RE: Evading IDS?

From: Billy Dodson (billy@pmm-i.com)
Date: Fri Mar 19 2004 - 13:50:49 EST


If this pix is running recent code that bug has been fixed.

Billy Dodson
Network Systems Engineer
Permian Micro Mart
3815 E. 52nd Street
Odessa, TX 79762
432.367.3239 - Direct Line
432.367.6179 x139

-----Original Message-----
From: Rogan Dawes [mailto:lists@NO_dawes.SPAM_za.net]
Sent: Friday, March 19, 2004 11:17 AM
Cc: Mark G. Spencer; pen-test@securityfocus.com
Subject: Re: Evading IDS?

One other thing to consider, if it is a Cisco (Netranger) IDS, is that
the shun list is generally only 100 items long. (This applied to a
version I tested a couple of years ago, YMMV)

If you generate a large amount of bogus traffic that would get blocked
(maybe by aliasing 100 interfaces to eth0, and nikto from each of them
one after another), then after about 100 IPs, the IDS will be unable to
add any more IPs to the shun list. Any new IPs that generate traffic
that would normally be shunned will not be shunned, because the list is
unable to accept any more entries.

You will be able to run your Nikto from a new IP address so long as you
do it within the shun period when your 100 IPs are already shunned.

Might be worth exploring.

Regards,

Rogan

Golomb, Gary wrote:

> As far as already available tools go, use fragroute with the
> PAWS/wrapped sequencing chaffing options. Don't bother with the
> fragmentation options - you'll probably just run into the same
> problem. This could be used together with overlapping and out-of-order
> segments with some lapses in timing. (The fragroute man page is well
> written and covers all this stuff.) The only caveat is that you'll need
> to know how the end host will handle reassembly of your packets. A good
> way to test is to set up fragroute, send completely benign/normal
> requests though it, and see if you get replies. In reality, you'll get
> limited mileage with application-layer encoding against most IDSs,
> *especially* when it comes to http. (Not that it's completely
> ineffective. There are just easier alternatives available IMO.)
>
> -gary
>
>
>>-----Original Message From: Mark G. Spencer
>>
>>I've come across what I assume is an IDS during some network
>>reconnaissance.
>>I am able to run nmap (connect scan, default ports) against the entire
>>target class C in question without any problems, but when I run Nikto
>>against any of the webservers, Nikto output dies just after the
>>trace/track method information and I am then unable to access anything
>>on the target class C for a set period of time - at least fifteen
>>minutes.
>>
>>If I move to a different netblock, I can access the target class C
>>again.. well, until I run Nikto. ;)
>>
>>It looks like all the routing and VPN gear on the target class C is
>>Cisco based, so I'll make an assumption for now that the IDS is also
>>Cisco.
>>
>>Any advice on how to evade the IDS? I know Nessus and Nikto offer a
>>variety of IDS evasion techniques, but am I correct in assuming that a
>>vendor such as Cisco (or any large vendor) has taken well-known evasion
>>techniques into account? I will try different combinations of evasion
>>techniques today and hopefully won't run out of open class C IP
>>addresses on my network as I continue getting 15min+ blacklisted.
>>
>>Thanks for the advice,
>>
>>Mark
>>
>
> ------------------------------------------------------------------------
> This space for rent. Only two spots left, so hurry! Have your ad placed
> in all my emails for one low monthly fee! Credit Card payments now
> accepted.
> ------------------------------------------------------------------------
>

--
Rogan Dawes
email: lists AT dawes DOT za DOT net
"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living in a
cardboard box to someone living on a park bench."
- Gene Spafford
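Rogan's shun-list observation, modelled from the defender's side as an added example (not code from this thread or from any vendor's IDS): a fixed-capacity block list that silently refuses new entries once full, beside an evict-oldest policy, plus a saturation check an operator could alarm on. The 100-entry limit and 15-minute shun period come from the thread; the class, its two overflow policies, the 80% alert threshold and the sample addresses are assumptions.

```python
"""Model of a fixed-capacity IDS shun list (added illustration, not vendor code).
The 100-entry limit and 15-minute period come from the thread; the rest is assumed."""
from collections import OrderedDict

CAPACITY = 100            # shun-list size reported for the tested NetRanger version
SHUN_SECONDS = 15 * 60    # shun period observed by the original poster
ALERT_AT = 0.8            # warn the operator once 80% of the list is in use


class ShunList:
    def __init__(self, capacity=CAPACITY, shun_seconds=SHUN_SECONDS,
                 evict_oldest=False):
        self.capacity = capacity
        self.shun_seconds = shun_seconds
        self.evict_oldest = evict_oldest   # False reproduces the behaviour described
        self._entries = OrderedDict()      # ip -> expiry time, insertion ordered

    def _expire(self, now):
        for ip, expiry in list(self._entries.items()):
            if expiry <= now:
                del self._entries[ip]

    def shun(self, ip, now):
        """Try to add ip; return True only if the IDS will actually block it."""
        self._expire(now)
        if ip in self._entries:
            self._entries[ip] = now + self.shun_seconds   # refresh the timer
            return True
        if len(self._entries) >= self.capacity:
            if not self.evict_oldest:
                return False   # list full: the new offender is silently not shunned
            self._entries.popitem(last=False)   # make room by dropping the oldest
        self._entries[ip] = now + self.shun_seconds
        return True

    def is_shunned(self, ip, now):
        self._expire(now)
        return ip in self._entries

    def alert(self):
        """Operator check: a nearly full list is the exhaustion sign to alarm on."""
        return len(self._entries) / self.capacity >= ALERT_AT


def simulate(evict_oldest):
    """Fill the list with 100 constructed offenders, then offer a 101st in-period."""
    sl = ShunList(evict_oldest=evict_oldest)
    for i in range(CAPACITY):
        sl.shun(f"10.0.0.{i + 1}", now=0.0)      # constructed sample addresses
    blocked = sl.shun("192.0.2.1", now=60.0)     # new offender a minute later
    return blocked, sl.alert()                   # (was it blocked?, alert raised?)
```

With the refuse policy the 101st offender is never blocked even though the alert fires; the evict-oldest policy blocks it at the cost of releasing the oldest entry early, which is why the alert matters in either mode.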
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT