

				MODEM LOGIN HACKER

			      (Minicom Scripter Tool)

			(c) 2003 by van Hauser / THC <vh@thc.org>
				http://www.thc.org



INTRODUCTION
------------
The internet is not the only door into a network. These days wavelans are
becoming popular; in the old days there were dial-in modems. But even today,
dial-in modems are still present in any company.
While tools for wardialing (scanning phone numbers for modems by dialing
every number and checking if there's a carrier) have been available for all
operating systems for years, there were only very few tools for trying to
guess login/passwords against modem carriers, and they were all for MS-DOS
only. Years ago, I wrote such a tool called LOGIN-HACKER, which is still in
use by many people, just because there's no real choice.

About 5 years ago I completely moved from MS-DOS to UNIX (Linux and OpenBSD)
so executing penetration tests became a pain in the ass for modem login
hacking. Finally I wrote some scripts to hack into modem carriers for Unix
as well. To make it flexible and portable, I chose not to write my own
terminal program and scripting language, like I did with LOGIN-HACKER.
I just use simple Minicom scripts. And they are very effective!
Also, they could include more commands to interact with the operating system
while the script is running. I made it possible to autodetect almost any
prompt, and to detect whether a login/password or password-only prompt was
successfully passed or not.


WHAT DO YOU NEED
----------------
An installed UNIX operating system.
Minicom installed (comes with any Linux distribution).
This package.
A modem connected to your system and /dev/modem pointing to the right
serial port.
A phone number with a remote modem that answers and presents a
login/password prompt ;-)

NEW: with v1.1 I added my check_ppp script which connects to the number and
then starts pppd to check for ppp dial-ins which might be passwordless.


HACKING TYPES
-------------
For this modem login hacker we support three different types.

type1:	the target is a login/password prompt, e.g.
		asd23d login: test
		Password:
		Login incorrect.
		asd23d login:
	and you want to attack it with a colon-separated file with
	a login and password pair per line.
	A colon-separated file (or COLONFILE) looks like this:
		login:pass
		admin:admin
		guest:guest
		test:1234
type2:	is the same as type1, except that you want to attack it with a
	file containing all logins to try, and another one for the passwords.
	For every login, all passwords from the password file are tried.
type3:	the target is a password-only prompt (it does not ask for a login name):
		Password:
		Password:
		Password:
		% Bad passwords
	and similar systems. You feed this with a file containing all the
	passwords to try.

If you want to know exactly what types of login/password | password-only
systems these scripts support, look below in the LOGIN/PASSWORD TYPES
SUPPORTED section.


HOW TO RUN
----------
Syntax:
  ./login_hacker PHONENUMBER type1 COLONFILE
  ./login_hacker PHONENUMBER type2 LOGINFILE PASSWORDFILE
  ./login_hacker PHONENUMBER type3 PASSWORDFILE
  ./login_hacker PHONENUMBER your_own_script INPUTFILE [INPUTFILE]
 
Options:
  PHONENUMBER    number to call and try to break in
  LOGINFILE      input file with logins to try
  PASSWORDFILE   input file with passwords to try
  COLONFILE      input file with LOGIN:PASSWORD entries
 
Types:
  type1+type2    should work against any login/password type modem prompts
  type3          should work against any password type modem prompts

Examples:
	A Cisco Router password-only authentication:
		User Access Verification
		Password:
		% Bad passwords
	./login_hacker PHONENUMBER type3 your_file_with_cisco_default_passwords

	A Unix login authentication:
		Login: asdf
		Password:
		Login incorrect.
		Login:
	./login_hacker PHONENUMBER type2 unix_default_logins common_passwords

	A ROLM PABX authentication:
		Login: test
		Invalid login.
 
		Login: tech
		Password:
		Invalid login.
	./login_hacker PHONENUMBER type1 rolm_pabx_colon_file


CONTACT
-------
You can reach me at vh@thc.org for script enhancements or bug reports.
DON'T ask me for good default login/password lists or similar!!!

Have fun and remember: this tool is only for legal purposes!

Ciao...
	van Hauser / THC


LOGIN/PASSWORD TYPES SUPPORTED
------------------------------
Almost all types are supported:
It works against modem prompt types:
      Login: asdf
      Password:
      Login incorrect.
      Login:
and
      Enter login name: asdf
      Enter login name: qwert
      Enter login name: admin
      password:
and
      Login: bin
      Welcome to system abc.
      Last login: never
      $
and
      Username: asdf
      Password:
      % Authentication failed
      Username:
and
      @login: root
      password:
      password:
      password:
and combinations of these.
Works for Unix, Cisco, ROLM PABX, Shiva and many, many more.

Also these work without problems:
      Password:
      Password:
      Password:
      % Bad passwords
and
      Password                (3 tries, no echo/change)
and
      PASSWORD> ####
      PASSWORD> ###
      PASSWORD> #######
and
      Enter password:
      Enter password:
      Enter password:
and
      Password please: *****
      Password please: *****
      Password please: *****
      Invalid passwords, bye!
and combinations of these.
Works for Cisco, Modem protection, and many more.
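
The prompt samples above are just as useful from the defending side, when
reviewing logged dial-in sessions. The following is an added example, not
part of this package: it classifies a logged session as login/password or
password-only, and flags repeated prompts or a login that was accepted
without any password prompt. The regular expressions, the audit_session
name and the sample transcripts are constructed from the samples in this
README and are assumptions; it also assumes your terminal server or modem
pool logs the session text.

```python
import re

# Patterns constructed from the prompt samples in this README (assumption:
# extend them for the devices in your own dial-in inventory).
LOGIN_RE = re.compile(
    r"^(?!\s*last\s+login)\s*(?:\S+\s+)?(?:enter\s+)?@?(?:login|username)"
    r"(?:\s+name)?\s*:", re.I)
PASSWORD_RE = re.compile(r"^\s*(?:enter\s+)?password\b", re.I)
FAILURE_RE = re.compile(r"incorrect|invalid|failed|bad\s+password", re.I)

# Constructed sample transcripts, modelled on the samples shown above.
SAMPLES = {
    "router": "User Access Verification\nPassword:\nPassword:\nPassword:\n"
              "% Bad passwords\n",
    "unix-open": "Login: bin\nWelcome to system abc.\nLast login: never\n$\n",
    "unix-fail": "asd23d login: test\nPassword:\nLogin incorrect.\n"
                 "asd23d login:\n",
}


def audit_session(transcript, max_prompts=3):
    """Classify one logged dial-in session and flag what needs review."""
    logins = passwords = failures = 0
    greeted = False
    for line in transcript.splitlines():
        if LOGIN_RE.match(line):
            logins += 1
        elif PASSWORD_RE.match(line):
            passwords += 1
        elif FAILURE_RE.search(line):
            failures += 1
        elif logins and line.strip():
            greeted = True  # ordinary output after a login prompt
    prompts = max(logins, passwords)
    kind = "login/password" if logins else "password-only" if passwords else "none"
    return {
        "kind": kind,
        "prompts": prompts,
        "failures": failures,
        # Many prompts within one call is what password guessing looks like.
        "repeated_prompts": prompts >= max_prompts,
        # Login accepted with no password prompt and no failure message.
        "no_password_asked": bool(logins and not passwords and not failures and greeted),
    }


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_session(text))
```
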

