To try and convince my wife to be very careful of public networks I did a little ARP poison and cranked up webspy. I had her go into the other room and pull up whatever website she wanted and then come and look at what I had on my laptop. :)
I have folks telling me I'm just paranoid and overreacting. When I show them a little MITM attack, they all see my point. Another fun thing to do is load BeEF into a crafted web page. Have someone visit it and use one of the tools in the framework. :)

On Tue, May 4, 2010 at 12:37 PM, Robin Wood <[email protected]> wrote:
> On 4 May 2010 18:36, Larry Pesce <[email protected]> wrote:
> > He is, and I know of.... I mean Bob knows of a setup similar to this.
> > I'll see if I can get Bob to share his properly sanitized Asterisk
> > config to do so.
>
> That would be good.
>
> > - L
> >
> > On 5/4/10 10:45 AM, Chris Clymer wrote:
> >> I'm assuming Mick is referring to Asterisk
> >>
> >> -------------------------
> >> securityjustice.com | chrisclymer.com
> >>
> >> On May 3, 2010, at 11:37 PM, Michael McGrew <[email protected]> wrote:
> >>> Michael,
> >>>
> >>> I remember hearing about that software on a PDC episode. It has a
> >>> name, do you know what that is? It was either the name of the software
> >>> or they just gave the "attack" a catchy name.
> >>>
> >>> Thank you
> >>>
> >>> On Mon, May 3, 2010 at 7:00 PM, Michael Douglas <[email protected]> wrote:
> >>>
> >>> I got a little late to the party... this is *not* a hack, but it shuts
> >>> everyone the hell up because it scares them. And I've never had any
> >>> follow-up questions.
> >>>
> >>> Here's what you do. It costs a few dollars (pounds in your case,
> >>> right?), but it's so worth it. ssh into a server that's running some
> >>> form of VoIP software. (Skype can work for you I suppose, but I don't
> >>> know the CLI for Skype.) Set up a call group that has the phone numbers of a
> >>> good amount of people at the party... the more numbers you have, the
> >>> better. Have the VoIP software call the group all at once (the PC to
> >>> phone rate is where you have to spend $)... all phones ring at the
> >>> same time. Even stranger, when they answer the call, they are all
> >>> talking to each other. Warning: the effect is highly creepy. I
> >>> thought folks would think it was funny (cause it is!) but it really
> >>> freaked everyone out.
> >>>
> >>> That said, I tend to laugh off the "prove it" requests, unless it's
> >>> some hot girl... in which case I wake up from my pleasant dream and
> >>> remember there are no parties where hot ladies are asking anyone to
> >>> show 1337 skills. ;-)
> >>>
> >>> - Mick
> >>>
> >>> On Mon, May 3, 2010 at 5:27 PM, Robin Wood <[email protected]> wrote:
> >>> > Thanks for all the suggestions, I think I like this one the best. I
> >>> > might set something up on a site so I can access it from my phone. Tie
> >>> > this with an SMS service I've got that lets me specify the sender
> >>> > number and I could have some fun. Email and SMS the person from someone
> >>> > else in the room.
> >>> >
> >>> > Robin
> >>> >
> >>> > On 3 May 2010 20:55, Andrew Ellis <[email protected]> wrote:
> >>> >> A trick I've used for a while is keeping a protected email spoofing
> >>> >> form on my web server. That way when I'm asked to "demo" my skills, I
> >>> >> can simply send the person an email from themselves or the like.
> >>> >>
> >>> >> This has the advantage of looking pretty cool to laymen and, as far as
> >>> >> I know, isn't illegal.
> >>> >>
> >>> >> It's definitely not a "1337 hack" but it's a nice way to show the
> >>> >> types of things that can be done without getting in too much trouble.
> >>> >>
> >>> >> -Andrew
> >>> >>
> >>> >> On 5/3/10, Chris Clymer <[email protected]> wrote:
> >>> >>> Rather than a live demo, a better tactic might be telling a story about
> >>> >>> a vulnerability in Joe Sixpack terms. The pizza coupon thing
> >>> >>> (Domino's?) a few months back is a good example.
> >>> >>>
> >>> >>> I see a lot of downsides to letting folks at a party pressure you into
> >>> >>> a live demo. You are basically allowing strangers to SE you. If you
> >>> >>> show a successful demo, you just know the next question will come: so
> >>> >>> can you hack into so-and-so's Facebook account? ;)
> >>> >>>
> >>> >>> When you consider the potential for demo fail too, this is really a
> >>> >>> lose/lose situation :(
> >>> >>>
> >>> >>> -------------------------
> >>> >>> securityjustice.com | chrisclymer.com
> >>> >>>
> >>> >>> On May 3, 2010, at 11:54 AM, Robin Wood <[email protected]> wrote:
> >>> >>>> Hi
> >>> >>>> At a party the other day I was asked the normal question of what do I
> >>> >>>> do for a living. I said security and kept it a bit vague but was
> >>> >>>> pressed so explained what pen-testing is and roughly what I do. I then
> >>> >>>> got the challenge: prove it, prove you can hack a company.
> >>> >>>>
> >>> >>>> People would say to a dentist, prove you can do a filling, but this
> >>> >>>> person insisted they wanted a demo. I explained the legalities and
> >>> >>>> finally fobbed them off and got away, but it got me thinking: has
> >>> >>>> anyone got any good party tricks that they can pull in this kind of
> >>> >>>> situation that give an instant wow but are easy to do and legal? Not
> >>> >>>> quite legal, but I was thinking if I knew any big sites with XSS I
> >>> >>>> could rewrite, but none came to mind at that time.
> >>> >>>>
> >>> >>>> Robin
> >>> >>>> _______________________________________________
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
http://www.kingbin.net/
