Penetration Testing mailing list archives
Re: [PEN-TEST] PBX Security
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Wed, 4 Oct 2000 10:44:00 -0500
I've only audited Meridian systems... but from my experience... you can get some pretty good information to start with. This is how I got the info I did:

1) Got installation manuals for the whole system.
2) Got copies of the System Coordinator Guides. For a Meridian Norstar PBX, these books are called "Norstar Modular DR5 System Coordinator Guide", "Norstar Modular DR5 Installer Guide", and I got the Installation Guide for the voice-mail system (which happened to be StarTalk Flash). I know I've seen a DR5.1 of these same manuals...

I then called up a company that installs the systems, and acted like I was interested. Yes, this is social engineering a third party, but it was necessary for what I was doing. I asked to talk specifically to one of their installation and troubleshooting engineers because "one of my guys had some really technical questions". I took him out to lunch, drank some beer, and in the end, I got him to give me photocopies of some "undocumented" feature codes, including one which can reset the administrator PIN.

I learned the default passwords for the PBX, and a whole ton of feature codes just from reading the manuals. With all the resources I got, any Meridian Norstar PBX is 100% open to me.

It's unfair to use a known back-door when pen-testing. The back-door on Norstar is pretty hard to stumble across, but it is nice to know the default passcodes, and test for things like that.

Good luck!

-----Original Message-----
From: Joe Traietta [mailto:JTraietta () ASAHIBANKNY COM]
Sent: Wednesday, October 04, 2000 9:07 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: PBX Security

I have been asked to perform a security review on the PBX system (NEC NEAX 2000 IVS) at my company. I have virtually no PBX experience, so I was hoping somebody could point me to a good resource, or pass along some personal experience about reviewing / auditing a PBX system.

Thank you.

Joseph Traietta
Data Security Officer
Asahi Bank, New York Branch