Features
- Online Dictionary Attack
- Presence Stealing
- Contact List Stealing
- Single User Flood Mode (Internal)
- Domain Flood Mode (Internal)
- Call Walk (Internal/External)
- Play Spam Audio
- Detailed Report Generation

Dictionary Attack
OAT tests the password strength of Microsoft Office Communication users. In online password breaking mode, OAT attempts to authenticate as a legitimate user. This mode imitates a real outside attack and thus serves as a valuable security auditing tool.
Presence Stealing
The "Presence Stealing" feature forms the basis of every attack module in OAT. Once OAT fetches the contact list (external network) or the SIP-enabled users from the Domain Controller (internal network), it tries to determine their presence status by sending special SERVICE requests to the OCS Server. Subscribing for presence was not officially supported in the UCMA SDK until version 2.0. OAT uses a SOAP-XML message body (not officially supported by Microsoft) to "steal" the presence information.
This presence information is used for launching additional UC attacks against the target users. OFFLINE SIP users are not targeted by OAT in supported attacks.
Contact List Stealing
This feature is used in an external network attack scenario. Once OAT successfully breaks the password of the target user, it first registers itself as the target user. OAT then subscribes for the roaming contacts of the target user and elicits their presence status.
OAT also tries to subscribe for itself and to determine whether someone else has subscribed for the target users. The objective behind subscribing for itself is to enumerate the maximum number of target SIP users for launching attacks from outside the perimeter IP network.
Internal Attack Modes
When launched from the internal network, OAT can flood in the following two modes, which are accessed from the third tab of the OAT user interface:
- Single User Flood Mode
- Domain Flood Mode
Both of these modes are supported only in an internal network attack.
Single User Flood Mode
As the name suggests, this mode is used to flood only a single target user on the network. When it is selected, the attacker is required to enter the SIP URI of the target user in the provided text box.
When the attack begins, OAT uses its Presence Stealing module and attempts to get the presence status of the target user. If the target is not offline, OAT floods the user with 'n' IM messages. The number of spam messages can be specified before starting the attack.
Domain Flood Mode
This mode is completely different and has a higher service impact, as it floods all online users present in the domain. When launched from the internal network, OAT attempts to fetch all SIP-enabled users from the domain controller. This gives access to all users using OCS Communicator within the enterprise network. After OAT elicits the required target base, it determines their presence and floods these users with spam messages.
OAT does not flood offline users because sending offline IM messages is not supported by the OCS server.
Call Walk
Call walking is the process of calling every user in the network. In internal call walking mode, OAT first fetches all of the SIP-enabled users from the domain controller. Armed with their presence information, the attacker can run the call walking exploit. In this attack, OAT places a call to every online user.
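A detection example for the three internal patterns described above, added here and not part of OAT or the original page: it flags a sender by per-recipient IM volume (single user flood) and by recipient fan-out (domain flood, call walk). The normalized event tuple, the thresholds and the example.test URIs are assumptions constructed for illustration, not an OCS log format.

```python
from collections import Counter, defaultdict

WINDOW_S = 60        # sliding window length in seconds (assumed threshold)
PER_TARGET_MAX = 20  # IMs from one sender to one recipient per window (assumed)
FANOUT_MAX = 5       # distinct recipients per sender per window (assumed)

def classify_senders(events):
    """events: (epoch_seconds, kind, sender_uri, recipient_uri), kind is 'im' or 'call'."""
    by_sender = defaultdict(list)
    for ts, kind, sender, recipient in events:
        by_sender[sender].append((ts, kind, recipient))
    findings = defaultdict(set)
    for sender, rows in by_sender.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            # All of this sender's events inside the window opened by event i.
            window = [r for r in rows[i:] if r[0] - start < WINDOW_S]
            im_targets = Counter(rcpt for _, k, rcpt in window if k == "im")
            call_targets = {rcpt for _, k, rcpt in window if k == "call"}
            if im_targets and max(im_targets.values()) > PER_TARGET_MAX:
                findings[sender].add("single-user-flood")  # many IMs, one target
            if len(im_targets) > FANOUT_MAX:
                findings[sender].add("domain-flood")       # IMs to many targets
            if len(call_targets) > FANOUT_MAX:
                findings[sender].add("call-walk")          # calls to many targets
    return dict(findings)

def sample_events():
    """Constructed sample data: three abusive senders and one normal user."""
    dom = "example.test"
    ev = [(1000 + i, "im", f"sip:a@{dom}", f"sip:victim@{dom}") for i in range(25)]
    ev += [(2000 + i, "im", f"sip:b@{dom}", f"sip:user{i}@{dom}") for i in range(8)]
    ev += [(3000 + 2 * i, "call", f"sip:c@{dom}", f"sip:user{i}@{dom}") for i in range(8)]
    # Normal user: eight IMs spread over 35 minutes plus one call.
    ev += [(4000 + 300 * i, "im", f"sip:d@{dom}", f"sip:user{i}@{dom}") for i in range(8)]
    ev.append((5000, "call", f"sip:d@{dom}", f"sip:user1@{dom}"))
    return ev

if __name__ == "__main__":
    for sender, labels in sorted(classify_senders(sample_events()).items()):
        print(sender, sorted(labels))
```

Thresholds need tuning against real traffic, since legitimate broadcast senders such as notification bots also show high fan-out.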
External Attack Modes
External attack is a more realistic attack mode and simulates a real-world attack scenario. After successfully breaking the target user's password from the external IP network, OAT steals the contact list of the targeted user and uses it to build a target victim list.
The attacker can then choose between the following attack modes from the External Network.
The external attack modules are similar to those described above under Internal Attack Modes. The key difference is that OAT is limited in its reconnaissance of victim users from the external network.
Report Generation
OAT has a report generation capability in every attack module. The attacker needs to check the check box if they want OAT to generate a report. Reports contain all steps performed by OAT in the attack process.
These reports can be viewed in the second-to-last tab of the OAT user interface. The attacker can save the selected report in text format.

