Penetration Testing mailing list archives

[PEN-TEST] OT - How secure is an ISDN line?


From: Dave Cowen <dcowen () ENSTAR COM>
Date: Fri, 20 Oct 2000 15:46:17 -0500

Ok,
   This all breaks down to something that most people seem to have removed
themselves from. When you are talking about sniffing any type of data/voice
communications line, you are talking about its physical existence: the
medium that runs between the two termination points. So when you talk about
sniffing a PSTN/ISDN/PRI/T-#/OC-# line you can be talking about multiple
things. I will try to address them here.

PSTN (I say PSTN, but what I mean is the actual phone line that terminates
at a location, not the entire network itself) - The actual physical base RF
medium and the signal therein. When most people say they are trying to
/sniff/ a PSTN connection that is actually a voice connection, then you are
actually going to be tapping the line (see the previous discussion on data
center wiring). You have to have physical access to the medium between the
end user and the termination of the local loop, before it hits a point where
it goes digital (multiplexed) or the CO itself (straight copper such as
DSL). Because of this you need to examine your target and decide at which
point the weak link lies. Obviously, since we are talking about this on a
LEGAL basis, it is very hard to get a client (unless they are huge) to get
the permission of a phone company to allow a penetration tester to have
access to the lines they control (everything after the demarc point - and
yes, I've had this approval, but only once). So usually your focus will be
at the client side, between the end user, the PBX and the demarc itself.
Since most PBX systems today take PRI connections, you are really looking at
the copper between the end user and the PBX these days. If you are
consolidating your efforts on a single user with no type of private exchange
system in between, then you most likely will have to insert some type of tap
into the copper to pick up the signal itself (a bed of nails is my preferred
method; it pierces the sheath without actually splicing the line, and thus
without loss of service).
        
        So, once you have identified your target, and you know what type of
signal is being sent down the line (some newer PBX systems have digital
handsets that have a separate control channel to handle most call signaling
functions within them), you then take the output of your tap to a piece of
equipment that can handle it. In the case of a standard copper analog
connection you can just plug that into a speaker and record the waveform
directly from the line itself. If there is some sort of data communication
going over the line in a modem fashion, then the hardest thing to do is to
actually stay in sync with the two connections. From what I've been told,
you should attempt to passively sync with the initial negotiation (see
dialup) to be able to accurately capture the data within. You have to be
passive, or be able to replay the signal back to a passive device, because a
standard modem will attempt to sync itself to the connection, which will
break the session (this is point-to-point, not point-to-multipoint, which is
a separate discussion usually reserved for wireless communication). Once you
have done this you can replay or monitor this session.
        
        A popular technique that has been documented as used in the wild
requires no physical access. You simply get the target's data number
forwarded to the machine of your choice that has two modems. The first modem
takes the call from the user, while the second modem then actually connects
to the target system, allowing you to monitor/inject/take over the link at
any time, since you control the point in between. If the question of what
happens to additional calls comes up, then you activate the "call forwarding
when busy" feature that is available from most telcos.

ISDN/PRI - ISDN, while having the same copper medium as its brethren, has no
other real similarities after that point. ISDN and its big brother PRI share
a common signaling system. Both ISDN and PRI have a channel actually set
aside for signaling information, one out of their 3 (ISDN) or 24 (PRI)
channels, and the rest of the channels (two 64k bearer channels for ISDN, 23
64k bearer channels for PRI) are used for creating point-to-point
connections that can be bonded together for larger amounts of data. All of
the information sent over this line is actually digital, so you cannot put a
standard tap on this and expect to hear anything. Also, all of these
channels exist within the same physical medium; there is not a separate pair
for each channel, and calls are assigned to free channels as necessary
unless you specify otherwise to the switch. The signaling channel itself is
worthy of a discussion of its own and has been a focus of my research for
some years, but if you want to just hear or capture the modulated data that
is sent over bearer lines then you can get an older analog 'TBIRD', which is
a piece of telecom diagnostic equipment. The older TBIRDs have the ability
to put each channel back into an analog form for monitoring, while the newer
TBIRDs are all digital and are made to test and verify channels rather than
monitor them (at least the models that I have seen). If you want to do
anything further within the ISDN/PRI environment you need to get a passive
terminal adapter (Motorola makes one that I'm familiar with) and a layer 1-3
stack emulator (I can provide companies if needed) to interact either with
the switch or the end user TA. There is a lot of untested theory and
functionality in ISDN-based attacks that I will not go into, as they are
unproven, unless requested.

        So at this point the only weak point for a LEGAL (without telco
approval) target would be the area between the NT-1 of the customer premises
equipment and the smartjack demarc that it connects to.

T-# - T-1, T-3, etc. Any of the time-based multiplexing systems have two
layers you have to peel through before you can reconstruct the data streams
within. The first is the time-based division multiplexing that takes place
on the overall stream, which has to be synced with to bring out separate
streams of data. The second layer is the encoding layer (usually ESF, B8ZS,
etc.) that actually encodes the framing within the multiplexed traffic and
allows the actual data within to be seen. T-1s can be used for voice (when
channelized) or data, so the type of output at the end of the stripping
should reveal the source media.

        Here once again the vulnerable LEGAL area is between the CSU/DSU
(basically a multiplexor) and the smartjack.

OC-# - OC-1, 2-48, etc. Any fiber optic medium is going to require you to
split the fiber itself at some point and redirect the signal into a third
party tap. From there you will once again have to reconstruct the data
stream from the multiplexed/frame-encapsulated data within; this applies to
almost any type of carrier.

        Optical circuits are usually privately owned, and since telcos
rarely use them to run to a demarc, if you are seeing one that is customer
operated you have free range to plug in at any point.

Dave Cowen, CISSP
Security Services Manager
Enstar
http://www.enstar.com
Tel: 972-929-5267
Fax: 972-915-6969
Email: dcowen () enstar com
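The T-# section above mentions an "encoding layer (usually ESF, B8ZS)" that has to be stripped before any payload is visible. As an added illustration, not code from Dave Cowen's post, the Python below models B8ZS zero substitution and its inverse on constructed bit patterns, showing why a raw T-1 symbol stream carries no readable data until a CSU/DSU undoes that layer, and how a receiver can reject a stray bipolar violation.

```python
"""B8ZS line coding: the 'encoding layer' of a T-1 that a CSU/DSU undoes.
AMI sends a 1 as a pulse of alternating polarity and a 0 as no pulse. B8ZS
replaces 8 consecutive zeros with 000VB0VB (V = bipolar violation, same
polarity as the previous pulse; B = normal alternating pulse). Violations
never occur in valid AMI, so a receiver can recognise and reverse them."""

def _subst(last):
    # 000VB0VB relative to the polarity `last` of the most recent pulse; the
    # block ends with a pulse of polarity `last`, so the state is unchanged.
    return [0, 0, 0, last, -last, 0, -last, last]

def b8zs_encode(bits):
    """Map a list of data bits to line symbols (+1, -1, 0) with B8ZS."""
    out, last, i = [], -1, 0          # last=-1 makes the first mark a +1
    while i < len(bits):
        if bits[i:i + 8] == [0] * 8:
            out += _subst(last)       # substitute the 8-zero run
            i += 8
        else:
            if bits[i]:
                last = -last          # ordinary AMI mark: alternate polarity
            out.append(last if bits[i] else 0)
            i += 1
    return out

def b8zs_decode(symbols):
    """Recover data bits from line symbols; reject stray bipolar violations."""
    bits, last, i = [], -1, 0
    while i < len(symbols):
        if symbols[i:i + 8] == _subst(last):
            bits += [0] * 8           # substitution block: eight real zeros
            i += 8
        elif symbols[i] == 0:
            bits.append(0)
            i += 1
        else:
            if symbols[i] != -last:   # a mark outside 000VB0VB must alternate
                raise ValueError(f"bipolar violation at symbol {i}")
            last = symbols[i]
            bits.append(1)
            i += 1
    return bits

def longest_zero_run(symbols):
    """Longest run of no-pulse symbols; B8ZS keeps this under 8."""
    best = run = 0
    for s in symbols:
        run = run + 1 if s == 0 else 0
        best = max(best, run)
    return best
```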


-----Original Message-----
From: Kris Carlier [mailto:root () IGUANA BE]
Sent: Thursday, October 19, 2000 2:58 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: OT - How secure is an ISDN line?


Hi(gh, though down under) Clem,

just a reflection. How easy/difficult is it to actually sniff a PSTN or
ISDN line? Cfr. RAS, where you can use DES to encrypt the datastream
(provided you choose MSCHAP for your connection).

I'm like: sure, looks cool, but OTOH, sniffing a network is easy enough.
Sniffing a PSTN line requires more - I presume - than your average network
card or modem? Or am I totally de-synchronized on this?

In the ISDN case, more specifically, isn't it so that, as opposed to PSTN,
if you get an error on an ISDN line, the connection will drop? So the
sniffer should be pretty silent.

I'm not talking/asking about the telco people, of course. How do you sniff
a phone line? Van Eck monitoring probably ain't the right direction? ;-)

kr=, wondering

                   \\\___///
                  \\  - -  //
                   (  @ @  )
 +---------------oOOo-(_)-oOOo-------------+
 |        kris carlier - kris () iguana be    |
 | Hiroshima 45, Tsjernobyl 86, Windows 95 |
 | Linux, the choice of a GNU gener8ion    |
 | KC62-RIPE          SMS: +32-75-61.43.05 |
 +------------------------Oooo-------------+
                  oooO   (   )
                 (   )    ) /
                  \ (    (_/
                   \_)

