See, I knew a list member would come up with something. :) I completely
spaced on Tor as a possibility.
However, while a Tor proxy might work around the issue, it won't give you
any solid idea of what types of probes are being blocked. That in and of
itself is useful information that can be leveraged for the manual portion of
testing.
-----Original Message-----
From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] On
Behalf Of Yuli Stremovsky
Sent: Saturday, May 24, 2008 1:14 PM
To: Erin Carroll; Pen Testing
Cc: pen-test_at_securityfocus.com
Subject: Re: AppScan and IDS evasion
You can always configure AppScan to use a proxy. For example, if you use
Tor, literally each time a request is made, it will come from a new IP address.
Yuli
---
http://www.greensql.net/
On Sat, May 24, 2008 at 10:46 PM, Erin Carroll <amoeba_at_amoebazone.com> wrote:
> If an IDS is blocking/banning your source IP there are a couple things that
> are possibly happening that you can try to work around the issue. Either a
> probe (or group of probe types) in AppScan is triggering an IDS response
> based on request type or your concurrent connection and request rate is
> triggering anti-DoS responses.
>
> First, I would recommend limiting your concurrent threads to a bare minimum,
> see if that works. Bear in mind that this will increase the total time
> AppScan takes to complete a scan significantly.
>
> Second, if that doesn't work and you are still getting blocked you may want
> to modify which tests are being performed. Depending on IDS setup and type,
> you could encounter blocking for request types which don't match the target
> server ("content-aware" approaches) like sending apache probes against an
> IIS server. If that doesn't work, try removing server/service attacks/checks
> from your scan run and stick to just content-based attacks. Some IDS/IPS
> systems are aware of server/service attack behavior (like Apache 2.2.3's
> mod_rewrite off-by-one error vuln).
>
> But, like you said, manual checking is the way to go. AppScan and similar
> tools are just useful first steps to help pinpoint potential vectors.
>
> SecurityFocus has pretty good intro to IDS evasion techniques at
> http://www.securityfocus.com/infocus/1577
>
>
> Hope that helps. I'm sure other list members will have other suggestions :)
>
>
> --
> Erin Carroll
> Moderator, SecurityFocus pen-test mailing list
> amoeba_at_amoebazone.com
> "Do Not Taunt Happy-Fun Ball"
>
>
>
>
>
> -----Original Message-----
> From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] On
> Behalf Of Pen Testing
> Sent: Saturday, May 24, 2008 7:14 AM
> To: pen-test_at_securityfocus.com
> Subject: AppScan and IDS evasion
>
> Hello,
>
> I've launched AppScan against a web application and I'm being
> blocked/banned (since I have a dynamic IP I can reboot my router and
> get another IP, which is shortly banned again, as long as the attack
> persists). Since AppScan doesn't have any kind of IDS evasion (AFAIK),
> what could I do?
>
> Of course, I can perform a manual audit (which I was going to do
> anyway, automatic scanners are only the first phase) but do you have
> other ideas to bypass the locking mechanism? Perhaps I could put in
> place some kind of proxy applying IDS-evasion techniques, so I could
> configure AppScan to use that proxy, and this last one would be in
> charge of manipulating/rewriting the requests to bypass IDS. Does such a
> proxy exist?
>
> It would be nice if you could point to some good and practical
> anti-IDS paper, doc and tools.
>
> Thank you.
>
> PS: I don't know which kind of IDS is in use (perhaps it's not a
> full-IDS but some anomaly detection as the one included in Checkpoint
> FW-1 but I don't have that information).
>
> Cheers,
> -q
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes
> in Securing Web Applications
> Find out now! Get Webinar Recording and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------
>
>
>
>
--
http://www.kyplex.com/
Received on May 26 2008