Penetration Testing mailing list archives
RE: Evading IDS?
From: "Matt Foster" <matt.foster () blade-software com>
Date: Thu, 18 Mar 2004 21:27:02 -0000
Hi Mark,

You may be interested in the Informer Evasion Gateway; details are available at the link below:

  http://www.blade-software.com/EvasionGateway.htm

The product runs on Windows and allows you to apply a wide range of individual or layered evasion techniques to any traffic passing through it, such as:

Fragmentation
  - User-defined packet fragmentation levels between 8 and 1512 bytes, in 8-byte increments
  - Null fragment insertion before or after the original packet
  - Transmission of fragments out of sequence
  - An override for specific TCP packet types

HTTP Evasion
  URI Encoding
    - URI encoding (non-UTF8) (hex encoding)
    - Random URI encoding (non-UTF8) (random hex encoding)
  URL Encoding Methods
    - Reverse Backslash
    - Directory Self Reference
    - Prepend Random String
    - Fake Parameter
    - Random Case URL
    - TAB Separator
  GET Request
    - Random case GET Request
    - Invalid HTTP Version
    - Invalid HTTP version (dot)
    - Random case HTTP
  Session Splicing

I hope this info is of use to you.

Regards
Matt
_____________________________________
Matt Foster
Blade-Software Inc.
www.blade-software.com
Security Verification Management Solutions
______________________________________

-----Original Message-----
From: Mark G. Spencer [mailto:mspencer () evidentdata com]
Sent: 18 March 2004 18:56
To: pen-test () securityfocus com
Subject: Evading IDS?

I've come across what I assume is an IDS during some network reconnaissance. I am able to run nmap (connect scan, default ports) against the entire target class C in question without any problems, but when I run Nikto against any of the webservers, Nikto output dies just after the trace/track method information and I am then unable to access anything on the target class C for a set period of time - at least fifteen minutes. If I move to a different netblock, I can access the target class C again .. well, until I run Nikto. ;)

It looks like all the routing and VPN gear on the target class C is Cisco based, so I'll make an assumption for now that the IDS is also Cisco.
Any advice on how to evade the IDS? I know Nessus and Nikto offer a variety of IDS evasion techniques, but am I correct in assuming that a vendor such as Cisco (or any large vendor) has taken well-known evasion techniques into account? I will try different combinations of evasion techniques today and hopefully won't run out of open class C IP addresses on my network as I continue getting 15min+ blacklisted.

Thanks for the advice,

Mark

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
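The defender's counterpart to the HTTP-layer tricks listed in Matt's reply, as an added example that is not part of this thread and not code from the Blade product: a request-line canonicalizer an IDS (or a reviewer of IDS rules) can run before signature matching, so that hex encoding, backslashes, directory self-reference, tab separators, fake parameters and random case all collapse to one form. The signature path is a constructed sample; IP fragment reassembly is out of scope here.

```python
import re
from urllib.parse import unquote

# Constructed sample signature (not from the thread): a request path an IDS
# rule might look for. Matching is done on the canonical form, never on the
# raw wire bytes, otherwise each encoding variant needs its own rule.
SUSPICIOUS_PATHS = {"/cgi-bin/phf"}


def canonicalize_uri(raw: str) -> str:
    """Collapse the URI-level evasions named in the post to one form."""
    path, sep, query = raw.partition("?")   # fake parameters live in the query
    # Reverse backslash: treat '\' as a directory separator.
    path = path.replace("\\", "/")
    # Hex (percent) decoding, repeated until stable so that double encoding
    # (%2563 -> %63 -> c) cannot hide a character from a single decode pass.
    prev = None
    while prev != path:
        prev = path
        path = unquote(path).replace("\\", "/")
    # Random case URL: fold to lower case before comparing against signatures.
    path = path.lower()
    # Directory self reference ("/./"), duplicate slashes and a prepended
    # bogus directory backed out with ".." all reduce to the same segments.
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + (sep + query if sep else "")


def canonicalize_request_line(line: str):
    """Split on any run of spaces or tabs (TAB separator evasion), upper-case
    method and version (random case evasion), and validate the version."""
    fields = re.split(r"[ \t]+", line.strip())
    if len(fields) < 2:
        raise ValueError("not an HTTP request line: %r" % line)
    method = fields[0].upper()
    target = canonicalize_uri(fields[1])
    version = fields[2].upper() if len(fields) > 2 else ""
    # Anything that is not HTTP/<digit>.<digit> is reported as malformed.
    version_ok = re.fullmatch(r"HTTP/\d\.\d", version) is not None
    return method, target, version, version_ok


def is_suspicious(line: str) -> bool:
    """True when the canonical request path matches a signature."""
    _method, target, _version, _ok = canonicalize_request_line(line)
    return target.partition("?")[0] in SUSPICIOUS_PATHS
```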