CXML | VXML Auditing for IVR Pentesters




About Me:

Rahul Sasi @FB1H2S

Security Researcher @ iSIGHT Partners

Member Garage 4 Hackers



http://Garage4Hackers.com
Team W00t W00t [ RTFM ]

What Made Me Interested in IVR Applications

My Phone Banking.

# It allowed me to log in to my banking account via a phone call.

# I just need to call my bank's IVR and type in my Account_No and Password [ATM PIN].

How Was It Dangerous / Hackable
"In theory :P" - Probability Theory
Probability that event A occurs:
    P(A) = n(A) / n(S)
where
    n(A) - number of outcomes in which event A occurs
    n(S) - total number of possible outcomes
Here
    n(A) = number of customers (huge)
    n(S) = number of PIN combinations (9000)

So if we make a program that dials into the IVR and tries to authenticate into users' accounts, starting from account no. 1000 up to 2000 with the password/PIN 6666:


The chance that, among those 1000 users, some have 6666 as the PIN for their accounts is very high.


The lowest possibility, let's say, is 10 accounts.
Now


More theories:


Individual users: after 3 invalid attempts, their account gets blocked.

And every night at 12 o'clock the account is automatically reactivated.

So if I start my brute-force program at 10 o'clock at night, I could try 5 different PINs for 1000 accounts without blocking any accounts.
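The two policy weaknesses in the theory above (a lockout counter that resets at a fixed wall-clock time, and a lockout that only counts failures per account, so one PIN tried across many accounts never trips it) can be checked against the IVR's own authentication logs. The following is an added example, not code from the deck: it simulates the per-day lockout the slides describe, a sliding-window lockout that closes the midnight gap, and a detector that flags a single caller line failing against many distinct accounts. The log format, the ANI/account values and the function names are constructed assumptions for the illustration; the lockout threshold (3) and the midnight reset come from the slides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IVR authentication log lines (not from the deck or any
# real bank). One caller line (ANI) walks three accounts with two failed PIN
# attempts before the midnight counter reset and two more just after it; one
# unrelated caller logs in normally.
SAMPLE_LOG = """\
2012-01-15 22:01:10 ANI=5550100 ACCT=1000 RESULT=FAIL
2012-01-15 22:01:45 ANI=5550100 ACCT=1000 RESULT=FAIL
2012-01-15 22:02:20 ANI=5550100 ACCT=1001 RESULT=FAIL
2012-01-15 22:02:55 ANI=5550100 ACCT=1001 RESULT=FAIL
2012-01-15 22:03:30 ANI=5550100 ACCT=1002 RESULT=FAIL
2012-01-15 22:04:05 ANI=5550100 ACCT=1002 RESULT=FAIL
2012-01-15 22:30:00 ANI=5550177 ACCT=4242 RESULT=OK
2012-01-16 00:01:10 ANI=5550100 ACCT=1000 RESULT=FAIL
2012-01-16 00:01:45 ANI=5550100 ACCT=1000 RESULT=FAIL
2012-01-16 00:02:20 ANI=5550100 ACCT=1001 RESULT=FAIL
2012-01-16 00:02:55 ANI=5550100 ACCT=1001 RESULT=FAIL
2012-01-16 00:03:30 ANI=5550100 ACCT=1002 RESULT=FAIL
2012-01-16 00:04:05 ANI=5550100 ACCT=1002 RESULT=FAIL
"""


def parse_log(text):
    """Parse 'DATE TIME ANI=.. ACCT=.. RESULT=..' lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ani, acct, result = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ani": ani.split("=", 1)[1],
            "acct": acct.split("=", 1)[1],
            "result": result.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def nightly_reset_lockouts(events, max_failures=3):
    """The policy the deck describes: failures are counted per calendar day and
    the counter is cleared at midnight. Returns the accounts that get locked."""
    fails = defaultdict(int)            # (account, calendar day) -> failures
    locked = set()
    for e in events:
        if e["result"] != "FAIL":
            continue
        key = (e["acct"], e["ts"].date())
        fails[key] += 1
        if fails[key] >= max_failures:
            locked.add(e["acct"])
    return locked


def sliding_window_lockouts(events, max_failures=3, window=timedelta(hours=24)):
    """Mitigation: count failures in a rolling window instead of per calendar
    day, so spreading attempts across midnight no longer avoids the lockout."""
    recent = defaultdict(list)          # account -> timestamps of recent failures
    locked = set()
    for e in events:
        if e["result"] != "FAIL":
            continue
        q = recent[e["acct"]]
        q.append(e["ts"])
        q[:] = [t for t in q if e["ts"] - t < window]   # drop expired failures
        if len(q) >= max_failures:
            locked.add(e["acct"])
    return locked


def reverse_bruteforce_callers(events, window=timedelta(minutes=30), min_accounts=3):
    """Detection: one caller line failing against many distinct accounts in a
    short window is the signature of a single PIN being tried across accounts,
    which per-account lockouts alone never see. Returns {ani: accounts}."""
    by_ani = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ani[e["ani"]].append(e)
    flagged = {}
    for ani, evs in by_ani.items():
        for i, start in enumerate(evs):
            accts = {x["acct"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(accts) >= min_accounts:
                flagged[ani] = accts
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("nightly reset locks:", nightly_reset_lockouts(evs))
    print("sliding window locks:", sliding_window_lockouts(evs))
    print("reverse brute-force callers:", reverse_bruteforce_callers(evs))
```

On the constructed log the per-day policy locks nothing, because every account sees only two failures on each side of midnight; the 24-hour rolling window locks all three accounts, and the caller-line check flags ANI 5550100 after its first three accounts. In practice the rolling window and the per-caller distinct-account count are the two controls worth having, since the distinct-account count is the only one of the three that sees a fixed PIN being walked across the customer base.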

AT Commands Basics:


Serial Port Communication:
Yeah, we could use Python

Brute Forcing IVR Applications

POC Tested on Personal Account Only.

Go Go

This is Just the Beginning

CXML VXML Attacks

IVR Hacks
