RE: Evading IDS?

From: Billy Dodson (billy@pmm-i.com)
Date: Thu Mar 18 2004 - 18:46:34 EST


Since the Cisco IDS is signature based you can assume this is why you
are getting shunned. The Cisco IDS is/can be configured to send a shun
to a Cisco PIX firewall for the attacker's IP address for a set amount of
time if enough triggers are set by the IDS. Running a scan like Nikto
or Nessus with an IDS configured to shun to a PIX will continue to get
your address "blacklisted". I am not familiar with the Nikto app, and
whether or not you can fragment the packets. If the IDS is only doing
pattern-matching, fragmenting the data would generally avoid the IDS
triggers. If the IDS is configured for stateful pattern matching, and
you are sending a long string of data, fragmenting would not be as
effective. When you are doing your Nmap scan, are you having to
fragment the packets to get them through? I am sure the IDS has a
signature for anything Nikto is going to throw at it. If, in your
experiments, you find a way to avoid the IDS please post what you have
found.

Billy Dodson
Network Systems Engineer
Permian Micro Mart
3815 E. 52nd Street
Odessa, TX 79762
432.367.3239 - Direct Line
432.367.6179 x139
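The distinction Billy draws above (per-packet pattern matching versus stateful matching) is easiest to see from the detection side. The following is an added illustration, not code from either poster or from any Cisco product: a toy signature matcher run once over each TCP segment in isolation and once over the reassembled stream. The signatures, the sample HTTP request and the `Segment` helper are all constructed for the example; the segment sizes are chosen so that the signature string straddles segment boundaries.

```python
"""Added example (not from the thread): per-packet vs. reassembled
signature matching. Shows why a sensor that only inspects individual
segments misses a pattern split across them, while a sensor that
reassembles the stream first still sees it. All data is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment's payload and its byte offset within the stream."""
    offset: int
    payload: bytes


# Constructed signatures: the request lines Nikto's method checks would
# look like on the wire. A real sensor has far richer rules than this.
SIGNATURES = {
    "http-trace-method": b"TRACE / HTTP/1.",
    "http-track-method": b"TRACK / HTTP/1.",
}


def match_per_packet(segments, signatures=SIGNATURES):
    """Stateless matcher: every segment is inspected on its own, so a
    pattern that spans two segments is never seen as a whole."""
    hits = set()
    for seg in segments:
        for name, pattern in signatures.items():
            if pattern in seg.payload:
                hits.add(name)
    return hits


def reassemble(segments):
    """Order segments by offset and rebuild the byte stream.
    Returns None while the stream has a gap (a segment not yet received);
    overlapping bytes keep the copy already in the buffer."""
    buf = bytearray()
    for seg in sorted(segments, key=lambda s: s.offset):
        if seg.offset > len(buf):
            return None  # hole in the stream: cannot judge it yet
        # append only the bytes that extend past what we already hold
        buf.extend(seg.payload[len(buf) - seg.offset:])
    return bytes(buf)


def match_reassembled(segments, signatures=SIGNATURES):
    """Stateful matcher: reassemble first, then search the whole stream."""
    stream = reassemble(segments)
    if stream is None:
        return set()
    return {name for name, pattern in signatures.items() if pattern in stream}


def split(payload, sizes):
    """Constructed helper: cut payload into segments of the given sizes,
    with whatever remains as a final segment."""
    segments, offset = [], 0
    for n in sizes:
        segments.append(Segment(offset, payload[offset:offset + n]))
        offset += n
    segments.append(Segment(offset, payload[offset:]))
    return segments


# Constructed sample request (a TRACE probe as a scanner might send it).
REQUEST = b"TRACE / HTTP/1.0\r\nHost: example.test\r\n\r\n"


def demo():
    """Compare both matchers on the request sent whole and sent in pieces."""
    whole = [Segment(0, REQUEST)]
    pieces = split(REQUEST, [5, 4, 3])  # b"TRACE", b" / H", b"TTP", rest
    return {
        "whole_per_packet": match_per_packet(whole),
        "pieces_per_packet": match_per_packet(pieces),
        "pieces_reassembled": match_reassembled(pieces),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:20s} -> {sorted(hits) or 'no alert'}")
```

Running it, the per-packet matcher alerts on the unsplit request but not on the split one, while the reassembling matcher alerts in both cases. The `None` return from `reassemble` is the part worth noting for detection engineering: a sensor that cannot buffer until the stream is complete has to decide what to do with partial data, which is exactly the window that fragmentation exploits.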

-----Original Message-----
From: Mark G. Spencer [mailto:mspencer@evidentdata.com]
Sent: Thursday, March 18, 2004 12:56 PM
To: pen-test@securityfocus.com
Subject: Evading IDS?

I've come across what I assume is an IDS during some network
reconnaissance.
I am able to run nmap (connect scan, default ports) against the entire
target class C in question without any problems, but when I run Nikto
against any of the webservers, Nikto output dies just after the
trace/track method information and I am then unable to access anything
on the target class C for a set period of time - at least fifteen
minutes.

If I move to a different netblock, I can access the target class C again
... well, until I run Nikto. ;)

It looks like all the routing and VPN gear on the target class C is
Cisco based, so I'll make an assumption for now that the IDS is also
Cisco.

Any advice on how to evade the IDS? I know Nessus and Nikto offer a
variety of IDS evasion techniques, but am I correct in assuming that a
vendor such as Cisco (or any large vendor) has taken well-known evasion
techniques into account? I will try different combinations of evasion
techniques today and hopefully won't run out of open class C IP
addresses on my network as I continue getting 15min+ blacklisted.

Thanks for the advice,

Mark

------------------------------------------------------------------------

---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off any course! All of our class sizes are guaranteed to be 10 students
or less to facilitate one-on-one interaction with one of our expert
instructors.
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art hacking lab.
Master the skills of an Ethical Hacker to better assess the security of
your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT