The Clickatell service (a service that allows sending SMS from any number)
seemed a real catch not so long ago. Everybody played with it but soon
got tired. It's time to take the next step and figure out how to call and talk
to somebody using an arbitrary number. We'll also try to figure out how to
intercept voice traffic, pick a password for a SIP provider account and just
make the best use of the remarkable VoIP technology along the way.
Where are the damn low-cost communications?
There are lots of different implementations of the technology generally
known as Voice over IP. Let's take a look at the well-known Skype.
Skype's creators developed their own data transmission protocol which allows
transferring data between users who aren't able to establish a direct
connection because of their firewalls and routers. By the way, Niklas Zennström
and Janus Friis patented their proprietary peer-to-peer technology before
selling Skype to eBay, and now (after a transaction of a few billion dollars)
they're going to take their brainchild back. However, that's not the point. The
question is: "Who offers the cheapest VoIP communications?" And the answer is
simple: nobody.
The choice should be based on your needs and on where you call. Again,
let's take a look at Skype. Generally they offer quite reasonable prices and
now they're even ready to offer an unlimited calls package for a pretty small
monthly fee (I have to mention that calls to Russia don't fall under these
conditions). On the other hand, you immediately become a hostage of the original
software client, which means that you won't be able to use your
Skype account on a hardware device. In order not to have their hands
tied, many people prefer the SIP (Session Initiation Protocol) and IAX
(Inter-Asterisk eXchange) technologies, which are used by a large number of
providers. Since these standards are open, there are many ways of using them,
including numerous software and hardware implementations. One of the most
successful software phones (which actually has no decent
competitors) is X-Lite (www.counterpath.com).
There are so many operators providing services based on these technologies
that reviewing or comparing them would be silly. Instead, let me
tell you about an interesting company, Betamax. It is one of the largest
VoIP communications providers in Europe, which, however, doesn't work directly
with individuals but provides its facilities and technologies to many resellers.
The trick is that each reseller has a certain target audience and adjusts its
tariffs for it. If one operator charges for calls to Turkey, chances are you'll
find another operator that provides them for free. By the way, www.12voip.com
is one of them. The question is how to find the right operator. There's a
special site where all the resellers' tariffs are automatically collected and
grouped. Keep it secret:
backsla.sh/betamax. If you browse that site you'll find suitable
operators to call almost all European countries absolutely free. Alas, free
calls to Russia are available only for St. Petersburg and Moscow.
There's another interesting aspect. Each of the Betamax services provides the
Direct Call service, which lets both parties get by with just an ordinary phone,
without any headset. Now, let's see what the whole point is. You type
your phone number and the phone number of your subscriber into the
corresponding text fields and then press the "Connect" button. In less
than a couple of seconds you'll get a call. So one party is on the line! Then
the service will call your subscriber, and as soon as he picks up, a direct
connection will be established. It's so simple and effective. Besides, you'll
be able to see the subscriber's current state ("talking", "busy", "no answer")
in real time.
Brute forcing a SIP account
Practice shows that the Internet is full of PBXs (private branch exchanges)
which are incorrectly configured and SIP accounts that have weak passwords. To
demonstrate this we'll set up a software PBX based on the Asterisk
PBX project (www.asterisk.org) and check its resistance using SIPVicious
(www.sipvicious.org), a special set of utilities written in Python. In order
not to bother with installing Linux and configuring the PBX, we'll use the
Trixbox project (www.trixbox.org), which already has all services set up
sensibly. The only thing that you have to do is enter a few settings using a
user-friendly web interface. There's an image of a VMware virtual machine on
their official web site which can be launched with the free VMware Player
utility (www.vmware.com/products/player/).
After the first start you'll have to set up a few so-called extensions
(100, 101 and 123). We recommend that you set a simple numeric password for the
first one, leave the password field blank for the second and, lastly, set a
simple word (something that occurs in any brute-force dictionary, e.g. secret)
for the third one. All this is done to create a platform for
experiments. The SIPVicious utilities are used to find
vulnerable accounts. Each of them runs from the console and works
under both Windows and Linux.
The first step is scanning a given subnet (e.g. 192.168.1.1/24) to find a PBX:
[you@box sipvicious]$ ./svmap.py 192.168.1.1/24
| SIP Device | User Agent
| 192.168.1.103:5060 | Asterisk PBX |
Thus, we’ve found our PBX. Next thing you need is to analyze it and find some
[you@box sipvicious]$ ./svwar.py 192.168.1.103
| Extension | Authentication |
| 123 | reqauth
| 100 | reqauth
| 101 | noauth
The results aren't surprising. We can see that extension 101 doesn't require
authorization, while extensions 100 and 123 require a password. Let's pick the
password for extension 100 by trying numerical values (as they are
used very often):
[you@box sipvicious]$ ./svcrack.py 192.168.1.103 -u 100
| Extension | Password |
| 100 | 100 |
The password is picked up! Now let's try to pick the password for the 123
account using a dictionary:
[you@box sipvicious]$ ./svcrack.py 192.168.1.103 -u 123 -d
| Extension | Password |
| 123 | secret |
We have all the passwords now. The only thing left is to check the
login/password details in your SIP client.
Of course, the chances of successfully brute forcing an individual account
are low, but among hundreds of extensions there's at least one that has a
weak password. Moreover, the three-step approach "Detect the PBX, find an
extension, pick the password" is one of the easiest for VoIP technologies. In
the next issues we'll return to this question in some detail.
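From the defender's side, the three weaknesses built into this lab (a numeric password, a blank one and a dictionary word) can be caught in the PBX configuration before a scanner finds them. The following is an added example, not part of the original article or of SIPVicious: it audits a chan_sip-style sip.conf, and the sample config, the short wordlist and the function names are constructed for illustration.

```python
# Constructed sample mirroring the article's lab (100, 101, 123) plus one
# extension with a strong secret. Not taken from a real system.
SAMPLE_SIP_CONF = """\
[general]
[100]
type=friend
secret=100        ; same as the extension
[101]
type=friend       ; no secret line at all
[123]
type=friend
secret=secret
[200]
type=friend
secret=tR7!vq2#Lm9xWz4k
"""
COMMON_WORDS = {"secret", "password", "admin", "test"}  # illustrative only

def parse_sections(text):
    """Return {section: {key: value}} for an Asterisk-style .conf file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text, min_len=12):
    """Map each peer to the reasons its secret is weak (empty list = ok)."""
    report = {}
    for name, opts in parse_sections(text).items():
        if opts.get("type") not in {"friend", "peer", "user"}:
            continue                             # skip [general] and the like
        secret = opts.get("secret", "")
        checks = [
            (not secret, "no secret set"),
            (secret == name, "secret equals extension number"),
            (secret.isdigit(), "numeric-only secret"),
            (secret.lower() in COMMON_WORDS, "dictionary word"),
            (0 < len(secret) < min_len, f"shorter than {min_len} characters"),
        ]
        report[name] = [reason for failed, reason in checks if failed]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_SIP_CONF))
```

A real audit would load a full dictionary instead of the four-word set and run against the PBX's actual configuration file.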
How to fake a number?
Being able to call at affordable prices is pretty good in itself. But
there's one thing that spoils it. The subscriber will see a "number
is hidden" notification or some incomprehensible number of a VoIP gateway
instead of your number, so he can't call you back. Specifying your cell phone
number or even any arbitrary number as CallerID is much more fun! Not so long
ago, the Caller ID faking trick could be pulled off thanks to the lenient
configuration of SIP operators. Obviously, among the huge number of SIP
providers it took a long time to find operators whose policies didn't strictly
fix the CallerID field and allowed setting an arbitrary value. Alas, this trick
can't be repeated now. So we decided to look for some other options.
Most operators allow substituting your cell phone number in the CallerID
field, but you'll have to verify your identity to do that. You'll be sent an
SMS with a special verification code which you should enter on your operator's
web site. We expected something like that when ordering the sipnet premium
service that shows the caller's number to all called subscribers.
Just as we expected, with that service you can go to their web site, register
your cell phone number and expose it for outgoing calls. Just go to your
personal account, "Premium Services -> Caller ID -> Call Booking via SMS", and
press the "register a cell phone" button. Then it turns out that (attention!)
the only thing needed is to send an SMS (from your cell phone, of course)
containing the code shown on the web site. By the way, the SMS is
absolutely free and has to be sent to an ordinary federal number. See what I'm
getting at? After all, I think everyone has tried sending an SMS with a
substituted sender's number. Some services charge no fee for this option
but add some advertisement at the end of your message instead. What we need
is to send nothing but the code in our SMS.
The Yakoon.com service is an
ideal one for that purpose. Download their client application and
you'll get your activation code at the e-mail address you specified during
registration. Then you'll get an SMS containing the promo code for 3 free SMS.
By the way, it is allowed to use Latin characters to specify the sender's
name. So how can we take advantage of it? Create a new SMS: we've already got
the number and the text (from the sipnet site), and the only thing left is
to specify the sender's number. You can specify any phone number, e.g.,
123456789. Once the message is delivered, the SMS sender's number will appear in
the premium Caller ID service. And now this number can be set as CallerID when
you call someone. It's like taking candy from a baby!
Bear in mind that after the number is registered in sipnet, it is sent an SMS:
"Your number is registered in sipnet". Incidentally, for convenience when
registering new numbers you can put together a little script which would fetch
the verification number by itself and send it to confirm a cell phone number
via SMS using the
How to eavesdrop on Skype and SIP calls?
Intercepting VoIP data has its own nuances compared with traditional sniffing,
but in general the interception works the same way. The nuance is
that eavesdropping on voice traffic requires sniffing both the signalling
packets and the associated media stream. Signalling messages use a separate
network protocol (UDP or TCP) and a port different from the one used for data
transmission. Meanwhile, the media stream is typically transmitted over UDP
using RTP (Real-time Transport Protocol).
Fortunately, intercepting and decoding RTP packets, as well as analysing the
session, can be done automatically by an advanced sniffer. Our favorite
has a corresponding option "Statistics -> VoIP Calls". After you get a list of
VoIP calls you can explore a graphical chart of how the exchange of data
proceeded, or you can just listen to the voice data. The ability to record VoIP
traffic is also present in other utilities such as Cain and Abel (www.oxid.it)
and UCSniff (ucsniff.sourceforge.net).
The latter can also intercept video conference traffic. Of course, all
this is valid only if the traffic is sent in unprotected form. As protection
against sniffing one can use TLS (Transport Layer Security) to encrypt SIP
signalling and SRTP (Secure Real-time Transport Protocol) to protect the voice
stream (but in most cases the voice is transmitted in unencrypted form).
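To check whether a given call is exposed to the sniffing described above, look at the signalling transport in the Via header and at the media profile offered in the SDP body. This added example is not from the original article: it inspects a SIP message for both, the two INVITE messages are constructed and trimmed samples, and the function name is illustrative.

```python
# Constructed, trimmed INVITE samples (addresses from documentation ranges).
PLAIN_INVITE = (
    "INVITE sip:101@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-constructed1\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 40000 RTP/AVP 0 8\r\n"
)
PROTECTED_INVITE = (
    "INVITE sips:101@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.20:5061;branch=z9hG4bK-constructed2\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 40000 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-PLACEHOLDER\r\n"
)

def call_exposure(sip_message):
    """Report whether signalling and each media stream are readable on the wire."""
    head, _, sdp = sip_message.partition("\r\n\r\n")
    transport = None
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):   # 'v' is the compact form
            # Topmost Via looks like "SIP/2.0/UDP host:port;params"
            transport = value.split()[0].split("/")[-1].upper()
            break
    media = []
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            kind, _port, profile = line[2:].split()[:3]
            media.append({"kind": kind, "profile": profile,
                          "encrypted": "SAVP" in profile, "has_key": False})
        elif line.startswith("a=crypto:") and media:
            media[-1]["has_key"] = True            # SDES key for SRTP
    tls = transport in ("TLS", "WSS")
    return {
        "transport": transport,
        "signalling_encrypted": tls,
        "cleartext_audio": any(m["kind"] == "audio" and not m["encrypted"]
                               for m in media),
        # An SRTP key carried in unencrypted signalling protects nothing.
        "srtp_key_exposed": any(m["has_key"] for m in media) and not tls,
        "media": media,
    }

if __name__ == "__main__":
    for msg in (PLAIN_INVITE, PROTECTED_INVITE):
        print(call_exposure(msg))
```

The last flag covers a common misconfiguration: SRTP negotiated with an inline key while the signalling itself still travels over UDP or TCP without TLS.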
In the context of security Skype looks much more advantageous because of the
mandatory encryption of all transmitted data. There's no publicly available
solution for intercepting and decrypting the traffic. Many IS experts claim that
even security services don't have any tools to do that. Nevertheless,
eavesdropping on Skype calls is still possible, but only if you have access to
the caller's PC. Just a week before this issue went to print, the Swiss
software developer Ruben Unteregger published the source code of a Trojan
which can intercept Skype conversations. The Trojan accepts commands from a
special server and sends it audio files. The highlight of the malware is the
Skype-Tap module, which intercepts Skype API calls, finds PCM audio data,
converts it to MP3 files and sends them to the storage server in encrypted form.
You can read more about that Trojan and find its sources on the developer's
web site: www.megapanzer.com.
How to create a free phone number abroad?
One of the most interesting Skype services is the SkypeIn
option, which allows creating a phone number somewhere in the U.S. and
receiving calls with the help of the Skype client. However, users are charged
for that service. Now you can acquire your own phone number in another country
totally free. Groovy Tel (www.groovytel.com)
provides a toll free number in the US. Each call to this number will be routed
through one of the systems that implement voice chat: Google
Talk, MSN Messenger, Yahoo Messenger, Free World Dialup or Gizmo. However, to
register in their program you have to have a Facebook profile with at
least 20 friends. :) You're offered a choice of three phone numbers
during registration, but you can get a more suitable one using the "Refresh"
button. I've tested the system with GTalk: everything works fine, and when you
receive a call the number is displayed. There's another service,
JetNumber, which will be useful if you need a number only for a few days. They
have a three-day trial period, so the service is free of charge during that time.
You can take a number in Argentina, France, Mexico, the United Kingdom and the
United States for testing.
Of course, it's great that Groovy Tel forwards all calls to an IM client, but it
would be even better if any SIP / IAX operator could be specified as the
destination. This kind of service is provided by IPKall (www.ipkall.com).
And you know what? It's totally free again! :) Support for open protocols
allows using not only software solutions but also hardware devices. Redirecting
calls to a SIP account (which can be bought on the same
sipnet.ru) that is bound
to a VoIP gateway takes no effort at all. This kind of adapter allows you to
connect an ordinary phone and receive all calls from your toll free number in
the US using IPKall's service. The bad news is that the service doesn't have
instant registration, so you'll have to wait a bit for your application to be
Making PBX from Wi-Fi access point!
You don't have to buy an expensive device in order to set up a PBX.
If you read our SYN / ACK section attentively, you probably already have a good
idea of how to set up a software PBX based on Asterisk (www.asterisk.org).
In that case, we still need a computer with *nix set up. If you have a Wi-Fi
access point or some other tunable network device at home, you can try to set up
an Asterisk server on it. I did this on my Asus WL500gP (which I have repeatedly
written about). After installing the "Oleg firmware", Asterisk can be set up
in just two commands:
ipkg uninstall asterisk
ipkg install asterisk14
Now the only thing left is to add a few users and assign them
extension numbers. To do that you can use the beginner's manual:
http://www.en.voipforo.com/asterisk/asterisk-first-steps.php. After that,
it's necessary to install SIP clients on the users' machines and, lastly, set up
the server and the profiles.
Excellent VoIP software selection:
The list of providers granting a direct telephone numbers in different
Some hotspot owners deliberately block the SIP protocol so that
clients can't use IP telephony. All provided information is for
educational purposes only. The editors are not responsible for the use of this
information for illegal purposes.