lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 05 Jul 2010 21:01:42 -0700
From: "epixoip" <epixoip@...h.com>
To: nbrito@...ure.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Tool] - inundator - an intrusion detection
	false positives generator.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 05 Jul 2010 19:02:12 -0700 Nelson Brito <nbrito@...ure.org>
wrote:

>One more thing, just for the records and being polite: nobody
>works on such "bad idea" anymore...

Somehow you've gone from "you stole my idea and you need to give me
credit, and here's the download link" to "well, it's a bad idea and
nobody does it anymore." Your tool (which you now claim isn't a
tool) was just released 20 months ago -- six to eight years after
tools like Snot and IDSwakeup were released, and far less effective
than those tools. So what you're essentially saying here is your
own work was irrelevant. Well, at least you admit it.

>Why? Because doesn't make any sense you doing so many noise to
evade
>an IPS.

Ah, I see. You're using reverse psychology. The tool doesn't make
any sense, so why not go ahead and throw a little credit your way,
right? Honestly, I couldn't care less what your "professional"
opinion is, and I still refuse to credit your work. I will,
however, continue to give full credit to tools like Snot and
snortspoof, regardless of their post-development discovery.

>There much more effectiveness ways to do it without "scream
>wolf", little boy.

Of course there are more effective techniques for IDS evasion, and
there's nothing stopping you from employing those techniques as
well, especially in tandem with Inundator. I guess that thought
never crossed your mind. If you decide to use that idea though, I
demand you give me full credit and prove a backlink to this post.


>Best regards.
>
>PS: Keep playing with "incubator"


I'm not entirely sure how calling it 'incubator' is an insult, but
I suppose I'll pretend to be insulted.


> and let the real work for the pros.


And what sort of "real work" might you be doing? I'm curious to
know what sort of "pro work" one with "12 years of experience in
high-tek" does. Perhaps you're working on your "PATENT PENDING"
ENG++?

By the way, here's a shell script to replace NNG:

while [ 1 ]; do
    printf
"\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E\n" |
nc -v $1 1434
done

Again, if you're going to use that, you must give me full credit
and provide a backlink to this post. I'm super duper serious.


>Nelson Brito
>Security Researcher
>http://fnstenv.blogspot.com/
>
>Sent on an  iPhone wireless device. Please, forgive any potential
>misspellings!
>
>On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip@...h.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>>
>> Oh, for fuck's sake...
>>
>> <acerbity>
>>
>> Wow, you've really called us out on this one. How embarrassing
>for
>> us.
>>
>> Please accept our sincerest apologies, Mr. Brito. We now
>understand
>> how phrases like "inundator is a modern twist on an old concept"
>> and "Snot, fwsnort's snortspoof, and possibly others beat us to
>the
>> punch" can be incredibly obtuse and largely indecipherable,
>> requiring *at least* a third grade education for full
>> comprehension. We accept full responsibility for failing to
>write
>> this announcement with the lowest common denominator in mind,
>and
>> promise to limit our vocabulary to only words found on
>> http://simple.wikipedia.org in future posts.
>>
>> Also, thank you for taking the time to hi-jack our announcement
>by
>> linking to your incredibly superior NNG tool. We failed to
>include
>> it in our list of credits, and it brings us much shame. Please
>> excuse us while we prepare for Seppuku.
>>
>> </acerbity>
>>
>> To set the record straight right up front, we never stated this
>was
>> an original idea. In fact, we clearly stated this was *NOT* an
>> original idea. And we *DID,* in fact, credit SNOT -- and
>fwsnort's
>> snortspoof as well -- even though we discovered them after we
>had
>> already begun working on Inundator. We didn't credit IDSwakeup,
>> because while IDSwakeup is kind of cool, it uses a static set
>> payloads to generate the false positives, and we use a dynamic
>set.
>> We thought parsing Snort's rules files to dynamically build
>attack
>> payloads was at least original, but when we learned otherwise,
>we
>> credited the only other two apps we could find that did
>something
>> similar: SNOT and snortspoof. So we're definitely going out of
>our
>> way here to give credit where credit is due, even though we had
>no
>> knowledge of these applications when we thought of the concept.
>> Again, all of this was clearly explained in plain English.
>>
>> Now then, back to you.
>>
>> At first I presumed you were just a self-important moron who
>> couldn't be bothered to actually read the full text of the
>> announcement before crafting your witty reply on your iPhone and
>> publicly embarrassing yourself on four separate mailing lists
>> concurrently. That is until I paid a visit to your outstanding
>> little blog, and realized that not only are you a self-important
>> queef, but you're also a little fucking crybaby who wants credit
>> and attention for every original thought you didn't have.
>>
>> As we can clearly see from your blog, "ANY INFORMATION TAKEN
>FROM
>> THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK
>TO
>> THE ORIGINAL ARTICLE." This must mean you observed some parallel
>> between NNG and Inundator, and thus feel we should be giving you
>> some sort of credit and a backlink (although I suppose the
>backlink
>> has already been covered by you douching all over this thread.)
>> Let's see what sort of parallels could possibly exist between
>NNG
>> and Inundator:
>>
>> From http://packetstormsecurity.org/filedesc/nng-4.13r-
>> public.rar.html:
>>
>> "Description: NNG is a tool that creates crafted packets to
>cause
>> MS02-039 false-positives against IPS/IDS. NNG does not have the
>> same approach used by Snot and Stick, where the main goal is
>DoSing
>> the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to
>have
>> the leakage of real attack.
>>
>> "Author: Nelson Brito"
>>
>> First of all, I don't think SNOT's main goal was to DoS the IPS,
>as
>> you so cleverly state. Second, I have no fucking clue what "NNG
>> tries to make IPS/IDS 'numbed' enough to have the leakage of
>real
>> attack" is even supposed to mean. I see some English words
>there,
>> but that sentence means fuck-all.
>>
>> So from what I can gather, your little tool is capable of send a
>> single packet mimicking MS02-039. Bra-fucking-vo, how
>innovative.
>> So it isn't multi-threaded, no attempt is made to send the
>attack
>> anonymously, you're using a single static payload, and you
>> essentially have little to no user configuration at all. What's
>the
>> point? I actually have no idea what the actual goal of NNG is,
>> other than to serve as a POC for why pattern matching is full of
>> fail. But then again, that's something we've known for over a
>> decade (although I see you still give presentations on the topic
>as
>> if it were both new and original), so again -- what is the point
>of
>> NNG? Even snortspoof, though dated and pretty much useless by
>> today's standards, is vastly more impressive than NNG, as it at
>> least makes an attempt to anonymize attacks and dynamically
>parses
>> an array of signatures to generate an attack instead of hard-
>coding
>> ONE payload. Who are you giving credit to for NNG, by the way?
>Oh
>> that's right -- yourself, even though there is literally nothing
>> original about NNG. By the way, I like how you have a file named
>> "Authors" in the NNG source tarball, where you list yourself and
>> your contact information twice.
>>
>> Your pathetic piece of shit doesn't even come close to what
>> Inundator does, so why the fuck would we give NNG credit? Were
>you
>> so disillusioned by your own self-importance that you honestly
>saw
>> a parallel between NNG and Inundator? Or perhaps you were just
>> trying to drive traffic to your little piece of shit by linking
>> everyone to it after trying to make yourself look superior? No,
>I
>> honestly think your cunt start aching at the thought of us
>> crediting SNOT and snortspoof, but not NNG. Reality is a bitch,
>huh.
>>
>> Here's my advice to you, Mr. Brito: slap some vagisil on your
>> aching pussy and shut the fuck up. Nobody has heard of you, and
>> nobody has heard of NNG. Get over yourself.
>>
>>
>> Oh, and Inundator is still available at
>> http://inundator.sourceforge.net/
>>
>>
>> Stay classy,
>> /epixoip.
>>
>>
>> On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito
><nbrito@...ure.org>
>> wrote:
>>> That is not new and you should give the credits, not just for
>NNG
>>> (http://packetstormsecurity.org/filedesc/nng-4.13r-
>>> public.rar.html), but you are missing STICK, SNOT and and
>>> IDSWAKEUP as well.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Sent on an  iPhone wireless device. Please, forgive any
>potential
>>> misspellings!
>>>
>>> On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip@...h.com>
>wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>>
>>>>
>>>> homepage: http://inundator.bindshell.nl/
>>>> deb repo: deb http://inundator.sourceforge.net/repo/ all/
>>>> gpg key : http://inundator.sourceforge.net/inundator.asc
>>>>
>>>> Announcing the release of inundator v0.5!
>>>>
>>>> inundator is a modern twist on an old concept -- it's an
>>>> IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
>>>> detection systems with false positives in order to obfuscate a
>>> real
>>>> attack. inundator leverages the vagueness and poor quality of
>>>> Snort's rules files to generate completely harmless packets /
>>> HTTP
>>>> requests that contain just enough keywords to trigger a false
>>>> positive. We thought this was an original idea, but it looks
>>> like
>>>> Snot, fwsnort's snortspoof, and possibly others beat us to the
>>>> punch. However, these tools were developed around the turn of
>>> the
>>>> century, are quite dated and well-forgotten, and overall quite
>>>> inferior to inundator.
>>>>
>>>> inundator is full featured, multi-threaded, queue-based,
>>> supports
>>>> multiple targets, and requires the use of a SOCKS proxy for
>>>> anonymization. Via Tor, inundator is capable of generating
>>> around
>>>> 1000 false positives per minute. Via a high-bandwidth SOCKS
>>> proxy,
>>>> you might be able to generate ten times that amount.
>>>>
>>>> The general idea is one would launch inundator prior to
>starting
>>> an
>>>> attack, allow it to run during the attack, and continue to run
>>> it a
>>>> while longer after you've accomplished the attack. The goal,
>of
>>>> course, is to generate an overwhelming number of false
>positives
>>> so
>>>> that your real attack is essentially buried within the other
>>>> alerts, minimizing the chance of your attack being detected.
>It
>>>> could also be used to ruin an IDS analyst's day, or keep an
>>>> organization's infosec department busy for a while. I suppose
>it
>>>> could also be used to test the effectiveness of an IDS, but
>no,
>>> not
>>>> really.
>>>>
>>>> inundator is implemented in Perl (version >= 5.10 is
>recommended
>>>> due to ithreads bugs in previous versions), and has been
>tested
>>> on
>>>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and
>Mac
>>> OS
>>>> X against Snort v2.8.5.2. It is presumed to work on all POSIX
>>>> operating systems. Hell, it might even work on Windows.
>>>>
>>>> /epixoip.
>>>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Charset: UTF8
>> Note: This signature can be verified at
>https://www.hushtools.com/verify
>> Version: Hush 3.0
>>
>>
>wpwEAQMCAAYFAkwyYxEACgkQacHgESW3wZrghAQAoaUr7ZCmRKhpVs86cvXCHphwB/V
>9
>>
>XCmQFCodPp6puHkCe0KqonLXBLCrW92qjVObOxW8TYlb56JKrZs0EV/jGLKUSrlcfgh
>7
>>
>0/UMwH/vAL0C+PowgHuWFZSGSpLsKk5vUC+9YrKz0/oRkCVj4Ypks6Rd+VAUetzuNIe
>T
>> W60Z6o0=
>> =uHzo
>> -----END PGP SIGNATURE-----
>>
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkwyqqYACgkQacHgESW3wZq22gP7Bisp36Tfco5+nvNFHBKYyxd7EW8a
4wQxbya29L3BxP7fF+V/hqlNQbdEPOeW6EnpPh71laO9PSl7jsPJsGdyLRE51JAcRoxp
UXr+d6VPf5lbQ6E7KHLPvtd33+HPA8nBgfY+uD/uqt3qda2o8xihefx2rnKGPqI1jKE8
r6Hha9g=
=nPAL
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ