โš”๏ธ Attacks DB

Evasion Techniques

This is about … .

📚 Cloud

📚 Containers

Host-based IDP/IPS

Host-based IDS inspect local system configuration and behaviour, while network-based IDS inspect network connections, looking for anomalies and known attack signatures.

IDS and IPS act as a firewall’s filters. A device has a Control Plane (looks after the OS and the routing table) and a Forwarding Plane (makes the per-packet decisions to route or discard). If something happens to the Control Plane, the device will still forward the traffic (really???).

By default an IDS only listens 👂 to the traffic. It’s usually connected to a SPAN (mirror) port on a switch. It looks for anomalies and sends alerts. It won’t take any actions by default, but can be configured to. If the IDS is down, nothing changes for the rest of the network; it keeps operating.

An IPS takes actions on its own. It is not connected to a SPAN port but sits inline as a gateway: before it inspects and allows a packet through, nothing can move forward. So if the IPS is down, everyone is down (unless load balancing or some failure policy is configured for such cases). It is positioned right after the router, edge device or firewall.

Network Recon

traceroute, tracert

On Windows it’s tracert (due to legacy maximum file-name length limitations). On Linux and macOS it’s traceroute. Windows uses ICMP probes by default, while macOS and Linux use UDP. You can, however, make traceroute on UNIX operate over ICMP by specifying the -I switch.

🧪 There is an extraordinary thing that I have noticed. I was trying to capture the traceroute and tracert traffic to take screenshots.

I launched traceroute on macOS and got a bizarre response: 64 lines of 3 wildcards, which could indicate a firewall blocking ICMP/UDP requests. I googled and googled and decided to check Windows tracert on a VM on the same machine. Strangely, I got a normal response. That led me to believe that the macOS traceroute is buggy, since the machine is the same and all traffic is routed through the same nodes.

Port Scanning

There are several techniques for port scanning. Some of them work for one OS only.

📘 BTFM

dshell

# macOS path to the dshell package inside a pyenv virtualenv (example):
/Users/[user_name]/.pyenv/versions/3.8.5/envs/python3/lib/python3.8/site-packages/dshell/

decode -l                      # list available decoders
decode -d [decoder_name]       # show info about one decoder

# ip decoder: who talked to whom (source/destination pairs)
decode -d ip [capture_file_name].(p)cap

# protocol decoder: by what means (transport layer), i.e. flags protocols that are not tcp, udp or icmp
decode -d protocol [capture_file_name].(p)cap
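To show what the two decoders above actually extract from a capture, here is an added example (not from the page and not dshell’s own code) that parses a libpcap file by hand and answers the same two questions: who talked to whom, and which IPv4 protocols are not tcp/udp/icmp. The capture it reads is constructed in memory with the hypothetical build_frame/build_pcap helpers, so it runs offline.

```python
import socket
import struct
from collections import Counter
ETHERTYPE_IPV4 = 0x0800                       # only IPv4 frames are decoded here
STANDARD = {1: "icmp", 6: "tcp", 17: "udp"}   # what the protocol decoder filters out

def build_frame(src, dst, proto, payload=b""):
    """Constructed Ethernet + minimal IPv4 header (IHL=5, TTL 64, checksum zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload

def build_pcap(frames):
    """Serialise frames as a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(data):
    """Yield each captured frame, honouring either byte order of the magic."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def summarize(data):
    """Who talked to whom (src, dst) and which IPv4 protocols are not tcp/udp/icmp."""
    talkers, odd = Counter(), Counter()
    for frame in iter_frames(data):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                          # skip non-IPv4 frames instead of misparsing
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        talkers[(src, dst)] += 1
        if frame[23] not in STANDARD:         # IPv4 protocol field sits at IP offset 9
            odd[frame[23]] += 1
    return talkers, odd

SAMPLE = build_pcap([                         # constructed capture: 2x TCP, ICMP, GRE (47)
    build_frame("10.0.0.5", "10.0.0.9", 6, b"\x00" * 20),
    build_frame("10.0.0.5", "10.0.0.9", 6, b"\x00" * 20),
    build_frame("10.0.0.9", "10.0.0.5", 1, b"\x00\x00\x00\x00"),
    build_frame("10.0.0.7", "10.0.0.9", 47),
])
```

Running summarize(SAMPLE) yields the talker pairs with their frame counts plus {47: 1}, the GRE frame that a tcp/udp/icmp-only view would miss.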

Analysis example 1

Download a (p)cap file from here. I chose an SMB file, smbtorture.cap.gz. This sample’s description: “Capture showing a wide range of SMB features. The capture was made using the Samba4 smbtorture suite, against a Windows Vista beta2 server.”

📚 Network Protocols

This set of articles describes the network protocols of each layer separately. Each article may contain a description of an attack and how to mitigate it.