Penetration Testing mailing list archives
Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]
From: Tim March <march.tim () gmail com>
Date: Tue, 16 Sep 2008 20:29:09 +0930
I was possibly a little blasé with the wording in my original email. Let me clarify my understanding for you:
The "secretary" mounted a scripted social engineering attack via telephone against the "helpdesk" to obtain the /etc/shadow file from the "user file store server".
Again; I didn't miss the point -- just found the story questionable. Reasonable, maybe, for illustrative purposes -- but questionable from a practical viewpoint.
T.

Hill, Pete wrote:
Sorry Tim, but I think you have missed the point a little, as have a number of others. The secretary was not the one with access to the file. The secretary was the secretary at the education centre that staged the attack. All she did was request the file from "Joe's" company's helpdesk.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tim March
Sent: 15 September 2008 23:52
To: pen-test () securityfocus com
Subject: Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]

I didn't miss the point -- just found the story questionable.

T.

Pablo Cardoso wrote:

Tim, I'm guessing you missed the point. The secretary called the tech-support of Joe's company, she was the one requesting the /etc/shadow file from the server :P!!!

Excellent scenario, Jon, thanks for sharing!

Regards,
Pablo Cardoso

On Mon, Sep 15, 2008 at 2:39 AM, Tim March <march.tim () gmail com> wrote:

A secretary with access to the '/etc/shadow' file... and the means to pull it off of the machine and into her email client... *giggles to self*

T.

Jon Kibler wrote:

Erin Carroll wrote:

List,

Let's take Ray's tangent and run with it. What (if any) ways are OOO messages useful from a pen-test perspective? How would you use the knowledge that someone is away/on vacation in a pen-test? Would you alter your techniques or target those accounts specifically in the hopes that brute force or other account specific techniques might have a window to go unnoticed?

I'm just trying to get a conversational ball rolling here. I know where I would modify my tactics but I'm curious to see what members say. I know that one area many companies are historically weak is in logging of security events. Or rather, in having someone actually pay attention to all those alerts.

Okay, since I started this, you're on! Real world example...

I was teaching a pen-test bootcamp several years ago. One of the students (who I will call 'Joe') pooh-poohed the whole OOO message issue. He even indicated that he used them all the time, that they were harmless, and they saved him from getting calls to his cell phone at roaming rates when he was out of town. (This was back in the days before nationwide calling plans.)

I then sent Joe a test email message at his work email address. I got back an OOO message saying that he would be out of the office for two weeks of training and would only have very limited email at night. His signature line showed that he was the dep-CSO for his organization.

I then displayed the email for the whole class to discuss. Next, I proposed that we demonstrate why OOO messages are an issue. What I proposed was to social engineer the help desk into providing sensitive information. Rather arrogantly, he said, "Sure, why not? Those guys are well trained and would never fall for anything you could contrive." We then got permission (in writing) from the CIO, the CSO, and the organization's legal department to do the social engineering attack.

Next, I wrote up a script for a secretary (who I will call 'Sue') at that ed center to use to call the organization's help desk. It basically went as follows:

Sue: "Hi, I'm Sue with abc training company. One of your employees, Joe, is taking a security course from us and he forgot that he was supposed to bring the /etc/shadow file from the user file store server. He needs it to use in class to test password cracking. He asked that you please gzip it and email it to him."

Help Desk: "Okay, but I will have to check with his manager first."

Sue: "Oh, Joe said that if you needed to verify that he was taking a course from us, just send him an email and the OOO reply will have everything you need to know."

Help Desk: "Alright, give me a minute. (Pause) Okay, I guess this has everything I need. But, it says that he has limited email access; does he want it sent to his office email address?"

(This just shows that help desks are trained to be helpful!!! Despite continual security awareness training, the possibility that this might be a social engineering attack never even occurred to this guy!)

Sue: "No, I was just about to tell you that he asked to have you send it to his Hotmail address, which is: joe.... () hotmail com."

Help Desk: "Okay, no problem, he should have it in about 5 minutes."

Needless to say, we had just created the hotmail account a few minutes prior to the phone call.

In just a couple of minutes, we owned the shadow file from the file server where all user accounts have their data stored. In other words, we now pwned the passwords for every one of his users.

After that b-slap with a clue-by-4, Joe started singing a different tune.

Jon K.

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214 c: 843-224-2494 s: 843-564-4224
http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
--
Tim March
e: march.tim () gmail com
p: 0406 577 276

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------