
Commit 9fd8783

Merge pull request #1993 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_pentesting-network_ids-evasion_20260312_170734
Research Update Enhanced src/generic-methodologies-and-resou...
2 parents 89add44 + 10683b0 commit 9fd8783

1 file changed

Lines changed: 25 additions & 0 deletions


src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md

@@ -41,10 +41,35 @@ Or maybe, 2 packets with the same offset comes and the host has to decide which
4141
- **First** (Windows): First value that comes, value that stays.
4242
- **Last** (cisco): Last value that comes, value that stays.
4343

44+
45+
## **TCP Stream Overlap / Reassembly Mismatch**
46+
47+
Like IP fragments, **overlapping TCP segments** can be reassembled differently by the IDS/IPS and by the destination host. If the sensor and the host disagree on **which bytes win** in the overlap, you can place benign bytes where the IDS/IPS looks and malicious bytes where the host finally reassembles them.
48+
49+
- Send a benign segment first and a **malicious overlapping segment** later (or invert the order) depending on the target OS reassembly policy.
50+
- Use **tiny overlaps** to keep the stream valid for the host while maximizing ambiguity for the sensor.
51+
52+
## **IPv6 Extension Headers & Fragment Tricks**
53+
54+
IPv6 allows **arbitrary header chains**, and the upper-layer (TCP/UDP/ICMPv6) header appears **after** all extension headers. If a device doesn’t parse the full chain, it can be bypassed by inserting extension headers or by fragmenting so the upper-layer header is not visible where the device expects it. RFC 7112 **requires the entire IPv6 header chain to be present in the first fragment**; devices that accept non-compliant tiny fragments can be evaded by pushing the L4 header into later fragments.
55+
56+
Practical patterns:
57+
58+
- **Long extension-header chains** to push the upper-layer header deeper in the packet.
59+
- **Small first fragments** that contain only IPv6 + Fragment + options, leaving the L4 header for later fragments.
60+
- Combining **extension headers + fragmentation** to hide the real upper-layer protocol from devices that only inspect the first fragment.
61+
4462
## Tools
4563

4664
- [https://github.com/vecna/sniffjoke](https://github.com/vecna/sniffjoke)
65+
- [https://github.com/secdev/scapy](https://github.com/secdev/scapy)
66+
67+
68+
69+
## References
4770

71+
- [https://www.rfc-editor.org/rfc/rfc7112](https://www.rfc-editor.org/rfc/rfc7112)
72+
- [https://www.rfc-editor.org/rfc/rfc9098](https://www.rfc-editor.org/rfc/rfc9098)
4873

4974
{{#include ../../banners/hacktricks-training.md}}
5075
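Review bot: the new "TCP Stream Overlap / Reassembly Mismatch" section never ties its "benign first / malicious later (or invert the order)" advice back to the First/Last policy list that sits directly above it at the top of the hunk, so a reader cannot tell which ordering corresponds to which policy; one sentence such as "which order wins follows the same First/Last policy as for IP fragments" would close that gap. The IPv6 section states what neutralises the trick (devices that enforce the RFC 7112 first-fragment requirement are not affected), but the TCP section has no equivalent "what blocks this" sentence; adding one (normalising or discarding overlapping segments before inspection) keeps the two sections symmetrical. Minor points: the Tools list adds scapy with no note of which of the new techniques it supports, and the hunk leaves four consecutive blank lines before "## References" where the surrounding file uses one.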
