Re: IPS Testing

From: Mike Gibson (micheal.gibson@gmail.com)
Date: Fri Jan 11 2008 - 13:07:26 EST


Pentestr,

Chances are the IPS is blocking your IP because of the malicious
payload within the packets that Nessus is sending. Spoofing your IP
for a TCP session to get to the point where the server believes you
have an established connection so you can actually send a malicious
payload from a spoofed IP is not that easy these days. If you are able
to get the IPS to permanently block your IP based on other things like
performing an NMAP scan from a spoofed IP for example then that would
be something that would be easy to reproduce and something your client
would definitely want to do something about.

Do you know for sure that it is blocking you forever? Most clients I
have come across block for a certain amount of time (as much as 24
hours) but it isn't forever.

If I were a network admin and my IPS was blocking an IP for 24 hours
based on it detecting malicious content in a datagram during an
established TCP session I wouldn't be too concerned about an attacker
leveraging this to perform a DoS against legitimate users. I would be
nervous about false positives but that is another story. :-)

Mike Gibson
Security Architect
Third Brigade
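The policy Mike describes above (block only on evidence that requires a completed TCP handshake, and only for a bounded time) as a small added example; this is illustrative code written for this page, not anything from the thread or from Third Brigade. The `Event` fields, the 24-hour TTL and the timestamps are assumptions.

```python
# Added example: an IPS block-list policy that applies the reasoning in
# Mike's reply. Source addresses seen only in unauthenticated packets
# (e.g. a port scan) can be forged, so they are logged rather than
# blocked; evidence from an established TCP session is blocked, but every
# block expires after a TTL. Field names and values are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BLOCK_TTL = timedelta(hours=24)   # assumed; the thread cites "as much as 24 hours"


@dataclass
class Event:
    src_ip: str
    trigger: str          # e.g. "port_scan", "malicious_payload"
    established: bool     # True only if seen inside a completed TCP session
    seen_at: datetime


@dataclass
class BlockList:
    blocks: dict = field(default_factory=dict)   # ip -> expiry time
    audit: list = field(default_factory=list)    # decisions, for reviewing false positives

    def handle(self, ev: Event) -> str:
        if not ev.established:
            # No handshake means no proof of origin; a blocked address here
            # could belong to a legitimate user whose IP was spoofed.
            self.audit.append((ev.src_ip, ev.trigger, "logged_only"))
            return "logged_only"
        self.blocks[ev.src_ip] = ev.seen_at + BLOCK_TTL
        self.audit.append((ev.src_ip, ev.trigger, "blocked"))
        return "blocked"

    def is_blocked(self, ip: str, now: datetime) -> bool:
        expiry = self.blocks.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocks[ip]   # block has aged out; drop it
            return False
        return True


def demo():
    """Constructed scenario: a scan from a spoofable source, then a real payload."""
    bl = BlockList()
    t0 = datetime(2008, 1, 3, 3, 56)   # constructed timestamp
    r_scan = bl.handle(Event("1.2.3.4", "port_scan", False, t0))
    r_payload = bl.handle(Event("5.6.7.8", "malicious_payload", True, t0))
    return (r_scan, r_payload,
            bl.is_blocked("1.2.3.4", t0),
            bl.is_blocked("5.6.7.8", t0 + timedelta(hours=1)),
            bl.is_blocked("5.6.7.8", t0 + BLOCK_TTL))
```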

On Jan 8, 2008 9:36 AM, Maxime Ducharme <mducharme@cybergeneration.com> wrote:
>
> Hi
>
> I suggest iptables SNAT
>
> spoof every packet destined to their address
>
> something like
> iptables -t nat -A POSTROUTING -o ethX --dst 4.3.2.1 -j SNAT --to-source 1.2.3.4
>
> where 4.3.2.1 is their IP and 1.2.3.4 is the spoofed IP
>
> some info:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SNATTARGET
>
> hth
>
> Max
>
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
> Behalf Of pentestr
> Sent: 3 January 2008 03:56
> To: Pentest Mailinglist
> Subject: IPS Testing
>
>
> Hi,
>
> I am doing a PT for a customer and found that after running Nessus
> against the target our IP is getting blocked permanently. I want to show
> this issue to the customer.
> 1. Is there any specific tool that can generate Nessus traffic by
> spoofing IPs?
> 2. Is there any tool that can change the IP on the fly, so that the
> source IP changes while Nessus is running?
>
> The server has only port 80 open.
>
> Thank you.
> Regards.
> PenTestr.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT