From: John Forristel (SunGard-Chico) (John.Forristel@sungardbi-tech.com)
Date: Wed Jan 02 2008 - 09:39:18 EST
If I understand the problem, you need to gather information from a
remote machine without tripping the IPS. Or change your scanner to not
trip the IPS.
The first method takes me back a while, so I had to look it up. It
would require finding a machine that returned packet with sequential
numbers. Most these days are random, or random enough where it makes no
difference. The method is found at
http://insecure.org/nmap/idlescan.html
The other way is to slow your scans enough where the IPS server won't
trigger and block your packets. In NMAP, you can do this by setting the
-t option to 2, 1, or 0 to slow its down. Of course, this take a lot
more time, but it is patience that counts in the pentest game.
Personally, I use Nessus in conjunction with NMAP. I use a setting of
-t2 and let it go on the subnet. This can take a couple of days, but
who cares. I never schedule a pentest without three weeks of time,
minimum. Once I can look at what it open/filtered/closed, I tailor the
Nessus session to look at the particular services, not just slam the
whole thing. I set Nessus to scan one target at a time (the default it
4). I use Metasploit with the same methodology. Metasploit is more
granular, and the proof is far more convincing to a client.
However, if you goal is to send malformed packets only, Scapy is the
tool you are looking for, NMAP doesn't do that.
John
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Ravi
Sent: Sunday, December 30, 2007 9:29 PM
To: kish_pent@yahoo.com; pen-test
Subject: Re: Tool for sending malicious traffic to destination system
Hi Kish & list,
I'm kinda looking to do a decoy scanning with traffic similar to Nessus.
I understand I can't do decoy scanning with Nessus. So if there is a
tool that could send malicious traffic like Nessus to my target that
would be it!!! I'm basically trying to test a network that blocks my IP
when I scan with Nessus. I want to prove to customer that I can spoof a
source IP that would be blocked by your IPS leading to a DoS issue.
Thax.
Kish Pent wrote:
> Hey ,
>
> You must define what you mean by malicious traffic
> before crafting it, based on which the tool can be
> selected. Your aim is to send malformed packets which
> in other words you're trying to interpret as malicious
> traffic. By the way, nmap is no example for sending
> malicious traffic. Scapy is a very good packet
> crafting tool, and it can be used for subsequent
> port-scanning, protocol analysis, and best of all,
> it's just THE tool for packets. (it can do what hping
> can do for you, it can do what nmap,unicornscan or
> some other tools can do for you)
>
> You might also want to check out the www.secdev.org
> website, Philippe Biondi from EADS has written the
> tool, and given some excellent docs and ppt(s) out
> there.
>
> Cheers :)
> Kish
>
> --- Ravi <whitehaat@gmail.com> wrote:
>
>
>> Hi guys...
>>
>> Can anybody help me in finding a tool like 'nmap-(-D
>> decoy)' which can
>> send some malicious content to a system...
>>
>>
>>
>> Thanks & Regards,
>>
>> Whitehaat
>>
>>
>>
>>
>>
>
------------------------------------------------------------------------
>
>> This list is sponsored by: Cenzic
>>
>> Need to secure your web apps NOW?
>> Cenzic finds more, "real" vulnerabilities fast.
>> Click to try it, buy it or download a solution FREE
>> today!
>>
>> http://www.cenzic.com/downloads
>>
>>
>
------------------------------------------------------------------------
>
>>
>
>
> --
> Kishore, Penetration Tester,
> 17/1,Upstairs,Sarojini St,
> Smart Security, T.Nagar,
> Chennai - 600 017
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:18 EDT