diff --git a/network-services-pentesting/pentesting-voip/README.md b/network-services-pentesting/pentesting-voip/README.md index 10e08ccd..28899d11 100644 --- a/network-services-pentesting/pentesting-voip/README.md +++ b/network-services-pentesting/pentesting-voip/README.md @@ -225,6 +225,38 @@ It's possible to send these codes in **INFO SIP messages**, in **audio** or insi multimon -a DTMF -t wac pin.wav ``` +### Asterisks Misconfigurations + +In Asterisk it's possible to allow a connection **from an specific IP address** or from **any IP address**: + +``` +host=10.10.10.10 +host=dynamic +``` + +If an IP address is specified, the host **won't need to send REGISTER** requests every once in a while (in the REGISTER packet is sent the time to live, usually 30min, which means that in other scenario the phone will need to REGISTER every 30mins). However, it'll need to have open ports allowing connections from the VoIP server to take calls. + +To define users they can be defined as: + +* **`type=user`**: The user can only receive calls as user. +* **`type=friend`**: It's possible to perform calls as peer and receive them as user (used with extensions) +* **`type=peer`**: It's possible to send and receive calls as peer (SIP-trunks) + +It's also possible to establish trust with the insecure variable: + +* **`insecure=port`**: Allows peer connections validated by IP. +* **`insecure=invite`**: Doesn't require authentication for INVITE messages +* **`insecure=port,invite`**: Both + +{% hint style="warning" %} +When **`type=friend`** is used, the **value** of the **host** variable **won't be used**, so if an admin **misconfigure a SIP-trunk** using that value, **anyone will be able to connect to it**. + +For example, this configuration would be vulnerable:\ +`host=10.10.10.10`\ +`insecure=port,invite`\ +`type=friend` +{% endhint %} +
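Review bot: The warning hint that closes the new "Asterisks Misconfigurations" section shows only the vulnerable combination (`host=10.10.10.10`, `insecure=port,invite`, `type=friend`) and never states what the admin should have written instead. The list earlier in the same hunk already associates `type=peer` with SIP-trunks, so if that is the intended fix, say so explicitly in the hint. It should also note that `insecure=invite` on its own drops authentication for INVITE messages, so readers can see which setting contributes what. Smaller points in the same hunk: the heading should read "Asterisk Misconfigurations", "from an specific IP address" should be "from a specific IP address", and the two-line `host=` example does not say which line is the fixed-IP case and which is the any-IP case; a short comment on each line would remove the guesswork.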