Re: [PEN-TEST] Modem detection without dialing
From: Michael Gough <msecure () SOFTCOM NET>
Date: Tue, 28 Nov 2000 06:37:36 -0700
I have a script for just these sorts of needs. In NT you just need to look for the Registry Keys and can use the "Reg
Query" util from the Res Kit. The key is hitting every system on your network which I accomplish using a script that
hits every IP address that is live on a subnet. I also place a marker file "modem.fnd" so I know I have been to that
machine and can easily look for the existence of the file for follow up.
I have a script if you're interested.
Mgough () softcom net
Email lists - msecure () softcom net
Security is not a goal, it is a process, Security is not a product, it is a
mindset. Security is a never ending task. If you think you are secure...
just wait a few minutes until the next sploit is released.
From: Jason Sheffield [SMTP:jsheffield () AXENT COM]
Sent: Monday, November 27, 2000 10:33 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Modem detection without dialing
Yes, I work for a vendor, but this information should also be useful for
other auditing tools as well. Normally this information should only be
gleaned through the use of a privileged account, host based auditing tool,
but due to the fact that not that many people will restrict the remote
access of the NT registry, a network based scanner or a quick Perl script
might also be able to pick up the below reg settings.
<VENDOR SPECIFIC INFO>
AXENT's Enterprise Security Manager (Host based auditing tool) has the
capability of finding files or registry settings on a platform that an ESM
agent is installed on. The point of this being that you have to know the
location of said file or reg setting. The below settings would be created
in a registry template, set as forbidden, and then added to a Policy to be
used for a scheduled Policy Run. When the Policy run is completed, the
corresponding report will include all of the (in this case) NT servers that
have modems installed.
</VENDOR SPECIFIC INFO>
Under NT to find an installed modem in the registry:
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM] <- A Modem Value
will be defined here with the installed COM port.
[HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\LOADED SERIAL DRIVER RESOURCES] <-
A Modem Key with \Device\*modem Values defined within.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS\TAPI DEVICES] <- The Modem driver
will have a Key here.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\] <- The actual modem
device driver will be located here with a Key that looks like
(Your Values will vary based on the actual modem driver used, so use wild
cards when looking for values such as "*odem", or "mode*").
This can be applied to other platforms as well, NT just happens to be the
platform that I know the best. This technique can also be used to find
trojans, virii, etc. As long as the file location or registry setting is
known, the product can be set to look for it.
AXENT Technologies, Inc.
The Woodlands, Texas
From: Blair, Glenn [mailto:glenn.blair () SCOTIABANK COM]
Sent: Monday, November 20, 2000 1:16 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Modem detection without dialing
I am wondering if there is a product which can detect the existence of a
the need for the modem to be connected? Specifically, in a LAN
administrator/pen tester identify a modem through the network, rather than
through the telephone
Any thoughts would be appreciated.
Sr. Security Specialist
888 Birchmount Rd 6th Floor
tel. (416) 285-2498
fax (416) 288-5055
glenn.blair () scotiabank com
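
The registry check described in the thread, as an added example that is not code from any of the posters or from the products they mention: it scans a `.reg`-style text export for key and value names under the four listed locations that match the `*odem` and `mode*` wildcards. The function names, host names and sample exports are constructed for illustration.

```python
import fnmatch
import re

# Key locations and wildcards as listed in the thread above.
ROOTS = [
    r"HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM",
    r"HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\LOADED SERIAL DRIVER RESOURCES",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS\TAPI DEVICES",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root",
]
PATTERNS = ["*odem", "mode*"]
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=')

def parse_export(text):
    """Yield (key_path, [value_names]); value names get their doubled backslashes undone."""
    key, names = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, names
            key, names = line[1:-1], []
        elif key is not None and VALUE_RE.match(line):
            names.append(VALUE_RE.match(line).group(1).replace("\\\\", "\\"))
    if key is not None:
        yield key, names

def modem_evidence(text):
    """Return sorted (key, matching name) pairs found under the listed locations."""
    hits = set()
    for key, names in parse_export(text):
        root = next((r for r in ROOTS
                     if (key.upper() + "\\").startswith(r.upper() + "\\")), None)
        if root is None:
            continue  # a "modem" name elsewhere in the registry is not counted
        # Check subkey components below the root and components of value names.
        for cand in [key[len(root):]] + names:
            for token in filter(None, cand.split("\\")):
                if any(fnmatch.fnmatchcase(token.lower(), p) for p in PATTERNS):
                    hits.add((key, token))
    return sorted(hits)

# Constructed exports for two hypothetical hosts (sample data, not real output).
SAMPLE = {
    "host-a": r'''
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM]
"\\Device\\Serial0"="COM1"
"\\Device\\Modem0"="COM3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS\TAPI DEVICES\ExampleModem]
''',
    "host-b": r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\Modem]
"Modem0"="unrelated"
''',
}
```

Because it applies only the two wildcards quoted in the thread, a driver whose key name neither ends in "odem" nor starts with "mode" is not reported.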