Official Site Of The Xakep 4T english version

Phone pranks: hacker’s approach to IP-telephony
Published 2012-01-22, 4:08 AM

The Clickatel service (a service that allows sending SMS from any number) seemed a real catch not so long ago. Everybody played with it for a while but soon got tired of it. It's time to take the next step and figure out how to call and talk to somebody from an arbitrary number. Along the way we'll also try to figure out how to intercept voice traffic, crack the password of a SIP-provider account, and generally make the best use of the remarkable VoIP technology.


Where’s the damn low-cost communications?

There are lots of different implementations of the technology generally known as Voice over IP. Let’s take a look at the well-known Skype. Skype’s creators developed their own data transmission protocol, which allows data to be transferred between users who can’t establish a direct connection because of their firewalls and routers. By the way, Niklas Zennström and Janus Friis patented their peer-to-peer technology before selling Skype to eBay, and now (after a transaction worth a few billion dollars) they’re going to buy their brainchild back. However, that’s not the point. The question is: "Who offers the cheapest VoIP calls?” And the answer is simple: nobody.

The choice should be based on your own needs and on the directions you call. Again, let’s take a look at Skype. Generally their prices are reasonable, and now they’re even ready to offer an unlimited-calls package for a pretty small monthly fee (I have to mention that calls to Russia don’t fall under these conditions). On the other hand, you immediately become a hostage of the original software client, which means you won’t be able to integrate your Skype account into any hardware of your own. In order not to have their hands tied, many people prefer the SIP (Session Initiation Protocol) and IAX (Inter-Asterisk eXchange) technologies, which are used by a large number of providers. Since these standards are open, there are lots of ways to use them, including numerous software and hardware implementations. One of the most successful softphone implementations (which actually has no decent competitors) is X-Lite (www.counterpath.com).

There are so many operators providing services based on these technologies that making a review or a comparison of them would be silly. Instead, let me tell you about an interesting company: Betamax. This is one of the largest VoIP providers in Europe, which, however, doesn’t work directly with individuals but provides its facilities and technology to many resellers. The trick is that each reseller has a certain target audience for which it sets its own tariffs. If one operator charges for calls to Turkey, there’s a chance of finding another that provides them for free. By the way, www.12voip.com is one of them. The question is how to find the right operator. There’s a special site where all the resellers’ tariffs are automatically collected and grouped. Keep it secret: backsla.sh/betamax. If you browse that site you’ll find operators that call almost every European country absolutely for free. Alas, free calls to Russia are available only for St. Petersburg and Moscow.

There’s another interesting aspect. Each of the Betamax services provides the Direct Call feature, which lets both parties get by with an ordinary phone and no headset at all. Here’s how it works. You type your own phone number and your subscriber’s phone number into the text fields provided and press the "Connect" button. In less than a couple of seconds you’ll receive a call: one party is on the line! Then the service calls your subscriber, and as soon as he picks up a direct connection is established. It's simple and effective. On top of that, you’ll see the current state of the called party ("talking", "busy", "no answer") in real time.

Brute forcing a SIP account

Practice shows that the Internet is full of incorrectly configured PBXs (private branch exchanges) and SIP accounts with weak passwords. To demonstrate this we’ll set up a software PBX based on the Asterisk project (www.asterisk.org) and test its resistance with SIPVicious (www.sipvicious.org), a special set of utilities written in Python. In order not to bother with installing Linux and then configuring the PBX, we'll use the Trixbox project (www.trixbox.org), which already has all the services sensibly set up. The only thing you have to do is enter a few settings through a user-friendly web interface. There’s a VMware virtual machine image on their official web site which can be launched with the free VMware Player utility (www.vmware.com/products/player/). After the first start you’ll have to create a few so-called extensions (extensions 100, 101 and 123). We recommend setting a simple numeric password for the first one, leaving the password field blank for the second and, lastly, setting a simple word for the third (something that occurs in any brute-force dictionary, e.g. secret). All this is done to create a platform for the experiments. The SIPVicious utilities are used to find the vulnerable accounts. Each of them works from the console and can be run under both Windows and Linux.

The first step is scanning a given subnet to find a PBX:

[you@box sipvicious]$ ./svmap.py
| SIP Device         | User Agent   |
|                    | Asterisk PBX |
[you@box sipvicious]$

So we’ve found our PBX. The next step is to analyze it and enumerate its extensions:

[you@box sipvicious]$ ./svwar.py
| Extension | Authentication |
| 123       | reqauth        |
| 100       | reqauth        |
| 101       | noauth         |
[you@box sipvicious]$

The results aren’t surprising. We can see that extension 101 doesn’t require authentication, while extensions 100 and 123 require a password. Let's crack the password for extension 100 by trying numeric values (they are used more often than not):

[you@box sipvicious]$ ./svcrack.py -u 100
| Extension | Password |
| 100       | 100      |

The password is found! Now let’s try to crack the password for the 123 account using a dictionary:

[you@box sipvicious]$ ./svcrack.py -u 123 -d dictionary.txt
| Extension | Password |
| 123       | secret   |

Now we have all the passwords. All that’s left is to check the login/password pairs in your SIP client.

Of course, the chances of successfully brute-forcing a particular account are low, but among hundreds of extensions there’s at least one with a weak password. Moreover, the three-step approach "detect the PBX, find an extension, crack the password” is one of the easiest attacks on VoIP. In the next issues we’ll return to this question in more detail.

How to fake a number?

Beyond the ability to call at affordable prices, which is good in itself, there’s one thing that doesn’t work in your favour. Instead of your number the subscriber sees a "number is hidden" notice or some incomprehensible number belonging to the VoIP gateway, so he can’t call you back. Specifying your cell phone number, or indeed any arbitrary number, as the CallerID is much more fun! Not so long ago, the CallerID faking trick could be pulled off thanks to lax SIP-operator configurations. Obviously, among the huge number of SIP providers it takes a long time to find operators whose policies don’t strictly fix the CallerID field and allow an arbitrary value. Alas, this trick can’t be repeated now. So we decided to look for other options.

Substituting your own cell phone number into the CallerID field is allowed by most operators, but you’ll have to verify your identity to do that. You’ll be sent an SMS with a special verification code which you enter on your operator’s web site. We expected something like that when ordering the sipnet premium service, which lets all subscribers see the calling party’s number. Just as we expected, with that service you can log in to their web site, register your cell phone number and use it for outgoing calls. Just go to your personal office, "Premium Services -> Caller ID -> Call Booking via SMS", and press the "register a cell phone" button. Then it turns out that (attention!) the only thing required is sending an SMS (from your cell phone, of course) containing a code shown on the web site. By the way, the SMS is absolutely free and is sent to an ordinary federal number. See where I’m going with this? After all, I think everyone has tried sending an SMS with a substituted sender’s number. Some services charge no fee for this option but add an advertisement at the end of your message instead. What we need is to send nothing but the verification code in our SMS. The Yakoon.com service is ideal for that purpose. Download their client application and register.

You’ll get your activation code at the e-mail address you specified during registration. Then you’ll get an SMS containing a promo code for 3 free SMS. By the way, Latin characters are allowed in the sender’s name. So how do we turn this to our advantage? Create a new SMS: we’ve already got the number and the text (from the sipnet site), and all that’s left is to specify the sender’s number. You can specify any phone number, e.g. 123456789. Once the message is delivered, the sender’s number will appear in the premium Caller ID service. And now this number can be set as your CallerID whenever you call someone. It’s like taking candy from a baby!
Bear in mind that after the number is registered in sipnet, it receives an SMS: "Your number is registered in sipnet". Incidentally, to make registering new numbers more convenient you could whip up a little script that fetches the verification code by itself and sends it via SMS to confirm the cell phone number using Yakoon’s API.

How to eavesdrop on Skype and SIP calls?

Intercepting VoIP data differs from traditional sniffing in a few nuances, but in general the interception works the same way. The nuance is that eavesdropping on voice traffic requires sniffing both the signalling packets and the associated media stream. Signalling messages may use a different transport protocol (UDP or TCP) and a different port from the media. The media stream itself is typically carried over UDP using RTP (Real-time Transport Protocol). Fortunately, intercepting and decoding RTP packets, as well as analysing the session, can be done automatically by an advanced sniffer. Our favourite Wireshark (www.wireshark.org) has a corresponding option, "Statistics -> VoIP Calls". Once you get the list of VoIP calls you can explore a graphical chart of how the exchange proceeded, or simply listen to the voice data. The ability to record VoIP traffic is also present in other utilities such as Cain & Abel (www.oxid.it) and UCSniff (ucsniff.sourceforge.net). The latter can also intercept video conference traffic. Of course, all of this works only if the traffic is sent unprotected. As an anti-sniffing measure one can use TLS (Transport Layer Security) to encrypt the SIP signalling and SRTP (Secure Real-time Transport Protocol) to protect the voice itself (but in most cases the voice is transmitted unencrypted).
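As a defender’s counterpart to the three-step attack in the brute-forcing section above and to the unencrypted-traffic caveat in this section, here is an added example that is not from the original article nor from the Asterisk or SIPVicious projects: a Python audit of an Asterisk chan_sip sip.conf that flags exactly the weaknesses the lab extensions were given (empty, numeric and dictionary secrets), a missing alwaysauthreject (the setting that stops svwar.py from telling existing extensions apart from absent ones) and peers without TLS/SRTP. It assumes the chan_sip option syntax of Asterisk 1.8 or later, where transport=tls and encryption=yes exist; the sample configuration and word list are constructed.

```python
# Constructed sample sip.conf mirroring the lab on this page: extension 100 with a
# numeric password, 101 with no password, 123 with a dictionary word, no TLS/SRTP.
SAMPLE_SIP_CONF = """\
[general]
context=default
; alwaysauthreject is absent, so svwar.py can tell real extensions from missing ones
[100]
type=friend
secret=100
[101]
type=friend
[123]
type=friend
secret=secret
"""
# Tiny constructed word list; a real audit would load the wordlists svcrack.py -d takes.
COMMON_WORDS = {"secret", "password", "admin", "asterisk"}

def parse_sip_conf(text):
    """Parse ini-style sip.conf text into {section: {key: value}}, keys lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_sip_conf(text):
    """Return (section, finding) pairs for what svwar.py, svcrack.py and a sniffer exploit."""
    sections = parse_sip_conf(text)
    findings = []
    if sections.get("general", {}).get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject=no: extension enumeration possible"))
    for name, kv in sections.items():
        if name == "general":
            continue
        secret = kv.get("secret", "")
        if not secret:
            findings.append((name, "no secret: registers without authentication"))
        elif secret == name or secret.isdigit():
            findings.append((name, "numeric secret: falls to svcrack.py's default numeric range"))
        elif secret.lower() in COMMON_WORDS or len(secret) < 8:
            findings.append((name, "dictionary/short secret: falls to a wordlist attack"))
        if kv.get("transport", "udp").lower() != "tls" or kv.get("encryption", "no").lower() != "yes":
            findings.append((name, "no TLS/SRTP: signalling and voice readable by a sniffer"))
    return findings
```

Running audit_sip_conf(SAMPLE_SIP_CONF) yields seven findings: the missing alwaysauthreject, one secret finding per extension, and a TLS/SRTP finding for each of the three peers.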

In terms of security Skype looks much more advantageous because all transmitted data is encrypted by default. No public solution exists for intercepting and decrypting its traffic. Many IS experts claim that even security services don’t have tools for that. Nevertheless, eavesdropping on Skype calls is still possible, but only if you have access to the caller’s PC. Just a week before this issue went to the printer, Swiss software developer Ruben Unteregger published the source code of a Trojan that can intercept Skype conversations. The Trojan accepts commands from a special server and sends it audio files. Its most notable feature is the Skype-Tap module, which hooks Skype’s API calls, finds the PCM audio data, converts it to MP3 files and sends them to the storage server in encrypted form. You can read more about the Trojan and find its sources on the developer’s web site: www.megapanzer.com.

How to create a free phone number abroad?

One of the most interesting Skype services is the SkypeIn option, which lets you create a phone number somewhere in the U.S. and receive calls to it with the Skype client. However, users are charged for that service. Now you can acquire your own phone number in another country totally free. Groovy Tel (www.groovytel.com) provides a toll-free number in the US. Each call to this number is routed through one of the systems that implement voice chat: Google Talk, MSN Messenger, Yahoo Messenger, Free World Dialup or Gizmo. However, to register for their program you have to have a Facebook profile with at least 20 friends. :) During registration you’re offered a choice of three phone numbers, but you can get a more suitable one using the "Refresh” button. I tested the system with GTalk: everything works fine, and when you receive a call the caller’s number is displayed. There’s another service, JetNumber, which is useful if you need a number for only a few days. They have a three-day trial period, so the service is free of charge during that time. You can take a number in Argentina, France, Mexico, the United Kingdom or the United States for testing.

Of course, it’s great that Groovy Tel forwards all calls to an IM client, but it would be even better if any SIP/IAX operator could be specified as the destination. That kind of service is provided by IPKall (www.ipkall.com). And you know what? It’s totally free again! :) Support for open protocols allows using not only software solutions but also hardware devices. Redirecting calls to a SIP account (which can be bought on the same sipnet.ru) bound to a VoIP gateway costs nothing. Such an adapter lets you connect an ordinary phone and receive all calls to your toll-free US number through IPKall's service. The bad news is that the service doesn’t have instant registration, so you’ll have to wait a bit for your application to be approved.

Making PBX from Wi-Fi access point!

You don’t have to buy an expensive device to set up a PBX. If you read our SYN/ACK section attentively, you probably already have a good idea of how to set up an Asterisk-based (www.asterisk.org) software PBX. In that case, however, you still need a computer running some *nix. If you have a Wi-Fi access point or another customisable network device at home, you can try to set up the Asterisk server on it. I did this on my ASUS WL-500gP (which I have written about repeatedly). After installing the "Oleg firmware”, Asterisk can be set up with just two commands:

ipkg remove asterisk
ipkg install asterisk14

Now all that’s left is to add a few users and assign them extension numbers. For that you can use the beginner’s manual: http://www.en.voipforo.com/asterisk/asterisk-first-steps.php. After that, install SIP clients on the users’ machines and, lastly, set up the server and the profiles.



Some hotspot owners deliberately block the SIP protocol so that clients can’t use IP-telephony. All information provided is for educational purposes only. The editors are not responsible for the use of this information for any illegal purposes.

Views: 88522 | Added by: XakepNews | Rating: 5.0/1