
Intelligent Wardialer

In the document A valuable extension to the (Page 178-184)

Intelligent Wardialer or iWar is wardialing software written completely in C by Da Beave (beave@softwink.com), an old-school hacker well-known in the underground since he used to run (and still does!) a very nice “good old times” BBS on an OpenVMS VAX and AXP cluster and connected to the Internet (http://deathrow.vistech.net/).

iWar supports many features, including MySQL support (very professional!) and IAX2 for VoIP support (see Chapter 7 for more information about VoIP attacks and countermeasures). At this time and as far as we know, iWar is the first wardialing tool supporting VoIP in this fancy way! iWar may also be used in order to perform voice mail-box (VMB) attacks.

Here is a description of iWar’s features:

Full and normal logging: Full logging records all possible events during dialing (busy signals, no answers, carriers, etc). By default, it only records things that you might find interesting (carriers and possible telco equipment).

ASCII flat file and MySQL logging: You can log to a traditional ASCII flat file and record information in a MySQL database.

Random or sequential dialing

Remote system identification: When finding and connecting to a remote modem, iWar will remain connected and attempt to identify the remote system type.

Keystroke marking: When actively “listening” to iWar work, if you hear something interesting, you can manually “mark” it by pressing a key. You can also add a note about something you find interesting.

Multiple modem support: Well, hey—this is UNIX. iWar will support as many modems as you can hook up to it.

Nice “curses”-based display: This means if you’re using iWar from a Linux console or a VT100-based terminal, it should work fine. This is not an escape sequence kludge, but true “curses.”

Full modem control: Unlike other kludges, iWar doesn’t just open the modem as a typical “file.” It controls the baud rate, parity, CTS/RTS (hardware flow control), and DTR (data terminal ready). This is important for controlling the modem and making it perform the way you want it to during scanning, for example, DTR hang-ups.

Blacklisted phone number support: For numbers the system should never dial.

Save state: If, within the middle of a wardialing session, you want to quit, you can save the current state to a file. This allows you to come back later and restart iWar where you left off (via the -l option).

Load pregenerated numbers: You can load a file (via the -L option) of numbers that you want to dial. This is useful for loading numbers generated by another routine (Perl or shell script, etc.).

Tone location: If your modem supports it, iWar uses two different methods: traditional ATDT5551212w (Toneloc-like) and silence detection.

System banners: Records remote system banners on connection for later review.

Attacks: iWar can be used to attack PBXs and voicemail systems.

Terminal window: Allows you to watch modem interactions and carrier results in real time.

Support for the Intra-Asterisk eXchange (IAX2) VoIP protocol: This allows you to scan without needing additional hardware.

Full-blown VoIP client: In IAX2 mode, keys 0–9, * and # play their DTMF equivalents. In this mode, you can also talk directly to the remote target (using a microphone) if so desired.

Caller ID number: In IAX2 mode, if your VoIP provider supports it, you can “set” your caller ID number for caller ID spoofing.

Source code: Comes with complete source code and is released under the GNU General Public License at http://www.gnu.org/copyleft/gpl.html.

Since iWar is so well written and full of functionalities, it is worth listing its usage and parameters (see Figures 6-1 and 6-2).

Chapter 6: Unconventional Data Attack Vectors


Usage:

iwar [parameters] -r [dial range]

Parameters:

-h : Prints this screen

-s : Speed/Baud rate [Serial default: 1200] [IAX2 mode disabled]

-p : Parity (None/Even/Odd) [Serial default 'N'one] [IAX2 mode disabled]

-d : Data bits [Serial default: 8] [IAX2 mode disabled]

-t : TTY to use (modem)[Serial default /dev/ttyS0] [IAX2 mode disabled]

-c : Use software handshaking (XON/XOFF)[Serial default is hardware flow control] [IAX2 mode disabled]

-f : Output log file [Default: iwar.log]

-e : Pre-dial string/NPA to scan [Optional]

-g : Post-dial string [Optional]

-a : Tone Location (Toneloc W; method) [Serial default: disabled] [IAX2 mode disabled]

-r : Range to scan (ie - 5551212-5551313)

-x : Sequential dialing [Default: Random]

-F : Full logging (BUSY, NO CARRIER, Timeouts, Skipped, etc)

-b : Disable banners check [Serial Default: enabled] [IAX2 mode disabled]

-o : Disable recording banner data[Serial default: enabled] [IAX2 mode disabled]

-L : Load numbers to dial from file

-l : Load 'saved state' file (previously dialed numbers)

Figure 6-1 iWar wardialer

Requirements

Nothing special is required: All you need is a Linux box and a modem. Depending on the features you want to use, you may need ad hoc software/hardware.

You can download it from http://freshmeat.net/projects/iwar/.

Shokdial

Shokdial, written by the well-known w00w00 guys, is a pretty old wardialing tool (Shok at shok@dataforce.net). Given its age, it should run on all *NIX flavors, from the oldest to the latest ones.

Figure 6-2 iWar in action


Shokdial supports random and sequential scanning. You can force a range as well, but that is done under sequential scanning. For random scanning, use shokdial -r; otherwise, it will, by default, use sequential scanning.

If no config file is specified, the output is written to wardailer.log, but you can specify a log file with -L or change it in the configuration file (see the help files).

Also, if the -d (daemon mode) option is given, the program will run in the background, so you could do other things. It will still log to the screen with -d; however, it is just writing to /dev/tty.

The -c (config file) option causes Shokdial to read from a configuration file. This can have any format and will not be checked, so you can use multiple formats and various strings such as 5551234,,,,1,# for pagers.

Requirements

All you need is a modem and a telephone line.

You can download it from http://www.w00w00.org/files/misc/shokdial/.

ward

ward is a very nice, light, and fast wardialer written in C for UNIX systems, with the peculiarity of working over PSTN, ISDN, and GSM networks. Written by Marco “Raptor” Ivaldi (raptor@0xdeadbeef.info), an actual OSSTMM contributor who is well known in the international underground scene, ward is a “classic” wardialer tool: It scans a list of phone numbers, hunting for modems answering on the other end, thus providing a nicely formatted output of the scan results. ward can generate a list of phone numbers from a user-supplied mask, in both incremental or random order (which can be extremely useful in some cases!).

ward is one of the fastest PBX scanners you will ever find, and it has been tested on Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows/cygwin. Do the tuning for your system and compile with: gcc ward.c -o ward -lm. Since ward is so well written and light, we’ll list its usage and its few, but useful, parameters here. You can see ward at work in Figure 6-3.

Usage:

./ward [ [-g file] [-n nummask] ] [-r] (generation mode)

./ward [-s file] [-t timeout] [-d dev] (scanning mode)

Parameters in generation mode:

-g : generate numbers list and save it to file

-n : number mask to be used in generation mode

-r : toggle random mode ON

Parameters in scanning mode:

-s : scan a list of phone numbers from file

-t : set the modem timeout (default=60secs)

-d : use this device (default=/dev/modem)

General parameters:

-h : print help

Requirements

All you need is a *NIX box, a modem, and a telephone line. Also, have fun with it using your GSM phone (Nokia is the most-suggested brand and old models like Nokia 5110 do a great job!) when scanning for toll-free numbers.

You can download it from http://www.0xdeadbeef.info/code/ward.c.

Figure 6-3 ward
