Keeping under the radar from server admins

    • #8698
      w00tburger
      Participant

      Hello there. First post. I had done a few web searches, but I was curious to know how all fellow pen testers keep their “noise” to a minimum.

      Take the following for example: there is a web application you would like to test, but running something such as DirBuster or SkipFish would create megs of logs that would be hard for the server admin to miss if they were paying attention.

      Rather than customizing open source tools to dumb down the number of requests they make to a web server, I was wondering how you fellow ethical hackers do a low-level reconnaissance to exploitation.

    • #53814
      SephStorm
      Participant

      My inexperienced .02: any public webservers are going to get so many alerts that your scan won’t cause much concern; if they see it, they are likely to just block you. But if you want to avoid that, or want to test internal, you’d probably want to try manual exploitation attempts rather than a tool.

    • #53815
      dynamik
      Participant

      It’s unlikely that activity would get noticed unless they’re actively working with the logs at the time, but more mature environments/more advanced controls may detect repeated 404s and blacklist the source IP, or do things like intercept and respond to all requests with 200 messages.

      In general, you really have these options:

      1. Simply tune the tools to go so slow you avoid detection
      2. Do recon/run noisy tools from alternate locations (a pool of VPSes, through TOR, etc)
      3. Generate so much fake noise that your legitimate requests get lost in all that (i.e. make a few dozen/hundred requests with a spoofed source IP for each legitimate request)
      4. Perform attacks manually that aren’t flagged by signature or heuristic systems.

      The latter often works a lot better for specific, targeted attacks than noisy scanning/enumeration attacks. Maybe you can fragment packets in such a manner that avoids IDS detection, but when they’re reassembled into an HTTP GET request, the web server is still going to log the request. However, maybe you can find ways around that as well. For example, maybe the web server will disclose the existence of an item through a less common request (TRACE, DELETE, etc.) that the server isn’t configured to log.
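The two server-side controls dynamik mentions (flagging repeated 404s from one source, and noticing uncommon methods such as TRACE or DELETE that a default log configuration may not record) can be checked from the access log itself. The following is an added example, written for this thread and not code from any poster, tool or product; it assumes the Apache/nginx "combined" log format, a constructed set of log lines in time order, and a sliding window of 60 seconds with a threshold of five 404s, all of which are assumptions a defender would tune to their own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex for the Apache/nginx "combined" access log format (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Methods that ordinary browser traffic to a web app rarely uses; worth a look
# when they show up, and worth confirming the server actually logs them.
UNCOMMON_METHODS = {"TRACE", "DELETE", "OPTIONS", "PUT", "CONNECT"}

# Constructed sample log lines (not from any real server). One source makes a
# rapid burst of 404s, one makes two 404s minutes apart, one sends a TRACE.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:12:00:03 +0000] "GET /old-page HTTP/1.1" 404 215 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2020:12:00:02 +0000] "GET /admin/ HTTP/1.1" 404 215 "-" "DirBuster-1.0"
198.51.100.9 - - [10/Mar/2020:12:00:03 +0000] "GET /backup/ HTTP/1.1" 404 215 "-" "DirBuster-1.0"
198.51.100.9 - - [10/Mar/2020:12:00:04 +0000] "GET /test/ HTTP/1.1" 404 215 "-" "DirBuster-1.0"
198.51.100.9 - - [10/Mar/2020:12:00:05 +0000] "GET /.git/ HTTP/1.1" 404 215 "-" "DirBuster-1.0"
198.51.100.9 - - [10/Mar/2020:12:00:06 +0000] "GET /config/ HTTP/1.1" 404 215 "-" "DirBuster-1.0"
198.51.100.9 - - [10/Mar/2020:12:00:07 +0000] "GET /tmp/ HTTP/1.1" 404 215 "-" "DirBuster-1.0"
192.0.2.5 - - [10/Mar/2020:12:01:00 +0000] "TRACE /secret HTTP/1.1" 405 0 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2020:12:05:30 +0000] "GET /missing HTTP/1.1" 404 215 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect(lines, window_seconds=60, threshold=5):
    """Flag source IPs that produce `threshold` or more 404s inside a sliding
    window of `window_seconds`, and record any request using an uncommon method.
    Lines are assumed to be in chronological order, as a live access log is."""
    recent_404 = defaultdict(deque)   # ip -> timestamps of recent 404s
    burst_ips = set()
    uncommon = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] in UNCOMMON_METHODS:
            uncommon.append((rec["ip"], rec["method"], rec["path"]))
        if rec["status"] == 404:
            q = recent_404[rec["ip"]]
            q.append(rec["ts"])
            # Drop timestamps that have fallen out of the window.
            while (rec["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                burst_ips.add(rec["ip"])
    return {"burst_404": burst_ips, "uncommon_method": uncommon}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG.splitlines())
    print("404 burst sources:", sorted(result["burst_404"]))
    print("uncommon methods:", result["uncommon_method"])
```

Run on the constructed sample, the scanner at 198.51.100.9 is flagged after its fifth 404 within the window, while 203.0.113.7, whose two 404s are five minutes apart, is not; that second case is exactly why a window-based rule alone is weak against a deliberately slowed scan, and a long-horizon per-source 404 count is the usual companion rule. The TRACE request is surfaced separately only because this server logged it; the practical check for a defender is to confirm the log format records every method and status, not just successful GETs.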

Copyright ©2020 Caendra, Inc.