Thanks for the credits and keep doing the great work! Just for the records: NNG is not a tool, it is just a PoC for the concept you are just mimicking. Really creative!!! 8)
I will keep me the right to be polite. BTW, I don like my iPhone... 8) Specially my apps for that one. Nelson Brito Security Researcher http://fnstenv.blogspot.com/ Sent on an iPhone wireless device. Please, forgive any potential misspellings! On Jul 5, 2010, at 7:56 PM, "epixoip" <epix...@hush.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > > Oh, for fuck's sake... > > <acerbity> > > Wow, you've really called us out on this one. How embarrassing for > us. > > Please accept our sincerest apologies, Mr. Brito. We now understand > how phrases like "inundator is a modern twist on an old concept" > and "Snot, fwsnort's snortspoof, and possibly others beat us to the > punch" can be incredibly obtuse and largely indecipherable, > requiring *at least* a third grade education for full > comprehension. We accept full responsibility for failing to write > this announcement with the lowest common denominator in mind, and > promise to limit our vocabulary to only words found on > http://simple.wikipedia.org in future posts. > > Also, thank you for taking the time to hi-jack our announcement by > linking to your incredibly superior NNG tool. We failed to include > it in our list of credits, and it brings us much shame. Please > excuse us while we prepare for Seppuku. > > </acerbity> > > To set the record straight right up front, we never stated this was > an original idea. In fact, we clearly stated this was *NOT* an > original idea. And we *DID,* in fact, credit SNOT -- and fwsnort's > snortspoof as well -- even though we discovered them after we had > already begun working on Inundator. We didn't credit IDSwakeup, > because while IDSwakeup is kind of cool, it uses a static set > payloads to generate the false positives, and we use a dynamic set. > We thought parsing Snort's rules files to dynamically build attack > payloads was at least original, but when we learned otherwise, we > credited the only other two apps we could find that did something > similar: SNOT and snortspoof. So we're definitely going out of our > way here to give credit where credit is due, even though we had no > knowledge of these applications when we thought of the concept. > Again, all of this was clearly explained in plain English. > > Now then, back to you. > > At first I presumed you were just a self-important moron who > couldn't be bothered to actually read the full text of the > announcement before crafting your witty reply on your iPhone and > publicly embarrassing yourself on four separate mailing lists > concurrently. That is until I paid a visit to your outstanding > little blog, and realized that not only are you a self-important > queef, but you're also a little fucking crybaby who wants credit > and attention for every original thought you didn't have. > > As we can clearly see from your blog, "ANY INFORMATION TAKEN FROM > THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK TO > THE ORIGINAL ARTICLE." This must mean you observed some parallel > between NNG and Inundator, and thus feel we should be giving you > some sort of credit and a backlink (although I suppose the backlink > has already been covered by you douching all over this thread.) > Let's see what sort of parallels could possibly exist between NNG > and Inundator: > > From http://packetstormsecurity.org/filedesc/nng-4.13r- > public.rar.html: > > "Description: NNG is a tool that creates crafted packets to cause > MS02-039 false-positives against IPS/IDS. NNG does not have the > same approach used by Snot and Stick, where the main goal is DoSing > the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to have > the leakage of real attack. > > "Author: Nelson Brito" > > First of all, I don't think SNOT's main goal was to DoS the IPS, as > you so cleverly state. Second, I have no fucking clue what "NNG > tries to make IPS/IDS 'numbed' enough to have the leakage of real > attack" is even supposed to mean. I see some English words there, > but that sentence means fuck-all. > > So from what I can gather, your little tool is capable of send a > single packet mimicking MS02-039. Bra-fucking-vo, how innovative. > So it isn't multi-threaded, no attempt is made to send the attack > anonymously, you're using a single static payload, and you > essentially have little to no user configuration at all. What's the > point? I actually have no idea what the actual goal of NNG is, > other than to serve as a POC for why pattern matching is full of > fail. But then again, that's something we've known for over a > decade (although I see you still give presentations on the topic as > if it were both new and original), so again -- what is the point of > NNG? Even snortspoof, though dated and pretty much useless by > today's standards, is vastly more impressive than NNG, as it at > least makes an attempt to anonymize attacks and dynamically parses > an array of signatures to generate an attack instead of hard-coding > ONE payload. Who are you giving credit to for NNG, by the way? Oh > that's right -- yourself, even though there is literally nothing > original about NNG. By the way, I like how you have a file named > "Authors" in the NNG source tarball, where you list yourself and > your contact information twice. > > Your pathetic piece of shit doesn't even come close to what > Inundator does, so why the fuck would we give NNG credit? Were you > so disillusioned by your own self-importance that you honestly saw > a parallel between NNG and Inundator? Or perhaps you were just > trying to drive traffic to your little piece of shit by linking > everyone to it after trying to make yourself look superior? No, I > honestly think your cunt start aching at the thought of us > crediting SNOT and snortspoof, but not NNG. Reality is a bitch, huh. > > Here's my advice to you, Mr. Brito: slap some vagisil on your > aching pussy and shut the fuck up. Nobody has heard of you, and > nobody has heard of NNG. Get over yourself. > > > Oh, and Inundator is still available at > http://inundator.sourceforge.net/ > > > Stay classy, > /epixoip. > > > On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito <nbr...@sekure.org> > wrote: >> That is not new and you should give the credits, not just for NNG >> (http://packetstormsecurity.org/filedesc/nng-4.13r- >> public.rar.html), but you are missing STICK, SNOT and and >> IDSWAKEUP as well. >> >> Nelson Brito >> Security Researcher >> http://fnstenv.blogspot.com/ >> >> Sent on an iPhone wireless device. Please, forgive any potential >> misspellings! >> >> On Jul 1, 2010, at 10:25 PM, "epixoip" <epix...@hush.com> wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> homepage: http://inundator.bindshell.nl/ >>> deb repo: deb http://inundator.sourceforge.net/repo/ all/ >>> gpg key : http://inundator.sourceforge.net/inundator.asc >>> >>> Announcing the release of inundator v0.5! >>> >>> inundator is a modern twist on an old concept -- it's an >>> IDS/IPS/WAF evasion tool, used to anonymously flood intrusion >>> detection systems with false positives in order to obfuscate a >> real >>> attack. inundator leverages the vagueness and poor quality of >>> Snort's rules files to generate completely harmless packets / >> HTTP >>> requests that contain just enough keywords to trigger a false >>> positive. We thought this was an original idea, but it looks >> like >>> Snot, fwsnort's snortspoof, and possibly others beat us to the >>> punch. However, these tools were developed around the turn of >> the >>> century, are quite dated and well-forgotten, and overall quite >>> inferior to inundator. >>> >>> inundator is full featured, multi-threaded, queue-based, >> supports >>> multiple targets, and requires the use of a SOCKS proxy for >>> anonymization. Via Tor, inundator is capable of generating >> around >>> 1000 false positives per minute. Via a high-bandwidth SOCKS >> proxy, >>> you might be able to generate ten times that amount. >>> >>> The general idea is one would launch inundator prior to starting >> an >>> attack, allow it to run during the attack, and continue to run >> it a >>> while longer after you've accomplished the attack. The goal, of >>> course, is to generate an overwhelming number of false positives >> so >>> that your real attack is essentially buried within the other >>> alerts, minimizing the chance of your attack being detected. It >>> could also be used to ruin an IDS analyst's day, or keep an >>> organization's infosec department busy for a while. I suppose it >>> could also be used to test the effectiveness of an IDS, but no, >> not >>> really. >>> >>> inundator is implemented in Perl (version >= 5.10 is recommended >>> due to ithreads bugs in previous versions), and has been tested >> on >>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac >> OS >>> X against Snort v2.8.5.2. It is presumed to work on all POSIX >>> operating systems. Hell, it might even work on Windows. >>> >>> /epixoip. >>> > > > -----BEGIN PGP SIGNATURE----- > Charset: UTF8 > Note: This signature can be verified at https://www.hushtools.com/verify > Version: Hush 3.0 > > wpwEAQMCAAYFAkwyYxEACgkQacHgESW3wZrghAQAoaUr7ZCmRKhpVs86cvXCHphwB/V9 > XCmQFCodPp6puHkCe0KqonLXBLCrW92qjVObOxW8TYlb56JKrZs0EV/jGLKUSrlcfgh7 > 0/UMwH/vAL0C+PowgHuWFZSGSpLsKk5vUC+9YrKz0/oRkCVj4Ypks6Rd+VAUetzuNIeT > W60Z6o0= > =uHzo > -----END PGP SIGNATURE----- > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/