Wardialer - Metasploit


This page contains detailed information about how to use the auxiliary/scanner/telephony/wardial metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Wardialer
Module: auxiliary/scanner/telephony/wardial
Source code: modules/auxiliary/scanner/telephony/wardial.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Scan for dial-up systems that are connected to modems and answer telephony indials.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/telephony/wardial
msf auxiliary(wardial) > show options
    ... show and set options ...
msf auxiliary(wardial) > set RHOSTS ip-range
msf auxiliary(wardial) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(wardial) > set RHOSTS 192.168.1.3-192.168.1.200

Example 2:

msf auxiliary(wardial) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(wardial) > set RHOSTS file:/tmp/ip_list.txt

Go back to menu.

Msfconsole Usage

Here is how the scanner/telephony/wardial auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/telephony/wardial

msf6 auxiliary(scanner/telephony/wardial) > show info

       Name: Wardialer
     Module: auxiliary/scanner/telephony/wardial
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  I)ruid <[email protected]>

Check supported:
  No

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  DIALMASK    202.358.XXXX     yes       Dial Mask (e.g. 1.800.95X.99XX, (202) 358-XXXX, 358.####, etc.)
  DIALPREFIX  ATDT             yes       Dial Prefix
  INITSTRING  AT X6 S11=80     yes       Initialization String
  SERIALPORT  /dev/ttyS0       yes       Serial Port (e.g. 0 (COM1), 1 (COM2), /dev/ttyS0, etc.)
  THREADS     1                yes       The number of concurrent threads (max one per host)

Description:
  Scan for dial-up systems that are connected to modems and answer 
  telephony indials.

Module Options

This is a complete list of options available in the scanner/telephony/wardial auxiliary module:

msf6 auxiliary(scanner/telephony/wardial) > show options

Module options (auxiliary/scanner/telephony/wardial):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   DIALMASK    202.358.XXXX     yes       Dial Mask (e.g. 1.800.95X.99XX, (202) 358-XXXX, 358.####, etc.)
   DIALPREFIX  ATDT             yes       Dial Prefix
   INITSTRING  AT X6 S11=80     yes       Initialization String
   SERIALPORT  /dev/ttyS0       yes       Serial Port (e.g. 0 (COM1), 1 (COM2), /dev/ttyS0, etc.)
   THREADS     1                yes       The number of concurrent threads (max one per host)

Advanced Options

Here is a complete list of advanced options supported by the scanner/telephony/wardial auxiliary module:

msf6 auxiliary(scanner/telephony/wardial) > show advanced

Module advanced options (auxiliary/scanner/telephony/wardial):

   Name                 Current Setting   Required  Description
   ----                 ---------------   --------  -----------
   BaudRate             19200             yes       Baud Rate
   ConnTimeout          45                yes       Timeout per data connection in seconds
   DataBits             8                 yes       Data Bits (4 is Windows Only) (Accepted: 4, 5, 6, 7, 8)
   DialDelay            1                 yes       Time to wait between dials in seconds (rec. min. 1)
   DialSuffix                             no        Dial Suffix
   DialTimeout          40                yes       Timeout per dialed number in seconds
   DisplayModem         false             no        Displays modem commands and responses on the console
   FlowControl          None              yes       Flow Control (Accepted: None, Hardware, Software, Both)
   InitInterval         30                yes       Number of dials before reinitializing modem
   LogMethod            File              yes       Log Method (Accepted: File)
   NudgeString          \x1b\x1b\r\n\r\n  no        Nudge String
   Parity               None              no        Parity (Mark & Space are Windows Only) (Accepted: None, Even, Odd, Mark, Space)
   RedialBusy           false             no        Redials numbers found to be busy
   ShowProgress         true              yes       Display progress messages during a scan
   ShowProgressPercent  10                yes       The interval in percent that progress should be shown
   StopBits             1                 yes       Stop Bits (Accepted: 1, 2)
   VERBOSE              false             no        Enable detailed status messages
   WORKSPACE                              no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the scanner/telephony/wardial module can do:

msf6 auxiliary(scanner/telephony/wardial) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the scanner/telephony/wardial auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/telephony/wardial) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

The Telephony module is not available: <TELEPHONY_ERROR>

Here is a relevant code snippet related to the "The Telephony module is not available: <TELEPHONY_ERROR>" error message:

89:	    end
90:	  end
91:	
92:	  def run
93:	    if ! @telephony_loaded
94:	      print_error("The Telephony module is not available: #{@telephony_error}")
95:	      raise RuntimeError, "Telephony not available"
96:	    end
97:	
98:	    @confdir      = File.join(Msf::Config.get_config_root, 'wardial')
99:	    @datadir      = File.join(Msf::Config.get_config_root, 'logs', 'wardial')

Telephony not available

Here is a relevant code snippet related to the "Telephony not available" error message:

90:	  end
91:	
92:	  def run
93:	    if ! @telephony_loaded
94:	      print_error("The Telephony module is not available: #{@telephony_error}")
95:	      raise RuntimeError, "Telephony not available"
96:	    end
97:	
98:	    @confdir      = File.join(Msf::Config.get_config_root, 'wardial')
99:	    @datadir      = File.join(Msf::Config.get_config_root, 'logs', 'wardial')
100:

No previous scan data found (<DATFILE>)

Here is a relevant code snippet related to the "No previous scan data found (<DATFILE>)" error message:

172:	      select = dialrange.select {|key, value|
173:	        value[:busy] == true
174:	      }
175:	      num_busy = select.size
176:	    else
177:	      print_status( "No previous scan data found (#{datfile})" )
178:	      dialrange = build_dialrange(dialmask)
179:	      num_identified = 0
180:	      num_carriers   = 0
181:	      num_faxes      = 0
182:	      num_busy       = 0

No Carrier

Here is a relevant code snippet related to the "No Carrier" error message:

304:	            dialrange[dialnum][:result] = result
305:	            dialrange[dialnum][:girl] = true
306:	            dialrange[dialnum][:timestamp] = Time.now
307:	            modem.hangup
308:	          when /NO CARRIER/i
309:	            print_status( "No Carrier" )
310:	            dialrange[dialnum][:identified] = true #TODO: should this be false?
311:	            dialrange[dialnum][:result] = result
312:	            dialrange[dialnum][:timestamp] = Time.now
313:	          when /BUSY/i
314:	            print_status( "Busy" )

Error during dial process: <E.CLASS> <E> <E.BACKTRACE>

Here is a relevant code snippet related to the "Error during dial process: <E.CLASS> <E> <E.BACKTRACE>" error message:

341:	      modem.hangup
342:	      Object.save_to_file(dialrange, datfile)
343:	      #dialrange.save_to_file(datfile)
344:	      raise $!
345:	    rescue ::Exception => e
346:	      print_error("Error during dial process: #{e.class} #{e} #{e.backtrace}")
347:	      return
348:	    end
349:	
350:	    print_status("Dialing Complete")
351:	    modem.close

Error resetting modem

Here is a relevant code snippet related to the "Error resetting modem" error message:

353:	
354:	  def initmodem(modem, initstring)
355:	    print_status("Initializing Modem")
356:	    result = modem.put_command('ATZ', 3)
357:	    if result != 'OK'
358:	      print_error("Error resetting modem")
359:	      return false
360:	    end
361:	    result = modem.put_command(initstring, 3)
362:	    if result != 'OK'
363:	      print_error("Error initializing modem")

Error initializing modem

Here is a relevant code snippet related to the "Error initializing modem" error message:

358:	      print_error("Error resetting modem")
359:	      return false
360:	    end
361:	    result = modem.put_command(initstring, 3)
362:	    if result != 'OK'
363:	      print_error("Error initializing modem")
364:	      return false
365:	    end
366:	
367:	    return true
368:	  end

Go back to menu.

Authors

  • I)ruid

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.