This document provides an overview of a presentation on practical exploitation and cyberstalking. The presentation introduces tools like Metasploit and Social Engineering Toolkit (SET) and demonstrates how they can be used for both legal and illegal purposes, like cyberstalking. It discusses how easy it is to profile and target individuals online to steal identities or spread misinformation. The document emphasizes that while hacking can be fun, the implications of cyberstalking should be taken seriously due to its potential real-world consequences.
Mechele Gruhn, Microsoft
Are you perfect? We aren't. But we are trying to be better.
Please join us as we share the good, the bad, and the ugly stories of success and failure from the last crazy year, how we plan to improve in the next year, and how you can help.
This session will be targeted at BlueHat attendees both external and internal to Microsoft who interact with the Microsoft Security Response Center for resolution of vulnerabilities as part of coordinated vulnerability disclosure and will share lessons learned from the past as well as a look forward to the future.
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Mazin Ahmed
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and Abroad
http://blog.mazinahmed.net/2016/10/bug-bounty-hunting-swiss-cyber-storm.html
Mechele Gruhn, Microsoft
Are you perfect? We aren't. But we are trying to be better.
Please join us as we share the good, the bad, and the ugly stories of success and failure from the last crazy year, how we plan to improve in the next year, and how you can help.
This session will be targeted at BlueHat attendees both external and internal to Microsoft who interact with the Microsoft Security Response Center for resolution of vulnerabilities as part of coordinated vulnerability disclosure and will share lessons learned from the past as well as a look forward to the future.
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Mazin Ahmed
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and Abroad
http://blog.mazinahmed.net/2016/10/bug-bounty-hunting-swiss-cyber-storm.html
#CSA #Dehradun
XSS Video POC in Yahoo :
https://www.youtube.com/watch?v=I2WKUJn8P7I
Tapjacking bug poc in Android 6.0 Video :
https://www.youtube.com/watch?v=8BcP3Q4ZWXQ
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureNETWAYS
Since the beginning of publications by Edward Snowden last year many of the presumedly exaggerated threat models in cryptography have become reality. When operating sensitive services it's more likely than not that communcation data will be tapped at large carriers as well as internet exchanges and stored indefinitily - this calls for strong and forward-secure encryption.
On the other hand we're faced with the problem that much of the software we're using in the datacenter today is not very secure when it comes to default encryption settings. On top of that, most developers and system administrators are not very fluent in the basic workings of encryption systems.
The talk will give an introduction to SSL/TLS and explain how to check for weaknesses in existing services with tools like nmap, sslscan and sslyze. For common daemons like apache, nginx, exim, postfix and dovecot best practice on improving cryptographic strength will be discussed.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
Slides from a workshop titled Data Privacy for Activists on January 29th, 2017 for the Data Privacy PDX Meetup group.
Workshop included presentation and live demos of:
- leaked credentials
- metadata fingerprinting
- VPN use
- Encrypted Email
Introduction to Cybersecurity | IIT(BHU)CyberSecYashSomalkar
This is going to be series of Events around Cybersecurity, If you are lucky enough try to witness it live on our GDSC chapter.
Link of todays Event : https://gdsc.community.dev/events/details/developer-student-clubs-indian-institute-of-technology-varanasi-presents-introduction-to-cybersecurity-learn-to-hack-series/
Socials :
Website: https://copsiitbhu.co.in
LinkedIn : https://linkedin.com/company/cops-iitbhu
Instagram : https://instagram/cops.iitbhu/
Facebook : https://facebook.com/cops.iitbhu/
GitHub : https://github.com/COPS-IITBHU
#CSA #Dehradun
XSS Video POC in Yahoo :
https://www.youtube.com/watch?v=I2WKUJn8P7I
Tapjacking bug poc in Android 6.0 Video :
https://www.youtube.com/watch?v=8BcP3Q4ZWXQ
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureNETWAYS
Since the beginning of publications by Edward Snowden last year many of the presumedly exaggerated threat models in cryptography have become reality. When operating sensitive services it's more likely than not that communcation data will be tapped at large carriers as well as internet exchanges and stored indefinitily - this calls for strong and forward-secure encryption.
On the other hand we're faced with the problem that much of the software we're using in the datacenter today is not very secure when it comes to default encryption settings. On top of that, most developers and system administrators are not very fluent in the basic workings of encryption systems.
The talk will give an introduction to SSL/TLS and explain how to check for weaknesses in existing services with tools like nmap, sslscan and sslyze. For common daemons like apache, nginx, exim, postfix and dovecot best practice on improving cryptographic strength will be discussed.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
Slides from a workshop titled Data Privacy for Activists on January 29th, 2017 for the Data Privacy PDX Meetup group.
Workshop included presentation and live demos of:
- leaked credentials
- metadata fingerprinting
- VPN use
- Encrypted Email
Introduction to Cybersecurity | IIT(BHU)CyberSecYashSomalkar
This is going to be series of Events around Cybersecurity, If you are lucky enough try to witness it live on our GDSC chapter.
Link of todays Event : https://gdsc.community.dev/events/details/developer-student-clubs-indian-institute-of-technology-varanasi-presents-introduction-to-cybersecurity-learn-to-hack-series/
Socials :
Website: https://copsiitbhu.co.in
LinkedIn : https://linkedin.com/company/cops-iitbhu
Instagram : https://instagram/cops.iitbhu/
Facebook : https://facebook.com/cops.iitbhu/
GitHub : https://github.com/COPS-IITBHU
This presentation is in English; the announcement (beneath) & talk were in Dutch (NL)
OpenTechTalks | Ethisch hacken met Kali
Overheden, bedrijven en particulieren worden steeds kwetsbaarder voor aanvallen van black hat hackers, criminelen die de lekken in computers uitbuiten voor geldgewin of louter om schade te veroorzaken. Daartegenover staan de white hat hackers: zij testen computersystemen op fouten en dichten de lekken voordat malafide hackers inbreken. Tijl Deneut (UGent/Howest) geeft een overzicht van welke vormen van cybercriminalteit er bestaan en hoe je je ertegen kunt wapenen. De focus ligt op Kali Linux, een besturingssysteem dat honderden beveiligings- en testprogramma's bundelt. Volgende vragen komen aan bod: hoe installeer je Kali Linux? Hoe kun je in een veilige omgeving testen? Is ethisch hacken eigenlijk wel legaal? Algemene IT-kennis is aangewezen. Achteraf drinken we een glas in het café van Vooruit.
Explore the world of ethical hacking with CTF (Capture the Flag) in a fun and interactive way. Join us and ensure you bring your laptops to follow along with live CTF challenges. Cybersecurity may seem daunting, but CTF makes it accessible to all.
Since the beginning of publications by Edward Snowden last year many of the presumedly exaggerated threat models in cryptography have become reality. When operating sensitive services it's more likely than not that communcation data will be tapped at large carriers as well as internet exchanges and stored indefinitily - this calls for strong and forward-secure encryption.
On the other hand we're faced with the problem that much of the software we're using in the datacenter today is not very secure when it comes to default encryption settings. On top of that, most developers and system administrators are not very fluent in the basic workings of encryption systems.
The talk will give an introduction to SSL/TLS and explain how to check for weaknesses in existing services with tools like nmap, sslscan and sslyze. For common daemons like apache, nginx, exim, postfix and dovecot best practice on improving cryptographic strength will be discussed.
Things that go bump on the web - Web Application SecurityChristian Heilmann
My talk at the Web Directions North conference in Denver, Colorado. It covers basic technologies and methodologies of attacks of web applications, what we can do against them and a plea for making interfaces more educational about security than scaring users.
Deja vu Security CEO Adam Cecchetti was invited to present the keynote speech at this year's (sold-out!) Hushcon in Seattle. Rich in humorous anecdotes and practical analysis, Test For Echo explores the relationship between time, ken, and the future of computer security.
Special Topics Day for Engineering Innovation Lecture on CybersecurityMichael Rushanan
This particular presentation covers, at a high level, our national cybersecurity initiative. The content targets prospective high school students and delves into areas of computer science, information systems, and policy.
Similar to Practical exploitation and social engineering (20)
Slides from Bsides Lisbon 2023 about practical use cases for AI in cybersecurity - this presentation attempts to build the knowledge of cybersecurity professionals in the world of AI and present a set of tools and techniques they can use on their day to day.
Pixels Camp 2017 - Stories from the trenches of building a data architectureTiago Henriques
We live in a Data-centric era. Nowadays we have at our disposal an enormous variety of services using data. Behind those services there are architectures supporting the flowing and processing of that data. BinaryEdge.io is no exception. Supporting our platform, we have a data architecture processing 1000s of events per second, which was built and is currently maintained by us. In this talk we are going to review the parts that compose a data architecture, and discuss which tools can be used at each step to arrive at a functional architecture. Note that the insights given will not be based of theoretical documents or truckloads of years of experience, but on our own experience of building and maintaining a large scale data infrastructure and architecture
Pixels Camp 2017 - Stranger Things the internet versionTiago Henriques
Much like Eleven and the gang, we at BinaryEdge sometimes are confronted with real monsters. Unlike in the series "Stranger Things" however, the monsters we're faced with take different shapes. Our monsters are usually found in the shape of weird things people connect to the internet. Often we're asked "What is the craziest things you guys have found connected to the internet?" In this talk we intend to answer and show exactly that. If you've seen our previous talks and/or read our "World Security Report" for 2016 (ise.binaryedge.io) you know that we have found some of the weirdest things online. From water dams, to electricity grids, and nuclear laboratory sensors, people simply love connecting things to the internet. And in this talk, we are going to explore the top "things" we've found exposed, talk about the different protocols they use and also allow YOU live on talk to search for your own things! On this talk we will also release our 2017 report, where we show how we detected some of the NSA tools such as Double pulsar. We will also make an interesting reveal on this topic. :)
Webzurich - The State of Web Security in SwitzerlandTiago Henriques
On this talk BinaryEdge looked at the state of the main Websites of Switzerland, we also looked at the 3 pillars that it stands on banking, insurance and pharma and how they looked from an external perspective.
BSides Lisbon - Data science, machine learning and cybersecurity Tiago Henriques
In this talk we will present some techniques that we use on a day to day basis in our research, where we combine our internet-wide data scanning and acquisition platform with ML/Data science techniques which allows us to find things faster or extract results in a more automated way. We will focus on practical cases and examples that even our audience at home will be able to use if they want. A couple of examples we will look at is how to classify images such as VNC screenshots, we will look at network scans and using machine learning to classify them and also the use of natural language processing to analyze CVEs. We will also talk a bit about a data analysis and classification pipeline architecture, we will look at the different technologies and what they do and how they can be used.
We will start by giving a very brief entry to the data science world and talk about:
Technologies
Techniques
How these relate to infosec
Algorithms and how they can be used
How people can come into the world of data and machine learning
Data visualization techniques and what are the best choices for different types of data
A couple of examples we will look at is how to classify images such as VNC or x11 screenshots, OCR, we will look at network scans and using machine learning to classify them and also the use of natural language processing to analyze CVEs. We will look at scoring and classification algorithms and how they can be used on ip addresses and we will talk about the use of learning and how we are applying it in real life.
We will also talk a bit about a data analysis and classification pipeline architecture, we will look at the different technologies and what they do and how they can be used. Some specific examples of our research that should give you an idea of some things we will talk about can be seen here:
https://blog.binaryedge.io/2015/11/10/ssh/
https://blog.binaryedge.io/2015/09/30/vnc-image-analysis-and-data-science/
https://blog.binaryedge.io/2015/08/10/data-technologies-and-security-part-1/
Bruno Morisson e Herman Duarte (http://pt.linkedin.com/in/morisson /http://pt.linkedin.com/in/hcoduarte)
Título: (ab)using SSH - Tips & Tricks for Pentesters and Sysadmins
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
2. Speakers BSc, MSc, CEH, CHFI,thought I was going to be a PhD decided to become a ninja instead. BSc, MSc -Now works for ABBAN Breaking servers, sip trunks, and doing research into VoIP and IMS
3. Synopsis – wrong order, all content Introduction to practical exploitation Introduction to cyberstalking Introduction to Metasploit (short) History of metasploit Modules Exploits Payloads Tools Metasploit fundamentals Vulnerability Scanning MSF Databases commands Client side exploits Post Exploitation Meterpreter Armitage Social Engineering SET Types of attacks Infection Media Practical workshop Ps: I know you have high hopes that it will go by this order, but it wont, we are not that organized, and apologize in advance.
4. Workshop During the practical workshop, you will work in pairs, you will be given an IP address to a virtual machine. The objective of this workshop is very simple PWN the living crap out of these virtual machines using techniques that were taught to you during this presentation and read the file password.txt located at Windows/System32 or /home/just4meeting (depending if you get a windows box or a linux box), and sucessfully create your own account on the remote system.
5. Seriouz Business When presenting, we like to talk about both the fun side of things and the bit about serious implications these “fun things” can have in life. During this presentation you will hear a bit about cyberstalking and how these tools work from a cyberstalker perspective and a victim. To write this part of the presentation we worked along side with the brand new UK National Center for Cyberstalking Research, they are cool people and provided us with lots of data and information. http://www.beds.ac.uk/nccr/news
6. Practical exploitation Q:What do we call practical exploitation? On the interwebz you can find many definitions created by “security professionals”, we are not (security professionals), so here is our definition of practical exploitation: Get root and learn how to use current tools to automate and increase the speed when doing a penetration test. Understand how to use the tools past a script kiddie level – aka being able to extend the tool code if needed or combine multiple tools to achieve a target (!!root!!)
7. Cyberstalking Q: What is CYBERSTALKING? A: Cyberstalking is the use of internet and/or other electronic means to stalk or harass an individual. However cyberstalking can be legal and illegal. (To be explained further)
10. Cyberstalking Remember when 2 slides back we said cyberstalking could be both legal and illegal ? This is what we meant... Lets go through a scenario where Cyberstalking would be legal!
11. Cyberstalking Meet Tiago: As you can see, Tiago is ur average 23 year old stud, he likes to go out and party, when he does so he meetssssssssssssss
13. Cyberstalking Tiago has certain things he likes in girls and things he dislikes! Tiago like more then 500million people has a facebook account So Tiago goes and does a bit of Cyberstalking to decide which girls he wants to be friends with or not. Or even possible future girlfriends.
14. Cyberstalking Even without adding these girls to facebook he gets plenty information sometimes to decide if he wants to go further with them.
15. Cyberstalking So, as you can see this is an example of a situation where cyberstalking is perfectly acceptable and legal. You access public information about someone that is in the “cyber” world. This is also an action done sometimes by companies that are considering hiring a certain person, to get some background information on the person.
17. Cyberstalking – Scenario 2 Tiago also knows his way around computers and specifically security and the tools used in infosec. He also knows how to check securitytube and common security websites for different types of attacks. BLACKHAT ON!
18. Cyberstalking – Scenario 2 Analyzing the profiles Tiago decides he wants to go further and know a bit too much about one of these girls.
19. Profiling Tiago starts by getting all sorts of information he can on this girl that might be useful in any way: From the facebook profile we get that: Her name is Anna Konova She is both a Chelsea and Barça fan She likes Burberry, fashion events, dominoes pizza, and something called SIFE Her favorite music: MJ, Lady gaga, Beyoncé, Alicia Keys, Cheryl Cole Using the information collected from this facebook profile we go to google...
20. Profiling <<- OH LOOK THE SIFE THING Quite a few results lets have a look at a few....
21. Profiling From the facebook profile we get that: Her name is Anna Konova She is both a Chelsea and Barça fan She likes Burberry, fashion events, dominoes pizza, and something called SIFE Her favorite music: MJ, Lady gaga, Beyoncé, Alicia Keys, Cheryl Cole From twitter we get 0 From linkedIN: Project manager at Innovate Went to University of Bedfordshire Is looking for new career opportunities etc etc etc SIFE - SIFE is an international non-profit organization that works with leaders in business and higher education to mobilize university students to make a difference in their communities while developing the skills to become socially responsible business leaders.
22. Going over the line How can all this simple, easily accesible information help Tiago cyberstalk someone? Well let me introduce you to METASPLOIT.
24. DEMO 1 – PDF + Email As you can see it wasn’t an attack hard to setup and easily a real life scenario. For those of you that find that attack complicated, we have something for you later on....
25. A bit more on cyberstalking.... Following we will present some data that was provided to us by the Research Center! coz stats are always fun n giggles!
41. Metasploit Exploitation framework Lots of other tools and utilities First written in PERL Then changed to RUBY (THANK GOD) 3 versions – Pro, Express, free
42. Metasploit nowadays... We wont be able to look at all the different components so we will try to focus on the more commonly used ones.
51. Metasploit – Main Modules Exploits – Main module – used to pwn shit! :] Encoders – Used to transform raw versions of payloads Payload – Used to connect to the shit u pwn!
55. Metasploit - Essentials use module- start configuring module show options - show configurable options set varnamevalue - set option exploit - launch exploit module run - launch non-exploit sessions –i n - interact with a session help command - get help for a command
59. Meterpreter Meterpreter is COOL Meterpreter is VERY COOL Meterpreter because of a thing called RAILGUN = Full access to windows API What does that mean? This is what it means... You cyberstalkers!
61. Back to seriouz This is all good fun, but shows how easy you can “pwn” and cyberstalk some1 or even be cyberstalked. Advices are the usual: Anti virus updated, Software updated, Firewalls up and running (However that probably wont do you much) 2 best advices I can give: Do not read PDF’s, or if u do read them inside google chrome (coz at least ur sandboxed n shit :D ) ANDDDDDDDDDDD
63. KUDOS FILIPE REIS!!!!!!! ONE ELEVEN!!!!! And more FILIPE REIS! He helped recording the demos and is awesome. Center for Research on Cyberstalking for the data provided The girls for accepting that we had to stay up late. Oh and Chris Bockermann, Bruno Morisson and Oli for allowing me to go home yesterday to write these slides instead of getting us drunk.