Message-ID: <AANLkTineZWxMaufUXgnmB8zSSGlt5n-0rS_yFB_TQrOh@mail.gmail.com>
Date: Tue, 6 Jul 2010 09:17:58 +1000
From: quispiam lepidus <quispiam.lepidus@...il.com>
To: Nelson Brito <nbrito@...ure.org>
Cc: full-disclosure@...ts.grok.org.uk, epixoip <epixoip@...h.com>
Subject: Re: [Tool] - inundator - an intrusion detection false positives generator.
I guess you missed this line?
"We thought this was an original idea, but it looks like Snot,
fwsnort's snortspoof, and possibly others beat us to the punch."
On Tue, Jul 6, 2010 at 2:51 AM, Nelson Brito <nbrito@...ure.org> wrote:
> That is not new and you should give the credits, not just for NNG (http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html), but you are missing STICK, SNOT and IDSWAKEUP as well.
>
> Nelson Brito
> Security Researcher
> http://fnstenv.blogspot.com/
>
> Sent on an iPhone wireless device. Please, forgive any potential misspellings!
>
> On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip@...h.com> wrote:
>
>> homepage: http://inundator.bindshell.nl/
>> deb repo: deb http://inundator.sourceforge.net/repo/ all/
>> gpg key : http://inundator.sourceforge.net/inundator.asc
>>
>> Announcing the release of inundator v0.5!
>>
>> inundator is a modern twist on an old concept -- it's an
>> IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
>> detection systems with false positives in order to obfuscate a real
>> attack. inundator leverages the vagueness and poor quality of
>> Snort's rules files to generate completely harmless packets / HTTP
>> requests that contain just enough keywords to trigger a false
>> positive. We thought this was an original idea, but it looks like
>> Snot, fwsnort's snortspoof, and possibly others beat us to the
>> punch. However, these tools were developed around the turn of the
>> century, are quite dated and well-forgotten, and overall quite
>> inferior to inundator.
>>
>> inundator is full featured, multi-threaded, queue-based, supports
>> multiple targets, and requires the use of a SOCKS proxy for
>> anonymization. Via Tor, inundator is capable of generating around
>> 1000 false positives per minute. Via a high-bandwidth SOCKS proxy,
>> you might be able to generate ten times that amount.
>>
>> The general idea is one would launch inundator prior to starting an
>> attack, allow it to run during the attack, and continue to run it a
>> while longer after you've accomplished the attack. The goal, of
>> course, is to generate an overwhelming number of false positives so
>> that your real attack is essentially buried within the other
>> alerts, minimizing the chance of your attack being detected. It
>> could also be used to ruin an IDS analyst's day, or keep an
>> organization's infosec department busy for a while. I suppose it
>> could also be used to test the effectiveness of an IDS, but no, not
>> really.
>>
>> inundator is implemented in Perl (version >= 5.10 is recommended
>> due to ithreads bugs in previous versions), and has been tested on
>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac OS
>> X against Snort v2.8.5.2. It is presumed to work on all POSIX
>> operating systems. Hell, it might even work on Windows.
>>
>> /epixoip.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
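From the sensor side, the flood-to-bury-the-real-attack model described in the quoted announcement is an alert-storm triage problem. The following is an added example, not code from this thread or from inundator: it parses Snort 2 fast-alert lines (the sample lines are constructed), marks sources whose volume or signature spread looks like a generator cycling through rule keywords, and lists the remaining alerts rarest-signature-first so a two-hit real event is not lost in the noise. The thresholds and the log shape are assumptions to adjust per sensor.

```python
import re
from collections import Counter

# Parses Snort 2 "alert_fast" output lines. The SAMPLE lines further down are
# constructed for this example, not captured from a real sensor.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_fast(lines):
    """One dict per parseable alert line; lines in another format are skipped."""
    return [m.groupdict() for m in map(FAST_RE.match, lines) if m]

def flood_sources(alerts, min_alerts=10, min_distinct_sids=5):
    """Sources whose volume or signature spread looks like a generator cycling
    through rule keywords (many different sids) rather than one intrusion."""
    per_src = Counter(a["src"] for a in alerts)
    sids_per_src = {}
    for a in alerts:
        sids_per_src.setdefault(a["src"], set()).add(a["sid"])
    return {s for s in per_src
            if per_src[s] >= min_alerts or len(sids_per_src[s]) >= min_distinct_sids}

def residual_alerts(alerts, **thresholds):
    """Alerts from sources not classified as flooding, rarest signature first:
    the set an analyst should triage when the console is being buried."""
    noisy = flood_sources(alerts, **thresholds)
    sid_freq = Counter(a["sid"] for a in alerts)
    rest = [a for a in alerts if a["src"] not in noisy]
    return sorted(rest, key=lambda a: (sid_freq[a["sid"]], a["ts"]))

def _line(ts, sid, msg, src, dst="192.0.2.10"):
    return (f"07/06-09:{ts} [**] [1:{sid}:1] {msg} [**] [Classification: Web Application "
            f"Attack] [Priority: 1] {{TCP}} {src}:45000 -> {dst}:80")

# Constructed sample: a high-volume flood source cycling through 30 web rules,
# a low-volume one still spread over 6 rules, and a two-hit real event.
SAMPLE = [_line(f"17:{i:02d}.000000", 1000 + i, f"WEB-MISC probe {i}", "198.51.100.7")
          for i in range(30)]
SAMPLE += [_line(f"18:{i:02d}.000000", 1100 + i, f"WEB-CGI probe {i}", "198.51.100.8")
           for i in range(6)]
SAMPLE += [_line("18:30.000000", 2003, "WEB-ATTACKS command injection attempt", "203.0.113.5"),
           _line("18:31.000000", 2003, "WEB-ATTACKS command injection attempt", "203.0.113.5")]

if __name__ == "__main__":
    alerts = parse_fast(SAMPLE)
    print("flooding sources:", sorted(flood_sources(alerts)))
    for a in residual_alerts(alerts):
        print(a["ts"], a["src"], a["sid"], a["msg"])
```

Because the announcement routes the flood through Tor, a single generator can appear as many exit-node sources, so the distinct-signature heuristic and per-signature rates carry more weight than raw per-source counts in that case.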