Penetration Testing mailing list archives
RE: IDS and Unicode
From: Curt Wilson <netw3 () netw3 com>
Date: Wed, 06 Jun 2001 00:49:30 -0500
RFP's whisker (wiretrip.net) uses various methods to defeat pattern-matching IDS. I believe one of these methods is the use of Unicode. So, based on this information, I would gather that it IS a worthwhile technique since it's in active use "in the wild". How does RealSecure stack up with regards to protecting IIS? Does anyone have any experience with this? We are thinking of a RealSecure implementation at one of my places of employ.

Thanks,
Curt Wilson
Netw3 Consulting
But my point was more about using Unicode to hide the ".exe" string (and
others like "rdisk", "TFTP"). The goal being, is this a worthwhile technique for testing IDSs, or is it too trivial?
Here are portions from my IIS 4 log. The first has spaces in place of the Unicode I used, the second and third show strings that are decoded from the Unicode. In all cases, a legit string is obscured on the wire (inbound), and in the IIS logs.

GET, /winnt/system32/cmd.exe, /c+dir+C:/,
GET, /scripts/..=C0%9v../winnt/system32/cmd.exe, /c+dir,
GET, /scripts/..=C1%8s../winnt/system32/cmd.exe, /c+dir,

Again, thanks much for all the feedback!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * Netw3 Consulting * www.netw3.com |
| Internet Security, Networking, PC tech, WWW hosting |
| Netw3 Security Reading Room : www.netw3.com/documents.html |
| Serving Southern Illinois locally and the world virtually |
| netw3 () netw3 com 618-303-NET3 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
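To see the evasion discussed in this thread from the detection side, the following added example (not code from the thread or from any IDS product) compares a signature match on the raw wire bytes with a match after the path has been canonicalized the way a lenient web server decodes it. The signature list, the `canonicalize` and `matched_signatures` helpers and the sample request paths are constructed for illustration; the samples are not the poster's actual log entries.

```python
from urllib.parse import unquote_to_bytes

# Strings a pattern-matching IDS might look for in IIS requests (constructed list).
SIGNATURES = [b"cmd.exe", b".exe", b"/winnt/system32/", b"../"]


def decode_overlong_utf8(data: bytes) -> bytes:
    """Fold 2-byte UTF-8 sequences with lead byte 0xC0/0xC1 (overlong forms of
    code points below 0x80) back to the single ASCII byte they encode. A strict
    decoder rejects these; a lenient one accepts them, which is what lets the
    encoded form slip past a byte-for-byte signature while the server still
    sees the plain string."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonicalize(url: bytes) -> bytes:
    """Normalize a request path before comparing it against signatures:
    percent-decode until stable (catches double encoding such as %252e),
    collapse overlong UTF-8, then lower-case ASCII."""
    prev, cur = None, url
    while cur != prev:
        prev, cur = cur, unquote_to_bytes(cur)
    return decode_overlong_utf8(cur).lower()


def matched_signatures(url: bytes, normalize: bool) -> list:
    """Signatures found in the URL, either on the raw bytes (naive IDS)
    or after canonicalization (encoding-aware IDS)."""
    haystack = canonicalize(url) if normalize else url.lower()
    return [sig for sig in SIGNATURES if sig in haystack]


# Constructed samples: %C0%AF is an overlong '/', %C1%A5 an overlong 'e'.
SAMPLES = [
    b"/scripts/../../winnt/system32/cmd.exe",                  # plain text
    b"/scripts/..%C0%AF..%C0%AFwinnt/system32/cmd.%C1%A5xe",   # overlong UTF-8
    b"/scripts/%252e%252e/winnt/system32/cmd.exe",             # double-encoded dots
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, matched_signatures(url, False), matched_signatures(url, True))
```

The second sample matches no signature on the wire yet canonicalizes to exactly the first, which is the gap a decoder-aware IDS (or decoding preprocessor) closes.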
Current thread:
- RE: IDS and Unicode Parth Galen (Jun 05)
- RE: IDS and Unicode Curt Wilson (Jun 06)