Phree As In Phone Call

Phree as in Phone Call
The other end of the line

Presented By: john@security-assessment.com
© 2008 Security-Assessment.com

FILE_ID.DIZ

 Advantages of phreaking with VoIP
 Modern dialing setup
 Modern wardialing and scanning techniques
 Identifying and classifying devices
 Hacking dial-in lines
 System types and login attacks
 IVR and voicemail systems
 PIN brute-forcing
 PaBX’s
 Exploiting features
 Eavesdropping and data-mining


Advantages of phreaking with VoIP

 International destinations much more accessible
 VoIP is cheap
 Can scam free VoIP
 Don’t need to scan from home anymore
 Less knocks at the door
 Parallelization
 Can run savage burns
 Easier to perform certain attacks
 CallerID spoofing
 Automates hand scanning
 Callus free!


Modems and VoIP

 Most people think it can’t be done
 Complex codecs cause havoc to connections
 Modems can’t connect
 Connections drop
 It can be done!
 What you need
 How to tweak it


What you need

 Modems


What you need

 Analog telephony adaptors (ATA)


What you need

 VoIP account
 Lots of cheap providers
 voipjet.com
 voipbuster.com
 Trial accounts
 Free calls
 Asterisk server
 Routing
 Call recording
 CallerID spoofing


Device configuration tricks

 ATA
 Compression disabled (G.711 ulaw!)
 No echo cancellation (*99 on PAP2)
 Modem
 Disable local flow control
 Error-correction
 Disable data-compression
 Limit the data rate to 1200 bps for scans


Modem connection using VoIP


What can you connect to?

 Modems all over the world
 Control systems
 SCADA systems
 Alarm systems
 International x.25 networks
 India, Africa, Russia, China…
 Banking
 Other interesting stuff
 Obscure devices and networks
 Bulletin boards (yep!)
 Who knows? The PSTN is global!


What can you connect to?

 SCADA system example


Wardialing

 Automatically dialing numbers to find modems
 Target identification
 Inventory building
 Risks
 Time of day
 Randomize numbers!
 Modern Wardialing
 Use VoIP, UNIX and Asterisk
 The Intelligent Wardialer (iWar)


Wardialing

 iWar
 Multiple modems are no problems!
 Serial to usb adapters
 Scaleable banks of modems with limitless potentional
 Remote system identification (126 banners)
 MySQL support
 CNAM lookup feature
 Blacklist support


Wardialing

 iWar in serial mode


Wardialing

 What will we find?
 Routers
 Remote access servers
 PPP dialins
 PC Anywhere
 PaBX management systems
 IVR systems
 Network backdoors
 Outdials
 Diverters (dialtones)
 Unknown and forgotten devices


Wardialing

 Reducing time with blacklists
 Internal / employee directories
 DDI’s and other numbers harvested from websites
 Business directories
 Websites
 CDROMs
 Fax directories
 Do-not-call lists
 Special ranges
 Telco test equipment


Wardialing

 Published research
 Peter Shipley dialed 5.7M numbers over three years
 50,000 carriers found
 Found unauthenticated access to
 Fire Department's dispatch system
 Control system for high-voltage power transmission line
 Internal networks of financial organizations
 A leased line control system
 Credit card number databases
 Medical billing records.


Wardialing

 THC-Scan: Next Generation
 Distributed wardialer!
 Large modem pools
 Large scan ranges - (09) 3XXXXXX
 Global scanning efforts
 Log sharing and karma systems


Wardialing

 Callus-free handscanning
 iWar with IAX2 connection
 Wifi at café, etc
 Headphones
 Time and patience
 Upsides
 Safe and anonymous
 Mostly automated
 Handsfree!


Hacking dial-in lines

 Figuring out what you’re dealing with
 System types and banners
 Identifying different type login prompts and methods
 Building username and password lists
 Google for defaults
 Login Brute-forcing
 Tools
 Homebrew scripting



 System types and banners



 Different login prompts and methods
 Single auth
 Dual auth
 Limited or unlimited attempts?
 Username, password or both?


Login brute forcing

 Tools
 Commercial war dialers (lame)
 Modem login hacker for Linux
 X.25 NUI/NUA scanners
 Homebrew
 Minicom runscript
 Python serial library
 Procomm plus aspect script


Login brute forcing

 Modem Login Hacker
 Works against any ‘Username:’ or ‘Login:’ variations
 Unix, Cisco, PaBXs
 Customizable for different login formats
 Includes PPP brute-forcing tool!


IVRs and voicemail

 Fingerprinting voicemail systems
 Default prompts
 Default mailbox numbers and PINs
 Admin mailbox
 “Nudges” (*8, *81, *, #, 0)
 Can you find the admin console?
 CallerID spoofing attacks
 ANI or CID authentication is very bad!
 Call forwarding and out-dials
 Free calls


IVRs and voicemail

 Launching a PIN brute force attack
 Things to figure out
 Dial-in numbers and PIN length
 Numbering format for mailboxes
 Method of getting to the PIN prompt


PIN brute forcing

 Metalstorms mighty Hai2IVR
 SIP-client for brute forcing DTMF prompts
 Can record calls and scan in parallel
 GUI for sorting and listening to the results
 Doubles as PaBX extension war dialer


PIN brute forcing

 Components
 Hai2IVR GTK interface
 Handles the parallelization
 GUI for reviewing results
 metlodtmfzor
 Makes the calls and sends the DTMF
 Command line scriptable
 Hai2IVR setup
 Route through Asterisk
 Authenticated SIP
 CID spoofing


Predictable PINs

 Keypad patterns
 Making shapes
 L, X, O
 Repeating numbers
 2244, 9988
 Patterns
 Other lists
 Birth dates
 Pop culture references
 1984, 1337 (WiteRabits PIN)
 Word numbers
 Hell, love, krad, sexy


Predictable PINs


Predictable PINs

 PINPop.com
 Research project into predictable PINs
 PIN database analysis
 Goals
 Secure PIN selection patches to Asterisk
 Whitepaper on PIN selection psychology


PaBX hacking

 Attack categories
 Theft of service
 Routing manipulation
 Traffic analysis (stealing CDR’s)
 Social engineering
 Eavesdropping


PaBX hacking

 The Holy Grail
 Access to the maintenance console
 Dial-in lines, extensions, computers
 Feature exploits
 Conferencing
 Three-way calling
 Call forwarding
 Direct Inwards System Access (DISA)
 Test features that remotely activate mics
 Theft of CDR’s
 Industrial espionage
 Advanced auditing
 Free Space Invaders: reverse engineering


PaBX hacking

 Maintenance console banners


PaBX hacking

 A hacked Meridian management console can:
 Setup trunks to allow outgoing calls
 Manipulate trunks
 Re-route incoming / outgoing calls
 Eavesdrop extensions
 Set a Meridian Mail box to auto logon temporarily
 Shut down the PaBX
 Make phones ring infinitely
 Trace calls through CDR records
 Steal CDRs


PaBX hacking

 Lockdown methods
 Restricted out dialing
 Forwarding features disabled
 Enforced minimum PIN size
 Unused boxes deactivated
 Lockout counters with manual reset
 Timeouts on setup of new mailboxes
 Challenge response systems
 US Government classified VMSs need SecureID’s
 Logging


PaBX hacking

 CDR’s and datamining
 Sensitive information can be gleaned from call records
 Who called who and when
 Current and potential clients, contractors
 Recent company activities
 AMDOCS Example
 Handles billing for most American telcos
 FBI and NSA investigation into sending CDRs offshore
 Possibility of Israeli's spying on American's through CDRs


The infinite power of Asterisk

 Custom setups
 Testing environment for tools
 Anonymous voicemail servers
 Encrypted voice
 Private networks like DetoVoIP and Telephreak
 Rogue PaBX’s for evesdropping
 Custom features
 ProjectMF: A trip down phone-phreak memory lane
 Asterisk patches to support MF in-band signaling
 Lets you bluebox telephone calls
 Simulation of old (but not dead?) networks



 Blueboxing through a ProjectMF test server



 Call the ProjectMF server
 Get dropped to a C5 trunk
 Hold the phone up to the speakers
 Seize the trunk with a 1 second burst of 2600Hz
 Send KP + 12588+ ST in multi-frequency tones (MF)
 Call connects
 Re-seize, repeat


Thanks

 Thanks & greats to:
 SA.com
 SLi
 Andrew Horton
 Metlstorm
 Detonate
 Kiwicon crew
 Beave
 Jfalcon
 M4phr1k


NO CARRIER

http://www.security-assessment.com
john@security-assessment.com


Phree As In Phone Call

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Phree As In Phone Call

Ähnlich wie Phree As In Phone Call (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Phree As In Phone Call