Penetration Testing mailing list archives

Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]


From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Thu, 18 Sep 2008 10:21:46 -0700 (PDT)

Here's a real example from a recent pentest.  We knew from an OOO that the CSO was on vacation and had limited cell 
phone availability.  We concocted a phony email thread in a text editor with all the headers and message quotes, with a 
fictional conversation between him and our "support technician".  Our social engineer then showed up at one of the 
customer's remote locations to install an "intrusion detection sensor", using a printed copy of the phony email thread 
as his authority.  He was ushered right into the wiring closet, where he installed our device, which was designed to look 
plausibly like something that might be a sensor of sorts.  Now with access into their network from my desk, which could 
have been an arbitrary internet location, we proceeded to explore additional vulnerabilities.  Do you think we found 
any? :)

On Sun, Sep 14, 2008 at 2:01 PM, Erin Carroll <amoeba () amoebazone com> wrote:
List,

Let's take Ray's tangent and run with it. What (if any) ways are OOO
messages useful from a pen-test perspective? How would you use the knowledge
that someone is away/on vacation in a pen-test? Would you alter your
techniques or target those accounts specifically in the hopes that brute
force or other account specific techniques might have a window to go
unnoticed?

I'm just trying to get a conversational ball rolling here. I know where I
would modify my tactics but I'm curious to see what members say. I know that
one area many companies are historically weak is in logging of security
events. Or rather, in having someone actually pay attention to all those
alerts.


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba () amoebazone com
"Do Not Taunt Happy-Fun Ball"




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of ray.hawkins () comcast net
Sent: Saturday, September 13, 2008 2:47 PM
To: Jon.Kibler () aset com; pen-test () securityfocus com
Cc: Jon Kibler
Subject: Re: OOO FLAME

Um - who cares?  If I go on vacation, come back and forget to turn OOO 'off',
then am I really in or am I really out?  Or am I just daring someone to hack
me?  It is no different from the carefully timed light controls people use to
make it appear they are at home while on vacation - if your house is being
cased by anyone with half a brain they'll figure out you really aren't home.
If the actual pesky messages bug you then create a rule to filter them from
your inbox.

Cookies and milk for all.

~Cheers


 -------------- Original message ----------------------
From: Jon Kibler <Jon.Kibler () aset com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<RANT>

Hey y'all,

This is supposed to be a group for pen testers. Isn't it kinda lame
for pen testers to be broadcasting OOO messages to the world?
Especially to other pen testers? Especially from your work email address?

Can you say, "Hack me please! I am not in the office to see what you
are doing to my (choose one or more of the following) network /
servers / web site / database / users."

Come on now, let's get with it! If you have to send OOO messages,
PLEASE at least filter them so that they do not get outside of your
organization -- or, especially to mailing lists!

Every time I post to this group (and other SF groups), I seem to get
about a dozen bounces from either OOO messages or 'you do not have
permission to post to Google groups.'

Which brings up another point: What is with all the Google groups
bounces? If this is a SF auto-post thing, could someone in SF *PLEASE*
obfuscate the sender's email address so s/he does not get all those
(expletive deleted) bounces? If it is the result of some lamer in this
group, will you *PLEASE* find some other way to do the posting without
the author getting flamed for trying to post when they do not have
permission?

</RANT>

Thank you for your indulgence.

Jon K.
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjK/OoACgkQUVxQRc85QlOEeQCeKdcWArFnoPiGIjg+ItDVIVfm
P2IAn3HscnmuK2iTkY7QA/Qb4GEsPT+G
=xWAK
-----END PGP SIGNATURE-----
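Jon's request that OOO messages be filtered so they never leave the organization or reach a mailing list can be enforced as a policy check in front of the auto-responder, which is also the control that would have denied the "CSO on vacation" hint used in the pentest above. The following Python is an added example and not code from anyone in this thread; the internal domain list, the header rules (RFC 3834 Auto-Submitted, the common Precedence bulk/list/junk heuristic, List-* headers, null Return-Path) and the sample messages are all constructed assumptions:

```python
"""Policy check for an out-of-office (OOO) auto-responder.

Added example, not from any post in this thread.  It answers one question:
may an OOO auto-reply be sent in response to this inbound message?  Two
rules, both assumed here as a reasonable policy:
  1. never auto-reply to automated or mailing-list traffic
     (RFC 3834 Auto-Submitted, Precedence: bulk/list/junk, List-* headers,
     empty Return-Path), so the reply never lands in a list archive;
  2. only auto-reply to senders in the organization's own domains, so
     outsiders never learn who is away and for how long.
The domains and sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical internal domains; a real deployment would configure its own.
INTERNAL_DOMAINS = frozenset({"example.com"})

# Precedence values that automatic responders conventionally must not answer.
BULK_PRECEDENCE = frozenset({"bulk", "list", "junk"})


def sender_domain(msg: Message) -> str:
    """Domain of the sender, preferring Return-Path (envelope) over From."""
    raw = msg.get("Return-Path") or msg.get("From") or ""
    _, addr = parseaddr(raw)
    return addr.rpartition("@")[2].lower()


def is_internal(domain: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """Exact match or subdomain of a configured internal domain."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def is_automated(msg: Message) -> bool:
    """True for bounces, list traffic and other mail that must never get an auto-reply."""
    auto_submitted = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto_submitted != "no":                      # RFC 3834: auto-generated / auto-replied
        return True
    if (msg.get("Precedence") or "").strip().lower() in BULK_PRECEDENCE:
        return True
    if any(msg.get(h) for h in ("List-Id", "List-Post", "List-Unsubscribe")):
        return True
    return (msg.get("Return-Path") or "").strip() == "<>"   # null sender = bounce


def should_autoreply(raw_message: str, internal_domains=INTERNAL_DOMAINS) -> tuple:
    """Return (allowed, reason) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    if is_automated(msg):
        return False, "automated or list traffic"
    domain = sender_domain(msg)
    if not domain:
        return False, "no usable sender address"
    if not is_internal(domain, internal_domains):
        return False, f"external sender ({domain})"
    return True, "internal sender"


# Constructed sample messages (not real mail).
INTERNAL_MAIL = """\
Return-Path: <colleague@corp.example.com>
From: A Colleague <colleague@corp.example.com>
To: someone@example.com
Subject: Quick question

Are you around this week?
"""

LIST_MAIL = """\
Return-Path: <listbounce@lists.example.net>
From: Poster <poster@example.org>
To: pen-test@lists.example.net
List-Id: Penetration Testing <pen-test.lists.example.net>
Precedence: list
Subject: Re: OOO FLAME

Thread content here.
"""

EXTERNAL_MAIL = """\
From: Outsider <outsider@example.org>
To: someone@example.com
Subject: Hello

Hi there.
"""

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL_MAIL), ("list", LIST_MAIL), ("external", EXTERNAL_MAIL)):
        allowed, reason = should_autoreply(raw)
        print(f"{name:9s} -> {'REPLY' if allowed else 'suppress'} ({reason})")
```

The automated-traffic check runs before the domain check on purpose: a list post relayed through an internal alias still carries List-* or Precedence headers, and answering it would post the OOO to the whole list, which is exactly the failure Jon describes.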



