Phree as in Phone Call
The other end of the line
© 2008 Security-Assessment.com
Presented By: [email protected]

FILE_ID.DIZ
Advantages of phreaking with VoIP
Modern dialing setup
Modern wardialing and scanning techniques
Identifying and classifying devices
Hacking dial-in lines
System types and login attacks
IVR and voicemail systems
PIN brute-forcing
PaBXs
Exploiting features
Eavesdropping and data-mining

Advantages of phreaking with VoIP
International destinations much more accessible
VoIP is cheap
Can scam free VoIP
Don’t need to scan from home anymore
Fewer knocks at the door
Parallelization
Can run savage burns
Easier to perform certain attacks
CallerID spoofing
Automates hand scanning
Callus free!

Modems and VoIP
Most people think it can’t be done
Complex codecs cause havoc to connections
Modems can’t connect
Connections drop
It can be done!
What you need
How to tweak it

What you need
Modems

What you need
Analog telephony adaptors (ATA)

What you need
VoIP account
Lots of cheap providers
voipjet.com
voipbuster.com
Trial accounts
Free calls
Asterisk server
Routing
Call recording
CallerID spoofing

Device configuration tricks
ATA
Compression disabled (G.711 ulaw!)
No echo cancellation (*99 on PAP2)
Modem
Disable local flow control
Error correction
Disable data compression
Limit the data rate to 1200 bps for scans

Modem connection using VoIP

What can you connect to?
Modems all over the world
Control systems
SCADA systems
Alarm systems
International X.25 networks
India, Africa, Russia, China…
Banking
Other interesting stuff
Obscure devices and networks
Bulletin boards (yep!)
Who knows? The PSTN is global!

What can you connect to?
SCADA system example

Wardialing
Automatically dialing numbers to find modems
Target identification
Inventory building
Risks
Time of day
Randomize numbers!
Modern wardialing
Use VoIP, UNIX and Asterisk
The Intelligent Wardialer (iWar)

Wardialing
iWar
Multiple modems are no problem!
Serial-to-USB adapters
Scalable banks of modems with limitless potential
Remote system identification (126 banners)
MySQL support
CNAM lookup feature
Blacklist support

Wardialing
iWar in serial mode

Wardialing
What will we find?
Routers
Remote access servers
PPP dial-ins
pcAnywhere
PaBX management systems
IVR systems
Network backdoors
Outdials
Diverters (dialtones)
Unknown and forgotten devices

Wardialing
Reducing time with blacklists
Internal / employee directories
DDIs and other numbers harvested from websites
Business directories
Websites
CDROMs
Fax directories
Do-not-call lists
Special ranges
Telco test equipment

Wardialing
Published research
Peter Shipley dialed 5.7M numbers over three years
50,000 carriers found
Found unauthenticated access to:
Fire Department's dispatch system
Control system for high-voltage power transmission line
Internal networks of financial organizations
A leased line control system
Credit card number databases
Medical billing records

Wardialing
THC-Scan: Next Generation
Distributed wardialer!
Large modem pools
Large scan ranges - (09) 3XXXXXX
Global scanning efforts
Log sharing and karma systems

Wardialing
Callus-free handscanning
iWar with IAX2 connection
Wi-Fi at a café, etc.
Headphones
Time and patience
Upsides
Safe and anonymous
Mostly automated
Handsfree!

Hacking dial-in lines
Figuring out what you’re dealing with
System types and banners
Identifying different types of login prompts and methods
Building username and password lists
Google for defaults
Login brute-forcing
Tools
Homebrew scripting

Hacking dial-in lines
System types and banners

Hacking dial-in lines
Different login prompts and methods
Single auth
Dual auth
Limited or unlimited attempts?
Username, password or both?

Login brute forcing
Tools
Commercial war dialers (lame)
Modem Login Hacker for Linux
X.25 NUI/NUA scanners
Homebrew
Minicom runscript
Python serial library
Procomm Plus ASPECT script

Login brute forcing
Modem Login Hacker
Works against any ‘Username:’ or ‘Login:’ variations
Unix, Cisco, PaBXs
Customizable for different login formats
Includes PPP brute-forcing tool!

IVRs and voicemail
Fingerprinting voicemail systems
Default prompts
Default mailbox numbers and PINs
Admin mailbox
“Nudges” (*8, *81, *, #, 0)
Can you find the admin console?
CallerID spoofing attacks
ANI or CID authentication is very bad!
Call forwarding and out-dials
Free calls

IVRs and voicemail
Launching a PIN brute force attack
Things to figure out
Dial-in numbers and PIN length
Numbering format for mailboxes
Method of getting to the PIN prompt

PIN brute forcing
Metlstorm’s mighty Hai2IVR
SIP client for brute forcing DTMF prompts
Can record calls and scan in parallel
GUI for sorting and listening to the results
Doubles as PaBX extension war dialer

PIN brute forcing
Components
Hai2IVR GTK interface
Handles the parallelization
GUI for reviewing results
metlodtmfzor
Makes the calls and sends the DTMF
Command-line scriptable
Hai2IVR setup
Route through Asterisk
Authenticated SIP
CID spoofing

Predictable PINs
Keypad patterns
Making shapes
L, X, O
Repeating numbers
2244, 9988
Patterns
Other lists
Birth dates
Pop culture references
1984, 1337 (WiteRabit’s PIN)
Word numbers
Hell, love, krad, sexy

Predictable PINs
PINPop.com
Research project into predictable PINs
PIN database analysis
Goals
Secure PIN selection patches to Asterisk
Whitepaper on PIN selection psychology

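The predictable-PIN categories above (keypad shapes, repeated digits, dates, pop-culture numbers, words spelled on the keypad) and PINPop's "secure PIN selection" goal come together in a policy check run when a user picks a PIN. The following is an added example written for this page, not PINPop's or Asterisk's code: the keypad geometry is the standard 3x4 layout, the minimum length of six digits is an assumption, and the two denylists are small constructed seeds taken from the slide's own examples, meant to be extended from real PIN data.

```python
"""Voicemail / IVR PIN selection policy checker (added example, not from the talk)."""
import datetime
import itertools

# Position of each key on a standard 3x4 telephone keypad as (row, col).
KEYPAD_POS = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}

# Letters printed on each key, used to turn a word into the digits a user would dial.
KEYPAD_LETTERS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
                  "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD_LETTERS.items() for ch in letters}

# Constructed denylists seeded from the slide's examples; extend from real PIN data.
WORD_DENYLIST = ("hell", "love", "krad", "sexy")
POP_CULTURE_DENYLIST = ("1984", "1337")


def word_to_digits(word):
    """'love' -> '5683' via the keypad letter map."""
    return "".join(LETTER_TO_DIGIT[c] for c in word.lower())


def is_keypad_shape(pin):
    """True when every step moves to an adjacent key or straight along a row/column,
    which covers L, X and O shapes and line walks such as 1478, 159357, 2580, 12369874."""
    if len(set(pin)) < 3:
        return False  # near-constant PINs are reported by the repetition check instead
    for a, b in zip(pin, pin[1:]):
        (r1, c1), (r2, c2) = KEYPAD_POS[a], KEYPAD_POS[b]
        dr, dc = abs(r1 - r2), abs(c1 - c2)
        adjacent = max(dr, dc) == 1
        in_line = (dr == 0) != (dc == 0)  # same row or same column, not the same key
        if not (adjacent or in_line):
            return False
    return True


def is_sequence(pin):
    """Ascending or descending run with a constant step of 1 (1234, 9876, 0123)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repetitive(pin):
    """Digits only ever appear in blocks of two or more (2244, 9988, 1111),
    or the PIN is a short unit repeated (121212, 123123)."""
    runs = [len(list(g)) for _, g in itertools.groupby(pin)]
    if all(r >= 2 for r in runs):
        return True
    for unit in range(1, len(pin) // 2 + 1):
        if len(pin) % unit == 0 and pin == pin[:unit] * (len(pin) // unit):
            return True
    return False


def looks_like_date(pin):
    """4-digit years 1900-2099, or 6-digit DDMMYY / MMDDYY that parse as a real date."""
    if len(pin) == 4:
        return 1900 <= int(pin) <= 2099
    if len(pin) == 6:
        for fmt in ("%d%m%y", "%m%d%y"):
            try:
                datetime.datetime.strptime(pin, fmt)
                return True
            except ValueError:
                pass
    return False


def pin_problems(pin, min_length=6):
    """Return the list of policy violations for a candidate PIN; an empty list means accept."""
    if not pin or any(c not in KEYPAD_POS for c in pin):
        return ["PIN must contain digits only"]
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than the enforced minimum of {min_length} digits")
    if is_repetitive(pin):
        problems.append("repeated digits or repeated block")
    if is_sequence(pin):
        problems.append("ascending/descending sequence")
    if is_keypad_shape(pin):
        problems.append("traces a shape on the keypad")
    if looks_like_date(pin):
        problems.append("looks like a year or birth date")
    if pin in POP_CULTURE_DENYLIST:
        problems.append("well-known number")
    words = [w for w in WORD_DENYLIST if word_to_digits(w) == pin]
    if words:
        problems.append(f"spells a denylisted word ({', '.join(words)})")
    return problems


if __name__ == "__main__":
    for candidate in ("2244", "2580", "4355", "1984", "159357", "310595", "836142"):
        print(candidate, pin_problems(candidate, min_length=4) or "OK")
```

The shape test is deliberately broad, since it also rejects a fair share of random four-digit PINs; that is one reason to pair it with the longer minimum length the lockdown slide asks for, because the proportion of six-digit PINs that trace a clean line across the keypad is much smaller.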
PaBX hacking
Attack categories
Theft of service
Routing manipulation
Traffic analysis (stealing CDRs)
Social engineering
Eavesdropping

PaBX hacking
The Holy Grail
Access to the maintenance console
Dial-in lines, extensions, computers
Feature exploits
Conferencing
Three-way calling
Call forwarding
Direct Inward System Access (DISA)
Test features that remotely activate mics
Theft of CDRs
Industrial espionage
Advanced auditing
Free Space Invaders: reverse engineering

PaBX hacking
Maintenance console banners

PaBX hacking
A hacked Meridian management console can:
Set up trunks to allow outgoing calls
Manipulate trunks
Re-route incoming / outgoing calls
Eavesdrop on extensions
Set a Meridian Mail box to auto-logon temporarily
Shut down the PaBX
Make phones ring infinitely
Trace calls through CDR records
Steal CDRs

PaBX hacking
Lockdown methods
Restricted out-dialing
Forwarding features disabled
Enforced minimum PIN size
Unused boxes deactivated
Lockout counters with manual reset
Timeouts on setup of new mailboxes
Challenge-response systems
US Government classified VMSs need SecurID tokens
Logging

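The lockdown list above as a worked voicemail login gate. This Python is an added example, not any PaBX vendor's code; the mailbox numbers, caller IDs and the limit of three attempts are constructed or assumed. It enforces the attempt limit with a lockout that only an administrator clears (so an attacker cannot wait out a timer and resume), gives deactivated and unknown boxes the same answer, stores only salted PIN hashes, and logs every attempt with the presented caller ID as evidence rather than as authentication, which is the point of the earlier slide's "ANI or CID authentication is very bad!".

```python
"""Voicemail PIN login gate with lockout counters, manual reset and logging
(added example, not from the talk or any PaBX vendor)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class Mailbox:
    number: str
    pin_hash: bytes          # salted PBKDF2 hash, never the PIN itself
    salt: bytes
    failed_attempts: int = 0
    locked: bool = False     # stays set until an administrator resets it
    active: bool = True      # unused boxes are deactivated, not left on defaults


class VoicemailAuth:
    MAX_ATTEMPTS = 3         # assumed lockout threshold

    def __init__(self, log_sink=None):
        self.boxes = {}
        self.log = log_sink if log_sink is not None else []

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def provision(self, number, pin):
        salt = os.urandom(16)
        self.boxes[number] = Mailbox(number, self._hash_pin(pin, salt), salt)

    def deactivate(self, number):
        self.boxes[number].active = False

    def _record(self, event, number, caller_id):
        # Every attempt is logged with the presented CID so a run of failures from one
        # source stands out in review; the CID is evidence, never a credential.
        self.log.append({"ts": time.time(), "event": event,
                         "mailbox": number, "cid": caller_id})

    def login(self, number, pin, caller_id):
        box = self.boxes.get(number)
        if box is None or not box.active:
            # Same answer for unknown and deactivated boxes: no help with enumeration.
            self._record("denied_inactive", number, caller_id)
            return False
        if box.locked:
            self._record("denied_locked", number, caller_id)
            return False
        if hmac.compare_digest(self._hash_pin(pin, box.salt), box.pin_hash):
            box.failed_attempts = 0
            self._record("login_ok", number, caller_id)
            return True
        box.failed_attempts += 1
        if box.failed_attempts >= self.MAX_ATTEMPTS:
            box.locked = True
            self._record("locked_out", number, caller_id)
        else:
            self._record("bad_pin", number, caller_id)
        return False

    def admin_reset(self, number, admin_user):
        """Manual reset: only an administrator clears a lockout, and the reset itself
        is logged so a helpdesk social-engineering attempt leaves a trail."""
        box = self.boxes[number]
        box.locked = False
        box.failed_attempts = 0
        self._record(f"reset_by:{admin_user}", number, "-")


if __name__ == "__main__":
    auth = VoicemailAuth()
    auth.provision("2001", "836142")                     # constructed mailbox and PIN
    for guess in ("000000", "111111", "222222"):
        auth.login("2001", guess, "+6490000099")         # constructed caller ID
    print("locked:", auth.boxes["2001"].locked)
    auth.admin_reset("2001", "helpdesk")
    print("login after reset:", auth.login("2001", "836142", "+6490000010"))
    for entry in auth.log:
        print(entry["event"], entry["mailbox"], entry["cid"])
```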
PaBX hacking
CDRs and data-mining
Sensitive information can be gleaned from call records
Who called whom and when
Current and potential clients, contractors
Recent company activities
AMDOCS example
Handles billing for most American telcos
FBI and NSA investigation into sending CDRs offshore
Possibility of Israelis spying on Americans through CDRs

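The same CDR fields that make call records worth stealing (who called whom, when, for how long) also make them the best place to spot the attacks in this deck. This Python is an added example, not from the talk; the CDR lines and the simplified CSV layout are constructed, and the voicemail pilot number, the DISA context name and the business hours are assumptions. It flags three CDR footprints: repeated short calls to the voicemail pilot from one caller (DTMF PIN guessing), one caller walking consecutive extensions in quick succession (extension war dialing), and out-dials through the DISA context outside business hours (theft of service).

```python
"""Detection over call detail records (added example; the CDR layout is a constructed,
simplified CSV, not a specific PaBX vendor's format)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs: start,src,dst,dcontext,billsec,disposition
SAMPLE_CDR = """\
start,src,dst,dcontext,billsec,disposition
2008-09-26 09:02:11,+6490000010,4000,from-pstn,45,ANSWERED
2008-09-26 09:15:40,+6490000011,4012,from-pstn,130,ANSWERED
2008-09-26 22:31:05,+6490000099,8999,from-pstn,18,ANSWERED
2008-09-26 22:31:30,+6490000099,8999,from-pstn,17,ANSWERED
2008-09-26 22:31:56,+6490000099,8999,from-pstn,19,ANSWERED
2008-09-26 22:32:20,+6490000099,8999,from-pstn,16,ANSWERED
2008-09-26 22:32:48,+6490000099,8999,from-pstn,20,ANSWERED
2008-09-26 22:40:02,+6490000099,0011234567890,disa-outbound,1820,ANSWERED
2008-09-27 03:10:44,+6490000050,4000,from-pstn,6,NO ANSWER
2008-09-27 03:10:52,+6490000050,4001,from-pstn,5,NO ANSWER
2008-09-27 03:11:01,+6490000050,4002,from-pstn,6,NO ANSWER
2008-09-27 03:11:09,+6490000050,4003,from-pstn,4,NO ANSWER
2008-09-27 03:11:18,+6490000050,4004,from-pstn,7,NO ANSWER
2008-09-27 03:11:27,+6490000050,4005,from-pstn,5,NO ANSWER
"""

VOICEMAIL_PILOT = "8999"        # assumed number of the voicemail / IVR front door
DISA_CONTEXT = "disa-outbound"  # assumed dialplan context used for DISA out-dials
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Monday to Friday


def parse_cdrs(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        r["billsec"] = int(r["billsec"])
        rows.append(r)
    return rows


def after_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def find_pin_guessing(cdrs, window=timedelta(minutes=5), threshold=4):
    """Several calls from one caller to the voicemail pilot inside one window:
    the CDR footprint of a DTMF PIN brute force."""
    hits = set()
    by_src = defaultdict(list)
    for r in cdrs:
        if r["dst"] == VOICEMAIL_PILOT:
            by_src[r["src"]].append(r["start"])
    for src, times in by_src.items():
        times.sort()
        for i, t in enumerate(times):
            if sum(1 for u in times[i:] if u - t <= window) >= threshold:
                hits.add(src)
                break
    return sorted(hits)


def find_extension_scan(cdrs, window=timedelta(minutes=5), threshold=5):
    """One caller reaching many distinct extensions in quick succession."""
    hits = set()
    by_src = defaultdict(list)
    for r in cdrs:
        by_src[r["src"]].append((r["start"], r["dst"]))
    for src, calls in by_src.items():
        calls.sort()
        for i, (t, _) in enumerate(calls):
            distinct = {d for u, d in calls[i:] if u - t <= window}
            if len(distinct) >= threshold:
                hits.add(src)
                break
    return sorted(hits)


def find_after_hours_outdial(cdrs):
    """Calls leaving through the DISA context outside business hours: the usual
    signature of theft of service via DISA or abused call forwarding."""
    return [(r["src"], r["dst"]) for r in cdrs
            if r["dcontext"] == DISA_CONTEXT and after_hours(r["start"])]


if __name__ == "__main__":
    records = parse_cdrs(SAMPLE_CDR)
    print("PIN guessing from:", find_pin_guessing(records))
    print("extension scan from:", find_extension_scan(records))
    print("after-hours DISA out-dials:", find_after_hours_outdial(records))
```

Because the records are this revealing, the CDR store needs the same protection as the maintenance console: export it to a log host off the PaBX, so that a compromised console can neither carry off the call history nor delete the evidence of how it was reached.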
The infinite power of Asterisk
Custom setups
Testing environment for tools
Anonymous voicemail servers
Encrypted voice
Private networks like DetoVoIP and Telephreak
Rogue PaBXs for eavesdropping
Custom features
ProjectMF: A trip down phone-phreak memory lane
Asterisk patches to support MF in-band signaling
Lets you bluebox telephone calls
Simulation of old (but not dead?) networks

The infinite power of Asterisk
Blueboxing through a ProjectMF test server

The infinite power of Asterisk
Call the ProjectMF server
Get dropped to a C5 trunk
Hold the phone up to the speakers
Seize the trunk with a 1-second burst of 2600 Hz
Send KP + 12588 + ST in multi-frequency (MF) tones
Call connects
Re-seize, repeat

Thanks
Thanks & greets to:
SA.com
SLi
Andrew Horton
Metlstorm
Detonate
Kiwicon crew
Beave
Jfalcon
M4phr1k