Penetration Testing mailing list archives
Re: Pen Testing a PBX (Northern Telecom Meridian-1)
From: womber <womber () gmail com>
Date: Thu, 8 Sep 2005 15:47:13 -0500
On 7 Sep 2005 16:00:48 -0000, mmarrero () lloydstsb-usa com <mmarrero () lloydstsb-usa com> wrote:
>>Hello list,
>>I am about to start a pentest of a PBX system. I was wondering if there are any
>>vulnerabilities against this make and model of PBX. Also, does anyone know of a paper
>>on how to appropriately conduct a pentest? I do not want to miss anything.

Not really any known vulnerabilities, but it is susceptible to misconfiguration. If they have any add-ons such as Symposium, Meridian Mail, VoIP then you will have more avenues to explore; for instance, older Symposium systems have a client tool that has a default password of "password" of all things. Find a PC on the network that is running it and start there. An account with admin rights has everything you would want available (call routing, trunk access codes, scripting, etc.). Get admin access there and it is game over. Think along the lines of routing an incoming 800 number to any number you would like, or more malicious, all incoming calls to their biggest competitor.

The PBX itself is pretty tight: no banners for login, 5 attempts and you are locked out until the night process runs. The OS is unlike most anything else. Everything is done in "software loads" and the documentation is pretty tough to navigate even when you know what you are looking for.

Meridian Mail is another better target if they use it. Lots of default passwords and if not set up correctly can be manipulated to allow calling out from the system. In other words hack a box and just dial into it locally and dial out to wherever you want. Knowledgeable telco people are few and far between and the people paying the bills are usually not the same so it often takes a long time before anyone notices that one.

Check out tek-tips.com, they have a Nortel Meridian forum, google for info on Bars/Nars (how call routing is handled), and search for the old standby "please transfer me to extension 90", oldie but I still come across systems that are misconfigured that it will work on.

Womber