What if you scanned your external network and found an open LDAP listener offering access to your corporate directory for anyone who happens to stop by? Chat has been a part of the Unix ecosystem since the days of talk, and in 2013 it has morphed to become a critical component of the Linux desktop, many applications, and a link to the world of mobile devices. Ten years ago the fledgling world of instant messaging was in the security spotlight as companies worried about compliance regulation and SPIM. Since that time we've stopped looking, but your instant messaging server's gotten a few new features.
A decade of inattention brings a lot of change, and while we've been distracted by mobile devices SIP and XMPP became the backbone of a suite of communications options. Voice, video, application sharing, mutli-party chat rooms, and even remote pair programming; your software can integrate with all of them by using a friendly XMPP stack in python, Java, C++ and a host of other languages. Large cloud providers offer federated networks so your application can talk to everyone. With such a rich feature set it's no wonder why XMPP is popping up in many new apps, but the transport offers a host of new issues that are waiting to be explored.
This talk focuses on the mechanics of XMPP, XMPP server-to-server federation, and how to query an XMPP system for the services and users that the system offers. We will complete the talk with a discussion of a practical abuse of these queries for passive reconnaissance via a custom tool built on the Swiften library.
Jason Bubolz is a Security Consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. Jason began his career in financial services and quickly followed a startup venture into financial communications software in 2000. In 2006, after serving as security engineer and project manager for a mutli-user messaging and presence product Jason moved to Microsoft in the unified communications space.