Hi Craig,
I've given a very similar presentation earlier this year, and am shortly dusting
it off to deliver it again to a new audience.
I took a similar approach to show the limitations of traditional security
controls (firewalls, AV, etc.). I have a virtual 'lab' consisting of three
machines which simulate a small office. There is an endpoint desktop system,
running AV (in my case it's AVG Free--kept up-to-date), a server system hosting
shared files and a web site, and a security appliance (Untangle) providing
networking routing, firewall, content inspection, etc.
Lastly, I have a separate 'attacker' system, running Metasploit. I took
Metasploit's meterpreter payload, ran through some AV evasion techniques, and
encoded it up as a VBScript, which I embedded in an innocuous looking Word
document.
I demonstrate that the endpoint system is fully patched and has fully updated
AV. We try to access a few web sites which the security appliance blocks, to
show that it's working. We then open up the suspect Word document, which is
hosted on a professional looking web site, such as you might be sent a link to
in e-mail, IM, etc. The security appliance doesn't see a problem. IE doesn't
see anything wrong with its download checker. We even test the file with AV
manually, just to be sure.
The 'user' opens up the Word document, the meterpreter payload runs, and we
have pwnage.
I then run through a few things in Metasploit: access sensitive files, cracking
passwords and pivoting to attack the server system.
Last time out, I mostly saw open jaws... and LOTS of questions, which was the
purpose of the presentation :)
Good luck!
Dave.
On 2010-09-08, at 4:59 PM, Craig Freyman wrote:
> I'm giving a security presentation to a room full of non IT folks in a few
> weeks. The point I want to drive home is that simply having AV and a Firewall
> doesn't make you bulletproof. There is a big gap between what the bad guys
> can do and what modern security apps can stop or catch. I think one way to
> help bridge this gap would be to raise user awareness and to get users
> thinking about security issues. I believe most users think that with
> AV/Firewall and not clicking on links, they're safe.
>
> I was planning on doing a live demo (crossing fingers) to make this point. I
> will set up a rogue AP ("FreeWIFI Connect to ME!"), connect a client machine
> and then demonstrate some MITM attacks. I'll also throw in some SET to have
> some meterpreter fun. Password stealing, key logging, sound recording etc...
> I know I can't get too technical and if I do, I'll lose the group. I think
> this demo would get their attention but was wondering if anyone has done this
> before and if so, what did you do?
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
--
Dave Ockwell-Jenner, President
Prime Information Security • Because business is risky enough™
www.primeinfosec.com • (519) 772-4929