Penetration Testing mailing list archives
RE: IDS and Unicode
From: Parth Galen <Parth_Galen () ziplip com>
Date: 5 Jun 2001 16:43:53 -0000
Kevin (and all the others who have replied), thanks MUCH. I appreciate the helpful feedback.

You are so right! There will be (many) Unicode strings that are completely legit (space,;:). You would need to take your site's use of Unicode strings into consideration before filtering any Unicode. But my point was more about using Unicode to hide the ".exe" string (and others like "rdisk", "TFTP"). The goal being, is this a worthwhile technique for testing IDSs, or is it too trivial?

Here are portions from my IIS 4 log. The first has spaces in place of the Unicode I used, the second and third show strings that are decoded from the Unicode. In all cases, a legit string is obscured on the wire (inbound), and in the IIS logs.

GET, /winnt/system32/cmd.exe, /c+dir+C:/,
GET, /scripts/..=C0%9v../winnt/system32/cmd.exe, /c+dir,
GET, /scripts/..=C1%8s../winnt/system32/cmd.exe, /c+dir,

Again, thanks much for all the feedback!
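Added example, not part of the original post: one way an IDS or log pipeline can handle the obscured strings discussed above is to normalize the URI before signature matching and to alert on the lead bytes 0xC0 and 0xC1, which never occur in valid UTF-8. The function names and sample inputs are constructed for illustration; the signature list is taken from the strings named in the post.

```python
import re

# Strings the post mentions as candidates for hiding from an IDS.
SIGNATURES = (".exe", "rdisk", "tftp")

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def percent_decode(raw: bytes) -> bytes:
    """Decode well-formed %XX escapes once; malformed escapes are left untouched."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def fold_overlong(data: bytes):
    """Fold 2-byte overlong sequences (lead 0xC0/0xC1) to the ASCII byte a
    lenient decoder would produce. Returns (folded_bytes, saw_invalid_lead)."""
    out = bytearray()
    suspicious = False
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1):
            suspicious = True  # these lead bytes are never valid UTF-8
            if i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
                out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out), suspicious

def inspect(uri: bytes) -> dict:
    """Compare signature hits on the raw URI with hits after normalization."""
    folded, suspicious = fold_overlong(percent_decode(uri))
    raw_lower, norm_lower = uri.lower(), folded.lower()
    return {
        "normalized": folded,
        "invalid_utf8_lead": suspicious,
        "raw_hits": [s for s in SIGNATURES if s.encode() in raw_lower],
        "normalized_hits": [s for s in SIGNATURES if s.encode() in norm_lower],
    }

if __name__ == "__main__":
    # Constructed sample URIs, not taken from the post's logs.
    for sample in (b"/scripts/tool%C0%AEexe", b"/docs/index.html"):
        print(sample, inspect(sample))
```

A request where `normalized_hits` is non-empty but `raw_hits` is empty is one that a byte-for-byte signature would have missed, and `invalid_utf8_lead` is worth alerting on by itself regardless of any signature match.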