It’s now time for you to have fun with your next generation firewall!
What2Evade is now fully available on GitHub: https://github.com/What2Code/What2Evade
A quick reminder about what is What2Evade
W2E is a tool designed to bypass application control engine on next-gen firewalls…
Next-Gen firewalls ?
Next-generation firewalls (and some IPS) are “applications aware”, they use deep inspection to recognize protocols and match the traffic with signatures.
What’s an application in the NGFW world ? Depending on the signature, it can be:
- Facebook Chat
- Google Search, FTP ,Torrent, SMB
- Web Browsing
What2Evade is a customizable tool and allow to easily change the data which encapsulates the payload to match a specific application such as Google Search or whatever you want.
The encapsulated payload is encoded with base64, but could be also obfuscated which would make it completely undetectable to a “next-gen” firewall, or an IPS.
How it works ?
Currently, only TCP protocols such as SSH or VNC are supported in that release. These protocols implies that the server “talks first”, which means they send you data once you connect to it which is perfect for such use of What2Evade…
- Both client & server are listening for connections and are ready to forward them
- What2Evade client uses a magic packet (user defined) request first to ensure that What2Evade server is running on the remote host
- Then, What2Evade switches to “forwarding mode” and starts to encapsulate/encode/decode data on both sides
Whatever the mode (client or server) relies on one XML configuration file that can be customized to match a specific HTTP application
How to use it ?
With a nice video example !
You’ll see other video of that tool on my Youtube channel 😉
Why the hell did i wrote it in Java ?!
What2Evade has been written during an penetration test, and i noticed that Java was available by default on a lot of workstations of my customer… Now, you know!