Skip to main content


Showing posts from September, 2013

SIP extension enumeration in Bluebox-ng

There are some well known SIP extension enumeration vulnerabilities in different VoIP servers, specially in Asterisk. This brute-force vector is based on the study of the authentication responses of the target server. Sometimes its replies are different in the case that the client uses a valid extension, so it's easy to discover them. This vector is normally classified as a low security risk. Moreover we're moving towards a federated SIP environment , in which the extension is the public email address of the user. But it's still important in some cases: To guide next steps during a penetration test. In example, you can use the discovered extension to reduce the number of attempts in the phase of SIP extensión brute-force. Some RCE (Remote Code Execution) exploits need a valid extension to work. After a little research, these are the known vulns: CVE-2009-3727 : It's quite old and it's practically not present in real environments. It's still not imple

More brute-force modules in Bluebox-ng

The last day I said that now we're going to automate all VoIP tasks trying to build a VoIP/UC vulnerability scanner. But I realized that there are some other tasks which I need in each penetration test that we could add too. This way we could avoid to use another tools for an important part of the work. Normally, we're hired to deploy a VoIP specific penetration test, but we also like to check (in a minimal way) the rest of implied services. So I've added next modules brute-force modules: Asterisk AMI : It was a must because this is a very common scenario. MySQL : The most common DB engine among VoIP servers. MongoDB : It's not used in VoIP, but I've been playing lately with this system and I really like it. So I decided also to add a module. SSH / (S)FTP : More common protocols. HTTP(S) : Useful when we find a web management panel for a VoIP server. TFTP : Widely used in VoIP to auto-provisioning the softphones of an organization. LDAP : Sometimes the V

Bluebox-ng beta released

I've just pushed the last changes to Bluebox-ng repo to get what we consider a beta version. It's not yet finished but it's much more stable than the previous release. Here there is a resume of the changelog: IPv6 support. I would like to thank Olle E. Johansson ( @oej ) because of his research in SIP and IPv6 , it did my work really easy.  API support. DNS module finished. Nicer outputs. Simpler setup process. A network host/port scanner ( Evilscan ). Dirscan-node  upgraded to version 0.5. Added some numerical lists (with different paddings) to use with brute-force modules. Host list files and port ranges support included in SipScan module. Solved SipBrutePass module problem with too much asyncronous requests. A lot of refinements in the whole code. I want to say that we've decided to re-define the project like a "VoIP/UC vulnerability scanner", this way we can work more focused. Our idea is to write a tool to test in an