Re: Evading IDS?

From: Antonio Varni (avarni@cj.com)
Date: Thu Mar 18 2004 - 21:05:09 EST


I've always disliked the idea of an IDS that actively responds to
perceived attacks. Unless it only acts on alerts that stem from
established TCP connections it might be easy to knock it offline
by spoofing a UDP attack from its default gateway (or something
similar). What one person views as a security measure could also
be viewed as more functionality that can potentially be influenced
by an attacker.

I would try all the anti-IDS features of nessus/nikto, just because
it's a commercial system doesn't automatically make it a good IDS.

Maybe you could bombard the IDS with suspect traffic using isic
in hopes of temporarily disabling it while you conduct your
scan?

If you
On Thu, 18 Mar 2004, Mark G. Spencer wrote:

> I've come across what I assume is an IDS during some network reconnaissance.
> I am able to run nmap (connect scan, default ports) against the entire
> target class C in question without any problems, but when I run Nikto
> against any of the webservers, Nikto output dies just after the trace/track
> method information and I am then unable to access anything on the target
> class C for a set period of time - at least fifteen minutes.
>
> If I move to a different netblock, I can access the target class C again ..
> well, until I run Nikto. ;)
>
> It looks like all the routing and VPN gear on the target class C is Cisco
> based, so I'll make an assumption for now that the IDS is also Cisco.
>
> Any advice on how to evade the IDS? I know Nessus and Nikto offer a variety
> of IDS evasion techniques, but am I correct in assuming that a vendor such
> as Cisco (or any large vendor) has taken well-known evasion techniques into
> account? I will try different combinations of evasion techniques today and
> hopefully won't run out of open class C IP addresses on my network as I
> continue getting 15min+ blacklisted.
>
> Thanks for the advice,
>
> Mark
>
>
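
The failure mode Antonio describes above, as an added example (this is illustrative Python written for this page, not code from the original post or from any IDS vendor): a toy active-response "shun" policy that blocks the source address of every alert, beside a hardened policy that only acts on alerts from established TCP connections and never shuns a protected address such as the default gateway. The alerts, addresses and signature names are constructed; the 900-second shun timeout is an assumption matching the 15 minutes reported in the quoted message.

```python
"""Model of an IDS active-response ("shun") decision and its abuse.

An IDS that blocks the source of any alert can be made to block its own
default gateway (or DNS server) by a single spoofed UDP packet, cutting the
protected network off. The hardened policy below only shuns sources of
established TCP connections, whose addresses cannot be blindly spoofed,
and refuses to shun addresses on a protected list. Everything here is
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Alert:
    src: str           # source address as seen on the wire
    proto: str         # "tcp" or "udp"
    established: bool  # True only if the sensor saw the full TCP handshake
    sig: str           # signature name (constructed)


# Constructed sample alerts. Assumed topology: 192.0.2.1 is the default
# gateway and 192.0.2.53 the internal DNS server; an attacker forges the
# first two alerts by spoofing UDP from those addresses.
SAMPLE_ALERTS = [
    Alert("192.0.2.1", "udp", False, "SNMP community brute force"),
    Alert("192.0.2.53", "udp", False, "DNS zone transfer request"),
    Alert("198.51.100.7", "tcp", True, "WEB-MISC scanner fingerprint"),
    Alert("203.0.113.9", "tcp", False, "SYN scan"),  # half-open, spoofable
]

# Addresses the sensor must never block (assumed gateway and DNS server).
PROTECTED = frozenset({ip_address("192.0.2.1"), ip_address("192.0.2.53")})


def naive_shun(alert: Alert, protected: frozenset) -> bool:
    """Block the source of every alert, regardless of protocol or state."""
    return True


def hardened_shun(alert: Alert, protected: frozenset) -> bool:
    """Only block sources that cannot be blindly spoofed and are not protected."""
    if ip_address(alert.src) in protected:
        return False  # never shun infrastructure the network depends on
    if alert.proto != "tcp" or not alert.established:
        return False  # UDP and half-open TCP carry no proof of the source
    return True


def apply_policy(alerts, policy, protected) -> list:
    """Return the sorted list of addresses the policy would shun."""
    return sorted({a.src for a in alerts if policy(a, protected)})


class ShunTable:
    """Time-limited block list, like the timed blacklisting seen in the thread."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._until = {}

    def shun(self, ip: str, now: float) -> None:
        self._until[ip] = now + self.ttl

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._until.get(ip)
        return until is not None and now < until


def gateway_cut_off(shunned: list, gateway: str = "192.0.2.1") -> bool:
    """True if the response would block the gateway and drop the network."""
    return gateway in shunned


if __name__ == "__main__":
    for name, policy in (("naive", naive_shun), ("hardened", hardened_shun)):
        shunned = apply_policy(SAMPLE_ALERTS, policy, PROTECTED)
        print(f"{name:9s} shuns {shunned}; gateway cut off: "
              f"{gateway_cut_off(shunned)}")
```

The naive policy blocks both spoofed infrastructure addresses along with the real scanner, which is exactly the self-inflicted outage Antonio warns about; the hardened policy shuns only the host that completed a TCP handshake. Note that even the hardened rule still lets a scanner from a shared address (a NAT gateway, a proxy) cause collateral blocking, so a protected list and a short timeout remain necessary.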




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT