I've been lurking for a long time here now, finally strong enough to post.
I've been with an idea in my head for a long time. I love scripting small things, but i barely do something with it because it never really does something.
I work in an IT company. The people I work with (but also my customers) think security is not important... Webhosting, wireless networks, RDP, VPN, all that stuff. They barely secure it... With a simple password mayby.
I want to show them their security sucks ass! I want to show everybody it sucks, not just by breaking in the system, but really SHOWING IT!
I need help with a script, this is the information i need:
- What language?
- script: lock mouse and keyboard OR lock application + all windows keybinds (alt+tab, alt+f4, etc).
- load an image (so it's not stored locally)
- what extention? .exe?
I'm getting sick of people thinking to easy about computers, people have to LEARN that it's not safe to just put a WEP/WPA code on their router and be done with it.
Show them that virusscanners are plain bullshit to intruders.
I'm getting tired of these people who keep saying "yah, but i pay 50 euro's each month for my virus-scanner so i'm save"...
So /prog/, what do you think about it? Could you help atleast with the language?
Name:
Medic2012-08-03 14:49
For language, you're going to want to go for either C++ or just plain C. Doing this wouldn't be too hard at all, in fact I would say it would be easy. You should learn more about the Windows Architecture and what happens behind the scenes, and learn how the OS works. (Learn what the stack is, what buffer overflow is, etc etc)
Locking the keyboard and mouse could be simple, and you could even remap the keyboard if you want (Make Alt+F4 pull up a smiley face picture or something, or make it so whenever they press "E" it types a "C".) For extension, you're going to want to go for an .exe. I doubt you care enough to make it kill the antivirus or inject in DLLs or anything, so I'm not going to bother with that. To load an image, you HAVE to store it locally unless you're opening it in a web browser. Also, you're going to have to get someone to run the program (You could just name it Firefox.exe and delete the firefox icon on the desktop and replace it with your virus, it's as easy as that) for it to work.
If you want maximum lulz, you could make it uninstall all the drivers, then replace the .exe for the windows driver repair with an .exe that just pulls up a funny picture.
Anyway, hit me up here if you have any more questions.
You only get fired that way.
Dont bother, just wait till their asses get owned and laugh.
Stupid and naive people will stay stupid and naive.
Name:
Anonymous2012-08-03 14:51
>>1 The people I work with (but also my customers) think security is not important...
Security is harmful! Only terrorists and paedophiles want computer security; after all, what do you fear if you have nothing to hide??
Name:
Medic2012-08-03 14:54
>>3 I like your name. Can you wait for the new VIPTronic album? I'm dying for it.
Anyway, wouldn't you rather teach the stupid people their mistakes, rather then let them learn by getting their Credit Card stolen because they got their computer hacked by a hacker who was actually malicious?
>>4 I almost raged at you until I read the entire post. Nice trolling there. And anyway, in the eyes of the government, aren't we all terrorists?
Name:
Lizzy2012-08-03 15:01
>>2
I was more thinking about making a autorun script on the PC, that when selected it will implent the "virus" in the map Start up. It's not ment to be really harmfull, just more like a little shock.
People don't learn when you tell them, people learn when you let them feel it.
>>4
With no security somebody can easily break into you network, then break into your pc. When he is in your pc he can post CP on the internet. Also, I've seen ALOT of nude pictures on customers computers. They think that when a virus is implented on their computer it is "broken" and has to be reinstalled. To bad windows has a nice save-mode and it works 9 out of 10 times. Lurk pictures > Profit.
I don't do anything with the pictures beside of laughing.
Shame on me, I red it and had to reply in an instant.
No time to read it a second time/think about it.
But still i've made my point again how stupid people are.
Offtopic, i don't understand why you would make nude pics of yourself and store them in your picture folder.
>stupidity level /sane
I've seen ALOT of nude pictures on customers computers.
pics or it didn't happen
Name:
Anonymous2012-08-03 16:48
delete the exif so you dont get blackmailed
Name:
Medic2012-08-03 21:46
Aaaannnndddd now this thread has turned into a troll thread, providing you with no useful information whatsoever.
But what do you mean an autorun script? Do you have access to the computers you want to infect? So, are you saying just have an exe file added to the "Start at windows boot" list of programs?
So... basically, you want to do unauthorized pen testing against your company to 'show them how crap their security is.."
Why don't you drop a grand and pre order one of those pwnie express power pwns or other goodies?
ps. 99% of av doesn't do shit.
pps. this sounds like a good way to get fired or just a bad idea in general.
You should just try to talk the higher-ups into letting a real security professional come out and demonstrate just how easily there shit can be fucked up on so many levels -- including the physical level. IMO, the physical level of security is the one most commonly overlooked and often it's the biggest gaping vuln in a system like the one you described.
no one ever thinks about security until it's too late.
ppps. I just don't get what you are trying to do.. everything you need as far as tools to achieve your goals already exist and mostly in the open source. There is no need to "write" anything, unless you want to get really fancy, but there really isn't any need for that.
Don't do anything yourself, unless thats what you are paid to do - is my advice. Look into hiring a physical pen tester to come out (under cover, of course) and do his thing... when they see just how easily they can be physically pwned (physical access>anything else) its WILL scare them straight.
pppps. 99.9% of AV is a fucking fraud, scam and joke. It's just a little token which helps dumb people FEEL safer, but it doesn't really do shit. I know for a fact, the same people that work for many AV vendors at day are getting paid by someone else to write exploits come night. There ARE better ways to secure a system at the applications layer, but most AV isn't one of them.
As an aspiring security professional, this is literally the most common question people ask me... "what AV do you recommended" , security people here this question more than anything else X 9000. I don't really have a good answer right now.