Professional Documents
Culture Documents
As promised here we shall discuss a couple of ways to get root on VulnVoIP with some enumeration
fun in-between!
Assuming youve located the IP address, you can run a port scan and will find the following services
listening (shortened for easy reference):
22/tcp open
967/tcp open
4445/tcp open
The next step is to locate valid SIP extensions. The initial command I used was ./svwar.py -D
192.168.237.148
Its possible to specify the method used in the request. In this particular instance the INVITE request
brings back valid responses ./svwar.py -D -m INVITE 192.168.237.148
If all went well you should find that 6 extensions exist. The D option used in the previous command
just searches for default extensions, so its generally best to use a custom range. I also found that if
I specified the extensions to scan, i.e. e100-3000, only the lower extensions were found, hence it
may be best to split up long scans.
Now that weve located extensions we really want to crack the associated passwords. Again
SIPVicious can be used to perform this attack by using a command such as ./svcrack.py -u2000 -d
passwords.txt 192.168.237.148
You might find that some extensions are easy to crack, others are a bit more testing! In this
particular case, luckily, we have another unusual method of obtaining extension passwords.
Referring back to the port scan you can see that TCP port 5038 (Asterisk Call Manager) is open
and available to external probes! If you performed a vulnerability scan this may have shown up
stating that default credentials are in place.
It is possible to connect to the service using the telnet protocol on port 5038 with the default
username admin and password amp111.
Using the command action with the actual command of sip show users it is possible to pull out a
complete list of users, shown below:
The acm interface can also be used to locate voicemail users (useful for the next exercise!)
Further Exploitation
As weve located a single user with voicemail capability, and we have the extension password, it is
possible to use a soft-phone to log in with the credentials and attempt to gain access to the users
voicemail inbox. For this particular example Im using X-Lite.
Referencing Asterisk documentation its possible to see that *97 can be used to obtain voicemail. As
we dont know the voicemail password were going to have to bruteforce the manual way! Hint 0000
may get you in In case youre still struggling the voicemail goes along the lines of the following:
Hey Mark, I think the support web access account has been compromised. I have changed the
password to securesupport123 all one word and lowercase. You can log on at the usual address.
See you in the morning
After listening to the voicemail you should now have the username and password for the support
account. To test these out navigate to the HTTP interface and enter the credentials
support/securesupport123
Upon login youll be presented with the main administrative interface. A key piece of info is found in
the FreePBX version details (research for vulnerabilities).
One particular vulnerability of interest can be found here, of which an extract follows:
1.
2.
3.
4.
This compressed file name needs to follow the given rule, i.e. name-version.tgz.
The following command can be used to compress: tar -czvf webshell-1.0.tgz webshell/.
Upload via the FreePBX modules interface
Using the webshell to perform a basic command (to ensure all is working as expected).
The handler (exploit/multi/handler) was used to listen and wait for incoming connections.
TFTP can be used to upload the binary to the host using the PHP webshell as previously created,
by using the command tftp *HOST_IP*-c get rev_shell.
Permissions of the uploaded file will need to be altered, i.e. chmod 777 rev_shell - not a great idea
to use lax permissions like these in real life
Upon gaining access via the Meterpreter shell it makes things easier (continue reading)
The user asterisk can surprisingly run nmap as root! Theres a little trick here
Set the relevant options (note, the extension we use for this either has to go to voicemail or the call
needs to be answered). For this exploit were going to use the support extension. Well assume that
we havent yet cracked user credentials to any extensions and, this being the only one with
voicemail, leaves us with just one choice.
Exploit!
We have root shell. Now how cool and easy was that!
There are a few more funky things we can do with VulnVoIP, such as SIP spoofing. However well
cover that in a separate post and in the meantime have some fun!