Penetration Testing mailing list archives
Re: IDS and Unicode
From: "Kevin J. Menard, Jr." <kmenard () WPI EDU>
Date: Tue, 29 May 2001 10:08:31 -0400
Hey Parth,

Monday, May 28, 2001, 1:10:04 PM, you wrote:

PG> Recently I was pentesting a site and was noticed by a very good admin's homegrown IDS. His IDS was some batch files that keyed on ".exe" in the IIS logs. I have something similar on my sites,
PG> using Snort and scanning the IIS logs.

PG> So, I was thinking, could someone give me the Unicode-encoded string for "cmd.exe"? Then when pentesting sites like this (using a browser, .pl, or nc based call to the Unicode or Filename Double
PG> Decode exploits) I can also test their IDS. I would then recommend that they key on "%" when not followed by "20", since a "%" sign would be suspicious when not used to encode a space.

Not true. I work with many URLs that use %3A, for example. There are legitimate reasons to use % other than in %20, and what you're suggesting would block out a lot of URLs. (In my case, the ":" is used in a CGI bug script submission -- blocking this would not be a good idea.)

PG> Thanks for your time and effort! Any feedback would be much appreciated!

PG> Parth

--
Kevin
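Added example, not part of the original message or of anyone's IDS in this thread: a log-scanning check that compares the "flag any % not followed by 20" rule with a rule that percent-decodes the URI first and then looks for ".exe". The function names, the decode bound of three rounds, the multi-layer flag and the sample URIs are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Naive rule from the thread: any "%" that is not the start of "%20".
NAIVE = re.compile(r"%(?!20)")
# Signature the homegrown IDS keyed on, applied here after decoding.
EXE = re.compile(r"\.exe\b", re.IGNORECASE)

def canonicalize(uri, max_rounds=3):
    """Percent-decode until the string stops changing.

    Returns (decoded_uri, rounds). max_rounds=3 is an assumed bound so a
    hostile input cannot force unbounded work.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(uri, encoding="latin-1")  # latin-1: no byte is lost
        if decoded == uri:
            break
        uri, rounds = decoded, rounds + 1
    return uri, rounds

def naive_rule(uri):
    return bool(NAIVE.search(uri))

def decoded_rule(uri):
    """Return the list of reasons to alert; an empty list means no alert."""
    canon, rounds = canonicalize(uri)
    reasons = []
    if EXE.search(canon):
        reasons.append("exe-after-decode")
    if rounds > 1:  # assumption: nested encoding is itself worth a look
        reasons.append("multi-layer-encoding")
    return reasons

# Constructed sample URIs, not taken from any real log.
SAMPLES = [
    "/docs/my%20file.html",
    "/cgi-bin/bugs.cgi?id=bug%3A1234",
    "/downloads/setup.exe",
    "/downloads/setup%2Eexe",
    "/downloads/setup%252Eexe",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:36} naive={naive_rule(uri)!s:5} decoded={decoded_rule(uri)}")
```

The %3A bug-submission URL trips the naive rule but not the decoded one, while the encoded ".exe" requests are caught after decoding regardless of how the dot was written.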