The Art of Wardialing
Wardialing: A systematic approach to identifying or categorizing the use
of phone numbers by calling each number and recording the response.
Long before there was AOL or Earthlink or any of the other popular ISPs of today, people connected directly with distant computers via modems. Instead of dialing up to your ISP and surfing to a chat room or downloading your email, you would dial into your mail server or BBS to do your business. Along with these services, companies would set up specific numbers for employees to call while on the road to access corporate servers for email, or private phone lines to make calls billed to the company. Phone companies would (and still do) use special numbers to test, troubleshoot and configure their networks remotely. Special tones or a sequence of tones could be sent down the phone lines in order to activate or deactivate certain services. (Imagine the joy of the first person that figured out what tone to send down a line to turn off the billing process of a call!) All of these things make communications easier and remote administration simpler and thus, must be a good thing....
It wasn't that long after these things were developed that people with less than honorable motives (disguised by the word "curiosity") began seeking out these special phone numbers and trying out their special tones. Thus Phreaking was born. A phreaker is a person that specializes in breaking into phone systems. What's the easiest way to discover these phone numbers? By calling each and every number in a set block of numbers and recording the responses. It wasn't long after that people's fingers got tired or sore and automated dialers were employed: programs that would go through number after number, dialing and recording until something interesting would pop up. Perhaps a modem tone, a fax machine or even a cute girl's voice :) Whatever it was, the number was flagged for future exploration. This is wardialing.
What is the main goal of wardialing? Access. Access to a specific company's system, access to free long distance, access to an anonymous connection to further hack another computer, access to a place to hide your software.... whatever the case might be. They are looking for backdoor access into your phone system, your computers and your network.
Now, over 15 years after this type of attack was made famous in the movie WarGames, phone line security is still the least considered security threat but probably the easiest attack vector around. I have never run a block of numbers without finding at least one modem that offered me some level of access that I shouldn't have otherwise had. Very few companies even consider their phone lines when they develop their security models!
- How many modems do you have in your company? Whatever number you just thought of, I promise you, it's incorrect.
- Do you own a PBX? Does your vendor offer offsite support via a dial in number? Is he still using the default installation password? Are you sure?
- Out of every computer in your company, how many have modems in them? Are any of them configured to answer calls?
- What's to prevent JoeUser from sticking a modem on his computer so he can get around the firewall to use Instant Messenger? Who else is using that modem to get around your firewall?
- How many fax machines does your company own? Did you know, some of these machines can be configured to send courtesy copies to phone numbers other than where you want them to go? Others still allow incoming calls to 'pull' faxes from their memory or even access network devices.
- How would you ever find a covert modem device that is wired into a phone closet, jacked into your network and activated between the hours of 1900 and 0500 allowing corporate spies access to your company's files?
These are very real and easily exploitable threats on our networks. Luckily, they are also fairly easy to find and disable or harden. How? By wardialing our own networks on a regular basis. It's not rocket science but there are a few things to consider before you start...
- Get Permission!
Before you even begin to set up a dialer, make sure you have the written permission of the actual owners of the phone numbers!
- Coordinate Everything with the Phone Guys.
This is a very important step. They will be able to help you generate a list of numbers to dial and also what numbers not to dial! Some companies set up redirected numbers (dial 7411 for the local fire department), auto reload numbers and other traps that may cost you your job if you dialed them. I once found a PBX that had a number set aside to reboot the PBX itself! All you had to do was call that number and it rebooted! This would be a good time to explain to the phone guys the repercussions of having a number like that. Most of your concerns here will be with auto-forward numbers to police, emergency, the CEO's private line and the like. Always establish a list of 'taboo' numbers and have someone sign off on the dial list as well as the taboo list. By coordinating with the phone guys and keeping them inside the security loop, your chances of cooperation greatly increase. You may even be able to tighten security before you ever dial a number.
- Decide when to Wardial
Do you want to dial in the middle of the day, the evening or early in the morning? I would say yes to all of them. In the middle of the day, almost all of the devices on the network will be turned on. In the middle of the night, you may find some things that were hiding during the day. I would run a few scans at different times of the day and night and then compare the results later.
- Establish a phone number to dial from and always use it.
Have the phone guys set the caller ID to "Wardial" or "PhoneAudit" so your employees know what you are doing. This isn't a big thing but it will make the users more security conscious. Hell, if they do have a rogue modem on their computer, this might be enough motivation to get rid of it and save you the time of tracking it down :)
- Don't do this from home
Most phone companies can auto-detect block dialing and will more than likely disconnect your phone. Your dialing would have to be pretty random and very slow in order not to get caught. If you have the time, I guess anything is possible.
We're not out of the woods yet. It is very important to make sure whatever software you are using is set up right for your network. The biggest danger is crashing the PBX by filling up everyone's voice mail with white space. Imagine your wardialer is set to time out the call after 20 seconds. Each phone ring takes about 2 seconds, your voice mail system is set to pick up after 4 rings and the average greeting is about 5 seconds long. That means voice mail starts recording about 13 seconds into the call, and you have the potential of leaving 7 seconds of blank message in every voice mailbox! That can add up if you have a few hundred employees.
Most modems cannot tell the difference between a phone ringing, a person answering or a recording. Unless you have a high-end modem with the right 'X' registers, your modem will not be able to identify a voice or even count outgoing rings. You'll have to tweak the timeout settings to make sure things don't take forever or load up the PBX.
Also, when a modem is initialized (before it dials) it must be set to either FAX or MODEM. If it's set to FAX and a modem answers on the other end, it won't know what to do, and vice versa. Each number needs to be dialed twice in order to be sure. Again, a high-end modem will be able to tell you "This is a FAX" but it still won't be able to talk to it without re-initializing and re-dialing. The lower end and most common modems won't know anything about the distant end except that "it's not what I expected", and you would have to dial almost every number twice to be sure.
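Two of the bookkeeping chores above, the signed-off taboo list and the voice mail timeout arithmetic, are easy to get wrong by hand. The following is an added example (not code from this article or from any dialer it mentions) that builds the dial list from phone-team-approved ranges minus the taboo list, and computes the longest call timeout that hangs up before the PBX starts recording; the ring, pickup and greeting figures are the article's sample values, and the extension ranges are constructed.

```python
"""Added example, not part of the original article.

Helpers for planning a self-audit wardial:
  * voicemail_records_at / blank_message_seconds / safe_timeout reproduce the
    article's arithmetic (2 s rings, pickup after 4 rings, 5 s greeting,
    20 s timeout -> 7 s of blank message) and turn it into a safe setting.
  * build_dial_list expands the approved ranges and drops every number on the
    signed-off taboo list, refusing to run if a taboo entry is malformed.
All phone numbers below are constructed sample values.
"""


def voicemail_records_at(ring_seconds, rings_before_pickup, greeting_seconds):
    """Seconds after dialing at which voice mail begins recording a message."""
    return ring_seconds * rings_before_pickup + greeting_seconds


def blank_message_seconds(timeout, ring_seconds, rings_before_pickup, greeting_seconds):
    """Length of the blank message left if the dialer waits `timeout` seconds."""
    start = voicemail_records_at(ring_seconds, rings_before_pickup, greeting_seconds)
    return max(0, timeout - start)


def safe_timeout(ring_seconds, rings_before_pickup, greeting_seconds, margin=1):
    """Longest timeout that hangs up `margin` seconds before recording starts."""
    return voicemail_records_at(ring_seconds, rings_before_pickup, greeting_seconds) - margin


def build_dial_list(ranges, taboo):
    """Expand inclusive (first, last) number ranges, skipping taboo numbers.

    Numbers are kept as zero-padded strings so leading digits survive.
    A taboo entry that is not all digits is a sign-off error, so raise.
    """
    taboo_set = set(taboo)
    for entry in taboo_set:
        if not entry.isdigit():
            raise ValueError("malformed taboo number: %r" % entry)
    dial_list = []
    for first, last in ranges:
        width = len(first)
        for n in range(int(first), int(last) + 1):
            number = str(n).zfill(width)
            if number not in taboo_set:
                dial_list.append(number)
    return dial_list


if __name__ == "__main__":
    print("voice mail records at %d s" % voicemail_records_at(2, 4, 5))
    print("blank message with 20 s timeout: %d s" % blank_message_seconds(20, 2, 4, 5))
    print("safe timeout: %d s" % safe_timeout(2, 4, 5))
    print(build_dial_list([("5551000", "5551010")], ["5551005", "5551007"]))
```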
There are tons of free programs on the web to automate wardialing. Most of the free ones are tricky to configure and it's a good idea if you have an understanding of modem init strings and AT commands. Plus, a scripting background wouldn't hurt to help generate the numbers and sort through the results. Most of them are pretty dated and prefer to run on a Windows 9x machine. I'm not going to get into a discussion of which ones are better than the others... Just remember, you get what you pay for. The free ones have no support, sparse readme files and primitive GUIs (for those of you that need GUIs). They do work rather well, once set up correctly.
There are also companies out there that have commercial phone auditing software. These are very modern, database driven, GUI based, wizard configurable, task distributing programs that will make short work of a big wardial. They will also make short work of your budget too. These packages are usually licensed by the number of 'numbers' you are auditing and will cost well into the thousands of dollars. Again, you get what you pay for. Full GUI, help files, auto-configuration... the works.
Lastly, you can brew your own beverage. This is not for the timid though. You have to be pretty dern good at a programming language (take your pick but PERL is my best friend) to the point that you can communicate at least with the serial port, have in-depth knowledge of modem AT commands and init strings, and have the time to actually write the code! I've been writing software to manage modem devices across a network for some time now and a wardialer seems like a cool task. If I ever get around to writing it, I am envisioning a client/server environment with a database backend and CGI front end. Each client is told what to dial, init strings and the like by the server. Once the client finishes with a number, it would report the results back to the server which, in turn, adds the information to the database. From this point, anything could happen: search results, further automated tasks sent to clients, reports generated, new target lists... it's so much fun to imagine code ;)