Penetration Testing on VoIP Asterisk Server (Part 2)

In the previous article we learned about Enumeration, Information Gathering, Call Spoofing. We introduced a little about the Asterisk Server. This time we will focus more on the Asterisk Manager Interface and some of the commands that can be run on the Asterisk server and we will also look at the AMI Brute force Attack.

Table of Content

  • Introduction to AMI
  • AMI Setup
  • AMI Bruteforce Attack
  • AMI Login
  • AMI Help
  • Enumerating SIP Users
  • Enumerating Specific User
  • Enable Debugging
  • Enumerating Dial Plan
  • Enumerating Core Settings
  • Enumerating CDR (Call Detail Records)
  • Enumerate Live Calls

Introduction to AMI

AMI means Asterisk Manager Interface; AMI allows the client program to connect the asterisk server and issues commands or read events using TCP port. By default, AMI port 5038.

With the Manager interface, we can control the PBX server, originate calls, check mailbox status, monitor the channels and SIP accounts, queues as well as execute Asterisk commands. We configure AMI setting by editing the config file located at etc/asterisk/manager.conf. By default, AMI is disabled, it can be enabled by making changes in manager.conf. AMI commands are called “actions”. The VOIP server generates “response”. AMI will also send “Events” containing various information messages about changes within the Asterisk.

While configuring the AMI, we can change Manager Headers and Response ID too. The manager can handle subscribes to extension status reports from all channels, which enable them to generate events when an extension or device changes state. There are lots of details in these events that may depend on the channel and device configuration. All channel’s or Trunk configuration file for more information in (/etc/asterisk/sip_custom.conf or /etc/asterisk/extensions_custom.conf)

Note: Before using AMI, make sure all the asterisk modules are loaded. If modules are not loaded the application might not send AMI actions.

AMI Setup

The AMI setup requires that we make some configuration changes that we discussed in the Introduction. To make necessary changes, we need to log in to the VoIP server using SSH service.

Make the following changes in the file.

After saving configuration restart the VoIP server so that config change can come in effect.

Now, let’s see if we have the port 5038 running. Let’s perform a nmap scan to confirm the AMI port is opened.

As we can see that AMI is working on port 5038.

AMI Bruteforce Attack

For brute force, we create a dictionary of possible users and passwords. We are going to use the asterisk_login auxiliary for this attack.

Here, we can see that we can extract the AMI login username and Password. Most of the Asterisk-based VoIP server default username “admin” and password “amp111”.

AMI Login

Now let’s try logging on the Asterisk server using the credentials. We can use telnet for connecting to the AMI. After connecting we need to tell the AMI what kind of action we want to perform. In this instance, we are trying to login. So, after providing the action, we give the credentials and get access. Here we can see that we have the system privileges. 

AMI Help

As we don’t know much about the command that can be used to work around the Asterisk. We ran the help command to get a better understand of all the different tasks that can be performed using the AMI.

Enumerating SIP Users

Let’s enumerate the SIP User’s data, which can have the Extensions, Usernames, and their respective secrets. For this, we will need to specify the action. We use “command” as action. After specifying we ran the command that will show us the data of the SIP Users.

Here, we found the 4-sip user id’s and password.

Enumerating Specific User

We found 4 users in the previous practical. Now let’s enumerate information about one of the particular user. The action will remain the same for this as well. But we will use the username for targeting a particular user.

Here we can see the specific SIP peer details. We would be able to get the MD5 passwords if it was set to that particular user. We could also figure out the Permission this user has. We could also see the Caller ID of this user as well.

We can also find the Mail Box details, Server IP details. Here, IP means the IP network registration allowed for that user. We could see what kind of device the user uses as well.

Enable Debugging

Debugging can be used to monitor the hardware configuration and fault errors we can find, as well as observe the configuration and call handling information, code, and modules.

Here we can see SIP debugging enabled. If in case we do not turn off debug backend it will run until then we stop.

Enumerating Dial Plan

Asterisk based VoIP server common dial plan context from-internal it shows about call routing information.

As we can see here to type of dial plan available by default one is from-internal-xfer and another one bad-number.

Enumerating Core Settings

It will show about all the asterisk default information, asterisk version, build options, verbosity information, start time, free memory load, AMI information, default language, call record feature,

Enumerating CDR (Call Detail Records)

CDR is the most useful service in asterisk. CDR is the system that provides one or more call records for each call depending on what version of Asterisk. It is useful for administrators who need a simple way to track what calls have taken place on the Asterisk system.

Here we can CDR logging is enabled, as well as the database server running, CDR registered at backed to MySQL. We can enumerate the CDR database details using the following command.

The amount of time the user is connected to the database and the logs entered in the database can be observed in the screenshot below.

Enumerate Live Calls

We can also enumerate the active calls and processed call list which tells us about different calls that are currently in session.

If you want to know more commands that can be used to enumerate an AMI, Please refer to the official Asterisk Wiki

Author: Madhava Rao Yejarla is an Ethical Hacker, Security Analyst, Penetration Tester from India. Contact on LinkedIn or Twitter

Penetration Testing on VoIP Asterisk Server

Today we will be learning about VoIP Penetration Testing this includes, how to enumeration, information gathering, User extension, and password enumeration, sip registration hijacking and spoofing.

Table of Content

  • Introduction to VoIP
    • Uses of VoIP
  • SIP Protocol
    • SIP Requests
    • SIP Responses
    • SIP Interaction Structure
  • Real-Time Transport Protocol
  • Configurations Used in Practical
  • Setting Viproy VoIP Kit
  • Identifying SIP Servers
  • Extension Brute-force
  • Extension Registration
  • Call Spoofing
  • Log Monitoring
  • Sniffing Calls using Wireshark

Introduction to VoIP

VoIP means Voice over Internet Protocol, it’s called IP telephony, VoIP is used for communication purpose. VoIP technology allows you to make audio calls using the Internet connection instead of a regular phone (Landlines, mobile phones). Some VoIP partners may only allow you to call other people using the same service, but others may allow you to call anyone who has a telephone number – including local, long-distance, mobile, and international numbers. Also, while some VoIP services only work over your computer or a special VoIP phone (example a Cisco or Polycom, etc.).

VoIP by default use 5060 as its SIP signaling port. This used for registration When a phone (example a Cisco, Polycom, etc.) registers with Asterisk on port 5060.

The below mention functionality commonly used within VoIP installations that are not common in legacy telephony networks:

  • Usage of multiple lines (PRI lines, BRI Lines) and extensions
  • Voicemail service
  • Voice recording
  • Administrative Control
  • Register calls
  • Modular Configurations
  • IVR and welcome messages

SIP Protocol

The Session Initiation Protocol (SIP) allows us to establish communication, end or change voice or video calls. The voice or video traffic is transmitted via the Real-Time Protocol (RTP) protocol. SIP is an application layer protocol that uses UDP or TCP for traffic. By default, SIP uses port 5060 UDP/TCP for unencrypted traffic or port 5061 for TLS encrypted traffic. As we will see later, Man-in-the-Middle (MITM) attack vectors exist for all types of communication, including VoIP/SIP. Therefore, encryption is a necessary compensating control to have in place regardless of the environment or service method Session Initiation Protocol is ASCII based and very similar to the HTTP protocol as it uses a Request/Response Model. Requests to the SIP client are made through SIP URI and AGI via a user-agent similar to an HTTP request made by a web browser.

SIP Requests

The following request types are common within SIP:

Sno. Request Description
1. INVITE The client is being invited to participate in a call session
2. ACK Confirms that the client has received a final response to an INVITE request
3. BYE Terminates a call and can be sent by either the caller or the caller
4. CANCEL Deletes any pending request
5. OPTIONS Queries the capabilities of servers
6. REGISTER Registers the address listed in the header field with a SIP server
7. PRACK Provisional Acknowledgement
8. SUBSCRIBE Subscribes for an Event of Notification from the Notifier
9. NOTIFY Notify the subscriber of a new Event
10. PUBLISH Publishes an event to the Server
11. INFO Sends mid-session information that does not modify the session state
12. REFER Asks recipient to issue SIP request (Call Transfer)
13. MESSAGE Transports instant messages using SIP

 

Based on modifies the state of the session without changing the state of the dialogue

SIP Responses

We can understand the Responses using the Response code. The general categories of the Response codes are given below:

  • 1xx (Informational)
  • 2xx (Success)
  • 3xx (Redirection)
  • 4xx (Failed requests)
  • 5xx (Web server cannot complete request)
  • 6xx (Global errors)

SIP Interaction Structure               

The Typical SIP Interaction Structure consists of the following:

  1. The sender initiates an INVITE request.
  2. The receiver sends back a 100 (Trying) response.
  3. The sender starts ringing by sending a 180 (Ringing) response.
  4. The receiver picks up the phone and a 200  success response is sent (OK).
  5. ACK is sent by the initiator.
  6. The call started using RTP.
  7. BYE request sent to end the call.

Real-time Transport Protocol

The RTP is a network protocol for delivering audio and video over networks. RTP protocol is used in communication and entertainment systems that involve streaming media such as telephony and video or teleconference applications. RTP default port from 16384 to 32767, those ports used for sip calls. In our scenario, we are using the UDP port range 10000-20000 for RTP-the media stream, voice, and video channels.

Configurations used in Practical

  • Attacker:
    • OS: Kali Linux 2020.1
    • IP: 192.168.1.4
  • Target:
    • VOIP Server: Trixbox
    • VOIP Client: Zoiper
    • IP: 192.168.1.7

We have already published an article on How to Setup a VoIP Server. Please read it before proceeding further. We will be using the same server that we configured in that article

Lab Setup for VOIP Penetration Testing

Setting up Viproy VoIP Kit

Before beginning with the Penetration Testing, we need to add the Viproy-VoIP kit to our Metasploit. A detailed procedure on how to add modules in Metasploit can be found here. The steps depicted are taken form Rapid7 and Viproy Author.

We need to install some dependencies. First, we will be updating our sources and then install the following dependencies.

Once we are done with installing all the dependencies, its time to clone the Viproy Repository to our Kali Linux. It contains the modules that we need to add in our Metasploit Framework

Here we can see that we have the lib directory and the modules directory as well as the kaliinstall script.

Before running the script, we need to manually copy the contents of the lib directory and the modules directory to the Metasploit’s lib and modules directory respectively.

Now we need to make the entries of the modules we copied in the Mixins Files located at /usr/share/Metasploit-framework/lib/msf/core/auxiliary/.

This can be done manually as well or using another text editor.

This is all that we needed to do. If this method doesn’t work or gives some errors. The author was kind enough to give a pre-compiled version. To install that we will be following these steps.

First, we will clone the precompiled version form the GitHub.

Then we will traverse into the directory and install the viproy using gem.

It will take some time. After it’s done we will need to reload the modules in Metasploit Framework.

That was the installation of the Viproy Toolkit. Let’s start Penetration Testing on our VoIP Server.

In a VoIP network, information that can be proven useful is VoIP gateway’s or servers, IP-PBX systems, client software (softphones)/VoIP phones and user extensions. Let’s have a look at some of the widely used tools for enumeration and fingerprinting.

Identifying SIP Servers

By using sip Metasploit Scanner Module identify systems by providing a single IP or a range of IP addresses we can scan all the VoIP Servers and their enabled options.

Here, we can see that our scan gave us a VoIP Server running on 192.168.1.7. We can also see that it has a User-Agent as “Asterisk” and we can see that it has multiple Requests enabled on it.

Extension Bruteforce

Next, we will be doing a brute-force on the target server to extract the Extensions and Passwords or secrets. For this particular practical, we made 2 dictionaries. One for the usernames and other for the passwords. Next, we need to define the range for the extensions. We chose the range 0000000 to 99999999. And then we run the exploit

Here, we can see that we were able to extract 10 extensions. Ensure that the secret that we setup for the extension is difficult to guess to prevent brute-force of this kind.

Extension Registration

Since we have the extensions and the secrets. Now it’s time to move one step ahead and register the extensions so that we can be able to initiate calls from the attacker machine. We chose the extension 99999999. We cracked its secret to be 999. Now, all we had to do is provide the server IP address and the extension and secret. As soon as we run the auxiliary, we get a 200 OK response from the server telling us that the extension is registered with this IP Address.

Here, we have to register the software as we don’t have a trunk line or PSTN lines or PRI line for making the outgoing calls. Hence, we are testing the extension to extension calling.

Call Spoofing

In the previous practical, we registered the extension 99999999, now we will be using it for calling the extension 00000000. Here we can spoof the Caller ID to whatever we want. We have set it to Hacker. We need to define the login to true so that we can log in to the server with the 999 secret. We also have to set the numeric user true so that it can accept the numeric extensions.

As soon as we run the auxiliary, we can see that there is a call initiated from the extension 999999999 to the extension 00000000 which we set on our Zoiper Client. We can also see that we have the Hacker Caller ID that we set in the auxiliary.

Log Monitoring

We can monitor the logs on the VoIP Server which contains the information about all the calls that were initiated, connected, dropped. All the extensions and other important information. We can always brute-force it or check for default credentials. First, we will connect the server using the ssh and then we will run the following command to open up the asterisk console panel. This panel records the logs in real-time.

Sniffing Calls using Wireshark

When users initiate a phone call, we can observe the captured SIP traffic using Wireshark. We launch the Wireshark and choose the network adapter on which the VoIP server is working on. Then we start capturing packets. If we observe closely, we can see that there is a tab called Telephony in Wireshark’s Menu. In the drop-down menu, we have the first option “VoIP Calls”.

As soon as we click on the VoIP Calls, a window opens up showing all the calls that have been captured during the sniffing. We see that there is a sequence of packets from one IP Address to another.

If we click on the Flow Sequence button at the bottom, we could see the SIP Communication handshakes that we learned about in the Introduction.

In this picture, we can analyze a call in-detail. In a SIP call flow, there are several SIP transactions. A SIP transaction consists of several requests and answers and the way to group them in the same transaction is using the CSeq:103 parameter.

The first step is the must be registering the extension. After extension registration corresponds to a session establishment. From extension 99999999 session consists of an INVITE request of the user to the 00000000. Immediately, the proxy sends a TRYING 100 to stop the broadcastings and reroute the request to the extension 00000000.

The extension 00000000 sends a Ringing 180 when the telephone begins to ring and it is also rerouting by the proxy to the A user. Finally, the OK 200 message corresponds to the accept process (the extension 00000000 response the call). After ringing the call server try to assign the RTP ports and the RTP transport protocol starts with the parameters (ports, addresses, codecs, etc.) of the SDP protocol. The last transaction corresponds to a session end. This is carried out with an only BYE request to the Proxy and later reroute to extension 00000000.

This user replies with an OK 200 message to confirm that the final message has been received correctly. The call has been initiated by a user named hacker with the extension 99999999 to extension 00000000. The duration of the call and the current state can be seen in the above example. Wireshark assembled the call packets and now we can listen to the entire phone call. After disconnecting we play the entire phone call conversion.

When we click the Play Streams button it asks the output device based on your laptop driver. Then we can click on Play Button and we can hear the conversation that was made on that VoIP Call.

This was one of the articles in a series of articles that we are currently researching on VoIP. Stay Tuned for more!

Author: Madhava Rao Yejarla is an Ethical Hacker, Security Analyst, Penetration Tester from India. Contact on LinkedIn or Twitter

Comprehensive Guide on CryptCat

In this article, we will provide you with some basic functionality of CryptCat and how to get a session from it using this tool.

Table of Content

  • Introduction
  • Chat
  • Verbose mode
  • Protect with Password
  • Reverse Shell
  • Randomize port
  • Timeout and Delay interval
  • Netcat vs CryptCat 

Introduction

CryptCat is a standard NetCat enhanced tool with two-way encryption. It is the simplest Unix utility tool, which reads and writes data across network connections. It can use TCP or UDP protocol while encrypting the data that is transmitted over the network. It is a reliable back-end tool that is easily driven by other programs and scripts. It is considered to be a network debugging and exploration tool.

CryptCat can act as a TCP/UDP client or server when connected to or when it acts as a listener to the socket. It can take a password and adds a salt to encrypt the data that is being sent over the connections. Without providing a specified password, it will take the default password i.e. “metallica”.

We can explore its working and usage by exploring its available options.

Chat

CryptCat can be used to chat between two users. We need to establish a stable connection before the chat. To do this, we need two systems out of these two systems one will be a listener and the other will be an initiator. So that communication can be done from both ends.

Here, we are trying to create a scenario of chat between two users with different operating systems.

User 1

OS: Kali Linux

IP Address: 192.168.0.107

Role: Listener

To initiate listener in Kali Linux, follow this command to create a listener:

User 2

OS: Ubuntu

IP Address: 192.168.0.108

Role: Initiator

To create an initiator, we will just provide the IP Address of the system where we started the listener followed by its port number.

Verbose mode

In CryptCat, the verbose mode can be initiated by using the [-v] parameter. Now, the verbose mode is made for generating extended information from our actions. We will try the above chatting mechanism with verbose mode. We can see that when we add [-v] to the CryptCat command it displays the information about the process that its performance while connecting.

At Listener Side

At Initiator Side

Protect with password

In CryptCat, we can protect our connection of chatting with a password and password can be applied by using the [-k] parameter. We know that CryptCat provides us end to end encryption, but by using the [-k] parameter we can provide the extra layer of protection to our connection. So that it is almost impossible to decrypt our connection. We can apply for this protection with the following commands.

At listener side, we apply [-k] parameter along with the password.

At the Initiator side, we need to apply the same password applied by the listener so that we can connect to some connection.

Reverse shell

A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine receives the connection through a port by providing a password. To activate the listener on the target machine for getting shell, use the following command:

Now, at the attacker side, we just need to connect to the victim. Then we can authenticate our self as we got its root access or by the help of whoami command.

Randomize port

If we cant decide our port number to start the listener or establish our CryptCat connection. Well then, CryptCat has a special [-r] parameter for us which gives us a randomize local port.

Timeout and Delay interval

Most of us are confused between these terms. Timeout is supposed to be a time to complete our task or program. Whereas the delay interval is the interval time between two individual requests or tasks. So in CryptCat, we have [-w] parameter for timeout and [-i] parameter for delay interval. To apply these two individual parameters to get our desired results.

At listener side, we apply both times out and the delay interval

At the initiator, we are only applying timeout.

Netcat vs CryptCat

Well before comparing these two first, we need to know about the Netcat or nc. It is a utility tool use TCP and UDP connection to read and write in a network. It can be used for both security and hacking purposes.

In the case of hacking, it can be used with the help of scripts which makes it quite dependable. And if we need to talk about security, it helps us to debug the network along with investing it. If we want to learn all the working of the Netcat. We have covered netcat in our previous article and to read that article click here.

And when it comes to CryptCat, it is a more advanced version of Netcat. It provides us with the two-way encryption that makes our connection more secure. We are comparing these two amazing tools based on connection encryption of the chatting feature by intercepting their network interface with the help of Wireshark.

Netcat:

As we know we apply a listener and an initiator to start this connection for chatting. Along with that, we initiated the Wireshark to intercept its network interface.

At the listener side, we are using [-l] parameter for listening and [-p] parameter for the port number.

At the Initiator side, we just need to provide a port number, along with the listeners IP Address.

Now, we have to check whether our Wireshark was able to catch something or not. As we can see that we successfully intercepted the network and see this network chat.4

Cryptcat:

In cryptcat, we already know that it provides us with two-ways encryption. Which makes the connection network more secure that Netcat. But we need to check this as well by intercepting its chatting with the help of Wireshark. For that connection, we needed a listener and an initiator for connecting a connection.

At the Listener site, we will use the [-p] parameter for port and [-l] for initiating the listener.

At the initiator side, we just need to provide IP Address along with listeners port number.

Now check whether we can acquire anything or not. As we can see that this chat is in encrypted mode.

That is the main difference between the Netcat and the Cryptcat. One provides encryption in its network and the other is not. Some people might say that CryptCat = encryption + Netcat.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher, Contact Linkedin and twitter.

Comprehensive Guide to tcpdump (Part 3)

This is the third article in the Comprehensive Guide to tcpdump Series. Please find the first and second articles of the series below.

In this part, we will cover some of the advance features which we were unable to cover in the previous parts of the series. So we can get more benefits from this tool.

Table of Content

  • Version Information
  • Quick mode
  • Verbose mode
  • HTTP Requests
  • User Agent
  • Port Range
  • Destination
  • Source
  • Network
  • TCP Packets
  • Tcpdump to Wireshark

Version Information

Let’s begin with one of the simplest commands so that we can understand and relate all the practicals during the article. We can use this parameter to print the tcpdump, libpcap and OpenSSL version string.

Quick Mode

Arguably if the network is very quite, performing any operation during that time will take more time than usual. The person who developed tcpdump thought of this conundrum and gave us the way to speed up the process by using the “-q” parameter. It will print less information about protocols and data packets to save time.

Verbose Mode

The verbose mode is famous to provide extra information regarding operations. in TCPDump, verbose mode provides such the information too. For instance, time to live, identification, total length. It can also enable additional packet integrity checks such as verifying the IP and ICMP header checksum values.

TCPDump provides us with plenty of parameters that are moved around this mode like -v, -vv, -vvv, where each parameter has its unique efficiency.

  • -v parameter is the traditional verbose mode.
  • -vv parameter is more than the traditional verbose mode, additional fields are printed from NFS (Network File System) reply packets and SMB packets are fully decoded.
  • -vvv parameter has something more to provide like tenet options etc.

HTTP Requests

As we all know, HTTP Requests is an information message from the client to a server over the hypertext transfer protocol (HTTP). It has various methods to deliver this information. These methods are case-sensitive and always mentioned in the UPPERCASE. Through tcpdump, we can capture these request to analyze the traffic sent over the said protocol traffic.

The method which we can capture through tcpdump are the following :

  • GET- This method is used to retrieve the information from the given server using a given URL. Requests using GET should only retrieve data and have no other effect on it. We can also capture this request with the help of tcpdump.

  • POST- This request is used to send data to the server. Like customer information, file upload, etc. using HTML forms. Traffic over this protocol can analyzed using the following command :

  • Request-URL- It is a uniform resource identifier, which identifies the resource on which we need to apply requests. The most common form of this is used to identify a resource on a server. If a client wants to retrieve the data directly from the server, where it originated, then it would create a connection to port 80 of the host and send the request. These requests can be captured using the following commands:

User Agent

With TCPDump, you can also see which traffic is generated from which application. We can also find the user agents in our data traffic by using the following command :

Port Range

Some ordinary port filters help us to analyze the traffic on a particular port. But in tcpdump, we give our scan a range of ports through which it can monitor the destination of TCP/UDP or other port-based network protocols.

Destination

To check the flow of data in network traffic towards a particular destination, use the following command for this :

Source

To check the data traffic coming from a particular source, we can follow the command given below :

Network

To find the packets going to or from in a particular network, we can use the following function to analyze this traffic:

TCP Packets

TCP packet is the format consists of the fields such as source port and destination port field. Through these fields, we can identify the endpoints of the connections and can also capture these TCP packets in its various flag format. i.e. SYN, RST and ACK.

  • SYN- SYN flag is known as Synchronizes sequence numbers to initiate a TCP connection. We can capture this particular packet from traffic with the help of tcpdump.

  • RST- RST flag is known as reset flag. This flag is sent from the receiver to the sender if a packet is sent to a particular host that was expecting it. RST flag is used to re-establish a TCP end-to-end connection. We can capture this flag from our data traffic with the help of tcpdump.

  • ACK- ACK flag is known as the Acknowledgement flag. This flag is used to acknowledge that our data packet has been successfully received. We can capture these flags with tcpdump to study our data traffic.

Tcpdump to Wireshark

The only difference between the Wireshark and TCPDump is that Wireshark is GUI while tcpdump is a command-line tool. But with the help of a few sources, we use a command on tcpdump and view our data traffic results in Wireshark which, we find is the best way to analyze our traffic. This can be done using the following command :

After running this command it will immediately open the Wireshark and will ask a few questions about our scan. Press OK to move further.

After this, it will ask you which network interface we want to capture the data packets. In our case it will be eth0, so we are selecting that network interface.

After completing all the formalities our live data capture screen will appear with our captured data packets.

By following these steps we can run a command for tcpdump and capture its results in Wireshark.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher, Contact Linkedin and twitter.