💾 Archived View for spam.works › mirrors › textfiles › phreak › callback.dit captured on 2023-06-16 at 19:40:52.

View Raw

More Information

-=-=-=-=-=-=-


 *****      8      m      m

 *****  *       8  mmmmm  mmmmm    back, or dial in ...
 
------------------------------------------------------------------------------

The S-VER verification Callback.

Some BBSes have a Callback verification installed.
One populair type is the 'S-VER verification', developed by Steve Gabrilowitz.
It let's you enter your phonenumber, in order to hangup and callback, waiting
for you to enter your password. The poor guy must have starved now, since no
sysop appears to register the package...

Suppose you don't like to give your number away, for some reason. In that case
you can try a few tricks on the S-VER. If you're a sysop, you can test your
system's security, and understand the weak spots :-)

A few hints for common 'testing':

1) Collect information on the subject, the more you know, the more chance you
get to succeed. Version of software ? Required hardware ? Properties of the
latter ? In this case: obtain a copy of s_ver092 yourselves!

2) Make assumptions based on your info, where and when could the security fail ?
This requires knowledge of the system in use, experience and 'talent'.

3) How can I create a situation assumed at stage 2) ?
This often requires a lot of creativity, luck and again 'talent'.

4) Evaluate the results.
Why did it work ? or why not. You learn from your mistakes and successes.

Step by step:

Get your own S-VER software, and examine everything! You'll notice it's share-
ware, but did the sysops allready register it ???
After reading the docs, you can conclude that some phonenumbers can be excluded
from verification <now think what would happen if...>
Exceptional useful are the bugreports included in docs :-) Nice helpful people,
those shareware authors...

Assumption: Dial back BEFORE the callback seizes the line to call you.
That's the 'schoolbook' solution on callbacks.
Problem: you can't dialin faster than the S-VER seizes the line...
WORK ON THAT: You increase your dialin chance by making your modem dial faster,
try ATS11=2 setting or even ATS11=1, wow! that's lightingspeed dialing huh ? :-)
add a ATS10=1 inorder to detect a loss of carrier very quick.
With these settings you redial after the S-Ver has hung up on you with a/

With a bit of luck YOU are using the line before S-VER can, now pickup the phone
inorder to hold the line (You do have a phone don't you ?) and wait for the
S-VER (thinking to call you, but it isn't) to give a carrier, you respond with a
ata and type in your password...and you've passed a real dialback :-)

Not bad for a practice, I'd say. Ofcourse, this isn't a document on abusing
callbacks, I merely want to state that a callback ISN'T the ultimate security.
Allthough many people think it is. Do not rely on your security-systems with
blind faith !

-------------------------------------------------------------------------------
Document update:

After a lot of fieldwork, it appears that this fastdial trick even works on
expensive industrial modems with a build-in hardware dialback !
The key is to enable your modem to dial as fast as lightning. Try add some
extra's:

Here is my favorite initstring: AT L3 X4 S6=1 S10=1 S11=40 S12=0

You may call it 'The Default Hackerstring':
AT for waking up the microprocessor in your modem,
L3 for a louder speaker, since you want to hear what's going on.
X4 enables blind-dialing.
S6=1 set the dialtone waiting time to the minimum.
S10=1 minimizes the time after a carrier drop.
S11=40 let's your modem fire DTMF tones ... use the smallest number possible
       for as long as a succesful dial can be made, don't overdo it!
S12=0 disables any guardtime involved after a +++ sequence is given.

-------------------------------------------------------------------------------

Expensive HiSpeed modems often have 'remote command' modes. But the commands
are to divers to discribe, since almost every brand uses his own commandset.
But it is usually something like AT*A to set the other modem in a remote-mode.

Ofcourse you could allways try sending the string:

NO CARRIER

to the other end, hoping that the owners are really dorks from space, but you
never know...maybe you get an answer back i.e.

ATDT0,xxxxxx ....miracles still exists ;-)

Tracker



Oh, by the way, along with this document I've include another dialback package
from Michel Overtoom, I didn't ask for any permission, but I guess he won't
mind. Some good programming he preformed. (the nice fellow included the source)