FW: RE Modem identification

From: Stephan Barnes (stephan.barnes@foundstone.com)
Date: 09/22/01


Message-ID: <5B8559F3126DD4119C5100B0D022A06D012F2FB0@mailwest>
From: Stephan Barnes <stephan.barnes@foundstone.com>
To: "'pen-test@securityfocus.com'" <pen-test@securityfocus.com>
Subject: FW: RE Modem identification
Date: Sat, 22 Sep 2001 08:39:01 -0700

Yes,

The age old question of correctly identifying the system
when war-dialing. Reliance is placed upon ASCII characters
in the banners. (Unless you are into war-dialing, ignore this
response which is a tad lengthy)

Here are two examples of readable text.

1 sample for a system that is known to be a Shiva Lan Rover
(@Userid)

1 sample of AIX where it is not hard to guess at all what the
system is (unless the banner is a decoy;
which is very rarely seen in the modem world)

(Shiva)
------------------------------------------------------------
30-Jun-XX 16:40:13 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/

@Userid:
@Userid:
------------------------------------------------------------
(AIX)
------------------------------------------------------------
30-Jun-XX 17:20:14 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM

AIX Version 4
(C) Copyrights by IBM and by others 1982, 1994.
login:
------------------------------------------------------------

Then there are extended ASCII character identification issues
that in many cases can be rectified through parity and stop bit
changes:

Say the return in the banner looks like this:

30-Jun-XX 17:20:15 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
 The password is incorrect.

Dialing back with any software like ProcommPlus and changing
the parity from 8-N-1 to E-7-1 in many cases resolves the
Extended ASCII characters into something more readable.

Then there are extended ASCII character identification
issues of this magnitude, which sounds mostly like the problem
the original poster has encountered:

Say the return in the banner looks like this:

30-Jun-XX 17:20:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
   xx|x

Or this:

30-Jun-XX 17:20:17 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM


From just looking at these, positive identification would be
very tough to do because that string doesn't give you much
indication of what type of system it is. There are extended
ASCII characters in the mix. Hence you have to rely upon
experience and if you use a commercial war dialer you have
to rely upon that war-dialers' database of strings and
systems table to match up against what the modem is sending
back.
  
Regardless of TeleSweep or PhoneSweep it is an ASCII text
banner match issue. In our tests the jury is still out but
I would tend to agree with Nate that PhoneSweep might be
doing a better job of classifying the modems that were found
than TeleSweep as of late; most recent release against most
recent release. Run your own drag race and see.

The commercial war dialing tool makers ask the "community"
(we know, we've been asked countless times) for more banners
and positive identification of modems because some of their
databases are not growing; they're stale. 305 systems is not
bad, however I would point out that in many cases you'll
see that there are 10-15 of those 350 that are the majority
of systems running out there on modems today and that the
rest have gone the way of the dinosaur and are rarely found
(In general).

We've seen the commercial tools miss simple stuff like the
@Userid banner and not be able to identify it as Shiva.
We've even seen them miss simple stuff like the AIX banner.
That is frustrating when that happens because the match is
not that complex. It's a simple match program and how well
that match program is written is what you rely upon.

I say rely upon your eyes and ears too. Modems whistle
differently than faxes for the most part so just manually
dialing a found number can tell you a lot with your ears.
In a typical war dial the expected found ratios are
1 to 1.5% of the pool of original numbers, so this is
generally not a long exercise.

Both commercial tools do a decent job of finding a modem
Carrier, but if you rely upon their identification engines
without independent verification you are probably asking
for some hurt, especially if you're a white hat testing or
performing in the name of the war-dial engagement for your
client.

A sharp eye, keen memory and mastery of the original free
war dial tool ToneLoc will get you a fast foot print and
much of the data you need 9 times out of 10. This can
be the independence you seek in many cases.

Then again, knowing old school programs like Procomm Plus
will help you go back and become more successful at testing
conditions like changing stop bits and parity to clean up
garbage banners. In the end if you get a bunch of extended
ASCII characters you can probably assume that there is some
type of client side (in general) software required to
establish a connection. For example, PcAnywhere, CarbonCopy,
Remotely Anywhere, Etc. Try that on and see if it works.

Just be advised that blind faith in the results of commercial
war dialers can possibly leave you compromised if you don't go
independently verify.

You can check out many techniques and tricks via the old-school
ways using ToneLoc at my site www.m4phr1k.com.

Regards,

Stephan Barnes
stephan.barnes@foundstone.com
http://www.foundstone.com
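Added example, not part of Stephan's message or of any tool named in the thread: a small banner classifier that does in software what the message describes doing by hand. It matches a captured banner against a signature table seeded with the thread's two readable examples, and when the capture contains high-bit bytes it checks whether they fit a 7-data-bit even-parity stream received at 8-N-1 and re-decodes them (the equivalent of redialing at E-7-1). The signature table and the sample captures are constructed for illustration.

```python
import re

# Constructed signature table (regex -> system name), seeded with the
# two readable banners from the thread; a real table would be far larger.
SIGNATURES = [
    (re.compile(rb"@Userid:"), "Shiva LanRover"),
    (re.compile(rb"AIX Version \d"), "IBM AIX"),
    (re.compile(rb"\blogin:", re.I), "generic Unix login"),
]

def popcount(b: int) -> int:
    return bin(b).count("1")

def looks_like_even_parity(data: bytes) -> bool:
    """A 7-E-1 stream captured at 8-N-1 shows the parity bit as bit 7,
    so every byte has an even number of 1 bits and at least one byte has
    bit 7 set (plain 7-bit text never does)."""
    return any(b & 0x80 for b in data) and all(popcount(b) % 2 == 0 for b in data)

def normalise(banner: bytes) -> bytes:
    """Drop the parity bit if the pattern fits (software E-7-1 redial);
    otherwise keep the raw bytes untouched."""
    if looks_like_even_parity(banner):
        return bytes(b & 0x7F for b in banner)
    return banner

def classify(banner: bytes) -> tuple:
    """Return (system label, banner as cleaned text)."""
    text = normalise(banner)
    shown = text.decode("latin-1")
    for pattern, name in SIGNATURES:
        if pattern.search(text):
            return name, shown
    if not text.strip():
        return "unknown: empty banner, verify by hand", shown
    if any(b & 0x80 for b in text):
        return "unknown: extended ASCII, client software likely", shown
    return "unknown: no signature match", shown

def encode_even_parity(text: str) -> bytes:
    """Constructed helper: emulate a 7-E-1 sender as seen by an 8-N-1 capture."""
    return bytes(c | 0x80 if popcount(c) % 2 else c for c in text.encode("ascii"))

# Constructed captures modelled on the thread's examples.
SAMPLES = {
    "shiva": b"\r\n@Userid:\r\n@Userid:",
    "aix": b"AIX Version 4\r\n(C) Copyrights by IBM and by others 1982, 1994.\r\nlogin:",
    "parity": encode_even_parity("The password is incorrect.\r\n"),
    "garbage": b"\xc3\x04\xfe\x2b\x81\x7c",
    "empty": b"\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

The "garbage" and "empty" cases land in the unknown buckets on purpose: that is the point at which the message says to stop trusting the match engine and verify by ear or by hand.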
 
-----Original Message-----
From: Nate.King@predictive.com [mailto:Nate.King@predictive.com]
Sent: Friday, September 21, 2001 3:44 PM
To: pen-test@securityfocus.com
Subject: RE Modem identification

I prefer PhoneSweep by Sandstorm Enterprises at http://www.sandstorm.net/.
It has the capability to identify 305 different dial-up systems by name,
including ones that do not provide visible text banners. It is a commercial
product, however, and can be expensive.

I wrote an article for Information Security Magazine in June 2000 that
compared various commercial and free war dialing tools (PhoneSweep,
TeleSweep Secure, and THC-Scan). The URL is
http://www.infosecuritymag.com/articles/june00/features1.shtml. TeleSweep
Secure has probably changed the most since then, but hopefully it will help.

Good Luck,

Nate

********************************************************
Nate King, CISSP
Managing Consultant, Ethical Hacking Division
Global Integrity Information Security
Predictive Systems, Inc.

E-Mail: nate.king@predictive.com
http://www.predictive.com
********************************************************

>"Perciaccante, Robert" <Robert.Perciaccante@dowjones.com>
>09/21/2001 08:06 AM
>
>
> To: pen-test@securityfocus.com
> cc:
> Subject: Modem identification
>
>
>After identifying modems that are set to answer inbound dialing, I
>would like to figure out a better way to identify the types of dial-in
>systems these are. While some do spit banners, and aid in
>identification, most do not. Can anyone recommend a suitable "modem
>identifier"?
>
>Thanks,
>
>Bob Perciaccante

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
