PaulDotCom mailing list archives
Re: Avoiding IPS Detection
From: "Wicked Clown" <Wicked.Clown () tombstone-bbs co uk>
Date: Wed, 22 May 2013 22:58:23 +0100
I am not 100% sure about probing networks, but here are some ways to bypass IPS/IDS in general that work against some big hitters:

1) Send the protocol over a different allowed port, for example use FTP over MYSQL.

2) Most IPS/IDS will ignore the first 4k of data on the network, so if you send data out of the network just do it in 3k chunks. Yes, you will have to keep re-establishing the connection, but if you do a snatch and grab, for example of /etc/passwd, and kill the connection you'll be fine.

3) On a Windows 7 machine, copy cmd.exe from one location to a random location; the IPS won't see this as a backdoor connection and will allow cmd.exe to call out!

4) Use nmap -G over port 80. I have had some success.

5) My personal favourite: phish the victim to click on an evil RDP profile and control their machine. POC here: http://www.tombstone-bbs.co.uk/EvilRDP/demo.mp4 Fully patched Windows 7 machine with an IPS/IDS in place, getting a cmd line on the box, including tactic number 3 above :)

Ok, it's not probing the network but it is bypassing IPS/IDS, but it might be useful to someone :) I have tested all the above on IPS/IDS with good success.

Wicked Clown.

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Tim Tomes
Sent: 21 May 2013 13:53
To: PaulDotCom Security Weekly Mailing List; GPWN List; NoVA Hackers
Subject: [Pauldotcom] Avoiding IPS Detection

I'm compiling a list of preferred methods for probing networks while avoiding IDS/IPS detection. Any and all input is appreciated. Thanks.
--
Tim Tomes
@lanmaster53
http://lanmaster53.com/
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
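As a defender's counterpart to tip 2 in the reply above, here is an added example (not from the thread or either poster) that flags a source/destination pair making many short, sub-4k outbound connections inside a small time window, run over constructed flow records. The field layout, the 4096-byte threshold and the other cut-offs are assumptions chosen to mirror the claim in the post.

```python
# Added example: detect the "chunked upload over many short connections"
# pattern from the thread. Input is flow records (NetFlow/Zeek-style);
# the records below are constructed for illustration, not real traffic.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: ts src dst dport bytes_out duration_s
SAMPLE_FLOWS = """\
2013-05-22T22:00:01 10.0.0.5 203.0.113.9 443 3000 0.8
2013-05-22T22:00:03 10.0.0.5 203.0.113.9 443 3000 0.7
2013-05-22T22:00:05 10.0.0.5 203.0.113.9 443 3000 0.9
2013-05-22T22:00:07 10.0.0.5 203.0.113.9 443 2900 0.6
2013-05-22T22:00:09 10.0.0.5 203.0.113.9 443 3000 0.8
2013-05-22T22:00:11 10.0.0.5 203.0.113.9 443 3000 0.7
2013-05-22T22:00:02 10.0.0.7 198.51.100.4 443 120000 45.0
2013-05-22T22:01:00 10.0.0.8 203.0.113.9 80 2500 0.5
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes, dur = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes_out": int(nbytes),
                      "duration": float(dur)})
    return flows

def find_chunked_uploads(flows, max_bytes=4096, max_duration=5.0,
                         min_conns=5, window=timedelta(minutes=2)):
    """Return (src, dst, count, total_bytes) for each pair with at least
    min_conns short, small outbound connections within one window."""
    by_pair = defaultdict(list)
    for f in flows:  # keep only flows that fit the "under the threshold" profile
        if f["bytes_out"] < max_bytes and f["duration"] <= max_duration:
            by_pair[(f["src"], f["dst"])].append(f)
    hits = []
    for (src, dst), fl in by_pair.items():
        fl.sort(key=lambda f: f["ts"])
        best, start = None, 0
        for end in range(len(fl)):  # sliding window over sorted timestamps
            while fl[end]["ts"] - fl[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= min_conns and (best is None or count > best[0]):
                best = (count, sum(f["bytes_out"] for f in fl[start:end + 1]))
        if best:
            hits.append((src, dst, best[0], best[1]))
    return hits
```

The aggregate view is the point: each connection alone stays under the per-stream threshold, but the pair's connection count and summed bytes over the window do not.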
Current thread:
- Avoiding IPS Detection Tim Tomes (May 21)
- Re: [GPWN-list] Avoiding IPS Detection Jamil Ben Alluch (May 21)
- Re: [GPWN-list] Avoiding IPS Detection Tim Tomes (May 21)
- Re: Avoiding IPS Detection Dan King (May 21)
- Re: Avoiding IPS Detection Wicked Clown (May 22)