Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Tool] - inundator - an intrusion detection false positives generator.

From: "epixoip" <epixoip () hush com>
Date: Mon, 05 Jul 2010 21:12:51 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 05 Jul 2010 20:52:40 -0700 Nelson Brito <nbrito () sekure org>
wrote:

If you don't deal well with criticism, don't send such "31337"
tool to a public mailing list, keep it just for your friends.


Criticism? All you did was demand credit for work nobody has even
heard of, much less cared about.



I
got you incubator and it looks like: "look mom, I did my first
Perl script". No offense, kid! Okay... Keep studying and you're
gonna to learn more and more...


Heh. I'm not even sure where to begin with this one, so I won't.




Just to let you know, because you're probably 2 years old and live
in the jungle,


Oh, snap!


here is the NNG and ENG post:
http://archives.neohapsis.com/archives/fulldisclosure/2008-
09/0397.html


Wow, you are far more self-important than I ever gave you credit
for.

This will be my last reply on this thread, by the way, I'm going to
go ahead and kill it here. Anyone reading this thread can clearly
see just how desperate you are to make yourself look good and make
your name known, and the last thing I want to do is give more
attention to an attention whore.



Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Sent on an  iPhone wireless device. Please, forgive any potential
misspellings!

On Jul 6, 2010, at 12:20 AM, "epixoip" <epixoip () hush com> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 05 Jul 2010 18:34:24 -0700 Nelson Brito

<nbrito () sekure org>

wrote:

Thanks for the credits and keep doing the great work! Just for

the

records: NNG is not a tool, it is just a PoC for the concept

you

are just mimicking. Really creative!!! 8)



Again, nobody has ever heard of this "NNG PoC" (which, by the

way,

you did call it a tool in your packetstorm description) until

you

started demanding we give you credit for your ground-breaking
research into a decade-old topic. And again, as I've clearly
highlighted, the only parallel between NNG and Inundator is we

both

generate false positives. Nothing new here, not even for NNG.



I will keep me the right to be polite.



That doesn't make you any less of a douche.



BTW, I don like my iPhone... 8)
Specially my apps for that one.



Erm, okay?



Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Sent on an  iPhone wireless device. Please, forgive any

potential

misspellings!

On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip () hush com> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




Oh, for fuck's sake...

<acerbity>

Wow, you've really called us out on this one. How embarrassing

for

us.

Please accept our sincerest apologies, Mr. Brito. We now

understand

how phrases like "inundator is a modern twist on an old

concept"

and "Snot, fwsnort's snortspoof, and possibly others beat us

to

the

punch" can be incredibly obtuse and largely indecipherable,
requiring *at least* a third grade education for full
comprehension. We accept full responsibility for failing to

write

this announcement with the lowest common denominator in mind,

and

promise to limit our vocabulary to only words found on
http://simple.wikipedia.org in future posts.

Also, thank you for taking the time to hi-jack our

announcement

by

linking to your incredibly superior NNG tool. We failed to

include

it in our list of credits, and it brings us much shame. Please
excuse us while we prepare for Seppuku.

</acerbity>

To set the record straight right up front, we never stated

this

was

an original idea. In fact, we clearly stated this was *NOT* an
original idea. And we *DID,* in fact, credit SNOT -- and

fwsnort's

snortspoof as well -- even though we discovered them after we

had

already begun working on Inundator. We didn't credit

IDSwakeup,

because while IDSwakeup is kind of cool, it uses a static set
payloads to generate the false positives, and we use a dynamic

set.

We thought parsing Snort's rules files to dynamically build

attack

payloads was at least original, but when we learned otherwise,

we

credited the only other two apps we could find that did

something

similar: SNOT and snortspoof. So we're definitely going out of

our

way here to give credit where credit is due, even though we

had

no

knowledge of these applications when we thought of the

concept.

Again, all of this was clearly explained in plain English.

Now then, back to you.

At first I presumed you were just a self-important moron who
couldn't be bothered to actually read the full text of the
announcement before crafting your witty reply on your iPhone

and

publicly embarrassing yourself on four separate mailing lists
concurrently. That is until I paid a visit to your outstanding
little blog, and realized that not only are you a self-

important

queef, but you're also a little fucking crybaby who wants

credit

and attention for every original thought you didn't have.

As we can clearly see from your blog, "ANY INFORMATION TAKEN

FROM

THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A

BACKLINK

TO

THE ORIGINAL ARTICLE." This must mean you observed some

parallel

between NNG and Inundator, and thus feel we should be giving

you

some sort of credit and a backlink (although I suppose the

backlink

has already been covered by you douching all over this

thread.)

Let's see what sort of parallels could possibly exist between

NNG

and Inundator:

From http://packetstormsecurity.org/filedesc/nng-4.13r-
public.rar.html:

"Description: NNG is a tool that creates crafted packets to

cause

MS02-039 false-positives against IPS/IDS. NNG does not have

the

same approach used by Snot and Stick, where the main goal is

DoSing

the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to

have

the leakage of real attack.

"Author: Nelson Brito"

First of all, I don't think SNOT's main goal was to DoS the

IPS,

as

you so cleverly state. Second, I have no fucking clue what

"NNG

tries to make IPS/IDS 'numbed' enough to have the leakage of

real

attack" is even supposed to mean. I see some English words

there,

but that sentence means fuck-all.

So from what I can gather, your little tool is capable of send

a

single packet mimicking MS02-039. Bra-fucking-vo, how

innovative.

So it isn't multi-threaded, no attempt is made to send the

attack

anonymously, you're using a single static payload, and you
essentially have little to no user configuration at all.

What's

the

point? I actually have no idea what the actual goal of NNG is,
other than to serve as a POC for why pattern matching is full

of

fail. But then again, that's something we've known for over a
decade (although I see you still give presentations on the

topic

as

if it were both new and original), so again -- what is the

point

of

NNG? Even snortspoof, though dated and pretty much useless by
today's standards, is vastly more impressive than NNG, as it

at

least makes an attempt to anonymize attacks and dynamically

parses

an array of signatures to generate an attack instead of hard-

coding

ONE payload. Who are you giving credit to for NNG, by the way?

Oh

that's right -- yourself, even though there is literally

nothing

original about NNG. By the way, I like how you have a file

named

"Authors" in the NNG source tarball, where you list yourself

and

your contact information twice.

Your pathetic piece of shit doesn't even come close to what
Inundator does, so why the fuck would we give NNG credit? Were

you

so disillusioned by your own self-importance that you honestly

saw

a parallel between NNG and Inundator? Or perhaps you were just
trying to drive traffic to your little piece of shit by

linking

everyone to it after trying to make yourself look superior?

No,

I

honestly think your cunt start aching at the thought of us
crediting SNOT and snortspoof, but not NNG. Reality is a

bitch,

huh.


Here's my advice to you, Mr. Brito: slap some vagisil on your
aching pussy and shut the fuck up. Nobody has heard of you,

and

nobody has heard of NNG. Get over yourself.


Oh, and Inundator is still available at
http://inundator.sourceforge.net/


Stay classy,
/epixoip.


On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito

<nbrito () sekure org>

wrote:

That is not new and you should give the credits, not just for

NNG

(http://packetstormsecurity.org/filedesc/nng-4.13r-
public.rar.html), but you are missing STICK, SNOT and and
IDSWAKEUP as well.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Sent on an  iPhone wireless device. Please, forgive any

potential

misspellings!

On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip () hush com>

wrote:



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



homepage: http://inundator.bindshell.nl/
deb repo: deb http://inundator.sourceforge.net/repo/ all/
gpg key : http://inundator.sourceforge.net/inundator.asc

Announcing the release of inundator v0.5!

inundator is a modern twist on an old concept -- it's an
IDS/IPS/WAF evasion tool, used to anonymously flood

intrusion

detection systems with false positives in order to obfuscate

a

real

attack. inundator leverages the vagueness and poor quality

of

Snort's rules files to generate completely harmless packets

/

HTTP

requests that contain just enough keywords to trigger a

false

positive. We thought this was an original idea, but it looks

like

Snot, fwsnort's snortspoof, and possibly others beat us to

the

punch. However, these tools were developed around the turn

of

the

century, are quite dated and well-forgotten, and overall

quite

inferior to inundator.

inundator is full featured, multi-threaded, queue-based,

supports

multiple targets, and requires the use of a SOCKS proxy for
anonymization. Via Tor, inundator is capable of generating

around

1000 false positives per minute. Via a high-bandwidth SOCKS

proxy,

you might be able to generate ten times that amount.

The general idea is one would launch inundator prior to

starting

an

attack, allow it to run during the attack, and continue to

run

it a

while longer after you've accomplished the attack. The goal,

of

course, is to generate an overwhelming number of false

positives

so

that your real attack is essentially buried within the other
alerts, minimizing the chance of your attack being detected.

It

could also be used to ruin an IDS analyst's day, or keep an
organization's infosec department busy for a while. I

suppose

it

could also be used to test the effectiveness of an IDS, but

no,

not

really.

inundator is implemented in Perl (version >= 5.10 is

recommended

due to ithreads bugs in previous versions), and has been

tested

on

Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and

Mac

OS

X against Snort v2.8.5.2. It is presumed to work on all

POSIX

operating systems. Hell, it might even work on Windows.

/epixoip.




-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at

https://www.hushtools.com/verify

Version: Hush 3.0



wpwEAQMCAAYFAkwyoQoACgkQacHgESW3wZoLBgP+PbxGwDMzuS0OSDJYiStD/YokjxC
E



THV+banN8SdnYxfft7vgDlhNoXJlyE61wULSy1G4zuUCJT8+Ow78uxd6BMkmbt3F25p
J



xrZsu8lgBm3m24vIqNmHwbvif2BOxMqiBwHlVBaQURXyH2RITLInmRmorTyvq4lxGPW
5

xhdJc1A=
=Zdzn
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkwyrUMACgkQacHgESW3wZqfSwQAtKyc8XZvxC16uGoZui5Tu1SgGK/m
NteWdM2+FIubQA61Rn++JLZ0rjNFprf0HR5SVQNgg8fF/Y8C2nmecXUxgxGQNWqLb49l
zkcEH0KijX4T83fHhDBPe5i7asm24T0sudPSMA6ebEWIoUX2B6AZnDGfBmoKj/TQpWlY
8VctizY=
=ATDp
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: