Penetration Testing mailing list archives
Re: IPS Testing
From: Clone <c70n3 () yahoo co in>
Date: Fri, 18 Jan 2008 18:26:55 +0000 (GMT)
What if an attacker spoofs SQL Injection/XSS/CSRF attack packets on port 80? I guess that should be easy to spoof a whole lot of IP addresses with such a payload. --- Mike Gibson <micheal.gibson () gmail com> wrote:
Pentestr, Chances are the IPS is blocking your IP because of the malicious payload within the packets that Nessus is sending. Spoofing your IP for a TCP session to get to the point where the server believes you have an established connection so you can actually send a malicious payload from a spoofed IP is not that easy these days. If you are able to get the IPS to permanently block your IP based on other things like performing an NMAP scan from a spoofed IP for example then that would be something that would be easy to reproduce and something your client would definitely want to do something about. Do you know for sure that it is blocking you forever? Most clients I have come across block for a certain amount of time (as much as 24 hours) but it isn't forever. If I was a network admin and my IPS was blocking an IP for 24 hours based on it detecting malicious content in a datagram during an established TCP session I wouldn't be too concerned about an attacker leveraging this to perform a DoS against legitimate users. I would be nervous about false positives but that is another story. :-) Mike Gibson Security Architect Third Brigade On Jan 8, 2008 9:36 AM, Maxime Ducharme <mducharme () cybergeneration com> wrote:Hi i suggest iptables SNAT spoof every packets destined to their address something like iptables -t nat -A POSTROUTING -o ethX --dst4.3.2.1 -j SNAT --to-source1.2.3.4 where 4.3.2.1 is their IP and 1.2.3.4 is thespoofed IPsome info :
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SNATTARGET
hth Max -----Message d'origine----- De : listbounce () securityfocus com[mailto:listbounce () securityfocus com] Dela part de pentestr Envoyé : 3 janvier 2008 03:56 À : Pentest Mailinglist Objet : IPS Testing Hi, I am doing a PT for a customer and found thatafter running nessusagainst the target our IP is getting blockedpermanently. I want to showthis issue to the customer. 1. Is there any specific tool that can generatenessus traffic byspoofing IPs? 2. Is there any tool that can change IP on thefly? While running nessusthat should change source IP? The server have only port 80 Open. Thank you. Regards. PenTestr.
------------------------------------------------------------------------
This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solutionFREE today!http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solutionFREE today!http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads
------------------------------------------------------------------------
Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- AW: IPS Testing, (continued)
- AW: IPS Testing Jörg Weber (Jan 09)
- Re: IPS Testing Mark Teicher (Jan 09)
- Re: IPS Testing feel2chat (Jan 09)
- Re: IPS Testing Alexander Klimov (Jan 08)
- Re: IPS Testing Joseph McCray (Jan 08)
- Re: IPS Testing pentestr (Jan 08)
- Re: IPS Testing Daniel Clemens (Jan 15)
- Re: IPS Testing pentestr (Jan 08)
- RE: IPS Testing Maxime Ducharme (Jan 09)
- Re: IPS Testing Mike Gibson (Jan 14)
- Re: IPS Testing José M. Palazón Romero (Jan 15)
- Re: IPS Testing Clone (Jan 22)
- Re: IPS Testing Mike Gibson (Jan 14)
- RE: IPS Testing Jeremiah Brott (Jan 07)
- RE: IPS Testing Clone (Jan 09)