Skip to main content

War Dialing Part 2: Extrapolating Results and Validating Numbers

November 17, 2014

This is a continuation of our War Dialing series. Read Part 1 here.

Extrapolating the Results

Although manually traversing the database isn’t out of the question, I decided that it would be easier to have something that can pull the results quickly in the event that they are needed for reporting requirements. This is often the case when we are tasked with providing results for the entire list of phone numbers dialed during a war dialing assessment. For instance, it is necessary to understand which tones lead to modems, fax, voice and voicemail. All of these cases warrant their own assessment techniques.

For data extraction, I wrote a simple python script that interacts with the Warvox2 PostgreSQL database and dumps the relevant data to a specified output (e.g., json or csv). The script can be obtained from

War Dialing Part 2.1


The following code block values within the file will need to be configured according to the Warvox2 implementation. For instance, if the PostgreSQL instance is running on the same host as Warvel, then the configuration might look similar to this; whereas the user and password values would contain the appropriate credentials:

War Dialing Part 2.2

A successful sample run against a file containing a newline, delimited list of phone numbers should present similar results to the following screenshot. Note that the “--project=” value needs to match the name of the project that is associated with the original Warvox2 project.

War Dialing Part 2.3

If everything went as planned, a list of results should have been produced based on the search criteria passed into our script. In this case, the search criteria explicitly dictated the need for modem results only.

Now that we have our list of modems, we can’t just start dialing and attempting to gain system access. We obviously don’t want to be accused of digital trespassing, so we need to attempt to derive ownership associated with each respective modem number. This leads us into the next section regarding how to validate a phone number.

Validate the Phone Numbers to Modems

The information returned when someone receives a phone call usually consists of a phone number and the Caller ID Name (CNAM). The phone number can also be queried against CNAM lookup data-stores in order to derive the owner of a particular phone number. I have had less than expected results on many free services as the data returned is often cached, dated and stale.

However, I have found that the OpenCNAM project located at provides an acceptable level of accuracy when using their paid query service. Conveniently, they provide an API that can be used when performing batch queries against numerous phone numbers. Once again, this is often the case when we have a lot of phone number results that need validation.

For this, I wrote another piece of code named CNAMulator that allows us to perform this task. It can be obtained at

In order to use this tool, an OpenCNAM sid and token are required. These can be obtained by creating an account on the previously mentioned OpenCNAM website.

War Dialing Part 2.4
The OpenCNAM API page containing SID and TOKEN values


Now with our sid and token values, the CNAMulator tool can be used to perform batch queries. The following screenshot provides a list of command line options that can be supplied for querying either a single phone number or a file containing a list of phone numbers.

War Dialing Part 2.5

By passing in a file of numbers, in this case stored in numbers.txt, and providing the relevant command line values for “-sid” and “-token”, the results should be similar to the following:

War Dialing Part 2.6


As a result, the phone numbers can now be associated with their derived Caller ID value. As stated earlier, having an approximation of valid ownership can help to narrow down valid attack targets while precluding any unnecessary trespassing of unauthorized systems. Additionally, the list can provide a good starting point when requesting validation of client-sanctioned resources.

With this information, the next step is to prepare our testing environment so that we can eventually interact with either the modem or the connected DTE device.

Related Blogs

March 14, 2018

Observations on Smoke Tests – Part 1

Smoke testing in the traditional definition is most often used to assess the functionality of key software features to determine if they work or perfo...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

December 15, 2017

Endpoint Security Assessment

Optiv can help validate the effectiveness of your endpoint security solution by identifying and exploiting vulnerabilities.

See Details

December 02, 2011

Security Assessment Pitfalls | Optiv

FishNet Securitys Assessment Team has delivered on thousands of projects involving Vulnerability Assessments, Penetration Tests, Wireless Security Ass...

See Details

October 18, 2012

Avoiding the pitfalls of an ordinary Security Assessment

How about taking a different approach to the ordinary Vulnerability Assessment or Penetration Test? It’s time to start thinking outside the compliance...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.