Case Study
War Dial
Industry: Entertainment
Location: UK
Scene
This case study describes a component of a larger project in which Internet exposures were found to be well managed and focus duly shifted to dial in systems. The subject of the test was a PSTN and ISDN number range of several thousand numbers.
Challenge
The challenge was to locate, identify and penetrate points of dial in access. It was not known beforehand how many, if any, dial in points were present, as no such project had been executed previously and dial in points were not well documented within the organisation.
Engagement
The engagement was executed as a penetration test. The process was automated using simple war dialling software to find out whether a modem answered as each telephone number in the range was dialled sequentially.
The initial war dial revealed several PSTN modems; these included some offering plain text login, PPP and proprietary protocols, as well as some unidentified systems.
Results
One of the few systems offering plain text login was investigated and seen to present a banner. A brute force was started using common usernames and passwords together with strings taken from the banner. The credentials were found quickly and used to log in to the system manually. It was seen to be Cisco equipment; after perusing the configuration it was found to also accept PPP connections.
The brute forced credentials were used to establish a PPP session with the Cisco equipment. Now that IP connectivity was established, the network inside the organisation was surveyed. No internal segmentation was applied, meaning the internal network could be fully perused. After basic enumeration of the local network, banners were collected from selected departmental servers for presentation to the client.
Risks to business
This engagement highlights how telecoms risks which are overlooked can prove to be the weak link that an attacker needs. The business impact from this one security issue could have proved to be very far reaching. Having an unguarded access point to the corporate LAN could lead to critical information leaving the organisation and HR or client data being divulged.
What makes the discovery more critical is the fact that no logging or monitoring was being performed. An attacker who found the dial in access point could have had open access for some time. This access could have been used to compromise critical internal machines such as the domain controllers and to gather sensitive information unnoticed.
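The absence of logging is the point a defender can act on: a sequential sweep of a number range is visible in call records long before any modem answers. As an added illustration that is not part of the case study, the following Python flags that pattern in constructed call detail records; the record layout, the caller and callee numbers, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR lines: "timestamp caller callee duration_s". Real PBX/CDR
# exports differ, so the regex below is an assumption about this layout.
WARDIAL_LINES = [
    f"2024-03-01T02:{2 * i:02d}:10 +441632960100 +4416329602{i:02d} 4"
    for i in range(10)  # ten adjacent numbers dialled two minutes apart
]
NORMAL_LINES = [
    "2024-03-01T09:15:00 +441632960555 +441632960210 312",
    "2024-03-01T11:40:30 +441632960555 +441632960290 88",
    "2024-03-02T08:05:12 +441632960555 +441632960211 640",
]
SAMPLE_CDR = "\n".join(WARDIAL_LINES + NORMAL_LINES)

CDR_RE = re.compile(r"^(\S+) (\+\d+) (\+\d+) (\d+)$")

def parse_cdr(text):
    """Return (timestamp, caller, callee_as_int, duration) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            records.append((ts, m.group(2), int(m.group(3)), int(m.group(4))))
    return records

def find_war_dialers(records, window=timedelta(hours=1), min_distinct=8, min_adjacent=6):
    """Flag callers that reach many distinct numbers, mostly consecutive, inside one window."""
    by_caller = defaultdict(list)
    for ts, caller, callee, _dur in records:  # duration is ignored here; very short calls are a further signal
        by_caller[caller].append((ts, callee))
    hits = {}
    for caller, calls in by_caller.items():
        calls.sort()
        for i in range(len(calls)):  # sliding window starting at each call
            j = i
            while j < len(calls) and calls[j][0] - calls[i][0] <= window:
                j += 1
            callees = sorted({c for _, c in calls[i:j]})
            adjacent = sum(1 for a, b in zip(callees, callees[1:]) if b - a == 1)
            if len(callees) >= min_distinct and adjacent >= min_adjacent:
                hits[caller] = {"distinct": len(callees), "adjacent_pairs": adjacent,
                                "first": calls[i][0].isoformat(), "last": calls[j - 1][0].isoformat()}
                break
    return hits
```

Thresholds should be tuned to the size of the number range and the site's normal call volume; the alert is only as useful as the CDR retention and review that follows it.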