Penetration Testing mailing list archives

Re: Scanning through an IPS


From: Marco Ivaldi <raptor () mediaservice net>
Date: Wed, 24 Sep 2008 11:26:50 +0200 (Western European standard time)

On Tue, 23 Sep 2008, Andre Gironda wrote:

On Tue, Sep 23, 2008 at 11:28 AM, jond <x () jond com> wrote:
I'm wondering what techniques everyone else uses when you know for a
fact you're scanning a client who has an Intrusion Prevention System.

1) Don't do pen-testing or vulnerability assessments like this.  See
post/comments:
http://securosis.com/2008/09/19/how-to-tell-if-your-pci-scanning-vendor-is-dangerous/

As a side note, here's something that's often overlooked by security testers and network architects alike: if you can trigger a block by the IPS using easily spoofable packets (i.e., SYN scans or malicious UDP payloads), you may effectively be able to cause a Denial of Service condition on the target network -- depending on IPS configuration and other factors.

For instance, what happens if you launch a spoofed port scan that appears to be coming from either their upstream router, the root nameservers, or other actors that need to be able to connect to the target network?

Of course, don't try to reproduce such an attack scenario without prior explicit Client consent.

PS. See also: http://seclists.org/pen-test/2008/Jun/0070.html

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
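A defender-side illustration of the point Marco raises, added here as an example and not code from the thread: an IPS auto-block gate that refuses to act on evidence a third party could have forged (a bare SYN or a UDP datagram) and never auto-blocks the peers the post names as needing to stay reachable. All addresses, alerts and the `NEVER_AUTO_BLOCK` list are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed never-auto-block list: peers that must always be able to reach
# the network (upstream router, DNS infrastructure). TEST-NET placeholders only.
NEVER_AUTO_BLOCK = [ipaddress.ip_network(n) for n in (
    "203.0.113.1/32",    # upstream router (placeholder)
    "198.51.100.0/24",   # nameserver / resolver range (placeholder)
)]


@dataclass
class Alert:
    src: str              # source address as seen by the sensor
    proto: str            # "tcp" or "udp"
    handshake_done: bool  # did src complete a TCP three-way handshake?
    sig: str              # signature name that fired


def block_decision(alert):
    """Return (should_block, reason).

    A spoofed SYN scan or a forged UDP payload carries no proof of who sent
    it, so acting on it lets an attacker choose which address gets blocked.
    Only a source that completed a handshake has demonstrated it owns the
    address; critical peers are never blocked automatically at all.
    """
    src = ipaddress.ip_address(alert.src)
    if any(src in net for net in NEVER_AUTO_BLOCK):
        return False, "critical peer: alert only, block needs manual review"
    if alert.proto == "udp":
        return False, "udp source is unauthenticated: alert only"
    if alert.proto == "tcp" and not alert.handshake_done:
        return False, "no completed handshake: source address may be spoofed"
    return True, f"block {alert.src}: {alert.sig} on established tcp session"


def triage(alerts):
    """Apply block_decision to a batch and return the addresses to block."""
    return [a.src for a in alerts if block_decision(a)[0]]


# Constructed sample alerts: a spoofed SYN scan "from" the upstream router, a
# forged UDP payload, an unverified SYN scan, and a real post-handshake attack.
SAMPLE_ALERTS = [
    Alert("203.0.113.1", "tcp", False, "syn-scan"),
    Alert("192.0.2.10", "udp", False, "udp-exploit-payload"),
    Alert("192.0.2.11", "tcp", False, "syn-scan"),
    Alert("192.0.2.12", "tcp", True, "http-exploit-attempt"),
]
```

Only the last alert results in a block; the first three are logged for a human, which is the behaviour that keeps a spoofed scan from turning the IPS into a denial-of-service tool against the network's own peers.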

