home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 1
/
HACKER1.ISO
/
phrk2
/
phrack17.8
< prev
next >
Wrap
Text File
|
1992-09-26
|
12KB
|
212 lines
% = % = % = % = % = % = % = %
= =
% P h r a c k X V I I %
= =
% = % = % = % = % = % = % = %
Phrack Seventeen
07 April 1988
File 8 of 12 : Dialback Modem Security
In article <906@hoptoad.uucp> gnu@hoptoad.UUCP writes:
>Here are the two messages I have archived on the subject...
>[I believe the definitive article in that discussion was by Lauren Weinstein,
>vortex!lauren; perhaps he has a copy.
What follows is the original article that started the discussion.
I do not know whether it qualifies as the "definitive article" as I
think I remember Lauren and I both posted further comments.
- Dave
** ARTICLE FOLLOWS **
----------------------------------------------------------------------
An increasingly popular technique for protecting dial-in ports from the ravages
of hackers and other more sinister system penetrators is dial back operation
wherein a legitimate user initiates a call to the system he desires to connect
with, types in his user ID and perhaps a password, disconnects and waits for
the system to call him back at a prearranged number. It is assumed that a
penetrator will not be able to specify the dial back number (which is carefully
protected), and so even if he is able to guess a user-name/password pair he
cannot penetrate the system because he cannot do anything meaningful except
type in a user-name and password when he is connected to the system. If he has
a correct pair it is assumed the worst that could happen is a spurious call to
some legitimate user which will do no harm and might even result in a security
investigation.
Many installations depend on dial-back operation of modems for their principle
protection against penetration via their dial up ports on the incorrect
presumption that there is no way a penetrator could get connected to the modem
on the call back call unless he was able to tap directly into the line being
called back. Alas, this assumption is not always true - compromises in the
design of modems and the telephone network unfortunately make it all too
possible for a clever penetrator to get connected to the call back call and
fool the modem into thinking that it had in fact dialed the legitimate user.
The problem areas are as follows:
Caller control central offices
Many older telephone central office switches implement caller control in which
the release of the connection from a calling telephone to a called telephone is
exclusively controlled by the originating telephone. This means that if the
penetrator simply failed to hang up a call to a modem on such a central office
after he typed the legitimate user's user-name and password, the modem would be
unable to hang up the connection.
Almost all modems would simply go on-hook in this situation and not notice that
the connection had not been broken. If the same line was used to dial out on
as the call came in on, when the modem went to dial out to call the legitimate
user back the it might not notice (there is no standard way of doing so
electrically) that the penetrator was still connected on the line. This means
that the modem might attempt to dial and then wait for an answerback tone from
the far end modem. If the penetrator was kind enough to supply the answerback
tone from his modem after he heard the system modem dial, he could make a
connection and penetrate the system. Of course aome modems incorporate dial
tone detectors and ringback detectors and in fact wait for dial tone before
dialing, and ringback after dialing but fooling those with a recording of dial
tone (or a dial tone generator chip) should pose little problem.
Trying to call out on a ringing line
Some modems are dumb enough to pick up a ringing line and attempt to make a
call out on it. This fact could be used by a system penetrator to break dial
back security even on joint control or called party control central offices. A
penetrator would merely have to dial in on the dial-out line (which would work
even if it was a separate line as long as the penetrator was able to obtain
it's number), just as the modem was about to dial out. The same technique of
waiting for dialing to complete and then supplying answerback tone could be
used - and of course the same technique of supplying dial tone to a modem which
waited for it would work here too.
Calling the dial-out line would work especially well in cases where the
software controlling the modem either disabled auto-answer during the period
between dial-in and dial-back (and thus allowed the line to ring with no action
being taken) or allowed the modem to answer the line (auto-answer enabled) and
paid no attention to whether the line was already connected when it tried to
dial out on it.
The ring window
However, even carefully written software can be fooled by the ring window
problem. Many central offices actually will connect an incoming call to a line
if the line goes off hook just as the call comes in without first having put
the 20 hz. ringing voltage on the line to make it ring. The ring voltage in
many telephone central offices is supplied asynchronously every 6 seconds to
every line on which there is an incoming call that has not been answered, so if
an incoming call reaches a line just an instant after the end of the ring
period and the line clairvointly responds by going off hook it may never see
any ring voltage.
This means that a modem that picks up the line to dial out just as our
penetrator dials in may not see any ring voltage and may therefore have no way
of knowing that it is connected to an incoming call rather than the call
originating circuitry of the switch. And even if the switch always rings
before connecting an incoming call, most modems have a window just as they are
going off hook to originate a call when they will ignore transients (such as
ringing voltage) on the assumption that they originate from the going-off-hook
process. [The author is aware that some central offices reverse battery (the
polarity of the voltage on the line) in the answer condition to distinguish it
from the originate condition, but as this is by no means universal few if any
modems take advantage of the information supplied]
In Summary
It is thus impossible to say with any certainty that when a modem goes off hook
and tries to dial out on a line which can accept incoming calls it really is
connected to the switch and actually making an outgoing call. And because it
is relatively easy for a system penetrator to fool the tone detecting circuitry
in a modem into believing that it is seeing dial tone, ringback and so forth
until he supplies answerback tone and connects and penetrates system security
should not depend on this sort of dial-back.
Some Recommendations
Dial back using the same line used to dial in is not very secure and cannot be
made completely secure with conventional modems. Use of dithered (random) time
delays between dial in and dial back combined with allowing the modem to answer
during the wait period (with provisions made for recognizing the fact that this
wasn't the originated call - perhaps by checking to see if the modem is in
originate or answer mode) will substantially reduce this window of
vulnerability but nothing can completely eliminate it.
Obviously if one happens to be connected to an older caller control switch,
using the same line for dial in and dial out isn't secure at all. It is easy
to experimentally determine this, so it ought to be possible to avoid such
situations.
Dial back using a separate line (or line and modem) for dialing out is much
better, provided that either the dial out line is sterile (not readily tracable
by a penetrator to the target system) or that it is a one way line that cannot
accept incoming calls at all. Unfortunately the later technique is far
superior to the former in most organizations as concealing the telephone number
of dial out lines for long periods involves considerable risk. The author has
not tried to order a dial out only telephone line, so he is unaware of what
special charges might be made for this service or even if it is available.
A final word of warning
In years past it was possible to access telephone company test and verification
trunks in some areas of the country by using mf tones from so called "blue
boxes". These test trunks connect to special ports on telephone switches that
allow a test connection to be made to a line that doesn't disconnect when the
line hangs up. These test connections could be used to fool a dial out modem,
even one on a dial out only line (since the telephone company needs a way to
test it, they usually supply test connections to it even if the customer can't
receive calls).
Access to verification and test ports and trunks has been tightened (they are a
kind of dial-a-wiretap so it ought to be pretty difficult) but in any as in any
system there is always the danger that someone, through stupidity or ignorance
if not mendacity will allow a system penetrator access to one.
** Some more recent comments **
Since posting this I have had several people suggest use of PBX lines that can
dial out but not be dialed into or outward WATS lines that also cannot be
dialed. Several people have also suggested use of call forwarding to forward
incoming calls on the dial out line to the security office. [ This may not
work too well in areas served by certain ESS's which ring the number from which
calls are being forwarded once anyway in case someone forgot to cancel
forwarding. Forwarding is also subject to being cancelled at random times by
central office software reboots]
And since posting this I actually tried making some measurements of how wide
the incoming call window is for the modems we use for dial in at CRDS. It
appears to be at least 2-3 seconds for US Robotics Courier 2400 baud modems. I
found I could defeat same-line-for-dial-out dialback quite handily in a few
dozen tries no matter what tricks I played with timing and watching modem
status in the dial back login software. I eventually concluded that short of
reprogramming the micro in the modem to be smarter about monitoring line state,
there was little I could do at the login (getty) level to provide much security
for same line dialback.
Since it usually took a few tries to break in, it is possible to provide some
slight security improvement by sharply limiting the number of unsucessful
callbacks per user per day so that a hacker with only a couple of passwords
would have to try over a significant period of time.
Note that dialback on a dedicated dial-out only line is somewhat secure.
David I. Emery Charles River Data Systems 617-626-1102
983 Concord St., Framingham, MA 01701.
uucp: decvax!frog!die
--
David I. Emery Charles River Data Systems
983 Concord St., Framingham, MA 01701 (617) 626-1102 uucp: decvax!frog!die
Downloaded From P-80 International Information Systems 304-744-2253 12yrs+