From: Jerry Shenk (jshenk@decommunications.com)
Date: Fri Mar 19 2004 - 09:19:55 EST
If the web site supports https, you could use https to shoot past the
IDS and probably avoid detection/blockage. I use a Linux box with
sslproxy for this but there are other options that work well also.
BTW, in your write-up, it would be fair to mention that fact that the
IDS (or whatever) is blocking the traffic so that certainly makes an
exploit more difficult.
-----Original Message-----
From: Mark G. Spencer [mailto:mspencer@evidentdata.com]
Sent: Thursday, March 18, 2004 1:56 PM
To: pen-test@securityfocus.com
Subject: Evading IDS?
I've come across what I assume is an IDS during some network
reconnaissance.
I am able to run nmap (connect scan, default ports) against the entire
target class C in question without any problems, but when I run Nikto
against any of the webservers, Nikto output dies just after the
trace/track
method information and I am then unable to access anything on the target
class C for a set period of time - at least fifteen minutes.
If I move to a different netblock, I can access the target class C again
..
well, until I run Nikto. ;)
It looks like all the routing and VPN gear on the target class C is
Cisco
based, so I'll make an assumption for now that the IDS is also Cisco.
Any advice on how to evade the IDS? I know Nessus and Nikto offer a
variety
of IDS evasion techniques, but am I correct in assuming that a vendor
such
as Cisco (or any large vendor) has taken well-known evasion techniques
into
account? I will try different combinations of evasion techniques today
and
hopefully won't run out of open class C IP addresses on my network as I
continue getting 15min+ blacklisted.
Thanks for the advice,
Mark
------------------------------------------------------------------------
--- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT