Penetration Testing mailing list archives
Re: Pentesting Telephone-Systems
From: Volker Tanger <vtlists () wyae de>
Date: Tue, 6 Sep 2005 23:26:47 +0200
Greetings! On 6 Sep 2005 07:51:37 -0000 sebastian.michel () ctl-loeper de wrote:
> I spent much time trying to get technical information about pentesting telephone systems, but with no success.
Basically it is as with any other pentesting. But the customer especially here is better off with a whitebox analysis as pentesting usually is bound to break something. A bad idea for telephony systems that are expected to show five-9 and more of reliability...
> Where are security-flaws,
Everywhere. ;-) Okay, basically the risks are:
- fee fraud
- eavesdropping (live and box)
- impersonation (live and box)
- availability/reliability
The most common risks include
- most users using the default password (usually "0000" or extension number)
- too many, too risky/"intelligent" features active (and changeable for the end user)
- unprotected trunk access
- weak protection of admin access (modem)
- "hung" sessions eating away channels and money
> what methods are known to work
Be creative! Usually more attacks work than you might expect even on well administrated systems. TK systems are still thought of as cables and relays, so even old school attacks surprisingly often work on TK systems. The more computer based stuff the system has the better for the attacker - usually.
> which tools are already available
First and foremost: your brain, your imagination. System/user documentation. Wardialing, if necessary. Usually only finds few unknown systems, but sometimes you hit it right on the spot. Best finds for me: INAX console (phone+data line controller) or the "unused" video conference system of the CEO that silently answered calls...
> I heard that manufacturers are obligated to build in a backdoor for secret services in their products. Is this right?
No. But most (enterprise) TK systems feature a "supervisor" mode where a trainer/supervisor/agency can hook-on to a running session. The law requiring agency taps only affects telephony providers (at least in Germany). But I have encountered systems where there actually is a backdoor (e.g. predefined password to gain admin access) built-in by the manufacturer.

Bye

Volker

--
Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de    PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
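The default-password item in the reply above is something a whitebox review can check directly against an exported user table. The following is an added example, not part of the original post: the CSV layout, the column names and the minimum length are assumptions, the sample rows are constructed, and the repeated-digit and sequential-digit rules go beyond the two defaults the post names.

```python
import csv
import io

# Constructed sample export; column names are assumptions, not a vendor format.
SAMPLE_EXPORT = """extension,password
2101,0000
2102,2102
2103,7777
2104,4567
2105,839
2106,5829
2107,9876
"""

MIN_LENGTH = 4  # assumed local policy minimum


def password_findings(extension: str, password: str) -> list[str]:
    """Return the reasons a user password counts as default or guessable."""
    reasons = []
    if password == "0000":
        reasons.append("factory default 0000")
    if password == extension:
        reasons.append("same as extension")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than policy minimum")
    if len(password) > 1 and len(set(password)) == 1 and password != "0000":
        reasons.append("single repeated digit")
    if len(password) > 2 and password.isdigit():
        # Digit-to-digit differences: all +1 or all -1 means a run like 4567.
        steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
        if steps in ({1}, {-1}):
            reasons.append("sequential digits")
    return reasons


def audit(export_text: str) -> dict[str, list[str]]:
    """Map each extension with a weak password to its list of findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        ext, pw = row["extension"].strip(), row["password"].strip()
        found = password_findings(ext, pw)
        if found:
            report[ext] = found
    return report


if __name__ == "__main__":
    for ext, found in audit(SAMPLE_EXPORT).items():
        print(f"{ext}: {', '.join(found)}")
```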