Scanning
CS-480b
Dick Steflik

What Can We Scan For
- Modems (and other telephone devices)
- Live Hosts
- TCP ports
- UDP ports
- Promiscuous NICs

Modems
- Repeatedly dial phone numbers looking for a modem to answer or other things
- War Dialers – used to find modems
  - ToneLoc – 1994 by Minor Threat & Mucho Maas
  - THC-Scan – van Hauser, released by The Hacker's Choice
    - Win9x, NT, W2000
    - 100 lines/hour
  - TBA – L0pht
    - War dialing on a PALM
- Demon Dialers – once a modem is found, repeatedly dial it and guess passwords
- Other things
  - Free phone calls – if the phone answers and gives a dial tone, you have dialed into a number that will let you dial another number; some companies do this so that roaming employees can dial into the company or into a company-owned 800 number

Live Hosts
- Try pinging (ICMP Echo request) all hosts on a particular subnet to see who replies
- No reply indicates:
  - Host is not live
  - Incoming ICMP messages are blocked
    - It's a good idea to block incoming ICMP messages at the firewall
- If no reply, a hacker would try connecting to a commonly open port (TCP port 80) or sending a UDP packet to a commonly open port
- In Java (which doesn't do ICMP), send a ping using JNI to execute the ping command as an OS command line command
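
A defender's view of the live-host sweep described above, as an added example that is not part of the original slides: it flags any source that sends ICMP echo requests, or connection attempts to TCP port 80, to many distinct hosts within a short window. The log line format, the threshold, the window and all addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log; the line format (time src dst proto detail) is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.9 192.0.2.1 ICMP echo-request
2024-05-01T10:00:01 203.0.113.9 192.0.2.2 ICMP echo-request
2024-05-01T10:00:02 203.0.113.9 192.0.2.3 ICMP echo-request
2024-05-01T10:00:03 203.0.113.9 192.0.2.4 ICMP echo-request
2024-05-01T10:00:05 198.51.100.7 192.0.2.2 ICMP echo-request
2024-05-01T10:00:09 203.0.113.9 192.0.2.1 TCP dport=80
2024-05-01T10:00:10 203.0.113.9 192.0.2.2 TCP dport=80
2024-05-01T10:00:11 203.0.113.9 192.0.2.3 TCP dport=80
2024-05-01T10:00:12 203.0.113.9 192.0.2.4 TCP dport=80
"""

# Liveness probes named on the slide: ICMP echo request, then TCP port 80.
PROBES = {("ICMP", "echo-request"): "icmp-sweep", ("TCP", "dport=80"): "tcp80-sweep"}

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst, proto, detail = parts
        kind = PROBES.get((proto, detail))
        if kind:  # ignore traffic that is not a liveness probe
            yield datetime.fromisoformat(ts), src, dst, kind

def detect_sweeps(log, min_hosts=4, window_s=60):
    """Return {src: [probe kinds]} for sources probing >= min_hosts hosts in window_s."""
    window = timedelta(seconds=window_s)
    events = defaultdict(list)
    for ts, src, dst, kind in parse(log):
        events[(src, kind)].append((ts, dst))
    alerts = defaultdict(set)
    for (src, kind), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            if len({dst for _, dst in evs[start:end + 1]}) >= min_hosts:
                alerts[src].add(kind)
                break
    return {src: sorted(kinds) for src, kinds in alerts.items()}

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG))
```

The single ping from 198.51.100.7 stays below the threshold, while 203.0.113.9 is flagged for both the ICMP sweep and the port 80 follow-up.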

Mapping your network
- Once the live hosts are known, a map of your network can be arrived at by determining how the hosts are connected together
- traceroute (unix/linux) / tracert (w2000)

    Microsoft(R) Windows NT(TM)
    (C) Copyright 1985-1996 Microsoft Corp.

    C:\users>tracert
    Tracing route to [] over a maximum of 30 hops:
      1   <10 ms   <10 ms   <10 ms
      2   <10 ms   <10 ms   <10 ms
      3   <10 ms   <10 ms   <10 ms  []
    Trace complete.

Mapping (more)
- By doing repetitive traceroutes to the hosts discovered in the host scan, the network topology can be discovered.
- Another way to do this is by using a mapping program like Cheops.