Vulnerability Development mailing list archives

Naptha's code finally released (was: Re: [kiss from Helisec] : testing sinn)


From: Bruno Morisson <morisson () GENHEX ORG>
Date: Sun, 18 Feb 2001 04:47:38 +0000

"Helios Security (Helisec)" wrote:

I have tried sinn between two machines of my network. This is what I got:
(snip)
At first, I thought sinn and sinnd were working just fine, but after that I
tried not to run sinnd and repeat the attack with sinn, and got the same results.
Finally, I tried a little shell script that opened multiple connections to the
ftp port, and same results. So, nothing to do with sinn.


SINN was working fine. SINN is supposed to simulate exactly what you did
with your shell script, which is to flood the victim with connections.
The difference between the script (real connect()) and SINN (or the
"Naptha concept") is that the attacker's OS has no impact on its
resources, since it doesn't retain any state on the connections; it's
all handled in userland, simulating ACK responses to SYN/ACKs.
Without sinnd, you did a synflood attack, which (as you probably know)
also creates a DoS.

Just for the record, I never stated that SINN was anything new, or good
:). I even stated at the time I released it that I didn't get any good
results with it (you had better results than I did! :)). It was just
developed out of my curiosity on Naptha, and all the hype around it.


we'll have to wait till naphta is released :)

Well.. it has been. Why BindView didn't say anything about it? Well,
I'll keep my thoughts on that to myself...
You can get it at
http://packetstorm.securify.com/filedesc/naptha-1.1.html .

I didn't test it much, but I must say I wasn't AT ALL surprised. The main
differences from my interpretation of the advisory (implemented in SINN)
are the arp daemon, and a LOT of options. It is more effective than SINN,
but I'd have to test it more to get to make an opinion. In my tests all
daemons recovered (just like with SINN) after a while (even win98
netbios ports).

Take a look at the code yourself. I guess SINN is/was not so far from
Naptha after all :)

I must say I expected Naptha to be a _totally_new_ concept, or maybe
even an IP stack bug, and I even thought I was completely wrong in my
interpretation (SINN). I guess I was not...

regards,
Bruno Morisson <morisson () genhex org>
--
.bm

Life's not original, everybody's got one.
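The hallmark of the Naptha/SINN-style flood described in this thread is a large number of connections that complete the handshake and then sit idle, exhausting the daemon's per-connection resources while the attacker keeps no state. As an added example (not code from the thread, SINN or Naptha), here is a small defender-side check that parses constructed `ss -tn`-style lines and flags peers holding many idle ESTABLISHED connections to one local port; the sample lines and the threshold are assumptions.

```python
"""Flag peers holding many idle ESTABLISHED connections to a single local port.

Input lines are constructed to resemble `ss -tn` output
(State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
"""
from collections import defaultdict

# Constructed sample: one normal client, one peer holding 25 idle sessions on port 21.
SAMPLE = """ESTAB 0 0 192.0.2.10:21 203.0.113.5:51234
ESTAB 512 0 192.0.2.10:80 203.0.113.5:51235
""" + "\n".join(f"ESTAB 0 0 192.0.2.10:21 198.51.100.7:{40000 + i}" for i in range(25))


def parse_ss(text):
    """Return (state, recv_q, send_q, local_port, peer_host) tuples, skipping headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[1].isdigit() or not parts[2].isdigit():
            continue  # header line or malformed input
        state, recvq, sendq, local, peer = parts[:5]
        _, lport = local.rsplit(":", 1)   # rsplit keeps IPv6 "[::1]:21" intact
        phost, _ = peer.rsplit(":", 1)
        rows.append((state, int(recvq), int(sendq), lport, phost))
    return rows


def idle_established_by_peer(rows):
    """Count ESTABLISHED connections with empty queues, keyed by (peer, local port)."""
    counts = defaultdict(int)
    for state, recvq, sendq, lport, phost in rows:
        if state == "ESTAB" and recvq == 0 and sendq == 0:
            counts[(phost, lport)] += 1
    return dict(counts)


def flag_floods(text, threshold=20):
    """Return sorted (peer, port, count) for peers at or above the idle-connection threshold."""
    counts = idle_established_by_peer(parse_ss(text))
    return sorted((peer, port, n) for (peer, port), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for peer, port, n in flag_floods(SAMPLE):
        print(f"peer {peer} holds {n} idle ESTABLISHED connections to local port {port}")
```

On a live host, feed it `ss -tn` output and tune the threshold to the daemon's normal concurrency; a legitimate client rarely holds dozens of data-less sessions to one service.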

