Penetration Testing mailing list archives
Re: Scanning through an IPS
From: natron <natron () invisibledenizen org>
Date: Tue, 23 Sep 2008 17:47:35 -0500
Remember that IDS/IPS is basically using pattern matching to determine if you're bad or not. If you match that pattern above a certain threshold, you get hit by the IPS and your IP address is blocked. As such, if you want your traffic to get through, you need to a) make it look as much like normal traffic as you can or b) make it look like something the IPS doesn't understand. "B" is usually a moving target, "A" isn't always.

To directly answer your question, I prefer -sT nmap scans initially (connect scans, not SYN scans), I only look at a select number of ports, and I put large delays in between sending packets. Keep the traffic low and most IDS/IPS will ignore you. After I've gathered a fair amount of information via "A" (say, over the course of 3-7 days of scanning), I'll play with "B" and see what I can get through.

N

On Tue, Sep 23, 2008 at 1:28 PM, jond <x () jond com> wrote:
> I'm wondering what techniques everyone else uses when you know for a fact you're scanning a client who has an Intrusion Prevention System.
>
> As far as determining which IPs and ports are open: I know with nmap you can do a SYN scan (by default) which is a little stealth and you can slow it down to make it a little more stealthy. Is there a better way?
>
> As far as determining if software on said ports is vulnerable: I'm assuming the only stealth way is to use netcat or telnet and manually grab the banner, and look up what I find? Something like Nessus, I'm assuming, is impossible to make stealthy?
>
> Thanks in advance,
> Jon
------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
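Added example (not part of the thread, and not natron's or jond's code): the defender's side of the threshold point above. A per-minute distinct-port rule, which is what a simple IPS rate signature approximates, misses a scan spread over several days, while the same count aggregated over a week of connection logs flags it. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines (not from the original thread). One
# noisy scanner (203.0.113.9) hits 12 ports in under a minute; one slow
# scanner (203.0.113.5) probes the same 12 ports six hours apart over
# three days; a normal client (198.51.100.7) reuses only 80 and 443.
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
LOG_LINES = (
    [f"2008-09-23T10:00:{s:02d} src=203.0.113.9 dport={p}"
     for s, p in enumerate(PORTS)]
    + [f"2008-09-{20 + i // 4:02d}T{6 * (i % 4):02d}:15:00 src=203.0.113.5 dport={p}"
       for i, p in enumerate(PORTS)]
    + [f"2008-09-23T10:{m:02d}:00 src=198.51.100.7 dport={p}"
       for m, p in zip(range(30), [80, 443] * 15)]
)


def parse(line):
    """Split one constructed log line into (timestamp, source, dport)."""
    ts, src, dport = line.split()
    return datetime.fromisoformat(ts), src.split("=")[1], int(dport.split("=")[1])


def distinct_ports_per_source(lines, window, threshold):
    """Return sources that touched >= threshold distinct destination ports
    within any span no longer than `window`; a sliding window over each
    source's time-sorted events does the counting."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, port = parse(line)
        by_src[src].append((ts, port))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


def burst_scan_sources(lines):
    # One-minute window: the kind of rate rule a slow scan stays under.
    return distinct_ports_per_source(lines, timedelta(minutes=1), 10)


def slow_scan_sources(lines):
    # Same port count, but aggregated over a week of retained logs.
    return distinct_ports_per_source(lines, timedelta(days=7), 10)


if __name__ == "__main__":
    print(sorted(burst_scan_sources(LOG_LINES)), sorted(slow_scan_sources(LOG_LINES)))
```

The trade-off is retention and state: the long window has to keep per-source port sets for days, which is why many inline devices only implement the short one.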
Current thread:
- Scanning through an IPS jond (Sep 23)
- Re: Scanning through an IPS natron (Sep 23)
- Re: Scanning through an IPS Andre Gironda (Sep 23)
- Re: Scanning through an IPS Matt - MRS Security (Sep 24)
- Re: Scanning through an IPS Andre Gironda (Sep 24)
- Re: Scanning through an IPS Marco Ivaldi (Sep 24)
- Re: Scanning through an IPS Matt - MRS Security (Sep 24)
- Re: Scanning through an IPS Todd Haverkos (Sep 24)