Phree as in Phone Call
The other end of the line
FILE_ID.DIZ
- Advantages of phreaking with VoIP
- Modern dialing setup
- Modern wardialing and scanning techniques
- Identifying and classifying devices
- Hacking dial-in lines
- System types and login attacks
- IVR and voicemail systems
- PIN brute-forcing
- PaBXs
- Exploiting features

Advantages of phreaking with VoIP
- International destinations much more accessible
- VoIP is cheap
  - Can scam free VoIP
- Don't need to scan from home anymore
  - Less knocks at the door
- Parallelization
  - Can run savage burns
- Easier to perform certain attacks
  - CallerID spoofing
  - Automates hand scanning

Modems and VoIP
- Most people think it can't be done
  - Complex codecs cause havoc to connections
  - Modems can't connect
  - Connections drop
- It can be done!

What you need
- VoIP account
  - Lots of cheap providers
    - voipjet.com
    - voipbuster.com
  - Trial accounts
    - Free calls
- Asterisk server
  - Routing
  - Call recording
  - CallerID spoofing

Device configuration tricks
- ATA
  - Compression disabled (G.711 ulaw!)
  - No echo cancellation (*99 on PAP2)
- Modem
  - Disable local flow control
  - Error-correction
  - Disable data-compression

What can you connect to?
- Modems all over the world
  - Control systems
  - SCADA systems
  - Alarm systems
- International X.25 networks
  - India, Africa, Russia, China…
  - Banking
- Other interesting stuff
  - Obscure devices and networks
  - Bulletin boards (yep!)

Wardialing
- Automatically dialing numbers to find modems
  - Target identification
  - Inventory building
- Risks
  - Time of day
  - Randomize numbers!
- Modern wardialing
  - Use VoIP, UNIX and Asterisk
  - The Intelligent Wardialer (iWar)

Wardialing
- iWar
  - Multiple modems are no problem!
    - Serial-to-USB adapters
    - Scalable banks of modems with limitless potential
  - Remote system identification (126 banners)
  - MySQL support
  - CNAM lookup feature

Wardialing
- What will we find?
  - Routers
  - Remote access servers
  - PPP dial-ins
  - PC Anywhere
  - PaBX management systems
  - IVR systems
  - Network backdoors
  - Outdials
  - Diverters (dialtones)

Wardialing
- Reducing time with blacklists
  - Internal / employee directories
  - DDIs and other numbers harvested from websites
  - Business directories
  - Websites
  - CDROMs
  - Fax directories
  - Do-not-call lists
- Special ranges

Wardialing
- Published research
  - Peter Shipley dialed 5.7M numbers over three years
  - 50,000 carriers found
  - Found unauthenticated access to:
    - Fire Department's dispatch system
    - Control system for a high-voltage power transmission line
    - Internal networks of financial organizations
    - A leased line control system
    - Credit card number databases

Wardialing
- THC-Scan: Next Generation
  - Distributed wardialer!
  - Large modem pools
  - Large scan ranges - (09) 3XXXXXX
  - Global scanning efforts

Wardialing
- Callus-free handscanning
  - iWar with IAX2 connection
  - Wi-Fi at a café, etc.
  - Headphones
  - Time and patience
- Upsides
  - Safe and anonymous
  - Mostly automated
  - Handsfree!

Hacking dial-in lines
- Figuring out what you're dealing with
  - System types and banners
  - Identifying different types of login prompts and methods
- Building username and password lists
  - Google for defaults
- Login brute-forcing
  - Tools

Hacking dial-in lines
- Different login prompts and methods
  - Single auth
  - Dual auth
  - Limited or unlimited attempts?

Login brute forcing
- Tools
  - Commercial war dialers (lame)
  - Modem login hacker for Linux
  - X.25 NUI/NUA scanners
- Homebrew
  - Minicom runscript
  - Python serial library

Login brute forcing
- Modem Login Hacker
  - Works against any 'Username:' or 'Login:' variations
  - Unix, Cisco, PaBXs
  - Customizable for different login formats

IVRs and voicemail
- Fingerprinting voicemail systems
  - Default prompts
  - Default mailbox numbers and PINs
  - Admin mailbox
  - "Nudges" (*8, *81, *, #, 0)
  - Can you find the admin console?
- CallerID spoofing attacks
  - ANI or CID authentication is very bad!
- Call forwarding and out-dials
IVRs and voicemail
- Launching a PIN brute force attack
- Things to figure out
  - Dial-in numbers and PIN length
  - Numbering format for mailboxes

PIN brute forcing
- Metlstorm's mighty Hai2IVR
  - SIP client for brute forcing DTMF prompts
  - Can record calls and scan in parallel
  - GUI for sorting and listening to the results

PIN brute forcing
- Components
  - Hai2IVR GTK interface
    - Handles the parallelization
    - GUI for reviewing results
  - metlodtmfzor
    - Makes the calls and sends the DTMF
    - Command line scriptable
- Hai2IVR setup
  - Route through Asterisk
  - Authenticated SIP

Predictable PINs
- Keypad patterns
  - Making shapes
    - L, X, O
  - Repeating numbers
    - 2244, 9988
  - Patterns
- Other lists
  - Birth dates
  - Pop culture references
    - 1984, 1337 (WiteRabit's PIN)

Predictable PINs
- PINPop.com
  - Research project into predictable PINs
  - PIN database analysis
- Goals
  - Secure PIN selection patches to Asterisk
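A mailbox PIN policy check written for this page as an added example (not code from the talk, PINPop or Asterisk) that rejects the predictable classes the deck lists: keypad shapes (L, X, O), repeating digits (2244, 9988), constant-step sequences, birth dates and years, and a small denylist seeded with 1984 and 1337. The six-digit minimum and the denylist contents are assumptions, not an Asterisk default.

```python
"""Voicemail PIN policy check (added example): reject the predictable PIN classes the talk lists."""
from datetime import datetime

# ITU E.161 telephone keypad, digit -> (row, col); used to spot PINs that trace a shape.
KEYPAD = {d: (r, c) for r, row in enumerate(("123", "456", "789", " 0 "))
          for c, d in enumerate(row) if d != " "}
DENYLIST = {"1984", "1337"}   # constructed; seeded with the pop-culture PINs named in the talk
MIN_LEN = 6                   # assumed policy value, not an Asterisk default
DATE_FORMATS = {4: ("%Y",), 6: ("%d%m%y", "%m%d%y", "%y%m%d"),
                8: ("%d%m%Y", "%m%d%Y", "%Y%m%d")}

def _step_on_keypad(a, b):
    """One step is 'drawable' if the keys are neighbours or lie on the same keypad row/column."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return max(abs(r1 - r2), abs(c1 - c2)) <= 1 or r1 == r2 or c1 == c2

def is_keypad_shape(pin):
    """L, X, O and similar shapes: every consecutive pair of digits is a drawable step."""
    return all(_step_on_keypad(a, b) for a, b in zip(pin, pin[1:]))

def is_sequence(pin):
    """Constant-step runs such as 123456, 2468 or 9876 (differences taken mod 10)."""
    return len({(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}) == 1

def is_repetitive(pin):
    """Two or fewer distinct digits (2244, 9988) or a repeated block (123123)."""
    return len(set(pin)) <= 2 or (pin + pin).find(pin, 1) < len(pin)

def looks_like_date(pin):
    """A 4-digit year since 1900 or a DDMMYY / MMDDYY / YYMMDD style date (birth dates)."""
    for fmt in DATE_FORMATS.get(len(pin), ()):
        try:
            parsed = datetime.strptime(pin, fmt)
        except ValueError:
            continue
        if 1900 <= parsed.year <= datetime.now().year:
            return True
    return False

def pin_weaknesses(pin):
    """Return the policy rules a proposed PIN violates; an empty list means it may be set."""
    if not pin or any(ch not in KEYPAD for ch in pin):
        return ["must contain digits only"]
    checks = (
        (len(pin) < MIN_LEN, "too short (minimum %d digits)" % MIN_LEN),
        (pin in DENYLIST, "on denylist"),
        (is_keypad_shape(pin), "traces a keypad shape"),
        (is_sequence(pin), "constant-step digit sequence"),
        (is_repetitive(pin), "repeats digits"),
        (looks_like_date(pin), "looks like a date or year"),
    )
    return [reason for failed, reason in checks if failed]

if __name__ == "__main__":
    for candidate in ("1984", "147890", "224422", "120386", "582713"):
        print(candidate, pin_weaknesses(candidate) or "OK")
```

A rejected PIN simply sends the user back to choose another; the straight-line rule also flags some random PINs, which is acceptable for a set-time check but would be too strict for auditing existing mailboxes.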
PaBX hacking
- Attack categories
  - Theft of service
  - Routing manipulation
  - Traffic analysis (stealing CDRs)
  - Social engineering

PaBX hacking
- The Holy Grail
  - Access to the maintenance console
  - Dial-in lines, extensions, computers
- Feature exploits
  - Conferencing
  - Three-way calling
  - Call forwarding
  - Direct Inwards System Access (DISA)
  - Test features that remotely activate mics
- Theft of CDRs
  - Industrial espionage
  - Advanced auditing

PaBX hacking
- A hacked Meridian management console can:
  - Set up trunks to allow outgoing calls
  - Manipulate trunks
  - Re-route incoming / outgoing calls
  - Eavesdrop on extensions
  - Set a Meridian Mail box to auto-logon temporarily
  - Shut down the PaBX
  - Make phones ring infinitely
  - Trace calls through CDR records

PaBX hacking
- Lockdown methods
  - Restricted out-dialing
  - Forwarding features disabled
  - Enforced minimum PIN size
  - Unused boxes deactivated
  - Lockout counters with manual reset
  - Timeouts on setup of new mailboxes
  - Challenge-response systems
    - US Government classified VMSs need SecurIDs

PaBX hacking
- CDRs and datamining
  - Sensitive information can be gleaned from call records
    - Who called who and when
    - Current and potential clients, contractors
    - Recent company activities
- AMDOCS example
  - Handles billing for most American telcos
  - FBI and NSA investigation into sending CDRs offshore
  - Possibility of Israelis spying on Americans through CDRs

The infinite power of Asterisk
- Custom setups
  - Testing environment for tools
  - Anonymous voicemail servers
  - Encrypted voice
  - Private networks like DetoVoIP and Telephreak
  - Rogue PaBXs for eavesdropping
- Custom features
  - ProjectMF: A trip down phone-phreak memory lane
    - Asterisk patches to support MF in-band signaling
    - Lets you bluebox telephone calls

The infinite power of Asterisk
- Call the ProjectMF server
- Get dropped to a C5 trunk
- Hold the phone up to the speakers
- Seize the trunk with a 1 second burst of 2600Hz
- Send KP + 12588 + ST in multi-frequency tones (MF)
- Call connects

Thanks
- Thanks & greets to:
  - SA.com
  - SLi
  - Andrew Horton
  - Metlstorm
  - Detonate
  - Kiwicon crew
  - Beave
  - Jfalcon
  - M4phr1k