Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Hacking demo - most spectacular techniques
From: "talisker" <talisker () networkintrusion co uk>
Date: Wed, 3 Oct 2001 22:11:03 +0100

Ilici

Good choice!  it's one thing to scare them witless but I'd suggest that you
take the opportunity to let them know that with a little work (and money)
the problems can be largely fixed.

My suggestion is make it quick, simple and remote

1a. recon.  run a vulnerability scanner against a host and demonstrate the
kind of info your network has on offer to the hacker.

1b. defense.  Run the same attack again this time but with a remotely
installed BlackICE Agent (NNIDS) in full paranoid mode on the target.

This demonstrates not only how quickly a defense can be deployed, but the
lack of returns to the attacker is evidence that the defense works (simple).

Another option is to use an auto responding NIDS to protect the target but
this is a touchy subject.

2a.  attack.  Run one of the many exploits that you mention, but have a Host
IDS installed which will alert on it's use.

2b.  Defense.  Run a host vulnerability scanner against the host that will
auto-fix and close the exploitable hole  SecurityExpressions by Pedestal
will do an NT host in just over a minute, but there are a few others that
are good.  There you go scare and fix

I mentioned remote, it's important to not go near the target machine,(or
they'll cry foul) all the above could be carried out across the globe with
ease.  Attack from a laptop ideally a tiny one like the Toshiba Libretto
(size of a video cassette)

Hopefully the above will not only introduce your sceptics to the threat but
also demonstrate a large proportion of the defense in depth arsenal


-andy
http://www.networkintrusion.co.uk
----- Original Message -----
From: "Ilici Ramirez" <ilici_ramirez () yahoo com>
To: <pen-test () securityfocus com>
Sent: Monday, October 01, 2001 8:53 AM
Subject: Hacking demo - most spectacular techniques


Hi all,

We intend to make a short demonstration of hacking as
part of a longer seminar with more than 100 IT
managers, vice-presindents, and other high-level
morons. The goal is to explain how easy is to hack an
unsecured system or network.

For them to understand and to realize how just only an
unsecured computer could lead to compromise of an
entire business we need to show some hacking examples
real spectacular.

So I need your help to make a top short list. I will
insert here my humble opinion, but I expect more from
all of you experienced pen-testers.

1. Remote VNC install - GUI session on target machine
2. BO2K or Subseven
3. Port redirection with fpipe - a firewall is not
always enough
4. Remote shell with netcat
5. Null session - information gathering with no right

Ilici R

__________________________________________________
Do You Yahoo!?
Listen to your Yahoo! Mail messages from any phone.
http://phone.yahoo.com

--------------------------------------------------------------------------
--
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault