Just recently I attended a conference regarding NIDS issues and one of the
things they pointed out is that most NIDS are unable to detect deviations
from the RFC standards when accessing a service. Sample: using "HELLO /
HTTP/1.0" as an HTTP request (since valid methods do not include HELLO). The
report [1] has been made public and, since I recently wrote an article for a
Spanish information-security magazine talking about the issues around NIDS,
I am now quite interested in this issue.
Also, on the pen-test mailing list SnakeByte / Eric Sesterhenn
[snakebyte@gmx.de] has announced a tool that tries to do this for FTP
(www.kryptocrew.de/snakebyte/bed.html).
Is anyone working on a similar tool for Nessus? Is there one available? It
would be quite useful to test both the server and the IDS implementations out
there.
OK, some code: a simple HTTP test would be (bear with me, I have not tested
it and it's just an idea so you see what I'm talking about):
include("http_func.inc");

port = get_kb_item("Services/www");
if (!port) port = 80;
if (get_port_state(port))
{
  # Every four-letter uppercase token (26^4 = 456976 requests). Each one goes
  # on its own connection, since an HTTP/1.0 server closes after one response.
  for (i = 0; i <= 25; i = i + 1) {
    for (j = 0; j <= 25; j = j + 1) {
      for (k = 0; k <= 25; k = k + 1) {
        for (l = 0; l <= 25; l = l + 1) {
          soctcp80 = open_sock_tcp(port);
          if (!soctcp80) exit(0);
          data = string(raw_string(65+i, 65+j, 65+k, 65+l), " / HTTP/1.0\r\n\r\n");
          send(socket:soctcp80, data:data);
          resultrecv = http_recv(socket:soctcp80);
          close(soctcp80);
          # A conforming server answers an unknown method with a 4xx/5xx
          # status line (RFC 2616: 501 Not Implemented); anything else is
          # reported as a deviation worth looking at.
          if (!egrep(pattern:"^HTTP/1\.[01] [45][0-9][0-9]", string:resultrecv))
            security_warning(port:port);
        }
      }
    }
  }
}
Best regards
Javi
[1] Available here: http://www.criptored.upm.es/guiateoria/gt_m292a.htm (only in Spanish though)
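The probe-and-classify loop the post sketches, written out as an added example that is not part of the original message and not Nessus or NASL code: a Python script that builds the same "XXXX / HTTP/1.0" requests, sends each one on a fresh TCP connection (an HTTP/1.0 server closes after every response, so one socket cannot carry the whole loop), and sorts the replies into the outcomes a tester cares about: a proper 4xx/5xx error, a 2xx/3xx that means the bogus method was accepted, a reply that is not HTTP at all, or a dropped connection. The host, port and sample responses are assumptions constructed for the example, not captured from any real server.

```python
import itertools
import re
import socket
import string

# Methods RFC 2616 defines; any other token in the request line deviates from the spec.
RFC_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (reason may be empty)
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})(?: [^\r\n]*)?\r?\n")


def build_request(method: str, target: str = "/") -> bytes:
    """Build the HTTP/1.0 request the post sends, e.g. b'HELLO / HTTP/1.0\\r\\n\\r\\n'."""
    return f"{method} {target} HTTP/1.0\r\n\r\n".encode("ascii")


def four_letter_methods():
    """Yield all 26**4 four-letter uppercase tokens: the post's search space (AAAA..ZZZZ)."""
    for combo in itertools.product(string.ascii_uppercase, repeat=4):
        yield "".join(combo)


def classify_response(raw: bytes) -> str:
    """Classify a server's raw answer to an unknown method.

    'dropped'  : no bytes at all, the server closed the connection without answering
    'non-http' : reply does not start with an HTTP status line (e.g. HTTP/0.9-style body)
    'error'    : 4xx/5xx, the proper reaction (RFC 2616 says 501 Not Implemented)
    'accepted' : any other status, the server acted on the bogus method; look closer
    """
    if not raw:
        return "dropped"
    m = STATUS_LINE.match(raw)
    if not m:
        return "non-http"
    code = int(m.group(1))
    return "error" if 400 <= code < 600 else "accepted"


def probe(host: str, port: int, method: str, timeout: float = 5.0) -> bytes:
    """Send one request on a fresh connection and return whatever the server answers.

    Live network call; the offline sample below does not use it. Host and port are
    whatever the tester points it at (assumed, e.g. "192.0.2.10", 80).
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(method))
        chunks = []
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
        return b"".join(chunks)


def summarize(responses: dict) -> dict:
    """Count how many probed methods fell into each category."""
    counts = {}
    for raw in responses.values():
        cat = classify_response(raw)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample answers (not captured from any real server) to exercise the triage.
SAMPLE_RESPONSES = {
    "GETX": b"HTTP/1.1 501 Not Implemented\r\nServer: example\r\n\r\n",
    "HELLO": b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>index</html>",
    "QUIT": b"",
    "ZZZZ": b"<html><body>Bad request</body></html>",
}

if __name__ == "__main__":
    for method, raw in SAMPLE_RESPONSES.items():
        print(f"{method:6s} {classify_response(raw)}")
    print(summarize(SAMPLE_RESPONSES))
```

In a real run the interesting buckets are "accepted" and "non-http": the first means the server treated a token that is not an RFC method as if it were one, the second that the parser never got as far as a status line. Either way, a NIDS that only matches known-method signatures sees nothing unusual on the wire, which is exactly the gap the post describes.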