Once the output from any of the war dialers is available, the next step is to categorize the results into what we call "domains". Experience with a large variety of dial-up servers and operating systems is irreplaceable. How you choose which systems to further penetrate depends upon a series of factors such as how much time you are willing to spend, how much effort and computing bandwidth is at your disposal, and how good your guessing and scripting skills are.
Dialing back the discovered listening modems with simple communications software is the first critical step to putting the results into domains for testing purposes. When dialing a connection back it is important to try to understand the characteristics of the connection. This will make sense when we discuss grouping the found connections into domains for testing. There are important factors that characterize a modem connection and thus will help your scripting efforts. Here is a general list of factors to identify:
· Whether or not the connection has a time-out or attempt-out threshold.
· Whether exceeding the thresholds renders the connection useless (this occasionally happens).
· Whether the connection is only allowed at certain times.
· Whether you can correctly assume the level of authentication; i.e. userid only, or userid and password only.
· Whether the connection has a unique identification method that appears to be a challenge-response, such as SecurID.
· Whether you can determine the maximum number of characters accepted in the userid or password fields.
· Whether you can determine anything about the alphanumeric or special-character makeup of the userid or password fields.
· Whether or not any additional information can be gathered by typing other types of break characters at the keyboard, such as CTRL-C, CTRL-Z, ?, etc.
· Whether or not the system banners are present or have changed since the first discovery attempts, and what type of information is presented in the system banners. This can be useful for guessing attempts or social engineering efforts.
Once you have this information you can generally put the connections into war-dialing penetration domains. For purposes of illustration, there are 5 domains to consider when attempting to further penetrate the discovered systems. LHF is really its own domain and the rest are "Brute Force Domains". It is easy to conceptualize your targeting and process this way. So work down the complexity and go after Low Hanging Fruit (LHF) first. Then proceed and put your targets into the other domains, primarily based upon the number of authentication mechanisms and the number of attempts that are allowed against those mechanisms. Hence the domains can be shown as follows.
| Domain | Description |
| --- | --- |
| 1. Low Hanging Fruit (LHF) | Easily guessed or commonly used passwords for identifiable systems (experience counts here). |
| 2. Brute Force Domain | Systems with only one type of password or id, where the modem does not disconnect after a pre-determined number of failed attempts. |
| 3. Brute Force Domain | Systems with only one type of password or id, where the modem disconnects after a pre-determined number of failed attempts. |
| 4. Brute Force Domain | Systems with two types of authentication mechanisms, such as id and password, where the modem does not disconnect after a pre-determined number of failed attempts.* |
| 5. Brute Force Domain | Systems with two types of authentication mechanisms, such as id and password, where the modem disconnects after a pre-determined number of failed attempts.* |
*Dual Authentication is not classic Two-Factor authentication where the user is required to produce two types of credentials: something they have and something they know.
In general, the further you go down the list of domains, the longer it can take to penetrate a system. As you move down the domains the scripting process becomes more sensitive, because of the number of actions that need to be performed.
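The factor list and the five-domain table above are, read from the other side, a checklist for whoever owns the modem pool: a line's domain is decided by how many credentials it asks for and whether it hangs up after a fixed number of failures, and every factor that is missing is a hardening step. The following Python is an added example written for this section (not code from the original text) that records those observed characteristics per line, assigns the domain exactly as the table defines it, and lists the changes that would push the line into a harder domain. The `ModemService` fields, the `classify_domain` and `hardening_steps` functions and the inventory records are all assumptions constructed for illustration; the domain numbering follows the table.

```python
"""Assign dial-up lines to the five domains from the text and report hardening gaps.

All inventory records below are constructed sample data, not real systems.
"""
from dataclasses import dataclass
from typing import List, Optional, Dict

# Domain numbers follow the table in the text: 1 = LHF, 2-5 = brute force domains.
DOMAIN_LABELS = {
    1: "LHF: easily guessed or commonly used passwords",
    2: "single authentication, no disconnect on failed attempts",
    3: "single authentication, disconnects after N failed attempts",
    4: "dual authentication, no disconnect on failed attempts",
    5: "dual authentication, disconnects after N failed attempts",
}


@dataclass
class ModemService:
    """Observed characteristics of one dial-in line (hypothetical record layout)."""
    name: str                        # inventory label
    auth_factors: int                # 1 = userid OR password only, 2 = userid AND password
    lockout_after: Optional[int]     # failed attempts before the modem disconnects; None = never
    challenge_response: bool = False  # a token/challenge step (e.g. SecurID) is required
    time_restricted: bool = False     # line only answers during an allowed window
    banner_identifies_system: bool = False  # banner reveals vendor, OS or version
    default_credentials: bool = False       # still uses default or commonly used passwords


def classify_domain(svc: ModemService) -> int:
    """Map a line onto domains 1-5 as the table defines them."""
    if svc.auth_factors not in (1, 2):
        raise ValueError(f"{svc.name}: auth_factors must be 1 or 2")
    if svc.default_credentials:
        return 1                     # LHF regardless of lockout or factor count
    disconnects = svc.lockout_after is not None and svc.lockout_after > 0
    if svc.auth_factors == 1:
        return 3 if disconnects else 2
    return 5 if disconnects else 4


def hardening_steps(svc: ModemService) -> List[str]:
    """Each missing factor from the checklist becomes one concrete change."""
    steps: List[str] = []
    if svc.default_credentials:
        steps.append("replace default or commonly used credentials")
    if svc.auth_factors < 2:
        steps.append("require both a userid and a password")
    if svc.lockout_after is None or svc.lockout_after <= 0:
        steps.append("disconnect the call after a fixed number of failed attempts")
    if not svc.challenge_response:
        steps.append("add a challenge-response token so guessing alone cannot succeed")
    if not svc.time_restricted:
        steps.append("restrict dial-in to the hours the line is actually needed")
    if svc.banner_identifies_system:
        steps.append("remove vendor, OS and version details from the banner")
    return steps


def assess(inventory: List[ModemService]) -> List[Dict[str, object]]:
    """Weakest domain first, so the report reads in the order an attacker would work it."""
    report = []
    for svc in sorted(inventory, key=classify_domain):
        domain = classify_domain(svc)
        report.append({
            "name": svc.name,
            "domain": domain,
            "label": DOMAIN_LABELS[domain],
            "steps": hardening_steps(svc),
        })
    return report


# Constructed sample inventory covering all five domains.
SAMPLE_INVENTORY = [
    ModemService("ras-hardened", 2, 3, challenge_response=True, time_restricted=True),
    ModemService("ras-legacy", 2, None, banner_identifies_system=True),
    ModemService("ups-monitor", 1, 3),
    ModemService("router-console", 1, None),
    ModemService("pbx-maint", 1, None, default_credentials=True),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print(f"[{row['domain']}] {row['name']}: {row['label']}")
        for step in row["steps"]:
            print(f"    - {step}")
```

Running the block prints the inventory weakest-first, which is the same ordering the text recommends for working through discovered lines; a line with an empty step list already sits in domain 5 with every listed factor in place.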