Monday, March 9, 2009

WarVOX - Place up to 10,000 calls in an 8 hour period

'War-Dialing' making a small comeback

Once, many moons ago, before even most people knew about the Internet, some hackers and self-motivated computer security enthusiasts used programs called war-dialers. The war-dialers were fairly simple programs; they would just dial telephone numbers in order, using a modem, and they would take note of any connections they could make. While 99.9% of the calls early war-dialers made would be made to some confused or annoyed person, trying to figure out what that squelching sound was, every blue moon a war-dialer might stumble upon an unprotected computer system that accepted incoming calls.

War-dialing is really old news; but like many other examples in network security, hacking methods and tools never fade away completely, they just get re-worked.

Penetration expert HD Moore has made a new war-dialer for 2009. It is free, and uses VOIP services to place up to 10,000 calls in an 8 hour period. The program is called WarVOX, and, like any self-respecting network security tool, it only runs in Linux.

Moore made the tool, he says, to assist network security auditors find holes in companies' phone systems. "Right now, the target audience for WarVOX is anyone who currently uses legacy war-dialing tools and is frustrated by the amount of time and money it takes to perform the audit," he was quoted as saying on the website Dark Reading.

"After playing with WarVOX over the last few weeks, I was surprised at how many lines I have found that expose some sort of security risk," Moore went on to say. "This includes the administrative interfaces to PBXes, lines that drop you to a fresh dial tone after a dozen rings, internal directories for large companies, and tons of sensitive information."

So you might be saying: "Big deal. So dude found some fresh dial tones -- so what?"

But for someone that really knows what they are doing, one small hole can be sometimes be tunneled and transformed into a gaping passageway into closed networks. Or war-dialing methods can be used just to gather restricted information about a company: "It's possible to reverse-engineer a company directory out of the voice mail greetings. Company directory information is useful, but running WarVOX at regular intervals and viewing the data over time can provide a lot of useful data about an organization, such as how many people they laid off, how many new people they hired, and who is picking up their phone at a given time and date," Moore said.

The WarVOX dialer also records any audio it can gather from the telephone call. So say you had audio archive of 9,000 calls made by the dialer -- the odds are you could filter the calls to the find the longest, and maybe, if you were lucky, something interesting might have been said in one of the calls.

Source: Dark Reading

No comments: