Penetration Testing mailing list archives
Re: AppScan and IDS evasion
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Sat, 28 Jun 2008 06:41:21 -0400
On Fri, 2008-06-27 at 16:53 -0500, TH wrote:
For instance, what if an attacker with nice network connectivity such that they can spoof packets without any filtering, and then they run snot or sneeze, or whatever the IDS/IPS triggering tool of choice is... while spoofing traffic as though it's coming from...

$ for i in a b c d e f g h i j k l m ; do dig +short $i.root-servers.net; done
Seen this in the wild. Nothing worse than a financial institution that can no longer find anything. ;-)

The "belief" is that an attacker can not spoof a TCP session because the three packet handshake is required prior to data transmission. I've found a few exceptions in my travels:

1) IDS/IPS will tag malicious payloads in the SYN
2) State is not properly maintained or skipped on some TCP ports so a single malicious ACK does the trick
3) Shunning based on UDP which is easily spoofed

HTH,
C
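The three exceptions above are exactly the cases where an automatic shun can be turned against the defender, so a gate in front of the block action is the usual mitigation. The following is an added example, not code from the thread or from any product it mentions: a small review routine that only allows an automatic shun when the triggering traffic arrived inside a completed TCP session and the source is not on a critical allowlist. All addresses are constructed from the RFC 5737 documentation ranges.

```python
# Added example (not from the original thread): a review gate placed in front of an
# IPS/IDS "shun" action so that only alerts whose triggering traffic could not have
# been spoofed lead to an automatic block. It encodes the three exceptions from the
# reply above: payload matched in a SYN, a stateless match on a lone ACK, and any
# UDP-based trigger. Addresses are constructed (RFC 5737), not real infrastructure.
from dataclasses import dataclass

# Constructed allowlist standing in for infrastructure a site can never afford to
# block (upstream DNS, partners, the sensors themselves). A real deployment would
# load this from configuration.
CRITICAL_ALLOWLIST = {"198.51.100.53", "203.0.113.10"}


@dataclass
class Alert:
    src: str              # source address the IPS wants to shun
    proto: str            # "tcp" or "udp"
    flags: str            # TCP flags on the triggering packet, "" for UDP
    handshake_seen: bool  # sensor tracked a completed 3-way handshake for this flow


def shun_decision(alert: Alert, allowlist=CRITICAL_ALLOWLIST):
    """Return (action, reason); action is "shun" or "alert_only"."""
    if alert.src in allowlist:
        return "alert_only", "source is on the critical allowlist"
    if alert.proto == "udp":
        return "alert_only", "UDP trigger: source address is trivially spoofable"
    if alert.proto == "tcp":
        if not alert.handshake_seen:
            # Covers both a malicious payload carried in the SYN and a stateless
            # signature match on a single ACK: neither proves the source is real.
            return "alert_only", f"no completed handshake (flags={alert.flags or '-'})"
        return "shun", "payload arrived inside an established TCP session"
    return "alert_only", f"unknown protocol {alert.proto!r}"


def review(alerts):
    """Apply shun_decision to a batch and return {src: action}."""
    return {a.src: shun_decision(a)[0] for a in alerts}


# Constructed sample alerts: one per case in the reply, plus a genuine session.
SAMPLE_ALERTS = [
    Alert("192.0.2.10", "tcp", "S", False),      # payload tagged in the SYN
    Alert("192.0.2.11", "tcp", "A", False),      # lone ACK on a port with no state
    Alert("192.0.2.12", "udp", "", False),       # UDP-based trigger
    Alert("198.51.100.53", "tcp", "PA", True),   # real session, but on the allowlist
    Alert("192.0.2.20", "tcp", "PA", True),      # real session: safe to shun
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.src, *shun_decision(a))
```

Only the last sample alert results in a shun; the other four are downgraded to alert-only so an analyst can confirm them before any block is applied.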