Penetration Testing mailing list archives
Re: IDS Testing
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Thu, 11 Mar 2004 15:08:00 -0600
Wednesday, March 10, 2004 1:47 PM Subject: RE: IDS Testing
I just run standard tests against them and see if it showed up. Every IDS alerts on ../../winnt/system32/cmd.exe or something like that. I sometimes connect manually to a web server where the IDS is in the path of the traffic. Another idea is to use nmap with the -f (fragments) switch....every IDS alerts on mall fragments.
I just went through this with a 24x7x365 managed services security service....they didn't pick up anything...it was a riot!
To be fair, you ought to run attacks in a slowly increasing treat and see when things start to light up. Some 'attacks' like a portscan might be listed at a low level and then things should start to crank up as you launch targeted exploits that match the protected hardware. I'm not sure the above named cmd.exe 'exploit' should trigger at all if the web servers are all running Apache.
Fragmenting packets is a common IDS evasion technique... especially on older IDS's. Many IDS's still don't reassemble the session properly. Then, when you combine fragmentation with slowing your traffic down, you really test the evasion boundaries of the IDS. The last IDS I worked on could be evaded quite easily by slowing your attack or scan down somewhat (a little patience goes a long way). A less stealthy technique is to hit the IDS with a D.O.S. first (provided it's a pass-by and not a pass-through) while initiating your attack on your actual target. This will test the IDS's ability to track sessions properly and pick out the attack while getting hammered with D.O.S. or other trash/decoy packets. --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- IDS Testing Security Tester (Mar 10)
- Re: IDS Testing Cedric Blancher (Mar 10)
- Re: IDS Testing Clint Bodungen (Mar 11)
- Re: IDS Testing (another way) Clint Bodungen (Mar 11)
- Re: IDS Testing Peter Van Epp (Mar 11)
- RE: IDS Testing Jerry Shenk (Mar 11)
- Re: IDS Testing Clint Bodungen (Mar 12)
- Re: IDS Testing Frederic Charpentier (Mar 11)
- RE: IDS Testing Matt Foster (Mar 12)
- <Possible follow-ups>
- RE: IDS Testing Teicher, Mark (Mark) (Mar 10)
- Re: IDS Testing Pedro Andujar (Mar 15)
- FW: IDS Testing Robert E. Lee (Mar 11)
- Re: IDS Testing Don Parker (Mar 12)