Apologies for not posting recently. I’ve been pretty busy (and still am) with a couple of new projects that require a lot of PR work from me.
Anyways, recently, there was an OOO flame on the SecurityFocus Pen-Test mailing list. Following that, a “real life scenario” was shared by Jon R. Kibler, CTO of Advanced Systems Engineering Technology, Inc.
I was teaching a pen-test bootcamp several years ago. One of the students (who I will call ‘Joe’) pooh-poohed the whole OOO message issue. He even indicated that he used them all the time, that they were harmless, and they saved him from getting calls to his cell phone at roaming rates when he was out of town. (This was back in the days before nationwide calling plans.)
I then sent Joe a test email message at his work email address. I got back an OOO message saying that he would be out of the office for two weeks of training and would only have very limited email at night. His
signature line showed that he was the dep-CSO for his organization.I then displayed the email for the whole class to discuss. Next, I proposed that we demonstrate why OOO messages are an issue.
What I proposed was to social engineer the help desk into providing sensitive information. Rather arrogantly, he said, “Sure, why not? Those guys are well trained and would never fall for anything you could contrive.” We then got permission (in writing) from the CIO, the CSO, and the organization’s legal department to do the social engineering attack.
Next, I wrote up a script for a secretary (who I will call ‘Sue’) at that ed center to use to call the organization’s help desk. It basically went as follows:
Sue: “Hi, I’m Sue with abc training company. One of your employees, Joe, is taking a security course from us and he forgot that he was supposed to bring the /etc/shadow file from the user file store server. He needs it to use in class to test password cracking. He asked that you please gzip it and email it to him.”
Help Desk: “Okay, but I will have to check with his manager first.”
Sue: “Oh, Joe said that if you needed to verify that he was taking a course from us, just send him an email and the OOO reply it will have everything you need to know.”
Help Desk: “Alright, give me a minute. (Pause) Okay, I guess this has everything I need. But, it says that he has limited email access; does he want it sent to his office email address?”
(This just shows that help desks are trained to be helpful!!! Despite continual security awareness training, the possibility that this might be social engineering attack never even occurred to this guy!)
Sue: “No, I was just about to tell you that he asked to have you it send to his Hotmail address, which is: joe….@hotmail.com.”
Help Desk: “Okay, no problem, he should have it in about 5 minutes.”
Needless to say, we had just created the hotmail account a few minutes prior to the phone call.
In just a couple of minutes, we owned the shadow file from the file server where all user accounts have their data stored. In other words, we now pwned the passwords for every one of his users.
After that b-slap with a clue-by-4, Joe started singing a different tune.
Looks like an interesting story, except that I find a number of seeming loopholes in it. Or perhaps it’s just my bad understanding.
- The helpdesk operator knows how to operate Linux and retrieve the /etc/shadow file
- The helpdesk operator has access to the /etc/shadow file =O
- I don’t see any link between “having limited email at night” and the need to send it to a different email account.
Maybe it’s just me. Let’s see how the conversation evolves…
