RE: Evading IDS?

From: Matt Foster (matt.foster@blade-software.com)
Date: Thu Mar 18 2004 - 16:27:02 EST


Hi Mark,

You may be interested in the Informer Evasion Gateway, details are available at
the below link

http://www.blade-software.com/EvasionGateway.htm

The product runs on Windows and allows you to apply a wide range of individual
or layered evasion techniques to any traffic passing through it, such as:

Fragmentation
User-defined packet fragmentation levels between 8 and 1512 bytes in 8-byte
increments, null fragment insertion before or after the original packet,
transmission of fragments out of sequence, and an override for specific TCP
packet types.

HTTP Evasion
URI Encoding
URI encoding (non UTF8) (hex encoding)
Random URI encoding (non UTF8) (random hex encoding)
URL Encoding Methods
Reverse Backslash
Directory Self Reference
Prepend Random String
Fake Parameter
Random Case URL
TAB Separator GET Request
Random case GET Request
Invalid HTTP Version
Invalid HTTP version (dot)
Random case HTTP
Session Splicing

I hope this info is of use to you.

Regards
Matt

_____________________________________
Matt Foster
Blade-Software Inc.
www.blade-software.com
Security Verification Management Solutions
______________________________________
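The HTTP evasion list in the message above is, from the inspection side, a list of things a detection engine has to undo before it compares a request against a signature. The following is an added example and is not code from the original thread, from Blade-Software or from the Informer product. It canonicalises an HTTP request line (percent-decoding, backslash-to-slash, removal of `.` and `..` segments, case folding, tolerant whitespace splitting) and records which anomalies it saw, then compares a naive byte-string content match against a match on the canonical path. The request lines, the signature path `/cgi-bin/test.cgi` and the exact shape of the "invalid version" line are constructed for the example; the case-folding step assumes the protected server treats paths case-insensitively.

```python
import re
from urllib.parse import unquote

# Hypothetical path a signature is looking for (assumed value for this example).
SIGNATURE_PATH = "/cgi-bin/test.cgi"

# Constructed request lines, not captured traffic: the same request dressed up
# with each of the HTTP evasion tricks the message lists.
SAMPLE_REQUEST_LINES = [
    "GET /cgi-bin/test.cgi HTTP/1.0",             # plain, for reference
    "GET /cgi-bin/%74%65%73%74.cgi HTTP/1.0",     # URI hex encoding
    "GET /cgi-bin/./test.cgi HTTP/1.0",           # directory self reference
    "GET /q9z1/../cgi-bin/test.cgi HTTP/1.0",     # prepended random string, backed out with ..
    "GET \\cgi-bin\\test.cgi HTTP/1.0",           # reverse backslash
    "GET /cgi-bin/test.cgi?dummy=1 HTTP/1.0",     # fake parameter
    "GET /CgI-bIn/TeSt.cGi HTTP/1.0",             # random case URL
    "GET\t/cgi-bin/test.cgi\tHTTP/1.0",           # TAB separator
    "gEt /cgi-bin/test.cgi HTTP/1.0",             # random case GET
    "GET /cgi-bin/test.cgi HTTP/1.0.",            # invalid HTTP version (constructed form)
    "GET /cgi-bin/test.cgi http/1.0",             # random case HTTP
]


def normalize_request_line(line):
    """Canonicalise one HTTP request line the way an inspection engine must
    before matching it against signatures. Returns the canonical method, path,
    query and version plus a sorted list of protocol anomalies seen."""
    anomalies = set()
    if "\t" in line:
        anomalies.add("tab-separator")
    parts = re.split(r"[ \t]+", line.strip())
    if len(parts) < 2:
        raise ValueError("not a request line: %r" % line)
    method = parts[0]
    if method != method.upper():
        anomalies.add("mixed-case-method")
    method = method.upper()
    target = parts[1]
    version = parts[2] if len(parts) > 2 else "HTTP/0.9"
    if version != version.upper():
        anomalies.add("mixed-case-version")
    version = version.upper()
    if not re.fullmatch(r"HTTP/\d+\.\d+", version):
        anomalies.add("invalid-version")

    path, _, query = target.partition("?")
    # Percent-decode repeatedly (bounded) so double encoding cannot hide a byte.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        anomalies.add("percent-encoded")
        path = decoded
    if "\\" in path:
        anomalies.add("backslash-separator")
        path = path.replace("\\", "/")
    # Resolve "." and ".." segments so prepended junk and self references vanish.
    segments = []
    for seg in path.split("/"):
        if seg == "":
            continue
        if seg == ".":
            anomalies.add("self-reference")
            continue
        if seg == "..":
            anomalies.add("parent-reference")
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    canonical = "/" + "/".join(segments)
    # Assumption: the protected server resolves paths case-insensitively, so fold
    # case here; for a case-sensitive server compare the path as-is instead.
    if canonical != canonical.lower():
        anomalies.add("mixed-case-path")
    canonical = canonical.lower()
    return {"method": method, "path": canonical, "query": query,
            "version": version, "anomalies": sorted(anomalies)}


def naive_hits(lines, needle=SIGNATURE_PATH):
    """Count lines a plain byte-string content match would flag."""
    return sum(1 for line in lines if needle in line)


def normalized_hits(lines, needle=SIGNATURE_PATH):
    """Count lines flagged once the request line has been canonicalised."""
    return sum(1 for line in lines if normalize_request_line(line)["path"] == needle)


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        r = normalize_request_line(line)
        print("%-45r -> %s %s" % (line, r["path"], r["anomalies"]))
    print("naive content match:", naive_hits(SAMPLE_REQUEST_LINES), "of", len(SAMPLE_REQUEST_LINES))
    print("canonical path match:", normalized_hits(SAMPLE_REQUEST_LINES), "of", len(SAMPLE_REQUEST_LINES))
```

Of the eleven constructed lines the substring match catches seven and the canonical comparison catches all eleven; the anomaly list is useful on its own, since a request line that arrives with a tab separator, a mixed-case method or a malformed version string is itself worth an alert regardless of what path it carries.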

-----Original Message-----
From: Mark G. Spencer [mailto:mspencer@evidentdata.com]
Sent: 18 March 2004 18:56
To: pen-test@securityfocus.com
Subject: Evading IDS?

I've come across what I assume is an IDS during some network reconnaissance.
I am able to run nmap (connect scan, default ports) against the entire
target class C in question without any problems, but when I run Nikto
against any of the webservers, Nikto output dies just after the trace/track
method information and I am then unable to access anything on the target
class C for a set period of time - at least fifteen minutes.

If I move to a different netblock, I can access the target class C again ..
well, until I run Nikto. ;)

It looks like all the routing and VPN gear on the target class C is Cisco
based, so I'll make an assumption for now that the IDS is also Cisco.

Any advice on how to evade the IDS? I know Nessus and Nikto offer a variety
of IDS evasion techniques, but am I correct in assuming that a vendor such
as Cisco (or any large vendor) has taken well-known evasion techniques into
account? I will try different combinations of evasion techniques today and
hopefully won't run out of open class C IP addresses on my network as I
continue getting 15min+ blacklisted.

Thanks for the advice,

Mark

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT