You can always configure AppScan to use a proxy. For example, if you use Tor,
literally each time a request is made, it will come from a new IP address.
Yuli
---
http://www.greensql.net/
On Sat, May 24, 2008 at 10:46 PM, Erin Carroll <amoeba_at_amoebazone.com> wrote:
> If an IDS is blocking/banning your source IP there are a couple things that
> are possibly happening that you can try to work around the issue. Either a
> probe (or group of probe types) in AppScan is triggering an IDS response
> based on request type or your concurrent connection and request rate is
> triggering anti-DoS responses.
>
> First, I would recommend limiting your concurrent threads to a bare minimum,
> see if that works. Bear in mind that this will increase the total time
> AppScan takes to complete a scan significantly.
>
> Second, if that doesn't work and you are still getting blocked you may want
> to modify which tests are being performed. Depending on IDS setup and type,
> you could encounter blocking for request types which don't match the target
> server ("content-aware" approaches) like sending Apache probes against an
> IIS server. If that doesn't work, try removing server/service attacks/checks
> from your scan run and stick to just content-based attacks. Some IDS/IPS
> systems are aware of server/service attack behavior (like Apache 2.2.3's
> mod_rewrite off-by-one error vuln).
>
> But, like you said, manual checking is the way to go. AppScan and similar
> tools are just useful first steps to help pinpoint potential vectors.
>
> SecurityFocus has a pretty good intro to IDS evasion techniques at
> http://www.securityfocus.com/infocus/1577
>
>
> Hope that helps. I'm sure other list members will have other suggestions :)
>
>
> --
> Erin Carroll
> Moderator, SecurityFocus pen-test mailing list
> amoeba_at_amoebazone.com
> "Do Not Taunt Happy-Fun Ball"
>
> -----Original Message-----
> From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] On
> Behalf Of Pen Testing
> Sent: Saturday, May 24, 2008 7:14 AM
> To: pen-test_at_securityfocus.com
> Subject: AppScan and IDS evasion
>
> Hello,
>
> I've launched AppScan against a web application and I'm being
> blocked/banned (since I have a dynamic IP I can reboot my router and
> get another IP, which is shortly banned again, as long as the attack
> persists). Since AppScan doesn't have any kind of IDS evasion (AFAIK),
> what could I do?
>
> Of course, I can perform a manual audit (which I was going to do
> anyway, automatic scanners are only the first phase) but do you have
> other ideas to bypass the locking mechanism? Perhaps I could put in
> place some kind of proxy applying IDS-evasion techniques, so I could
> configure AppScan to use that proxy, and this last one would be in
> charge of manipulating/rewriting the requests to bypass IDS. Does such a
> proxy exist?
>
> It would be nice if you could point to some good and practical
> anti-IDS paper, doc and tools.
>
> Thank you.
>
> PS: I don't know which kind of IDS is in use (perhaps it's not a
> full-IDS but some anomaly detection as the one included in Checkpoint
> FW-1 but I don't have that information).
>
> Cheers,
> -q
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes
> in Securing Web Applications
> Find out now! Get Webinar Recording and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------
--
http://www.kyplex.com/
Received on May 24 2008