#asknostr So this is a bit of a long one.

TL;DR: "Hacking" tools recommendations?

In the scope of a data safety ("Datenschutz") class, my class is told to run around the school and discover things that they shouldn't be able to in regards to data safety and privacy. Since I am almost blind and running around like a numpty isn't exactly my kinda beer, I was instead told to "sit in a room with a laptop ;)"

So, I need tooling. The typical Parrot/Kali and nmap are a no-brainer. But what other tools do you know of that I could throw at this school network? The only restriction: I can NOT interfere with the daily activity. Sniffing and such is totally legit, but I can not bring it down - however, I _can_ bring it under my control.

Best-case scenario for me would be to just present the domain admin creds to my teacher. No further comment, just the creds. xD But it ain't that easy, let alone that easy to pull off within 90 minutes.

So, throw me some of that "good stuff" you know of. =)

Discussion

I would recommend against such an amateur penetration test. It is not a good idea from a legal point of view and might have an impact on the network, because when used improperly, "hacking tooling" can be accidentally used to conduct Denial of Service.

I am fully aware of that, and most definitely not a novice.

But the last time I dealt with this in a proper, non-theoretical way, was when Metasploit Framework was "the thing to use" - which it really isn't anymore, as far as I can tell.

So, I want to seek the proper alternatives. I have until Thursday to learn them, which is enough time to cover the basics, and probably more than enough for what I need.

This class assignment is rather basic, but I do want to deliver something - so, this is a great opportunity to learn those tools! ^^

I didn't mean to offend you; it seems I incorrectly assumed that it is the task for your students to try to breach the school network.

As for a Metasploit alternative and "Kali/ParrotOS + nmap being a no-brainer" - I think you are mixing up different stages of an attack as per the Cyber Kill Chain framework. There are a lot of scripts and tooling available, and they are developed to solve some specific task well.

Metasploit is mostly used for the weaponization and exploitation stages. And personally I see nothing wrong with using it to demonstrate a basic attack.

I don't think there are good open-source drop-in replacements for it, but I consider manually demonstrating the exploitation of a specific vulnerability a good option, but I am not sure if your goal is to cover some technical aspects of red team or something else.

All good! But you were half-right; I am the student, and it is indeed my task. =) And mine alone, since I am the only blind student in the class - it's the alternative to the "physical hacking", if you will.

> Metasploit is mostly used for the weaponization and exploitation stages

Duly noted! That is what I had known about it too. But, as said, it's been a good while since I last put my eyeballs on it. Last time I had brought it up - here on Nostr, no less - I was told that it was "outdated". o.o

The stated goal of this assignment is to:

- Find any kind of data that a mere student shouldn't be able to find.

Granted, I _am_ allowed to utilize the full arsenal of my knowledge in Linux, networking and therein. So the goal given to me in particular is to:

- Find any kind of attack vector that would allow exfiltration of data that I shouldn't be able to get.

The class is about stuff like the GDPR and friends - and since the handling of private/sensitive data also includes securing it, this is where I come into play. Simply said, I am supposed to pentest our school and see how much damage I can do by just hooking up my laptop to their LAN.

Assume this rather generic scenario: Dude walks in and masquerades as a student, plugs into a LAN outlet (there's more than enough of those around) and starts to "do stuff". I am supposed to do that stuff, and this is why I am looking into prepping.

Thank you for the pointers and insights, I will keep those in mind! :)

If you've got more, I'd be more than happy to have 'em =)

I can’t help, but good luck!

Turn on the microphone of your laptop. Record everything.