Monday, January 18, 2016
IDS evasion - Inundator
7:58:00 PM
DFIR & Forensics, Firewall, Hackers Tools, HIDS, IDS, Pentest Tools, Security Tools
No comments
IDS/IPS/WAF Evasion & Flooding Tool
inundator is a multi-threaded, queue-driven, IDS evasion tool. Its purpose is to anonymously flood intrusion detection systems (specifically Snort) with traffic designed to trigger false positives via a SOCKS proxy in order to obfuscate a real attack.
inundator would be used whenever you feel there is a significant chance the attack you’re about to perform may be detected by the target’s intrusion detection system. You would launch inundator prior to starting the attack, and continue running it well after you have finished the attack. The hope is that if your attack is detected by the IDS, the alert will be buried among several thousand false positives, thus minimizing the chance of an IDS analyst detecting the real attack.
inundator is full featured, multi-threaded, queue-based, supports multiple targets, and requires the use of a SOCKS proxy for anonymization. Via Tor, inundator is capable of generating around 1000 false positives per minute. Via a high-bandwidth SOCKS proxy, you might be able to generate ten times that amount.
IDS evasion: Inundator Features
ºParses Snort rules files to generate false positive attacks
ºSupport for multiple targets (FQDN, ip addr range, subnet in CIDR format)
ºMulti-threaded
ºQueue-based
ºSOCKS support
Dependencies:
ºNmap
ºPerl (>= 5.10)
ºNet::SOCKS (>=0.03)
ºNet::CIDR (>= 0.11)
ºSnort’s rules files
ºOinkmaster (for keeping Snort rules up to date)
ºTor (If you don’t have a remote SOCKS proxy to exploit.)
When would I use Inundator?
Whenever you feel like it. Seriously. It’s anonymous, so why not watch the world burn?
Example Scenarios:
ºBefore, during, and after a real attack to bury any potential alerts among a flood of false positives.
ºSeriously mess with an IDS analyst and keep an InfoSec department busy for days investigating false positives.
ºTest the effectiveness of an intrusion detection or prevention system. Less alerts means a better product; more alerts means a horrible product.
How does Inundator work?
At a high level, Inundator builds an attack queue, organized by destination port, by parsing the content: and uricontent: fields from Snort’s poorly written pattern-matching rules. Inundator then builds a target queue by peforming a port scan to identify open TCP ports on each target provided by the user. Once the queues have been built, Inundator will launch the requested number of worker threads. Each worker thread will select a random target from the target queue, as well as a random open port on the selected target. A random attack for the selected port will then be selected from the attack queue, and this information is used to build a completely innocent packet or request that contains patterns matching typical intrusion detection rules. The crafted attack will then be sent to the target via a SOCKS proxy (we default to Tor’s local proxy.) This procedure is repeated in an infinite loop by each worker thread until the user aborts.
Quite obviously, the actual ruleset used by the target intrusion detection system will play a very large part in whether our crafted attacks trigger a false positive. Inundator will generate an overwhelming number of false positives on systems which use extremely poor pattern matching rules, and little to no false positives on systems which use well written rules, heuristic-based detection, or anomaly-based detection mechanisms.
Downloading and Installing Inundator.
The preferred method of installation for all other .deb-based distributions is via our software repository. This is by far the best and simplest way of installing Inundator and its dependencies.
Add our repository to /etc/apt/sources.list:
deb http://inundator.sourceforge.net/repo/ all/
Next, download and install our GPG key:
wget http://inundator.sourceforge.net/inundator.asc
apt-key add inundator.asc
Then you can automatically pull in Inundator and all its dependencies:
aptitude update
aptitude install inundator
Search
Categories
Popular Posts
-
dotenv loads .env files into process.env for Node.js projects, making it useful for configuration hygiene checks, secret-handling review...
-
In this post, we will explore a Python script designed to parse logs containing url:user:pass data. These logs are instrumental in executin...
-
New bug bounty(vulnerabilities) collector Requirements Chrome with GUI (If you encounter trouble with script execution, check the stat...
-
x64dbg is a Windows user-mode debugger for controlled runtime inspection, breakpoint logic, trace collection and patch validation in autho...
-
As cyber threats evolve, so must our strategies to combat them. The deepdarkCTI project serves as a crucial resource, offering access to a c...
-
GTFOcli it's a Command Line Interface for easy binaries search commands that can be used to bypass local security restrictions in mis...
-
As mobile applications become more integral to our daily lives, ensuring their security is paramount. Vulnerabilities in mobile apps can exp...
-
social-analyzer provides API, CLI, and web interfaces for finding and analyzing public profiles across more than 1000 social media and web...
-
Remote adminitration tool for android Features Notifications listener SMS listener Phone call recording Image capturing and sc...
-
RepoReaper is a precision tool designed to automate the identification of exposed .git repositories across a list of domains and subdomai...
Blog Archive
-
►
2026
(3)
- ► 05/24 - 05/31 (3)
-
►
2024
(42)
- ► 05/26 - 06/02 (1)
- ► 05/12 - 05/19 (1)
- ► 05/05 - 05/12 (5)
- ► 03/10 - 03/17 (3)
- ► 02/18 - 02/25 (32)
-
►
2022
(20)
- ► 02/06 - 02/13 (18)
- ► 01/30 - 02/06 (2)
-
►
2018
(69)
- ► 10/14 - 10/21 (4)
- ► 08/26 - 09/02 (7)
- ► 08/12 - 08/19 (4)
- ► 07/15 - 07/22 (2)
- ► 07/08 - 07/15 (6)
- ► 07/01 - 07/08 (3)
- ► 06/17 - 06/24 (2)
- ► 03/04 - 03/11 (2)
- ► 02/18 - 02/25 (1)
- ► 02/04 - 02/11 (3)
- ► 01/28 - 02/04 (7)
- ► 01/21 - 01/28 (6)
- ► 01/14 - 01/21 (12)
- ► 01/07 - 01/14 (10)
-
►
2017
(72)
- ► 12/31 - 01/07 (2)
- ► 12/03 - 12/10 (1)
- ► 11/19 - 11/26 (1)
- ► 11/12 - 11/19 (1)
- ► 10/22 - 10/29 (3)
- ► 10/01 - 10/08 (2)
- ► 09/17 - 09/24 (6)
- ► 09/10 - 09/17 (2)
- ► 09/03 - 09/10 (2)
- ► 08/27 - 09/03 (4)
- ► 07/23 - 07/30 (5)
- ► 07/16 - 07/23 (3)
- ► 06/25 - 07/02 (1)
- ► 06/18 - 06/25 (4)
- ► 05/21 - 05/28 (7)
- ► 05/14 - 05/21 (1)
- ► 05/07 - 05/14 (2)
- ► 04/30 - 05/07 (2)
- ► 04/23 - 04/30 (2)
- ► 04/16 - 04/23 (2)
- ► 03/19 - 03/26 (4)
- ► 01/22 - 01/29 (2)
- ► 01/15 - 01/22 (1)
- ► 01/08 - 01/15 (8)
- ► 01/01 - 01/08 (4)
-
▼
2016
(648)
- ► 12/25 - 01/01 (1)
- ► 12/18 - 12/25 (2)
- ► 12/11 - 12/18 (6)
- ► 12/04 - 12/11 (4)
- ► 11/27 - 12/04 (5)
- ► 11/13 - 11/20 (1)
- ► 11/06 - 11/13 (1)
- ► 10/30 - 11/06 (5)
- ► 10/23 - 10/30 (1)
- ► 10/16 - 10/23 (2)
- ► 10/09 - 10/16 (5)
- ► 10/02 - 10/09 (3)
- ► 09/25 - 10/02 (2)
- ► 09/18 - 09/25 (6)
- ► 09/11 - 09/18 (6)
- ► 09/04 - 09/11 (4)
- ► 08/28 - 09/04 (7)
- ► 08/21 - 08/28 (5)
- ► 08/14 - 08/21 (4)
- ► 08/07 - 08/14 (2)
- ► 07/31 - 08/07 (2)
- ► 07/24 - 07/31 (5)
- ► 07/17 - 07/24 (2)
- ► 07/10 - 07/17 (3)
- ► 07/03 - 07/10 (6)
- ► 06/26 - 07/03 (11)
- ► 06/12 - 06/19 (4)
- ► 06/05 - 06/12 (1)
- ► 05/29 - 06/05 (1)
- ► 05/08 - 05/15 (4)
- ► 04/24 - 05/01 (8)
- ► 04/17 - 04/24 (5)
- ► 04/10 - 04/17 (1)
- ► 04/03 - 04/10 (8)
- ► 03/27 - 04/03 (1)
- ► 03/20 - 03/27 (5)
- ► 03/13 - 03/20 (1)
- ► 03/06 - 03/13 (12)
- ► 02/28 - 03/06 (14)
- ► 02/21 - 02/28 (11)
- ► 02/14 - 02/21 (12)
- ► 02/07 - 02/14 (13)
- ► 01/31 - 02/07 (121)
- ► 01/24 - 01/31 (34)
-
▼
01/17 - 01/24
(58)
- Open Source Vulnerability Scanner - OpenVAS
- Passive DNS Network Mapper - dnsmap
- Admin Page Finder Script
- TrueCrypt brute-force password cracker - TrueCrack
- Automatic Database Dump - sqlcake
- Open Source Intelligence - Maltego
- Mobile Terminal Application for Intermittent Conne...
- Joomla Security Scanner - Joomscan
- Post Exploitation Framework - Intersect
- Exploring Android Platform - Mercury
- Python Script Searching - Dark D0rk3r
- SQLi and Web Attack Framework - Enema SQLi
- Linux Live USB Creator - LiLi
- Backup and Recovery - ReDo
- Yet Another Man in The Middle Automation Script -...
- Wi-Fi network scanner - inSSIDer
- Open Source MySQL Injection - sqlsus
- Extreme GPU - Bruteforcer
- Passive Traffic Fingerprinting - p0f
- Rainbow Tables Hash Cracker - RainbowCrack
- Web Application Testing - Vega
- PDF Analysis Tool - peepdf
- PHP Vulnerability - Hunter
- O Programa da Matrix Está Falhando - ''O Que Você ...
- Automatic Bluetooth Spoofing - Spooftooph
- Wireless Network Monitoring Tool - Kismet
- Pentest - Security Cheatsheets
- Antivirus Evasion - foolav
- Razorback
- LAMP/LEMP Secure Deployment - JShielder
- Wordlist Generator - Crunch
- SIP Witch
- Injecting Fake Updates - Evilgrade
- Tiny Core Linux
- MD5 Online Password Cracking - md5cracker
- Writing Your Own Exploits
- Encrypt Your Network Traffic - Tcpcrypt
- Passive Network Monitoring - lanmap2
- Wireless and Wired Network Interceptor - the Inter...
- Encrypted UDP based FTP - UFTP
- IDS evasion - Inundator
- Standardized Security - OpenSCAP
- Web Application Security Scanner - w3af
- Log Monitoring Daemon - agentsmith
- Blind SQL Injections - BSQL Hacker
- Final Released - Bruter v1.0
- V For Vendetta
- AfterGlow
- Network Forensics - Xplico
- Digital Forensics Framework - DFF
- Digital Forensics - Autopsy
- Volatility 2.5 - Memory Forensics
- Credit Card Magstripe Spoofer - MagSpoof
- Privilege Escalation - Potato
- Cross Platform ELF Analysis - ELF Parser
- Pentest Distro - Web Testing Framework Samurai
- 10 Estratégias de Manipulação da Mídia
- Project Arsenal X - As HackTheGame But Real
- ► 01/10 - 01/17 (59)
- ► 01/03 - 01/10 (174)
-
►
2015
(26)
- ► 12/27 - 01/03 (1)
- ► 08/30 - 09/06 (8)
- ► 08/23 - 08/30 (16)
- ► 08/16 - 08/23 (1)
Home
Privacy Center
Data Protection
Community
Digital Policy
Security Tools
Online Utilities
Resources
Search Operators
Library


0 comentários:
Post a Comment
Note: Only a member of this blog may post a comment.