Today we're going to try something a bit different. This Wicked Wednesday post is most assuredly not a recommendation that you try out any of these suggestions, but some people might consider messing with people who mess with you to be funny. Adrian Crenshaw, who runs the information security website IronGeek and is also a researcher for Tenacity Institute, recently gave this humorous presentation at Notacon 2011, a conference that "explores and showcases technologies, philosophy and creativity often overlooked at many 'hacker cons'."
"Evil is an art form," Crenshaw said while giving a very amusing Notacon presentation called Funnypots and Skiddy Baiting. In the long run, skiddy baiting is about making a script kiddie hurt themselves when they attempt to hurt you. A funnypot is a bit like a honeypot except the emphasis is on personal entertainment value instead of research. Crenshaw regards neither approach as actually "hacking back," since the attackers are causing harm to themselves. From a legal standpoint, these stunts are for amusement value as opposed to anyone remotely suggesting you try out any of these tactics.
When asked what his motivation was for coming up with this talk, Crenshaw replied, "My motivation for that talk? Well, I always thought it was rather funny to use someone's USI (Unwarranted Self Importance) against them. The idea of making an attacker embarrass themselves when they try to embarrass you appeals to me. I'd read the old joke about giving someone your IP to attack in IRC, then telling them it's 127.0.0.1, and wanted to take it a few steps further."
Crenshaw suggests all kinds of fun tricks, from "packet swatting" to a "lemonwipe" to mess with people who might be trying to mess with you, but here are some of the "safer" highlights.
Many sites use the robots exclusion protocol, a robots.txt file, to tell search engine spiders what content to exclude when indexing a site. Some pentesters and hackers like to peek at robots.txt and then browse those semi-private files that a website owner doesn't want a search engine to index. Crenshaw's tactic was "Robots.txt Trolling," which might leave an attacker somewhat "scarred." After an attacker browses to a "secret" and specially-crafted redirect page, it logs the IP and then forwards the curious one to a shock site. Remember, what has been seen cannot be unseen.
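The logging half of the robots.txt decoy described above doubles as a plain detection signal: nothing links to the bait path, so any client requesting it found it by reading robots.txt or by guessing. The sketch below is an added example, not code from Crenshaw's talk; the decoy path, the `DECOYS` set, and the access-log lines (combined log format) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample robots.txt: /secret-backup/ is a decoy that nothing links to.
ROBOTS_TXT = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /secret-backup/
"""
DECOYS = {"/secret-backup/"}  # assumption: the operator marks which Disallow paths are bait
# Constructed access-log lines (combined log format, documentation IP ranges).
ACCESS_LOG = """\
192.0.2.10 - - [13/Apr/2011:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Apr/2011:10:01:09 +0000] "GET /secret-backup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2011:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleBot/1.0"
198.51.100.7 - - [13/Apr/2011:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
203.0.113.5 - - [13/Apr/2011:10:03:00 +0000] "GET /secret-backup/db.sql HTTP/1.1" 404 0 "-" "curl/7.21"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')

def disallowed_paths(robots_txt):
    """Return the Disallow paths from a robots.txt body (comments stripped)."""
    paths = []
    for line in robots_txt.splitlines():
        field, _, value = line.split("#", 1)[0].partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def decoy_hits(log_text, decoys):
    """Map client IP -> [(timestamp, path, read_robots_first)] for decoy requests."""
    read_robots = set()
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, ts, path = m.groups()
        if path.split("?", 1)[0] == "/robots.txt":
            read_robots.add(ip)
        elif any(path.startswith(d) for d in decoys):
            hits[ip].append((ts, path, ip in read_robots))
    return dict(hits)

if __name__ == "__main__":
    assert DECOYS <= set(disallowed_paths(ROBOTS_TXT))  # bait must be advertised
    for ip, events in decoy_hits(ACCESS_LOG, DECOYS).items():
        for ts, path, via_robots in events:
            print(f"{ip} hit decoy {path} at {ts} (read robots.txt first: {via_robots})")
```

A well-behaved crawler such as the constructed `ExampleBot` reads robots.txt and stays out of the disallowed path, so it never appears in the result.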
Other ideas include:
When it comes to "DNS Fun," I agree with Crenshaw . . . you really should use WPA. However, if your neighbors are using your WiFi:
For the curious who might like to know how to set this up for Web 2.0, an example to "play with traffic" can be seen on g0tmi1k's blog. To see only the effects of the attack, skip to 3:40 in the video.
Another tactic is "fun with portable evil" like thumb drives and other USB devices. Crenshaw pointed out that if an attacker were to mess with you and stick in a USB drive to copy your stuff, a person might decide to suck the data off the attacker's flash drive or install something unpleasant on their USB.
Crenshaw's steps to create a programmable Human Interface Device (HID) USB keyboard dongle were successfully used by penetration testing firm Netragard to pierce a client's network. The client had "excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas." Netragard used a booby-trapped USB mouse. After it was plugged in, it launched malware 60 seconds after user activity.
Homeland Security tested a social engineering ploy of scattering USBs in government and private contractors' parking lots and buildings. Government Security News reported DHS "found that 60 percent of the people who picked up the media plugged them into their computers. For the media labeled with logos, the percentage was even higher - 90 percent." Wham! Infiltration made easy because there still is no patch for human stupidity.
If you want to go beyond patronizing and make fun of a fail, then you might like what Crenshaw previously had set up on his site. If someone attempted an SQL or XSS injection, it triggered "Clippy" with the comment, "Hello, according to PHPIDS it looks like you are trying to pwn my site. Would you like some help with that?" That, in turn, linked them to a tutorial in an effort to "educate" skiddies.
A special thank you to Adrian Crenshaw for his funny presentation and permission to use his images and ideas.