
List:       full-disclosure
Subject:    [Full-disclosure] [DEMO] Sample videos about IDS/IPS evasions...
From:       "Nelson Brito" <nbrito () sekure ! org>
Date:       2010-10-29 20:47:54
Message-ID: 000301cb77aa$91f5c5a0$b5e150e0$ () org

Hi, everyone!

 

As so many highlights have been given on Intrusion Detection System and
Intrusion Prevention System evasions (?) last week, I decided to send this
message just to let you all know that I published a brand-new sample video,
demonstrating two Exploit Next Generation® example modules, successfully
evading:

* SNORT 2.8.6 detection for MS02-056 vulnerability.
* SURICATA 0.9.0 detection for MS08-078 vulnerability.

 

Here is the YouTube video:

* http://www.youtube.com/watch?v=iHgtf4PXqeU

 

PS: So, Intrusion Detection System and Intrusion Prevention System evasions
are not that BIG NEWS, at least not for the H2HC Sixth Edition's audience.

 

Before someone asks what the similarities and/or differences between Exploit
Next Generation® (ENG++) and Advanced Evasion Techniques (AET) are, let me
get this clear:

* ENG++ has a different approach and has no similarity to AET, despite the
  fact that both of them can be used to bypass IDS and IPS technology.
  Besides, ENG++ is much older research.

* ENG++ was first designed in 2004, coded in 2005, published in 2008
  ("Exploit creation - The random approach" or "Playing with random to build
  exploits" <http://packetstormsecurity.org/papers/general/ENG_in_a_nutshell.pdf>),
  and became a methodology in 2009 ("The Departed: Exploit Next Generation -
  The Philosophy" <http://www.h2hc.com.br/repositorio/2009/files/Nelson.en.pdf>).

* ENG++ became a methodology when I decided to port it to work with/to any
  open exploit development framework, i.e., Metasploit Framework.

* Ported means that ENG++ has been developed for a long, long, long time, so
  just some modules are working on Metasploit Framework to release some of
  its examples and to help people understand that really cool stuff can be
  done when you are innovating and creating.

 

In a few words: Exploit Next Generation® Compliance Methodology is not the
same thing as Advanced Evasion Techniques (ENG++ != AET).

 

For further information, please, visit the URL:

* http://j.mp/ExploitNG

 

For online information and news about Exploit Next Generation® Compliance
Methodology, please, follow @Exploit_NG <http://twitter.com/Exploit_NG> on
Twitter.

 

Cheers.

 

Nelson Brito

Security Researcher

http://fnstenv.blogspot.com/

 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
