Message-Id: <2C53E83B-D1AD-4EA7-BA42-BBD162184007@sekure.org>
Date: Tue, 6 Jul 2010 01:20:29 -0300
From: Nelson Brito <nbrito@...ure.org>
To: epixoip <epixoip@...h.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Tool] - inundator - an intrusion detection false positives generator.

http://www.networksecurityarchive.org/html/Snort-Signatures/2008-09/msg00007.html

People know about this... Even before you've learned Perl!

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Sent on an  iPhone wireless device. Please, forgive any potential misspellings!

On Jul 6, 2010, at 1:12 AM, "epixoip" <epixoip@...h.com> wrote:

> On Mon, 05 Jul 2010 20:52:40 -0700 Nelson Brito <nbrito@...ure.org>
> wrote:
>> If you don't deal well with criticism, don't send such "31337"
>> tool to a public mailing list, keep it just for your friends.
> 
> Criticism? All you did was demand credit for work nobody has even
> heard of, much less cared about.
> 
> 
>> I
>> got you incubator and it looks like: "look mom, I did my first
>> Perl script". No offense, kid! Okay... Keep studying and you're
>> gonna learn more and more...
> 
> Heh. I'm not even sure where to begin with this one, so I won't.
> 
> 
>> 
>> Just to let you know, because you're probably 2 years old and live
>> in the jungle,
> 
> Oh, snap!
> 
>> here is the NNG and ENG post:
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0397.html
> 
> Wow, you are far more self-important than I ever gave you credit
> for.
> 
> This will be my last reply on this thread, by the way, I'm going to
> go ahead and kill it here. Anyone reading this thread can clearly
> see just how desperate you are to make yourself look good and make
> your name known, and the last thing I want to do is give more
> attention to an attention whore.
> 
> 
>> Nelson Brito
>> Security Researcher
>> http://fnstenv.blogspot.com/
>> 
>> Sent on an  iPhone wireless device. Please, forgive any potential
>> misspellings!
>> 
>> On Jul 6, 2010, at 12:20 AM, "epixoip" <epixoip@...h.com> wrote:
>> 
>>> On Mon, 05 Jul 2010 18:34:24 -0700 Nelson Brito
>> <nbrito@...ure.org>
>>> wrote:
>>>> Thanks for the credits and keep doing the great work! Just for
>> the
>>>> records: NNG is not a tool, it is just a PoC for the concept
>> you
>>>> are just mimicking. Really creative!!! 8)
>>> 
>>> 
>>> Again, nobody has ever heard of this "NNG PoC" (which, by the
>> way,
>>> you did call it a tool in your packetstorm description) until
>> you
>>> started demanding we give you credit for your ground-breaking
>>> research into a decade-old topic. And again, as I've clearly
>>> highlighted, the only parallel between NNG and Inundator is we
>> both
>>> generate false positives. Nothing new here, not even for NNG.
>>> 
>>> 
>>>> I will keep me the right to be polite.
>>> 
>>> 
>>> That doesn't make you any less of a douche.
>>> 
>>> 
>>>> BTW, I don like my iPhone... 8)
>>>> Specially my apps for that one.
>>> 
>>> 
>>> Erm, okay?
>>> 
>>> 
>>>> Nelson Brito
>>>> Security Researcher
>>>> http://fnstenv.blogspot.com/
>>>> 
>>>> Sent on an  iPhone wireless device. Please, forgive any
>> potential
>>>> misspellings!
>>>> 
>>>> On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip@...h.com> wrote:
>>>> 
>>>>> Oh, for fuck's sake...
>>>>> 
>>>>> <acerbity>
>>>>> 
>>>>> Wow, you've really called us out on this one. How embarrassing
>>>> for
>>>>> us.
>>>>> 
>>>>> Please accept our sincerest apologies, Mr. Brito. We now
>>>> understand
>>>>> how phrases like "inundator is a modern twist on an old
>> concept"
>>>>> and "Snot, fwsnort's snortspoof, and possibly others beat us
>> to
>>>> the
>>>>> punch" can be incredibly obtuse and largely indecipherable,
>>>>> requiring *at least* a third grade education for full
>>>>> comprehension. We accept full responsibility for failing to
>>>> write
>>>>> this announcement with the lowest common denominator in mind,
>>>> and
>>>>> promise to limit our vocabulary to only words found on
>>>>> http://simple.wikipedia.org in future posts.
>>>>> 
>>>>> Also, thank you for taking the time to hi-jack our
>> announcement
>>>> by
>>>>> linking to your incredibly superior NNG tool. We failed to
>>>> include
>>>>> it in our list of credits, and it brings us much shame. Please
>>>>> excuse us while we prepare for Seppuku.
>>>>> 
>>>>> </acerbity>
>>>>> 
>>>>> To set the record straight right up front, we never stated
>> this
>>>> was
>>>>> an original idea. In fact, we clearly stated this was *NOT* an
>>>>> original idea. And we *DID,* in fact, credit SNOT -- and
>>>> fwsnort's
>>>>> snortspoof as well -- even though we discovered them after we
>>>> had
>>>>> already begun working on Inundator. We didn't credit
>> IDSwakeup,
>>>>> because while IDSwakeup is kind of cool, it uses a static set of
>>>>> payloads to generate the false positives, and we use a dynamic
>>>> set.
>>>>> We thought parsing Snort's rules files to dynamically build
>>>> attack
>>>>> payloads was at least original, but when we learned otherwise,
>>>> we
>>>>> credited the only other two apps we could find that did
>>>> something
>>>>> similar: SNOT and snortspoof. So we're definitely going out of
>>>> our
>>>>> way here to give credit where credit is due, even though we
>> had
>>>> no
>>>>> knowledge of these applications when we thought of the
>> concept.
>>>>> Again, all of this was clearly explained in plain English.
>>>>> 
>>>>> Now then, back to you.
>>>>> 
>>>>> At first I presumed you were just a self-important moron who
>>>>> couldn't be bothered to actually read the full text of the
>>>>> announcement before crafting your witty reply on your iPhone
>> and
>>>>> publicly embarrassing yourself on four separate mailing lists
>>>>> concurrently. That is until I paid a visit to your outstanding
>>>>> little blog, and realized that not only are you a self-important
>>>>> queef, but you're also a little fucking crybaby who wants
>> credit
>>>>> and attention for every original thought you didn't have.
>>>>> 
>>>>> As we can clearly see from your blog, "ANY INFORMATION TAKEN
>>>> FROM
>>>>> THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A
>> BACKLINK
>>>> TO
>>>>> THE ORIGINAL ARTICLE." This must mean you observed some
>> parallel
>>>>> between NNG and Inundator, and thus feel we should be giving
>> you
>>>>> some sort of credit and a backlink (although I suppose the
>>>> backlink
>>>>> has already been covered by you douching all over this
>> thread.)
>>>>> Let's see what sort of parallels could possibly exist between
>>>> NNG
>>>>> and Inundator:
>>>>> 
>>>>> From http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html:
>>>>> 
>>>>> "Description: NNG is a tool that creates crafted packets to
>>>> cause
>>>>> MS02-039 false-positives against IPS/IDS. NNG does not have
>> the
>>>>> same approach used by Snot and Stick, where the main goal is
>>>> DoSing
>>>>> the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to
>>>> have
>>>>> the leakage of real attack.
>>>>> 
>>>>> "Author: Nelson Brito"
>>>>> 
>>>>> First of all, I don't think SNOT's main goal was to DoS the
>> IPS,
>>>> as
>>>>> you so cleverly state. Second, I have no fucking clue what
>> "NNG
>>>>> tries to make IPS/IDS 'numbed' enough to have the leakage of
>>>> real
>>>>> attack" is even supposed to mean. I see some English words
>>>> there,
>>>>> but that sentence means fuck-all.
>>>>> 
>>>>> So from what I can gather, your little tool is capable of sending a
>>>>> single packet mimicking MS02-039. Bra-fucking-vo, how
>>>> innovative.
>>>>> So it isn't multi-threaded, no attempt is made to send the
>>>> attack
>>>>> anonymously, you're using a single static payload, and you
>>>>> essentially have little to no user configuration at all.
>> What's
>>>> the
>>>>> point? I actually have no idea what the actual goal of NNG is,
>>>>> other than to serve as a POC for why pattern matching is full
>> of
>>>>> fail. But then again, that's something we've known for over a
>>>>> decade (although I see you still give presentations on the
>> topic
>>>> as
>>>>> if it were both new and original), so again -- what is the
>> point
>>>> of
>>>>> NNG? Even snortspoof, though dated and pretty much useless by
>>>>> today's standards, is vastly more impressive than NNG, as it
>> at
>>>>> least makes an attempt to anonymize attacks and dynamically
>>>> parses
>>>>> an array of signatures to generate an attack instead of hard-coding
>>>>> ONE payload. Who are you giving credit to for NNG, by the way?
>>>> Oh
>>>>> that's right -- yourself, even though there is literally
>> nothing
>>>>> original about NNG. By the way, I like how you have a file
>> named
>>>>> "Authors" in the NNG source tarball, where you list yourself
>> and
>>>>> your contact information twice.
>>>>> 
>>>>> Your pathetic piece of shit doesn't even come close to what
>>>>> Inundator does, so why the fuck would we give NNG credit? Were
>>>> you
>>>>> so disillusioned by your own self-importance that you honestly
>>>> saw
>>>>> a parallel between NNG and Inundator? Or perhaps you were just
>>>>> trying to drive traffic to your little piece of shit by
>> linking
>>>>> everyone to it after trying to make yourself look superior?
>> No,
>>>> I
>>>>> honestly think your cunt start aching at the thought of us
>>>>> crediting SNOT and snortspoof, but not NNG. Reality is a
>> bitch,
>>>> huh.
>>>>> 
>>>>> Here's my advice to you, Mr. Brito: slap some vagisil on your
>>>>> aching pussy and shut the fuck up. Nobody has heard of you,
>> and
>>>>> nobody has heard of NNG. Get over yourself.
>>>>> 
>>>>> 
>>>>> Oh, and Inundator is still available at
>>>>> http://inundator.sourceforge.net/
>>>>> 
>>>>> 
>>>>> Stay classy,
>>>>> /epixoip.
>>>>> 
>>>>> 
>>>>> On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito
>>>> <nbrito@...ure.org>
>>>>> wrote:
>>>>>> That is not new and you should give the credits, not just for
>>>> NNG
>>>>>> (http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html),
>>>>>> but you are missing STICK, SNOT and IDSWAKEUP as well.
>>>>>> 
>>>>>> Nelson Brito
>>>>>> Security Researcher
>>>>>> http://fnstenv.blogspot.com/
>>>>>> 
>>>>>> Sent on an  iPhone wireless device. Please, forgive any
>>>> potential
>>>>>> misspellings!
>>>>>> 
>>>>>> On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip@...h.com>
>>>> wrote:
>>>>>> 
>>>>>>> homepage: http://inundator.bindshell.nl/
>>>>>>> deb repo: deb http://inundator.sourceforge.net/repo/ all/
>>>>>>> gpg key : http://inundator.sourceforge.net/inundator.asc
>>>>>>> 
>>>>>>> Announcing the release of inundator v0.5!
>>>>>>> 
>>>>>>> inundator is a modern twist on an old concept -- it's an
>>>>>>> IDS/IPS/WAF evasion tool, used to anonymously flood
>> intrusion
>>>>>>> detection systems with false positives in order to obfuscate
>> a
>>>>>> real
>>>>>>> attack. inundator leverages the vagueness and poor quality
>> of
>>>>>>> Snort's rules files to generate completely harmless packets
>> /
>>>>>> HTTP
>>>>>>> requests that contain just enough keywords to trigger a
>> false
>>>>>>> positive. We thought this was an original idea, but it looks
>>>>>> like
>>>>>>> Snot, fwsnort's snortspoof, and possibly others beat us to
>> the
>>>>>>> punch. However, these tools were developed around the turn
>> of
>>>>>> the
>>>>>>> century, are quite dated and well-forgotten, and overall
>> quite
>>>>>>> inferior to inundator.
>>>>>>> 
>>>>>>> inundator is full featured, multi-threaded, queue-based,
>>>>>> supports
>>>>>>> multiple targets, and requires the use of a SOCKS proxy for
>>>>>>> anonymization. Via Tor, inundator is capable of generating
>>>>>> around
>>>>>>> 1000 false positives per minute. Via a high-bandwidth SOCKS
>>>>>> proxy,
>>>>>>> you might be able to generate ten times that amount.
>>>>>>> 
>>>>>>> The general idea is one would launch inundator prior to
>>>> starting
>>>>>> an
>>>>>>> attack, allow it to run during the attack, and continue to
>> run
>>>>>> it a
>>>>>>> while longer after you've accomplished the attack. The goal,
>>>> of
>>>>>>> course, is to generate an overwhelming number of false
>>>> positives
>>>>>> so
>>>>>>> that your real attack is essentially buried within the other
>>>>>>> alerts, minimizing the chance of your attack being detected.
>>>> It
>>>>>>> could also be used to ruin an IDS analyst's day, or keep an
>>>>>>> organization's infosec department busy for a while. I
>> suppose
>>>> it
>>>>>>> could also be used to test the effectiveness of an IDS, but
>>>> no,
>>>>>> not
>>>>>>> really.
>>>>>>> 
>>>>>>> inundator is implemented in Perl (version >= 5.10 is
>>>> recommended
>>>>>>> due to ithreads bugs in previous versions), and has been
>>>> tested
>>>>>> on
>>>>>>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and
>>>> Mac
>>>>>> OS
>>>>>>> X against Snort v2.8.5.2. It is presumed to work on all
>> POSIX
>>>>>>> operating systems. Hell, it might even work on Windows.
>>>>>>> 
>>>>>>> /epixoip.
>>>>>>> 
>>> 
>>> 
> 
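
A defender-side view of the weakness the original announcement relies on (Snort rules vague enough that a few keywords trigger them), as an added example that is not part of this thread and is not code from inundator, NNG or Snort: it audits rule text for low-specificity content matches so they can be tightened. The sample rules, the 8-byte cut-off and all function names are constructed for illustration.

```python
import re

# Constructed sample rules for illustration; not taken from any real ruleset.
SAMPLE_RULES = r'''
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE admin probe"; content:"/admin"; nocase; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE cmd"; flow:to_server,established; content:"cmd"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE anchored"; flow:to_server,established; content:"POST /cgi-bin/example.cgi"; depth:25; content:"|0d 0a|X-Example: "; distance:0; pcre:"/X-Example: [0-9a-f]{32}/"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 1434 (msg:"EXAMPLE short bytes"; content:"|04|"; depth:1; sid:1000004; rev:1;)
'''
MIN_BYTES = 8  # assumed cut-off: fewer literal bytes than this is easy to hit by accident
POSITIONAL = ("depth", "offset", "distance", "within")

def content_len(value):
    """Byte length of a content string; |..| segments hold hex-encoded bytes."""
    total = 0
    for i, part in enumerate(value.split("|")):
        total += len(part.replace(" ", "")) // 2 if i % 2 else len(part)
    return total

def audit_rule(rule):
    """Return (sid, reasons); reasons is empty when the match looks specific."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    sid, nbytes, has_pcre, anchored = None, 0, False, False
    for opt in re.split(r"(?<!\\);", body):  # split options, keep escaped \;
        key, _, value = opt.strip().partition(":")
        value = value.strip().strip('"')
        if key == "sid":
            sid = int(value)
        elif key == "content":
            nbytes += content_len(value)
        elif key == "pcre":
            has_pcre = True
        elif key in POSITIONAL:
            anchored = True
    reasons = []
    if not has_pcre and nbytes < MIN_BYTES:
        reasons.append(f"only {nbytes} literal byte(s) in content matches")
    if not has_pcre and not anchored:
        reasons.append("content not anchored by position")
    return sid, reasons

def audit_rules(text):
    """Map sid -> reasons for every alert rule that looks easy to false-trigger."""
    results = (audit_rule(l) for l in text.splitlines() if l.startswith("alert"))
    return {sid: reasons for sid, reasons in results if reasons}

if __name__ == "__main__":
    for sid, reasons in audit_rules(SAMPLE_RULES).items():
        print(sid, "; ".join(reasons))
```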
