DialUp

Brute Force Scripting – The Home Grown Way  
(Excerpts from Hacking Exposed written by Stephan Barnes  "M4phr1k")

Once the results from the output from any of the war dialers is available, the next step is to categorize the results into what we call “domains”. experience with a large variety of dial-up servers and operating systems is irreplaceable.  How you choose which systems to further penetrate depends upon a series of factors such as how much time you are willing to spend, how much effort and computing bandwidth is at your disposal, and how good your guessing and scripting skills are. 

Dialing back the discovered listening modems with simple communications software is the first critical step to putting the results into domains for testing purposes.  When dialing a connection back it is important to try to understand the characteristics of the connection.   This will make sense when we discuss grouping the found connections into domains for testing.  There are important factors that characterize a modem connection and thus will help your scripting efforts. Here is a general list of factors to identify:

·        Whether or not the connection has a time-out or attempt-out threshold. 

·        Whether exceeding the thresholds renders the connection useless, which occasionally happens. 

·        Whether the connection is only allowed at certain times.

·        Whether you can correctly assume the level of authentication; i.e. userid only or userid and password only.

·        Whether the connection has a unique identification method that appears to be a challenge response such as SecureID

·        Whether you can determine the maximum amount of characters for responses to userid or password fields

·        Whether you can determine anything about the alphanumeric or special character makeup of the userid or password fields

·        Whether or not any additional information could be gathered from typing other types of break characters at the keyboard such as CTRL-C, CTRL-Z, ?, etc.

·        Whether or not the system banners are present or have changed since the first discovery attempts and what type of information is presented in the system banners.  This can be useful for guessing attempts or social engineering efforts.

Once you have this information you can generally put the connections into war-dialing penetration domains.  For purposes of illustration, there are 5 domains to consider when attempting to further penetrate the discovered systems.  LHF is really its own domain and the rest are "Brute Force Domains". It is easy to conceptualize your targeting and process this way.  So work down the complexity and go after Low Hanging Fruit (LHF) first.  Then proceed and put your targets into the other domains primarily based upon the amount of authentication mechanisms and the amount of attempts that are allowed to try to access those mechanisms.  Hence the domains can be shown as follows. 

LHF

Easily Guessed or Commonly Used Passwords for identifiable systems (experience counts here)

1. Single Authentication, Unlimited Attempts DOMAIN1

These are systems with only one type of password or id, and the modem does not disconnect after a pre-determined amount of failure attempts.

2. Single Authentication, Limited Attempts DOMAIN2

These are systems with only one type of password or id, and the modem disconnects after a pre-determined amount of failure attempts.

3. Dual Authentication, Unlimited Attempts DOMAIN3

These are systems where there are two types of authentication mechanisms such as id and password and the modem does not disconnect after a pre-determined amount of failure attempts.*

4. Dual Authentication, Limited Attempts DOMAIN4

These are systems where there are two types of authentication mechanisms such as id and password and the modem disconnects after a pre-determined amount of failure attempts.*

 

*Dual Authentication is not classic Two-Factor authentication where the user is required to produce two types of credentials: something they have and something they know.

In general, the further you go down the list of domains, the longer it can take to penetrate a system.  As you move down the domains the scripting process becomes more sensitive due to the amount of actions that need to be performed.   Go back up to the links in each above for the goods.

Comments