Penetration Testing mailing list archives

Re: [PEN-TEST] War Dialers
From: Kurt Buff <kurtbuff () LIGHTMAIL COM>
Date: Sun, 3 Sep 2000 11:45:10 -0700

Respectfully, I suggest that you might want to expand your horizons a bit,

There are now several representatives in a new class of PBX, mostly aimed at
small businesses, that feature VOIP (voice over IP), network connectivity,
PSTN connectivity, and/or other neato features. Usually they also offer
either their own embedded HTTP server, or work with one already present on
the platform, and sometimes offer their own SMTP/POP3 server, and often
offer other things, such as integration with MS Exchange or other enterprise
mail platforms.

A good starting point for your research (if you're interested...) is:




The particular product I'm most familiar with is from Altigen:


It's a pretty good system, but I'd bet there are some vulnerabilities in it,
and in its competitors, also.

Cisco and 3Com offer systems, as does Sphere Communications (though I
haven't heard from them in a while), and a host of others.

As a special bonus, here's a (probably wrapped) URL for a book that looks


That having been said, I don't know of any PBXs that allow you to dial in
and use the PBX itself as a gateway to the network, although I'd bet that
someone has that feature either now or RSN.


-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf
Of Todd Beebe
Sent: Sunday, September 03, 2000 11:10
Subject: Re: War Dialers


There still might be some confusion as to the purpose of TeleSweep Secure.

It is designed to test the vulnerability state of network devices which are
connected to the PSTN via modem.  Its primary purpose is not to test the
username/passwords of voicemail systems and/or PBXs.

Since we are not aware of any voicemail system and/or PBX that allows remote
network connectivity to an IP network, we have focused the TeleSweep Secure
functionality to test the security (username/password strength) of network
devices (routers, Unix servers, dialup systems, etc) that can be accessed

Since there are cases of customized login prompts, TeleSweep Secure allows
the user to add new system definitions, as well as new username/password
combinations that might be common to that organization.
ex: http://telesweepsecure.securelogix.com/solution.htm?solutionid=44

A lot of the network penetrations we have been involved in, or have read
published accounts of, had the intruder gain access through a poorly secured
dialup system.  If you are aware of some cases where the intruder gained
access to the internal corporate network through the PBX and/or voicemail
system could you please forward those to my attention?


Todd Beebe, CISSP

-----Original Message-----
From: Teicher, Mark [mailto:mark.teicher () NETWORKICE COM]
Sent: Sunday, September 03, 2000 9:42 AM
Subject: Re: [PEN-TEST] War Dialers

I almost agree with Todd's points except that when a war dialer identifies
a phone number except for ISP PPP NAS devices, the username password module
may not work as planned since the prompt will be of a NAS device or
customized login prompt: if so modified.

In a true PBX environment, most username/password schemes are made up of a
voicemail number (last 4 digits of a direct dial number for external
callers and last 3 digits for internal, depending on the phone system) and
password (usually a combination of numbers ranging from 1 (very bad) to
8 (limitation)).  On some of the newer phone systems that forward voicemail
to a person's email, (real usernames can be used).

I have yet to find a war dialer that is capable of this type of
username/password grinding.

