Penetration Testing mailing list archives
Re: [PEN-TEST] RAS PT
From: Peter Van Epp <vanepp () SFU CA>
Date: Mon, 9 Oct 2000 11:41:03 -0700
<snip>
So are there any specific attacks or defense mechanisms that one could use from the dial-up side exclusively? How effective are dial-back accounts? I've heard that there are ways around that as well. For the sake of argument, let's ignore such things as smart cards or SecurID tokens.

Gerald.
The usual answer with dialback is to have two banks of modems. One (perhaps a single modem because it is low use) accepts incoming calls and accepts the dialback request. The dialback controller then makes the outgoing call on a different modem bank which does not accept incoming calls (this can be programmed by the telco, probably for a fee).

The typical attack point of single modem dial back is:

1) attacker initiates the dialback call.
2) the server accepts the dialback call and hangs up the phone, but the attacker doesn't (in many phone systems the call won't drop until the caller hangs up).
3) attacker now outputs "dialtone" on the line (20 Hz signal as I recall).
4) server "picks up" the already open line, hears "dialtone" and dials.
5) attacker answers on "first ring" with modem tone, and is in, having spoofed the supposedly safe dialed back phone number.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
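Added example, not part of the original post: a small Python model of the line behaviour described above, showing why a callback placed on a separate outgoing-only bank reaches the registered number while a callback on the shared line does not. It assumes, as the post does, that the exchange keeps a call up until the caller hangs up; the Line class, function names, caller label and phone number are constructed for illustration.

```python
# Constructed model for illustration; not real telephony or modem code.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Line:
    name: str
    accepts_incoming: bool = True      # False = telco-programmed outgoing-only line
    held_by: Optional[str] = None      # caller still holding this circuit open

    def incoming_call(self, caller: str) -> bool:
        if not self.accepts_incoming:
            return False               # the callback bank cannot be called at all
        self.held_by = caller
        return True

    def server_hangs_up(self, caller_also_hangs_up: bool) -> None:
        # Assumption from the post: the circuit drops only when the caller releases it.
        if caller_also_hangs_up:
            self.held_by = None

    def dial(self, number: str) -> str:
        # Going off-hook on a held circuit reaches whoever holds it;
        # the dialled digits never reach the exchange.
        return self.held_by if self.held_by else number


def dialback(inbound: Line, outbound: Line, caller: str,
             registered: str, caller_hangs_up: bool) -> str:
    """Return the party the server is connected to after the callback."""
    if not inbound.incoming_call(caller):
        raise ConnectionError("request line refused the call")
    inbound.server_hangs_up(caller_hangs_up)
    return outbound.dial(registered)


def single_modem(caller: str, registered: str, caller_hangs_up: bool) -> str:
    line = Line("shared")              # same line takes the request and calls back
    return dialback(line, line, caller, registered, caller_hangs_up)


def two_banks(caller: str, registered: str, caller_hangs_up: bool) -> str:
    return dialback(Line("request"), Line("callback", accepts_incoming=False),
                    caller, registered, caller_hangs_up)


if __name__ == "__main__":
    for setup in (single_modem, two_banks):
        print(setup.__name__, "->", setup("held-caller", "555-0100", False))
```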