Wednesday, August 14, 2013

1-2-3 SET

So yesterday was my second SE campaign to enlighten a subset of our users. Here is a n00b's guide written by a self proclaimed n00b....


So using The Social Engineering Toolkit has been most of my hands-on knowledge when it comes to anything SE. I've only been using it for around 8 months at this point, and I've learned a little bit. When our company decided that it would be too expensive for regular user training we decided to try and make things interesting instead. The plan is still forming, but we've gotten good feedback so far.

The Plan:

The idea is to run a blatantly obvious SE attempt at a subset of users each month from a gmail account. I made the account SET will allow you to auth to gmail to send out the campaign email. The targets will receive a plain html email with a link that takes them to a credential harvester embedded in a cloned website of my choosing. After we obtain their credentials this is what they see:

This slideshow takes them through some normal "don't click shit" information, just in a professional format. I may upload the full slide deck, but it still needs a little work. As time goes on and we get less hits, we'll up the complexity.

First Attempt:

Using ./ from Marcus Carey (@marcusjcarey) I scanned for our domain to pull the first list of users, which got me about 50.

./ -d -l 500 -b google

Every year we fill out an employee survey with a third party company. Since we had just completed it I figured an email about the survey results being in would yield a good hit rate.

The link took them to a clone of Survey Monkey's login page. Which yielded a surprising 15/50 credentials being harvested, 3/50 reports of a suspicious email to our helpdesk, and 1 call from a nurse letting us know that she no longer has any respect for us and has lost our trust.

Second Attempt:

To gather a list of users that are more likely to be targeted from the outside we have an active sender list on our postfix mail filtering box. There are about 600 or so that normally get email from outside addresses, out of the 1,400 total mailboxes we have. I took the first 200 this month and will continue on until everyone has been hit with an easy campaign.

At the beginning of the year we switched to an HR system "in the cloud" that uses AD Federated Services to auth our users. I figured a clone of that site would work well, accompanied with this email.

So far we are at 47/200 and they are still rolling in.

1-2-3 SET:

What Comes Next?
So we're currently working on a database to bind to MS Active Directory and store the results of each month. It would allow us to run reports on most phished users, who each campaign hits, etc. All the data from the xml report will be pulled in also.

Wednesday, August 7, 2013

ldap on Apache to MS Active Directory

So I've recently struggled with ldap syntax in several different programs. Most recently I have setup viewvc on a Centos box to see config diffs easier in RANCID. After going around and around, knowing that I've done this in the past and struggled. I finally figured I should have a central repository for all the random things that I do and forget. So here it is. Part of my httpd.conf that allows for ldap to MS Active Directory.

I have yet to understand why some things have quotes and some don't....but it whatever

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Order allow,deny
    Allow from all

<Location "/">
    AuthType Basic
    AuthName "Whatever You Want Here"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN "CN=ldapuser,OU=Service Accounts,OU=IT,OU=Users,DC=domain,DC=local"
    AuthLDAPBindPassword "InsertPasswordHere"
    AuthLDAPURL "ldap://domain.local/OU=IT,OU=Users,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
    Require ldap-group CN=GroupNameHere,CN=Users,DC=domain,DC=local

Hello World

Creating this blog to document some of the practices, procedures, and tech solutions that I've put into place working in Healthcare IT and IT in general.

I'm a n00b at a lot of things, especially anything *nix related. But through Twitter, Vimeo, and a load of other online help I'm getting a little smarter. One step at a time. :)

You can follow me on Twitter @Infosystir