RE: Evading IDS?

From: Mark G. Spencer (mspencer@evidentdata.com)
Date: Mon Mar 22 2004 - 18:24:13 EST


Hi Gary,

I've been banging away on the target network and it looks like host-based
IDS/IPS. While getting locked out of each webserver during fragroute
testing today, I noticed I could still telnet into routers and domain
servers on the target network. I took your advice and have been testing
each fragroute method with "legitimate" traffic to make sure things are put
back together properly on the other end - so far, they do. I've tried the
following fragroute configs and still got blacklisted once I fired up Nikto:

tcp_chaff paws

And

tcp_chaff paws
order random

So I've got many more methods to go. I'm still using Nikto for my testing.
I haven't figured out yet how to turn the trace/track tests (where I get
blacklisted) off, but will get to that soon to see if getting rid of those
tests has any impact on the IDS/IPS behavior.

Thank you, and everyone else on the list, for the great advice!

Mark

-----Original Message-----
From: Golomb, Gary [mailto:GGolomb@enterasys.com]
Sent: Thursday, March 18, 2004 7:08 PM
To: Mark G. Spencer; pen-test@securityfocus.com
Subject: RE: Evading IDS?

As far as already available tools go, use fragroute with the PAWS/wrapped
sequencing chaffing options. Don't bother with the fragmentation options -
you'll probably just run into the same problem.
This could be used together with overlapping and out-of-order segments with
some lapses in timing. (The fragroute man page is well written and covers
all this stuff.) The only caveat is that you'll need to know how the end
host will handle reassembly of your packets. A good way to test is to set up
fragroute, send completely benign/normal requests through it, and see if you
get replies. In reality, you'll get limited mileage with application-layer
encoding against most IDSs, *especially* when it comes to http. (Not that
it's completely ineffective. There are just easier alternatives available
IMO.)

-gary
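As an added illustration from the detection side (not code from this thread or from fragroute), a toy reassembler showing why a monitor that ignores the TCP timestamp option sees a different stream than a PAWS-implementing end host; the segments, sequence numbers and timestamps below are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    tsval: int      # TCP timestamp option value (TSval) carried by the segment
    payload: bytes

def ts_older(a: int, b: int) -> bool:
    """True if 32-bit timestamp a precedes b (modular comparison, RFC 7323)."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF

def naive_reassemble(arrival: List[Segment]) -> bytes:
    """Reassembly that ignores timestamps: the first segment seen for a
    sequence number wins.  This is the view of a monitor without PAWS."""
    seen: Dict[int, bytes] = {}
    for s in arrival:
        seen.setdefault(s.seq, s.payload)
    return b"".join(seen[k] for k in sorted(seen))

def paws_reassemble(arrival: List[Segment], ts_recent: int) -> bytes:
    """Reassembly as a PAWS-implementing end host does it: a segment whose
    TSval is older than TS.Recent is discarded, and TS.Recent only advances
    on in-order segments (RFC 7323 section 5.3).  ts_recent is the TSval
    learned during the handshake."""
    accepted: Dict[int, bytes] = {}
    next_seq = 0                      # edge of contiguous accepted data
    for s in arrival:
        if ts_older(s.tsval, ts_recent):
            continue                  # stale timestamp: the host drops it
        if s.seq <= next_seq:
            ts_recent = s.tsval       # in-order segment: update TS.Recent
        accepted.setdefault(s.seq, s.payload)
        while next_seq in accepted:   # advance the contiguous edge
            next_seq += len(accepted[next_seq])
    return b"".join(accepted[k] for k in sorted(accepted))

# Constructed sample: one benign request split into three segments, plus
# three same-sequence filler segments carrying stale timestamps, arriving
# interleaved and with the real segments partly out of order.
SYN_TSVAL = 1000
REAL_REQUEST = b"GET /index.html HTTP/1.0\r\n\r\n"
real = [Segment(0, 1001, REAL_REQUEST[:8]),
        Segment(8, 1002, REAL_REQUEST[8:16]),
        Segment(16, 1003, REAL_REQUEST[16:])]
filler = [Segment(0, 5, b"X" * 8), Segment(8, 5, b"X" * 8), Segment(16, 5, b"X" * 12)]
ARRIVAL = [filler[0], real[0], filler[1], filler[2], real[2], real[1]]
```

This is also why Gary's caveat about knowing the end host's reassembly behaviour matters: a monitor can only mirror the host's view if it knows whether that host actually applies PAWS.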




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT