White hat hacker: how to use the president's landline to call you! - Beehive Network Security

Posted by trammel at 2020-03-11

0x01 background:

In many sci-fi blockbusters someone pulls up a piece of software that shows whatever caller number they like and dials straight through. Want to be that cool? Don't get too excited yet. There is a reason many things never become common. For example, as in our earlier article on VoIP stress testing, VoIP service is very uncommon and you need an operator to supply equipment before you can build a test environment. Luckily, when I was working at a certain company there was exactly such a device, and it had related vulnerabilities. I wrote up a report at the time and handed it in; there was no feedback apart from a sentence of encouragement. If I hadn't left I might be a manager by now, but I don't regret it. I'm still young, I can fight! (cough) It has been a long time, half a year now, so it's not too much to take the vulnerability I originally submitted and write it up as a case. Nothing is blurred out anywhere in the write-up, because it is all intranet! Haha

0x02 start:

The omnipotent weak password really can get you through the intranet, and this article is no exception. Looking back, the articles I have posted so far are all simple, and most of them are about weak passwords. It seems I'm a noob who can't do anything without a weak password. As time goes by, though, I'm growing up without noticing,

As I said at the beginning, it doesn't matter that nothing is blurred out, because it's the internal network. Let me briefly explain how it started. As the company's network admin, I often had colleagues complain that the phone at such-and-such place couldn't dial out or couldn't be reached. Every time it was a problem with the voice gateway, and whether I captured packets or swapped the network cable, the fix was always simply to restart it. Later I ran nmap scripts to scan and found several voice gateways with port 80 open. Logging in still required an account and password. What to do? Brute-force it. That ran for a day and a night,

What to do? I stared at the web page, worried, going over everything on it, and finally spotted the device name: it was the MX120. The account and password were ,, and once logged in I found there was nothing worth having. There were no logs to read. What I did find after logging in was a note on the configuration page that roughly said: please change the default port 5060 to prevent flooding attacks. That made something click: a flooding attack is obviously a DoS attack. So I went to Google for the related VoIP vulnerability documents and the VoIP modules under Kali, and the results were really good,

As it happens, Kali has related tools for stress-testing VoIP services. After a brief look at the parameters they were easy to use. Here are the relevant parameters and their purposes:

ro[email protected]:~# inviteflood eth0 5000 50000

(Parameters, in order: interface, destination host name, destination IP, number of packets to send to the destination IP)

inviteflood - Version 2.0
              June 09, 2006

source IPv4 addr:port   =
dest   IPv4 addr:port   =
targeted UA             = [email protected]

Flooding destination with 50000 packets

Testing showed that sending 50000 packets made the voice gateway stop responding. I couldn't help seeing a light ahead of me: if I ever go into sales and want a rest, I'll just blast it for a while. Haha, haha

While searching for how to use the tool, we found something more interesting, and it matches our title: the Google searches turned up that the calling number can be changed by forging packets. The tool has been integrated into MSF. I did a simple test at the time but forgot to take a screenshot,

It took many tries to succeed back then, but the general idea is to use the MSF module directly. As long as you remember the module's name you can search for it directly, and if you can't remember it, no harm done. The other tool is similar to the MSF module, in that it forges packets and tampers with the phone number. Don't misunderstand this phone number: it isn't the eleven-digit mobile number we use, it's the landline number,

Let me give you some ideas about what this tool can do. First, it can DoS the voice gateway so that the gateway fails. Second, it can send a forged packet and call another landline. (Whether it can call a mobile phone I didn't test, but I estimate it would be enough.) Third, fourth... let your imagination run wild,
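From the defender's side, the two abuses described above (the INVITE flood against the gateway and the forged From header that changes the displayed landline number) are both visible in the SIP signalling the gateway receives. The following is an added example, not from the post or from any vendor: a small SIP request parser plus a window analyzer that flags INVITE bursts and caller IDs that do not match the extension an endpoint registered as. The registration table, IP addresses, extension numbers and captured messages are all constructed for the example.

```python
import re
from collections import Counter

# Constructed: the extension each endpoint registered/authenticated as.
REGISTERED = {"10.0.0.21": "5001", "10.0.0.22": "5002"}
FLOOD_THRESHOLD = 100  # INVITEs from one source per analysis window

def parse_sip(raw):
    """Return the request method and the user part of the From header."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    from_hdr = ""
    for line in lines[1:]:
        if not line:                       # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() in ("from", "f"):   # "f" is the compact form
            from_hdr = value
    m = re.search(r"sips?:([^@;>]+)@", from_hdr)
    return {"method": method, "from_user": m.group(1) if m else ""}

def analyze(window):
    """Scan (source_ip, raw_request) pairs from one time slice; return sorted alerts."""
    alerts, invites = set(), Counter()
    for src, raw in window:
        msg = parse_sip(raw)
        if msg["method"] != "INVITE":
            continue
        invites[src] += 1
        expected = REGISTERED.get(src)
        if expected is None:               # INVITE without a prior registration
            alerts.add(("unregistered_source", src, msg["from_user"]))
        elif msg["from_user"] != expected: # forged caller ID in the From header
            alerts.add(("callerid_mismatch", src, f'{msg["from_user"]}!={expected}'))
    for src, n in invites.items():
        if n >= FLOOD_THRESHOLD:           # inviteflood-style burst
            alerts.add(("invite_flood", src, str(n)))
    return sorted(alerts)

def sample_window():
    """Constructed capture: a real call, a spoofed caller ID, a 150-INVITE burst."""
    def invite(src, frm, to="5002"):
        return (src, f"INVITE sip:{to}@pbx.example.internal SIP/2.0\r\n"
                     f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK1\r\n"
                     f"From: <sip:{frm}@pbx.example.internal>;tag=1\r\n"
                     f"To: <sip:{to}@pbx.example.internal>\r\n"
                     "Call-ID: c1\r\nCSeq: 1 INVITE\r\n\r\n")
    window = [invite("10.0.0.21", "5001"), invite("10.0.0.22", "5001")]
    return window + [invite("10.0.0.99", "1000")] * 150
```

On a real gateway the same two checks map to rate-limiting INVITEs per source and to rejecting INVITEs whose From user differs from the authenticated identity, which is what changing the default port 5060 alone does not give you.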

0x03 reflection:

What are the vulnerabilities involved in this article?

First, weak passwords: the device's default password was still in use,

Second, developer negligence: the default data port was never changed, which makes it easy to mount a denial-of-service attack against the default port,

Third, management failed in its duties: the vulnerability was reported upward, but they did not face the problem and repeatedly refused to fix it.

0x04 summary:

"Anything that runs on electricity can be hacked." I forget where I saw that, but I don't think it's a joke or nonsense. Look at today's equipment: much of it cannot live without electricity. If one day the electricity vanished, what would we do? On the flip side, enterprises always ignore the network security of the internal network, and in the end that is where they fail,