Penetration Testing mailing list archives
RE: Thanks for the feedback and NAT-hide question
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Thu, 10 Aug 2006 21:18:49 -0700
Tim,

Some comments inline below:
> One mistake in the network design appears to be the placement of the IPS. Wouldn't we normally want that positioned
Actually this type of network design is very common for larger networks with multiple webserver farms or netblocks within a DMZ. Placing the IPS behind the FW in the DMZ and ahead of the load balancers allows for multiple webserver clusters on different networks in the DMZ to all be "protected" by a single[1] device.
> between the load balancers and the webserver? Presumably the load balancers could terminate SSL connections and allow the IPS a full view of upper-layer attacks. So, attacking the web application over SSL is my first choice.
While some IPS/IDS do have the ability to do teardown/rebuild to analyze encrypted protocols provided they have the keys/certs, it's usually not done due to the resource overhead and cost (I don't know offhand of an IPS vendor that uses ettercap-like MITM captures of key/cert exchanges to sniff the traffic in the clear). Attacking the web app over SSL is in most cases one of the most likely successful attack vectors I've seen due to IPS/IDSs not doing decrypt/analyze/re-encrypt of packets. Even in cases where it is set up, it won't stop "legit" traffic over 80/443 as there is no way to reliably create or implement signatures which would know that an HTTP POST with your example of inject myFunc('Nancy\\'); alert('xss'); ('s', 'hamster') is a bad thing.
> However, if you're still wanting to hit the lower layers, then I would try to find a way to differentiate between requests that are blocked at the firewall, and ones that are blocked by the IPS. This would then allow me to probe the policy on the firewall alone, possibly using idle scans to conduct spoofed scans from more trusted 3rd party servers.
What about fragmentation to bypass IPS and FW rules to get firewalk or similar tools to enumerate attack vectors? I love me some nmap -f or --mtu action. The hard part is getting the right offset to balance speed vs stealth. In a lot of cases a 16-byte fragment setting will get through and reduce the # of fragments you have to send as opposed to the default 8-byte.
> Oh, finally, if the load balancers operate more as reverse HTTP proxies than lower-layer TCP/SSL accelerators, then I'd look into HTTP request smuggling as well.
I'll have to confess that my question was based on a real-life scenario I dealt with recently. The network infrastructure was as I described. The hard part was that of the 12 webservers in the WebLogic cluster, only 1 had a vulnerable weblogic install. Trying to get the fragmentation and evasion to work *and* hit the right box to inject the remote exploit was a royal pain in the ass. I was hoping someone might be able to illustrate another way to accomplish it.

[1] Where single=active-active HA installs to keep up with traffic demands of course :)

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
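The fragmentation point in the message above (8-byte versus 16-byte fragments slipping past an inspecting device) is easiest to see from the defender's side: an IPS or firewall that applies its rules per fragment, or only checks that a fragment is at least 8 bytes, never sees the full TCP header in the first piece. The following Python is an added example, not code from the original post or from any product it mentions; the `Fragment` record, the `fragment_datagram` helper and the 24-byte "header" payload are constructed for illustration. It reassembles one datagram's fragments and reports the conditions a reassembly-before-inspection stage should alert on or drop: a first fragment too small to carry the fixed 20-byte TCP header (the RFC 1858 tiny-fragment check), overlaps, gaps and incomplete datagrams.

```python
"""Added example: reassemble the fragments of one IP datagram and flag the
patterns an IPS or firewall has to catch before applying its rules.
Fragment sizes, payloads and identifiers used here are constructed."""
from dataclasses import dataclass

# A first fragment should carry at least the fixed 20-byte TCP header so the
# inspecting device can see ports and flags (the RFC 1858 "tiny fragment" check).
TCP_HEADER_LEN = 20


@dataclass
class Fragment:
    ident: int    # IP identification shared by all fragments of one datagram
    offset: int   # byte offset of this piece (the IP header encodes it in 8-byte units)
    more: bool    # MF flag: True on every fragment except the last
    data: bytes   # transport-layer bytes carried by this fragment


def fragment_datagram(ident: int, payload: bytes, frag_size: int) -> list:
    """Split a transport payload into fixed-size fragments the way a sender
    using an 8- or 16-byte fragment size would (constructed helper)."""
    if frag_size % 8:
        raise ValueError("IP fragment sizes must be multiples of 8 bytes")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        frags.append(Fragment(ident, off, off + frag_size < len(payload), chunk))
    return frags


def inspect_fragments(frags: list, min_first: int = TCP_HEADER_LEN):
    """Reassemble one datagram's fragments and return (payload, findings).

    findings lists the conditions a defender would alert on or drop: a first
    fragment too small to hold the transport header, overlapping pieces, gaps,
    or a datagram that never completes. min_first is the policy knob: 8 models
    a loose check that both 8- and 16-byte fragments satisfy."""
    if not frags:
        return b"", ["no-fragments"]
    findings = []
    frags = sorted(frags, key=lambda f: f.offset)
    first = frags[0]
    if first.offset != 0:
        findings.append("missing-first-fragment")
    elif first.more and len(first.data) < min_first:
        findings.append(f"tiny-first-fragment:{len(first.data)}B")

    buf = bytearray()
    expected = 0  # next byte offset we expect to see
    for f in frags:
        if f.offset < expected:
            findings.append(f"overlap-at-{f.offset}")
        elif f.offset > expected:
            findings.append(f"gap-at-{expected}")
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        # "Last fragment wins" on overlap here; real stacks differ (some prefer
        # the first copy), which is exactly why overlaps are worth alerting on.
        buf[f.offset:end] = f.data
        expected = max(expected, end)
    if frags[-1].more:
        findings.append("incomplete")
    return bytes(buf), findings


if __name__ == "__main__":
    header = bytes(range(24))  # constructed 24-byte TCP header (20 fixed + 4 of options)
    for size in (8, 16, 24):
        frags = fragment_datagram(1, header, size)
        payload, found = inspect_fragments(frags)
        print(f"{size:2d}-byte fragments: {len(frags)} pieces, "
              f"reassembled ok={payload == header}, findings={found}")
```

With the default 20-byte policy both the 8-byte and the 16-byte split are flagged, because neither first piece holds the whole TCP header; with `min_first=8` the 16-byte split passes cleanly, which is the gap the message describes. The practical mitigation is to reassemble (or at least enforce the first-fragment minimum) before rule evaluation rather than to tune a minimum fragment size.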
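The request-smuggling remark quoted above (load balancers acting as reverse HTTP proxies) comes down to two hops disagreeing about where one request ends and the next begins. The Python below is an added example, not code from the original post or from any proxy or IPS product; the request samples are constructed and use placeholder hosts. It shows the strict normalisation a front-end proxy or inspecting device can apply to a request head: reject any message that carries both Content-Length and Transfer-Encoding, conflicting or non-numeric Content-Length values, any Transfer-Encoding other than a plain `chunked`, or whitespace-obfuscated names on either header, instead of guessing which framing the back end will choose.

```python
"""Added example: a framing check a reverse proxy or IPS can run on the head
of an HTTP/1.1 request to refuse the ambiguities request smuggling relies on.
The sample requests at the bottom are constructed."""
import re


def parse_head(raw: bytes):
    """Split a raw request into (request_line, [(name, value, raw_line)], body).
    Names are lower-cased and stripped; the raw line is kept for obfuscation checks."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1"),
                        line))
    return lines[0].decode("latin-1"), headers, body


def smuggling_findings(raw: bytes) -> list:
    """Return the reasons a strict front end should reject this request head.
    An empty list means the message framing is unambiguous."""
    _, headers, _ = parse_head(raw)
    findings = []
    cl = [v for n, v, _ in headers if n == "content-length"]
    te = [v for n, v, _ in headers if n == "transfer-encoding"]

    # RFC 7230 section 3.3.3 says Transfer-Encoding wins when both are present,
    # but two hops that implement that differently is the whole problem, so a
    # strict front end refuses the combination outright.
    if cl and te:
        findings.append("cl-and-te")
    # Two Content-Length values that disagree let two hops disagree as well.
    if len(set(cl)) > 1:
        findings.append("conflicting-content-length")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            findings.append("malformed-content-length")
    for v in te:
        # Only a plain "chunked" is accepted; other spellings and coding lists
        # are parsed differently by different servers.
        if v.lower() != "chunked":
            findings.append("nonstandard-transfer-encoding")
    for n, _, line in headers:
        if n in ("content-length", "transfer-encoding"):
            raw_name = line.split(b":", 1)[0]
            # Whitespace around the name is a classic way to make one hop
            # recognise the header while the next one ignores it.
            if raw_name != raw_name.strip():
                findings.append(f"obfuscated-{n}")
    return findings


# Constructed samples (placeholder host names).
LEGIT_CL = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Length: 5\r\n\r\nhello")
LEGIT_TE = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
BOTH = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
        b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")
SPACED = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("legit-cl", LEGIT_CL), ("legit-te", LEGIT_TE),
                       ("both", BOTH), ("dup-cl", DUP_CL), ("spaced", SPACED)):
        print(f"{label:9s} -> {smuggling_findings(req) or 'accept'}")
```

Rejecting at the edge is the mitigation that does not depend on what the back-end servers do; if the front end must forward anyway, it should at least re-serialize the head so every hop behind it sees one unambiguous framing.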
Current thread:
- Thanks for the feedback and NAT-hide question Erin Carroll (Aug 06)
- Re: Thanks for the feedback and NAT-hide question marko ruotsalainen (Aug 10)
- Re: Thanks for the feedback and NAT-hide question Tim (Aug 10)
- RE: Thanks for the feedback and NAT-hide question Erin Carroll (Aug 11)
- Re: Thanks for the feedback and NAT-hide question Rogan Dawes (Aug 11)
- RE: Thanks for the feedback and NAT-hide question Erin Carroll (Aug 11)