Network Security Solutions

Learn about and experiment with various IDS/IPS evasion techniques, such as protocol and payload manipulation.

Task 1: Introduction

Q1: What does an IPS stand for?

Ans1: Intrusion Prevention System

Q2: What do you call a system that can detect malicious activity but not stop it?

Ans2: Intrusion Detection System

Task 2: IDS Engine Types

Q1: What kind of IDS engine has a database of all known malicious packets’ contents?

Ans1: signature-based

Q2: What kind of IDS engine needs to learn what normal traffic looks like instead of malicious traffic?

Ans2: anomaly-based

Q3: What kind of IDS engine needs to be updated constantly as new malicious packets and activities are discovered?

Ans3: signature-based

Task 3: IDS/IPS Rule Triggering

Q1: In the attached file, the logs show that a specific IP address has been detected scanning our system of IP address 10.10.112.168. What is the IP address running the port scan?

Ans1: 10.14.17.226

Task 4: Evasion via Protocol Manipulation

Q1: We use the following Nmap command, nmap -sU -F MACHINE_IP, to launch a UDP scan against our target. What is the option we need to add to set the source port to 161?

Ans1: -g 161 (--source-port 161 is the long form of the same option)

Q2: The target allows Telnet traffic. Using ncat, how do we set a listener on the Telnet port?

Ans2: ncat -lvnp 23

Q3: We are scanning our target using nmap -sS -F MACHINE_IP. We want to fragment the IP packets used in our Nmap scan so that the data size does not exceed 16 bytes. What is the option that we need to add?

Ans3: -ff (a single -f limits each fragment to 8 bytes of data after the IP header; giving -f twice raises that to 16 bytes)

Q4: Start the AttackBox and the attached machine. Consider the following three types of Nmap scans:

-sX for Xmas scan
-sF for FIN scan
-sN for Null scan

Which of the above three arguments would return meaningful results when scanning MACHINE_IP?

Ans4: -sF

Q5: What is the option in hping3 to set a custom TCP window size?

Ans5: -w
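The fragmentation questions above only state the fragment size; what matters for evasion is which bytes of the TCP header each fragment carries. The following is an added example, not code from the TryHackMe room or from Nmap, that models the IP fragment bookkeeping for a SYN probe. It assumes a 24-byte TCP header (20 bytes plus a 4-byte MSS option, a typical Nmap SYN probe) and the documented per-fragment limits of 8 bytes for -f and 16 bytes for -ff; the function names are the example's own.

```python
"""
Added example (not part of the room or of Nmap): how -f / -ff split one SYN
probe across IP fragments, and which fragment ends up holding the TCP flags.

Assumptions not stated on the page:
  * the probe carries a 24-byte TCP header (20-byte base header + 4-byte MSS option);
  * -f allows 8 bytes of data per fragment after the IP header, -ff allows 16.
"""
from dataclasses import dataclass

TCP_FLAGS_BYTE = 13  # offset of the flags byte (SYN/FIN/...) within the TCP header


@dataclass(frozen=True)
class Fragment:
    offset_units: int     # IP "fragment offset" field, in units of 8 bytes
    length: int           # bytes of transport data carried after the IP header
    more_fragments: bool  # value of the MF flag


def fragment(payload_len: int, max_data: int) -> list[Fragment]:
    """Split payload_len bytes of transport data into fragments of at most max_data bytes."""
    if max_data <= 0 or max_data % 8:
        raise ValueError("per-fragment data size must be a positive multiple of 8")
    frags, offset = [], 0
    while offset < payload_len:
        length = min(max_data, payload_len - offset)
        frags.append(Fragment(offset // 8, length, offset + length < payload_len))
        offset += length
    return frags


NMAP_FRAGMENT_SIZES = {"-f": 8, "-ff": 16}  # bytes of data per fragment (Nmap reference guide)


def nmap_fragments(option: str, tcp_header_len: int = 24) -> list[Fragment]:
    """Fragments Nmap would emit for a SYN probe under -f or -ff (assumed header size)."""
    return fragment(tcp_header_len, NMAP_FRAGMENT_SIZES[option])


def fragment_holding(byte_index: int, frags: list[Fragment]) -> int:
    """Index of the fragment that carries transport-layer byte byte_index."""
    for i, f in enumerate(frags):
        start = f.offset_units * 8
        if start <= byte_index < start + f.length:
            return i
    raise IndexError(f"byte {byte_index} lies beyond the fragmented payload")


def flags_visible_in_first_fragment(option: str) -> bool:
    """Can an IDS that inspects only the first fragment see the TCP flags at all?"""
    return fragment_holding(TCP_FLAGS_BYTE, nmap_fragments(option)) == 0


if __name__ == "__main__":
    for opt in NMAP_FRAGMENT_SIZES:
        frags = nmap_fragments(opt)
        print(opt, [(f.offset_units, f.length, f.more_fragments) for f in frags],
              "flags in first fragment:", flags_visible_in_first_fragment(opt))
```

With -f the flags byte (and most of the sequence number) sits in the second fragment, so a rule such as "SYN to port 23" cannot match on any single packet unless the sensor reassembles; with -ff the whole 20-byte base header fits in the first fragment and only the option trails. Two caveats a practitioner should keep in mind: tiny fragments are themselves a common IDS signature, and an in-path device or the target's own stack may reassemble before the rule engine sees the traffic.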

Task 5: Evasion via Payload Manipulation

Q1: Using base64 encoding, what is the transformation of cat /etc/passwd?

Ans1: Y2F0IC9ldGMvcGFzc3dkCg==

Q2: The base32 encoding of a particular string is NZRWC5BAFVWCAOBQHAYAU===. What is the original string?

Ans2: ncat -l 8080

Q3: Using the openssl command provided above, you created a certificate, which we gave the extension .crt, and a private key, which we gave the extension .key. What is the first line in the certificate file?

Ans3: -----BEGIN CERTIFICATE-----

Q4: What is the last line in the private key file?

Ans4: -----END PRIVATE KEY-----

Q5: On the attached machine from the previous task, browse to http://MACHINE_IP:8080, where you can enter Linux commands. Note that no output will be returned. A command like ncat -lvnp 1234 -e /bin/bash creates a bind shell that you can connect to from the AttackBox using ncat MACHINE_IP 1234; however, an IPS is filtering out the command we submit on the form. Using one of the techniques mentioned in this task, adapt the command typed into the form so that it runs. Once you connect to the bind shell using ncat MACHINE_IP 1234, find the user's name.

Ans5: redteamnetsec

Task 6: Evasion via Route Manipulation

Q1: Protocols used in proxy servers can be HTTP, HTTPS, SOCKS4, and SOCKS5. Which protocols are currently supported by Nmap?

Ans1: HTTP SOCKS4

Task 7: Evasion via Tactical DoS

Q1: Make sure you have read and understood the three points of this task.

Ans1: No answer needed

Task 8: C2 and IDS/IPS Evasion

Q1: Which variable would you modify to add a random sleep time between beacon check-ins?

Ans1: Jitter
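Jitter matters because a beacon that sleeps for exactly the same interval every time is trivial to spot from connection timestamps alone. The following is an added example, not code from the room or from any C2 framework, that simulates check-ins with and without jitter and runs a simple beaconing detector over them. It assumes jitter is applied as sleep * (1 + r) with r uniform in [-jitter, +jitter]; real frameworks differ (Cobalt Strike's jitter percentage only shortens the sleep), but the effect on interval variance is the same. The detector threshold and the function names are the example's own.

```python
"""
Added example (not from the room or any C2 framework): effect of beacon jitter
on a detector that keys on near-constant check-in intervals.

Assumptions: symmetric jitter model sleep * (1 + r), r ~ U[-jitter, +jitter];
the detector's threshold (coefficient of variation < 5%) is a constructed value.
"""
import random
import statistics


def checkin_times(base_sleep: float, jitter: float, count: int, seed: int = 7) -> list[float]:
    """Simulated beacon check-in timestamps (seconds) for a base sleep and jitter fraction."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    t, times = 0.0, []
    for _ in range(count):
        t += base_sleep * (1 + rng.uniform(-jitter, jitter))
        times.append(t)
    return times


def interval_cv(times: list[float]) -> float:
    """Coefficient of variation (stdev / mean) of the gaps between consecutive check-ins."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def looks_like_beacon(times: list[float], max_cv: float = 0.05, min_samples: int = 10) -> bool:
    """Constructed detector: enough connections from one host whose spacing is nearly constant."""
    return len(times) >= min_samples and interval_cv(times) < max_cv


if __name__ == "__main__":
    for jitter in (0.0, 0.1, 0.3):
        times = checkin_times(60.0, jitter, 50)
        print(f"jitter={jitter:.0%} cv={interval_cv(times):.3f} flagged={looks_like_beacon(times)}")
```

A fixed 60-second sleep yields a coefficient of variation of zero and is flagged immediately; 30% jitter pushes it well above the threshold. The flip side for defenders is that jitter only defeats this particular statistic: the mean interval, the per-connection byte counts and the destination are unchanged, and a detector that models the distribution of gaps rather than their variance still finds the beacon.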

Task 9: Next-Gen Security

Q1: Read about NGFW in the Red Team Firewalls room.

Ans1: No answer needed

Task 10: Summary

Q1: Continue your learning with the next room.

Ans1: No answer needed