Re: [PEN-TEST] War Dialers (and acoustic couplers)

["Dunker, Noah" <NDunker () FISHNETSECURITY COM>]

I just use my trusty acoustic coupler for most tasks like this.  Some
digital systems will still accept DTMF over the handset, so a coupler
works fine.  Automated scans using a wardialer are impossible or really
hard using this method, as the digital phone doesn't know the status of
the modem's hook, ergo never hangs up and gives a fresh dial tone.  I
know one particular person who uses an acoustic coupler with ToneLoc on
a digital PBX, and just manually depress and release the hook.  Very
inefficient, but it works for him.

As a COMPLETE side-note
I wrote a nice article on how to build an el-cheapo coupler that will
give you about 2400 bps because of a complete lack of echo and noise
cancellation.  You can buy a Telecoupler II for $150, and it advertises
33.6k (and it works that fast on a good fone line), but it can't do more
than 2400 on a payphone, so IMHO, just build your own.  =P

http://hir.chewies.net/articles/hir9/hir9-5.txt



-----Original Message-----
From: Todd Beebe [mailto:todd () SECURELOGIX COM]
Sent: Tuesday, September 05, 2000 11:23 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: War Dialers


Gerald,

how do you clients handle outbound modem calls on digital phone lines (using
convertors such as Linestein) or outbound modem calls on analog fax lines?


-----Original Message-----
From: Batten, Gerald [mailto:GBatten () EXOCOM COM]
Sent: Tuesday, September 05, 2000 8:08 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] War Dialers


I agree, in an environment where dial-up modems are allowed, you need proper
penetration testing.  Most of my clients don't allow dial-up lines at all,
except for faxes, which is why ToneLoc is perfect for what I need to do.  If
the list of numbers don't match the list of known fax machines, we just
track down the offending line and cut it.  Most of my clients will just give
me their admin passwords for their dial-ups (after I've signed about a
million legal contracts), and I compare that to their password rules within
their policy.  It's more cost-effective for my client to just give me their
passwords than for me to try to guess the dial-up ones.  I'll do a brute
force on the network accounts, but not the dial-ups.

Just my 2c. worth.

Gerald.

> -----Todd's Message-----
> From: Todd Beebe [mailto:todd () SECURELOGIX COM]
> Sent: Friday, September 01, 2000 7:47 PM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: War Dialers
>
>
> Toneloc is good for finding modems.  But, the value of the commercial
> products (both TeleSweep Secure and PhoneSweep) is the
> username/password
> guessing (read vulnerability testing).
>
> Knowing you have 55 numbers that answer with a tone and
> knowing that you
> have 55 numbers that answer with tone and have easily guessable
> username/passwords are two different things.
>
> The comparison in the IP world is running a port scanner and
> a vulnerability
> scanner.  You can either receive a list of xxx number of
> systems that MIGHT
> be running vulnerable services and xxx number of systems that
> ARE running
> vulnerable systems.
>
> If you use a war dialer or port scanner, someone will need to
> manually test
> the target systems to find out if they need attention to fix the
> vulnerabilities.
>
>
> > Compared to:
> >
> > 2. ToneLoc (tools)
> >    url: http://www.securityfocus.com/tools/48
> >
> >
> > Alfred Huger
> > VP of Engineering
> > SecurityFocus.com