PaulDotCom mailing list archives

party trick to shut up the non-believers

From: strandjs at gmail.com (John Strand)
Date: Wed, 5 May 2010 07:36:46 -0600

I think.... We have a winner!

Mubix!

Have your own "bank" to break into?

Brilliant!!

On Tue, May 4, 2010 at 9:04 PM, Rob Fuller <jd.mubix at gmail.com> wrote:

You could always have HackMeBank on a VM at home "SSH home to your
tools" (covertly setting up your -D 8080) and "attack" a bank. Minor
tweaks to logos and account balances might be in order, but "breaking
in" to an account with 13 million dollars would impress most ;-)


--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com
Ignore this:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*




On Tue, May 4, 2010 at 4:55 PM, Craig Freyman <craigfreyman at gmail.com>
wrote:

My wife get's the same treatment. Using SET is the easiest way to make a
point to non-technical people. Between the site cloning and the java

applet

method in set (which is still undetected by most AVs), you can grab their
attention.

On Tue, May 4, 2010 at 2:19 PM, Chris Blazek <chris.blazek at gmail.com>

wrote:


To try and convince my wife to be very careful of public networks I did

little arp poison and cranked up webspy. I had her go into the other

room

and pull up whatever website she wanted and then come and look at what I

had

on my laptop. :)

I have folks telling me I'm just paranoid and overreacting. When I show
them a little mitm attack, they all see my point.

Another fun thing to do is load beef into a crafted web page. Have

someone

visit it and use one of the tools in the framework.  :)





On Tue, May 4, 2010 at 12:37 PM, Robin Wood <robin at digininja.org>

wrote:


On 4 May 2010 18:36, Larry Pesce <larry at pauldotcom.com> wrote:

He is, and I know of....I mean Bob knows of a setup similar to this.
I'll see if I can get Bob to share his properly sanitized Asterisk
config to do so.


That would be good.


- L



On 5/4/10 10:45 AM, Chris Clymer wrote:

Im assuming Mick is referring to Asterisk

-------------------------
securityjustice.com <http://securityjustice.com> |
<http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com>


On May 3, 2010, at 11:37 PM, Michael McGrew
<mmcgrew1 at mail.csuchico.edu
<mailto:mmcgrew1 at mail.csuchico.edu>> wrote:

Michael,

I remember hearing about that software on a PDC episode. It has a
name, do you know what that is? It was either the name of the
software
or they just gave the "attack" a catchy name.

Thank you

On Mon, May 3, 2010 at 7:00 PM, Michael Douglas <
<mailto:mick at pauldotcom.com>mick at pauldotcom.com
<mailto:mick at pauldotcom.com>> wrote:

    I got a little late to the party... this is *not* a hack, but

it

shuts
    everyone the hell up because it scares them.  And I've never

had

any
    follow up questions

    Here's what you do.  It costs a few dollars (pounds in your

case

    right?), but it's so worth it.  ssh into a server that's

running

some
    form of VoIP software.  (skype can work for you i suppose, but

don't
    know CLI for skype)  Setup a call group that has the phone

number

of a
    good amount of people at the party... the more numbers you

have,

the
    better.  Have the VoIP software call the group all at once (the
PC to
    phone rate is where you have to spend $) ... all phones ring at
the
    same time.   Even stranger, when they answer the call, they are
all
    talking to each other.  Warning: the effect is highly creepy.

    thought folks would think it was funny (cause it is!) but it
really
    freaked everyone out.

    That said, I tend to laugh off the "prove it" requests, unless
it's
    some hot girl... in which case I wake up from my pleasant dream
and
    remember there are no parties where hot ladies are asking

anyone

to
    show 1337 skills.   ;-)

    - Mick


    On Mon, May 3, 2010 at 5:27 PM, Robin Wood <
    <mailto:robin at digininja.org>robin at digininja.org
    <mailto:robin at digininja.org>> wrote:
    > Thanks for all the suggestions, I think I like this one the
best, I
    > might set something up on a site so I can access it from my
    phone. Tie
    > this with an SMS service I've got that lets me specify the
sender
    > number I could have some fun. Email and SMS the person from
someone
    > else in the room.
    >
    > Robin
    >
    > On 3 May 2010 20:55, Andrew Ellis <
    <mailto:only.samurai at gmail.com>only.samurai at gmail.com
    <mailto:only.samurai at gmail.com>> wrote:
    >> A trick I've used for a while is keeping a protected email
spoofing
    >> form on my web server. That way when I'm asked to "demo" my
    skills, I
    >> can simply send the person an email from theirself or the
like.
    >>
    >> This has the advantage of looking pretty cool to laymen and,
as
    far as
    >> I know, isn't illegal.
    >>
    >> It's definitely not a "1337 hack" but it's a nice way to

show

the
    >> types of things that can be done without getting in too much
    trouble.
    >>
    >> -Andrew
    >>
    >> On 5/3/10, Chris Clymer <
    <mailto:cclymer at gmail.com>cclymer at gmail.com
    <mailto:cclymer at gmail.com>> wrote:
    >>> Rather than a live demo, better tactic might be telling a
    story about
    >>> a vulnerability in joe sixpack terms.  The pizza coupon

thing

    >>> (dominos?) a few months back is a good example.
    >>>
    >>> I see a lot of downsides to letting folks at a party

pressure

    you into
    >>> a live demo.  You are basically allowing strangers to SE

you.

     If you
    >>> show a successful demo, you just know the next question

will

    come: so
    >>> can you hack into so-and-so's facebook account? ;)
    >>>
    >>> When you consider the potential for demo fail too, this is
    really a
    >>> lose/lose situation :(
    >>>
    >>> -------------------------
    >>> <http://securityjustice.com>securityjustice.com
    <http://securityjustice.com> |
    <http://chrisclymer.com>chrisclymer.com <

http://chrisclymer.com>

    >>>
    >>>
    >>> On May 3, 2010, at 11:54 AM, Robin Wood <
    <mailto:robin at digininja.org>robin at digininja.org
    <mailto:robin at digininja.org>> wrote:
    >>>
    >>>> Hi
    >>>> At a party the other day I was asked the normal question

of

    what do I
    >>>> do for a living. I said security and kept it a bit vague

but

was
    >>>> pressed so explained what pen-testing is and roughly what

    do. I then
    >>>> got the challenge, prove it, prove you can hack a company.
    >>>>
    >>>> People would say to a dentist, prove you can do a filling
but
    this
    >>>> person insisted they wanted a demo. I explained the
    legalities and
    >>>> finally fobbed them off and got away but it got me

thinking,

has
    >>>> anyone got any good party tricks that they can pull in

this

    kind of
    >>>> situation that give an instant wow but are easy to do and
    legal? Not
    >>>> quite legal but I was thinking if I knew any big sites

with

XSS I
    >>>> could rewrite but none came to mind at that time.
    >>>>
    >>>> Robin
    >>>> _______________________________________________

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




--
http://www.kingbin.net/

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100505/5273a2a4/attachment.htm

Current thread:

party trick to shut up the non-believers, (continued)
- - - party trick to shut up the non-believers Larry Pesce (May 04)
    - party trick to shut up the non-believers Robin Wood (May 04)
    - party trick to shut up the non-believers Chris Blazek (May 04)
    - party trick to shut up the non-believers Mike Patterson (May 04)
    - party trick to shut up the non-believers Craig Freyman (May 04)
    - party trick to shut up the non-believers Rob Fuller (May 04)
    - party trick to shut up the non-believers Bugbear (May 05)
    - party trick to shut up the non-believers Robin Wood (May 05)
    - party trick to shut up the non-believers Robert McGrew (May 05)
    - party trick to shut up the non-believers d4ncingd4n at gmail.com (May 05)
    - party trick to shut up the non-believers John Strand (May 05)
    - party trick to shut up the non-believers Robin Wood (May 04)
- party trick to shut up the non-believers Ali Alhebshi (May 03)
  - party trick to shut up the non-believers John Strand (May 03)
- party trick to shut up the non-believers NetEvil (May 03)
- party trick to shut up the non-believers Mike Patterson (May 03)
- party trick to shut up the non-believers Ulisses Castro (May 03)
- party trick to shut up the non-believers Robert McGrew (May 05)
  - party trick to shut up the non-believers d4ncingd4n at gmail.com (May 05)
- party trick to shut up the non-believers iamnowonmai (May 05)