Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: Obfuscated shellcode
From: "Don Parker" <dparker () rigelksecurity com>
Date: Sun, 1 Feb 2004 16:57:50 -0500 (EST)
Hi Aaron, well agreed any IDS worth it's salt will detect a NOOP sled. I have however 
seen the signatures firsthand of some major vendors and they all go for very generic 
stuff such as the NOOP  times n amount, and perhaps port matching. That is it, 
literally. Also drawing on my work with some large entities I know firsthand that the 
rollout of some patches can be very slow, thereby leaving open a large window of 
opportunity for a munged egg to get through. Hence my question on using an obfuscated 
egg to slip past the IDS.

Cheers,

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Feb 1 , Aaron Turner <aturner () pobox com> wrote:
Don,



While most IDS's will detect a NOOP sled, any IDS worth it's salt which has

a signature for an exploit won't rely on it.  Rather it will use something

unique to the exploit which can't (at least easily) changed to avoid 

detection.



Also, in my experiance most corporations update their signatures about as

often as feasible (a combination of how often the IDS vendor updates the

signatures and how easy it is to push the update to the sensors).  Any

organization which isn't using the latest signature set is wasting their

effort and $$$.  Ie, if you have to carefully manage your signature set 

and delay updating your sensors because things might horribly break 

without a way to manage that risk, then you should find another IDS 

vendor.



-- 

Aaron Turner <aturner at pobox.com|synfin.net>  http://synfin.net/

They that can give up essential liberty to obtain a little temporary 

safety deserve neither liberty nor safety. -- Benjamin Franklin

All emails are PGP signed; a lack of a signature indicates a forgery.



On Sun, Feb 01, 2004 at 12:38:32PM -0500, Don Parker wrote:


Hello all, do any of you bother using obfuscated eggs during a pentest? I

 ask here for I 


got no responses elsewhere. Though changing the well known x90 sled to so

me other 1 byte 


function that won't affect the egg won't work against a patched service i

t will, however 


elude an IDS signature.  



 



Quite a few large corporations may get updated signatures relatively quic

kly but, they 


often do not patch for sometime due to baseline rollouts. Hence using an 

obfuscated egg 


to slip past the IDS. This technique is not new, but it is becoming more 

well known. 


There are some mitigaing factors here which could affect this such as app

lication layer 


firewalls and the such. I would however be interested in your thoughts on

 this. I have 


not seem much discussion anywhere on this topic. 





 UNKNOWN

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]