Penetration Testing mailing list archives

Re: [PEN-TEST] War Dialers
From: Todd Beebe <todd () SECURELOGIX COM>
Date: Sun, 3 Sep 2000 13:09:32 -0500

Mark,

There still might be some confusion as to the purpose of TeleSweep Secure.

It is designed to test the vulnerability state of network devices which are
connected to the PSTN via modem.  Its primary purpose is not to test the
username/passwords of voicemail systems and/or PBXs.

Since we are not aware of any voicemail system and/or PBX that allows remote
network connectivity to an IP network, we have focused the TeleSweep Secure
functionality to test the security (username/password strength) of network
devices (routers, Unix servers, dialup systems, etc) that can be accessed
externally.

Since there are cases of customized login prompts, TeleSweep Secure allows
the user to add new system definitions, as well as new username/password
combinations that might be common to that organization.
ex: http://telesweepsecure.securelogix.com/solution.htm?solutionid=44

A lot of the network penetrations we have been involved in, or have read
published accounts of, had the intruder gain access through a poorly secured
dialup system.  If you are aware of some cases where the intruder gained
access to the internal corporate network through the PBX and/or voicemail
system could you please forward those to my attention?

Thanks.

Todd Beebe, CISSP


-----Original Message-----
From: Teicher, Mark [mailto:mark.teicher () NETWORKICE COM]
Sent: Sunday, September 03, 2000 9:42 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] War Dialers


I almost agree with Todd's points except that when a war dialer identifies
a phone number except for ISP PPP NAS devices, the username password module
may not work as planned since the prompt will be of a NAS device or a
customized login prompt, if so modified.

In a true PBX environment, most username/password schemes are made up of a
voicemail number (last 4 digits of a direct dial number for external
callers and last 3 digits for internal, depending on the phone system) and
password (usually a combination of numbers ranging from 1 (very bad) to
8 (limitation)).  On some of the newer phone systems that forward voicemail
to a person's email, real usernames can be used.

I have yet to find a war dialer that is capable of this type of
username/password grinding.

:)



At 08:46 PM 9/1/00 -0500, Todd Beebe wrote:
Toneloc is good for finding modems.  But, the value of the commercial
products (both TeleSweep Secure and PhoneSweep) is the username/password
guessing (read vulnerability testing).

Knowing you have 55 numbers that answer with a tone and knowing that you
have 55 numbers that answer with tone and have easily guessable
username/passwords are two different things.

The comparison in the IP world is running a port scanner and a
vulnerability scanner.  You can either receive a list of xxx number of
systems that MIGHT be running vulnerable services and xxx number of systems
that ARE running vulnerable systems.

If you use a war dialer or port scanner, someone will need to manually test
the target systems to find out if they need attention to fix the
vulnerabilities.


-----Original Message-----
From: Batten, Gerald [mailto:GBatten () EXOCOM COM]
Sent: Friday, September 01, 2000 12:30 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] War Dialers


I've used ToneLoc on several occasions, and it's worked perfectly for me.
It's even worked under NT using my pcmcia modem.  Who cares if it hasn't
been updated since 1994?  It tells me what numbers have a tone or not,
which ones have a busy signal, etc... that's all I need for an initial
recon of my client's phone system.  I usually take the list of detected
carriers and compare it to their phone list and see who owns the lines.

My .02c worth.

Gerald.

-----Original Message-----
From: Alfred Huger [mailto:ah () SECURITYFOCUS COM]
Sent: Friday, September 01, 2000 10:22 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: War Dialers


Hey Folks,

Anyone have any experience with commercial war dialing packages compared
to the free ones? In particular I am wondering about:

1. PhoneSweep
   url: http://www.securityfocus.com/products/280

Compared to:

2. ToneLoc (tools)
   url: http://www.securityfocus.com/tools/48


Alfred Huger
VP of Engineering
SecurityFocus.com


