lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1ca1c141040527224553a1a731@mail.gmail.com>
From: synfinatic at gmail.com (Aaron Turner)
Subject: Bypassing "smart" IDSes with misdirected frames? (long and boring)

[snip original comments... read the archives if you don't know what
this thread is about]

Three comments:
1) Yes, playing with dst MAC addresses will work against most if not
all inline IPS solutions, and probably every sniffer based IDS... they
just don't track that sort of thing, although some do track source
MAC's to make sure you're not running ettercap or something like that.
 About the only solution that might protect against that is a device
which runs in a proxy-arp mode, since it would either not receive the
packet or would correct the destination MAC before forwarding (in the
case of a hw broadcast or hub).

2) Certain current and "state of the art" products can be evaded using
other methods which cause them to become out of sync with the victim. 
Just last week I found a certain IPS vendor who will remain nameless
still hasn't figured out how to do proper TCP stream reassembly and
proper IP defragmentation.  Other even more basic problems exist in
various products for which appear to be either pure laziness or
attempts to cut corners to boost performance numbers.

3) If you really want to have fun evading IDS you need to be using
libnet & libpcap or raw sockets.

-AT


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ