Re: Testing IPS with virtual vs real attacks



Thanks for all the responses.

For 1, we are planning to retry by fine tuning signature engine and
setting threshold to some lower values required for the testing.

For 2, we verified with tcpdump that a couple of different attack
payloads are being captured at the victim. Don't know why IPS is not
able to detect. Relevant signatures are enabled and active.

Regards,
Alcides

On Wed, Jan 19, 2011 at 3:11 AM, Dan Catalin Vasile
<danvasile@xxxxxxxxxx> wrote:
A quick hint to problem 1:

The IPS is behaving in a normal way.

First
nmap -sS -n -p 80,443  192.168.1.101 -> is scanning only two common
ports; even if SYN is used, it's not so uncommon for a host to
initiate and then drop a connection like this for various reasons

On the other hand
nmap -sS -n 192.168.1.101 -> is scanning 1000 ports, see
http://nmap.org/book/man-port-specification.html
so the IPS knows it's a scanning attempt.

So it's all about the configuration of the IPS, but triggering an
alert on each half-open connection is paranoid. There are several
other techniques to evade IPS and you can probably test them too:
http://nmap.org/book/man-bypass-firewalls-ids.html
(I would add to this the timing option)

On problem 2, run a tcpdump on the attacker host and see how packets
are formed and transmitted.

--
Dan Catalin VASILE
Pentest Romania
http://www.pentest.ro
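The two behaviours discussed in this thread, as an added illustration that is not code from either poster: a toy signature engine that (a) fires a port-scan alert only once a source touches more than a configurable number of distinct ports, and (b) applies an HTTP signature only to payloads that parse as a well-formed HTTP request. The threshold value, the request-line parsing rule and the sample traffic are assumptions made here; whether the Cisco engine in the thread actually behaves this way is exactly what the tcpdump comparison above is meant to establish.

```python
# Added example, not from the thread. Models two assumed IPS behaviours:
# 1. a port scan is reported only above a distinct-port threshold;
# 2. an HTTP signature is matched only on payloads with HTTP framing.
from collections import defaultdict
from urllib.parse import unquote

SCAN_THRESHOLD = 10                # assumed tunable threshold (thread's "problem 1")
SQLI_SIGNATURE = "' or '1'='1"     # the payload string from the original post


def scan_alerts(syn_records, threshold=SCAN_THRESHOLD):
    """syn_records: iterable of (src_ip, dst_ip, dst_port) for SYN packets.
    Returns the set of source IPs that touched more than `threshold`
    distinct ports on one destination."""
    ports = defaultdict(set)
    for src, dst, port in syn_records:
        ports[(src, dst)].add(port)
    return {src for (src, _dst), p in ports.items() if len(p) > threshold}


def parse_http_request(payload: bytes):
    """Return (method, decoded_path) if the payload starts with a valid
    HTTP request line, otherwise None."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], unquote(parts[1])


def http_alert(payload: bytes) -> bool:
    """Fire only when the payload is a parseable HTTP request whose URI
    carries the signature. Raw bytes without HTTP framing are never
    handed to the HTTP inspection path, so they cannot match."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return False
    return SQLI_SIGNATURE.lower() in parsed[1].lower()


# Constructed sample traffic for the thread's scenario, not a real capture.
TWO_PORT_SCAN = [("192.168.1.1", "192.168.1.101", p) for p in (80, 443)]
FULL_SCAN = [("192.168.1.1", "192.168.1.101", p) for p in range(1, 1001)]
RAW_NETCAT = b"' or '1'='1\n"      # what a bare netcat send looks like on the wire
BROWSER_GET = (b"GET /login.php?user=%27%20or%20%271%27%3D%271 HTTP/1.1\r\n"
               b"Host: 192.168.1.101\r\n\r\n")

if __name__ == "__main__":
    print("two-port scan alerts:", scan_alerts(TWO_PORT_SCAN))   # set()
    print("1000-port scan alerts:", scan_alerts(FULL_SCAN))      # {'192.168.1.1'}
    print("raw netcat payload alert:", http_alert(RAW_NETCAT))   # False
    print("browser request alert:", http_alert(BROWSER_GET))     # True
```

Lowering `SCAN_THRESHOLD` below 2 makes the two-port scan fire, which is the trade-off against false positives that the reply above calls paranoid.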

On Tue, Jan 18, 2011 at 11:16 AM, Alcides <alcides.hercules@xxxxxxxxx> wrote:

Hi All,

I have come across something a little hard to digest. I want to know
your expert views on this.

Here's the scenario:
An IPS (Cisco 4260) is being tested in a pre-deployment phase, at one
of our clients. IPS is running in 'promiscuous mode' and plugged into
the SPAN port at the core switch.

We have written a bash script which we run from the 'attacker'
machine (192.168.1.1). It first does a portscan and then throws an
exploit code at the vulnerable webserver in our
network (192.168.1.101). We expected our IPS to raise at least 2
alerts.

Problem 1:
Now, whenever we launch nmap to scan for two ports, IPS does not show
any alert.
nmap -sS -n -p 80,443  192.168.1.101

But, if we run the nmap from CLI without -p switch, IPS shows an alert.
nmap -sS -n 192.168.1.101

What could be the reason behind this?


Problem 2:
When we send the SQL injection payload using script, it is not caught
by IPS. While troubleshooting, we confirmed (using netcat listener at
victim - instead of real web server) that ' or '1'='1 string reaches
the server machine. If packets with that SQL payload are travelling
through the same network, why is the IPS not seeing them? We could not
find the answer.
Going one step ahead, when we submitted the same string in the URL
request from attacker's browser, it was caught by IPS.

Same happens with all other attack payloads that we are throwing
towards real or virtual (netcat listener) servers, using netcat.

Why is the IPS unable to see these attacks?


Thanks,
Alcides

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------