0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GITBOOK-3878: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-04-18 14:22:56 +00:00 committed by gitbook-bot
parent 551efedf6a
commit d8f6431f57
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
network-services-pentesting/pentesting-voip/README.md
View File

@ -187,6 +187,8 @@ If you find VoIP equipment inside an **Open Wifi network**, you could **sniff al
Among the network information, you could find **web credentials** to manage the equipment, user **extensions**, **username**, **IP** addresses, even **hashed passwords** and **RTP packets** that you could reproduce to **hear the conversation**, and more.
To get this information you could use tools such as Wireshark, tcpdump... but a **specially created tool to sniff VoIP conversations is** [**ucsniff**](https://github.com/Seabreg/ucsniff).
{% hint style="danger" %}
Note that if **TLS is used in the SIP communication** you won't be able to see the SIP communication in clear.\
The same will happen if **SRTP** and **ZRTP** is used, **RTP packets won't be in clear text**.
@ -392,6 +394,49 @@ exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecr
**More information or actions could be requested.**
### **Eavesdropping**
In Asterisk it's possible to use the command **`ChanSpy`** indicating the **extension(s) to monitor** (or all of them) to hear conversations that are happening. This command need to be assigned to an extension.
For example, **`exten => 333,1,ChanSpy('all',qb)`** indicate that if you **call** the **extension 333**, it will **monitor** **`all`** the extensions, **start listening** whenever a new conversation start (**`b`**) in quiet mode (**`q`**) as we don't want to interact on it. You could go from one conversation happening to another pressing **`*`**, or marking the extension number.
It's also possible tu use **`ExtenSpy`** to monitor one extension only.
Instead of listening the conversations, it's possible to **record them in files** using an extension such as:
{% code overflow="wrap" %}
```scss
[recorded-context]
exten => _X.,1,Set(NAME=/tmp/${CONTEXT}_${EXTEN}_${CALLERID(num)}_${UNIQUEID}.wav)
exten => _X.,2,MixMonitor(${NAME})
```
{% endcode %}
Calls will be saved in **`/tmp`**.
You could also even make Asterisk **execute a script that will leak the call** when it's closed.
```scss
exten => h,1,System(/tmp/leak_conv.sh &)
```
### RTP Injection
It's possible to insert a **`.wav`** in converstions using tools such as **`rtpinsertsound`** (`sudo apt install rtpinsertsound`) and **`rtpmixsound`** (`sudo apt install rtpmixsound`).
Or you could use the scripts from [http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/](http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/) to **scan conversations** (**`rtpscan.pl`**), send a `.wav` to a conversation (**`rtpsend.pl`**) and **insert noise** in a conversation (**`rtpflood.pl`**).
### DoS
There are several ways to try to achieve DoS in VoIP servers.
* [**IAXFlooder**](https://www.kali.org/tools/iaxflood/): DoS IAX protocol used by Asterisk
* [**inviteflood**](https://github.com/foreni-packages/inviteflood/blob/master/inviteflood/Readme.txt): A tool to perform SIP/SDP INVITE message flooding over UDP/IP.
* [**rtpflood**](https://www.kali.org/tools/rtpflood/): Send several well formed RTP packets. Its needed to know the RTP ports that are being used (sniff first).
* [**SIPp**](https://github.com/SIPp/sipp): Allows to analyze and generate SIP traffic. so it can be used to DoS also.
* [**SIPsak**](https://github.com/nils-ohlmeier/sipsak): SIP swiss army knife. Can also be used to perform SIP attacks.
* Fuzzers: [**protos-sip**](https://www.kali.org/tools/protos-sip/), [**voiper**](https://github.com/gremwell/voiper).
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>