Re: [PEN-TEST] War Dialers

["Teicher, Mark" <mark.teicher () NETWORKICE COM>]

Todd,

There are several Voicemail systems on the market that allow network
connectivity to an IP network.  Terranova phone system recently acquired by
Lucent..  Now the Lucent DSA.  The newer phone switches are TCP/IP based.  .

I am not confused at all on the purpose of TeleSweep Secure, but as I said
before, the war dialers of today are not yet up to speed of the newer phone
switches.

In the point of VoIP, where a NAS device combined with a Unix server can be
utilized as a PBX (Active Voice) lots of system definitions have to be
added to account for the various bells and whistles that this type of PBX
can possibly have.

In the cases of a voicemail system, on the earlier releases of the
AT&T  phone switch, connected to the network via TCP/IP for Administrator
console, but gain access via the phone tree, setup a Out of Band direct
dial number, access it through a modem , and voila,

"Welcome to Ernst & Young".. Oh sorry.. :)

/mark

At 01:09 PM 9/3/00 -0500, Todd Beebe wrote:
> Mark,
>
> there still might be some confusion to the purpose of TeleSweep Secure.
>
> It is designed to test the vulnerability state of network devices which are
> connected to the PSTN via modem.  Its primary purpose is not to test the
> username/passwords of voicemail systems and/or PBXs.
>
> Since we are not aware of any voicemail system and/or PBX that allows remote
> network connectivity to an IP network, we have focused the TeleSweep Secure
> functionality to test the security (username/password strength) of network
> devices (routers, Unix servers, dialup systems, etc) that can be accessed
> externally.
>
> Since there are cases of customized login prompts, TeleSweep Secure allows
> the user to add new system definitions, as well as new username/password
> combinations that might be common to that organization.
> ex: http://telesweepsecure.securelogix.com/solution.htm?solutionid=44
>
> Alot of the network penetrations we have been involved in, or have read
> published accounts of, had the intruder gain access through a poorly secured
> dialup system.  If you are aware of some cases where the intruder gained
> access to the internal corporate network through the PBX and/or voicemail
> system could you please forward those to my attention?
>
> Thanks.
>
> Todd Beebe, CISSP
>
>
> -----Original Message-----
> From: Teicher, Mark [mailto:mark.teicher () NETWORKICE COM]
> Sent: Sunday, September 03, 2000 9:42 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] War Dialers
>
>
> I almost agree with Todd's points except that when a war dialer identifies
> a phone number except for ISP PPP NAS devices, the username password module
> may not work as planned since the prompt will be of NAS device or
> customized login prompt: if so modified.
>
> In a true PBX environment, most username/password schemes are made up a
> voicemail number (last 4 digits of a direct dial number for external
> callers and last 3 digits for internal, depending on the phone system ) and
> password (usually a combination of numbers ranging from 1 (very bad) to
> 8(limitation).  On some of the newer phone systems that forward voicemail
> to a person's email, (real usernames can be used).
>
> I have yet to find a war dialer that is capable of this type of
> username/password grinding.
>
> :)
>
>
>
> At 08:46 PM 9/1/00 -0500, Todd Beebe wrote:
> >Toneloc is good for finding modems.  But, the value of the commercial
> >products (both TeleSweep Secure and PhoneSweep) is the username/password
> >guessing (read vulnerability testing).
> >
> >Knowing you have 55 numbers that answer with a tone and knowing that you
> >have 55 numbers that answer with tone and have easily guessable
> >username/passwords are two different things.
> >
> >The comparison in the IP world is running a port scanner and a
> vulnerability
> >scanner.  You can either receive a list of xxx number of systems that MIGHT
> >be running vulnerable services and xxx number of systems that ARE running
> >vulnerable systems.
> >
> >If you use a war dialer or port scanner, someone will need to manually test
> >the target systems to find out if they need attention to fix the
> >vulnerabilities.
> >
> >
> >-----Original Message-----
> >From: Batten, Gerald [mailto:GBatten () EXOCOM COM]
> >Sent: Friday, September 01, 2000 12:30 PM
> >To: PEN-TEST () SECURITYFOCUS COM
> >Subject: Re: [PEN-TEST] War Dialers
> >
> >
> >I've used ToneLoc on several occasions, and it's worked perfectly for me.
> >It's even worked under NT using my pcmcia modem.  Who cares if it hasn't
> >been updated since 1994?  It tells me what numbers have a tone or not,
> which
> >ones have a busy signal, etc... that's all I need for an initial recon of
> my
> >client's phone system.  I usually take the list of detected carriers and
> >compare it to their phone list and see who owns the lines.
> >
> >My .02c worth.
> >
> >Gerald.
> >
> > > -----Original Message-----
> > > From: Alfred Huger [mailto:ah () SECURITYFOCUS COM]
> > > Sent: Friday, September 01, 2000 10:22 AM
> > > To: PEN-TEST () SECURITYFOCUS COM
> > > Subject: War Dialers
> > >
> > >
> > > Hey Folks,
> > >
> > > Anyone have any experiance with commercial war dialing
> > > packages compared
> > > to the free ones? In particular I am wondering about:
> > >
> > > 1. PhoneSweep
> > >    url: http://www.securityfocus.com/products/280
> > >
> > > Compared to:
> > >
> > > 2. ToneLoc (tools)
> > >    url: http://www.securityfocus.com/tools/48
> > >
> > >
> > > Alfred Huger
> > > VP of Engineering
> > > SecurityFocus.com
> > >