airman_dopey Posted February 8, 2013

So I have a bit of a moral dilemma (as the title states). If you guys haven't seen, Shadowblade and I released the passive fingerprinting script about a week ago as a teaser of things we're working on. Well, we are getting closer to releasing our second tool, the cred harvester. Basically this will be an easy to use tool incorporating sslstrip, ettercap, urlsnarf, dsniff, hamster & ferret, and ngrep.

My dilemma is this: On one of Darren's episodes he shows strings capture credit card numbers. Assuming they work (I haven't had the ability to test it yet) this would give a lot of script kiddies using this site the ability to capture said information extremely easily. It seems to me that there was no problem including it on the pineapple at the time. However, it was pulled due to the tool being too "resource intensive".

My question is this: am I being socially irresponsible by making it super easy for people to capture that type of information? Should I leave it in a private copy of the program and release a defanged version?

This probably sounds silly to a lot of the professionals here, but I am only now trying to get from a netadmin/sysad into the security scene and I am looking for a little guidance. Thank you for anyone willing to offer advice.

digip Posted February 8, 2013

Tools don't make a criminal. Just like guns don't kill people. It's people wielding the gun that points and shoots people. If you feel in your heart it would be abused, and don't want that, it's a personal choice. As a tool for pentesting, and on the job, plenty of pentesters see things they would never ordinarily see, nor need to have access to. But that's what they get hired to do, and then show proof to the people that hired them, "hey, we got xyz, and here is how it impacts your bottom line, financially, and in the public eye." So it comes down to personal preference. The fact you question it tells me your moral dilemma is that you have a good moral compass, and worry about things like this, which shows you care. Preventing script kiddies from abusing tools is not your job though, although you have to ultimately decide what to put in and what to leave out.

BackTrack is used on a daily basis to attack, deface, and attack 1,000's of websites and systems all over the world. Is that what it was designed for? In a word, yes. But by people HIRED and given permission to do so in a professional pentest. We all know that tools on its distro are widely abused and used for people's own nefarious ill-gotten gains, but that is not the responsibility of the tool makers. If you do decide to leave any credential harvesting tools in the product, just be sure to leave a disclaimer as to what its intended use is for, and that you do not condone the blatant abuse of networks you were not given permission to test, and that you do so at your own risk. In some countries, the laws are very different, and in some parts of the world, even reverse engineering a protocol to find where it's broken is considered a crime, so take it with a grain of salt. Your ethics show concern, which leads me to believe whether it's in the tool or not, you will have no control over who does what with any of it, and it's not your responsibility.

LOIC on SourceForge is a legit tool for stress testing a network. It's also what has gotten 90% of newer, younger members who call themselves Anonymous arrested. It's not the tool that is the problem, but the person wielding it. What people do is their own responsibility, and should go without saying.

Infiltrator Posted February 8, 2013

For some it could be considered illegal; for others who understand its true potential, it will just be another ordinary tool designed to detect weakness in a system. Even though you are doing a favor by pointing out a flaw or weakness, I don't believe you are being irresponsible or careless. On the contrary, you are simply making people aware of the dangers and giving them the opportunity to find a solution for it. Of course, there will always be someone who will use this tool for their own personal gains and malicious purposes. Just like Digip said, guns don't kill people, people kill people with guns.

Edited February 8, 2013 by Infiltrator

Jason Cooper Posted February 8, 2013

What credentials is it that you are worried about making it easy for script kiddies to get? Is it just credit card details that you are worried about? If so, then you could always get your tool to replace the first 12 digits with X's and leave the last 4 digits. That should be enough for pen-testers to show that credit card details were obtainable without putting the details at further risk of being used. It would also mean that if a script kiddie wants to use your tool for nefarious purposes they would have to actively alter it.

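The masking Jason Cooper describes above (first 12 digits replaced with X's, last 4 kept), written as a filter for text that already contains card numbers. This is an added example, not part of the thread or of airman_dopey's tool; the function names, the Luhn check used to leave non-card 16-digit numbers alone, and the sample lines are assumptions of the example.

```python
import re
import sys

# 16 digits, optionally grouped 4-4-4-4 by single spaces or hyphens.
# The lookarounds keep the pattern from matching inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")

# Constructed sample lines (4111 1111 1111 1111 is a well-known test number).
SAMPLE = [
    "POST /pay card=4111111111111111&exp=0115",
    "cc: 4111-1111-1111-1111",
    "order id 1234567890123456",  # 16 digits but fails Luhn, so not a card
]


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask(match):
    raw = match.group(0)
    if not luhn_ok(re.sub(r"\D", "", raw)):
        return raw                # not a plausible card number, leave as is
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            seen += 1
            out.append("X" if seen <= 12 else ch)
        else:
            out.append(ch)        # keep the original separators
    return "".join(out)


def mask_pans(text):
    """Replace the first 12 digits of each 16-digit card number with X."""
    return PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    # Use as a pipe stage so unmasked numbers never reach a log or report.
    for line in sys.stdin:
        sys.stdout.write(mask_pans(line))
```

Masking at the point of output, rather than in a later reporting step, means the full number is never written to disk in the first place.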
Infiltrator Posted February 8, 2013

> What credentials is it that you are worried about making it easy for script kiddies to get? Is it just credit card details that you are worried about? If so, then you could always get your tool to replace the first 12 digits with X's and leave the last 4 digits. That should be enough for pen-testers to show that credit card details were obtainable without putting the details at further risk of being used. It would also mean that if a script kiddie wants to use your tool for nefarious purposes they would have to actively alter it.

Which not many script kiddies will have the programming ability to alter. But it's a very good and valid point.

airman_dopey Posted February 8, 2013

Thanks guys. Very good points. I consider myself only a step above script kiddie myself as I'm working in bash scripts to automate a lot of these attacks (and not writing these eloquent tools in better languages), but I do agree that chances are the skiddies would have a difficult time just modifying something like that.

> What credentials is it that you are worried about making it easy for script kiddies to get? Is it just credit card details that you are worried about? If so, then you could always get your tool to replace the first 12 digits with X's and leave the last 4 digits. That should be enough for pen-testers to show that credit card details were obtainable without putting the details at further risk of being used. It would also mean that if a script kiddie wants to use your tool for nefarious purposes they would have to actively alter it.

I like that idea and I think that's exactly what I will do. Thanks again guys.