1. Dial-up, PBX, Voicemail, and VPN Hacking Lesson 13

2. Dial-up connections Interestingly, earlier versions of text didn’t have as robust a section on dial-ups, PBX’s, etc… It may be somewhat surprising, but many organizations still have analog dial-up connections into their systems May be authorized or not! Nice thing is that if you find one, you will probably be able to circumvent most of the organization’s security systems (e.g. firewalls, IDS…) Techniques have been around for a long time, war-dialers or demon dialers.

3. An interesting quote… “Dial-up access through a terminal server ensures that we will not be locked out of the network if the organization discovers it is under attack and decides to shut off all Internet access. Dial-up lines are almost always overlooked by security administrators or are managed by a separate group with minimal communication between the two groups.” “As all seasoned network professionals know, there’s always at least one employee who decides to set up his or her own remote access to a desktop machine using Symantec Corp.’s pcAnywhere or a similar product without a password.” Mark Abene “phiber optik”

4. Preparing to War-dial Need to know what numbers to try Phone number footprinting Check phone book, or a business card to get an idea Need a tool to do the war-dialing Public domain ToneLoc: the granddaddy, updated versions still available THC-Scan: Probably the most popular public version Commercial (may also include penetration attempts) PhoneSweep: powerful but costs TeleSweep: even better, but no longer supported Legal Issues In some locations it is illegal to dial large quantities of numbers in sequence Some locations specifically ban war-dialing Need to ensure you have explicit permission to dial an organization’s phone numbers and DON’T make a mistake!

5. War-dialing (cont.) Looking for numbers where a computer with a modem answers May also find PBX, Voice-mail system, SCADA or control system. War-dialers will often provide the capability to not only record possible numbers but may also record header information. Some other details you may need to fully characterize the possible connection: Timeout or maximum number of tries? What times are connections allowed? What type of challenge/response is used (does there seem to be an extra level such as a smart card)? What type of character data is used for ID and password

6. War dialing domains Low Hanging Fruit Common/default userid/password combo in use. With a little background info may be able to determine these. Single Authentication, unlimited attempts Only requires single authentication item (e.g. password but no userid) Brute-forcing possible here since you won’t be disconnected. Single Authentication, limited attempts After threshold reached connection disconnected Will need to repeatedly dial back Dual Authentication, Unlimited attempts Requires more than one piece of info (e.g. ID & Password) Brute-force still possible, just now for two items Dual Authentication, limited attempts Now need two items, and will have to dial back if you can’t come up with both in just a few attempts.

7. War dialing – some final notes Though high-speed access more ubiquitous, war dialing is still valuable as people still connect modems. Countermeasures: Policy War dial your own numbers. Only will find modems attached when you attempt the war dialing. Not effective if person using modem when you call Doesn’t solve problem, only may let you know you have one. Enforce policy, punish violators when you find them Telephone firewall

8. PBX Hacking Still common to have dial-up access to PBX for maintenance/management purposes. Textbook included several examples of the type of login screens one might see if a PBX connection is discovered. Like other systems, a number of default password/userid combinations exist which may not have been cleared from the system. Why worry about PBXs? Because they can be exploited, or at the very least, disrupted. Best countermeasure is to not leave this active dial- up port open. Only set it up when it is needed.

9. Voice-Mail Hacking Why play with voice-mail? Use forgotten ones for your own communication Listen in on other people for corporate espionage purposes Harassment Gives me something to do at nights What is needed for an attempt? Number to dial for voice-mail Box number (often just the extension) Voicemail box password (generally 4-6 digits) Just like text passwords, people pick easy to remember numbers/patterns for voicemail Same thing applies for “gated communities”

10. VPN Hacking With VPNs we are encapsulating the original packet within a new packet and encrypting the original. This hides both the data and information about the origin and destination. Number of different packages that allow you to set up a VPN. Text discusses a few potential problems but… chances are pretty good that we will not be “hacking” a VPN, too time consuming. This is not to say that somebody using a VPN is secure, if you can get in using another method, you can they utilize the VPN yourself in accessing other systems in the corporate domain. Since you will now be coming from inside a trusted domain the level of authentication may not be as high as somebody coming in from outside of the domain.

11. Summary What is the importance and significance of this material? Dial up still a possible avenue to access corporate networks. PBXs also may be vulnerable and are an asset that should be protected. How does this topic fit into the subject of “Security Risk Analysis”? Need to include dial-up to complete assessment of security perimeter. Also should look at PBXs, though this is often overlooked.