May 13, 2014 at 3:46 pm #8698 w00tburger (Participant)
Hello there. First post. I had done a few web searches, but I was curious to know how all fellow pen testers keep their “noise” to a minimum.
Take the following, for example: there is a web application you would like to test, but running something such as DirBuster or SkipFish would create megs of logs that would be hard for the server admin to miss if they were paying attention.
Rather than customizing open source tools to dumb down the number of requests they make to a web server, I was wondering how you fellow ethical hackers do low-level reconnaissance to exploitation.
May 13, 2014 at 9:36 pm #53814 SephStorm (Participant)
My inexperienced .02: any public web servers are going to get so many alerts that your scan won’t cause much concern; if they see it, they are likely to just block you. But if you want to avoid that or want to test internally, you’d probably want to try manual exploitation attempts rather than a tool.
May 18, 2014 at 3:33 am #53815 dynamik (Participant)
It’s unlikely that activity would get noticed unless they’re actively working with the logs at the time, but more mature environments/more advanced controls may detect repeated 404s and blacklist the source IP, or do things like intercept and respond to all requests with 200 messages.
In general, you really have these options:
- Simply tune the tools to go so slow you avoid detection
- Do recon/run noisy tools from alternate locations (a pool of VPSes, through TOR, etc)
- Generate so much fake noise that your legitimate requests get lost in all that (i.e. make a few dozen/hundred requests with a spoofed source IP for each legitimate request)
- Perform attacks manually that aren’t flagged by signature or heuristic systems.
The latter often works a lot better for specific, targeted attacks than noisy scanning/enumeration attacks. Maybe you can fragment packets in such a manner that avoids IDS detection, but when they’re reassembled into an HTTP GET request, the web server is still going to log the request. However, maybe you can find ways around that as well. For example, maybe the web server will disclose the existence of an item through a less common request (TRACE, DELETE, etc.) that the server isn’t configured to log.
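From the defender's side, the two signals this reply mentions (a burst of 404s from one source, and uncommon methods such as TRACE or DELETE that a server may not be configured to log) are easy to pull out of an ordinary access log. The following is an added example, not code from anyone in this thread; the log lines are constructed in combined log format with documentation-range IPs, and the threshold of 3 is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2014:15:46:01 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2014:15:46:02 -0400] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2014:15:46:02 -0400] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2014:15:46:03 -0400] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2014:15:46:03 -0400] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [13/May/2014:15:46:05 -0400] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [13/May/2014:15:46:06 -0400] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [13/May/2014:15:47:10 -0400] "TRACE /index.html HTTP/1.1" 200 0 "-" "curl/7.30"
192.0.2.44 - - [13/May/2014:15:47:11 -0400] "DELETE /uploads/x HTTP/1.1" 405 0 "-" "curl/7.30"
"""

# Fields we need from each line: client IP, method, request path, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Methods a typical web application expects; anything else is worth a look.
COMMON_METHODS = {"GET", "POST", "HEAD"}

def parse_line(line):
    """Return a dict of the parsed fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def analyze(log_text, not_found_threshold=3):
    """Return (noisy_ips, odd_method_requests).

    noisy_ips maps each source IP with >= not_found_threshold 404s to its count;
    odd_method_requests lists (ip, method, path) for methods outside COMMON_METHODS.
    """
    not_found = Counter()
    odd = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines rather than fail
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        if rec["method"] not in COMMON_METHODS:
            odd.append((rec["ip"], rec["method"], rec["path"]))
    noisy = {ip: n for ip, n in not_found.items() if n >= not_found_threshold}
    return noisy, odd
```

A single 404 from a normal visitor (the second IP above) stays below the threshold, while the directory-guessing burst and the TRACE/DELETE probes are both surfaced.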