[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Advanced Modem-Oriented BBS Security ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ]
Current issue : #34 | Release date : 1991-10-13 | Editor : Dispater
Introduction to Phrack 34Dispater & Crimson Death
Phrack LoopbackPhrack Staff
Phrack Prophile of The Disk JockeyThe Disk Jockey & Dispater
The AT&T Mail GatewayRobert Alien
The Complete Guide to Hacking WWIVInhuman
Hacking Voice Mail SystemsNight Ranger
An Introduction to MILNETBrigadier General Swipe
TCP/IP: A Tutorial Part 2 of 2The Not
Advanced Modem-Oriented BBS SecurityDead Cow & Laughing Gas
PWN/Part01Dispater
PWN/Part02Dispater
Title : Advanced Modem-Oriented BBS Security
Author : Dead Cow & Laughing Gas
                                ==Phrack Inc.==

                Volume Three, Issue Thirty-four, File #9 of 11

              ._._._._._._._._._._._._._._._._._._._._._._._._.
              !                                               !
              !      Advanced Modem-Oriented BBS Security     !
              !                                               !
              !          By Laughing Gas and Dead Cow         !
              !                                               !
              !     Written Exclusively for PHRACK 8/22/91    !
              !_._._._._._._._._._._._._._._._._._._._._._._._!


* Introduction =-= Things you need to know *

This is an introduction and guide to setting up your BBS and modem so that a
caller must know a certain code and append it to his dialing string in order to
access the BBS.  This lets you have yet another way (besides newuser passwords,
etc) to lock out unwanted callers.

You can also set a certain pattern for your board's numerical code based on the
day or the month or something, and distribute this pattern instead of having to
distribute the access code.
You must have an intelligent modem to be able to run a board which requires the
access method I'm going to be discussing in this file.  However you don't need
an intelligent modem to be able to call the same board, but you do have to
enter the code manually if you do not have an intelligent modem.  (So only
certain people can run a board with this method of access control, but >almost<
anyone can call one.)

All modem commands in this manual will be hayes 'AT' style commands, and some
may be available only to USRobotics Courier modems with v.42bis, or certain
other intelligent modems.  If you can't get it to work with your modem, your
modem may not be able to do it, but try looking in your modem manual, just in
case.

NOTE: The ONLY modem that this method has been tested with is a USRobotics
Courier HST modem, (the new kind) with the v.42bis.  I tested it with my modem
which is an older HST (14.4, but no v.42bis) and it did NOT accept the AT%T
command (it returned "ERROR"). Check page 83 of your HST manual for more info,
or type AT%$ for on-line help from the modem firmware. (about as helpful as the
manual, and neither are very detailed.)

Things to know:
        ATDT1234567;    This command causes your modem to dial 1234567 and
                       then return to command mode.
        ATDT1234567@1;  This command causes your modem to dial 1234567, wait for
                        an answer, dial 1 and return to command mode.
|-----> AT%T            This command causes every tone that goes into the modem
|                       to be identified and followed with a 0.
|
|---------------------- This is the key to the whole enchilada.

Alternate commands may be available depending on your modem type.

* Concept =-= How-To

The concept for the bbs access code would be as follows.

The caller dials the number to the BBS, when the BBS picks up, it sends a
digit, then the caller sends a responding set of digits.  If the digits which
the caller sends match the access code for the BBS, the BBS will send an answer
tone and the caller's modem will acknowledge and connection.

How it works is like this:
 (Sample Transcript)

CALLER> ATDT1234567@234
   BBS> RING
   BBS> ATDT1;
   BBS> OK
   BBS> AT%T
   BBS> 203040
   BBS> ATA

What happens is the caller dials 1234567 (the number of the BBS) the '@' tells
the callers modem to wait for a result (which is received when the BBS gets a
ring and sends a 1) then the callers modem dials 234 (the access code) after

the BBS sent the '1' it got a OK so it sent a AT%T which told it to monitor
tones.  This command returned "203040" which is 234 followed by 0's (the format
of the output of AT%T) the BBS software would have to watch for this string.
Since 234 was the right code, the board sent an ATA which would connect the
caller since it's dial command was still open.  If 234 hadn't been the code,
then the BBS would have sent a ATH0.

* Manual Dialing =-= Lame modems *

Anyway, if you don't have a modem that does the AT%T or ATDT1; commands you
CANNOT run a BBS with this type of security, unless your modem has EQUIVALENT
commands, or you can figure out a way to do it with the commands your modem
has.  The toughest part is the reading of tones, which, as far as I know, is
unique to the HST/Courier modems.

However, if your modem does not do the ATDT1@1 thing, then you can PROBABLY
still call a board using this security.  This is assuming you can just send a
"dial command" to your modem without a number (ie ATD on an HST.)  What you do
is dial the BBS number manually, then you'll here a beep, you dial the code,
then send the dial command to your modem and put the phone down.  This should
connect you in the same fashion.. (ie..)

CALLER> manually dials BBS
   BBS> ATDT1;
CALLER> hears beep and dials 234, then sends ATD to his modem and puts the
        phone down.
   BBS> OK
   BBS> AT%T
   BBS> 203040
   BBS> ATA
CALLER> his modem connects.

* Bells and Whistles =-= Wrapping It Up *

Your options when using this type of security.  There are many different things
you can do.

Method #1: You can say "Hey, the access code for my board is 234" and give
that to the people you want to call.

Method #2: Set a pattern for your access codes.  Say, the date (ie, for today,
8-22-91 the code would be 082291), or you could get more complex (add one to
each digit, run it through an algorithm, etc)

Method #3: Distribute a program that generates the code based on the day, the
month, what have you.  (However this is only a solution if you can either
distribute a program like this to EVERY type of operating system, or you only
want callers from one operating system (or several, the only ones you can
produce it for..)

Method #4: Have the BBS accept several codes, and give out  different code to
each class of users (say, newusers to apply = 1234, validated = 2345, elite =
3456) or something like that, this would allow for control of who calls when,
as well as logging of call class frequency, etc.

Method #5: Have a specific code for each user.  This would take a lot of
maintenance, but would provide for a VERY secure BBS environment.  This would
allow the same advantages above as well (logging, freq. etc).

Things to keep in mind however are if you have an access code generated by a
program or by the date, etc. you have to change the code whenever the program
would.

An interesting side note here is that the AT%T command can be used to call a
COCOT (private payfone) and record the tones, or possibly to record codes other
people entered, etc.  (Ie, bring your laptop with modem to a office, attach
it to an extension and wait for a person to pick up, issue the ATD; command
right away, then AT%T command.  If the person dials a 950, you should get
something like

        90500010003030 (pause) 203040506070

that is assuming the code is 234567.  Congratulations, you now have their code.
The modem can recognize the dtmf tones for 0-9, *, #, and the silver box tones
A, B, C, and E.  I'm sure other interesting uses for this feature can be
found, and I'd love to hear from the other people out there in the h/p world.
  I'm sure a lot of you have seen me around, for those that haven't I can be
reached on my board, Solsbury Hill or Ripco (312) or on Internet as
lgas@doomsday.spies.com.

(Note: Spies is down as of this writing, I have some other accounts, but I'd
prefer that most of them remain unknown... if anyone wants to offer me an
account I can use just for mail where I can have my alias for the account
name, on a stable system, please contact me.)


* Non-BBS Oriented Stuff =-= Conclusion *

In some issue of 2600 magazine someplace at some time they published an article
on how to build a tone detection device: Now you have your own, built in to the
modem.

An example application of this "in the field" would be calling a COCOT and
using the modem to decipher the tones.  That would be done:

ATDT3014283268;                      ;call the COCOT
AT%T                                 ;get tones

it should respond with the decoded tones.

You could fool around with it and get it to accept input from a tape recorder,
this gives you a way to decipher recorded VMB passcodes, or phone numbers, or
anything else that was recorded as it was dialed. Or use it with a radio
scanner set to scan the freqs that cordless fones operate on, and record those
tones. Then play 'em back into the modem and they're yours.

In conclusion... (ahem).. This is an area which I believe has never been
breached before, and this idea was brought to you by THUGS.  As long as
technology keeps advancing, we'll be here to bring you the latest tricks such
as this one.  Please contact me if you have any information about this area
(tone detection via modem, or anything relating to it at all..) especially if
you know of modems besides the v.42bis models of USRobotic's HSTs that can do
this.

Laughing Gas
Solsbury Hill BBS (301-428-3268)
_______________________________________________________________________________
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2014, Phrack Magazine.