
Thread: Timed out in penetration testing

  1. #1
    Just burned his ISO
    Join Date
    Aug 2008
    Posts
    1

    Timed out in penetration testing

    We are doing an external penetration test of our client's network but can't proceed further, as our scans/requests time out every time we start the initial scan. As an example, we knew port 21 was open and could connect to it, but after we ran a scan to check for any other open ports, all requests (pings, etc.) timed out without any results and we couldn't even connect back to port 21. This lasts for 10 minutes, and then ping replies return to normal.

    We're thinking this might be an issue (or feature) on the ISP's side, because all the IPs in the network block behaved in the same way. Is there any advice on how to proceed with the pentest? Should we notify the ISP or the client about the issue? Results would be very minimal and inconsistent, and I am sure the client will not be satisfied if we only mention the problem at the end of the day.

    Thanks

  2. #2
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    Sounds like your client (or the ISP) has an IDS kicking in, and as an educated guess, the behavior is that it's doing exactly what it is supposed to be doing. There are several IDS packages that will do similar things. My suggestion would be to make appropriate notes, adjust timing on your tool(s) to perform the needed scan(s) and move on. Depending on the scope of the pen test, you might want to see if you can identify the IDS, and see what vulnerabilities it may possess.
    Thorn
    Stop the TSA now! Boycott the airlines.

  3. #3
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    Between the two: BackTrack is 4, FwdTrack4
    Posts
    854


    Today's IDS/IPS and firewalls are able to easily detect almost all kinds of scan attacks (SYN, NULL, TCP, etc.) and consider them attack patterns. If there is an IDS in place, it is denying you for the next 10 minutes according to its signature tuning, and that may be the firewall too, because if you are pinging you get replies to the first 1 or 2 packets, and after that the firewall or IDS learns about the attacking host and, based on signature tuning, its action can be a request block, a signature alarm, or an RST. So I think you are getting an RST and the connection is being terminated. But since you have to PT for the client, you must consult the ISP about it, as it will be taken as a criminal offense if you don't take them into consideration. No ISP will allow scanning through its network, as this is vital for security and can lead to a security breach.

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629


    Quote Originally Posted by mindf
    We're thinking this might be an issue(or feature) on the ISP's side because all the IPs in the network block behaved in the same way.
    I hope you were contracted to assess all the IPs in that netblock, otherwise you've attempted to pentest resources of the ISP or other clients of the ISP that you have no contract for.
    Is there any advice on how to proceed with the pentest?
    I see a few options:
    1) Script or schedule your way around the IDS/IPS which is imposing the timeout.
    2) Tell the client you've noted that their protections (or the ISP's) are working (somewhat), but that you'd like them to insert some exceptions for your testing so that you can proceed within a decent time frame. (Of course this means you'll have to provide them with the source addresses you'll be doing the testing from.)
    3) Present the results as you've found them, as this represents the way the majority of the attacks will come at them (though nothing says an attacker wouldn't go to the trouble of #1 above... the client should make this determination, i.e. how much effort do they expect an attacker/malicious user to invest in attacking them).
    Should we notify the ISP or the client about the issue?
    That depends on your contract and agreements (or lack thereof) with the client and ISP.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    Good friend of the forums
    Join Date
    Feb 2010
    Posts
    328


    Get on the LAN, or get some user to use a Java scanner or Excel template port scanner..

    -T 1 in nmap ... (also try SYN etc.)

    The only things you can do with an IDP are:
    * slow down the scans
    * set max threads down
    * obfuscate the test manually and find out what does not trigger the IDS (unicode, base26 etc.)
    * own a client inside the LAN... scan away!
    * also a fun one is to hijack the LAN and trigger the IDP to block everybody on the network (if misconfigured)

  6. #6
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    Between the two: BackTrack is 4, FwdTrack4
    Posts
    854


    Quote Originally Posted by operat0r
    Get on the LAN, or get some user to use a Java scanner or Excel template port scanner..

    -T 1 in nmap ... (also try SYN etc.)

    The only things you can do with an IDP are:
    * slow down the scans
    * set max threads down
    * obfuscate the test manually and find out what does not trigger the IDS (unicode, base26 etc.)
    * own a client inside the LAN... scan away!
    * also a fun one is to hijack the LAN and trigger the IDP to block everybody on the network (if misconfigured)
    These are fully detectable by most modern IDS/IPS; a proper configuration, signature tuning and meta event generators are able to catch these scans easily. I have tested Nmap IDS evasion scans and fragmentation attacks; all are easily detectable by modern IDS/IPS like Cisco 5.1, 6.0, 6.1 and ISS IPS, so they won't make sense while scanning.
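    The behaviour described in posts #3 and #6 (a source gets its first couple of probes answered, the IDS/IPS then "learns" the host and drops everything from it for 10 minutes, and a slow scan is still caught by a longer correlation window) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from the forum or from any IDS product; the log format, the IP addresses, and the tuning values (3 distinct ports in 5 seconds, 10 distinct ports in 10 minutes, 600-second block) are all constructed for illustration.

```python
"""Rate-based port-scan detector with a temporary source block.

Added example for the thread above (not from the forum or any vendor).
Log format and all thresholds are constructed assumptions.
"""
from collections import defaultdict, deque

BLOCK_SECONDS = 600.0  # assumption: the 10-minute lockout the thread describes

# Each rule is (window_seconds, distinct_port_threshold). The short window
# catches a normal scan; the long window catches a scan slowed to one
# probe per minute, which never trips the short rule on its own.
DEFAULT_RULES = ((5.0, 3), (600.0, 10))

# Constructed connection-attempt log: "<epoch_seconds> <src_ip> <dst_port>".
# 203.0.113.7 scans quickly, then retries at t=1300 (still blocked) and
# t=1700 (block expired). 192.0.2.5 probes one new port every 60 s.
# 198.51.100.9 is an ordinary client connecting to port 21 once.
SAMPLE_LOG = """\
1000.0 203.0.113.7 21
1000.5 203.0.113.7 21
1001.0 203.0.113.7 22
1001.1 203.0.113.7 80
1001.2 203.0.113.7 443
1001.3 203.0.113.7 8080
1300.0 203.0.113.7 21
1700.0 203.0.113.7 21
1000.2 198.51.100.9 21
2000.0 192.0.2.5 21
2060.0 192.0.2.5 22
2120.0 192.0.2.5 23
2180.0 192.0.2.5 25
2240.0 192.0.2.5 53
2300.0 192.0.2.5 80
2360.0 192.0.2.5 110
2420.0 192.0.2.5 143
2480.0 192.0.2.5 443
2540.0 192.0.2.5 8080
"""


class ScanBlocker:
    def __init__(self, rules=DEFAULT_RULES, block_seconds=BLOCK_SECONDS):
        self.rules = list(rules)
        self.block_seconds = block_seconds
        self.longest_window = max(w for w, _ in self.rules)
        self.history = defaultdict(deque)  # src -> deque of (ts, port)
        self.blocked_until = {}            # src -> expiry timestamp
        self.block_events = []             # (ts, src, window, ports)

    def handle(self, ts, src, port):
        """Return 'ALLOW' or 'DROP' for one connection attempt."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "DROP"          # inside the lockout: silently dropped
            del self.blocked_until[src]  # lockout expired, back to normal

        hist = self.history[src]
        hist.append((ts, port))
        # Keep only what the longest rule window still needs.
        while hist and ts - hist[0][0] > self.longest_window:
            hist.popleft()

        for window, threshold in self.rules:
            distinct = {p for t, p in hist if ts - t <= window}
            if len(distinct) >= threshold:
                self.blocked_until[src] = ts + self.block_seconds
                self.block_events.append((ts, src, window, sorted(distinct)))
                hist.clear()
                return "DROP"
        return "ALLOW"


def replay(log_text, blocker=None):
    """Feed a log through the blocker in timestamp order.

    Returns (verdicts, blocker) where verdicts is a list of
    (ts, src, port, 'ALLOW'|'DROP') tuples.
    """
    blocker = blocker or ScanBlocker()
    records = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, port = line.split()
        records.append((float(ts), src, int(port)))
    records.sort()
    verdicts = [(ts, src, port, blocker.handle(ts, src, port))
                for ts, src, port in records]
    return verdicts, blocker


if __name__ == "__main__":
    out, b = replay(SAMPLE_LOG)
    for ts, src, port, verdict in out:
        print(f"{ts:8.1f} {src:14} {port:6} {verdict}")
    for ts, src, window, ports in b.block_events:
        print(f"blocked {src} at t={ts} ({window}s rule, ports {ports})")
```

Replaying the constructed log shows the exact symptom from post #1: the fast scanner gets three answers, every later packet (including the retry to port 21 at t=1300) is dropped, and at t=1700, once the 600-second block has lapsed, port 21 answers again. The slow scanner is only caught by the 600-second rule, which is the trade-off post #6 hints at: a longer correlation window catches slowed scans but raises the false-positive risk for legitimate clients that touch many ports.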
