GITBOOK-3877: change request with no subject merged in GitBook

network-services-pentesting/pentesting-voip/README.md

@@ -20,8 +20,6 @@ To start learning about how VoIP works check:
 [basic-voip-protocols](basic-voip-protocols/)
 {% endcontent-ref %}
 
-## VoIP Red Team Methodology
-
 ## VoIP Enumeration
 
 ### Telephone Numbers
@@ -225,7 +223,7 @@ It's possible to send these codes in **INFO SIP messages**, in **audio** or insi
 multimon -a DTMF -t wac pin.wav
 ```
 
-### Asterisks Misconfigurations
+### Asterisks Connections Misconfigurations
 
 In Asterisk it's possible to allow a connection **from an specific IP address** or from **any IP address**:
 
@@ -257,6 +255,143 @@ For example, this configuration would be vulnerable:\
 `type=friend`
 {% endhint %}
 
+### Asterisks Context Misconfigurations
+
+In Asterisk a **context** is a named container or section in the dial plan that **groups together related extensions, actions, and rules**. The dial plan is the core component of an Asterisk system, as it defines **how incoming and outgoing calls are handled and routed**. Contexts are used to organize the dial plan, manage access control, and provide separation between different parts of the system.
+
+Each context is defined in the configuration file, typically in the **`extensions.conf`** file. Contexts are denoted by square brackets, with the context name enclosed within them. For example:
+
+```bash
+csharpCopy code[my_context]
+```
+
+Inside the context, you define extensions (patterns of dialed numbers) and associate them with a series of actions or applications. These actions determine how the call is processed. For instance:
+
+```scss
+[my_context]
+exten => 100,1,Answer()
+exten => 100,n,Playback(welcome)
+exten => 100,n,Hangup()
+```
+
+This example demonstrates a simple context called "my\_context" with an extension "100". When someone dials 100, the call will be answered, a welcome message will be played, and then the call will be terminated.
+
+This is **another context** that allows to **call to any other number**:
+
+```scss
+[external]
+exten => _X.,1,Dial(SIP/trunk/${EXTEN})
+```
+
+If the admin defines the **default context** as:
+
+```
+[default]
+include => my_context
+include => external
+```
+
+{% hint style="warning" %}
+Anyone will be able to use the **server to call to any other number** (and the admin of the server will pay for the call).
+{% endhint %}
+
+{% hint style="danger" %}
+Moreover, by default the **`sip.conf`** file contains **`allowguest=true`**, then **any** attacker with **no authentication** will be able to call to any other number.
+{% endhint %}
+
+*   **`sipinvite.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipinvite checks if a **PBX server allows us to make calls without authentication**. If the SIP server has an incorrect configuration, it will allow us to make calls to external numbers. It can also allow us to transfer the call to a second external number.
+
+    For example, if your Asterisk server has a bad context configuration, you can accept INVITE request without authorization. In this case, an attacker can make calls without knowing any user/pass.
+
+{% code overflow="wrap" %}
+```bash
+# Trying to make a call to the number 555555555 (without auth) with source number 200.
+python3 sipinvite.py -i  192.168.0.1 -fu 200 -tu 555555555 -v
+
+# Trying to make a call to the number 555555555 (without auth) and transfer it to number 444444444.
+python3 sipinvite.py -i 192.168.0.1 -tu 555555555 -t 444444444
+```
+{% endcode %}
+
+### Misconfigured IVRS
+
+IVRS stands for **Interactive Voice Response System**, a telephony technology that allows users to interact with a computerized system through voice or touch-tone inputs. IVRS is used to build **automated call handling** systems that offer a range of functionalities, such as providing information, routing calls, and capturing user input.
+
+IVRS in VoIP systems typically consists of:
+
+1. **Voice prompts**: Pre-recorded audio messages that guide users through the IVR menu options and instructions.
+2. **DTMF** (Dual-Tone Multi-Frequency) signaling: Touch-tone inputs generated by pressing keys on the phone, which are used to navigate through the IVR menus and provide input.
+3. **Call routing**: Directing calls to the appropriate destination, such as specific departments, agents, or extensions based on user input.
+4. **User input capture**: Collecting information from callers, such as account numbers, case IDs, or any other relevant data.
+5. **Integration with external systems**: Connecting the IVR system to databases or other software systems to access or update information, perform actions, or trigger events.
+
+In an Asterisk VoIP system, you can create an IVR using the dial plan (**`extensions.conf`** file) and various applications such as `Background()`, `Playback()`, `Read()`, and more. These applications help you play voice prompts, capture user input, and control the call flow.
+
+#### Example of vulnerable configuration
+
+```scss
+exten => 0,100,Read(numbers,the_call,,,,5)
+exten => 0,101,GotoIf("$[${numbers}"="1"]?200)
+exten => 0,102,GotoIf("$[${numbers}"="2"]?300)
+exten => 0,103,GotoIf("$[${numbers}"=""]?100)
+exten => 0,104,Dial(LOCAL/${numbers})
+```
+
+The previous is a example where the user is asked to **press 1 to call** a department, **2 to call** another, or **the complete extension** if he knows it.\
+The vulnerability is the fact that the indicated **extension length is not checked, so a user could input the 5seconds timeout a complete number and it will be called.**
+
+### Extension Injection
+
+Using a extension such as:
+
+```scss
+exten => _X.,1,Dial(SIP/${EXTEN})
+```
+
+Where **`${EXTEN}`** is the **extension** that will be called, when the **ext 101 is introduced** this is what would happen:
+
+```scss
+exten => 101,1,Dial(SIP/101)
+```
+
+However, if **`${EXTEN}`** allows to introduce **more than numbers** (like in older Asterisk versions), an attacker could introduce **`101&SIP123123123`** to call the phone number 123123123. And this would be the result:
+
+```scss
+exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123)
+```
+
+Therefore, a call to the extension **`101`** and **`123123123`** will be send and only the first one getting the call would be stablished... but if an attacker use an **extension that bypasses any match** that is being performed but doesn't exist, he could be **inject a call only to the desired number**.
+
+### Click2Call
+
+Click2Call allows a **web user** (who for example might be interested in a product) to **introduce** his **telephone number** to get called. Then a commercial will be called, and when he **picks up the phone** the user will be **called and connected with the agent**.
+
+A common Asterisk profile for this is:
+
+```scss
+[web_user]
+secret = complex_password
+deny = 0.0.0.0/0.0.0.0
+allow = 0.0.0.0/0.0.0.0
+displayconnects = yes
+read = system,call,log,verbose,agent,user,config,dtmf,reporting,crd,diapla
+write = system,call,agent,user,config,command,reporting,originate
+```
+
+* The previos profile is allowing **ANY IP address to connect** (if the password is known).
+* To **organize a call**, like specified previously, **no read permissions is necessary** and **only** **originate** in **write** is needed.
+
+With those permissions any IP knowing the password could connect and extract too much info, like:
+
+{% code overflow="wrap" %}
+```bash
+# Get all the peers
+exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecret:password\nEvents: off\n\nAction:Command\nCommand: sip show peers\n\nAction: logoff\n\n">&3 && cat <&3
+```
+{% endcode %}
+
+**More information or actions could be requested.**
+
 <details>
 
 <summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>