On 5 May 2010 14:14, Bugbear <[email protected]> wrote:
> Guy pestering you sounds like a tool. Personally I would have told him
> to get away from me or I was going to demonstrate how a nose bleeds.
> That wouldn't fit your "legal" requirements I suppose and I have been
> told I need to manage my anger ;)

It's only happened once and I did just abandon the guy, but I was thinking if it had happened at one of the dull parties that I occasionally get dragged to, the chance to get out a machine and do some showing off might outweigh sitting around getting bored.

Robin

>
> On Tue, May 4, 2010 at 11:04 PM, Rob Fuller <[email protected]> wrote:
>> You could always have HackMeBank on a VM at home "SSH home to your
>> tools" (covertly setting up your -D 8080) and "attack" a bank. Minor
>> tweaks to logos and account balances might be in order, but "breaking
>> in" to an account with 13 million dollars would impress most ;-)
>>
>> --
>> Rob Fuller | Mubix
>> Room362.com | Hak5.org | TheAcademyPro.com
>> Ignore this:
>> x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>>
>> On Tue, May 4, 2010 at 4:55 PM, Craig Freyman <[email protected]> wrote:
>>> My wife gets the same treatment. Using SET is the easiest way to make a
>>> point to non-technical people. Between the site cloning and the Java applet
>>> method in SET (which is still undetected by most AVs), you can grab their
>>> attention.
>>>
>>> On Tue, May 4, 2010 at 2:19 PM, Chris Blazek <[email protected]> wrote:
>>>>
>>>> To try and convince my wife to be very careful of public networks I did a
>>>> little ARP poison and cranked up webspy. I had her go into the other room
>>>> and pull up whatever website she wanted and then come and look at what I had
>>>> on my laptop. :)
>>>>
>>>> I have folks telling me I'm just paranoid and overreacting. When I show
>>>> them a little MITM attack, they all see my point.
>>>>
>>>> Another fun thing to do is load BeEF into a crafted web page. Have someone
>>>> visit it and use one of the tools in the framework.
>>>> :)
>>>>
>>>> On Tue, May 4, 2010 at 12:37 PM, Robin Wood <[email protected]> wrote:
>>>>>
>>>>> On 4 May 2010 18:36, Larry Pesce <[email protected]> wrote:
>>>>> > He is, and I know of....I mean Bob knows of a setup similar to this.
>>>>> > I'll see if I can get Bob to share his properly sanitized Asterisk
>>>>> > config to do so.
>>>>>
>>>>> That would be good.
>>>>>
>>>>> >
>>>>> > - L
>>>>> >
>>>>> > On 5/4/10 10:45 AM, Chris Clymer wrote:
>>>>> >> I'm assuming Mick is referring to Asterisk
>>>>> >>
>>>>> >> -------------------------
>>>>> >> securityjustice.com | chrisclymer.com
>>>>> >>
>>>>> >> On May 3, 2010, at 11:37 PM, Michael McGrew <[email protected]> wrote:
>>>>> >>
>>>>> >>> Michael,
>>>>> >>>
>>>>> >>> I remember hearing about that software on a PDC episode. It has a
>>>>> >>> name, do you know what that is? It was either the name of the software
>>>>> >>> or they just gave the "attack" a catchy name.
>>>>> >>>
>>>>> >>> Thank you
>>>>> >>>
>>>>> >>> On Mon, May 3, 2010 at 7:00 PM, Michael Douglas <[email protected]> wrote:
>>>>> >>>
>>>>> >>> I got a little late to the party... this is *not* a hack, but it shuts
>>>>> >>> everyone the hell up because it scares them. And I've never had any
>>>>> >>> follow up questions
>>>>> >>>
>>>>> >>> Here's what you do. It costs a few dollars (pounds in your case
>>>>> >>> right?), but it's so worth it. SSH into a server that's running some
>>>>> >>> form of VoIP software. (Skype can work for you I suppose, but I don't
>>>>> >>> know CLI for Skype) Set up a call group that has the phone number of a
>>>>> >>> good amount of people at the party... the more numbers you have, the
>>>>> >>> better.
>>>>> >>> Have the VoIP software call the group all at once (the PC to
>>>>> >>> phone rate is where you have to spend $) ... all phones ring at the
>>>>> >>> same time. Even stranger, when they answer the call, they are all
>>>>> >>> talking to each other. Warning: the effect is highly creepy. I
>>>>> >>> thought folks would think it was funny (cause it is!) but it really
>>>>> >>> freaked everyone out.
>>>>> >>>
>>>>> >>> That said, I tend to laugh off the "prove it" requests, unless it's
>>>>> >>> some hot girl... in which case I wake up from my pleasant dream and
>>>>> >>> remember there are no parties where hot ladies are asking anyone to
>>>>> >>> show 1337 skills. ;-)
>>>>> >>>
>>>>> >>> - Mick
>>>>> >>>
>>>>> >>> On Mon, May 3, 2010 at 5:27 PM, Robin Wood <[email protected]> wrote:
>>>>> >>> > Thanks for all the suggestions, I think I like this one the best, I
>>>>> >>> > might set something up on a site so I can access it from my phone. Tie
>>>>> >>> > this with an SMS service I've got that lets me specify the sender
>>>>> >>> > number I could have some fun. Email and SMS the person from someone
>>>>> >>> > else in the room.
>>>>> >>> >
>>>>> >>> > Robin
>>>>> >>> >
>>>>> >>> > On 3 May 2010 20:55, Andrew Ellis <[email protected]> wrote:
>>>>> >>> >> A trick I've used for a while is keeping a protected email spoofing
>>>>> >>> >> form on my web server. That way when I'm asked to "demo" my skills, I
>>>>> >>> >> can simply send the person an email from themselves or the like.
>>>>> >>> >>
>>>>> >>> >> This has the advantage of looking pretty cool to laymen and, as
>>>>> >>> >> far as I know, isn't illegal.
>>>>> >>> >>
>>>>> >>> >> It's definitely not a "1337 hack" but it's a nice way to show the
>>>>> >>> >> types of things that can be done without getting in too much trouble.
>>>>> >>> >>
>>>>> >>> >> -Andrew
>>>>> >>> >>
>>>>> >>> >> On 5/3/10, Chris Clymer <[email protected]> wrote:
>>>>> >>> >>> Rather than a live demo, better tactic might be telling a story about
>>>>> >>> >>> a vulnerability in Joe Sixpack terms. The pizza coupon thing
>>>>> >>> >>> (Domino's?) a few months back is a good example.
>>>>> >>> >>>
>>>>> >>> >>> I see a lot of downsides to letting folks at a party pressure you into
>>>>> >>> >>> a live demo. You are basically allowing strangers to SE you. If you
>>>>> >>> >>> show a successful demo, you just know the next question will come: so
>>>>> >>> >>> can you hack into so-and-so's Facebook account? ;)
>>>>> >>> >>>
>>>>> >>> >>> When you consider the potential for demo fail too, this is really a
>>>>> >>> >>> lose/lose situation :(
>>>>> >>> >>>
>>>>> >>> >>> -------------------------
>>>>> >>> >>> securityjustice.com | chrisclymer.com
>>>>> >>> >>>
>>>>> >>> >>> On May 3, 2010, at 11:54 AM, Robin Wood <[email protected]> wrote:
>>>>> >>> >>>
>>>>> >>> >>>> Hi
>>>>> >>> >>>> At a party the other day I was asked the normal question of what do I
>>>>> >>> >>>> do for a living. I said security and kept it a bit vague but was
>>>>> >>> >>>> pressed so explained what pen-testing is and roughly what I do. I then
>>>>> >>> >>>> got the challenge, prove it, prove you can hack a company.
>>>>> >>> >>>>
>>>>> >>> >>>> People would say to a dentist, prove you can do a filling but this
>>>>> >>> >>>> person insisted they wanted a demo. I explained the legalities and
>>>>> >>> >>>> finally fobbed them off and got away but it got me thinking, has
>>>>> >>> >>>> anyone got any good party tricks that they can pull in this kind of
>>>>> >>> >>>> situation that give an instant wow but are easy to do and legal? Not
>>>>> >>> >>>> quite legal but I was thinking if I knew any big sites with XSS I
>>>>> >>> >>>> could rewrite but none came to mind at that time.
>>>>> >>> >>>>
>>>>> >>> >>>> Robin
>>>>> _______________________________________________
>>>>> Pauldotcom mailing list
>>>>> [email protected]
>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>> Main Web Site: http://pauldotcom.com
>>>>
>>>> --
>>>> http://www.kingbin.net/
