한국어

소프트스위치

온누리070 플레이스토어 다운로드
    acrobits softphone
     온누리 070 카카오 프러스 친구추가온누리 070 카카오 프러스 친구추가친추
     카카오톡 채팅 상담 카카오톡 채팅 상담카톡
    
     라인상담
     라인으로 공유

     페북공유

   ◎위챗 : speedseoul


  
     PAYPAL
     
     PRICE
     

pixel.gif

    before pay call 0088 from app


http://nicerosniunos.blogspot.kr/


Hi again guys, here there is my new personal project. I think that README file is complete enough so I paste it on this post.

Next month I'll be with my colleague Antón at Kamalio World Conference showing a bit more about it. If you are there and want to talk a bit about VoIP security (or WebRTC) get in contact with us please. :)

Finally, we would like to publish the first version in one ore two months, sorry but we're developing it mostly in our free time :(. I've promised Yago to do it onSecurity by Default blog so stay tuned. 

Moreover this tool was included in Quobis personal project plan so you can always follow Quobis planet in which we publish all our experiments.

Nothing else, I hope you like it and all kind of suggestions (and coders) are welcomed :).


Bluebox-ng

Bluebox-ng is a next generation UC/VoIP security tool. It has been written in CoffeeScript using Node.js powers. This project is "our 2 cents" to help to improve information security practices in VoIP/UC environments.

Install deps

  •  cd bluebox-ng
  • npm install

Run

  • npm start

Features

  • Automatic pentesting process (VoIP, web and service vulns)
  • SIP (RFC 3261) and extensions compliant
  • TLS and IPv6 support
  • VoIP DNS SRV register support
  • SIP over websockets (and WSS) support (draft-ietf-sipcore-sip-websocket-08)
  • REGISTER, OPTIONS, INVITE, MESSAGE, SUBSCRIBE, PUBLISH, OK, ACK, CANCEL, BYE, Ringing and Busy Here requests support
  • Extension and password brute-force through different methods (REGISTER, INVITE, SUBSCRIBE, PUBLISH, etc.)
  • DNS SRV registers discovery
  • SHODAN and Google Dorks
  • SIP common vulns modules: scan, extension brute-force, Asterisk extension brute-force (CVE-2011-4597), invite attack, call all LAN endpoints, invite spoofing, registering hijacking, unregistering, bye teardown
  • SIP DoS/DDoS audit
  • SIP dumb fuzzer
  • Common VoIP servers web management panels discovery and brute-force
  • Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
  • Automatic vulnerability searching (CVE, OSVDB)
  • Geolocalization using WPS (Wifi Positioning System) or IP address (Maxmind database)
  • Colored output
  • Command completion

Roadmap

  •  Tor support
  • More SIP modules 
  • SIP Smart fuzzing (SIP Torture RFC)
  • Eavesdropping
  • CouchDB support (sessions)
  • H.323 support
  • IAX support
  • Web common panels post-explotation (Pepelux research)
  • A bit of command Kung Fu post-explotation
  • RTP fuzzing
  • Advanced SIP fuzzing with Peach
  • Reports generation
  • Graphical user interface
  • Windows support
  • Include in Debian GNU/Linux
  • Include in Kali GNU/Linux
  • Team/multi-user support
  • Documentation
  • ...
  • Any suggestion/piece of code ;) is appreciated.

Author

Jesús Pérez

Contributors

Damián Franco
Jose Luis Verdeguer

Thanks to ...

  • Quobis, some hours of work through personal projects program
  • Antón Román (@AntonRoman), he speaks SIP and I'm starting to speak it thanks to him
  • Sandro Gauci (@sandrogauci), SIPVicious was our inspiration
  • Kamailio community (@kamailioproject]), my favourite SIP Server
  • David Endler and Mark Collier (@markcollier46), authors of "Hacking VoIP Exposed" book
  • John Matherly (@achillean) for SHODAN API and GHDB
  • All VoIP, free software and security hackers that we read everyday
  • Loopsize, a music lhacker (creator of themes included in video demos)

License

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see .

2/26/2013

How to protect your WebRTC app code?

I have spent some time analyzing which could be the best way to protect a privative version of a webphone based on QoffeeSIP that we are developing now at Quobis. I have seen this same question on different sites with quite confusing responses. So I'm going to share what I learned just in case it could help to anybody.

Well, I'm not going to define what is WebRTC because Internet is full of it this year (only overtaken by cats ;). For our purposes we have to consider that our app is a Javascript library. Really there is also HTML/CSS code but what I think that is important is Javascript, but HTML/CSS can also be protected in the same way but with other tools.

First of all I want to remark that protect your code in the sense of anybody could copy/modify and redistribute it is impossible since Javascript is only text. If anybody had enough time (or money) this code could be reversed. But, as always, we can do things trying to avoid it as far as possible.

In general, I found that there is a bit confusion between minimize and obfuscate terms so we're going to speak a bit about these techniques.

Minimization

The target is to get the code as small as possible. Obviously generated code is more difficult to understand, but it could be easily reversed with tools like JSbeautifier. (really not as easy depending of the minimizing tool)

Some common possible options at this point are:

  • UglifyJS: The coolest thing right now xD. It is a Node.js package so it's easy to include. Some days ago version 2 was published. We will see that it's fast, really fast.
  • Google Closure Compiler which uses Google to its apps. It is availiable a Java command line tool but there are node modules which use the online API.
  • YUI Compressor from Yahoo, it was the facto standard but now last alternatives are beating it.
A little comparison: I can't find original link, sorry :(
  • Average time: (lower is better)
    • UglifyJS: 0.11554 seconds
    • Closure: 1.41037 seconds
  • Average reducction: (higher is better)
    •  UglifyJS: 45.6%
    • Closure: 51.5%
NOTE: Another one (more complete) with YUI included too.

In my experience Google Closure generated code is better because besides minimization tasks it includes code checking too. It provides warnings for dangerous or illegal Javascript. Moreover I like that you can use this online serviceto check your code while developing.



Obfuscation

It is defined as "the hiding of intended meaning in communication, making communication confusing, wilfully ambiguous, and harder to interpret."(Wikipedia).

We have some options here when we are working with a web app:
  • Encrypt the transport layer: needed to avoid sniffing to another users of the same LAN. So using HTTPS to serving the application is a must.
  • Encryption: Encrypt application data and decrypt it on the fly via your own javascript enccryption library.
  • Move functions to the server side, which it's not possible in the case of WebRTC because we want end to end media.
  • Use a browser plugin, it has no sense since one of the advantages of WebRTC is that the user doesn't have to install anything.
  • Implement the code in native client for Chrome browser. The advantaje is that common C code protections can be used and the app runs sandboxed. But it is not our case because we need multi-platform support.
  • To avoid legal issues you should incude a note (a Javascript comment)referencing the copyright in each copy of the .js library. Something similar to Free Software Foundation recommendations for free Javascript code. An example could be:
NOTE: Really @source tag is proposed by FSF to include a link to source code of the app. But I think that it could be a good idea to use it because browser plugins that follow the recommendations should "understand" it.

// @source: https://qoffeesip.quobis.com
// Copyright (C) Quobis
// Licensed under Quobis Commercial license
// (http://www.quobis.com/licenses/commercial-1.0.html)

I also want to point out some common obfuscation/encryption problems:
  • Performance decrement, specially speed.
  • Increase troubleshooting difficult.
  • Compatibility problems (IE!!).
  • Size increase.
  • As it was said, a skilled expert could always reverse it and get a code equivalent to ours.
All these problems are more important on the case of encryption, except the last one logically. So at this point we have some options, but I've reduced them to these ones:
  • A paid option like JsCrambler: This is the reference tool, generated code seems to be really dificult to recover and it supports an important number of encryption algorithms.
  • A free solution provided by my colleague DamiánHorrible.js. It implements obfuscation and a kind of simple (so light) optional (through "factor" parameter) encryption. Next picture shows an example using it with the three different factors.

Finally, if you don't like the ugly generated code you can always use Nice.js to get something like this example: xD



In conclusion, I like Horrible.js with factor 3. In my opinion, it has no sense to paid for mitigating a risk impossible to solve completely.

1/19/2013

SIP INVITE attack with Metasploit

Some days ago my friend @pepeluxx wrote another post about INVITE attacks. He spoke about a @sinologic project which allows to everybody passing some security tests to SIP servers. Furthermore he also published a perl script to do the same task. So I implemented it on Metasploit because I think It could be really useful during a pentesting. It’s interesting because these attacks are really dangerous, normally, attackers try to call to expensive locations. This target numbers often have special charges and they make money with this. Here there are two well known examples:


I’m not going to deep in this vector because of being a well known (and old!!) one. Basically the attacker tries to make a call using a misconfigured PBX. This is allowed because SIP RFC says that an extension has not to be registered to be able to make a call, only to receive it. Really most SIP servers implement authentication both in registering and calling process (and even to hang up a call), this is useful in eavesdropping scenarios in order to avoid SIP Teardown (BYE) attacks. But only a few systems have this configuration enabled by default, most of them use authentication only to register. In example, for Asterisk we should change “allowguest=no” in "sip.conf" file to ask for authentication in each call (INVITE). Apart from this, sysadmins should be also very carefully defining the dialplan to be secure. A common example of what not to do is the next one, in where outbound (to PSTN) calls context is included in default one:

(sip.conf file)
[general]
context=default

(extensions.conf file)
[default]
include  => outbound

I committed the module to my Github project, it only implements a SIP INVITE request where the user can provide next parameters:

Module parameters

You should try to call to a common phone number (you can see it in last picture) and with an extension because servers normally work in a different way. The code simply sends an INVITE request with provided options and then it parses the response. If it is a “Trying” you could be in a problem man. ;)

Possible insecure system

Possible insecure system

Secure system to this vector

These are the links to both UDP and TCP version of the tool. I would like to remember that Metasploit modules which support TCP also support TLS. You can change the version of the protocol and another optional parameters with command“show advanced”.
Advanced options

Finally I want to say that last days I was reviewing my SIP Metasploit modules trying to add some more features (like SIP proxy support) and I found that they are a mess. There is a lot of repeated code and they are complex to maintain. So, after speaking with some Metasploit guys on irc channel, I’m going to write a new SIP Proto ("lib/rex/proto/sip.rb") class and a Mixin ("lib/msf/core/auxiliary/sip.rb") which uses it. Once solved this I’m going to add all SIP modules I have developed to official Metasploit distribution.

Ref: http://www.sinologic.net/blog/2009-02/la-voip-mal-configurada-llama-a-cuba/

조회 수 :
38973
등록일 :
2013.04.06
22:44:35 (*.160.42.88)
엮인글 :
http://webs.co.kr/index.php?document_srl=19770&act=trackback&key=20f
게시글 주소 :
http://webs.co.kr/index.php?document_srl=19770
List of Articles
번호 제목 글쓴이 조회 수 추천 수 날짜
162 Opensips Gateway between SIP and SMPP messages admin 250   2019-02-19
 
161 smpp sms opensips admin 239   2019-02-19
 
160 Busy Lamp Field (BLF) feature on Opensips 2.4.0 with Zoiper configuration admin 1972   2018-05-29
 
159 Documentation -> Tutorials -> WebSocket Transport using OpenSIPS admin 1860   2018-05-17
 
158 List of SIP response codes admin 3512   2017-12-20
 
157 opensips/modules/event_routing/ Push Notification Call pickup admin 3071   2017-12-20
 
156 opensips push notification How to detail file admin 2987   2017-12-20
 
155 OpenSIPS routing logic admin 3044   2017-12-12
 
154 OpenSIPS example configuration admin 3024   2017-12-12
 
153 opensips log output admin 3039   2017-12-11
 
152 opensips complete configuration example admin 3136   2017-12-10
 
151 Opensips1.6 ebook detail configuration and SIP signal and NAT etc file admin 3113   2017-12-10
 
150 dictionary.opensips radius admin 4062   2017-12-09
 
149 what is record_route() in opensips ? admin 3987   2017-12-09
 
148 what is loose_route() in opensips ? file admin 4136   2017-12-09
 
147 in opensips what is lookup(domain [, flags [, aor]]) admin 4022   2017-12-09
 
146 in opensips db_does_uri_exist() what is admin 3856   2017-12-09
 
145 in opensips what is has_totag() admin 4033   2017-12-09
 
144 opensips exec module admin 4200   2017-12-08
 
143 opensips push notification How to admin 3996   2017-12-07
 
142 OpenSIPS Module Interface admin 4111   2017-12-07
 
141 opensips configuration config explain easy basic 오픈쉽스 컨피그레이션 기본 설명 file admin 4177   2017-12-07
 
140 openssl 을 이용한 인증서 생성 절차를 정리한다. 개인키 CSR SSL 인증서 파일 생성 admin 5286   2017-09-14
 
139 Documentation -> Tutorials -> TLS opensips.cfg admin 5043   2017-09-14
 
138 Using TLS in OpenSIPS v2.2.x admin 5029   2017-09-14
 
137 opensips tls cfg admin 5125   2017-09-14
 
136 How to setup a Jabber / XMPP server on Debian 8 (jessie) using ejabberd admin 5688   2017-09-13
 
135 SIP to XMPP Gateway + SIP Presence Server opensips admin 4993   2017-09-13
 
134 OpenSIPS command line tricks admin 4960   2017-09-13
 
133 Fail2Ban Freeswitch How to secure admin 5261   2017-09-12
 
132 opensips.cfg. sample admin 4932   2017-09-12
 
131 Advanced SIP scenarios with Event-based-Routing admin 5100   2017-09-11
 
130 PUSH SERVER 푸시서버 안드로이드 애플 admin 5559   2017-09-11
 
129 오픈소스 (사내)메신저 서버 구축, 오픈 파이어(openfire) 설치방법과 세팅(리눅스 기준) admin 13814   2017-09-09
 
128 rtpengine config basic and opensips configuration and command admin 5276   2017-09-06
 
127 WebSocket Transport using OpenSIPS configuration 웹 소켓 컨피그레이션 기본 admin 5088   2017-09-06
 
126 OpenSIPS basic configuration script 기본 컨피그 admin 5195   2017-09-05
 
125 rtpengine install and config admin 5165   2017-09-05
 
124 Installing RTPEngine on Ubuntu 14.04 admin 5264   2017-09-05
 
123 compile only the textops module make modules=modules/textops modules admin 5150   2017-09-05
 
122 opensips command /sbin/opensipsctl detail admin 5241   2017-09-04
 
121 2017 08 31 opensips 2.32 install debian8.8 module install compile err modules admin 5168   2017-09-04
 
120 Build-Depends debian 8.8 opensips 2.3 admin 5070   2017-09-04
 
119 What is new in 2.3.0 opensips admin 5893   2017-09-04
 
118 ubuntu 安装配置opensips,rtpproxy,mediaproxy admin 5433   2017-09-04
 
117 How to install Mediaproxy 2.5.2 on CentOS 6 64 bit admin 5673   2017-09-04
 
116 Using TLS in OpenSIPS v2.2.x configuration admin 5332   2017-09-04
 
115 How to 2.3 download , OpenSIPS new apt repository. DEBs for Debian / Ubuntu admin 5290   2017-09-02
 
114 You can install CDRTool in the following ways: admin 5608   2017-09-01
 
113 How to Install OpenSIPS 2.1.2 Server on Ubuntu 15.04 admin 5494   2017-09-01
 
112 Opensips 2.32 download admin 5270   2017-09-01
 
111 OpenSIPS 2.3 install admin 5601   2017-09-01
 
110 JsSIP: The JavaScript SIP Library admin 5556   2017-09-01
 
109 WebSocket Transport using OpenSIPS admin 5644   2017-09-01
 
108 A2Billing and OpenSIPS – Part 1 admin 5330   2017-08-29
 
107 A2Billing and OpenSIPS – Part 2 admin 5242   2017-08-29
 
106 A2Billing and OpenSIPS – Part 3 admin 5450   2017-08-29
 
105 OpenSIPS 2.3 philosophy admin 6006   2017-08-17
 
104 The timeline for OpenSIPS 2.3 is admin 6142   2017-08-17
 
103 OpenSIPS Control Panel and Homer integration admin 6179   2017-08-17
 
102 Opensips sip capture re designed admin 5625   2017-07-16
 
101 WebRTC with OpenSIPS WebSocket is a protocol provides full-duplex admin 10653   2015-04-04
 
100 WebSocket Support in OpenSIPS 2.1 admin 11941   2015-04-04
 
99 OpenSIPS 2.1 (rc) is available, download now! admin 10530   2015-03-22
 
98 Service Provision Using Asterisk & OpenSIPS - AstriCon 2014 admin 12327   2015-02-25
 
97 SIP Signaling-Messages OpenSIPS Running On Multicore Server file admin 19858   2014-11-02
 
96 opensips.cfg for Asterisk admin 22103   2014-10-20
 
95 A2Billing and OpenSIPS config admin 21427   2014-10-20
 
94 Jitsi Videobridge meets WebRTC admin 23059   2014-10-18
 
93 A Survey of Open Source Products for Building a SIP Communication Platform admin 21048   2014-10-18
 
92 Script Function , Module Index v1.11 함수 모듈 opensips admin 21257   2014-10-14
 
91 Opensips TM module enables stateful processing of SIP transactions admin 18944   2014-10-04
 
90 kamailio.cfg configuration Example admin 21210   2014-10-04
 
89 opensips NAT Traversal Module admin 20501   2014-10-02
 
88 UAC Registrant Module admin 22270   2014-09-28
 
87 MediaProxy 2.3.x & OpenSIPS 1.5.x Integration admin 21443   2014-08-24
 
86 RTPPROXY Admin Guide admin 21789   2014-08-24
 
85 CANCEL MESSAGE not handled correctly admin 21589   2014-08-23
 
84 [Sipdroid] SIP data collection study tour admin 22013   2014-08-23
 
83 [OpenSIPS-Users] Opensips 1.10 NAT radius aaa admin 22006   2014-08-23
 
82 OpenSIPS Consultancy Pricing module install Server 판매 또는 설치및 컨설팅 가이드 admin 21900   2014-08-23
 
81 ICE: The ultimate way of beating NAT in SIP admin 21548   2014-08-23
 
80 Many OPENSIPS Configuration Examples This will Help you admin 21209   2014-08-23
 
79 Real-time Charging System for Telecom & ISP environments admin 21963   2014-08-23
 
78 OPENSIPS EBOOK admin 22105   2014-08-21
 
77 Opensips Documentation Function admin 21801   2014-08-21
 
76 Presence Tutorial OpenXCAP setup admin 21391   2014-08-18
 
75 Opensips Modules Documentation admin 22070   2014-08-18
 
74 A lightweight RPC library based on XML and HTTP admin 21247   2014-08-18
 
73 opensips Nat script with RTPPROXY - English Good perfect admin 20038   2014-08-15
 
72 OpenSIPS Control Panel (OCP) Installation Guide Good admin 20249   2014-08-13
 
71 Installation and configuration process record opensips opensips-cp admin 46469   2014-08-13
 
70 OpenSIPS as Homer Capture server admin 19157   2014-08-13
 
69 OpenSIPS , default script , Types of Routs , Routing in SIP, Video lecture admin 21333   2014-08-13
 
68 Configuracion de Kamailio 3.3 con NAT Traversal y XCAP. admin 21816   2014-08-12
 
67 Under RHEL6.5 install OpenSIPS 1.11.1 tls admin 21100   2014-08-12
 
66 OpenSIPS/OpenSER-a versatile SIP Server cfg admin 21968   2014-08-11
 
65 Kamailio Nat Traversal using RTPProxy admin 21529   2014-08-11
 
64 MediaProxy wiki page install configuration admin 21585   2014-08-11
 
63 오픈소스 (사내)메신저 서버 구축, 오픈 파이어(openfire) 설치방법과 세팅 admin 40287   2014-08-11
 
62 MediaProxy Installation Guide admin 21102   2014-08-10
 
61 RTPProxy 1.2.x Installation & Integration with OpenSIPS 1.5x admin 22341   2014-08-10
 
60 Opensips Installation, How to. Good guide wiki page admin 19345   2014-08-10
 
59 OpenSIPS Installation Notes admin 18858   2014-08-09
 
58 Installation and configuration process record opensips 1.9.1 admin 32355   2014-08-09
 
57 opensips 1.11.2 install Good Giide admin 22422   2014-08-09
 
56 fusionPBX install debian wheezy admin 21287   2014-08-09
 
55 opensips 1.11.2 install guide good 인스톨 가이드 admin 21596   2014-08-09
 
54 SigIMS IMS Platform admin 21848   2014-05-24
 
53 2013 2012년 분야별 최고의 오픈소스 소프트웨어 124선 admin 26301   2014-04-05
 
52 Video conference server OpenMCU-ru - Introduction admin 24522   2014-04-01
 
51 SIPSorcery admin 22280   2014-03-18
 
50 Ekiga (formely known as GnomeMeeting) is an open source SoftPhone admin 22693   2014-03-12
 
49 telepresence: Open Source SIP Telepresence/MCU admin 46880   2014-03-12
 
48 SIP PBX - OpenSIPS and Asterisk configuration admin 35424   2014-03-12
 
47 Conference Support in Kamailio (OpenSER) admin 29902   2014-03-12
 
46 OpenSIPS configuration for 2 or more FreeSWITCH installs admin 20862   2014-03-12
 
45 The Impact of TLS on SIP Server Performance file admin 22307   2014-03-12
 
44 book-opensips-101 / content / 3.2. SIP TLS Secure Calling.mediawiki admin 21556   2014-03-12
 
43 Where to check OpenSIPS does not start? admin 21646   2014-03-09
 
42 opensips-1.10.0_src.tar.gz experimental source code documentation admin 22683   2014-03-09
 
41 Kamailo OpenSIPs installation on Debian admin 28344   2014-03-09
 
40 Using the openSIPS Registrant Module admin 23141   2014-03-09
 
39 RTPproxy Frequentry Asked Questions (FAQ) ¶ admin 21106   2014-03-07
 
38 Building Telephony Systems with OpenSIPS 1.6 RTPProxy + OpenSIPS 1.7 admin 22195   2014-03-07
 
37 Installing RTPproxy Start RTPproxy in Bridged mode very good admin 35906   2014-03-07
 
36 OpenSIPS Control Panel (OCP) Installation Guide admin 20848   2014-03-06
 
35 OpenSIPS Control Panel install guide admin 22087   2014-03-06
 
34 rtpproxy Module admin 21978   2014-03-06
 
33 MediaProxy Installation Guide admin 30294   2014-03-06
 
32 How to install OpenSIPS on CentOS debian module add xcap admin 22857   2014-03-06
 
31 Problem with presence_xml module Opensips 1.9 admin 22359   2014-03-06
 
30 Building Telephony Systems with OpenSIPS 1.6 books file admin 23361   2014-03-06
 
29 Multimedia Service Platform admin 21683   2014-03-06
 
28 How to install OpenSIPS on CentOS Debian etc admin 22463   2014-03-05
 
27 Opensips Installation, How to. admin 19156   2014-03-05
 
26 100% CPU usage opensips admin 21860   2014-03-05
 
25 A2Billing and OpenSIPS admin 23661   2014-03-04
 
24 Opensips_1.9 install guide this is great I like this admin 29193   2014-03-04
 
23 Opensips install debian admin 22992   2014-03-03
 
22 Open Source VOIP applications, both clients and servers. admin 23390   2013-11-20
 
21 OfficeSIP Server is freeware VoIP, SIP server for Windows admin 24587   2013-09-11
 
» My new toy: Bluebox-ng admin 38973   2013-04-06
http://nicerosniunos.blogspot.kr/ Hi again guys, here there is my new personal project. I think that README file is complete enough so I paste it on this post. Next month I'll be with my colleague ...  
19 Flooding Asterisk, Freeswitch and Kamailio with Metasploit admin 41412   2013-04-06
 
18 Asterisk Installation Asterisk Realtime configuration admin 27473   2013-04-06
 
17 The SIP Router Project admin 26440   2013-04-06
 
16 Kamailio :: A Quick Introduction admin 23944   2013-04-06
 
15 Welcome to the Smartvox Knowledgebase admin 24247   2013-04-06
 
14 Kamailio 3.3.x and Asterisk 10.7.0 Realtime Integration using Asterisk Database admin 29162   2013-04-06
 
13 OpenSIPS vs Asterisk admin 72597   2013-04-06