Penetration Testing mailing list archives
Re: IPS Testing
From: pentestr <pentestr () gmail com>
Date: Fri, 04 Jan 2008 14:39:24 +0530
Hi,

First of all, thank you very much. I want to confirm this issue of the IPS. If the IPS is blocking traffic, then by spoofing another IP I can block service to them, and it will become a CRITICAL issue because an attacker can spoof IP ranges and it could lead to DoS.

Regds.
PenTestr.

Joseph McCray wrote:
I hope this email is coherent.... It's 4am for me... and I'm tired....

Pentestr... although you can use a host of tools to change your IP, from SMAC (Windows), to macchanger (Linux), to the unthinkable ifconfig/ipconfig commands.... I would say that you just want to report to the customer that whatever filtering solution they have in place is, if not working, at least doing something. You didn't give a whole lot of information, but I would say that based on what you said in your email, the scope of the assessment needs to be more clearly defined...

1. Is this just something you want to note for your report?
2. Is this something whose effectiveness you want to test (i.e. play with the IDS evasion side of the house)?
3. Most importantly - what is the customer looking for? Does the customer know that you are testing the I{D|P}S, and/or does he want you to test the effectiveness of it?

As much as I love hacking - I'm slowly coming to the unbearable conclusion that pentesting is a service that we provide FOR the customer, and at the end of the day we have to give them what they want, or at least what they think they want.

NOTE: If you are only trying to show that an active IPS solution is in place, then just show the customer that in screenshot 1 your packets were reaching the target, and in screenshot 2 your packets weren't reaching the target, but it was reachable from another IP address.

If you are looking to actually scan against targets with an IPS in front of them, then I hope you have a lot of time on your hands, because it's not something that you are going to be able to do quickly. Make sure that it is in scope first (e.g. some pentest scopes require the tester to shoot from specific IP addresses). Then get a huge list of proxies, don't forget the Tor network, don't use Nessus, and just sit down at the command prompt with a beer - because it's gonna be a long night.

You are going to have to go slow and low - through proxies and Tor - to get your network enumeration data. Make sure this is in scope, and is what the customer REALLY wants you to do, before you waste tons of time doing this kind of stuff only to find out that the target can easily be exploited via client-side attacks sent via email.

Hope this helps...

j0e

On Thu, 2008-01-03 at 14:26 +0530, pentestr wrote:

Hi,

I am doing a PT for a customer and found that after running Nessus against the target our IP is getting blocked permanently. I want to show this issue to the customer.

1. Is there any specific tool that can generate Nessus traffic by spoofing IPs?
2. Is there any tool that can change the IP on the fly? While running Nessus, it should change the source IP.

The server has only port 80 open.

Thank you.

Regards.
PenTestr.

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
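The risk raised in this thread, an IPS that permanently blocks a source address on its first alert so that forged source addresses could lock out third parties, as an added simulation that is not part of the original thread or of any named product. It models two hypothetical block policies on constructed alert records; the addresses, field names and thresholds are assumptions for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Alert:
    """One IPS alert (constructed sample, not real traffic)."""
    ts: float           # seconds since start of the capture
    src: str            # source IP as written in the packet
    established: bool   # True only if a TCP handshake completed first

@dataclass
class BlockPolicy:
    """Hypothetical auto-block policy. ttl=None blocks permanently."""
    ttl: Optional[float]
    require_established: bool      # ignore alerts from unestablished sources
    allow: list = field(default_factory=list)   # never-block CIDRs
    blocked: dict = field(default_factory=dict) # src -> expiry timestamp

    def observe(self, a: Alert) -> None:
        # A blind forged source cannot finish a TCP handshake, so counting
        # only established sessions removes the spoofed-lockout path.
        if self.require_established and not a.established:
            return
        if any(ip_address(a.src) in ip_network(n) for n in self.allow):
            return
        self.blocked[a.src] = float("inf") if self.ttl is None else a.ts + self.ttl

    def is_blocked(self, src: str, now: float) -> bool:
        exp = self.blocked.get(src)
        if exp is None or now >= exp:
            self.blocked.pop(src, None)   # expired entries age out
            return False
        return True

# Constructed scenario: a scanner at 203.0.113.10 alerts with its own address
# (handshake completes), then sends alerts with a forged partner address
# 198.51.100.7 (no handshake possible when the source is forged).
SAMPLE = [Alert(0.0, "203.0.113.10", True),
          Alert(1.0, "198.51.100.7", False),
          Alert(1.5, "198.51.100.7", False)]
WATCH = ("203.0.113.10", "198.51.100.7")

def run(policy: BlockPolicy, check_at: float) -> dict:
    for a in SAMPLE:
        policy.observe(a)
    return {src: policy.is_blocked(src, check_at) for src in WATCH}

def permanent_policy(check_at: float = 3600.0) -> dict:
    return run(BlockPolicy(ttl=None, require_established=False), check_at)

def hardened_policy(check_at: float = 300.0) -> dict:
    return run(BlockPolicy(ttl=600.0, require_established=True,
                           allow=["198.51.100.0/24"]), check_at)
```

Under the permanent policy the forged partner address stays blocked indefinitely; under the hardened one only the scanner is blocked, and that block expires.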