Penetration Testing mailing list archives
RE: Evading IDS?
From: "Levinson, Karl" <Karl.Levinson () dhs gov>
Date: Thu, 18 Mar 2004 17:28:30 -0500
-----Original Message-----
From: Mark G. Spencer [mailto:mspencer () evidentdata com]
> Any advice on how to evade the IDS? I know Nessus and Nikto offer a
> variety of IDS evasion techniques,

Why not try them? I would want to know whether you are being blocked by network IDS or host-based IDS, because the evasion techniques are different.

If the IDS is alerting on your excessive use of the HTTP track and trace verbs [just a guess], you could try generating such HTTP requests or your entire scan through an encrypted HTTPS session. If you do not get blocked, then I would guess that NIDS type of evasion may help. If you do get blocked, then NIDS type of evasion may not work. If you really are being blocked by use of the track and trace verbs, then disabling those tests might help.

The IDS evasion techniques in Nikto / libwhisker are described below:

http://www.wiretrip.net/rfp/txt/whiskerids.html
http://www.sans.org/rr/papers/30/339.pdf
http://www.insecure.org/stf/secnet_ids/secnet_ids.html

Most of them would probably be more effective at evading NIDS, with the *possible* exception of premature request ending and/or session splicing, depending on the IDS method. Give those a try.

I would also recommend determining which IDS they are using on which OS, and reading about the features and flaws in that IDS. It may not be safe to assume it is a Cisco IDS. You might also consider a different type of web assessment tool as well, such as a proxy type like WebProxy from atstake.com instead of a scanner.

Note that the Nikto readme states:

"Nikto leaves a footprint on a server it scans--both in an invalid 404 check and in the User-Agent header. This can be changed by forcing the $NIKTO{fingerprint} and $NIKTO{useragent} to new values in the source code, OR, if any IDS evasion (-e) option is used. Note that it's pretty obvious when Nikto is scanning a server anyway--the large number of invalid requests sticks out a lot in the server logs, although with an IDS evasion technique it might not be extremely obvious that it was Nikto."
> but am I correct in assuming that a vendor such as Cisco (or any large
> vendor) has taken well-known
> evasion techniques into account?

No, especially not when you're talking network IDS. NIDS can detect many kinds of evasion techniques, but when trying to see past the evasion technique to see what actually was done, IDS often has a choice of two or more different ways to interpret the data, and quite often the IDS has to choose one method or another to interpret the data. Which means that if you used the other method, IDS reports it has found something suspicious but can't tell you what exactly it is, and may choose not to block access based on that particular alert.

Also, IDS will always have finite computing resources that can be starved, which makes it generally undesirable to be overly thorough in inspecting traffic. So, there are still ways to evade IDS.

Feel free to let me know what ends up happening, I'd be curious.

- karl
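Added example (editor's code, not from the thread, Nikto or libwhisker): a few of the request-level obfuscations described in the whiskerids paper linked above, applied to a constructed signature string, together with a naive per-packet substring matcher that they defeat and a normalising matcher that decodes the URL the way the web server will before comparing. The signature, request lines, segment size, and the case-folding switch are assumptions made for the demonstration; the case-folding switch is there to show the interpretation choice Karl describes, since folding case is right for IIS and wrong for a case-sensitive Unix server.

```python
"""Constructed demo of whiskerids-style HTTP obfuscations versus two matchers.
Not Nikto or libwhisker code; signature and requests are made up for the demo."""
import posixpath
import re
import urllib.parse

# Constructed example signature: a classic CGI probe that a simple IDS rule
# might match as a plain substring of the request URL.
SIGNATURE = "/cgi-bin/phf"


# --- URL obfuscations named after the techniques in the whiskerids paper -------

def uri_encode(path: str) -> str:
    """'URL encoding': percent-encode every other non-slash character.
    libwhisker picks characters at random; this is deterministic for the test."""
    out, n = [], 0
    for ch in path:
        if ch == "/":
            out.append(ch)
            continue
        out.append("%%%02X" % ord(ch) if n % 2 else ch)
        n += 1
    return "".join(out)


def self_reference(path: str) -> str:
    """'Self-reference directories': /cgi-bin/phf -> /./cgi-bin/./phf."""
    return path.replace("/", "/./")


def reverse_traversal(path: str) -> str:
    """'Reverse traversal': a junk directory that '..' immediately climbs out of."""
    head, tail = path.rsplit("/", 1)
    return f"{head}/junkdir/../{tail}"


def windows_delimiter(path: str) -> str:
    """'DOS/Win directory syntax': backslashes, which IIS treats like slashes."""
    return path.replace("/", "\\")


def change_case(path: str) -> str:
    """'Case sensitivity': only works against a case-insensitive server."""
    return path.upper()


def request_line(path: str, spacer: str = " ") -> str:
    """Build the request line; spacer='\\t' is the paper's 'TAB separation'."""
    return f"GET{spacer}{path}{spacer}HTTP/1.0"


# --- two ways an IDS can look at the request line ------------------------------

def naive_match(line: str) -> bool:
    """Split on a single space and substring-match the URL: the kind of
    matcher the obfuscations above are aimed at."""
    parts = line.split(" ")
    return len(parts) >= 2 and SIGNATURE in parts[1]


def normalized_match(line: str, case_insensitive_target: bool = True) -> bool:
    """Decode the URL as the server would (percent-decoding, backslash folding,
    '.' and '..' resolution) before comparing. The case fold is the IDS's
    guess about the target: correct for IIS, wrong for a case-sensitive server."""
    parts = re.split(r"[ \t]+", line.strip(), maxsplit=2)
    if len(parts) < 2:
        return False
    url = posixpath.normpath(urllib.parse.unquote(parts[1]).replace("\\", "/"))
    if case_insensitive_target:
        url = url.lower()
    return SIGNATURE in url


# --- session splicing: the same request spread over tiny TCP segments ----------

def splice(request: bytes, size: int) -> list:
    return [request[i:i + size] for i in range(0, len(request), size)]


def per_packet_match(segments) -> bool:
    """Inspects each segment on its own, as a matcher without stream reassembly."""
    return any(SIGNATURE.encode() in seg for seg in segments)


def reassembled_match(segments) -> bool:
    return SIGNATURE.encode() in b"".join(segments)


def demo() -> dict:
    """Returns {technique: (naive_hit, normalized_hit)} for each obfuscation."""
    cases = {
        "plain": request_line(SIGNATURE),
        "url_encoding": request_line(uri_encode(SIGNATURE)),
        "self_reference": request_line(self_reference(SIGNATURE)),
        "reverse_traversal": request_line(reverse_traversal(SIGNATURE)),
        "windows_delimiter": request_line(windows_delimiter(SIGNATURE)),
        "case_change": request_line(change_case(SIGNATURE)),
        "tab_separation": request_line(SIGNATURE, spacer="\t"),
    }
    return {name: (naive_match(ln), normalized_match(ln)) for name, ln in cases.items()}


if __name__ == "__main__":
    for name, (naive, norm) in demo().items():
        print(f"{name:18s} naive={naive!s:5s} normalized={norm}")
    segs = splice(request_line(SIGNATURE).encode() + b"\r\n\r\n", 4)
    print("spliced: per-packet", per_packet_match(segs), "reassembled", reassembled_match(segs))
```

Every obfuscation slips past the naive matcher and is caught by the normalising one, except that the case change is only caught when the IDS assumes a case-insensitive target; the spliced request is missed by per-segment inspection and caught once the stream is reassembled, which is why Karl singles out session splicing as the one that may also trouble a host-side inspector that does not buffer the whole request.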