Bluebox-ng

Bluebox-ng is a next generation UC/VoIP security tool. It has been written in CoffeeScript using Node.js powers. This project is "our 2 cents" to help to improve information security practices in VoIP/UC environments.

•  GitHub repo: https://github.com/jesusprubio/bluebox-ng
• Demo: http://www.youtube.com/watch?v=02AuYf66sx0

Install deps

•  cd bluebox-ng
• npm install

Run

• npm start

Features

• Automatic pentesting process (VoIP, web and service vulns)
• SIP (RFC 3261) and extensions compliant
• TLS and IPv6 support
• VoIP DNS SRV register support
• SIP over websockets (and WSS) support (draft-ietf-sipcore-sip-websocket-08)
• REGISTER, OPTIONS, INVITE, MESSAGE, SUBSCRIBE, PUBLISH, OK, ACK, CANCEL, BYE, Ringing and Busy Here requests support
• Extension and password brute-force through different methods (REGISTER, INVITE, SUBSCRIBE, PUBLISH, etc.)
• DNS SRV registers discovery
• SHODAN and Google Dorks
• SIP common vulns modules: scan, extension brute-force, Asterisk extension brute-force (CVE-2011-4597), invite attack, call all LAN endpoints, invite spoofing, registering hijacking, unregistering, bye teardown
• SIP DoS/DDoS audit
• SIP dumb fuzzer
• Common VoIP servers web management panels discovery and brute-force
• Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
• Automatic vulnerability searching (CVE, OSVDB)
• Geolocalization using WPS (Wifi Positioning System) or IP address (Maxmind database)
• Colored output
• Command completion

Roadmap

•  Tor support
• More SIP modules 
• SIP Smart fuzzing (SIP Torture RFC)
• Eavesdropping
• CouchDB support (sessions)
• H.323 support
• IAX support
• Web common panels post-explotation (Pepelux research)
• A bit of command Kung Fu post-explotation
• RTP fuzzing
• Advanced SIP fuzzing with Peach
• Reports generation
• Graphical user interface
• Windows support
• Include in Debian GNU/Linux
• Include in Kali GNU/Linux
• Team/multi-user support
• Documentation
• ...
• Any suggestion/piece of code ;) is appreciated.

Author

Jesús Pérez

• @jesusprubio
• jesusprubio gmail com
• http://nicerosniunos.blogspot.com/

Contributors

Damián Franco

• @pamojarpan
• pamojarpan google com

Jose Luis Verdeguer

• @pepeluxx](https://twitter.com/pepeluxx)
• pepelux enye-sec org
• http://www.pepelux.org/

Thanks to ...

• Quobis, some hours of work through personal projects program
• Antón Román (@AntonRoman), he speaks SIP and I'm starting to speak it thanks to him
• Sandro Gauci (@sandrogauci), SIPVicious was our inspiration
• Kamailio community (@kamailioproject]), my favourite SIP Server
• David Endler and Mark Collier (@markcollier46), authors of "Hacking VoIP Exposed" book
• John Matherly (@achillean) for SHODAN API and GHDB
• All VoIP, free software and security hackers that we read everyday
• Loopsize, a music lhacker (creator of themes included in video demos)

License

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see .

I have spent some time analyzing which could be the best way to protect a privative version of a webphone based on QoffeeSIP that we are developing now at Quobis. I have seen this same question on different sites with quite confusing responses. So I'm going to share what I learned just in case it could help to anybody.

Well, I'm not going to define what is WebRTC because Internet is full of it this year (only overtaken by cats ;). For our purposes we have to consider that our app is a Javascript library. Really there is also HTML/CSS code but what I think that is important is Javascript, but HTML/CSS can also be protected in the same way but with other tools.

First of all I want to remark that protect your code in the sense of anybody could copy/modify and redistribute it is impossible since Javascript is only text. If anybody had enough time (or money) this code could be reversed. But, as always, we can do things trying to avoid it as far as possible.

In general, I found that there is a bit confusion between minimize and obfuscate terms so we're going to speak a bit about these techniques.

Minimization

The target is to get the code as small as possible. Obviously generated code is more difficult to understand, but it could be easily reversed with tools like JSbeautifier. (really not as easy depending of the minimizing tool)

Some common possible options at this point are:

• UglifyJS: The coolest thing right now xD. It is a Node.js package so it's easy to include. Some days ago version 2 was published. We will see that it's fast, really fast.
• Google Closure Compiler which uses Google to its apps. It is availiable a Java command line tool but there are node modules which use the online API.
• YUI Compressor from Yahoo, it was the facto standard but now last alternatives are beating it.

A little comparison: I can't find original link, sorry :(

• Average time: (lower is better)
• UglifyJS: 0.11554 seconds
• Closure: 1.41037 seconds
• Average reducction: (higher is better)
•  UglifyJS: 45.6%
• Closure: 51.5%

NOTE: Another one (more complete) with YUI included too.

In my experience Google Closure generated code is better because besides minimization tasks it includes code checking too. It provides warnings for dangerous or illegal Javascript. Moreover I like that you can use this online serviceto check your code while developing.



Obfuscation

It is defined as "the hiding of intended meaning in communication, making communication confusing, wilfully ambiguous, and harder to interpret."(Wikipedia).

We have some options here when we are working with a web app:

• Encrypt the transport layer: needed to avoid sniffing to another users of the same LAN. So using HTTPS to serving the application is a must.
• Encryption: Encrypt application data and decrypt it on the fly via your own javascript enccryption library.
• Move functions to the server side, which it's not possible in the case of WebRTC because we want end to end media.
• Use a browser plugin, it has no sense since one of the advantages of WebRTC is that the user doesn't have to install anything.
• Implement the code in native client for Chrome browser. The advantaje is that common C code protections can be used and the app runs sandboxed. But it is not our case because we need multi-platform support.
• To avoid legal issues you should incude a note (a Javascript comment)referencing the copyright in each copy of the .js library. Something similar to Free Software Foundation recommendations for free Javascript code. An example could be:

NOTE: Really @source tag is proposed by FSF to include a link to source code of the app. But I think that it could be a good idea to use it because browser plugins that follow the recommendations should "understand" it.

• http://blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html
• http://snapvoip.blogspot.com.es/2009/02/calls-to-cuba-and-voip-attacks.html

Module parameters

Possible insecure system

Possible insecure system

Secure system to this vector

These are the links to both UDP and TCP version of the tool. I would like to remember that Metasploit modules which support TCP also support TLS. You can change the version of the protocol and another optional parameters with command“show advanced”.

• UDP
• TCP

Advanced options

Finally I want to say that last days I was reviewing my SIP Metasploit modules trying to add some more features (like SIP proxy support) and I found that they are a mess. There is a lot of repeated code and they are complex to maintain. So, after speaking with some Metasploit guys on irc channel, I’m going to write a new SIP Proto ("lib/rex/proto/sip.rb") class and a Mixin ("lib/msf/core/auxiliary/sip.rb") which uses it. Once solved this I’m going to add all SIP modules I have developed to official Metasploit distribution.

Ref: http://www.sinologic.net/blog/2009-02/la-voip-mal-configurada-llama-a-cuba/