Moral dilemma


airman_dopey

So I have a bit of a moral dilemma (as the title states). If you guys haven't seen, Shadowblade and I released the passive fingerprinting script about a week ago as a teaser of things we're working on. Well, we are getting closer to releasing our second tool, the cred harvester. Basically this will be an easy-to-use tool incorporating sslstrip, ettercap, urlsnarf, dsniff, hamster & ferret, and ngrep. My dilemma is this: On one of Darren's episodes he shows strings capture credit card numbers. Assuming they work (I haven't had the ability to test it yet) this would give a lot of script kiddies using this site the ability to capture said information extremely easily. It seems to me that there was no problem including it on the pineapple at the time. However, it was pulled due to the tool being too "resource intensive".

My question is this: am I being socially irresponsible by making it super easy for people to capture that type of information? Should I leave it in a private copy of the program and release a defanged version? This probably sounds silly to a lot of the professionals here, but I am only now trying to get from a netadmin/sysad into the security scene and I am looking for a little guidance.

Thank you to anyone willing to offer advice.

Link to comment
Share on other sites

Tools don't make a criminal. Just like guns don't kill people. It's people wielding the gun that point and shoot people. If you feel in your heart it would be abused, and don't want that, it's a personal choice. As a tool for pentesting, and on the job, plenty of pentesters see things they would never ordinarily see, nor need to have access to. But that's what they get hired to do, and then show proof to the people that hired them, "hey, we got xyz, and here is how it impacts your bottom line, financially, and in the public eye." So it comes down to personal preference. The fact you question it tells me your moral dilemma is that you have a good moral compass, and worry about things like this, which shows you care. Preventing script kiddies from abusing tools is not your job though, although you have to ultimately decide what to put in and what to leave out.

BackTrack is used on a daily basis to attack, deface, and attack 1,000s of websites and systems all over the world. Is that what it was designed for? In a word, yes. But by people HIRED and given permission to do so in a professional pentest. We all know that tools on its distro are widely abused and used for people's own nefarious ill-gotten gains, but that is not the responsibility of the tool makers.

If you do decide to leave any credential harvesting tools in the product, just be sure to leave a disclaimer as to what its intended use is for, and that you do not condone the blatant abuse of networks you were not given permission to test, and that you do so at your own risk. In some countries, the laws are very different, and in some parts of the world, even reverse engineering a protocol to find where it's broken is considered a crime, so take it with a grain of salt. Your ethics show concern, which leads me to believe whether it's in the tool or not, you will have no control over who does what with any of it, and it's not your responsibility.

LOIC on SourceForge is a legit tool for stress testing a network. It's also what has gotten 90% of newer, younger members who call themselves Anonymous arrested. It's not the tool that is the problem, but the person wielding it. What people do is their own responsibility, and should go without saying.

Link to comment
Share on other sites

For some it could be considered illegal; for others who understand its true potential, it will just be another ordinary tool designed to detect weakness in a system. Even though you are doing a favor by pointing out a flaw or weakness, I don't believe you are being irresponsible or careless. On the contrary, you are simply making people aware of the dangers and giving them the opportunity to find a solution for it.

Of course, there will always be someone, who will use this tool for their own personal gains and malicious purposes. Just like Digip said, guns don't kill people, people kill people with guns.

Edited by Infiltrator
Link to comment
Share on other sites

What credentials is it that you are worried about making it easy for script kiddies to get? Is it just credit card details that you are worried about?

If so, then you could always get your tool to replace the first 12 digits with X's and leave the last 4 digits. That should be enough for pen-testers to show that credit card details were obtainable without putting the details at further risk of being used. It would also mean that if a script kiddie wants to use your tool for nefarious purposes they would have to actively alter it.

Link to comment
Share on other sites

What credentials is it that you are worried about making it easy for script kiddies to get? Is it just credit card details that you are worried about?

If so, then you could always get your tool to replace the first 12 digits with X's and leave the last 4 digits. That should be enough for pen-testers to show that credit card details were obtainable without putting the details at further risk of being used. It would also mean that if a script kiddie wants to use your tool for nefarious purposes they would have to actively alter it.

Which not many script kiddies will have the programming ability to alter. But it's a very good and valid point.

Link to comment
Share on other sites

Thanks guys. Very good points. I consider myself only a step above script kiddie myself as I'm working in bash scripts to automate a lot of these attacks (and not writing these eloquent tools in better languages), but I do agree that chances are the skiddies would have a difficult time just modifying something like that.

What credentials is it that you are worried about making it easy for script kiddies to get? Is it just credit card details that you are worried about?

If so, then you could always get your tool to replace the first 12 digits with X's and leave the last 4 digits. That should be enough for pen-testers to show that credit card details were obtainable without putting the details at further risk of being used. It would also mean that if a script kiddie wants to use your tool for nefarious purposes they would have to actively alter it.

I like that idea and I think that's exactly what I will do.

Thanks again guys.

Link to comment
Share on other sites
