Look for nice, small, demonstrable hacks understandable for laymen – Digitalmunition




Home Forums Look for nice, small, demonstrable hacks understandable for laymen

This topic contains 1 reply, has 2 voices, and was last updated by  Shaw0xKey 1 month, 4 weeks ago.

  • Author
    Posts
  • #365230

    anonymous
    Participant

    As the title says, I’m looking for hacks, tools, tricks that are suitable for demonstrating to non-professionals. As great as pass-the-hash or a buffer overflow is for professionals, they are unsuitable for explaining security to a person without IT affinity.
    Here are a few examples of what I am already using:

    * MicroJoiner, to quickly and graphically build a “dropper”.
    * “Stealing” a browser history, which of course contains dirty pages
    * Mimikatz to read Minesweeper from memory. This is a thousand times more understandable than a Kerberosticket.
    * A small software keylogger
    * and of course a Rubber Ducky or Teensys
    * Accessing the camera of the alleged victim

    The important thing is that the effect is obvious and makes the problem understandable.

    What else do you suggest?

  • #365231

    Shaw0xKey

    These are all great methods, I think. What comes to mind further is demonstrating an email phishing attack, a social engineering scenario with caller ID spoofing, and access card cloning. Unless none of these is relevant in the given environment.

  • #365232

    Sh00t3rMcg4vin

    A very simple method I use for execs or other audiences is to fire up aircrack/airmon-ng in the room , and watch all their devices beacon for their saved wireless networks. Then show how you can spoof those network names to create fake APs that they will connect to. From there you can show how MiTM or things like SSLstrip work.

  • #365233

    VestigialHead

    Maybe SQL injection. Although that could be hard to understand for people with no database knowledge.

    Demonstrations of social engineering and phishing.

    Brute forcing weak passwords.

  • #365234

    finite_turtles

    No macro in office documents?

    Easy to create a spreadsheet which entices users to allow macros and then steal all their files / integrate with Outlook to email the doc to all their contacts.

    Macros may be disabled in this environment though.

    Dodgy browser extensions for stealing user data might be good demo as well

  • #365235

    vincenttjia

    Session stealing?

    Voila I log into your bank account

  • #365236

    jyggorath

    Not sure if it fits in with the other hacks but maybe phishing? I don’t actually consider it hacking, more like social engineering, but I think it is one of those things your average layman is likely to actually encounter in the wild.

  • #365237

    JoyOfSolitude

    https://tools.ietf.org/html/rfc7457

    There are many effective and practical vulnerabilities within a TLS attack.

You must be logged in to reply to this topic.