Message-ID: <40B8F6FF.4040408@davewking.com>
From: davedf at davewking.com (Dave King)
Subject: Pentesting an IDP-System
You might try nessus (http://www.nessus.org) and turn on all the
dangerous plugins and turn safe checks off. It also has some detection
evasion stuff. Good luck.
p.s. Marcin asked what to pentest means. It's just a slang term for
penetration test.
Dave King
http://www.thesecure.net
H D Moore wrote:
>On Saturday 29 May 2004 06:03, ph03n1x wrote:
>
>>Do you guys have an idea how I could test it more efficiently, is there
>>some software that automatically tries to attack with a bunch of the
>>most common and new exploits so I don't have to do it manually?
>>Preferably some GPL or other "free" stuff since I don't have a budget
>>for this.
>>
>
>Check out the Metasploit Framework, it was designed with IDS testing in
>mind. There is an environment option that you can set from the console
>that forces all "nop" instructions to be randomized; you may want to try
>setting this and see if the attack is detected at all :) [1]
>
>The Framework is available from:
> http://metasploit.com/projects/Framework/
>
>Version 2.0 is the latest public release. If you read through the Crash
>Course PDF on the documentation page, it will describe how to configure
>random nop sleds, as well as how the system works in general. The 2.0
>release includes about twenty exploits; updated and new modules are sent
>out to the Framework mailing list. If you have any questions about using
>the Framework, or the general development status, drop us a message
>at msfdef[at]metasploit.com.
>
>-HD
>
>1. Something you may want to keep in mind is that intrusion detection
>systems which follow a first-exit methodology (Snort, etc) will normally
>report only one event for a given attack. If the "nops" rule matches
>before the exploit rule, that would be the only event reported. The Snort
>team has added something called "event queueing" in the 2.1.3/2.2 version
>(currently in CVS), that allows much better control over which types of
>events override each other. Some day we may post our paper on bypassing
>every single signature with event masking...
>
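
Added example, not part of the original thread and not Snort's code: a simplified Python model of the reporting behaviour described in footnote 1, showing how first-exit evaluation reports only the generic "nops" event while a queue that collects all matches and orders them by severity still surfaces the specific rule. The rule ids, patterns, sample payload and the `max_queue`/`log` parameters are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int        # constructed rule id
    msg: str
    pattern: bytes  # constructed content match
    priority: int   # 1 = most severe


# Constructed rule set, in evaluation order: the generic rule comes first.
RULES = [
    Rule(1001, "generic NOP sled", b"\x90" * 8, 3),
    Rule(1002, "specific exploit marker", b"CONSTRUCTED-MARKER", 1),
]

# Constructed payload that matches both rules.
SAMPLE = b"\x90" * 16 + b"...CONSTRUCTED-MARKER..."


def first_exit(payload, rules=RULES):
    """Stop at the first matching rule and report only that event."""
    for rule in rules:
        if rule.pattern in payload:
            return [rule]
    return []


def event_queue(payload, rules=RULES, max_queue=8, log=3):
    """Queue every match (up to max_queue), then report the `log` most severe."""
    queued = [r for r in rules if r.pattern in payload][:max_queue]
    return sorted(queued, key=lambda r: (r.priority, r.sid))[:log]


def masked(payload, rules=RULES):
    """Rules that matched but were never reported under first-exit."""
    reported = set(first_exit(payload, rules))
    every_match = event_queue(payload, rules, log=len(rules))
    return [r for r in every_match if r not in reported]


if __name__ == "__main__":
    print("first-exit :", [r.msg for r in first_exit(SAMPLE)])
    print("event queue:", [r.msg for r in event_queue(SAMPLE)])
    print("masked     :", [r.msg for r in masked(SAMPLE)])
```

When validating an IDS, comparing the alerts raised against the full set of rules expected to match a test payload exposes this kind of masking.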