Yeah, I've got to agree with Kenneth on this one for a number of reasons. It is quite un-ethical first and foremost, and my housemates/family/co-workers KNOW that I can do this sort of thing, but they have *never* seen me do it because I respect their privacy, and frankly I have better things to do. Same thing with lock picking/bumping. I demonstrate it to people when I have to, or to teach them about it, not to 'teach someone a lesson'.
Where do you draw the line at that point? With the power to manipulate systems there is inherently a *lot* of potential that can happen. Sure it was fun when I was 16 to sniff AIM chat logs on public wifi, but again I've got better stuff to do then spy on friends and family (or anyone for that matter). It's a very slippery slope, especially because its hard to impossible to figure out *what* you actually did without seeing you do it. You should *never* use their computers for this kind of stuff anyway. Set up a test environment to show them that it's possible. It might not have the same impact as Sub7's matrix mode (or any kind of thing like that) but it will get at least some of your point across. I also agree with the fact that it won't make *any* difference to anyone. I've told the majority of my family that wireless encryption is necessary because without it I can sit there and sniff personal data, passwords, and credit card numbers with very minimal effort. They *still* have open wireless points. I put security on, they figure out how to take it off, because it's less convenient to enter a password. You can't expect people to have the same level of understanding or concern for security issues like us. We enjoy this as it's our passion, but it's like a mechanic explaining to me why it's not a good idea to accelerate fast out of intersections. He can do tell me till he's blue in the face - I'm still going to do it. It works, and there are no 'deal-breaker' problems with the method I'm using, so why should I change? I understand the want to demonstrate this kind of stuff to people, because you feel like you're not only helping, but you can get praise for being smart. I'm not saying that in a negative way, as that's why the majority of professors do what they do. We like to feel special and smart, and that's not bad or wrong by any means, but security is a process not un-like any other. You need to set up a test environment and start small. Learn about the capabilities of the tools you have, and you'll be much better equipped to use them to do a demonstration. It's like when I first started doing wireless hacking. I of course started with aircrack on backtrack 2, and following tutorials about how to do it without actually knowing what was going on, but the more I started to understand the underlying nonces of it, I became a lot more effective with it. I started branching out and learning about how to do things like de-auth clients and manipulate network access controls that way, instead of just hammering commands I found on the internet into a terminal and hoping for the best. That's the only way you can really hope to achieve something like this. I do get why you want a radical demonstration as tiny demos that don't impact something rarely get paid attention to. Like inserting a ' into a parameter and getting a mysql error. To most people they think "so what, you made an error...", but to us we think "JACKPOT!". It's not until you do a union select and dump everyone's username, password, social security & credit card numbers with a single request the people realize there's a problem. Another thing to keep in mind is that the compromise of a system is a very layered process. There are stable ways (psexec) and unstable ways (b0f) of demonstrating this kind of stuff, but again it requires you to have a depth of knowledge with the stuff you're working with, and to know where your limits should be. While it's true when you play with fire you might get burned, you also learn that fire == hot. There's important lessons to almost anything, the real test is if you can take those lessons and use them constructively. Thanks, Ryan Sears ----- Original Message ----- From: "Kenneth Voort" <[email protected]> To: [email protected] Sent: Wednesday, December 1, 2010 3:58:53 AM GMT -05:00 US/Canada Eastern Subject: Re: [Pauldotcom] Wake up call for friends and family using SET -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The ends cannot justify the means. I would advise against doing anything of this sort, for three reasons: 1. It is unprofessional, unethical, and illegal in nearly every country with a computer law. It is unequivocally banned by any professional organization worth mentioning. An act like this would (to me) be an egregious violation of familial trust and privacy as well. My friends and family know I can break their shit; they trust me not to predominantly because I never have. I can pick most common household deadbolts as well; I however do not demonstrate how easily most common household deadbolts can be picked by breaking into the homes of my family. I ask permission first. 2. It will make no difference. Sure, your family will understand that "you hacked them", but that's about it. I would fathom that the vast majority would understand neither the attack vector used nor any way to prevent a future recurrence. Most people would understand this about as well as they understand why a potato in a tailpipe will stop a car from starting. The passing of little jokes and recipes and pictures and whatnot through email is driven by social factors, and can by extension only be solved with social methods. Many will not only never trust you near a computer again, they will completely ignore you, as they do not have the technical expertise to connect your attack to chain emails and phishing attacks. 3. You may well do permanent damage. Consider that your attack model is predicated on known behaviours of computer systems, and then consider that many machines' logic may already be altered (by malware or otherwise), meaning that your targets' reactions will be undefinable. You may simply end up bluescreening a bunch of boxes, or possibly render some of them unbootable (yes, it has happened). It would be reckless and adversarial to carry this out where you cannot reliably predict the results, especially in light of your inexperience with the tools you intend to employ. For christ's sake, you don't even know that Meterpreter is memory resident only by default. You're playing with fire, and you may well get burned. This sort of unprofessional vigilante hacktivism is exactly why people like me get pulled aside at border crossings by a public that does not understand my profession. I utterly fail to understand why people think this is acceptable while breaking and entering is not. It is illegal, and with very good reason. Violating the privacy of those who trust you to make a point is unacceptable, whatever the reason and whatever the method. I strongly urge you to contemplate the legal, ethical, and possibly destructive (both to computers and friendships) implications of what you are considering. P.S. Your evil scheme may well fail entirely and serve only to both embarrass you and render your future soapbox lectures useless. That bears mentioning as well. On 10-11-30 8:27 PM, Brian Schultz wrote: > I'm tired of explaining to my family the reasons for not opening e-mails or > attachments from unknown > sources and then having them forward me some sketchy e-mail saying "this is > so funny, check it out". > I'm sure there are plenty of you out there in the corporate world that can > relate with your users. > > I figure it's time for me to arrange a wake up call and perform my own > pentest against friends and > family. I figure it would be easy enough to use SET to create a "malicious" > website that will change > their wallpaper and blast an e-mail out to everyone. My only concerns > are...how do I go about > getting Meterpreter off of their machine? The last thing I want to do is > screw up everyone's computer. > > Sorry if this comes across as a dumb question, I haven't played around with > SET or metasploit > before. I'll probably figure this out as soon as I click send but it would be > nice to hear from > someone else or at least a point in the right direction. Thanks - -- Kenneth Voort - kenneth {at} voort <SPAMGUARD> {dot} ca FDF1 6265 EBAB C05C FD06 1AED 158E 14D6 37CD E87F | pgp encrypted email preferred -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAkz2Dk0ACgkQFY4U1jfN6H8q2gCcDtucGQNnDaBUHjS8qHj0zCN/ 4u0AoIhWH/NW9g71w7ffh9p748VZvl4+ =dvA8 -----END PGP SIGNATURE----- _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
