Penetration Testing mailing list archives
Re: [PEN-TEST] Modem detection without dialing
From: Jason Sheffield <jsheffield () AXENT COM>
Date: Tue, 28 Nov 2000 00:33:17 -0500
Yes, I work for a vendor, but this information should also be useful for other auditing tools as well. Normally this information should only be gleaned through the use of a privileged account, host based auditing tool, but due to the fact that not that many people will restrict the remote access of the NT registry, a network based scanner or a quick Perl script might also be able to pick up the below reg settings. <VENDOR SPECIFIC INFO> AXENT's Enterprise Security Manager (Host based auditing tool) has the capability of finding files or registry settings on a platform that an ESM agent is installed on. The point of this being that you have to know the location of said file or reg setting. The below settings would be created in a registry template, set as forbidden, and then added to a Policy to be used for a scheduled Policy Run. When the Policy run is completed, the corresponding report will include all of the (in this case) NT servers that have modems installed. </VENDOR SPECIFIC INFO> Under NT to find an installed modem in the registry: [HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM] <- A Modem Value will be defined here with the installed COM port. [HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\LOADED SERIAL DRIVER RESOURCES] <- A Modem Key with \Device\*modem Values defined within. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS\TAPI DEVICES] <- The Modem driver will have a Key here. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\] <- The actual modem device driver will be located here with a Key that looks like "LEGACY_LTMODEM". (Your Values will vary based on the actual modem driver used, so use wild cards when looking for values such as "*odem", or "mode*". This can be applied to other platforms as well, NT just happens to be the platform that I know the best. This technique can also be used to find trojans, virii, etc. As long as the file location or registry setting is known, the product can be set to look for it. Regards, Jason Sheffield Systems Engineer AXENT Technologies, Inc. The Woodlands, Texas -----Original Message----- From: Blair, Glenn [mailto:glenn.blair () SCOTIABANK COM] Sent: Monday, November 20, 2000 1:16 PM To: PEN-TEST () SECURITYFOCUS COM Subject: Modem detection without dialing I am wondered if there is a product which can detect the existence of a modem, without the need for the modem to be connected ?. Specifically, in a LAN environment, can an administrator/pen tester identify a modem through the network, rather than through the telephone network. Any thoughts would be appreciated. Glenn Blair Sr. Security Specialist 888 Birchmount Rd 6th Floor tel. (416) 285-2498 fax (416) 288-5055 glenn.blair () scotiabank com
Current thread:
- Re: [PEN-TEST] Modem detection without dialing, (continued)
- Re: [PEN-TEST] Modem detection without dialing Eric (Nov 22)
- Re: [PEN-TEST] Modem detection without dialing Mark Curphey (Nov 22)
- Re: [PEN-TEST] Modem detection without dialing Rietveld, Peter (Nov 22)
- Re: [PEN-TEST] Modem detection without dialing Brooke, O'neil (EXP) (Nov 22)
- Re: [PEN-TEST] Modem detection without dialing Ng, Kenneth (US) (Nov 22)
- Re: [PEN-TEST] Modem detection without dialing Ben Ford (Nov 22)
- [PEN-TEST] WAP penetration TEST Roberto Poblete (Nov 23)
- Re: [PEN-TEST] WAP penetration TEST Jim Ovecka (Nov 23)
- Re: [PEN-TEST] WAP penetration TEST Drew Simonis (Nov 23)
- Re: [PEN-TEST] WAP penetration TEST Van der Zanden (Nov 23)
- [PEN-TEST] WAP penetration TEST Roberto Poblete (Nov 23)
- Re: [PEN-TEST] Modem detection without dialing Jason Sheffield (Nov 28)
- Re: [PEN-TEST] Modem detection without dialing Michael Gough (Nov 29)