RE: Evading IDS?

From: Mark G. Spencer (mspencer_at_evidentdata.com)
Date: 03/23/04

    To: <pen-test@securityfocus.com>
    Date: Mon, 22 Mar 2004 15:24:13 -0800


    Hi Gary,

    I've been banging away on the target network and it looks like host-based
    IDS/IPS. While getting locked out of each webserver during fragroute
    testing today, I noticed I could still telnet into routers and domain
    servers on the target network. I took your advice and have been testing
    each fragroute method with "legitimate" traffic to make sure things are put
    back together properly on the other end - so far, they do. I've tried the
    following fragroute configs and still got blacklisted once I fired up Nikto:

    tcp_chaff paws

    And

    tcp_chaff paws
    order random

    So I've got many more methods to go. I'm still using Nikto for my testing.
    I haven't figured out yet how to turn the trace/track tests (where I get
    blacklisted) off, but will get to that soon to see if getting rid of those
    tests has any impact on the IDS/IPS behavior.

    Thank you, and everyone else on the list, for the great advice!

    Mark

    -----Original Message-----
    From: Golomb, Gary [mailto:GGolomb@enterasys.com]
    Sent: Thursday, March 18, 2004 7:08 PM
    To: Mark G. Spencer; pen-test@securityfocus.com
    Subject: RE: Evading IDS?

    As far as already available tools go, use fragroute with the PAWS/wrapped
    sequencing chaffing options. Don't bother with the fragmentation options -
    you'll probably just run into the same problem.
    This could be used together with overlapping and out-of-order segments with
    some lapses in timing. (The fragroute man page is well written and covers
    all this stuff.) The only caveat is that you'll need to know how the end
    host will handle reassembly of your packets. A good way to test is to set up
    fragroute, send completely benign/normal requests through it, and see if you
    get replies. In reality, you'll get limited mileage with application-layer
    encoding against most IDSs, *especially* when it comes to http. (Not that
    it's completely ineffective. There are just easier alternatives available
    IMO.)

    -gary

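As an added illustration (not part of either message above), a small Python model of Gary's point about end-host reassembly: a monitor that skips the PAWS check accepts chaff segments carrying stale timestamps and rebuilds garbage, while one that mirrors the host's RFC 7323 behaviour discards them and recovers the real request. The segments, sequence numbers and timestamps are constructed, and `Segment`, `paws_ok` and `reassemble` are names chosen here, not fragroute or IDS code.

```python
"""Naive vs PAWS-aware TCP reassembly of PAWS-chaffed traffic (constructed data)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    tsval: int      # TCP timestamp option (TSval) carried by the segment
    payload: bytes

def paws_ok(tsval: int, ts_recent: int) -> bool:
    """RFC 7323 sec. 5.2: a segment whose TSval is older than TS.Recent fails PAWS;
    the comparison is modulo 2**32 so timestamp wrap-around is handled."""
    return ((tsval - ts_recent) & 0xFFFFFFFF) < 0x80000000

def reassemble(segments, isn: int, ts_recent: int, paws: bool) -> bytes:
    """Rebuild the stream with a first-segment-wins policy. With paws=True the
    PAWS check and TS.Recent bookkeeping of a real end host are applied, so chaff
    carrying stale timestamps is dropped; with paws=False (a naive monitor) it is
    accepted and shadows the real data."""
    held = {}             # seq -> payload of the first accepted segment at that seq
    next_seq = isn        # left edge of the receive window
    for seg in segments:
        if paws and not paws_ok(seg.tsval, ts_recent):
            continue      # the end host discards this segment, so must the monitor
        held.setdefault(seg.seq, seg.payload)
        if paws and seg.seq <= next_seq:
            ts_recent = seg.tsval       # only in-order data advances TS.Recent
        while next_seq in held:         # deliver contiguous data
            next_seq += len(held[next_seq])
    out, seq = b"", isn
    while seq in held:
        out += held[seq]
        seq += len(held[seq])
    return out

# Constructed flow: ISN 1000, handshake TSval 500, a benign HTTP request in three
# segments, each preceded on the wire by a same-sized chaff segment with TSval 7.
ISN, TS0 = 1000, 500
REAL = [Segment(1000, 501, b"GET /index"), Segment(1010, 502, b".html HTTP"),
        Segment(1020, 503, b"/1.0\r\n\r\n")]
CHAFF = [Segment(s.seq, 7, b"X" * len(s.payload)) for s in REAL]
WIRE = [CHAFF[0], REAL[0], CHAFF[2], REAL[2], CHAFF[1], REAL[1]]  # chaffed and reordered

if __name__ == "__main__":
    print("naive monitor:", reassemble(WIRE, ISN, TS0, paws=False))
    print("PAWS-aware   :", reassemble(WIRE, ISN, TS0, paws=True))
```

The same bookkeeping is what the monitor needs in order to stay in step with the host, which is why Gary's advice to confirm the end host's reassembly behaviour with benign traffic matters.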