Jul 22, 2010

False Positive Generator - inundator

Inundator is a multi-threaded, queue-driven, anonymous intrusion detection false positive generator with support for multiple targets.

It can be used:

  • before, during and after a real attack, to bury any IDS under a flood of false-positive alerts.
  • to mess with an IDS analyst and keep the CIRT busy with investigations.
  • to test the effectiveness of an IDS/IPS (fewer alerts mean a better product; more alerts mean a horrible product).
Inundator is part of BackTrack. However, if you prefer to add it to your system manually:
  • Add the repository to /etc/apt/sources.list:
deb http://inundator.sourceforge.net/repo/ all/

  • Then, download and install GPG key:
wget http://inundator.sourceforge.net/inundator.asc
apt-key add inundator.asc


  • Then you can automatically pull in Inundator and all its dependencies:

aptitude update
aptitude install inundator


Change Your MAC Address (Quick)

Sometimes, I need to change my MAC address quickly in order to get a new IP address from DHCP. Here's how I do it:
ifconfig eth0 down
ifconfig eth0 hw ether 001122AABBCC
dhcpcd eth0
Enjoy the fun!

IDS Evasion on Linux Off-by-one TCP Timestamps

A very good article explaining potential IDS/IPS evasion against the Linux 2.4/2.6 kernel using off-by-one TCP timestamps.
In a nutshell, TCP timestamps can be included as a TCP option to carry the sending host's timestamp and to echo the most recently received timestamp from the other side of the connection. The notion of time here is not the usual wall-clock one: for most operating systems except OpenBSD, the timestamp is a representation of the host's uptime since the last reboot.
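The option layout described above, as an added example that is not from the article referred to: a Python parser that walks a TCP option list and pulls out the timestamp option's TSval and TSecr values, refusing malformed lengths rather than silently skipping bytes (which is exactly the kind of parsing gap an IDS should not have). The sample option bytes are constructed for this example.

```python
import struct

TCPOPT_EOL = 0        # end of option list
TCPOPT_NOP = 1        # single-byte padding, no length field
TCPOPT_TIMESTAMP = 8  # kind 8, length 10: TSval (4 bytes) + TSecr (4 bytes)


def parse_tcp_options(options):
    """Walk a TCP option list and return a list of (kind, payload) tuples.

    EOL stops parsing, NOP has no length byte, every other option carries
    a length byte that covers kind and length themselves. A bad or
    truncated length raises ValueError instead of being skipped over.
    """
    out = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option kind %d has no length byte" % kind)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        out.append((kind, bytes(options[i + 2:i + length])))
        i += length
    return out


def tcp_timestamps(options):
    """Return (TSval, TSecr) from the option list, or None if there is none."""
    for kind, payload in parse_tcp_options(options):
        if kind == TCPOPT_TIMESTAMP:
            if len(payload) != 8:
                raise ValueError("timestamp option must be 10 bytes long")
            return struct.unpack("!II", payload)
    return None


def is_malformed(options):
    """True if the option list cannot be parsed without guessing."""
    try:
        parse_tcp_options(options)
    except ValueError:
        return True
    return False


# Constructed sample: MSS 1460, SACK-permitted, Timestamp(TSval=0x12345678,
# TSecr=0), NOP, Window scale 7 -- 20 bytes, as seen in a typical SYN.
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "0402" "080a" "12345678" "00000000" "01" "030307")
```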

Jul 21, 2010

Terminal in BackTrack

What's the terminal you use in BackTrack normally? Konsole? Terminator?

Today, I found a cool one for me: Yakuake. Having a cool terminal to type commands in is very important, especially for pentesters!

To use it, press a shortcut key such as F12 and the terminal pops up; press it again and it hides.

Jul 19, 2010

SHVA=1

According to Mike Sego, a former Gmail engineer, "shva" is an acronym for "should have valid authentication". Apparently, the parameter is only included after a successful authentication.