Background

BACKGROUND on HACKING DIAL-UP, PBX, VOICEMAIL and on M4phr1k

Security is not a destination but a journey...

That's the best way to sum up IT security and the best way to sum up my travels to date. There are multiple ways to try to hack modems and dial-up connections, PBXs and voicemail boxes, and I'll explain the most popular ones throughout my site. As always, I welcome your comments and suggestions in this process, as this is the culmination of almost 20 years of below- and above-ground experience in war-dialing, PBX and voicemail hacking. The M4phr1k's Wall of Voodoo site has been around for almost 20 years. A few years back (1999) when I hooked up with Stuart McClure, George Kurtz, Joel Scambray and all the others that came to create Foundstone and they wrote the original Hacking Exposed, I got a chance to help take over the sections devoted to this area in the second through sixth editions of Hacking Exposed.

A lot of connections are still based upon Modems. Don't forget this. Firewalls are here and they are a necessary part of any good infrastructure but they are not the only way to hook up. Many hundreds of thousands of modems still exist and still should be considered and treated as potential avenues for compromise.

How I got started

This is my area of specialty primarily because these were the ways of the old Internet: BBS, SprintNet, TymeNet, X.25, X.29, PAD, etc. The newer (IP-based protocol) Internet hacking is cool and always pushing the envelope, but when it comes to my specialty the art form is just that. There are not a lot of tools built to easily do your dial-up hacking, and those that do exist you have to second-guess quite a bit. In order to understand the seemingly complex yet surprisingly simple form of hacking a dial-up connection you need to become a master at scripting an attack. If you really want to try to comprehensively hack a dial-up connection that doesn't fall easily to simple password-guessing techniques at the command line/terminal window, mastering scripting is a must. What you get from me within this site is a ton of experience regarding POTS hacking. I use simple DOS-based tools to get the job done because, gang, most times you don't need a bunch of fancy DLLs and APIs and GUIs etc. to get the job done. The old Internet, the command-line Internet if you will, the connected world via modem before the state it is in today, is how I had to connect up and communicate, so I'm fairly experienced at hacking it. There were no such things back then as there are today, and I keep this art form alive so that those that come after me will be able to understand its simplicity.

M4phr1k (Stephan Barnes)

Where does my alias M4phr1k come from? I'm a big "Top Gun" (the movie) fan, being the product of the military (Air Force brat of 3 fighter-pilot fathers) and of military and defense contractors and agencies (Northrop, DoD, etc.), so my handle while in those areas of service became similar to Maverick's (in Top Gun) with some play on words.

M4phr1k - say it like "Maverick" to say it how I do in hacker speak. The way I pronounce it sounds like when "Iceman" was grilling Maverick about being a lone ranger in his flying skills and not really needing, asking or relying on help from his wingmen. It has the same type of word play as Mark Abene's handle, PhiberOptik.

This odd name has been my hacker handle for many years, since at least around 1985 when the original Top Gun movie came out. I was running around on the old BBS systems of the day, especially the Maverick BBS (remember that?), and it's a play on words on Maverick from the movie, a play on being a maverick (at the time) in terms of phone and dial-up hacking, and a play on words on being a phone phreaker, although I didn't really get into the blue boxing, red boxing, and other hard-core phreak tricks, even though they are neat and I've seen them. Folks like CapnCrunch were some of the innovators of the time back then. I heard of folks like Kevin Mitnick back then, but no one really ran in packs; we were mostly solo acts and it was all a new scene for me at the time. That time was much more about information sharing and much more underground.

I know Kevin and he knows me and I wish him the best. He acknowledged me in his Art of Deception book.  His books and company can be found at (Mitnick Security). These days you have to be careful. I have a good real job so no monkey business for me at this point of my life and everything is by the book (well mostly hehehe). I guess the real crafty ones just never got caught. Some stayed low some went high and some got popped.

I probably could have gone the bad route but I got a job at Northrop on the B-2 in July of 85 (I was only 19) and I got a very strict security clearance to work on this and other very secret things. 

I went the good path before I could get into any real trouble. I went to work for Northrop (now Northrop Grumman) and for a little bit the DoD, and as I progressed I always had an interest in security, always a need to test security. I worked on various black-world things (I can only admit to a few). I'm glad I did. Then in 93 I got out of Northrop and worked at Arthur Andersen, then Ernst and Young in their attack and penetration teams in Southern California, and eventually at EY I started working with Stu McClure (Hacking Exposed), and once Stu and others decided to leave to create Foundstone I joined shortly after as the VP of Sales.

I worked there for 6 years, even after McAfee bought us for 86 Million, and then worked at Special Ops Security, Mandiant, Symosis, and Ciphent. I now work for KRAA Security with Gary Bahadur, who was one of the Foundstone originals.

Why my site is called Wall of Voodoo?

Well, I started into hacking (uh, exploring ...) around the early 80's, and by the time War Games came out this album was already playing on MTV and the radio. Remember the song "Mexican Radio"?

I figured some of the stuff I was getting into was kind of like voodoo (if you will), so there you have it. I started to create and try to be a sysop and maintain an ANSI BBS site for the underground called M4phr1k's (Wall of Voodoo). A lot of the boards back then had legit-looking fronts, but they had secret areas where you could get further access and then further files. That was going to be my purpose, but it went sideways quickly. In 1988 I remember a board called Atlantis (see the video) that Minor Threat ran, but it was hard to get into and didn't last for long; still, that was all I needed to know about to get me hooked. I think that hacking and BBSs were great ways to meet other people that were also into the scene. You really didn't know what to do testing by yourself, so you spent a long time trying stuff without really knowing what you were doing, but the experience was invaluable.

Man, was it painful to try to run and maintain my own BBS back then, and it didn't last for long. Imagine all these phone calls coming in and everyone around you at your house going WTF? Eventually, and not too much longer down the road, the Internet and better IP-based methods were coming of age. I kept my activities pretty quiet from family, girlfriends, friends, etc. because I wasn't quite sure of all the legalities at the time. The Wall of Voodoo was really the alias for the voodoo (if you want to call it that) I was getting into. I'm not really a "fan of the band" Wall of Voodoo, although they had some cool songs; the name was just topical of the time. If you think about guys like Mucho Maas and Minor Threat (the guys that wrote ToneLoc), that's where I was trying to find out more about voicemail and tone scanning etc. I was attempting to write a war dialer in BASIC since I knew BASIC well, but once ToneLoc hit the underground it was pointless. ToneLoc solved so many problems and was beautiful in design. It was a great tool and still is!

But here is the Wall of Voodoo album, and hence where the site got its name.

Through the years 1985 to current I have moved the M4phr1k site around from BBS to BBS and from ISP to ISP (it was at Maverick BBS, Liberty BBS, Delphi Internet, IDT Internet, and MMinternet), and now it resides at Google Sites.

I currently own the www.m4phr1k.com domain and just redirect it to wherever I'm being hosted :)

There are many wayz to war

Please be aware that my techniques are only ONE of many simple ways to accomplish the objectives of war dialing and hacking dial-up, PBX and voicemail boxes. It is a period piece, if you will, because I know that the concepts and foundations I have set out here can probably be better and further programmed in C or other languages for ease. However, I like breaking a relatively simple problem into relatively simple parts. I agree that there are ways to group some of the concepts I demonstrate together and simplify the construction process.

In order to do what we need to do in these pages you will need some tools. Here is a general list, and these are provided in my pages later. Procomm Plus (the Test Drive version, PCPLUSTD, is provided) is what I use; however, many of the concepts shown here can be applied across various communication software packages and their respective scripting systems. I just use Procomm Plus because for many years I grew up writing ASPECT scripts, which is the scripting language in Procomm that lets you automate tasks regarding dialing, modems and such. This will become important later.

So what do you need to make it through these pages? I'll provide them, so don't worry:

• A modem!

• ToneLoc: tl110.zip (as far as I'm concerned this is the Swiss Army Knife of war dialers)

• qbasic.exe and qbasic.hlp (this will help when you want to mass-produce the ASP scripts; I'll explain later)

• Communications software capable of scripting. I use Procomm Plus (it doesn't matter if it's old school or new school, but I'll show you the old school with PCPLUSTD (test drive) included).

• Plenty of ingenuity and patience; those that want a super simple, easy way out may get frustrated.

Now you can use the commercial war dialers like PhoneSweep and TeleSweep, but they cost money. They are not that expensive, but their "penetration modes" concern me because of the high rate of false positives and the potential for simple folks to rely on their results. This is where I take a different path. Is my path harder? Yes, probably initially, but is it a path that you can see and rely upon? Most definitely. To boot, it seems like SecureLogix is kind of hiding the TeleSweep product (lately) behind most of its other products, so who knows. If you want my opinion and don't want to get into this type of technique, stop here and get PhoneSweep. It will cost some money, but its results are pretty decent. PhoneSweep has done a decent job at identifying modems and a somewhat decent job at classifying modems. For the most part these tools simply grab the banner of the modem (if there is one) and try to ASCII-match it back to a database of known products/banners. Just don't try to rely on the brute-force routines without secondary confirmation.

Hence the truly educated will run their own drag races, actually populating the userid and password dictionaries that come with these products to test their effectiveness. Try your favorite PPP account. Put in the UID and PWD and see if either tool 1) finds the modem (it probably will), 2) identifies it as PPP (it gets a little shaky there) and 3) correctly runs the right brute-forcing routine, scripting the whole process of guessing and re-dialing etc. Those of us who test know. That's all I can tell you. I've witnessed this last part (penetration mode) go horribly wild, potentially giving you a false sense of security.

Bottom line is that they do a good job at finding modems and IF your ONLY goal is to eliminate modems, then you'll like those products for the most part.

But heck, if that is your ONLY GOAL (eliminate the modems), then why pay for a product when ToneLoc (FREE) will find them just as easily and just as accurately.
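The classification step described above (grab the banner, ASCII-match it against a known list) and why it needs secondary confirmation, as an added example that is not from this site or from any of the products named. The banner strings are constructed for the example; the one non-text case relies on the fact that a PPP peer opens with HDLC-framed LCP Configure-Request frames rather than a text prompt, which is where pure ASCII matching gets shaky.

```python
import re

# Constructed sample captures: the first bytes a line sent back after carrier.
# None of these are real products' output.
SAMPLES = {
    "line-a": b"\r\nWelcome to ExampleCorp Terminal Server\r\nUsername: ",
    # HDLC flag 0x7E, addr 0xFF, ctrl 0x03, protocol 0xC021 (LCP), code 0x01
    "line-b": b"\x7e\xff\x03\xc0\x21\x01\x01\x00\x14\x02\x06\x00\x00\x00\x00",
    "line-c": b"\r\nexamplehost login: ",      # matches two text signatures
    "line-d": b"\xff\xfe\x00\x01",              # binary noise, no known banner
    "line-e": b"",                              # carrier but silent
}

# Text signatures, the "database of known banners" a sweeper would carry.
KNOWN_BANNERS = {
    "terminal-server": re.compile(r"(?i)\b(login|username):"),
    "remote-access-app": re.compile(r"(?i)enter password"),
    "unix-getty": re.compile(r"(?i)^[\w.-]+ login:", re.M),
}

# A PPP peer sends no banner text; it sends an LCP Configure-Request.
PPP_LCP_MAGIC = b"\x7e\xff\x03\xc0\x21\x01"


def classify(capture: bytes):
    """Return (label, confidence, needs_confirmation) for one captured line."""
    if PPP_LCP_MAGIC in capture:
        # Protocol-level evidence, not a string match: high confidence.
        return ("ppp", "high", False)
    text = capture.decode("ascii", errors="replace")
    hits = [label for label, rx in KNOWN_BANNERS.items() if rx.search(text)]
    if len(hits) == 1:
        # A banner tells you what the prompt looks like, not what is behind
        # it, so a single text hit is still only medium confidence.
        return (hits[0], "medium", True)
    if len(hits) > 1:
        # Overlapping signatures are exactly how false positives are born.
        return ("ambiguous:" + ",".join(hits), "low", True)
    if text.strip():
        return ("unknown-banner", "low", True)
    return ("silent", "low", True)


def classify_all(samples=SAMPLES):
    """Classify every capture; anything flagged goes on the manual-check list."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (label, conf, confirm) in classify_all().items():
        print(f"{name}: {label} ({conf}){'  <- confirm by hand' if confirm else ''}")
```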

And for all you THC-SCAN folks and fans, I have not forgotten you. I'm just taking the SIMPLEST, least complicated approach to having YOU the PEN TESTER understand what is going on behind the scenes.

THC-SCAN is a good tool too, on par with and possibly slightly above ToneLoc for its configurability, but ToneLoc is just a preference with me, that's all.

Conclusion

The experience you get from doing the exercise the way we will go through it on my site is invaluable. It will teach you to be wary of the results of some of these products. By the way, TeleSweep did not make it into HE2 because of time, but it WAS generally a decent tool and it has some merit. It is discontinued now as of Jan 2003. We were up and down with its stability, and I guess at least TeleSweep died (but check the SecureLogix site; they seem to go back and forth about it), so understanding the basics of war dialing first is important so that you don't blindly go use some commercial tool that is riddled with false positives. When you use a GUI without understanding the concepts behind the icons and the GUI, it can make you dumb, so get smart first in the basics and move to the GUI later if you want to pay or don't have the time to go through an exercise like this.
