Penetration Testing mailing list archives

FW: RE Modem identification


From: Stephan Barnes <stephan.barnes () foundstone com>
Date: Sat, 22 Sep 2001 08:39:01 -0700

Yes,

The age old question of correctly identifying the system
when war-dialing.  Reliance is placed upon ASCII characters 
in the banners. (Unless you are into war-dialing, ignore this
response which is a tad lengthy)

Here are two examples of readable text.

1 sample for a system that is known to be a Shiva Lan Rover
(@Userid)

1 sample of AIX where it is not hard to guess at all what the 
system is (unless the banner is a decoy; 
which is very rarely seen in the modem world)

(Shiva)
------------------------------------------------------------
30-Jun-XX 16:40:13 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/

@Userid: 
@Userid: 
------------------------------------------------------------
(AIX)
------------------------------------------------------------
30-Jun-XX 17:20:14 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM

AIX Version 4
(C) Copyrights by IBM and by others 1982, 1994.
login: 
------------------------------------------------------------

Then there are extended ASCII character identification issues 
that in many cases can be rectified through parity and stop bit 
changes:

Say the return in the banner looks like this:

30-Jun-XX 17:20:15 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM 
 The password is incorrect.

Dialing back with any software like ProcommPlus and changing 
the parity from 8-N-1 to E-7-1 in many cases resolves the 
extended ASCII characters into something more readable.

Then there are extended ASCII character identification
issues of this magnitude, which sounds mostly like the problem
the original poster has encountered:

Say the return in the banner looks like this:

30-Jun-XX 17:20:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
   xx|x  

Or this:

30-Jun-XX 17:20:17 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM


From just looking at these, positive identification would be 
very tough to do because that string doesn't give you much 
indication of what type of system it is. There are extended 
ASCII characters in the mix.  Hence you have to rely upon 
experience and if you use a commercial war dialer you have 
to rely upon that war-dialers' database of strings and 
systems table to match up against what the modem is sending 
back.
  
Regardless of TeleSweep or PhoneSweep it is an ASCII text 
banner match issue.  In our tests the jury is still out but 
I would tend to agree with Nate that PhoneSweep might be 
doing a better job of classifying the modems that were found 
than TeleSweep as of late; most recent release against most 
recent release.  Run your own drag race and see.

The commercial war dialing tool makers ask the "community" 
(we know, we've been asked countless times) for more banners 
and positive identification of modems because some of their 
databases are not growing; they're stale.  305 systems is not 
bad, however I would point out that in many cases you'll 
see that there are 10-15 of those 350 that are the majority 
of systems running out there on modems today and that the 
rest have gone the way of the dinosaur and are rarely found 
(In general).

We've seen the commercial tools miss simple stuff like the 
@Userid banner and not be able to identify it as Shiva.  
We've even seen them miss simple stuff like the AIX banner.  
That is frustrating when that happens because the match is 
not that complex.  It's a simple match program and how well 
that match program is written is what you rely upon.

I say rely upon your eyes and ears too.  Modems whistle 
differently than faxes for the most part so just manually 
dialing a found number can tell you a lot with your ears.  
In a typical war dial the expected found ratios are 
1 to 1.5% of the pool of original numbers so this is 
generally not a long exercise.

Both commercial tools do a decent job of finding a modem 
carrier, but if you rely upon their identification engines 
without independent verification you are probably asking 
for some hurt, especially if you're a white hat testing or 
performing in the name of the war-dial engagement for your 
client.

A sharp eye, keen memory and mastery of the original free 
war dial tool ToneLoc will get you a fast foot print and 
much of the data you need 9 times out of 10.  This can
be the independence you seek in many cases.

Then again knowing old school programs like Procomm Plus 
will help you go back and become more successful at testing 
conditions like changing stop bits and parity to clean up 
garbage banners.  In the end if you get a bunch of extended 
ASCII characters you can probably assume that there is some 
type of client side (in general) software required to 
establish a connection.  For example, PcAnywhere, CarbonCopy, 
Remotely Anywhere, Etc.  Try that on and see if it works.

Just be advised that blind faith in the results of commercial 
war dialers can possibly leave you compromised if you don't go
independently verify.

You can check out many techniques and tricks via the old-school 
ways using ToneLoc at my site www.m4phr1k.com.

Regards,

Stephan Barnes 
stephan.barnes () foundstone com
http://www.foundstone.com
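The parity point above (a 7-E-1 sender read at 8-N-1 shows up as extended ASCII, and re-dialing at E-7-1 cleans it up) and the banner-table matching the commercial tools do can both be shown offline. The following is an added example, not code from this post, from Foundstone, or from any war-dialer product: it infers from a captured byte string whether the remote end was framing 7 data bits plus a parity bit, strips the parity bit to recover the text, and then matches the result against a small signature table. The framing heuristic, the signature table and the captured byte strings are constructed for the example; the "@Userid:" and "AIX Version" prompts are the two samples quoted in the post.

```python
"""Added example: recover a readable banner from bytes captured at 8-N-1 when
the remote end was really sending 7 data bits plus a parity bit, then match
the recovered text against a small table of known login prompts.

Everything here is constructed for illustration; it is not the code of any
war-dialing product."""

# Constructed signature table, checked in order (most specific first).
BANNER_SIGNATURES = [
    ("@Userid:", "Shiva LanRover"),
    ("AIX Version", "IBM AIX"),
    ("login:", "generic UNIX login prompt"),
]


def _even_parity(b: int) -> int:
    """Even-parity bit for the low 7 bits of b (1 when the count of 1s is odd)."""
    return bin(b & 0x7F).count("1") & 1


def guess_framing(raw: bytes) -> str:
    """Infer whether bytes read at 8-N-1 really carry 7 data bits plus parity.

    If every byte's high bit equals the even parity of its low 7 bits, the
    sender was using 7-E-1; if every high bit is the complement, 7-O-1.
    Anything else is treated as genuine 8-bit data.  This is a heuristic:
    a very short capture can satisfy a parity rule by chance.
    """
    if not raw:
        return "unknown"
    if all((b >> 7) == _even_parity(b) for b in raw):
        return "7E1"
    if all((b >> 7) == 1 - _even_parity(b) for b in raw):
        return "7O1"
    return "8N1"


def strip_parity(raw: bytes) -> bytes:
    """Drop the parity bit (bit 7) from every byte, leaving 7-bit ASCII."""
    return bytes(b & 0x7F for b in raw)


def recover_banner(raw: bytes) -> tuple:
    """Return (framing guess, banner text) for a raw 8-N-1 capture."""
    framing = guess_framing(raw)
    data = strip_parity(raw) if framing in ("7E1", "7O1") else raw
    return framing, data.decode("ascii", errors="replace")


def classify_banner(text: str) -> str:
    """Match the banner text against the signature table, first hit wins."""
    for needle, label in BANNER_SIGNATURES:
        if needle in text:
            return label
    return "unidentified (manual verification needed)"


def encode_7e1(text: str) -> bytes:
    """Simulate a 7-E-1 sender whose bytes are read by an 8-N-1 receiver:
    the parity bit lands in bit 7, so odd-weight characters ('T', 'I', ...)
    look like extended ASCII on the terminal."""
    return bytes(ch | (_even_parity(ch) << 7) for ch in text.encode("ascii"))


# Constructed captures: one from a 7-E-1 sender, one plain 8-N-1 AIX banner.
SAMPLE_7E1 = encode_7e1("\r\nThe password is incorrect.\r\n")
SAMPLE_8N1 = (b"\r\nAIX Version 4\r\n"
              b"(C) Copyrights by IBM and by others 1982, 1994.\r\nlogin: ")

if __name__ == "__main__":
    for raw in (SAMPLE_7E1, SAMPLE_8N1):
        framing, text = recover_banner(raw)
        print(f"{framing}: {text.strip()!r} -> {classify_banner(text)}")
```

Switching the terminal to E-7-1 does in hardware what `strip_parity` does here in software: the UART consumes the eighth bit as parity instead of handing it up as data. The signature table is deliberately ordered so that the generic `login:` entry only fires when nothing more specific matched, which is the same reason a stale or badly ordered database in a commercial tool can miss an AIX or Shiva banner that a human reads instantly.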
 
-----Original Message-----
From: Nate.King () predictive com [mailto:Nate.King () predictive com] 
Sent: Friday, September 21, 2001 3:44 PM
To: pen-test () securityfocus com
Subject: RE Modem identification


I prefer PhoneSweep by Sandstorm Enterprises at http://www.sandstorm.net/.
It has the capability to identify 305 different dial-up systems by name,
including ones that do not provide visible text banners.  It is a commercial
product, however, and can be expensive.

I wrote an article for Information Security Magazine in June 2000 that
compared various commercial and free war dialing tools (PhoneSweep,
TeleSweep Secure, and THC-Scan).  The URL is
http://www.infosecuritymag.com/articles/june00/features1.shtml.  TeleSweep
Secure has probably changed the most since then, but hopefully it will help.

Good Luck,

Nate

********************************************************
Nate King, CISSP
Managing Consultant, Ethical Hacking Division
Global Integrity Information Security
Predictive Systems, Inc.

E-Mail: nate.king () predictive com
http://www.predictive.com
********************************************************



"Perciaccante, Robert" <Robert.Perciaccante () dowjones com>
09/21/2001 08:06 AM


       To:     pen-test () securityfocus com
       cc: 
       Subject:        Modem identification


After identifying modems that are set to answer inbound dialing, I
would like to figure out a better way to identify the types of dial-in 
systems these are.  While some do spit banners, and aid in 
identification, most do not.  Can anyone recommend a suitable "modem 
identifier"?

Thanks,

Bob Perciaccante



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
