Re: IPS Testing

From: pentestr (pentestr@gmail.com)
Date: Fri Jan 04 2008 - 04:09:24 EST


Hi,

First of all, thank you very much.

I want to confirm this issue of the IPS. If the IPS is blocking traffic,
then by spoofing other IPs I can block service to them, and it will become
a CRITICAL issue because an attacker can spoof IP ranges and it could
lead to DoS.

Regds.
PenTestr.

Joseph McCray wrote:
> I hope this email is coherent....
>
> It's 4am for me...and I'm tired....
>
> Pentestr...although you can use a host of tools to change your IP
> from SMAC (windows), to macchanger (Linux), to the unthinkable
> ifconfig/ipconfig commands....
>
> I would say that you just want to report to the customer that whatever
> filtering solution they have in place is, if not working, at
> least doing something.
>
> You didn't give a whole lot of information, but I would say that based
> on what you said in your email that the scope of the assessment needs to
> be more clearly defined...
>
> 1. Is this just something you just want to note for your report?
>
> 2. Is this something that you want to test for effectiveness (i.e. play
> with the IDS evasion side of the house)?
>
> 3. Most importantly - what is the customer looking for? Does the
> customer know that you are testing the I{D|P}S, and/or does he want you
> to test the effectiveness of it?
>
>
> As much as I love hacking - I'm slowly coming to the unbearable
> conclusion that pentesting is a service that we provide FOR the
> customer, and at the end of the day we have to give them what they want
> or at least what they think they want.
>
> NOTE:
> If you are only trying to show that an Active IPS solution is in place
> then just show the customer that in screenshot 1 your packets were
> reaching the target, and in screenshot 2 your packets weren't reaching
> the target, but were reachable from another IP address.
>
> If you are looking to actually scan against targets with an IPS in front
> of them then I hope you have a lot of time on your hands, because it's
> not something that you are going to be able to do quickly.
>
> Make sure that it is in scope first (e.g. some pentest scopes require
> the tester to shoot from specific IP addresses). Then get a huge list of
> proxies, don't forget the tor network, don't use Nessus, and just sit
> down at the command prompt with a beer - because it's gonna be a long
> night.
>
> You are going to have to go slow and low - through proxies and tor to
> get your network enumeration data. Make sure this is in scope, and is
> what the customer REALLY wants you to do before you waste tons of time
> doing this kind of stuff only to find out that the target can easily be
> exploited via client-side attacks sent via email.
>
>
> Hope this helps...
>
> j0e
>
>
>
>
>
> On Thu, 2008-01-03 at 14:26 +0530, pentestr wrote:
>
>> Hi,
>>
>> I am doing a PT for a customer and found that after running nessus
>> against the target our IP is getting blocked permanently. I want to show
>> this issue to the customer.
>> 1. Is there any specific tool that can generate nessus traffic by
>> spoofing IPs?
>> 2. Is there any tool that can change IP on the fly? While running nessus
>> that should change source IP?
>>
>> The server has only port 80 open.
>>
>> Thank you.
>> Regards.
>> PenTestr.
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Cenzic
>>
>> Need to secure your web apps NOW?
>> Cenzic finds more, "real" vulnerabilities fast.
>> Click to try it, buy it or download a solution FREE today!
>>
>> http://www.cenzic.com/downloads
>> ------------------------------------------------------------------------
>>

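The concern raised in this thread (an IPS that permanently blocks a source address on the strength of traffic whose source can be spoofed, so an attacker can get third parties locked out) can be shown with a small policy simulation. The following is an added example written for this archive page; it is not code from the list posters or from any IPS product. It replays constructed trigger events against two block policies: the naive one pentestr observed (block any source permanently) and a hardened one that only acts on triggers arriving inside a completed TCP handshake (which an off-path spoofer cannot complete), expires blocks, and exempts an allowlist. The addresses, timings and the `established` flag are constructed sample data, and the policy fields are assumptions for the example, not settings of a real product.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Trigger:
    """One IPS detection event (constructed sample data, not from any real sensor)."""
    t: int              # seconds since the start of the capture
    src: str            # source address as seen on the wire
    established: bool   # True if the payload arrived inside a completed TCP handshake


@dataclass
class BlockPolicy:
    """Hypothetical auto-block settings used to compare the two behaviours."""
    require_established: bool       # ignore triggers whose source could be spoofed
    block_seconds: Optional[int]    # None = permanent (what pentestr ran into)
    allow: List[str] = field(default_factory=list)  # ranges that are never blocked


def compute_blocks(policy: BlockPolicy, triggers: List[Trigger]) -> Dict[str, Optional[int]]:
    """Replay triggers in time order; return {src: expiry}, expiry None = permanent."""
    allow_nets = [ip_network(a) for a in policy.allow]
    blocks: Dict[str, Optional[int]] = {}
    for tr in sorted(triggers, key=lambda x: x.t):
        # A bare SYN or a UDP datagram proves nothing about who sent it; a completed
        # TCP handshake at least shows the sender can receive packets at that address.
        if policy.require_established and not tr.established:
            continue
        if any(ip_address(tr.src) in n for n in allow_nets):
            continue
        expiry = None if policy.block_seconds is None else tr.t + policy.block_seconds
        current = blocks.get(tr.src, -1)        # -1 sentinel: no block yet
        if current is None:
            continue                            # already permanent; nothing to extend
        if expiry is not None and current != -1 and current >= expiry:
            continue                            # existing block already lasts longer
        blocks[tr.src] = expiry
    return blocks


def is_blocked(blocks: Dict[str, Optional[int]], ip: str, at_time: int) -> bool:
    """True if ip is blocked at the given time under a compute_blocks() result."""
    if ip not in blocks:
        return False
    expiry = blocks[ip]
    return expiry is None or at_time < expiry


# Constructed events: a real scanner (full TCP connections), then two triggers whose
# source addresses are spoofed, i.e. SYN-only packets that never complete a handshake.
SAMPLE_TRIGGERS = [
    Trigger(t=0,  src="198.51.100.7",  established=True),   # the tester's scanner
    Trigger(t=10, src="203.0.113.50",  established=False),  # spoofed: a customer's partner
    Trigger(t=12, src="192.0.2.9",     established=False),  # spoofed: customer monitoring host
]

NAIVE = BlockPolicy(require_established=False, block_seconds=None)
HARDENED = BlockPolicy(require_established=True, block_seconds=3600, allow=["192.0.2.0/24"])


def compare_policies() -> Dict[str, Dict[str, Optional[int]]]:
    """Run both policies over the sample triggers."""
    return {
        "naive": compute_blocks(NAIVE, SAMPLE_TRIGGERS),
        "hardened": compute_blocks(HARDENED, SAMPLE_TRIGGERS),
    }


if __name__ == "__main__":
    for name, blocks in compare_policies().items():
        print(name, blocks)
```

Under the naive policy all three addresses end up permanently blocked, including the two whose packets were forged, which is exactly the denial-of-service vector pentestr describes. Under the hardened policy only the scanner, which really did complete TCP connections, is blocked, and that block lapses after an hour; the finding that the IPS reacts to a scan is still demonstrable, but a spoofer can no longer lock out arbitrary ranges.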



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:18 EDT