Penetration Testing mailing list archives

Re: [PEN-TEST] War Dialers


From: Kurt Buff <kurtbuff () LIGHTMAIL COM>
Date: Sun, 3 Sep 2000 11:45:10 -0700

Respectfully, I suggest that you might want to expand your horizons a bit,
then.

There are now several representatives in a new class of PBX, mostly aimed at
small businesses, that feature VOIP (voice over IP), network connectivity,
PSTN connectivity, and/or other neato features. Usually they also offer
either their own embedded HTTP server, or work with one already present on
the platform, and sometimes offer their own SMTP/POP3 server, and often
offer other things, such as integration with MS Exchange or other enterprise
mail platforms.

A good starting point for your research (if you're interested...) is:

http://www.commweb.com

or

http://www.computertelephony.com/

The particular product I'm most familiar with is from Altigen:

http://www.altigen.com

It's a pretty good system, but I'd bet there are some vulnerabilities in it,
and in its competitors, also.

Cisco and 3Com offer systems, as does Sphere Communications (though I
haven't heard from them in a while), and a host of others.

As a special bonus, here's a (probably wrapped) URL for a book that looks
interesting:

http://www.telecombooks.com/scripts/store/vsc/store/products/3401.htm?L+/htdocs/ctstore/config/store+cgqh3365


That having been said, I don't know of any PBXs that allow you to dial in
and use the PBX itself as a gateway to the network, although I'd bet that
someone has that feature either now or RSN.

Kurt

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Todd Beebe
Sent: Sunday, September 03, 2000 11:10
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: War Dialers


Mark,

There still might be some confusion as to the purpose of TeleSweep Secure.

It is designed to test the vulnerability state of network devices which are
connected to the PSTN via modem.  Its primary purpose is not to test the
username/passwords of voicemail systems and/or PBXs.

Since we are not aware of any voicemail system and/or PBX that allows remote
network connectivity to an IP network, we have focused the TeleSweep Secure
functionality to test the security (username/password strength) of network
devices (routers, Unix servers, dialup systems, etc) that can be accessed
externally.

Since there are cases of customized login prompts, TeleSweep Secure allows
the user to add new system definitions, as well as new username/password
combinations that might be common to that organization.
ex: http://telesweepsecure.securelogix.com/solution.htm?solutionid=44

A lot of the network penetrations we have been involved in, or have read
published accounts of, had the intruder gain access through a poorly secured
dialup system.  If you are aware of some cases where the intruder gained
access to the internal corporate network through the PBX and/or voicemail
system could you please forward those to my attention?

Thanks.

Todd Beebe, CISSP


-----Original Message-----
From: Teicher, Mark [mailto:mark.teicher () NETWORKICE COM]
Sent: Sunday, September 03, 2000 9:42 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] War Dialers


I almost agree with Todd's points, except that when a war dialer identifies
a phone number, except for ISP PPP NAS devices, the username/password module
may not work as planned, since the prompt will be that of a NAS device or a
customized login prompt, if so modified.

In a true PBX environment, most username/password schemes are made up of a
voicemail number (last 4 digits of a direct dial number for external
callers and last 3 digits for internal, depending on the phone system) and
password (usually a combination of numbers ranging from 1 (very bad) to
8 (limitation)).  On some of the newer phone systems that forward voicemail
to a person's email, real usernames can be used.

I have yet to find a war dialer that is capable of this type of
username/password grinding.

:)

