Penetration Testing mailing list archives
Re: [PEN-TEST] War Dialers
From: Todd Beebe <todd () SECURELOGIX COM>
Date: Tue, 5 Sep 2000 11:23:15 -0500
Gerald, how do you clients handle outbound modem calls on digital phone lines (using convertors such as Linestein) or outbound modem calls on analog fax lines? -----Original Message----- From: Batten, Gerald [mailto:GBatten () EXOCOM COM] Sent: Tuesday, September 05, 2000 8:08 AM To: PEN-TEST () SECURITYFOCUS COM Subject: Re: [PEN-TEST] War Dialers I agree, in an environment where dial-up modems are allowed, you need proper penetration testing. Most of my clients don't allow dial-up lines at all, except for faxes, which is why ToneLoc is perfect for what I need to do. If the list of numbers don't match the list of known fax machines, we just track down the offending line and cut it. Most of my clients will just give me their admin passwords for their dial-ups (after I've signed about a million legal contracts), and I compare that to their password rules within their policy. It's more cost-effective for my client to just give me their passwords than for me to try to guess the dial-up ones. I'll do a brute force on the network accounts, but not the dial-ups. Just my 2c. worth. Gerald.
-----Todd's Message----- From: Todd Beebe [mailto:todd () SECURELOGIX COM] Sent: Friday, September 01, 2000 7:47 PM To: PEN-TEST () SECURITYFOCUS COM Subject: Re: War Dialers Toneloc is good for finding modems. But, the value of the commercial products (both TeleSweep Secure and PhoneSweep) is the username/password guessing (read vulnerability testing). Knowing you have 55 numbers that answer with a tone and knowing that you have 55 numbers that answer with tone and have easily guessable username/passwords are two different things. The comparison in the IP world is running a port scanner and a vulnerability scanner. You can either receive a list of xxx number of systems that MIGHT be running vulnerable services and xxx number of systems that ARE running vulnerable systems. If you use a war dialer or port scanner, someone will need to manually test the target systems to find out if they need attention to fix the vulnerabilities.Compared to: 2. ToneLoc (tools) url: http://www.securityfocus.com/tools/48 Alfred Huger VP of Engineering SecurityFocus.com
Current thread:
- Re: [PEN-TEST] War Dialers, (continued)
- Re: [PEN-TEST] War Dialers Todd Beebe (Sep 02)
- [PEN-TEST] War Dialers, Brute Force, etc. Vanja Hrustic (Sep 02)
- Re: [PEN-TEST] War Dialers Teicher, Mark (Sep 03)
- Re: [PEN-TEST] War Dialers Laumann, Dave (Sep 02)
- Re: [PEN-TEST] War Dialers Todd Beebe (Sep 03)
- Re: [PEN-TEST] War Dialers Kurt Buff (Sep 03)
- Re: [PEN-TEST] War Dialers Teicher, Mark (Sep 05)
- Re: [PEN-TEST] War Dialers Todd Beebe (Sep 03)
- Re: [PEN-TEST] War Dialers Batten, Gerald (Sep 05)
- Re: [PEN-TEST] War Dialers iNature - David Martin (Sep 05)
- Re: [PEN-TEST] War Dialers Todd Beebe (Sep 05)
- Re: [PEN-TEST] War Dialers Todd Beebe (Sep 05)
- Re: [PEN-TEST] War Dialers Teicher, Mark (Sep 05)
- Re: [PEN-TEST] War Dialers Batten, Gerald (Sep 05)
- Re: [PEN-TEST] War Dialers O'Grady, Michael (Sep 05)
- Re: [PEN-TEST] War Dialers Todd Beebe (Sep 05)
- Re: [PEN-TEST] War Dialers Todd Beebe (Sep 02)