Penetration Testing mailing list archives
RE: Pentesting Telephone-Systems
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Tue, 6 Sep 2005 15:05:16 -0400
I know that a lot of Voice Mail systems come with default passwords that are remote enabled by default. There are some VM products which use the word "SYSTEM" as the default password. You can actually dial up the number, get the voice prompt, type in the numeric equivalent to "SYSTEM" (=7977836) and have full access to configuration options. As some SMBs (Small-Medium Business) don't have an adequate IT Staff or Telephony staff, often this goes overlooked. This can allow for making outbound phone calls from a remote location. For instance if your phone bill suddenly starts showing calls made to Lebanon or Turkey, you'll know you have a problem.

This is actually how a lot of Phone system hacks are done - use of default passwords. I wonder if anyone has a compilation of SYSTEM - DEFAULT PASSWORD combinations. That would be a nifty little list.

Here's one to get you started: LINGO Voicemail uses the above mentioned "SYSTEM" password. As for products from the same manufacturer like Repartee and Audix, I would GUESS they use the same as well. I'm sure they even provide documentation on their website for the initial configs. www.activevoice.com

-jmb

=| -----Original Message-----
=| From: sebastian.michel () ctl-loeper de
=| [mailto:sebastian.michel () ctl-loeper de]
=| Sent: Tuesday, September 06, 2005 3:52 AM
=| To: pen-test () securityfocus com
=| Subject: Pentesting Telephone-Systems
=|
=| Hi,
=|
=| I spent much time to get technical information
=| about pentesting telephone systems, but with no success.
=|
=| Where are security-flaws, what methods are known to
=| work, which tools are already available and so on.
=| Does someone have information about this or can tell
=| me something?
=|
=| I heard that manufacturers are obligated to build in a
=| backdoor for secret services in their products. Is this right?
=|
=| thanks,
=|
=| S.Michel
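A defender-side check for the symptom described in the message above (unexpected calls to foreign destinations on the phone bill), added here as an example and not part of the original post: it scans call detail records for international calls outside an allowlist and notes when they were placed off-hours or from the voicemail system. The record layout, the `011` dialing prefix, the allowlist and the `VM-PORT-1` source name are assumptions, and the sample records are constructed.

```python
from datetime import datetime

# Assumptions (not from the original post): the CDR field layout, the "011"
# international dialing prefix (North American plan), and the allowlist.
INTL_PREFIX = "011"
ALLOWED_COUNTRY_PREFIXES = ("44", "49")  # hypothetical: countries the business really calls
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 local time, Monday to Friday
VOICEMAIL_SOURCES = {"VM-PORT-1"}        # hypothetical name of the voicemail system's port

# Constructed sample records: start time, originating extension/port, dialed digits, seconds
SAMPLE_CDRS = [
    ("2005-09-03 02:14:09", "VM-PORT-1", "0119611555010", 1840),
    ("2005-09-03 02:51:40", "VM-PORT-1", "011902125550100", 2210),
    ("2005-09-05 10:05:00", "2040", "011442075550100", 300),
    ("2005-09-05 11:30:00", "2041", "12125550100", 120),
    ("2005-09-05 22:45:00", "2042", "0113315550100", 95),
]


def flag_toll_fraud(cdrs):
    """Return (record, reasons) for international calls outside the allowlist."""
    findings = []
    for rec in cdrs:
        start, source, dialed, _seconds = rec
        if not dialed.startswith(INTL_PREFIX):
            continue  # domestic call, out of scope for this check
        destination = dialed[len(INTL_PREFIX):]
        # E.164 country codes are prefix-free, so a prefix match is unambiguous.
        if destination.startswith(ALLOWED_COUNTRY_PREFIXES):
            continue
        reasons = ["destination not on allowlist"]
        when = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            reasons.append("outside business hours")
        if source in VOICEMAIL_SOURCES:
            reasons.append("originated from voicemail port")
        findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for record, reasons in flag_toll_fraud(SAMPLE_CDRS):
        print(record[0], record[1], record[2], "->", "; ".join(reasons))
```
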
Current thread:
- Pentesting Telephone-Systems sebastian . michel (Sep 06)
- Re: Pentesting Telephone-Systems Volker Tanger (Sep 07)
- <Possible follow-ups>
- RE: Pentesting Telephone-Systems Beauford, Jason (Sep 07)
- RE: Pentesting Telephone-Systems Nicolas Gregoire (Sep 08)