| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Jul 2010 00:52:40 -0300 From: Nelson Brito <nbrito@...ure.org> To: epixoip <epixoip@...h.com> Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: Re: [Tool] - inundator - an intrusion detection false positives generator. If you don't deal well with criticism, don't send such "31337" tool to a public mailing list, keep it just for your friends. I got you incubator and it looks like: "look mom, I did my first Perl script". No offense, kid! Okay... Keep studying and you're gonna to learn more and more... Just to let you know, because you're probably 2 years old and live in the jungle, here is the NNG and ENG post: http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0397.html Nelson Brito Security Researcher http://fnstenv.blogspot.com/ Sent on an iPhone wireless device. Please, forgive any potential misspellings! On Jul 6, 2010, at 12:20 AM, "epixoip" <epixoip@...h.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Mon, 05 Jul 2010 18:34:24 -0700 Nelson Brito <nbrito@...ure.org> > wrote: >> Thanks for the credits and keep doing the great work! Just for the >> records: NNG is not a tool, it is just a PoC for the concept you >> are just mimicking. Really creative!!! 8) > > > Again, nobody has ever heard of this "NNG PoC" (which, by the way, > you did call it a tool in your packetstorm description) until you > started demanding we give you credit for your ground-breaking > research into a decade-old topic. And again, as I've clearly > highlighted, the only parallel between NNG and Inundator is we both > generate false positives. Nothing new here, not even for NNG. > > >> I will keep me the right to be polite. > > > That doesn't make you any less of a douche. > > >> BTW, I don like my iPhone... 8) >> Specially my apps for that one. > > > Erm, okay? > > >> Nelson Brito >> Security Researcher >> http://fnstenv.blogspot.com/ >> >> Sent on an iPhone wireless device. Please, forgive any potential >> misspellings! >> >> On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip@...h.com> wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> >>> Oh, for fuck's sake... >>> >>> <acerbity> >>> >>> Wow, you've really called us out on this one. How embarrassing >> for >>> us. >>> >>> Please accept our sincerest apologies, Mr. Brito. We now >> understand >>> how phrases like "inundator is a modern twist on an old concept" >>> and "Snot, fwsnort's snortspoof, and possibly others beat us to >> the >>> punch" can be incredibly obtuse and largely indecipherable, >>> requiring *at least* a third grade education for full >>> comprehension. We accept full responsibility for failing to >> write >>> this announcement with the lowest common denominator in mind, >> and >>> promise to limit our vocabulary to only words found on >>> http://simple.wikipedia.org in future posts. >>> >>> Also, thank you for taking the time to hi-jack our announcement >> by >>> linking to your incredibly superior NNG tool. We failed to >> include >>> it in our list of credits, and it brings us much shame. Please >>> excuse us while we prepare for Seppuku. >>> >>> </acerbity> >>> >>> To set the record straight right up front, we never stated this >> was >>> an original idea. In fact, we clearly stated this was *NOT* an >>> original idea. And we *DID,* in fact, credit SNOT -- and >> fwsnort's >>> snortspoof as well -- even though we discovered them after we >> had >>> already begun working on Inundator. We didn't credit IDSwakeup, >>> because while IDSwakeup is kind of cool, it uses a static set >>> payloads to generate the false positives, and we use a dynamic >> set. >>> We thought parsing Snort's rules files to dynamically build >> attack >>> payloads was at least original, but when we learned otherwise, >> we >>> credited the only other two apps we could find that did >> something >>> similar: SNOT and snortspoof. So we're definitely going out of >> our >>> way here to give credit where credit is due, even though we had >> no >>> knowledge of these applications when we thought of the concept. >>> Again, all of this was clearly explained in plain English. >>> >>> Now then, back to you. >>> >>> At first I presumed you were just a self-important moron who >>> couldn't be bothered to actually read the full text of the >>> announcement before crafting your witty reply on your iPhone and >>> publicly embarrassing yourself on four separate mailing lists >>> concurrently. That is until I paid a visit to your outstanding >>> little blog, and realized that not only are you a self-important >>> queef, but you're also a little fucking crybaby who wants credit >>> and attention for every original thought you didn't have. >>> >>> As we can clearly see from your blog, "ANY INFORMATION TAKEN >> FROM >>> THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK >> TO >>> THE ORIGINAL ARTICLE." This must mean you observed some parallel >>> between NNG and Inundator, and thus feel we should be giving you >>> some sort of credit and a backlink (although I suppose the >> backlink >>> has already been covered by you douching all over this thread.) >>> Let's see what sort of parallels could possibly exist between >> NNG >>> and Inundator: >>> >>> From http://packetstormsecurity.org/filedesc/nng-4.13r- >>> public.rar.html: >>> >>> "Description: NNG is a tool that creates crafted packets to >> cause >>> MS02-039 false-positives against IPS/IDS. NNG does not have the >>> same approach used by Snot and Stick, where the main goal is >> DoSing >>> the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to >> have >>> the leakage of real attack. >>> >>> "Author: Nelson Brito" >>> >>> First of all, I don't think SNOT's main goal was to DoS the IPS, >> as >>> you so cleverly state. Second, I have no fucking clue what "NNG >>> tries to make IPS/IDS 'numbed' enough to have the leakage of >> real >>> attack" is even supposed to mean. I see some English words >> there, >>> but that sentence means fuck-all. >>> >>> So from what I can gather, your little tool is capable of send a >>> single packet mimicking MS02-039. Bra-fucking-vo, how >> innovative. >>> So it isn't multi-threaded, no attempt is made to send the >> attack >>> anonymously, you're using a single static payload, and you >>> essentially have little to no user configuration at all. What's >> the >>> point? I actually have no idea what the actual goal of NNG is, >>> other than to serve as a POC for why pattern matching is full of >>> fail. But then again, that's something we've known for over a >>> decade (although I see you still give presentations on the topic >> as >>> if it were both new and original), so again -- what is the point >> of >>> NNG? Even snortspoof, though dated and pretty much useless by >>> today's standards, is vastly more impressive than NNG, as it at >>> least makes an attempt to anonymize attacks and dynamically >> parses >>> an array of signatures to generate an attack instead of hard- >> coding >>> ONE payload. Who are you giving credit to for NNG, by the way? >> Oh >>> that's right -- yourself, even though there is literally nothing >>> original about NNG. By the way, I like how you have a file named >>> "Authors" in the NNG source tarball, where you list yourself and >>> your contact information twice. >>> >>> Your pathetic piece of shit doesn't even come close to what >>> Inundator does, so why the fuck would we give NNG credit? Were >> you >>> so disillusioned by your own self-importance that you honestly >> saw >>> a parallel between NNG and Inundator? Or perhaps you were just >>> trying to drive traffic to your little piece of shit by linking >>> everyone to it after trying to make yourself look superior? No, >> I >>> honestly think your cunt start aching at the thought of us >>> crediting SNOT and snortspoof, but not NNG. Reality is a bitch, >> huh. >>> >>> Here's my advice to you, Mr. Brito: slap some vagisil on your >>> aching pussy and shut the fuck up. Nobody has heard of you, and >>> nobody has heard of NNG. Get over yourself. >>> >>> >>> Oh, and Inundator is still available at >>> http://inundator.sourceforge.net/ >>> >>> >>> Stay classy, >>> /epixoip. >>> >>> >>> On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito >> <nbrito@...ure.org> >>> wrote: >>>> That is not new and you should give the credits, not just for >> NNG >>>> (http://packetstormsecurity.org/filedesc/nng-4.13r- >>>> public.rar.html), but you are missing STICK, SNOT and and >>>> IDSWAKEUP as well. >>>> >>>> Nelson Brito >>>> Security Researcher >>>> http://fnstenv.blogspot.com/ >>>> >>>> Sent on an iPhone wireless device. Please, forgive any >> potential >>>> misspellings! >>>> >>>> On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip@...h.com> >> wrote: >>>> >>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>> Hash: SHA1 >>>>> >>>>> >>>>> >>>>> homepage: http://inundator.bindshell.nl/ >>>>> deb repo: deb http://inundator.sourceforge.net/repo/ all/ >>>>> gpg key : http://inundator.sourceforge.net/inundator.asc >>>>> >>>>> Announcing the release of inundator v0.5! >>>>> >>>>> inundator is a modern twist on an old concept -- it's an >>>>> IDS/IPS/WAF evasion tool, used to anonymously flood intrusion >>>>> detection systems with false positives in order to obfuscate a >>>> real >>>>> attack. inundator leverages the vagueness and poor quality of >>>>> Snort's rules files to generate completely harmless packets / >>>> HTTP >>>>> requests that contain just enough keywords to trigger a false >>>>> positive. We thought this was an original idea, but it looks >>>> like >>>>> Snot, fwsnort's snortspoof, and possibly others beat us to the >>>>> punch. However, these tools were developed around the turn of >>>> the >>>>> century, are quite dated and well-forgotten, and overall quite >>>>> inferior to inundator. >>>>> >>>>> inundator is full featured, multi-threaded, queue-based, >>>> supports >>>>> multiple targets, and requires the use of a SOCKS proxy for >>>>> anonymization. Via Tor, inundator is capable of generating >>>> around >>>>> 1000 false positives per minute. Via a high-bandwidth SOCKS >>>> proxy, >>>>> you might be able to generate ten times that amount. >>>>> >>>>> The general idea is one would launch inundator prior to >> starting >>>> an >>>>> attack, allow it to run during the attack, and continue to run >>>> it a >>>>> while longer after you've accomplished the attack. The goal, >> of >>>>> course, is to generate an overwhelming number of false >> positives >>>> so >>>>> that your real attack is essentially buried within the other >>>>> alerts, minimizing the chance of your attack being detected. >> It >>>>> could also be used to ruin an IDS analyst's day, or keep an >>>>> organization's infosec department busy for a while. I suppose >> it >>>>> could also be used to test the effectiveness of an IDS, but >> no, >>>> not >>>>> really. >>>>> >>>>> inundator is implemented in Perl (version >= 5.10 is >> recommended >>>>> due to ithreads bugs in previous versions), and has been >> tested >>>> on >>>>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and >> Mac >>>> OS >>>>> X against Snort v2.8.5.2. It is presumed to work on all POSIX >>>>> operating systems. Hell, it might even work on Windows. >>>>> >>>>> /epixoip. >>>>> > > > -----BEGIN PGP SIGNATURE----- > Charset: UTF8 > Note: This signature can be verified at https://www.hushtools.com/verify > Version: Hush 3.0 > > wpwEAQMCAAYFAkwyoQoACgkQacHgESW3wZoLBgP+PbxGwDMzuS0OSDJYiStD/YokjxCE > THV+banN8SdnYxfft7vgDlhNoXJlyE61wULSy1G4zuUCJT8+Ow78uxd6BMkmbt3F25pJ > xrZsu8lgBm3m24vIqNmHwbvif2BOxMqiBwHlVBaQURXyH2RITLInmRmorTyvq4lxGPW5 > xhdJc1A= > =Zdzn > -----END PGP SIGNATURE----- > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists