Penetration Testing mailing list archives

RE: Evading IDS?


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 19 Mar 2004 09:19:55 -0500

If the web site supports https, you could use https to shoot past the
IDS and probably avoid detection/blockage.  I use a Linux box with
sslproxy for this but there are other options that work well also.

BTW, in your write-up, it would be fair to mention the fact that the
IDS (or whatever) is blocking the traffic, so that certainly makes an
exploit more difficult.

-----Original Message-----
From: Mark G. Spencer [mailto:mspencer () evidentdata com] 
Sent: Thursday, March 18, 2004 1:56 PM
To: pen-test () securityfocus com
Subject: Evading IDS?


I've come across what I assume is an IDS during some network
reconnaissance. I am able to run nmap (connect scan, default ports) against
the entire target class C in question without any problems, but when I run
Nikto against any of the webservers, Nikto output dies just after the
trace/track method information and I am then unable to access anything on
the target class C for a set period of time - at least fifteen minutes.

If I move to a different netblock, I can access the target class C again
... well, until I run Nikto.  ;)

It looks like all the routing and VPN gear on the target class C is Cisco
based, so I'll make an assumption for now that the IDS is also Cisco.

Any advice on how to evade the IDS?  I know Nessus and Nikto offer a
variety of IDS evasion techniques, but am I correct in assuming that a
vendor such as Cisco (or any large vendor) has taken well-known evasion
techniques into account?  I will try different combinations of evasion
techniques today and hopefully won't run out of open class C IP addresses
on my network as I continue getting 15min+ blacklisted.

Thanks for the advice,

Mark
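The behaviour the thread describes (a payload-free nmap connect scan passes, Nikto trips a content signature on the TRACE/TRACK check, the source address is then shut out of the whole target range for about fifteen minutes, a different source netblock still gets through, and an HTTPS session shows the sensor only opaque TLS records) can be modelled with a small inline signature sensor. The block below is an added example written for this archive page, not code from either poster and not a Cisco rule set: the two signatures, the 15-minute timer, the source addresses and the sample requests are all constructed for illustration.

```python
"""Toy inline signature IDS with a per-source block timer (added example).

Models the symptoms in the thread: a TCP connect scan carries no payload and
matches nothing, a TRACE request trips a content signature and blocks the
source for a fixed window, other sources are unaffected, and TLS application
data is ciphertext the sensor cannot match against.
"""
import re
from dataclasses import dataclass, field

# Assumed length of the blackout the poster observed ("at least fifteen minutes").
BLOCK_SECONDS = 15 * 60

# Illustrative content signatures, not any vendor's real rules.
SIGNATURES = [
    ("http-trace-or-track", re.compile(rb"^(?:TRACE|TRACK) \S+ HTTP/1\.[01]", re.M)),
    ("nikto-user-agent", re.compile(rb"^User-Agent:.*Nikto", re.M | re.I)),
]


@dataclass
class Sensor:
    block_seconds: int = BLOCK_SECONDS
    blocked_until: dict = field(default_factory=dict)   # src -> expiry time
    alerts: list = field(default_factory=list)          # (time, src, signature)

    def inspect(self, src, payload, now):
        """Verdict for one segment from src at time now: 'blocked', 'alert' or 'pass'."""
        expiry = self.blocked_until.get(src)
        if expiry is not None and now < expiry:
            return "blocked"            # shunned for every destination behind the sensor
        for name, pattern in SIGNATURES:
            if pattern.search(payload): # an empty handshake payload can never match
                self.alerts.append((now, src, name))
                self.blocked_until[src] = now + self.block_seconds
                return "alert"
        return "pass"


def replay(events, sensor=None):
    """Run (time, src, payload) events through a sensor and return the verdicts."""
    if sensor is None:
        sensor = Sensor()
    return [sensor.inspect(src, payload, t) for t, src, payload in events]


# Constructed sample traffic. Addresses are documentation ranges, not real hosts.
SCANNER = "192.0.2.10"          # the tester's first netblock
SCANNER_ALT = "198.51.100.7"    # a second netblock the tester moves to
HOST = b"Host: www.example.com\r\n"

# A TLS application_data record: 0x17 content type, version, length, then ciphertext.
# The bytes are generated deterministically here to stand in for encrypted data.
TLS_APPDATA = b"\x17\x03\x01\x00\x2a" + bytes((i * 37 + 11) % 256 for i in range(42))

TRAFFIC = [
    (0, SCANNER, b""),                                               # nmap -sT: handshake only
    (1, SCANNER, b"GET / HTTP/1.0\r\n" + HOST + b"\r\n"),            # ordinary request
    (2, SCANNER, b"TRACE / HTTP/1.0\r\n" + HOST                      # Nikto's TRACE/TRACK check
                 + b"User-Agent: Mozilla/4.75 (Nikto)\r\n\r\n"),     # header assumed for illustration
    (3, SCANNER, b"GET /cgi-bin/ HTTP/1.0\r\n" + HOST + b"\r\n"),    # same source, now shunned
    (4, SCANNER_ALT, b"GET /cgi-bin/ HTTP/1.0\r\n" + HOST + b"\r\n"),# other netblock still passes
    (BLOCK_SECONDS + 3, SCANNER, b"GET / HTTP/1.0\r\n" + HOST + b"\r\n"),  # timer expired
    (BLOCK_SECONDS + 4, SCANNER, TLS_APPDATA),                       # HTTPS: nothing to match
]

if __name__ == "__main__":
    s = Sensor()
    for (t, src, _), verdict in zip(TRAFFIC, replay(TRAFFIC, s)):
        print(f"t={t:4d} {src:14s} {verdict}")
    print("alerts:", s.alerts)
```

The same TRACE request sent inside the TLS session would, to a sensor without the server's key, look exactly like the last event: a record header and ciphertext. That is the whole basis of the sslproxy suggestion above, and also why a sensor deployed behind a TLS-terminating proxy, or one fed with the server's private key, does not grant that bypass.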



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------