I think.... We have a winner! Mubix!
Have your own "bank" to break into? Brilliant!!

On Tue, May 4, 2010 at 9:04 PM, Rob Fuller <[email protected]> wrote:
> You could always have HackMeBank on a VM at home "SSH home to your
> tools" (covertly setting up your -D 8080) and "attack" a bank. Minor
> tweaks to logos and account balances might be in order, but "breaking
> in" to an account with 13 million dollars would impress most ;-)
>
> --
> Rob Fuller | Mubix
> Room362.com | Hak5.org | TheAcademyPro.com
> Ignore this:
> x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>
> On Tue, May 4, 2010 at 4:55 PM, Craig Freyman <[email protected]> wrote:
> > My wife gets the same treatment. Using SET is the easiest way to make
> > a point to non-technical people. Between the site cloning and the Java
> > applet method in SET (which is still undetected by most AVs), you can
> > grab their attention.
> >
> > On Tue, May 4, 2010 at 2:19 PM, Chris Blazek <[email protected]> wrote:
> >>
> >> To try and convince my wife to be very careful of public networks I
> >> did a little ARP poison and cranked up webspy. I had her go into the
> >> other room and pull up whatever website she wanted and then come and
> >> look at what I had on my laptop. :)
> >>
> >> I have folks telling me I'm just paranoid and overreacting. When I
> >> show them a little MITM attack, they all see my point.
> >>
> >> Another fun thing to do is load BeEF into a crafted web page. Have
> >> someone visit it and use one of the tools in the framework. :)
> >>
> >> On Tue, May 4, 2010 at 12:37 PM, Robin Wood <[email protected]> wrote:
> >>>
> >>> On 4 May 2010 18:36, Larry Pesce <[email protected]> wrote:
> >>> > He is, and I know of....I mean Bob knows of a setup similar to this.
> >>> > I'll see if I can get Bob to share his properly sanitized Asterisk
> >>> > config to do so.
> >>>
> >>> That would be good.
> >>>
> >>> >
> >>> > - L
> >>> >
> >>> > On 5/4/10 10:45 AM, Chris Clymer wrote:
> >>> >> I'm assuming Mick is referring to Asterisk
> >>> >>
> >>> >> -------------------------
> >>> >> securityjustice.com <http://securityjustice.com> |
> >>> >> chrisclymer.com <http://chrisclymer.com>
> >>> >>
> >>> >> On May 3, 2010, at 11:37 PM, Michael McGrew <[email protected]> wrote:
> >>> >>
> >>> >>> Michael,
> >>> >>>
> >>> >>> I remember hearing about that software on a PDC episode. It has a
> >>> >>> name, do you know what that is? It was either the name of the
> >>> >>> software or they just gave the "attack" a catchy name.
> >>> >>>
> >>> >>> Thank you
> >>> >>>
> >>> >>> On Mon, May 3, 2010 at 7:00 PM, Michael Douglas <[email protected]> wrote:
> >>> >>>
> >>> >>> I got a little late to the party... this is *not* a hack, but it
> >>> >>> shuts everyone the hell up because it scares them. And I've never
> >>> >>> had any follow up questions.
> >>> >>>
> >>> >>> Here's what you do. It costs a few dollars (pounds in your case
> >>> >>> right?), but it's so worth it. ssh into a server that's running
> >>> >>> some form of VoIP software. (Skype can work for you I suppose, but
> >>> >>> I don't know CLI for Skype) Set up a call group that has the phone
> >>> >>> number of a good amount of people at the party... the more numbers
> >>> >>> you have, the better. Have the VoIP software call the group all at
> >>> >>> once (the PC to phone rate is where you have to spend $) ... all
> >>> >>> phones ring at the same time. Even stranger, when they answer the
> >>> >>> call, they are all talking to each other. Warning: the effect is
> >>> >>> highly creepy. I thought folks would think it was funny (cause it
> >>> >>> is!) but it really freaked everyone out.
> >>> >>>
> >>> >>> That said, I tend to laugh off the "prove it" requests, unless
> >>> >>> it's some hot girl... in which case I wake up from my pleasant
> >>> >>> dream and remember there are no parties where hot ladies are
> >>> >>> asking anyone to show 1337 skills. ;-)
> >>> >>>
> >>> >>> - Mick
> >>> >>>
> >>> >>> On Mon, May 3, 2010 at 5:27 PM, Robin Wood <[email protected]> wrote:
> >>> >>> > Thanks for all the suggestions, I think I like this one the
> >>> >>> > best, I might set something up on a site so I can access it from
> >>> >>> > my phone. Tie this with an SMS service I've got that lets me
> >>> >>> > specify the sender number I could have some fun. Email and SMS
> >>> >>> > the person from someone else in the room.
> >>> >>> >
> >>> >>> > Robin
> >>> >>> >
> >>> >>> > On 3 May 2010 20:55, Andrew Ellis <[email protected]> wrote:
> >>> >>> >> A trick I've used for a while is keeping a protected email
> >>> >>> >> spoofing form on my web server. That way when I'm asked to
> >>> >>> >> "demo" my skills, I can simply send the person an email from
> >>> >>> >> themselves or the like.
> >>> >>> >>
> >>> >>> >> This has the advantage of looking pretty cool to laymen and, as
> >>> >>> >> far as I know, isn't illegal.
> >>> >>> >>
> >>> >>> >> It's definitely not a "1337 hack" but it's a nice way to show
> >>> >>> >> the types of things that can be done without getting in too
> >>> >>> >> much trouble.
> >>> >>> >>
> >>> >>> >> -Andrew
> >>> >>> >>
> >>> >>> >> On 5/3/10, Chris Clymer <[email protected]> wrote:
> >>> >>> >>> Rather than a live demo, better tactic might be telling a
> >>> >>> >>> story about a vulnerability in Joe Sixpack terms. The pizza
> >>> >>> >>> coupon thing (Dominos?) a few months back is a good example.
> >>> >>> >>>
> >>> >>> >>> I see a lot of downsides to letting folks at a party pressure
> >>> >>> >>> you into a live demo. You are basically allowing strangers to
> >>> >>> >>> SE you. If you show a successful demo, you just know the next
> >>> >>> >>> question will come: so can you hack into so-and-so's Facebook
> >>> >>> >>> account? ;)
> >>> >>> >>>
> >>> >>> >>> When you consider the potential for demo fail too, this is
> >>> >>> >>> really a lose/lose situation :(
> >>> >>> >>>
> >>> >>> >>> -------------------------
> >>> >>> >>> securityjustice.com <http://securityjustice.com> |
> >>> >>> >>> chrisclymer.com <http://chrisclymer.com>
> >>> >>> >>>
> >>> >>> >>> On May 3, 2010, at 11:54 AM, Robin Wood <[email protected]> wrote:
> >>> >>> >>>
> >>> >>> >>>> Hi
> >>> >>> >>>> At a party the other day I was asked the normal question of
> >>> >>> >>>> what do I do for a living. I said security and kept it a bit
> >>> >>> >>>> vague but was pressed so explained what pen-testing is and
> >>> >>> >>>> roughly what I do. I then got the challenge, prove it, prove
> >>> >>> >>>> you can hack a company.
> >>> >>> >>>>
> >>> >>> >>>> People would say to a dentist, prove you can do a filling but
> >>> >>> >>>> this person insisted they wanted a demo. I explained the
> >>> >>> >>>> legalities and finally fobbed them off and got away but it
> >>> >>> >>>> got me thinking, has anyone got any good party tricks that
> >>> >>> >>>> they can pull in this kind of situation that give an instant
> >>> >>> >>>> wow but are easy to do and legal? Not quite legal but I was
> >>> >>> >>>> thinking if I knew any big sites with XSS I could rewrite but
> >>> >>> >>>> none came to mind at that time.
> >>> >>> >>>>
> >>> >>> >>>> Robin
> >>> >>> >>>> _______________________________________________
> >>> _______________________________________________
> >>> Pauldotcom mailing list
> >>> [email protected]
> >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >>> Main Web Site: http://pauldotcom.com
> >>
> >> --
> >> http://www.kingbin.net/
