Testing your IPS…Should you and how ?

Before I start with this post…Disclaimer : This post is not to show how to hack systems. Rather it is to be used to learn on how to test your IPS Systems that you have deployed. Now that we have that out of the way…

I was giving training a while ago on Trend Micro Deep Discovery. During the training I ask the question if any one ever test their IPS deployments. The answers I got was that they hope it works…Sadly not a good answer…
So should you test you IPS rules ? My answer is YES ! You should as a Security Professional be able to do some basic tests to see if the rules that you have implemented is working. Simple.
I have some basic tests I do when I do implementations of IPS rules. The most basic one I use is MS12-020. This is a RDP exploit that is present in Windows 7 SP1 and Windows 2008R2. Here is the How To.

The How to…
I use KALI Linux for all my testing. The application inside KALI that I use is Armitage. Armitage uses the MetaExploit rule sets. It is really easy to install. The basics is that you download the ISO, install from the ISO, do an apt-update and then apt-upgrade.
For the OS I used Windows 7 SP1 with no Service Packs installed. Ensure you have RDP enabled but do not select NLM Authentication for RDP Sessions. Also ensure the firewall on the Windows side is disabled. Make sure you not using a production machine…if you run this exploit against an unpatch machine it will Blue Screen the OS!

On the IPS side I used Trend Micro Deep Security. I ensured that I have added the rule set for MS12-020 to my VM as seen below:
Next from KALI I start Armitage, search for MS12_020. Make sure you double click on the Auxiliary ->dos->windows->rdp->ms12_020_maxchannelids exxploit. This will open a window. All you have to do is to enter the IP address of the OS that you want to run the exploit against. Click “Launch”. You can see in the console window in the back that the exploit was run against the host.
IPS Test01
If all goes well you should not have a OS Blue Screen and you should see a event in the IPS events of the VM as below:
IPS Test02
As you can see the IPS Module in Deep Security have done a RESET on the connection and have blocked the exploit.

Learn how to test IPS Systems. It took me a while to learn the basics around using the application and tools sets that is out there. YouTube is your friend in this matter. There is a lot of free tools that you can use….KALI Linux being the best out there that I know of. With regards to IPS systems, I use Deep Security as I know the product well (Use to work for Trend Micro). Happy Testing!!

Leave a Reply