Penetration Testing mailing list archives

Re: [PEN-TEST] Modem detection without dialing
From: Michael Gough <msecure () SOFTCOM NET>
Date: Tue, 28 Nov 2000 06:37:36 -0700

I have a script for just these sorts of needs.  In NT you just need to look for the Registry Keys and can use the
"Reg Query" util from the Res Kit.  The key is hitting every system on your network, which I accomplish using a script
that hits every IP address that is live on a subnet.  I also place a marker file "modem.fnd" so I know I have been to
that machine and can easily look for the existence of the file for follow up.

I have a script if you're interested.


Mgough () softcom net
Email lists - msecure () softcom net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security is not a goal, it is a process, Security is not a product, it is a 
mindset.  Security is a never ending task.  If you think you are secure... 
just wait a few minutes until the next sploit is released.

-----Original Message-----
From:   Jason Sheffield [SMTP:jsheffield () AXENT COM]
Sent:   Monday, November 27, 2000 10:33 PM
To:     PEN-TEST () SECURITYFOCUS COM
Subject:        Re: [PEN-TEST] Modem detection without dialing

Yes, I work for a vendor, but this information should also be useful for
other auditing tools as well.  Normally this information should only be
gleaned through the use of a privileged account, host based auditing tool,
but due to the fact that not that many people will restrict the remote
access of the NT registry, a network based scanner or a quick Perl script
might also be able to pick up the below reg settings.

<VENDOR SPECIFIC INFO>
AXENT's Enterprise Security Manager (Host based auditing tool) has the
capability of finding files or registry settings on a platform that an ESM
agent is installed on.  The point of this being that you have to know the
location of said file or reg setting.  The below settings would be created
in a registry template, set as forbidden, and then added to a Policy to be
used for a scheduled Policy Run.  When the Policy run is completed, the
corresponding report will include all of the (in this case) NT servers that
have modems installed.
</VENDOR SPECIFIC INFO>

Under NT to find an installed modem in the registry:

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM] <- A Modem Value will be
defined here with the installed COM port.

[HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\LOADED SERIAL DRIVER RESOURCES] <- A
Modem Key with \Device\*modem Values defined within.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS\TAPI DEVICES] <- The Modem driver
will have a Key here.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\] <- The actual modem
device driver will be located here with a Key that looks like
"LEGACY_LTMODEM".

(Your Values will vary based on the actual modem driver used, so use wild
cards when looking for values such as "*odem", or "mode*".)

This can be applied to other platforms as well, NT just happens to be the
platform that I know the best.  This technique can also be used to find
trojans, virii, etc.  As long as the file location or registry setting is
known, the product can be set to look for it.

Regards,
Jason Sheffield
Systems Engineer
AXENT Technologies, Inc.
The Woodlands, Texas


-----Original Message-----
From: Blair, Glenn [mailto:glenn.blair () SCOTIABANK COM]
Sent: Monday, November 20, 2000 1:16 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Modem detection without dialing


I am wondering if there is a product which can detect the existence of a
modem, without the need for the modem to be connected?  Specifically, in a
LAN environment, can an administrator/pen tester identify a modem through the
network, rather than through the telephone network.

Any thoughts would be appreciated.



Glenn Blair

Sr. Security Specialist
888 Birchmount Rd 6th Floor
tel. (416) 285-2498
fax (416) 288-5055
glenn.blair () scotiabank com
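
An added example, not part of the original thread or any poster's script: the registry check Jason Sheffield describes, run as an audit over a text export of a host's registry. It assumes the export is in REGEDIT4 `.reg` format; the function names and the sample export are constructed for illustration, and only the four key paths, the `"*odem"`/`"mode*"` wildcards and `LEGACY_LTMODEM` come from the post.

```python
import fnmatch
import re

WATCHED = [  # registry locations named in the post
    r"HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM",
    r"HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\LOADED SERIAL DRIVER RESOURCES",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS\TAPI DEVICES",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root",
]
PATTERNS = ["*odem", "mode*"]  # wildcards suggested in the post
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')

def is_watched(key):
    k = key.upper()
    return any(k == w.upper() or k.startswith(w.upper() + "\\") for w in WATCHED)

def looks_like_modem(name):
    # Compare only the last path component, case-insensitively like the registry.
    leaf = name.rsplit("\\", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(leaf, p) for p in PATTERNS)

def find_modem_entries(export_text):
    """Return (key, value_name or None) for each modem-like key or value."""
    hits, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1) if is_watched(m.group(1)) else None
            if key and looks_like_modem(key):
                hits.append((key, None))  # a modem-like subkey
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
            if looks_like_modem(name):
                hits.append((key, name))
    return hits

# Constructed sample export; names other than LEGACY_LTMODEM are made up.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM]
"Serial0"="COM1"
"LTModem"="COM3"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LTMODEM]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Modem]
"Modem"="ignored, outside the watched keys"
'''
```

`find_modem_entries(SAMPLE_EXPORT)` reports the `LTModem` value under SERIALCOMM and the `LEGACY_LTMODEM` subkey, and skips the modem-named key that sits outside the four watched locations.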