lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 01 Jul 2010 18:25:41 -0700
From: "epixoip" <epixoip@...h.com>
To: full-disclosure@...ts.grok.org.uk, pen-test@...urityfocus.com,
	focus-ids@...urityfocus.com, security-basics@...urityfocus.com
Subject: [Tool] - inundator - an intrusion detection false
	positives generator.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



homepage: http://inundator.bindshell.nl/
deb repo: deb http://inundator.sourceforge.net/repo/ all/
gpg key : http://inundator.sourceforge.net/inundator.asc

Announcing the release of inundator v0.5!

inundator is a modern twist on an old concept -- it's an
IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
detection systems with false positives in order to obfuscate a real
attack. inundator leverages the vagueness and poor quality of
Snort's rules files to generate completely harmless packets / HTTP
requests that contain just enough keywords to trigger a false
positive. We thought this was an original idea, but it looks like
Snot, fwsnort's snortspoof, and possibly others beat us to the
punch. However, these tools were developed around the turn of the
century, are quite dated and well-forgotten, and overall quite
inferior to inundator.

inundator is full featured, multi-threaded, queue-based, supports
multiple targets, and requires the use of a SOCKS proxy for
anonymization. Via Tor, inundator is capable of generating around
1000 false positives per minute. Via a high-bandwidth SOCKS proxy,
you might be able to generate ten times that amount.

The general idea is one would launch inundator prior to starting an
attack, allow it to run during the attack, and continue to run it a
while longer after you've accomplished the attack. The goal, of
course, is to generate an overwhelming number of false positives so
that your real attack is essentially buried within the other
alerts, minimizing the chance of your attack being detected. It
could also be used to ruin an IDS analyst's day, or keep an
organization's infosec department busy for a while. I suppose it
could also be used to test the effectiveness of an IDS, but no, not
really.

inundator is implemented in Perl (version >= 5.10 is recommended
due to ithreads bugs in previous versions), and has been tested on
Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac OS
X against Snort v2.8.5.2. It is presumed to work on all POSIX
operating systems. Hell, it might even work on Windows.

/epixoip.



-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkwtQBUACgkQacHgESW3wZpdIwP+P6LnI4PLGYPOOcoE84PKcVr/4dNu
/T9kXWFqi0WWE9mO5zGo/UqemhBEutjUsxH880i39AnpKVuHroBbuouO3p/9AJ+q6CoJ
z64LBg6mSYzzcrCbBGU1XGxNiNsqhaHc9SIMAYCM1Yj6jbnHrm+lMIzneIuCgRhIJeoj
NlqSahc=
=O9AY
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists