Penetration Testing mailing list archives

Re: [PEN-TEST] IDS Testing


From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Tue, 12 Dec 2000 11:48:54 -0600

My favorite method of testing NID systems (like RealSecure,
NetProwler, and friends) is just by using common tools
that were designed for NIDS evasion.  Of these tools, nmap,
whisker, and fragrouter all deserve honorable mention.

I also like to play with DoS tools.  I believe jolt2 and
trash on the local network were both able to freeze up
some of the NIDS engine systems I tested (blinding the
NIDS), while still maintaining enough bandwidth to leverage
other attacks and remain undetected.  If I recall correctly,
RealSecure does some wicked things when you try to directly
DoS the engine.  I think it did something with arp that sort
of munged my Linux laptop's ability to talk on the network,
but I can't remember.  It's been a while, but I'll let you
figure it out yourself.  All I can say is "test it before
you show it to an audience".  If you're trying to sell a
pen-test, show off the fact that some of your attacks can
easily evade detection.  If you're trying to SELL the
product, or sell them managed services, show them how it
can detect almost anything you throw at it.  Do be sure
to throw in the caveat that nothing is 100% secure though.
:)

nmap -T Paranoid is good, but limit the ports you try.
Most NID systems will see the scan but they won't put 2 & 2
together to start alerting about an attack in progress.

whisker and fragrouter just try to confuse the NIDS.  I can
guarantee you that your mileage will vary using these tools.

--Noah Dunker


-----Original Message-----
From: Roger Roberts [mailto:rogerwroberts2000 () YAHOO COM]
Sent: Tuesday, December 12, 2000 10:06 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: IDS Testing


Hello all,
We here are going to be conducting local testing on
a proposed IDS system (Real Secure).  I would like to
know if anyone has written test documentation or other
show stoppers they accomplished during the test.

Thanks

Roger
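
Added example, not part of the original posts: a sketch of the correlation the reply says most NIDS skip, counting distinct destination ports per source over a long window so that widely spaced probes still add up to a scan. The event tuples, addresses, thresholds and function names are constructed for illustration; the 300-second spacing mirrors the gap nmap's Paranoid timing leaves between probes.

```python
from collections import defaultdict

def sample_events():
    """Constructed events: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    ports = [21, 22, 23, 25, 80, 110, 143, 443]
    # Slow source: one probe every 300 s (Paranoid-style spacing).
    events = [(i * 300, "10.0.0.66", "10.0.0.5", p) for i, p in enumerate(ports)]
    # Fast source: the same ports within a few seconds.
    events += [(1000 + i, "10.0.0.77", "10.0.0.5", p) for i, p in enumerate(ports)]
    # Benign client: repeated connections to a single port.
    events += [(t, "10.0.0.20", "10.0.0.5", 80) for t in range(0, 2400, 200)]
    return sorted(events)

def detect_scanners(events, window, min_ports):
    """Return sources that touched at least min_ports distinct ports on one
    destination within any sliding window of `window` seconds."""
    recent = defaultdict(list)  # (src, dst) -> [(ts, port), ...] still in window
    flagged = set()
    for ts, src, dst, port in events:
        key = (src, dst)
        # Expire observations that fell out of the window, then add this one.
        recent[key] = [(t, p) for t, p in recent[key] if ts - t < window]
        recent[key].append((ts, port))
        if len({p for _, p in recent[key]}) >= min_ports:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    # A short window only catches the fast sweep.
    print("60 s window:  ", sorted(detect_scanners(ev, 60, 5)))
    # A long window also correlates the slow probes into one scan.
    print("1 hour window:", sorted(detect_scanners(ev, 3600, 5)))
```

The long window costs memory per (source, destination) pair, which is the trade-off a sensor makes when it keeps scan state for only a short time.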




