Penetration Testing mailing list archives
Re: AppScan and IDS evasion
From: Joseph McCray <joe () learnsecurityonline com>
Date: Sun, 29 Jun 2008 06:28:43 -0400
Although I'm really not one for closed source commercial tools, so I can't give any configuration advice for AppScan, I've gotten the chance to go up against my fair share of IPS solutions with open source tools. You've already gotten the major steps recommended to you:

1. Attack on port 443
2. Slow down your scan, only check for a few things at a time
3. Use some sort of proxy and/or Tor

Sounds like you are already "SOL" and getting your IP blocked over and over already, so you might just want to chalk this pentest up to a learning experience and start planning for your next assessment. As one person mentioned, it's not uncommon for the administrator to whitelist your attack IP address(es) from the security solution in place.

You might want to play with something like Active Filter Detection from PureHacking.com and also halberd; you might as well verify that the site isn't load balanced while you are at it.

The bottom line is you need to have your IP(s) excluded, or you are going to have to drop AppScan and go manual against the site using a proxy and/or Tor, most likely with some different encoding of your attacks as well, to have a REAL chance against a decent IPS or Web App Firewall. If you are already in the middle of the assessment and the clock is ticking, I don't see how you have time for the manual option, so you should probably ask to have your IP excluded.

Hope this helps....

Joe

On Sat, 2008-05-24 at 16:14 +0200, Pen Testing wrote:
Hello,

I've launched AppScan against a web application and I'm being blocked/banned (since I have a dynamic IP I can reboot my router and get another IP, which is shortly banned again, as long as the attack persists). Since AppScan doesn't have any kind of IDS evasion (AFAIK), what could I do?

Of course, I can perform a manual audit (which I was going to do anyway; automatic scanners are only the first phase), but do you have other ideas to bypass the locking mechanism? Perhaps I could put in place some kind of proxy applying IDS-evasion techniques, so I could configure AppScan to use that proxy, and this last one would be in charge of manipulating/rewriting the requests to bypass the IDS. Does such a proxy exist?

It would be nice if you could point to some good and practical anti-IDS papers, docs and tools.

Thank you.

PS: I don't know which kind of IDS is in use (perhaps it's not a full IDS but some anomaly detection like the one included in Checkpoint FW-1, but I don't have that information).

Cheers,
-q
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com

Learn Security Online, Inc.
* Security Games * Simulators * Challenge Servers *
* Courses * Hacking Competitions * Hacklab Access *

"The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar
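The blocking behaviour the thread is arguing about, as an added illustration that is not part of either post: a minimal sliding-window banner of the kind a WAF or IPS applies per source IP. Run over a constructed request timeline it shows why a burst of scanner requests gets the source banned, why spreading the same requests out (the "slow down your scan" advice) slips under a purely rate-based rule, and why the clean fix on an authorised assessment is to put the tester's IP on the allowlist rather than to evade the control. The thresholds, IPs and timings are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


class RateBlocker:
    """Bans a source IP once it sends more than `threshold` suspicious
    requests inside a sliding window of `window` seconds.  Addresses in
    `allowlist` (the assessor's whitelisted IPs) are never banned."""

    def __init__(self, threshold=5, window=10.0, allowlist=()):
        self.threshold = threshold
        self.window = window
        self.allowlist = set(allowlist)
        self.hits = defaultdict(deque)   # ip -> timestamps of suspicious hits
        self.banned = set()

    def observe(self, ts, ip, suspicious):
        """Feed one request; return True if the request should be dropped."""
        if ip in self.allowlist:
            return False
        if ip in self.banned:
            return True
        if not suspicious:
            return False
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire hits outside window
            q.popleft()
        if len(q) > self.threshold:
            self.banned.add(ip)
            return True
        return False


def run(events, **kw):
    """Replay (timestamp, ip, suspicious) events; return (banned IPs, verdicts)."""
    blocker = RateBlocker(**kw)
    dropped = [blocker.observe(ts, ip, susp) for ts, ip, susp in events]
    return sorted(blocker.banned), dropped


# Constructed sample: a scanner fires 8 payload-bearing requests in 4 seconds
FAST = [(0.5 * i, "203.0.113.10", True) for i in range(8)]
# The same 8 requests spread over 40 seconds (the "slow down your scan" advice)
SLOW = [(5.0 * i, "203.0.113.10", True) for i in range(8)]

if __name__ == "__main__":
    print(run(FAST))                                   # banned after 6th hit
    print(run(SLOW))                                   # never exceeds threshold
    print(run(FAST, allowlist={"203.0.113.10"}))       # whitelisted tester IP
```

A rule this simple is also why rate counting alone is a weak control: the defender should pair it with request-content signatures, and log the allowlisted tester traffic rather than silently ignoring it.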