FW: RE Modem identification

From: Stephan Barnes (stephan.barnesat_private)
Date: Sat Sep 22 2001 - 08:39:01 PDT

    Yes,
    
    The age old question of correctly identifying the system
    when war-dialing.  Reliance is placed upon ASCII characters 
    in the banners. (Unless you are into war-dialing, ignore this
    response which is a tad lengthy)
    
    Here are two examples of readable text.
    
    1 sample for a system that is known to be a Shiva Lan Rover
    (@Userid)
    
    1 sample of AIX where it is not hard to guess at all what the 
    system is (unless the banner is a decoy; 
    which is very rarely seen in the modem world)
    
    (Shiva)
    ------------------------------------------------------------
    30-Jun-XX 16:40:13 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/
    
    @Userid: 
    @Userid: 
    ------------------------------------------------------------
    (AIX)
    ------------------------------------------------------------
    30-Jun-XX 17:20:14 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
    
    AIX Version 4
    (C) Copyrights by IBM and by others 1982, 1994.
    login: 
    ------------------------------------------------------------
    
    Then there are extended ASCII character identification issues 
    that in many cases can be rectified through parity and stop bit 
    changes:
    
    Say the return in the banner looks like this:
    
    30-Jun-XX 17:20:15 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM 
     The password is incorrect.
    
    Dialing back with any software like ProcommPlus and changing 
    the parity from 8-N-1 to E-7-1 in many cases resolves the 
    extended ASCII characters into something more readable.
    
    Then there are extended ASCII character identification
    issues of this magnitude, which sounds mostly like the problem
    the original poster has encountered:
    
    Say the return in the banner looks like this:
    
    30-Jun-XX 17:20:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
       xx|x  
    
    Or this:
    
    30-Jun-XX 17:20:17 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
    
    
    From just looking at these, positive identification would be 
    very tough to do because that string doesn't give you much 
    indication of what type of system it is. There are extended 
    ASCII characters in the mix.  Hence you have to rely upon 
    experience and if you use a commercial war dialer you have 
    to rely upon that war-dialers' database of strings and 
    systems table to match up against what the modem is sending 
    back.
      
    Regardless of TeleSweep or PhoneSweep it is an ASCII text 
    banner match issue.  In our tests the jury is still out but 
    I would tend to agree with Nate that PhoneSweep might be 
    doing a better job of classifying the modems that were found 
    than TeleSweep as of late; most recent release against most 
    recent release.  Run your own drag race and see.
    
    The commercial war dialing tool makers ask the "community" 
    (we know, we've been asked countless times) for more banners 
    and positive identification of modems because some of their 
    databases are not growing; they're stale.  305 systems is not 
    bad, however I would point out that in many cases you'll 
    see that there are 10-15 of those 350 that are the majority 
    of systems running out there on modems today and that the 
    rest have gone the way of the dinosaur and are rarely found 
    (In general).
    
    We've seen the commercial tools miss simple stuff like the 
    @Userid banner and not be able to identify it as Shiva.  
    We've even seen them miss simple stuff like the AIX banner.  
    That is frustrating when that happens because the match is 
    not that complex.  It's a simple match program and how well 
    that match program is written is what you rely upon.
    
    I say rely upon your eyes and ears too.  Modems whistle 
    differently than faxes for the most part so just manually 
    dialing a found number can tell you a lot with your ears.  
    In a typical war dial the expected found ratios are 
    1 to 1.5% of the pool of original numbers so this is 
    generally not a long exercise.
    
    Both commercial tools do a decent job of finding a modem 
    Carrier, but if you rely upon their identification engines 
    without independent verification you are probably asking 
    for some hurt, especially if you're a white hat testing or 
    performing in the name of the war-dial engagement for your 
    client.
    
    A sharp eye, keen memory and mastery of the original free 
    war dial tool ToneLoc will get you a fast foot print and 
    much of the data you need 9 times out of 10.  This can
    be the independence you seek in many cases.
    
    Then again knowing old school programs like Procomm Plus 
    will help you go back and become more successful at testing 
    conditions like changing stop bits and parity to clean up 
    garbage banners.  In the end if you get a bunch of extended 
    ASCII characters you can probably assume that there is some 
    type of client side (in general) software required to 
    establish a connection.  For example, PcAnywhere, CarbonCopy, 
    Remotely Anywhere, Etc.  Try that on and see if it works.
    
    Just be advised that blind faith in the results of commercial 
    war dialers can possibly leave you compromised if you don't go
    independently verify.
    
    You can check out many techniques and tricks via the old-school 
    ways using ToneLoc at my site www.m4phr1k.com.
    
    Regards,
    
    Stephan Barnes 
    stephan.barnesat_private
    http://www.foundstone.com
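The two banner problems Stephan walks through (a readable banner that a simple string table should match, and "extended ASCII" garbage that is really a 7-E-1 stream captured with 8-N-1 settings) can be shown in a few lines of Python. This is an added example written for this archive page, not code from Stephan, Foundstone, or any of the tools named in the thread; the signature table, function names and sample banners are all constructed for illustration.

```python
# Added example (not from the original thread). Models two things described
# above: matching known readable banners (Shiva "@Userid", AIX "login:") and
# recovering a banner whose high-bit "extended ASCII" bytes are really the
# even-parity bit of a 7-E-1 sender read with 8-N-1 framing.

# Constructed signature table (hypothetical; a real database is far larger).
SIGNATURES = [
    ("@Userid", "Shiva LanRover"),
    ("AIX Version", "IBM AIX"),
    ("login:", "Generic Unix login"),
]

def even_parity(byte7: int) -> int:
    """7-bit value with its even-parity bit placed in bit 7, as an 8-N-1 reader sees it."""
    return byte7 | (0x80 if bin(byte7).count("1") % 2 else 0)

def encode_7e1(text: str) -> bytes:
    """Constructed sample generator: a 7-E-1 banner as captured with 8-N-1 settings."""
    return bytes(even_parity(ord(c) & 0x7F) for c in text)

def looks_like_even_parity(raw: bytes) -> bool:
    """True when every byte has an even number of set bits (consistent with 7-E-1)."""
    return len(raw) > 0 and all(bin(b).count("1") % 2 == 0 for b in raw)

def strip_parity(raw: bytes) -> bytes:
    """Drop bit 7 of every byte; the software equivalent of redialing at E-7-1."""
    return bytes(b & 0x7F for b in raw)

def classify_banner(raw: bytes) -> tuple:
    """Return (system guess, cleaned banner text) for one captured banner."""
    if not raw:
        return "No banner (silent carrier)", ""
    note = ""
    cleaned = raw
    # Only strip parity when the bytes are actually consistent with 7-E-1;
    # otherwise high-bit bytes are genuine binary, not a framing mismatch.
    if looks_like_even_parity(raw) and any(b & 0x80 for b in raw):
        cleaned = strip_parity(raw)
        note = " (after 7-E-1 parity strip)"
    text = cleaned.decode("ascii", errors="replace")
    for needle, name in SIGNATURES:
        if needle in text:
            return name + note, text
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in cleaned)
    if printable < 0.7 * len(cleaned):
        # Mostly non-text even after cleanup: the remote side is probably
        # expecting client software (PcAnywhere and the like), not a terminal.
        return "Unknown: binary/extended chars, likely client-side software required", text
    return "Unknown: readable but unmatched banner" + note, text
```

The parity check is the key caveat: stripping bit 7 from a banner that was never 7-E-1 destroys real binary data, so the classifier only does it when every byte passes the even-parity test.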
     
    -----Original Message-----
    From: Nate.Kingat_private [mailto:Nate.Kingat_private] 
    Sent: Friday, September 21, 2001 3:44 PM
    To: pen-testat_private
    Subject: RE Modem identification
    
    
    I prefer PhoneSweep by Sandstorm Enterprises at http://www.sandstorm.net/.
    It has the capability to identify 305 different dial-up systems by name,
    including ones that do not provide visible text banners.  It is a commercial
    product, however, and can be expensive.
    
    I wrote an article for Information Security Magazine in June 2000 that
    compared various commercial and free war dialing tools (PhoneSweep,
    TeleSweep Secure, and THC-Scan).  The URL is
    http://www.infosecuritymag.com/articles/june00/features1.shtml.  TeleSweep
    Secure has probably changed the most since then, but hopefully it will help.
    
    Good Luck,
    
    Nate
    
    ********************************************************
    Nate King, CISSP
    Managing Consultant, Ethical Hacking Division
    Global Integrity Information Security
    Predictive Systems, Inc.
    
    E-Mail: nate.kingat_private
    http://www.predictive.com
    ********************************************************
    
    
    
    >"Perciaccante, Robert" <Robert.Perciaccanteat_private>
    >09/21/2001 08:06 AM
    >
    > 
    >        To:     pen-testat_private
    >        cc: 
    >        Subject:        Modem identification
    >
    >
    >After identifying modems that are set to answer inbound dialing, I
    >would like to figure out a better way to identify the types of dial-in 
    >systems these are.  While some do spit banners, and aid in 
    >identification, most do not.  Can anyone recommend a suitable "modem 
    >identifier"?
    >
    >Thanks,
    >
    >Bob Perciaccante
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    



    This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 12:44:03 PDT