Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: AppScan and IDS evasion
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Sat, 28 Jun 2008 06:41:21 -0400

On Fri, 2008-06-27 at 16:53 -0500, TH wrote:

For instance, what if an attacker with nice network connectivity such
that they can spoof packets without any filtering, and then they run
snot or sneeze, or whatever the IDS/IPS triggering tool of chioce
is...while spoofing traffic as though its coming from...

$ for i in a b c d e f g h i j k l m ; do  dig +short $i.root-servers.net; done

Seen this in the wild. Noting worse than a financial institution that
can no longer find anything. ;-)

The "belief" is that an attacker can not spoof a TCP session because the
three packet handshake is required prior to data transmission. I've
found a few excepts in my travels:

1) IDS/IPS will tag malicious payloads in the SYN
2) State is not properly maintained or skipped on some TCP ports so a
single malicious ACK does the trick
3) Shunning based ob UDP which is easily spoofed

HTH,
C



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault