OpenSSH keyboard-interactive authentication brute force vulnerability (MaxAuthTries bypass)

kingcopes´ blag

OpenSSH's sshd allows six authentication attempts per connection by default (MaxAuthTries) before it closes the connection; the ssh client itself offers only three password prompts by default.

With this vulnerability an attacker can request as many password prompts as fit into the LoginGraceTime window, which is two minutes by default.

FreeBSD systems are affected in particular because they ship with keyboard-interactive (PAM) authentication enabled by default.

A simple way to exploit the bug is to execute this command:

ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost

This effectively allows up to 10000 password attempts, limited only by the login grace time.

The crucial part is that when the attacker requests 10000 keyboard-interactive devices, sshd accepts the request as given and loops over the device list, prompting for a password for each entry until the list is exhausted. All of those prompts happen inside a single authentication attempt, so MaxAuthTries is never reached.
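A defender cannot see the 10000-device request itself in a standard auth log, but sshd still logs every failed prompt as a separate “Failed keyboard-interactive/pam” line carrying the PID of the per-connection sshd child. A connection with more than MaxAuthTries (six) such failures is therefore the signature of this bypass. The following is an added example, not kingcope's code, that groups failures by PID and flags offending connections; the log lines, host name and IP addresses in it are constructed for the example.

```python
"""Flag SSH connections whose failed keyboard-interactive attempts exceed MaxAuthTries.

Added example (not from the original post). It parses auth-log lines in the form sshd emits
for failed PAM keyboard-interactive logins and groups them by the PID of the per-connection
sshd process. The sample log lines below are constructed.
"""
import re
from collections import defaultdict

MAX_AUTH_TRIES = 6  # sshd default

# One line per failed prompt; the bracketed PID identifies the per-connection sshd child.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed keyboard-interactive/pam for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2"
)


def count_failures(lines):
    """Return {pid: {"user", "ip", "failures"}} for every connection that failed at least once."""
    per_conn = defaultdict(lambda: {"user": None, "ip": None, "failures": 0})
    for line in lines:
        m = FAILED_RE.search(line)
        if m is None:
            continue
        entry = per_conn[m["pid"]]
        entry["user"], entry["ip"] = m["user"], m["ip"]
        entry["failures"] += 1
    return dict(per_conn)


def find_bypass(lines, limit=MAX_AUTH_TRIES):
    """A single connection with more failures than MaxAuthTries allows is the bypass signature:
    a correctly behaving sshd would have dropped the client before the limit was exceeded."""
    return {pid: e for pid, e in count_failures(lines).items() if e["failures"] > limit}


def _line(pid, user, ip, port, sec):
    return (f"Jul 23 14:05:{sec:02d} bastion sshd[{pid}]: Failed keyboard-interactive/pam "
            f"for {user} from {ip} port {port} ssh2")


# Constructed sample: one connection (PID 4242) that walked through eight prompts, and a
# normal one (PID 4300) that gave up after two.
SAMPLE_LOG = (
    [_line(4242, "root", "203.0.113.7", 51022, s) for s in range(8)]
    + [_line(4300, "alice", "198.51.100.9", 40111, s) for s in range(2)]
    + ["Jul 23 14:05:10 bastion sshd[4300]: Connection closed by 198.51.100.9 [preauth]"]
)

if __name__ == "__main__":
    for pid, e in find_bypass(SAMPLE_LOG).items():
        print(f"MaxAuthTries bypass: pid={pid} user={e['user']} ip={e['ip']} failures={e['failures']}")
```

If keyboard-interactive authentication is not needed, setting ChallengeResponseAuthentication no in sshd_config removes this attack surface entirely; merely lowering MaxAuthTries does not help, since the extra prompts never count against it.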

Here is a patch for openssh-6.9p1 that will allow to use a wordlist…


It’s official: North America out of new IPv4 addresses

Remember how, a decade ago, we told you that the Internet was running out of IPv4 addresses? Well, it took a while, but that day is here now: Asia, Europe, and Latin America have been parceling out scraps for a year or more, and now the ARIN wait list is here for the US, Canada, and numerous North Atlantic and Caribbean islands. Only organizations in Africa can still get IPv4 addresses as needed. The good news is that IPv6 seems to be picking up the slack.

ARIN, the American Registry for Internet Numbers, has now activated its “IPv4 Unmet Requests Policy.” Until now, organizations in the ARIN region were able to get IPv4 addresses as needed, but yesterday, ARIN was no longer in a position to fulfill qualifying requests. As a result, ISPs that come to ARIN for IPv4 address space have three choices: they can take a smaller block (ARIN currently still has a limited supply of blocks of 512 and 256 addresses), they can go on the wait list in the hope that a block of the desired size will become available at some point in the future, or they can buy addresses, through a transfer, from an organization that has more than it needs.

“If you take a smaller block, you can’t come back for more address space for 90 days,” John Curran, CEO of ARIN, told Ars. “We currently have nearly 500 small blocks remaining, but we handle 300 to 400 requests per month, [so] those remaining small blocks are going to last between two and four weeks.”

Doesn’t this allow for strategic behavior, where each ISP tries to request a block slightly smaller than the requests already on the wait list? “The wait list is a last resort as very little address space is returned to ARIN,” Curran said. “Trying to figure out how to game the wait list is not strategic. Trying to figure out how to use IPv6 for new customers is strategic.”

“ISPs will have to get used to the transfer market. If you need IPv4 addresses, go there,” Curran continued. “But I’m not sure how long a market is going to be around. Seven billion people with smartphones and home connections, a connection at work, then add Google, YouTube, Facebook, Bing… Four billion addresses, even with a perfectly working market, isn’t going to work in the future.”

IPv4 address markets

We spoke to Janine Goodman, vice president of Avenue4, a broker of IPv4 addresses, about what to expect in the short term.

“IPv6 is going to happen, that’s the direction it’s going,” she said. “But it’s going to take a while. Organizations are not ready to turn to IPv6 tomorrow; this will take a few years. A transfer market allows for the transition from IPv4 to IPv6 in a responsible way, not a panicked way.”

“The price for blocks of IPv4 addresses of 65,536 addresses (a /16) or smaller is about $7 to $8 per address in the ARIN region. In other regions, which have fewer addresses out there, the price tends to be a little higher,” Goodman said. “We expect the IPv4 market to be around for at least three to five years. During that time, the price per address will likely go up and then finally come back down as IPv6 is being widely deployed.”

Goodman stressed that buyers of addresses should make sure they are “clean” and have a known history. There have been reports of address sales where the addresses turned out to be in ongoing use after completion of the transaction.

ARIN CEO Curran also suggested that buyers do their due diligence. “With a car, the car and the registration are two different things. Not so with IP addresses: the registration in the whois database is the only thing,” he said. However, ARIN will only modify its whois records if the buyer of the addresses has a documented need for the amount of address space in question. As such, prospective buyers can pre-qualify with ARIN and then go out and buy the address space that covers their documented needs for the next two years, or they can find a seller of address space first and then come to ARIN to make sure they qualify.

Bring on the IPv6!

The Internet Engineering Task Force (IETF) saw the eventual depletion of IP addresses looming in the early 1990s, so they set out to solve the problem and came up with a new version of the Internet Protocol. The old IP has version number 4; the new version is 6. IPv6 increases the length of IP addresses to no fewer than 128 bits—sort of like increasing phone numbers from 10 to 40 digits. As a result, the number of available IPv6 addresses is, for all practical purposes, unlimited.

The trouble is, of course, that older systems can only handle IPv4 with its 32-bit addresses. That problem has pretty much been solved in the intervening decade, and today virtually all operating systems can handle 128-bit IPv6 addresses—although some applications can’t or don’t handle them properly.

The main issue remaining is that most networks simply haven’t enabled IPv6 yet. Although turning on IPv6 is not as hard as some people think, it’s not entirely trivial either in larger networks. Internet Service Providers, routers, firewalls, load balancers, and DNS servers must all be IPv6-ready and be reconfigured. And then there are all those little (and not so little) homegrown applications that keep businesses running. In almost all cases, a new IPv6 numbering plan is required, and DHCP works differently with IPv6 than with IPv4.

So for a long time, the number of Internet users who had IPv6 connectivity in addition to IPv4 connectivity, as well as the fraction of total Internet traffic that is IPv6, were rounding errors. Google’s statistics showed that only a few tenths of a percent of its users from 2009 to 2011 had IPv6 connectivity; that number reached one percent only at the end of 2012. A year ago, it hit 3.5 percent. Today, it stands between 6.5 (weekdays) and 7.5 percent (weekends).

Things get more interesting as we look at Google’s stats for individual countries. In early 2013, the US and Belgium weren’t notable players in the IPv6 adoption game, at 2.17 and 0.04 percent, respectively. Today, Belgium is the world leader at nearly 35 percent, and the US is third just behind Switzerland (both have about 21 percent adoption). According to Akamai’s numbers, seven countries now have IPv6 adoption rates above ten percent: Belgium, Switzerland, the US, Peru, Germany, Luxembourg, and Portugal—Greece will be the eighth very soon. Sixteen countries have more than five percent IPv6 deployment, and 32 countries have at least one percent.

Remarkably, neighboring countries may differ by an order of magnitude. The US is at nearly 21 percent, but Canada has only 0.5 percent IPv6 users. Belgium has nearly 35 percent, but the Netherlands has just three percent. Ireland is at 2.4 percent; the UK is at 0.2 percent.

Per-country IPv6 deployment


Don’t be too alarmed by the colors of Google’s IPv6 deployment map. White means no IPv6, while darker shades of green mean more IPv6. Red is bad, as it not only indicates very little IPv6 but also that IPv6 is slower than IPv4. Orange means that there is significant IPv6 deployment, but IPv6 connectivity is slower than IPv4 connectivity. However, IPv6 packets often take just two hundredths of a second longer than IPv4 packets, which isn’t ideal but not as alarming as the orange coloring suggests.

However, there are also places, such as Belgium or Russia, where on average IPv6 is actually faster than IPv4. One explanation for this could be that “good” ISPs also tend to be the ones that have IPv6 deployed. Routing paths over worse-performing ISPs that are available to IPv4 packets aren’t available to IPv6 packets, so those have no other choice than to flow through better performing ISPs. But in places where IPv6 deployment is lacking, there’s always the risk that the ISP providing the shortest path doesn’t run IPv6, so IPv6 packets need to follow a longer path, slowing down communication.

So it looks like a future where the Internet remains largely IPv4-only, with more and more invasive translation devices that let more and more users share a single IPv4 address, is not the most likely outcome. We now know that getting a tenth of a country’s Internet users on IPv6 within a year is doable. And as someone smart recently said about ISPs adopting IPv6, referring to Metcalfe’s Law, “If everyone is doing it, you have to do it, too.”




Skynet actually exists!!! Skynet is a top secret program of NSA

National Security Agency (NSA) actually has a real program named Skynet

Skynet was the evil military computer system that launched a war on the human race in the Terminator movie franchise; it has now emerged that the NSA has a program with the same name.

According to The Intercept, the NSA does have a program called Skynet. Its aims are less lethal, but legally dubious: it is a surveillance program that uses phone metadata to record the call activity and location of suspected terrorists. An Al Jazeera journalist reportedly became one of its victims after it put him on a terrorist watch list.

Ahmad Muaffaq Zaidan, bureau chief of Al Jazeera’s Islamabad office, was flagged by Skynet, labelled by US intelligence as a possible Al Qaeda member and given a watch-list number. Zaidan, a Syrian national, has conducted a number of exclusive interviews with senior Al Qaeda leaders, including Osama bin Laden himself.

A 2012 government presentation that The Intercept obtained from Edward Snowden says that Skynet uses phone location and call metadata from bulk phone call records to identify suspicious patterns in the communication habits and physical movements of suspects.

Says Wired:

The presentation indicates that SKYNET looks for terrorist connections based on questions such as “who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives?” It also looks for suspicious behaviors such as someone who engages in “excessive SIM or handset swapping” or receives “incoming calls only.” The goal is to identify people who move around in a pattern similar to Al Qaeda couriers who are used to pass communication and intelligence between the group’s senior leaders.

In addition to its misleading name, SKYNET has a few problems though. It happened to misidentify an Al-Jazeera reporter as a member of al-Qaida based on the criteria mentioned above. (It seems that journalists meeting with sources and terrorists meeting with terrorist group leaders move in patterns that look the same to the computer.) This misidentification would be disturbing even if the government did not make use of such metadata to make life-and-death decisions about who to kill with drone strikes. However, it does.

The NSA, one should note, also has a second program that is very similar to the Terminator’s Skynet. As revealed by Edward Snowden in an interview with James Bamford for WIRED last year, this one is called MonsterMind. Like the film version of Skynet, MonsterMind is a defensive surveillance system that would immediately and independently neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. Its algorithms would sift through massive repositories of metadata and analyze it to distinguish normal network traffic from anomalous or malicious traffic. Equipped with this knowledge, the NSA could immediately and autonomously find, and block, a foreign threat.

Snowden also stated that MonsterMind could one day be designed to automatically return fire, without human involvement, against an attacker. Because an attacker could tweak malicious code to avoid detection, a counterstrike would be more successful in neutralizing future attacks. That sounds a lot like Skynet. However, there is no word from the NSA on why it chose the iconic film name for its real-world Skynet.


If you ask me, there are some quite serious guys attached to the program:

Arnold Schwarzenegger, who later became governor of California.




Credit:  Kavita Iyer

AppUse – Android Pentest Platform Unified Standalone Environment

AppUse Virtual Machine, developed by AppSec Labs, is a unique (and free) system, a platform for mobile application security testing in the android environment, and it includes unique custom-made tools.

Faster & More Powerful
The system is a blessing to security teams, who from now on can easily perform security tests on Android applications. It was created as a virtual machine targeted for penetration testing teams who are interested in a convenient, personalized platform for android application security testing, for catching security problems and analysis of the application traffic.
Now, in order to test Android applications, all you will need is to download AppUse Virtual Machine, activate it, load your application and test it.


Easy to Use
There is no need for installation of simulators and testing tools, no need for SSL certificates of the proxy software, everything comes straight out of the box pre-installed and configured for an ideal user experience.
Security experts who have seen the machine were very excited, calling it the next ‘BackTrack’ (a famous system for testing security problems), specifically adjusted for Android application security testing.


AppUse VM closes a gap in the security world: there is now a dedicated, customized testing environment for Android applications. An environment like this has not been available until today, certainly not with the rich feature set offered by AppUse VM.
This machine is intended for the daily use of security testers everywhere who work on Android applications, and is a must-have tool for any security person.


We at AppSec Labs do not stagnate, specifically at a time in which so many cyber attacks take place, we consider it our duty to assist the public and enable quick and effective security testing.


As a part of AppSec Labs’ policy to promote application security in general, and specifically mobile application security, AppUse is offered as a free download on our website, in order to share the knowledge, experience and investment with the data security community.


  • New Application Data section:
    •  Tree-view of the application’s folder/file structure
    •  Ability to pull files
    •  Ability to view files
    •  Ability to edit files
    •  Ability to extract databases
  • Dynamic proxy managed via the Dashboard
  • New application-reversing features
  • Updated ReFrameworker tool
  • Dynamic indicator for Android device status
  • Bug and functionality fixes



Credit:  kitploit

BlueMaho Project – Bluetooth Security Testing Suite

BlueMaho is a GUI shell (interface) for a suite of tools for Bluetooth security testing. It is free and open source, written in Python using wxPython. It can be used to test Bluetooth devices for known vulnerabilities and, more importantly, to find unknown ones. It can also produce useful statistics.

I got interested in Bluetooth for a while and in the security implications of a personal area network protocol that includes discovery/broadcast etc. I ended up posting only one article at the time, though, which was about Haraldscan – BlueTooth Discovery Scanner.


I have a bunch more Bluetooth related resources to share though, so I’ll be putting them out from time to time. Some (like this) aren’t particularly up to date, but give you a great base to start with and play around.


  • Scan for devices, show advanced info, SDP records, vendor etc.
  • Track devices – show where and how many times a device was seen, and its name changes
  • Loop scan – it can scan continuously, showing you online devices
  • Alerts with sound if a new device is found
  • on_new_device – you can specify what command it should run when it finds a new device
  • It can use separate dongles – one for scanning (loop scan) and one for running tools or exploits
  • Send files
  • Change name, class, mode, BD_ADDR of local HCI devices
  • Save results in a database
  • Form nice statistics (unique devices by day/hour, vendors, services etc.)
  • Test remote device for known vulnerabilities (see exploits for more details)
  • Test remote device for unknown vulnerabilities (see tools for more details)
  • Themes! You can customize it
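The tracking features in that list (seen counts, name changes, the on_new_device hook, per-place statistics) come down to a small state machine fed by repeated inquiry scans. The following is an added example, not BlueMaho’s own code: it parses scan output in the layout that hcitool scan prints (one address-and-name line per device) and keeps one record per BD_ADDR. The addresses, names, places and scan results in it are constructed.

```python
"""Track Bluetooth devices across repeated inquiry scans: first/last seen, seen count,
name changes, an on_new_device hook and per-place statistics.

Added example (not BlueMaho code). Input is text in the layout `hcitool scan` prints:
an optional "Scanning ..." banner, then one "<BD_ADDR><tab><name>" line per device.
All addresses, names and scan results below are constructed.
"""
import re

ADDR_LINE = re.compile(r"^\s*(?P<addr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<name>.*?)\s*$")


class DeviceTracker:
    def __init__(self, on_new_device=None):
        self.devices = {}                 # BD_ADDR -> record
        self.on_new_device = on_new_device

    def ingest_scan(self, scan_output, when, where):
        """Feed one scan result; return the (event, addr, detail) tuples it produced."""
        events = []
        for line in scan_output.splitlines():
            m = ADDR_LINE.match(line)
            if m is None:                 # banner lines and blanks
                continue
            addr, name = m["addr"].upper(), m["name"] or "(no name)"
            dev = self.devices.get(addr)
            if dev is None:
                dev = {"first_seen": when, "last_seen": when, "seen": 0,
                       "names": [name], "places": set()}
                self.devices[addr] = dev
                events.append(("new", addr, name))
                if self.on_new_device is not None:
                    self.on_new_device(addr, name)
            elif name != dev["names"][-1]:  # same address, different advertised name
                events.append(("renamed", addr, f"{dev['names'][-1]} -> {name}"))
                dev["names"].append(name)
            dev["seen"] += 1
            dev["last_seen"] = when
            dev["places"].add(where)
        return events

    def seen_count(self, addr):
        return self.devices[addr.upper()]["seen"]

    def stats(self):
        """Unique devices per place, the kind of summary a loop scan accumulates."""
        per_place = {}
        for addr, dev in self.devices.items():
            for place in dev["places"]:
                per_place.setdefault(place, set()).add(addr)
        return {place: len(addrs) for place, addrs in per_place.items()}


# Constructed scan results in hcitool scan layout; the third scan shows a renamed device
# and a device that advertises no name.
SCAN_1 = "Scanning ...\n\t00:11:22:AA:BB:01\tNokia 6300\n\t00:11:22:AA:BB:02\tLaptop\n"
SCAN_2 = "Scanning ...\n\t00:11:22:AA:BB:01\tNokia 6300\n"
SCAN_3 = "Scanning ...\n\t00:11:22:AA:BB:01\tBob's phone\n\t00:11:22:AA:BB:03\t\n"


def run_demo():
    alerts = []
    tracker = DeviceTracker(on_new_device=lambda addr, name: alerts.append(addr))
    events = []
    events += tracker.ingest_scan(SCAN_1, "2015-07-23 09:00", "office")
    events += tracker.ingest_scan(SCAN_2, "2015-07-23 09:05", "office")
    events += tracker.ingest_scan(SCAN_3, "2015-07-23 12:30", "cafe")
    return tracker, events, alerts


if __name__ == "__main__":
    tracker, events, alerts = run_demo()
    for ev in events:
        print(ev)
    print(tracker.stats())
```

The on_new_device callback is where BlueMaho’s configurable command would be run; here it only records the address so the behaviour can be checked.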


The main requirements are:

  • OS (tested with Debian 4.0 Etch / 2.6.18)
  • Python 2.4
  • wxPython
  • BlueZ




Credit: darknet

CheckPoint’s Firewall systems at risk of Shellshock Bash attacks

Companies should check whether their CheckPoint systems have the widespread vulnerability

The Shellshock Bash bug was found in a typical CheckPoint system’s admin panel (WebUI), opening up the possibility that many more business information security systems could be vulnerable if attacked.

The vulnerability exists in the CheckPoint firewall’s administrative WebUI, its DHCP component and other firewall system modules, and affects all CheckPoint firewall versions on the Gaia, SecurePlatform, SecurePlatform 2.6, IPSO 6.2 and Gaia Embedded platforms and all appliance lines: 2012 models, Smart-1, Threat Emulation, UTM-1 and Power-1.

The bug uncovered this week in a widely used component of Linux, Unix and Mac OS X was found in the admin panel of CheckPoint, the largest firewall vendor. Alexey Baltacov, Network Security Architect at Frogteam|Security, said Sunday: “Because many vendors use similar servers, the vulnerability is likely widespread”.

Baltacov declined to expose the vulnerable path in the system but also said:

“I’m pretty sure that there are a bunch of them (vendors), if not a lot of them, that you can be also exploitable”.


The CheckPoint OS platform and its admin panel, which often run on Unix or Linux, are the main components of a CheckPoint firewall system for managing and configuring the organization’s firewall hardware.

Many CheckPoint Firewalls hardware and servers run GNU Bash, which is the component with the critical flaw.

Bash, which stands for Bourne Again Shell, is the default command shell of the operating system.
The bug lets an attacker trick Bash into executing malicious command code by sending it in HTTP request headers: the Common Gateway Interface (CGI), an underlying component of the CheckPoint firewall’s administrative interface, passes request headers to the handling program as environment variables, and a vulnerable Bash executes whatever follows a function definition found in any environment variable.
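The path from request header to shell is mechanical, which is why the attack is so easy to automate and to detect. The following is an added example, not code from CheckPoint, Frogteam|Security or ZIMPERIUM: it shows how CGI turns request headers into HTTP_* environment variables, checks a request for the “() {” function marker every Shellshock payload must start with, and scans Apache-style access-log lines for the same marker. The request headers and log lines in it are constructed.

```python
"""Why a web request reaches Bash through CGI, and how to spot Shellshock probes.

Added example (not from the article or any vendor). CGI (RFC 3875) exports each request
header as an HTTP_* environment variable; an unpatched Bash parsed any environment value
beginning with "() {" as a function definition and executed what followed the closing brace.
The request, header values and log lines below are constructed.
"""
import re

# The exported-function marker every Shellshock payload starts with; spacing varies.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def cgi_env_name(header):
    """User-Agent -> HTTP_USER_AGENT, the variable name a CGI handler sets for the header."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def cgi_environment(headers):
    """The environment an attacker-controlled request produces for a CGI script."""
    return {cgi_env_name(name): value for name, value in headers.items()}


def find_shellshock_probes(headers):
    """Environment variable names whose value a vulnerable Bash would parse as a function."""
    return sorted(cgi_env_name(n) for n, v in headers.items() if SHELLSHOCK_RE.search(v))


# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_access_log(lines):
    """One hit per log line carrying the marker in the request line, Referer or User-Agent."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        where = [f for f in ("request", "referer", "ua") if SHELLSHOCK_RE.search(m[f])]
        if where:
            hits.append({"ip": m["ip"], "request": m["request"],
                         "status": m["status"], "fields": where})
    return hits


# Constructed request: a probe in the User-Agent header alongside ordinary headers.
PROBE_REQUEST = {
    "Host": "fw.example.com",
    "User-Agent": "() { :;}; echo shellshock-probe",
    "Cookie": "session=abc123",
}

# Constructed access-log lines: one benign, two probes with different spacing of the marker.
SAMPLE_ACCESS_LOG = [
    '198.51.100.9 - - [25/Sep/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Sep/2014:10:12:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :;}; echo shellshock-probe"',
    '203.0.113.8 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() {:;}; /bin/sleep 5" "curl/7.38.0"',
]

if __name__ == "__main__":
    print(cgi_environment(PROBE_REQUEST))
    print(find_shellshock_probes(PROBE_REQUEST))
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
```

Note that the marker check is on the raw header value, before any URL decoding or normalization the CGI layer might apply; a 200 response to a probing request (as in the second log line) is what makes a hit worth following up, since a vulnerable CGI script typically still completes normally after the injected command runs.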

Eran Goldstein, Senior Cyber security and malware researcher at ZIMPERIUM said:

“Depending on the architecture of the firewall system, an attacker could manage and reconfigure all firewall hardware and servers and gain access to a company’s internal network. Even if he doesn’t have the username and password (for the firewall server’s admin panel), he can still exploit the vulnerability. Also, once inside the firewall system’s admin panel, a hacker could infect components inside the organization’s network and IT environment.”


Security researchers reported Thursday that hackers were trying to exploit Shellshock in Web servers. On Friday, firewall vendor Incapsula reported that in a 12-hour period, it recorded 725 attacks per hour against a total of 1,800 domains.

“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said.

The attacks originated from 400 unique IP addresses. More than half of the attacks started from China and the U.S.

In general, the attackers were running automated scripts from compromised servers in existing botnets in an attempt to add more systems to the network. Several botnet operators were using re-purposed distributed denial of service (DDoS) bots in an attempt to exploit Shellshock.

CheckPoint responded on the company’s official website:

The OS WebUI may be susceptible to environment changes caused by the Shellshock exploit. At the time of Sep 2014, Check Point is not aware of any exploit on its solutions.


From CheckPoint website:

A Hotfix package is currently available for R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, and R77.20.

This Hotfix package is relevant to the main appliances lines: 2012 models, Smart-1, Threat Emulation, UTM-1, Power-1. For other appliances, see the relevant section below.

For other versions – R65, R70.20, R71.20, R75.10, R75.20 and R75.30, use the Early Availability (EA) solution below. A General Availability (GA) solution will be published within the week of September 29th.




Credit: Frogteam|Security

SIM Card Forensics

The SIM (subscriber identity module) is a fundamental component of cellular phones. It is also known as an integrated circuit card (ICC), a microcontroller-based access module. It is a physical entity and can be either a subscriber identity module (SIM) or a universal integrated circuit card (UICC). A SIM can be removed from one handset and inserted into another; it allows users to port identity, personal information, and service between devices. All cell phones are expected to incorporate some type of identity module eventually, in part because of this useful property. The ICC deployed for 2G GSM networks is called a SIM; for 3G UMTS the card is a UICC running the universal subscriber identity module (USIM) application, and the USIM application accepts only 3G UMTS commands. USIMs are enhanced versions of present-day SIMs and contain backward-compatible information. A USIM has a distinctive feature in that it allows one phone to have multiple numbers. A UICC may carry both a SIM and a USIM application, but the two cannot be active simultaneously.

The first SIM card was about the size of a credit card. As technology developed, cell phones shrank in size and so did the SIM card: the mini-SIM is about one-third the size of a credit card, and today’s smartphones use the micro-SIM, which is smaller still. These SIM cards vary in size, but all provide identification and authentication of the subscriber’s phone to its network, all contain storage for phone numbers, SMS, and other information, and all allow applications to be created on the card itself.


SIM Structure and File Systems

A SIM card contains a processor and an operating system with between 16 and 256 KB of persistent, electrically erasable, programmable read-only memory (EEPROM). It also contains RAM (random access memory) and ROM (read-only memory). The ROM holds the operating system together with the user authentication and data encryption algorithms and other applications; the RAM is the working memory used while programs execute. The hierarchically organized file system of a SIM resides in persistent memory and stores data such as name and phone number entries, text messages, and network service settings. Depending on the phone used, some information on the SIM may coexist in the memory of the phone. Alternatively, information may reside entirely in the memory of the phone instead of in the available memory on the SIM.

The hierarchical file system resides in EEPROM. The file system consists of three types of files: master file (MF), dedicated files, and elementary files. The master file is the root of the file system. Dedicated files are the subordinate directories of master files. Elementary files contain various types of data, structured as either a sequence of data bytes, a sequence of fixed-size records, or a fixed set of fixed-size records used cyclically.


As can be seen in the above figure, dedicated files are subordinate directories under the MF, their contents and functions being defined by the GSM 11.11 standard. Three are usually present: DF(DCS1800), DF(GSM), and DF(Telecom). Also present directly under the MF is EF(ICCID). Subordinate to each of the DFs are supporting EFs, which contain the actual data. The EFs under DF(DCS1800) and DF(GSM) contain network-related information and the EFs under DF(Telecom) contain the service-related information.

All the files have headers, but only EFs contain data. The first byte of every header identifies the file type and the header contains the information related to the structure of the files. The body of an EF contains information related to the application. Files can be either administrative- or application-specific and access to stored data is controlled by the operating system.

Security in SIM

SIM cards have built-in security features. The three file types, MF, DF, and EF, contain the security attributes. These security features filter every execution and allow only those with proper authorization to access the requested functionality. There are different levels of access conditions in DF and EF files. They are:

  • Always—This condition allows access to the file without any restrictions.
  • Card holder verification 1 (CHV1)—This condition allows access to the file after successful verification of the user’s PIN, or if PIN verification is disabled.
  • Card holder verification 2 (CHV2)—This condition allows access to the file after successful verification of the user’s PIN2, or if PIN2 verification is disabled.
  • Administrative (ADM)—The card issuer that provides the SIM to the subscriber can access the file only after the prescribed requirements for administrative access are fulfilled.
  • Never (NEV)—Access to the file over the SIM/ME interface is forbidden.

The SIM operating system controls access to an element of the file system based on its access condition and the type of action being attempted. It allows only a limited number of attempts, usually three, to enter the correct CHV before further attempts are blocked. Unblocking requires the PUK (PIN unblocking key), which resets the CHV and the attempt counter. If the subscriber is known, the unblock code for CHV1/CHV2 can be obtained from the service provider.

Sensitive Data in SIM


The SIM card contains sensitive information about the subscriber. Data such as contact lists and messages can be stored in SIM. SIM cards themselves contain a repository of data and information, some of which is listed below:

  • Integrated circuit card identifier (ICCID)
  • International mobile subscriber identity (IMSI)
  • Service provider name (SPN)
  • Mobile country code (MCC)
  • Mobile network code (MNC)
  • Mobile subscriber identification number (MSIN)
  • Mobile station international subscriber directory number (MSISDN)
  • Abbreviated dialing numbers (ADN)
  • Last dialed numbers (LDN)
  • Short message service (SMS)
  • Language preference (LP)
  • Card holder verification (CHV1 and CHV2)
  • Ciphering key (Kc)
  • Ciphering key sequence number
  • Emergency call code
  • Fixed dialing numbers (FDN)
  • Local area identity (LAI)
  • Own dialing number
  • Temporary mobile subscriber identity (TMSI)
  • Routing area identifier (RAI) network code
  • Service dialing numbers (SDNs)

These data have forensic value and are spread across the EF files. We now discuss some of them.

A. Service Related Information

ICCID: The integrated circuit card identification is a unique numeric identifier for the SIM that can be up to 20 digits long. It consists of an industry identifier prefix (89 for telecommunications), followed by a country code, an issuer identifier number, and an individual account identification number.
Twenty-digit ICCIDs have an additional check digit. One example of the interpretation of a hypothetical twenty-digit ICCID (89 310 410 10 654378930 5) is shown below.

  • Issuer identification number (IIN), variable in length up to a maximum of seven digits:

-The first two digits are fixed and make up the industry identifier. “89” refers to the telecommunications industry.

-The next two or three digits refer to the mobile country code (MCC) as defined by ITU-T recommendation E.212. “310” refers to the United States.

-The next one to four digits refer to the mobile network code (MNC), a fixed number assigned to an operator within a country or world zone. “410” refers to the operator AT&T Mobility.

-The next two digits, “10,” pertain to the home location register.

  • Individual account identification, variable in length:

-The next nine digits, “654378930,” represent the individual account identification number. Every number under one IIN has the same number of digits.

  • Check digit: the last digit, “5,” is computed from the other 19 digits using the Luhn algorithm (for this payload the Luhn check digit is 5).

IMSI: The international mobile subscriber identity is a unique 15-digit number assigned to the subscriber. It has a structure similar to the ICCID and consists of the MCC, MNC, and MSIN. An example of interpreting a hypothetical 15-digit IMSI (302 720 123456789) is shown below:

  • MCC—The first three digits identify the country. “302″ refers to Canada.
  • MNC—The next two (European Standard) or three digits (North American Standard) identify the operator. “720″ refers to Rogers Communications.
  • MSIN—The next nine digits, “123456789,” identify the mobile unit within a carrier’s GSM network

MSISDN—The Mobile Station International Subscriber Directory Number is intended to convey the telephone number assigned to the subscriber for receiving calls on the phone. An example of the MSISDN format is shown below:

  • CC can be up to 3 digits.
  • NDC usually 2 or 3 digits.
  • SN can be up to a maximum 10 digits.
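The identifiers above are stored on the card as nibble-swapped BCD in EF_ICCID and EF_IMSI, and the ICCID’s last digit is a Luhn check digit over the preceding ones (for the payload 8931041010654378930 that digit works out to 5). The following is an added example, not from the article or from any of the tools discussed later: it decodes both files from raw bytes, validates the ICCID and splits the IMSI into MCC, MNC and MSIN. The raw bytes are constructed from the article’s example identifiers; the MNC length has to be supplied, since it is not recoverable from the IMSI digits alone.

```python
"""Decode EF_ICCID and EF_IMSI from their raw SIM file bodies and validate the ICCID.

Added example (not from the article or any named forensic tool). Encodings follow
ETSI TS 151 011: EF_ICCID is 10 bytes of nibble-swapped BCD, F-padded; EF_IMSI is a
length byte, then a byte whose low nibble holds the identity type and parity and whose
high nibble is digit 1, followed by the remaining digits in swapped BCD.
The raw bytes below are constructed from the article's example identifiers.
"""


def swapped_bcd(data):
    """Decode nibble-swapped BCD (low nibble first); an F nibble ends the value."""
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)
    return digits.split("f")[0]


def luhn_check_digit(payload):
    """Check digit that makes payload+digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # the digit nearest the check digit is doubled first
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def iccid_is_valid(iccid):
    """The last digit must be the Luhn check digit of everything before it."""
    return (iccid.isdigit() and 2 <= len(iccid) <= 20
            and luhn_check_digit(iccid[:-1]) == iccid[-1])


def decode_ef_iccid(raw):
    """EF_ICCID body: 10 bytes, swapped BCD; a 19-digit ICCID ends in an F nibble."""
    return swapped_bcd(raw)


def decode_ef_imsi(raw):
    """EF_IMSI body: length byte, then the Mobile Identity coding of 3GPP TS 24.008."""
    length = raw[0]
    body = raw[1:1 + length]
    if body[0] & 0x07 != 0x01:    # bits 1-3 of the first nibble: 001 = IMSI
        raise ValueError("not an IMSI record")
    return f"{body[0] >> 4:x}" + swapped_bcd(body[1:])


def split_imsi(imsi, mnc_len):
    """MCC is always 3 digits; the MNC is 2 or 3 digits depending on the operator."""
    if len(imsi) != 15 or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 15 digits with a 2- or 3-digit MNC")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


# Constructed EF bodies for the article's example identifiers.
EF_ICCID_RAW = bytes.fromhex("98 13 40 01 01 56 34 87 39 50")   # 89310410106543789305
EF_IMSI_RAW = bytes.fromhex("08 39 20 27 10 32 54 76 98")       # 302720123456789

if __name__ == "__main__":
    iccid = decode_ef_iccid(EF_ICCID_RAW)
    print(iccid, "Luhn ok" if iccid_is_valid(iccid) else "Luhn FAILED")
    print(split_imsi(decode_ef_imsi(EF_IMSI_RAW), mnc_len=3))
```

A failed Luhn check on an acquired ICCID is worth noting in a report: it usually means a misread card or a transcription error rather than a genuinely malformed card.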

B. Phonebook and Call Information

1. Abbreviated dialing numbers (ADN)—The ADN EF holds the subscriber’s phonebook: the names and numbers the user has saved, together with the type of number and numbering plan identification for each entry. Because the subscriber, not the service provider, writes these entries, they can be attributed to the user of the phone. Most SIMs provide 100 slots for ADN entries.

2. Fixed dialing numbers (FDN)—The FDN EF has the same record layout as the ADN EF (contact names and numbers), but a different purpose: when the FDN service is enabled, the phone may only place calls to the numbers on this list, and changing the list requires CHV2 (PIN2).

3. Last number dialed (LND)—The LND EF contains the number most recently dialed by the subscriber. The number and name associated with that number is stored in this entry. Depending upon the phone, it is also conceivable that the information may be stored in the handset and not on the SIM. Any numbers that may be present can provide valuable information to an investigator.


XML Phonebook Entry

C. Messaging Information—Messaging is a communication medium by which text is entered on one cell phone and delivered via the mobile phone network. The short message service EF contains the texts and the associated parameters for each message. SMS entries contain other information besides the text itself, such as the time an incoming message was sent, as recorded by the mobile phone network, the sender’s phone number, the SMS center address, and the status of the entry. An SMS is limited to either 160 characters (7-bit GSM alphabet) or 70 characters (UCS-2, for other alphabets). Longer messages are broken down by the sending phone and reassembled by the receiving phone.
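Phonebook (B) and SMS (C) entries are fixed-format EF records, and decoding them is most of what a SIM forensic tool does. The following is an added example, not the article’s code or that of any tool named below, that decodes one EF_ADN record (alpha identifier, TON/NPI and swapped-BCD number) and one EF_SMS record (status byte, SMSC address, then the SMS-DELIVER TPDU with sender, service-centre time stamp and 7-bit packed text). Both records are constructed; the names and numbers in them are fictitious.

```python
"""Decode EF_ADN (phonebook) and EF_SMS records as read from a SIM.

Added example (not from the article or any named tool). Layouts follow ETSI TS 151 011
(EF_ADN: alpha identifier, length byte, TON/NPI, 10 bytes swapped BCD, CCP, EXT1;
EF_SMS: status byte, SMSC address, then an SMS TPDU as in 3GPP TS 23.040).
Both records below are constructed with fictitious names and numbers.
"""


def swapped_bcd(data):
    """Nibble-swapped BCD, low nibble first; an F nibble ends the value."""
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)
    return digits.split("f")[0]


def number_with_ton(ton_npi, bcd):
    """Prefix '+' when the type-of-number bits (b7-b5) say 'international'."""
    return ("+" if (ton_npi >> 4) & 0x07 == 1 else "") + swapped_bcd(bcd)


def decode_adn(record):
    """Return {'name', 'number'} or None for an unused (all-FF) slot."""
    alpha_len = len(record) - 14                  # fixed tail: 1 + 1 + 10 + 1 + 1 bytes
    alpha = record[:alpha_len].rstrip(b"\xff")
    bcd_len = record[alpha_len]
    if bcd_len == 0xFF:
        return None
    if alpha[:1] == b"\x80":                      # UCS-2 alpha identifier
        name = alpha[1:].decode("utf-16-be")
    else:                                         # GSM default alphabet; ASCII subset shown
        name = alpha.decode("ascii", errors="replace")
    number = number_with_ton(record[alpha_len + 1],
                             record[alpha_len + 2: alpha_len + 1 + bcd_len])
    return {"name": name, "number": number}


def unpack_7bit(data, septets):
    """GSM 7-bit packing: septet i occupies bits 7i..7i+6 of the little-endian bit stream."""
    bits = int.from_bytes(data, "little")
    # chr() is exact for the ASCII subset; a full GSM 03.38 table is needed for other glyphs.
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


SMS_STATUS = {0x01: "received, read", 0x03: "received, unread",
              0x05: "sent", 0x07: "to be sent"}


def decode_sms_deliver(record):
    """Decode an EF_SMS record holding an SMS-DELIVER TPDU; None for a free slot."""
    status = record[0]
    if status in (0x00, 0xFF):
        return None
    pos = 1
    smsc_len = record[pos]                        # bytes that follow, TON/NPI included
    smsc = number_with_ton(record[pos + 1], record[pos + 2: pos + 1 + smsc_len])
    pos += 1 + smsc_len
    if record[pos] & 0x03 != 0x00:                # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    pos += 1
    oa_digits, oa_ton = record[pos], record[pos + 1]   # originating address
    pos += 2
    oa_len = (oa_digits + 1) // 2
    sender = number_with_ton(oa_ton, record[pos: pos + oa_len])
    pos += oa_len
    dcs = record[pos + 1]                         # skip TP-PID, read TP-DCS
    pos += 2
    ts = swapped_bcd(record[pos: pos + 6])        # YYMMDDhhmmss
    tz_raw = record[pos + 6]                      # quarter hours; bit 3 is the sign
    tz = int(swapped_bcd(bytes([tz_raw & 0xF7]))) * (-1 if tz_raw & 0x08 else 1)
    pos += 7
    udl = record[pos]
    pos += 1
    if dcs & 0x0C == 0x00:                        # GSM 7-bit default alphabet
        text = unpack_7bit(record[pos: pos + (udl * 7 + 7) // 8], udl)
    elif dcs & 0x0C == 0x08:                      # UCS-2
        text = record[pos: pos + udl].decode("utf-16-be")
    else:                                         # 8-bit data
        text = record[pos: pos + udl].hex()
    return {"status": SMS_STATUS.get(status, f"0x{status:02x}"), "smsc": smsc,
            "sender": sender, "tz_quarter_hours": tz, "text": text,
            "timestamp": f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"}


# Constructed 24-byte ADN record (10-byte alpha field): "Alice", +14155550123.
ADN_RECORD = bytes.fromhex("41 6c 69 63 65 ff ff ff ff ff"   # alpha identifier
                           "07 91 41 51 55 05 21 f3 ff ff ff ff"  # len, TON/NPI, BCD number
                           "ff ff")                         # CCP, EXT1

# Constructed 176-byte SMS record: unread "Hello" from +14155550123 via SMSC +12063130004.
SMS_RECORD = bytes.fromhex(
    "03"                        # status: received, unread
    "07 91 21 60 13 03 00 f4"   # SMSC address: +12063130004
    "04"                        # first octet: SMS-DELIVER, no more messages
    "0b 91 41 51 55 05 21 f3"   # TP-OA: 11 digits, international, +14155550123
    "00 00"                     # TP-PID, TP-DCS (7-bit default alphabet)
    "51 70 32 41 50 90 00"      # TP-SCTS: 2015-07-23 14:05:09, tz +0
    "05 c8 32 9b fd 06"         # TP-UDL = 5 septets, "Hello" packed
).ljust(176, b"\xff")

if __name__ == "__main__":
    print(decode_adn(ADN_RECORD))
    print(decode_sms_deliver(SMS_RECORD))
```

The status byte is what lets a tool tell read from unread and sent from received messages, and a status of 0x00 marks a slot that is free but may still hold the bytes of an earlier, “deleted” message; that residue is the source of the deleted-SMS recovery some tools advertise.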

Tools for SIM Forensics

To perform a forensic investigation on a SIM card, it has to be removed from the phone and connected to a SIM card reader. The original data on the SIM is preserved by eliminating write requests to the SIM during its analysis. A hash of the acquired data is then calculated; hashing is used to verify the integrity of the data, that is, whether it has changed or not. Many forensic tools are available, but no single tool can extract data from every type of phone and SIM card. Some well-known tools:

Encase Smartphone Examiner: This tool is specifically designed for gathering data from smartphones and tablets such as iPhone, iPad, etc. It can capture evidence from devices that use the Apple iOS, HP Palm OS, Windows Mobile OS, Google Android OS, or RIM Blackberry OS. It can acquire data from Blackberry and iTunes backup files as well as a multitude of SD cards. The evidence can be seamlessly integrated into EnCase Forensic.


MOBILedit! Forensic: This tool can analyze phones via Bluetooth, IrDA, or cable connection; it analyzes SIMs through SIM readers and can read deleted messages from the SIM card.


pySIM: A SIM card management tool capable of creating, editing, deleting, and performing backup and restore operations on the SIM phonebook and SMS records.


AccessData Mobile Phone Examiner (MPE) Plus: This tool supports more than 7,000 phones, including iOS, Android, BlackBerry, Windows Mobile and Chinese devices, and can be purchased as hardware with a SIM card reader and data cables. File systems are immediately viewable and can be parsed in MPE+ to locate lock codes, EXIF data, and any other data contained in the mobile phone’s file system.


SIMpull: SIMpull is a powerful tool, a SIM card acquisition application that allows you to acquire the entire contents of a SIM card. This capability includes the retrieval of deleted SMS messages, a feature not available on many other commercial SIM card acquisition programs. SIMpull first determines if the card is either a GSM SIM or 3G USIM, then performs a logical acquisition of all files defined in either ETSI TS 151.011 (GSM) or ETSI TS 131.102 (USIM) standards.


As can be seen in above figure, by using the SIMpull application we can see the information of SMS such as a SMS text and its length, the SMS sender’s number information, service center information, etc.


CREDIT:  Rohit Shaw – eforensicsmag