109 lines
4.6 KiB
Plaintext
109 lines
4.6 KiB
Plaintext
|
|
***** 8 m m
|
|
* 8 8 m m
|
|
* 8 8 m m
|
|
* 8 888 8 m m
|
|
***** * 8 mmmmm mmmmm back, or dial in ...
|
|
|
|
------------------------------------------------------------------------------
|
|
|
|
The S-VER verification Callback.
|
|
|
|
Some BBSes have a Callback verification installed.
|
|
One populair type is the 'S-VER verification', developed by Steve Gabrilowitz.
|
|
It let's you enter your phonenumber, in order to hangup and callback, waiting
|
|
for you to enter your password. The poor guy must have starved now, since no
|
|
sysop appears to register the package...
|
|
|
|
Suppose you don't like to give your number away, for some reason. In that case
|
|
you can try a few tricks on the S-VER. If you're a sysop, you can test your
|
|
system's security, and understand the weak spots :-)
|
|
|
|
A few hints for common 'testing':
|
|
|
|
1) Collect information on the subject, the more you know, the more chance you
|
|
get to succeed. Version of software ? Required hardware ? Properties of the
|
|
latter ? In this case: obtain a copy of s_ver092 yourselves!
|
|
|
|
2) Make assumptions based on your info, where and when could the security fail ?
|
|
This requires knowledge of the system in use, experience and 'talent'.
|
|
|
|
3) How can I create a situation assumed at stage 2) ?
|
|
This often requires a lot of creativity, luck and again 'talent'.
|
|
|
|
4) Evaluate the results.
|
|
Why did it work ? or why not. You learn from your mistakes and successes.
|
|
|
|
Step by step:
|
|
|
|
Get your own S-VER software, and examine everything! You'll notice it's share-
|
|
ware, but did the sysops allready register it ???
|
|
After reading the docs, you can conclude that some phonenumbers can be excluded
|
|
from verification <now think what would happen if...>
|
|
Exceptional useful are the bugreports included in docs :-) Nice helpful people,
|
|
those shareware authors...
|
|
|
|
Assumption: Dial back BEFORE the callback seizes the line to call you.
|
|
That's the 'schoolbook' solution on callbacks.
|
|
Problem: you can't dialin faster than the S-VER seizes the line...
|
|
WORK ON THAT: You increase your dialin chance by making your modem dial faster,
|
|
try ATS11=2 setting or even ATS11=1, wow! that's lightingspeed dialing huh ? :-)
|
|
add a ATS10=1 inorder to detect a loss of carrier very quick.
|
|
With these settings you redial after the S-Ver has hung up on you with a/
|
|
|
|
With a bit of luck YOU are using the line before S-VER can, now pickup the phone
|
|
inorder to hold the line (You do have a phone don't you ?) and wait for the
|
|
S-VER (thinking to call you, but it isn't) to give a carrier, you respond with a
|
|
ata and type in your password...and you've passed a real dialback :-)
|
|
|
|
Not bad for a practice, I'd say. Ofcourse, this isn't a document on abusing
|
|
callbacks, I merely want to state that a callback ISN'T the ultimate security.
|
|
Allthough many people think it is. Do not rely on your security-systems with
|
|
blind faith !
|
|
|
|
-------------------------------------------------------------------------------
|
|
Document update:
|
|
|
|
After a lot of fieldwork, it appears that this fastdial trick even works on
|
|
expensive industrial modems with a build-in hardware dialback !
|
|
The key is to enable your modem to dial as fast as lightning. Try add some
|
|
extra's:
|
|
|
|
Here is my favorite initstring: AT L3 X4 S6=1 S10=1 S11=40 S12=0
|
|
|
|
You may call it 'The Default Hackerstring':
|
|
AT for waking up the microprocessor in your modem,
|
|
L3 for a louder speaker, since you want to hear what's going on.
|
|
X4 enables blind-dialing.
|
|
S6=1 set the dialtone waiting time to the minimum.
|
|
S10=1 minimizes the time after a carrier drop.
|
|
S11=40 let's your modem fire DTMF tones ... use the smallest number possible
|
|
for as long as a succesful dial can be made, don't overdo it!
|
|
S12=0 disables any guardtime involved after a +++ sequence is given.
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
Expensive HiSpeed modems often have 'remote command' modes. But the commands
|
|
are to divers to discribe, since almost every brand uses his own commandset.
|
|
But it is usually something like AT*A to set the other modem in a remote-mode.
|
|
|
|
Ofcourse you could allways try sending the string:
|
|
|
|
NO CARRIER
|
|
|
|
to the other end, hoping that the owners are really dorks from space, but you
|
|
never know...maybe you get an answer back i.e.
|
|
|
|
ATDT0,xxxxxx ....miracles still exists ;-)
|
|
|
|
Tracker
|
|
|
|
|
|
|
|
Oh, by the way, along with this document I've include another dialback package
|
|
from Michel Overtoom, I didn't ask for any permission, but I guess he won't
|
|
mind. Some good programming he preformed. (the nice fellow included the source)
|
|
|
|
|
|
|