Dailydave mailing list archives
RE: Dreaming of Summer
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Tue, 9 Dec 2003 13:01:38 -0800
While they frequently watch network traffic from a tap, almost all NIDS also use a separate connection to allow them to be monitored/managed remotely. Your payload would probably not be able to be very small, but given a little creativity in exploring the IDS you compromised, you could probably find at least a partial way out of the network.

On a side note, the problem with modifying the packet capture engine is knowing which one they are using. If you just mean inserting a shim in the stack, then you run into problems of ensuring you are capturing packets below the IDS so that you can remove the ones you don't want it to see.

toby

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Halvar Flake
Sent: Sunday, December 07, 2003 12:42 PM
To: David Maynor
Cc: PBrass () iss net; dailydave () lists immunitysec com
Subject: RE: [Dailydave] Dreaming of Summer
Add a shim to the packet capture engine. Before the captured packet gets sent up the stack for traditional protocol decodes, you can check for conditions like the seq number matching a predefined set, and if it does you can read something like the window size and translate that into a part of a command. If a packet like this is captured it won't get flagged by the IDS because it never makes it to the IDS analysis phase. Command response is done by the same shim via packet injection. This would require some device driver foo. This would not work well if the IDS supplies its own network card driver.
The installations I've seen so far lack any ability to talk back to the network for use of a cable without the appropriate wires -- but then again I am no expert on this.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave