I’m always on the lookout for new ways to do recon during an assessment, or be aware how folks could be performing recon against an organization. Being aware of recon methods helps make recommendations to remediate potential exposure. One of the things that can be highly successful for recon on a target is wireless. I’m not talking 802.11 wireless networks, but other wireless technologies; walkie talkies, cordless phones, etc.
Yes, cordless phones. We’ve talked about wireless headsets in the 900mhz range in the past, and we’ve even discussed assessments where they have been successful for gaining network credentials. Just use your programmable radio scanner outside of your target’s call center, and boom!
There are plenty of other places where I have observed cordless phones in use. There have been countless times in a small to mid to large business, often a franchise, and I noticed the manager on duty is carrying a cordless phone. I’ve witnessed them answer the phone to talk to customers, co-workers in another location, or even the tech support folks when they have computer issues (SCORE!).
Caution: In your country or jurisdiction it may be illegal to intercept cordless phone conversations (even though its “wireless” it can be considered “wiretapping”). In the United States, the laws vary per state, so check with your legal council.
Of course, this is easy with 900 Mhz phones/headsets and your police scanner. 2.4 and 5.8 Ghz phones require a bit more work, such as modding appropriate scanner, or obtaining an older model scanner. Don’t forget about baby monitors! They come in all frequency flavors as well, and from the best I can tell, the legality is of “wiretapping” may not apply in some cases, as thy are not usually connected to telephone infrastructure. I’m not a lawyer, so be certain to check with yours.
With the evolution of wireless communication gear, we get to upgrade to digital technology, or DECT (Digital Enhanced Cordless Telecommunications). With this move to digital transmissions, our police scanner is of little use. Even now, enterprise telecom infrastructure providers are beginning to implement DECT in their gear (think call center). Enter the deDECTed Project and the Dosch Amand DECT PCMCIA cards.
The deDECTed folks created an app to be able to interface with specific Dosh Amand DECT cards, and turn them into DECT sniffers. The software is readily available from dedected.org, but the PCMCIA cards are a little bit more difficult to acquire. Assuming we can get ahold of a card, let’s configure deDECTed and capture us some audio – with permission of course! A big thanks to Twitchy for loaning me his DECT PCMCIA card, as well as pointing me down the right path with deDECTed.
What you’ll need:
- A linux installation with build environment
- A Dosh Amand COM-ON-AIR Type 2 PCMCIA Card
Let’s get started. First we need to obtain a copy of deDECTed from SVN:
$ svn co https://dedected.org/svn/trunk dedected
Then we need to change into the new dedected directory and begin compiling our tools. We’ll be specifying just the tools directory here, as the rest of the project includes some other items that we aren’t concerned with at the moment, such as the Kismet plugin.
$ cd /dedected/com-on-air_cs-linux $ make && make -C tools
Once the compilation of the tools directory has completed, we need to make our drivers and create the system device. We now need to execute two more make commands, as root:
# make load # make node
A NOTE OF WARNING: After the system has detected and identified the PCMCIA card, do not eject the card; the system will instantly kernel panic. It is a known issue and know you know.
We then can verify that DECT goodies are showing up by issuing dmesg, and looking at the end of the output. Once we have verified that the system can see the card we now need to fire up the CLI interface appropriately named dect_cli. We need to be root to do so, in order to be able to access the raw device (or change the permisions on the device with “chmod 666 /dev/coa”)
$ cd tools # ./dect_cli
Now we have access to the dect_cli console. It doesn’t give you a nice prompt, just a blank line, waiting for input. Let’s give it a few commands:
This will set verbose output ON. Now, here in the US we need to set the appropriate channel range for “DECT 6.0”. Otherwise, in other countries, you’ll likely skip this step (But, what is to prevent someone from brining a US model abroad?)
In order to channel hop, auto discover calls and record them to pcap output, we use the following command:
This starts the channel hopping, and auto call recording. YET ANOTHER NOTE: At this time while auto call detection and recording is happening you still have access to the command line. In order to properly write out the pcap files you need to issue:
It you don’t the pcap files can be improperly terminated. I actually missed my first couple of recordings because I forgot to do this, and it didn’t write any files at all.
Well, ok that’s cool. We now have some pcap files, but how do I listen to them? the deDECTed folks have included some conversion tools to make .ima files. We also will want to convert them to .wav, so we will ned a few more tools, decode and sox.
I installed sox using apt-get, so this one will vary by os. I used:
# apt-get install sox
We also need a modified version of decode from http://www.ps-auxw.de/g72x++.tar.bz2. Here is how I obtained and compiled:
$ wget http://www.ps-auxw.de/g72x++.tar.bz2 $ bzip2 -d g72x++.tar.bz2 $ tar -xvf g72x++.tar $ cd g72x $ ./build.sh
After the build we can use the following script to use decode and sox to output wav files. Don’t forget to update the script to reflect the current paths for sox, decode-g72x, and pcap2stein (from the deDECTed tools) on your system. Here’s the script form the deDECTed project (at https://dedected.org/trac/wiki/COM-ON-AIR-Linux):
SOX=/usr/bin/sox for i in `/bin/ls -1 *.pcap` ; do ./pcapstein $i done #decoder for g.721 for i in *.ima ; do cat $i | ./decode-g72x -4 -a | sox -r 8000 -1 -c 1 -A -t raw - -t wav $i.g721.wav; done #decoder for g.726.R for i in *.ima ; do cat $i | ./decode-g72x -64 -l -R | sox -r 8000 -2 -c 1 -s -t raw - -t wav $i.g726.R.wav; done #decoder for g.726.L for i in *.ima ; do cat $i | ./decode-g72x -64 -l -L | sox -r 8000 -2 -c 1 -s -t raw - -t wav $i.g726.L.wav; done
Once converted, listen away, and enjoy the fruits of your labor. Hopefully the audio is not common drivel often found on personal phone calls or on baby monitors. Here’s hoping for credentials on all of your assessments!
On some additional notes, the deDECTed project work with all of the conversion tools and scripts can be found on the Chaox-ng live CD. It also appears that the Greengate DA099 PCMCIA card is a relabeled Dosch & Amand Type II card. Unfortunately I’ve not been able to scrounge up a Greengate card either.
– Larry “haxorthematrix” Pesce