Ethical Hacking: Evading IDS, Firewalls, and Honeypots

As Alex began the engagement, they chose to assume the role of a determined attacker. They carefully planned their approach, selecting the tools and techniques that would help them bypass the corporation's security measures.

🛡️ Evasion is for authorized red-teaming & CTF only.

Most corporate firewalls allow outbound web traffic (HTTP/HTTPS on ports 80 and 443) and DNS (port 53). Why? Because without web traffic the internet is useless, and without DNS nobody can find Google.
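A quick way to confirm which of those ports actually pass traffic from where you sit is an egress probe. The script below is an added example (it is not code from the page's author): it tries TCP connections to a host you control on a handful of ports and sends a minimal UDP DNS query to check that port 53 carries DNS, not just a TCP handshake. The target addresses, port list and two-second timeout are assumptions; the `connect` argument is injectable so the reporting logic can be exercised without a network.

```python
import socket
from typing import Callable, Dict, Iterable, List

# Added example, not from the original page. Ports a corporate perimeter
# typically permits outbound (53, 80, 443) next to some it usually does not.
COMMON_EGRESS_PORTS = (22, 53, 80, 443, 445, 3389, 8080)


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a full TCP handshake to host:port completes, i.e. the egress
    path for that port is open. RST, timeout and no-route all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_egress(host: str, ports: Iterable[int] = COMMON_EGRESS_PORTS,
                 connect: Callable[[str, int], bool] = tcp_connect) -> Dict[int, bool]:
    """Map each port to whether an outbound TCP connection succeeded.
    `connect` is injectable so the bookkeeping can be tested offline."""
    return {port: connect(host, port) for port in ports}


def allowed_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that passed, sorted, for the report."""
    return sorted(port for port, ok in results.items() if ok)


def build_dns_query(name: str, txid: bytes = b"\x13\x37") -> bytes:
    """Minimal DNS A query for `name`: 12-byte header (RD set, QDCOUNT=1),
    label-encoded QNAME, QTYPE=A, QCLASS=IN. DNS is normally UDP, so a TCP
    probe of port 53 alone does not prove DNS egress works."""
    header = txid + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"


def udp_dns_probe(resolver: str, name: str = "example.com", timeout: float = 2.0) -> bool:
    """Send the query over UDP/53 and report whether a reply carrying our
    transaction ID comes back. Any answer (even NXDOMAIN) proves UDP/53 egress."""
    query = build_dns_query(name)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (resolver, 53))
            reply, _ = sock.recvfrom(512)
            return reply[:2] == query[:2]
    except OSError:
        return False


if __name__ == "__main__":
    # Point these at infrastructure you are authorized to test (assumed values
    # from the TEST-NET-3 documentation range).
    target = "203.0.113.10"
    print("tcp egress:", allowed_ports(probe_egress(target)))
    print("udp/53 egress:", udp_dns_probe("203.0.113.53"))
```

Run it from the segment under test against a listener you control; a port that answers from inside but not from the probe host tells you where the perimeter filter sits.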

Next-generation firewalls (NGFW) operate up to the Application layer (OSI Layer 7). They perform Deep Packet Inspection (DPI) to identify specific applications, user identities, and embedded malware payloads, so a protocol that merely borrows an allowed port can still be recognized and blocked.

You don't need a contract or expensive hardware. Build this:

Before launching any evasion strategy, it is necessary to understand what you are up against.

3. Session Splicing

Similar to fragmentation, session splicing splits the attack payload across multiple network packets within an established TCP session. If the IDS fails to maintain proper state tracking, or does not buffer the packets long enough to reconstruct the entire session string, the signature-matching engine never sees the complete pattern and the attack passes.

4. Denial of Service (DoS) / Flooding

When overwhelmed, some IDS sensors default to a "fail-open" state, letting traffic pass through uninspected rather than cause network downtime; others keep inspecting but generate such a backlog of alerts that analysts cannot pick out the real attack vector. Either way, the flood buys the real attack a window in which it is not seen.
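The fail-open behaviour is easiest to see in a simulation. The following is an added example, not code from the page: a toy inline sensor with a bounded inspection queue is flooded with decoy requests that each trip a noisy signature, and the real attack is sent while the queue is still full. Capacities, signatures and traffic are constructed for the example.

```python
from collections import deque
from typing import Dict, List

# Added example, not from the original page. All traffic below is constructed.


class InlineIDS:
    """Toy inline signature IDS with a bounded inspection queue.

    Packets arrive via offer(); tick() inspects up to `budget` of them. When the
    queue is full the sensor must choose: fail-open (forward uninspected, the
    behaviour the article describes) or fail-closed (drop, which turns the
    flood into an outage for everyone behind the sensor).
    """

    def __init__(self, signatures: List[bytes], capacity: int, fail_open: bool):
        self.signatures = signatures
        self.capacity = capacity
        self.fail_open = fail_open
        self.queue: deque = deque()
        self.alerts: List[bytes] = []
        self.delivered: List[bytes] = []
        self.dropped = 0
        self.uninspected = 0

    def offer(self, packet: bytes) -> None:
        """Traffic arrives faster than tick() can drain it."""
        if len(self.queue) < self.capacity:
            self.queue.append(packet)
        elif self.fail_open:
            self.uninspected += 1
            self.delivered.append(packet)   # never matched against signatures
        else:
            self.dropped += 1

    def tick(self, budget: int) -> None:
        """Inspect up to `budget` queued packets; block matches, forward the rest."""
        for _ in range(min(budget, len(self.queue))):
            pkt = self.queue.popleft()
            if any(sig in pkt for sig in self.signatures):
                self.alerts.append(pkt)
            else:
                self.delivered.append(pkt)


ATTACK = b"GET /cgi-bin/status?cmd=cat /etc/passwd HTTP/1.0\r\n"


def flood_scenario(fail_open: bool, decoys: int = 5000, capacity: int = 200,
                   budget: int = 10) -> Dict[str, object]:
    """Flood the sensor with decoys that each trip a noisy signature, send the
    real attack while the queue is still full, then let the sensor drain."""
    ids = InlineIDS([b"cat /etc/passwd", b"DECOY-SCAN"], capacity, fail_open)
    for i in range(decoys):
        ids.offer(b"GET /DECOY-SCAN-%d HTTP/1.0\r\n" % i)
    ids.offer(ATTACK)            # arrives at the worst moment for the sensor
    while ids.queue:
        ids.tick(budget)
    return {
        "attack_delivered": ATTACK in ids.delivered,
        "attack_alerted": ATTACK in ids.alerts,
        "decoy_alerts": sum(1 for a in ids.alerts if b"DECOY" in a),
        "dropped": ids.dropped,
        "forwarded_uninspected": ids.uninspected,
    }


if __name__ == "__main__":
    print("fail-open  :", flood_scenario(fail_open=True))
    print("fail-closed:", flood_scenario(fail_open=False))
```

With fail-open the attack is delivered and never alerted on, and the analyst is left with hundreds of decoy alerts; with fail-closed the attack is dropped, but so is the legitimate traffic, which is the outage the fail-open default was meant to avoid. Without the flood (few decoys) the same attack is inspected and blocked.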

For those interested in learning more about evading IDS, firewalls, and honeypots, here are some free resources:

Packet-filtering firewalls inspect packets at the Network layer (OSI Layer 3) and Transport layer (OSI Layer 4), blocking traffic based on source/destination IP addresses and ports. They never look at what the allowed ports carry.
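To make the difference between the two firewall classes concrete, here is an added example (not from the original page) of a Layer 3/4 rule match beside a crude application classifier of the kind an NGFW applies. The rules, packets and addresses are constructed; the protocol fingerprints (TLS handshake records begin 0x16 0x03, SSH opens with an ASCII banner, HTTP with a method token) are real. The point it shows: an SSH session pointed at port 443 sails through the packet filter and is stopped by the DPI policy.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the original page. Packets and rules are constructed.


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes of the TCP stream


@dataclass
class Rule:
    dst: Optional[str]   # None means any destination
    dport: int


# What a Layer 3/4 packet filter gets to see: addresses and ports only.
ALLOW_OUT: List[Rule] = [
    Rule(dst=None, dport=443),           # HTTPS to anywhere
    Rule(dst=None, dport=80),            # HTTP to anywhere
    Rule(dst="203.0.113.53", dport=53),  # DNS, but only to the corporate resolver
]


def packet_filter(pkt: Packet) -> bool:
    """Stateless L3/L4 decision: allow if any rule matches destination and port."""
    return any((r.dst is None or r.dst == pkt.dst) and r.dport == pkt.dport
               for r in ALLOW_OUT)


def identify_app(payload: bytes) -> str:
    """Crude DPI: classify the stream from its first bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                      # TLS record type 0x16 = handshake
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"
    return "unknown"


# Layer 7 policy: the protocol on the wire must be the one the port is for.
EXPECTED_APP = {443: "tls", 80: "http"}


def ngfw_filter(pkt: Packet) -> bool:
    """NGFW decision: the L3/L4 rule must match *and* the payload must look
    like the application the port is meant to carry."""
    if not packet_filter(pkt):
        return False
    return identify_app(pkt.payload) == EXPECTED_APP.get(pkt.dport)


def compare(pkt: Packet) -> dict:
    return {"packet_filter": packet_filter(pkt), "ngfw": ngfw_filter(pkt)}


# Constructed sample traffic from an internal host.
TLS_CLIENT_HELLO = Packet("10.0.0.5", "198.51.100.7", 443,
                          b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03")
SSH_OVER_443 = Packet("10.0.0.5", "198.51.100.7", 443, b"SSH-2.0-OpenSSH_9.6\r\n")
HTTP_ON_22 = Packet("10.0.0.5", "198.51.100.7", 22, b"GET / HTTP/1.1\r\n")
DNS_TO_ROGUE = Packet("10.0.0.5", "198.51.100.7", 53,
                      b"\x13\x37\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, pkt in [("TLS on 443", TLS_CLIENT_HELLO), ("SSH on 443", SSH_OVER_443),
                      ("HTTP on 22", HTTP_ON_22), ("DNS to rogue resolver", DNS_TO_ROGUE)]:
        print(f"{name:22} {compare(pkt)}")
```

This is also why the evasion techniques against an NGFW look different from those against a packet filter: the traffic has to look like the application the port is for, which in practice means wrapping it in real TLS rather than just choosing port 443.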

Real systems have configuration quirks, temporary directories, user histories, and varied file creation dates. A system with a completely pristine file structure, missing logs, or lack of standard system updates warrants caution.

Intrusion Detection Systems (IDS)

IDS evasion focuses on confusing the pattern-matching engine or overwhelming the system's processing capabilities.

1. Traffic Encryption (SSL/TLS)

Wrapping the attack traffic in TLS hides the payload from any sensor that does not terminate or decrypt the session; the IDS sees only ciphertext and its signatures never match.

2. Fragmentation

Splitting an attack string across multiple TCP packets prevents the IDS from seeing the full signature in any one of them. If the phrase "malware" triggers an alert, sending "mal" in the first packet and "ware" in the second bypasses a signature engine that matches packet by packet and does not reassemble the stream.
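One harness can show fragmentation, session splicing and encryption against the same signature engine. This is an added example, not code from the page: a constructed attack string is carved into 4-byte segments and handed to three engines, one that matches per packet, one that remembers only the last few segments, and one that reassembles the whole stream. A repeating-key XOR stands in for TLS; it is not a cipher and only models bytes the sensor cannot read.

```python
import os
from typing import List

# Added example, not from the original page. Signature and payload are constructed.
SIGNATURE = b"cat /etc/passwd"
ATTACK = b"GET /cgi-bin/vuln?cmd=cat /etc/passwd HTTP/1.0\r\n"


def splice(payload: bytes, chunk: int) -> List[bytes]:
    """Session splicing / fragmentation: carve one payload into small TCP
    segments so no single segment carries the whole signature."""
    return [payload[i:i + chunk] for i in range(0, len(payload), chunk)]


def per_packet_match(segments: List[bytes], signature: bytes = SIGNATURE) -> bool:
    """Naive engine: matches each segment on its own, no stream state."""
    return any(signature in seg for seg in segments)


def windowed_match(segments: List[bytes], signature: bytes = SIGNATURE, keep: int = 1) -> bool:
    """Engine that remembers only the last `keep` segments. It is beaten when
    the signature is spread over more than keep+1 segments."""
    history: List[bytes] = []
    for seg in segments:
        history = (history + [seg])[-(keep + 1):]
        if signature in b"".join(history):
            return True
    return False


def reassembled_match(segments: List[bytes], signature: bytes = SIGNATURE) -> bool:
    """Stateful engine: reassembles the whole stream before matching. This is
    what defeats splicing, at the cost of buffering memory per flow."""
    return signature in b"".join(segments)


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS confidentiality: a sensor without the session key sees
    only opaque bytes. Symmetric, so applying it twice restores the plaintext.
    Repeating-key XOR is NOT a real cipher; it only models 'unreadable'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def evaluate(segments: List[bytes]) -> dict:
    """Run all three engines over the same segment list."""
    return {
        "per_packet": per_packet_match(segments),
        "window_1": windowed_match(segments, keep=1),
        "window_4": windowed_match(segments, keep=4),
        "reassembled": reassembled_match(segments),
    }


if __name__ == "__main__":
    print("whole     :", evaluate([ATTACK]))
    print("spliced/4 :", evaluate(splice(ATTACK, 4)))
    key = os.urandom(16)
    print("encrypted :", evaluate(splice(xor_keystream(ATTACK, key), 4)))
```

The 15-byte signature lands across five of the 4-byte segments, so an engine that keeps only the previous segment misses it while one that keeps four does not; how much a sensor buffers per flow, and for how long, is exactly the knob these techniques probe. Encrypting the stream defeats all three engines alike, since none of them can see the bytes.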

Detecting and Avoiding Honeypots

Honeypots represent a more psychological layer of defense: decoy systems designed to lure attackers away from critical assets and gather intelligence on their methods. For an ethical hacker the challenge is honeypot detection. By identifying subtle cues, such as unusually slow response times, limited file systems, or strange service configurations, the tester can confirm whether a target is a trap. Learning to spot these decoys is vital; it keeps a security assessment focused on production environments rather than bogged down in simulated distractions.
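Those cues can be scored from artefacts collected on the suspect host. The code below is an added example, not from the original page: it parses constructed `ls -l --time-style=long-iso` listings of /var/log and /etc, checks for shell history and package-update history, and looks at interactive response latency. The thresholds (fewer than three log files, all /etc timestamps within a day, mean latency above 500 ms) are heuristics chosen for the example, not values from the article.

```python
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Added example, not from the original page. Listings are constructed to look
# like `ls -l --time-style=long-iso` output; thresholds are heuristics.


def parse_ls(listing: str) -> List[Tuple[str, datetime]]:
    """Return (name, mtime) for each entry of a long-iso `ls -l` listing."""
    entries = []
    for line in listing.strip().splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8:           # 'total N' line or malformed
            continue
        mtime = datetime.strptime(f"{parts[5]} {parts[6]}", "%Y-%m-%d %H:%M")
        entries.append((parts[7], mtime))
    return entries


def timestamp_spread_days(entries: List[Tuple[str, datetime]]) -> float:
    """Age range of the listed files. A real box accumulates changes over
    months; a freshly unpacked decoy image is stamped all at once."""
    if not entries:
        return 0.0
    stamps = [e[1].timestamp() for e in entries]
    return (max(stamps) - min(stamps)) / 86400


def honeypot_indicators(obs: Dict[str, Any]) -> Tuple[int, List[str]]:
    """Score the cues from the article: pristine filesystem, missing logs,
    no update history, no user history, slow responses. Higher is more suspicious."""
    reasons = []
    if len(parse_ls(obs["var_log_ls"])) < 3:
        reasons.append("almost nothing in /var/log")
    etc = parse_ls(obs["etc_ls"])
    if len(etc) >= 3 and timestamp_spread_days(etc) < 1.0:
        reasons.append("/etc entries all share one timestamp (untouched image)")
    if obs.get("bash_history_bytes", 0) == 0:
        reasons.append("no shell history for the user")
    if obs.get("days_since_package_update") is None:
        reasons.append("no package update history at all")
    latency = obs.get("response_ms", [])
    if latency and sum(latency) / len(latency) > 500:    # heuristic threshold
        reasons.append("interactive responses unusually slow")
    return len(reasons), reasons


# Constructed observations: a suspect decoy and a plausible production host.
SUSPECT_HOST = {
    "var_log_ls": "total 0\n-rw-r--r-- 1 root root 0 2024-01-01 00:00 wtmp\n",
    "etc_ls": """total 12
-rw-r--r-- 1 root root 1042 2024-01-01 00:00 passwd
-rw-r----- 1 root shadow 612 2024-01-01 00:00 shadow
-rw-r--r-- 1 root root 92 2024-01-01 00:00 hostname
-rw-r--r-- 1 root root 581 2024-01-01 00:00 ssh_config
""",
    "bash_history_bytes": 0,
    "days_since_package_update": None,
    "response_ms": [820, 910, 760],
}

REAL_HOST = {
    "var_log_ls": """total 2048
-rw-r----- 1 syslog adm 312044 2024-05-14 08:12 auth.log
-rw-r----- 1 syslog adm 1048576 2024-05-14 08:12 syslog
-rw-r--r-- 1 root root 40221 2024-05-09 17:44 dpkg.log
-rw-rw-r-- 1 root utmp 292 2024-05-14 07:59 wtmp
""",
    "etc_ls": """total 40
-rw-r--r-- 1 root root 2981 2023-11-02 10:15 passwd
-rw-r----- 1 root shadow 1501 2024-02-19 14:03 shadow
-rw-r--r-- 1 root root 12 2023-08-30 09:00 hostname
-rw-r--r-- 1 root root 1650 2024-04-22 11:37 ssh_config
""",
    "bash_history_bytes": 18322,
    "days_since_package_update": 5,
    "response_ms": [38, 41, 55],
}

if __name__ == "__main__":
    for label, host in (("suspect", SUSPECT_HOST), ("real", REAL_HOST)):
        print(label, honeypot_indicators(host))
```

None of these indicators is conclusive on its own (a hardened jump box can also be pristine and quiet), which is why the function returns the reasons rather than a verdict; the tester weighs them against what the engagement scope says should be there.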