Penetration Testing mailing list archives
Re: IDS/IPS Evasion Research Project
From: Jerome Athias <jerome.athias () free fr>
Date: Tue, 10 Oct 2006 10:18:03 +0200
Hi Joseph, that's a nice idea. As you speak about the MetaSploit Framework, I would like to give you some information I know.

You'll find a lot of useful information in the MSF Developers Guide: http://metasploit.com/projects/Framework/msf3/developers_guide.pdf

Look also, for example, at the "ips_filter.rb" plugin of the MSF3 and at the "passive" exploits concept (see the last IE exploits of HDM ;-))

See also the Thermoptic Camouflage: Total IDS Evasion (Brian Caswell and H D Moore): http://metasploit.blogspot.com/2006/06/black-hat-2006-and-defcon-14.html

My 2 euro cents
/JA
Good luck!

Joseph McCray wrote:
I was talking with a buddy of mine on the subject of IDS evasion. We were going on and on about how none of the old techniques really work anymore (substitution/obfuscation/session splicing/fragmentation, blah blah blah). I was an IDS monkey in a former life - maybe I'm just a glutton for punishment.

There is a bunch of new stuff on the subject that really isn't all that well documented (AT LEAST NOT FOR FREE). Everybody charges for this kind of info these days - hey, who am I to complain - I charge for teaching hacking too, right?

So I figured why not start an IDS/IPS Evasion research project of my own. I figured I could give a shout out to you guys here on the pentest/ids lists to help me try out some different open source tools against a few I{D|P}Ss, maybe even write a few new tools too, and we can see for ourselves what lights up and what doesn't. Now of course you know we'll start with Snort as it is by far the most accessible and the easiest to find competent users.

Things I'm really interested in digging into:

1. Specifically which of the older IDS evasion techniques still work against modern I{D|P}Ss.
2. What types of tricks can we do with metasploit to evade I{D|P}Ss (and get it documented).
3. Solidifying and expanding Renaud Bidou's good work on the subject.
4. Nail down Firewall/IDS testing specifics for packet crafting tools like:
   * hping
   * scapy
   * rubyforger
   * isic
   * nemesis
   * Paketto Keiretsu

If you are interested in working on this, send me an email. Won't be able to start for a week or two, but I can start getting the attack host and some targets ready during that time. We'll all figure out how we want to build/configure the test network.