Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Pen Testing a PBX (Northern Telecom Meridian-1)
From: womber <womber () gmail com>
Date: Thu, 8 Sep 2005 15:47:13 -0500

On 7 Sep 2005 16:00:48 -0000, mmarrero () lloydstsb-usa com 
<mmarrero () lloydstsb-usa com> wrote:

    >>Hello list,

    >>I am about to start a pentest of a PBX system. I was wondering
if there are any >>vulnerabilities against this make and model of PBX.
Also, does anyone know of a paper >>on how to appropriately conduct a
pentest. I do not want to miss anything.

Not really any know vulnerabilities, but it is susceptible for misconfiguration.
If they have any add-ons such as symposium, Meridian mail, Voip they
you will have more avenues to explore, for instance older symposium
systems have a client tool that has a default password of "password"
of all things. Find a pc on the network that is running it and start
there. An account with admin rights has everything you would want
available (call routing, trunk access codes, scripting, etc.) Get
admin access there and it is game over. Think along the lines of
routing an incoming 800 number to any number you would like, or more
malicious, all incoming calls to their biggest competitor.
The PBX itself is pretty tight no banners for login, 5 attempts and
you are locked out until the night process runs. The os is unlike most
anything else. Everything is done in "software loads" and the
documentation is pretty tough to navigate for even when you know what
you are looking for.
Meridian Mail is another better target if they use it. Lots of default
passwords and if not set up correctly can be manipulated to allow
calling out from the system. In other words hack a box and just dial
into it locally and dial out to wherever you want.
Knowledgeable Telco people are few and far between and the people
paying the bills are usually not the same so it often takes a long
time before anyone notices that one.

Check out tek-tips.com, they have a nortel meridian forum, google for
info on Bars/Nars (how call routing is handled), and search for the
old standby " please transfer me to extension 90" oldy but I still
come across systems that are mis-configured that it will work on.

Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]