Penetration Testing mailing list archives
Re: [PEN-TEST] PBX Security Dunker, Noah
From: "Ruso, Anthony" <aruso () POSITRON QC CA>
Date: Wed, 4 Oct 2000 12:17:17 -0400
How about some of those "undocumented" feature codes for us?

-----Original Message-----
From: Dunker, Noah [mailto:NDunker () FISHNETSECURITY COM]
Sent: Wednesday, October 04, 2000 11:44 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] PBX Security

I've only audited Meridian systems... but from my experience... you can get some pretty good information to start with. This is how I got the info I did:

1) Got installation manuals for the whole system.
2) Got copies of the System Coordinator Guides.

For a Meridian Norstar PBX, these books are called "Norstar Modular DR5 System Coordinator Guide", "Norstar Modular DR5 Installer Guide", and I got the Installation Guide for the voice-mail system (which happened to be StarTalk Flash). I know I've seen a DR5.1 of these same manuals...

I then called up a company that installs the systems, and acted like I was interested. Yes, this is social engineering a third party, but it was necessary for what I was doing. I asked to talk specifically to one of their installation and troubleshooting engineers because "one of my guys had some really technical questions". I took him out to lunch, drank some beer, and in the end, I got him to give me photocopies of some "undocumented" feature codes, including one which can reset the administrator PIN.

I learned the default passwords for the PBX, and a whole ton of feature codes just from reading the manuals. With all the resources I got, any Meridian Norstar PBX is 100% open to me.

It's unfair to use a known back-door when pen-testing. The back-door on Norstar is pretty hard to stumble across, but it is nice to know the default passcodes, and test for things like that.

Good luck!

-----Original Message-----
From: Joe Traietta [mailto:JTraietta () ASAHIBANKNY COM]
Sent: Wednesday, October 04, 2000 9:07 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: PBX Security

I have been asked to perform a security review on the PBX system (NEC NEAX 2000 IVS) at my company. I have virtually no PBX experience, so I was hoping somebody could point me to a good resource, or pass along some personal experience about reviewing / auditing a PBX system.

Thank you.

Joseph Traietta
Data Security Officer
Asahi Bank, New York Branch