Penetration Testing mailing list archives
Re: WarDialing: can't identify the system (binary signature)
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 23 May 2008 17:15:13 +0200 (Western Europe standard time)
Hello,

On Thu, 22 May 2008, Zgrp unknow wrote:
> Hi pentesters,
>
> I'm conducting a WarDialing assessment and I found some numbers from my range that "are connectable"... they are not unix-like systems (at least I *think*); the output produced by them is not human readable (like binary protocols).
Performing modem surveys you'll often find weird beasts like the one you just described. Unfortunately, most of the time there's no immediate and easy way to identify them... Here are a few tips off the top of my head:
- Connect via terminal emulator (such as minicom or HyperTerminal; in fact, trying multiple emulators isn't a bad idea either), send some input (e.g. enter, '@', "help", "connect", "access", terminal break, etc.), and inspect the reactions of the remote system, if any. Just be creative and you may be rewarded.
- Play with your terminal emulator settings (speed, parity, flow control, etc.) and try to connect again with different communication parameters.
- Try to establish a PPP connection instead, set the maximum log/debug level, and inspect your logs. If the remote device talks PPP, maybe you'll be able to infer more information about it. Try also to authenticate: which dial-in authentication protocols are supported (PAP, CHAP, etc.)? Guess/brute-force access credentials, if the legal agreement allows you to do so for the defined scope. Beware of account lockout policies that may be in place, by the way.

Most of the time, you won't be able to identify the remote system anyway. If that's the case, you may try another approach:
- Call the unidentified number from a phone internal to your Client company and check the description on the phone's display, if any. Consult the internal documentation and phone book, if available. Alternatively, ask the Client's contact person to do it for you.
- Hack into the PBX (again, only if the legal agreement allows you to do so!) and inspect the configuration searching for hints.
- If you can obtain physical access to the Client's premises where the unknown device is located, follow the phone cables and find it ;)

Once you detect the device type and/or purpose (e.g. remote support from vendors such as SAP, EMC2, Alcatel, and so on; remote maintenance of some other kind; file transfer and other proprietary applications; heating centrals, anti-theft systems, etc.) you can narrow the field a bit and increase your chances of finding the appropriate ways to exploit the target, in order to obtain remote access.
> If I connect to some of them via Windows HyperTerminal I get strange texts like:
>
> "~?~?~?~?~?~?~?~?~?"
> "C??N??E??T??3??0??N??E??"
>
> Or other unreadable things like the above. Some detailed information from the WarDialing is below:
>
> - SENT ATDT NUMBER01<CR>
> - RECEIVED <CR><NL> 0d 0a
> - RECEIVED CONNECT 300 NoEC<CR><NL> 43 4f 4e 4e 45 43 54 20 33 30 30 20 4e 6f 45 43 0d 0a
> - RECEIVED ~?~?~?~?~?~?~?~?~?<?><NUL><BS><STX><SOH>@<DLE><BS><EOT><STX><SOH>@<DLE><BS><EOT><STX><SOH>@%<?>~?<?><EOT><DLE><?><?>D<?><?>~? 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f df 00 08 02 01 40 20 10 08 04 02 01 40 20 10 08 04 02 01 40 25 f6 7e 3f df 04 10 e0 d7 44 d5 f9 7e 3f
> - RECEIVED <CR><NL> 0d 0a
> - RECEIVED NO CARRIER<CR><NL> 4e 4f 20 43 41 52 52 49 45 52 0d 0a
I found this old document referencing systems that look exactly like the ones you're facing now:

https://kiwicon.org/~pipes/wwhm/revenge/rez01.txt (search for "heaps")

By the way, "CONNECT 300 NoEC" is a pretty ugly connection string... Are you using a real modem or a *cough* soft modem for your wardialing? ;)
> Any tips or ideas are welcome.
Good luck!

--
Marco Ivaldi, OPST
Red Team Coordinator
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
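An added example (not part of the thread, and not code from either poster) showing how to pull the far-end bytes out of a wardialer log like the one quoted above and compute a few cheap signature statistics before deciding whether to retry with other speed/parity/data-bit settings or to attempt PPP, as the reply suggests. The log text is a re-typed copy of the quoted one with the events on separate lines; the list of modem result codes and the "walking bit" heuristic are my assumptions, while 0x7e being the HDLC flag byte that frames PPP is from RFC 1662.

```python
import re
# Constructed sample: the wardialer log quoted in the thread, one event per line
# (the archive ran them together). RECEIVED lines end with the raw bytes in hex.
SAMPLE_LOG = """\
SENT ATDT NUMBER01<CR>
RECEIVED <CR><NL> 0d 0a
RECEIVED CONNECT 300 NoEC<CR><NL> 43 4f 4e 4e 45 43 54 20 33 30 30 20 4e 6f 45 43 0d 0a
RECEIVED ~?~?~?~?~?~?~?~?~?<?><NUL><BS><STX><SOH>@<DLE><BS><EOT><STX><SOH>@<DLE><BS><EOT><STX><SOH>@%<?>~?<?><EOT><DLE><?><?>D<?><?>~? 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f 7e 3f df 00 08 02 01 40 20 10 08 04 02 01 40 20 10 08 04 02 01 40 25 f6 7e 3f df 04 10 e0 d7 44 d5 f9 7e 3f
RECEIVED <CR><NL> 0d 0a
RECEIVED NO CARRIER<CR><NL> 4e 4f 20 43 41 52 52 49 45 52 0d 0a
"""
HEX_TAIL = re.compile(r"((?:\b[0-9a-f]{2}\b\s*)+)$")
# Assumed V.250-style result codes: emitted by the local modem, not by the far end.
RESULT_CODE = re.compile(rb"^(OK|CONNECT\b|NO CARRIER|BUSY|NO DIALTONE|NO ANSWER|RING)")

def received_bytes(log):
    """Yield the raw bytes of each RECEIVED line, decoded from its hex trailer."""
    for line in log.splitlines():
        m = HEX_TAIL.search(line) if line.startswith("RECEIVED ") else None
        if m:
            yield bytes.fromhex(m.group(1))

def remote_payload(log):
    """Join far-end bytes between CONNECT and NO CARRIER, minus modem result codes
    and the bare CR/LF pairs that frame them."""
    chunks, online = [], False
    for chunk in received_bytes(log):
        text = chunk.rstrip(b"\r\n")
        if RESULT_CODE.match(text):
            online = text.startswith(b"CONNECT")
        elif online and text:
            chunks.append(chunk)
    return b"".join(chunks)

def signature(data):
    """Byte statistics that help tell text, a framed protocol, and a stream read
    with the wrong speed/parity/data-bit settings apart (heuristics, not proof)."""
    best = run = lead = 0
    for b in data:  # longest run of "walking bit" bytes (exactly one bit set)
        run = run + 1 if b and (b & (b - 1)) == 0 else 0
        best = max(best, run)
    while data[:2] and data[2 * lead:2 * lead + 2] == data[:2]:
        lead += 1  # how often the first byte pair repeats back to back
    return {"length": len(data),
            "printable": sum(0x20 <= b <= 0x7e for b in data),
            "control": sum(b < 0x20 for b in data),
            "high": sum(b >= 0x80 for b in data),
            "hdlc_flags": data.count(0x7e),  # flag byte framing PPP (RFC 1662)
            "walking_bit_run": best, "leading_pair_repeats": lead}

if __name__ == "__main__":
    print(signature(remote_payload(SAMPLE_LOG)))
```

On the quoted capture this yields 52 far-end bytes, eleven 0x7e flags, nine leading "~?" pairs and an 18-byte run of single-bit bytes, which is the kind of evidence to weigh before treating the stream as a proprietary protocol.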