Re: Port Scanning.

From: robert@dyadsecurity.com
Date: Wed Dec 22 2004 - 01:10:31 EST


Sugiowono (sugiowono@datacomm.co.id) @ Wed, Dec 22, 2004 at 10:42:53AM
> So how to or what is the step to pass through those security devices ?
> What is the great tools to pass through the FW and IPS?

Let me clear up the context for this response before all of the
traditional "Give me $50 and I'll punch you in the face" style
penetration testers respond. In most engagements, we perform our
testing with as much customer interaction as possible.

The conversation we have with our customers when it comes to the IPS and
port scanning issues is this: While IPSs can detect port scans and
disallow access to the IP seeming to perform the scan, they can not
determine the difference between a real IP and a spoofed IP. When you
disallow access based on a perception of bad behavior, you are
essentially adding rules that the attacker has control over.

In our next version of unicornscan, for example, it will be possible to
target a particular network range to come from. If you know your
customer works primarily with a particular remote network, a simple
'unicornscan -sr:remote_range/24 customer_range/24:a -mT -r500 -R20'
could effectively make an IPS disallow entry for every IP in the
remote_range/24 network. A wise man once said "When you let bad people
write your rules for you, bad things can happen".

In the direct act of malice situation, attackers have an unlimited
amount of time. They also have an unlimited amount of resources (IP
addresses/machines/bandwidth) because there are countless machines they
can compromise first, and then attack you from. No IPS will stop the
determined attacker from collecting available services information over
time.

New tools also allow for custom packet payloads, including exploit
payloads. In these automated attacks, the attacker will attempt to
compromise any machine that is available. They will not port scan you
first. They will not check for the banner. In this situation, most
IPSs will also not help you.

That said, we will go through the IDS testing section of the OSSTMM.
This allows us to map and measure the capabilities of the IDS. We will
attempt to measure what triggers a block, and for how long the block
lasts. As soon as we are done mapping and measuring the IDS, we ask to
be whitelisted for the duration of the test. As I stated before,
attackers have an unlimited amount of time and resources. Security
testers do not =). Also if the IPS triggers blocks on payloads from
spoofed hosts, it gets written up as a potential DoS in the report.

For firewall testing, it is advisable to use a tool on both sides of the
firewall. One for sending a wide variety of packets, one for catching
the packets. Based on knowing what you sent, and what got through, you
will have a very accurate picture of where the FW device is falling
short.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
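The spoofed-source scenario Robert describes above, modelled as an added example (this is not unicornscan's code, and not part of his post). The IPS logic is a hypothetical "block a source after N distinct ports" rule; the block threshold and all addresses (RFC 5737 documentation ranges) are assumptions chosen for the demonstration:

```python
"""Model of a source-blocking IPS fed with spoofed-source probes.

Added example (not unicornscan or any vendor's code). The IPS logic,
threshold and addresses are hypothetical; addresses use RFC 5737
documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Probe:
    src: str    # source address as written on the wire; may be spoofed
    dst: str
    dport: int


@dataclass
class NaiveIPS:
    """Blocks a source once it has touched `threshold` distinct ports.

    It has no way to know whether `src` is real, so a spoofed scan
    writes its block list for it.
    """
    threshold: int = 5
    ports_seen: dict = field(default_factory=lambda: defaultdict(set))
    blocked: set = field(default_factory=set)

    def observe(self, p: Probe) -> bool:
        """Return True if the probe is passed, False if dropped."""
        if p.src in self.blocked:
            return False
        self.ports_seen[p.src].add(p.dport)
        if len(self.ports_seen[p.src]) >= self.threshold:
            self.blocked.add(p.src)
        return True


def spoofed_scan(spoof_range: str, target: str, ports) -> list:
    """Probes whose source field cycles through spoof_range.

    This mirrors the scenario in the post: the attacker does not need
    replies, so the source can be any address the IPS should come to hate.
    """
    sources = [str(h) for h in ipaddress.ip_network(spoof_range).hosts()]
    return [Probe(src, target, port) for port in ports for src in sources]


def run_attack(ips: NaiveIPS, spoof_range: str, target: str, ports) -> set:
    """Feed the spoofed scan to the IPS and return its resulting block list."""
    for p in spoofed_scan(spoof_range, target, ports):
        ips.observe(p)
    return set(ips.blocked)


def client_allowed(ips: NaiveIPS, client_ip: str, target: str) -> bool:
    """Can a host still reach the target's HTTPS port after the scan?"""
    return ips.observe(Probe(client_ip, target, 443))


if __name__ == "__main__":
    ips = NaiveIPS(threshold=5)
    # 198.51.100.0/29 stands in for the customer's partner network;
    # 203.0.113.7 is the attacker's real address, which is never blocked.
    blocked = run_attack(ips, "198.51.100.0/29", "192.0.2.10", range(1, 11))
    print("blocked by IPS:", sorted(blocked, key=ipaddress.ip_address))
    print("partner 198.51.100.3 allowed:", client_allowed(ips, "198.51.100.3", "192.0.2.10"))
    print("attacker 203.0.113.7 allowed:", client_allowed(ips, "203.0.113.7", "192.0.2.10"))
```

After the scan every host in the spoofed /29 is on the block list and the real attacker is not, which is exactly the "potential DoS" that would get written up in the report: the block decision is keyed on a field the attacker chooses.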

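The two-sided firewall test from the end of the post, as an added example that is not part of the original message or of any tool it names: a sender puts a probe matrix on the outside, a listener captures on the inside, and the diff of the two is turned into findings. The packet records are constructed; the probe types, port choices and finding rules are assumptions for the demonstration, and in a real run SENT would come from the sender's log and RECEIVED from a capture on the inside host.

```python
"""Diff what was sent on the outside of a firewall against what a listener
on the inside captured, and turn the result into findings.

Added example, not part of the post or of any tool it mentions. The
packet records below are constructed; a real run would fill SENT from
the sender's log and RECEIVED from a capture on the inside host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    dport: int          # 0 for icmp
    flags: str = ""     # TCP flags: "S" SYN, "A" bare ACK, "FPU" xmas; "" otherwise
    frag: bool = False  # True for a non-first fragment of the same probe


# Constructed probe matrix as emitted by the outside sender.
SENT = [
    Pkt("tcp", 22, "S"),   Pkt("tcp", 22, "A"),   Pkt("tcp", 22, "FPU"),
    Pkt("tcp", 80, "S"),   Pkt("tcp", 80, "A"),   Pkt("tcp", 80, "FPU"),
    Pkt("tcp", 3389, "S"), Pkt("tcp", 3389, "A"), Pkt("tcp", 3389, "S", frag=True),
    Pkt("udp", 53),        Pkt("udp", 161),
    Pkt("icmp", 0),
]

# Constructed capture from the listener behind the firewall.
RECEIVED = [
    Pkt("tcp", 80, "S"), Pkt("tcp", 80, "A"), Pkt("tcp", 80, "FPU"),
    Pkt("tcp", 3389, "A"), Pkt("tcp", 3389, "S", frag=True),
    Pkt("udp", 53),
]


def passed(sent, received) -> dict:
    """Map every sent probe to True (seen inside) or False (filtered)."""
    seen = set(received)
    return {p: p in seen for p in sent}


def findings(sent, received) -> list:
    """Derive firewall findings from the pass/filter matrix."""
    ok = passed(sent, received)
    out = []
    for p in sent:
        if not ok[p]:
            continue
        # A bare ACK getting through where the SYN did not means the rule
        # is a stateless ACL matching on the ACK bit, not a stateful rule.
        syn = Pkt("tcp", p.dport, "S")
        if p.proto == "tcp" and p.flags == "A" and syn in ok and not ok[syn]:
            out.append(f"tcp/{p.dport}: bare ACK passes but SYN is filtered; "
                       "stateless ACL, not a stateful rule")
        # A non-first fragment getting through where the whole packet did
        # not means the ACL only inspects fragments that carry a header.
        whole = Pkt(p.proto, p.dport, p.flags)
        if p.frag and whole in ok and not ok[whole]:
            out.append(f"{p.proto}/{p.dport}: non-first fragment passes but the "
                       "unfragmented packet is filtered; fragments bypass the ACL")
    return out


def allowed_services(sent, received) -> list:
    """Ports where a fresh connection (TCP SYN or UDP datagram) reaches the inside."""
    ok = passed(sent, received)
    return sorted(f"{p.proto}/{p.dport}" for p in sent
                  if ok[p] and not p.frag and (p.proto == "udp" or p.flags == "S"))


if __name__ == "__main__":
    for p, seen in passed(SENT, RECEIVED).items():
        print(f"{p.proto}/{p.dport} {p.flags or '-':4} frag={p.frag!s:5} -> "
              f"{'pass' if seen else 'FILTERED'}")
    print("reachable:", allowed_services(SENT, RECEIVED))
    for f in findings(SENT, RECEIVED):
        print("finding:", f)
```

The value of having a listener on the inside is that "filtered" is decided by what actually arrived, not by whether the outside tool got a reply, so a firewall that silently drops, a stateless ACL that leaks bare ACKs, and a fragment-handling gap all show up as plain differences between the two lists.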

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:11 EDT