Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: ET LoWNOISE (etCYBERSPACE.ORG)
Date: Mon Apr 09 2001 - 11:33:35 CDT
[ MUTATE v1.1 ]
ANTI NIDS/FW Simple PROXY
by Efrain 'ET' Torres
[LoWNOISE] Colombia 2001
Use it, Learn, Teach. Be responsible. Be happy.
You need to test a NIDS, and want to test a Web server(D) for common
problems including pretty bad coded cgis. The web server is protected by a
firewall, and IN THIS CASE lets assume that it only permits http from host
B(linux) and you are on A(winNT "No-Terminated"). For some reason you can
run stuff on B and the only tool you have for scanning cgis is a Win
proggy. Well, so put MUTATE on B, configure it to connect to D and put
all the flags for the anti-IDS tactics. Now from A you can connect , using
your win-pretty-cgi-scanner, to MUTATE on B and Voila! you are testing
D for CGIS using Anti-IDS tactics,testing the NIDS, bypassing FWs and
using the same simple cgi scanner that you like to use because is
updated and pretty from A.
You dont know shit about PERL so updating Whisker it may kill you. But
you have a updated simple C scanner, and you
want to have all those nice anti-ids tactics from whisker and want to
protect your attack because you are going to fuck a Colombian guerrilla
web page. Dont worry use your little C program and , put MUTATE any where
There are too many examples, to many uses for MUTATE use you imagination.
Plz READ THE COMMENTS ON THE SOURCE CODE. HELP ME BUILD A BETTER VERSION.
[THINGS TO DO]
Well im tired and i want to give you my stupid program now. So the next
version will have some Network based and Behavior Based anti-IDS tactics.
Just put my name in some place and do whatever you want with MUTATE.
Freedoom of information.
Usage: mutate <target> <port> Normal boring operation mode
: mutate <target> <port> [flags] Anti-NIDS Tactics
Default MUTATE listening port: 7000
[-h ] This SHORT help
====== Knowledge Based Anti-IDS ======
[-mM] METHOD MATCHING (expanded)
M: 0 HEAD
d Remove the method. On some platforms the method is even
ignored. Should be the last flag used.
On some web servers like apache, you can use multiple
methods to see if a file exists or not. If a file exist the
common response is a [200 OK] or [405 Method Not Allowed].
Check the -f flag.
[-f ] Change any response from 405 to 200,usefull for cgi-scanners
[-eS] URL ENCODING (expanded)
S: 0 Encode everything
1 Do NOT encode '/'s chars
ex. Apache needs -e1
[-s ] DOUBLE/MULTIPLE SLASHES METHOD (expanded)
define MAXS How many MAXS>=1
[-t ] REVERSE TRAVERSAL (expanded)
: define MAXT How many MAXT>=1
[-r ] SELF-REFERENCE DIRECTORIES (expanded)
define MAXR How many MAXR>=1
[-p ] PREMATURE REQUEST ENDING (expanded)
define MAXP How many MAXP>=1
[-o ] HTTP MIS-FORMATING (expanded)
define MAXO How many MAXO>=1
[-n ] NULL METHOD
[-w ] DOS/WIN DIRECTORY SYNTAX (expanded)
define MAXW How many MAXW>=1
[-c ] CASE SENSITIVITY
[-g ] SPACE GARBAGE (new)
[-b ] DIRECTORY BROWSING (new)
(expanded) Taken from whisker (RFP) but with new details. Please
read the doc 'A look at whisker's anti-IDS tactics' by RFP for more
info on the basic anti-ids tactics. And check the MUTATE source code.
Use many flags at the same time.I recommend to use -e for the LAST flag.
I have added some new tactics, expanded old ones and implemented
many tactics taken from RFP 'A look at whisker's anti-IDS tactics'
The Idea is simple but powerful, is necesary a tool with this
- Anti-IDS capabilities transparent to the client
- Easy to update or modify to any necesity
- Transparent redirection capabilities to bypass firewalls
- Protect Identity when testing
- Simple configuration
MUTATE will help you test NIDS, and it will help you understand
that Static NIDS (Rule Based),have many limitations (they sucks).
MUTATE is focused to security scanners and cgi-scanners, but is
easy to modify it to any requirement you have.
Remember to choose the right port on the client side so it can
connect to MUTATE.
New ideas are welcome. Remember this is just the first version.
-Efrain 'ET' Torres
-------------------[ ET LoWNOISE Colombia 2001 etcyberspace.org
- APPLICATION/octet-stream attachment: mutate11.tar.gz