Computer Academic Underground
Electronic Magazine
Number 22 - 06.04

##############################################################################

Table of Contents

Foreword                                                        I)ruid

CAU News & Administrative
    Member Listing
    CAU Swag Now Available!

General
    Stego/Crypto Hunt Challenge                                 I)ruid
    BBS's: Extinction or Rebirth?                               I)ruid
    Capture the Flag                                            I)ruid

Hacking
    Featured Exploit                                            intropy
    Prefix Scan: 817.738                                        I)ruid

Phreaking
    Digital Wire-tapping                                        UTP

Local Scene
    Bulletin Board Systems
    2600 Meetings
    DefCon Groups Meetings
    Events

Contact Vectors & Feedback

##############################################################################

Foreword

Like a phoenix from the ashes, we just never really seem to go away...

Well now. It's been a while. It's kind of difficult writing a foreword to an e-zine after about five years of idleness. A lot has happened since the last e-zine was released, and many things have changed. First and foremost, CAU has changed. Its members are a little older, and many of us actually have quite a few responsibilities and lives to take care of, which obviously takes away a little from our hobbies and 'scene' lives. But it seems we're still around and active, and are re-kindling the spirit that keeps the CAU presence alive.
Even though we don't officially have any new members, our circle has grown to include many talented and skilled individuals, some of whom you will most likely see articles and columns by in this and upcoming e-zine releases. While our presence over the past few years has been minimal, CAU is and has been very much alive this whole time.

Five years will give you some perspective. I've made some formatting changes to our e-zine, most notably the removal of the Closing. While I've been a fan of both a Foreword and a Closing in the past, now it just seems redundant. With the removal of the Closing, I will in the future attempt to make the Foreword into more of an editorial, encompassing all of the topics that I would normally have split between the Foreword and the Closing, and try to tie them together in some cohesive manner.

A new zine numbering scheme sounded like a good idea at the time, but as it is now painfully obvious that we do not put out zines regularly enough to make the numbering scheme mentioned in e-zine #20 practical, we will be returning to a sequential numbering scheme. So, a little over five years later... welcome to what is officially named CAU e-Zine #22!

I think we're also going to expand our 'Local Scene' to cover the Texas tri-city area, including Dallas, Austin, and Houston. Enough of us frequent all three cities to consider them 'local'. They aren't local according to Bell, but hey, FUCK BELL.

So on to yet another e-zine. A re-emerging web site and a BBS returning from the past. New projects and old memories. It's good to be back in the public eye...
I)ruid

##############################################################################

CAU News & Administrative

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Member Listing
(In the order in which they were brought into the CAU)

------------------------------------------------------------------------------
I)ruid
  E-Mail:      druid@caughq.org
  Web:         http://druid.caughq.org
  IRC (EFnet): I}ruid
  AIM:         druid972
  ICQ:         4948700
  GPG Key:     http://druid.caughq.org/druid.gpg
------------------------------------------------------------------------------
ultra violet
  E-Mail:      uv@caughq.org
  Web:         http://www.caughq.org/~uv/
------------------------------------------------------------------------------
Crimson Assassin
  E-Mail:      crimson@caughq.org
  Web:         http://www.caughq.org/~crim/
------------------------------------------------------------------------------
Fizban
  E-Mail:      fizban@caughq.org
  Web:         http://www.caughq.org/~fizban/
------------------------------------------------------------------------------
int3l
  E-Mail:      int3l@caughq.org
  Web:         http://www.caughq.org/~int3l/
  IRC (EFnet): int3l
------------------------------------------------------------------------------
intropy
  E-mail:      intropy@caughq.org
  Web:         http://www.caughq.org/~intropy/
  IRC (EFnet): intropy
  GPG Key:     http://www.caughq.org/~intropy/intropy.gpg
------------------------------------------------------------------------------
MajestiX
  E-Mail:      majestix@caughq.org
  Web:         http://www.caughq.org/~majestix/
------------------------------------------------------------------------------

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

CAU Swag Now Available!

That's right, now you too can have really kewl CAU stuff. Check out the Swag link at the main web site, http://www.caughq.org.
##############################################################################

General

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Stego/Crypto Hunt Challenge

Here's something new for our e-zine, something that we've never done before. Perhaps it will become a recurring item. This is a challenge, with a reward for anyone who succeeds in meeting it. There are incremental rewards along the way, and one big reward at the end. Basically, the farther you go, the more you will be rewarded for your effort.

Presented here for your challenge-meeting amusement are two nuggets of information. Each one will take you on a separate path, but both paths will arrive at the same destination, and hence, the same final reward. The incremental rewards along the paths, however, will NOT be the same from path to path. All paths are not created equal. One may be longer than the others. One may be more difficult than the others. One may fork into multiple paths to follow. One may require you to bend and/or break the law in order to achieve the next step along the path. One may require use of the force... brute force, that is. The choice... is yours.

Light Side:
  Target: Embedded clue within an image.
  Action: Find the image, determine how the clue is embedded, and retrieve the clue along with your first reward.
  Clue:   The image is contained within a past zine distribution.

Dark Side:
  Target: Embedded clue within a web page.
  Action: Find the page within the web site, determine how the clue is embedded, and retrieve the clue along with your first reward.
  Clue:   The page is located three levels deep within a site, and the site is one of the CAU members' personal web sites.

This challenge, and its clues, will of course not be around forever. That would simply be a maintenance nightmare. I will make an effort to keep the paths from breaking as long as possible, but this is the disclaimer.
If you truly hit a dead end, retrace your steps to the most recent fork, or start over from the beginning along the other path.

Good Luck, and happy hunting (:

I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

BBS's: Extinction or Rebirth?

[ EDITOR'S NOTE: This article was written in the earlier months of 1999, shortly after the previous zine was released, so it never got published... until now. After the main article, I've included a follow-up to assess whether my original analysis was accurate or not (: ]

I was sitting on IRC this morning, and a strange feeling came over me as I sat and watched the sea of endless idling nicks... I realized that I hadn't called a good old BBS in about 4 or 5 months. So I broke out Hyperterm of all things (all I had access to at the time was my Win95 laptop) and called up some of the local BBS's that we are listing in this zine. To my surprise, the couple of BBS's that I called were pretty active! I hadn't called in only 4 or 5 months, but there were loads of new messages and files. This started me thinking... are BBS's making a comeback? Not only were there new files and messages, but there were also a few new BBS's that have been set up, which I have included in the BBS List in the local section of this zine. I started going over this topic in my head, and this article is the final result.

First off, let's face it: File Areas are pointless. With an estimated 75% of people with computers having access to the Internet, there is no practical reason to have File Areas on a BBS. You can find pretty much any file you could ever want, available on multiple web sites or ftp sites, right there on the Net. The only reason I can think of for even having ONE File Area on a BBS is for EXTREMELY unique and specialty files. The Internet has pretty much obsoleted one of the major functions of BBS software, file transfers, and that is one of the main reasons that BBS's began to die off and disappear.
A similar effect began to happen with the creation of newsgroups and online message boards. Now, with the ability to share BBS-like message bases with participants from all over the world, who needed to post on a BBS? This effect further helped along the BBS extinction process; however, these newsgroups and message boards have since become so polluted with mindless drivel and crammed full of random messages and shameless advertisements that they have, in my opinion, lost their purpose. BBS's allow for a smaller community of participants, more people dedicated to a single special interest group or lifestyle. While on a few BBS's recently, I've noticed quite a few posts about how idle IRC networks are, how bloated newsgroups have become, and so on. This is one of the reasons that I believe BBS's may be beginning to make a comeback.

With the creation of modem emulation programs, which now allow SysOps to connect their BBS's to the Internet as well as dial-up phone lines, the BBS environment has found its place on the Internet as well, which has also aided the revival by enabling some new BBS's to pop up.

One of the major problems with BBS's that still exists is the lack of quality BBS software. With modem emulation programs, you can now use most of the BBS software that already exists and was originally designed for modem applications, but I have not found any quality BBS software that has been designed specifically for Internet use. Also, I have not found any decent BBS software written for other operating systems, such as flavors of UNIX, Mac OS, OS/2, etc. I have recently run into a little bit of Web-based BBS software; however, most of it is poorly designed, and using a BBS through a web browser seems to take away from the entire BBSing experience.
[ Nowadays, we call these 'online forums' (: ]

When talking about the actual experience of BBSing, you can't beat actually dialing up to a local BBS with your modem and term program, and logging into the system at a lightning fast 2400 bps. Most people nowadays would use a faster modem, but I like to use my 2400 just for kicks... hell, sometimes I flip one of its DIP switches and throw it down to 300 bps and turn off error correction. Line noise really brings back the memories...

I really believe that BBS's may be beginning to make a comeback, and the Internet, which once was the major threat to the BBS community, is now beginning to aid in building it back up, providing an invaluable resource of BBS software and files, as well as telnettable BBS solutions and public awareness. So break out your old dial directories and see if any BBS's are still around. You may be surprised to find that they are, and they're more active than ever.

Because of this new-found awareness of BBS's, I've decided to put the old CAU BBS, Paranor, back up and make it available via telnet, and perhaps dial-up just for fun. When Paranor goes back online, it will be available to the public, and information will be posted to the web site and mailing lists. Also, there are a few other upcoming CAU projects that have to do with BBS's, so stay tuned.

I)ruid

[ EDITOR'S NOTE: And now for my 5 year later follow-up... ]

Yes, it would appear that I was correct, in my own humble opinion. Since the writing of the previous article, I have found some really advanced Internet-enabled BBS software called Synchronet[1], which runs on both Win32 and UNIX/x86 platforms (Linux, *BSD, etc.). It has its own built-in telnet and ftp servers, and can support many of the old BBS platforms. I have recently begun reviving Paranor BBS using Synchronet, which will soon be open to the public, available both via telnet and dial-up, your choice. Also available is a UNIX flavor BBS/Message board called Citadel/UX[2].
As you can probably tell from the BBS List in the Local Scene section, even dial-up BBS's are still alive and thriving. The list you will find there is of the local BBS's I was able to find and verify a connection to in the span of about 48 hours. Hopefully by the next zine release I'll have refined that list into a more targeted list for our scene which includes some of our new 'local' areas as well as Dallas / Fort Worth area BBS's.

In addition to all this, a central BBS listing site has arisen called BBSMates[3]. BBSMates provides Internet users with a central listing of as many old and no-longer-existing BBS's as I've ever seen listed in one place, as well as a listing of current telnettable BBS's. In addition to this, they provide users with a way to flag BBS's that they once were (or still are) members of, and users can then find their old BBS mates through the site. Kudos to nullvalue, the site's creator.

I)ruid

References:
[1] Synchronet - http://www.synchro.net
[2] Citadel/UX - http://uncensored.citadel.org/citadel/
[3] BBSMates   - http://www.bbsmates.com

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Capture the Flag

Over many years of purchasing 2600, I've realized that there are really only two reasons I trek to my local Barnes & Noble and pay the $5: the letters section, and the pay-phone pictures. While the articles and other 'technical' content is usually a bit lacking, I find the letters section to be vastly entertaining and the pay phone pictures to be fairly interesting. Due to this fact, I've been brainstorming to come up with some similar scheme to get readers to send in pictures of something, and I believe we're going to try... flags. That's right, send in your digital photographs of funny and amusing flags, and as we release new e-zines, the contributors will be awarded points for their images, which will in turn rank them on the new CAU Capture the Flag page[1].
The more amusing your flag, and the more obvious the proof that you actually 'captured' it (and not just digitally), the more points you will receive. For example, if your image is of a flag still on the pole, you'll most likely just get a single point, unless it's an extremely unique or amusing flag. If the picture is of you, wrapped in the flag, while the flag is on fire, then you'll probably get more points, unless the flag is an extremely common flag that you could have easily purchased at your local Walmart. All in all, the points given will be decided upon by the panel of judges (CAU), and the results posted both to the Capture the Flag page and in the zine as new zines are released. The images themselves will also be included in the zine pak, as well as linked to the user's listing on the page. Please submit any digital imagery to the contact vectors found at the end of this zine for it to be considered for pointage.

Happy Hunting!

I)ruid

References:
[1] Capture The Flag - http://www.caughq.org/CTF/

##############################################################################

Hacking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Featured Exploit (previously 'Exploit of the Month'):
Windows Local Security Authority Service Remote Buffer Overflow

While thinking about which exploit I would cover in this issue, I couldn't help but notice the increased frequency of worms. These worms usually target recently uncovered vulnerabilities in the Microsoft Windows operating system (2k/xp/2k3). As you have most likely heard, one of the most recent to pop up is Sasser. Sasser is a worm based on Microsoft Security Bulletin MS04-011. The flaw covered in the bulletin, and the exploit used to leverage the vulnerability, will be covered by this little ditty right here.

Vulnerability:

The vulnerability in the Windows LSA service was originally discovered by eEye[1] (supposedly on Oct 8 2003!)
and their detailed article is available in the reference section. Now, I will not be going step by step through their analysis, but instead explaining some of the important aspects and basic flaws in the Windows LSA service and the vector it is exploiting.

First, an explanation of the LSA service. LSA stands for Local Security Authority and is used in authenticating SMB sessions on port 139 and 443. The LSA service can be accessed via the LSARPC pipe without authentication over the IPC$ share enabled on most (if not all) Windows boxes. The LSA RPC endpoint is handled by lsass.exe and subsequently the LSASRV.dll library and other imported functions. Our overflow resides in the function within lsasrv.dll that prints debug messages to a log named "DCPROMO.LOG". When the debug function is handed a long host entry and subsequent message, a typical buffer overflow occurs. Our problem is that Microsoft didn't bother checking the size of the supplied data when it used vsprintf to copy the message to dcpromo.log.

Exploit:

Now the fun part. So far we know we must first connect to the IPC share on a vulnerable Windows system. Once connected, we must craft the appropriate packets to set up our RPC call overflowing LSASRV.dll. However, as eEye explains in their advisory, there is one hurdle to jump when gaining system access. The Active Directory API calls use a wrapper, RpcImpersonateClient(), to drop the thread's security context to that of the user. This will not be enough to write our log entry and gain access. Thankfully, Microsoft provides us a workaround in the DsRoleUpgradeDownlevelServer() RPC function. The DsRoleUpgradeDownlevelServer() call will accept a NULL value for the host and thus will not distinguish between remote and local clients. From this function we pass our buffer, and with polite accordance Windows executes the vulnerable vsprintf function under system credentials. I think a fucking flow diagram is in order.
    Attacker
       |
       v
    IPC connection to target (\\target\IPC$)
       |
       v
    RPC function DsRoleUpgradeDownlevelServer sent with buffer
       |
       v
    Target hands buffer to vsprintf attempting to write to DCPROMO.log
       |
       v
    Overflow occurs executing our code
       |
       v
    Shell is spawned on specified port
       |
       v
    Target is owned

Exploit Code:

I did not see much need for re-inventing the wheel, so I grabbed a decent exploit off the ol' intarweb and modified it some to suit our needs. Since it was originally Windows code, I also ported it to Linux (removed a few lines and added headers :)). This exploit has been tested on 2k/XP from Linux and is commented by myself to help you understand the concepts above. Please look through it for further technical details.

Files:

I have included several files to aid you in understanding the vulnerability/exploit:

  MS04-011.pcap: A capture of the exploit in action showing the appropriate smb/lsa packets/contents. (Packet 20 might be of interest)
  MS04-011.c:    The Linux source code I have commented and tested.
  MS04-011:      The compiled binary (gcc 3.2.3/Linux 2.6.5)
  MS04-011.exe:  The original compiled binary (visC++/WinXP)

Conclusion:

Typical overflows like this should be nil in this day and age. But since Microsoft is closed source, bugs like this will continue to be found forever. Is it true only upstanding security professionals are finding these...? hah, not fucking likely. Is it true no exploit has been created before a patch was released by Microsoft...? not at all. I personally know that there are several undisclosed bugs in Microsoft code that won't see public attention for a while... and what comes after that? Another worm... have fun.

Dis/Credit:

As stated, I do not take credit for the vulnerability or original exploit. So credit goes to houseofdaubs for the exploit and I guess eEye for the vuln. Dis-credit goes to the company...
I mean random 18 year old kid in Germany who wrote Sasser ;)

intropy

References:
[1] eEye advisory: http://www.eeye.com/html/Research/Advisories/AD20040413C.html
[2] Original exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/HOD-ms04011-lsasrv-expl.c

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Prefix Scan: 817.738

This prefix was scanned during the last few weeks of 05/04. Please see the included dial log (817-738.log) for extended information such as system identification and prompts.

I)ruid

##############################################################################

Phreaking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Digital Wire-tapping: Infiltration of the SIP Architecture & Transparent Capture of RTP Data

More and more,
VoIP (Voice Over IP) is a buzzword that can be heard in the hallways of telephone companies and ISP's around the world. Finally, there is a cheap alternative to the archaic Class 5 switches that, for the most part, are dominated by GenericMegaCorp(tm). But as we all know, the closer you bring a technology to the 'Cloud', the more vulnerable it becomes to abuse. Competitive Local Exchange Carriers (CLECs) have dodged this bullet for years by running closed circuit networks that are primarily operated by 50-year-old men armed with the entire Nortel DMS Anthology. Fortunately, these days are numbered?

The following document will serve as a Proof-of-Concept on various methods that can be used to exploit as well as secure a VoIP Network. The document assumes that you have a basic understanding of IP Routing & Telephony. As you're probably well aware, any information contained in this document is for self-edification only. If you choose to dive into your local Bell and 'Test the Waters', you do so at your own risk (but feel free to send me a postcard from your correctional facility).

The main technology we will be reviewing is SIP (Session Initiation Protocol / RFC 2543)[1]. A standard SIP communication, with aloc@10.10.1.1 calling zloc@10.10.1.2 through the proxy server at sbc.com, looks something like this:

    1: INVITE    aloc@10.10.1.1 -> proxy server (sbc.com), for zloc@10.10.1.2
    2: lookup    proxy -> location service (non-SIP)
    3: result    location service -> proxy (non-SIP)
    4: INVITE    proxy -> zloc's endpoint
    5: ring      zloc's endpoint alerts the user (non-SIP)
    6: 200 OK    zloc's endpoint -> proxy
    7: 200 OK    proxy -> aloc@10.10.1.1
    8: ACK       aloc@10.10.1.1 -> proxy
    9: ACK       proxy -> zloc's endpoint

    INVITE / ACK  = SIP requests      200 OK = SIP response
    lookup / ring = non-SIP protocols

Now that we have a general idea of the conversation path, let's look a little closer.
The first thing that should trigger your thinking cap is the fact that, for the most part, SIP passes all of its header / messaging data in plain text. (Let that one sink in for a second.) For example, a standard SIP INVITE (Step 1) message might look something like this:

    INVITE sip:aloc@10.10.1.2:5061 SIP/2.0
    v:SIP/2.0/UDP 10.10.1.1
    f:sip:aloc@10.10.1.1
    t:sip:zloc@10.10.1.2:5060
    i:62729-27@10.10.1.1
    m:aloc@10.0.1.1:5061
    c:application/sdp

Although the RFC provides guidelines for encrypting certain portions of this data, I can attest to the fact that the vast majority of this information is transmitted for the entire world to see. With that in mind, we are presented with three important pieces of information:

    v:SIP/2.0/UDP 10.10.1.1
    f:sip:aloc@10.10.1.1
    t:sip:zloc@10.10.1.2:5060

Basically, this information displays the transport path specific to a given SIP association. We can see that 't:' (To) represents the destination, 'f:' (From) represents the origination, and 'v:' (Via) represents the hops passed. Now that we have a general idea about the origination / destination of our call, let's look at some of the other more -interesting- fields from the RFC grammar:

    userinfo = user [ ":" password ]
    user     = *( unreserved | escaped | "&" | "=" | "+" | "$" | "," )
    password = *( unreserved | escaped | "&" | "=" | "+" | "$" | "," )

So as we can see here, SIP supports the ability to pass the username and password, in plain text, as part of the URI. An example of such a field might look something like this:

    sip:aloc:secret@sbc.com

As you can probably guess, this brings us to our first 'flaw.' With a sniffer on the same Ethernet segment, an unencrypted SIP server will -hand feed- you username and password pairs. If you're asking yourself, "How do I get a sniffer on the same Ethernet segment as the server?" you're probably reading the wrong document, but I'll give you a hint: most of the smaller companies that implement SIP based VoIP have neither the facilities nor the expertise to segment their Layer 2 networks.
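As an added example (not code from the article or from any SIP stack), here is a small Python audit routine a defender can run over captured SIP requests: it expands the compact header names the INVITE above uses, applies the userinfo grammar just quoted to every URI in the request, and reports which URIs carry a cleartext password and what call path is visible. The sample INVITE and all function names are constructed for this example.

```python
"""Audit one SIP request for cleartext credentials and call-path data.

Added example; not code from the zine or from any SIP implementation.
The sample INVITE and all function names are constructed for it.
"""
import re

# Compact header forms (v/f/t/i/m/c) as used in the article's INVITE.
COMPACT_HEADERS = {
    "v": "Via", "f": "From", "t": "To", "i": "Call-ID",
    "m": "Contact", "c": "Content-Type", "l": "Content-Length",
}

# sip:[user[:password]@]host[:port] -- the userinfo grammar quoted above.
_URI_RE = re.compile(
    r"sips?:(?:(?P<user>[^:@<>\s]+)(?::(?P<password>[^@<>\s]*))?@)?"
    r"(?P<host>[^:;>?\s]+)(?::(?P<port>\d+))?"
)

# Constructed sample: the From URI carries a password, like sip:aloc:secret@sbc.com
SAMPLE_INVITE = (
    "INVITE sip:zloc@10.10.1.2:5060 SIP/2.0\r\n"
    "v:SIP/2.0/UDP 10.10.1.1\r\n"
    "f:sip:aloc:secret@10.10.1.1\r\n"
    "t:sip:zloc@10.10.1.2:5060\r\n"
    "i:62729-27@10.10.1.1\r\n"
    "m:sip:aloc@10.10.1.1:5061\r\n"
    "c:application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
)


def parse_sip_uri(text):
    """Return user/password/host/port of the first SIP URI in text, else None."""
    m = _URI_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"]) if d["port"] else 5060  # default SIP port
    return d


def redact(value):
    """Mask a URI password before the value is logged or reported."""
    return re.sub(r"(sips?:[^:@<>\s]+):[^@<>\s]*@", r"\1:***@", value)


def parse_sip_message(raw):
    """Split a SIP request into (request line, {header: [values]}).

    Compact names are expanded; the blank line ends the headers, and any
    SDP body after it is ignored here.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    request_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        name = COMPACT_HEADERS.get(name.strip().lower(), name.strip())
        headers.setdefault(name, []).append(value.strip())
    return request_line, headers


def audit_sip(raw):
    """Report which URIs leak a password and what call path is visible."""
    request_line, headers = parse_sip_message(raw)
    method, _, request_uri = request_line.partition(" ")
    candidates = [("Request-URI", request_uri)]
    for name in ("From", "To", "Contact"):
        for value in headers.get(name, []):
            candidates.append((name, value))
    credentials = []
    for where, value in candidates:
        uri = parse_sip_uri(value)
        if uri and uri["password"] is not None:
            credentials.append((where, uri["user"]))  # record who, never the secret
    # Via/From/To expose the transport path in the clear, as the article notes.
    path = {n: redact(headers[n][0]) for n in ("Via", "From", "To") if n in headers}
    return {"method": method, "path": path, "credentials": credentials}


if __name__ == "__main__":
    for key, val in audit_sip(SAMPLE_INVITE).items():
        print(f"{key}: {val}")
```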
That being said, it is not uncommon to find a provider that has their SIP Server, Shell Server, FTP Server, Web Server and Porn server all sitting on the exact same Ethernet Switch in the native VLAN? Follow? ;)

So at this point, we have a username and password pair and we have the location of the SIP Server. Assuming there are no ACLs (Access Control Lists), forged packets can be sent from the client to the server. All that's left is a little reconnaissance on the expected INVITE scheme of your far end SIP Server and a decent amount of Layer 3 distance for security.

Let's jump back to your newly purchased shell account on SBC's network. Just as you sniffed out username / password pairs, what's to stop you from capturing packets in the RTP (Real Time Protocol / RFC 1889) stream? This data is passed, with time stamps and sequence numbers, between the client and the server. Furthermore, RTCP handles the control data for this flow, and -everything- is usually passed unencrypted... Enter a tool such as VOMIT[2] (Voice Over Misconfigured Internet Telephones). This utility parses a tcpdump[3] capture and constructs a PCM WAV file from the RTP payload. Currently, it only supports a Cisco IP Phone using the G.711 codec, but the entire project is open source. The end product is a transparent wiretap that preys on the fundamental fact that Layer 2 Broadcast Domains are more vocal than an Asian hooker.

Another viable exploit involves VoIP 'Forking'. Forking involves establishing multiple RTP Streams from a single call. For example, say you establish a call to 'zloc@10.10.1.2' but wish to make a quick call to 'yloc@10.10.1.3' without hanging up on your initial call. 'Forking' will allow you to pair off a second RTP stream for the additional call. Another example of 'Forking' is when a VoIP Server searches through a list of possible endpoints. More than likely, you have encountered a telephony message that states: "Trying to locate customer on the Network."
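Added example, not code from the article or from VOMIT: a Python parser for the RTP fixed header (RFC 1889) that groups sample packets into streams by SSRC, names the codec from the static payload type, and lists missing sequence numbers. These are exactly the cleartext fields a tool like VOMIT reassembles before decoding audio, and the ones a monitor can use to spot unencrypted G.711 on a segment; the packets, SSRCs and payload bytes below are constructed, and the function names are this example's own.

```python
"""Identify RTP streams from raw UDP payloads and report codec and loss.

Added example; not code from the zine or from VOMIT. It parses the RTP
fixed header (RFC 1889), groups packets by SSRC, names the codec from the
static payload type, and lists missing sequence numbers. Sample packets,
SSRCs and payload bytes are constructed; function names are this example's own.
"""
import struct
from collections import defaultdict

# Static payload types from the RTP audio profile (RFC 1890); PT 0 is the
# G.711 u-law that the article's Cisco phones send.
STATIC_PAYLOAD_TYPES = {0: "PCMU (G.711 u-law)", 8: "PCMA (G.711 A-law)", 18: "G.729"}


def parse_rtp(packet):
    """Return the header fields of one RTP v2 packet, or None if it is not RTP."""
    if len(packet) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:  # version field must be 2
        return None
    hdr_len = 12 + 4 * (b0 & 0x0F)  # CC = number of 32-bit CSRC entries
    if b0 & 0x10:  # X bit: a header extension follows the CSRC list
        if len(packet) < hdr_len + 4:
            return None
        ext_words = struct.unpack("!H", packet[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(packet) < hdr_len:
        return None
    payload = packet[hdr_len:]
    if b0 & 0x20:  # P bit: last payload byte holds the padding length
        pad = payload[-1] if payload else 0
        if pad == 0 or pad > len(payload):
            return None
        payload = payload[:-pad]
    return {"payload_type": b1 & 0x7F, "marker": bool(b1 & 0x80),
            "seq": seq, "timestamp": ts, "ssrc": ssrc, "payload": payload}


def build_rtp(pt, seq, ts, ssrc, payload, marker=False):
    """Build a minimal RTP v2 packet; used only to construct the sample input."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


# Constructed capture: one PCMU stream with seq 1003 lost, one PCMA packet,
# and one datagram that is not RTP at all.
SAMPLE_PACKETS = [
    build_rtp(0, 1000 + i, 160 * i, 0xDEADBEEF, b"\xff" * 160, marker=(i == 0))
    for i in (0, 1, 2, 4)
] + [build_rtp(8, 7, 1234, 0x0BADCAFE, bytes(160)), b"not rtp"]


def summarise_streams(packets):
    """Group packets by SSRC; report codec, packet count, gaps and audio bytes."""
    streams = defaultdict(list)
    for pkt in packets:
        hdr = parse_rtp(pkt)
        if hdr is not None:
            streams[hdr["ssrc"]].append(hdr)
    report = {}
    for ssrc, hdrs in streams.items():
        hdrs.sort(key=lambda h: h["seq"])  # no wrap-around handling at 65535
        seqs = [h["seq"] for h in hdrs]
        pt = hdrs[0]["payload_type"]
        report[ssrc] = {
            "codec": STATIC_PAYLOAD_TYPES.get(pt, f"dynamic/unknown PT {pt}"),
            "packets": len(hdrs),
            "missing": sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)),
            "audio_bytes": sum(len(h["payload"]) for h in hdrs),
        }
    return report


if __name__ == "__main__":
    for ssrc, info in summarise_streams(SAMPLE_PACKETS).items():
        print(f"SSRC 0x{ssrc:08x}: {info}")
```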
During this time, the VoIP Server is sending requests to each of the designated destinations that the customer might be reached at. Successfully spoofing a response (Code 2xx) to the originating SIP Server will result in a call completion to you, instead of the intended recipient (assuming your response makes it before the final ACK). Obviously, you need to be prepared for the fact that two seconds later you will be ear to ear with somebody trying to contact Bob McGee? So pony up on those social skills!

Now that we've discussed some of the ways to exploit a VoIP Network, it's time to address the other side of the fence: VoIP Security.

First and foremost, a well designed Layer 2 / Layer 3 network will prove to be the most invaluable asset to your VoIP Network. The use of VLANs will allow for logical segmentation of your broadcast domains and, in turn, limit the amount of broadcast traffic that is accessible by hosts in your network.

Next, when dealing with point-to-point relationships, there is no reason to allow traffic from non-trusted hosts. With that in mind, learn to love your ACLs:

    access-list 1 remark -- OSS IP --
    access-list 1 permit my.necessary_service.ip.here
    access-list 1 remark -- SBC --
    access-list 1 permit 10.10.1.0 0.0.0.255

By implementing this simple bit of configuration, you have safely secured your public interface from anybody outside the 10.10.1.0/24 network. With that in mind, you can now focus your security measures down to a single network rather than worrying about the entire Internet.

VPNs / IPSec Tunnels are a great way to securely pass sensitive traffic across the Internet. By egressing your VoIP traffic through an encrypted tunnel, you can operate your network with peace of mind that, without the key, the data is useless. Granted, troubleshooting may be a little more difficult when dealing with encrypted data, but you will save yourself a lot of headache in the long run knowing that your calls are riding a secure path.
Finally, do not pass data in plain text. Period. 90% of the services and technologies out there implement some form of encryption. If your specific application does not, you might want to consider taking your money elsewhere. Even the weakest form of encryption will dissuade many from bothering with your network at all. By passing data in plain text, you might as well take those kinky sex pictures to Walmart and just 'hope' they don't end up online (hosted on an SSL-secured web server? Irony?).

The Internet is not safe. If you assume that it is, you just make it easier on the rest of us.

Like it or not, VoIP is a key technology in the future of telecommunications. Be it Cable Modem, DSL or Fiber to the Home, you will use VoIP at some point in the future. Phreaking passed away sometime in the late 80's to early 90's, but guess who's ready for a revival? ...And this time, we're not going to be armed with decrepit Bag Phones, Gator Clips, TSV-2's, Trunk Facilities, and Tone Generators. This time you won't even hear us.

UTP

References:

[1] RFC 2543: SIP - http://www.faqs.org/rfcs/rfc2543.html
[2] Voice Over Misconfigured Internet Telephones - http://vomit.xtdnet.nl
[3] TCPDump - http://www.tcpdump.org

##############################################################################

Local Scene

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Bulletin Board Systems

In the future, we will hopefully reduce this list to Hack/Phreak related BBS's ONLY, but for now, since there are so few BBS's at all, we'll just list all the active ones we are aware of.

------------------------------- --- --- ---- --------------------------------
System Identification           NPA.WC-.NUMS NOTES
------------------------------- --- --- ---- --------------------------------
Antilepsis                      817.457.7435
Citylites BBS                   817.249.5215
Collin County Station           972.562.8064 web-idiot.d2g.com
Discovery                       214.333.5385 Still connects, only prompt tho.
Dumb Guy's BBS                  972.234.5790 FidoNet mail only
Eclectic BBS                    214.987.2135
FamilyNet Dallas                972.496.0650 www.family-bbs.net
KloneZone                       817.367.2517
Lawrence-West Co. BBS           972.230.0034
Mars Den, The                   972.276.6721
Mezzanine Mac User Group BBS    940.565.9165
Night Lights                    817.428.1642 Connects, no menu or prompt
Prison Board                    972.329.0781 pb.darktech.org
------------------------------- --- --- ---- --------------------------------

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2600 Meetings

First Friday of Every Month
6:00pm until 9:00pm

--------------------------------------------
Dallas 2600 Meeting
Mama's Pizza
N.E. Corner of Campbell Rd at Preston Rd. (North Dallas)
Dallas, Texas
Pay-Phone: 972.931.3850
--------------------------------------------
Austin 2600 Meeting
Dobie Mall Food Court
--------------------------------------------
Houston 2600 Meeting
Cafe Nicholas
Galleria 1

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

DefCon Groups Meetings

--------------------------------------------
DC214
Central Market
5750 E. Lovers Lane
Second Wednesday Every Month
7:00pm until 9:00pm
http://www.dc214.org

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Events

First Saturday Sidewalk Sale
First Saturday of Every Month
Midnight through Saturday Afternoon
Ross Avenue @ Pearl St
Dallas, Texas

##############################################################################

As always, readers may submit articles, send letters to the editor, inquire about general zine information or send general comments to:

articles@caughq.org
letters@caughq.org
zine@caughq.org

##############################################################################

Computer Academic Underground
