Penetration Testing mailing list archives
Re: Are Fragmentation Attacks Still Used for IDS/IPS Evasion?
From: Joseph McCray <joe () learnsecurityonline com>
Date: Sun, 30 Sep 2007 04:53:24 -0400
Last year I was doing some IDS/IPS Evasion research, and it was a lot of fun (just ungodly time consuming). I would say that yes, a great many older IDS/IPS evasion techniques like fragmentation work against modern I{D|P}S solutions.

Real World:
===========

The key thing that I'm running into in my auditing work that I think is more important is identifying whether or not there is an Active Network I{D|P}S or Load Balancing solution in place, before you can even consider bypassing it.

I think you run into the most issues with a Passive IDS Solution. It's really difficult to identify whether one is in use or not because it probably won't have an IP address, and it doesn't block your attacks. Then it's even harder to know what vendor it is, and IMHO almost impossible to know which signatures it has loaded.

That being said - speaking as a former IDS analyst I remember we got more than our fair share of compromises identified by means other than the IDS (usually an admin or user notifying us because the box was acting funny). A lot of times the attack went undetected, and the attacker was an idiot and did something really noisy on the box after having compromised it (this happened a lot) that the IDS would detect.

There are tools out there that can help you identify whether an Active Filtering solution is in place. For me that's the first thing I do after doing my footprinting - before I do any port or vulnerability scanning I look for Load Balancing, and Active Network Filtering. If neither one is in place then I open up the flood gates and scan until my heart is content.

Lab Environment:
================

If you are in a lab environment where you can actually see what is getting by the IDS, and what isn't, then yes it's actually pretty easy even without Metasploit. Add Metasploit to the picture and it's game over. I honestly don't think Network-based IDS/IPS solutions have a chance with a vulnerable host on the network against Metasploit.
If you want any of my notes from that IDS/IPS research from last year let me know.

Take care,

--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com

Learn Security Online, Inc.
* Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access

"The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar
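The post says fragmentation still gets past I{D|P}S; the detection-side reason is that a signature split across fragments is invisible to per-packet matching and only appears after reassembly, and overlapping fragments can make different stacks see different data. The following is an added illustration, not code from the original post or its author; the signature string, the payload, and the byte-offset fragments are constructed (real IP fragment offsets are in 8-byte units).

```python
"""Why an IDS must reassemble fragments (and flag overlap) before matching.
Constructed sample data; fragment offsets are plain byte offsets."""
from dataclasses import dataclass

SIGNATURE = b"/etc/passwd"  # constructed pattern an IDS rule might look for

@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's data within the datagram
    data: bytes

def per_fragment_alert(frags):
    """Naive inspection: match the signature against each fragment alone."""
    return any(SIGNATURE in f.data for f in frags)

def reassemble(frags):
    """Rebuild the datagram and report whether any bytes overlapped.
    Overlaps keep the first-seen byte (one of several policies real stacks
    use; a reassembler should alert on overlap rather than guess)."""
    buf, seen, overlapped = bytearray(), bytearray(), False
    for f in frags:
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
            seen.extend(b"\x00" * (end - len(seen)))
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if seen[pos]:
                overlapped = True       # conflicting data: suspicious
                continue
            buf[pos] = b
            seen[pos] = 1
    return bytes(buf), overlapped

def reassembled_alert(frags):
    """Inspect only after reassembly; overlap alone is worth an alert."""
    payload, overlapped = reassemble(frags)
    return SIGNATURE in payload or overlapped

# Constructed sample: the signature split across three small fragments
PAYLOAD = b"GET /etc/passwd HTTP/1.0"
SPLIT = [Fragment(0, PAYLOAD[:6]),
         Fragment(6, PAYLOAD[6:12]),
         Fragment(12, PAYLOAD[12:])]

if __name__ == "__main__":
    print("per-fragment match:", per_fragment_alert(SPLIT))  # False: missed
    print("reassembled match: ", reassembled_alert(SPLIT))   # True: caught
```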