Penetration Testing mailing list archives

Re: [PEN-TEST] RAS PT


From: Peter Van Epp <vanepp () SFU CA>
Date: Mon, 9 Oct 2000 11:41:03 -0700

<snip>
So are there any specific attacks or defense mechanisms that one could use
from the dial-up side exclusively?  How effective are dial-back accounts?
I've heard that there are ways around that as well.  For the sake of
argument, let's ignore such things as smart cards or SecurID tokens.

Gerald.


        The usual answer with dialback is to have two banks of modems. One
(perhaps a single modem because it is low use) accepts incoming calls and
accepts the dialback request. The dialback controller then makes the outgoing
call on a different modem bank which does not accept incoming calls (this
can be programmed by the telco, probably for a fee). The typical attack point
of single-modem dialback is: 1) attacker initiates the dialback call. 2)
the server accepts the dialback call and hangs up the phone, but the attacker
doesn't (in many phone systems the call won't drop until the caller hangs
up). 3) Attacker now outputs "dialtone" on the line (20 Hz signal as I recall).
4) server "picks up" the already open line, hears "dialtone" and dials.
5) attacker answers on "first ring" with modem tone, and is in, having spoofed
the supposedly safe dialed-back phone number.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

