You could always have HackMeBank on a VM at home "SSH home to your tools" (covertly setting up your -D 8080) and "attack" a bank. Minor tweaks to logos and account balances might be in order, but "breaking in" to an account with 13 million dollars would impress most ;-)
-- Rob Fuller | Mubix Room362.com | Hak5.org | TheAcademyPro.com Ignore this: x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* On Tue, May 4, 2010 at 4:55 PM, Craig Freyman <[email protected]> wrote: > My wife get's the same treatment. Using SET is the easiest way to make a > point to non-technical people. Between the site cloning and the java applet > method in set (which is still undetected by most AVs), you can grab their > attention. > > On Tue, May 4, 2010 at 2:19 PM, Chris Blazek <[email protected]> wrote: >> >> To try and convince my wife to be very careful of public networks I did a >> little arp poison and cranked up webspy. I had her go into the other room >> and pull up whatever website she wanted and then come and look at what I had >> on my laptop. :) >> >> I have folks telling me I'm just paranoid and overreacting. When I show >> them a little mitm attack, they all see my point. >> >> Another fun thing to do is load beef into a crafted web page. Have someone >> visit it and use one of the tools in the framework. :) >> >> >> >> >> >> On Tue, May 4, 2010 at 12:37 PM, Robin Wood <[email protected]> wrote: >>> >>> On 4 May 2010 18:36, Larry Pesce <[email protected]> wrote: >>> > He is, and I know of....I mean Bob knows of a setup similar to this. >>> > I'll see if I can get Bob to share his properly sanitized Asterisk >>> > config to do so. >>> >>> That would be good. >>> >>> > >>> > - L >>> > >>> > >>> > >>> > On 5/4/10 10:45 AM, Chris Clymer wrote: >>> >> Im assuming Mick is referring to Asterisk >>> >> >>> >> ------------------------- >>> >> securityjustice.com <http://securityjustice.com> | >>> >> <http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com> >>> >> >>> >> >>> >> On May 3, 2010, at 11:37 PM, Michael McGrew >>> >> <[email protected] >>> >> <mailto:[email protected]>> wrote: >>> >> >>> >>> Michael, >>> >>> >>> >>> I remember hearing about that software on a PDC episode. It has a >>> >>> name, do you know what that is? It was either the name of the >>> >>> software >>> >>> or they just gave the "attack" a catchy name. >>> >>> >>> >>> Thank you >>> >>> >>> >>> On Mon, May 3, 2010 at 7:00 PM, Michael Douglas < >>> >>> <mailto:[email protected]>[email protected] >>> >>> <mailto:[email protected]>> wrote: >>> >>> >>> >>> I got a little late to the party... this is *not* a hack, but it >>> >>> shuts >>> >>> everyone the hell up because it scares them. And I've never had >>> >>> any >>> >>> follow up questions >>> >>> >>> >>> Here's what you do. It costs a few dollars (pounds in your case >>> >>> right?), but it's so worth it. ssh into a server that's running >>> >>> some >>> >>> form of VoIP software. (skype can work for you i suppose, but I >>> >>> don't >>> >>> know CLI for skype) Setup a call group that has the phone number >>> >>> of a >>> >>> good amount of people at the party... the more numbers you have, >>> >>> the >>> >>> better. Have the VoIP software call the group all at once (the >>> >>> PC to >>> >>> phone rate is where you have to spend $) ... all phones ring at >>> >>> the >>> >>> same time. Even stranger, when they answer the call, they are >>> >>> all >>> >>> talking to each other. Warning: the effect is highly creepy. I >>> >>> thought folks would think it was funny (cause it is!) but it >>> >>> really >>> >>> freaked everyone out. >>> >>> >>> >>> That said, I tend to laugh off the "prove it" requests, unless >>> >>> it's >>> >>> some hot girl... in which case I wake up from my pleasant dream >>> >>> and >>> >>> remember there are no parties where hot ladies are asking anyone >>> >>> to >>> >>> show 1337 skills. ;-) >>> >>> >>> >>> - Mick >>> >>> >>> >>> >>> >>> On Mon, May 3, 2010 at 5:27 PM, Robin Wood < >>> >>> <mailto:[email protected]>[email protected] >>> >>> <mailto:[email protected]>> wrote: >>> >>> > Thanks for all the suggestions, I think I like this one the >>> >>> best, I >>> >>> > might set something up on a site so I can access it from my >>> >>> phone. Tie >>> >>> > this with an SMS service I've got that lets me specify the >>> >>> sender >>> >>> > number I could have some fun. Email and SMS the person from >>> >>> someone >>> >>> > else in the room. >>> >>> > >>> >>> > Robin >>> >>> > >>> >>> > On 3 May 2010 20:55, Andrew Ellis < >>> >>> <mailto:[email protected]>[email protected] >>> >>> <mailto:[email protected]>> wrote: >>> >>> >> A trick I've used for a while is keeping a protected email >>> >>> spoofing >>> >>> >> form on my web server. That way when I'm asked to "demo" my >>> >>> skills, I >>> >>> >> can simply send the person an email from theirself or the >>> >>> like. >>> >>> >> >>> >>> >> This has the advantage of looking pretty cool to laymen and, >>> >>> as >>> >>> far as >>> >>> >> I know, isn't illegal. >>> >>> >> >>> >>> >> It's definitely not a "1337 hack" but it's a nice way to show >>> >>> the >>> >>> >> types of things that can be done without getting in too much >>> >>> trouble. >>> >>> >> >>> >>> >> -Andrew >>> >>> >> >>> >>> >> On 5/3/10, Chris Clymer < >>> >>> <mailto:[email protected]>[email protected] >>> >>> <mailto:[email protected]>> wrote: >>> >>> >>> Rather than a live demo, better tactic might be telling a >>> >>> story about >>> >>> >>> a vulnerability in joe sixpack terms. The pizza coupon thing >>> >>> >>> (dominos?) a few months back is a good example. >>> >>> >>> >>> >>> >>> I see a lot of downsides to letting folks at a party pressure >>> >>> you into >>> >>> >>> a live demo. You are basically allowing strangers to SE you. >>> >>> If you >>> >>> >>> show a successful demo, you just know the next question will >>> >>> come: so >>> >>> >>> can you hack into so-and-so's facebook account? ;) >>> >>> >>> >>> >>> >>> When you consider the potential for demo fail too, this is >>> >>> really a >>> >>> >>> lose/lose situation :( >>> >>> >>> >>> >>> >>> ------------------------- >>> >>> >>> <http://securityjustice.com>securityjustice.com >>> >>> <http://securityjustice.com> | >>> >>> <http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com> >>> >>> >>> >>> >>> >>> >>> >>> >>> On May 3, 2010, at 11:54 AM, Robin Wood < >>> >>> <mailto:[email protected]>[email protected] >>> >>> <mailto:[email protected]>> wrote: >>> >>> >>> >>> >>> >>>> Hi >>> >>> >>>> At a party the other day I was asked the normal question of >>> >>> what do I >>> >>> >>>> do for a living. I said security and kept it a bit vague but >>> >>> was >>> >>> >>>> pressed so explained what pen-testing is and roughly what I >>> >>> do. I then >>> >>> >>>> got the challenge, prove it, prove you can hack a company. >>> >>> >>>> >>> >>> >>>> People would say to a dentist, prove you can do a filling >>> >>> but >>> >>> this >>> >>> >>>> person insisted they wanted a demo. I explained the >>> >>> legalities and >>> >>> >>>> finally fobbed them off and got away but it got me thinking, >>> >>> has >>> >>> >>>> anyone got any good party tricks that they can pull in this >>> >>> kind of >>> >>> >>>> situation that give an instant wow but are easy to do and >>> >>> legal? Not >>> >>> >>>> quite legal but I was thinking if I knew any big sites with >>> >>> XSS I >>> >>> >>>> could rewrite but none came to mind at that time. >>> >>> >>>> >>> >>> >>>> Robin >>> >>> >>>> _______________________________________________ >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >> >> >> >> -- >> http://www.kingbin.net/ >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
