Penetration Testing mailing list archives
Re: Scanning through an IPS
From: "Andre Gironda" <andreg () gmail com>
Date: Tue, 23 Sep 2008 21:36:42 -0700
On Tue, Sep 23, 2008 at 11:28 AM, jond <x () jond com> wrote:
> I'm wondering what techniques everyone else uses when you know for a fact you're scanning a client who has an Intrusion Prevention System.
1) Don't do pen-testing or vulnerability assessments like this. See post/comments: http://securosis.com/2008/09/19/how-to-tell-if-your-pci-scanning-vendor-is-dangerous/

Using the OSSTMM 3.0 terminology, prefer Reversals, Tandem, and Double-Gray Box security test types (in my order of preference) over Blind or Double Blind tests. See page 16, [PDF] http://www.isecom.org/mirror/OSSTMM_3.0_LITE.pdf

2) If you have to do a low-knowledge security test, then make sure to use osstmm-afd, w3af, and/or other tools (I like the lft -E tool) to help identify IPS, WAF, or unsightly firewalls.

3) You can also do what the other poster suggested and use multiple channels of access. It's often beneficial to try and get partner or VPN access to the system-under-test. Try the above mentioned tools from each channel and note the results. One especially good tool for testing in this way is proxyScan.pl http://www.e-things.org/go//?p=52

nmap supports various ways of testing from different channels - see the documentation for ideas.

4) Another way would be to start with spear phishing and then pivot your attacks through the client-side. Spear phishing is just a fancy way of saying targeted, client-side attack. This could be varied in many ways, including physical access, wireless access (WiFi, BT, other), and the classic browser/Flash/PDF/document/email borne malware. I think Core Impact Essential and SAINTexploit provide cheap commercial solutions for spear phishing. Popular today are the easy and free Karmetasploit, Caffe Latte (via aireplay-ng -6 or airbase-ng -L), Jasager, and similar attacks. pbounce and chownat are just some example tools that would allow easy pivoting without a full rootkit, backdoor, or syscall proxy. ImmunitySec has some neat free rootkit and backdoor technology for Windows and Linux that also might be worth exploring.

Much of this often goes a bit too far and tends to waste a lot of time and resources on unnecessary offensive research, IMO, but YMMV on that depending on who you are talking to.

5) Some like to see the IPS as a challenge. Is the IPS secure? Can you get access to its firmware and do a full pen-test on the IPS itself? Can it be fingerprinted down to the firmware revision (answer: of course it can)? Is there source code available for review? Is there an active, known vulnerability or exploit against the version the client is using?

I tend to look at all applications, every piece of software or firmware in the path - as a part of this exercise. Fingerprint, identify the use and misuse angles of every piece of software. Finally, app pen-test each software, setting priorities and taking time into account.

What else do you do during a pen-test? Please don't say "run a scanner and write a report".

Cheers,
Andre
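Point 3 above says to run the same tools from each access channel and note the results. The following is an added example (not from Andre's post, and not any of the tools he names) of what "noting the results" can look like in practice: it takes per-port observations of one host recorded from two channels (here a constructed "internet" view and a "vpn" view of a sample host), diffs them, and reports the ports that are open on one path but filtered on the other, which is the signature of an inline control (IPS or firewall) sitting on the filtering path. Ports that one channel simply did not report are listed separately as a coverage gap rather than as evidence of filtering. The input format, host address and port states are all constructed for this example.

```python
"""Compare port-state observations of one target taken from two access channels.

Added example for the 'scan from each channel and note the results' step.
Format of each record: "host port/proto state", one per line; 'state' is
whatever the scanning tool reported (open, closed, filtered). The sample
data below is constructed, not a real scan.
"""
from collections import namedtuple

Observation = namedtuple("Observation", "channel host port proto state")

# Constructed sample: the same host seen from the Internet and from a partner VPN.
INTERNET_SCAN = """\
198.51.100.10 22/tcp filtered
198.51.100.10 80/tcp open
198.51.100.10 443/tcp open
198.51.100.10 3389/tcp filtered
"""

VPN_SCAN = """\
198.51.100.10 22/tcp open
198.51.100.10 80/tcp open
198.51.100.10 443/tcp open
198.51.100.10 3389/tcp open
198.51.100.10 8080/tcp open
"""


def parse_scan(text, channel):
    """Parse 'host port/proto state' lines into Observation records for one channel."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, state = line.split()
        port, proto = port_proto.split("/")
        observations.append(Observation(channel, host, int(port), proto, state.lower()))
    return observations


def index_by_port(observations):
    """Map (host, port, proto) -> state so the two channels can be compared key by key."""
    return {(o.host, o.port, o.proto): o.state for o in observations}


def diff_channels(obs_a, obs_b):
    """Return {(host, port, proto): (state_a, state_b)} for every port whose state
    differs between the channels. A port one channel never reported is 'unseen'."""
    a, b = index_by_port(obs_a), index_by_port(obs_b)
    diffs = {}
    for key in sorted(set(a) | set(b)):
        state_a, state_b = a.get(key, "unseen"), b.get(key, "unseen")
        if state_a != state_b:
            diffs[key] = (state_a, state_b)
    return diffs


def likely_filtered_path(diffs, name_a, name_b):
    """From a channel diff, list (key, channel_name) pairs where the port was open
    on one channel and filtered on the other; the named channel is the one whose
    path shows the inline control. 'unseen' is a coverage gap, not filtering."""
    findings = []
    for key, (state_a, state_b) in diffs.items():
        if state_a == "open" and state_b == "filtered":
            findings.append((key, name_b))
        elif state_b == "open" and state_a == "filtered":
            findings.append((key, name_a))
    return findings


def coverage_gaps(diffs):
    """Keys that one channel reported and the other did not report at all."""
    return [key for key, states in diffs.items() if "unseen" in states]


if __name__ == "__main__":
    diffs = diff_channels(parse_scan(INTERNET_SCAN, "internet"),
                          parse_scan(VPN_SCAN, "vpn"))
    for key, where in likely_filtered_path(diffs, "internet", "vpn"):
        print("%s:%d/%s filtered on the %s path" % (key[0], key[1], key[2], where))
    for key in coverage_gaps(diffs):
        print("%s:%d/%s reported by only one channel" % key)
```

The output for the constructed data names 22/tcp and 3389/tcp as filtered on the internet path and 8080/tcp as reported by only one channel; in a real engagement the first list is what goes in the report as "inline control observed on path X", and the second list is a reminder to rerun the missing ports before drawing conclusions.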
Current thread:
- Scanning through an IPS jond (Sep 23)
- Re: Scanning through an IPS natron (Sep 23)
- Re: Scanning through an IPS Andre Gironda (Sep 23)
- Re: Scanning through an IPS Matt - MRS Security (Sep 24)
- Re: Scanning through an IPS Andre Gironda (Sep 24)
- Re: Scanning through an IPS Marco Ivaldi (Sep 24)
- Re: Scanning through an IPS Matt - MRS Security (Sep 24)
- Re: Scanning through an IPS Todd Haverkos (Sep 24)