Phree As In Phone Call

Phree as in Phone Call
The other end of the line

Presented By: [email protected] © 2008 Security-Assessment.com

FILE_ID.DIZ
  • Advantages of phreaking with VoIP
      • Modern dialing setup
  • Modern wardialing and scanning techniques
      • Identifying and classifying devices
  • Hacking dial-in lines
      • System types and login attacks
  • IVR and voicemail systems
      • PIN brute-forcing
  • PaBXs
      • Exploiting features
      • Eavesdropping and data-mining

Advantages of phreaking with VoIP
  • International destinations much more accessible
      • VoIP is cheap
      • Can scam free VoIP
  • Don’t need to scan from home anymore
      • Less knocks at the door
  • Parallelization
      • Can run savage burns
  • Easier to perform certain attacks
      • CallerID spoofing
  • Automates hand scanning
      • Callus free!

Modems and VoIP
  • Most people think it can’t be done
      • Complex codecs cause havoc to connections
      • Modems can’t connect
      • Connections drop
  • It can be done!
      • What you need
      • How to tweak it

What you need
  • Modems

What you need
  • Analog telephony adaptors (ATA)

What you need
  • VoIP account
      • Lots of cheap providers
      • voipjet.com
      • voipbuster.com
      • Trial accounts
      • Free calls
  • Asterisk server
      • Routing
      • Call recording
      • CallerID spoofing

Device configuration tricks
  • ATA
      • Compression disabled (G.711 ulaw!)
      • No echo cancellation (*99 on PAP2)
  • Modem
      • Disable local flow control
      • Error-correction
      • Disable data-compression
      • Limit the data rate to 1200 bps for scans

Modem connection using VoIP

What can you connect to?
  • Modems all over the world
      • Control systems
      • SCADA systems
      • Alarm systems
  • International X.25 networks
      • India, Africa, Russia, China…
      • Banking
  • Other interesting stuff
      • Obscure devices and networks
      • Bulletin boards (yep!)
      • Who knows? The PSTN is global!

What can you connect to?
  • SCADA system example

Wardialing
  • Automatically dialing numbers to find modems
      • Target identification
      • Inventory building
  • Risks
      • Time of day
      • Randomize numbers!
  • Modern Wardialing
      • Use VoIP, UNIX and Asterisk
      • The Intelligent Wardialer (iWar)

Wardialing
  • iWar
      • Multiple modems are no problem!
      • Serial-to-USB adapters
      • Scalable banks of modems with limitless potential
      • Remote system identification (126 banners)
      • MySQL support
      • CNAM lookup feature
      • Blacklist support

Wardialing
  • iWar in serial mode

Wardialing
  • What will we find?
      • Routers
      • Remote access servers
      • PPP dialins
      • PC Anywhere
      • PaBX management systems
      • IVR systems
      • Network backdoors
      • Outdials
      • Diverters (dialtones)
      • Unknown and forgotten devices

Wardialing
  • Reducing time with blacklists
      • Internal / employee directories
      • DDIs and other numbers harvested from websites
      • Business directories
      • Websites
      • CDROMs
      • Fax directories
      • Do-not-call lists
  • Special ranges
      • Telco test equipment

Wardialing
  • Published research
      • Peter Shipley dialed 5.7M numbers over three years
      • 50,000 carriers found
  • Found unauthenticated access to
      • Fire Department's dispatch system
      • Control system for high-voltage power transmission line
      • Internal networks of financial organizations
      • A leased line control system
      • Credit card number databases
      • Medical billing records

Wardialing
  • THC-Scan: Next Generation
      • Distributed wardialer!
      • Large modem pools
      • Large scan ranges - (09) 3XXXXXX
      • Global scanning efforts
      • Log sharing and karma systems

Wardialing
  • Callus-free handscanning
      • iWar with IAX2 connection
      • Wifi at café, etc
      • Headphones
      • Time and patience
      • Upsides
      • Safe and anonymous
      • Mostly automated
      • Handsfree!

Hacking dial-in lines
  • Figuring out what you’re dealing with
      • System types and banners
      • Identifying different types of login prompts and methods
      • Building username and password lists
      • Google for defaults
  • Login brute-forcing
      • Tools
      • Homebrew scripting

Hacking dial-in lines
  • System types and banners

Hacking dial-in lines
  • Different login prompts and methods
      • Single auth
      • Dual auth
      • Limited or unlimited attempts?
      • Username, password or both?

Login brute forcing
  • Tools
      • Commercial war dialers (lame)
      • Modem login hacker for Linux
      • X.25 NUI/NUA scanners
  • Homebrew
      • Minicom runscript
      • Python serial library
      • Procomm plus aspect script

Login brute forcing
  • Modem Login Hacker
      • Works against any ‘Username:’ or ‘Login:’ variations
      • Unix, Cisco, PaBXs
      • Customizable for different login formats
      • Includes PPP brute-forcing tool!

IVRs and voicemail
  • Fingerprinting voicemail systems
      • Default prompts
      • Default mailbox numbers and PINs
      • Admin mailbox
      • “Nudges” (*8, *81, *, #, 0)
      • Can you find the admin console?
  • CallerID spoofing attacks
      • ANI or CID authentication is very bad!
  • Call forwarding and out-dials
      • Free calls

IVRs and voicemail
  • Launching a PIN brute force attack
      • Things to figure out
      • Dial-in numbers and PIN length
      • Numbering format for mailboxes
      • Method of getting to the PIN prompt

PIN brute forcing
  • Metlstorm’s mighty Hai2IVR
      • SIP-client for brute forcing DTMF prompts
      • Can record calls and scan in parallel
      • GUI for sorting and listening to the results
      • Doubles as PaBX extension war dialer

PIN brute forcing
  • Components
      • Hai2IVR GTK interface
      • Handles the parallelization
      • GUI for reviewing results
      • metlodtmfzor
      • Makes the calls and sends the DTMF
      • Command line scriptable
  • Hai2IVR setup
      • Route through Asterisk
      • Authenticated SIP
      • CID spoofing

Predictable PINs
  • Keypad patterns
      • Making shapes
      • L, X, O
      • Repeating numbers
      • 2244, 9988
      • Patterns
  • Other lists
      • Birth dates
      • Pop culture references
      • 1984, 1337 (WiteRabit’s PIN)
      • Word numbers
      • Hell, love, krad, sexy

Predictable PINs
  • PINPop.com
      • Research project into predictable PINs
      • PIN database analysis
  • Goals
      • Secure PIN selection patches to Asterisk
      • Whitepaper on PIN selection psychology
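The predictable-PIN classes on the slides above (keypad shapes, repeating numbers, dates, pop-culture numbers, word numbers) can be applied on the defending side as a check at PIN-selection time. The following is an added example, not code from the talk or from PINPop; the function name `pin_weaknesses`, the word list, the date patterns and the default minimum length of 6 are assumptions.

```python
# Added example (not from the talk): reject voicemail PINs that fall into the
# predictable classes listed on the slides. Word list, date patterns and the
# minimum length are assumptions chosen for illustration.
import re

KEYPAD = {d: (i // 3, i % 3) for i, d in enumerate("123456789")}
KEYPAD["0"] = (3, 1)
T9 = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
      "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, cs in T9.items() for c in cs}
WORDS = ["hell", "love", "krad", "sexy"]      # examples named on the slide
WORD_PINS = {"".join(LETTER_TO_DIGIT[c] for c in w) for w in WORDS}
POP_CULTURE = {"1984", "1337"}                # examples named on the slide
DAY, MONTH = r"(0[1-9]|[12]\d|3[01])", r"(0[1-9]|1[0-2])"
DATE_RE = re.compile(rf"({DAY}{MONTH}|{MONTH}{DAY})(\d\d|\d{{4}})?")


def pin_weaknesses(pin, min_len=6):
    """Return the reasons a PIN is predictable; an empty list means accepted."""
    if not (pin.isascii() and pin.isdigit()):
        return ["not numeric"]
    reasons = []
    if len(pin) < min_len:
        reasons.append("too short")
    # Few distinct digits, or built entirely from doubled digits (2244, 9988).
    if len(set(pin)) <= 2 or re.fullmatch(r"(?:(\d)\1)+", pin):
        reasons.append("repeating digits")
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):                   # 1234... or 9876...
        reasons.append("sequential run")
    # Keypad shape: each key is adjacent (diagonals included) to the previous.
    pos = [KEYPAD[d] for d in pin]
    moves = [max(abs(r1 - r2), abs(c1 - c2))
             for (r1, c1), (r2, c2) in zip(pos, pos[1:])]
    if moves and all(m == 1 for m in moves):
        reasons.append("keypad shape")
    if any(w in pin for w in WORD_PINS):
        reasons.append("word number")
    if pin in POP_CULTURE or re.fullmatch(r"(19|20)\d\d", pin):
        reasons.append("year or pop-culture number")
    if DATE_RE.fullmatch(pin):
        reasons.append("date-like")
    return reasons
```
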

PaBX hacking
  • Attack categories
      • Theft of service
      • Routing manipulation
      • Traffic analysis (stealing CDRs)
      • Social engineering
      • Eavesdropping

PaBX hacking
  • The Holy Grail
      • Access to the maintenance console
      • Dial-in lines, extensions, computers
  • Feature exploits
      • Conferencing
      • Three-way calling
      • Call forwarding
      • Direct Inwards System Access (DISA)
      • Test features that remotely activate mics
  • Theft of CDRs
      • Industrial espionage
  • Advanced auditing
      • Free Space Invaders: reverse engineering

PaBX hacking
  • Maintenance console banners

PaBX hacking
  • A hacked Meridian management console can:
      • Set up trunks to allow outgoing calls
      • Manipulate trunks
      • Re-route incoming / outgoing calls
      • Eavesdrop extensions
      • Set a Meridian Mail box to auto logon temporarily
      • Shut down the PaBX
      • Make phones ring infinitely
      • Trace calls through CDR records
      • Steal CDRs

PaBX hacking
  • Lockdown methods
      • Restricted out dialing
      • Forwarding features disabled
      • Enforced minimum PIN size
      • Unused boxes deactivated
      • Lockout counters with manual reset
      • Timeouts on setup of new mailboxes
      • Challenge response systems
      • US Government classified VMSs need SecurIDs
      • Logging
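Two of the lockdown items above, lockout counters with manual reset and logging, are shown here as a mailbox PIN check. This is an added example, not code from the talk or from any PaBX vendor; the class `MailboxAuth`, the threshold of 3 failures and the sample mailbox data used with it are assumptions.

```python
# Added example (not from the talk): a voicemail PIN check with a lockout
# counter that only an administrator can reset, plus an audit log.
# MAX_FAILURES and the class name are assumptions for illustration.
import hmac
import logging

log = logging.getLogger("vm.auth")
MAX_FAILURES = 3


class MailboxAuth:
    def __init__(self, pins):
        self._pins = dict(pins)   # mailbox -> PIN (a real system stores a hash)
        self._failures = {}       # mailbox -> consecutive failed attempts
        self._locked = set()

    def attempt(self, mailbox, pin, caller_id):
        """Return 'ok', 'denied' or 'locked'. caller_id is logged, never trusted."""
        if mailbox in self._locked:
            log.warning("locked mailbox %s tried from %s", mailbox, caller_id)
            return "locked"       # even the correct PIN is refused until reset
        expected = self._pins.get(mailbox, "")
        good = bool(expected) and hmac.compare_digest(pin.encode(),
                                                      expected.encode())
        if good:
            self._failures.pop(mailbox, None)
            return "ok"
        # Unknown mailboxes are counted too, so probing them also locks out
        # and the response does not reveal which mailbox numbers exist.
        count = self._failures.get(mailbox, 0) + 1
        self._failures[mailbox] = count
        log.warning("bad PIN for %s from %s (%d/%d)", mailbox, caller_id,
                    count, MAX_FAILURES)
        if count >= MAX_FAILURES:
            self._locked.add(mailbox)
            log.error("mailbox %s locked; manual reset required", mailbox)
            return "locked"
        return "denied"

    def admin_reset(self, mailbox, operator):
        """Manual reset: no timer ever unlocks a mailbox on its own."""
        self._locked.discard(mailbox)
        self._failures.pop(mailbox, None)
        log.info("mailbox %s reset by %s", mailbox, operator)
```
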

PaBX hacking
  • CDRs and datamining
      • Sensitive information can be gleaned from call records
      • Who called who and when
      • Current and potential clients, contractors
      • Recent company activities
  • AMDOCS Example
      • Handles billing for most American telcos
      • FBI and NSA investigation into sending CDRs offshore
      • Possibility of Israelis spying on Americans through CDRs

The infinite power of Asterisk
  • Custom setups
      • Testing environment for tools
      • Anonymous voicemail servers
      • Encrypted voice
      • Private networks like DetoVoIP and Telephreak
      • Rogue PaBXs for eavesdropping
  • Custom features
      • ProjectMF: A trip down phone-phreak memory lane
      • Asterisk patches to support MF in-band signaling
      • Lets you bluebox telephone calls
      • Simulation of old (but not dead?) networks

The infinite power of Asterisk
  • Blueboxing through a ProjectMF test server

The infinite power of Asterisk
  • Call the ProjectMF server
      • Get dropped to a C5 trunk
      • Hold the phone up to the speakers
      • Seize the trunk with a 1 second burst of 2600Hz
      • Send KP + 12588 + ST in multi-frequency tones (MF)
      • Call connects
      • Re-seize, repeat

Thanks
  • Thanks & greets to:
      • SA.com
      • SLi
      • Andrew Horton
      • Metlstorm
      • Detonate
      • Kiwicon crew
      • Beave
      • Jfalcon
      • M4phr1k

NO CARRIER

http://www.security-assessment.com [email protected]
