Penetration Testing mailing list archives
Re: AppScan and IDS evasion
From: "Yuli Stremovsky" <stremovsky () gmail com>
Date: Sat, 24 May 2008 23:14:18 +0300
You can always configure AppScan to use a proxy. For example, if you use Tor, literally each time a request is made it will come from a new IP address.

Yuli
---
http://www.greensql.net/

On Sat, May 24, 2008 at 10:46 PM, Erin Carroll <amoeba () amoebazone com> wrote:

If an IDS is blocking/banning your source IP there are a couple of things that are possibly happening that you can try to work around the issue. Either a probe (or group of probe types) in AppScan is triggering an IDS response based on request type, or your concurrent connection and request rate is triggering anti-DoS responses.

First, I would recommend limiting your concurrent threads to a bare minimum and seeing if that works. Bear in mind that this will significantly increase the total time AppScan takes to complete a scan.

Second, if that doesn't work and you are still getting blocked, you may want to modify which tests are being performed. Depending on IDS setup and type, you could encounter blocking for request types which don't match the target server ("content-aware" approaches), like sending Apache probes against an IIS server. If that doesn't work, try removing server/service attacks/checks from your scan run and stick to just content-based attacks. Some IDS/IPS systems are aware of server/service attack behavior (like Apache 2.2.3's mod_rewrite off-by-one error vuln).

But, like you said, manual checking is the way to go. AppScan and similar tools are just useful first steps to help pinpoint potential vectors. SecurityFocus has a pretty good intro to IDS evasion techniques at http://www.securityfocus.com/infocus/1577

Hope that helps. I'm sure other list members will have other suggestions :)

--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba () amoebazone com
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Pen Testing
Sent: Saturday, May 24, 2008 7:14 AM
To: pen-test () securityfocus com
Subject: AppScan and IDS evasion

Hello,

I've launched AppScan against a web application and I'm being blocked/banned (since I have a dynamic IP I can reboot my router and get another IP, which is shortly banned again, as long as the attack persists).

Since AppScan doesn't have any kind of IDS evasion (AFAIK), what could I do? Of course, I can perform a manual audit (which I was going to do anyway, automatic scanners are only the first phase) but do you have other ideas to bypass the locking mechanism? Perhaps I could put in place some kind of proxy applying IDS-evasion techniques, so I could configure AppScan to use that proxy, and this last one would be in charge of manipulating/rewriting the requests to bypass the IDS. Does such a proxy exist? It would be nice if you could point to some good and practical anti-IDS papers, docs and tools.

Thank you.

PS: I don't know which kind of IDS is in use (perhaps it's not a full IDS but some anomaly detection such as the one included in Checkpoint FW-1, but I don't have that information).

Cheers,
-q

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

--
http://www.kyplex.com/
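The two blocking behaviours Erin describes (an anti-DoS response to request rate, and "content-aware" blocking of probes that do not fit the server type) can be seen from the defender's side in a small log analysis. The following is an added example written for this archive page; it is not code from the thread, from AppScan, or from any of the posters. The log lines, the server type, the path hints that mark a mismatched probe, and the 20-requests-per-10-seconds threshold are all constructed for illustration.

```python
"""
Toy per-source rate and server-mismatch detector over constructed
combined-format web log lines. Models two reasons a scanner's source
address gets banned: too many requests in a short window, and probes
for paths that only exist on a different server type.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

# Constructed assumption: the monitored host runs IIS, so paths that only
# make sense on Apache are a signature of a scanner probing blindly.
SERVER_TYPE = "IIS"
MISMATCH_HINTS = {
    "IIS": ("/server-status", "/cgi-bin/", ".htaccess", "/manual/"),
    "Apache": ("/iisadmin/", "/scripts/", ".asp", "/_vti_bin/"),
}


def parse_line(line):
    """Return (ip, timestamp, path) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").split(" ")[0], TS_FMT)
    return m.group("ip"), ts, m.group("path")


def analyze(lines, server_type=SERVER_TYPE, max_req=20, window_s=10):
    """Return {ip: sorted reasons}, reasons being 'rate' and/or 'mismatch'.

    'rate' fires when a single source exceeds max_req requests inside a
    sliding window of window_s seconds; 'mismatch' fires when a path
    carries a hint that belongs to a different server type.
    """
    windows = defaultdict(deque)   # ip -> timestamps inside the window
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        if len(q) > max_req:
            flagged[ip].add("rate")
        if any(hint in path for hint in MISMATCH_HINTS[server_type]):
            flagged[ip].add("mismatch")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


def _fmt(ip, ts, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)} +0300] "GET {path} HTTP/1.1" {status} 512'


def sample_log():
    """Constructed log: one normal visitor, one noisy scanner, one stray probe."""
    base = datetime(2008, 5, 24, 7, 14, 0)
    lines = []
    # Normal visitor: three requests spread over a minute.
    for i, path in enumerate(["/", "/default.asp", "/images/logo.gif"]):
        lines.append(_fmt("192.0.2.10", base + timedelta(seconds=20 * i), path, 200))
    # Scanner-like source: 25 requests within 5 seconds from one address.
    for i in range(25):
        lines.append(_fmt("203.0.113.7", base + timedelta(milliseconds=200 * i),
                          f"/page.asp?id={i}", 200))
    # One Apache-only probe against this IIS host.
    lines.append(_fmt("198.51.100.9", base + timedelta(seconds=30), "/cgi-bin/test-cgi", 404))
    return lines


if __name__ == "__main__":
    for ip, reasons in analyze(sample_log()).items():
        print(f"{ip}: {', '.join(reasons)}")
```

Run stand-alone it reports the 25-request burst from 203.0.113.7 as `rate` and the `/cgi-bin/` request from 198.51.100.9 as `mismatch`, while the ordinary visitor is left alone. Note that the rate check keys on the source address only: it is exactly the kind of control that per-request IP rotation, as mentioned earlier in the thread, slips past, which is why a detection that also looks at session or request-content features (the mismatch check here) holds up better than address-based banning alone.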
Current thread:
- AppScan and IDS evasion Pen Testing (May 24)
- RE: AppScan and IDS evasion Erin Carroll (May 24)
- Re: AppScan and IDS evasion Yuli Stremovsky (May 24)
- RE: AppScan and IDS evasion Erin Carroll (May 26)
- Re: AppScan and IDS evasion Yuli Stremovsky (May 24)
- Re: AppScan and IDS evasion bigbert007 (May 28)
- Re: AppScan and IDS evasion Todd Haverkos (May 29)
- Re: AppScan and IDS evasion Sanjay R (May 31)
- Re: AppScan and IDS evasion Todd Haverkos (May 29)
- RE: AppScan and IDS evasion Erin Carroll (May 24)