Penetration Testing mailing list archives
Re: Modem identification
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Wed, 26 Sep 2001 14:34:29 +0200
Perhaps it will, but that requires a separate connection most times. I.e.
dial up again. I would like to do this reliably in the most efficient manner
possible.
My intention is to make some kind of state table, e.g.:

Dial number
  Got input?
    Yes - go to "Classify input"
    No (after timeout period) - go to "Nudge"

Classify input
  Input looks like PPP (i.e. contains lots of {{{{{{ ) - classify as PPP dial-up - go to "PPP Brute Force"
  Input looks like text - go to "Identify banner"

Nudge
  Prompt with NT RAS string - go to "Got input?"
  Prompt with CRLF - go to "Got input?"

Identify banner
  Text contains "login:" - classify as "shell account" - go to "Enter password"
  Text contains "AIX" - classify as IBM RS/6000
  Text contains "@login" - classify as Shiva
  etc.
The difference between PPP and NT RAS is that the PPP server seems to spew
{{{{{'s to initiate the connection - play with wvdial for a bit to see how
it "intelligently" negotiates a dial-up connection. NT RAS on the other hand
sits silent until a special character sequence is sent, typically containing
non-printable/keyboard enterable characters.
I have attached my Perl program - it's VERY rough, so don't expect much from
it. At the moment, the most interesting thing about it is its ability to
speak to a serial port! It expects a list of numbers on STDIN, and logs its
findings to ${number}.asc and ${number}.bin.
Rogan
-----Original Message-----
From: olle [mailto:olle () nxs se]
Sent: 26 September 2001 02:16
To: Dawes, Rogan (ZA - Johannesburg)
Cc: pen-test () securityfocus com
Subject: Re: FW: RE Modem identification
On Tue, Sep 25, 2001 at 10:01:01AM +0200, Dawes, Rogan (ZA - Johannesburg) wrote:
> Re the prompting, one of the most common "silent" modems seems to be Windows NT RAS. This sits there until you give it a particular string. I am intending to capture the initial string using PortMon, and replay it blindly whenever I get no initial characters. That should help identify a number of systems, I think.

NT RAS is just PPP with MSCHAP authentication. pppd will suffice both to identify and bf NT RAS.

/olle
Attachment: joshua.tar.gz
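The state table above is small enough to run as code. What follows is an added example, not Rogan's attached joshua.tar.gz and not anything else from the thread: a Python walk through Dial -> Got input? -> Nudge -> Classify input -> Identify banner, using the "{{{{{" heuristic and the banner strings exactly as the post gives them. Everything else is an assumption: the NT RAS initiation sequence is not on the page (Rogan planned to capture it with PortMon), so NT_RAS_PROBE is a placeholder; FakeModem stands in for the serial port; the sample responses are constructed, not captures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# "Identify banner" rules from the post.  Every matching rule is reported, so a
# box that prints both "AIX" and "login:" gets both labels.  The regexes are
# this example's own rendering of the post's "text contains ..." checks.
BANNER_RULES = [
    (re.compile(rb"login:", re.IGNORECASE), "shell account"),
    (re.compile(rb"\bAIX\b"), "IBM RS/6000"),
    (re.compile(rb"@login"), "Shiva"),
]

# Next state per classification, as listed in the post; classifications with
# no "go to" in the table map to None.
NEXT_STATE = {"PPP dial-up": "PPP Brute Force", "shell account": "Enter password"}

# ASSUMPTION: the real NT RAS initiation string is not given in the thread.
# This placeholder only exercises the "Nudge" path; replace it with a capture.
NT_RAS_PROBE = b"\x01RAS-PROBE-PLACEHOLDER\r"
NUDGES = [NT_RAS_PROBE, b"\r\n"]


def looks_like_ppp(data: bytes, threshold: int = 5) -> bool:
    """The post's heuristic: a PPP server 'spews {{{{{'s' on connect."""
    return data.count(b"{") >= threshold


def identify_banner(data: bytes) -> List[str]:
    """'Identify banner' state: return every classification that matches."""
    return [label for pattern, label in BANNER_RULES if pattern.search(data)]


def classify_input(data: bytes) -> List[str]:
    """'Classify input' state: PPP first, otherwise treat it as a text banner."""
    if looks_like_ppp(data):
        return ["PPP dial-up"]
    return identify_banner(data) or ["unknown text banner"]


@dataclass
class FakeModem:
    """Constructed stand-in for the serial port: a scripted initial response
    plus scripted replies to specific nudges.  Not a real modem driver."""
    initial: bytes = b""
    replies: Dict[bytes, bytes] = field(default_factory=dict)
    sent: List[bytes] = field(default_factory=list)

    def read(self) -> bytes:          # what arrived before the timeout
        data, self.initial = self.initial, b""
        return data

    def write(self, probe: bytes) -> None:
        self.sent.append(probe)
        self.initial = self.replies.get(probe, b"")


def scan(modem, nudges=NUDGES) -> dict:
    """Walk the table: Dial -> Got input? -> (Nudge -> Got input?)* -> Classify."""
    trace = ["Dial", "Got input?"]
    data = modem.read()
    for probe in nudges:               # each nudge is tried once, in order
        if data:
            break
        trace += ["Nudge", "Got input?"]
        modem.write(probe)
        data = modem.read()
    if not data:
        trace.append("silent")
        return {"labels": ["silent"], "next": None, "trace": trace, "data": data}
    trace.append("Classify input")
    labels = classify_input(data)
    if "PPP dial-up" not in labels:
        trace.append("Identify banner")
    nxt = next((NEXT_STATE[l] for l in labels if l in NEXT_STATE), None)
    if nxt:
        trace.append(nxt)
    return {"labels": labels, "next": nxt, "trace": trace, "data": data}


def make_samples() -> Dict[str, FakeModem]:
    """Constructed responses (not captures): one per branch of the table."""
    return {
        "ppp": FakeModem(initial=b"~\xff}#\xc0!}!}!} }4{{{{{{{{~"),
        "aix": FakeModem(initial=b"\r\nAIX Version 4\r\n(C) Copyrights by IBM\r\nlogin: "),
        "shiva": FakeModem(replies={b"\r\n": b"@login: "}),      # silent until CRLF
        "ntras": FakeModem(replies={NT_RAS_PROBE: b"{{{{{{{{"}),  # silent until the probe, then PPP
        "dead": FakeModem(),                                       # never answers
    }


def scan_all() -> Dict[str, dict]:
    return {name: scan(modem) for name, modem in make_samples().items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:6} {result['labels']} -> {result['next']}  via {' / '.join(result['trace'])}")
```

Two things the table alone does not show: the "login:" and "@login" rules overlap, so a Shiva box is reported as both "shell account" and "Shiva" (narrow the generic rule or order the checks if that matters), and a host that stays silent until the NT RAS probe and then answers with PPP framing lands in the PPP branch, which is the point of olle's reply.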
