RE: Hacking to Xp box

From: chad@mr-lew.com
Date: Sat Sep 03 2005 - 14:24:54 EDT


Juan,
    Another approach would be to create a CD with a
malicious autorun program. You could easily create a little
script to use netcat (nc.exe) to connect out to your machine
and take control of the box with the same privilege level as
the user who loaded the CD. With a little bit of work you
could make a legitimate looking CD of something the CEO
normally uses, and reburn it with something nasty you
implanted. Making it work is simple, the tricky part is just
getting him to put it in his machine. I covered the scenario
for my GCFW practical.
 
http://www.giac.org/certified_professionals/practicals/gcfw/0480.php

    Also, if users have the ability to access personal e-mail
via the web, run a sniffer for a few days and monitor
when the CEO checks his personal e-mail (or anything else
personal with a password). Once you find out a time that he
normally does it, set up a sniffer to capture his traffic
(like ethereal). Then show him how the Follow TCP Stream
option will show you everything he did. I would make sure he
understands beforehand that by proving the point that more
money needs to be spent on security, you may end up showing
a problem that "could" be embarrassing.

    Once you show the CEO the WIIFM (What's In It For Me),
he may be more apt to realize you are raising valid concerns.

Good Luck




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:49 EDT