This topic contains 1 reply, has 2 voices, and was last updated by Shaw0xKey 1 month, 4 weeks ago.
- February 21, 2021 at 8:48 pm #365230
As the title says, I’m looking for hacks, tools, tricks that are suitable for demonstrating to non-professionals. As great as pass-the-hash or a buffer overflow is for professionals, they are unsuitable for explaining security to a person without IT affinity.
Here are a few examples of what I am already using:
* MicroJoiner, to quickly and graphically build a “dropper”.
* “Stealing” a browser history, which of course contains dirty pages
* Mimikatz to read Minesweeper from memory. This is a thousand times more understandable than a Kerberos ticket.
* A small software keylogger
* and of course a Rubber Ducky or Teensys
* Accessing the camera of the alleged victim
The important thing is that the effect is obvious and makes the problem understandable.
What else do you suggest?
- February 21, 2021 at 8:48 pm #365231
These are all great methods, I think. What comes to mind further is demonstrating an email phishing attack, a social engineering scenario with caller ID spoofing, and access card cloning. Unless none of these is relevant in the given environment.
- February 21, 2021 at 8:48 pm #365232
A very simple method I use for execs or other audiences is to fire up aircrack/airmon-ng in the room, and watch all their devices beacon for their saved wireless networks. Then show how you can spoof those network names to create fake APs that they will connect to. From there you can show how MiTM or things like SSLstrip work.
- February 21, 2021 at 8:48 pm #365233
Maybe SQL injection. Although that could be hard to understand for people with no database knowledge.
Demonstrations of social engineering and phishing.
Brute forcing weak passwords.
- February 21, 2021 at 8:48 pm #365234
No macros in Office documents?
Easy to create a spreadsheet which entices users to allow macros and then steal all their files / integrate with Outlook to email the doc to all their contacts.
Macros may be disabled in this environment though.
Dodgy browser extensions for stealing user data might be a good demo as well.
- February 21, 2021 at 8:48 pm #365235
Voilà, I log into your bank account.
- February 21, 2021 at 8:48 pm #365236
Not sure if it fits in with the other hacks but maybe phishing? I don’t actually consider it hacking, more like social engineering, but I think it is one of those things your average layman is likely to actually encounter in the wild.
- February 21, 2021 at 8:48 pm #365237
There are many effective and practical vulnerabilities within a TLS attack.