Full Disclosure mailing list archives
Re: [Tool] - inundator - an intrusion detection false positives generator.
From: Adriel Desautels <adriel () netragard com>
Date: Mon, 5 Jul 2010 21:44:07 -0400
Wow you need a vacation bro. Regards, Adriel T Desautels Netragard, LLC Mobile device On Jul 5, 2010, at 6:56 PM, "epixoip" <epixoip () hush com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oh, for fuck's sake... <acerbity> Wow, you've really called us out on this one. How embarrassing for us. Please accept our sincerest apologies, Mr. Brito. We now understand how phrases like "inundator is a modern twist on an old concept" and "Snot, fwsnort's snortspoof, and possibly others beat us to the punch" can be incredibly obtuse and largely indecipherable, requiring *at least* a third grade education for full comprehension. We accept full responsibility for failing to write this announcement with the lowest common denominator in mind, and promise to limit our vocabulary to only words found on http://simple.wikipedia.org in future posts. Also, thank you for taking the time to hi-jack our announcement by linking to your incredibly superior NNG tool. We failed to include it in our list of credits, and it brings us much shame. Please excuse us while we prepare for Seppuku. </acerbity> To set the record straight right up front, we never stated this was an original idea. In fact, we clearly stated this was *NOT* an original idea. And we *DID,* in fact, credit SNOT -- and fwsnort's snortspoof as well -- even though we discovered them after we had already begun working on Inundator. We didn't credit IDSwakeup, because while IDSwakeup is kind of cool, it uses a static set payloads to generate the false positives, and we use a dynamic set. We thought parsing Snort's rules files to dynamically build attack payloads was at least original, but when we learned otherwise, we credited the only other two apps we could find that did something similar: SNOT and snortspoof. So we're definitely going out of our way here to give credit where credit is due, even though we had no knowledge of these applications when we thought of the concept. Again, all of this was clearly explained in plain English. Now then, back to you. At first I presumed you were just a self-important moron who couldn't be bothered to actually read the full text of the announcement before crafting your witty reply on your iPhone and publicly embarrassing yourself on four separate mailing lists concurrently. That is until I paid a visit to your outstanding little blog, and realized that not only are you a self-important queef, but you're also a little fucking crybaby who wants credit and attention for every original thought you didn't have. As we can clearly see from your blog, "ANY INFORMATION TAKEN FROM THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK TO THE ORIGINAL ARTICLE." This must mean you observed some parallel between NNG and Inundator, and thus feel we should be giving you some sort of credit and a backlink (although I suppose the backlink has already been covered by you douching all over this thread.) Let's see what sort of parallels could possibly exist between NNG and Inundator: From http://packetstormsecurity.org/filedesc/nng-4.13r- public.rar.html: "Description: NNG is a tool that creates crafted packets to cause MS02-039 false-positives against IPS/IDS. NNG does not have the same approach used by Snot and Stick, where the main goal is DoSing the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to have the leakage of real attack. "Author: Nelson Brito" First of all, I don't think SNOT's main goal was to DoS the IPS, as you so cleverly state. Second, I have no fucking clue what "NNG tries to make IPS/IDS 'numbed' enough to have the leakage of real attack" is even supposed to mean. I see some English words there, but that sentence means fuck-all. So from what I can gather, your little tool is capable of send a single packet mimicking MS02-039. Bra-fucking-vo, how innovative. So it isn't multi-threaded, no attempt is made to send the attack anonymously, you're using a single static payload, and you essentially have little to no user configuration at all. What's the point? I actually have no idea what the actual goal of NNG is, other than to serve as a POC for why pattern matching is full of fail. But then again, that's something we've known for over a decade (although I see you still give presentations on the topic as if it were both new and original), so again -- what is the point of NNG? Even snortspoof, though dated and pretty much useless by today's standards, is vastly more impressive than NNG, as it at least makes an attempt to anonymize attacks and dynamically parses an array of signatures to generate an attack instead of hard-coding ONE payload. Who are you giving credit to for NNG, by the way? Oh that's right -- yourself, even though there is literally nothing original about NNG. By the way, I like how you have a file named "Authors" in the NNG source tarball, where you list yourself and your contact information twice. Your pathetic piece of shit doesn't even come close to what Inundator does, so why the fuck would we give NNG credit? Were you so disillusioned by your own self-importance that you honestly saw a parallel between NNG and Inundator? Or perhaps you were just trying to drive traffic to your little piece of shit by linking everyone to it after trying to make yourself look superior? No, I honestly think your cunt start aching at the thought of us crediting SNOT and snortspoof, but not NNG. Reality is a bitch, huh. Here's my advice to you, Mr. Brito: slap some vagisil on your aching pussy and shut the fuck up. Nobody has heard of you, and nobody has heard of NNG. Get over yourself. Oh, and Inundator is still available at http://inundator.sourceforge.net/ Stay classy, /epixoip. On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito <nbrito () sekure org> wrote:That is not new and you should give the credits, not just for NNG (http://packetstormsecurity.org/filedesc/nng-4.13r- public.rar.html), but you are missing STICK, SNOT and and IDSWAKEUP as well. Nelson Brito Security Researcher http://fnstenv.blogspot.com/ Sent on an iPhone wireless device. Please, forgive any potential misspellings! On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip () hush com> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 homepage: http://inundator.bindshell.nl/ deb repo: deb http://inundator.sourceforge.net/repo/ all/ gpg key : http://inundator.sourceforge.net/inundator.asc Announcing the release of inundator v0.5! inundator is a modern twist on an old concept -- it's an IDS/IPS/WAF evasion tool, used to anonymously flood intrusion detection systems with false positives in order to obfuscate arealattack. inundator leverages the vagueness and poor quality of Snort's rules files to generate completely harmless packets /HTTPrequests that contain just enough keywords to trigger a false positive. We thought this was an original idea, but it lookslikeSnot, fwsnort's snortspoof, and possibly others beat us to the punch. However, these tools were developed around the turn ofthecentury, are quite dated and well-forgotten, and overall quite inferior to inundator. inundator is full featured, multi-threaded, queue-based,supportsmultiple targets, and requires the use of a SOCKS proxy for anonymization. Via Tor, inundator is capable of generatingaround1000 false positives per minute. Via a high-bandwidth SOCKSproxy,you might be able to generate ten times that amount. The general idea is one would launch inundator prior to startinganattack, allow it to run during the attack, and continue to runit awhile longer after you've accomplished the attack. The goal, of course, is to generate an overwhelming number of false positivessothat your real attack is essentially buried within the other alerts, minimizing the chance of your attack being detected. It could also be used to ruin an IDS analyst's day, or keep an organization's infosec department busy for a while. I suppose it could also be used to test the effectiveness of an IDS, but no,notreally. inundator is implemented in Perl (version >= 5.10 is recommended due to ithreads bugs in previous versions), and has been testedonDebian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and MacOSX against Snort v2.8.5.2. It is presumed to work on all POSIX operating systems. Hell, it might even work on Windows. /epixoip.-----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQMCAAYFAkwyYxEACgkQacHgESW3wZrghAQAoaUr7ZCmRKhpVs86cvXCHphwB/V9 XCmQFCodPp6puHkCe0KqonLXBLCrW92qjVObOxW8TYlb56JKrZs0EV/jGLKUSrlcfgh7 0/UMwH/vAL0C+PowgHuWFZSGSpLsKk5vUC+9YrKz0/oRkCVj4Ypks6Rd+VAUetzuNIeT W60Z6o0= =uHzo -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [Tool] - inundator - an intrusion detection false positives generator. epixoip (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Adriel Desautels (Jul 06)
- <Possible follow-ups>
- Re: [Tool] - inundator - an intrusion detection false positives generator. epixoip (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. epixoip (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Jubei Trippataka (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. epixoip (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Valdis . Kletnieks (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. nelsonburrito (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. musnt live (Jul 06)
(Thread continues...)