Re: [Tool] - inundator - an intrusion detection false positives generator.

[Nelson Brito <nbrito () sekure org>]

Last message to you, kid.

NNG was released in September 2008, and it doesn't mean it's not older than that.

And I see you've checked my background... Good! Are you gonna to hire me? Maybe I could teach you how to deal with real 
Perl, such as:
{(!($^O=~/^[M]*$32/i)&&($0=~s!^.*/!!))||($0=~s!.*\\!!)}$0;

Cheers.

Nelson Brito 
Security Researcher
http://fnstenv.blogspot.com/

Sent on an  iPhone wireless device. Please, forgive any potential misspellings!

On Jul 6, 2010, at 1:01 AM, "epixoip" <epixoip () hush com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 05 Jul 2010 19:02:12 -0700 Nelson Brito <nbrito () sekure org>
> wrote:
>
> > One more thing, just for the records and being polite: nobody
> > works on such "bad idea" anymore...
>
> Somehow you've gone from "you stole my idea and you need to give me
> credit, and here's the download link" to "well, it's a bad idea and
> nobody does it anymore." Your tool (which you now claim isn't a
> tool) was just released 20 months ago -- six to eight years after
> tools like Snot and IDSwakeup were released, and far less effective
> than those tools. So what you're essentially saying here is your
> own work was irrelevant. Well, at least you admit it.
>
> > Why? Because doesn't make any sense you doing so many noise to
> evade
> > an IPS.
>
> Ah, I see. You're using reverse psychology. The tool doesn't make
> any sense, so why not go ahead and throw a little credit your way,
> right? Honestly, I couldn't care less what your "professional"
> opinion is, and I still refuse to credit your work. I will,
> however, continue to give full credit to tools like Snot and
> snortspoof, regardless of their post-development discovery.
>
> > There much more effectiveness ways to do it without "scream
> > wolf", little boy.
>
> Of course there are more effective techniques for IDS evasion, and
> there's nothing stopping you from employing those techniques as
> well, especially in tandem with Inundator. I guess that thought
> never crossed your mind. If you decide to use that idea though, I
> demand you give me full credit and prove a backlink to this post.
>
>
> > Best regards.
> >
> > PS: Keep playing with "incubator"
>
>
> I'm not entirely sure how calling it 'incubator' is an insult, but
> I suppose I'll pretend to be insulted.
>
>
> > and let the real work for the pros.
>
>
> And what sort of "real work" might you be doing? I'm curious to
> know what sort of "pro work" one with "12 years of experience in
> high-tek" does. Perhaps you're working on your "PATENT PENDING"
> ENG++?
>
> By the way, here's a shell script to replace NNG:
>
> while [ 1 ]; do
>    printf
> "\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E\n" |
> nc -v $1 1434
> done
>
> Again, if you're going to use that, you must give me full credit
> and provide a backlink to this post. I'm super duper serious.
>
>
> > Nelson Brito
> > Security Researcher
> > http://fnstenv.blogspot.com/
> >
> > Sent on an  iPhone wireless device. Please, forgive any potential
> > misspellings!
> >
> > On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip () hush com> wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > >
> > >
> > >
> > > Oh, for fuck's sake...
> > >
> > > <acerbity>
> > >
> > > Wow, you've really called us out on this one. How embarrassing
> > for
> > > us.
> > >
> > > Please accept our sincerest apologies, Mr. Brito. We now
> > understand
> > > how phrases like "inundator is a modern twist on an old concept"
> > > and "Snot, fwsnort's snortspoof, and possibly others beat us to
> > the
> > > punch" can be incredibly obtuse and largely indecipherable,
> > > requiring *at least* a third grade education for full
> > > comprehension. We accept full responsibility for failing to
> > write
> > > this announcement with the lowest common denominator in mind,
> > and
> > > promise to limit our vocabulary to only words found on
> > > http://simple.wikipedia.org in future posts.
> > >
> > > Also, thank you for taking the time to hi-jack our announcement
> > by
> > > linking to your incredibly superior NNG tool. We failed to
> > include
> > > it in our list of credits, and it brings us much shame. Please
> > > excuse us while we prepare for Seppuku.
> > >
> > > </acerbity>
> > >
> > > To set the record straight right up front, we never stated this
> > was
> > > an original idea. In fact, we clearly stated this was *NOT* an
> > > original idea. And we *DID,* in fact, credit SNOT -- and
> > fwsnort's
> > > snortspoof as well -- even though we discovered them after we
> > had
> > > already begun working on Inundator. We didn't credit IDSwakeup,
> > > because while IDSwakeup is kind of cool, it uses a static set
> > > payloads to generate the false positives, and we use a dynamic
> > set.
> > > We thought parsing Snort's rules files to dynamically build
> > attack
> > > payloads was at least original, but when we learned otherwise,
> > we
> > > credited the only other two apps we could find that did
> > something
> > > similar: SNOT and snortspoof. So we're definitely going out of
> > our
> > > way here to give credit where credit is due, even though we had
> > no
> > > knowledge of these applications when we thought of the concept.
> > > Again, all of this was clearly explained in plain English.
> > >
> > > Now then, back to you.
> > >
> > > At first I presumed you were just a self-important moron who
> > > couldn't be bothered to actually read the full text of the
> > > announcement before crafting your witty reply on your iPhone and
> > > publicly embarrassing yourself on four separate mailing lists
> > > concurrently. That is until I paid a visit to your outstanding
> > > little blog, and realized that not only are you a self-important
> > > queef, but you're also a little fucking crybaby who wants credit
> > > and attention for every original thought you didn't have.
> > >
> > > As we can clearly see from your blog, "ANY INFORMATION TAKEN
> > FROM
> > > THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK
> > TO
> > > THE ORIGINAL ARTICLE." This must mean you observed some parallel
> > > between NNG and Inundator, and thus feel we should be giving you
> > > some sort of credit and a backlink (although I suppose the
> > backlink
> > > has already been covered by you douching all over this thread.)
> > > Let's see what sort of parallels could possibly exist between
> > NNG
> > > and Inundator:
> > >
> > > From http://packetstormsecurity.org/filedesc/nng-4.13r-
> > > public.rar.html:
> > >
> > > "Description: NNG is a tool that creates crafted packets to
> > cause
> > > MS02-039 false-positives against IPS/IDS. NNG does not have the
> > > same approach used by Snot and Stick, where the main goal is
> > DoSing
> > > the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to
> > have
> > > the leakage of real attack.
> > >
> > > "Author: Nelson Brito"
> > >
> > > First of all, I don't think SNOT's main goal was to DoS the IPS,
> > as
> > > you so cleverly state. Second, I have no fucking clue what "NNG
> > > tries to make IPS/IDS 'numbed' enough to have the leakage of
> > real
> > > attack" is even supposed to mean. I see some English words
> > there,
> > > but that sentence means fuck-all.
> > >
> > > So from what I can gather, your little tool is capable of send a
> > > single packet mimicking MS02-039. Bra-fucking-vo, how
> > innovative.
> > > So it isn't multi-threaded, no attempt is made to send the
> > attack
> > > anonymously, you're using a single static payload, and you
> > > essentially have little to no user configuration at all. What's
> > the
> > > point? I actually have no idea what the actual goal of NNG is,
> > > other than to serve as a POC for why pattern matching is full of
> > > fail. But then again, that's something we've known for over a
> > > decade (although I see you still give presentations on the topic
> > as
> > > if it were both new and original), so again -- what is the point
> > of
> > > NNG? Even snortspoof, though dated and pretty much useless by
> > > today's standards, is vastly more impressive than NNG, as it at
> > > least makes an attempt to anonymize attacks and dynamically
> > parses
> > > an array of signatures to generate an attack instead of hard-
> > coding
> > > ONE payload. Who are you giving credit to for NNG, by the way?
> > Oh
> > > that's right -- yourself, even though there is literally nothing
> > > original about NNG. By the way, I like how you have a file named
> > > "Authors" in the NNG source tarball, where you list yourself and
> > > your contact information twice.
> > >
> > > Your pathetic piece of shit doesn't even come close to what
> > > Inundator does, so why the fuck would we give NNG credit? Were
> > you
> > > so disillusioned by your own self-importance that you honestly
> > saw
> > > a parallel between NNG and Inundator? Or perhaps you were just
> > > trying to drive traffic to your little piece of shit by linking
> > > everyone to it after trying to make yourself look superior? No,
> > I
> > > honestly think your cunt start aching at the thought of us
> > > crediting SNOT and snortspoof, but not NNG. Reality is a bitch,
> > huh.
> > > Here's my advice to you, Mr. Brito: slap some vagisil on your
> > > aching pussy and shut the fuck up. Nobody has heard of you, and
> > > nobody has heard of NNG. Get over yourself.
> > >
> > >
> > > Oh, and Inundator is still available at
> > > http://inundator.sourceforge.net/
> > >
> > >
> > > Stay classy,
> > > /epixoip.
> > >
> > >
> > > On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito
> > <nbrito () sekure org>
> > > wrote:
> > > > That is not new and you should give the credits, not just for
> > NNG
> > > > (http://packetstormsecurity.org/filedesc/nng-4.13r-
> > > > public.rar.html), but you are missing STICK, SNOT and and
> > > > IDSWAKEUP as well.
> > > >
> > > > Nelson Brito
> > > > Security Researcher
> > > > http://fnstenv.blogspot.com/
> > > >
> > > > Sent on an  iPhone wireless device. Please, forgive any
> > potential
> > > > misspellings!
> > > >
> > > > On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip () hush com>
> > wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > >
> > > > >
> > > > > homepage: http://inundator.bindshell.nl/
> > > > > deb repo: deb http://inundator.sourceforge.net/repo/ all/
> > > > > gpg key : http://inundator.sourceforge.net/inundator.asc
> > > > >
> > > > > Announcing the release of inundator v0.5!
> > > > >
> > > > > inundator is a modern twist on an old concept -- it's an
> > > > > IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
> > > > > detection systems with false positives in order to obfuscate a
> > > > real
> > > > > attack. inundator leverages the vagueness and poor quality of
> > > > > Snort's rules files to generate completely harmless packets /
> > > > HTTP
> > > > > requests that contain just enough keywords to trigger a false
> > > > > positive. We thought this was an original idea, but it looks
> > > > like
> > > > > Snot, fwsnort's snortspoof, and possibly others beat us to the
> > > > > punch. However, these tools were developed around the turn of
> > > > the
> > > > > century, are quite dated and well-forgotten, and overall quite
> > > > > inferior to inundator.
> > > > >
> > > > > inundator is full featured, multi-threaded, queue-based,
> > > > supports
> > > > > multiple targets, and requires the use of a SOCKS proxy for
> > > > > anonymization. Via Tor, inundator is capable of generating
> > > > around
> > > > > 1000 false positives per minute. Via a high-bandwidth SOCKS
> > > > proxy,
> > > > > you might be able to generate ten times that amount.
> > > > >
> > > > > The general idea is one would launch inundator prior to
> > starting
> > > > an
> > > > > attack, allow it to run during the attack, and continue to run
> > > > it a
> > > > > while longer after you've accomplished the attack. The goal,
> > of
> > > > > course, is to generate an overwhelming number of false
> > positives
> > > > so
> > > > > that your real attack is essentially buried within the other
> > > > > alerts, minimizing the chance of your attack being detected.
> > It
> > > > > could also be used to ruin an IDS analyst's day, or keep an
> > > > > organization's infosec department busy for a while. I suppose
> > it
> > > > > could also be used to test the effectiveness of an IDS, but
> > no,
> > > > not
> > > > > really.
> > > > >
> > > > > inundator is implemented in Perl (version >= 5.10 is
> > recommended
> > > > > due to ithreads bugs in previous versions), and has been
> > tested
> > > > on
> > > > > Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and
> > Mac
> > > > OS
> > > > > X against Snort v2.8.5.2. It is presumed to work on all POSIX
> > > > > operating systems. Hell, it might even work on Windows.
> > > > >
> > > > > /epixoip.
> > >
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Charset: UTF8
> > > Note: This signature can be verified at
> > https://www.hushtools.com/verify
> > > Version: Hush 3.0
> > wpwEAQMCAAYFAkwyYxEACgkQacHgESW3wZrghAQAoaUr7ZCmRKhpVs86cvXCHphwB/V
> > 9
> > >
> > XCmQFCodPp6puHkCe0KqonLXBLCrW92qjVObOxW8TYlb56JKrZs0EV/jGLKUSrlcfgh
> > 7
> > >
> > 0/UMwH/vAL0C+PowgHuWFZSGSpLsKk5vUC+9YrKz0/oRkCVj4Ypks6Rd+VAUetzuNIe
> > T
> > > W60Z6o0=
> > > =uHzo
> > > -----END PGP SIGNATURE-----
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 3.0
>
> wpwEAQMCAAYFAkwyqqYACgkQacHgESW3wZq22gP7Bisp36Tfco5+nvNFHBKYyxd7EW8a
> 4wQxbya29L3BxP7fF+V/hqlNQbdEPOeW6EnpPh71laO9PSl7jsPJsGdyLRE51JAcRoxp
> UXr+d6VPf5lbQ6E7KHLPvtd33+HPA8nBgfY+uD/uqt3qda2o8xihefx2rnKGPqI1jKE8
> r6Hha9g=
> =nPAL
> -----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/