Implementing the host-based IDS and endpoint security

There are a number of different ways that a site can configure and deploy its host-based protection, or more broadly, its endpoint security. As testers, reproducing this on our target range is a matter of experimentation. The majority of these products are commercial, so you have to obtain trial versions or request a proof-of-concept implementation from the vendor. Either way, your ability to deploy them on your network range will depend largely on what your client has. This is information that can sometimes be obtained during the early, non-intrusive stages of target research; more often it is provided to you at the scoping meetings, or during the social engineering phase of the test when that is permitted and in scope.

Having the deployed intrusion prevention tool automatically block the IP address from which our tools launch an attack is not always a good idea, because the source address of an attack can be spoofed, and the legitimate user of the spoofed address is then the one who gets blocked. This is one of the reasons why automatic IP blocking is usually configured only for events that could lead to a significant loss, and why many of the IPSes we encounter will be running in monitor and detect mode only. A number of tools give you the option of randomizing or decoying the source addresses when you run them (Nmap's -D decoy option is one example), and this is very effective against protections that count or block by source IP. Another way to do this is to conduct your attacks through a VPN and simply connect to a different server once your current exit IP has been blocked.
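The following is an added example, not code from the book or from any IPS product, that makes the two points above concrete: a naive per-source-IP block rule blocks whoever appears as the source, so spoofed traffic gets a legitimate address blocked, while rotating source addresses never reaches the threshold at all. The alert line format, the threshold, and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for this example; the allowlist and monitor mode are the two mitigations a defender would typically reach for.

```python
import re
from collections import Counter

# Constructed sample IPS alert lines (made up for this example, not output
# from any real product). 198.51.100.20 is an administrator's jump host and
# 203.0.113.7 is the tester's real address. The last three lines are the
# tester sending probes with the jump host's address forged as the source.
SAMPLE_ALERTS = """\
2024-05-01T10:00:01Z alert src=203.0.113.7 dst=10.0.0.5 sig="SMB probe"
2024-05-01T10:00:02Z alert src=203.0.113.7 dst=10.0.0.5 sig="SMB probe"
2024-05-01T10:00:03Z alert src=203.0.113.7 dst=10.0.0.5 sig="SMB probe"
2024-05-01T10:01:10Z alert src=198.51.100.20 dst=10.0.0.5 sig="SMB probe"
2024-05-01T10:01:11Z alert src=198.51.100.20 dst=10.0.0.5 sig="SMB probe"
2024-05-01T10:01:12Z alert src=198.51.100.20 dst=10.0.0.5 sig="SMB probe"
"""

# Same probes, but the tester rotates through a different source address
# for every packet (also constructed).
SAMPLE_ROTATED = """\
2024-05-01T10:05:01Z alert src=192.0.2.10 dst=10.0.0.5 sig="SMB probe"
2024-05-01T10:05:02Z alert src=192.0.2.11 dst=10.0.0.5 sig="SMB probe"
2024-05-01T10:05:03Z alert src=192.0.2.12 dst=10.0.0.5 sig="SMB probe"
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) alert src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) sig="(?P<sig>[^"]*)"$'
)


def parse_alerts(text):
    """Parse alert lines into dicts with ts/src/dst/sig; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def evaluate(alerts, threshold=3, mode="block", allowlist=frozenset()):
    """Apply a naive per-source-IP threshold rule to a list of parsed alerts.

    mode="block":   sources with at least `threshold` alerts are blocked,
                    except allowlisted addresses, which are only flagged.
    mode="monitor": nothing is blocked; every source over threshold is flagged.
    Returns {"blocked": set_of_ips, "flagged": set_of_ips}.
    """
    counts = Counter(a["src"] for a in alerts)
    blocked, flagged = set(), set()
    for src, n in counts.items():
        if n < threshold:
            continue
        if mode == "block" and src not in allowlist:
            blocked.add(src)
        else:
            flagged.add(src)
    return {"blocked": blocked, "flagged": flagged}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    # Naive block mode: the spoofed jump-host address is blocked along with
    # the tester's real address, so the administrator loses access to 10.0.0.5.
    print("naive block mode :", evaluate(alerts))
    # Allowlisting known infrastructure turns the spoofed hits into flags only.
    print("with allowlist   :", evaluate(alerts, allowlist={"198.51.100.20"}))
    # Monitor-only deployment: the rule reports, never blocks.
    print("monitor only     :", evaluate(alerts, mode="monitor"))
    # Rotated sources: no single address reaches the threshold, so the
    # per-IP rule neither blocks nor flags anything.
    print("rotated sources  :", evaluate(parse_alerts(SAMPLE_ROTATED)))
```

The rotated-source run is why a per-IP threshold alone is weak against a tester who decoys or changes addresses; a defender would need to count by destination, signature or time window as well, which is also why many sites leave the IPS in monitor mode rather than risk blocking the wrong address.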

Some of the VPN client software products will do this for you; an example of this is shown in the following screenshot:

[Screenshot: Pro VPN client settings for changing the IP address on a set duration and interval]

As the previous screenshot shows, the Pro VPN tool provides us with the capability to not only change our IP address, but to also set the duration and interval that we want to use to make that change.
