From: Chris Brenton (cbrenton@chrisbrenton.org)
Date: Tue Jan 01 2008 - 08:26:01 EST
On Mon, 2007-12-31 at 10:59 +0530, Ravi wrote:
>
> I'm kinda looking to do a decoy scanning with traffic similar to Nessus.
How easy/hard depends on what they have on the other end. For example:
hping -a 192.168.1.10 -E attack.txt -A -p 80 10.10.10.1
Will send a TCP ACK packet to port 80 at 10.10.10.1 from the source IP
192.168.1.10. The payload will be the contents of the file "attack.txt".
This file should contain some well known signature that an IDS/IPS will
trigger on such as:
GET /cgi-bin/wrap
or similar. Now, the above will only work if the IDS/IPS in question *is
not* stateful. If it is, you need to do a UDP based attack. Something
like:
hping -a 192.168.1.10 -E attack.txt -2 -p 53 10.10.10.1
Where 10.10.10.1 is their name server and attack.txt contains something
like:
version.bind
HTH,
Chris
--
cbrenton@chrisbrenton.org
Did you know: When a Windows system sends an Echo-Request, it codes in how many Echo-Requests have been transmitted since the last reboot. This can be helpful in locating zombies.
Visit http://www.sans.org/info/16981 to find out how you can learn more.
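The stateful-versus-non-stateful point in the reply above, as an added example that is not from the post or its author: a small Python model of the two inspection styles, run over constructed packets that reuse the post's example addresses (192.168.1.10 spoofed source, 10.10.10.1 target) plus an assumed legitimate client 172.16.0.5. It shows why a spoofed bare ACK carrying a known content string fires a per-packet signature match but is ignored by a sensor that only inspects payload on flows whose handshake it has seen.

```python
from dataclasses import dataclass

SIGNATURE = b"GET /cgi-bin/wrap"   # the content string quoted in the post, used as an IDS signature

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # TCP flag letters: "S" = SYN, "A" = ACK
    payload: bytes = b""

def stateless_alerts(packets):
    """A non-stateful matcher: inspects every packet's payload on its own."""
    return [p for p in packets if SIGNATURE in p.payload]

class StatefulInspector:
    """Tracks the three-way handshake and matches payload only on established flows."""
    def __init__(self):
        self.syn_seen = set()      # flow keys (client, server, server_port) after the client SYN
        self.synack_seen = set()   # same keys after the server replied SYN/ACK
        self.established = set()   # same keys after the client's final ACK

    def alerts(self, packets):
        hits = []
        for p in packets:
            fwd = (p.src, p.dst, p.dport)      # client -> server direction
            rev = (p.dst, p.src, p.sport)      # server -> client direction
            if p.flags == {"S"}:
                self.syn_seen.add(fwd)
            elif p.flags == {"S", "A"} and rev in self.syn_seen:
                self.synack_seen.add(rev)
            elif "A" in p.flags and fwd in self.synack_seen:
                self.established.add(fwd)
            # A bare ACK on an untracked flow falls through without payload matching,
            # which is why the spoofed packet never reaches the signature check here.
            if fwd in self.established and SIGNATURE in p.payload:
                hits.append(p)
        return hits

# Constructed sample traffic: a spoofed bare ACK carrying the signature, then a real
# client (assumed address) that completes a handshake and sends the same request.
SAMPLE = [
    Packet("192.168.1.10", "10.10.10.1", 40000, 80, frozenset("A"), SIGNATURE + b"\r\n"),
    Packet("172.16.0.5", "10.10.10.1", 51000, 80, frozenset("S")),
    Packet("10.10.10.1", "172.16.0.5", 80, 51000, frozenset("SA")),
    Packet("172.16.0.5", "10.10.10.1", 51000, 80, frozenset("A")),
    Packet("172.16.0.5", "10.10.10.1", 51000, 80, frozenset("A"), SIGNATURE + b"\r\n"),
]

def compare(packets=SAMPLE):
    """Return the source IPs flagged by the stateless and the stateful sensor."""
    return ([p.src for p in stateless_alerts(packets)],
            [p.src for p in StatefulInspector().alerts(packets)])
```

Running `compare()` flags both sources on the stateless side but only the handshaking client on the stateful side; a real sensor would also need sequence-number and teardown tracking, which this model omits.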
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:18 EDT