Penetration Testing mailing list archives

Re: IPS Testing

From: Clone <c70n3 () yahoo co in>
Date: Fri, 18 Jan 2008 18:26:55 +0000 (GMT)

What if an attacker spoofs SQL Injection/XSS/CSRF
attack packets on port 80? I guess that should be easy
to spoof a whole lot of IP addresses with such a
payload.

--- Mike Gibson <micheal.gibson () gmail com> wrote:

Pentestr,

Chances are the IPS is blocking your IP because of
the malicious
payload within the packets that Nessus is sending.
Spoofing your IP
for a TCP session to get to the point where the
server believes you
have an established connection so you can actually
send a malicious
payload from a spoofed IP is not that easy these
days. If you are able
to get the IPS to permanently block your IP based on
other things like
performing an NMAP scan from a spoofed IP for
example then that would
be something that would be easy to reproduce and
something your client
would definitely want to do something about.

Do you know for sure that it is blocking you
forever? Most clients I
have come across block for a certain amount of time
(as much as 24
hours) but it isn't forever.

If I was a network admin and my IPS was blocking an
IP for 24 hours
based on it detecting malicious content in a
datagram during an
established TCP session I wouldn't be too concerned
about an attacker
leveraging this to perform a DoS against legitimate
users. I would be
nervous about false positives but that is another
story. :-)

Mike Gibson
Security Architect
Third Brigade

On Jan 8, 2008 9:36 AM, Maxime Ducharme
<mducharme () cybergeneration com> wrote:


Hi

i suggest iptables SNAT

spoof every packets destined to their address

something like
iptables -t nat -A POSTROUTING -o ethX --dst

4.3.2.1 -j SNAT --to-source

1.2.3.4

where 4.3.2.1 is their IP and 1.2.3.4 is the

spoofed IP


some info :

http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SNATTARGET


hth

Max


-----Message d'origine-----
De : listbounce () securityfocus com

[mailto:listbounce () securityfocus com] De

la part de pentestr
Envoyé : 3 janvier 2008 03:56
À : Pentest Mailinglist
Objet : IPS Testing


Hi,

I am doing a PT for a customer and found that

after running nessus

against the target our IP is getting blocked

permanently. I want to show

this issue to the customer.
1. Is there any specific tool that can generate

nessus traffic by

spoofing IPs?
2. Is there any tool that can change IP on the

fly? While running nessus

that should change source IP?

The server have only port 80 Open.

Thank you.
Regards.
PenTestr.

------------------------------------------------------------------------

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution

FREE today!


http://www.cenzic.com/downloads

------------------------------------------------------------------------

------------------------------------------------------------------------

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution

FREE today!


http://www.cenzic.com/downloads

------------------------------------------------------------------------

------------------------------------------------------------------------

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE
today!

http://www.cenzic.com/downloads

------------------------------------------------------------------------




      Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

AW: IPS Testing, (continued)
- - - AW: IPS Testing Jörg Weber (Jan 09)
  - Re: IPS Testing Mark Teicher (Jan 09)
  - Re: IPS Testing feel2chat (Jan 09)
- Re: IPS Testing Alexander Klimov (Jan 08)
- Re: IPS Testing Joseph McCray (Jan 08)
  - Re: IPS Testing pentestr (Jan 08)
    - Re: IPS Testing Daniel Clemens (Jan 15)
- RE: IPS Testing Maxime Ducharme (Jan 09)
  - Re: IPS Testing Mike Gibson (Jan 14)
    - Re: IPS Testing José M. Palazón Romero (Jan 15)
    - Re: IPS Testing Clone (Jan 22)
- RE: IPS Testing Jeremiah Brott (Jan 07)
  - RE: IPS Testing Clone (Jan 09)