From 551efedf6a19463738ff6f5343e0b70b04920318 Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 18 Apr 2023 04:09:32 +0000 Subject: [PATCH] GITBOOK-3877: change request with no subject merged in GitBook --- .../pentesting-voip/README.md | 141 +++++++++++++++++- 1 file changed, 138 insertions(+), 3 deletions(-) diff --git a/network-services-pentesting/pentesting-voip/README.md b/network-services-pentesting/pentesting-voip/README.md index 28899d115..a7d32dd9c 100644 --- a/network-services-pentesting/pentesting-voip/README.md +++ b/network-services-pentesting/pentesting-voip/README.md @@ -20,8 +20,6 @@ To start learning about how VoIP works check: [basic-voip-protocols](basic-voip-protocols/) {% endcontent-ref %} -## VoIP Red Team Methodology - ## VoIP Enumeration ### Telephone Numbers @@ -225,7 +223,7 @@ It's possible to send these codes in **INFO SIP messages**, in **audio** or insi multimon -a DTMF -t wac pin.wav ``` -### Asterisks Misconfigurations +### Asterisks Connections Misconfigurations In Asterisk it's possible to allow a connection **from an specific IP address** or from **any IP address**: 
@@ -257,6 +255,143 @@ For example, this configuration would be vulnerable:\ `type=friend` {% endhint %} +### Asterisks Context Misconfigurations + +In Asterisk a **context** is a named container or section in the dial plan that **groups together related extensions, actions, and rules**. The dial plan is the core component of an Asterisk system, as it defines **how incoming and outgoing calls are handled and routed**. Contexts are used to organize the dial plan, manage access control, and provide separation between different parts of the system. + +Each context is defined in the configuration file, typically in the **`extensions.conf`** file. Contexts are denoted by square brackets, with the context name enclosed within them. For example: + +```bash +csharpCopy code[my_context] +``` + +Inside the context, you define extensions (patterns of dialed numbers) and associate them with a series of actions or applications. These actions determine how the call is processed. For instance: + +```scss +[my_context] +exten => 100,1,Answer() +exten => 100,n,Playback(welcome) +exten => 100,n,Hangup() +``` + +This example demonstrates a simple context called "my\_context" with an extension "100". When someone dials 100, the call will be answered, a welcome message will be played, and then the call will be terminated. + +This is **another context** that allows to **call to any other number**: + +```scss +[external] +exten => _X.,1,Dial(SIP/trunk/${EXTEN}) +``` + +If the admin defines the **default context** as: + +``` +[default] +include => my_context +include => external +``` + +{% hint style="warning" %} +Anyone will be able to use the **server to call to any other number** (and the admin of the server will pay for the call). +{% endhint %} + +{% hint style="danger" %} +Moreover, by default the **`sip.conf`** file contains **`allowguest=true`**, then **any** attacker with **no authentication** will be able to call to any other number. 
+{% endhint %} + +* **`sipinvite.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipinvite checks if a **PBX server allows us to make calls without authentication**. If the SIP server has an incorrect configuration, it will allow us to make calls to external numbers. It can also allow us to transfer the call to a second external number. + + For example, if your Asterisk server has a bad context configuration, you can accept INVITE request without authorization. In this case, an attacker can make calls without knowing any user/pass. + +{% code overflow="wrap" %} +```bash +# Trying to make a call to the number 555555555 (without auth) with source number 200. +python3 sipinvite.py -i 192.168.0.1 -fu 200 -tu 555555555 -v + +# Trying to make a call to the number 555555555 (without auth) and transfer it to number 444444444. +python3 sipinvite.py -i 192.168.0.1 -tu 555555555 -t 444444444 +``` +{% endcode %} + +### Misconfigured IVRS + +IVRS stands for **Interactive Voice Response System**, a telephony technology that allows users to interact with a computerized system through voice or touch-tone inputs. IVRS is used to build **automated call handling** systems that offer a range of functionalities, such as providing information, routing calls, and capturing user input. + +IVRS in VoIP systems typically consists of: + +1. **Voice prompts**: Pre-recorded audio messages that guide users through the IVR menu options and instructions. +2. **DTMF** (Dual-Tone Multi-Frequency) signaling: Touch-tone inputs generated by pressing keys on the phone, which are used to navigate through the IVR menus and provide input. +3. **Call routing**: Directing calls to the appropriate destination, such as specific departments, agents, or extensions based on user input. +4. **User input capture**: Collecting information from callers, such as account numbers, case IDs, or any other relevant data. +5. 
**Integration with external systems**: Connecting the IVR system to databases or other software systems to access or update information, perform actions, or trigger events. + +In an Asterisk VoIP system, you can create an IVR using the dial plan (**`extensions.conf`** file) and various applications such as `Background()`, `Playback()`, `Read()`, and more. These applications help you play voice prompts, capture user input, and control the call flow. + +#### Example of vulnerable configuration + +```scss +exten => 0,100,Read(numbers,the_call,,,,5) +exten => 0,101,GotoIf("$[${numbers}"="1"]?200) +exten => 0,102,GotoIf("$[${numbers}"="2"]?300) +exten => 0,103,GotoIf("$[${numbers}"=""]?100) +exten => 0,104,Dial(LOCAL/${numbers}) +``` + +The previous is a example where the user is asked to **press 1 to call** a department, **2 to call** another, or **the complete extension** if he knows it.\ +The vulnerability is the fact that the indicated **extension length is not checked, so a user could input the 5seconds timeout a complete number and it will be called.** + +### Extension Injection + +Using a extension such as: + +```scss +exten => _X.,1,Dial(SIP/${EXTEN}) +``` + +Where **`${EXTEN}`** is the **extension** that will be called, when the **ext 101 is introduced** this is what would happen: + +```scss +exten => 101,1,Dial(SIP/101) +``` + +However, if **`${EXTEN}`** allows to introduce **more than numbers** (like in older Asterisk versions), an attacker could introduce **`101&SIP123123123`** to call the phone number 123123123. And this would be the result: + +```scss +exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123) +``` + +Therefore, a call to the extension **`101`** and **`123123123`** will be send and only the first one getting the call would be stablished... but if an attacker use an **extension that bypasses any match** that is being performed but doesn't exist, he could be **inject a call only to the desired number**. 
+ +### Click2Call + +Click2Call allows a **web user** (who for example might be interested in a product) to **introduce** his **telephone number** to get called. Then a commercial will be called, and when he **picks up the phone** the user will be **called and connected with the agent**. + +A common Asterisk profile for this is: + +```scss +[web_user] +secret = complex_password +deny = 0.0.0.0/0.0.0.0 +allow = 0.0.0.0/0.0.0.0 +displayconnects = yes +read = system,call,log,verbose,agent,user,config,dtmf,reporting,crd,diapla +write = system,call,agent,user,config,command,reporting,originate +``` + +* The previos profile is allowing **ANY IP address to connect** (if the password is known). +* To **organize a call**, like specified previously, **no read permissions is necessary** and **only** **originate** in **write** is needed. + +With those permissions any IP knowing the password could connect and extract too much info, like: + +{% code overflow="wrap" %} +```bash +# Get all the peers +exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecret:password\nEvents: off\n\nAction:Command\nCommand: sip show peers\n\nAction: logoff\n\n">&3 && cat <&3 +``` +{% endcode %} + +**More information or actions could be requested.** +
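Review bot: the product name is Asterisk, not Asterisks, so the renamed heading `+### Asterisks Connections Misconfigurations` in the `@@ -225,7 +223,7 @@` hunk should read `### Asterisk Connection Misconfigurations`; the new `### Asterisks Context Misconfigurations` heading added in the next hunk needs the same fix.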
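Review bot: in the large `@@ -257,6 +255,143 @@` hunk the IVR example is syntactically wrong: `exten => 0,101,GotoIf("$[${numbers}"="1"]?200)` puts the `$[ ]` expression inside the string quotes, whereas Asterisk expects `GotoIf($["${numbers}"="1"]?200)` (same for priorities 102 and 103), and the sentence "a user could input the 5seconds timeout a complete number" should say that `Read(numbers,the_call,,,,5)` sets only a 5-second timeout with no maxdigits, so any number typed before the timeout is passed to `Dial()`. Three smaller points in the same hunk: the first fence contains pasted editor residue (`csharpCopy code[my_context]` should be just `[my_context]`); the Extension Injection payload `101&SIP123123123` produces `Dial(SIP/101&SIP123123123)`, where the second target has no `tech/resource` slash and is not a valid dial string, so the injected value should be `101&SIP/123123123`; and the Click2Call block is a manager.conf (AMI) user entry rather than a SIP peer profile, with the typos `crd,diapla` in its read list (should be `cdr,dialplan`). Also `allowguest=true` should be written `allowguest=yes`, which is the chan_sip default.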