Penetration Testing mailing list archives

Re: proposed pen-test


From: Terry Cutler <jedi31337 () gmail com>
Date: Mon, 8 Mar 2010 18:19:21 -0500

Hey John, I'm actually reproducing the hack that was done on Google
called "Project Aurora" in a keynote demo at Novell Brainshare. I'll be
using Core Impact 10 to do this. In essence what happens is that Core
installs a webserver instance on my PC and fires off an email to whomever
you specify and FROM whoever you want. Now, Core has some built-in
HTML messages that look like the real deal, such as Facebook and
LinkedIn invitations. The point is to trick a user into clicking the
"Add me" link, which forces IE or Firefox to open and get exploited. At
that point an encrypted session gets connected back to my PC running
the webserver.

From this point I can now browse the files on your PC, or scan other
devices in your network from your PC being the source. I can then
launch network-side attacks and exploit file servers etc.... all while
bypassing your firewalls, IPS, IDS.  :)

So to me this is a VERY important test. The beauty with Core Impact is
that you can run a User report at the end that will highlight which
user clicked that link so that we can put them through security
awareness training.

If you want to see a demo of Core, I have a 45-minute demo of it on my
website at http://www.terrycutler.com. I also have a 2.5-hour live
demonstration recorded where I use the product often called "Intro to
Ethical Hacking and Penetration Testing."

Hope this helps!

On Sun, Mar 7, 2010 at 2:03 PM, John Grimes <john.k.grimes () gmail com> wrote:
Hi--

A consultant firm has recommended to my university's IT department
that we run the following pen-test:

We send, through regular mail, a letter to members of the staff and
faculty, that appears to come from a well-known social networking
site, that is, it uses a facsimile of the actual letterhead and
envelope of the site, including the correct return address. In this
letter, we invite the recipient to beta-test a new version of the
social networking site by using the program on the enclosed USB stick.
We offer a gift card to a major online retailer as further inducement.
If any staff member plugs in the USB stick, they will be told in a
pop-up window that they have been duped, and the fact will be logged
to a server at the university.

It seems to us that there are two potential legal problems here:
impersonating the social networking site, and using the US postal
service for a fraudulent, if well-intentioned, purpose. Can anyone
here comment on this?

Beyond the legalities, does this seem like an effective and worthwhile test?

Thanks for any insight.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
-- 
./Terry Cutler
Master CNE , CDE, CLP, Certified Ethical Hacker
