Phree as in Phone Call
The other end of the line

Presented By: john@security-assessment.com
Presented at Kiwicon II (2008). This talk is the culmination of many years of whispering sweet nothings to phones and as such will focus on the interesting things which can be found on the remote end of phone lines (PaBXs, Voice Mail Systems, IVRs).
There will be a discussion of the latest techniques and tools, and we will cover examples of what to look for when auditing and hacking phone systems. We'll delve into what can be found hidden in phat corporate number blocks, and touch on topics such as remote eavesdropping and PIN security. There will be a demonstration of what can be gained by harnessing the awesome power of VoIP.
1. Phree as in Phone Call
   The other end of the line
   Presented By: john@security-assessment.com
   © 2008 Security-Assessment.com

2. FILE_ID.DIZ
   - Advantages of phreaking with VoIP
     - Modern dialing setup
   - Modern wardialing and scanning techniques
     - Identifying and classifying devices
   - Hacking dial-in lines
     - System types and login attacks
   - IVR and voicemail systems
     - PIN brute-forcing
   - PaBXs
     - Exploiting features
     - Eavesdropping and data-mining

3. Advantages of phreaking with VoIP
   - International destinations much more accessible
     - VoIP is cheap
     - Can scam free VoIP
   - Don't need to scan from home anymore
     - Fewer knocks at the door
   - Parallelization
     - Can run savage burns
   - Easier to perform certain attacks
     - CallerID spoofing
     - Automates hand scanning
     - Callus free!

4. Modems and VoIP
   - Most people think it can't be done
     - Complex codecs cause havoc to connections
     - Modems can't connect
     - Connections drop
   - It can be done!
     - What you need
     - How to tweak it

5. What you need
   - Modems (image slide)

6. What you need
   - Analog telephony adaptors (ATA) (image slide)

7. What you need
   - VoIP account
     - Lots of cheap providers
       - voipjet.com
       - voipbuster.com
     - Trial accounts
       - Free calls
   - Asterisk server
     - Routing
     - Call recording
     - CallerID spoofing

8. Device configuration tricks
   - ATA
     - Compression disabled (G.711 ulaw!)
     - No echo cancellation (*99 on PAP2)
   - Modem
     - Disable local flow control
     - Error-correction
     - Disable data-compression
     - Limit the data rate to 1200 bps for scans

9. Modem connection using VoIP (image slide)

10. What can you connect to?
   - Modems all over the world
     - Control systems
     - SCADA systems
     - Alarm systems
   - International X.25 networks
     - India, Africa, Russia, China…
     - Banking
   - Other interesting stuff
     - Obscure devices and networks
     - Bulletin boards (yep!)
   - Who knows? The PSTN is global!

11. What can you connect to?
   - SCADA system example (image slide)

12. Wardialing
   - Automatically dialing numbers to find modems
     - Target identification
     - Inventory building
   - Risks
     - Time of day
     - Randomize numbers!
   - Modern Wardialing
     - Use VoIP, UNIX and Asterisk
     - The Intelligent Wardialer (iWar)

13. Wardialing
   - iWar
     - Multiple modems are no problem!
       - Serial to USB adapters
       - Scalable banks of modems with limitless potential
     - Remote system identification (126 banners)
     - MySQL support
     - CNAM lookup feature
     - Blacklist support

14. Wardialing
   - iWar in serial mode (screenshot slide)

15. Wardialing
   - What will we find?
     - Routers
     - Remote access servers
     - PPP dialins
     - PC Anywhere
     - PaBX management systems
     - IVR systems
     - Network backdoors
     - Outdials
     - Diverters (dialtones)
     - Unknown and forgotten devices

16. Wardialing
   - Reducing time with blacklists
     - Internal / employee directories
     - DDIs and other numbers harvested from websites
     - Business directories
       - Websites
       - CDROMs
     - Fax directories
     - Do-not-call lists
     - Special ranges
       - Telco test equipment

17. Wardialing
   - Published research
     - Peter Shipley dialed 5.7M numbers over three years
       - 50,000 carriers found
       - Found unauthenticated access to:
         - Fire Department's dispatch system
         - Control system for high-voltage power transmission line
         - Internal networks of financial organizations
         - A leased line control system
         - Credit card number databases
         - Medical billing records

18. Wardialing
   - THC-Scan: Next Generation
     - Distributed wardialer!
       - Large modem pools
     - Large scan ranges - (09) 3XXXXXX
       - Global scanning efforts
     - Log sharing and karma systems

19. Wardialing
   - Callus-free handscanning
     - iWar with IAX2 connection
       - Wifi at café, etc
       - Headphones
     - Time and patience
   - Upsides
     - Safe and anonymous
     - Mostly automated
     - Handsfree!

20. Hacking dial-in lines
   - Figuring out what you're dealing with
     - System types and banners
     - Identifying different types of login prompts and methods
     - Building username and password lists
       - Google for defaults
   - Login brute-forcing
     - Tools
     - Homebrew scripting

21. Hacking dial-in lines
   - System types and banners (screenshot slide)

22. Hacking dial-in lines
   - System types and banners (screenshot slide)

23. Hacking dial-in lines
   - Different login prompts and methods
     - Single auth
     - Dual auth
     - Limited or unlimited attempts?
     - Username, password or both?

24. Login brute forcing
   - Tools
     - Commercial war dialers (lame)
     - Modem login hacker for Linux
     - X.25 NUI/NUA scanners
   - Homebrew
     - Minicom runscript
     - Python serial library
     - Procomm Plus ASPECT script

25. Login brute forcing
   - Modem Login Hacker
     - Works against any 'Username:' or 'Login:' variations
       - Unix, Cisco, PaBXs
     - Customizable for different login formats
     - Includes PPP brute-forcing tool!

26. IVRs and voicemail
   - Fingerprinting voicemail systems
     - Default prompts
       - Default mailbox numbers and PINs
       - Admin mailbox
     - "Nudges" (*8, *81, *, #, 0)
       - Can you find the admin console?
   - CallerID spoofing attacks
     - ANI or CID authentication is very bad!
   - Call forwarding and out-dials
     - Free calls

27. IVRs and voicemail
   - Launching a PIN brute force attack
     - Things to figure out
       - Dial-in numbers and PIN length
       - Numbering format for mailboxes
       - Method of getting to the PIN prompt

28. PIN brute forcing
   - Metlstorm's mighty Hai2IVR
     - SIP client for brute forcing DTMF prompts
     - Can record calls and scan in parallel
     - GUI for sorting and listening to the results
     - Doubles as PaBX extension war dialer

29. PIN brute forcing
   - Components
     - Hai2IVR GTK interface
       - Handles the parallelization
       - GUI for reviewing results
     - metlodtmfzor
       - Makes the calls and sends the DTMF
       - Command line scriptable
   - Hai2IVR setup
     - Route through Asterisk
     - Authenticated SIP
     - CID spoofing

30. Predictable PINs
   - Keypad patterns
     - Making shapes
       - L, X, O
     - Repeating numbers
       - 2244, 9988
     - Patterns
   - Other lists
     - Birth dates
     - Pop culture references
       - 1984, 1337 (WiteRabit's PIN)
     - Word numbers
       - Hell, love, krad, sexy

31. Predictable PINs (image slide)

32. Predictable PINs
   - PINPop.com
     - Research project into predictable PINs
     - PIN database analysis
   - Goals
     - Secure PIN selection patches to Asterisk
     - Whitepaper on PIN selection psychology

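As an added example that is not from the talk or from PINPop.com, the following checker flags the predictable-PIN classes the two "Predictable PINs" slides list (keypad shapes, repeats, years, pop-culture numbers, word numbers), the kind of test a secure PIN selection hook in a voicemail server would run when a user sets a new PIN. The keypad geometry is the standard 3x4 layout; the word and pop-culture lists are constructed from the slide's own examples and are assumptions, not PINPop's data.

```python
# Added example (not from the talk or PINPop.com): a checker for the
# predictable-PIN classes listed on the "Predictable PINs" slides, as a
# "secure PIN selection" hook for a voicemail server might apply at PIN set.
# Word/pop-culture lists are constructed from the slide's examples only.

# Row/column of each key on a 3x4 telephone keypad.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
                       "0": (3, 1)}

# Letters printed on each key, for "word numbers" such as 5683 = love.
KEY_LETTERS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
               "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_KEY = {c: k for k, cs in KEY_LETTERS.items() for c in cs}

WORDS = ("hell", "love", "krad", "sexy")      # from the slide
POP_CULTURE = {"1337"}                          # 1984 is caught as a year
WORD_PINS = {"".join(LETTER_TO_KEY[c] for c in w): w for w in WORDS}


def _adjacent(a, b):
    """True if keys a and b touch on the keypad, diagonals included."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return max(abs(r1 - r2), abs(c1 - c2)) == 1


def weak_pin_reasons(pin):
    """Return the predictability classes a PIN falls into ([] = none)."""
    if not pin.isdigit() or len(pin) < 4:
        return ["too short or not numeric"]
    reasons = []
    pairs = list(zip(pin, pin[1:]))
    if len(set(pin)) <= 2:                       # 2244, 9988, 1111, 1212
        reasons.append("repeated digits")
    if {int(b) - int(a) for a, b in pairs} in ({1}, {-1}):   # 1234, 4321
        reasons.append("sequential digits")
    if all(_adjacent(a, b) for a, b in pairs):   # L, X, O shapes, 2580
        reasons.append("keypad shape")
    if len(pin) == 4 and 1900 <= int(pin) <= 2030:   # birth dates, 1984
        reasons.append("year")
    if pin in POP_CULTURE:
        reasons.append("pop culture reference")
    if pin in WORD_PINS:                         # 4355 = hell, 7399 = sexy
        reasons.append("word number: " + WORD_PINS[pin])
    return reasons


def is_weak_pin(pin):
    return bool(weak_pin_reasons(pin))
```

A server-side hook would reject any PIN for which `weak_pin_reasons` is non-empty and tell the user which class it matched; the year range and word list are the knobs to widen for a real deployment.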
33. PaBX hacking
   - Attack categories
     - Theft of service
     - Routing manipulation
     - Traffic analysis (stealing CDRs)
     - Social engineering
     - Eavesdropping

34. PaBX hacking
   - The Holy Grail
     - Access to the maintenance console
       - Dial-in lines, extensions, computers
   - Feature exploits
     - Conferencing
     - Three-way calling
     - Call forwarding
     - Direct Inward System Access (DISA)
     - Test features that remotely activate mics
   - Theft of CDRs
     - Industrial espionage
   - Advanced auditing
     - Free Space Invaders: reverse engineering

35. PaBX hacking
   - Maintenance console banners (screenshot slide)

36. PaBX hacking
   - A hacked Meridian management console can:
     - Set up trunks to allow outgoing calls
     - Manipulate trunks
     - Re-route incoming / outgoing calls
     - Eavesdrop on extensions
     - Set a Meridian Mail box to auto logon temporarily
     - Shut down the PaBX
     - Make phones ring infinitely
     - Trace calls through CDR records
     - Steal CDRs

37. PaBX hacking
   - Lockdown methods
     - Restricted out dialing
     - Forwarding features disabled
     - Enforced minimum PIN size
     - Unused boxes deactivated
     - Lockout counters with manual reset
     - Timeouts on setup of new mailboxes
     - Challenge response systems
       - US Government classified VMSs need SecureIDs
     - Logging

38. PaBX hacking
   - CDRs and datamining
     - Sensitive information can be gleaned from call records
       - Who called who and when
       - Current and potential clients, contractors
       - Recent company activities
     - AMDOCS example
       - Handles billing for most American telcos
       - FBI and NSA investigation into sending CDRs offshore
       - Possibility of Israelis spying on Americans through CDRs

39. The infinite power of Asterisk
   - Custom setups
     - Testing environment for tools
     - Anonymous voicemail servers
     - Encrypted voice
     - Private networks like DetoVoIP and Telephreak
     - Rogue PaBXs for eavesdropping
     - Custom features
   - ProjectMF: A trip down phone-phreak memory lane
     - Asterisk patches to support MF in-band signaling
     - Lets you bluebox telephone calls
     - Simulation of old (but not dead?) networks

40. The infinite power of Asterisk
   - Blueboxing through a ProjectMF test server (image slide)

41. The infinite power of Asterisk
   - Call the ProjectMF server
     - Get dropped to a C5 trunk
     - Hold the phone up to the speakers
     - Seize the trunk with a 1 second burst of 2600 Hz
     - Send KP + 12588 + ST in multi-frequency (MF) tones
     - Call connects
     - Re-seize, repeat

42. Thanks
   - Thanks & greats to:
     - SA.com
     - SLi
     - Andrew Horton
     - Metlstorm
     - Detonate
     - Kiwicon crew
     - Beave
     - Jfalcon
     - M4phr1k

43. NO CARRIER
   http://www.security-assessment.com
   john@security-assessment.com