
Keeping under the radar from server admins


w00tburger

Newbie

Posts: 1

Joined: Tue May 13, 2014 9:44 am

Post Tue May 13, 2014 10:46 am

Keeping under the radar from server admins

Hello there. First post. I had done a few web searches, but I was curious to know how all fellow pen testers keep their "noise" to a minimum.

Take the following for example: there is a web application you would like to test, but running something such as DirBuster or SkipFish would create megs of logs that would be hard for the server admin to miss if they were paying attention.

Rather than customizing open source tools to dumb down the number of requests they make to a web server, I was wondering how you fellow ethical hackers do low-level reconnaissance through to exploitation.

SephStorm

Hero Member

Posts: 622

Joined: Sat Apr 17, 2010 12:12 pm

Post Tue May 13, 2014 4:36 pm

Re: Keeping under the radar from server admins

My inexperienced .02: any public web servers are going to get so many alerts that your scan won't cause much concern; if they see it, they are likely to just block you. But if you want to avoid that or want to test internally, you'd probably want to try manual exploitation attempts rather than a tool.
sectestanalysis.blogspot.com/

dynamik

Recruiters

Posts: 1134

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat May 17, 2014 10:33 pm

Re: Keeping under the radar from server admins

It's unlikely that activity would get noticed unless they're actively working with the logs at the time, but more mature environments/more advanced controls may detect repeated 404s and blacklist the source IP, or do things like intercept and respond to all requests with 200 messages.

In general, you really have these options:
  1. Simply tune the tools to go so slow you avoid detection
  2. Do recon/run noisy tools from alternate locations (a pool of VPSes, through TOR, etc)
  3. Generate so much fake noise that your legitimate requests get lost in all that (i.e. make a few dozen/hundred requests with a spoofed source IP for each legitimate request)
  4. Perform attacks manually that aren't flagged by signature or heuristic systems.
The latter often works a lot better for specific, targeted attacks than noisy scanning/enumeration attacks. Maybe you can fragment packets in such a manner that avoids IDS detection, but when they're reassembled into an HTTP GET request, the web server is still going to log the request. However, maybe you can find ways around that as well. For example, maybe the web server will disclose the existence of an item through a less common request (TRACE, DELETE, etc.) that the server isn't configured to log.
The day you stop learning is the day you start becoming obsolete.
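Added here as an illustration of the server-side control dynamik mentions (flagging a source that racks up repeated 404s in a short window, plus requests using uncommon methods that an admin might otherwise not be logging), not code from anyone in the thread: a small Python pass over constructed Apache-style log lines. The IP addresses, timestamps, paths and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
COMMON_METHODS = {"GET", "POST", "HEAD"}  # anything else gets flagged for review


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def analyse(lines, threshold=5, window_s=60):
    """Return (noisy_ips, odd_method_ips): sources with >= threshold 404s inside
    any sliding window of window_s seconds, and sources using uncommon methods."""
    per_ip_404 = defaultdict(list)
    odd_method = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] not in COMMON_METHODS:
            odd_method.add(rec["ip"])
        if rec["status"] == 404:
            per_ip_404[rec["ip"]].append(rec["ts"])
    noisy = set()
    for ip, stamps in per_ip_404.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):          # two-pointer sliding window
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                noisy.add(ip)
                break
    return noisy, odd_method


# Constructed sample log: one directory-brute-force burst, one normal client
# that hits a single 404, and one client poking with TRACE.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/May/2014:10:46:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/May/2014:10:46:02 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/May/2014:10:46:03 +0000] "GET /config.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/May/2014:10:46:04 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/May/2014:10:46:05 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2014:10:46:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [13/May/2014:10:47:30 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/7.30"',
    '198.51.100.7 - - [13/May/2014:10:50:00 +0000] "GET /missing HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]
```

Running `analyse(SAMPLE_LOG)` flags 203.0.113.5 for the 404 burst and 192.0.2.9 for the TRACE request, while the normal client's lone 404 stays below the threshold.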
