Penetration Testing mailing list archives
[PEN-TEST] OT - How secure is an ISDN line?
From: Dave Cowen <dcowen () ENSTAR COM>
Date: Fri, 20 Oct 2000 15:46:17 -0500
Ok, this all breaks into something that most people seem to have removed themselves from. When you are talking about sniffing any type of data/voice communications line you are talking about the physical existence of it that runs between the two termination points. So when you talk about sniffing a PSTN/ISDN/PRI/T-#/OC-# line you can be talking about multiple things. I will try to address them here.

PSTN (I say PSTN but what I mean is the actual phone line that terminates at a location, not the entire network itself) - The actual physical base RF medium and the signal therein. When most people say that they are trying to /sniff/ a PSTN connection that is actually a voice connection then you are actually going to be tapping the line (see the previous discussion on data center wiring). You have to have physical access to the medium between the end user and the termination of the local loop before it hits a point where it goes digital (multiplexed) or the CO itself (straight copper such as DSL). Because of this you need to examine your target and decide at which point the weak link lies. Obviously, since we are talking about this on a LEGAL basis, it is very hard to get a client (unless they are huge) to get the permission of a phone company to allow a penetration tester to have access to the lines they control (everything after the demarc point, and yes I've had this approval but only once). So usually your focus will be at the client side between the end user, PBX and the demarc itself. Since most PBX systems today now take PRI connections you are really looking at the copper between the end user and the PBX these days. If you are consolidating your efforts on a single user with no type of private exchange system in between then you most likely will have to insert some type of tap (bed of nails is my preferred method; it pierces the sheath without the need of actually splicing, and thus losing service on, the line) into the copper to pick up the signal itself. So ... once you have identified your target ... and you know what type of signal is being sent down the line (some newer PBX systems have digital handsets that have a separate control channel to handle most call signaling functions within them) you then take the output of your tap to a piece of equipment that can handle it. In the case of a standard copper analog connection you can just plug that into a speaker and record the wave form directly from the line itself. If there is some sort of data communications going over the line in a modem fashion then the hardest thing to do is to actually stay in sync with the two connections. From what I've been told you should attempt to passively sync with the initial negotiation (see dialup) to be able to accurately capture the data within. You have to be passive or be able to replay the signal back to a passive device because a standard modem will attempt to sync itself to the connection, which will break the session (this is point to point, not point to multipoint, which is a separate discussion usually reserved for wireless communication). Once you have done this you can replay or monitor this session. A popular technique that has been documented as used in the wild requires no physical access. You simply get the target's data number forwarded to the machine of your choice that has two modems. The first modem takes the call from the user while the second modem actually then connects to the target system, allowing you to monitor/inject/takeover the link at any time since you control the point in between. If the question of what happens to additional calls comes up, then you activate the call-forwarding-when-busy feature that is available from most telcos.

ISDN/PRI - ISDN, while having the same copper medium as its brethren, has no other real similarities after that point. ISDN and its Big Brother PRI share a common signaling system. Both ISDN and PRI have a channel actually set aside for signaling information out of their 3 (ISDN) or 24 (PRI) channels, and the rest of the channels (2 64k Bearer Channels for ISDN, 23 64k Bearer Channels for PRI) are used for creating point to point connections that can be bonded together for larger amounts of data. All of the information sent over this line is actually digital, so you cannot put a standard tap on this and expect to hear anything. Also all of these channels exist within the same physical medium; there is not a separate pair for each channel, and calls are assigned to free channels as necessary unless you specify otherwise to the switch. The signaling channel itself is worthy of a discussion of itself and has been a focus of my research for some years, but if you want to just hear or capture the modulated data that is sent over bearer lines then you can get an older analog 'TBIRD', which is a telecom diagnostic piece. The older TBIRDs have the ability to put each channel back into an analog form for monitoring, while the newer TBIRDs are all digital and are made to test and verify channels rather than monitor them (at least the models that I have seen). If you want to do anything further within the ISDN/PRI environment you need to get a passive terminal adapter (Motorola makes one that I'm familiar with) and a layer 1-3 stack emulator (I can provide companies if needed) to interact either with the switch or the end user TA. There is a lot of untested theory and functionality in ISDN based attacks that I will not go into as they are unproven unless requested. So at this point the only weak point for a LEGAL (without telco approval) target would be the area between the NT-1 of the customer premises equipment and the smartjack demarc that it connects to.

T-# - T-1, T-3, etc. Any of the time based multiplexing systems have two layers you have to peel through before you can reconstruct the data streams within. The first is the multiplexed time based division that takes place on the overall stream, which has to be synced with to bring out separate streams of data. The second layer is the encoding layer (usually ESF, B8ZS, etc.) that actually encodes the framing within the multiplexed traffic and allows the actual data within to be seen. T-1's can be used for voice (when channelized) or data, so the type of output at the end of the stripping should reveal the source media. Here once again the vulnerable LEGAL area is between the CSU/DSU (basically a multiplexor) and the smartjack.

OC-# - OC-1, 2-48 etc. Any fiber optic medium is going to require you to split the fiber itself at some point and redirect the signal into a third party tap. From there you will once again have to reconstruct the data stream from the multiplexed/frame encapsulated data within; this applies to almost any type of carrier. Optical circuits are usually privately owned, and since telcos rarely use them to run to a demarc, if you are seeing one that is customer operated you have free range to plug in at any point.

Dave Cowen, CISSP
Security Services Manager
Enstar
http://www.enstar.com
Tel: 972-929-5267
Fax: 972-915-6969
Email: dcowen () enstar com

-----Original Message-----
From: Kris Carlier [mailto:root () IGUANA BE]
Sent: Thursday, October 19, 2000 2:58 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: OT - How secure is an ISDN line?

Hi(gh, though down under) Clem,

just a reflection. How easy/difficult is it to actually sniff a PSTN or ISDN line? Cfr RAS, where you can use DES to encrypt the datastream (provided you choose MSCHAP for your connection). I'm like: sure, looks cool, but otoh, sniffing a network is easy enough. Sniffing a PSTN line requires more - I presume - than your average networkcard cq modem? Or am I totally de-synchronized on this?

In the ISDN case, more specifically, isn't it so that as opposed to PSTN, if you get an error on an ISDN line, the connection will drop? So the sniffer should be pretty silent. I'm not talking/asking about the pelco-people of course. How do you sniff a phone line? Van Eck monitoring probably ain't the right direction? ;-)

kr=, wondering

kris carlier - kris () iguana be
Hiroshima 45, Tsjernobyl 86, Windows 95
Linux, the choice of a GNU gener8ion
KC62-RIPE SMS: +32-75-61.43.05
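Dave's T-# section names two layers a monitor has to peel through on a T-1: the time-division framing it must sync to before any DS0 can be separated, and the line coding underneath it. The Python below is an added illustration for this thread, not code from the post, the list, or any product mentioned in it. It builds a simplified DS1 bit stream carrying the ESF framing pattern, searches for frame alignment the way a passive monitor must, and applies and strips B8ZS line coding. Simplifications and assumptions: the CRC-6 and facility-data-link F-bits are left at zero, the 24 channel payloads and the 57 bits of "line noise" ahead of the first frame are constructed sample data, and polarity starts negative so the first pulse is positive. It also carries the caveat behind Kris's question about errors: a bipolar violation that is not the V of a B8ZS block is a line error, and the decoder refuses the stream rather than guessing.

```python
"""Simplified DS1 (T-1) framing and B8ZS line coding.  Added illustration for
the list thread, not code from the post; CRC-6 and facility-data-link F-bits
are left at 0, and all sample data below is constructed."""
from typing import List, Tuple

SLOTS = 24                    # DS0 timeslots per DS1 frame
FRAME_BITS = 1 + 8 * SLOTS    # one F-bit + 24 x 8 bits = 193
ESF_FRAMES = 24               # frames per extended superframe
FPS = [0, 0, 1, 0, 1, 1]      # framing pattern in the F-bit of frames 4, 8, ..., 24

def esf_fbit(frame_index: int) -> int:
    """F-bit of frame 0..23 in an extended superframe (FPS bits only)."""
    if (frame_index + 1) % 4 == 0:
        return FPS[(frame_index + 1) // 4 - 1]
    return 0

def multiplex(channels: List[bytes]) -> List[int]:
    """Interleave 24 DS0 byte streams into one DS1 bit stream, MSB first per slot."""
    assert len(channels) == SLOTS and len({len(c) for c in channels}) == 1
    bits: List[int] = []
    for f in range(len(channels[0])):
        bits.append(esf_fbit(f % ESF_FRAMES))
        for ch in channels:
            bits.extend((ch[f] >> (7 - k)) & 1 for k in range(8))
    return bits

def find_alignment(bits: List[int]) -> int:
    """Bit offset (which also fixes the superframe phase) at which the FPS
    holds in every complete frame; needs at least two superframes of data."""
    for off in range(ESF_FRAMES * FRAME_BITS):
        nframes = (len(bits) - off) // FRAME_BITS
        if nframes < 2 * ESF_FRAMES:
            break
        if all(bits[off + f * FRAME_BITS] == esf_fbit(f % ESF_FRAMES)
               for f in range(nframes) if (f + 1) % 4 == 0):
            return off
    raise ValueError("no ESF frame alignment found")

def demultiplex(bits: List[int]) -> Tuple[int, List[bytes]]:
    """Sync to the framing, then pull each timeslot back out as a byte stream."""
    off = find_alignment(bits)
    nframes = (len(bits) - off) // FRAME_BITS
    out = [bytearray() for _ in range(SLOTS)]
    for f in range(nframes):
        base = off + f * FRAME_BITS + 1          # skip the F-bit
        for s in range(SLOTS):
            slot = bits[base + 8 * s:base + 8 * s + 8]
            out[s].append(int("".join(map(str, slot)), 2))
    return off, [bytes(o) for o in out]

def b8zs_encode(bits: List[int]) -> List[int]:
    """AMI: 1 -> alternating +1/-1, 0 -> 0; eight zeros -> 000VB0VB."""
    out: List[int] = []
    last, zeros = -1, 0                  # assumed start polarity: first pulse is +1
    for b in bits:
        if b:
            last = -last
            out.append(last)
            zeros = 0
        else:
            out.append(0)
            zeros += 1
            if zeros == 8:
                out[-8:] = [0, 0, 0, last, -last, 0, -last, last]
                zeros = 0                # block ends with polarity `last`, AMI carries on
    return out

def b8zs_decode(pulses: List[int]) -> Tuple[List[int], int]:
    """Undo the line code; return (bits, substitutions removed)."""
    bits: List[int] = []
    last, subs, i = -1, 0, 0
    while i < len(pulses):
        p = pulses[i]
        if p == 0:
            bits.append(0)
            i += 1
        elif p != last:                  # ordinary alternating pulse
            bits.append(1)
            last = p
            i += 1
        else:                            # violation: must be the first V of 000VB0VB
            if i < 3 or pulses[i - 3:i + 5] != [0, 0, 0, p, -p, 0, -p, p]:
                raise ValueError(f"bipolar violation at pulse {i}: line error")
            bits.extend([0] * 5)         # the three leading zeros were emitted already
            subs += 1
            i += 5
    return bits, subs

def demo() -> dict:
    """Constructed sample: each DS0 carries a constant byte (keeps the sync search
    deterministic), slot 5 is all zeros to force B8ZS, 57 noise bits lead in."""
    nframes = 3 * ESF_FRAMES
    payload = [bytes([0x10 + c]) * nframes for c in range(SLOTS)]
    payload[5] = bytes(nframes)
    noise = [1, 0, 1, 1, 0, 0, 1] * 8 + [1]
    bits, subs = b8zs_decode(b8zs_encode(noise + multiplex(payload)))
    off, channels = demultiplex(bits)
    return {"offset": off, "substitutions": subs, "recovered": channels == payload}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` locks onto the frame at bit offset 57 (past the constructed noise), undoes one B8ZS block per frame for the all-zero slot, and recovers all 24 payloads exactly. The design choice worth noting is in `find_alignment`: it demands the framing pattern over every complete frame rather than the first six F-bits, because a short pattern check against payload that happens to look like framing is how a monitor false-locks and emits garbage.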
Current thread:
- Re: [PEN-TEST] OT - How secure is an ISDN line?, (continued)
- Re: [PEN-TEST] OT - How secure is an ISDN line? van der Kooij, Hugo (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? JLJ (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Cold Fire (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Peter Van Epp (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? van der Kooij, Hugo (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Cold Fire (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Clem Colman (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Kris Carlier (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? van der Kooij, Hugo (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Kris Carlier (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Dunker, Noah (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Knowledgebase i-Net Security (Oct 19)
- [PEN-TEST] OT - How secure is an ISDN line? Dave Cowen (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? John Brand (Oct 24)
- Re: [PEN-TEST] How secure is an ISDN line? Fibre Optic TAPs Talisker (Oct 25)
- Re: [PEN-TEST] How secure is an ISDN line? Fibre Optic TAPs van der Kooij, Hugo (Oct 25)
- Re: [PEN-TEST] How secure is an ISDN line? Fibre Optic TAPs Peter Gamache (Oct 25)
- Re: [PEN-TEST] How secure is an ISDN line? Fibre Optic TAPs Carson Gaspar (Oct 26)
- Re: [PEN-TEST] How secure is an ISDN line? Fibre Optic TAPs Talisker (Oct 26)
- Re: [PEN-TEST] How secure is an ISDN line? Fibre Optic TAPs Talisker (Oct 25)