INTRO
=====

This is a stupid piece of software that should help in detecting inline IPS.
It basically fetches the home page of a web site and reports the TCP flags,
TTL, TCP window size and IP ID of every packet that comes back.

HOWTO
=====

0. This program needs the following Perl modules to run:

   - threads
   - threads::shared
   - Net::RawIP
   - LWP::UserAgent

   If any of them is missing you will be given the URL where to get it.

1. Command line usage:

   ./http-ips-detect.pl <interface> <host> <mode> [port]

   (the examples below use "eth0 10.0.0.101 0 80"). Everything should be
   self-explanatory except the mode. Set to 0, the tool just fetches the
   home page; this is useful to establish a baseline. Set to 1, the tool
   launches the exploit-like requests. The difference between the answers
   to legitimate and to malicious URLs is one of the clues used to detect
   an IPS.

   Only one stupid exploit-like URL is implemented yet (/cmd.exe). If you
   want to add more, edit the @TEST array of arrays. An exploit is an array
   with 3 fields: Name, URL, and the mode it is used with (0 baseline,
   1 exploit).

DETECTING IPS
=============

An IPS may act at different network layers. Let's look at an example.

>>>>>>>
[root@localhost progs]# ./http-ips-detect.pl eth0 10.0.0.101 0 80

+-----------------------------------+
:             Baseline              :
+-----------------------------------+
:           Network Level           :
+----+--------+-----+-------+-------+
: #  : flags  : ttl : ipid  :  win  :
+----+--------+-----+-------+-------:
: 1  : S.A... :  54 :     0 :  5792 : <- Probably Linux
: 2  : ..A... :  54 : 60559 :  5792 :
: 3  : ..A.P. :  54 : 60560 :  5792 :
: 4  : .FA... :  54 : 60561 :  5792 :
: 5  : ..A... :  54 : 60562 :  5792 :
+----+--------+-----+-------+-------:
+-----------------------------------+
:         Application Level         :
+--------+--------------------------+
: Server : Microsoft-IIS/5.0        : <- Probably not...
: Code   : 200                      :
+--------+--------------------------+
+ htm    : 1                        :
+ html   : 1                        :
+--------+--------------------------+
<<<<<<<

The flags column lists SYN, FIN, ACK, RST, PSH and URG, in that order. A
SYN/ACK carrying a window of 5792 and an IP ID of 0, with a TTL that fits
an initial value of 64, is typical of a Linux stack, so the Microsoft-IIS/5.0
banner is most probably not telling the truth: what the application level
claims does not match what the network level shows.

Ok, you've got it? Another example.
>>>>>>>
[root@localhost progs]# ./http-ips-detect.pl eth0 10.0.0.104 1 80

+-----------------------------------+
:             Baseline              :
+-----------------------------------+
:           Network Level           :
+----+--------+-----+-------+-------+
: #  : flags  : ttl : ipid  :  win  :
+----+--------+-----+-------+-------:
: 1  : S.A... : 112 :  4449 : 17520 :
: 2  : .FA.P. : 112 :  4450 : 17411 :
: 3  : ..A... : 112 :  4451 : 17411 :
+----+--------+-----+-------+-------:
+-----------------------------------+
:         Application Level         :
+--------+--------------------------+
: Server : Microsoft-IIS/5.0        :
: Code   : 200                      :
+--------+--------------------------+
+ htm    : 1                        :
+ html   : 1                        :
+--------+--------------------------+

+-----------------------------------+
:              CMD.EXE              :
+-----------------------------------+
:           Network Level           :
+----+--------+-----+-------+-------+
: #  : flags  : ttl : ipid  :  win  :
+----+--------+-----+-------+-------:
: 1  : S.A... : 112 :  4473 : 17520 : <- Probably 16 hops
: 2  : ...R.. :  49 :  3241 :     0 : <- Probably 15 hops
+----+--------+-----+-------+-------:
+-----------------------------------+
:         Application Level         :
+--------+--------------------------+
: Server : 200                      :
: Code   :                          :
+--------+--------------------------+
+--------+--------------------------+
<<<<<<<

Here the exploit has been blocked. However the IPS was nice enough to send a
reset. The server's SYN/ACK has a TTL of 112, which fits an initial TTL of
128, i.e. 16 hops away. The RST arrives with a TTL of 49, which fits an
initial TTL of 64, i.e. 15 hops away, and it clearly comes from another
stack: window 0 and an IP ID unrelated to the server's sequence. So we know:

1. there is an IPS
2. it is one hop away from the server

Keep in mind that this only works because the IPS answers with its own TTL
and IP ID; a device that forges the server's values, or that silently drops
the request, gives no such clue at the network level.

Let's prepare some insertion tools to test its stateful capabilities...

WHO
===

Renaud Bidou
  -> renaudb at radware.com
  -> renaud.bidou at iv2-technologies.com
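The hop-count and fingerprint reasoning of the two runs above, written out as an added Python example (it is not part of http-ips-detect.pl): it parses the tool's Network Level tables, estimates the initial TTL and hop count of each reply, guesses the stack from the SYN/ACK, checks the Server banner against that guess, and decides whether a RST to the exploit request came from the server itself or from something in front of it. The table rows embedded below are copied from the two runs above; the set of initial TTLs and the Linux SYN/ACK signature are common fingerprinting heuristics, assumed here, not something the tool defines.

```python
"""Added example: infer hop counts and an inline IPS from the tables printed
by http-ips-detect.pl.  Not part of the tool; heuristics are assumptions."""
import re
from dataclasses import dataclass

# Assumed common initial TTLs: 64 (Linux/BSD), 128 (Windows), 255 (network gear).
INITIAL_TTLS = (64, 128, 255)

# A packet row of the tool's table looks like ": 2 : ...R.. : 49 : 3241 : 0 :".
ROW = re.compile(r"^:\s*\d+\s*:\s*([SFARPU.]{6})\s*:\s*(\d+)\s*:\s*(\d+)\s*:\s*(\d+)\s*:")


@dataclass(frozen=True)
class Reply:
    flags: str   # six positions in the tool's order: S F A R P U
    ttl: int
    ipid: int
    win: int


def parse_table(text: str) -> list:
    """Extract packet rows from a pasted 'Network Level' table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Reply(m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return rows


def initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL that could have decayed to this value."""
    for t in INITIAL_TTLS:
        if ttl <= t:
            return t
    raise ValueError(f"TTL {ttl} exceeds every known initial value")


def hops(ttl: int) -> int:
    return initial_ttl(ttl) - ttl


def guess_stack(synack: Reply) -> str:
    """Rough OS guess from the SYN/ACK, the clue the tool prints as 'Probably Linux'."""
    init = initial_ttl(synack.ttl)
    if init == 64 and synack.win == 5792 and synack.ipid == 0:
        return "Linux"          # classic Linux 2.4/2.6 SYN/ACK: window 4*1448, IP ID 0
    if init == 64:
        return "Unix-like"
    if init == 128:
        return "Windows"
    return "network device"


def banner_plausible(server_header: str, stack: str) -> bool:
    """IIS only ships on Windows; an IIS banner on a Linux stack is a fake."""
    if "Microsoft-IIS" in server_header:
        return stack == "Windows"
    return True


def first(replies, flag):
    return next((r for r in replies if flag in r.flags), None)


def analyse(baseline, exploit) -> dict:
    """Compare the exploit run against the baseline the way the README does by eye."""
    base_synack = first(baseline, "S")
    if base_synack is None:
        raise ValueError("baseline has no SYN/ACK")
    server_hops = hops(base_synack.ttl)
    verdict = {"server_hops": server_hops, "ips": False, "ips_hops": None, "reason": ""}
    rst = first(exploit, "R")
    if rst is None:
        # No reset: either answered normally (data came back) or silently dropped.
        verdict["reason"] = ("request answered like the baseline" if first(exploit, "P")
                             else "no data and no RST: silent drop, or not blocked")
        return verdict
    rst_hops = hops(rst.ttl)
    ex_synack = first(exploit, "S")
    same_stack = ex_synack is not None and initial_ttl(rst.ttl) == initial_ttl(ex_synack.ttl)
    if rst_hops == server_hops and same_stack:
        verdict["reason"] = "RST looks like it came from the server itself"
        return verdict
    verdict.update(ips=True, ips_hops=rst_hops,
                   reason=f"RST from {rst_hops} hops, server at {server_hops}: "
                          f"inline device {server_hops - rst_hops} hop(s) before the server")
    return verdict


# Constructed input: the packet rows of the two runs shown in this README.
RUN1_BASELINE = """
: 1 : S.A... :  54 :     0 :  5792 :
: 2 : ..A... :  54 : 60559 :  5792 :
: 3 : ..A.P. :  54 : 60560 :  5792 :
: 4 : .FA... :  54 : 60561 :  5792 :
"""
RUN2_BASELINE = """
: 1 : S.A... : 112 :  4449 : 17520 :
: 2 : .FA.P. : 112 :  4450 : 17411 :
: 3 : ..A... : 112 :  4451 : 17411 :
"""
RUN2_CMDEXE = """
: 1 : S.A... : 112 :  4473 : 17520 :
: 2 : ...R.. :  49 :  3241 :     0 :
"""

if __name__ == "__main__":
    r1 = parse_table(RUN1_BASELINE)
    print("run 1:", guess_stack(r1[0]), "at", hops(r1[0].ttl), "hops; IIS banner plausible:",
          banner_plausible("Microsoft-IIS/5.0", guess_stack(r1[0])))
    print("run 2:", analyse(parse_table(RUN2_BASELINE), parse_table(RUN2_CMDEXE))["reason"])
```

Run it on the pasted output of the two runs: for the first it reports a Linux stack at 10 hops with an implausible IIS banner, for the second it reports the RST at 15 hops against a server at 16, i.e. an inline device one hop in front of the server. Because the tool's header row starts with "#" rather than a number, only packet rows are picked up.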