War Dialing Part 2: Extrapolating Results and Validating Numbers

By Chris Patten ·

This is a continuation of our War Dialing series. Read Part 1 here.

Extrapolating the Results

Although manually traversing the database isn’t out of the question, I decided that it would be easier to have something that can pull the results quickly in the event that they are needed for reporting requirements. This is often the case when we are tasked with providing results for the entire list of phone numbers dialed during a war dialing assessment. For instance, it is necessary to understand which tones lead to modems, fax, voice and voicemail. All of these cases warrant their own assessment techniques.

For data extraction, I wrote a simple python script that interacts with the Warvox2 PostgreSQL database and dumps the relevant data to a specified output (e.g., json or csv). The script can be obtained from https://github.com/packetassailant/warvel.

 

The following code block values within the warvel.py file will need to be configured according to the Warvox2 implementation. For instance, if the PostgreSQL instance is running on the same host as Warvel, then the configuration might look similar to this; whereas the user and password values would contain the appropriate credentials:

A successful sample run against a file containing a newline, delimited list of phone numbers should present similar results to the following screenshot. Note that the “--project=” value needs to match the name of the project that is associated with the original Warvox2 project.

If everything went as planned, a list of results should have been produced based on the search criteria passed into our script. In this case, the search criteria explicitly dictated the need for modem results only.

Now that we have our list of modems, we can’t just start dialing and attempting to gain system access. We obviously don’t want to be accused of digital trespassing, so we need to attempt to derive ownership associated with each respective modem number. This leads us into the next section regarding how to validate a phone number.

Validate the Phone Numbers to Modems

The information returned when someone receives a phone call usually consists of a phone number and the Caller ID Name (CNAM). The phone number can also be queried against CNAM lookup data-stores in order to derive the owner of a particular phone number. I have had less than expected results on many free services as the data returned is often cached, dated and stale.

However, I have found that the OpenCNAM project located at https://www.opencnam.com/ provides an acceptable level of accuracy when using their paid query service. Conveniently, they provide an API that can be used when performing batch queries against numerous phone numbers. Once again, this is often the case when we have a lot of phone number results that need validation.

For this, I wrote another piece of code named CNAMulator that allows us to perform this task. It can be obtained at https://github.com/packetassailant/cnamulator.

In order to use this tool, an OpenCNAM sid and token are required. These can be obtained by creating an account on the previously mentioned OpenCNAM website.


The OpenCNAM API page containing SID and TOKEN values

 

Now with our sid and token values, the CNAMulator tool can be used to perform batch queries. The following screenshot provides a list of command line options that can be supplied for querying either a single phone number or a file containing a list of phone numbers.

By passing in a file of numbers, in this case stored in numbers.txt, and providing the relevant command line values for “-sid” and “-token”, the results should be similar to the following:

 

As a result, the phone numbers can now be associated with their derived Caller ID value. As stated earlier, having an approximation of valid ownership can help to narrow down valid attack targets while precluding any unnecessary trespassing of unauthorized systems. Additionally, the list can provide a good starting point when requesting validation of client-sanctioned resources.

With this information, the next step is to prepare our testing environment so that we can eventually interact with either the modem or the connected DTE device.