00:00:06,330 --> 00:01:28,460
One of the goals of a pentesting engagement is to maintain stealth and try to evade and circumvent any security controls that the organization may have in place. There are several tools and techniques that can be used for evasion. We're going to cover a few here. The first one is Veil. Veil is a framework that can be used with Metasploit to evade antivirus checks and other security controls. You can download Veil at the GitHub repository that I'm actually sharing on the screen. Another tool that is used for evasion is Tor, and many people actually use Tor for privacy. It is a free tool that enables users to surf the web anonymously. Tor stands for The Onion Router. Now, Tor works by routing IP traffic through a free worldwide network consisting of thousands of Tor relays. It constantly changes the way that it routes traffic in order to obscure a user's location from anyone monitoring the network. Now, some types of malware also use Tor to cover their tracks, right? That's actually very popular with real attackers, you know, nowadays.

00:01:28,460 --> 00:02:49,150
Now, Tor enables users to evade or circumvent security monitoring and controls because it is actually very hard to attribute and trace back the traffic to the user. The Tor client actually encrypts the data multiple times, and that is sent through a network, or a circuit, that includes randomly selected Tor relays. Then each of the relays decrypts a layer of the onion to reveal only the next relay, so that the remaining encrypted data can be routed through it. Now here, I'm actually just showing the Tor Browser, and you can see that the Tor Browser actually communicated with several nodes in this Tor circuit when the user actually accessed theartofhacking.org, you know, from the Tor Browser. Now, one concept that I want you to know about Tor is the concept of a Tor exit node. And a Tor exit node is basically the last node, or the gateway, where the Tor-encrypted traffic exits to the internet. Now, a Tor exit node can be targeted to monitor Tor traffic in the organization. So many organizations actually block Tor exit nodes in their environment.

00:02:49,150 --> 00:04:00,063
And even the Tor Project has a dynamic list of all the Tor exit nodes that makes this task a little bit easier for people that actually just want to block Tor. Now, another tool that can be used for evasion is called ProxyChains. And ProxyChains can be used for evasion because it actually forces any TCP connection that is made by a specific application to use Tor or any other SOCKS4, SOCKS5, HTTP, or HTTPS proxies. You can download ProxyChains from the GitHub repository that I'm highlighting on this screen. Now, one last evasion tool or technique that I would like to actually highlight is the use of encryption. Now, as you know, encryption has great benefits for security and privacy. But in the world of incident response and forensics, it can actually present several challenges. Even law enforcement agencies have actually been fascinated with the dual nature of encryption. Nowadays, threat actors use encryption as a preferred method of evasion and obfuscation.

00:04:01,812 --> 00:04:08,860
Most of the malware and malicious communication nowadays use some type of encryption