Penetration Testing mailing list archives

Re: WarDialing: can't identify the system (binary signature)


From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 23 May 2008 17:15:13 +0200 (ora solare Europa occidentale)

Hello,

On Thu, 22 May 2008, Zgrp unknow wrote:

> Hi pentesters
> 
> I'm conducting a WarDialing assessment and I found some numbers from my range that "are connectable"... they are not unix-like systems (at least I *think*), the output produced by them is not human readable (like binary protocols).

Performing modem surveys you'll often find weird beasts like the one you just described. Unfortunately, most of the time there's no immediate and easy way to identify them... Here are a few tips off the top of my head:

- Connect via terminal emulator (such as minicom or hyperterminal, in fact
  trying multiple emulators isn't a bad idea either), send some input
  (e.g. enter, '@', "help", "connect", "access", terminal break, etc.),
  and inspect reactions of the remote system, if any. Just be creative and
  you may be rewarded.
- Play with your terminal emulator settings (speed, parity, flow control,
  etc.) and try to connect again with different communication parameters.
- Try to establish a PPP connection instead, set maximum log/debug level,
  and inspect your logs. If the remote device talks PPP, maybe you'll be
  able to infer more information about it. Try also to authenticate:
  which dial-in authentication protocols are supported (PAP, CHAP, etc.)?
  Guess/bruteforce access credentials, if the legal agreement allows you
  to do so for the defined scope. Beware of account lockout policies that
  may be in place, by the way.

Most of the time, you won't be able to identify the remote system anyway. If that's the case, you may try another approach:

- Call the unidentified number from a phone internal to your Client
  company and check the description on the phone's display, if any.
  Consult the internal documentation and phone book, if available.
  Alternatively, ask the Client's contact person to do it for you.
- Hack into the PBX (again, only if the legal agreement allows you to do
  so!) and inspect the configuration searching for hints.
- If you can obtain physical access to the Client's premises where the
  unknown device is located, follow the phone cables and find it ;)

Once you detect the device type and/or purpose (e.g. remote support from vendors such as SAP, EMC2, Alcatel, and so on; remote maintenance of some other kind; file transfer and other proprietary applications; heating centrals, anti-theft systems, etc.) you can narrow the field a bit and increase your chances to find the appropriate ways to exploit the target, in order to obtain a remote access.

> If I connect to some of them via Windows Hyperterminal
> I get strange texts like:
> 
> "~?~?~?~?~?~?~?~?~?"
> "C??N??E??T??3??0??N??E??"
> 
> Or other unreadable things like the above.
> 
> Some detailed information from the WarDialing is
> below:
> 
> 
> - SENT            ATDT NUMBER01<CR>
> - RECEIVED        <CR><NL>                0d 0a
> - RECEIVED        CONNECT 300 NoEC<CR><NL>43 4f 4e
> 4e 45 43 54 20 33 30 30 20 4e 6f 45 43 0d 0a
> - RECEIVED
> ~?~?~?~?~?~?~?~?~?<?><NUL><BS><STX><SOH>@<DLE><BS><EOT><STX><SOH>@<DLE><BS><EOT><STX><SOH>@%<?>~?<?><EOT><DLE><?><?>D<?><?>~?
> 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f
> df 00 08 02 01 40 20 10 08 04 02 01 40 20 10 08 04 02
> 01 40 25 f6 7e 3f df 04 10 e0 d7 44 d5 f9 7e 3f
> - RECEIVED        <CR><NL>        0d 0a
> - RECEIVED        NO CARRIER<CR><NL>      4e 4f 20
> 43 41 52 52 49 45 52 0d 0a

I found this old document referencing systems that look exactly as the ones you're facing now:

https://kiwicon.org/~pipes/wwhm/revenge/rez01.txt
(search for "heaps")

By the way, the "CONNECT 300 NoEC" is a pretty ugly connection string... Are you using a real modem or a *cough* soft modem for your wardialing? ;)

> Any tips, ideas, are welcome.

Good luck!

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
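A small triage script for captures like the one quoted in this thread, added here as an example and not code from the original posts or their authors. It takes the hex bytes the modem logged on the third RECEIVED line (copied from the post above), renders them in the same `<NUL>`/`<BS>` notation the capture uses, and computes a few statistics a tester wants before deciding whether to re-dial with other line settings: how many bytes are printable, control or high-bit, which adjacent byte pair repeats most, and whether masking off bit 7 turns the capture into text (that is what a 7-bit-with-parity sender looks like when the local side reads 8N1). The `TEXT_THRESHOLD` cut-off, the function names and the three verdict labels are assumptions of this example, not anything from the thread.

```python
"""Triage helper for wardialing captures: render the logged bytes readably and
report quick statistics so "text at the wrong line settings" can be told apart
from "binary protocol or line noise" before trying other terminal parameters.
Example code for this thread; the hex below is copied from the quoted capture."""
from collections import Counter

# Hex bytes from the third RECEIVED line of the capture quoted in the thread.
CAPTURE_HEX = (
    "7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f "
    "df 00 08 02 01 40 20 10 08 04 02 01 40 20 10 08 04 02 "
    "01 40 25 f6 7e 3f df 04 10 e0 d7 44 d5 f9 7e 3f"
)

# ASCII names for 0x00..0x1f (the capture writes 0x0a as <NL>; ASCII calls it LF).
CONTROL_NAMES = [
    "NUL", "SOH", "STX", "ETX", "EOT", "ENQ", "ACK", "BEL",
    "BS", "HT", "LF", "VT", "FF", "CR", "SO", "SI",
    "DLE", "DC1", "DC2", "DC3", "DC4", "NAK", "SYN", "ETB",
    "CAN", "EM", "SUB", "ESC", "FS", "GS", "RS", "US",
]

# Assumed cut-off: share of text-like bytes needed to call a capture "text".
TEXT_THRESHOLD = 0.9


def parse_hex_dump(text: str) -> bytes:
    """Parse a whitespace-separated hex dump. Run-together pairs such as the
    '4e45' seen in pasted captures are accepted, since only the digits matter."""
    digits = "".join(text.split())
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in dump")
    return bytes.fromhex(digits)


def render(data: bytes) -> str:
    """Render bytes the way the capture does: control characters by name,
    printable ASCII as-is, DEL and high-bit bytes as <?>."""
    parts = []
    for b in data:
        if b < 0x20:
            parts.append(f"<{CONTROL_NAMES[b]}>")
        elif b < 0x7F:
            parts.append(chr(b))
        else:
            parts.append("<?>")
    return "".join(parts)


def _is_texty(b: int) -> bool:
    """Printable ASCII plus the whitespace controls normal text contains."""
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def triage(data: bytes) -> dict:
    """Summarise a capture: byte classes, the 0x7e count (a byte worth noticing
    because it is PPP's frame flag), the most repeated adjacent pair, and the
    text-likeness before and after masking bit 7 (7-bit-plus-parity view)."""
    n = len(data)
    pairs = Counter(data[i:i + 2] for i in range(n - 1))
    top_pair, top_count = pairs.most_common(1)[0] if n > 1 else (b"", 0)
    texty_raw = sum(1 for b in data if _is_texty(b))
    texty_7bit = sum(1 for b in data if _is_texty(b & 0x7F))
    return {
        "length": n,
        "printable": sum(1 for b in data if 0x20 <= b <= 0x7E),
        "control": sum(1 for b in data if b < 0x20),
        "high_bit": sum(1 for b in data if b >= 0x80),
        "flag_0x7e": data.count(0x7E),
        "top_pair": top_pair.hex(" "),
        "top_pair_count": top_count,
        "texty_ratio": round(texty_raw / n, 3) if n else 0.0,
        "texty_ratio_7bit": round(texty_7bit / n, 3) if n else 0.0,
    }


def classify(data: bytes) -> str:
    """Verdict: 'text', 'text-if-7bit' (re-dial with 7 data bits / parity
    before calling it binary), or 'binary-or-noise'."""
    stats = triage(data)
    if stats["texty_ratio"] >= TEXT_THRESHOLD:
        return "text"
    if stats["texty_ratio_7bit"] >= TEXT_THRESHOLD:
        return "text-if-7bit"
    return "binary-or-noise"


if __name__ == "__main__":
    capture = parse_hex_dump(CAPTURE_HEX)
    print(render(capture))
    for key, value in triage(capture).items():
        print(f"{key:18} {value}")
    print("verdict:", classify(capture))
```

On the quoted capture the verdict is "binary-or-noise": masking bit 7 only lifts the text-like share from about 0.56 to about 0.69, so a parity mismatch alone does not explain the output, which is consistent with the thread's advice to try a terminal break, PPP negotiation or other speeds rather than assume it is garbled text.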

