Re: Evading IDS?

From: Al Smolkin (UnODir@hotpop.com)
Date: Thu Mar 18 2004 - 15:14:51 EST

• Next message: wirepair: "Re: Pen Test Data/Report Management; Tracking/Procedure document"
• Previous message: Mike Shaw: "Re: Bank Audit Best practices"
• In reply to: Mark G. Spencer: "Evading IDS?"
• Next in thread: Rob Shein: "RE: Evading IDS?"
• Reply: Rob Shein: "RE: Evading IDS?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Firewalk utnil you can pinpoint the hosts, and THEN run nmap

On Thu, 18 Mar 2004 10:55:52 -0800, Mark G. Spencer wrote:

>I've come across what I assume is an IDS during some network reconnaissance.
>I am able to run nmap (connect scan, default ports) against the entire
>target class C in question without any problems, but when I run Nikto
>against any of the webservers, Nikto output dies just after the trace/track
>method information and I am then unable to access anything on the target
>class C for a set period of time - at least fifteen minutes.
>
>If I move to a different netblock, I can access the target class C again ..
>well, until I run Nikto. ;)
>
>It looks like all the routing and VPN gear on the target class C is Cisco
>based, so I'll make an assumption for now that the IDS is also Cisco.
>
>Any advice on how to evade the IDS? I know Nessus and Nikto offer a variety
>of IDS evasion techniques, but am I correct in assuming that a vendor such
>as Cisco (or any large vendor) has taken well-known evasion techniques into
>account? I will try different combinations of evasion techniques today and
>hopefully won't run out of open class C IP addresses on my network as I
>continue getting 15min+ blacklisted.
>
>Thanks for the advice,
>
>Mark
>
>
>
>---------------------------------------------------------------------------
>Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
>any course! All of our class sizes are guaranteed to be 10 students or less
>to facilitate one-on-one interaction with one of our expert instructors.
>Attend a course taught by an expert instructor with years of in-the-field
>pen testing experience in our state of the art hacking lab. Master the skills
>of an Ethical Hacker to better assess the security of your organization.
>Visit us at:
>http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>----------------------------------------------------------------------------
>

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

• Next message: wirepair: "Re: Pen Test Data/Report Management; Tracking/Procedure document"
• Previous message: Mike Shaw: "Re: Bank Audit Best practices"
• In reply to: Mark G. Spencer: "Evading IDS?"
• Next in thread: Rob Shein: "RE: Evading IDS?"
• Reply: Rob Shein: "RE: Evading IDS?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT