usken.no - VoIP news! » Uncategorized

Another VoIP hacking in Norway

sjur — Wed, 28 Jul 2010 08:46:09 +0000

The latest month of scanning has seemed valuable for the hackers. A Norwegian municipality has been hacked and their PBX has been calling Somalia and a lot of others destinations we have picked up on our VoIP honeypots during the last month.

If you have an unsecure IP PBX on the net, now it will only take hours before it will be detected. Most normal cause for this is misconfiguration. The people setting up the IP PBX has not taken security seriously and the IP PBX is wide open for calling.

The simplest ways is that inbound calls is routed out again if no local destination is found. A little harder is to just brute-force the password on extensions. I can only say, there will be more like this!

Norwegian version

English version

The hacker can sell this “gateway” to a third party dealing with calling cards. I have investigated frauds in Norway where they managed to send 1,2 million NOK (approx 200 000 USD) within 10 days. This was a Cisco installation, but misconfigured Asterisk installations are also abused a lot.

Using botnets to do SIP scanning

sjur — Sun, 11 Jul 2010 10:40:53 +0000

The lastest week there has been a tremendous SIP scanning from IPs all over the world latest week. The scannings are coming from a lot of IPs but the same signature, so it is probably only one person/firm behind this.

The scanning is this:

OPTIONS sip:100@X.X.X.X SIP/2.0
Via: SIP/2.0/UDP 192.168.1.9:5060;branch=

z9hG4bK-31055767;rport
Content-Length: 0
From: “sipsscuser”; tag=01669016334862887007103185718785156498385702949

Accept: application/sdp
User-Agent: sundayddr
To: “sipssc”
Contact: sip:100@192.168.1.9:5060
CSeq: 1 OPTIONS

Call-ID: 022827170099429274868738305
Max-Forwards: 70

The lay-out of the OPTIONS messages is the same as in SIPVicious scannings, so the author has taken this python code and just changed the User-Agent.

And this is just the beginning….

Test your VoIP skills!

sjur — Tue, 01 Jun 2010 08:09:22 +0000

The Honeynet Project has released a real VoIP attack challenge! It is real data and YOU must find out how the hacker does the attack! Are you up for it? You will learn more about VoIP and get an understanding of the current VoIP attack methods! Go for it here! Deadline in 3 weeks!

The Chinese speaking members of the Honeynet Project has translated it even to simplified Chinese! Have fun and learn a lot!

Extreme SIP scanning latest week

sjur — Wed, 14 Apr 2010 16:17:37 +0000

There have never been so many SIP scannings in so short time for all my VoIP honeypots.They have tried all types, INVITES, REGISTER, SUBSCRIBES and OPTIONS. A short list of some of the attackes latest 48 hours. Normally just doing a couple hundred extensions and passwords, some of these IPs trying up to 10 000 different extensions/passwords.

IP addresses [User-agent] Provider

119.147.116.157    [Asterisk]
193.47.153.14         [SIPVicious]
86.47.46.147      [First SIPVicious, then SIPPER for PhonerLite]
174.143.245.120 [SIPVicious]
174.129.52.240    [SIPVicious]     Amazone EC2
24.190.38.4            [SIPVicious]

So keep your systems ready for the flood to come! This is just the start.

A great challenge awaits you!

sjur — Mon, 18 Jan 2010 07:40:18 +0000

Slightly interested in security?

Do you want to learn more about investigating attacks?

Here is your challenge!

The Honeynet Project has released this years first Scan of the Month challenge! It has many levels and now you can test if you are up to it!

Article about the Honeynet Project

sjur — Tue, 24 Nov 2009 09:28:23 +0000

Computerworld in Norway published an article about The Honeynet Project and the Norwegian Honeynet Chapter. This is one of the main tools to learn the tools of how attackers abuse VoIP targets. Her is the Norwegian and English version.

Another day, another (VoIP) fraud…

sjur — Wed, 21 Oct 2009 17:32:35 +0000

What the heck is the customers Asterisk calling Guatemala about quarter to five in the morning? 1000 calls to Guatemala, but very few actually went through or had any long duration. This was around 11 o’clock in the evening for Guatemala. What was the purpose of this abuse?

It would have been nice to have a tap into this unsecure Asterisk and listen in on the abuse calls. Was this open PBX sold as a gateway to a cash calling card company, or was it used to just free calling for the hacker itself? Ideas and comments are appreciated!

Embarrasing with the Norwegian Police website…

sjur — Tue, 01 Sep 2009 15:00:34 +0000

The Norwegian Police are limping after web 2.0 and finally made a website where you can report a crime (only if your wallet, bicycle or mobile phone is stolen). The only stupid thing is that it results in an e-mail sent to another system. But hey, they promise to send a letter in your (snail) mail within 14 days after the report. Great promise when you know only 3% of bicycle thefts are solved.

I think it is great that the police are trying to make it easier for you and me. The only problem is when they also make it easy for the bad guys. The Norwegian police is using the URL to point to graphics and then it is open for you and me to write whatever we want ourselves… great… no wonder this hits the front page on the largest tabloid newspaper (Link in Norwegian).

The Linux Media Center Solution! Awesome!

sjur — Sun, 10 May 2009 15:05:18 +0000

Browsed through the Internet for the Freedom Fone Project and came over the LinuxMCE. I have been dreaming about a project like this, and was really amazed about the possibilities included already.
They have done a smart thing dividing it up in two parts;

one powerful core server for doing encoding of incoming media
one or more clients connected to each screen around in the house.

Some of the features:

Surveillance camera
Intrusion alarm
Heat/Cooling control
Lightning control
Full media center functionality
Telephone central

All these features are knit together into a nice user interface where you only need a remote with three (3) buttons (+ OK and cancel) to operate. And it’s even cooler with a gyro remote control (anyone played with the Nintendo wii??)

What I’m missing for my immediate use:

heat control for radiators (a small motor to turn the knob..)
interface to my proprietary doorphone. (can probably be done with a Cisco/Linksys SPA3100 ATA)

I have already e-mailed several of my friends who are looking for this and will definely spread the word!

When it is also running on the Asus EEE Top (15,6″ touch screen and can do full HD video) it will be great! Or the even better MSI Wind Top EA 1900 (who makes these names by the way…)

Keep up the good work! The future will be fantastic!

The Freedom Fone Project for Africa!

sjur — Sun, 10 May 2009 11:26:55 +0000

There are not much publicity about this project, so I wanted to explain what it’s all about.The ultimate goal is to make it easy to spread information e.g. people send a SMS and get a call informing them about HIV/AIDS or the weather.

The Freedom Fone is a universal media conveyor, it should take most media input from people (mobile, skype, web, e-mail) and generate output (sms, call, radio, web) in the best possible way.

The limitations are the usual one in Africa. No power, little or no Internet connection, few people to run it, harsh environmental conditions, etc…

Our solution seems easy, but there is some work behind it. Take a standard netbook (asus preferred) and plug in a USB to cellphone (mobigater). Install Ubuntu with Freeswitch and several other tools. Glue it all together with a lot of customization, and BINGO! We have a Freedom Fone Server!

Usage scenarios

An organization wants to spread information about specific topics. We create a SMS word people can send to be called back and informed.

Farmers want to know about the weather and subscribes on a daily or weekly weather forecast.

Ex.pats living abroad wants to help out and makes an informative radio program. This is aired on the local radio station

Others? Please comment!