I have come across something a little hard to digest. I want to know
your expert views on this.
Here's the scenario:
An IPS (Cisco 4260) is being tested in a pre-deployment phase, at one
of our clients. The IPS is running in 'promiscuous mode' and plugged into
the SPAN port at the core switch.
We have written a bash script which we run from the 'attacker'
machine (192.168.1.1). It first does a portscan and then throws an
exploit code at the vulnerable webserver in our
network (192.168.1.101). We expected our IPS to raise at least 2
alerts.
Problem 1:
Now, whenever we launch nmap to scan for two ports, IPS does not show
any alert.
nmap -sS -n -p 80,443 192.168.1.101
But, if we run nmap from the CLI without the -p switch, the IPS shows an alert.
nmap -sS -n 192.168.1.101
What could be the reason behind this?
Problem 2:
When we send the SQL injection payload using the script, it is not caught
by the IPS. While troubleshooting, we confirmed (using a netcat listener at
the victim - instead of the real web server) that the ' or '1'='1 string reaches
the server machine. If packets with that SQL payload are travelling
through the same network, why is the IPS not seeing them? We could not
find the answer.
Going one step ahead, when we submitted the same string in the URL
request from the attacker's browser, it was caught by the IPS.
The same happens with all other attack payloads that we are throwing
towards real or virtual (netcat listener) servers, using netcat.
Why is the IPS unable to see these attacks?
Thanks,
Alcides
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
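One thing to check before going further with the second problem is whether the netcat delivery is a well-formed HTTP request at all: an HTTP-aware signature first parses the request line and decodes the query, so the same string written raw to port 80 and the same string inside a browser GET are different streams to an inspector. The following is an added diagnostic, not code from the original post, that models that difference for the post's test string; it assumes the script wrote the bare string to the socket, and the path /login.php and parameter name id are invented for the example.

```python
# Added example (not from the post): compare the two ways the SQLi test
# string reaches 192.168.1.101 and see which one parses as HTTP.
# Assumption: the script's netcat path sent the bare string; the browser
# path sent a normal GET with the string URL-encoded in the query.
import re
from urllib.parse import quote, urlsplit, parse_qsl

PAYLOAD = "' or '1'='1"    # test string from the post
TARGET = "192.168.1.101"    # lab web server from the post

# Minimal HTTP/1.x request-line grammar: METHOD SP target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")


def bare_netcat_bytes(payload: str) -> bytes:
    """What `echo "<payload>" | nc host 80` puts on the wire: string + newline."""
    return (payload + "\n").encode()


def browser_get_bytes(payload: str, host: str, param: str = "id",
                      path: str = "/login.php") -> bytes:
    """A browser-style GET carrying the payload URL-encoded in the query.
    (path and parameter name are assumptions made for this example)"""
    query = f"{param}={quote(payload, safe='')}"
    return (f"GET {path}?{query} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"User-Agent: example-browser\r\n"
            f"Connection: close\r\n\r\n").encode()


def http_view(wire: bytes):
    """Rough model of an HTTP-aware inspector: only when the stream starts with
    a valid request line are method, path and decoded query parameters exposed.
    Returns None when the bytes do not parse as an HTTP request."""
    m = REQUEST_LINE.match(wire.decode("latin-1"))
    if not m:
        return None
    parts = urlsplit(m.group(2))
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"method": m.group(1), "path": parts.path, "params": params}


def contains_payload(wire: bytes, payload: str) -> bool:
    """Plain substring match on raw bytes, raw or URL-encoded, as a packet grep would."""
    return payload.encode() in wire or quote(payload, safe="").encode() in wire


if __name__ == "__main__":
    for label, wire in (("netcat", bare_netcat_bytes(PAYLOAD)),
                        ("browser", browser_get_bytes(PAYLOAD, TARGET))):
        print(label, "raw match:", contains_payload(wire, PAYLOAD),
              "| http view:", http_view(wire))
```

Both streams contain the string at the byte level, but only the browser form yields a parsed request with the decoded parameter; whether the sensor's signature keys on the raw bytes or on the parsed HTTP view is what to confirm against the sensor's own documentation.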