Re: IPS Testing

From: Joseph McCray (joe@learnsecurityonline.com)
Date: Fri Jan 04 2008 - 04:01:30 EST


I hope this email is coherent....

It's 4am for me...and I'm tired....

Pentestr...although you can use a host of tools to change your IP
from SMAC (windows), to macchanger (Linux), to the unthinkable
ifconfig/ipconfig commands....

I would say that you just want to report to the customer that whatever
filtering solution they have in place is, if not working, at
least doing something.

You didn't give a whole lot of information, but I would say that based
on what you said in your email that the scope of the assessment needs to
be more clearly defined...

1. Is this just something you want to note for your report?

2. Is this something whose effectiveness you want to test (i.e. play
with the IDS evasion side of the house)?

3. Most importantly - what is the customer looking for? Does the
customer know that you are testing the I{D|P}S, and/or does he want you
to test the effectiveness of it?

As much as I love hacking - I'm slowly coming to the unbearable
conclusion that pentesting is a service that we provide FOR the
customer, and at the end of the day we have to give them what they want
or at least what they think they want.

NOTE:
If you are only trying to show that an Active IPS solution is in place
then just show the customer that in screenshot 1 your packets were
reaching the target, and in screenshot 2 your packets weren't reaching
the target, but were reachable from another IP address.

If you are looking to actually scan against targets with an IPS in front
of them then I hope you have a lot of time on your hands, because it's
not something that you are going to be able to do quickly.

Make sure that it is in scope first (e.g. some pentest scopes require
the tester to shoot from specific IP addresses). Then get a huge list of
proxies, don't forget the tor network, don't use Nessus, and just sit
down at the command prompt with a beer - because it's gonna be a long
night.

You are going to have to go slow and low - through proxies and tor to
get your network enumeration data. Make sure this is in scope, and is
what the customer REALLY wants you to do before you waste tons of time
doing this kind of stuff only to find out that the target can easily be
exploited via client-side attacks sent via email.

Hope this helps...

j0e

On Thu, 2008-01-03 at 14:26 +0530, pentestr wrote:
> Hi,
>
> I am doing a PT for a customer and found that after running nessus
> against the target our IP is getting blocked permanently. I want to show
> this issue to the customer.
> 1. Is there any specific tool that can generate nessus traffic by
> spoofing IPs?
> 2. Is there any tool that can change IP on the fly? While running nessus
> that should change source IP?
>
> The server has only port 80 open.
>
> Thank you.
> Regards.
> PenTestr.

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access
"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 
        - Zig Ziglar
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:18 EDT