Re: Modem identification

From: Dawes, Rogan (ZA - Johannesburg) (rdawesat_private)
Date: Wed Sep 26 2001 - 05:34:29 PDT


    Perhaps it will, but that requires a separate connection most times. I.e.
    dial up again. I would like to do this reliably in the most efficient manner
    possible.
    
    My intention is to make some kind of state table.
    
    e.g.
    Dial number
    
    Got input?
    Yes - Go to "classify input"
    No (after timeout period) - go to "Nudge"
    
    Classify input
    Input looks like PPP (i.e. contains lots of {{{{{{ ) - Classify as PPP dial
    up - go to "PPP Brute Force"
    Input looks like text - go to "identify banner"
    
    Nudge
    Prompt with NT RAS string - go to "Got input?"
    Prompt with CRLF - go to "Got input?"
    
    Identify banner
    Text contains login: - classify as "shell account" - go to "Enter password"
    Text contains "AIX" - classify as IBM RS/6000
    Text contains "@login" - classify as Shiva
    
    etc
    
    The difference between PPP and NT RAS is that the PPP server seems to spew
    {{{{{'s to initiate the connection - play with wvdial for a bit to see how
    it "intelligently" negotiates a dial-up connection. NT RAS on the other hand
    sits silent until a special character sequence is sent, typically containing
    non-printable/keyboard enterable characters.
    
    I have attached my Perl program - it's VERY rough, so don't expect much from
    it. At the moment, the most interesting thing about it is its ability to
    speak to a serial port! It expects a list of numbers on STDIN, and logs its
    findings to ${number}.asc and ${number}.bin.
    
    Rogan
    -----Original Message-----
    From: olle [mailto:olleat_private]
    Sent: 26 September 2001 02:16
    To: Dawes, Rogan (ZA - Johannesburg)
    Cc: pen-testat_private
    Subject: Re: FW: RE Modem identification
    
    
    On Tue, Sep 25, 2001 at 10:01:01AM +0200, Dawes, Rogan (ZA - Johannesburg)
    wrote:
    > 
    > Re the prompting, one of the most common "Silent" modems seems to be
    > Windows NT RAS. This sits there until you give it a particular string.  I am
    > intending to capture the initial string using PortMon, and replay it
    > blindly whenever I get no initial characters. That should help identify a
    > number of systems, I think.
    
    NT RAS is just PPP with MSCHAP authentication.
    
    pppd will suffice both to identify and bf NT RAS.
    
    /olle
    
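The state table Rogan sketches above (dial, wait for input, nudge on silence, classify PPP versus a text banner, match banner strings), written out as an added Python example for inventorying what answers on a dial-in line. It is not Rogan's Perl program, which is not in the archive; the NT RAS probe string (a placeholder), the "lots of {" threshold, the printable-text ratio and the scripted stand-in for the serial port are assumptions, and it also counts the 0x7E/0x7D framing bytes that PPP's HDLC-style encapsulation actually uses, which the post does not mention.

```python
import re

# Thresholds and patterns chosen for this example; the banner rules follow the post.
PPP_MIN_FLAG_BYTES = 4          # how many framing bytes count as "lots of {{{{{"
PPP_FLAG_BYTES = b"{~}"         # '{' per the post; '~' (0x7E) flag and '}' (0x7D) escape per RFC 1662
BANNER_RULES = [                # (pattern, classification), in the post's order
    (re.compile(rb"login:", re.I), "shell account"),
    (re.compile(rb"\bAIX\b"), "IBM RS/6000"),
    (re.compile(rb"@login"), "Shiva"),
]
# Nudge order from the post: the captured NT RAS start string first, then CRLF.
# The real RAS string is not in the post, so a placeholder stands in for it.
NUDGES = [b"<NT-RAS-PROBE-PLACEHOLDER>", b"\r\n"]

def looks_like_ppp(data):
    """'Classify input' branch 1: enough framing bytes means a PPP server is talking."""
    return sum(data.count(bytes([b])) for b in PPP_FLAG_BYTES) >= PPP_MIN_FLAG_BYTES

def is_text(data):
    """'Classify input' branch 2: mostly printable bytes means a banner, not a protocol."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return bool(data) and printable / len(data) > 0.9

def identify_banner(data):
    """'Identify banner' state: first matching rule wins."""
    for pattern, label in BANNER_RULES:
        if pattern.search(data):
            return label
    return "unknown banner"

def classify_input(data):
    if looks_like_ppp(data):
        return "PPP dial-up"
    if is_text(data):
        return identify_banner(data)
    return "binary/unknown"

def probe(line):
    """Drive the table: read, and on timeout (empty read) send each nudge in turn."""
    data = line.read()
    if data:
        return classify_input(data)
    for nudge in NUDGES:
        line.write(nudge)
        data = line.read()
        if data:
            return classify_input(data)
    return "silent"

class ScriptedLine:
    """Constructed stand-in for a serial port: canned replies in order, b'' = timeout."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def read(self):
        return self.replies.pop(0) if self.replies else b""
    def write(self, data):
        self.sent.append(data)
```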



    This archive was generated by hypermail 2b30 : Wed Sep 26 2001 - 08:04:12 PDT