OAT: First ever M$ OCS Assessment Tool Released

Sipera VIPER Lab is in the news again, this time for targeting the award-winning UC solution from Microsoft. VIPER Lab released the first-ever Microsoft Office Communications Server Assessment Tool (OAT) at VoiceCon 2009 in Orlando. The tool, named OAT, was developed to help IT managers and security practitioners evaluate the security architecture of their deployments and ensure that their mission-critical communications and systems are protected.


The tool is written entirely in C# and released under the BSD License. It has a user-friendly GUI with the following features:

  • Online Dictionary Attack
  • Presence Stealing
  • Contact List Stealing
  • Single User Flood Mode
  • Domain Flood Mode
  • Call Walk
  • Play Spam Audio
  • Detailed Report Generation

A detailed description of what these features are and how they can be used can be found here.

Once the Online Dictionary Attack succeeds against the target user, the attacker can launch different attacks against the users configured for Communications Server or against the target user's roaming contacts, depending on the OAT attack mode.

According to the OAT documentation, OAT works in two different scenarios:

  • Internal Network Attack Mode
    • OAT sits inside the corporate network, connects directly to the Front End Pool servers and authenticates against Active Directory, simulating the internal attacker scenario.
  • External Network Attack Mode
    • In this mode OAT can be launched from anywhere on the Internet and connects to the Access Edge Server for presence and IM. It is also authenticated using Active Directory and uses the A/V Edge for other assessment features.

With the release of OAT, it's clear that security researchers are gearing up for the Microsoft UC solution.


