Stay up to date with Payatu blog
Automating IVR pentesting
The call might get disconnected if you enter an invalid DTMF value, and you would then have to call again and re-enter all the DTMF values manually to get back to the stage where you can enter a different payload. So, I thought of automating it because I couldn’t find any tool on the internet which can do this.
Objective
To develop a generic tool that automates the IVR call flow and also automates the process of sending attack vectors through an interactive program, so that it saves a pentester’s time.
What is IVR?
Interactive voice response (IVR) is a technology that allows a computer to interact with humans through voice and DTMF tones entered via a keypad. In telecommunications, IVR allows customers to interact with a company’s host system via a telephone keypad or by speech recognition, after which services can be inquired about through the IVR dialogue. IVR systems can respond with prerecorded or dynamically generated audio to further direct users on how to proceed.
Where is it used?
Automating Stuff with Python
What is Automation?
The use of any machine or computer to perform your task efficiently and in much less time can be termed automation.
Why do we need automated scripts?
Humans can do great stuff, but sometimes we are too lazy to do some of it. For example, if I ask you to multiply 345*246, most of you will open the calculator on your device to get the result rather than solve it with pen and paper. So using automated scripts makes our task easier and less time-consuming. Ever wondered why we need automated scripts in security testing? If so, the answer to your question is here. While performing security testing you can come across a task that needs to be done many times, like placing 1 lakh orders to check whether the application can be flooded with multiple requests. Sitting and creating each and every request manually would be a very tough job. So, here we can use automated scripts to do the job.
Attacking interactive applications with python’s pexpect
While off-the-shelf penetration testing programs/tools are widely used, there can be situations where certain tools fail. Security professionals love to automate pentesting tasks and write their own set of tools while testing. For example, one can write one's own port scanner when nmap fails. In that case a custom script sends packets to a static host and reports the result, but what about the case where we are trying to attack an interactive service such as SSH, FTP or TELNET? Let's say we wish to brute-force the SSH service on a remote machine, where a series of prompts is expected depending on the interaction between the client and the SSH server. Let's check out some of the prompts the SSH service sends to a connecting client:
1. When connecting to a ssh server for the first time, a yes/no prompt gets introduced.
2. While trying password.