Penetration Testing mailing list archives
Re: Modem identification
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Wed, 26 Sep 2001 14:34:29 +0200
Perhaps it will, but that requires a separate connection most times. I.e. dial up again. I would like to do this reliably in the most efficient manner possible.

My intention is to make some kind of state table. e.g.

Dial number
  Got input?
    Yes - Go to "classify input"
    No (after timeout period) - go to "Nudge"

Classify input
  Input looks like PPP (i.e. contains lots of {{{{{{ ) - Classify as PPP dial up - go to "PPP Brute Force"
  Input looks like text - go to "identify banner"

Nudge
  Prompt with NT RAS string - go to "Got input?"
  Prompt with CRLF - go to "Got input?"

Identify banner
  Text contains login: - classify as "shell account" - go to "Enter password"
  Text contains "AIX" - classify as IBM RS/6000
  Text contains "@login" - classify as Shiva
  etc

The difference between PPP and NT RAS is that the PPP server seems to spew {{{{{'s to initiate the connection - play with wvdial for a bit to see how it "intelligently" negotiates a dial-up connection. NT RAS on the other hand sits silent until a special character sequence is sent, typically containing non-printable/keyboard enterable characters.

I have attached my Perl program - it's VERY rough, so don't expect much from it. At the moment, the most interesting thing about it is its ability to speak to a serial port! It expects a list of numbers on STDIN, and logs its findings to ${number}.asc and ${number}.bin.

Rogan

-----Original Message-----
From: olle [mailto:olle () nxs se]
Sent: 26 September 2001 02:16
To: Dawes, Rogan (ZA - Johannesburg)
Cc: pen-test () securityfocus com
Subject: Re: FW: RE Modem identification

On Tue, Sep 25, 2001 at 10:01:01AM +0200, Dawes, Rogan (ZA - Johannesburg) wrote:
> Re the prompting, one of the most common "Silent" modems seems to be Windows
> NT RAS. This sits there until you give it a particular string. I am intending
> to capture the initial string using PortMon, and replay it blindly whenever I
> get no initial characters. That should help identify a number of systems, I
> think.
NT RAS is just PPP with MSCHAP authentication. pppd will suffice both to identify and bf NT RAS.

/olle
Attachment: joshua.tar.gz
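The state table above, as an added Python example (not Rogan's attached Perl program, which is not on this page): the classification rules are the ones listed in the mail, the "PPP Brute Force" and "Enter password" branches are left as labels only, and the serial port is replaced by a scripted stand-in so it runs offline. The NT RAS wake-up bytes and the sample banners are constructed placeholders, since the mail gives neither.

```python
import re
# NT RAS wake-up bytes are not in the mail (captured with PortMon): CONSTRUCTED placeholder.
NT_RAS_PROBE = b"\x01<placeholder NT RAS probe>\x00"
NUDGES = [("NT RAS string", NT_RAS_PROBE), ("CRLF", b"\r\n")]
PPP_MARKER = re.compile(rb"\{{5,}")  # "contains lots of {{{{{{"
# Specific prompts before the generic "login:" so Shiva/AIX are not filed as a shell.
BANNER_RULES = [
    (re.compile(rb"@login", re.I), "Shiva"),
    (re.compile(rb"\bAIX\b"), "IBM RS/6000"),
    (re.compile(rb"login:", re.I), "shell account"),
]

def identify_banner(text):
    for pattern, label in BANNER_RULES:
        if pattern.search(text):
            return label
    return "unknown text"

def classify_input(data):
    return "PPP dial-up" if PPP_MARKER.search(data) else identify_banner(data)

def probe(read, send):
    """State table: Got input? -> Classify; No -> Nudge (NT RAS string, then CRLF) -> retry."""
    data = read()  # bytes seen before the timeout, b"" if none
    if data:
        return classify_input(data), "no nudge"
    for name, nudge in NUDGES:
        send(nudge)
        data = read()
        if data:
            return classify_input(data), name
    return "silent after all nudges", None

class ScriptedLine:  # stand-in for the serial port: speaks first, or only after a nudge
    def __init__(self, initial=b"", replies=None):
        self.pending, self.replies = initial, replies or {}
    def read(self):
        data, self.pending = self.pending, b""
        return data
    def send(self, nudge):
        self.pending = self.replies.get(nudge, b"")

def demo():  # constructed sample lines, one per branch of the table
    lines = {
        "ppp": ScriptedLine(initial=b"~\xff}#\xc0!{{{{{{{{~"),
        "aix": ScriptedLine(initial=b"AIX Version 4\r\n(C) IBM\r\nlogin: "),
        "shiva": ScriptedLine(replies={b"\r\n": b"@login:"}),
        "nt_ras": ScriptedLine(replies={NT_RAS_PROBE: b"{{{{{{{{"}),
    }
    return {name: probe(line.read, line.send) for name, line in lines.items()}
```

The "nt_ras" case shows olle's point from the reply: once nudged, NT RAS answers with the same PPP chatter as any other PPP server, so it lands in the PPP branch.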