Dial-up, VPN and Network Devices hacking - PowerPoint PPT Presentation

Provided by: Dr1803
Learn more at: http://home.ubalt.edu

Transcript and Presenter's Notes


1
Dial-up, VPN and Network Devices hacking
2
Dial-up hacking
  • Phone number footprinting: phone directories
    (on-line and CD-ROM).
  • Wardialing (scanning): automatically dialing a
    range of numbers, as telemarketers do, using a
    hardware/software combination.
  • A PC with serial ports and modems is all that is
    needed.
  • Software: ToneLoc, THC-Scan (free) and
    PhoneSweep (commercial). See book.
  • Typically one modem can wardial 10,000 numbers
    in 7 days of 24 hours.
  • Telcos take this seriously and in many areas this
    is illegal (a ping sweep is not).
  • Penetration domains: once the logs are obtained,
    the connections found can be classified as
    follows (see book for examples in QBASIC):
  • LHF (low-hanging fruit): easily guessed or
    commonly used passwords for known systems
  • Single authentication, unlimited attempts
  • Single authentication, limited attempts
  • Dual authentication, unlimited attempts
  • Dual authentication, limited attempts
  • Basic countermeasures: inventory and consolidate
    modem lines, use at least dual authentication
    with limited attempts, put the dial-in systems
    in a DMZ.

3
PBX, Voicemail, VPN
  • PBX: most PBXs are no longer electro-mechanical
    machines, but rather computers with IP addresses,
    graphical interfaces, etc.
  • Types: Octel, Williams, Meridian, ROLM, AT&T,
    each with its own login procedure (some very easy
    to hack, see book).
  • Basic countermeasure: only turn the maintenance
    modem on when maintenance is needed; keep it off
    the rest of the time.
  • Voicemail: low impact; brute-force attempts are
    possible and leave no logs (the system answers by
    voice).
  • VPN: tunneling private data through the Internet
    with encryption, reducing WAN costs and
    supporting modern electronic commerce.
  • Tunneling involves encapsulating one datagram
    within another, be it IP within IP (IPSec tunnel
    mode) or PPP within GRE (PPTP).
  • IPSec (which displaced PPTP) and Layer 2 Tunneling
    Protocol, L2TP (which replaced L2F), are the most
    used VPN standards.

4
VPN Hacking
  • Microsoft PPTP originally had a weak encryption
    setup (RC4 with keys derived from the user's
    password hash), the TCP port (1723) used for
    connection control was vulnerable to DoS attacks,
    and only the data channel was encrypted, not the
    control channel. NT Service Pack 4 closed these
    vulnerabilities; Win 9x clients should be
    upgraded to DUN 1.3 to use these improvements.
  • Win 2k, XP and 7 came with IPSec support, as we
    saw previously. See VPN with Single Sign On in
    Windows 7.
  • IPSec is very difficult to understand, even for
    experts.
  • Hackers do not seem to have figured it out yet,
    which is good.
  • Schneier and Ferguson's (renowned experts)
    conclusion: IPSec is too complex to be secure,
    but it is better than any other security protocol
    in existence.
  • Different implementations: a VPN requires the use
    of VPN gateways on the server side. Read this
    article to see a comparison of these types.
  • VOIP hacking: sniffing and enumeration. There is
    potential for new tools here.

5
Network Devices
  • Detection: use traceroute to find the border
    router.
  • Port scanning: use Nmap, or SuperScan and WUPS,
    to scan TCP and UDP ports. In Linux use dig to
    obtain DNS information, e.g. dig -t mx ubalt.edu
  • Router ports (book page 398). If no ports are
    found, the device is most likely filtering them;
    note that an empty UDP scan result is not
    conclusive, since an open UDP port that does not
    answer looks the same as a filtered one.
  • If you find open ports you may be able to
    identify the type of device (router, switch,
    hub) and its manufacturer.
  • OS identification: using Nmap and the other tools
    seen previously.
  • Penetration: once telnet or shell ports are found
    we can connect and use the database of default
    passwords to log in if the administrator failed
    to change the default password; brute force can
    also be used.
  • SNMP allows checking status and configuration,
    and changing the configuration. You should
    restrict its use, if you allow it at all, through
    your border router.
  • Backdoors: accounts meant for vendors, to let
    them bypass a locked-out administrator, but
    which offer hackers a back door. Vendors such as
    3Com, Bay, Cisco and Shiva have created these
    accounts. Change the defaults!! See also more
    details in the book if you manage one of these
    devices.

6
Other vulnerabilities
  • Specific vulnerabilities: Cisco and Ascend
    writable MIBs (SNMP write access). Cisco weak
    password encryption (the reversible "type 7"
    encoding). TFTP (most routers). Bay config file
    is clear text.
  • Shared vs switched: shared media broadcasts to
    all nodes. A switch builds a table of MAC
    addresses and sends each frame only to the port
    of the destination MAC.
  • Use Snmpsniff in Linux to sniff on shared-media
    networks.
  • Packet sniffing was developed for the shared-media
    environment, but
  • there are now packet-sniffing tools for switches.
    Dsniff is easily installed in Ubuntu: use sudo
    apt-get install dsniff. Use sudo to run it. There
    is a FAQ to help you with its use. See example.
  • Basic countermeasure: use encryption for all your
    traffic, such as PKI (1,2). You can also use a VPN
    to create more secure connections.
  • ARP redirect: arpredirect (called arpspoof in
    current dsniff releases) is part of the dsniff
    package. It sends forged ARP replies so that
    traffic goes through the attacker's machine.
  • RIP spoofing: again use WUPS or Nmap to scan UDP
    port 520 (RIP). A C program, rprobe, was written
    to demonstrate how to spoof/redirect routes.
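The "Cisco weak password encryption" bullet above refers to the IOS "type 7" encoding written by `service password-encryption`: each password byte is XORed with a fixed, publicly known key string, so anyone who can read the config can recover the cleartext. The following is an added example (not code from the slides or the book) that implements the encoding and decoding and audits a constructed config fragment. The hostname, usernames and the `SAMPLE_CONFIG` text are made up for illustration.

```python
"""Decode Cisco IOS "type 7" passwords and audit a config for them.

Added example: the XOR key below is the well-known constant every IOS image
uses; the config text is constructed for this demonstration.
"""
import re

# Fixed key stream shared by all IOS images: it is public, so type 7 is
# obfuscation, not encryption.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(password: str, seed: int = 8) -> str:
    """Produce what `service password-encryption` writes: a 2-digit decimal seed
    followed by one hex byte per character, XORed with the key at offset seed + i."""
    if not 0 <= seed < len(_TYPE7_KEY):
        raise ValueError("seed out of range")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(password.encode()):
        out.append(f"{ch ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Reverse type7_encode; raises ValueError on a string that is not type 7 shaped."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])  # ValueError on non-hex input
    clear = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return clear.decode()


# Constructed running-config fragment, as an auditor would see it after `show run`.
SAMPLE_CONFIG = """\
hostname border-rtr
enable secret 5 $1$abcd$notreversiblehash
enable password 7 0822455D0A16
username ops password 7 104D000A0618
line vty 0 4
 password 7 03170808140A35
snmp-server community public RO
"""

_TYPE7_LINE = re.compile(r"\bpassword\s+7\s+([0-9A-Fa-f]{4,})")


def audit_config(config: str) -> list:
    """Return (config line, recovered cleartext) for every type 7 secret found.
    `enable secret 5` lines (MD5 hashes) are deliberately not matched: they are one-way."""
    findings = []
    for line in config.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            findings.append((line.strip(), type7_decode(m.group(1))))
    return findings


if __name__ == "__main__":
    for line, clear in audit_config(SAMPLE_CONFIG):
        print(f"{line!r} -> {clear!r}")
```

Running the audit over the constructed config recovers all three type 7 passwords while leaving the `enable secret 5` hash alone; the practical lesson is that only `enable secret` (a one-way hash) protects the enable password, and type 7 only hides it from someone glancing at the screen.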
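The ARP redirect bullet describes the mechanism: the attacker answers for the gateway's IP address with its own MAC, so the switch's MAC table delivers the victim's frames to the attacker. The following added example (mine, not code from the slides or from dsniff) builds the same kind of forged ARP replies as raw Ethernet frames and runs a small detector over them that alerts when an IP address's MAC binding changes. All MAC and IP addresses are constructed; nothing is sent on a network.

```python
"""Forge ARP replies of the kind arpredirect/arpspoof sends, and detect the
resulting IP-to-MAC flips. Added example with constructed addresses."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply that claims 'sender_ip is at sender_mac'.
    Nothing in ARP authenticates this claim; hosts simply update their cache."""
    eth_hdr = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype Ethernet, ptype IPv4, hlen 6, plen 4, opcode
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp_body = (mac_bytes(sender_mac) + ip_bytes(sender_ip)
                + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth_hdr + arp_hdr + arp_body


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


def detect_arp_spoof(frames):
    """Learn IP->MAC bindings from ARP replies and report any binding that changes.
    Caveat: the first reply seen is trusted, so monitoring must start before the
    attacker does (or the table must be seeded from a known-good inventory)."""
    bindings = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ip} moved from {previous} to {mac}")
        bindings[ip] = mac
    return bindings, alerts


# Constructed addresses: a gateway, a victim and the attacker on one switched segment.
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:10", "192.168.1.10"
ATTACKER_MAC = "de:ad:be:ef:00:66"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # legitimate
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # legitimate
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "gateway is at attacker"
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "victim is at attacker"
]

if __name__ == "__main__":
    table, alerts = detect_arp_spoof(SAMPLE_FRAMES)
    print(table)
    print("\n".join(alerts))
```

After the two poisoned replies both addresses resolve to the attacker's MAC, which is exactly the state in which the attacker can forward (and sniff) traffic in both directions; the detector reports both flips. Static ARP entries on critical hosts and the encryption countermeasure named in the slide are the defences, since the switch itself cannot tell a forged reply from a real one.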
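RIPv1 responses arriving on UDP port 520 are accepted without any authentication, which is what the RIP spoofing bullet relies on. The following added example (not the rprobe program from the book, which is not reproduced here) builds a forged RIPv1 response in the RFC 1058 wire format, parses it back, and applies RIP's basic distance-vector acceptance rule to a constructed routing table to show how a metric-1 advertisement steals a route. The addresses and the victim's table are made up.

```python
"""Forge and parse a RIPv1 response (RFC 1058 wire format) and show why an
unauthenticated metric-1 advertisement hijacks a route. Added example with
constructed addresses; nothing is sent on the network."""
import ipaddress
import struct

RIP_PORT = 520
RIP_RESPONSE = 2
AF_INET = 2
RIP_INFINITY = 16
# One route entry: AFI, zero, IPv4 address, 8 must-be-zero bytes, metric (20 bytes).
ENTRY_FMT = "!HH4s8xI"


def build_ripv1_response(routes) -> bytes:
    """routes: iterable of (network, metric). RIPv1 carries no authentication and
    no subnet mask, so any host can advertise any classful network at any cost."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, 1, 0)  # command, version 1, must-be-zero
    for network, metric in routes:
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError("RIP metric must be 1..16")
        pkt += struct.pack(ENTRY_FMT, AF_INET, 0, ipaddress.IPv4Address(network).packed, metric)
    return pkt


def parse_ripv1(pkt: bytes):
    """Return (command, [(network, metric), ...]) from a RIPv1 packet."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("bad RIP packet length")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if version != 1:
        raise ValueError("not RIPv1")
    entries = []
    for off in range(4, len(pkt), 20):
        afi, _, addr, metric = struct.unpack(ENTRY_FMT, pkt[off:off + 20])
        if afi == AF_INET:
            entries.append((str(ipaddress.IPv4Address(addr)), metric))
    return command, entries


def apply_rip_update(table: dict, entries, advertiser: str) -> dict:
    """Simplified RIP acceptance rule: install a route if (metric + 1) beats the
    current cost. Timers and route withdrawal handling are omitted."""
    for network, metric in entries:
        cost = min(metric + 1, RIP_INFINITY)
        current = table.get(network)
        if cost < RIP_INFINITY and (current is None or cost < current[0]):
            table[network] = (cost, advertiser)
    return table


# Constructed victim routing table: network -> (cost, next hop). 10.0.0.0 is 3 hops away.
VICTIM_TABLE = {"10.0.0.0": (3, "192.168.1.1"), "172.16.0.0": (1, "192.168.1.1")}
ATTACKER_IP = "192.168.1.66"
FORGED_RESPONSE = build_ripv1_response([("10.0.0.0", 1)])


def hijack_demo() -> dict:
    """Feed the forged response to a copy of the victim's table, as a RIP listener would."""
    command, entries = parse_ripv1(FORGED_RESPONSE)
    assert command == RIP_RESPONSE
    return apply_rip_update(dict(VICTIM_TABLE), entries, ATTACKER_IP)


if __name__ == "__main__":
    print(hijack_demo())
```

The 24-byte forged response costs the attacker nothing and moves 10.0.0.0 behind 192.168.1.66, after which the attacker sits on the path in the same way as with the ARP redirect. Countermeasures are to run RIPv2 with authentication (or a routing protocol that supports it), make interfaces facing untrusted segments passive, and block UDP port 520 at the border router.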