Re: Evading IDS?

From: Al Smolkin (UnODir_at_hotpop.com)
Date: 03/18/04

  • Next message: wirepair: "Re: Pen Test Data/Report Management; Tracking/Procedure document"
    To: "pen-test@securityfocus.com" <pen-test@securityfocus.com>
    Date: Thu, 18 Mar 2004 15:14:51 -0500
    
    

    Firewalk until you can pinpoint the hosts, and THEN run nmap

    On Thu, 18 Mar 2004 10:55:52 -0800, Mark G. Spencer wrote:

    >I've come across what I assume is an IDS during some network reconnaissance.
    >I am able to run nmap (connect scan, default ports) against the entire
    >target class C in question without any problems, but when I run Nikto
    >against any of the webservers, Nikto output dies just after the trace/track
    >method information and I am then unable to access anything on the target
    >class C for a set period of time - at least fifteen minutes.
    >
    >If I move to a different netblock, I can access the target class C again ..
    >well, until I run Nikto. ;)
    >
    >It looks like all the routing and VPN gear on the target class C is Cisco
    >based, so I'll make an assumption for now that the IDS is also Cisco.
    >
    >Any advice on how to evade the IDS? I know Nessus and Nikto offer a variety
    >of IDS evasion techniques, but am I correct in assuming that a vendor such
    >as Cisco (or any large vendor) has taken well-known evasion techniques into
    >account? I will try different combinations of evasion techniques today and
    >hopefully won't run out of open class C IP addresses on my network as I
    >continue getting 15min+ blacklisted.
    >
    >Thanks for the advice,
    >
    >Mark


