dec10

Members
  • Content count

    34
Community Reputation

0 Neutral

About dec10

  • Rank
    H4x0r
  • Birthday 06/23/1991

Profile Information

  • Location
    North Carolina

  1. This isn't really a full connection, since it only sends the one REGISTER request, so I wouldn't think that the server would log it as a connection. However, the way the server's IDS (or whatever) heuristics would deal with it is something I can't really anticipate. If you modify the text fields to make it look like a completely legitimate request that was for some reason sent to the wrong place, it would be hard to classify it as an attack. This is less likely to show up in logs than a connection with a SIP client would be.
  2. I Googled "calling card spoof caller id" - the first result is SpoofCard. I think that's what you're looking for.
  3. Thanks man. I just realized after looking over this with a fresh mind that all those strcat calls could be replaced by one call to sprintf. Also, while looking through an old Ethereal capture of a call placed through FreeWorldDialup, I noticed that the FWD server switched from sending a "Server: Sip EXpress router (0.8.14-6 (i386/linux))" line to sending a "User-Agent: astlax01" line, but only for the "183 Session Progress" message directly before the RTP stream was established. I plugged "astlax01" into several search engines and came up blank. Does anyone know what this is? Some custom code that's only used by FWD maybe?
  4. Hey, I used to be around here a couple years ago. I acted really stupidly and bullshitted (poorly) to make myself seem more intelligent. Hopefully, I have a little more tact and skill now.
  5. This is a program I wrote that will search a given IP range for PBXs or anything else that uses SIP. Of course it's possible to do something like "nmap -sU -p 5060 <start> <end>" but what if the box was configured not to divulge any info to nmap scans (could send an ICMP port unreachable if someone sends something other than a SIP packet to UDP port 5060, for example)? My purpose in writing this was not to make the most efficient program, but to make the most successful program. Basically, if the host implements SIP correctly, this program will log the IP and what specific SIP service is running on port 5060 on that IP if that info is provided.

     /*
     ** sipscan.c - an SIP-based scanner - v1.0
     ** Useful for scanning networks for VoIP servers.
     ** This sends an unauthorized but properly formatted SIP REGISTER request
     ** and looks for a response starting with "SIP/2.0", indicating a VoIP server
     ** on the other end. If the response contains a "User-Agent" or "Server" line
     ** indicating what service the server is running, that gets logged as well.
     **
     ** by dec10
     */
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     #include <netdb.h>
     #include <sys/socket.h>
     #include <netinet/in.h>
     #include <arpa/inet.h>
     #include <signal.h>
     #include <unistd.h>
     #include <time.h>

     unsigned int recvtimeout = 1;       /* seconds to wait for each reply */
     struct hostent *target;
     struct tm *tm;
     char logstr[60];
     char *msgline = NULL;
     const char serverstr[8] = "Server:";
     char servercomp[8];
     const char uastr[12] = "User-Agent:";
     char uacomp[12];                    /* was [8]: too small for the 11-byte strncpy below */
     time_t currenttime;
     struct sigaction sa;

     /* SIGALRM handler: does nothing, it only interrupts the blocking recvfrom */
     static void sig_alrm(int signo)
     {
         (void)signo;
         return;
     }

     int main(int argc, char **argv)
     {
         if(argc != 4) {
             printf("sipscan v1.0 by dec10\n");
             printf("Usage: %s <start address> <end address> <logfile>\n", argv[0]);
             printf("Example: %s 192.168.1.1 192.168.1.25 scan.txt\n", argv[0]);
             exit(1);
         }

         FILE *logfile = fopen(argv[3], "a");
         if(logfile == NULL) {
             printf("fopen failed.\n");
             exit(1);
         }

         sigemptyset(&sa.sa_mask);
         sa.sa_handler = sig_alrm;
         sa.sa_flags = 0;    /* don't restart recvfrom when alarm goes off */
         if(-1 == sigaction(SIGALRM, &sa, NULL)) {   /* install once, not per host */
             printf("sigaction failed.\n");
             exit(1);
         }

         struct in_addr startaddr;
         struct in_addr endaddr;
         if(inet_aton(argv[1], &startaddr) == 0) {   /* inet_aton returns 0 on failure */
             printf("inet_aton for startaddr failed.\n");
             exit(1);
         }
         if(inet_aton(argv[2], &endaddr) == 0) {
             printf("inet_aton for endaddr failed.\n");
             exit(1);
         }

         int udpsocket = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
         if(udpsocket < 0) {     /* socket() returns -1 on failure, not 0 */
             printf("socket failed.\n");
             exit(1);
         }

         struct sockaddr_in targetstruct;
         memset(&targetstruct, 0, sizeof(targetstruct));
         targetstruct.sin_family = AF_INET;
         targetstruct.sin_port = htons(5060);
         struct sockaddr_in from;
         socklen_t fromlen;
         char response[601];     /* one spare byte so the reply can be NUL-terminated */
         const char SIPcomp[8] = "SIP/2.0";
         char responsecheck[8];
         unsigned long i;

         currenttime = time(NULL);
         tm = localtime(&currenttime);
         strftime(logstr, sizeof(logstr), "Scan started on %a %b %d at %T", tm);
         fprintf(logfile, "%s\n", logstr);
         printf("%s\n", logstr);

         for(i = ntohl(startaddr.s_addr); i <= ntohl(endaddr.s_addr); i++) {
             targetstruct.sin_addr.s_addr = htonl(i);
             /* hosts with no reverse DNS name are skipped (target == NULL) */
             target = gethostbyaddr(&targetstruct.sin_addr,
                                    sizeof(targetstruct.sin_addr), AF_INET);
             char *addrstr = inet_ntoa(targetstruct.sin_addr);   /* static buffer, valid for this iteration */
             if(target == NULL)
                 continue;

             /* 136 bytes of fixed text + 4 copies of the host name + 2 copies of the
                address, plus the terminating NUL the original count left out */
             size_t reqlen = 136 + (strlen(target->h_name) * 4) + (strlen(addrstr) * 2) + 1;
             char request[reqlen];
             /* construct the request: one snprintf replaces the original strcat chain */
             snprintf(request, reqlen,
                      "REGISTER sip:%s SIP/2.0\r\n"             /* line 1 */
                      "Via: SIP/2.0/UDP %s:5060\r\n"           /* line 2 */
                      "From: foo@%s\r\n"                       /* line 3 */
                      "To: foo@%s\r\n"                         /* line 4 */
                      "Contact: foo <sip:foo@%s:5060>\r\n"     /* line 5 */
                      "Call-ID: 12345@%s\r\n"                  /* line 6 */
                      "CSeq: 1 REGISTER\r\n"                   /* line 7 */
                      "\r\n",                                  /* end of request */
                      target->h_name, addrstr, target->h_name, target->h_name,
                      addrstr, target->h_name);

             if(-1 == sendto(udpsocket, request, strlen(request), 0,
                             (struct sockaddr *)&targetstruct, sizeof(targetstruct)))
                 printf("sendto failed.\n");

             alarm(recvtimeout);
             fromlen = sizeof(from);     /* must be initialised before recvfrom */
             ssize_t n = recvfrom(udpsocket, response, sizeof(response) - 1, 0,
                                  (struct sockaddr *)&from, &fromlen);
             alarm(0);
             if(n < 0)
                 continue;               /* timed out (EINTR) or error */
             response[n] = '\0';         /* terminate before any str* call */

             strncpy(responsecheck, response, 7);
             responsecheck[7] = '\0';    /* strncpy does not terminate a full copy */
             if(!strcmp(responsecheck, SIPcomp)) {
                 fprintf(logfile, "SIP server found at %s\n", addrstr);
                 printf("SIP server found at %s\n", addrstr);
                 for(msgline = strtok(response, "\r\n"); msgline != NULL;
                     msgline = strtok(NULL, "\r\n")) {
                     strncpy(servercomp, msgline, 7);
                     servercomp[7] = '\0';
                     if(!strcmp(servercomp, serverstr)) {
                         fprintf(logfile, "%s\n", msgline);
                         printf("%s\n", msgline);
                     }
                     strncpy(uacomp, msgline, 11);
                     uacomp[11] = '\0';
                     if(!strcmp(uacomp, uastr)) {
                         fprintf(logfile, "%s\n", msgline);
                         printf("%s\n", msgline);
                     }
                 }
             }
         }

         close(udpsocket);
         currenttime = time(NULL);
         tm = localtime(&currenttime);
         strftime(logstr, sizeof(logstr), "Scan ended on %a %b %d at %T", tm);
         fprintf(logfile, "%s\n", logstr);
         fclose(logfile);
         printf("%s\n", logstr);
         return 0;
     }
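Post 1 above asks whether a single unauthenticated REGISTER of this kind would ever show up in logs. The detector below is an added example, not dec10's code: it parses SIP datagrams captured on UDP/5060, recognises the fixed fingerprint that sipscan.c emits (no Authorization header, placeholder foo@ identities, the constant Call-ID 12345@, CSeq 1 REGISTER) and only raises a sweep when one source probes several distinct hosts, so a genuinely misdirected client is not flagged. All datagrams, addresses and the three-host threshold are constructed for the example.

```python
from collections import defaultdict

def parse_sip(raw):
    """Split one SIP datagram into (request line, {lower-case header name: value})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def is_probe_register(raw):
    """True for a REGISTER that matches the sipscan.c fingerprint: no credentials,
    placeholder 'foo' identities, fixed Call-ID '12345@' and 'CSeq: 1 REGISTER'."""
    request_line, h = parse_sip(raw)
    if not request_line.startswith("REGISTER "):
        return False
    if "authorization" in h or "proxy-authorization" in h:
        return False
    markers = (h.get("from", "").startswith("foo@"), h.get("to", "").startswith("foo@"),
               h.get("call-id", "").startswith("12345@"), h.get("cseq", "") == "1 REGISTER")
    return sum(markers) >= 3   # tolerate one edited field

def find_sweeps(datagrams, min_targets=3):
    """Group probe REGISTERs by source address. A source that probes min_targets
    or more distinct hosts is a sweep; a single one may be a misdirected client."""
    targets = defaultdict(set)
    for src, dst, raw in datagrams:
        if is_probe_register(raw):
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}

def probe(host):
    """Constructed datagram with the exact header layout sipscan.c builds."""
    return (f"REGISTER sip:{host} SIP/2.0\r\nVia: SIP/2.0/UDP {host}:5060\r\n"
            f"From: foo@{host}\r\nTo: foo@{host}\r\nContact: foo <sip:foo@{host}:5060>\r\n"
            f"Call-ID: 12345@{host}\r\nCSeq: 1 REGISTER\r\n\r\n")

# Constructed legitimate REGISTER: real identity, random Call-ID, Digest credentials.
LEGIT = ("REGISTER sip:pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.9:5060\r\n"
         "From: <sip:alice@pbx.example>;tag=1928\r\nTo: <sip:alice@pbx.example>\r\n"
         "Call-ID: a84b4c76e66710@10.0.0.9\r\nCSeq: 2 REGISTER\r\n"
         'Authorization: Digest username="alice", realm="pbx.example"\r\n\r\n')

# Constructed capture: (source IP, destination IP, datagram) as seen on UDP/5060.
SAMPLES = [("10.0.0.5", f"192.168.1.{i}", probe(f"192.168.1.{i}")) for i in (1, 2, 3)]
SAMPLES.append(("10.0.0.9", "192.168.1.10", LEGIT))
```

Running find_sweeps(SAMPLES) reports only 10.0.0.5 with its three probed hosts; the authenticated REGISTER from 10.0.0.9 is ignored.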
  6. I thought that was Voltorb...
  7. I know I'm usually not one to go this route, but there's something I noticed hasn't been addressed at all: Since you say it's absolutely *impossible* to fool your system, what's to prevent someone from SE'ing a Tier 1 provider to validate their ANI? Sure, it would be hard, but how can you guarantee 100% that it will *never* happen? I mean, you can have all the technical protection you want, but people aren't infallible. I may be wrong here, someone please correct me if I am. EDIT: Clarity.
  8. I don't have a phone line in the room where my desktop is, so I can't dial in to check.
  9. 1.800.332.1037 1.800.332.1006 What are these numbers? They don't sound like carriers.
  10. I haven't been around here for a while, but I remember a while back I called a 105 Test I found on Bellsouth's website in my NPA and instead of sounding like a 105 test it read off those "7-11" numbers. This only happened once; when I called it again it was back to normal. Anyone know why this happened?
  11. STRICOM: Simulation, Training & Instrumentation Command Yeah, there are probably LOADS of juicy government secrets on that box. Don't mess with anything belonging to the feds.
  12. gdb; ollydbg (if on win32); irc (seek and ye shall find)
  13. I found one as well. 800-895-0348
  14. I'll take 0000 to 0500.