Penetration Testing mailing list archives
Re: Port Scanning.
From: robert () dyadsecurity com
Date: Tue, 21 Dec 2004 22:10:31 -0800
Sugiowono (sugiowono () datacomm co id) wrote on Wed, Dec 22, 2004 at 10:42:53AM:

> So how to or what is the step to pass through those security devices? What are the great tools to pass through the FW and IPS?
Let me clear up the context for this response before all of the traditional "Give me $50 and I'll punch you in the face" style penetration testers respond. In most engagements, we perform our testing with as much customer interaction as possible.

The conversation we have with our customers when it comes to the IPS and port scanning issues is this: while IPSs can detect port scans and disallow access to the IP that appears to be performing the scan, they cannot determine the difference between a real IP and a spoofed IP. When you disallow access based on a perception of bad behavior, you are essentially adding rules that the attacker has control over. In our next version of unicornscan, for example, it will be possible to target a particular network range to come from. If you know your customer works primarily with a particular remote network, a simple 'unicornscan -sr:remote_range/24 customer_range/24:a -mT -r500 -R20' could effectively make an IPS disallow entry for every IP in the remote_range/24 network. A wise man once said "When you let bad people write your rules for you, bad things can happen".

In the direct act of malice situation, attackers have an unlimited amount of time. They also have an unlimited amount of resources (IP addresses/machines/bandwidth) because there are countless machines they can compromise first, and then attack you from. No IPS will stop the determined attacker from collecting available services information over time.

New tools also allow for custom packet payloads, including exploit payloads. In these automated attacks, the attacker will attempt to compromise any machine that is available. They will not port scan you first. They will not check for the banner. In this situation, most IPSs will also not help you.

That said, we will go through the IDS testing section of the OSSTMM. This allows us to map and measure the capabilities of the IDS. We will attempt to measure what triggers a block, and for how long the block lasts.
As soon as we are done mapping and measuring the IDS, we ask to be whitelisted for the duration of the test. As I stated before, attackers have an unlimited amount of time and resources. Security testers do not =). Also, if the IPS triggers blocks on payloads from spoofed hosts, it gets written up as a potential DoS in the report.

For firewall testing, it is advisable to use a tool on both sides of the firewall: one for sending a wide variety of packets, one for catching the packets. Based on knowing what you sent and what got through, you will have a very accurate picture of where the FW device is falling short.

Robert

--
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
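The "tool on both sides of the firewall" approach boils down to a differential comparison: the set of probes the sender emitted, the set the catcher behind the firewall actually saw, and the policy the firewall is supposed to enforce. The following is an added example illustrating that comparison; it is not code from the original message or from Dyad Security, and it does no packet I/O. The one-line-per-packet log format, the sample logs and the allowed-port policy are all constructed assumptions for illustration; in practice the two logs would come from whatever sender and sniffer you run on each side.

```python
"""Differential firewall test: diff what was sent against what was caught
behind the firewall, then grade both sets against the intended policy.

Added example, not part of the original post.  Log format, sample data and
policy are assumptions made up for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True, order=True)
class Probe:
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for icmp
    flags: str   # TCP flag letters ("S", "A", "FPU"); "" for udp/icmp


def parse_log(lines: Iterable[str]) -> Set[Probe]:
    """Parse an assumed log format of 'proto=tcp dport=22 flags=S' per line.
    Blank lines and '#' comments are skipped."""
    probes: Set[Probe] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        probes.add(Probe(fields["proto"],
                         int(fields.get("dport", 0)),
                         fields.get("flags", "")))
    return probes


def policy_allows(p: Probe, allowed_tcp: Set[int], allowed_udp: Set[int]) -> bool:
    """Intended policy (assumption): new TCP flows to allowed_tcp ports, which
    a stateful firewall should only admit when they start with a bare SYN;
    UDP to allowed_udp ports; everything else, including ICMP, denied."""
    if p.proto == "tcp":
        return p.dport in allowed_tcp and p.flags == "S"
    if p.proto == "udp":
        return p.dport in allowed_udp
    return False


def diff_firewall(sent: Set[Probe], caught: Set[Probe],
                  allowed_tcp: Set[int], allowed_udp: Set[int]) -> Dict[str, List[Probe]]:
    """Return the three findings a tester cares about:
    leaked      - sent, got through, but policy says it should not have
    overblocked - sent, dropped, but policy says it should have passed
    unexpected  - caught but never sent (noise or a third party on the wire)"""
    passed = sent & caught
    dropped = sent - caught
    return {
        "leaked": sorted(p for p in passed if not policy_allows(p, allowed_tcp, allowed_udp)),
        "overblocked": sorted(p for p in dropped if policy_allows(p, allowed_tcp, allowed_udp)),
        "unexpected": sorted(caught - sent),
    }


# Constructed sender-side log: a SYN sweep, a bare-ACK probe (classic
# stateless-ACL bypass check), an Xmas probe, two UDP probes and an echo.
SENT_LOG = """
# sender side (constructed)
proto=tcp dport=22 flags=S
proto=tcp dport=80 flags=S
proto=tcp dport=443 flags=S
proto=tcp dport=3389 flags=S
proto=tcp dport=22 flags=A
proto=tcp dport=80 flags=FPU
proto=udp dport=53
proto=udp dport=161
proto=icmp
"""

# Constructed catcher-side log: what the sniffer behind the firewall saw.
CAUGHT_LOG = """
# catcher side (constructed)
proto=tcp dport=80 flags=S
proto=tcp dport=443 flags=S
proto=tcp dport=22 flags=A
proto=udp dport=53
proto=udp dport=161
proto=udp dport=123
proto=icmp
"""


def run_example() -> Dict[str, List[Probe]]:
    """Assumed policy: TCP 22/80/443 and UDP 53 are the only permitted services."""
    sent = parse_log(SENT_LOG.splitlines())
    caught = parse_log(CAUGHT_LOG.splitlines())
    return diff_firewall(sent, caught, allowed_tcp={22, 80, 443}, allowed_udp={53})


if __name__ == "__main__":
    for kind, probes in run_example().items():
        print(kind)
        for p in probes:
            print(f"  {p.proto} dport={p.dport} flags={p.flags or '-'}")
```

With the constructed logs the report shows three leaks (the bare-ACK probe to port 22, which a stateless ACL that only looks at destination port lets through, UDP 161 and ICMP echo), one over-block (the SYN to port 22 never arrived even though policy allows it), and one packet the sender never emitted (UDP 123), which is the kind of stray traffic you want separated from your own results rather than silently counted as a pass.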