Stealthy Hacking: IDS/Firewall Evasion Techniques for Ethical Hackers
Getting into a network is only half the battle. Staying undetected while you operate and exfiltrating data without triggering alerts is where skill matters.
These techniques let you move through networks like a ghost, bypassing security controls and slipping past intrusion detection systems and firewalls silently.
Writer’s note: This guide covers evasion strategies at a high level. If you want step-by-step technical guides, leave a comment and I’ll make them.
1. Firewalking - Map allowed ports with TTL
Firewalking discovers which ports a firewall lets through without completing a connection to the host behind it. It works by setting the Time-To-Live (TTL) of probe packets so they expire one hop beyond the firewall. A router that decrements a packet’s TTL to zero discards it and returns an ICMP “time exceeded” message, so a probe the firewall forwards draws a reply from the next hop, while a probe the firewall drops draws nothing.
By first incrementing the TTL to learn the firewall’s hop count, then probing each port at one hop beyond it and noting which probes elicit a reply and which meet silence, you can map the firewall’s rule set.
Tools like Firewalk and hping3 systematically probe port ranges to build a picture of what the firewall allows through. This technique is stealthier than direct port scanning because it leverages normal network diagnostic behavior that resembles traceroute traffic.
2. Banner Grabbing - Identify vulnerable service versions
Banner grabbing extracts version information from network services by connecting to open ports and capturing the initial response headers they send.
When you connect to a web server, FTP server, SSH daemon, or mail server, it typically announces itself with a banner containing software name and version number.
Tools like netcat, telnet, and Nmap’s scripting engine can retrieve these banners. The information reveals patch levels and helps identify known vulnerabilities associated with specific software versions.
Advanced banner grabbing can fingerprint operating systems and service configurations without triggering intrusion detection signatures, since connecting to open services is normal network behavior.
3. IP Address Spoofing - Appear as trusted source
IP spoofing involves forging the source address in packet headers to make traffic appear as if it originates from a trusted host rather than the attacker. Tools like Scapy and hping3 allow crafting packets with arbitrary source IPs. This can bypass IP-based access control lists and firewall rules that trust specific addresses.
The challenge is that response packets go to the spoofed address, not the attacker, making this primarily useful for denial-of-service attacks or when combined with network sniffing capabilities.
Some attackers use spoofing in conjunction with session hijacking, where they predict sequence numbers to insert themselves into ongoing connections.
4. Source Routing - Bypass security checkpoints
Source routing exploits an IP option that lets the sender specify the exact path packets should take through a network. By designating specific routers as waypoints, attackers can potentially route traffic around security devices or through trusted network segments.
Loose source routing allows some flexibility in the path, while strict source routing mandates every hop. Modern networks typically disable source routing because of these security implications, but misconfigurations still exist.
Testing tools can verify whether routers honor source routing options, revealing potential paths that bypass firewalls or IDS sensors positioned on other network routes.
5. Tiny Fragments - Evade packet inspection
Tiny fragmentation splits packets into unusually small pieces to evade intrusion detection systems that only inspect the first fragment or fail to properly reassemble fragmented traffic. By fragmenting TCP headers across multiple IP fragments, attackers can hide port numbers, flags, and payload signatures that IDS rules look for.
Some security devices have resource constraints that prevent them from tracking and reassembling all fragments, especially under heavy load. Tools like fragroute and Nmap’s fragmentation options create these tiny fragments.
Detecting this requires security devices to buffer and reassemble all fragments before inspection, which some older or misconfigured systems cannot do.
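The reassemble-before-inspect requirement above, as an added example that is not code from the original post: the single-fragment screen applies the two RFC 1858 rules (a TCP first fragment too small to hold the ports and flags, and a fragment at offset 1 that could overwrite them), and the reassembler buffers every fragment of a datagram until the whole payload is present. Fragments are modelled as plain dicts with the IP header fields an inspector needs; the field names and the sample fragments are constructed for this example, not a capture format.

```python
"""Tiny-fragment screening and full reassembly before inspection."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PROTO_TCP = 6
# RFC 1858's suggested minimum for a TCP first fragment: 16 bytes covers the
# ports, sequence/ack numbers and flags, so they cannot be split off into a
# later fragment that the inspector never sees.
TMIN_TCP = 16


def screen_fragment(frag: dict) -> List[str]:
    """Return the RFC 1858 rule names this single fragment violates."""
    reasons = []
    if frag["proto"] != PROTO_TCP:
        return reasons
    if frag["offset"] == 0 and frag["mf"] and len(frag["data"]) < TMIN_TCP:
        reasons.append("tiny-first-fragment")   # header continues in a later fragment
    if frag["offset"] == 1:
        reasons.append("offset-one-fragment")   # could overwrite header bytes 8..15
    return reasons


class Reassembler:
    """Buffer fragments per datagram and hand back only complete payloads."""

    def __init__(self) -> None:
        self._parts: Dict[Tuple, List[dict]] = defaultdict(list)

    def add(self, frag: dict) -> Optional[bytes]:
        key = (frag["src"], frag["dst"], frag["ident"], frag["proto"])
        self._parts[key].append(frag)
        return self._try_complete(key)

    def _try_complete(self, key) -> Optional[bytes]:
        parts = sorted(self._parts[key], key=lambda f: f["offset"])
        last = [f for f in parts if not f["mf"]]
        if not last:
            return None                          # final fragment not seen yet
        total = last[0]["offset"] * 8 + len(last[0]["data"])
        buf = bytearray(total)
        covered = bytearray(total)               # 1 where a byte has arrived
        for f in parts:
            start = f["offset"] * 8              # offset is in 8-byte units
            end = start + len(f["data"])
            if end > total or any(covered[start:end]):
                del self._parts[key]             # past the end or overlapping
                raise ValueError(f"malformed fragment set for {key}")
            buf[start:end] = f["data"]
            covered[start:end] = b"\x01" * (end - start)
        if not all(covered):
            return None                          # a hole remains
        del self._parts[key]
        return bytes(buf)


def demo() -> dict:
    """Run both checks over constructed fragments (sample data, not a capture)."""
    base = {"src": "198.51.100.7", "dst": "10.0.0.5", "proto": PROTO_TCP}
    # Normal two-fragment segment: the full 20-byte TCP header sits in part 1.
    normal = [
        dict(base, ident=1, offset=0, mf=True, data=b"H" * 24),
        dict(base, ident=1, offset=3, mf=False, data=b"P" * 10),
    ]
    # Tiny first fragment: 8 bytes of header, the flags arrive in part 2.
    tiny = [
        dict(base, ident=2, offset=0, mf=True, data=b"H" * 8),
        dict(base, ident=2, offset=1, mf=False, data=b"F" * 12),
    ]
    out = {"normal_payload": None, "tiny_findings": []}
    r = Reassembler()
    for f in normal:
        done = r.add(f)
        if done is not None:
            out["normal_payload"] = done
    for f in tiny:
        out["tiny_findings"].extend(screen_fragment(f))
    return out
```

A sensor that applies only the single-fragment screen still misses overlapping rewrites, which is why the reassembler refuses overlaps outright rather than picking a first-wins or last-wins policy; the right policy depends on the host behind it, and a sensor that guesses differently from the host is exactly what the evasion relies on.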
6. IP Instead of URL - Circumvent web filters
Many web filters and content security systems operate by matching domain names against blacklists or categorization databases.
Accessing resources directly by IP address bypasses these URL-based controls.
The technique extends further by writing the IP in alternative forms: a single 32-bit decimal number, octal or hexadecimal components, or an IPv4-mapped IPv6 address, all of which browsers understand but filters may not recognize. It works because the filter sees a string that isn’t in its URL database, while the browser resolves it to the same destination.
Application-layer filters focused on domain reputation completely miss IP-based access, making this effective against less sophisticated web security gateways.
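The fix on the filter side is to canonicalize the host before the lookup. As an added example, not code from the original post, the function below reduces every IPv4 spelling a browser accepts (dotted quad, single decimal number, octal or hex components, and the IPv4-mapped IPv6 literal) to one dotted-quad string, following the classic inet_aton() rules; the blocklist entry it checks against is a constructed sample.

```python
"""Canonicalize alternative IPv4 spellings before a URL filter looks them up."""
import ipaddress
import re
from typing import Optional

# A dotted component may be decimal, octal (leading 0) or hex (0x), the same
# component rules the classic inet_aton() parser applies.
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _component(part: str) -> int:
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-quad form of any IPv4 spelling, or None for a name."""
    host = host.strip().strip("[]")
    if ":" in host:                            # IPv6 literal: only IPv4-mapped ones count
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return None
        mapped = getattr(addr, "ipv4_mapped", None)
        return str(mapped) if mapped else None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None                            # a hostname, or malformed
    *lead, last = [_component(p) for p in parts]
    if any(v > 255 for v in lead):
        return None
    # inet_aton semantics: the last component fills all remaining bytes,
    # so "192.0.513" and "3221225985" are both 192.0.2.1.
    remaining = 4 - len(lead)
    if last >= 1 << (8 * remaining):
        return None
    number = last
    for i, v in enumerate(lead):
        number |= v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(number))


BLOCKLIST = {"192.0.2.1"}                      # constructed sample entry


def is_blocked(host: str) -> bool:
    """Filter lookup that sees through the alternative encodings."""
    canon = canonical_ipv4(host)
    return (canon if canon is not None else host.lower()) in BLOCKLIST
```

Note that a URL library's own parser is not a substitute: most return the host string untouched, so the comparison has to be done on the canonical form produced here, and a name-based filter additionally needs to resolve hostnames and compare the resulting addresses.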
7. Proxy Server - Hide your real location
Routing traffic through proxy servers masks the attacker’s true origin and can bypass geographic restrictions, IP blacklists, and network monitoring. Proxy chains pass traffic through several proxy hops in turn, making attribution considerably harder.
Tools like ProxyChains, Tor, and SSH dynamic port forwarding create these intermediary connections. SOCKS proxies can tunnel any TCP protocol, not just HTTP. For penetration testing, intercepting proxies like Burp Suite and OWASP ZAP sit between the tester and target, allowing traffic inspection and modification.
The proxy appears as the traffic source to the target, while the real attacker remains hidden behind potentially multiple layers of intermediaries.
8. ICMP Tunneling - Exfiltrate data via ping
ICMP tunneling encapsulates data inside ICMP echo request and reply packets, which firewalls commonly allow for network diagnostics. Since ping is rarely blocked, it creates a covert channel for command execution and data exfiltration.
Tools like ptunnel and icmptunnel establish bidirectional communication by embedding TCP/IP traffic within ICMP payloads. Normal ping packets have standard sizes, so detection requires monitoring for anomalous ICMP traffic with unusual payload sizes or frequencies.
Attackers can throttle transmission rates to blend with legitimate network diagnostics. The technique is particularly effective in networks with strict firewall rules that only permit ICMP and DNS outbound.
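The detection approach named above (unusual payload sizes and unusual frequency), as an added example that is not code from the original post: it groups echo packets by source/destination pair from a flow log and scores each pair. The log line format, the sample lines and the thresholds are constructed for this example; the baseline sizes are the payload lengths of the stock Windows (32 bytes) and Linux/BSD (56 bytes) ping tools.

```python
"""Score ICMP echo pairs that do not look like ordinary diagnostics."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

BASELINE_SIZES = {32, 56}      # stock ping payload sizes (Windows, Linux/BSD)
MAX_PACKETS_PER_SEC = 2.0      # sustained rate above this is not a human ping
MAX_DISTINCT_SIZES = 2         # a tunnel varies the size with each chunk

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) type=(?P<type>\d+) len=(?P<len>\d+)$"
)

# Constructed sample: one host pinging normally, one host moving data.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 -> 198.51.100.7 type=8 len=56
2024-05-01T10:00:01Z 10.0.0.5 -> 198.51.100.7 type=8 len=56
2024-05-01T10:00:02Z 10.0.0.5 -> 198.51.100.7 type=8 len=56
2024-05-01T10:00:03Z 10.0.0.5 -> 198.51.100.7 type=8 len=56
2024-05-01T10:00:00Z 10.0.0.9 -> 203.0.113.4 type=8 len=1024
2024-05-01T10:00:00Z 10.0.0.9 -> 203.0.113.4 type=8 len=980
2024-05-01T10:00:00Z 10.0.0.9 -> 203.0.113.4 type=8 len=1024
2024-05-01T10:00:01Z 10.0.0.9 -> 203.0.113.4 type=8 len=1024
2024-05-01T10:00:01Z 10.0.0.9 -> 203.0.113.4 type=8 len=512
2024-05-01T10:00:01Z 10.0.0.9 -> 203.0.113.4 type=8 len=1024
2024-05-01T10:00:02Z 10.0.0.9 -> 203.0.113.4 type=8 len=1024
2024-05-01T10:00:02Z 10.0.0.9 -> 203.0.113.4 type=8 len=77
"""


def parse(log: str) -> List[dict]:
    """Turn the constructed log lines into records; unparseable lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "ts": datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
            "src": d["src"], "dst": d["dst"],
            "type": int(d["type"]), "len": int(d["len"]),
        })
    return rows


def score_pairs(rows: List[dict]) -> Dict[tuple, List[str]]:
    """Return {(src, dst): [reasons]} for echo pairs that look anomalous."""
    groups = defaultdict(list)
    for r in rows:
        if r["type"] in (0, 8):               # echo reply / echo request only
            groups[(r["src"], r["dst"])].append(r)
    findings = {}
    for pair, pkts in groups.items():
        reasons = []
        sizes = [p["len"] for p in pkts]
        if any(s not in BASELINE_SIZES for s in sizes):
            reasons.append("non-standard payload size")
        if len(set(sizes)) > MAX_DISTINCT_SIZES:
            reasons.append("payload size varies per packet")
        span = (max(p["ts"] for p in pkts) - min(p["ts"] for p in pkts)).total_seconds()
        rate = len(pkts) / max(span, 1.0)     # floor the window at one second
        if rate > MAX_PACKETS_PER_SEC:
            reasons.append(f"{rate:.1f} packets/s")
        if reasons:
            findings[pair] = reasons
    return findings
```

A throttled tunnel defeats the rate signal, which is why the size signals are scored independently; conversely an administrator running ping with a large packet size will trip the size check, so the thresholds are a starting point to tune against your own baseline rather than fixed rules.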
9. ACK/HTTP Tunneling - Tunnel blocked protocols in allowed traffic
ACK tunneling exploits how stateful firewalls handle TCP acknowledgment packets. By sending data in packets with only the ACK flag set, attackers leverage firewall assumptions that these belong to established connections.
Stateless firewalls and some stateful systems under load may allow ACK packets through without verifying the connection handshake occurred. HTTP tunneling wraps forbidden protocols like SSH or RDP inside HTTP requests and responses.
Since port 80/443 traffic is almost never blocked, tools like HTTPTunnel and Chisel create these encapsulated channels. The firewall sees normal web traffic while prohibited protocols tunnel through invisibly, defeating protocol-based blocking rules.
10. SSH/DNS Tunneling - Encrypt covert communication channels
SSH tunneling creates encrypted channels that can carry any TCP protocol through SSH’s secure connection. Local, remote, and dynamic port forwarding options make internal services accessible from outside networks or vice versa.
DNS tunneling encodes data within DNS queries and responses, which are rarely filtered since DNS resolution is essential for network operation. Tools like Iodine and dnscat2 implement bidirectional DNS tunnels that support command execution and file transfer.
Each DNS query can carry small amounts of encoded data in subdomains, while responses contain encoded replies. Since DNS typically uses UDP and requires no connection establishment, it’s extremely difficult to block without breaking legitimate name resolution.
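Because the data rides in the subdomain labels, the query stream itself is the signal. As an added example, not code from the original post, the scorer below groups queries by parent domain and checks the three properties the text implies: many unique subdomains, long leftmost labels, and labels whose characters look encoded rather than like words (measured as Shannon entropy). The log format, sample queries and thresholds are constructed for this example, and the parent-domain split is a crude two-label guess rather than a public-suffix-list lookup.

```python
"""Flag DNS query streams whose subdomains look like a data channel."""
import math
import re
from collections import Counter, defaultdict
from typing import Dict

MIN_UNIQUE_SUBDOMAINS = 5
MIN_AVG_LABEL_LEN = 20
MIN_AVG_ENTROPY = 3.0          # bits per character of the leftmost label

LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\w+)$")

# Constructed sample: ordinary lookups plus a stream of encoded-looking names.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 www.example.com A
2024-05-01T10:00:03Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:09Z 10.0.0.5 www.example.com AAAA
2024-05-01T10:00:00Z 10.0.0.9 kq7x2mzb4hv9p0dn3wlt5cagy6rsue.t.example.net TXT
2024-05-01T10:00:00Z 10.0.0.9 zp3m8ae1wqn6yk5vcd0hx7tfb2ls9j.t.example.net TXT
2024-05-01T10:00:01Z 10.0.0.9 7ncw2ystrd5qle8hk0ajxo4fm3zvb1.t.example.net TXT
2024-05-01T10:00:01Z 10.0.0.9 ml4gbe9pu2xs5zq8rk0nv3hd6wyatc.t.example.net TXT
2024-05-01T10:00:02Z 10.0.0.9 cx6fh1tbym8ro3jp5vs2wzk0d9qaen.t.example.net TXT
2024-05-01T10:00:02Z 10.0.0.9 e5wdt9kvn7qzs3cxm1gpa6bh0yj2rl.t.example.net TXT
"""


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for a repeated character."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_domains(log: str) -> Dict[str, dict]:
    """Per parent domain: unique names, average label length and entropy, verdict."""
    per_domain = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        qname = m.group("qname").lower()
        per_domain[parent_domain(qname)].add(qname)
    results = {}
    for dom, names in per_domain.items():
        first_labels = [n.split(".")[0] for n in names]
        stats = {
            "unique": len(names),
            "avg_len": sum(map(len, first_labels)) / len(first_labels),
            "avg_entropy": sum(map(entropy, first_labels)) / len(first_labels),
        }
        stats["suspicious"] = (
            stats["unique"] >= MIN_UNIQUE_SUBDOMAINS
            and stats["avg_len"] >= MIN_AVG_LABEL_LEN
            and stats["avg_entropy"] >= MIN_AVG_ENTROPY
        )
        results[dom] = stats
    return results
```

Content-delivery and anti-spam services also generate long, high-entropy labels under a handful of domains, so in practice the verdict is gated by an allowlist of known senders and by volume over time; the scoring itself is what stays the same.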
11. External Systems - Pivot through trusted partners
Compromising external systems that have trust relationships with the target network provides an entry point that bypasses perimeter defenses. Partner organizations, vendors with VPN access, cloud service providers, and managed service providers often have privileged network access.
Tools like BloodHound map Active Directory trust relationships to identify these external connections. Exploiting a supplier’s weaker security to access a harder target is called “island hopping.” VPN concentrators, jump hosts, and cloud peering connections become pivot points for lateral movement.
Since the traffic originates from a trusted partner network, it bypasses IP whitelists and geographic restrictions that would block direct attacks.
12. MITM Attack - Intercept and manipulate traffic
Man-in-the-Middle attacks position the attacker between communicating parties to intercept, read, and modify traffic without their knowledge.
A common technique uses DNS poisoning to redirect victims to attacker-controlled servers that impersonate legitimate destinations. When a user looks up a legitimate domain, the poisoned resolver returns the attacker’s IP address instead of the real one.
The victim’s browser connects to the malicious server, which can harvest credentials, inject malicious code, or proxy the connection to the real server while capturing all traffic in between. ARP spoofing is another approach that poisons the local network’s address resolution tables, redirecting traffic through the attacker’s machine.
For HTTPS traffic, tools attempt to downgrade connections to unencrypted HTTP or present fraudulent certificates. This bypasses firewall and IDS protections because the traffic appears to originate from internal users making legitimate outbound connections to trusted domains. The attack evades detection since DNS resolution and normal web browsing are expected behaviors that security devices allow through.
13. XSS Attack - Execute code on trusted sites
Cross-Site Scripting injects malicious JavaScript into trusted websites, which then executes in victims’ browsers with the site’s privileges. Because the script runs in the context of the legitimate origin, the same-origin policy treats it as the site’s own code, and a permissive content security policy does nothing to stop it.
Reflected XSS bounces malicious scripts off web servers in crafted URLs. Stored XSS permanently injects code into databases that executes for every user viewing the infected content. DOM-based XSS exploits client-side JavaScript processing.
Once executing, the malicious script can steal cookies, session tokens, and sensitive data, or use the victim’s browser to scan internal networks and make authenticated requests to internal resources that the external attacker couldn’t directly reach.
14. HTML Smuggling - Bypass file scanning gateways
HTML smuggling constructs malicious files client-side using JavaScript rather than transmitting them across the network as complete files. The technique encodes executables as base64 strings within HTML or JavaScript, then uses browser APIs like Blob and createObjectURL to assemble and download the file in the victim’s browser.
Since email gateways and web proxies scan files crossing network boundaries, they never see the assembled executable, only HTML and encoded text that appears benign. Tools can prepare payloads and encode them for embedding.
Detection requires monitoring for suspicious JavaScript patterns, Blob object creation, and files appearing on disk without corresponding network downloads.
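The "suspicious JavaScript patterns" check above, as an added example that is not code from the original post: a scanner a gateway that already parses HTML can run over page bodies, scoring the co-occurrence of a large base64 literal with the file-assembly APIs the text names (Blob, createObjectURL) and a synthetic download. The indicator list, weights and threshold are this example's assumptions, not a vendor signature set, and both sample documents are constructed schematics with filler data.

```python
"""Score web content for the HTML smuggling pattern."""
import re
from typing import Dict, List

# (name, pattern, weight). A large base64 literal alone is common (inline
# images); it becomes interesting next to the file-assembly APIs.
INDICATORS = [
    ("large-base64-literal", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 1),
    ("atob-decode",          re.compile(r"\batob\s*\("), 1),
    ("blob-construct",       re.compile(r"\bnew\s+Blob\s*\("), 2),
    ("object-url",           re.compile(r"\bcreateObjectURL\s*\("), 2),
    ("legacy-save-blob",     re.compile(r"\bmsSaveOrOpenBlob\b"), 2),
    ("download-attr",        re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"), 1),
    ("synthetic-click",      re.compile(r"\.click\s*\(\s*\)"), 1),
]
ALERT_THRESHOLD = 5


def scan_html(body: str) -> Dict[str, object]:
    """Return the indicators that matched, their total weight and the verdict."""
    hits: List[str] = [name for name, pat, _ in INDICATORS if pat.search(body)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


# Constructed samples: a schematic of the pattern with filler base64, and an
# ordinary page with an inline image and a normal download link.
SMUGGLE_SAMPLE = """
<script>
  var data = atob('""" + "QUFB" * 80 + """');
  var blob = new Blob([data], {type: 'application/octet-stream'});
  var url = URL.createObjectURL(blob);
  link.download = 'report.pdf';
  link.click();
</script>
"""
BENIGN_SAMPLE = """
<img src="data:image/png;base64,""" + "iVBORw0KGgo" * 30 + """" alt="logo">
<a href="/files/report.pdf" download="report.pdf">Download the report</a>
"""
```

String matching is deliberately the weak form of this check: obfuscated property access (`window['Blob']`, string-built API names) defeats it, so the same scoring is better fed from a JavaScript parser or from the browser-side telemetry the text mentions (Blob creation, and files landing on disk with no matching network download).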
15. Windows BITS - Transfer files via background service
Background Intelligent Transfer Service is a legitimate Windows component designed for downloading updates without disrupting user activity.
BITS operates at low priority, automatically pausing during user activity and resuming when idle, making transfers nearly invisible to users.
Jobs survive reboots and network interruptions, automatically resuming when connectivity returns. PowerShell and bitsadmin command-line tools create BITS jobs that download or upload files while appearing as normal Windows system traffic.
Since BITS uses the trusted svchost.exe process with Microsoft’s digital signature, it evades many security controls.
Detection requires monitoring BITS job creation, especially those initiated by non-system users or downloading from non-Microsoft domains.
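The triage rule just stated (jobs created by non-system users, or talking to non-Microsoft hosts), as an added example that is not code from the original post. Job records are constructed dicts; in practice they would be populated from the Microsoft-Windows-Bits-Client operational event log or from `Get-BitsTransfer -AllUsers`. The service-account list, the trusted-domain suffixes and the record field names are this example's assumptions to tune locally.

```python
"""Triage BITS jobs by owner, destination and direction."""
import ipaddress
from typing import Dict, List
from urllib.parse import urlparse

SERVICE_ACCOUNTS = {
    "nt authority\\system",
    "nt authority\\network service",
    "nt authority\\local service",
}
# Assumed trusted suffixes; extend with your own update and CDN domains.
MICROSOFT_DOMAINS = ("microsoft.com", "windowsupdate.com", "windows.com")


def host_is_microsoft(host: str) -> bool:
    """Suffix match that rejects look-alikes such as microsoft.com.evil.example."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def host_is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_job(job: dict) -> List[str]:
    """Return reasons this job deserves a look (empty list = looks routine)."""
    reasons = []
    host = urlparse(job["url"]).hostname or ""
    if job["owner"].lower() not in SERVICE_ACCOUNTS:
        reasons.append(f"created by interactive user {job['owner']}")
    if host_is_raw_ip(host):
        reasons.append(f"transfers to a raw IP address {host}")
    elif not host_is_microsoft(host):
        reasons.append(f"non-Microsoft destination {host}")
    if job.get("direction", "download").lower() == "upload":
        reasons.append("upload job (possible exfiltration)")
    return reasons


def triage_all(jobs: List[dict]) -> Dict[str, List[str]]:
    return {j["name"]: triage_job(j) for j in jobs}


SAMPLE_JOBS = [  # constructed records, not real log entries
    {"name": "WU Client Download", "owner": "NT AUTHORITY\\SYSTEM",
     "url": "http://download.windowsupdate.com/c/msdownload/update/x.cab",
     "direction": "download"},
    {"name": "update-check", "owner": "CORP\\jsmith",
     "url": "http://203.0.113.25/u/update.bin", "direction": "download"},
    {"name": "backup", "owner": "CORP\\jsmith",
     "url": "https://files.example.org/upload", "direction": "upload"},
]
```

Legitimate software installers also create user-owned BITS jobs to vendor CDNs, so the output is a ranked worklist rather than a block decision; the raw-IP and upload reasons are the ones worth alerting on directly.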
Evasion: Be a Ghost in the Wire
By mastering these techniques, you will become a skilled hacker who can move through networks undetected and use advanced methods to download or exfiltrate data without leaving traces.
These skills are especially valuable for ethical hackers because they provide insight into how attackers access systems and remain undetected. Firewalls and IDS/IPS systems must be continuously fine-tuned to keep pace with the latest attack techniques. Happy hacking!



Awesome post
Not a technical user but would like more info on how Technique 9 would be implemented in the context of freeriding attacks
Thanks