Re: [Tool] - inundator - an intrusion detection false positives generator.

[Nelson Brito <nbrito () sekure org>]

If you don't deal well with criticism, don't send such "31337" tool to a public mailing list, keep it just for your 
friends. I got you incubator and it looks like: "look mom, I did my first Perl script". No offense, kid! Okay... Keep 
studying and you're gonna to learn more and more...

Just to let you know, because you're probably 2 years old and live in the jungle, here is the NNG and ENG post:
http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0397.html

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Sent on an  iPhone wireless device. Please, forgive any potential misspellings!

On Jul 6, 2010, at 12:20 AM, "epixoip" <epixoip () hush com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 05 Jul 2010 18:34:24 -0700 Nelson Brito <nbrito () sekure org>
> wrote:
> > Thanks for the credits and keep doing the great work! Just for the
> > records: NNG is not a tool, it is just a PoC for the concept you
> > are just mimicking. Really creative!!! 8)
>
>
> Again, nobody has ever heard of this "NNG PoC" (which, by the way,
> you did call it a tool in your packetstorm description) until you
> started demanding we give you credit for your ground-breaking
> research into a decade-old topic. And again, as I've clearly
> highlighted, the only parallel between NNG and Inundator is we both
> generate false positives. Nothing new here, not even for NNG.
>
>
> > I will keep me the right to be polite.
>
>
> That doesn't make you any less of a douche.
>
>
> > BTW, I don like my iPhone... 8)
> > Specially my apps for that one.
>
>
> Erm, okay?
>
>
> > Nelson Brito
> > Security Researcher
> > http://fnstenv.blogspot.com/
> >
> > Sent on an  iPhone wireless device. Please, forgive any potential
> > misspellings!
> >
> > On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip () hush com> wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > >
> > >
> > >
> > > Oh, for fuck's sake...
> > >
> > > <acerbity>
> > >
> > > Wow, you've really called us out on this one. How embarrassing
> > for
> > > us.
> > >
> > > Please accept our sincerest apologies, Mr. Brito. We now
> > understand
> > > how phrases like "inundator is a modern twist on an old concept"
> > > and "Snot, fwsnort's snortspoof, and possibly others beat us to
> > the
> > > punch" can be incredibly obtuse and largely indecipherable,
> > > requiring *at least* a third grade education for full
> > > comprehension. We accept full responsibility for failing to
> > write
> > > this announcement with the lowest common denominator in mind,
> > and
> > > promise to limit our vocabulary to only words found on
> > > http://simple.wikipedia.org in future posts.
> > >
> > > Also, thank you for taking the time to hi-jack our announcement
> > by
> > > linking to your incredibly superior NNG tool. We failed to
> > include
> > > it in our list of credits, and it brings us much shame. Please
> > > excuse us while we prepare for Seppuku.
> > >
> > > </acerbity>
> > >
> > > To set the record straight right up front, we never stated this
> > was
> > > an original idea. In fact, we clearly stated this was *NOT* an
> > > original idea. And we *DID,* in fact, credit SNOT -- and
> > fwsnort's
> > > snortspoof as well -- even though we discovered them after we
> > had
> > > already begun working on Inundator. We didn't credit IDSwakeup,
> > > because while IDSwakeup is kind of cool, it uses a static set
> > > payloads to generate the false positives, and we use a dynamic
> > set.
> > > We thought parsing Snort's rules files to dynamically build
> > attack
> > > payloads was at least original, but when we learned otherwise,
> > we
> > > credited the only other two apps we could find that did
> > something
> > > similar: SNOT and snortspoof. So we're definitely going out of
> > our
> > > way here to give credit where credit is due, even though we had
> > no
> > > knowledge of these applications when we thought of the concept.
> > > Again, all of this was clearly explained in plain English.
> > >
> > > Now then, back to you.
> > >
> > > At first I presumed you were just a self-important moron who
> > > couldn't be bothered to actually read the full text of the
> > > announcement before crafting your witty reply on your iPhone and
> > > publicly embarrassing yourself on four separate mailing lists
> > > concurrently. That is until I paid a visit to your outstanding
> > > little blog, and realized that not only are you a self-important
> > > queef, but you're also a little fucking crybaby who wants credit
> > > and attention for every original thought you didn't have.
> > >
> > > As we can clearly see from your blog, "ANY INFORMATION TAKEN
> > FROM
> > > THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK
> > TO
> > > THE ORIGINAL ARTICLE." This must mean you observed some parallel
> > > between NNG and Inundator, and thus feel we should be giving you
> > > some sort of credit and a backlink (although I suppose the
> > backlink
> > > has already been covered by you douching all over this thread.)
> > > Let's see what sort of parallels could possibly exist between
> > NNG
> > > and Inundator:
> > >
> > > From http://packetstormsecurity.org/filedesc/nng-4.13r-
> > > public.rar.html:
> > >
> > > "Description: NNG is a tool that creates crafted packets to
> > cause
> > > MS02-039 false-positives against IPS/IDS. NNG does not have the
> > > same approach used by Snot and Stick, where the main goal is
> > DoSing
> > > the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to
> > have
> > > the leakage of real attack.
> > >
> > > "Author: Nelson Brito"
> > >
> > > First of all, I don't think SNOT's main goal was to DoS the IPS,
> > as
> > > you so cleverly state. Second, I have no fucking clue what "NNG
> > > tries to make IPS/IDS 'numbed' enough to have the leakage of
> > real
> > > attack" is even supposed to mean. I see some English words
> > there,
> > > but that sentence means fuck-all.
> > >
> > > So from what I can gather, your little tool is capable of send a
> > > single packet mimicking MS02-039. Bra-fucking-vo, how
> > innovative.
> > > So it isn't multi-threaded, no attempt is made to send the
> > attack
> > > anonymously, you're using a single static payload, and you
> > > essentially have little to no user configuration at all. What's
> > the
> > > point? I actually have no idea what the actual goal of NNG is,
> > > other than to serve as a POC for why pattern matching is full of
> > > fail. But then again, that's something we've known for over a
> > > decade (although I see you still give presentations on the topic
> > as
> > > if it were both new and original), so again -- what is the point
> > of
> > > NNG? Even snortspoof, though dated and pretty much useless by
> > > today's standards, is vastly more impressive than NNG, as it at
> > > least makes an attempt to anonymize attacks and dynamically
> > parses
> > > an array of signatures to generate an attack instead of hard-
> > coding
> > > ONE payload. Who are you giving credit to for NNG, by the way?
> > Oh
> > > that's right -- yourself, even though there is literally nothing
> > > original about NNG. By the way, I like how you have a file named
> > > "Authors" in the NNG source tarball, where you list yourself and
> > > your contact information twice.
> > >
> > > Your pathetic piece of shit doesn't even come close to what
> > > Inundator does, so why the fuck would we give NNG credit? Were
> > you
> > > so disillusioned by your own self-importance that you honestly
> > saw
> > > a parallel between NNG and Inundator? Or perhaps you were just
> > > trying to drive traffic to your little piece of shit by linking
> > > everyone to it after trying to make yourself look superior? No,
> > I
> > > honestly think your cunt start aching at the thought of us
> > > crediting SNOT and snortspoof, but not NNG. Reality is a bitch,
> > huh.
> > > Here's my advice to you, Mr. Brito: slap some vagisil on your
> > > aching pussy and shut the fuck up. Nobody has heard of you, and
> > > nobody has heard of NNG. Get over yourself.
> > >
> > >
> > > Oh, and Inundator is still available at
> > > http://inundator.sourceforge.net/
> > >
> > >
> > > Stay classy,
> > > /epixoip.
> > >
> > >
> > > On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito
> > <nbrito () sekure org>
> > > wrote:
> > > > That is not new and you should give the credits, not just for
> > NNG
> > > > (http://packetstormsecurity.org/filedesc/nng-4.13r-
> > > > public.rar.html), but you are missing STICK, SNOT and and
> > > > IDSWAKEUP as well.
> > > >
> > > > Nelson Brito
> > > > Security Researcher
> > > > http://fnstenv.blogspot.com/
> > > >
> > > > Sent on an  iPhone wireless device. Please, forgive any
> > potential
> > > > misspellings!
> > > >
> > > > On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip () hush com>
> > wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > >
> > > > >
> > > > > homepage: http://inundator.bindshell.nl/
> > > > > deb repo: deb http://inundator.sourceforge.net/repo/ all/
> > > > > gpg key : http://inundator.sourceforge.net/inundator.asc
> > > > >
> > > > > Announcing the release of inundator v0.5!
> > > > >
> > > > > inundator is a modern twist on an old concept -- it's an
> > > > > IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
> > > > > detection systems with false positives in order to obfuscate a
> > > > real
> > > > > attack. inundator leverages the vagueness and poor quality of
> > > > > Snort's rules files to generate completely harmless packets /
> > > > HTTP
> > > > > requests that contain just enough keywords to trigger a false
> > > > > positive. We thought this was an original idea, but it looks
> > > > like
> > > > > Snot, fwsnort's snortspoof, and possibly others beat us to the
> > > > > punch. However, these tools were developed around the turn of
> > > > the
> > > > > century, are quite dated and well-forgotten, and overall quite
> > > > > inferior to inundator.
> > > > >
> > > > > inundator is full featured, multi-threaded, queue-based,
> > > > supports
> > > > > multiple targets, and requires the use of a SOCKS proxy for
> > > > > anonymization. Via Tor, inundator is capable of generating
> > > > around
> > > > > 1000 false positives per minute. Via a high-bandwidth SOCKS
> > > > proxy,
> > > > > you might be able to generate ten times that amount.
> > > > >
> > > > > The general idea is one would launch inundator prior to
> > starting
> > > > an
> > > > > attack, allow it to run during the attack, and continue to run
> > > > it a
> > > > > while longer after you've accomplished the attack. The goal,
> > of
> > > > > course, is to generate an overwhelming number of false
> > positives
> > > > so
> > > > > that your real attack is essentially buried within the other
> > > > > alerts, minimizing the chance of your attack being detected.
> > It
> > > > > could also be used to ruin an IDS analyst's day, or keep an
> > > > > organization's infosec department busy for a while. I suppose
> > it
> > > > > could also be used to test the effectiveness of an IDS, but
> > no,
> > > > not
> > > > > really.
> > > > >
> > > > > inundator is implemented in Perl (version >= 5.10 is
> > recommended
> > > > > due to ithreads bugs in previous versions), and has been
> > tested
> > > > on
> > > > > Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and
> > Mac
> > > > OS
> > > > > X against Snort v2.8.5.2. It is presumed to work on all POSIX
> > > > > operating systems. Hell, it might even work on Windows.
> > > > >
> > > > > /epixoip.
>
>
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 3.0
>
> wpwEAQMCAAYFAkwyoQoACgkQacHgESW3wZoLBgP+PbxGwDMzuS0OSDJYiStD/YokjxCE
> THV+banN8SdnYxfft7vgDlhNoXJlyE61wULSy1G4zuUCJT8+Ow78uxd6BMkmbt3F25pJ
> xrZsu8lgBm3m24vIqNmHwbvif2BOxMqiBwHlVBaQURXyH2RITLInmRmorTyvq4lxGPW5
> xhdJc1A=
> =Zdzn
> -----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/