Penetration Testing mailing list archives

RE: Thanks for the feedback and NAT-hide question
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Thu, 10 Aug 2006 21:18:49 -0700


Some comments inline below:

> One mistake in the network design appears to be the placement
> of the IPS.  Wouldn't we normally want that positioned

Actually this type of network design is very common for larger networks with
multiple webserver farms or netblocks within a DMZ. Placing the IPS behind
the FW in the DMZ and ahead of the load balancers allows for multiple
webserver clusters on different networks in the DMZ to all be "protected" by
a single[1] device.

> between the load balancers and the webserver?  Presumably the
> load balancers could terminate SSL connections and allow the
> IPS a full view of upper-layer attacks.  So, attacking the
> web application over SSL is my first choice.

While some IPS/IDS do have the ability to do teardown/rebuild to analyze
encrypted protocols provided they have the keys/certs, it's usually not done
due to the resource overhead and cost (I don't know offhand of an IPS vendor
that uses ettercap-like MITM captures of key/cert exchanges to sniff the
traffic in the clear). 

Attacking the web app over SSL is in most cases one of the most likely
successful attack vectors I've seen due to IPS/IDSs not doing
decrypt/analyze/re-encrypt of packets. Even in cases where it is set up, it
won't stop "legit" traffic over 80/443 as there is no way to reliably create
or implement signatures which would know that an HTTP POST with your example
of inject myFunc('Nancy\\'); alert('xss'); ('s', 'hamster') is a bad thing.

> However, if you're still wanting to hit the lower layers,
> then I would try to find a way to differentiate between requests
> that are blocked at the firewall, and ones that are blocked
> by the IPS.  This would then allow me to probe the policy on
> the firewall alone, possibly using idle scans to conduct
> spoofed scans from more trusted 3rd party servers.

What about fragmentation to bypass IPS and FW rules to get firewalk or
similar tools to enumerate attack vectors? I love me some nmap -f or --mtu
action. The hard part is getting the right offset to balance speed vs
stealth. In a lot of cases a 16-byte fragment setting will get through and
reduce the # of fragments you have to send as opposed to the default 8-byte.

> Oh, finally, if the load balancers operate more as reverse
> HTTP proxies than lower-layer TCP/SSL accelerators, then I'd
> look into HTTP request smuggling as well.

I'll have to confess that my question was based on a real-life scenario I
dealt with recently. The network infrastructure was as I described. The hard
part was that of the 12 webservers in the WebLogic cluster, only 1 had a
vulnerable WebLogic install. Trying to get the fragmentation and evasion to
work *and* hit the right box to inject the remote exploit was a royal pain
in the ass. I was hoping someone might be able to illustrate another way to
accomplish it.

[1] Where single=active-active HA installs to keep up with traffic demands
of course :)

Erin Carroll
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 
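The point raised in the thread about tiny IP fragments (nmap -f / --mtu, 8- and 16-byte fragments) getting past an IPS looks different from the sensor side: non-final fragments that are all a few bytes long, or fragments that overlap, almost never occur in legitimate traffic and are easy to alert on. The following Python is an added example, not code from the original post or from any IPS vendor: it reassembles constructed fragment records per (src, dst, IP ID) datagram and flags sources whose datagrams use tiny or overlapping fragments. The record schema, threshold values and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IP fragment as a sensor might log it (constructed schema, not a real tool's)."""
    src: str
    dst: str
    ip_id: int         # IP identification field shared by all fragments of one datagram
    offset: int        # fragment offset in bytes (the header field multiplied by 8)
    more: bool         # MF flag: True on every fragment except the last
    payload_len: int   # bytes carried after the IP header in this fragment


def group_datagrams(frags):
    """Bucket fragments by the tuple that identifies one original datagram."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f.src, f.dst, f.ip_id)].append(f)
    return groups


def classify_datagram(frags, tiny_threshold=16):
    """Walk the fragments in offset order and report size, completeness and evasion hints.

    tiny_fragments is True when every non-final fragment carries at most
    tiny_threshold bytes, which is what an 8- or 16-byte fragment setting produces.
    """
    frags = sorted(frags, key=lambda f: f.offset)   # stable: equal offsets keep arrival order
    expected = 0      # next byte offset we expect if fragments are contiguous
    overlaps = gaps = 0
    for f in frags:
        if f.offset < expected:
            overlaps += 1                 # fragment re-covers bytes already seen
        elif f.offset > expected:
            gaps += 1                     # hole in the datagram so far
        expected = max(expected, f.offset + f.payload_len)
    last = frags[-1]
    non_final = [f for f in frags if f.more]
    return {
        "fragments": len(frags),
        "total_bytes": expected,
        "complete": gaps == 0 and overlaps == 0 and not last.more,
        "overlaps": overlaps,
        "tiny_fragments": bool(non_final) and all(f.payload_len <= tiny_threshold for f in non_final),
    }


def flag_suspect_sources(frags, tiny_threshold=16, min_fragments=2):
    """Return {src: [(ip_id, info), ...]} for sources sending tiny or overlapping fragments."""
    suspects = defaultdict(list)
    for (src, _dst, ip_id), group in group_datagrams(frags).items():
        info = classify_datagram(group, tiny_threshold)
        if info["fragments"] >= min_fragments and (info["tiny_fragments"] or info["overlaps"]):
            suspects[src].append((ip_id, info))
    return dict(suspects)


# Constructed sample: one ordinary MTU-sized split, one 20-byte TCP header cut into
# 8-byte pieces (what an 8-byte fragment setting does), and one overlapping sequence.
SAMPLE_FRAGMENTS = [
    Fragment("10.0.0.5", "192.0.2.10", 1, 0, True, 1480),
    Fragment("10.0.0.5", "192.0.2.10", 1, 1480, False, 520),
    Fragment("198.51.100.7", "192.0.2.10", 2, 0, True, 8),
    Fragment("198.51.100.7", "192.0.2.10", 2, 8, True, 8),
    Fragment("198.51.100.7", "192.0.2.10", 2, 16, False, 4),
    Fragment("203.0.113.9", "192.0.2.10", 3, 0, True, 8),
    Fragment("203.0.113.9", "192.0.2.10", 3, 8, True, 8),
    Fragment("203.0.113.9", "192.0.2.10", 3, 8, False, 12),
]

if __name__ == "__main__":
    for src, hits in flag_suspect_sources(SAMPLE_FRAGMENTS).items():
        for ip_id, info in hits:
            print(f"{src} ip_id={ip_id}: {info}")
```

The 1480/520 split from 10.0.0.5 is left alone, while the 8-byte-fragment datagram and the overlapping one are both reported. A sensor that reassembles the same way the protected host does (and drops overlapping fragments rather than guessing which copy wins) removes most of the ambiguity that fragment evasion relies on; the threshold and minimum fragment count here are knobs to tune against real traffic, not fixed values.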