[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20100706032042.4733EB8079@smtp.hushmail.com>
Date: Mon, 05 Jul 2010 20:20:42 -0700
From: "epixoip" <epixoip@...h.com>
To: nbrito@...ure.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Tool] - inundator - an intrusion detection
false positives generator.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 05 Jul 2010 18:34:24 -0700 Nelson Brito <nbrito@...ure.org>
wrote:
>Thanks for the credits and keep doing the great work! Just for the
>records: NNG is not a tool, it is just a PoC for the concept you
>are just mimicking. Really creative!!! 8)
Again, nobody has ever heard of this "NNG PoC" (which, by the way,
you did call it a tool in your packetstorm description) until you
started demanding we give you credit for your ground-breaking
research into a decade-old topic. And again, as I've clearly
highlighted, the only parallel between NNG and Inundator is we both
generate false positives. Nothing new here, not even for NNG.
>I will keep me the right to be polite.
That doesn't make you any less of a douche.
>BTW, I don like my iPhone... 8)
>Specially my apps for that one.
Erm, okay?
>Nelson Brito
>Security Researcher
>http://fnstenv.blogspot.com/
>
>Sent on an iPhone wireless device. Please, forgive any potential
>misspellings!
>
>On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip@...h.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>>
>> Oh, for fuck's sake...
>>
>> <acerbity>
>>
>> Wow, you've really called us out on this one. How embarrassing
>for
>> us.
>>
>> Please accept our sincerest apologies, Mr. Brito. We now
>understand
>> how phrases like "inundator is a modern twist on an old concept"
>> and "Snot, fwsnort's snortspoof, and possibly others beat us to
>the
>> punch" can be incredibly obtuse and largely indecipherable,
>> requiring *at least* a third grade education for full
>> comprehension. We accept full responsibility for failing to
>write
>> this announcement with the lowest common denominator in mind,
>and
>> promise to limit our vocabulary to only words found on
>> http://simple.wikipedia.org in future posts.
>>
>> Also, thank you for taking the time to hi-jack our announcement
>by
>> linking to your incredibly superior NNG tool. We failed to
>include
>> it in our list of credits, and it brings us much shame. Please
>> excuse us while we prepare for Seppuku.
>>
>> </acerbity>
>>
>> To set the record straight right up front, we never stated this
>was
>> an original idea. In fact, we clearly stated this was *NOT* an
>> original idea. And we *DID,* in fact, credit SNOT -- and
>fwsnort's
>> snortspoof as well -- even though we discovered them after we
>had
>> already begun working on Inundator. We didn't credit IDSwakeup,
>> because while IDSwakeup is kind of cool, it uses a static set
>> payloads to generate the false positives, and we use a dynamic
>set.
>> We thought parsing Snort's rules files to dynamically build
>attack
>> payloads was at least original, but when we learned otherwise,
>we
>> credited the only other two apps we could find that did
>something
>> similar: SNOT and snortspoof. So we're definitely going out of
>our
>> way here to give credit where credit is due, even though we had
>no
>> knowledge of these applications when we thought of the concept.
>> Again, all of this was clearly explained in plain English.
>>
>> Now then, back to you.
>>
>> At first I presumed you were just a self-important moron who
>> couldn't be bothered to actually read the full text of the
>> announcement before crafting your witty reply on your iPhone and
>> publicly embarrassing yourself on four separate mailing lists
>> concurrently. That is until I paid a visit to your outstanding
>> little blog, and realized that not only are you a self-important
>> queef, but you're also a little fucking crybaby who wants credit
>> and attention for every original thought you didn't have.
>>
>> As we can clearly see from your blog, "ANY INFORMATION TAKEN
>FROM
>> THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK
>TO
>> THE ORIGINAL ARTICLE." This must mean you observed some parallel
>> between NNG and Inundator, and thus feel we should be giving you
>> some sort of credit and a backlink (although I suppose the
>backlink
>> has already been covered by you douching all over this thread.)
>> Let's see what sort of parallels could possibly exist between
>NNG
>> and Inundator:
>>
>> From http://packetstormsecurity.org/filedesc/nng-4.13r-
>> public.rar.html:
>>
>> "Description: NNG is a tool that creates crafted packets to
>cause
>> MS02-039 false-positives against IPS/IDS. NNG does not have the
>> same approach used by Snot and Stick, where the main goal is
>DoSing
>> the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to
>have
>> the leakage of real attack.
>>
>> "Author: Nelson Brito"
>>
>> First of all, I don't think SNOT's main goal was to DoS the IPS,
>as
>> you so cleverly state. Second, I have no fucking clue what "NNG
>> tries to make IPS/IDS 'numbed' enough to have the leakage of
>real
>> attack" is even supposed to mean. I see some English words
>there,
>> but that sentence means fuck-all.
>>
>> So from what I can gather, your little tool is capable of send a
>> single packet mimicking MS02-039. Bra-fucking-vo, how
>innovative.
>> So it isn't multi-threaded, no attempt is made to send the
>attack
>> anonymously, you're using a single static payload, and you
>> essentially have little to no user configuration at all. What's
>the
>> point? I actually have no idea what the actual goal of NNG is,
>> other than to serve as a POC for why pattern matching is full of
>> fail. But then again, that's something we've known for over a
>> decade (although I see you still give presentations on the topic
>as
>> if it were both new and original), so again -- what is the point
>of
>> NNG? Even snortspoof, though dated and pretty much useless by
>> today's standards, is vastly more impressive than NNG, as it at
>> least makes an attempt to anonymize attacks and dynamically
>parses
>> an array of signatures to generate an attack instead of hard-
>coding
>> ONE payload. Who are you giving credit to for NNG, by the way?
>Oh
>> that's right -- yourself, even though there is literally nothing
>> original about NNG. By the way, I like how you have a file named
>> "Authors" in the NNG source tarball, where you list yourself and
>> your contact information twice.
>>
>> Your pathetic piece of shit doesn't even come close to what
>> Inundator does, so why the fuck would we give NNG credit? Were
>you
>> so disillusioned by your own self-importance that you honestly
>saw
>> a parallel between NNG and Inundator? Or perhaps you were just
>> trying to drive traffic to your little piece of shit by linking
>> everyone to it after trying to make yourself look superior? No,
>I
>> honestly think your cunt start aching at the thought of us
>> crediting SNOT and snortspoof, but not NNG. Reality is a bitch,
>huh.
>>
>> Here's my advice to you, Mr. Brito: slap some vagisil on your
>> aching pussy and shut the fuck up. Nobody has heard of you, and
>> nobody has heard of NNG. Get over yourself.
>>
>>
>> Oh, and Inundator is still available at
>> http://inundator.sourceforge.net/
>>
>>
>> Stay classy,
>> /epixoip.
>>
>>
>> On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito
><nbrito@...ure.org>
>> wrote:
>>> That is not new and you should give the credits, not just for
>NNG
>>> (http://packetstormsecurity.org/filedesc/nng-4.13r-
>>> public.rar.html), but you are missing STICK, SNOT and and
>>> IDSWAKEUP as well.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Sent on an iPhone wireless device. Please, forgive any
>potential
>>> misspellings!
>>>
>>> On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip@...h.com>
>wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>>
>>>>
>>>> homepage: http://inundator.bindshell.nl/
>>>> deb repo: deb http://inundator.sourceforge.net/repo/ all/
>>>> gpg key : http://inundator.sourceforge.net/inundator.asc
>>>>
>>>> Announcing the release of inundator v0.5!
>>>>
>>>> inundator is a modern twist on an old concept -- it's an
>>>> IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
>>>> detection systems with false positives in order to obfuscate a
>>> real
>>>> attack. inundator leverages the vagueness and poor quality of
>>>> Snort's rules files to generate completely harmless packets /
>>> HTTP
>>>> requests that contain just enough keywords to trigger a false
>>>> positive. We thought this was an original idea, but it looks
>>> like
>>>> Snot, fwsnort's snortspoof, and possibly others beat us to the
>>>> punch. However, these tools were developed around the turn of
>>> the
>>>> century, are quite dated and well-forgotten, and overall quite
>>>> inferior to inundator.
>>>>
>>>> inundator is full featured, multi-threaded, queue-based,
>>> supports
>>>> multiple targets, and requires the use of a SOCKS proxy for
>>>> anonymization. Via Tor, inundator is capable of generating
>>> around
>>>> 1000 false positives per minute. Via a high-bandwidth SOCKS
>>> proxy,
>>>> you might be able to generate ten times that amount.
>>>>
>>>> The general idea is one would launch inundator prior to
>starting
>>> an
>>>> attack, allow it to run during the attack, and continue to run
>>> it a
>>>> while longer after you've accomplished the attack. The goal,
>of
>>>> course, is to generate an overwhelming number of false
>positives
>>> so
>>>> that your real attack is essentially buried within the other
>>>> alerts, minimizing the chance of your attack being detected.
>It
>>>> could also be used to ruin an IDS analyst's day, or keep an
>>>> organization's infosec department busy for a while. I suppose
>it
>>>> could also be used to test the effectiveness of an IDS, but
>no,
>>> not
>>>> really.
>>>>
>>>> inundator is implemented in Perl (version >= 5.10 is
>recommended
>>>> due to ithreads bugs in previous versions), and has been
>tested
>>> on
>>>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and
>Mac
>>> OS
>>>> X against Snort v2.8.5.2. It is presumed to work on all POSIX
>>>> operating systems. Hell, it might even work on Windows.
>>>>
>>>> /epixoip.
>>>>
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0
wpwEAQMCAAYFAkwyoQoACgkQacHgESW3wZoLBgP+PbxGwDMzuS0OSDJYiStD/YokjxCE
THV+banN8SdnYxfft7vgDlhNoXJlyE61wULSy1G4zuUCJT8+Ow78uxd6BMkmbt3F25pJ
xrZsu8lgBm3m24vIqNmHwbvif2BOxMqiBwHlVBaQURXyH2RITLInmRmorTyvq4lxGPW5
xhdJc1A=
=Zdzn
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists