Question hi guys, can you help? are you familiar with this hardware?

[DRKSKY]

What would this hardware be used for? this hardware will be used as OTH (one time hardware)

Buffalo TeraStation
8TB
5410DNX
4-Bay
NAS - (4 x 2TB)
Overclocked 12x
Overcooked 2x
Price - 1500 Euro (Approx)

MAS - ODL Mod (J Pack)
Octa-Core
REF Modulated
Web - (2 X 2TB)
Overclocked 8x
Overcoocked 2x
Price - 300 Euro (Approx)

De-Crypto R-N
ROM/ZEM Processed
2011 OEMR
Anti-Firewall -(1 x 2TB)
Overclocked 1x
Overcooked 2x
Price - 200 Euro (Approx)

OCR Mod
2x Penta Core
Dubbles+HDD included
VMR 2x
Pitching Speed - 7x
Patcher/DeAuth - (3 x 4TB)
Overclocked 5x
Overcooked 1x
Price - 200 Euro (Approx)

please get back to me, thanks

 

[USAFRet]

Anyone that states their NAS box needs to be overclocked for pen testing is either incompetent, lying straight to your face, or both.

 

[COLGeek]

Why do you say this? do you have experience in web hacking and coding? SQL, RFI and SH?

By the way, he does not claim to be a specialist in hardware, he just requires this list in order to execute the job at hand

There are 100s of years of technical experience commenting in this thread.

 

[USAFRet]

Why do you say this? do you have experience in web hacking and coding? SQL, RFI and SH?

By the way, he does not claim to be a specialist in hardware, he just requires this list in order to execute the job at hand

Experience in coding, SQL in particular?
Yes, 2 or 3 decades worth.

 

[DRKSKY]

Experience in coding, SQL in particular?
Yes, 2 or 3 decades worth.

Does this sound scammy to you, or somewhat shady? Can you suggest any ways I can prove the credibility of this individual? He has already carried out fully comp vulnerability tests on the site and seems to know what he's talking about.

I have already suggested payment on completion but this is not an option apparently.

 

[USAFRet]

For multiple reasons, both scammy and shady.

1. Is this your financial institution? Who is actually underwriting this?
2. "One time use". Who keeps the hardware after?
3. Who recommended this person to you?
4. Needing an overclocked NAS, because...
5. Upfront payment?
6. (speaking from personal experience) Who wrote and approved their actual attack scenario?

I could go on...

 

[DRKSKY]

1. Is this your financial institution? Who is actually underwriting this?

- The financial institution is a client of ours

1. "One-time use". Who keeps the hardware after?

- The hacker lives in Russia (we will not meet face to face) he said we can keep the hardware after the job is complete as he will not be able to use the hardware for hacking again. He also says we can't reuse it because the hardware ID will get traced by the firewall after we disconnect. The targets Firewalls update all over its database regarding suspicious hardware.

1. Who recommended this person to you?

- I was recommended to him through a forum

1. Needing an overclocked NAS, because...

- He says because we need to match the NAS of the target and it needs to be overclocked to make the speed higher than the targets.

1. Upfront payment?

- Yes 85% upfront payment for the hardware and then 15% after completion.

1. (speaking from personal experience) Who wrote and approved their actual attack scenario?

- He wrote the attack scenario himself

 

[USAFRet]

So much wrong with every answer there.

 

[DRKSKY]

So much wrong with every answer there.

So much wrong with every answer there.

any in particular? your advice on this?

 

[USAFRet]

"in particular"? All of it.

The financial institution is a client of ours
So this financial institution has hired you (and your company?) to carry this out.
In turn, you've hired some Russian guy from a forum.
What does the IT dept of the financial institution have to say? Generally, tests like this are done with the full cooperation of ALL parties involved.

we will not meet face to face
But you can keep the (now useless) hardware. When and how is the physical transfer supposed to happen?

He also says we can't reuse it because the hardware ID will get traced by the firewall after we disconnect.
The backend hardware ID does not travel through whatever connection he is going to make.

He says because we need to match the NAS of the target and it needs to be overclocked to make the speed higher than the targets.
The same, or faster? Can't be both.

Yes 85% upfront payment for the hardware and then 15% after completion.
bye bye 85%



your advice on this?
Please let us know what financial institution this is, so I can be sure not to entrust them with any of my money.


Good luck.

 

[COLGeek]

any in particular? your advice on this?

This reads like a bad TV plot that may prove to entertain the audience, but is certainly not based on reaility.

There are legitimate sources to conduct pen testing. This is not one of those instances.

Run, don't walk, away from this disaster in the making.

 

[bignastyid]

I think this has run it's course, especially considering the subject manner is a borderline violation of the forums hacking policy.

Thread Closed

 

[ex_bubblehead]

Agreed. Nothing about this passes the smell test.

 

[mrface]

1 Attain hardware listed - HW not needed; explanation below
2 Bring in hardware from a local vendor - see number 1
3 Install and Pre-Setup Hardware - see number 1 and number 4
4 Start working on target by gaining access by SH aka Session Hijacking (Admin Session) - Buy a low level dual core laptop with 8 gb of ram; install kali sana; banner grab to find what servers or website(since using php) is running, download payload from metasploit or milworm; also see what backup utility they are using; again search milworm/metasploit for backup vulns
5 Once Admin session is hijacked, Inject RFI module to edit PHP file to send user submitted data to another test email in real time. - inject payload with web attack tools from sana exploit php and utilize cross site scripting.
6 Remove logs, fingerprints and footprints and traces from target - from number 4, initiate backup from using payload from number 4, restore from day before "attack"
7 Logout and remove session - Test with few submits - use exfil from sana and wipe util from sana
8 Deliver and finalise with the company if the detection has been made - they wont have detected you
9 Work is done. - work is done

low level dual core laptop with 8gb ram can run 150$ shipped. and you never leave the house. no need for nas or any of that other stuff for that matter.

Cheers,
Cam