PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

party trick to shut up the non-believers

From: jd.mubix at gmail.com (Rob Fuller)
Date: Tue, 4 May 2010 23:04:51 -0400
You could always have HackMeBank on a VM at home "SSH home to your
tools" (covertly setting up your -D 8080) and "attack" a bank. Minor
tweaks to logos and account balances might be in order, but "breaking
in" to an account with 13 million dollars would impress most ;-)


--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com
Ignore this:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*




On Tue, May 4, 2010 at 4:55 PM, Craig Freyman <craigfreyman at gmail.com> wrote:

My wife get's the same treatment. Using SET is the easiest way to make a
point to non-technical people. Between the site?cloning?and the java applet
method in set (which is still undetected by most AVs), you can grab their
attention.

On Tue, May 4, 2010 at 2:19 PM, Chris Blazek <chris.blazek at gmail.com> wrote:


To try and convince my wife to be very careful of public networks I did a
little arp poison and cranked up webspy. I had her go into the other room
and pull up whatever website she wanted and then come and look at what I had
on my laptop. :)

I have folks telling me I'm just paranoid and overreacting. When I show
them a little mitm attack, they all see my point.

Another fun thing to do is load beef into a crafted web page. Have someone
visit it and use one of the tools in the framework.? :)





On Tue, May 4, 2010 at 12:37 PM, Robin Wood <robin at digininja.org> wrote:


On 4 May 2010 18:36, Larry Pesce <larry at pauldotcom.com> wrote:

He is, and I know of....I mean Bob knows of a setup similar to this.
I'll see if I can get Bob to share his properly sanitized Asterisk
config to do so.


That would be good.



- L



On 5/4/10 10:45 AM, Chris Clymer wrote:

Im assuming Mick is referring to Asterisk

-------------------------
securityjustice.com <http://securityjustice.com> |
<http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com>


On May 3, 2010, at 11:37 PM, Michael McGrew
<mmcgrew1 at mail.csuchico.edu
<mailto:mmcgrew1 at mail.csuchico.edu>> wrote:


Michael,

I remember hearing about that software on a PDC episode. It has a
name, do you know what that is? It was either the name of the
software
or they just gave the "attack" a catchy name.

Thank you

On Mon, May 3, 2010 at 7:00 PM, Michael Douglas <
<mailto:mick at pauldotcom.com>mick at pauldotcom.com
<mailto:mick at pauldotcom.com>> wrote:

? ? I got a little late to the party... this is *not* a hack, but it
shuts
? ? everyone the hell up because it scares them. ?And I've never had
any
? ? follow up questions

? ? Here's what you do. ?It costs a few dollars (pounds in your case
? ? right?), but it's so worth it. ?ssh into a server that's running
some
? ? form of VoIP software. ?(skype can work for you i suppose, but I
don't
? ? know CLI for skype) ?Setup a call group that has the phone number
of a
? ? good amount of people at the party... the more numbers you have,
the
? ? better. ?Have the VoIP software call the group all at once (the
PC to
? ? phone rate is where you have to spend $) ... all phones ring at
the
? ? same time. ? Even stranger, when they answer the call, they are
all
? ? talking to each other. ?Warning: the effect is highly creepy. ?I
? ? thought folks would think it was funny (cause it is!) but it
really
? ? freaked everyone out.

? ? That said, I tend to laugh off the "prove it" requests, unless
it's
? ? some hot girl... in which case I wake up from my pleasant dream
and
? ? remember there are no parties where hot ladies are asking anyone
to
? ? show 1337 skills. ? ;-)

? ? - Mick


? ? On Mon, May 3, 2010 at 5:27 PM, Robin Wood <
? ? <mailto:robin at digininja.org>robin at digininja.org
? ? <mailto:robin at digininja.org>> wrote:
? ? > Thanks for all the suggestions, I think I like this one the
best, I
? ? > might set something up on a site so I can access it from my
? ? phone. Tie
? ? > this with an SMS service I've got that lets me specify the
sender
? ? > number I could have some fun. Email and SMS the person from
someone
? ? > else in the room.
? ? >
? ? > Robin
? ? >
? ? > On 3 May 2010 20:55, Andrew Ellis <
? ? <mailto:only.samurai at gmail.com>only.samurai at gmail.com
? ? <mailto:only.samurai at gmail.com>> wrote:
? ? >> A trick I've used for a while is keeping a protected email
spoofing
? ? >> form on my web server. That way when I'm asked to "demo" my
? ? skills, I
? ? >> can simply send the person an email from theirself or the
like.
? ? >>
? ? >> This has the advantage of looking pretty cool to laymen and,
as
? ? far as
? ? >> I know, isn't illegal.
? ? >>
? ? >> It's definitely not a "1337 hack" but it's a nice way to show
the
? ? >> types of things that can be done without getting in too much
? ? trouble.
? ? >>
? ? >> -Andrew
? ? >>
? ? >> On 5/3/10, Chris Clymer <
? ? <mailto:cclymer at gmail.com>cclymer at gmail.com
? ? <mailto:cclymer at gmail.com>> wrote:
? ? >>> Rather than a live demo, better tactic might be telling a
? ? story about
? ? >>> a vulnerability in joe sixpack terms. ?The pizza coupon thing
? ? >>> (dominos?) a few months back is a good example.
? ? >>>
? ? >>> I see a lot of downsides to letting folks at a party pressure
? ? you into
? ? >>> a live demo. ?You are basically allowing strangers to SE you.
? ? ?If you
? ? >>> show a successful demo, you just know the next question will
? ? come: so
? ? >>> can you hack into so-and-so's facebook account? ;)
? ? >>>
? ? >>> When you consider the potential for demo fail too, this is
? ? really a
? ? >>> lose/lose situation :(
? ? >>>
? ? >>> -------------------------
? ? >>> <http://securityjustice.com>securityjustice.com
? ? <http://securityjustice.com> |
? ? <http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com>
? ? >>>
? ? >>>
? ? >>> On May 3, 2010, at 11:54 AM, Robin Wood <
? ? <mailto:robin at digininja.org>robin at digininja.org
? ? <mailto:robin at digininja.org>> wrote:
? ? >>>
? ? >>>> Hi
? ? >>>> At a party the other day I was asked the normal question of
? ? what do I
? ? >>>> do for a living. I said security and kept it a bit vague but
was
? ? >>>> pressed so explained what pen-testing is and roughly what I
? ? do. I then
? ? >>>> got the challenge, prove it, prove you can hack a company.
? ? >>>>
? ? >>>> People would say to a dentist, prove you can do a filling
but
? ? this
? ? >>>> person insisted they wanted a demo. I explained the
? ? legalities and
? ? >>>> finally fobbed them off and got away but it got me thinking,
has
? ? >>>> anyone got any good party tricks that they can pull in this
? ? kind of
? ? >>>> situation that give an instant wow but are easy to do and
? ? legal? Not
? ? >>>> quite legal but I was thinking if I knew any big sites with
XSS I
? ? >>>> could rewrite but none came to mind at that time.
? ? >>>>
? ? >>>> Robin
? ? >>>> _______________________________________________

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




--
http://www.kingbin.net/

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Previous By Date Next
Previous By Thread Next

Current thread: