RE: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]

["Oftedahl, Douglas" <DOftedahl () chittenden com>]

 All,

Aren't we through with this topic?  If not we should be.


r/dougo

________________________________________________________________________
_____________________________________________________


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Pablo Cardoso
Sent: Tuesday, September 16, 2008 7:24 AM
To: pen-test () securityfocus com
Subject: Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]

Yeah, but were you aware that it was Jon who wrote the script in the
first place? So the secretary was just following it... Doesn't seem to
far fetched to me.

BR

On Mon, Sep 15, 2008 at 7:52 PM, Tim March <march.tim () gmail com> wrote:
> I didn't miss the point -- just found the story questionable.
>
>
> T.
>
> Pablo Cardoso wrote:
> > Tim, I'm guessing you missed the point. The secretary called the
> > tech-support of Joe's company, she was the one requesting the
> > /etc/shadow file
> > from the server :P!!!
> >
> > Excellent scenario, Jon, thanks for sharing!
> >
> > Regards,
> > Pablo Cardoso
> >
> > On Mon, Sep 15, 2008 at 2:39 AM, Tim March <march.tim () gmail com>
wrote:
> > > A secretary with access to the '/etc/shadow' file... and the means
to
> > > pull it off of the machine and in to her email client... *giggles to
self*
> > > T.
> > >
> > > Jon Kibler wrote:
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > Erin Carroll wrote:
> > > > > List,
> > > > >
> > > > > Let's take Ray's tangent and run with it. What (if any) ways are
OOO
> > > > > messages useful from a pen-test perspective? How would you use the
> > > > > knowledge
> > > > > that someone is away/on vacation in a pen-test? Would you alter
your
> > > > > techniques or target those accounts specifically in the hopes that
> > > > > brute
> > > > > force or other account specific techniques might have a window to
go
> > > > > unnoticed?
> > > > >
> > > > > I'm just trying to get a conversational ball rolling here. I know
where
> > > > > I
> > > > > would modify my tactics but I'm curious to see what members say. I
know
> > > > > that
> > > > > one area many companies are historically weak is in logging of
security
> > > > > events. Or rather, in having someone actually pay attention to all
> > > > > those
> > > > > alerts.
> > > >
> > > > Okay, since I started this, you're on!
> > > >
> > > > Real world example...
> > > >
> > > > I was teaching a pen-test bootcamp several years ago. One of the
> > > > students (who I will call 'Joe') pooh-poohed the whole OOO message
> > > > issue. He even indicated that he used them all the time, that they
were
> > > > harmless, and they saved him from getting calls to his cell phone
at
> > > > roaming rates when he was out of town. (This was back in the days
before
> > > > nationwide calling plans.)
> > > >
> > > > I then sent Joe a test email message at his work email address. I
got
> > > > back an OOO message saying that he would be out of the office for
two
> > > > weeks of training and would only have very limited email at night.
His
> > > > signature line showed that he was the dep-CSO for his organization.
> > > >
> > > > I then displayed the email for the whole class to discuss. Next, I
> > > > proposed that we demonstrate why OOO messages are an issue.
> > > >
> > > > What I proposed was to social engineer the help desk into providing
> > > > sensitive information. Rather arrogantly, he said, "Sure, why not?
Those
> > > > guys are well trained and would never fall for anything you could
> > > > contrive." We then got permission (in writing) from the CIO, the
CSO,
> > > > and the organization's legal department to do the social
engineering
> > > > attack.
> > > >
> > > > Next, I wrote up a script for a secretary (who I will call 'Sue')
at
> > > > that ed center to use to call the organization's help desk. It
basically
> > > > went as follows:
> > > >
> > > >  Sue: "Hi, I'm Sue with abc training company. One of your
employees,
> > > > Joe, is taking a security course from us and he forgot that he was
> > > > supposed to bring the /etc/shadow file from the user file store
server.
> > > > He needs it to use in class to test password cracking. He asked
that you
> > > > please gzip it and email it to him."
> > > >
> > > >  Help Desk: "Okay, but I will have to check with his manager
first."
> > > >  Sue: "Oh, Joe said that if you needed to verify that he was taking
a
> > > > course from us, just send him an email and the OOO reply it will
have
> > > > everything you need to know."
> > > >
> > > >  Help Desk: "Alright, give me a minute. (Pause) Okay, I guess this
has
> > > > everything I need. But, it says that he has limited email access;
does
> > > > he want it sent to his office email address?"
> > > >
> > > > (This just shows that help desks are trained to be helpful!!!
Despite
> > > > continual security awareness training, the possibility that this
might
> > > > be social engineering attack never even occurred to this guy!)
> > > >
> > > >  Sue: "No, I was just about to tell you that he asked to have you
it
> > > > send to his Hotmail address, which is: joe.... () hotmail com."
> > > >
> > > >  Help Desk: "Okay, no problem, he should have it in about 5
minutes."
> > > > Needless to say, we had just created the hotmail account a few
minutes
> > > > prior to the phone call.
> > > >
> > > > In just a couple of minutes, we owned the shadow file from the file
> > > > server where all user accounts have their data stored. In other
words,
> > > > we now pwned the passwords for every one of his users.
> > > >
> > > > After that b-slap with a clue-by-4, Joe started singing a different
> > > > tune.
> > > >
> > > > Jon K.
> > > > - --
> > > > Jon R. Kibler
> > > > Chief Technical Officer
> > > > Advanced Systems Engineering Technology, Inc.
> > > > Charleston, SC  USA
> > > > o: 843-849-8214
> > > > c: 843-224-2494
> > > > s: 843-564-4224
> > > > http://www.linkedin.com/in/jonrkibler

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

IMPORTANT:  The security of electronic mail sent through the Internet is not guaranteed.  Do not send confidential 
information like social security numbers, tax ID numbers or account numbers via unsecured electronic mail.


The information contained in this communication is intended only for the named recipient(s), may be confidential and 
may contain trade secrets or other information that is exempt from disclosure under applicable law.  Any use, 
dissemination, distribution or copying of this communication by anyone other than the named recipient(s) is strictly 
prohibited.  If you have received this communication in error, please delete the email message.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------