Re: IPS Testing

From: Jörg Weber (j.weber@infoserve.de)
Date: Tue Jan 08 2008 - 11:59:37 EST


Well,

> I have achieved this by configuring a Linux iptables Gateway for me.

you essentially found out how NAT works. Like, how Source NAT works. Or masquerading. It has nothing to do with IP source address spoofing, and just as Alexander Klimov explained, spoofing source IPs with TCP sessions is hard these days.

Try to read up on the topic first. Like, how it's been done back then: http://www.gulker.com/ra/hack/tsattack.html

Good luck!

Joerg

> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
> Behalf Of pentestr
> Sent: Saturday, 5 January 2008 09:35
> To: Pentest Mailinglist
> Subject: Re: IPS Testing
>
> Hi,
>
> I have achieved this by configuring a Linux iptables Gateway for me.
> With the following configuration, I can run nessus on one of my systems and
> that will go through this gateway and the packet will show it is coming
> from the Spoofed IP.
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <spoofed IP>
>
> Discussion/suggestions/advice/etc. are welcome.
> Regards.
> PenTestr.
>
>
> Hi,
>
> I am doing a PT for a customer and found that after running nessus
> against the target our IP is getting blocked permanently. I want to show
> this issue to the customer.
> 1. Is there any specific tool that can generate nessus traffic by
> spoofing IPs?
> 2. Is there any tool that can change IP on the fly? While running nessus
> that should change source IP?
>
> The server has only port 80 open.
>
> Thank you.
> Regards.
> PenTestr.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
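
Added example, not part of the original thread: a small Python model of the source-NAT behaviour discussed above, showing that the gateway rewrites the source address and keeps state so replies can be translated back, which only works when replies to that address are routed to the gateway. The class and function names, the port number and the addresses (documentation ranges) are constructed for illustration; this is not netfilter code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

class SnatGateway:
    """Toy model of a POSTROUTING SNAT rule plus connection tracking."""
    def __init__(self, nat_ip):
        self.nat_ip = nat_ip
        self.conntrack = {}  # translated tuple -> original (src, sport)

    def outbound(self, pkt):
        # Rewrite the source and remember how to undo it for replies.
        key = (self.nat_ip, pkt.sport, pkt.dst, pkt.dport)
        self.conntrack[key] = (pkt.src, pkt.sport)
        return Packet(self.nat_ip, pkt.sport, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt):
        # Replies are matched against tracked state; unknown traffic is dropped.
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        return Packet(pkt.src, pkt.sport, orig[0], orig[1], pkt.flags)

def server_reply(syn):
    """The server answers whatever source address it saw on the wire."""
    return Packet(syn.dst, syn.dport, syn.src, syn.sport, "SA")

def handshake(gateway, client_ip, server_ip, routed_to_gateway):
    """Return (source the server logs, whether the client got the SYN-ACK)."""
    on_wire = gateway.outbound(Packet(client_ip, 40000, server_ip, 80, "S"))
    synack = server_reply(on_wire)
    if synack.dst not in routed_to_gateway:
        return on_wire.src, False  # reply goes elsewhere; session never opens
    delivered = gateway.inbound(synack)
    return on_wire.src, delivered is not None and delivered.dst == client_ip

if __name__ == "__main__":
    routed = {"192.0.2.10"}  # addresses whose traffic reaches the gateway
    print(handshake(SnatGateway("192.0.2.10"), "10.0.0.5", "198.51.100.20", routed))
    print(handshake(SnatGateway("203.0.113.77"), "10.0.0.5", "198.51.100.20", routed))
```

In both runs the server logs the translated address, but the TCP session only opens in the first, where the translated address is one whose return traffic reaches the gateway.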
