Penetration Testing mailing list archives
Re: Different ways to portscan IPS
From: White Hat <whitehat237 () gmail com>
Date: Tue, 1 Dec 2009 13:16:06 -0800
If you're using nmap for your scanning, then you may be interested in this. Fyodor did an excellent presentation on this at ShmooCon 2006: http://insecure.org/presentations/Shmoo06 In the talk he touches on the logic and behavior behind IDS systems. Here are my afterthoughts and notes after watching the video. Beware, unorganized mind thinking aloud here.

If you think about an IDS conceptually, it's really just a set of rules, syntax and definitions in rules files, that it tries to match against each incoming packet. If you know what the rule syntax looks like, you can adjust your scan parameters to avoid triggering the specific IDS rule. This is (was?) particularly true for Snort, but applies to many of the more common IDS systems out there, as many of the default timing checks and values are the same.

1. Limiting the packet rate to avoid triggering an IDS packet-per-second threshold. The default threshold is typically 15 packets per second. While this is configurable with most IDSs, most people leave these types of defaults in place and just don't change them. You can use the --max-rate 14 parameter to specify the maximum packet rate.

2. Most IDS systems utilize a sliding window. The idea of sliding windows is to keep track of the acknowledgments for each ID. However, a scheme in which a sender sends a single message (e.g. to multiple receivers in a group) and then waits for all ACKs is too slow: a sender should be able to send a number of messages, and a separate thread should receive ACKs and resend messages with ACKs missing. Many IDS systems also utilize a timeout before the sliding window is reset. Typically the default is 20 seconds. I believe the trick here is to avoid too many ACKs too quickly. We can use the following nmap parameter to avoid triggering an IDS system's sliding window threshold: --scan-delay 22

Don't forget about decoys. These can be very useful during initial test scans. Let's get someone else's system filtered for the scan, not our scan box.
:) Hope this helps.

whitehat237

On Tue, Dec 1, 2009 at 10:21 AM, Benjamin Brown <optikali () gmail com> wrote:
You might want to look into using a networked printer that has not been properly secured (which is often).

On Mon, Nov 30, 2009 at 2:16 PM, Yiannis Koukouras <ikoukouras () gmail com> wrote:

Hi,

Scripting netcat to do a connect-only scan worked for my team. You can use time delays in your script as well ;)

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras

--- The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify the sender immediately by responding to this email and then delete it from your system.

On Fri, Nov 20, 2009 at 1:02 PM, Vimal™ <avvimalkumar () gmail com> wrote:

What are the different ways of port scanning the target when an IPS is in place? Some of the methods I used are:
1. Delay the scan probe (nmap --scan-delay)
2. Integrating the scanner with TOR

Regards
Vimal
web : http://www.maestro-sec.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
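As an added illustration (not code from anyone in the thread) of the threshold logic White Hat describes, here is a small Python detector run over constructed flow records: rule A is a sliding 1-second window using the 15 packets/second default quoted above, and rule B is a long-horizon count of distinct destination ports per source, which is what a defender adds because a probe every 22 seconds never trips rule A on its own. The 10-port / 600-second values for rule B and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Thresholds: the per-second packet rate is the default quoted in the thread;
# the distinct-port rule and its values are this example's own assumptions.
RATE_THRESHOLD = 15        # packets from one source within RATE_WINDOW_SECS
RATE_WINDOW_SECS = 1.0
PORT_THRESHOLD = 10        # distinct destination ports within LONG_WINDOW_SECS
LONG_WINDOW_SECS = 600.0


def detect(events):
    """events: iterable of (timestamp_secs, src_ip, dst_port) from a flow log.

    Returns {"rate": set_of_sources, "portsweep": set_of_sources}.
    """
    recent = defaultdict(deque)   # src -> timestamps inside the 1 s window
    seen = defaultdict(deque)     # src -> (timestamp, port) inside the long window
    alerts = {"rate": set(), "portsweep": set()}
    for ts, src, port in sorted(events):
        # Rule A: sliding-window packet rate, the threshold style the thread describes.
        win = recent[src]
        win.append(ts)
        while ts - win[0] > RATE_WINDOW_SECS:
            win.popleft()
        if len(win) > RATE_THRESHOLD:
            alerts["rate"].add(src)
        # Rule B: distinct destination ports over a long horizon; a probe every
        # 22 s never trips rule A but still accumulates ports here.
        hist = seen[src]
        hist.append((ts, port))
        while ts - hist[0][0] > LONG_WINDOW_SECS:
            hist.popleft()
        if len({p for _, p in hist}) >= PORT_THRESHOLD:
            alerts["portsweep"].add(src)
    return alerts


def sample_events():
    """Constructed flow records, not real traffic."""
    fast = [(0.05 * i, "10.0.0.5", 1 + i) for i in range(20)]     # burst: 20 pkts in 1 s
    slow = [(22.0 * i, "10.0.0.9", 21 + i) for i in range(12)]    # one probe every 22 s
    benign = [(float(t), "10.0.0.7", 443) for t in (1, 2, 3)]     # normal client
    return fast + slow + benign


if __name__ == "__main__":
    print(detect(sample_events()))
```

The burst source trips both rules, the 22-second source trips only the distinct-port rule, and the normal client trips neither.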