Penetration Testing mailing list archives
Re: Testing IPS with virtual vs real attacks
From: Dan Catalin Vasile <danvasile () pentest ro>
Date: Wed, 19 Jan 2011 10:11:39 +0200
A quick hint to problem 1: The IPS is behaving in a normal way.

First,

    nmap -sS -n -p 80,443 192.168.1.101

is scanning only two common ports. Even if SYN is used, it's not so uncommon for a host to initiate and then drop a connection like this for various reasons. On the other hand,

    nmap -sS -n 192.168.1.101

is scanning 1000 ports (see http://nmap.org/book/man-port-specification.html), so the IPS knows it's a scanning attempt. So it's all about the configuration of the IPS, but triggering an alert on each half-open connection is paranoid.

There are several other techniques to evade IPS and you can probably test them too: http://nmap.org/book/man-bypass-firewalls-ids.html (I would add to this the timing option).

On problem 2, run a tcpdump on the attacker host and see how packets are formed and transmitted.

--
Dan Catalin VASILE
Pentest Romania
http://www.pentest.ro

On Tue, Jan 18, 2011 at 11:16 AM, Alcides <alcides.hercules () gmail com> wrote:
Hi All,

I have come across something a little hard to digest. I want to know your expert views on this. Here's the scenario:

An IPS (Cisco 4260) is being tested in a pre-deployment phase, at one of our clients. The IPS is running in 'promiscuous mode' and plugged into the SPAN port at the core switch. We have written a bash script which we run from the 'attacker' machine (192.168.1.1). It first does a portscan and then throws an exploit code at the vulnerable webserver in our network (192.168.1.101). We expected our IPS to raise at least 2 alerts.

Problem 1: Now, whenever we launch nmap to scan for two ports, the IPS does not show any alert.

    nmap -sS -n -p 80,443 192.168.1.101

But, if we run nmap from the CLI without the -p switch, the IPS shows an alert.

    nmap -sS -n 192.168.1.101

What could be the reason behind this?

Problem 2: When we send the SQL injection payload using the script, it is not caught by the IPS. While troubleshooting, we confirmed (using a netcat listener at the victim, instead of the real web server) that the ' or '1'='1 string reaches the server machine. If packets with that SQL payload are travelling through the same network, why is the IPS not seeing them? We could not find the answer. Going one step ahead, when we submitted the same string in the URL request from the attacker's browser, it was caught by the IPS.

The same happens with all other attack payloads that we are throwing towards real or virtual (netcat listener) servers, using netcat. Why is the IPS unable to see these attacks?

Thanks,
Alcides

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
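To make Dan's point about problem 1 concrete, here is an added example (not from either poster, and not the Cisco 4260's logic) of the threshold-style port-scan detection an IPS typically applies. It counts the distinct destination ports one source has sent SYNs to on one target within a sliding time window and alerts only above a threshold, so the two-port scan stays silent while the default 1000-port scan fires. The threshold, window, record format and the constructed SYN records are all assumptions; nmap's real default probes the top 1000 ports rather than ports 1 to 1000.

```python
"""Threshold-based SYN-scan detector over constructed SYN records (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """One observed TCP SYN: timestamp in seconds, source, destination, dest port."""
    ts: float
    src: str
    dst: str
    dport: int


class SynScanDetector:
    """Alert when one (src, dst) pair touches more than `port_threshold`
    distinct destination ports within `window_seconds`. Values are assumed."""

    def __init__(self, port_threshold=20, window_seconds=60.0):
        self.port_threshold = port_threshold
        self.window = window_seconds
        # (src, dst) -> deque of (ts, dport), oldest first, trimmed to the window
        self._events = defaultdict(deque)
        self._alerted = set()  # alert once per pair, like a typical IPS signature

    def observe(self, syn):
        key = (syn.src, syn.dst)
        q = self._events[key]
        q.append((syn.ts, syn.dport))
        # Drop SYNs that fell out of the sliding window.
        while q and syn.ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > self.port_threshold and key not in self._alerted:
            self._alerted.add(key)
            return (f"ALERT portscan {syn.src} -> {syn.dst}: "
                    f"{len(distinct)} distinct ports within {self.window:.0f}s")
        return None


def run(syns, **detector_kwargs):
    """Feed records in time order; return the list of alert strings raised."""
    det = SynScanDetector(**detector_kwargs)
    alerts = []
    for s in sorted(syns, key=lambda s: s.ts):
        a = det.observe(s)
        if a:
            alerts.append(a)
    return alerts


# --- constructed traffic, modelled on the two commands in the thread ---

def two_port_scan():
    """What 'nmap -sS -n -p 80,443 192.168.1.101' produces: two SYNs."""
    return [Syn(0.000, "192.168.1.1", "192.168.1.101", 80),
            Syn(0.005, "192.168.1.1", "192.168.1.101", 443)]


def default_scan(n=1000):
    """Stand-in for 'nmap -sS -n 192.168.1.101': 1000 SYNs in about a second
    (sequential ports 1..n here; real nmap uses its top-1000 list)."""
    return [Syn(i * 0.001, "192.168.1.1", "192.168.1.101", 1 + i) for i in range(n)]


def slow_scan(n=100, gap=10.0):
    """The same probes spread out in time; used to show why the window size,
    not only the port threshold, decides what the detector catches."""
    return [Syn(i * gap, "192.168.1.1", "192.168.1.101", 1 + i) for i in range(n)]


if __name__ == "__main__":
    print("two ports :", run(two_port_scan()))
    print("1000 ports:", run(default_scan()))
    print("slow, 60s window  :", run(slow_scan()))
    print("slow, 3600s window:", run(slow_scan(), window_seconds=3600.0))
```

Running it shows the asymmetry Alcides saw: the two-port scan never exceeds the threshold, the 1000-port scan alerts on the 21st SYN. The slow-scan case is the defender-side view of the timing options Dan mentions: with a 60 s window it stays below threshold, with a one-hour window on the same counters it is caught, which is the knob to look at when tuning the sensor rather than lowering the threshold to "alert on every half-open connection".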
Current thread:
- Testing IPS with virtual vs real attacks Alcides (Jan 18)
- Re: Testing IPS with virtual vs real attacks Dan Catalin Vasile (Jan 20)
- Re: Testing IPS with virtual vs real attacks Alcides (Jan 23)
- Re: Testing IPS with virtual vs real attacks Dan Catalin Vasile (Jan 20)