Full Disclosure mailing list archives
Re: [Tool] - inundator - an intrusion detection false positives generator.
From: Nelson Brito <nbrito () sekure org>
Date: Tue, 6 Jul 2010 01:20:29 -0300
http://www.networksecurityarchive.org/html/Snort-Signatures/2008-09/msg00007.html

People know about this... Even before you've learned Perl!

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Sent on an iPhone wireless device. Please, forgive any potential misspellings!

On Jul 6, 2010, at 1:12 AM, "epixoip" <epixoip () hush com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 05 Jul 2010 20:52:40 -0700 Nelson Brito <nbrito () sekure org> wrote:
>
> > If you don't deal well with criticism, don't send such a "31337" tool to
> > a public mailing list; keep it just for your friends.
>
> Criticism? All you did was demand credit for work nobody has even heard
> of, much less cared about.
>
> > I got your incubator and it looks like: "look mom, I did my first Perl
> > script". No offense, kid! Okay... Keep studying and you're gonna learn
> > more and more...
>
> Heh. I'm not even sure where to begin with this one, so I won't.
>
> > Just to let you know, because you're probably 2 years old and live in
> > the jungle,
>
> Oh, snap!
>
> > here is the NNG and ENG post:
> > http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0397.html
>
> Wow, you are far more self-important than I ever gave you credit for.
> This will be my last reply on this thread, by the way; I'm going to go
> ahead and kill it here. Anyone reading this thread can clearly see just
> how desperate you are to make yourself look good and make your name
> known, and the last thing I want to do is give more attention to an
> attention whore.
>
> > Nelson Brito
> > Security Researcher
> > http://fnstenv.blogspot.com/
> >
> > Sent on an iPhone wireless device. Please, forgive any potential
> > misspellings!
> >
> > On Jul 6, 2010, at 12:20 AM, "epixoip" <epixoip () hush com> wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On Mon, 05 Jul 2010 18:34:24 -0700 Nelson Brito <nbrito () sekure org> wrote:
> > >
> > > > Thanks for the credits and keep doing the great work! Just for the
> > > > records: NNG is not a tool, it is just a PoC for the concept you
> > > > are just mimicking. Really creative!!! 8)
> > >
> > > Again, nobody has ever heard of this "NNG PoC" (which, by the way,
> > > you did call a tool in your packetstorm description) until you
> > > started demanding we give you credit for your ground-breaking
> > > research into a decade-old topic. And again, as I've clearly
> > > highlighted, the only parallel between NNG and Inundator is we both
> > > generate false positives. Nothing new here, not even for NNG.
> > >
> > > > I will keep the right to be polite.
> > >
> > > That doesn't make you any less of a douche.
> > >
> > > > BTW, I don't like my iPhone... 8) Especially my apps for that one.
> > >
> > > Erm, okay?
> > >
> > > > Nelson Brito
> > > > Security Researcher
> > > > http://fnstenv.blogspot.com/
> > > >
> > > > Sent on an iPhone wireless device. Please, forgive any potential
> > > > misspellings!
> > > >
> > > > On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip () hush com> wrote:
> > > >
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > Oh, for fuck's sake...
> > > > >
> > > > > <acerbity>
> > > > > Wow, you've really called us out on this one. How embarrassing
> > > > > for us. Please accept our sincerest apologies, Mr. Brito. We now
> > > > > understand how phrases like "inundator is a modern twist on an
> > > > > old concept" and "Snot, fwsnort's snortspoof, and possibly others
> > > > > beat us to the punch" can be incredibly obtuse and largely
> > > > > indecipherable, requiring *at least* a third grade education for
> > > > > full comprehension. We accept full responsibility for failing to
> > > > > write this announcement with the lowest common denominator in
> > > > > mind, and promise to limit our vocabulary to only words found on
> > > > > http://simple.wikipedia.org in future posts.
> > > > >
> > > > > Also, thank you for taking the time to hi-jack our announcement
> > > > > by linking to your incredibly superior NNG tool. We failed to
> > > > > include it in our list of credits, and it brings us much shame.
> > > > > Please excuse us while we prepare for Seppuku.
> > > > > </acerbity>
> > > > >
> > > > > To set the record straight right up front, we never stated this
> > > > > was an original idea. In fact, we clearly stated this was *NOT*
> > > > > an original idea. And we *DID,* in fact, credit SNOT -- and
> > > > > fwsnort's snortspoof as well -- even though we discovered them
> > > > > after we had already begun working on Inundator. We didn't
> > > > > credit IDSwakeup, because while IDSwakeup is kind of cool, it
> > > > > uses a static set of payloads to generate the false positives,
> > > > > and we use a dynamic set. We thought parsing Snort's rules files
> > > > > to dynamically build attack payloads was at least original, but
> > > > > when we learned otherwise, we credited the only other two apps
> > > > > we could find that did something similar: SNOT and snortspoof.
> > > > > So we're definitely going out of our way here to give credit
> > > > > where credit is due, even though we had no knowledge of these
> > > > > applications when we thought of the concept. Again, all of this
> > > > > was clearly explained in plain English.
> > > > >
> > > > > Now then, back to you.
> > > > >
> > > > > At first I presumed you were just a self-important moron who
> > > > > couldn't be bothered to actually read the full text of the
> > > > > announcement before crafting your witty reply on your iPhone and
> > > > > publicly embarrassing yourself on four separate mailing lists
> > > > > concurrently. That is until I paid a visit to your outstanding
> > > > > little blog, and realized that not only are you a self-important
> > > > > queef, but you're also a little fucking crybaby who wants credit
> > > > > and attention for every original thought you didn't have.
> > > > >
> > > > > As we can clearly see from your blog, "ANY INFORMATION TAKEN FROM
> > > > > THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK
> > > > > TO THE ORIGINAL ARTICLE." This must mean you observed some
> > > > > parallel between NNG and Inundator, and thus feel we should be
> > > > > giving you some sort of credit and a backlink (although I suppose
> > > > > the backlink has already been covered by you douching all over
> > > > > this thread.)
> > > > >
> > > > > Let's see what sort of parallels could possibly exist between NNG
> > > > > and Inundator. From
> > > > > http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html:
> > > > >
> > > > > "Description: NNG is a tool that creates crafted packets to cause
> > > > > MS02-039 false-positives against IPS/IDS. NNG does not have the
> > > > > same approach used by Snot and Stick, where the main goal is
> > > > > DoSing the IPS. Instead, NNG tries to make IPS/IDS "numbed"
> > > > > enough to have the leakage of real attack.
> > > > >
> > > > > "Author: Nelson Brito"
> > > > >
> > > > > First of all, I don't think SNOT's main goal was to DoS the IPS,
> > > > > as you so cleverly state. Second, I have no fucking clue what
> > > > > "NNG tries to make IPS/IDS 'numbed' enough to have the leakage of
> > > > > real attack" is even supposed to mean. I see some English words
> > > > > there, but that sentence means fuck-all.
> > > > >
> > > > > So from what I can gather, your little tool is capable of sending
> > > > > a single packet mimicking MS02-039. Bra-fucking-vo, how
> > > > > innovative. So it isn't multi-threaded, no attempt is made to
> > > > > send the attack anonymously, you're using a single static
> > > > > payload, and you essentially have little to no user
> > > > > configuration at all. What's the point? I actually have no idea
> > > > > what the actual goal of NNG is, other than to serve as a POC for
> > > > > why pattern matching is full of fail. But then again, that's
> > > > > something we've known for over a decade (although I see you
> > > > > still give presentations on the topic as if it were both new and
> > > > > original), so again -- what is the point of NNG?
> > > > >
> > > > > Even snortspoof, though dated and pretty much useless by today's
> > > > > standards, is vastly more impressive than NNG, as it at least
> > > > > makes an attempt to anonymize attacks and dynamically parses an
> > > > > array of signatures to generate an attack instead of hard-coding
> > > > > ONE payload.
> > > > >
> > > > > Who are you giving credit to for NNG, by the way? Oh that's
> > > > > right -- yourself, even though there is literally nothing
> > > > > original about NNG. By the way, I like how you have a file named
> > > > > "Authors" in the NNG source tarball, where you list yourself and
> > > > > your contact information twice.
> > > > >
> > > > > Your pathetic piece of shit doesn't even come close to what
> > > > > Inundator does, so why the fuck would we give NNG credit? Were
> > > > > you so disillusioned by your own self-importance that you
> > > > > honestly saw a parallel between NNG and Inundator? Or perhaps
> > > > > you were just trying to drive traffic to your little piece of
> > > > > shit by linking everyone to it after trying to make yourself
> > > > > look superior? No, I honestly think your cunt started aching at
> > > > > the thought of us crediting SNOT and snortspoof, but not NNG.
> > > > > Reality is a bitch, huh.
> > > > >
> > > > > Here's my advice to you, Mr. Brito: slap some vagisil on your
> > > > > aching pussy and shut the fuck up. Nobody has heard of you, and
> > > > > nobody has heard of NNG. Get over yourself.
> > > > >
> > > > > Oh, and Inundator is still available at
> > > > > http://inundator.sourceforge.net/
> > > > >
> > > > > Stay classy,
> > > > > /epixoip.
> > > > >
> > > > > On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito <nbrito () sekure org> wrote:
> > > > >
> > > > > > That is not new and you should give the credits, not just for
> > > > > > NNG (http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html),
> > > > > > but you are missing STICK, SNOT and IDSWAKEUP as well.
> > > > > >
> > > > > > Nelson Brito
> > > > > > Security Researcher
> > > > > > http://fnstenv.blogspot.com/
> > > > > >
> > > > > > Sent on an iPhone wireless device. Please, forgive any
> > > > > > potential misspellings!
> > > > > >
> > > > > > On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip () hush com> wrote:
> > > > > >
> > > > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > > > Hash: SHA1
> > > > > > >
> > > > > > > homepage: http://inundator.bindshell.nl/
> > > > > > > deb repo: deb http://inundator.sourceforge.net/repo/ all/
> > > > > > > gpg key : http://inundator.sourceforge.net/inundator.asc
> > > > > > >
> > > > > > > Announcing the release of inundator v0.5!
> > > > > > >
> > > > > > > inundator is a modern twist on an old concept -- it's an
> > > > > > > IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
> > > > > > > detection systems with false positives in order to obfuscate
> > > > > > > a real attack. inundator leverages the vagueness and poor
> > > > > > > quality of Snort's rules files to generate completely
> > > > > > > harmless packets/HTTP requests that contain just enough
> > > > > > > keywords to trigger a false positive.
> > > > > > >
> > > > > > > We thought this was an original idea, but it looks like Snot,
> > > > > > > fwsnort's snortspoof, and possibly others beat us to the
> > > > > > > punch. However, these tools were developed around the turn
> > > > > > > of the century, are quite dated and well-forgotten, and
> > > > > > > overall quite inferior to inundator.
> > > > > > >
> > > > > > > inundator is full featured, multi-threaded, queue-based,
> > > > > > > supports multiple targets, and requires the use of a SOCKS
> > > > > > > proxy for anonymization. Via Tor, inundator is capable of
> > > > > > > generating around 1000 false positives per minute. Via a
> > > > > > > high-bandwidth SOCKS proxy, you might be able to generate
> > > > > > > ten times that amount.
> > > > > > >
> > > > > > > The general idea is one would launch inundator prior to
> > > > > > > starting an attack, allow it to run during the attack, and
> > > > > > > continue to run it a while longer after you've accomplished
> > > > > > > the attack. The goal, of course, is to generate an
> > > > > > > overwhelming number of false positives so that your real
> > > > > > > attack is essentially buried within the other alerts,
> > > > > > > minimizing the chance of your attack being detected. It
> > > > > > > could also be used to ruin an IDS analyst's day, or keep an
> > > > > > > organization's infosec department busy for a while. I
> > > > > > > suppose it could also be used to test the effectiveness of
> > > > > > > an IDS, but no, not really.
> > > > > > >
> > > > > > > inundator is implemented in Perl (version >= 5.10 is
> > > > > > > recommended due to ithreads bugs in previous versions), and
> > > > > > > has been tested on Debian Lenny, Debian Squeeze, Ubuntu
> > > > > > > Jaunty, BackTrack 4, and Mac OS X against Snort v2.8.5.2. It
> > > > > > > is presumed to work on all POSIX operating systems. Hell, it
> > > > > > > might even work on Windows.
> > > > > > >
> > > > > > > /epixoip.
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Charset: UTF8
> > > Note: This signature can be verified at https://www.hushtools.com/verify
> > > Version: Hush 3.0
> > >
> > > wpwEAQMCAAYFAkwyoQoACgkQacHgESW3wZoLBgP+PbxGwDMzuS0OSDJYiStD/YokjxC
> > > ETHV+banN8SdnYxfft7vgDlhNoXJlyE61wULSy1G4zuUCJT8+Ow78uxd6BMkmbt3F25p
> > > JxrZsu8lgBm3m24vIqNmHwbvif2BOxMqiBwHlVBaQURXyH2RITLInmRmorTyvq4lxGPW
> > > 5xhdJc1A=
> > > =Zdzn
> > > -----END PGP SIGNATURE-----
>
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAkwyrUMACgkQacHgESW3wZqfSwQAtKyc8XZvxC16uGoZui5Tu1SgGK/m
> NteWdM2+FIubQA61Rn++JLZ0rjNFprf0HR5SVQNgg8fF/Y8C2nmecXUxgxGQNWqLb49l
> zkcEH0KijX4T83fHhDBPe5i7asm24T0sudPSMA6ebEWIoUX2B6AZnDGfBmoKj/TQpWlY
> 8VctizY=
> =ATDp
> -----END PGP SIGNATURE-----
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
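The announcement quoted at the bottom of the thread describes the mechanism only in one sentence: parse Snort's rules files, lift the `content:` keywords, and wrap them in harmless requests that a pattern matcher cannot tell from the real thing. The script below is an added example of that mechanism, written for this page in Python; it is not inundator's own Perl code and it sends nothing on the wire (no sockets, no SOCKS proxy, no threads). The rules in SAMPLE_RULES, their sids, the target.example host and the fp-generator User-Agent are all constructed for the demo. It goes one step beyond the text by including a naive substring matcher so you can see which rule each generated request would trip.

```python
"""Harmless HTTP requests built from the `content:` strings of Snort rules,
so a pure pattern matcher alerts on traffic that attacks nothing.  Added
example of the technique the inundator announcement describes; it is not
inundator's code and sends nothing (no sockets, no SOCKS proxy)."""
import re
from dataclasses import dataclass, field

# Constructed sample rules in Snort 2.x syntax (hypothetical sids).
SAMPLE_RULES = r'''
# comments and blank lines are ignored
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd access"; flow:to_server,established; content:"/etc/passwd"; nocase; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cmd.exe with pipe"; content:"cmd.exe"; nocase; content:"|7C|"; distance:0; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90|"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"only negated content"; content:!"harmless"; sid:9000004; rev:1;)
'''

RULE_RE = re.compile(r'^alert\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)$')
OPT_RE = re.compile(r'(?:[^;"\\]|"(?:[^"\\]|\\.)*"|\\.)+')  # ';' splits only outside quotes
QUOTED_RE = re.compile(r'^(!?)\s*"(.*)"$', re.S)            # optional '!' negation, then the string

@dataclass
class Content:
    data: bytes
    nocase: bool = False

@dataclass
class Rule:
    sid: int
    msg: str
    contents: list = field(default_factory=list)  # positive content matches, in rule order

def decode_content(raw: str) -> bytes:
    """Snort content string -> bytes: |xx xx| hex blocks and backslash escapes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == '|':
            end = raw.index('|', i + 1)              # ValueError if unterminated
            out += bytes.fromhex(raw[i + 1:end])
            i = end + 1
        elif raw[i] == '\\' and i + 1 < len(raw):
            out += raw[i + 1].encode('latin-1')
            i += 2
        else:
            out += raw[i].encode('latin-1')
            i += 1
    return bytes(out)

def parse_rules(text: str) -> list:
    """Parse alert rules, keeping only those with a positive content match
    (negated-only or content-less rules give us nothing to mimic)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                                  # blank, comment or non-alert line
        sid, msg, contents, last_negated = None, '', [], False
        try:
            for opt in OPT_RE.findall(m.group(1)):
                key, _, val = (s.strip() for s in opt.strip().partition(':'))
                if key == 'msg':
                    msg = QUOTED_RE.match(val).group(2)
                elif key == 'sid':
                    sid = int(val)
                elif key == 'content':
                    neg, body = QUOTED_RE.match(val).groups()
                    last_negated = bool(neg)
                    if not last_negated:
                        contents.append(Content(decode_content(body)))
                elif key == 'nocase' and contents and not last_negated:
                    contents[-1].nocase = True        # modifies the preceding content
        except (ValueError, AttributeError):
            continue                                  # malformed rule: skip it
        if sid is not None and contents:
            rules.append(Rule(sid, msg, contents))
    return rules

def build_request(rule: Rule, host: str = "target.example") -> bytes:
    """Valid, harmless HTTP POST whose body is the rule's content strings
    concatenated in order; raw bytes in the body keep non-printable patterns
    (a NOP sled, say) unencoded on the wire."""
    body = b"note=" + b"".join(c.data for c in rule.contents)
    head = (f"POST /inundate/{rule.sid} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: fp-generator/0.1\r\n"      # hypothetical UA string
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode('ascii') + body

def naive_matches(rules: list, request: bytes) -> list:
    """Stand-in for a pattern-matching IDS: sids whose every positive content
    appears somewhere in the request (nocase honoured)."""
    lower = request.lower()
    return [r.sid for r in rules
            if all(c.data.lower() in lower if c.nocase else c.data in request
                   for c in r.contents)]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        print(r.sid, r.msg, naive_matches(rules, build_request(r)))
```

Two caveats a practitioner will want. First, the naive matcher here is exactly the weakness the thread is arguing about: a rule that is nothing but `content:` strings fires on any request carrying those bytes. Rules that also use `flow`, `http_uri`/`uricontent` with URI normalization, `distance`/`within`, `pcre`, `byte_test` or `flowbits` need more than concatenated keywords, so the usable fraction of a real rule set is smaller than the rule count suggests. Second, on the defending side, a flood of several hundred alerts a minute from a handful of proxy exits is itself a signal; per-source alert rate and correlation across sids tell you someone is inundating you, which is a better response than triaging each alert as if it were a separate intrusion.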
Current thread:
- Re: [Tool] - inundator - an intrusion detection false positives generator. epixoip (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Adriel Desautels (Jul 06)
- <Possible follow-ups>
- Re: [Tool] - inundator - an intrusion detection false positives generator. epixoip (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. epixoip (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Jubei Trippataka (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 05)
- Re: [Tool] - inundator - an intrusion detection false positives generator. epixoip (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Valdis . Kletnieks (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Nelson Brito (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. nelsonburrito (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. musnt live (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. NOC (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. Christian Sciberras (Jul 06)
- Re: [Tool] - inundator - an intrusion detection false positives generator. musnt live (Jul 06)