Most vulnerability scanners will allow you to configure an exception list. If an organization has an internal vulnerability scanning program in place they are probably aware of a few troublesome systems that don’t respond well to poking and prodding.  (That ancient VAX, those Dell DRACs, that crazy plotter, etc…)

It’s not uncommon to be asked by a client to “Avoid this list of systems during the Pentest…” But what if you have some nice custom tools that don’t have the ability to honor an exception list?  What if you have some tools that you point to an NT Domain and not an IP list?

On the surface the simplest solution would be to “just configure the firewall to block outbound to x.x.x.y….”  The problem is windows personal firewalls don’t make it easy to do that. In fact, most of these firewalls will break the scanning tools you’re trying to use. 

I’ve found that Peer Guardian 2 does an awesome job at fixing this problem.  Peer Guardian is mostly used by peer-to-peer users but you can easily make a custom “block list” that will prevent your computer from hitting IPs on your client’s exclusion list.  You can run Peer Guardian and not worry about it mucking up those funky packets that youre trying to send.

-higB