Penetration Testing mailing list archives
RE: AppScan and IDS evasion
From: admin () systemstates net
Date: Sun, 29 Jun 2008 05:23:18 -0700
If you need to establish a TCP session, it's pretty hard these days to spoof the source address - unless you own bits of the routing infrastructure between the spoofed endpoint and the target. As you say, you could use proxying to get round this. metasploit 3 does very good IDS evasion against snort in terms of HTTP traffic. Would be worth having a look at the techniques used there. cheers, -- www.systemstates.net - penetration test / IDS / incident response
-------- Original Message -------- Subject: Re: AppScan and IDS evasion From: Chroot <chrooted () gmail com> Date: Fri, June 27, 2008 7:33 am To: "Pen Testing" <quick.pentesting () gmail com> Cc: pen-test () securityfocus com Isn't this a vulnerability in itself that your client blocks an IP address. This could result in a DoS attack if you can spoof source IP address. In my book IPS should block the attack not the source. Source can be spoofed. On Sat, May 24, 2008 at 7:44 PM, Pen Testing <quick.pentesting () gmail com> wrote:Hello, I've launched AppScan against a web application and I'm being blocked/banned (since I have a dynamic IP I can reboot my router and get another IP, which is shortly banned again, as long as the attack persists). Since AppScan doesn't have any kind of IDS evasion (AFAIK), what could I do? Of course, I can perform a manual audit (which I was going to do anyway, automatic scanners are only the first phase) but do you have other ideas to bypass the locking mechanism? Perhaps I could put in place some kind of proxy applying IDS-evasion techniques, so I could configure AppScan to use that proxy, and this last one would be in charge of manipulate/rewrite the requests to bypass IDS. Does such a proxy exist? It would be nice if you could point to some good and practical anti-IDS paper, doc and tools. Thank you. PS: I don't know which kind of IDS is in use (perhaps it's not a full-IDS but some anomaly detection as the one included in Checkpoint FW-1 but I don't have that information). Cheers, -q
------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Re: AppScan and IDS evasion Chroot (Jun 27)
- Re: AppScan and IDS evasion Pen Testing (Jun 27)
- Re: AppScan and IDS evasion TH (Jun 27)
- Re: AppScan and IDS evasion Chris Brenton (Jun 28)
- <Possible follow-ups>
- Re: AppScan and IDS evasion Joseph McCray (Jun 29)
- RE: AppScan and IDS evasion admin (Jun 29)
- RE: AppScan and IDS evasion Marco Ivaldi (Jun 30)