EV: IDS Evasion via Packet Manipulation

Related tags

Networking ev
Overview

EV: IDS Evasion via TCP/IP Packet Manipulation

中文文档

Introduction

EV is a tool that allows you crafting TCP packets and leveraging some well-known TCP/IP packet manipulation techniques to evade IDS devices.

It supports HTTP protocol but unfortunately not HTTPS protocol. The handshake process of TLS is quite complecated and I haven't figure out how to craft TLS packets elegantly.

This tools is written in Python and QT5, using Scapy to make packets. So though this software is tested on Windows platform only, it theoretically works on other platforms like Linux or MacOS.

Setup&run

Run following commands in your cmd/terminal to pull the latest version of the software and install required python packages:

git clone https://github.com/TomAPU/ev.git
cd ev
pip3 install -r requirements.txt

Run this command to start the software:

python3 ev.py

or you can click run.bat in the root directory of the software to start it.

Basic Usage

Fill IP,Port,and Payload field and click "Send" button to send the TCP packet to target. You can also set TCP options and source port. Remeber that TCP options are tcp options supported by scapy.

You can view response packets in "Received packets" window and click packet to view it in "View Received Packet" window. This is implemented by scapy's sniff() function, it finds packets that matches the target IP or is ICMP protocol(so that you can find TTL exceeded packets). However, sniff() sometimes records packets duplicately.So I strongly recommend users use WireShark if you've installed one to see received packets.

Request Split

You can use TCP Segmentation and IP Fragmentation to break the TCP packet into pieces and send them to target. This may defeats IDS devices which doesn't support TCP/IP reassembly.

Increasing wait time or sending packets out of order may also circumvent IDS devices who has a very limited capability in TCP/IP reassembly.

Sending Distractor Packets

Distractor packets are packets that might be ignored by target and be recognized by IDS devices.

Small TTL distractor packets are packets' TTL are subtracted to 0 between IDS device and the target. The target will not receive this packet because the packet has been dropped before reaching the target. But IDS might think that the packet arrives the target. Therefore, sending small TTL distractor packets containing junk data or RST flag may distract the process of reassembling TCP packets, leading to an evasion.

Bad Checksum packets are packets with wrong TCP checksum. Packets with wrong checksum are ignored by target, but IDS devices may not calculate checksum and reassemble all packets directly, which leads to an evasion.

Corrupt ack distractor packets are packets' ACK field is corrupted. The target ignore such packets because of the wrong ACK field, but IDS might reassemble all packets directly, which leads to an evasion.

English Document

介绍

EV是一个通过各种著名的TCP/IP报文操纵技术实现IDS绕过的工具。你可以用它自定义TCP包并且利用其中内置的逃逸手段对IDS执行测试。

当前支持HTTP协议但是不支持HTTPS协议,HTTPS协议的握手比较复杂,我还没搞懂怎么优雅地构造TLS包。

这个工具是用 Python 和 QT5 编写的,使用 Scapy 来制作数据包。 因此,虽然该软件仅在 Windows 平台上进行了测试,但理论上它可以在 Linux 或 MacOS 等其他平台上运行。

安装&运行

在CMD或者终端中运行如下命令来获取最新版本的软件并且安装所需的Python包:

git clone https://github.com/TomAPU/ev.git
cd ev
pip3 install -r requirements.txt

运行如下命令启动程序

python3 ev.py

或者你可以点击软件根目录下的run.bat 文件打开程序。

基本使用

填写IP、Port和Payload字段,点击 "发送 "按钮,将TCP数据包发送到目标。您还可以设置TCP选项和源端口。请注意,TCP选项是scapy支持的TCP选项。

您可以在 "Received packets"窗口查看响应数据包,点击数据包在 "View Received Packet"窗口查看。这个功能由scapy的sniff()函数实现的,它找到与目标IP相匹配的数据包,或者是ICMP协议的数据包(这样你可以找到因为TTL过期而返回的ICMP包)。然而,sniff()有时会重复记录数据,所以如果安了Wireshark,我强烈建议用户使用WireShark而不是这个

请求拆分

你可以使用TCP分段和IP分片,将TCP数据包分成几块并发送给目标。这可能会使不支持TCP/IP重组的IDS设备失效。

也可以增加等待时间或不按顺序发送数据包,这样可能规避在TCP/IP重组能力非常有限的IDS设备。

发送干扰包

干扰包是被目标忽略而被IDS设备识别的数据包。

TTL过小的干扰包是指在IDS设备和目标之间的TTL被减为0的数据包。目标不会收到这个数据包,因为该数据包在到达目标之前因为TTL为0而已经被丢弃。但IDS可能认为该数据包到达了目标。因此,发送含有垃圾数据或RST标志的TTL过小的干扰包可能会让IDS重组出错,导致绕过。

坏校验数据包是具有错误TCP校验的数据包。具有错误校验和的数据包会被目标忽略,但IDS设备可能不会计算校验和并直接重新组装所有数据包,这导致了绕过。

坏ACK干扰数据包是指数据包具有错误的ACK字段。目标忽略这些ACK错误的包,但IDS可能会直接重新组装所有的数据包,这可能导致绕过。

You might also like...
The module that allows the collection of data sampling, which is transmitted with WebSocket via WIFI or serial port for CSV file.
The module that allows the collection of data sampling, which is transmitted with WebSocket via WIFI or serial port for CSV file.

The module that allows the collection of data sampling, which is transmitted with WebSocket via WIFI or serial port for CSV file.

A vpn that sits in your browser, accessible via a website

VPNInYourBrowser A vpn that sits in your browser, accessible via a website Example setup: https://VPNInBrowser.jaffa42.repl.co Setup Put the code onto

A vpn that sits in your browser, accessible via a website

VPNInYourBrowser A vpn that sits in your browser, accessible via a website Example setup: https://VPNInBrowser.jaffa42.repl.co Setup Put the code onto

Simple app that redirect fixed URL to changing URL, configurable via POST requests

This is a basic URL redirection service. It stores associations between apps and redirection URLs, for apps with changing URLs. You can then use GET r

Transfer files to and from a Windows host via ICMP in restricted network environments.
Transfer files to and from a Windows host via ICMP in restricted network environments.

ICMP-TransferTools ICMP-TransferTools is a set of scripts designed to move files to and from Windows hosts in restricted network environments. This is

Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3.
Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3.

Scapy Scapy is a powerful Python-based interactive packet manipulation program and library. It is able to forge or decode packets of a wide number of

Shellcode antivirus evasion framework

Schrodinger's Cat Schrodinger'sCat is a Shellcode antivirus evasion framework Technical principle Please visit my blog https://idiotc4t.com/ How to us

Sentello is python script that simulates the anti-evasion and anti-analysis techniques used by malware.
Sentello is python script that simulates the anti-evasion and anti-analysis techniques used by malware.

sentello Sentello is a python script that simulates the anti-evasion and anti-analysis techniques used by malware. For techniques that are difficult t

Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams
Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams

Adversarial Robustness Toolbox (ART) is a Python library for Machine Learning Security. ART provides tools that enable developers and researchers to defend and evaluate Machine Learning models and applications against the adversarial threats of Evasion, Poisoning, Extraction, and Inference. ART supports all popular machine learning frameworks (TensorFlow, Keras, PyTorch, MXNet, scikit-learn, XGBoost, LightGBM, CatBoost, GPy, etc.), all data types (images, tables, audio, video, etc.) and machine learning tasks (classification, object detection, speech recognition, generation, certification, etc.).

AV Evasion, a Red Team Tool - Fiber, APC, PNG and UUID
AV Evasion, a Red Team Tool - Fiber, APC, PNG and UUID

AV Evasion, a Red Team Tool - Fiber, APC, PNG and UUID

2021 Machine Learning Security Evasion Competition

2021 Machine Learning Security Evasion Competition This repository contains code samples for the 2021 Machine Learning Security Evasion Competition. P

ManiSkill-Learn is a framework for training agents on SAPIEN Open-Source Manipulation Skill Challenge (ManiSkill Challenge), a large-scale learning-from-demonstrations benchmark for object manipulation.

ManiSkill-Learn ManiSkill-Learn is a framework for training agents on SAPIEN Open-Source Manipulation Skill Challenge, a large-scale learning-from-dem

Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation
Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation

Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

Experimental proxy for dumping the unencrypted packet data from Brawl Stars (WIP)

Brawl Stars Proxy Experimental proxy for version 39.99 of Brawl Stars. It allows you to capture the packets being sent between the Brawl Stars client

NetMiaou is an crossplatform hacking tool that can do reverse shells, send files, create an http server or send and receive tcp packet
NetMiaou is an crossplatform hacking tool that can do reverse shells, send files, create an http server or send and receive tcp packet

NetMiaou is an crossplatform hacking tool that can do reverse shells, send files, create an http server or send and receive tcp packet

nettrace is a powerful tool to trace network packet and diagnose network problem inside kernel.

nettrace nettrace is is a powerful tool to trace network packet and diagnose network problem inside kernel on TencentOS. It make use of eBPF and BCC.

PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram
PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram

PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

User-friendly packet captures

capture-packets: User-friendly packet captures Please read before using All network traffic occurring on your machine is captured (unless you specify

Comments
  • 无法正常建立TCP连接

    无法正常建立TCP连接

    分别用curl和ev进行测试 curl: curl

    ev(尝试了多次,勾选不同的选项,均无法正常通信): ev

    环境(均为vmware虚拟机): 攻击机: Ubuntu 22.04.1 LTS / python == 3.9.12 / scapy == 2.4.5 靶机:winserver 2012 防火墙全关 / nginx 1.15.11

    opened by 4nth0ny1130 2
Owner
null
Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation

Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation

Mariusz B. 715 Dec 25, 2022
Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

Cybersecurity and Infrastructure Security Agency 1.3k Jan 8, 2023
NetMiaou is an crossplatform hacking tool that can do reverse shells, send files, create an http server or send and receive tcp packet

NetMiaou is an crossplatform hacking tool that can do reverse shells, send files, create an http server or send and receive tcp packet

TRIKKSS 5 Oct 5, 2022
nettrace is a powerful tool to trace network packet and diagnose network problem inside kernel.

nettrace nettrace is is a powerful tool to trace network packet and diagnose network problem inside kernel on TencentOS. It make use of eBPF and BCC.

null 84 Jan 1, 2023
PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram

PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

Srinivas P G 1.4k Dec 28, 2022
User-friendly packet captures

capture-packets: User-friendly packet captures Please read before using All network traffic occurring on your machine is captured (unless you specify

Seth Michael Larson 2 Feb 5, 2022
NetworkX is a Python package for the creation, manipulation, and study of the structure, dynamics, and functions of complex networks.

NetworkX is a Python package for the creation, manipulation, and study of the structure, dynamics, and functions of complex networks.

NetworkX 12k Jan 2, 2023
Client library for relay - a service for relaying server side messages to the client side browsers via websockets.

Client library for relay - a service for relaying server side messages to the client side browsers via websockets.

getme 1 Nov 10, 2021
Program can control your server via discord bot

GTPS Controller Program can control your server via discord bot Require Python How To Use Download This Source Extract The Zip File Paste gtps.py to y

Lamp 2 Mar 15, 2022
Tiny JSON RPC via HTTP library.

jrpc Simplest ever possible Asynchronous JSON RPC via HTTP library for Python, backed by httpx. Installation pip install async-jrpc Usage Import JRPC

Onigiri Team 2 Jan 31, 2022