My wife get's the same treatment. Using SET is the easiest way to make a point to non-technical people. Between the site cloning and the java applet method in set (which is still undetected by most AVs), you can grab their attention.
On Tue, May 4, 2010 at 2:19 PM, Chris Blazek <[email protected]> wrote: > To try and convince my wife to be very careful of public networks I did a > little arp poison and cranked up webspy. I had her go into the other room > and pull up whatever website she wanted and then come and look at what I had > on my laptop. :) > > I have folks telling me I'm just paranoid and overreacting. When I show > them a little mitm attack, they all see my point. > > Another fun thing to do is load beef into a crafted web page. Have someone > visit it and use one of the tools in the framework. :) > > > > > > > On Tue, May 4, 2010 at 12:37 PM, Robin Wood <[email protected]> wrote: > >> On 4 May 2010 18:36, Larry Pesce <[email protected]> wrote: >> > He is, and I know of....I mean Bob knows of a setup similar to this. >> > I'll see if I can get Bob to share his properly sanitized Asterisk >> > config to do so. >> >> That would be good. >> >> > >> > - L >> > >> > >> > >> > On 5/4/10 10:45 AM, Chris Clymer wrote: >> >> Im assuming Mick is referring to Asterisk >> >> >> >> ------------------------- >> >> securityjustice.com <http://securityjustice.com> | >> >> <http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com> >> >> >> >> >> >> On May 3, 2010, at 11:37 PM, Michael McGrew < >> [email protected] >> >> <mailto:[email protected]>> wrote: >> >> >> >>> Michael, >> >>> >> >>> I remember hearing about that software on a PDC episode. It has a >> >>> name, do you know what that is? It was either the name of the software >> >>> or they just gave the "attack" a catchy name. >> >>> >> >>> Thank you >> >>> >> >>> On Mon, May 3, 2010 at 7:00 PM, Michael Douglas < >> >>> <mailto:[email protected]>[email protected] >> >>> <mailto:[email protected]>> wrote: >> >>> >> >>> I got a little late to the party... this is *not* a hack, but it >> shuts >> >>> everyone the hell up because it scares them. And I've never had >> any >> >>> follow up questions >> >>> >> >>> Here's what you do. It costs a few dollars (pounds in your case >> >>> right?), but it's so worth it. ssh into a server that's running >> some >> >>> form of VoIP software. (skype can work for you i suppose, but I >> don't >> >>> know CLI for skype) Setup a call group that has the phone number >> of a >> >>> good amount of people at the party... the more numbers you have, >> the >> >>> better. Have the VoIP software call the group all at once (the PC >> to >> >>> phone rate is where you have to spend $) ... all phones ring at >> the >> >>> same time. Even stranger, when they answer the call, they are >> all >> >>> talking to each other. Warning: the effect is highly creepy. I >> >>> thought folks would think it was funny (cause it is!) but it >> really >> >>> freaked everyone out. >> >>> >> >>> That said, I tend to laugh off the "prove it" requests, unless >> it's >> >>> some hot girl... in which case I wake up from my pleasant dream >> and >> >>> remember there are no parties where hot ladies are asking anyone >> to >> >>> show 1337 skills. ;-) >> >>> >> >>> - Mick >> >>> >> >>> >> >>> On Mon, May 3, 2010 at 5:27 PM, Robin Wood < >> >>> <mailto:[email protected]>[email protected] >> >>> <mailto:[email protected]>> wrote: >> >>> > Thanks for all the suggestions, I think I like this one the >> best, I >> >>> > might set something up on a site so I can access it from my >> >>> phone. Tie >> >>> > this with an SMS service I've got that lets me specify the >> sender >> >>> > number I could have some fun. Email and SMS the person from >> someone >> >>> > else in the room. >> >>> > >> >>> > Robin >> >>> > >> >>> > On 3 May 2010 20:55, Andrew Ellis < >> >>> <mailto:[email protected]>[email protected] >> >>> <mailto:[email protected]>> wrote: >> >>> >> A trick I've used for a while is keeping a protected email >> spoofing >> >>> >> form on my web server. That way when I'm asked to "demo" my >> >>> skills, I >> >>> >> can simply send the person an email from theirself or the like. >> >>> >> >> >>> >> This has the advantage of looking pretty cool to laymen and, as >> >>> far as >> >>> >> I know, isn't illegal. >> >>> >> >> >>> >> It's definitely not a "1337 hack" but it's a nice way to show >> the >> >>> >> types of things that can be done without getting in too much >> >>> trouble. >> >>> >> >> >>> >> -Andrew >> >>> >> >> >>> >> On 5/3/10, Chris Clymer < >> >>> <mailto:[email protected]>[email protected] >> >>> <mailto:[email protected]>> wrote: >> >>> >>> Rather than a live demo, better tactic might be telling a >> >>> story about >> >>> >>> a vulnerability in joe sixpack terms. The pizza coupon thing >> >>> >>> (dominos?) a few months back is a good example. >> >>> >>> >> >>> >>> I see a lot of downsides to letting folks at a party pressure >> >>> you into >> >>> >>> a live demo. You are basically allowing strangers to SE you. >> >>> If you >> >>> >>> show a successful demo, you just know the next question will >> >>> come: so >> >>> >>> can you hack into so-and-so's facebook account? ;) >> >>> >>> >> >>> >>> When you consider the potential for demo fail too, this is >> >>> really a >> >>> >>> lose/lose situation :( >> >>> >>> >> >>> >>> ------------------------- >> >>> >>> <http://securityjustice.com>securityjustice.com >> >>> <http://securityjustice.com> | >> >>> <http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com> >> >>> >>> >> >>> >>> >> >>> >>> On May 3, 2010, at 11:54 AM, Robin Wood < >> >>> <mailto:[email protected]>[email protected] >> >>> <mailto:[email protected]>> wrote: >> >>> >>> >> >>> >>>> Hi >> >>> >>>> At a party the other day I was asked the normal question of >> >>> what do I >> >>> >>>> do for a living. I said security and kept it a bit vague but >> was >> >>> >>>> pressed so explained what pen-testing is and roughly what I >> >>> do. I then >> >>> >>>> got the challenge, prove it, prove you can hack a company. >> >>> >>>> >> >>> >>>> People would say to a dentist, prove you can do a filling but >> >>> this >> >>> >>>> person insisted they wanted a demo. I explained the >> >>> legalities and >> >>> >>>> finally fobbed them off and got away but it got me thinking, >> has >> >>> >>>> anyone got any good party tricks that they can pull in this >> >>> kind of >> >>> >>>> situation that give an instant wow but are easy to do and >> >>> legal? Not >> >>> >>>> quite legal but I was thinking if I knew any big sites with >> XSS I >> >>> >>>> could rewrite but none came to mind at that time. >> >>> >>>> >> >>> >>>> Robin >> >>> >>>> _______________________________________________ >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > > > > -- > http://www.kingbin.net/ > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
