Penetration Testing mailing list archives
RE: Evading IDS?
From: "Mark G. Spencer" <mspencer () evidentdata com>
Date: Mon, 22 Mar 2004 15:24:13 -0800
Hi Gary,

I've been banging away on the target network and it looks like host based IDS/IPS. While getting locked out of each webserver during fragroute testing today, I noticed I could still telnet into routers and domain servers on the target network. I took your advice and have been testing each fragroute method with "legitimate" traffic to make sure things are put back together properly on the other end - so far, they do.

I've tried the following fragroute configs and still got blacklisted once I fired up Nikto:

    tcp_chaff paws

And

    tcp_chaff paws
    order random

So I've got many more methods to go. I'm still using Nikto for my testing. I haven't figured out yet how to turn the trace/track tests (where I get blacklisted) off, but will get to that soon to see if getting rid of those tests has any impact on the IDS/IPS behavior.

Thank you, and everyone else on the list, for the great advice!

Mark

-----Original Message-----
From: Golomb, Gary [mailto:GGolomb () enterasys com]
Sent: Thursday, March 18, 2004 7:08 PM
To: Mark G. Spencer; pen-test () securityfocus com
Subject: RE: Evading IDS?

As far as already available tools go, use fragroute with the PAWS/wrapped sequencing chaffing options. Don't bother with the fragmentation options - you'll probably just run into the same problem. This could be used together with overlapping and out-of-order segments with some lapses in timing. (The fragroute man page is well written and covers all this stuff.)

The only caveat is that you'll need to know how the end host will handle reassembly of your packets. A good way to test is to set up fragroute, send completely benign/normal requests through it, and see if you get replies.

In reality, you'll get limited mileage with application-layer encoding against most IDSs, *especially* when it comes to http. (Not that it's completely ineffective. There are just easier alternatives available IMO.)
-gary
Current thread:
- Evading IDS? Mark G. Spencer (Mar 18)
- RE: Evading IDS? Matt Foster (Mar 19)
- Re: Evading IDS? Al Smolkin (Mar 19)
- RE: Evading IDS? Rob Shein (Mar 19)
- RE: Evading IDS? Antonio Varni (Mar 21)
- RE: Evading IDS? Rob Shein (Mar 19)
- RE: Evading IDS? Jerry Shenk (Mar 19)
- Re: Evading IDS? Antonio Varni (Mar 19)
- <Possible follow-ups>
- RE: Evading IDS? Golomb, Gary (Mar 19)
- Re: Evading IDS? Rogan Dawes (Mar 19)
- RE: Evading IDS? Mark G. Spencer (Mar 22)
- RE: Evading IDS? Billy Dodson (Mar 19)
- RE: Evading IDS? Levinson, Karl (Mar 19)
- RE: Evading IDS? Mark G. Spencer (Mar 19)
- RE: Evading IDS? Gary E. Miller (Mar 21)
- RE: Evading IDS? Mark G. Spencer (Mar 19)
- RE: Evading IDS? Eric McCarty (Mar 19)
- RE: Evading IDS? Billy Dodson (Mar 21)