Penetration Testing mailing list archives

Re: Scanning through an IPS


From: "Andre Gironda" <andreg () gmail com>
Date: Tue, 23 Sep 2008 21:36:42 -0700

On Tue, Sep 23, 2008 at 11:28 AM, jond <x () jond com> wrote:
> I'm wondering what techniques everyone else uses when you know for a
> fact you're scanning a client who has an Intrusion Prevention System.

1) Don't do pen-testing or vulnerability assessments like this.  See
post/comments:
http://securosis.com/2008/09/19/how-to-tell-if-your-pci-scanning-vendor-is-dangerous/

Using the OSSTMM 3.0 terminology, prefer Reversals, Tandem, and
Double-Gray Box security tests types (in my order of preference) over
Blind or Double Blind tests.
See page 16, [PDF] http://www.isecom.org/mirror/OSSTMM_3.0_LITE.pdf

2) If you have to do a low-knowledge security test, then make sure to
use osstmm-afd, w3af, and/or other tools (I like the lft -E tool) to
help identify IPS, WAF, or unsightly firewalls.

3) You can also do what the other poster suggested and use multiple
channels of access.  It's often beneficial to try and get partner or
VPN access to the system-under-test.  Try the above mentioned tools
from each channel and note the results.

One especially good tool for testing in this way is proxyScan.pl
http://www.e-things.org/go//?p=52

nmap supports various ways of testing from different channels - see
the documentation for ideas.

4) Another way would be to start with spear phishing and then pivot
your attacks through the client-side.  Spear phishing is just a fancy
way of saying targeted, client-side attack.  This could be varied in
many ways, including physical access, wireless access (WiFi, BT,
other), and the classic browser/Flash/PDF/document/email borne
malware.  I think Core Impact Essential and SAINTexploit provide cheap
commercial solutions for spear phishing.  Popular today are the easy
and free Karmetasploit, Caffe Latte (via aireplay-ng -6 or airbase-ng
-L), Jasager, and similar attacks.  pbounce and chownat are just some
example tools that would allow easy pivoting without a full rootkit,
backdoor, or syscall proxy.  ImmunitySec has some neat free rootkit
and backdoor technology for Windows and Linux that also might be worth
exploring.  Much of this often goes a bit too far and tends to waste a
lot of time and resources on unnecessary offensive research, IMO, but
YMMV on that depending on who you are talking to.

5) Some like to see the IPS as a challenge.  Is the IPS secure?  Can
you get access to its firmware and do a full pen-test on the IPS
itself?  Can it be fingerprinted down to the firmware revision
(answer: of course it can)?  Is there source code available for
review?  Is there an active, known vulnerability or exploit against
the version the client is using?

I tend to look at all applications, every piece of software or
firmware in the path - as a part of this exercise.  Fingerprint,
identify the use and misuse angles of every piece of software.
Finally, app pen-test each software, setting priorities and taking
time into account.  What else do you do during a pen-test?  Please
don't say "run a scanner and write a report".

Cheers,
Andre
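Item 3 above recommends running the same tools from each access channel and noting the results. As an added illustration (not part of Andre's post, and not one of the tools he names), the Python below compares constructed per-channel port-scan records and flags the two signs that an inline device sits on one path: port states that change with the vantage point, and replies whose TTL does not match the host's own. The record layout, channel names and sample values are assumptions made for this example.

```python
# Added example (not from the original post): compare port-scan results gathered
# from several access channels (Internet, VPN, partner link) and flag ports whose
# observed state depends on the vantage point, which is what an inline IPS or
# filtering device between one channel and the host typically produces.
from collections import defaultdict

# Constructed sample records: (channel, port, state, ttl_of_reply); ttl None = no reply.
SAMPLE = [
    ("internet", 22, "open", 63), ("vpn", 22, "open", 63), ("partner", 22, "open", 63),
    ("internet", 80, "open", 63), ("vpn", 80, "open", 63), ("partner", 80, "open", 63),
    ("internet", 445, "filtered", None), ("vpn", 445, "open", 63), ("partner", 445, "open", 63),
    ("internet", 3389, "closed", 58), ("vpn", 3389, "open", 63), ("partner", 3389, "closed", 58),
]

def channel_discrepancies(records):
    """Return {port: {channel: state}} for ports whose state differs across channels."""
    by_port = defaultdict(dict)
    for channel, port, state, _ttl in records:
        by_port[port][channel] = state
    return {p: ch for p, ch in by_port.items() if len(set(ch.values())) > 1}

def ttl_anomalies(records, tolerance=2):
    """Flag (channel, port) replies whose TTL departs from the host's modal TTL.

    A device answering on the host's behalf (e.g. an IPS sending RSTs) is usually a
    different number of hops away, so its replies carry a different TTL than the
    host's own SYN/ACKs. A small tolerance absorbs ordinary route variance.
    """
    ttls = [t for *_, t in records if t is not None]
    baseline = max(set(ttls), key=ttls.count)  # modal TTL = the host's own replies
    return sorted((ch, port) for ch, port, _s, t in records
                  if t is not None and abs(t - baseline) > tolerance)

def report(records):
    """Combine both checks into a per-port summary for the assessment notes."""
    out = {}
    for port, states in channel_discrepancies(records).items():
        out[port] = {"states": states, "ttl_anomalies": []}
    for ch, port in ttl_anomalies(records):
        out.setdefault(port, {"states": {}, "ttl_anomalies": []})["ttl_anomalies"].append(ch)
    return out

if __name__ == "__main__":
    for port, info in sorted(report(SAMPLE).items()):
        print(port, info)
```

A port that is open over VPN but filtered from the Internet, or a closed-port reply whose TTL differs from the host's, should be written up as "state depends on path" rather than as a plain finding, and tells the defender which channels the inline device does and does not cover.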
