Penetration Testing mailing list archives
Re: [PEN-TEST] IDS Testing
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Tue, 12 Dec 2000 11:48:54 -0600
My favorite method of testing NID systems (like RealSecure, NetProwler, and friends) is just by using common tools that were designed for NIDS evasion. Of these tools, nmap, whisker, and fragrouter all deserve honorable mention. I also like to play with DoS tools. I believe jolt2 and trash on the local network were both able to freeze up some of the the NIDS engine systems I tested (blinding the NIDS), while still maintaining enough bandwidth to leverage other attacks and remain undetected. If I recall correctly, RealSecure does some wicked things when you try to directly DoS the engine. I think it did something with arp that sort of munged my Linux laptop's ability to talk on the network, but I can't remember. It's been a while, but I'll let you figure it out yourself. All I can say is "test it before you show it to an audience". If you're trying to sell a pen-test, show off the fact that some of your attacks can easily evade detection. If you're trying to SELL the product, or sell them managed services, show them how it can detect almost anything you throw at it. Do be sure to throw in the caveat that nothing is 100% secure though. :) nmap -T Paranoid is good, but limit the ports you try. most NID systems will see the scan but they won't put 2 & 2 together to start alerting about an attack in progress. whisker and fragrouter just try to confuse the NIDS. I can guarantee you that your mileage will vary using these tools. --Noah Dunker -----Original Message----- From: Roger Roberts [mailto:rogerwroberts2000 () YAHOO COM] Sent: Tuesday, December 12, 2000 10:06 AM To: PEN-TEST () SECURITYFOCUS COM Subject: IDS Testing Hello all, We here are going to be conducting a local testing on a proposal IDS System (Real Secure). I would like to know if anyone has written test documentation or other show stoppers they accomplished during the test. Thanks Roger __________________________________________________ Do You Yahoo!? Yahoo! Shopping - Thousands of Stores. Millions of Products. http://shopping.yahoo.com/
Current thread:
- [PEN-TEST] IDS Testing Roger Roberts (Dec 13)
- Re: [PEN-TEST] IDS Testing Talisker (Dec 14)
- <Possible follow-ups>
- Re: [PEN-TEST] IDS Testing Wertheimer, Ishai (Dec 13)
- Re: [PEN-TEST] IDS Testing Dunker, Noah (Dec 13)
- Re: [PEN-TEST] IDS Testing jeru (Dec 13)