Penetration Testing mailing list archives
RE: Evading IDS?
From: "Billy Dodson" <billy () pmm-i com>
Date: Thu, 18 Mar 2004 17:46:34 -0600
Since the Cisco IDS is signature based you can assume this is why you are getting shunned. The Cisco IDS is/can be configured to send a shun to a Cisco PIX firewall for the attackers IP address for a set amount of time if enough triggers are set by the IDS. Running a scan like Nikito or Nessus with an IDS configured to Shun to a pix will continue to get your address "blacklisted". I am not familiar with the Nikito app, and whether or not you can fragment the packets. If the IDS is only doing pattern-matching, fragmenting the data would generally avoid the IDS triggers. If the IDS is configured for Stateful pattern matching, and you are sending a long string of data, fragmenting would not be as affective. When you are doing your NMAP scan, are you having to fragment the packets to get them through? I am sure the IDS has a signature for anything Nikito is going to throw at it. If, in your experiments, you find a way to avoid the IDS please post what you have found. Billy Dodson Network Systems Engineer Permian Micro Mart 3815 E. 52nd Street Odessa, TX 79762 432.367.3239 - Direct Line 432.367.6179 x139 -----Original Message----- From: Mark G. Spencer [mailto:mspencer () evidentdata com] Sent: Thursday, March 18, 2004 12:56 PM To: pen-test () securityfocus com Subject: Evading IDS? I've come across what I assume is an IDS during some network reconnaissance. I am able to run nmap (connect scan, default ports) against the entire target class C in question without any problems, but when I run Nikto against any of the webservers, Nikto output dies just after the trace/track method information and I am then unable to access anything on the target class C for a set period of time - at least fifteen minutes. If I move to a different netblock, I can access the target class C again .. well, until I run Nikto. ;) It looks like all the routing and VPN gear on the target class C is Cisco based, so I'll make an assumption for now that the IDS is also Cisco. Any advice on how to evade the IDS? I know Nessus and Nikto offer a variety of IDS evasion techniques, but am I correct in assuming that a vendor such as Cisco (or any large vendor) has taken well-known evasion techniques into account? I will try different combinations of evasion techniques today and hopefully won't run out of open class C IP addresses on my network as I continue getting 15min+ blacklisted. Thanks for the advice, Mark ------------------------------------------------------------------------ --- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Evading IDS? Mark G. Spencer (Mar 18)
- RE: Evading IDS? Matt Foster (Mar 19)
- Re: Evading IDS? Al Smolkin (Mar 19)
- RE: Evading IDS? Rob Shein (Mar 19)
- RE: Evading IDS? Antonio Varni (Mar 21)
- RE: Evading IDS? Rob Shein (Mar 19)
- RE: Evading IDS? Jerry Shenk (Mar 19)
- Re: Evading IDS? Antonio Varni (Mar 19)
- <Possible follow-ups>
- RE: Evading IDS? Golomb, Gary (Mar 19)
- Re: Evading IDS? Rogan Dawes (Mar 19)
- RE: Evading IDS? Mark G. Spencer (Mar 22)
- RE: Evading IDS? Billy Dodson (Mar 19)
- RE: Evading IDS? Levinson, Karl (Mar 19)
- RE: Evading IDS? Mark G. Spencer (Mar 19)
- RE: Evading IDS? Gary E. Miller (Mar 21)
- RE: Evading IDS? Mark G. Spencer (Mar 19)
- RE: Evading IDS? Eric McCarty (Mar 19)
- RE: Evading IDS? Billy Dodson (Mar 21)