PaulDotCom mailing list archives

party trick to shut up the non-believers


From: d4ncingd4n at gmail.com (d4ncingd4n at gmail.com)
Date: Wed, 5 May 2010 15:36:03 +0000

Personally, I would view someone that challenged me as a troll and try to ignore them. 

Sometimes you can't ignore them so I would try a simpler (and more fun) approach: I would open a web page to 
their favorite site, right click on the page and select "view source"

I would show them the javascript embedded in the page, etc. I would then start a 45 minute rant on insecure development 
practices, the balance of features vs security, browser security, etc. After 1/2 hour of the rant, most trolls will 
find a reason to excuse themselves from the rant. If not, try to sell them your services as a consultant. Your mileage 
may vary.... 

Bart
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Robert McGrew <wesleymcgrew at gmail.com>
Date: Wed, 5 May 2010 08:31:08 
To: PaulDotCom Security Weekly Mailing List<pauldotcom at mail.pauldotcom.com>
Subject: Re: [Pauldotcom] party trick to shut up the non-believers

On Mon, May 3, 2010 at 10:54 AM, Robin Wood <robin at digininja.org> wrote:
Hi
At a party the other day I was asked the normal question of what do I
do for a living. I said security and kept it a bit vague but was
pressed so explained what pen-testing is and roughly what I do. I then
got the challenge, prove it, prove you can hack a company.

People would say to a dentist, prove you can do a filling but this
person insisted they wanted a demo. I explained the legalities and
finally fobbed them off and got away but it got me thinking, has
anyone got any good party tricks that they can pull in this kind of
situation that give an instant wow but are easy to do and legal? Not
quite legal but I was thinking if I knew any big sites with XSS I
could rewrite but none came to mind at that time.

I sent Robin a specific example of the below trick off-list, but
there's no harm in going over the general idea on-list :) :  I often
show off early steps of the recon phase--information gathering from
publicly available sources without sending any sort of weird traffic
the target's way.  This avoids doing anything illegal, and is more
impressive to most than a contrived attack on my own stuff.

A favorite quick trick that I can do from anyone's computer is to find
secret/obscure/forgotten areas of company web sites using Google.  I
start with a:

site:example.com

....and start enumerating interesting subdomains by subtracting out
common/uninteresting ones that show up in the results:

site:example.com -site:www.example.com -site:pr.example.com

....and/or subtracting out pages that match the normal naming scheme,
in order to find the unusual ones.

site:example.com -intitle:"Example Technologies Inc."

Most of the time, I know of one or two current examples of companies
that have secret (but mostly harmless) portions of their web presence.
I'll do the demo with one of those that I know will work, and
occasionally follow up with off-the-cuff searches on sites owned by
folks I am talking to.

This is easy enough that people who aren't in the field can follow and
understand exactly what you're doing, and you can follow it up with
interesting war stories of things you've seen and done past this
phase.  Overall, if you enjoy what you do and you like telling
stories, it's pretty easy to catch people's interest talking about
penetration testing.

-- 
Wesley McGrew
http://mcgrewsecurity.com
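The narrowing Wesley describes (start from site:example.com, subtract the expected hosts, then subtract pages that carry the normal title) is just as useful turned inward: an organisation can export the list of its own pages a search engine has indexed and triage it the same way to spot forgotten subdomains and pages before someone at a party does. The script below is an added example, not code from the thread; example.com, the hostnames, titles and the "known hosts" set are constructed placeholders, and the input is a hand-made list standing in for an exported result set.

```python
# Added example (not from the mailing list thread): defender-side triage of
# search-engine results for your own domain, mirroring the site:/ -site:/
# -intitle: narrowing described above, but run offline over an exported list.
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of indexed pages as (url, title); example.com is a placeholder.
INDEXED_PAGES = [
    ("https://www.example.com/", "Example Technologies Inc."),
    ("https://www.example.com/products", "Products - Example Technologies Inc."),
    ("https://pr.example.com/2010/press", "Press - Example Technologies Inc."),
    ("https://staging.example.com/admin/login", "Login"),
    ("https://old.example.com/intranet/phonebook.html", "Staff phone list"),
    ("https://www.example.com/beta/index.cgi", "Test page - do not use"),
]

# Hosts the organisation expects to be indexed (assumed), and its normal title scheme.
KNOWN_HOSTS = {"www.example.com", "pr.example.com"}
NORMAL_TITLE = "Example Technologies Inc."


def hosts_by_count(pages):
    """Equivalent of site:example.com: which hostnames are indexed, and how much."""
    return Counter(urlsplit(url).hostname for url, _ in pages)


def unknown_hosts(pages, known=KNOWN_HOSTS):
    """Equivalent of the -site: exclusions: hosts you did not expect to be indexed."""
    return sorted(host for host in hosts_by_count(pages) if host not in known)


def off_pattern_pages(pages, normal_title=NORMAL_TITLE):
    """Equivalent of -intitle:"...": pages whose title lacks the corporate naming scheme."""
    return [url for url, title in pages if normal_title not in title]


def triage(pages, known=KNOWN_HOSTS, normal_title=NORMAL_TITLE):
    """Pages worth a second look: on an unexpected host, or titled off-pattern."""
    unexpected = set(unknown_hosts(pages, known))
    return sorted({url for url, title in pages
                   if urlsplit(url).hostname in unexpected or normal_title not in title})


if __name__ == "__main__":
    for url in triage(INDEXED_PAGES):
        print(url)
```

Feed it the real export for your domain and the output is the list of pages to retire, protect, or at least consciously decide to leave public.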

