lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 9 Dec 2007 14:15:52 -0600
From: reepex <reepex@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Flash that simulates virus scan

the next response where simon describes the shortcomings of his company and
his wish to partner with people who actually know security

On Nov 1, 2007 10:36 AM, Simon Smith <simon@...soft.com> wrote:

> I am eagerly awaiting your response to my question. We're looking for
> companies like yours to partner with because we have a lot of overflow
> work. Or at least, I think we are, you haven't told me what company yet.
>
> reepex wrote:
> > I work at a less known security company that bans use of any automated
> > tools unless under extreme circumstances. These include times such as
> > when have 1000s of ip addresses all alive and running random windows
> > versions so we use mass scans to find any unpatched machines. We
> > strictly do not allow 'web scanners' no matter how large the size
> > because they are all crap and its quicker to find the bugs yourself
> > then verify all the false positives any web app scanner creates.
> >
> > How does your company handle these things?
> >
> > On 10/31/07, Simon Smith <simon@...soft.com> wrote:
> > Reepex,
> >         What company are you with? I'm actually interested in finding
> infosec
> > companies that perform real work as opposed to doing everything
> > automated. Nice to hear that you're a real tester.
> >
> >         With respect to your question, doesn't msf3 have some of that
> > functionality already built into it? Have you already hit all their
> > web-apps?
> >
> > reepex wrote:
> >>>> resulting to se in a pen test cuz you cant break any of the actual
> machines?
> >>>>
> >>>> lulz
> >>>>
> >>>> On 10/31/07, Joshua Tagnore <joshua.tagnore@...il.com> wrote:
> >>>>> List,
> >>>>>
> >>>>>     Some time ago I remember that someone posted a PoC of a small
> site that
> >>>>> had a really nice looking flash animation that "performed a virus
> scan" and
> >>>>> after the "virus scan" was finished, the user was prompted for a
> "Download
> >>>>> virus fix?" question. After that, of course, a file is sent to the
> user and
> >>>>> he got infected with some malware. Right now I'm performing a
> penetration
> >>>>> test, and I would like to target some of the users of the corporate
> LAN, so
> >>>>> I think this approach is the best in order to penetrate to the LAN.
> >>>>>
> >>>>>     I searched google but failed to find the URL, could someone send
> it to
> >>>>> me ? Thanks!
> >>>>>
> >>>>> Cheers,
> >>>>> --
> >>>>> Joshua Tagnore
> >>>>> _______________________________________________
> >>>>> Full-Disclosure - We believe in it.
> >>>>> Charter:
> >>>>> http://lists.grok.org.uk/full-disclosure-charter.html
> >>>>> Hosted and sponsored by Secunia - http://secunia.com/
> >>>>>
> >>>> _______________________________________________
> >>>> Full-Disclosure - We believe in it.
> >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>>> Hosted and sponsored by Secunia - http://secunia.com/
> >
> >>
>
> --
>
> - simon
>
> ----------------------
> http://www.snosoft.com
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ