Hervé Schauer Consultants
IDSwakeup
IDSwakeup is a collection of tools for testing network intrusion detection systems (NIDS).

The main goal of IDSwakeup is to generate false attacks that mimic well-known ones, in order to see whether a NIDS detects them and generates false positives.

Like nidsbench, IDSwakeup is being published in the hopes that a more precise testing methodology might be applied to network intrusion detection, which is *still* a black art at best.

> Download

This release of IDSwakeup includes:

  • IDSwakeup

    The main shell script, which launches hping2 or iwu. The user only has to choose which attack or set of attacks to mimic. The user can also set the TTL to produce short-TTL packets, so that only the NIDS is hit and not the servers: the packets expire in transit after passing the sensor. This only works when the sensor sits on the path upstream of the target, and the TTL must still be large enough to reach the sensor.

    Usage: ./IDSwakeup <src addr> <dst addr> [nb] [ttl]

    Example: see screenshot.

    IDSwakeup requires hping2.

  • iwu

    Sends a buffer as a raw IP datagram. It allows the source address, the destination address and the TTL (to produce short-TTL packets) to be changed. It also takes as a parameter the number of times the same datagram is to be sent.

    Usage: ./iwu <srcIP> <dstIP> <nb> <ttl> <ip-datagram>

    Example: ./iwu 10.0.0.1 20.0.0.2 200 4 \
            "4500 0018 00f2 0003 4011 73db 0101 0101 0202 0202 e63e 4494"

    iwu requires libnet 1.x.
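To make the iwu argument format concrete, here is an added Python example (not part of the IDSwakeup distribution) that decodes the hex datagram from the usage line above, verifies its IPv4 header checksum, and then does what the <srcIP>, <dstIP> and <ttl> arguments imply: it overwrites those three header fields and recomputes the checksum. That iwu patches the header this way is an assumption drawn from its usage line; the page does not describe the implementation.

```python
"""Decode, verify and rewrite a raw IPv4 datagram given in iwu's hex format."""
import socket
import struct

# The datagram from the iwu usage example on this page (spaces are ignored).
IWU_EXAMPLE = "4500 0018 00f2 0003 4011 73db 0101 0101 0202 0202 e63e 4494"


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_datagram(hexstr: str) -> dict:
    """Parse the IPv4 header of an iwu-style hex string into named fields and
    report whether the embedded header checksum and total length are consistent."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("datagram shorter than a minimal IPv4 header")
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 datagram")
    hlen = ihl * 4
    if hlen < 20 or hlen > len(raw):
        raise ValueError("bad IHL")
    header = raw[:hlen]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field cleared
    return {
        "version": version,
        "ihl": ihl,
        "total_length": total_len,
        "length_ok": total_len == len(raw),
        "id": ident,
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,            # 17 = UDP, 6 = TCP, 1 = ICMP
        "checksum": csum,
        "checksum_ok": ip_checksum(zeroed) == csum,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": raw[hlen:],
    }


def rewrite(hexstr: str, src: str, dst: str, ttl: int) -> str:
    """Overwrite source, destination and TTL, then recompute the header checksum
    (assumed to be what iwu does with its <srcIP> <dstIP> <ttl> arguments).
    Without the recomputation the first checksum-validating hop drops the packet
    and the sensor never sees it.  Returns the new datagram as a hex string."""
    raw = bytearray(bytes.fromhex(hexstr.replace(" ", "")))
    hlen = (raw[0] & 0x0F) * 4
    raw[8] = ttl & 0xFF                      # TTL is byte 8 of the header
    raw[12:16] = socket.inet_aton(src)       # source address
    raw[16:20] = socket.inet_aton(dst)       # destination address
    raw[10:12] = b"\x00\x00"                 # clear before recomputing
    struct.pack_into("!H", raw, 10, ip_checksum(bytes(raw[:hlen])))
    return raw.hex()


if __name__ == "__main__":
    print(parse_datagram(IWU_EXAMPLE))
    print(rewrite(IWU_EXAMPLE, "10.0.0.1", "20.0.0.2", 4))
```

Running it shows that the example datagram is a 24-byte UDP packet from 1.1.1.1 to 2.2.2.2 with TTL 64 and fragment offset 3, and that its checksum 0x73db is correct for that header; after rewriting it to 10.0.0.1 -> 20.0.0.2 with TTL 4 the checksum becomes 0x97de. If you craft your own datagrams for iwu, run them through parse_datagram first: a header with a wrong checksum or total length is discarded by the first router or host that validates it, so the NIDS may never see what you meant to send.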

The IDSwakeup suite is written by Stéphane Aubert; it is available as a beta version and is published under a BSD-style license.

Screenshot ;-) :

# ./IDSwakeup  0  127.0.0.1  1  1

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-  IDSwakeup : false positive generator
-  Stephane Aubert
-  Hervé Schauer Consultants (c) 2000
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


  src_addr:0  dst_addr:127.0.0.1  nb:1  ttl:1

  sending : teardrop ...
  sending : land ...
  sending : get_phf ...
  sending : bind_version ...
  sending : get_phf_syn_ack_get ...
  sending : ping_of_death ...
  sending : syndrop ...
  sending : newtear ...
  sending : X11 ...
  sending : SMBnegprot ...
  sending : smtp_expn_root ...
  sending : finger_redirect ...
  sending : ftp_cwd_root ...
  sending : ftp_port ...
  sending : trin00_pong ...
  sending : back_orifice ...
  sending : msadcs ...
            245.146.219.144 -> 127.0.0.1 80/tcp  GET /msadc/msadcs.dll HTTP/1.0
  sending : www_frag ...
            225.158.207.188 -> 127.0.0.1 80/fragmented-tcp
              GET /................................... HTTP/1.0
            181.114.219.120 -> 127.0.0.1 80/fragmented-tcp
              GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
              AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
              AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
              AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/../cgi-bin/phf HTTP/1.0
  sending : www_bestof ...
    137.78.167.188 -> 127.0.0.1 80/tcp  GET  /  HTTP/1.0
    165.90.83.96 -> 127.0.0.1 80/tcp  GET //////// HTTP/1.0
            249.174.111.124 -> 127.0.0.1 80/tcp  HEAD  /  HTTP/1.0
            101.146.51.80 -> 127.0.0.1 80/tcpHEAD/./
            137.126.215.76 -> 127.0.0.1 80/tcp  /cgi-bin\\handler
            101.226.235.216 -> 127.0.0.1 80/tcp  /cgi-bin\\webdist.cgi
            241.70.55.180 -> 127.0.0.1 80/tcp  /mlog.phtml
            69.138.75.176 -> 127.0.0.1 80/tcp  /mylog.phtml
            137.86.207.116 -> 127.0.0.1 80/tcp  /cfide\\administrator\\startstop.html
            53.90.147.104 -> 127.0.0.1 80/tcp  /cfappman\\index.cfm
            201.110.175.156 -> 127.0.0.1 80/tcp  /mall_log_files\\order.log
            221.226.155.208 -> 127.0.0.1 80/tcp  /admin_files\\order.log
            137.222.71.244 -> 127.0.0.1 80/tcp  /cgi-bin\\wrap
            85.82.147.96 -> 127.0.0.1 80/tcp  GET /cgi-bin/ph%66 HTTP/1.0
            57.230.199.52 -> 127.0.0.1 80/tcp  GET /sahsc.lnk HTTP/1.0
            221.74.227.112 -> 127.0.0.1 80/tcp GET /sahsc.bat HTTP/1.0
            201.206.207.124 -> 127.0.0.1 80/tcp GET /sahsc.url HTTP/1.0
            69.138.171.192 -> 127.0.0.1 80/tcp  GET /sahsc.ida HTTP/1.0
            145.94.199.68 -> 127.0.0.1 80/tcp  GET /default.asp::$DATA HTTP/1.0
            69.218.155.216 -> 127.0.0.1 80/tcp  GET     /        HTTP/1.0
            65.166.87.92 -> 127.0.0.1 80/tcp  PUT /scripts/cmd.exe HTTP/1.0
            133.186.155.192 -> 127.0.0.1 80/tcp  GET /scripts/cmd.exe HTTP/1.0
            201.102.239.204 -> 127.0.0.1 80/tcp  BAD /scripts/cmd.exe HTTP/1.0
            101.122.75.192 -> 127.0.0.1 80/tcp  GET /_vti_pvt/administrators.pwd HTTP/1.0
            193.238.239.212 -> 127.0.0.1 80/tcp  GET /cgi-bin/handler HTTP/1.0
            149.98.227.160 -> 127.0.0.1 80/tcp  GET /../../../../../../etc/passwd HTTP/1.0
            153.54.55.124 -> 127.0.0.1 80/tcp  GET /cgi-bin/perl.exe HTTP/1.0
            181.122.51.104 -> 127.0.0.1 80/tcp  GET /scripts/tools/newdsn.exe HTTP/1.0
            121.222.199.84 -> 127.0.0.1 80/tcp  GET /search97.vts HTTP/1.0
            245.202.123.232 -> 127.0.0.1 80/tcp  GET /IISADMIN HTTP/1.0
  sending : ddos_bestof ...
            86.175.100.245 -> 127.0.0.1 15104/tcp -S
            219.152.249.118 -> 127.0.0.1 1613/tcp -PA >
            244.157.170.179 -> 127.0.0.1 12754/tcp -PA >
            225.62.71.60 -> 127.0.0.1 10498/udp  pong
            138.243.72.241 -> 127.0.0.1 10498/udp  ping
            71.156.85.130 -> 127.0.0.1 10498/udp  stream/
            152.73.182.207 -> 127.0.0.1 6838/udp  newserver
            76.117.90.59 -> 127.0.0.1 27665/tcp  killme
            233.110.119.156 -> 127.0.0.1 31335/udp  PONG
            154.91.200.89 -> 127.0.0.1 1624/udp  l44
            119.76.125.202 -> 127.0.0.1 1713/udp  *HELLO*
            131.184.89.206 -> 127.0.0.1 27665/tcp  gOrave
            175.108.53.106 -> 127.0.0.1 20432/tcp
            152.73.126.135 -> 127.0.0.1 18753/udp  alive tijgu
            117.74.59.112 -> 127.0.0.1 20433/udp  alive
            214.239.148.93 -> 127.0.0.1 1676/tcp -S --setseq 674711609
  sending : ftp_bestof ...
            50.235.72.153 -> 127.0.0.1 21/tcp  PORT 127,0,0,1,0,23
            214.127.236.157 -> 127.0.0.1 21/tcp  PORT 10,6,6,6,0,23
            242.115.176.201 -> 127.0.0.1 21/tcp  PORT 127,0,0,1,255,510
            198.175.140.85 -> 127.0.0.1 21/tcp  passwd
            58.75.96.65 -> 127.0.0.1 21/tcp  site exec %p%p%p%p%p%p
            246.159.196.181 -> 127.0.0.1 21/tcp  SITE exec cat /etc/passwd ;-)
            106.91.176.121 -> 127.0.0.1 21/tcp  SYST /etc/passwd ;-)
            230.119.84.157 -> 127.0.0.1 21/tcp  SYST
            194.139.224.209 -> 127.0.0.1 21/tcp  CWD ~root
            158.231.76.53 -> 127.0.0.1 21/tcp  STOR |
            130.59.112.241 -> 127.0.0.1 21/tcp  RETR |
  sending : telnet_bestof ...
            238.71.116.245 -> 127.0.0.1 23/tcp
              ciscociscociscociscociscociscociscociscociscociscocisco
            58.227.120.121 -> 127.0.0.1 23/tcp
                                                                  bof
            214.79.76.173 -> 127.0.0.1 23/tcp  IFS=/
            50.219.120.225 -> 127.0.0.1 23/tcp  su - root
            158.95.100.149 -> 127.0.0.1 23/tcp  su root
            50.139.120.65 -> 127.0.0.1 23/tcp  id; cat /etc/shadow
            214.231.196.77 -> 127.0.0.1 23/tcp  echo "+ +">.rhosts
            130.235.64.209 -> 127.0.0.1 23/tcp  resolv_host_conf
            190.127.172.69 -> 127.0.0.1 23/tcp  ld_preload
            170.211.224.105 -> 127.0.0.1 23/tcp  ld_library_pat
  sending : rlogin_bestof ...
            94.159.236.229 -> 127.0.0.1 513/tcp  IFS=/
            106.107.144.193 -> 127.0.0.1 513/tcp  su - root
            134.167.196.69 -> 127.0.0.1 513/tcp  su root
            218.171.96.113 -> 127.0.0.1 513/tcp  id; cat /etc/shadow
            118.127.196.165 -> 127.0.0.1 513/tcp  echo "+ +">.rhosts
  sending : tcpflag_bestof ...
            171.160.241.54 -> 127.0.0.1 80/tcp -SF
            108.221.194.155 -> 127.0.0.1 80/tcp -SR
            153.86.71.140 -> 127.0.0.1 80/tcp
            210.227.112.89 -> 127.0.0.1 80/tcp -A
            135.236.53.98 -> 127.0.0.1 80/tcp -SFR
            152.225.134.119 -> 127.0.0.1 80/tcp -SFARPXY
            181.202.139.200 -> 127.0.0.1 80/tcp -SA
            166.63.188.101 -> 127.0.0.1 80/tcp -SAFR
            195.200.65.126 -> 127.0.0.1 80/tcp -XY
            124.61.90.107 -> 127.0.0.1 1999/tcp -S
  sending : icmp_bestof ...
            160.249.86.199 -> 127.0.0.1 icmp type:0 code:0
            92.165.90.51 -> 127.0.0.1 icmp type:0 code:0  Hi B0B !...
            152.201.62.207 -> 127.0.0.1 icmp type:3 code:0
            228.125.74.67 -> 127.0.0.1 icmp type:3 code:1
            56.161.54.143 -> 127.0.0.1 icmp type:3 code:2
            148.245.114.131 -> 127.0.0.1 icmp type:3 code:3
            208.169.142.247 -> 127.0.0.1 icmp type:3 code:4
            188.237.218.219 -> 127.0.0.1 icmp type:3 code:5
            88.137.134.159 -> 127.0.0.1 icmp type:3 code:13
            156.141.130.235 -> 127.0.0.1 icmp type:3 code:14
            232.105.102.191 -> 127.0.0.1 icmp type:3 code:15
            132.133.58.91 -> 127.0.0.1 icmp type:4 code:0
            56.113.190.183 -> 127.0.0.1 icmp type:5 code:0
            52.53.74.163 -> 127.0.0.1 icmp type:5 code:1
            160.137.206.111 -> 127.0.0.1 icmp type:5 code:2
            196.77.58.91 -> 127.0.0.1 icmp type:5 code:3
            160.89.158.215 -> 127.0.0.1 icmp type:8 code:0
            236.245.82.115 -> 127.0.0.1 icmp type:11 code:0
            192.137.54.71 -> 127.0.0.1 icmp type:11 code:1
            180.69.154.147 -> 127.0.0.1 icmp type:12 code:0
            200.129.238.55 -> 127.0.0.1 icmp type:13 code:0
            172.53.82.91 -> 127.0.0.1 icmp type:14 code:0
            128.169.182.71 -> 127.0.0.1 icmp type:15 code:0
            84.245.210.59 -> 127.0.0.1 icmp type:16 code:0
            112.233.94.167 -> 127.0.0.1 icmp type:17 code:0
            60.213.146.91 -> 127.0.0.1 icmp type:18 code:0
  sending : smtp_bestof ...
            232.233.54.247 -> 127.0.0.1 25/tcp  rcpt to: bouncebounce
            108.69.162.163 -> 127.0.0.1 25/tcp  expn root
            160.73.198.87 -> 127.0.0.1 25/tcp  expn decode
            236.53.202.115 -> 127.0.0.1 25/tcp  debug
            104.129.70.63 -> 127.0.0.1 25/tcp  vrfy smtp
            52.141.74.123 -> 127.0.0.1 25/tcp  mail from: |
            144.177.78.215 -> 127.0.0.1 25/tcp  rcpt to: |
  sending : misc_bestof ...
            109.122.163.216 -> 127.0.0.1 161/udp  public
            230.119.116.197 -> 127.0.0.1 161/udp  private
            75.64.145.70 -> 127.0.0.1 161/udp  all private
            180.245.234.235 -> 127.0.0.1 162/udp  trap trap trap ...
            96.217.70.215 -> 127.0.0.1 5631/tcp  ADMINISTRATOR
            101.186.83.120 -> 127.0.0.1 32771/tcp -S
            249.174.223.148 -> 127.0.0.1 6699/tcp  .mp3
            133.210.131.80 -> 127.0.0.1 8888/tcp  .mp3
            145.54.151.68 -> 127.0.0.1 7777/tcp  .mp3
            53.50.83.248 -> 127.0.0.1 6666/tcp  .mp3
            217.54.239.68 -> 127.0.0.1 5555/tcp  .mp3
            237.114.51.232 -> 127.0.0.1 4444/tcp  .mp3
            169.118.63.156 -> 127.0.0.1 8875/tcp  anon@napster.com
  sending : dos_chargen ...
            189.210.139.176 -> 127.0.0.1 19/udp  hello
  sending : dos_snork ...
            249.182.63.76 -> 127.0.0.1 135/udp  hi !...
  sending : dos_syslog ...
            146.195.88.161 -> 127.0.0.1 514/udp  B0MB
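The run log above is what you correlate against the sensor's alerts to measure false positives. As an added example, not part of IDSwakeup, the following Python parses lines in that output format into (protocol, source, destination, port) keys, parses a constructed alert log written in a simplified one-line format (the alert regex is the part to adapt to your own NIDS), and reports per test how many decoy packets produced an alert. Every hit is a false positive by construction, since nothing real was attacked. Both logs below are constructed: the run-log excerpt is shortened from the screenshot, and the alerts are invented to illustrate one hit, one miss and one partial test.

```python
"""Correlate an IDSwakeup run log with NIDS alerts, per IDSwakeup test."""
import re
from collections import defaultdict

# Constructed excerpt in the format of the IDSwakeup screenshot (shortened).
RUN_LOG = """\
  sending : msadcs ...
            245.146.219.144 -> 127.0.0.1 80/tcp  GET /msadc/msadcs.dll HTTP/1.0
  sending : ddos_bestof ...
            225.62.71.60 -> 127.0.0.1 10498/udp  pong
            76.117.90.59 -> 127.0.0.1 27665/tcp  killme
  sending : icmp_bestof ...
            160.249.86.199 -> 127.0.0.1 icmp type:0 code:0
  sending : dos_syslog ...
            146.195.88.161 -> 127.0.0.1 514/udp  B0MB
"""

# Constructed alerts in a simplified "PROTO src[:port] -> dst[:port] message"
# format.  Replace ALERT_RE with one matching your sensor's alert log.
ALERT_LOG = """\
TCP 245.146.219.144:1034 -> 127.0.0.1:80 WEB-IIS msadcs.dll access
UDP 225.62.71.60:10498 -> 127.0.0.1:10498 DDOS mstream agent pong
ICMP 160.249.86.199 -> 127.0.0.1 ICMP echo reply
"""

TEST_RE = re.compile(r"^\s*sending : (\S+) \.\.\.")
L4_RE = re.compile(r"^\s*(\S+) -> (\S+) (\d+)/([\w-]+)(?:\s+(.*))?$")
ICMP_RE = re.compile(r"^\s*(\S+) -> (\S+) icmp type:(\d+) code:(\d+)")
ALERT_RE = re.compile(r"^(\w+) (\S+?)(?::\d+)? -> (\S+?)(?::(\d+))? (.*)$")


def parse_run_log(text):
    """Return {test_name: [(proto, src, dst, dst_port_or_None), ...]}.
    Tests that print no per-packet line (e.g. teardrop) get an empty list."""
    probes = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = TEST_RE.match(line)
        if m:
            current = m.group(1)
            probes[current]              # register the test even if empty
            continue
        m = L4_RE.match(line)
        if m and current:
            src, dst, port, proto, _payload = m.groups()
            # "fragmented-tcp" counts as TCP for matching purposes
            proto = proto.split("-")[-1].upper()
            probes[current].append((proto, src, dst, int(port)))
            continue
        m = ICMP_RE.match(line)
        if m and current:
            src, dst, _type, _code = m.groups()
            probes[current].append(("ICMP", src, dst, None))
    return dict(probes)


def parse_alerts(text):
    """Return the set of (proto, src, dst, dst_port_or_None) keys seen in alerts."""
    keys = set()
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        proto, src, dst, dport, _msg = m.groups()
        keys.add((proto.upper(), src, dst, int(dport) if dport else None))
    return keys


def false_positive_report(run_log, alert_log):
    """Per IDSwakeup test: (packets that raised an alert, packets sent)."""
    probes = parse_run_log(run_log)
    alerts = parse_alerts(alert_log)
    return {test: (sum(1 for p in pkts if p in alerts), len(pkts))
            for test, pkts in probes.items()}


if __name__ == "__main__":
    for test, (hits, sent) in false_positive_report(RUN_LOG, ALERT_LOG).items():
        print("%-16s %d/%d false positives" % (test, hits, sent))
```

Matching on the spoofed source address works because IDSwakeup prints the source it used for each packet; if you run with a fixed source instead of 0, the destination port and protocol become the discriminating fields, so keep the per-test grouping rather than matching on addresses alone.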

Last modified on 23 October 2002 at 13:07:04 CET - webmaster@hsc.fr
© 1989-2010 Hervé Schauer Consultants