Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Pentesting Telephone-Systems
From: Volker Tanger <vtlists () wyae de>
Date: Tue, 6 Sep 2005 23:26:47 +0200


On 6 Sep 2005 07:51:37 -0000
sebastian.michel () ctl-loeper de wrote:

I spended much time to get technical informations about pentesting
telephone systems, but with no success. 

Basically it is as with any other pentesting. 

But the customer especially here is better off with a whitebox analysis
as pentesting usually is bound to break something. A bad idea for
telephony systems that are expected to show five-9 and more of

Where are security-flaws, 


Okay, basically the risks are:
        - fee fraud
        - eavesdropping (live and box)
        - impersonation (live and box)
        - availability/reliablility

The most common risks include
        - most user using default password 
          (usually "0000" or extension number)
        - too many, too risky/"intelligent" features active 
          (and changable for the end user)
        - unprotected trunk access
        - weak proection of admin access (modem)
        - "hung" sessions eating away channels and money

what methods are know to work

Be creative!  Usually more attacks work than you might expect even on
well administrated systems. TK systems are still thought of as cables
and relais, so even old school attacks surprisingly often work on TK
systems. The more computer based stuff the system has the better for 
the attacker - usually.

which tools are already available 

First and foremost: your brain, your imagination.

System/user documentation.

Wardialing, if necessary. Usually only finds few unknown systems, but
sometimes you hit it right on the spot. Best finds for me: INAX console
(phone+data line controller) or the "unused" video conference system of
the CEO that silently answered calls...

I heard that manufacturer are obligated to build in a backdoor for
secret services in their products. Is this right?

No. But most (enterprise) TK systems feature a "supervisor" mode where a
trainer/supervisor/agency can hook-on to a running session. The law
requiring agency taps only affects telephony providers (at least in

But I have encountered systems where there actually is a backdoor (e.g.
predefined password to gain admin access) built-in by the manufacturer.




Volker Tanger    http://www.wyae.de/volker.tanger/
vtlists () wyae de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB

Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]