Message-Id: <B3E5DDCA-ED00-4AD1-9F83-7C28A5348E29@sekure.org>
Date: Tue, 6 Jul 2010 00:52:40 -0300
From: Nelson Brito <nbrito@...ure.org>
To: epixoip <epixoip@...h.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Tool] - inundator - an intrusion detection false positives generator.
If you don't deal well with criticism, don't send such a "31337" tool to a public mailing list, keep it just for your friends. I got your inundator and it looks like: "look mom, I did my first Perl script". No offense, kid! Okay... Keep studying and you're gonna learn more and more...
Just to let you know, because you're probably 2 years old and live in the jungle, here is the NNG and ENG post:
http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0397.html
Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/
Sent on an iPhone wireless device. Please, forgive any potential misspellings!
On Jul 6, 2010, at 12:20 AM, "epixoip" <epixoip@...h.com> wrote:
>
> On Mon, 05 Jul 2010 18:34:24 -0700 Nelson Brito <nbrito@...ure.org>
> wrote:
>> Thanks for the credits and keep doing the great work! Just for the
>> records: NNG is not a tool, it is just a PoC for the concept you
>> are just mimicking. Really creative!!! 8)
>
>
> Again, nobody has ever heard of this "NNG PoC" (which, by the way,
> you did call it a tool in your packetstorm description) until you
> started demanding we give you credit for your ground-breaking
> research into a decade-old topic. And again, as I've clearly
> highlighted, the only parallel between NNG and Inundator is we both
> generate false positives. Nothing new here, not even for NNG.
>
>
>> I will keep the right to be polite.
>
>
> That doesn't make you any less of a douche.
>
>
>> BTW, I don like my iPhone... 8)
>> Especially my apps for that one.
>
>
> Erm, okay?
>
>
>> Nelson Brito
>> Security Researcher
>> http://fnstenv.blogspot.com/
>>
>> Sent on an iPhone wireless device. Please, forgive any potential
>> misspellings!
>>
>> On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip@...h.com> wrote:
>>
>>>
>>> Oh, for fuck's sake...
>>>
>>> <acerbity>
>>>
>>> Wow, you've really called us out on this one. How embarrassing for us.
>>>
>>> Please accept our sincerest apologies, Mr. Brito. We now understand how phrases like "inundator is a modern twist on an old concept" and "Snot, fwsnort's snortspoof, and possibly others beat us to the punch" can be incredibly obtuse and largely indecipherable, requiring *at least* a third grade education for full comprehension. We accept full responsibility for failing to write this announcement with the lowest common denominator in mind, and promise to limit our vocabulary to only words found on http://simple.wikipedia.org in future posts.
>>>
>>> Also, thank you for taking the time to hi-jack our announcement by linking to your incredibly superior NNG tool. We failed to include it in our list of credits, and it brings us much shame. Please excuse us while we prepare for Seppuku.
>>>
>>> </acerbity>
>>>
>>> To set the record straight right up front, we never stated this was an original idea. In fact, we clearly stated this was *NOT* an original idea. And we *DID,* in fact, credit SNOT -- and fwsnort's snortspoof as well -- even though we discovered them after we had already begun working on Inundator. We didn't credit IDSwakeup, because while IDSwakeup is kind of cool, it uses a static set of payloads to generate the false positives, and we use a dynamic set. We thought parsing Snort's rules files to dynamically build attack payloads was at least original, but when we learned otherwise, we credited the only other two apps we could find that did something similar: SNOT and snortspoof. So we're definitely going out of our way here to give credit where credit is due, even though we had no knowledge of these applications when we thought of the concept. Again, all of this was clearly explained in plain English.
>>>
>>> Now then, back to you.
>>>
>>> At first I presumed you were just a self-important moron who
>>> couldn't be bothered to actually read the full text of the
>>> announcement before crafting your witty reply on your iPhone and
>>> publicly embarrassing yourself on four separate mailing lists
>>> concurrently. That is until I paid a visit to your outstanding
>>> little blog, and realized that not only are you a self-important
>>> queef, but you're also a little fucking crybaby who wants credit
>>> and attention for every original thought you didn't have.
>>>
>>> As we can clearly see from your blog, "ANY INFORMATION TAKEN FROM THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK TO THE ORIGINAL ARTICLE." This must mean you observed some parallel between NNG and Inundator, and thus feel we should be giving you some sort of credit and a backlink (although I suppose the backlink has already been covered by you douching all over this thread.) Let's see what sort of parallels could possibly exist between NNG and Inundator:
>>>
>>> From http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html:
>>>
>>> "Description: NNG is a tool that creates crafted packets to cause MS02-039 false-positives against IPS/IDS. NNG does not have the same approach used by Snot and Stick, where the main goal is DoSing the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to have the leakage of real attack.
>>>
>>> "Author: Nelson Brito"
>>>
>>> First of all, I don't think SNOT's main goal was to DoS the IPS, as you so cleverly state. Second, I have no fucking clue what "NNG tries to make IPS/IDS 'numbed' enough to have the leakage of real attack" is even supposed to mean. I see some English words there, but that sentence means fuck-all.
>>>
>>> So from what I can gather, your little tool is capable of sending a single packet mimicking MS02-039. Bra-fucking-vo, how innovative. So it isn't multi-threaded, no attempt is made to send the attack anonymously, you're using a single static payload, and you essentially have little to no user configuration at all. What's the point? I actually have no idea what the actual goal of NNG is, other than to serve as a POC for why pattern matching is full of fail. But then again, that's something we've known for over a decade (although I see you still give presentations on the topic as if it were both new and original), so again -- what is the point of NNG? Even snortspoof, though dated and pretty much useless by today's standards, is vastly more impressive than NNG, as it at least makes an attempt to anonymize attacks and dynamically parses an array of signatures to generate an attack instead of hard-coding ONE payload. Who are you giving credit to for NNG, by the way? Oh that's right -- yourself, even though there is literally nothing original about NNG. By the way, I like how you have a file named "Authors" in the NNG source tarball, where you list yourself and your contact information twice.
>>>
>>> Your pathetic piece of shit doesn't even come close to what Inundator does, so why the fuck would we give NNG credit? Were you so disillusioned by your own self-importance that you honestly saw a parallel between NNG and Inundator? Or perhaps you were just trying to drive traffic to your little piece of shit by linking everyone to it after trying to make yourself look superior? No, I honestly think your cunt started aching at the thought of us crediting SNOT and snortspoof, but not NNG. Reality is a bitch, huh.
>>>
>>> Here's my advice to you, Mr. Brito: slap some vagisil on your
>>> aching pussy and shut the fuck up. Nobody has heard of you, and
>>> nobody has heard of NNG. Get over yourself.
>>>
>>>
>>> Oh, and Inundator is still available at
>>> http://inundator.sourceforge.net/
>>>
>>>
>>> Stay classy,
>>> /epixoip.
>>>
>>>
>>> On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito <nbrito@...ure.org> wrote:
>>>> That is not new and you should give the credits, not just for NNG (http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html), but you are missing STICK, SNOT and IDSWAKEUP as well.
>>>>
>>>> Nelson Brito
>>>> Security Researcher
>>>> http://fnstenv.blogspot.com/
>>>>
>>>> Sent on an iPhone wireless device. Please, forgive any potential misspellings!
>>>>
>>>> On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip@...h.com> wrote:
>>>>
>>>>>
>>>>> homepage: http://inundator.bindshell.nl/
>>>>> deb repo: deb http://inundator.sourceforge.net/repo/ all/
>>>>> gpg key : http://inundator.sourceforge.net/inundator.asc
>>>>>
>>>>> Announcing the release of inundator v0.5!
>>>>>
>>>>> inundator is a modern twist on an old concept -- it's an IDS/IPS/WAF evasion tool, used to anonymously flood intrusion detection systems with false positives in order to obfuscate a real attack. inundator leverages the vagueness and poor quality of Snort's rules files to generate completely harmless packets / HTTP requests that contain just enough keywords to trigger a false positive. We thought this was an original idea, but it looks like Snot, fwsnort's snortspoof, and possibly others beat us to the punch. However, these tools were developed around the turn of the century, are quite dated and well-forgotten, and overall quite inferior to inundator.
>>>>>
>>>>> inundator is full featured, multi-threaded, queue-based, supports multiple targets, and requires the use of a SOCKS proxy for anonymization. Via Tor, inundator is capable of generating around 1000 false positives per minute. Via a high-bandwidth SOCKS proxy, you might be able to generate ten times that amount.
>>>>>
>>>>> The general idea is one would launch inundator prior to starting an attack, allow it to run during the attack, and continue to run it a while longer after you've accomplished the attack. The goal, of course, is to generate an overwhelming number of false positives so that your real attack is essentially buried within the other alerts, minimizing the chance of your attack being detected. It could also be used to ruin an IDS analyst's day, or keep an organization's infosec department busy for a while. I suppose it could also be used to test the effectiveness of an IDS, but no, not really.
>>>>>
>>>>> inundator is implemented in Perl (version >= 5.10 is recommended due to ithreads bugs in previous versions), and has been tested on Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac OS X against Snort v2.8.5.2. It is presumed to work on all POSIX operating systems. Hell, it might even work on Windows.
>>>>>
>>>>> /epixoip.
>>>>>
>
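The announcement quoted in this thread describes a noise generator that trips many unrelated Snort signatures from one source so that a real attack is buried in the alert stream. The script below is an added example for the defender's side of that problem; it is not code from this thread, from inundator, or from any of the tools named here. It parses Snort "fast" alert lines, flags a source whose alert volume and signature diversity both look like a rules-file-driven flood, and returns the alerts that remain once that source is set aside, which is what an analyst should look at first. The sample alert lines, SIDs, rule messages and addresses are constructed, and the thresholds are assumptions to tune per sensor.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Pattern for Snort's "fast" alert output (one alert per line), e.g.
#   07/05-18:34:24.000000  [**] [1:1000:1] MSG [**] [Classification: X] [Priority: 2] {TCP} 10.0.0.5:40000 -> 192.168.1.10:80
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    prio: int
    src: str
    dst: str


def parse_fast_alert(line):
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], int(m["prio"]), m["src"], m["dst"])


def flood_sources(alerts, min_alerts=20, min_distinct_sids=10):
    """Sources whose alert volume AND signature diversity both exceed the thresholds.

    A rules-file-driven noise generator trips many unrelated signatures from one
    source, so high diversity is what separates it from a genuine scanner that
    tends to hit a handful of rules repeatedly. Threshold values are assumptions.
    """
    volume = Counter(a.src for a in alerts)
    sids_by_src = defaultdict(set)
    for a in alerts:
        sids_by_src[a.src].add(a.sid)
    return {
        src for src, n in volume.items()
        if n >= min_alerts and len(sids_by_src[src]) >= min_distinct_sids
    }


def triage(lines, **thresholds):
    """Split a batch of alert lines into (flood_sources, remaining_alerts).

    remaining_alerts is everything not attributable to a flood source, sorted
    highest priority (lowest number) first.
    """
    alerts = [a for a in map(parse_fast_alert, lines) if a is not None]
    floods = flood_sources(alerts, **thresholds)
    remaining = sorted((a for a in alerts if a.src not in floods), key=lambda a: a.prio)
    return floods, remaining


def constructed_sample():
    """Constructed sample alert log (not real traffic): one source firing 60
    alerts across 30 distinct SIDs, plus three alerts from a second source
    and one non-alert line that the parser must skip."""
    lines = []
    for i in range(60):
        sid = 1000 + (i % 30)
        lines.append(
            f"07/05-18:34:{i % 60:02d}.000000  [**] [1:{sid}:1] CONSTRUCTED RULE {sid} [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] {{TCP}} "
            f"10.0.0.5:{40000 + i} -> 192.168.1.10:80"
        )
    lines += [
        "07/05-18:34:10.000000  [**] [1:2000:3] CONSTRUCTED web app probe [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51000 -> 192.168.1.10:80",
        "07/05-18:34:12.000000  [**] [1:2001:2] CONSTRUCTED directory traversal [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51001 -> 192.168.1.10:80",
        "07/05-18:34:40.000000  [**] [1:2002:1] CONSTRUCTED login brute force [**] "
        "[Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 203.0.113.7:51002 -> 192.168.1.10:22",
        "this line is not an alert and is skipped",
    ]
    return lines


if __name__ == "__main__":
    floods, remaining = triage(constructed_sample())
    print("flood sources:", sorted(floods))
    for a in remaining:
        print(f"[prio {a.prio}] {a.ts} {a.src} -> {a.dst} sid={a.sid} {a.msg}")
```

Volume alone is a weak signal, since a legitimate scanner or a misconfigured client also produces many alerts; the distinct-SID count is what distinguishes a generator that walks the whole rules file. Because the announcement says the tool is run through Tor or a SOCKS proxy, the flooding source seen by the sensor will often be an exit node rather than the attacker, so the set returned by `flood_sources` is a set of addresses to de-prioritise in triage, not a list of attackers.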
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/