Hai2IVR is a SIP client for brute-forcing DTMF prompts in IVR systems. Many systems (banking, voicemail, calling card) rely on short PIN numbers (typically 4 digits) to authenticate a user. In the IT world there's no way we'd rely on a 4-character, numeric-only password, so why do we do it in phone land? Well, because a) we've always done it and b) no one expects people to sit there and try all 10,000 possible PINs by hand.
VoIP is all about convergence, right? Well, converge this: running Hai2IVR against my test IVR system, brute-forcing the 4-digit PIN space (1000-9999) took about 20 minutes, making 30-odd calls in parallel and eating ~1.5 Mbps of bandwidth (downstream only, so totally feasible for my home DSL connection). So, given a SIP-to-PSTN gateway that permits multiple calls (I have one of these) and some automation tools (like, uh, this one), we can crack passwords for IVR systems in the real world (assuming they don't have any auto-lockout-after-too-many-tries system, which most (I hope!) banks have...)
Hai2IVR consists of two components:
- metlodtmfzor: command-line, scriptable DTMF-guessing SIP client. Written in C, using the pjsip cross-platform SIP library.
- Hai2IVR: python-gtk GUI for metlodtmfzor that handles parallelization and provides pretty feedback. Writes output as XML and WAV, and handles saving and resuming in-progress cracking sessions.
Metlodtmfzor makes the calls, sending DTMF tones at the appropriate points, and records the calls to disk. Hai2IVR provides the UI to control dialing and manage the search space, and an interface for reviewing, sorting and listening to the resulting calls. There's no magic speech-recognition thing that works out which PIN is the right one; that's left to the human, but there's a simple and highly effective heuristic: if you get the PIN right, the system probably won't hang up on you quite so soon. Check out the longest three or four calls, and nine times out of ten the right PIN is one of those.
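The call-length heuristic above, as an added example (this is not Hai2IVR's or metlodtmfzor's code). It assumes, purely for illustration, that each recorded call is a PCM WAV file whose base name is the PIN that was tried (e.g. 4471.wav); the sample session it builds is constructed data, with one deliberately long "PIN accepted" call among a crowd of short "invalid PIN, goodbye" calls.

```python
"""Rank recorded IVR calls by length: the longest recordings are the guesses
the IVR kept talking to.  Added example, not part of Hai2IVR.

Assumption (not from the original page): each call is stored as a WAV file
named after the PIN that was tried, e.g. 1234.wav.
"""
import os
import tempfile
import wave


def wav_duration_seconds(path):
    """Read the WAV header and return the recording length in seconds."""
    with wave.open(path, "rb") as w:
        return w.getnframes() / float(w.getframerate())


def rank_recordings(directory, top=4):
    """Return [(pin, seconds), ...] for the `top` longest calls, longest first."""
    calls = []
    for name in os.listdir(directory):
        if not name.lower().endswith(".wav"):
            continue
        pin = os.path.splitext(name)[0]
        calls.append((pin, wav_duration_seconds(os.path.join(directory, name))))
    calls.sort(key=lambda c: c[1], reverse=True)
    return calls[:top]


def write_silent_wav(path, seconds, rate=8000):
    """Write a mono 16-bit PCM WAV of silence; only used to build sample data."""
    nframes = int(seconds * rate)
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"\x00\x00" * nframes)


def build_sample_session(directory):
    """Constructed sample data: most guesses get a ~6 s 'invalid PIN' call,
    one guess (4471) reaches the account menu and runs much longer."""
    durations = {"1000": 6.2, "1001": 6.0, "1002": 6.4,
                 "4471": 23.5, "9998": 5.9, "9999": 6.1}
    for pin, secs in durations.items():
        write_silent_wav(os.path.join(directory, pin + ".wav"), secs)
    return durations


def run_demo():
    """Build the constructed session in a temp dir and return the ranking."""
    with tempfile.TemporaryDirectory() as session_dir:
        build_sample_session(session_dir)
        return rank_recordings(session_dir)


if __name__ == "__main__":
    for pin, secs in run_demo():
        print("%s  %.1fs" % (pin, secs))
```

On a real session you would point `rank_recordings` at the directory of WAV files and listen to the top few by hand; the ranking only narrows the candidates, it does not replace listening to them.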
At present it's basic (e.g. no support for SIP authentication, GSM codec only, RFC 2833 DTMF encoding only), but functional. I'm dithering between adding this stuff to it, or just saying "if you need anything fancy, proxy it through your own Asterisk rig, that's what I do".
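Since RFC 2833 is the one DTMF encoding the tool speaks, here is what that encoding looks like on the wire, as an added example (not metlodtmfzor's code). It builds the 4-byte telephone-event payloads that carry a PIN digit by digit: event code, end bit, volume, and cumulative duration in RTP clock units. The 20 ms packet interval, 100 ms tone length and -10 dBm0 volume are assumptions for illustration; the RTP header itself (marker bit on the first packet of each event, fixed timestamp across the event) is outside the payload and not shown.

```python
"""RFC 2833 telephone-event payloads for a DTMF PIN.  Added example, not
metlodtmfzor's code.  Timing constants below are assumptions.
"""
import struct

DTMF_EVENTS = {str(d): d for d in range(10)}
DTMF_EVENTS.update({"*": 10, "#": 11, "A": 12, "B": 13, "C": 14, "D": 15})
EVENT_TO_DIGIT = {v: k for k, v in DTMF_EVENTS.items()}

PTIME_UNITS = 160   # assumed: 20 ms of 8 kHz clock between event packets
TONE_UNITS = 800    # assumed: 100 ms tone per digit


def encode_event(digit, duration, end=False, volume=10):
    """One telephone-event payload (RFC 2833 section 3.5):
    event | E R volume | duration, with duration as a 16-bit big-endian
    count of RTP clock ticks since the event started.  volume is the tone
    level in -dBm0 (0..63); R is reserved and always 0."""
    if not 0 <= volume <= 63:
        raise ValueError("volume out of range")
    if not 0 <= duration <= 0xFFFF:
        raise ValueError("duration out of range")
    flags = (0x80 if end else 0) | volume
    return struct.pack("!BBH", DTMF_EVENTS[digit.upper()], flags, duration)


def decode_event(payload):
    """Inverse of encode_event; returns (digit, duration, end, volume)."""
    event, flags, duration = struct.unpack("!BBH", payload)
    return EVENT_TO_DIGIT[event], duration, bool(flags & 0x80), flags & 0x3F


def pin_to_events(pin, tone_units=TONE_UNITS, end_repeats=3):
    """Payloads for a whole PIN: for each digit, a packet every 20 ms carrying
    the cumulative duration, then the end-of-event packet repeated three
    times so a single lost packet cannot leave a digit 'stuck' (RFC 2833
    section 3.6)."""
    packets = []
    for digit in pin:
        elapsed = PTIME_UNITS
        while elapsed < tone_units:
            packets.append(encode_event(digit, elapsed))
            elapsed += PTIME_UNITS
        packets.extend(encode_event(digit, tone_units, end=True)
                       for _ in range(end_repeats))
    return packets


if __name__ == "__main__":
    for p in pin_to_events("12#"):
        print(p.hex(), decode_event(p))
```

Each packet would be sent as the RTP payload of the negotiated `telephone-event` payload type; the receiving gateway regenerates the tone from these events, so the audio codec in use (GSM here) never carries DTMF itself.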
The intention is to release it as GPL, but I'm still putting a few finishing touches on it. There's a build available below, but it is, uh, pretty rough. Feel free to try it and offer feedback. If it makes any difference, I used it quite successfully to haxx a Serious Customer's Serious Voice Application, if you hear what I'm saying.
Last Update: 2007-02-23 18:51:08