-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 05 Jul 2010 18:34:24 -0700 Nelson Brito <[email protected]> wrote:
>Thanks for the credits and keep doing the great work! Just for the
>records: NNG is not a tool, it is just a PoC for the concept you
>are just mimicking. Really creative!!! 8)

Again, nobody has ever heard of this "NNG PoC" (which, by the way, you
did call it a tool in your packetstorm description) until you started
demanding we give you credit for your ground-breaking research into a
decade-old topic. And again, as I've clearly highlighted, the only
parallel between NNG and Inundator is we both generate false positives.
Nothing new here, not even for NNG.

>I will keep me the right to be polite.

That doesn't make you any less of a douche.

>BTW, I don like my iPhone... 8)
>Specially my apps for that one.

Erm, okay?

>Nelson Brito
>Security Researcher
>http://fnstenv.blogspot.com/
>
>Sent on an iPhone wireless device. Please, forgive any potential
>misspellings!
>
>On Jul 5, 2010, at 7:56 PM, "epixoip" <[email protected]> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Oh, for fuck's sake...
>>
>> <acerbity>
>>
>> Wow, you've really called us out on this one. How embarrassing for
>> us.
>>
>> Please accept our sincerest apologies, Mr. Brito. We now understand
>> how phrases like "inundator is a modern twist on an old concept"
>> and "Snot, fwsnort's snortspoof, and possibly others beat us to the
>> punch" can be incredibly obtuse and largely indecipherable,
>> requiring *at least* a third grade education for full
>> comprehension. We accept full responsibility for failing to write
>> this announcement with the lowest common denominator in mind, and
>> promise to limit our vocabulary to only words found on
>> http://simple.wikipedia.org in future posts.
>>
>> Also, thank you for taking the time to hi-jack our announcement by
>> linking to your incredibly superior NNG tool. We failed to include
>> it in our list of credits, and it brings us much shame. Please
>> excuse us while we prepare for Seppuku.
>>
>> </acerbity>
>>
>> To set the record straight right up front, we never stated this was
>> an original idea. In fact, we clearly stated this was *NOT* an
>> original idea.
>> And we *DID,* in fact, credit SNOT -- and fwsnort's
>> snortspoof as well -- even though we discovered them after we had
>> already begun working on Inundator. We didn't credit IDSwakeup,
>> because while IDSwakeup is kind of cool, it uses a static set of
>> payloads to generate the false positives, and we use a dynamic set.
>> We thought parsing Snort's rules files to dynamically build attack
>> payloads was at least original, but when we learned otherwise, we
>> credited the only other two apps we could find that did something
>> similar: SNOT and snortspoof. So we're definitely going out of our
>> way here to give credit where credit is due, even though we had no
>> knowledge of these applications when we thought of the concept.
>> Again, all of this was clearly explained in plain English.
>>
>> Now then, back to you.
>>
>> At first I presumed you were just a self-important moron who
>> couldn't be bothered to actually read the full text of the
>> announcement before crafting your witty reply on your iPhone and
>> publicly embarrassing yourself on four separate mailing lists
>> concurrently. That is until I paid a visit to your outstanding
>> little blog, and realized that not only are you a self-important
>> queef, but you're also a little fucking crybaby who wants credit
>> and attention for every original thought you didn't have.
>>
>> As we can clearly see from your blog, "ANY INFORMATION TAKEN FROM
>> THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK TO
>> THE ORIGINAL ARTICLE." This must mean you observed some parallel
>> between NNG and Inundator, and thus feel we should be giving you
>> some sort of credit and a backlink (although I suppose the backlink
>> has already been covered by you douching all over this thread.)
>> Let's see what sort of parallels could possibly exist between NNG
>> and Inundator:
>>
>> From http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html:
>>
>> "Description: NNG is a tool that creates crafted packets to cause
>> MS02-039 false-positives against IPS/IDS. NNG does not have the
>> same approach used by Snot and Stick, where the main goal is DoSing
>> the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to have
>> the leakage of real attack.
>>
>> "Author: Nelson Brito"
>>
>> First of all, I don't think SNOT's main goal was to DoS the IPS, as
>> you so cleverly state. Second, I have no fucking clue what "NNG
>> tries to make IPS/IDS 'numbed' enough to have the leakage of real
>> attack" is even supposed to mean. I see some English words there,
>> but that sentence means fuck-all.
>>
>> So from what I can gather, your little tool is capable of sending a
>> single packet mimicking MS02-039. Bra-fucking-vo, how innovative.
>> So it isn't multi-threaded, no attempt is made to send the attack
>> anonymously, you're using a single static payload, and you
>> essentially have little to no user configuration at all. What's the
>> point? I actually have no idea what the actual goal of NNG is,
>> other than to serve as a POC for why pattern matching is full of
>> fail. But then again, that's something we've known for over a
>> decade (although I see you still give presentations on the topic as
>> if it were both new and original), so again -- what is the point of
>> NNG? Even snortspoof, though dated and pretty much useless by
>> today's standards, is vastly more impressive than NNG, as it at
>> least makes an attempt to anonymize attacks and dynamically parses
>> an array of signatures to generate an attack instead of hard-coding
>> ONE payload. Who are you giving credit to for NNG, by the way? Oh
>> that's right -- yourself, even though there is literally nothing
>> original about NNG.
>> By the way, I like how you have a file named
>> "Authors" in the NNG source tarball, where you list yourself and
>> your contact information twice.
>>
>> Your pathetic piece of shit doesn't even come close to what
>> Inundator does, so why the fuck would we give NNG credit? Were you
>> so disillusioned by your own self-importance that you honestly saw
>> a parallel between NNG and Inundator? Or perhaps you were just
>> trying to drive traffic to your little piece of shit by linking
>> everyone to it after trying to make yourself look superior? No, I
>> honestly think your cunt started aching at the thought of us
>> crediting SNOT and snortspoof, but not NNG. Reality is a bitch, huh.
>>
>> Here's my advice to you, Mr. Brito: slap some vagisil on your
>> aching pussy and shut the fuck up. Nobody has heard of you, and
>> nobody has heard of NNG. Get over yourself.
>>
>> Oh, and Inundator is still available at
>> http://inundator.sourceforge.net/
>>
>> Stay classy,
>> /epixoip.
>>
>> On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito <[email protected]> wrote:
>>> That is not new and you should give the credits, not just for NNG
>>> (http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html),
>>> but you are missing STICK, SNOT and
>>> IDSWAKEUP as well.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Sent on an iPhone wireless device. Please, forgive any potential
>>> misspellings!
>>>
>>> On Jul 1, 2010, at 10:25 PM, "epixoip" <[email protected]> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> homepage: http://inundator.bindshell.nl/
>>>> deb repo: deb http://inundator.sourceforge.net/repo/ all/
>>>> gpg key : http://inundator.sourceforge.net/inundator.asc
>>>>
>>>> Announcing the release of inundator v0.5!
>>>>
>>>> inundator is a modern twist on an old concept -- it's an
>>>> IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
>>>> detection systems with false positives in order to obfuscate a real
>>>> attack. inundator leverages the vagueness and poor quality of
>>>> Snort's rules files to generate completely harmless packets / HTTP
>>>> requests that contain just enough keywords to trigger a false
>>>> positive. We thought this was an original idea, but it looks like
>>>> Snot, fwsnort's snortspoof, and possibly others beat us to the
>>>> punch. However, these tools were developed around the turn of the
>>>> century, are quite dated and well-forgotten, and overall quite
>>>> inferior to inundator.
>>>>
>>>> inundator is full featured, multi-threaded, queue-based, supports
>>>> multiple targets, and requires the use of a SOCKS proxy for
>>>> anonymization. Via Tor, inundator is capable of generating around
>>>> 1000 false positives per minute. Via a high-bandwidth SOCKS proxy,
>>>> you might be able to generate ten times that amount.
>>>>
>>>> The general idea is one would launch inundator prior to starting an
>>>> attack, allow it to run during the attack, and continue to run it a
>>>> while longer after you've accomplished the attack. The goal, of
>>>> course, is to generate an overwhelming number of false positives so
>>>> that your real attack is essentially buried within the other
>>>> alerts, minimizing the chance of your attack being detected. It
>>>> could also be used to ruin an IDS analyst's day, or keep an
>>>> organization's infosec department busy for a while. I suppose it
>>>> could also be used to test the effectiveness of an IDS, but no, not
>>>> really.
>>>>
>>>> inundator is implemented in Perl (version >= 5.10 is recommended
>>>> due to ithreads bugs in previous versions), and has been tested on
>>>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac OS
>>>> X against Snort v2.8.5.2. It is presumed to work on all POSIX
>>>> operating systems. Hell, it might even work on Windows.
>>>>
>>>> /epixoip.
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkwyoQoACgkQacHgESW3wZoLBgP+PbxGwDMzuS0OSDJYiStD/YokjxCE
THV+banN8SdnYxfft7vgDlhNoXJlyE61wULSy1G4zuUCJT8+Ow78uxd6BMkmbt3F25pJ
xrZsu8lgBm3m24vIqNmHwbvif2BOxMqiBwHlVBaQURXyH2RITLInmRmorTyvq4lxGPW5
xhdJc1A=
=Zdzn
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
