Yes, the age-old question of correctly identifying the system when war-dialing. Reliance is placed upon ASCII characters in the banners. (Unless you are into war-dialing, ignore this response, which is a tad lengthy.)

Here are two examples of readable text: 1 sample for a system that is known to be a Shiva Lan Rover (@Userid), 1 sample of AIX where it is not hard to guess at all what the system is (unless the banner is a decoy, which is very rarely seen in the modem world).

(Shiva)
------------------------------------------------------------
30-Jun-XX 16:40:13 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/
@Userid:
@Userid:
------------------------------------------------------------

(AIX)
------------------------------------------------------------
30-Jun-XX 17:20:14 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1994.
login:
------------------------------------------------------------

Then there are extended ASCII character identification issues that in many cases can be rectified through parity and stop bit changes. Say the return in the banner looks like this:

30-Jun-XX 17:20:15 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
[m[2;19r[m[24;79H [22;1H[;1mThe password is incorrect.

Dialing back with any software like ProcommPlus and changing the parity from 8-N-1 to E-7-1 in many cases resolves the extended ASCII characters into something more readable.

Then there are extended ASCII character identification issues of this magnitude, which sounds mostly like the problem the original poster has encountered. Say the return in the banner looks like this:

30-Jun-XX 17:20:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
xx|x

Or this:

30-Jun-XX 17:20:17 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM

From just looking at these, positive identification would be very tough to do because that string doesn't give you much indication of what type of system it is. There are extended ASCII characters in the mix.
Hence you have to rely upon experience, and if you use a commercial war dialer you have to rely upon that war-dialer's database of strings and systems table to match up against what the modem is sending back. Regardless of TeleSweep or PhoneSweep, it is an ASCII text banner match issue. In our tests the jury is still out, but I would tend to agree with Nate that PhoneSweep might be doing a better job of classifying the modems that were found than TeleSweep as of late; most recent release against most recent release. Run your own drag race and see. The commercial war dialing tool makers ask the "community" (we know, we've been asked countless times) for more banners and positive identification of modems because some of their databases are not growing; they're stale. 305 systems is not bad, however I would point out that in many cases you'll see that there are 10-15 of those 350 that are the majority of systems running out there on modems today and that the rest have gone the way of the dinosaur and are rarely found (in general).

We've seen the commercial tools miss simple stuff like the @Userid banner and not be able to identify it as Shiva. We've even seen them miss simple stuff like the AIX banner. That is frustrating when that happens because the match is not that complex. It's a simple match program, and how well that match program is written is what you rely upon. I say rely upon your eyes and ears too. Modems whistle differently than faxes for the most part, so just manually dialing a found number can tell you a lot with your ears. In a typical war dial the expected found ratios are 1 to 1.5% of the pool of original numbers, so this is generally not a long exercise. Both commercial tools do a decent job of finding a modem carrier, but if you rely upon their identification engines without independent verification you are probably asking for some hurt, especially if you're a white hat testing or performing in the name of the war-dial engagement for your client.
A sharp eye, keen memory and mastery of the original free war dial tool ToneLoc will get you a fast footprint and much of the data you need 9 times out of 10. This can be the independence you seek in many cases. Then again, knowing old school programs like Procomm Plus will help you go back and become more successful at testing conditions like changing stop bits and parity to clean up garbage banners. In the end, if you get a bunch of extended ASCII characters you can probably assume that there is some type of client side (in general) software required to establish a connection. For example, PcAnywhere, CarbonCopy, Remotely Anywhere, etc. Try that on and see if it works. Just be advised that blind faith in the results of commercial war dialers can possibly leave you compromised if you don't go independently verify. You can check out many techniques and tricks via the old-school ways using ToneLoc at my site www.m4phr1k.com.

Regards,
Stephan Barnes
stephan.barnesat_private
http://www.foundstone.com

-----Original Message-----
From: Nate.Kingat_private [mailto:Nate.Kingat_private]
Sent: Friday, September 21, 2001 3:44 PM
To: pen-testat_private
Subject: RE Modem identification

I prefer PhoneSweep by Sandstorm Enterprises at http://www.sandstorm.net/. It has the capability to identify 305 different dial-up systems by name, including ones that do not provide visible text banners. It is a commercial product, however, and can be expensive. I wrote an article for Information Security Magazine in June 2000 that compared various commercial and free war dialing tools (PhoneSweep, TeleSweep Secure, and THC-Scan). The URL is http://www.infosecuritymag.com/articles/june00/features1.shtml. TeleSweep Secure has probably changed the most since then, but hopefully it will help.

Good Luck,
Nate

********************************************************
Nate King, CISSP
Managing Consultant, Ethical Hacking Division
Global Integrity Information Security
Predictive Systems, Inc.
E-Mail: nate.kingat_private
http://www.predictive.com
********************************************************

>"Perciaccante, Robert" <Robert.Perciaccanteat_private>
>09/21/2001 08:06 AM
>
> To: pen-testat_private
> cc:
> Subject: Modem identification
>
>After identifying modems that are set to answer inbound dialing, I
>would like to figure out a better way to identify the types of dial-in
>systems these are. While some do spit banners, and aid in
>identification, most do not. Can anyone recommend a suitable "modem
>identifier"?
>
>Thanks,
>
>Bob Perciaccante

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
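The banner-matching and parity points in Stephan Barnes' reply above, worked through as an added example that is not part of the thread or of any war dialer's code. It emulates the E-7-1 redial by masking bit 7, strips ANSI screen-control sequences like the ones in his third capture, matches against a two-entry "strings and systems" table built only from the Shiva and AIX banners quoted in the thread, and flags mostly-binary returns as probable client-software systems. The sample captures are constructed, not real dial results.

```python
import re

# Tiny "strings and systems" table like the one a commercial war dialer
# matches against; only the two readable banners quoted in the thread.
SIGNATURES = [
    (b"@Userid:", "Shiva LanRover"),
    (b"AIX Version", "AIX"),
]

# ANSI/VT100 control sequences (ESC [ ... letter): the "[2;19r" / "[24;79H"
# fragments in the thread's third capture. Screen formatting, not an
# identifier, so they are removed before matching.
ANSI_ESCAPE = re.compile(rb"\x1b\[[0-9;?]*[A-Za-z]")

def add_even_parity(data: bytes) -> bytes:
    """Constructed helper: frame 7-bit text the way an E-7-1 sender does,
    using bit 7 for even parity. Captured at 8-N-1 this is what shows up
    as 'extended ASCII' garbage."""
    return bytes(b | 0x80 if bin(b).count("1") % 2 else b for b in data)

def strip_parity(raw: bytes) -> bytes:
    # Emulate redialing at E-7-1: the terminal discards bit 7, so mask it.
    return bytes(b & 0x7F for b in raw)

def classify_banner(raw: bytes) -> dict:
    """Best-effort identification of one captured banner."""
    cleaned = ANSI_ESCAPE.sub(b"", strip_parity(raw))
    text = cleaned.decode("ascii")  # safe: every byte is now < 0x80
    for needle, system in SIGNATURES:
        if needle in cleaned:
            return {"system": system, "verdict": "signature match", "text": text}
    printable = sum(1 for b in cleaned if 0x20 <= b < 0x7F or b in b"\r\n\t")
    if printable / max(len(cleaned), 1) < 0.8:
        # Mostly control bytes even after parity stripping: the thread's rule
        # of thumb is that such a line needs client software (PcAnywhere etc.).
        return {"system": "unknown", "verdict": "binary; probably needs client software", "text": text}
    return {"system": "unknown", "verdict": "readable, no signature; inspect manually", "text": text}

# Constructed captures modelled on the thread's examples, not real dial results.
SAMPLES = {
    "shiva": b"@Userid: @Userid: ",
    "aix": b"AIX Version 4\r\n(C) Copyrights by IBM and by others 1982, 1994.\r\nlogin: ",
    "ansi_7e1": add_even_parity(
        b"\x1b[m\x1b[2;19r\x1b[m\x1b[24;79H \x1b[22;1H\x1b[;1mThe password is incorrect."),
    "binary": bytes(range(0x80, 0xA0)) * 2,  # stand-in for a client-software handshake
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = classify_banner(raw)
        print(f"{name:9} -> {r['system']:15} {r['verdict']}")
```

The 0.8 printable threshold is an assumption chosen for these samples; a real table would need many more signatures, which is exactly the database-growth problem the thread describes.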
This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 12:44:03 PDT