Footprint

WARDIALING and FOOTPRINTING
(Excerpts from Hacking Exposed written by Stephan Barnes  "M4phr1k")

When you war dial your creating a footprint.  Just like the concepts explained in penetrating systems in Hacking Exposed,     A footprint is going to be the record of what phone numbers give back modem/carrier signals so that you can go back and attempt to penetrate those numbers.  Creating a footprint is similar to doing a ping sweep or scan of an IP subnet or using "nmap" or any other neat tools to do a port scan.  The goals are very similar; see which numbers are alive and have responses (carriers).   It's very low level and is the begining of developing the recon you need to analyze how to penetrate the entity further.  Performing the footprint fast and efficiently with a low signature of the event is preferred.   

CREATING THE FOOTPRINT
1. You could use "freeware" to create the initial footprint

I know many have their favorites but the one I use the most for this process is ToneLoc tl110.zip.  Other good runners up are THC (The Hackers Choice) which is a comparable tool (mentioned in my background section).  The reason I prefer ToneLoc for the initial footprint is that it 1) it is DOS based, 2) it has been used multiple times and proven itself in the wild, and 3) it's very simple and non-complex to understand.  Depending upon the computer and model, I have had a few (very small) instances of run-time errors with THC, meaning that different architecture might not even let the program run.  Hence ToneLoc is my favorite for the simple task of footprinting. Works in most DOS. Additionally we are talking about program execution and data movement that is is ASCII Based.  No complex forms or overlays etc to move data around like you would in a GUI world.  Low memory requirements and stability due to incomplexity are also important pro's.   Now before you say that ToneLoc has hiccup-ed on you in the past - not to worry.  I have the workaround that I have been using since 1995 to ensure that there are no hiccups.  I'll present it down below.  The freeware method is in comparison to using the commercial dialers like PhoneSweep and TeleSweep, which have complex engines that don't give you a lot of clues of what they are doing behind the scenes.  The downfall of ToneLoc is that if you don't like or haven't used DOS much, it's going to be a bit akward.  Matter of fact for a lot of the techniques discussed through my pages you will have to have some DOS background to use ToneLoc, BAT files (batch files) and BAS files (Qbasic files), and Procomm Plus TD (test drive).  And gang, let's face it, many of the systems you may encounter from a dial up perspective use good old VT-100 for emulation.

Hence most Dial-Up is not very complex and it's super simple.  Of course I am leaving out RAS and others like PPP, but even if you came upon a PPP connection it typically has a way to get the terminal window to come up in a VT-100 mode to login. You may rely on some windows gui but you could go interactive with it. The bottom line is that the more GUI the more headache for this type of hacking.

2. You could use commercial war dialing software to create the footprint

I have used both and talked to many people regarding these two popular commercial dialers.  Matter of fact I've been on to their each's tech support line or had others do it for me to go over numerous technical glitches with these programs.  Nonetheless they do have their merits. 

Hacking Exposed 2 and 3 discuss Phone Sweep while TeleSweep was left out.

PhoneSweep by Sandstorm who was acquired by NIKSUN in Jan 2010 demo available at CNET http://download.cnet.com/PhoneSweep/3000-2653_4-10588953.html

TeleSweep DISCONTINUED as product of JANUARY 2003 see the SecureLogix website to get a FREE Modem Scanner though

Apparently there is another commercial dialer to hit the scene called XISCAN; They contacted me and it seemed interesting. If anyone has had success please let me know. If you surf the PENTEST groups there is a freeware tool called tmap? I have not used either of these have no idea how it does; if you have let me know.

So, If you are going to use these dialers and I had to pick one at this point im not sure as I have encountered many false positives in penetrate mode on both PhoneSweep and TeleSweep (TeleSweep discontinued SecureScan so it is a moot point now). If you have to do multiple modems and big batches TeleSweep seemed (see the note about discontinued) to be better in the sense that you can set it up that way. PhoneSweep still uses a parallel port dongle to control the licensing and you can only set up an 800 number profile on the most simplest cheapest version. Both Telesweep and PhoneSweep's penetrate engines are lacking in terms of getting it right. The bottom line is that you can create a faster footprint with probably great looking FOUND logs with ToneLoc in a much quicker amount of time then the commercial dialers. 

Im talking to the solo act and the corporate security or audit function here also.  Dollars will come into play for these products too so consider that as a factor, and remember that ToneLoc is free.

Comments