Penetration Testing mailing list archives
IDS and Unicode
From: "Parth Galen" <Parth_Galen () ziplip com>
Date: 28 May 2001 17:10:04 -0000
Recently I was pentesting a site and was noticed by a very good admin's homegrown IDS. His IDS was some batch files that keyed on ".exe" in the IIS logs. I have something similiar on my sites, using Snort and scanning the IIS logs. So, I was thinking, could someone give me the Unicoded encoded string for "cmd.exe"? Then when pentesting sites like this (using a browser, .pl, or nc based call to the Unicode or Filename Double Decode exploits) I can also test their IDS. I would then recommend that they key on "%" when not followed by "20", since a "%" sign would be suspicious when not used to encode a space. Thanks for your time and effort! Any feedback would be much appreciated! Parth * Get free, secure online email at http://www.ziplip.com/ *
Current thread:
- IDS and Unicode Parth Galen (May 28)
- Re: IDS and Unicode Kevin J. Menard, Jr. (May 29)
- <Possible follow-ups>
- re: IDS and Unicode Blurred Vision (May 28)