Message-Id: <A84991D1-36BC-432A-B27F-8CFDD7F34871@sekure.org>
Date: Tue, 6 Jul 2010 01:15:50 -0300
From: Nelson Brito <nbrito@...ure.org>
To: epixoip <epixoip@...h.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Tool] - inundator - an intrusion detection false positives generator.

Last message to you, kid.

NNG was released in September 2008, and it doesn't mean it's not older than that.

And I see you've checked my background... Good! Are you gonna hire me? Maybe I could teach you how to deal with real Perl, such as:
{(!($^O=~/^[M]*$32/i)&&($0=~s!^.*/!!))||($0=~s!.*\\!!)}$0;

Cheers.

Nelson Brito 
Security Researcher
http://fnstenv.blogspot.com/

Sent on an iPhone wireless device. Please, forgive any potential misspellings!

On Jul 6, 2010, at 1:01 AM, "epixoip" <epixoip@...h.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Mon, 05 Jul 2010 19:02:12 -0700 Nelson Brito <nbrito@...ure.org>
> wrote:
> 
>> One more thing, just for the records and being polite: nobody
>> works on such "bad idea" anymore...
> 
> Somehow you've gone from "you stole my idea and you need to give me
> credit, and here's the download link" to "well, it's a bad idea and
> nobody does it anymore." Your tool (which you now claim isn't a
> tool) was just released 20 months ago -- six to eight years after
> tools like Snot and IDSwakeup were released, and far less effective
> than those tools. So what you're essentially saying here is your
> own work was irrelevant. Well, at least you admit it.
> 
>> Why? Because it doesn't make any sense for you to make so much noise to
>> evade an IPS.
> 
> Ah, I see. You're using reverse psychology. The tool doesn't make
> any sense, so why not go ahead and throw a little credit your way,
> right? Honestly, I couldn't care less what your "professional"
> opinion is, and I still refuse to credit your work. I will,
> however, continue to give full credit to tools like Snot and
> snortspoof, regardless of their post-development discovery.
> 
>> There are much more effective ways to do it without "screaming
>> wolf", little boy.
> 
> Of course there are more effective techniques for IDS evasion, and
> there's nothing stopping you from employing those techniques as
> well, especially in tandem with Inundator. I guess that thought
> never crossed your mind. If you decide to use that idea though, I
> demand you give me full credit and prove a backlink to this post.
> 
> 
>> Best regards.
>> 
>> PS: Keep playing with "incubator"
> 
> 
> I'm not entirely sure how calling it 'incubator' is an insult, but
> I suppose I'll pretend to be insulted.
> 
> 
>> and let the real work for the pros.
> 
> 
> And what sort of "real work" might you be doing? I'm curious to
> know what sort of "pro work" one with "12 years of experience in
> high-tek" does. Perhaps you're working on your "PATENT PENDING"
> ENG++?
> 
> By the way, here's a shell script to replace NNG:
> 
> while [ 1 ]; do
>    printf "\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E\n" | nc -v $1 1434
> done
> 
> Again, if you're going to use that, you must give me full credit
> and provide a backlink to this post. I'm super duper serious.
> 
> 
>> Nelson Brito
>> Security Researcher
>> http://fnstenv.blogspot.com/
>> 
>> Sent on an iPhone wireless device. Please, forgive any potential
>> misspellings!
>> 
>> On Jul 5, 2010, at 7:56 PM, "epixoip" <epixoip@...h.com> wrote:
>> 
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>> 
>>> 
>>> 
>>> 
>>> Oh, for fuck's sake...
>>> 
>>> <acerbity>
>>> 
>>> Wow, you've really called us out on this one. How embarrassing for
>>> us.
>>> 
>>> Please accept our sincerest apologies, Mr. Brito. We now understand
>>> how phrases like "inundator is a modern twist on an old concept"
>>> and "Snot, fwsnort's snortspoof, and possibly others beat us to the
>>> punch" can be incredibly obtuse and largely indecipherable,
>>> requiring *at least* a third grade education for full
>>> comprehension. We accept full responsibility for failing to write
>>> this announcement with the lowest common denominator in mind, and
>>> promise to limit our vocabulary to only words found on
>>> http://simple.wikipedia.org in future posts.
>>> 
>>> Also, thank you for taking the time to hi-jack our announcement by
>>> linking to your incredibly superior NNG tool. We failed to include
>>> it in our list of credits, and it brings us much shame. Please
>>> excuse us while we prepare for Seppuku.
>>> 
>>> </acerbity>
>>> 
>>> To set the record straight right up front, we never stated this was
>>> an original idea. In fact, we clearly stated this was *NOT* an
>>> original idea. And we *DID,* in fact, credit SNOT -- and fwsnort's
>>> snortspoof as well -- even though we discovered them after we had
>>> already begun working on Inundator. We didn't credit IDSwakeup,
>>> because while IDSwakeup is kind of cool, it uses a static set of
>>> payloads to generate the false positives, and we use a dynamic set.
>>> We thought parsing Snort's rules files to dynamically build attack
>>> payloads was at least original, but when we learned otherwise, we
>>> credited the only other two apps we could find that did something
>>> similar: SNOT and snortspoof. So we're definitely going out of our
>>> way here to give credit where credit is due, even though we had no
>>> knowledge of these applications when we thought of the concept.
>>> Again, all of this was clearly explained in plain English.
>>> 
>>> Now then, back to you.
>>> 
>>> At first I presumed you were just a self-important moron who
>>> couldn't be bothered to actually read the full text of the
>>> announcement before crafting your witty reply on your iPhone and
>>> publicly embarrassing yourself on four separate mailing lists
>>> concurrently. That is until I paid a visit to your outstanding
>>> little blog, and realized that not only are you a self-important
>>> queef, but you're also a little fucking crybaby who wants credit
>>> and attention for every original thought you didn't have.
>>> 
>>> As we can clearly see from your blog, "ANY INFORMATION TAKEN FROM
>>> THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK TO
>>> THE ORIGINAL ARTICLE." This must mean you observed some parallel
>>> between NNG and Inundator, and thus feel we should be giving you
>>> some sort of credit and a backlink (although I suppose the backlink
>>> has already been covered by you douching all over this thread.)
>>> Let's see what sort of parallels could possibly exist between NNG
>>> and Inundator:
>>> 
>>> From http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html:
>>> 
>>> "Description: NNG is a tool that creates crafted packets to cause
>>> MS02-039 false-positives against IPS/IDS. NNG does not have the
>>> same approach used by Snot and Stick, where the main goal is DoSing
>>> the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to have
>>> the leakage of real attack.
>>> 
>>> "Author: Nelson Brito"
>>> 
>>> First of all, I don't think SNOT's main goal was to DoS the IPS, as
>>> you so cleverly state. Second, I have no fucking clue what "NNG
>>> tries to make IPS/IDS 'numbed' enough to have the leakage of real
>>> attack" is even supposed to mean. I see some English words there,
>>> but that sentence means fuck-all.
>>> 
>>> So from what I can gather, your little tool is capable of sending a
>>> single packet mimicking MS02-039. Bra-fucking-vo, how innovative.
>>> So it isn't multi-threaded, no attempt is made to send the attack
>>> anonymously, you're using a single static payload, and you
>>> essentially have little to no user configuration at all. What's the
>>> point? I actually have no idea what the actual goal of NNG is,
>>> other than to serve as a POC for why pattern matching is full of
>>> fail. But then again, that's something we've known for over a
>>> decade (although I see you still give presentations on the topic as
>>> if it were both new and original), so again -- what is the point of
>>> NNG? Even snortspoof, though dated and pretty much useless by
>>> today's standards, is vastly more impressive than NNG, as it at
>>> least makes an attempt to anonymize attacks and dynamically parses
>>> an array of signatures to generate an attack instead of hard-coding
>>> ONE payload. Who are you giving credit to for NNG, by the way? Oh
>>> that's right -- yourself, even though there is literally nothing
>>> original about NNG. By the way, I like how you have a file named
>>> "Authors" in the NNG source tarball, where you list yourself and
>>> your contact information twice.
>>> 
>>> Your pathetic piece of shit doesn't even come close to what
>>> Inundator does, so why the fuck would we give NNG credit? Were you
>>> so disillusioned by your own self-importance that you honestly saw
>>> a parallel between NNG and Inundator? Or perhaps you were just
>>> trying to drive traffic to your little piece of shit by linking
>>> everyone to it after trying to make yourself look superior? No, I
>>> honestly think your cunt started aching at the thought of us
>>> crediting SNOT and snortspoof, but not NNG. Reality is a bitch,
>>> huh.
>>> 
>>> Here's my advice to you, Mr. Brito: slap some vagisil on your
>>> aching pussy and shut the fuck up. Nobody has heard of you, and
>>> nobody has heard of NNG. Get over yourself.
>>> 
>>> 
>>> Oh, and Inundator is still available at
>>> http://inundator.sourceforge.net/
>>> 
>>> 
>>> Stay classy,
>>> /epixoip.
>>> 
>>> 
>>> On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito <nbrito@...ure.org>
>>> wrote:
>>>> That is not new and you should give the credits, not just for NNG
>>>> (http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html),
>>>> but you are missing STICK, SNOT and IDSWAKEUP as well.
>>>> 
>>>> Nelson Brito
>>>> Security Researcher
>>>> http://fnstenv.blogspot.com/
>>>> 
>>>> Sent on an iPhone wireless device. Please, forgive any potential
>>>> misspellings!
>>>> 
>>>> On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip@...h.com> wrote:
>>>> 
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>> 
>>>>> 
>>>>> 
>>>>> homepage: http://inundator.bindshell.nl/
>>>>> deb repo: deb http://inundator.sourceforge.net/repo/ all/
>>>>> gpg key : http://inundator.sourceforge.net/inundator.asc
>>>>> 
>>>>> Announcing the release of inundator v0.5!
>>>>> 
>>>>> inundator is a modern twist on an old concept -- it's an
>>>>> IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
>>>>> detection systems with false positives in order to obfuscate a real
>>>>> attack. inundator leverages the vagueness and poor quality of
>>>>> Snort's rules files to generate completely harmless packets / HTTP
>>>>> requests that contain just enough keywords to trigger a false
>>>>> positive. We thought this was an original idea, but it looks like
>>>>> Snot, fwsnort's snortspoof, and possibly others beat us to the
>>>>> punch. However, these tools were developed around the turn of the
>>>>> century, are quite dated and well-forgotten, and overall quite
>>>>> inferior to inundator.
>>>>> 
>>>>> inundator is full featured, multi-threaded, queue-based, supports
>>>>> multiple targets, and requires the use of a SOCKS proxy for
>>>>> anonymization. Via Tor, inundator is capable of generating around
>>>>> 1000 false positives per minute. Via a high-bandwidth SOCKS proxy,
>>>>> you might be able to generate ten times that amount.
>>>>> 
>>>>> The general idea is one would launch inundator prior to starting an
>>>>> attack, allow it to run during the attack, and continue to run it a
>>>>> while longer after you've accomplished the attack. The goal, of
>>>>> course, is to generate an overwhelming number of false positives so
>>>>> that your real attack is essentially buried within the other
>>>>> alerts, minimizing the chance of your attack being detected. It
>>>>> could also be used to ruin an IDS analyst's day, or keep an
>>>>> organization's infosec department busy for a while. I suppose it
>>>>> could also be used to test the effectiveness of an IDS, but no, not
>>>>> really.
>>>>> 
>>>>> inundator is implemented in Perl (version >= 5.10 is recommended
>>>>> due to ithreads bugs in previous versions), and has been tested on
>>>>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac OS
>>>>> X against Snort v2.8.5.2. It is presumed to work on all POSIX
>>>>> operating systems. Hell, it might even work on Windows.
>>>>> 
>>>>> /epixoip.
>>>>> 
>>> 
>>> 
>>> -----BEGIN PGP SIGNATURE-----
>>> Charset: UTF8
>>> Note: This signature can be verified at https://www.hushtools.com/verify
>>> Version: Hush 3.0
>>> 
>>> wpwEAQMCAAYFAkwyYxEACgkQacHgESW3wZrghAQAoaUr7ZCmRKhpVs86cvXCHphwB/V9
>>> XCmQFCodPp6puHkCe0KqonLXBLCrW92qjVObOxW8TYlb56JKrZs0EV/jGLKUSrlcfgh7
>>> 0/UMwH/vAL0C+PowgHuWFZSGSpLsKk5vUC+9YrKz0/oRkCVj4Ypks6Rd+VAUetzuNIeT
>>> W60Z6o0=
>>> =uHzo
>>> -----END PGP SIGNATURE-----
>>> 
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 3.0
> 
> wpwEAQMCAAYFAkwyqqYACgkQacHgESW3wZq22gP7Bisp36Tfco5+nvNFHBKYyxd7EW8a
> 4wQxbya29L3BxP7fF+V/hqlNQbdEPOeW6EnpPh71laO9PSl7jsPJsGdyLRE51JAcRoxp
> UXr+d6VPf5lbQ6E7KHLPvtd33+HPA8nBgfY+uD/uqt3qda2o8xihefx2rnKGPqI1jKE8
> r6Hha9g=
> =nPAL
> -----END PGP SIGNATURE-----
> 
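The v0.5 announcement quoted deep in this thread describes the mechanism at issue: harmless packets carrying just enough keywords from Snort's rules to fire an alert, pushed through a SOCKS proxy at roughly a thousand alerts a minute so that a real attack is buried in the noise. The defender's counter is to recognise the flood as a flood and pull everything else out of it. The triage script below is an added example, not code from this thread or from the inundator project: it parses Snort's alert_fast output, flags a source as a flood when it raises many alerts across many distinct signatures inside a short window, and returns the remaining alerts, oldest first, for an analyst. The sample alert lines, addresses and signature ids are constructed for the example, and the thresholds (60 seconds, 20 alerts, 5 signatures) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line of Snort's "alert_fast" output. Timestamps in that format carry no
# year; fractional seconds are matched and dropped. Ports are optional so that
# ICMP alerts (no port on either side) parse as well.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S")
    for key in ("gid", "sid", "rev", "sport", "dport"):
        a[key] = int(a[key]) if a[key] is not None else None
    return a


def is_flood_source(alerts, window, min_alerts, min_sids):
    """True if one source raised >= min_alerts alerts spanning >= min_sids distinct
    signatures inside any window. Cycling quickly through many different rules is
    what a false-positive generator looks like; one noisy rule firing repeatedly
    (a misconfigured monitor, say) does not qualify and stays in the queue."""
    events = sorted((a["ts"], a["sid"]) for a in alerts)
    lo = 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        span = events[lo:hi + 1]
        if len(span) >= min_alerts and len({sid for _, sid in span}) >= min_sids:
            return True
    return False


def triage(lines, window_seconds=60, min_alerts=20, min_sids=5):
    """Split alerts into summarised flood sources and a review queue of everything
    else, oldest first. The generator in the thread runs through a SOCKS proxy, so
    the real attack normally arrives from a different address than the flood: the
    non-flood remainder is where an analyst should look first."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    window = timedelta(seconds=window_seconds)
    flood_sources, review_queue = {}, []
    for src, items in by_src.items():
        if is_flood_source(items, window, min_alerts, min_sids):
            flood_sources[src] = {
                "alerts": len(items),
                "signatures": len({a["sid"] for a in items}),
                "targets": sorted({(a["dst"], a["dport"] or 0) for a in items}),
            }
        else:
            review_queue.extend(items)
    review_queue.sort(key=lambda a: a["ts"])
    return flood_sources, review_queue


def sample_alerts():
    """Constructed alert_fast lines (not real traffic, ids and rule names made up):
    24 alerts from one address cycling through 8 signatures in 46 seconds, a web
    attack plus the server's own response from other addresses, and three repeats
    of one SNMP rule that are noisy but not a flood."""
    msgs = ["WEB-MISC /etc/passwd", "WEB-CGI phf access", "WEB-IIS cmd.exe access",
            "WEB-MISC ../.. access", "WEB-PHP remote include path",
            "WEB-ATTACKS /bin/sh access", "WEB-MISC robots.txt access",
            "WEB-FRONTPAGE /_vti_bin/ access"]
    lines = []
    for i in range(24):
        lines.append(
            f"07/06-01:15:{10 + 2 * i:02d}.000000  [**] [1:{1000 + i % 8}:1] {msgs[i % 8]} [**] "
            f"[Classification: Web Application Attack] [Priority: 1] {{TCP}} "
            f"198.51.100.7:{40000 + i} -> 192.0.2.10:80")
    lines += [
        "07/06-01:14:05.000000  [**] [1:3000:1] SNMP public access udp [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
        "192.0.2.44:2048 -> 192.0.2.20:161",
        "07/06-01:14:50.000000  [**] [1:3000:1] SNMP public access udp [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
        "192.0.2.44:2048 -> 192.0.2.20:161",
        "07/06-01:15:30.000000  [**] [1:3000:1] SNMP public access udp [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
        "192.0.2.44:2048 -> 192.0.2.20:161",
        "07/06-01:15:33.500000  [**] [1:2000:2] SQL injection attempt in URI [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} "
        "203.0.113.9:52111 -> 192.0.2.10:80",
        "07/06-01:15:41.200000  [**] [1:2001:1] ATTACK-RESPONSES directory listing [**] "
        "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
        "192.0.2.10:80 -> 203.0.113.9:52111",
    ]
    return lines


if __name__ == "__main__":
    floods, queue = triage(sample_alerts())
    for src, info in floods.items():
        print(f"flood source {src}: {info['alerts']} alerts over "
              f"{info['signatures']} signatures, targets {info['targets']}")
    print(f"{len(queue)} alerts left for review:")
    for a in queue:
        print(f"  {a['ts']:%m/%d %H:%M:%S} [{a['gid']}:{a['sid']}] {a['msg']} "
              f"{a['src']} -> {a['dst']}")
```

Because the flood is proxied, keying on the source address only quarantines the noise; what matters is usually what is left over, including attack-response signatures fired by the target itself, which this example deliberately keeps in the queue rather than discarding along with the flood's destination.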

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
