GITBOOK-3880: change request with no subject merged in GitBook

CPol 2023-04-19 03:00:28 +00:00 committed by gitbook-bot
parent 34c27bc4e1
commit a9e2d3b784
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 32 additions and 0 deletions


@ -420,6 +420,34 @@ You could also even make Asterisk **execute a script that will leak the call** w
exten => h,1,System(/tmp/leak_conv.sh &)
```
### RCE
In Asterisk you somehow manage to be able to **add extension rules and reload them** (for example by compromising a vulnerable web manager server), it's possible to get RCE using the **`System`** command.
```scss
same => n,System(echo "Called at $(date)" >> /tmp/call_log.txt)
```
There is command called **`Shell`** that could be used **instead of `System`** to execute system commands if necessary.
{% hint style="warning" %}
If the server is **disallowing the use of certain characters** in the **`System`** command (like in Elastix), check if the web server allows to **create files somehow inside the system** (like in Elastix or trixbox), and use it to **create a backdoor script** and then use **`System`** to **execute** that **script**.
{% endhint %}
#### Interesting local files and permissions
* **`sip.conf`** -> Contains the password of SIP users.
* If the **Asterisk server is running as root**, you could compromise root
* **mysql root user** might **doesn't have any password**.
* this could be used to create a new mysql user as backdoor
* **`FreePBX`**
* **`amportal.conf`** -> Contains the password of the web panel administrator (FreePBX)
* **`FreePBX.conf`** -> Constains the password of the user FreePBXuser used to access the database
* this could be used to create a new mysql user as backdoor
* **`Elastix`**
* **`Elastix.conf`** -> Contains several passwords in clear text like mysql root pass, IMAPd pass, web admin pass
* **Several folders** will belong to the compromised asterisk user (if not running as root). This user can read the previous files and also controls the configuration, so he could make Asterisk to load other backdoored binaries when executed.
### RTP Injection
It's possible to insert a **`.wav`** in converstions using tools such as **`rtpinsertsound`** (`sudo apt install rtpinsertsound`) and **`rtpmixsound`** (`sudo apt install rtpmixsound`).
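Review bot: the first sentence under "### RCE" is missing its conditional ("In Asterisk you somehow manage to be able to add extension rules and reload them ..."); it should open with "If in Asterisk you somehow manage to ..." so the sentence parses. The fence below it is tagged `scss` although the block is an Asterisk dialplan line (same syntax as the `exten => h,1,System(/tmp/leak_conv.sh &)` line above), so the tag only mis-highlights it. Smaller typos in the same hunk: "might doesn't have any password" -> "might not have any password", "Constains" -> "Contains", "converstions" -> "conversations". The `Shell` sentence is ambiguous: if it refers to Asterisk's `SHELL()` dialplan function, that is used inside an expression rather than as an application like `System`, and a one-line example would make the difference clear. Since the list already notes that Asterisk may run as root and that the mysql root user may have no password, it would be worth pairing each finding with its one-line hardening check (run Asterisk under a dedicated unprivileged account, set a mysql root password, restrict read access to `sip.conf`, `amportal.conf`, `FreePBX.conf` and `Elastix.conf` to that account), so the "Interesting local files and permissions" section also tells the reader what correct looks like.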
@ -437,6 +465,10 @@ There are several ways to try to achieve DoS in VoIP servers.
* [**SIPsak**](https://github.com/nils-ohlmeier/sipsak): SIP swiss army knife. Can also be used to perform SIP attacks.
* Fuzzers: [**protos-sip**](https://www.kali.org/tools/protos-sip/), [**voiper**](https://github.com/gremwell/voiper).
### OS Vulnerabilities
The easiest way to install a software such as Asterisk is to download an **OS distribution** that has it already installed, such as: **FreePBX, Elastix, Trixbox**... The problem with those is that once it's working sysadmins might **not update them again** and **vulnerabilities** are going to be discovered with time.
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
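Review bot: the "### OS Vulnerabilities" paragraph reads "install a software" (should be "install software") and spells "Trixbox" with a capital T while the earlier hunk writes "trixbox"; pick one spelling. The point that appliance distributions stop receiving updates is the important one, so the paragraph would be stronger if it closed with the concrete check a reader should run: compare the installed Asterisk / FreePBX / Elastix version against the vendor's current release and patch or migrate if it is behind. The `<details>` footer in the trailing context is unrelated to this change and can stay as is.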