Ethical Hacking: Evading IDS, Firewalls and Honeypots — Notes
This article is a collection of my personal notes taken while attending the LinkedIn course entitled “Ethical Hacking: Evading IDS, Firewalls and Honeypots”. The course is the 12th course in the LinkedIn learning path “Become an Ethical Hacker”. The course is divided into 6 sections, named respectively:
- Firewalls.
- Hardware Firewalls.
- Network Simulation Using GNS3.
- Special Purpose Perimeter Devices.
- Protection from Intrusion.
- Evasion Techniques.
Firewalls
Perimeter firewalls are used to fight against hacking through direct penetration. They come in two forms: personal firewalls on endpoint devices, and enterprise firewalls. A firewall has a set of rules that instructs it to either allow or deny a connection based on various criteria, such as source and destination addresses, source and destination….
On Windows you can find your firewall under:
Windows → Settings → Windows Security (Defender). It has rules that can be set for an optimal experience. An example is the list of applications allowed to communicate through the firewall, which can be set separately for private and public networks. Windows Defender Firewall with Advanced Security is intended for system administrators in an enterprise network; it is used to configure rules for which connections are allowed and which are not.
Windows firewall logs are stored under Windows → System32 → LogFiles → Firewall → pfirewall.log.
Windows firewall logs can be large and hard to read, so the ZedLan analyzer for Windows Firewall logs provides a more manageable interface for viewing and analysing them.
Each log entry has a date, the type of action, the port, the protocol, ….
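As an added example (my own, not from the course or the article), the following Python script parses pfirewall.log entries using the column names from the file's own #Fields header and summarises dropped inbound connections per source address and destination port; the log lines are constructed for the demonstration.

```python
# Added example (not from the course): parse Windows Firewall pfirewall.log
# rows and summarise dropped inbound connections by source and destination port.
from collections import Counter

# Constructed sample in the W3C-style layout pfirewall.log uses: comment lines
# start with '#', and the '#Fields:' line names the columns of every data row.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 08:15:02 DROP TCP 203.0.113.7 192.0.2.10 51022 445 52 S 3421223552 0 8192 - - - RECEIVE
2024-03-01 08:15:03 DROP TCP 203.0.113.7 192.0.2.10 51023 3389 52 S 3421223553 0 8192 - - - RECEIVE
2024-03-01 08:15:05 ALLOW TCP 192.0.2.10 198.51.100.4 49812 443 0 - 0 0 0 - - - SEND
2024-03-01 08:15:09 DROP UDP 203.0.113.9 192.0.2.10 40000 137 78 - - - - - - - RECEIVE
2024-03-01 08:15:11 DROP TCP 203.0.113.7 192.0.2.10 51024 445 52 S 3421223554 0 8192 - - - RECEIVE
"""


def parse_pfirewall(text):
    """Yield one dict per data row, keyed by the names from the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data row appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated rows rather than mis-align the columns
        yield dict(zip(fields, values))


def dropped_inbound_summary(text):
    """Count DROP rows on the RECEIVE path per (src-ip, protocol, dst-port)."""
    counts = Counter()
    for row in parse_pfirewall(text):
        if row["action"] == "DROP" and row["path"] == "RECEIVE":
            counts[(row["src-ip"], row["protocol"], row["dst-port"])] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, port), n in dropped_inbound_summary(SAMPLE_LOG).most_common():
        print(f"{src:15} {proto:4} dst-port {port:>5}: {n} dropped")
```

A host that repeatedly hits several closed ports (as 203.0.113.7 does in the sample) stands out immediately in this summary, which is the kind of pattern worth reviewing in a real log.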
iptables is one of the rule-based firewall modules in Linux. It has 3 sections (chains):
- INPUT: contains the rules controlling which addresses and ports may be used for data coming into the computer.
- FORWARD: tells iptables to take incoming data and pass it straight through to an outgoing address and port (used when the host switches traffic between networks).
- OUTPUT: has the rules controlling which addresses and ports data can be sent to.
Firewall Builder provides a simple way to express and manage rules.
Port Tester is a tool used for checking whether specific ports are open for accessing a target URL. This checks the pathway to the URL, including any proxy or firewall that might be positioned in front of it.
Hardware Firewalls
Cisco provides a range of popular home- and business-grade firewalls, built using a proprietary Cisco operating system known as IOS. This provides a much more powerful firewall solution than the built-in Windows and Linux firewalls.
To configure the firewall (the example in the course was a Cisco PIX firewall), you can connect through PuTTY and configure accounts, rules, ….
We can configure the firewall to create a secure enclave of a range of addresses.
Network Simulation Using GNS3
You can download and install GNS3 to build and test your network in a risk-free virtual environment. GNS3 is a simulator that you can use to test rules and configurations before applying them in the real world.
In this section, GNS3 was used to run tests with the Cisco Advanced Security Appliance (ASA), which allows us to better understand firewalls at an enterprise level.
Special Purpose Perimeter Devices
Web Application Firewalls (WAF) operate at the application layer of the OSI model; they filter traffic to protect web servers and applications from malicious attacks. They continuously monitor inbound and outbound traffic to detect abnormal activity and block attackers. They are usually driven by Access Control Lists (ACLs) that supply the rules with which they filter and monitor the traffic.
Web Application Firewalls can come as:
- Hardware appliances.
- Software applications.
- Cloud services.
Imperva is one of the industry-leading commercial WAFs. Amazon Web Services (AWS) provides a cloud-based WAF, as does Microsoft Azure. Cloudflare runs an integrated WAF as part of its service. WebKnight is an open source WAF provided by AQTRONiX. OWASP provides ModSecurity as an open source WAF.
Web applications nowadays are delivered as micro-services following the Agile delivery approach, which, in a way, blurs the transitions between development, test and production delivery.
API gateways are often used as proxies for applications, providing another layer of operational security monitoring.
WSO2 is an open source API gateway; it mediates the traffic between the API subscriber and the backend micro-services they call.
Honeypots are one of the techniques used to detect intruders. They lure attackers in order to trap them, understand their methods, and monitor and analyze the attack away from the legitimate system.
There are 2 types of honeypots:
- Low interaction: they present as a service but have little behind it that looks like a legitimate system.
- High interaction: they provide a close-to-real system interaction to keep the attacker engaged.
The Honeynet Project is a non-profit project that provides tools and resources for honeypots. HIHAT is a high-interaction honeypot, and so is Dockpot. A medium-interaction honeypot available is Cowrie.
Most honeypots can be detected through various techniques, such as trying to add a user: some systems will fail to do so, and others will only pretend to add the user but will crash when trying to use the newly added user. A session restart is also used to detect honeypots, as it erases anything
Protection from Intrusion
Intrusion Detection Systems (IDS) use known signatures to detect intrusions and protect your system. An IDS requires regular signature updates to be able to identify and protect against the latest attacks.
It can be deployed in two areas:
- Network-based devices.
- Host-based systems.
An IDS sends alerts to administrators when an intrusion is detected so that they can take action.
An Intrusion Prevention System (IPS) is an IDS that can block intrusions on its own. In enterprises, an IPS is first run in monitoring mode to learn normal traffic; then the prevention stage is activated to protect the system.
An Anomaly Detection System (ADS) is a device used to detect malicious behavior. It builds a model of normal data flows and then flags what it considers an anomaly compared with what it learned.
One of the most common problems with IDS is false positives, when legitimate activity is detected as an intrusion, and false negatives, when an intrusion is missed and the system is compromised.
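As an added illustration of the anomaly-detection and false-positive/false-negative points above (my own example, not from the course), this Python snippet learns a per-port baseline of bytes per flow from constructed "normal" flows and then scores new flows with a z-score threshold; the threshold of 3.0 and all flow sizes are assumptions made for the demonstration.

```python
# Added example (not from the course): a toy anomaly detector that learns
# "normal" bytes-per-flow per destination port, then flags deviations, to show
# where false positives and false negatives come from.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-phase flows: (dst_port, bytes) for ordinary HTTPS and DNS.
NORMAL_FLOWS = (
    [(443, b) for b in (1200, 1500, 900, 1800, 2100, 1400, 1700, 1300)]
    + [(53, b) for b in (80, 95, 70, 110, 90, 85, 100, 75)]
)


def learn_baseline(flows):
    """Per port: (mean, population std-dev) of bytes seen during the learning phase."""
    by_port = defaultdict(list)
    for port, size in flows:
        by_port[port].append(size)
    return {p: (mean(v), pstdev(v)) for p, v in by_port.items()}


def score_flow(baseline, port, size, threshold=3.0):
    """Return (is_anomaly, reason). A port never seen in learning is an anomaly."""
    if port not in baseline:
        return True, "no baseline for port"
    mu, sigma = baseline[port]
    sigma = max(sigma, 1.0)  # guard against a constant baseline (sigma == 0)
    z = (size - mu) / sigma
    return abs(z) > threshold, f"z={z:.1f}"


if __name__ == "__main__":
    base = learn_baseline(NORMAL_FLOWS)
    # Constructed flows: an oversized DNS flow (true positive), a legitimate
    # large HTTPS download (false positive), and a small HTTPS flow that
    # blends into the baseline even if it were malicious (false negative).
    for port, size, label in [(53, 4000, "oversized DNS"),
                              (443, 250000, "legitimate large download"),
                              (443, 1450, "baseline-sized HTTPS flow")]:
        flagged, why = score_flow(base, port, size)
        print(f"port {port:>3} {size:>7} bytes -> {'ALERT' if flagged else 'ok':5} ({why}) [{label}]")
```

The second and third flows are exactly the two failure modes the notes describe: a purely statistical model alerts on unusual-but-benign traffic and stays silent on malicious traffic shaped like the baseline, which is why such systems are paired with signature and reputation feeds.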
To protect against malicious websites there are 2 techniques:
- Blacklisting: prohibiting access to blacklisted websites; it only protects against known malicious websites.
- Whitelisting: allowing access only to known websites and blocking the rest; this is a much more effective technique.
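An added example (my own, not from the course) that implements both modes as a URL filter in Python, with label-wise domain matching so that "example.com" covers its subdomains but not "notexample.com"; the list contents and URLs are constructed for the demonstration.

```python
# Added example (not from the course): a domain filter that runs in either
# blacklist mode (block only listed hosts) or whitelist mode (allow only listed
# hosts), matching DNS labels rather than substrings.
from urllib.parse import urlsplit


def _host_matches(host, entry):
    """True if host equals entry or is a subdomain of it (compares labels, not substrings)."""
    h = host.lower().rstrip(".").split(".")
    e = entry.lower().rstrip(".").split(".")
    return len(h) >= len(e) and h[-len(e):] == e


def is_allowed(url, mode, listed):
    """mode='blacklist': block listed hosts only; mode='whitelist': allow listed hosts only."""
    host = urlsplit(url).hostname
    if not host:
        return False  # unparsable URL: fail closed
    hit = any(_host_matches(host, entry) for entry in listed)
    if mode == "blacklist":
        return not hit
    if mode == "whitelist":
        return hit
    raise ValueError(f"unknown mode {mode!r}")


# Constructed lists for the demonstration
KNOWN_BAD = ["malware-drop.example", "phish.example.net"]
KNOWN_GOOD = ["intranet.example.org", "microsoft.com", "example.com"]

if __name__ == "__main__":
    for url in ["https://update.example.com/patch",
                "https://login.phish.example.net/",
                "https://brand-new-bad-site.example/x"]:  # unknown to the blacklist
        print(url, "blacklist:", is_allowed(url, "blacklist", KNOWN_BAD),
              "whitelist:", is_allowed(url, "whitelist", KNOWN_GOOD))
```

The third URL shows the difference the notes point at: a site that has not yet been added to any blacklist passes the blacklist filter but is stopped by the whitelist.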
Snort is an IDS built on top of tcpdump; it includes packet analytics and detection rules and has plugin capability for pre- and post-analysis.
Security Onion is another example of an IDS; it provides a comprehensive intrusion detection, network security monitoring, and log management solution.
Reputation is another technique for combating malicious activity. It is a logical extension of threat intelligence in which collective intelligence provides a reputation feed to devices to complement signature-based IDS. Reputation-based intrusion detection is a powerful feature that can help prevent threats from malware and zero-day attacks by sharing collective intelligence.
Einstein was developed by the US Computer Emergency Readiness Team (US-CERT) as an intrusion detection system for monitoring the network gateways of government departments and agencies for unauthorized traffic, but it failed because of its low detection rate.
Evasion Techniques
As a pentester you need to test these evasion tools and see how effective an organization's system is at protecting against intrusion.
When creating a payload, we need to make sure that it isn't detected as malicious by the target's firewall or IDS. There are many possible ways to obfuscate the payload; one of them is using msfvenom.
Obfuscated malware must still be restored to a readable form in order to execute. One of the ways to ensure that it is not detected by an IDS is to inject it into benign files.
Malware packers obfuscate the malicious code by compressing it, masking it with XOR, or encrypting it. They may also include anti-sandboxing code.
The Andromeda Gamarue Custom Packer is a custom packer used to ensure that each attack has its own fingerprint, so that detection cannot rely on previous attacks.
Fileless attacks mean that the malware is not written to disk but rather executed directly in memory, thereby evading detection.
Malware can be hidden in an alternate data stream to evade detection. Alternate data streams can be used to hide executable files.
Analyzing malware can be dangerous to live production systems. It is advisable to use a virtual environment or sandbox while doing so.