Hey Parth,

Monday, May 28, 2001, 1:10:04 PM, you wrote:

PG> Recently I was pentesting a site and was noticed by a very good admin's homegrown IDS. His IDS was some batch files that keyed on ".exe" in the IIS logs. I have something similar on my sites,
PG> using Snort and scanning the IIS logs.
PG> So, I was thinking, could someone give me the Unicode-encoded string for "cmd.exe"? Then when pentesting sites like this (using a browser, .pl, or nc based call to the Unicode or Filename Double
PG> Decode exploits) I can also test their IDS. I would then recommend that they key on "%" when not followed by "20", since a "%" sign would be suspicious when not used to encode a space.

Not true. I work with many URLs that use %3A for example. There are legitimate reasons to use % other than in %20, and what you're suggesting would block out a lot of URLs. (In my case, the ":" is used in a CGI bug script submission -- blocking this would not be a good idea).

PG> Thanks for your time and effort! Any feedback would be much appreciated!
PG> Parth

-- 
Kevin
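The three detection approaches discussed in the exchange above (grepping the IIS log for a literal ".exe", Parth's proposed "% not followed by 20" rule, and decoding the request before matching), run side by side over a few constructed IIS W3C log lines. This is an added example written for this archive page; it is not Parth's batch files, Kevin's setup or any Snort rule. The log lines, the rule names and the decoding helpers are assumptions made for illustration, including the overlong UTF-8 (%c0%af, %c1%9c) and double-decode (%255c) forms used in the IIS traversal bugs the thread refers to.

```python
import re

# Constructed sample IIS W3C extended log lines (fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). Made up for this example, not log data
# from the site discussed in the thread.
SAMPLE_LOG = """\
2001-05-28 13:10:04 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-28 13:10:05 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-05-28 13:10:06 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/%63%6d%64.%65%78%65 /c+dir 200
2001-05-28 13:10:07 10.0.0.9 GET /cgi-bin/bugreport.cgi id=PR%3A1234 200
2001-05-28 13:10:08 10.0.0.9 GET /docs/my%20file.html - 200
"""

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def percent_encode_all(s: str) -> str:
    """Hex-encode every character: the kind of string a tester would send to see
    whether a log-grepping IDS still matches 'cmd.exe' once it is encoded."""
    return "".join(f"%{ord(c):02x}" for c in s)


def decode_once(s: str) -> str:
    """One pass of percent-decoding. Overlong two-byte UTF-8 sequences (the
    %c0%af and %c1%9c forms) are mapped to the ASCII character they smuggle;
    all other bytes pass through as Latin-1. Input is assumed to be ASCII/Latin-1
    log text (an assumption of this example)."""
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and HEX2.fullmatch(s[i + 1:i + 3]):
            raw.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(s[i]))
            i += 1
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # overlong encoding: %c0%af -> '/', %c1%9c -> '\'
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def full_decode(s: str, max_passes: int = 3) -> str:
    """Decode repeatedly so that %255c -> %5c -> '\\' (double decode) is caught."""
    for _ in range(max_passes):
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
    return s


def raw_exe_rule(request: str) -> bool:
    """The admin's batch-file rule: literal '.exe' anywhere in the logged request."""
    return ".exe" in request.lower()


def percent_not_20_rule(request: str) -> bool:
    """Parth's proposed rule: any '%' not immediately followed by '20'."""
    return re.search(r"%(?!20)", request) is not None


def decoded_request_rule(stem: str, query: str) -> bool:
    """Decode first, then match: flag '..' path segments (after normalising
    backslashes to slashes) or cmd.exe in the decoded stem or query."""
    path = full_decode(stem).replace("\\", "/").lower()
    q = full_decode(query).lower()
    return ".." in path.split("/") or "cmd.exe" in path or "cmd.exe" in q


def evaluate(log_text: str) -> list:
    """Run all three rules over each log line and return one dict per line."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _date, _time, ip, _method, stem, query, _status = line.split()
        request = f"{stem} {query}"
        rows.append({
            "ip": ip,
            "stem": stem,
            "raw_exe": raw_exe_rule(request),
            "pct_not_20": percent_not_20_rule(request),
            "decoded": decoded_request_rule(stem, query),
        })
    return rows


if __name__ == "__main__":
    for row in evaluate(SAMPLE_LOG):
        print(f"{row['stem']:<55} exe={row['raw_exe']!s:<5} "
              f"pct={row['pct_not_20']!s:<5} decoded={row['decoded']}")
```

Run as a script it prints one row per log line. The third sample line shows why the literal ".exe" grep is weak: `%63%6d%64.%65%78%65` never contains ".exe" in the log, so that rule misses it. The fourth line (`id=PR%3A1234`) is the case Kevin raises: the "% not followed by 20" rule fires on a perfectly ordinary encoded colon. Decoding the request (including the overlong and double-encoded forms) and only then matching on `..` segments or `cmd.exe` catches all three traversal lines and neither of the legitimate ones.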
This archive was generated by hypermail 2b30 : Tue May 29 2001 - 17:26:57 PDT