lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <CE8F1851-5282-4A7A-B0BC-B77CB3579C72@sekure.org>
Date: Mon, 5 Jul 2010 22:34:24 -0300
From: Nelson Brito <nbrito@...ure.org>
To: epixoip <epixoip@...h.com>
Cc: "focus-ids@...urityfocus.com" <focus-ids@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"pen-test@...urityfocus.com" <pen-test@...urityfocus.com>,
	"security-basics@...urityfocus.com" <security-basics@...urityfocus.com>
Subject: Re: [Tool] - inundator - an intrusion detection
	false positives generator.

Thanks for the credits and keep doing the great work! Just for the records: NNG is not a tool, it is just a PoC for the concept you are just mimicking. Really creative!!! 8)

I will keep me the right to be polite.

BTW, I don like my iPhone... 8)

Specially my apps for that one.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Sent on an  iPhone wireless device. Please, forgive any potential misspellings!

On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip@...h.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> 
> Oh, for fuck's sake...
> 
> <acerbity>
> 
> Wow, you've really called us out on this one. How embarrassing for
> us.
> 
> Please accept our sincerest apologies, Mr. Brito. We now understand
> how phrases like "inundator is a modern twist on an old concept"
> and "Snot, fwsnort's snortspoof, and possibly others beat us to the
> punch" can be incredibly obtuse and largely indecipherable,
> requiring *at least* a third grade education for full
> comprehension. We accept full responsibility for failing to write
> this announcement with the lowest common denominator in mind, and
> promise to limit our vocabulary to only words found on
> http://simple.wikipedia.org in future posts.
> 
> Also, thank you for taking the time to hi-jack our announcement by
> linking to your incredibly superior NNG tool. We failed to include
> it in our list of credits, and it brings us much shame. Please
> excuse us while we prepare for Seppuku.
> 
> </acerbity>
> 
> To set the record straight right up front, we never stated this was
> an original idea. In fact, we clearly stated this was *NOT* an
> original idea. And we *DID,* in fact, credit SNOT -- and fwsnort's
> snortspoof as well -- even though we discovered them after we had
> already begun working on Inundator. We didn't credit IDSwakeup,
> because while IDSwakeup is kind of cool, it uses a static set
> payloads to generate the false positives, and we use a dynamic set.
> We thought parsing Snort's rules files to dynamically build attack
> payloads was at least original, but when we learned otherwise, we
> credited the only other two apps we could find that did something
> similar: SNOT and snortspoof. So we're definitely going out of our
> way here to give credit where credit is due, even though we had no
> knowledge of these applications when we thought of the concept.
> Again, all of this was clearly explained in plain English.
> 
> Now then, back to you.
> 
> At first I presumed you were just a self-important moron who
> couldn't be bothered to actually read the full text of the
> announcement before crafting your witty reply on your iPhone and
> publicly embarrassing yourself on four separate mailing lists
> concurrently. That is until I paid a visit to your outstanding
> little blog, and realized that not only are you a self-important
> queef, but you're also a little fucking crybaby who wants credit
> and attention for every original thought you didn't have.
> 
> As we can clearly see from your blog, "ANY INFORMATION TAKEN FROM
> THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK TO
> THE ORIGINAL ARTICLE." This must mean you observed some parallel
> between NNG and Inundator, and thus feel we should be giving you
> some sort of credit and a backlink (although I suppose the backlink
> has already been covered by you douching all over this thread.)
> Let's see what sort of parallels could possibly exist between NNG
> and Inundator:
> 
> From http://packetstormsecurity.org/filedesc/nng-4.13r-
> public.rar.html:
> 
> "Description: NNG is a tool that creates crafted packets to cause
> MS02-039 false-positives against IPS/IDS. NNG does not have the
> same approach used by Snot and Stick, where the main goal is DoSing
> the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to have
> the leakage of real attack.
> 
> "Author: Nelson Brito"
> 
> First of all, I don't think SNOT's main goal was to DoS the IPS, as
> you so cleverly state. Second, I have no fucking clue what "NNG
> tries to make IPS/IDS 'numbed' enough to have the leakage of real
> attack" is even supposed to mean. I see some English words there,
> but that sentence means fuck-all.
> 
> So from what I can gather, your little tool is capable of send a
> single packet mimicking MS02-039. Bra-fucking-vo, how innovative.
> So it isn't multi-threaded, no attempt is made to send the attack
> anonymously, you're using a single static payload, and you
> essentially have little to no user configuration at all. What's the
> point? I actually have no idea what the actual goal of NNG is,
> other than to serve as a POC for why pattern matching is full of
> fail. But then again, that's something we've known for over a
> decade (although I see you still give presentations on the topic as
> if it were both new and original), so again -- what is the point of
> NNG? Even snortspoof, though dated and pretty much useless by
> today's standards, is vastly more impressive than NNG, as it at
> least makes an attempt to anonymize attacks and dynamically parses
> an array of signatures to generate an attack instead of hard-coding
> ONE payload. Who are you giving credit to for NNG, by the way? Oh
> that's right -- yourself, even though there is literally nothing
> original about NNG. By the way, I like how you have a file named
> "Authors" in the NNG source tarball, where you list yourself and
> your contact information twice.
> 
> Your pathetic piece of shit doesn't even come close to what
> Inundator does, so why the fuck would we give NNG credit? Were you
> so disillusioned by your own self-importance that you honestly saw
> a parallel between NNG and Inundator? Or perhaps you were just
> trying to drive traffic to your little piece of shit by linking
> everyone to it after trying to make yourself look superior? No, I
> honestly think your cunt start aching at the thought of us
> crediting SNOT and snortspoof, but not NNG. Reality is a bitch, huh.
> 
> Here's my advice to you, Mr. Brito: slap some vagisil on your
> aching pussy and shut the fuck up. Nobody has heard of you, and
> nobody has heard of NNG. Get over yourself.
> 
> 
> Oh, and Inundator is still available at
> http://inundator.sourceforge.net/
> 
> 
> Stay classy,
> /epixoip.
> 
> 
> On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito <nbrito@...ure.org>
> wrote:
>> That is not new and you should give the credits, not just for NNG
>> (http://packetstormsecurity.org/filedesc/nng-4.13r-
>> public.rar.html), but you are missing STICK, SNOT and and
>> IDSWAKEUP as well.
>> 
>> Nelson Brito
>> Security Researcher
>> http://fnstenv.blogspot.com/
>> 
>> Sent on an  iPhone wireless device. Please, forgive any potential
>> misspellings!
>> 
>> On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip@...h.com> wrote:
>> 
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>> 
>>> 
>>> 
>>> homepage: http://inundator.bindshell.nl/
>>> deb repo: deb http://inundator.sourceforge.net/repo/ all/
>>> gpg key : http://inundator.sourceforge.net/inundator.asc
>>> 
>>> Announcing the release of inundator v0.5!
>>> 
>>> inundator is a modern twist on an old concept -- it's an
>>> IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
>>> detection systems with false positives in order to obfuscate a
>> real
>>> attack. inundator leverages the vagueness and poor quality of
>>> Snort's rules files to generate completely harmless packets /
>> HTTP
>>> requests that contain just enough keywords to trigger a false
>>> positive. We thought this was an original idea, but it looks
>> like
>>> Snot, fwsnort's snortspoof, and possibly others beat us to the
>>> punch. However, these tools were developed around the turn of
>> the
>>> century, are quite dated and well-forgotten, and overall quite
>>> inferior to inundator.
>>> 
>>> inundator is full featured, multi-threaded, queue-based,
>> supports
>>> multiple targets, and requires the use of a SOCKS proxy for
>>> anonymization. Via Tor, inundator is capable of generating
>> around
>>> 1000 false positives per minute. Via a high-bandwidth SOCKS
>> proxy,
>>> you might be able to generate ten times that amount.
>>> 
>>> The general idea is one would launch inundator prior to starting
>> an
>>> attack, allow it to run during the attack, and continue to run
>> it a
>>> while longer after you've accomplished the attack. The goal, of
>>> course, is to generate an overwhelming number of false positives
>> so
>>> that your real attack is essentially buried within the other
>>> alerts, minimizing the chance of your attack being detected. It
>>> could also be used to ruin an IDS analyst's day, or keep an
>>> organization's infosec department busy for a while. I suppose it
>>> could also be used to test the effectiveness of an IDS, but no,
>> not
>>> really.
>>> 
>>> inundator is implemented in Perl (version >= 5.10 is recommended
>>> due to ithreads bugs in previous versions), and has been tested
>> on
>>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac
>> OS
>>> X against Snort v2.8.5.2. It is presumed to work on all POSIX
>>> operating systems. Hell, it might even work on Windows.
>>> 
>>> /epixoip.
>>> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 3.0
> 
> wpwEAQMCAAYFAkwyYxEACgkQacHgESW3wZrghAQAoaUr7ZCmRKhpVs86cvXCHphwB/V9
> XCmQFCodPp6puHkCe0KqonLXBLCrW92qjVObOxW8TYlb56JKrZs0EV/jGLKUSrlcfgh7
> 0/UMwH/vAL0C+PowgHuWFZSGSpLsKk5vUC+9YrKz0/oRkCVj4Ypks6Rd+VAUetzuNIeT
> W60Z6o0=
> =uHzo
> -----END PGP SIGNATURE-----
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ