Episode212

From Paul's Security Weekly


Sponsors & Announcements

"And now from the dark corners of the Internet, where the exploits run wild, packets get sniffed, and the beer flows steady, it's PaulDotCom Security Weekly!"

"Sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable's Security Center extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable – Unified Security Monitoring!"

"Core Security Technologies, helping you penetrate your network. Now version 10.5 full of Jive! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."

"Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."

"And Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!"


PaulDotCom Security Weekly - Episode 212 - For Thursday September 23rd, 2010.

  • Announcing Hack3rcon! The con will take place on Oct 23-24, 2010 at the Charleston Civic Center, alongside CharCon, a gaming conference that will interest many of you as well. Tickets are $40 for the whole weekend.
  • Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Dan King discusses War dialing over VoIP systems & Using TOR as a transparent proxy

Dan enjoys exposing flaws in client-side document formats and likes nothing better than to break security products to expose threats. In previous roles, he served in a market leading Security Operations Center providing IDS analysis and incident response services to a global base of clients. Dan is currently a pen tester with SecureWorks.

Background

WarVOX is a free, open-source war dialing tool for exploring, classifying, and auditing telephone systems. WarVOX processes the raw audio from each call and does not use a modem directly. WarVOX finds and classifies telephone lines using signal processing techniques. WarVOX uses Internet-based VoIP providers instead of the typical telephony hardware used by traditional war dialers. By comparing the pauses between words, WarVOX can help pick out numbers that used the same voicemail system.

Legality

Before we continue I would like to bring up some legality issues with the practice of war dialing. First, I am not a lawyer and this does not constitute legal advice. In 2003 the United States updated the Telephone Consumer Protection Act to state:

"No person or entity may (7) Use any technology to dial any telephone number for the purpose of determining whether the line is a facsimile or voice line"

Also, because of how WarVOX works, issues of wiretapping come up. WarVOX records the audio from the calls it makes. Currently there are twelve states in the United States that require more than one party to be aware that a call is being recorded. Since the lines will not be notified that recording is occurring, this may violate wiretapping laws. More information about these issues can be found here:

  • http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?TITLE=47&PART=64&SECTION=1200&TYPE=TEXT
  • http://www.rcfp.org/taping/
  • http://www.warvox.org/legal.html


Starting it up

WarVOX is conveniently prepackaged on the Linux distribution BackTrack 4. I would recommend only running it on a BackTrack system that you’ve installed to a hard drive, or mounting a rather large volume on network storage. The data files can get rather large pretty fast. You can find it here:

/pentest/voip/warvox/bin/warvox.rb

After you execute it, it will start up a web service on port 7777. Use a web browser to connect by using the following URL:

http://127.0.0.1:7777

As soon as you connect, you will be asked for the username and password. The default for BackTrack is admin/warvox. This can be changed in the warvox.conf file located here:

/pentest/voip/warvox/etc/warvox.conf

Configuration

Now that you’ve started the service and connected, you’ll need to configure it. The first step is to configure your VoIP service providers. Click on “Providers” on the menu bar at the top. You will be presented with the following fields:

  1. Nickname
  2. IAX2 server name
  3. IAX2 port (default 4569)
  4. Username
  5. Password
  6. Number of available outbound lines

You should be able to get this information from your provider. Once entered, press create.

Starting a job

Click on “Jobs” on the menu bar at the top. This screen will allow you to configure a new job and see any active or submitted jobs. To create a new job, you must enter the following fields:

  1. Target telephone range
  2. Seconds of audio to capture
  3. Maximum number of outgoing lines
  4. Source caller ID range

Once this information has been entered, press “create” to kick off the job.

Checking Results

Once a job completes, you can view the results under “Results” on the menu bar. This screen will give you the following:

  1. Number dialed
  2. Caller ID used
  3. Provider used
  4. Completed status
  5. Busy signal
  6. Seconds
  7. Ring time

This information will allow you to see if you are getting any useful data back. If you’re not, there may be something wrong.


Analyzing Data

Once the results are checked, you will have the ability to analyze them. To start analyzing the data, click on “Analysis” on the menu bar. This page will give you a graph identifying the following system types:

  1. Fax machines
  2. Modems
  3. Silence
  4. Voice
  5. Voicemail

On this page, you will also have the ability to LISTEN to the file recorded from the remote number. This can lead to epic lulz. (People get really confused when they call themselves!)

Choosing a provider

Choosing the correct VoIP provider is more of an art than a science. There is one hard requirement: they must support the IAX2 protocol. SIP will NOT work with WarVOX. There are many websites dedicated to VoIP. Here are a few that will help get you started:

  • http://www.voip-list.com
  • http://www.voip-info.com
  • http://www.voipreview.org
  • http://voipproviderslist.org

A couple of things to keep in mind while choosing a provider:

  • Check their rates based on where you’ll be calling
  • If you’re going to be dialing internationally, do they support that?
  • How is billing done? 6 seconds?
  • Do they require proper identification?
  • What country they are located in
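
Seen from the receiving side, the job settings described in this segment leave a recognizable pattern in call logs: a target range means many neighbouring numbers dialed in a short time, a fixed capture length means answered calls all end at about the same second, and a caller ID range means the source changes from call to call. The following is an added example, not part of the original show notes or of WarVOX; the record layout, the sample records and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed sample call records (not real traffic): (time, caller ID, dialed, seconds).
T0 = datetime(2010, 9, 23, 2, 0, 0)
# Ten consecutive numbers dialed 30 s apart from four rotating caller IDs;
# answered calls end at 20-21 s, unanswered ones are logged as 0 s.
SWEEP = [(T0 + timedelta(seconds=30 * i), f"55530100{i % 4:02d}",
          f"55520001{i:02d}", (20 + i % 2) if i % 3 else 0) for i in range(10)]
# An outbound caller reaching eight numbers in another block, ordinary call lengths.
NORMAL = [(T0 + timedelta(minutes=3 * i), "5554440000", f"55520003{i:02d}", secs)
          for i, secs in enumerate([312, 45, 7, 128, 60, 15, 240, 33])]


def find_sweeps(rows, block_digits=2, window=timedelta(minutes=30),
                min_targets=8, max_jitter=2.0):
    """Flag destination blocks where many distinct numbers were dialed inside
    one window and answered calls all ended at nearly the same length."""
    by_block = defaultdict(list)
    for row in sorted(rows):
        by_block[row[2][:-block_digits]].append(row)
    hits = {}
    for block, calls in by_block.items():
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # slide the window forward
            win = calls[start:end + 1]
            targets = {dst for _, _, dst, _ in win}
            answered = [secs for _, _, _, secs in win if secs > 0]
            if len(targets) < min_targets or not answered:
                continue
            jitter = pstdev(answered)  # spread of call lengths, in seconds
            best = hits.get(block, {"targets": 0})
            if jitter <= max_jitter and len(targets) > best["targets"]:
                # Group by destination, not caller ID: the source may rotate.
                hits[block] = {"targets": len(targets),
                               "caller_ids": len({src for _, src, _, _ in win}),
                               "jitter": round(jitter, 2)}
    return hits


if __name__ == "__main__":
    for block, info in find_sweeps(SWEEP + NORMAL).items():
        print(f"possible sweep of {block}xx: {info}")
```

The second sample block reaches just as many numbers but is not flagged, because its call lengths vary the way ordinary conversations do.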

Guest Interview: Travis Goodspeed

Travis Goodspeed is one of the best known hardware hackers in the world and is known, when necessary, to deploy both nitric acid and hypodermic needles to the task of extracting unexpected functionality from circuitry. He is also co-creator of the Party Mode Belt Buckle, a Belt Buckle that instantly causes rabid frenzy in party chicks everywhere.


  1. How did you get your start in computer security?
  2. How did you get your start in embedded device hackery?
  3. What would be your suggestion for people that would like to get their own start in the world of hardware hacking?
  4. What is the most extreme method you have used to extract firmware or any data of a piece of hardware?
  5. Why is analyzing hardware important?
  6. Why is analyzing the software that runs on said hardware even more important?
  7. Is the work that you are doing actually helping to improve embedded device security?
  8. How is the SmartGrid Skunkworks list working out? Do you think problems can be solved?
  9. Tell us about the beltbuckle. I mean, why a belt buckle?
  10. How often have you been forced to deploy "Party Mode"?
  11. How many people are entrusted with "Party Mode" power?
  12. Are 7 BuckleMasters required for Party Mode (similar to Kaminsky's DNSSec reboot)?
  13. Got any current and upcoming projects that you can tell us about?
  14. How about your experience with making first impressions with business folks?

Stories For Discussion

  1. Social Engineering bank robbers, via @HumanHacker
  2. Twitter pwned with onMouseOver thanks to an update
  3. Google Apps moving to 2 factor authentication
  4. Why McAf.ee URL shortener is stupid - Not sure if there is more research done on this, but what is the point? So what if they actually did check the URLs properly? Bob will just use another shortener instead; people will click on anything if it offers free stuff.
  5. Wireless, what physical layer? - [Larry] - An interesting way to break into cars; hang around with a wireless jammer so that the victim's car never locks. Kinda like DoSing wireless networks with a microwave…
  6. Got Facebook? - [Larry] - If not, you should. Technically we're talking about the evil twin attack here (similar to Robin Sage…) but if the Interpol Chief can get evil twined, so can your company or staff…ok, so now what can they do?
  7. Mac get hacked? Sue Apple! - [Larry] Talk about the blind leading the stupid…your Mac gets hacked, you call Apple support and they can't help you (for whatever reason), so you sue them for not helping and claiming that they are hiding information. Hmm, let's try this on Microsoft…
  8. Two factor auth, doing it right? - [Larry] I like the fact that Google can set up two factor auth for business customers with SMS messages, much like PayPal. They also have a smartphone client, like a token generator. I u how this would work with clients such as Thunderbird…with the web client you can specify that you are on a trusted computer and remember the code, which generates a cookie. Nah, that could NEVER go wrong…
  9. Roll your own encryption? [Larry] - Yup, I'm guessing that Microsoft did, and now millions of ASP websites are paying the price. Apparently by brute forcing cipher text to an ASP.NET app, and looking at the error messages you can then guess the encryption key for session cookies, remote server data and conduct information disclosure from the remote web server. Sigh.

Other Stories of Interest