dipsec / armitage

Automatically exported from code.google.com/p/armitage

Import IP List #37

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
From techbytom.com, @thomas_ervin on Twitter.

I've got a cool idea that may help reduce IDS detection for scans ;) I'm 
working on that privately first, but depending on how it goes I'd love to 
incorporate that into Armitage as well. I'm guessing I'd need to export a list 
of IPs? Could you specify a format so I can make sure to have it ready to plug 
and play?

Two possible ways this could work with Armitage:
 - File -> Import targets style (ok, and more compatible for other users)
 - As a new discovery method baked into Armitage

Original issue reported on code.google.com by ThomasEr...@gmail.com on 18 Feb 2011 at 4:25

GoogleCodeExporter commented 9 years ago
One option: consider incorporating it as a module into Metasploit. Armitage 
blindly works off of Metasploit's importing capabilities. If you get it 
accepted into the MSF tree and it's a useful thing for most cases, I'd be happy 
to investigate adding it to the right spot in the UI.

Original comment by rsmu...@gmail.com on 19 Feb 2011 at 12:37

GoogleCodeExporter commented 9 years ago
Perhaps a similar project to this already exists. I'm sure I'm not the first to 
imagine something like this, but here it goes:

What if we were to use valid and normal network requests to perform "stealth" 
network scans? Things like blindly sending null session authorization 
attempts, http, ftp, etc. Just traffic that might not have been included in 
IDS rules. Remember, we don't need to authenticate; authentication failures 
can serve as a "return ping" so to speak, though obviously even mass 
authentication failures would set off alarms, so perhaps even a "super stealth" 
scan would be useful in cases where it's expected that the client has effective 
log monitoring implemented.

Obviously, this could produce some false positives and wouldn't be the scan to 
use if a comprehensive list of network devices was desired, but that's not the 
point. I find that it's very easy to get a client's attention if I'm sitting 
on their DC with admin access within minutes of booting up and plugging in on a 
pen test. I know that Armitage will help me make this happen faster, 
but for the greatest effect, I don't want to make any unusual noise on the 
network unless absolutely required before I begin exhaustive scans.

Just an idea, and perhaps I should post this someplace outside your issue 
tracker so I can collect some comments/input/advice. Just curious to hear your 
input and interest for now.

Original comment by ThomasEr...@gmail.com on 23 Feb 2011 at 12:04
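The comment above notes that the "return ping" signal (one authentication failure per host, spread across many hosts) is itself what effective log monitoring can key on. As an added example that is not part of this thread, Armitage or Metasploit, here is a small Python detector run over constructed, syslog-like lines; the field names (`host=`, `svc=`, `src=`, `result=`) and thresholds are assumptions, and it deliberately separates the one-try-per-host sweep shape from ordinary brute force against a single host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample (field names are assumptions): 10.0.0.99 fails once against
# each of five hosts (sweep); 10.0.0.20 fails twice against one host (not a sweep).
SAMPLE_LOG = """\
2011-02-23T12:00:01 host=10.0.0.5 svc=smb src=10.0.0.99 result=fail user=
2011-02-23T12:00:02 host=10.0.0.6 svc=ftp src=10.0.0.99 result=fail user=anonymous
2011-02-23T12:00:03 host=10.0.0.7 svc=http src=10.0.0.99 result=fail user=admin
2011-02-23T12:00:04 host=10.0.0.8 svc=smb src=10.0.0.99 result=fail user=
2011-02-23T12:00:05 host=10.0.0.9 svc=ftp src=10.0.0.99 result=fail user=anonymous
2011-02-23T12:00:10 host=10.0.0.5 svc=smb src=10.0.0.20 result=fail user=bob
2011-02-23T12:00:11 host=10.0.0.5 svc=smb src=10.0.0.20 result=fail user=bob
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) svc=(?P<svc>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)")

def parse(log_text):
    """Parse matching lines into dicts; lines the pattern does not fit are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m.group("ts"))})
    return events

def find_sweeps(events, window=timedelta(minutes=5), min_hosts=4, max_per_host=1):
    """Return {src: sorted hosts} for sources whose failed logins inside `window`
    touch at least `min_hosts` distinct hosts with at most `max_per_host` failures
    each. Repeated failures against one host (brute force) do not count; the
    one-try-per-host, many-hosts shape is what looks like discovery."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # window anchored at each failure in turn
            per_host = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                per_host[e["host"]] += 1
            hosts = [h for h, n in per_host.items() if n <= max_per_host]
            if len(hosts) >= min_hosts:
                sweeps[src] = sorted(hosts)
                break
    return sweeps
```

Tuning `min_hosts` and `window` to the environment matters: too low and service monitors that probe many hosts will trip it, too high and a slow sweep stays under the threshold.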

GoogleCodeExporter commented 9 years ago
So what you're planning to do is generate legitimate-looking traffic and use 
the results of that generated traffic to tell if a host is up or not? That 
could work. I think the best place for it, though, is a Metasploit module. 
Armitage is just a dumb UI that adds a few collaboration features and tools to 
launch existing modules.

Original comment by rsmu...@gmail.com on 23 Feb 2011 at 12:30

GoogleCodeExporter commented 9 years ago
We can continue this discussion via email, Twitter, or your blog. I'm just 
closing this as it's not directly related to Armitage development.

Original comment by rsmu...@gmail.com on 23 Feb 2011 at 12:31