Phree as in Phone Call
  The other end of the line




           Presented By: john@security-assessment.com
                                  © 2008 Security-Assessment.com
FILE_ID.DIZ

 Advantages of phreaking with VoIP
     Modern dialing setup
 Modern wardialing and scanning techniques
     Identifying and classifying devices
 Hacking dial-in lines
     System types and login attacks
 IVR and voicemail systems
     PIN brute-forcing
 PaBXs
     Exploiting features
     Eavesdropping and data-mining



Advantages of phreaking with VoIP

 International destinations much more accessible
     VoIP is cheap
     Can scam free VoIP
 Don’t need to scan from home anymore
     Fewer knocks at the door
 Parallelization
     Can run savage burns
 Easier to perform certain attacks
     CallerID spoofing
 Automates hand scanning
     Callus free!



Modems and VoIP

 Most people think it can’t be done
    Complex codecs cause havoc to connections
    Modems can’t connect
    Connections drop
 It can be done!
    What you need
    How to tweak it




What you need

 Modems




What you need

 Analog telephony adaptors (ATA)




What you need

 VoIP account
    Lots of cheap providers
        voipjet.com
        voipbuster.com
    Trial accounts
        Free calls
 Asterisk server
    Routing
    Call recording
    CallerID spoofing




Device configuration tricks

 ATA
   Compression disabled (G.711 ulaw!)
   No echo cancellation (*99 on PAP2)
 Modem
   Disable local flow control
   Error-correction
   Disable data-compression
   Limit the data rate to 1200 bps for scans




Modem connection using VoIP




What can you connect to?

 Modems all over the world
     Control systems
     SCADA systems
     Alarm systems
     International X.25 networks
     India, Africa, Russia, China…
     Banking
 Other interesting stuff
     Obscure devices and networks
     Bulletin boards (yep!)
     Who knows? The PSTN is global!



What can you connect to?

 SCADA system example




Wardialing

 Automatically dialing numbers to find modems
    Target identification
    Inventory building
 Risks
    Time of day
    Randomize numbers!
 Modern Wardialing
    Use VoIP, UNIX and Asterisk
    The Intelligent Wardialer (iWar)




Wardialing

 iWar
    Multiple modems are no problem!
          Serial-to-USB adapters
          Scalable banks of modems with limitless potential
    Remote system identification (126 banners)
    MySQL support
    CNAM lookup feature
    Blacklist support




Wardialing

 iWar in serial mode




Wardialing

 What will we find?
    Routers
    Remote access servers
    PPP dialins
    pcAnywhere
    PaBX management systems
    IVR systems
    Network backdoors
    Outdials
    Diverters (dialtones)
    Unknown and forgotten devices



Wardialing

 Reducing time with blacklists
    Internal / employee directories
    DDIs and other numbers harvested from websites
    Business directories
        Websites
        CDROMs
    Fax directories
    Do-not-call lists
 Special ranges
    Telco test equipment




Wardialing

 Published research
    Peter Shipley dialed 5.7M numbers over three years
        50,000 carriers found
 Found unauthenticated access to
    Fire Department's dispatch system
    Control system for high-voltage power transmission line
    Internal networks of financial organizations
    A leased line control system
    Credit card number databases
    Medical billing records.




Wardialing

 THC-Scan: Next Generation
    Distributed wardialer!
        Large modem pools
    Large scan ranges - (09) 3XXXXXX
    Global scanning efforts
        Log sharing and karma systems




Wardialing

 Callus-free handscanning
    iWar with IAX2 connection
        Wi-Fi at a café, etc.
        Headphones
        Time and patience
    Upsides
        Safe and anonymous
        Mostly automated
        Handsfree!




Hacking dial-in lines

 Figuring out what you’re dealing with
    System types and banners
    Identifying different types of login prompts and methods
    Building username and password lists
        Google for defaults
 Login Brute-forcing
    Tools
    Homebrew scripting




Hacking dial-in lines

 System types and banners




Hacking dial-in lines

 System types and banners




Hacking dial-in lines

 Different login prompts and methods
    Single auth
    Dual auth
    Limited or unlimited attempts?
    Username, password or both?
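What the classification above looks like when it is automated, as an added example that is not code from the slides or from iWar: it takes the raw bytes a modem returned after connecting, decides the system type from a few signatures (PPP's LCP framing, Cisco's "User Access Verification", a Unix "login:" line) and records which kind of prompt the capture ends on, so an audit of your own number ranges yields an inventory with the open command prompts at the top. The signature table is a small hand-picked set, and the captures and placeholder numbers in SAMPLE_CAPTURES are constructed here.

```python
"""Classify captured dial-in banners for an inventory of what answers on a range.

Added example, not code from the slides or from iWar. The signature table is a
small hand-picked set; the captures in SAMPLE_CAPTURES are constructed and the
numbers in it are placeholders, not real lines.
"""
import re

# (system type, pattern over the raw bytes). First match wins, so the binary
# PPP check runs before the text ones. A PPP server opens LCP with an HDLC
# frame: flag 0x7e, address 0xff, control 0x03 (usually escaped as 0x7d 0x23),
# then the LCP protocol id 0xc021.
SYSTEM_SIGNATURES = [
    ("ppp",   re.compile(rb"\x7e\xff(?:\x03|\x7d\x23)\xc0\x21")),
    ("cisco", re.compile(rb"User Access Verification", re.I)),
    ("unix",  re.compile(rb"(?:^|\r?\n)[\w.\-]*\s*login:", re.I)),
]

# What the device is waiting for at the end of the capture.
USERNAME_PROMPT = re.compile(rb"(?:username|login|user ?id|user)\s*:\s*$", re.I)
PASSWORD_PROMPT = re.compile(rb"(?:password|passcode|pin)\s*:\s*$", re.I)
SHELL_PROMPT = re.compile(rb"(?:^|\r?\n)[\w@.\-]*[#$>%]\s*$")


def classify_banner(raw: bytes) -> dict:
    """Return {"system": ..., "auth": ...} for one captured banner."""
    system = next((name for name, pat in SYSTEM_SIGNATURES if pat.search(raw)), "unknown")
    if system == "ppp":
        auth = "negotiated"   # PAP/CHAP, if any, is agreed inside LCP, not asked at a prompt
    elif USERNAME_PROMPT.search(raw):
        auth = "username"     # dual auth: a password prompt follows the username
    elif PASSWORD_PROMPT.search(raw):
        auth = "password"     # single auth: one secret, no account name
    elif SHELL_PROMPT.search(raw):
        auth = "none"         # a command prompt with nothing asked: fix this one first
    else:
        auth = "unknown"
    return {"system": system, "auth": auth}


# Constructed sample captures with placeholder numbers; not real scan output.
SAMPLE_CAPTURES = {
    "5550101": b"\r\nUser Access Verification\r\n\r\nPassword: ",
    "5550102": b"\r\n\r\nbranch-rtr> ",
    "5550103": b"\r\nSunOS 5.8\r\n\r\nbilling login: ",
    "5550104": b"~\xff}#\xc0!}!}!} }8}!}$}%\xdc}",
    "5550105": b"\r\n\r\nWELCOME\r\nEnter PIN: ",
}

# Sort order for the inventory: open prompts first, then the weakest auth.
AUTH_PRIORITY = {"none": 0, "password": 1, "username": 2, "negotiated": 3, "unknown": 4}


def inventory(captures: dict) -> list:
    """Classify every capture and order the rows by how urgently they need attention."""
    rows = [{"number": num, **classify_banner(raw)} for num, raw in captures.items()]
    return sorted(rows, key=lambda r: (AUTH_PRIORITY[r["auth"]], r["number"]))


if __name__ == "__main__":
    for row in inventory(SAMPLE_CAPTURES):
        print(f"{row['number']}  system={row['system']:<8} auth={row['auth']}")
```

Feed it the bytes your own scanner saved per number and the rows come back ordered so the unauthenticated prompts and single-password devices are reviewed before the rest; anything "unknown" is a banner worth reading by hand and adding to the signature table.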




Login brute forcing

 Tools
    Commercial war dialers (lame)
    Modem login hacker for Linux
    X.25 NUI/NUA scanners
 Homebrew
    Minicom runscript
    Python serial library
    ProComm Plus ASPECT script




Login brute forcing

   Modem Login Hacker
     Works against any ‘Username:’ or ‘Login:’ variations
         Unix, Cisco, PaBXs
     Customizable for different login formats
     Includes PPP brute-forcing tool!




IVRs and voicemail

 Fingerprinting voicemail systems
    Default prompts
        Default mailbox numbers and PINs
        Admin mailbox
    “Nudges” (*8, *81, *, #, 0)
    Can you find the admin console?
 CallerID spoofing attacks
    ANI or CID authentication is very bad!
 Call forwarding and out-dials
    Free calls




IVRs and voicemail

 Launching a PIN brute force attack
    Things to figure out
        Dial-in numbers and PIN length
        Numbering format for mailboxes
        Method of getting to the PIN prompt




PIN brute forcing

 Metlstorm's mighty Hai2IVR
    SIP-client for brute forcing DTMF prompts
    Can record calls and scan in parallel
    GUI for sorting and listening to the results
    Doubles as PaBX extension war dialer




PIN brute forcing

 Components
    Hai2IVR GTK interface
        Handles the parallelization
        GUI for reviewing results
    metlodtmfzor
        Makes the calls and sends the DTMF
        Command line scriptable
 Hai2IVR setup
    Route through Asterisk
        Authenticated SIP
        CID spoofing



Predictable PINs

 Keypad patterns
     Making shapes
         L, X, O
     Repeating numbers
         2244, 9988
     Patterns
 Other lists
     Birth dates
     Pop culture references
         1984, 1337 (WiteRabits PIN)
     Word numbers
         Hell, love, krad, sexy

Predictable PINs




Predictable PINs

 PINPop.com
    Research project into predictable PINs
    PIN database analysis
 Goals
    Secure PIN selection patches to Asterisk
    Whitepaper on PIN selection psychology
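The keypad patterns from the "Predictable PINs" slide turned into a selection-time policy check, which is the kind of "secure PIN selection" control the PINPop goals describe. This is an added example, not code from the slides, from PINPop.com or from Asterisk: it places digits on the 3x4 keypad to spot shapes and corner patterns, catches repeats, runs, years and dates, and converts words to digits with the keypad legend so "love" and "hell" are rejected as 5683 and 4355. WORDS and POP_CULTURE are constructed sample lists and the 6-digit minimum is an assumed policy value.

```python
"""Reject predictable voicemail and DISA PINs at selection time.

Added example; not code from the slides, from PINPop.com or from Asterisk.
The keypad layout is the standard 3x4 telephone keypad; WORDS and POP_CULTURE
are constructed sample lists seeded from the patterns the slides mention.
"""
from datetime import date

# Key -> (column, row) on a 3x4 telephone keypad; 0 sits under the 8.
KEYPAD = {"1": (0, 0), "2": (1, 0), "3": (2, 0),
          "4": (0, 1), "5": (1, 1), "6": (2, 1),
          "7": (0, 2), "8": (1, 2), "9": (2, 2),
          "0": (1, 3)}
CORNERS = {"1", "3", "7", "9"}

# Letter -> digit from the keypad legend, so "love" becomes 5683.
T9 = {c: d for d, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl", "6": "mno",
                              "7": "pqrs", "8": "tuv", "9": "wxyz"}.items() for c in letters}

WORDS = ["hell", "love", "krad", "sexy"]   # constructed sample list
POP_CULTURE = {"1337", "1984", "2600"}     # constructed sample list


def word_to_digits(word: str) -> str:
    return "".join(T9[c] for c in word.lower())


def is_keypad_walk(pin: str) -> bool:
    """Each step lands on an adjacent, different key (diagonals count): lines, L, U and O shapes."""
    if len(pin) < 3:
        return False
    for a, b in zip(pin, pin[1:]):
        (ax, ay), (bx, by) = KEYPAD[a], KEYPAD[b]
        if a == b or max(abs(ax - bx), abs(ay - by)) != 1:
            return False
    return True


def is_sequential(pin: str) -> bool:
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def looks_like_date(pin: str) -> bool:
    """4 digits: a year 1900..today, or mmdd/ddmm; 6 digits: ddmmyy/mmddyy."""
    if len(pin) == 4 and 1900 <= int(pin) <= date.today().year:
        return True
    if len(pin) not in (4, 6):
        return False
    a, b = int(pin[:2]), int(pin[2:4])
    return any(1 <= m <= 12 and 1 <= d <= 31 for m, d in ((a, b), (b, a)))


def pin_weaknesses(pin: str, min_len: int = 6) -> list:
    """Every reason a PIN would be rejected; an empty list means it passes."""
    if not pin.isdigit():
        return ["not all digits"]
    reasons = []
    if len(pin) < min_len:
        reasons.append(f"shorter than {min_len} digits")
    if len(set(pin)) <= len(pin) // 2:        # 2244, 9988, 112233
        reasons.append("repeating digits")
    if is_sequential(pin):                     # 1234, 654321
        reasons.append("sequential digits")
    if is_keypad_walk(pin):                    # 1478 (L), 1254 (O), 2580 (line)
        reasons.append("keypad shape")
    if set(pin) == CORNERS:                    # 1397 and friends (X)
        reasons.append("keypad corners (X)")
    if looks_like_date(pin):
        reasons.append("date or year")
    if pin in POP_CULTURE:
        reasons.append("pop-culture number")
    reasons += [f"spells '{w}'" for w in WORDS if word_to_digits(w) == pin]
    return reasons


def is_acceptable(pin: str, min_len: int = 6) -> bool:
    return not pin_weaknesses(pin, min_len)


if __name__ == "__main__":
    for candidate in ["2244", "1478", "5683", "1984", "123456", "294713"]:
        print(candidate, pin_weaknesses(candidate, min_len=4) or "ok")
```

The reasons list is meant to be shown to the user who picked the PIN, so the rejection teaches the pattern rather than just bouncing the choice; the same function can be run over an existing PIN database to size the problem before enforcing the policy.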




PaBX hacking

 Attack categories
    Theft of service
    Routing manipulation
    Traffic analysis (stealing CDRs)
    Social engineering
    Eavesdropping




PaBX hacking

   The Holy Grail
      Access to the maintenance console
          Dial-in lines, extensions, computers
   Feature exploits
      Conferencing
      Three-way calling
      Call forwarding
      Direct Inward System Access (DISA)
      Test features that remotely activate mics
   Theft of CDRs
      Industrial espionage
   Advanced auditing
      Free Space Invaders: reverse engineering


PaBX hacking

 Maintenance console banners




PaBX hacking

 A hacked Meridian management console can:
    Set up trunks to allow outgoing calls
    Manipulate trunks
        Re-route incoming / outgoing calls
    Eavesdrop extensions
    Set a Meridian Mail mailbox to auto-logon temporarily
    Shut down the PaBX
    Make phones ring infinitely
    Trace calls through CDR records
    Steal CDRs




PaBX hacking

 Lockdown methods
    Restricted out dialing
    Forwarding features disabled
    Enforced minimum PIN size
    Unused boxes deactivated
    Lockout counters with manual reset
    Timeouts on setup of new mailboxes
    Challenge response systems
        US Government classified VMSs need SecurIDs
    Logging




PaBX hacking

 CDRs and data mining
    Sensitive information can be gleaned from call records
        Who called who and when
        Current and potential clients, contractors
        Recent company activities
 AMDOCS Example
    Handles billing for most American telcos
    FBI and NSA investigation into sending CDRs offshore
    Possibility of Israelis spying on Americans through CDRs
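Logging, the last item on the lockdown slide, only helps if something reads the logs, and the same CDRs that leak who-called-whom also record the attacks in this deck. As an added example that is not code from the slides or from Asterisk, here are two checks over Asterisk call detail records: a burst of short inbound calls from one caller ID into the voicemail pilot (a Hai2IVR-style PIN brute force as the PaBX sees it), and after-hours international calls from one extension (theft of service through DISA or forwarding). The column order in FIELDS is assumed to be that of Asterisk's cdr_csv Master.csv; VOICEMAIL_PILOT, the business-hours window and every record in SAMPLE_CDR are constructed, with placeholder numbers.

```python
"""Two detections over Asterisk call detail records: voicemail PIN brute-forcing
(many short inbound calls from one caller ID into the voicemail pilot) and theft
of service (after-hours international calls from one extension).

Added example, not code from the slides or from Asterisk. FIELDS assumes the
column order of Asterisk's cdr_csv Master.csv; VOICEMAIL_PILOT, BUSINESS_HOURS
and the records in SAMPLE_CDR are constructed, with placeholder numbers.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid", "userfield"]
TIME_FMT = "%Y-%m-%d %H:%M:%S"
VOICEMAIL_PILOT = "8500"        # assumed internal voicemail access number
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59, Monday to Friday

# Constructed records: six short calls from one caller ID into voicemail inside
# seven minutes at 2 a.m., one normal voicemail call, one daytime international
# call and three late-Saturday international calls from extension 2034.
SAMPLE_CDR = """\
"","0215550100","8500","from-trunk","0215550100","SIP/trunk-0001","","VoiceMailMain","","2008-09-27 02:10:05","2008-09-27 02:10:06","2008-09-27 02:10:31","26","25","ANSWERED","DOCUMENTATION","1222438205.1",""
"","0215550100","8500","from-trunk","0215550100","SIP/trunk-0002","","VoiceMailMain","","2008-09-27 02:11:02","2008-09-27 02:11:03","2008-09-27 02:11:29","27","26","ANSWERED","DOCUMENTATION","1222438262.2",""
"","0215550100","8500","from-trunk","0215550100","SIP/trunk-0003","","VoiceMailMain","","2008-09-27 02:12:10","2008-09-27 02:12:11","2008-09-27 02:12:35","25","24","ANSWERED","DOCUMENTATION","1222438330.3",""
"","0215550100","8500","from-trunk","0215550100","SIP/trunk-0004","","VoiceMailMain","","2008-09-27 02:13:41","2008-09-27 02:13:42","2008-09-27 02:14:08","27","26","ANSWERED","DOCUMENTATION","1222438421.4",""
"","0215550100","8500","from-trunk","0215550100","SIP/trunk-0005","","VoiceMailMain","","2008-09-27 02:15:03","2008-09-27 02:15:04","2008-09-27 02:15:30","27","26","ANSWERED","DOCUMENTATION","1222438503.5",""
"","0215550100","8500","from-trunk","0215550100","SIP/trunk-0006","","VoiceMailMain","","2008-09-27 02:16:55","2008-09-27 02:16:56","2008-09-27 02:17:20","25","24","ANSWERED","DOCUMENTATION","1222438615.6",""
"","0215550200","8500","from-trunk","0215550200","SIP/trunk-0007","","VoiceMailMain","","2008-09-24 12:30:00","2008-09-24 12:30:01","2008-09-24 12:34:10","250","249","ANSWERED","DOCUMENTATION","1222216200.7",""
"","2011","0061255501234","from-internal","2011","SIP/2011-0008","SIP/trunk-0009","Dial","SIP/trunk/0061255501234","2008-09-24 14:00:00","2008-09-24 14:00:08","2008-09-24 14:12:30","750","742","ANSWERED","DOCUMENTATION","1222221600.8",""
"","2034","0044205550101","from-internal","2034","SIP/2034-0010","SIP/trunk-0011","Dial","SIP/trunk/0044205550101","2008-09-27 23:05:12","2008-09-27 23:05:20","2008-09-27 23:45:50","2438","2430","ANSWERED","DOCUMENTATION","1222513512.9",""
"","2034","0044205550102","from-internal","2034","SIP/2034-0012","SIP/trunk-0013","Dial","SIP/trunk/0044205550102","2008-09-27 23:47:03","2008-09-27 23:47:10","2008-09-28 00:20:01","1978","1971","ANSWERED","DOCUMENTATION","1222516023.10",""
"","2034","0044205550103","from-internal","2034","SIP/2034-0014","SIP/trunk-0015","Dial","SIP/trunk/0044205550103","2008-09-28 00:21:40","2008-09-28 00:21:48","2008-09-28 01:02:15","2435","2427","ANSWERED","DOCUMENTATION","1222518100.11",""
"""


def parse_cdr(text: str) -> list:
    """One dict per CDR line, keyed by the cdr_csv column names."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def voicemail_bruteforce(records, window=timedelta(minutes=10), threshold=5, max_billsec=60):
    """Caller IDs with at least `threshold` short voicemail calls inside any one window."""
    by_src = defaultdict(list)
    for r in records:
        hits_vm = r["dst"] == VOICEMAIL_PILOT or r["lastapp"] == "VoiceMailMain"
        if hits_vm and int(r["billsec"]) <= max_billsec:
            by_src[r["src"]].append(datetime.strptime(r["start"], TIME_FMT))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i, t0 in enumerate(times):             # sliding window over sorted start times
            burst = sum(1 for t in times[i:] if t - t0 <= window)
            if burst >= threshold:
                flagged[src] = max(flagged.get(src, 0), burst)
    return flagged


def after_hours_international(records) -> dict:
    """Extensions placing international (00-prefixed) calls outside business hours."""
    flagged = defaultdict(lambda: {"calls": 0, "billsec": 0})
    for r in records:
        if not r["dst"].startswith("00"):
            continue
        start = datetime.strptime(r["start"], TIME_FMT)
        if start.weekday() < 5 and start.hour in BUSINESS_HOURS:
            continue                                # ordinary daytime business call
        flagged[r["src"]]["calls"] += 1
        flagged[r["src"]]["billsec"] += int(r["billsec"])
    return dict(flagged)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print("voicemail brute-force suspects:", voicemail_bruteforce(recs))
    print("after-hours international:", after_hours_international(recs))
```

Both checks are cheap enough to run against the previous day's Master.csv from cron; the thresholds are starting points, and a PaBX with a large voicemail population will want the window and billsec cut-offs tuned against a week of known-good traffic first.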




The infinite power of Asterisk

 Custom setups
    Testing environment for tools
    Anonymous voicemail servers
    Encrypted voice
    Private networks like DetoVoIP and Telephreak
    Rogue PaBXs for eavesdropping
 Custom features
    ProjectMF: A trip down phone-phreak memory lane
        Asterisk patches to support MF in-band signaling
        Lets you bluebox telephone calls
        Simulation of old (but not dead?) networks



The infinite power of Asterisk

 Blueboxing through a ProjectMF test server




The infinite power of Asterisk

 Call the ProjectMF server
    Get dropped to a C5 trunk
    Hold the phone up to the speakers
    Seize the trunk with a 1 second burst of 2600Hz
    Send KP + 12588 + ST in multi-frequency tones (MF)
    Call connects
    Re-seize, repeat




Thanks

 Thanks & greets to:
    SA.com
    SLi
    Andrew Horton
    Metlstorm
    Detonate
    Kiwicon crew
    Beave
    Jfalcon
    M4phr1k




NO CARRIER




http://www.security-assessment.com
   john@security-assessment.com




