Discussion:
iWar newbie questions.
i***@public.gmane.org
2010-01-22 20:52:35 UTC
Hey guys!

First of all, congratulations for the nice system.

I'm pretty new to iWar (I've known of the project for some time, but never
tested it) and now I have my chance to test it.

A) I have no modem, so I will be using a VOIP provider. Can you suggest
me a VOIP provider? In particular, one in the USA that allows me to set
my caller ID? I'm sure you have a list of good providers to use with
iWar...

B) What do you mean by "Remote system identification"? Will it, for
example, tell me if it's a Cisco router, SunOS system, etc.? Does this
feature work over the VOIP / IAX protocol?

C) What format should the file used with the -L option have? One number per line?

D) Is iWar able to set my caller ID, for all the calls, to the same
value that I'm calling? I mean, this way we can test and detect
poorly configured voice mails...

E) Once we identify a system (in general Unix) over a line, the most
common attack is brute force against default accounts. Does iWar offer this
feature? If not, how do you do it in general with iWar?

Ah, just to make things clear, I'm authorized to do it.

Thanks
i***@public.gmane.org
2010-01-22 23:32:53 UTC
Post by i***@public.gmane.org
Hey guys!
Howdy.
Post by i***@public.gmane.org
First of all, congratulations for the nice system.
The congrats all belong to Da Beave...
Post by i***@public.gmane.org
I'm pretty new to iWar (I've known of the project for some time, but never
tested it) and now I have my chance to test it.
Excellent.
Post by i***@public.gmane.org
A) I have no modem, so I will be using a VOIP provider. Can you suggest
me a VOIP provider? In particular, one in the USA that allows me to set
my caller ID? I'm sure you have a list of good providers to use with
iWar...
If you're just using the IAX portion, you'll have to listen to each scan
and identify it until we get the recognition code in place.. (ala
WarVOX). Caller ID isn't really necessary unless you have a specific
need for it. So for providers, I'd just go with VoipBuster/VoipStunt.
If you have a need for something else, maybe TeleSIP (www.telasip.com)
or a business class VoIP provider. I'd stay away from Teliax and
Callcentric as they monitor their network very closely and have been known
to be a little... anal. But at this time with the IAX portion, you will
*not* be able to connect to modems/faxes.
Post by i***@public.gmane.org
B) What do you mean by "Remote system identification"? Will it, for
example, tell me if it's a Cisco router, SunOS system, etc.? Does this
feature work over the VOIP / IAX protocol?
This feature is only for analog modems. It's a login banner
identification system.
Post by i***@public.gmane.org
C) What format should the file used with the -L option have? One number per line?
Yes.
Post by i***@public.gmane.org
D) Is iWar able to set my caller ID, for all the calls, to the same
value that I'm calling? I mean, this way we can test and detect
poorly configured voice mails...
Yes.
Post by i***@public.gmane.org
E) Once we identify a system (in general Unix) over a line, the most
common attack is brute force against default accounts. Does iWar offer this
feature? If not, how do you do it in general with iWar?
iWar is a wardialer. For brute force over dialup, THC has a login
hacker script that will work against Unix type logins.
Post by i***@public.gmane.org
Ah, just to make things clear, I'm authorized to do it.
We never thought otherwise. :-)
Post by i***@public.gmane.org
Thanks
No Problem...

-jf
i***@public.gmane.org
2010-01-23 01:17:31 UTC
Post by i***@public.gmane.org
If you're just using the IAX portion, you'll have to listen to each scan
and identify it until we get the recognition code in place.. (ala
WarVOX). Caller ID isn't really necessary unless you have a specific
*not* be able to connect to modems/faxes.
Word. I have working code for one call at a time using the DSP,
but it's sorta pointless. Once I get caught up with yet another
project I intend to make iWar multi-threaded so it can handle multiple
calls at once.

Basically, something you've told me to do for a while jfalcon :)
i***@public.gmane.org
2010-01-23 01:21:23 UTC
Post by i***@public.gmane.org
Word. I have working code for one call at a time using the DSP,
but it's sorta pointless. Once I get caught up with yet another
project I intend to make iWar multi-threaded so it can handle multiple
calls at once.
Basically, something you've told me to do for a while jfalcon :)
Just think of it as a precursor of all the fun we'll be having on USRP. :)
i***@public.gmane.org
2010-01-28 12:10:48 UTC
Hi guys,

Thanks for all answers.

I did my first test with it, and I would like to share with you and
get some feedback from the advanced users.

I did my tests against 301 lines; as a result I got:

- 6 lines BUSY
- 293 lines TIMEOUT
- 2 lines CONNECTED

Is it common to have such a high number of timeouts during war dialing?

What caught my attention is that iWar never marked any system as
VOICE, TONE or SILENCE. Can it be because my modem is one of those poor
USB modems?

The two systems identified answer in the same way, with a non-text
string (in a loop?) that looks like this "~?}#?!}&}!} }0??}/}
t?????~~?}#?!}&}!} }0??}/} t?????~~?}#?!}&}!} }0??}/}
t?????~~?}#?!}&}!} }0??}/}" and consequently iWar was unable to detect
it.

CONNECT [ Not Identified (Max. banner data received) ]

I was thinking, if you saved the non-text output as hex you could
probably use it for comparison with other databases like THC-Amap, no?

Any idea what this could be or how to fingerprint?

Is it possible to record all the sound (Voice, DTMF, etc.) during the
war-dialing to wav files for further analysis? How?

Reading about the IAX config (I hope to test it), I see this description:

# If you're using a Asterisk server, "spoof" your caller ID there.
# If you're using iWar directly with a IAX2 provider, then set this
# to your liking.

iax2_callerid_number 5551212

If my IAX2 provider runs Asterisk, can't I spoof my caller ID? Are
there no public providers that allow it?

Can someone point me to documentation explaining how to configure a
local Asterisk to spoof caller ID? I mean, to set up a local Asterisk
just to spoof my caller ID and redirect to my IAX2 service provider...

It appears really fun... :)

Thanks.
i***@public.gmane.org
2010-01-28 14:53:44 UTC
Post by i***@public.gmane.org
Hi guys,
Thanks for all answers.
No Problem...
Post by i***@public.gmane.org
I did my first test with it, and I would like to share with you and
get some feedback from the advanced users.
- 6 lines BUSY
- 293 lines TIMEOUT
- 2 lines CONNECTED
Is it common to have such a high number of timeouts during war dialing?
Yup. Modems aren't used much anymore. This is where WarVOX does shine as
it can interpret other tones and such. If linked with some sort of voice
recognition software, it will begin creating pretty detailed maps of
exchanges.
Post by i***@public.gmane.org
What caught my attention is that iWar never marked any system as
VOICE, TONE or SILENCE. Can it be because my modem is one of those poor
USB modems?
Yup. These result codes are pretty much a defining feature of USR Courier
modems.
Post by i***@public.gmane.org
The two systems identified answer in the same way, with a non-text
string (in a loop?) that looks like this "~?}#?!}&}!} }0??}/}
t?????~~?}#?!}&}!} }0??}/} t?????~~?}#?!}&}!} }0??}/}
t?????~~?}#?!}&}!} }0??}/}" and consequently iWar was unable to detect
it.
CONNECT [ Not Identified (Max. banner data received) ]
Those are both PPP connections.
Post by i***@public.gmane.org
I was thinking, if you saved the non-text output as hex you could
probably use it for comparison with other databases like THC-Amap, no?
Any idea what this could be or how to fingerprint?
Probably would be possible to do if it's just sending CHAP Challenges...
Is it possible to record all the sound (Voice, DTMF, etc.) during the
war-dialing to wav files for further analysis? How?
Via Asterisk - Yes. Just record() prior to Dial().
# If you're using a Asterisk server, "spoof" your caller ID there.
# If you're using iWar directly with a IAX2 provider, then set this
# to your liking.
iax2_callerid_number 5551212
If my IAX2 provider runs Asterisk, can't I spoof my caller ID? Are
there no public providers that allow it?
There are and there aren't. Some will allow you to set Caller ID. Most of
them you will have to give justification to do so (I usually say it's for
business purposes).
Post by i***@public.gmane.org
Can someone point me to documentation explaining how to configure a
local Asterisk to spoof caller ID? I mean, to set up a local Asterisk
just to spoof my caller ID and redirect to my IAX2 service provider...
It appears really fun... :)
Try it... you might get hooked.
Thanks.
Yup.

-jf
i***@public.gmane.org
2010-02-11 01:26:08 UTC
Hi jf,

Great reply, was very helpful. Thanks.
Yup.  Modems aren't used much anymore.  This is where WarVOX does shine as
it can interpret other tones and such.  If linked with some sort of voice
recognition software, it will begin creating pretty detailed maps of
exchanges.
Very interesting. Thanks for the suggestion.
Post by i***@public.gmane.org
The two systems identified answer in the same way, with a non-text
string (in a loop?) that looks like this "~?}#?!}&}!} }0??}/}
t?????~~?}#?!}&}!} }0??}/} t?????~~?}#?!}&}!} }0??}/}
t?????~~?}#?!}&}!} }0??}/}" and consequently iWar was unable to detect
it.
CONNECT [ Not Identified (Max. banner data received) ]
Those are both PPP connections.
You are right. Wouldn't it be a good idea to add a pattern for it to iWar
to point out that it's a dial-up, for dummy users like me? :)

I remember that you pointed me to THC Login Hacker if I found a
system providing a login, however I just found a dial-up server. Can
you suggest any tool to brute force the dial-up server? I'm trying by
hand: I create a dial-up connection and add common users and
passwords by hand, but it's very slow and boring. Do you know some tool that
automates this process?

Thanks and congratulations for the nice tool.
i***@public.gmane.org
2010-02-11 06:21:11 UTC
Post by i***@public.gmane.org
Hi jf,
Howdy...
Post by i***@public.gmane.org
Great reply, was very helpful. Thanks.
Not a problem.
Post by i***@public.gmane.org
Post by i***@public.gmane.org
Yup. Modems aren't used much anymore. This is where WarVOX does shine as
it can interpret other tones and such. If linked with some sort of voice
recognition software, it will begin creating pretty detailed maps of
exchanges.
Very interesting. Thanks for the suggestion.
Beave is working on this for the next version.... so stay tuned...
Post by i***@public.gmane.org
Post by i***@public.gmane.org
Post by i***@public.gmane.org
The two systems identified answer in the same way, with a non-text
string (in a loop?) that looks like this "~?}#?!}&}!} }0??}/}
t?????~~?}#?!}&}!} }0??}/} t?????~~?}#?!}&}!} }0??}/}
t?????~~?}#?!}&}!} }0??}/}" and consequently iWar was unable to detect
it.
CONNECT [ Not Identified (Max. banner data received) ]
Those are both PPP connections.
You are right. Wouldn't it be a good idea to add a pattern for it to iWar
to point out that it's a dial-up, for dummy users like me? :)
The pattern can be different from what you are seeing. The characters
you're seeing are just the ASCII-translated characters. But in fact
it's actually machine code coming down the pipe. It's all part of the
CHAP challenge which identifies itself. I usually like to review the
connect logs anyway... that's a reward in and of itself.
Post by i***@public.gmane.org
I remember that you pointed me to THC Login Hacker if I found a
system providing a login, however I just found a dial-up server. Can
you suggest any tool to brute force the dial-up server?
Well, you could learn Perl and some serial port programming. THC Login
Hacker is made for Unix logins. You might find a script somewhere that
will hack a Cisco terminal server. But to be brutally honest, doing a
brute force attack takes *a lot* of time that will probably yield little
result. Most of the time, the resources behind the terminal server are
going to be password protected. And if they use RADIUS for access
control and auditing, you're gonna set off alarms. All of this effort
could be put towards mapping more exchanges... Some of the most
interesting stuff actually has very weak security.
Post by i***@public.gmane.org
I'm trying by
hand: I create a dial-up connection and add common users and
passwords by hand, but it's very slow and boring. Do you know some tool that
automates this process?
Perl again... There are tons of scripting languages.. learning a few
wouldn't hurt.

-jf
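One way to turn that observation into a banner check, as an added example that is not iWar's or THC's code: the `?` characters in the quoted banner are bytes the terminal could not print, so the check below assumes the raw bytes received from the modem are available and decodes the RFC 1662 async-HDLC framing that PPP uses over dialup, labelling the line as PPP and reporting the protocol number of the first frame (it goes slightly beyond the thread's single case by also naming PAP, CHAP and IPCP). The sample frame and the SunOS banner are constructed.

```python
# Added example (not iWar or THC code): classify a modem banner as PPP by
# decoding RFC 1662 async-HDLC framing. Works on raw bytes; the '?' shown in a
# terminal stand for bytes it could not print.
FLAG, ESC = 0x7E, 0x7D                      # frame delimiter, transparency escape
PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP"}

def hdlc_escape(payload: bytes) -> bytes:
    """Frame a payload with default ACCM: escape 0x7E, 0x7D and bytes < 0x20."""
    out = bytearray([FLAG])
    for b in payload:
        if b in (FLAG, ESC) or b < 0x20:
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)

def hdlc_unescape(frame: bytes) -> bytes:
    """Undo transparency: 0x7D followed by x becomes x ^ 0x20."""
    out, i = bytearray(), 0
    while i < len(frame):
        if frame[i] == ESC and i + 1 < len(frame):
            out.append(frame[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(frame[i])
            i += 1
    return bytes(out)

def classify_banner(data: bytes):
    """Return ("ppp", info) if any flag-delimited frame starts with the PPP
    address/control bytes FF 03 and a protocol number, else ("text", info)."""
    for raw in data.split(bytes([FLAG])):
        frame = hdlc_unescape(raw)
        if len(frame) >= 4 and frame[:2] == b"\xff\x03":
            proto = int.from_bytes(frame[2:4], "big")
            info = {"protocol": proto, "name": PPP_PROTOCOLS.get(proto, "unknown")}
            if info["name"] == "LCP" and len(frame) >= 8:   # LCP header: code, id, length
                info["code"] = frame[4]                       # 1 = Configure-Request
                info["length"] = int.from_bytes(frame[6:8], "big")
            return "ppp", info
    return "text", {"banner": data.decode("ascii", "replace").strip()}

# Constructed sample: LCP Configure-Request (code 1, id 1, length 14) with MRU
# 1500 and Magic-Number options and a placeholder FCS; a dial-up server resends
# it while waiting for the peer, which is the repeating string seen in the thread.
SAMPLE_LCP = bytes.fromhex("ff03c021 0101000e 010405dc 0506aabbccdd 1234")
SAMPLE_PPP_BANNER = hdlc_escape(SAMPLE_LCP) * 3
SAMPLE_TEXT_BANNER = b"\r\nSunOS 5.8\r\nlogin: "

if __name__ == "__main__":
    for label, sample in (("ppp", SAMPLE_PPP_BANNER), ("text", SAMPLE_TEXT_BANNER)):
        print(label, classify_banner(sample))
```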
i***@public.gmane.org
2010-02-17 22:14:22 UTC
Hi jf,
Well, you could learn Perl and some serial port programming. THC Login
Hacker is made for Unix logins. You might find a script somewhere that will
hack a Cisco terminal server. But to be brutally honest, doing a brute
force attack takes *a lot* of time that will probably yield little result.
Most of the time, the resources behind the terminal server are going to be
password protected. And if they use RADIUS for access control and auditing,
you're gonna set off alarms. All of this effort could be put towards
mapping more exchanges... Some of the most interesting stuff actually has
very weak security.
I did think that dial-up brute force was a common attack. In general,
when you find a dial-up server do you just give up or move to another
target?
Perl again...  There are tons of scripting languages.. learning a few
wouldn't hurt.
I will do it. Thanks
i***@public.gmane.org
2010-02-17 22:26:54 UTC
Post by i***@public.gmane.org
Post by i***@public.gmane.org
Hacker is made for Unix logins. You might find a script somewhere that
will hack a Cisco terminal server. But to be brutally honest, doing a brute
force attack takes *a lot* of time that will probably yield little result.
Most of the time, the resources behind the terminal server are going to
be password protected. And if they use RADIUS for access control and
auditing, you're gonna set off alarms. All of this effort could be put towards
mapping more exchanges... Some of the most interesting stuff actually has
very weak security.
I did think that dial-up brute force was a common attack. In general,
when you find a dial-up server do you just give up or move to another
target?
Dictionary attacks are much more common because they reduce the noise you
push into a target. Also, knowing something about your target helps, so you
can try words/terms that are common within the vernacular of that system.
But brute forcing is like walking up and down every street in your town and
checking each and every door till you find one that is unlocked. In a small
town it's doable... in a large city like New York, you might do it before
you die... but try doing every door in a country... you better be
genetically related to Methuselah and still not smoke...

As for myself, it depends on the system I find. If it acted like a Cisco,
I'd check the defaults then move on... experience has taught me that it
would be a waste of time to brute force it. If it was something different,
I'd play with it for a while to see if I could get it to spit other
information that would identify it more or the type of system, etc...

-jf
i***@public.gmane.org
2010-02-17 22:56:51 UTC
Hi
Post by i***@public.gmane.org
Dictionary attacks are much more common because they reduce the noise you
push into a target. Also, knowing something about your target helps, so you
can try words/terms that are common within the vernacular of that system.
But brute forcing is like walking up and down every street in your town and
checking each and every door till you find one that is unlocked. In a small
town it's doable... in a large city like New York, you might do it before
you die... but try doing every door in a country... you better be
genetically related to Methuselah and still not smoke...
Makes a lot of sense...
Post by i***@public.gmane.org
As for myself,  it depends on the system I find.  If it acted like a Cisco,
I'd check the defaults then move on... experience has taught me that it
would be a waste of time to brute force it.  If it was something different,
I'd play with it for a while to see if I could get it to spit other
information that would identify it more or the type of system, etc...
But if it's only a dial-up server how could you identify if it's a
Cisco or not? Or even make it spit out other information? Based on the
output of iWar all I see are these ASCII chars that you pointed out are
CHAP auth. Is there some other tool that you use in debug mode to
decode / dissect it? I mean, like Wireshark for .pcap files and
network protocols?

Thanks
i***@public.gmane.org
2010-02-17 23:15:49 UTC
Post by i***@public.gmane.org
Post by i***@public.gmane.org
As for myself, it depends on the system I find. If it acted like a Cisco,
I'd check the defaults then move on... experience has taught me that it
would be a waste of time to brute force it. If it was something
different, I'd play with it for a while to see if I could get it to spit other
information that would identify it more or the type of system, etc...
But if it's only a dial-up server how could you identify if it's a
Cisco or not? Or even make it spit out other information? Based on the
output of iWar all I see are these ASCII chars that you pointed out are
CHAP auth. Is there some other tool that you use in debug mode to
decode / dissect it? I mean, like Wireshark for .pcap files and
network protocols?
If it spills PPP right off the bat, then it's CHAP most likely... I
already know that the system is on a network and probably talking to a
RADIUS... if not also syslogging my caller ID and other information into a
master file. What one can do is simply call via PPP with full debug logging
and see what transpires.
