Phree as in Phone Call: The other end of the line
© 2008 Security-Assessment.com
Presented By: [email protected]

DESCRIPTION

Presented at Kiwicon II (2008). This talk is the culmination of many years of whispering sweet nothings to phones and as such will focus on the interesting things which can be found on the remote end of phone lines (PaBXs, voicemail systems, IVRs). There will be a discussion of the latest techniques and tools and we will cover examples of what to look for when auditing and hacking phone systems. We'll delve into what can be found hidden in phat corporate number blocks, and touch on topics such as remote eavesdropping and PIN security. There will be a demonstration of what can be gained by harnessing the awesome power of VoIP.


Page 1: Phree As In Phone Call

Phree as in Phone Call: The other end of the line

© 2008 Security-Assessment.com

Presented By: [email protected]

Page 2: Phree As In Phone Call

FILE_ID.DIZ

Advantages of phreaking with VoIP

Modern dialing setup

Modern wardialing and scanning techniques

Identifying and classifying devices

Hacking dial-in lines

System types and login attacks

IVR and voicemail systems

PIN brute-forcing

PaBXs

Exploiting features

Eavesdropping and data-mining

Page 3: Phree As In Phone Call

Advantages of phreaking with VoIP

International destinations much more accessible

VoIP is cheap

Can scam free VoIP

Don’t need to scan from home anymore

Less knocks at the door

Parallelization

Can run savage burns

Easier to perform certain attacks

CallerID spoofing

Automates hand scanning

Callus free!

Page 4: Phree As In Phone Call

Modems and VoIP

Most people think it can’t be done

Complex codecs cause havoc to connections

Modems can’t connect

Connections drop

It can be done!

What you need

How to tweak it

Page 5: Phree As In Phone Call

What you need

Modems

Page 6: Phree As In Phone Call

What you need

Analog telephony adaptors (ATA)

Page 7: Phree As In Phone Call

What you need

VoIP account

Lots of cheap providers

voipjet.com

voipbuster.com

Trial accounts

Free calls

Asterisk server

Routing

Call recording

CallerID spoofing

Page 8: Phree As In Phone Call

Device configuration tricks

ATA

Compression disabled (G.711 ulaw!)

No echo cancellation (*99 on PAP2)

Modem

Disable local flow control

Error-correction

Disable data-compression

Limit the data rate to 1200 bps for scans

Page 9: Phree As In Phone Call

Modem connection using VoIP

Page 10: Phree As In Phone Call

What can you connect to?

Modems all over the world

Control systems

SCADA systems

Alarm systems

International X.25 networks

India, Africa, Russia, China…

Banking

Other interesting stuff

Obscure devices and networks

Bulletin boards (yep!)

Who knows? The PSTN is global!

Page 11: Phree As In Phone Call

What can you connect to?

SCADA system example

Page 12: Phree As In Phone Call

Wardialing

Automatically dialing numbers to find modems

Target identification

Inventory building

Risks

Time of day

Randomize numbers!

Modern Wardialing

Use VoIP, UNIX and Asterisk

The Intelligent Wardialer (iWar)

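The slide above describes wardialing from the caller's side, including its risks (time of day, sequential numbers). As an added example that is not from the talk, here is the defender's counterpart: a detection run over the PaBX's own call-detail records that flags a calling number sweeping the company's DDI block. The CSV layout, the column names and every record are constructed for this example; real CDR exports differ by vendor.

```python
"""Spot a wardialer in a PaBX's call-detail records (CDRs).

Added example, not code from the talk: a detection over the company's own
CDRs. The CSV layout and every record below are constructed for this
example; real CDR formats vary by PaBX vendor.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed CDRs: a sequential sweep of the DDI block at 02:00, a randomised
# sweep at 22:00, and a few ordinary daytime business calls.
SAMPLE_CDRS = """\
start,cli,ddi,duration,disposition
2008-09-27 02:10:05,+6491234567,+6493000100,4,NO ANSWER
2008-09-27 02:10:41,+6491234567,+6493000101,3,NO ANSWER
2008-09-27 02:11:12,+6491234567,+6493000102,2,BUSY
2008-09-27 02:11:50,+6491234567,+6493000103,5,NO ANSWER
2008-09-27 02:12:20,+6491234567,+6493000104,19,ANSWERED
2008-09-27 02:12:55,+6491234567,+6493000105,3,NO ANSWER
2008-09-27 02:13:30,+6491234567,+6493000106,4,NO ANSWER
2008-09-27 02:14:02,+6491234567,+6493000107,2,NO ANSWER
2008-09-27 02:14:40,+6491234567,+6493000108,3,NO ANSWER
2008-09-27 02:15:15,+6491234567,+6493000109,3,NO ANSWER
2008-09-27 22:01:00,+6497000000,+6493000137,3,NO ANSWER
2008-09-27 22:01:44,+6497000000,+6493000212,2,BUSY
2008-09-27 22:02:30,+6497000000,+6493000055,4,NO ANSWER
2008-09-27 22:03:10,+6497000000,+6493000189,3,NO ANSWER
2008-09-27 22:03:52,+6497000000,+6493000301,2,NO ANSWER
2008-09-27 22:04:35,+6497000000,+6493000078,3,NO ANSWER
2008-09-27 22:05:20,+6497000000,+6493000244,4,NO ANSWER
2008-09-27 22:06:01,+6497000000,+6493000166,2,NO ANSWER
2008-09-27 09:30:00,+6498765432,+6493000150,312,ANSWERED
2008-09-27 10:05:12,+6498765432,+6493000151,87,ANSWERED
2008-09-27 11:40:33,+6495551212,+6493000150,45,ANSWERED
"""


def parse_cdrs(text):
    """Parse the constructed CSV CDR export into dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "cli": row["cli"],
            "ddi": row["ddi"],
            "duration": int(row["duration"]),
            "disposition": row["disposition"],
        })
    return records


def sequential_ratio(ddis):
    """Fraction of adjacent pairs (in sorted order) that differ by exactly one."""
    numbers = sorted({int(d.lstrip("+")) for d in ddis})
    if len(numbers) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(numbers, numbers[1:]) if b - a == 1)
    return consecutive / (len(numbers) - 1)


def wardial_suspects(cdrs, min_distinct_ddis=8, short_call_seconds=10,
                     short_fraction=0.7, business_hours=(8, 18)):
    """Group CDRs by calling number and flag sweep-like behaviour.

    A CLI is suspect when it reaches many distinct DDIs and most of its calls
    are short (no answer, busy, or a modem/IVR hang-up). Sequential order and
    out-of-hours timing are reported as supporting evidence only: a wardialer
    that randomises its list defeats the sequence check, not the volume check.
    """
    by_cli = defaultdict(list)
    for rec in cdrs:
        by_cli[rec["cli"]].append(rec)

    suspects = {}
    for cli, calls in by_cli.items():
        distinct = {c["ddi"] for c in calls}
        if len(distinct) < min_distinct_ddis:
            continue
        short = sum(1 for c in calls if c["duration"] <= short_call_seconds) / len(calls)
        if short < short_fraction:
            continue
        reasons = [f"{len(distinct)} distinct DDIs", f"{short:.0%} short calls"]
        seq = sequential_ratio(distinct)
        if seq >= 0.5:
            reasons.append(f"sequential sweep ({seq:.0%} consecutive numbers)")
        start_h, end_h = business_hours
        after_hours = sum(1 for c in calls if not start_h <= c["start"].hour < end_h) / len(calls)
        if after_hours >= 0.5:
            reasons.append(f"{after_hours:.0%} of calls outside business hours")
        suspects[cli] = {"calls": len(calls), "distinct_ddis": len(distinct),
                         "sequential_ratio": seq, "reasons": reasons}
    return suspects


if __name__ == "__main__":
    for cli, info in wardial_suspects(parse_cdrs(SAMPLE_CDRS)).items():
        print(cli, "->", "; ".join(info["reasons"]))
```

Both constructed sweeps are flagged, but only the 02:00 one carries the "sequential sweep" reason; the randomised 22:00 sweep is caught purely by the number of distinct DDIs and the proportion of short calls, which is why the volume thresholds, not the sequence test, should drive the alert.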
Page 13: Phree As In Phone Call

Wardialing

iWar

Multiple modems are no problem!

Serial-to-USB adapters

Scalable banks of modems with limitless potential

Remote system identification (126 banners)

MySQL support

CNAM lookup feature

Blacklist support

Page 14: Phree As In Phone Call

Wardialing

iWar in serial mode

Page 15: Phree As In Phone Call

Wardialing

What will we find?

Routers

Remote access servers

PPP dialins

PC Anywhere

PaBX management systems

IVR systems

Network backdoors

Outdials

Diverters (dialtones)

Unknown and forgotten devices

Page 16: Phree As In Phone Call

Wardialing

Reducing time with blacklists

Internal / employee directories

DDIs and other numbers harvested from websites

Business directories

Websites

CDROMs

Fax directories

Do-not-call lists

Special ranges

Telco test equipment

Page 17: Phree As In Phone Call

Wardialing

Published research

Peter Shipley dialed 5.7M numbers over three years

50,000 carriers found

Found unauthenticated access to

Fire Department's dispatch system

Control system for high-voltage power transmission line

Internal networks of financial organizations

A leased line control system

Credit card number databases

Medical billing records.

Page 18: Phree As In Phone Call

Wardialing

THC-Scan: Next Generation

Distributed wardialer!

Large modem pools

Large scan ranges - (09) 3XXXXXX

Global scanning efforts

Log sharing and karma systems

Page 19: Phree As In Phone Call

Wardialing

Callus-free handscanning

iWar with IAX2 connection

Wifi at a café, etc.

Headphones

Time and patience

Upsides

Safe and anonymous

Mostly automated

Handsfree!

Page 20: Phree As In Phone Call

Hacking dial-in lines

Figuring out what you’re dealing with

System types and banners

Identifying different type login prompts and methods

Building username and password lists

Google for defaults

Login Brute-forcing

Tools

Homebrew scripting

Page 21: Phree As In Phone Call

Hacking dial-in lines

System types and banners

Page 22: Phree As In Phone Call

Hacking dial-in lines

System types and banners

Page 23: Phree As In Phone Call

Hacking dial-in lines

Different login prompts and methods

Single auth

Dual auth

Limited or unlimited attempts?

Username, password or both?

Page 24: Phree As In Phone Call

Login brute forcing

Tools

Commercial war dialers (lame)

Modem login hacker for Linux

X.25 NUI/NUA scanners

Homebrew

Minicom runscript

Python serial library

Procomm Plus ASPECT script

Page 25: Phree As In Phone Call

Login brute forcing

Modem Login Hacker

Works against any ‘Username:’ or ‘Login:’ variations

Unix, Cisco, PaBXs

Customizable for different login formats

Includes PPP brute-forcing tool!

Page 26: Phree As In Phone Call

IVRs and voicemail

Fingerprinting voicemail systems

Default prompts

Default mailbox numbers and PINs

Admin mailbox

“Nudges” (*8, *81, *, #, 0)

Can you find the admin console?

CallerID spoofing attacks

ANI or CID authentication is very bad!

Call forwarding and out-dials

Free calls

Page 27: Phree As In Phone Call

IVRs and voicemail

Launching a PIN brute force attack

Things to figure out

Dial-in numbers and PIN length

Numbering format for mailboxes

Method of getting to the PIN prompt

Page 28: Phree As In Phone Call

PIN brute forcing

Metlstorm's mighty Hai2IVR

SIP-client for brute forcing DTMF prompts

Can record calls and scan in parallel

GUI for sorting and listening to the results

Doubles as PaBX extension war dialer

Page 29: Phree As In Phone Call

PIN brute forcing

Components

Hai2IVR GTK interface

Handles the parallelization

GUI for reviewing results

metlodtmfzor

Makes the calls and sends the DTMF

Command line scriptable

Hai2IVR setup

Route through Asterisk

Authenticated SIP

CID spoofing

Page 30: Phree As In Phone Call

Predictable PINs

Keypad patterns

Making shapes

L, X, O

Repeating numbers

2244, 9988

Patterns

Other lists

Birth dates

Pop culture references

1984, 1337 (WiteRabit's PIN)

Word numbers

Hell, love, krad, sexy

Page 31: Phree As In Phone Call

Predictable PINs

Page 32: Phree As In Phone Call

Predictable PINs

PINPop.com

Research project into predictable PINs

PIN database analysis

Goals

Secure PIN selection patches to Asterisk

Whitepaper on PIN selection psychology

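PINPop's goal of secure PIN selection patches points at the kind of check a voicemail or PaBX administrator would enforce at PIN-change time. The following is an added example written for this page, not code from the talk, from PINPop or from Asterisk; it rejects the predictable classes the previous slides list (keypad shapes, repeated pairs, years, pop-culture numbers, words spelled on the keypad). The six-digit minimum, the adjacency rule used to recognise shapes, the well-known-number set and the short wordlist are assumptions.

```python
"""Weak-PIN policy check covering the predictable PIN classes the talk lists.

Added example for this page; not code from the talk, PINPop or Asterisk.
The categories come from the slides; the minimum length, the adjacency
heuristic for "shapes", the well-known-number set and the wordlist are
assumptions made for this example.
"""
import re

# Letters printed on a standard telephone keypad (ITU E.161 layout).
KEYPAD_LETTERS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
                  "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD_LETTERS.items() for ch in letters}

# Physical (row, column) position of each key, used for shape detection.
KEYPAD_POS = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
              "4": (1, 0), "5": (1, 1), "6": (1, 2),
              "7": (2, 0), "8": (2, 1), "9": (2, 2),
              "0": (3, 1)}

# Constructed wordlist: the talk's examples plus a few obvious ones.
WEAK_WORDS = ("hell", "love", "krad", "sexy", "pass", "code", "open")
# Constructed set of well-known numbers; 1337 is from the talk, the rest are assumed.
WELL_KNOWN = {"1337", "2600", "0000", "1234"}


def word_to_digits(word):
    """Spell a word on the keypad: 'love' -> '5683'."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in word.lower())


def is_sequence(pin):
    """Strictly ascending or descending by one: 1234, 6543."""
    step = int(pin[1]) - int(pin[0])
    return step in (1, -1) and all(int(b) - int(a) == step for a, b in zip(pin, pin[1:]))


def is_keypad_walk(pin):
    """Every keypress is physically adjacent to the previous one (lines, L shapes)."""
    pos = [KEYPAD_POS[d] for d in pin]
    return all(a != b and abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1
               for a, b in zip(pos, pos[1:]))


def weak_pin_reasons(pin, min_length=6, wordlist=WEAK_WORDS):
    """Return the list of policy violations for a PIN; an empty list means acceptable."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    reasons = []
    if len(pin) < min_length:
        reasons.append(f"shorter than {min_length} digits")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    elif re.fullmatch(r"(\d)\1(\d)\2(?:(\d)\3)*", pin):   # 2244, 9988, 112233
        reasons.append("repeated digit pairs")
    if len(pin) >= 3 and is_sequence(pin):
        reasons.append("ascending or descending sequence")
    elif len(pin) >= 3 and is_keypad_walk(pin):
        reasons.append("keypad shape")
    elif set(pin) == set("1379"):
        reasons.append("keypad corners (X or box shape)")
    if re.fullmatch(r"(19|20)\d\d", pin):
        reasons.append("looks like a year")
    if pin in WELL_KNOWN:
        reasons.append("well-known number")
    if pin in {word_to_digits(w) for w in wordlist}:
        reasons.append("spells a common word on the keypad")
    return reasons


def pin_is_acceptable(pin, **policy):
    """Convenience wrapper for a PIN-change handler: True when no rule fires."""
    return not weak_pin_reasons(pin, **policy)
```

The check returns every rule that fired rather than the first, so a PIN-change prompt can tell the user why the choice was rejected; the adjacency rule is deliberately broad and will reject some harmless PINs, which is the usual trade-off for a keypad-shape heuristic.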
Page 33: Phree As In Phone Call

PaBX hacking

Attack categories

Theft of service

Routing manipulation

Traffic analysis (stealing CDRs)

Social engineering

Eavesdropping

Page 34: Phree As In Phone Call

PaBX hacking

The Holy Grail

Access to the maintenance console

Dial-in lines, extensions, computers

Feature exploits

Conferencing

Three-way calling

Call forwarding

Direct Inwards System Access (DISA)

Test features that remotely activate mics

Theft of CDRs

Industrial espionage

Advanced auditing

Free Space Invaders: reverse engineering

Page 35: Phree As In Phone Call

PaBX hacking

Maintenance console banners

Page 36: Phree As In Phone Call

PaBX hacking

A hacked Meridian management console can:

Set up trunks to allow outgoing calls

Manipulate trunks

Re-route incoming / outgoing calls

Eavesdrop extensions

Set a Meridian Mail box to auto logon temporarily

Shut down the PaBX

Make phones ring infinitely

Trace calls through CDR records

Steal CDRs

Page 37: Phree As In Phone Call

PaBX hacking

Lockdown methods

Restricted out-dialing

Forwarding features disabled

Enforced minimum PIN size

Unused boxes deactivated

Lockout counters with manual reset

Timeouts on setup of new mailboxes

Challenge response systems

US Government classified VMSs need SecurIDs

Logging

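Three of the lockdown items above (limited attempts, lockout counters with manual reset, logging) fit in one small model. This is an added example for this page, not code from the talk or from any PaBX vendor; the mailbox store, the three-attempt limit, the PBKDF2 hashing of stored PINs and the log line format are assumptions made here.

```python
"""Lockout counter with manual reset for a voicemail PIN prompt.

Added example, not code from the talk or any PaBX vendor. The mailbox
store, the attempt limit, the PIN hashing and the log format are
assumptions made for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # assumption: slows offline guessing if the store leaks


def hash_pin(pin, salt):
    """Salted PBKDF2 so the store never holds raw PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Mailbox:
    number: str
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False

    @classmethod
    def create(cls, number, pin):
        salt = os.urandom(16)
        return cls(number=number, salt=salt, pin_hash=hash_pin(pin, salt))


class VoicemailAuth:
    """Authenticate mailbox logins, count failures and lock boxes out."""

    def __init__(self, mailboxes, max_attempts=3):
        self.boxes = {m.number: m for m in mailboxes}
        self.max_attempts = max_attempts
        self.audit_log = []   # in a real system: syslog or the PaBX's own log

    def _log(self, event, number, cli):
        self.audit_log.append(f"{event} mailbox={number} cli={cli}")

    def login(self, number, pin, cli):
        """Return True on success. Unknown and locked boxes fail exactly like a
        wrong PIN so the caller learns nothing from the response."""
        box = self.boxes.get(number)
        if box is None:
            self._log("AUTH_FAIL_UNKNOWN_BOX", number, cli)
            return False
        if box.locked:
            self._log("AUTH_FAIL_LOCKED", number, cli)
            return False
        if hmac.compare_digest(hash_pin(pin, box.salt), box.pin_hash):
            box.failed_attempts = 0
            self._log("AUTH_OK", number, cli)
            return True
        box.failed_attempts += 1
        self._log("AUTH_FAIL", number, cli)
        if box.failed_attempts >= self.max_attempts:
            box.locked = True
            self._log("LOCKOUT", number, cli)
        return False

    def admin_reset(self, number, admin):
        """Manual reset only: the counter never expires on its own."""
        box = self.boxes.get(number)
        if box is None:
            return False
        box.failed_attempts = 0
        box.locked = False
        self._log(f"ADMIN_RESET by={admin}", number, "-")
        return True

    def locked_mailboxes(self):
        """What an administrator reviews each morning: a burst of locked boxes
        with the same CLI in the log is a PIN brute-force in progress."""
        return sorted(n for n, b in self.boxes.items() if b.locked)


def build_demo_system():
    """Constructed mailboxes and PINs for the demonstration."""
    return VoicemailAuth([Mailbox.create("2001", "739261"),
                          Mailbox.create("2002", "480215")])
```

Because the audit log records the calling number on every attempt, the lockout events double as the detection signal: one CLI producing lockouts across many mailboxes is the pattern a PIN brute-forcer leaves behind.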
Page 38: Phree As In Phone Call

PaBX hacking

CDRs and data mining

Sensitive information can be gleaned from call records

Who called who and when

Current and potential clients, contractors

Recent company activities

AMDOCS Example

Handles billing for most American telcos

FBI and NSA investigation into sending CDRs offshore

Possibility of Israelis spying on Americans through CDRs

Page 39: Phree As In Phone Call

The infinite power of Asterisk

Custom setups

Testing environment for tools

Anonymous voicemail servers

Encrypted voice

Private networks like DetoVoIP and Telephreak

Rogue PaBXs for eavesdropping

Custom features

ProjectMF: A trip down phone-phreak memory lane

Asterisk patches to support MF in-band signaling

Lets you bluebox telephone calls

Simulation of old (but not dead?) networks

Page 40: Phree As In Phone Call

The infinite power of Asterisk

Blueboxing through a ProjectMF test server

Page 41: Phree As In Phone Call

The infinite power of Asterisk

Call the ProjectMF server

Get dropped to a C5 trunk

Hold the phone up to the speakers

Seize the trunk with a 1 second burst of 2600Hz

Send KP + 12588 + ST in multi-frequency (MF) tones

Call connects

Re-seize, repeat

Page 42: Phree As In Phone Call

Thanks

Thanks & greets to:

SA.com

SLi

Andrew Horton

Metlstorm

Detonate

Kiwicon crew

Beave

Jfalcon

M4phr1k

Page 43: Phree As In Phone Call

NO CARRIER

http://[email protected]