Wargames - You’ve seen the movie, maybe you experienced it, but that was 20 years ago, certainly things have improved since then, haven’t they?

As we enter the new security paradigm many fear we are faced with resourceful threats and exposures. While this is certainly true, companies need to address some age-old exposures in addition to looking into the future. Currently, many companies are concerned with Internet connectivity, spending large sums of money securing these connections to the world. As more and more companies secure this avenue, hackers begin to look for other ways to break-in. Often this other way is the same old way they used before, just with a few new twists. This makes securing your remote access crucial.

"Wargames" - You’ve seen the movie, maybe you experienced it, but that was 20 years ago, certainly things have improved since then, haven’t they? Don’t be too sure. Now more than ever companies need to understand all of their threats and vulnerabilities, coupled with their high value business objectives. Addressing dial-in risks, as part of any total security architecture makes good business sense.

This stuff doesn’t happen in real life, does it? The movie was based on a true story, as was Clifford Stoll’s now famous hacker book "The Cuckoo’s Egg". More importantly these techniques are still being mimicked today.

Just how do hackers break into a network through a phone line? It is a fairly simple technique known as war dialing (gaining the very name from the movie itself). The following case study was based on an actual company, a Healthcare provider, although the results are representative of findings across several industries. The case study will demonstrate the ease and effectiveness of using a war dialer to break into a corporate network.

The company’s name has been changed to protect the innocent, in this case ABC. When performing a war dialer, there are a few necessary requirements. First and foremost the hacker needs to obtain the company’s exchange. An exchange is the company’s registered phone extensions, for example 216-555-0000 through 216-555-9999; indicating the company owns approximately 10,000 numbers. Obtaining this information can be as trivial as looking in the phone book, referencing a business card or using the public accessible resources of the Internet. For our case study we will assume that ABC Company has three locations, all of which are in the same geographic location, thus having the same area code. Once we have obtained ABC’s exchange and range we next determine the phone numbers that have devices connected to them. Certain fax machines may carry the same characteristics as a modem; the war dialer can filter out these devices. A war dialer in simple terms will take the input range or exchange, which we have already obtained, in this instance 216.555-0,9999, 216.556-0,2000, and 216.557-1234-1244, and dial each number attempting to connect to any devices that answer.

There are a variety of software programs available to perform a war dial test. The most popular commercial package is PhoneSweep (http://www.sandstorm.net/phonesweep). Shareware tools Toneloc and The Hackers Choice (THC) are the most popular for hackers. For this case study we will be using THC. THC can be downloaded freely off any number of security web sites including http://www.6Ft-Under.com. Originally, THC was based off of Toneloc’s design and functionality. However, a newer version of THC has recently been released which has some added features making it the current hacker’s choice, surpassing Toneloc in ease-of-use and in functionality. Phonesweep, a commercial product is extremely functional and eliminates the need to analyze long cumbersome reports produced by the shareware products. This functionality is not inexpensive, Phonesweep can cost up to $2,500 depending on your specific needs.

The hardware needed to run a war dial is surprisingly minimal. Any PC running DOS 6.2 and a modem card, or external modem will suffice. Boot your machine, and configure the modem to live on COM2 and THC will do the rest. Configuring THC is also relatively straightforward, for the example above the following command will initiate and run the war dialer:

This will dial the 10,000 numbers selected; the default setting on the war dialer will dial a number and wait to detect a carrier for 30 seconds. This represents approximately 6 rings per number, not including dial and connect time. If you are dialing through a PBX and testing long-distance numbers, this may need to be increased. Running the war dialer continuously twenty-four hours a day will take approximately 3.5 days to complete a full exchange. In our case we have three ranges to dial. Using the above syntax modify the exchange to /m:216-556, the range to /r:0000-2000 for the next range, thus dialing 216-556-0001,0002,0003 etc until it reaches 2000. Finally run the last segment changing the exchange to /m:216-557, and the range to /r:1234-1244.

Once the war dialer has been configured and started as shown above, it will randomly dial each number looking for devices or carriers. When the war dialer connects to a device it immediately captures the information displayed and stores the banner in a text file for later viewing. The war dialer would classify this connect as a carrier. The war dialer will place each number into one of four categories as described below:

• Busy’s are numbers that, during dialing, were in use; these numbers are placed into a pool of numbers to be redialed. Periodically during testing the dialer will pull busy numbers from the busy pool and redial them. This process will be continued until the number is categorized as a Carrier, a No Carrier or a Timeout. After 8 attempts with the number being continuously busy, the number is marked as busy, and no further automated attempts are made.
• Carriers are numbers that had a device on the remote side to auto-answer and attempt to negotiate a data session, i.e. PC-Anywhere, Windows NT Remote Access Service (RAS). Note: any device that responds with a carrier, is a concern to the organization as they may provide a "gateway" into the internal network.
• No Carriers are numbers that answered, but did not attempt to negotiate a data session, these are typically voice response, or other non-machine oriented pickups, including any automated attendant-type phone numbers.
• Timeouts are numbers that were dialed with no response of any type.

Hackers are only interested in carriers found, or devices that answered with a data session. As noted earlier war dialers can determine fax machines from a true data connection. Once the war dialer is finished, the next step would be to view the banners that were captured. Below are examples that were captured during the case study:

Did the war dialer break in? No. The war dialer is only a tool in this overall process. There still needs to be some level of expertise involved to understand and analyze the war dialer results.

The first example is a banner captured from a machine running PC-Anywhere. Although not easily recognized by the naked eye, this banner is distinguishable by the:

_Please press <Enter>…_

Evident in Any PC-Anywhere banner.

Why is the banner so important? Without knowing the system you have connected to, it may be impossible to properly connect to that system. In this example the host is running PC-Anywhere software, thus in order to establish a proper connection the hacker must use the PC-Anywhere client. In this instance the host machine is not requesting any form of authentication. Once a hacker connects he has free access to the machine and possibly the entire network. For our case study, we were able to connect to five (5) machines running PC-Anywhere. These machines were all logged in as Administrator and we were able to map the internal network to identify additional targets. Further, we were able (using the file transfer feature of PC-Anywhere) to download and crack the SAM files and eventually take over the entire internal network. No one from the network security staff knew that we were connected and there were no logs of our activity. The security ramifications of this breach can be quite far reaching. Unrestricted access to the connected machines, and ABC’s entire internal network can obviously have serious consequences.

The second banner displays a Shiva remote access server, a very common centralized device used to authenticate users onto the network. This device can be recognized by the banner:

@Userid:

As demonstrated above the war dialer will attempt some very basic commands to try to gain access to the device or generate more information that may be used to identify the device in later steps.

That’s it, are we done? As demonstrated from the above example, running a war dialer is fairly simple, however understanding and analyzing the results takes some more detailed knowledge and understanding of remote access services. The war dialer can identify possible devices that may be used to gain entry into a company, but it is up to the perseverance and the expertise of the hacker to gain entry. The next step is to review the carrier logs and determine, using the method described above, what the device is.

Is there anything that can help me identify these devices? There is always an easier way. PhoneSweep has the potential to identify over 250 devices automatically while running the war dialer. It uses the same techniques described above matching known banner signatures to ones that have been preprogrammed. For our example we used a reference from a well know hacking magazine called Phrack (Volume Six, Issue Forty-Seven, File 6 of 22).

From our example we were able to connect to ABC’s network without authorization to over seven (7) different devices and from that we had the potential to download/modify/delete patient identifiable information.

Of course war dialing is illegal, right? As alluded to earlier, running a war dialer may be illegal. Some states restrict dialing a sequential range of numbers, hence the above example could possible be illegal. However, the hacking community, more specific THC, has worked around this by randomizing the numbers dialed in the range. This serves two purposes, one it eliminates or reduces the risk of legal liability, but more importantly stealth’s the war dialing activity. It is not long before employees notice phones ringing in sequential order from one cubical to the next and when they answer no one is there. This may seem strange but these laws were primary instituted to stop tele-markers from using similar methods to sell you stuff. It does not stop them, nor does it stop the hackers.

How can war dialing be prevented? While it is extremely difficult to stop war dialing, it is possible to make the practice less fruitful. When planning to secure remote access there are a several points that should be addressed:

Any remote access solution must be reliable, easy-to-use and secure. Does remote dial-in connectivity have a place in today’s fast paced Internet driven economy? The answer is an emphatic yes. There is no need to throw away your old dial-in solution for newer technologies. Solutions exist to allow users requiring PC-Anywhere access the ability to use the centrally controlled and monitored dial-in pool. The increasing mobility of today’s workers supports the need for corporate dial-in solutions. Many business users have Internet connectivity at their homes for personal use. This may suggest the use of Virtual Private Networks (VPN) for everyone. Unfortunately, users do not often have access to their local connections when travelling far from home. Additionally, VPN technology is not yet consumer ready. Wide scale deployment often requires a large technical staff capable of debugging often-difficult problems. Technically savvy users will have an easy time making connections. Others may find the technology difficult to use. There are other hurdles to entering the VPN game. Not all Internet Service Providers (ISP) provide the types of connections that can be leveraged to use VPN technology. This may limit choices for your users. Understanding this and other future needs and expectations will reduce the risk of rogue remote access points across the company. Consolidation of these access points into one centralized secure location is a win-win situation for users and for corporate security. As noted throughout this paper, having a centralized remote access solution can reduce administration time, increase security and overall enable business to perform at peak levels.

Cavalier and DisordeR. Phrack, General Source " Volume Six, Issue Forty-Seven, File 6 of 22", Internet Outdial List v3.0

Link: http://www.6ft-under.com/Tools/index.htm

Minor Threat & Mucho Maas. "ToneLoc v0.98 User Manual"

Link: http://www.textfiles.com/hacking/tl-user.txt

Dan Powell, Steve Schuster and Ed Amoroso, AT&T Labs. "Local Area Detection of Incoming War Dialer Activity". Columbia, MD.

Link: http://www.att.com/isc/docs/war_dial_detection.pdf

Stoll, Clifford. Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage

Amazon Link: http://www.amazon.com/exec/obidos/ASIN/0743411463/qid=1006294548/sr=8-1/
ref=sr_8_19_1/102-2960351-1015308

Mandia, Kevin and Prosise, Chris. Incident Response. New York. Osborne/ McGraw-Hill. 2001.

Amazon Link: http://www.amazon.com/exec/obidos/ASIN/0072131829/qid=1006295463/sr=8-1/
ref=sr_8_3_1/107-8423942-1846913

Stuart McClure, Joel Scambray, George Kurtz. Hacking Exposed: Network Security Secrets & Solutions. New York. Osbonre/ McGraw Hill. 2000.

Amazon Link: http://www.amazon.com/exec/obidos/ASIN/0072193816/qid=1006296197/sr=8-1/
ref=sr_8_7_1/107-4007216-1010936

to top of page | to Threats & Vulnerabilities | to Reading Room Home