User manual
| Content of Profile | Should recycling be enabled? |
|---|---|
| Ten phone lines on first system | No – these phone lines all reach the same system and a single username/password database. |
| Twenty phone lines on second system | No – these phone lines also share a single username/password database. |
| Fifteen miscellaneous phone lines | Yes – Any modems connected to these phone lines probably reach multiple systems, each with its own username/password database. |
Small profiles are also easier to recreate and rescan if data gets corrupted by events such as the
computer’s plug being pulled or a blackout (this has happened to customers with large profiles).
4.6.4 Find Modems First
The Find Modems First check box controls the order of operations in a Penetrate-mode scan and comes
checked as a default setting.
When checked, PhoneSweep first scans all numbers in a profile to identify which ones have modems, and
then goes back and attempts to brute-force the modems it has discovered.
Find Modems First should always be enabled if username/password recycling is active; otherwise
PhoneSweep will try its entire username/password database against the first modem it discovers before
proceeding to any other number.
4.6.5 Limiting numbers of calls and brute-force attempts
Some systems lock a user out if there are too many unsuccessful attempts to log in to their account.
Therefore, PhoneSweep can be configured to set the maximum calls per phone number per day, as well as
maximum guesses per username per day. PhoneSweep’s default value for both is Unlimited. Use the
scrollbar in the lower left corner of the Effort dialog box to change these values.
If you limit the number of guesses per username per day, you should also limit the calls per number
per day. If you do not do this, PhoneSweep may call numbers that it cannot brute-force because that
guess would exceed the number of guesses per username per day. This results in a situation where
PhoneSweep cannot make any username/password guesses, but continues to dial phone numbers.
We do not recommend that maximum calls per day be limited when performing a scan in
Sequential mode. Limiting the maximum number of calls per day during a sequential scan may result in
PhoneSweep stopping, unable to make any calls. This happens when the next number in sequence has
already been called the allowed number of times.
If PhoneSweep calls a number that turns out to be busy, that call does not count against the maximum
number of calls that can be made to that number per day, since the call was not completed.
After you have configured PhoneSweep to the correct level of effort, be sure to save any changes you
have made.
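The interaction between the two limits described in this section, as an added example (a simplified model written for this page, not PhoneSweep code). It assumes guess budgets are tracked per number and username, that each completed call allows `guesses_per_call` guesses, and that a day has room for `dial_slots` dial attempts; these parameters, the phone numbers and the usernames are constructed for illustration.

```python
from collections import defaultdict
from math import ceil

def simulate_day(numbers, usernames, max_guesses, max_calls,
                 guesses_per_call=3, dial_slots=20, busy=frozenset()):
    """Model one day of round-robin dialing under the two daily limits.

    max_guesses / max_calls of None mean Unlimited (the default).
    Returns (calls_with_guesses, calls_without_guesses, total_guesses).
    """
    calls = defaultdict(int)   # completed calls per number
    used = defaultdict(int)    # guesses per (number, username)
    useful = wasted = total = 0
    for slot in range(dial_slots):
        number = numbers[slot % len(numbers)]
        if max_calls is not None and calls[number] >= max_calls:
            continue           # daily call budget for this number is spent
        if (slot, number) in busy:
            continue           # busy: call not completed, so not counted
        calls[number] += 1
        made = 0
        for user in usernames:
            while made < guesses_per_call and (
                    max_guesses is None or used[number, user] < max_guesses):
                used[number, user] += 1
                made += 1
        total += made
        useful += made > 0
        wasted += made == 0    # a completed call on which no guess was allowed
    return useful, wasted, total

def matching_call_limit(usernames, max_guesses, guesses_per_call=3):
    """Calls per number per day needed to spend the guess budget exactly."""
    return ceil(len(usernames) * max_guesses / guesses_per_call)

# Constructed sample data: two fictional modem numbers, two usernames.
NUMBERS = ["555-0100", "555-0101"]
USERS = ["admin", "guest"]

if __name__ == "__main__":
    print("guess limit only:", simulate_day(NUMBERS, USERS, 3, None))
    limit = matching_call_limit(USERS, 3)
    print("both limits     :", simulate_day(NUMBERS, USERS, 3, limit))
    print("with a busy call:", simulate_day(NUMBERS, USERS, 3, limit,
                                            busy={(0, "555-0100")}))
```

With only the guess limit set, most completed calls in the model make no guesses at all; adding the matching call limit removes them, and a busy call leaves the call budget untouched.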
4.6.6 The bruteforce.txt file
In Penetrate level of effort, PhoneSweep uses a file called bruteforce.txt as the source of the
username/password combinations that it will try when it attempts to break into remote systems. This file is
initially read into an internal database for each new profile created, and can be viewed via the
Setup->Effort tab. When a profile is copied using Copy or Rescan, the internal database is copied as well. The