
IDS/IPS identification

Penetration testers can use fragroute and WAFW00F to identify whether any detection or prevention mechanisms are in place, such as an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS), or a Web Application Firewall (WAF).

Fragroute is a default tool in Kali Linux that fragments network packets, allowing attackers to intercept, modify, and rewrite the egress traffic for a specific target. This tool comes in handy in a highly secure remote environment.

The following screenshot provides the list of options that are available in fragroute to determine whether any network IDS is in place:

Attackers can also write their own custom configuration to perform fragmentation attacks to delay, duplicate, drop, fragment, overlap, reorder, source-route, and segment. A sample custom configuration would look like the following screenshot:

Running fragroute against a target is as simple as running fragroute target.com; if there are any connections to target.com, attackers will be able to see the traffic that is being sent to target.com. The following screenshot shows that the IP segments are fragmented as per the custom configuration file:
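From the defender's side, the manipulations listed above (duplicate, fragment, overlap, reorder) leave recognizable traces in the IP fragment stream. The following is an added example, not taken from the book or from fragroute: a Python check that flags those traces over constructed fragment records. The record layout, the size threshold, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed threshold: a non-final fragment carrying fewer bytes than this is unusual.
MIN_FRAG_PAYLOAD = 64

# Constructed sample, in arrival order:
# (src, dst, ip_id, proto, offset_bytes, payload_len, more_fragments)
SAMPLE_FRAGMENTS = [
    ("10.0.0.5", "192.0.2.10", 100, 6, 0, 1480, True),    # ordinary MTU-sized split
    ("10.0.0.5", "192.0.2.10", 100, 6, 1480, 520, False),
    ("10.0.0.7", "192.0.2.10", 200, 6, 0, 8, True),       # tiny fragments
    ("10.0.0.7", "192.0.2.10", 200, 6, 8, 8, True),
    ("10.0.0.7", "192.0.2.10", 200, 6, 8, 8, True),       # exact duplicate
    ("10.0.0.7", "192.0.2.10", 200, 6, 12, 16, False),    # overlaps bytes 12-15
]

def analyze_fragments(fragments):
    """Group fragments by reassembly key and return {key: set of findings}."""
    groups = defaultdict(list)
    for src, dst, ip_id, proto, off, length, mf in fragments:
        groups[(src, dst, ip_id, proto)].append((off, length, mf))

    findings = {}
    for key, frags in groups.items():
        flags = set()
        if len(set(frags)) < len(frags):
            flags.add("duplicate")
        if any(mf and length < MIN_FRAG_PAYLOAD for _, length, mf in frags):
            flags.add("tiny")
        # Reordering also happens on healthy networks, so treat it as a weak signal.
        offsets = [off for off, _, _ in frags]
        if offsets != sorted(offsets):
            flags.add("reordered")
        # Overlap: a fragment starts before the end of the bytes already covered.
        covered_end = 0
        for off, length, _ in sorted(set(frags)):
            if off < covered_end:
                flags.add("overlap")
            covered_end = max(covered_end, off + length)
        if flags:
            findings[key] = flags
    return findings

if __name__ == "__main__":
    for key, flags in analyze_fragments(SAMPLE_FRAGMENTS).items():
        print(key, sorted(flags))
```

Overlapping fragments matter most to an IDS operator because the sensor and the destination host may reassemble them differently, so the sensor inspects one payload while the host receives another.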

Another tool that attackers use during active reconnaissance is WAFW00F. This tool is pre-installed in the latest version of Kali Linux. It is used to identify and fingerprint Web Application Firewall (WAF) products. It also provides a list of well-known WAFs, which can be displayed by adding the -l switch to the command (for example, wafw00f -l).

The following screenshot shows the exact WAF running behind the web application:
