Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]

From: "Ashvin Oogorah" <ashvin.oogorah () emtelnet com>
Date: Tue, 16 Sep 2008 08:36:19 +0400
It might be questionable but not necessarily impossible.
As a matter of security, we should consider all avenues of attacks.
And social engineering being the least costly, not requiring much IT
skills/expertise, it is quite probable.
It is better to prevent than cure!!



Ashvin Oogorah
Information Security Analyst
Emtel Ltd.
Mobile: +230 421 6080  
Sent from Emtel Blackberry Service

EMTEL Note: SAVE A TREE. Don't print this e-mail unless it's really necessary!
This email and all contents are subject to the following Disclaimer:"<http://www.emtel-ltd.com/email-disclaimer.php>" 
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Tim March
Sent: Tuesday, 16 September 2008 2:52 AM
To: pen-test () securityfocus com
Subject: Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]


I didn't miss the point -- just found the story questionable.


T.

Pablo Cardoso wrote:

Tim, I'm guessing you missed the point. The secretary called the
tech-support of Joe's company, she was the one requesting the
/etc/shadow file
from the server :P!!!

Excellent scenario, Jon, thanks for sharing!

Regards,
Pablo Cardoso

On Mon, Sep 15, 2008 at 2:39 AM, Tim March <march.tim () gmail com>

wrote:

A secretary with access to the '/etc/shadow' file... and the means to

pull it off of the machine and in to her email client... *giggles to
self*




T.

Jon Kibler wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Erin Carroll wrote:

List,

Let's take Ray's tangent and run with it. What (if any) ways are

OOO

messages useful from a pen-test perspective? How would you use the

knowledge

that someone is away/on vacation in a pen-test? Would you alter

your

techniques or target those accounts specifically in the hopes that

brute

force or other account specific techniques might have a window to

go

unnoticed?

I'm just trying to get a conversational ball rolling here. I know

where I

would modify my tactics but I'm curious to see what members say. I

know that

one area many companies are historically weak is in logging of

security

events. Or rather, in having someone actually pay attention to all

those

alerts.



Okay, since I started this, you're on!

Real world example...

I was teaching a pen-test bootcamp several years ago. One of the
students (who I will call 'Joe') pooh-poohed the whole OOO message
issue. He even indicated that he used them all the time, that they

were

harmless, and they saved him from getting calls to his cell phone at
roaming rates when he was out of town. (This was back in the days

before

nationwide calling plans.)

I then sent Joe a test email message at his work email address. I

got

back an OOO message saying that he would be out of the office for

two

weeks of training and would only have very limited email at night.

His

signature line showed that he was the dep-CSO for his organization.

I then displayed the email for the whole class to discuss. Next, I
proposed that we demonstrate why OOO messages are an issue.

What I proposed was to social engineer the help desk into providing
sensitive information. Rather arrogantly, he said, "Sure, why not?

Those

guys are well trained and would never fall for anything you could
contrive." We then got permission (in writing) from the CIO, the

CSO,

and the organization's legal department to do the social engineering

attack.


Next, I wrote up a script for a secretary (who I will call 'Sue') at
that ed center to use to call the organization's help desk. It

basically

went as follows:

  Sue: "Hi, I'm Sue with abc training company. One of your

employees,

Joe, is taking a security course from us and he forgot that he was
supposed to bring the /etc/shadow file from the user file store

server.

He needs it to use in class to test password cracking. He asked that

you

please gzip it and email it to him."

  Help Desk: "Okay, but I will have to check with his manager

first."


  Sue: "Oh, Joe said that if you needed to verify that he was taking

a

course from us, just send him an email and the OOO reply it will

have

everything you need to know."

  Help Desk: "Alright, give me a minute. (Pause) Okay, I guess this

has

everything I need. But, it says that he has limited email access;

does

he want it sent to his office email address?"

(This just shows that help desks are trained to be helpful!!!

Despite

continual security awareness training, the possibility that this

might

be social engineering attack never even occurred to this guy!)

  Sue: "No, I was just about to tell you that he asked to have you

it

send to his Hotmail address, which is: joe.... () hotmail com."

  Help Desk: "Okay, no problem, he should have it in about 5

minutes."


Needless to say, we had just created the hotmail account a few

minutes

prior to the phone call.

In just a couple of minutes, we owned the shadow file from the file
server where all user accounts have their data stored. In other

words,

we now pwned the passwords for every one of his users.

After that b-slap with a clue-by-4, Joe started singing a different

tune.


Jon K.
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjNccsACgkQUVxQRc85QlOwCwCgl54SNlQMmB6/USWoYaKXTGiz
74kAoIuGzu3M2pYIcOuiQNiVewO478Rd
=BBer
-----END PGP SIGNATURE-----




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.






------------------------------------------------------------------------




------------------------------------------------------------------------

This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar


------------------------------------------------------------------------

--
Tim March
P: +61 (0)406 577 276
E: march.tim () gmail com



------------------------------------------------------------------------

This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar


------------------------------------------------------------------------






------------------------------------------------------------------------

This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar


------------------------------------------------------------------------





------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: