Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] Bypassing "smart" IDSes with misdirected frames? (

from [Aaron Turner] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] Bypassing "smart" IDSes with misdirected frames? (long and boring)
Date: Thu, 27 May 2004 22:45:24 -0700 
[snip original comments... read the archives if you don't know what
this thread is about]

Three comments:
1) Yes, playing with dst MAC addresses will work against most if not
all inline IPS solutions, and probably every sniffer based IDS... they
just don't track that sort of thing, although some do track source
MAC's to make sure you're not running ettercap or something like that.
 About the only solution that might protect against that is a device
which runs in a proxy-arp mode, since it would either not receive the
packet or would correct the destination MAC before forwarding (in the
case of a hw broadcast or hub).

2) Certain current and "state of the art" products can be evaded using
other methods which cause them to become out of sync with the victim. 
Just last week I found a certain IPS vendor who will remain nameless
still hasn't figured out how to do proper TCP stream reassembly and
proper IP defragmentation.  Other even more basic problems exist in
various products for which appear to be either pure laziness or
attempts to cut corners to boost performance numbers.

3) If you really want to have fun evading IDS you need to be using
libnet & libpcap or raw sockets.

-AT
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-Disclosure] full-disclosure search engine, 404
Next by Date:  Re: [Full-Disclosure] lists, autoresponders, and netiquette, Siraj 'Sid' Rakhada
Previous by Thread:  [Full-Disclosure] Bypassing "smart" IDSes with misdirected frames? (long and boring), Michal Zalewski
Next by Thread:  [Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames? (long and boring), Jim Bauer
Indexes:  [Date] [Thread] [Top] [All Lists]