stealth network analysis techniques

I read at www.taosecurity.com that it could offer a course on Network
Stealth techniques. These techniques allow assessors or analysts to
bypass IDS, IPS, firewall, and other security measures.

Any info or pointers on these techniques are appreciated.

Thanks,

DF

 

################################
I looked at the page that decribes the training and it really didn't look
like a HOWTO on bypassing firewalls and detection systems. It seemed to be
offering defensive and forensic techniques instead.
http://www.honeynet.org/challenge/
Take a look at that site for forensic info and try your hand at their
monthly challenge. A unix box is really needed for that.
www.phrack.org
Phrack has plenty of info on buffer overflows and other hacking techniques
that are more up to date then most of the hacking texts on the net. As
detection systems and firewalls get better along w/ networks being NATed,
more programming knowledge is needed to write programs that will do function
calls to the software behind the firewall.
Have fun,
donnie.

 

Hrrrmm, be a good trick. Be interested to see how this could be
accomplished without detection.

Winged

 

Ok, that was probably one of the dumbest things I've seen posted to Usenet
in a while. Sorta like saying you'd like to see someone make a sandwich
using bread.

Bypassing security MEANS you're not detected. If you're accomplishing it,
you're not being detected. If you're detected, you're not accomplishing it.

 

Our assessors or those testing our network security, would always alert
those with the IDS etc of their activity. Then we would ignore their
activities.

While I am aware of a number of ways to "stealth" attack. I believe we
have reasonably covered our bases to eliminate non-detection. Even if
the attack were occurring via SLL not only would we see the activity but
are able to read the SSL session. Yes it is possible to encrypt using
non-standard encryption methods (been there done that) but this too
raises flags and tends to cause an automatic block of the communication
and ring bells.

This individual asked how to penetrate a network, from outside the
firewalls undetected. If I knew how to do this, it would be fixed. Yes
one might try to penetrate to DMZ and perhaps jump off a server, though
tripwire might be an issue... But even inside the DMZ (assuming success
and avoiding various monitoring pieces) it still would not get them past
other boundaries "undetected". We have penetration tests yearly.
Typically as part of the pen testing we have to "let" them in to the
next level to pen test from there. The most significant success of the
pen testers is taking or copying a client after hours. Theft is very
difficult to stop in large environments. But I have yet to see a
penetration without detection...shrugs but I guess I wouldn't know but
professional pen testers have yet to accomplish it undetected.

It is possible if a trusted host outside were compromised they could
penetrate inside but once they launched from that server, activities
would not be undetected.

Unless the user has already accomplished complete footprinting the
network in question and had significant inside knowledge I do not
believe it could be done. Bypassing any single device including most
firewalls is relatively easy, but undetected??? Even inside one of the
firewall boundaries as a domain user it would be very problematic. Even
as one of the administrators doing inappropriate activities across the
network would induce challenges as no single administrator has the
resources to bypass all the required security precautions undetected.
Sometimes administrators are bad folks too.

I am familiar with ways to bypass various single pieces, but I have no
idea how one could do this "undetected" by all of the layers successfully.

If I had an idea I would ensure it were fixed to the best of my ability
and I highly doubt I would publish the "how to" on UseNet.

The undetected part...yeah...thats the pickle.

Winged