1. I had two machines set up on two projectors in a conference room, an attacker box and a victim box. 2. I used SET to clone an internal site and asked them to let me know if the site looked weird or not, they all agreed it looked perfectly fine. I had a colleague log into the site and showed that I could harvest his credentials. Eyebrows were raised. 3. Then I cloned a public site and used the java method to open a meterpreter session. They didn't really understand what this was so I did a screen screengrab and demonstrated the keylogger and they perked up a little more. 4. Then I sent my colleague a spoofed email from the CEO with a naughty pdf attachment. He opened it and i showed them I had access to the box again. Simply by opening an attachment. 5. The last part was what really scared them. I ran the soundrecorder script from http://www.darkoperator.com/meterpreter/ and demonstrated that I could record their conversations. Now I had their attention. 6. We're now implementing social engineering training and management is on board with our security strategies.
On Thu, Apr 22, 2010 at 10:33 AM, Pommerening, Jeremy < [email protected]> wrote: > Very cool. Any chance you could share how you accomplished that? I > think that would definitely garner some attention at my organization and > maybe help to make a point in my department. > > > > *Jeremy Pommerening* > > *MGR, Information Security* > > *Symbion, Inc.* > > *615-234-8912 Direct* > > *615-429-6883 BB* > > * * > > *GIAC - GCFA,GPEN, GAWN & GCFW,* > > *GIAC Advisory Board Member* > > *MCSE Win2K, MCSE NT4,* > > *CompTia SERVER+, HP APS* > > * * > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Craig Freyman > *Sent:* Thursday, April 22, 2010 9:41 AM > *To:* PaulDotCom Security Weekly Mailing List > *Subject:* Re: [Pauldotcom] Security Awareness Training for SysAdmins > > > > I recently gave a demo to some of our managers and tech support guys using > SET that blew them away. I followed it up with some of the flashy metasploit > stuff like the soundrecorder script and the vnc payload. Then, I had > Metasploit order me a pizza. The demo had a major impact on them and they're > all of a sudden very open to security awareness training and not bitching > about having admin rights. > > On Wed, Apr 21, 2010 at 11:51 PM, Ng Choon Kiat <[email protected]> > wrote: > > Hi, > > > > I had a simple report on weak password and recommendation. Hope it is > helpful for you > > > > This is quite silly, it was shared and posted not long ago here. > > http://twitter.com/cs420 > > > > Regards, > > Grey > > On Thu, Apr 22, 2010 at 10:27 AM, Jorge A. Orchilles <[email protected]> > wrote: > > Hello all, > > > > I was asked to put together an outline for a security awareness > training/talk/presentation aimed at system and network admins. I would like > to show examples and make it fun. Here are my thoughts so far but would like > to see if any of you have done this, have resources to point me to, and/or > feedback on what I have so far: > > - Password construction/management > > > - Show online password lists for default passwords > - Examples of bruteforcing and cracking > - Emphasis on having strong and different passwords for each system > - Policy > > > - Online postings related to work > > > - Social networks > - Mailing lists > - Vendor sites/forums > > > - Following best practices > > > - SANS SCORE > - Vendor recommendations > - Think of the data > > Thanks in advance, > > Jorge Orchilles > > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > > > Disclaimer: The email and files transmitted with it are confidential and > are intended solely for the use of the individual or entity to whom they are > addressed. If you are not the original recipient or the person responsible > for the delivering the email to the intended recipient, be advised that you > have received this email in error, and that any use, dissemination, > forwarding, printing or copying of this email is strictly prohibited. If you > received this email in error, please delete it from your system without > copying it, and notify the sender by reply email so that our address record > can be corrected. Thank you. Symbion, Inc. > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
