BreakingPoint Systems



Similar documents
Troubleshooting Tools to Diagnose or Report a Problem February 23, 2012

Hardware Overview. Ooma Linx devices These are installed around the office and are used to connect phones and other devices to your Ooma Office system

IP- PBX. Functionality Options

Evolution PBX User Guide for SIP Generic Devices

IP PBX. SD Card Slot. FXO Ports. PBX WAN port. FXO Ports LED, RED means online

Metasploit Framework Telephony

VoIP Solutions Guide Everything You Need to Know

Frequently Asked Questions about Integrated Access

NEC s SonicView IP Recorder Release Notes. Version 1.2. Release Notes

ONE POS User Manual. A brief hand guide for ONE ERP POS SYSTEM MYIT SOLUTION. Latest update on: 03/09/12

Back Office Recorder 4iP Installation Guide Intelligent Recording Limited

ATA: An Analogue Telephone Adapter is used to connect a standard telephone to a high-speed modem to facilitate VoIP and/or calls over the Internet.

Gateways and Their Roles

IPChitChat VoIP Service User Manual

GMSVoIP s PBX. Hosted model, running on provider s server, features rich PBX plus Class 5 broadband phone services

Rev

Phree as in Phone Call The other end of the line

Intermedia Cloud Softphone. User Guide

Welcome to ScopServ. ScopTEL ACD Module

Device SIP Trunking Administrator Manual

With 360 Cloud VoIP, your company will benefit from more advanced features:

Alert VoIP Softphone Tests Tutorial

BP_UserGuide_1113. Business Phone User Guide

PREDICTIVE DIALER AND REMOTE AGENT SETUP GUIDE

Alcatel-Lucent OXO Configuration Guide. For Use with AT&T s IP Flexible Reach Service. Version 1 / Issue 1 Date July 28, 2009

Your Phone. Your Business. Your World. SM SM

Dialplate Receptionist Console Version

Digital Phone Installation & User Guide

Single-User VoIP Service User Manual. Version Revised

BP_UserGuide_0113. Business Phone User Guide

Orchestra Call Centre Agent Software Version 3

Easy-VoipTel. Virtual PBX. Description. Advantages

The 21 st Century Business Telephone System. VOIP PBX Telephone System

Licensed Functionality: Remote Monitoring

one Managing your PBX Administrator ACCESSING YOUR PBX ACCOUNT CHECKING ACCOUNT ACTIVITY

A Guide to Connecting to FreePBX

Cisco CCA Tool SIP Security methods

Van Buren County Unified Voice Communication RFP

3CX + PBXMate Set up guide

Internet Telephony PBX System

No more nuisance phone calls! Internet Control Panel & Weblink Guide

UC Suite FOR UNIVERGE SV9100. Smart Communications for Small and Medium Business. necam.com

H.323 / SIP VoIP Gateway VIP GW. Quick Installation Guide

The 21 st Century Business Telephone System. VOIP PBX Telephone System

1 VoIP/PBX Axxess Server

Voice Call Addon for Ozeki NG SMS Gateway

Hosted Voice. Administrator Guide

DOMIQ, SIP and Mobotix cameras

Inbound Routing with NetSatisFAXTion

NF1Adv VOIP Setup Guide (for Generic VoIP Setup)

TAXONOMY OF TELECOM TERMS

Quick Start Guide v1.0

VoIP became simpler. Prima IP PBX

VoIP H.323 Series. VoIP Gatways: VoIP 422/404/440/800 VoIP Routers: VoIP 404R/440R/200R/110R. Quick Setup Guide

iview (v2.0) Administrator Guide Version 1.0

Configuring CyberData Devices for Intermedia Hosted PBX

Mistral Hosted PBX. The future of business phone systems

Applies to: F1PG200ENau Belkin Analogue Telephone Adapter (ATA) Firmware release notes

What is ViP? ViP is a complete package for your hosted/voip telephone solution. The ViP package has been created to keep things simple for you.

Businesses Save Money with Toshiba s New SIP Trunking Feature

alternative solutions, including: STRONG SECURITY for managing these security concerns. PLATFORM CHOICE LOW TOTAL COST OF OWNERSHIP

Best Practices for Securing IP Telephony

IP Telephony Deployment Models

SIPPBX 6200GS, 6200S PRODUCT DATA. IP-PBX for Enterprise office PBX application. SIPPBX 6200GS, Up-to 400 employees. SIPPBX 6200S, Up-to 200 employees

Voice over IP Phone Feature Guide

Connecting Your Enterprise With Asterisk: IAX to Carriers. Dayton Turner Voxter Communications

Titanium 3.0. Features. Virtual PBX Technology - Business Phone System

Adutante Call Recording

Voice Rate Plans. A Call Path + Inbound Phone Number combination is commonly referred to as a Phone Line.

The 3CXIPPBX Tutorial

Combining Clear Voice with our Business Class connectivity services gives you the first major stepping stone in convergence.

Web Portal User Guide

DigiDial- VoIP SSMM Service Overview No Boundaries outside the box of traditional telephony P er ver OecioV

Door Phone VoIP. User manual IPDPS 01C IPDPS 02C IPDPS 01 IPDPS 02

Internet: Telephone Calls for Free with Vo I P I 19/1. Your PC can Make Telephone Calls to Anywhere in the World for Free!

8335 Guilford Road Suite H Columbia MD

Copyright ZYCOO All Rights Reserved 1 / 8

Truffle Broadband Bonding Network Appliance

Technology/Internet Usage Workshop

Crystal Gears. Crystal Gears. Overview:

Introducing Cisco Voice and Unified Communications Administration Volume 1

Pharos Control User Guide

Wildix Management System (WMS) White Paper

Data Transmission Using Codan HF Radios. R. Aston GCP/INT/651/NOR EMPRES. Improving Pesticide Application Techniques for Desert Locust Control

Standard Features What it does Price Exc VAT Price Inc VAT Page. Number Withhold Allows you to withhold your number Free Free 2

VoIPOffice. VoIPOffice Hosted Edition provides advanced features such as Unified Messaging, Automatic Call Distribution,

Bob Eager. 16 th February 2015

HOW A BETTER PHONE SERVICE WILL IMPROVE YOUR BUSINESS

How To Use A Pplx On A Pc Or Cell Phone (For A Business)

Cisco Unified Communications Manager SIP Trunk Configuration Guide

PhonEX ONE Microsoft Sample Reports November 2010

IP-PBX Quick Start Guide

The Problem with Faxing over VoIP Channels

Transcription:

Warvox

H D Moore <hdm [at] metasploit.com> metasploit Project lead BreakingPoint Systems Director of Security Research

Telephone Fun Time Way back when... Modems were how you got access to things Modems were poorly protected, easy to find Nights were spent in front of TONELOC Found all sorts of interesting things UNIX machines, remote access, PPP/SLIP Routers, switches, various data services HVAC, SCADA, power mgmt, radio gear

TONELOC Maps Displays 10,000 number blocks Dial an entire exchange: 123-456-XXXX Plot as a 100x100 grid colored by type Vertical rows are sequential numbers Number classification CARRIER, BUSY, VOICE, FAX,TIMEOUT Manual classification (GIRL, AHOLE, etc)

Wardialing Today Wardialing Search for modems, faxes, and tones Still effective against large organizations Connect modems to phone lines Dial until you find something Slow and inefficient Requires hardware and line investment Commercial software is expensive

Commercial Tools Sandstorm's PhoneSweep PhoneSweep Basic starts at $1,186.00 Limit of one modem, not included 60/calls per hour PhoneSweep Plus 16 starts at $35,600.00 Includes 16 modems, rackmount server 1000/calls per hour FREE! SecureLogix's TeleSweep

Open Source Tools MS-DOS (WinXP & DOSEmu) TONELOC THC-SCAN UNIX Systems iwar PAWS Metasploit: I)ruid's wardial module Others: ShokDial, ward.c, etc

Wardialing + VoIP Required hardware investment Modem + IAXY + Asterix + SIP provider Modem + SIP ATA + SIP provider Modem + Time Warner ATA Software is not quite there yet iwar does not handle VoIP properly iaxmodem can only handle fax machines

Wardialing with Metasploit Hardware setup US-Robotics USB modem (v.90) Generic dual-stack SIP/IAX ATA Software Checkout latest Metasploit SVN snapshot use auxiliary/scanner/telephony/wardial Find a VoIP Service Provider...

Wardialing with VoIP Reality check on unlimited ISPs Common rate is $40 USD/mo Limited to one outgoing call Limited to 250 total destination numbers Aggressive auto-dialer policies Contract locks

Wardialing with VoIP Per-minute ISPs are much nicer Common rate is $0.01 per minute Better protocol support (IAX and SIP) Multiple outgoing calls (~10 is normal) Happy as long as they get paid Still some hidden fees (vitelity.net) Minimum of one minute, rounded ~6 secs Include ring time in the count...

Wardialing is Boring Dialed for 48 hours straight Covered approximately 2000 numbers Lots of 300 BAUD mangled carriers (faxes) Approximately ~45% answer rate Approximately ~4% carriers Dialing results Found close to 100 carriers (most 300B) Bill from vitelity.net was $13.25

OCD + Impatience Limited by the hardware Only one modem, only one ATA device Limited to one outgoing call at a time Software modems are limited Requires real codec/dsp in software iaxmodem, but it does FAX only iwar is a nice idea, but not implemented

Stepping Back Modern wardialing misses the point Only ~4% of numbers are modems Dialing these with a modem is a waste What about the rest of the numbers? TONELOC Half the fun was listening to the audio Manual classification of interesting lines Found strange and insecure things

War Voicing WarVOX is the solution Call each number using VoIP Record an audio sample (~20 secs) Process the audio later on Benefits over traditional dialing Scalable and cheap using VoIP Opens the door to new attacks Archival audio data

WarVOX Implementation Softphone that records audio iaxrecord: dial over IAX and save raw samples Ruby on Rails Web UI Configure VoIP providers Launch a new dial job Analyze the audio Classify the lines Visualize the data

WarVOX Speeds VoIP ISP allows ~50 concurrent calls Scan over 3,000 numbers/hour Scan ~10,000 numbers in 3 hours 45% pickup == $45.00 in VoIP fees Analysis is resource intensive Lots of processing (mp3, png, fft, etc) Averaging ~20 seconds per audio sample Can use multiple CPU cores :-)

Call Analysis Generate a simple signal graph Scripted through GNUPlot Visually identify similar lines

Call Analysis Ghettotastic signature generation Developed with Efrain Torres of Metasploit Look for silence vs noise patterns Format is Type, Length, Average L,16194,16 H,1380,3096 L,320,8 L,569,18 H,29822,3096 H,739,2549

Call Analysis Noise vs Silence signatures Carriers and tones are small Voice systems are long Humans are mostly silence

WarVOX (voice) 23

WarVOX (fax) 24

WarVOX (human) 25

Automatic Grouping Match each sample against the rest Fuzzy matching of Silence vs Noise signature Automatically group similar calls Group up the faxes and modems Find similar sounding audio This call is being answered by Audix Welcome to Cisco Unity Call Manager This ABC Internal Number is not in service

Practical Uses Identify similar voice greetings Find all incoming lines for a company Target specific PBX vendors The outliers are interesting Corporate phones forwarded to mobiles International forwarding (UK ring tones) Teleconferencing systems Lots of weird stuff

Modems vs Faxes Modems sound a lot like faxes The signal graphs look very similar Some people can tell them apart by ear Noise vs Silence signatures fail Lets look closer...

WarVOX (fax) 29

WarVOX (modem) 30

Modems vs Faxes Determine difference by frequency Require spectrum analysis of the audio Hacked up Ruby-KissFFT for WarVOX Fax Machines 2100hz + 1625hz, 1660hz, 1850hz... Modems 2250hz + 1625hz, 1850hz, 2000hz...

Automatic Grouping Browsing the groups Use HTML5 Canvas object to TONEMAP Plot 100x100 numbers by group Each group its own color Drilling down into groups Click to select any group Hide other groups Link MP3 + graphics

Grouped by Silence vs Noise

Grouped by Peak Frequency

Spectrum Analysis Provides us with tone detection Signature specific BEEPs and tones Group phone systems by BEEP Find loops and other oddness A quick frequency challenge What is the following signal?

WarVOX (350hz + 440hz) 36

Moving Forward Latest online at WARVOX.ORG Version 1.0.0 is now public! Limited documentation Features coming in 1.0.1.. Import and export calls by type Browser-based TONELOC maps Integrated auto-grouping Tons more :-)

Legal Aspects Fax.com ruined it for everyone Wardialed every # for fax machines Spammed them with advertisements Settled for $6.5 million TCPA amended in 2003... Prohibits calling for fax vs voice detection Could easily apply to most wardialers More at http://warvox.org/legal.html

Demonstrations

questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information