War Dialing/Telephony Penetration Testing (aka Phone Hacking)
One of the many avenues of entry/information gain is remote access through a dial-up connection to other phone-controlled systems (IVR, DISA, etc.). The attack method is known as War Dialing and is now easier to perform due to the explosion in VoIP services and providers.
War Dialing is a technique used to perform "port scanning", but for telephones. Numbers are dialed systematically and the answering tones are assessed. Just as with a port scanner, a War Dialing assessment looks for answering resources; the attacker can then attempt to attack the service in order to gain access.
HackLabs' War Dialing Penetration Test follows documented security testing methodologies which include:
- Footprinting of the organisation's phone ranges
- Connection testing of discovered ranges (War Dialing)
- Attempted access to discovered services (e.g. modems, PABX DISA services, voicemail systems, menu systems, etc.)
Why should we perform a War Dialing Penetration Test?
Penetration testing allows organisations to test whether an attacker is able to discover the services, and then the likelihood of an attacker gaining access to data or performing service abuse at the cost of the victim.
While dial-based exposures were the original hackers’ entry points, in recent years IT managers have focused assessment monies on Internet-based vulnerabilities, largely ignoring those associated with their telephone systems. But to this day these phone-based vulnerabilities still represent the easy way into many network environments. The best firewall cannot protect against rogue modems operating on critical servers or user desktops.
Best Practice recommends that each organisation perform a Penetration Test as part of its regular Security Program in order to ensure the security of its telecom defenses.