VoIP-IRC bot
Mohamed Nassar, Radu State, Olivier Festor
VoIP security: a myth or a fact? Let's try this bot and we'll get the answer later.
1) Use your favorite IRC client (mine is xchat) and connect to an IRC
server; create your own room so as not to disturb other people. Preferably, work on
your own testbed and run your own IRC server.
2) Go to the machine where you want to install the bot.
3) Download the zip file from my personal web page: www.loria.fr/~nassar/javabot.zip
4) Extract the contents, go one step into the directory and launch the
bot so that it connects to the specified IRC server and room:
java -classpath jmf.jar -jar voipbot.jar $number_of_the_bot $hostname_of_the_server $name_of_the_room $local_SIP_port ($local_IP)
Don't insert the # character of the room; it is added by the code.
5) To find the IP address of the machine, the bot uses the
InetAddress.getLocalHost() Java function. On my Unix system this reads
/etc/hosts and takes the first line. Make sure that your public
IP address is there and not something else (e.g. the loopback address 127.0.0.1).
If you run into problems and don't have permission to change that
configuration, you may be able to work around it by telling the bot
its IP directly (using local_IP).
6) Now that the bot has entered the room and said "hi every body",
it is ready to receive commands. You can enter your commands publicly
in the room or have a private conversation with the bot. If you
are testing with many of these bots and want them all to execute the same
command, state it in the room. If you need just one bot to
execute the command, state it privately.
7) What the VoIP IRC bot can do for you. Use LIST to see all the commands. In everything that follows, the SIP port is assumed to be 5060 by default.
a) SPIT:
Send audio media to a SIP user. You need
to know the SIP user name and the IP address where it can be reached
(the IP of the phone, or of the server where it is registered, i.e. the SIP
domain).
The bot extracts the media from the URL and sends it over RTP for approximately 20 seconds.
spit user@IP_address(:port) url_of_the_audio.wav
If you need a URL for testing, use this one: http://www.arabji.com/Audio/ahwak.wav
If you type "local" instead of the URL, the bot sends a song included in the ZIP.
b) DOS:
Send successive INVITEs with different
transactions to the target (IP phone or SIP server). To paralyze a SIP
server, you may need many bots.
dos user@IP_address(:port) duration_of_the_attack_in_ms
dos IP_address(:port) duration_of_the_attack_in_ms
The bot doesn't provide statistics about the attack; use ethereal (wireshark) to visualize it.
c) SCAN:
Take a list of destinations and send
the corresponding OPTIONS messages to a SIP server. Depending on the response
of the server, each destination is classified as an existing user or not.
scan local_file_with_the_list_of_usernames IP_address(:port)
Test it with the sample file provided in the ZIP:
scan users.txt IP_address(:port)
d) CRACK:
If by scanning you discover the SIP username of a user, you can try to crack its password:
crack username local_file_with_the_list_of_passwords IP_address_of_the_registrar(:port)
Note that if the user employs a digest username different from his SIP
username, it will be harder to crack, since we would have to know the
digest username.
Test it with the sample file provided in the ZIP:
crack username passwords.txt IP_address(:port)
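The bot does not report on the traffic it generates (the DOS section points you at Wireshark instead). The defender-side complement, added here as an example that is not part of the javabot code, is to recognise on the SIP server the three patterns that the DOS, SCAN and CRACK commands leave behind: many INVITEs per second from one source, OPTIONS requests to many distinct users from one source, and repeated REGISTERs for the same user from one source. The capture, the thresholds and the helper names below are constructed assumptions, not values from the page; a real deployment would feed the detector from a packet capture or the proxy's request log.

```python
"""Added example (not part of the bot): flag the SIP request patterns that
the DOS, SCAN and CRACK commands produce, from a simplified capture of SIP
messages. All inputs are constructed; thresholds are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical thresholds; tune them to the normal traffic of your SIP server.
INVITE_WINDOW_S = 1.0          # sliding window for the INVITE-rate rule
INVITE_FLOOD_COUNT = 20        # INVITEs per source within the window -> DOS
OPTIONS_DISTINCT_USERS = 10    # distinct users probed with OPTIONS -> SCAN
REGISTER_ATTEMPTS = 5          # REGISTERs per (source, user) -> CRACK


@dataclass
class SipRequest:
    ts: float
    src_ip: str
    method: str
    uri_user: str   # user part of the Request-URI ("" if none, e.g. REGISTER)
    to_user: str    # user part of the To header ("" if none)


def user_of(addr: str) -> str:
    """User part of a SIP address: '<sip:bob@10.0.0.5>' -> 'bob', 'sip:10.0.0.5' -> ''."""
    i = addr.find("sip:")
    if i < 0:
        return ""
    rest = addr[i + 4:]
    return rest.split("@", 1)[0] if "@" in rest else ""


def parse_request(ts: float, src_ip: str, raw: str) -> Optional[SipRequest]:
    """Parse the start-line and headers of one SIP message.
    Responses ('SIP/2.0 401 ...') and malformed messages yield None."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[0].upper().startswith("SIP/"):
        return None
    method, uri, _version = parts
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            name, value = h.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return SipRequest(ts, src_ip, method.upper(), user_of(uri), user_of(headers.get("to", "")))


def detect(records: Iterable[Tuple[float, str, str]]) -> List[Tuple[str, str, str]]:
    """records: (timestamp, source IP, raw SIP message), in time order.
    Returns (rule, source IP, detail) tuples, one per offending source (and user)."""
    alerts: List[Tuple[str, str, str]] = []
    invites = defaultdict(list)          # src -> INVITE timestamps inside the window
    options_targets = defaultdict(set)   # src -> distinct users probed with OPTIONS
    registers = defaultdict(int)         # (src, to_user) -> REGISTER count
    flagged = set()                      # (rule, src, user) already reported

    def flag(rule: str, src: str, user: str, detail: str) -> None:
        if (rule, src, user) not in flagged:
            flagged.add((rule, src, user))
            alerts.append((rule, src, detail))

    for ts, src, raw in records:
        req = parse_request(ts, src, raw)
        if req is None:
            continue
        if req.method == "INVITE":
            window = invites[src]
            window.append(ts)
            while window and ts - window[0] > INVITE_WINDOW_S:   # expire old entries
                window.pop(0)
            if len(window) >= INVITE_FLOOD_COUNT:
                flag("invite_flood", src, "", f"{len(window)} INVITEs within {INVITE_WINDOW_S}s")
        elif req.method == "OPTIONS":
            options_targets[src].add(req.uri_user)
            if len(options_targets[src]) >= OPTIONS_DISTINCT_USERS:
                flag("options_scan", src, "", f"{len(options_targets[src])} distinct users probed")
        elif req.method == "REGISTER":
            key = (src, req.to_user)
            registers[key] += 1
            if registers[key] >= REGISTER_ATTEMPTS:
                flag("register_guessing", src, req.to_user, f"user {req.to_user}")
    return alerts


def build_request(method: str, uri: str, to: str) -> str:
    """Constructed minimal SIP request used to populate the sample capture."""
    return (f"{method} {uri} SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.0\r\n"
            f"To: <{to}>\r\nFrom: <sip:bot@192.0.2.0>\r\nCSeq: 1 {method}\r\n")


def sample_capture() -> List[Tuple[float, str, str]]:
    """Constructed capture against server 10.0.0.5: one benign phone, an INVITE
    flood, an OPTIONS enumeration and a REGISTER guessing run."""
    cap = [
        (0.0, "192.0.2.20", build_request("REGISTER", "sip:10.0.0.5", "sip:carol@10.0.0.5")),
        (0.5, "192.0.2.20", build_request("INVITE", "sip:alice@10.0.0.5", "sip:alice@10.0.0.5")),
        (0.6, "10.0.0.5", "SIP/2.0 100 Trying\r\nCSeq: 1 INVITE\r\n"),   # a response, ignored
    ]
    for i in range(25):   # DOS: 25 INVITEs from one source in half a second
        cap.append((1.0 + i * 0.02, "192.0.2.10", build_request("INVITE", "sip:alice@10.0.0.5", "sip:alice@10.0.0.5")))
    for i in range(12):   # SCAN: OPTIONS against 12 candidate usernames
        cap.append((2.0 + i * 0.1, "192.0.2.11", build_request("OPTIONS", f"sip:user{i}@10.0.0.5", f"sip:user{i}@10.0.0.5")))
    for i in range(6):    # CRACK: 6 REGISTER attempts for bob from one source
        cap.append((4.0 + i * 0.3, "192.0.2.12", build_request("REGISTER", "sip:10.0.0.5", "sip:bob@10.0.0.5")))
    return cap


if __name__ == "__main__":
    for rule, src, detail in detect(sample_capture()):
        print(f"{rule:18} {src:12} {detail}")
```

Each rule fires once per source (and, for REGISTER guessing, once per source and target user), so a long-running flood or scan produces a single alert rather than one per packet; the REGISTER rule counts attempts rather than 401 responses, which keeps it usable on a request-only log but means a phone that legitimately re-registers often should be whitelisted or given a larger threshold.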
e) REGISTER:
If by cracking you have obtained the password of a user, you can register in his place:
register username password IP_address_of_the_registrar(:port)
The bot can then receive calls (it chooses a random answer among
Busy, a 3xx response, or accepting the call and playing whatever it receives through
JMF; the listen time is random between 5 and 10 seconds).
We used it in particular to receive SPIT calls from the SPITTER/Asterisk tool.
f) SHOOT:
Blindly send a SIP message:
shoot user@IP_address(:port) url
If you type "local" instead of the URL, the bot sends an INVITE message included in the ZIP.
g) FINGERPRINT:
Fingerprint the type of SIP agent, found as the
value of the "User-Agent" header or the "Server" header, by sending
an OPTIONS message (active fingerprinting):
fingerprint user@IP_address(:port)
h) DISCOVER_n_FUZZ:
This option was used in a demo to send
specific vulnerabilities towards targeted phones. It integrates
OPTIONS fingerprinting in the first stage. The bot then sends a request to
an exploit server with the phone fingerprint and other data. The
exploit server builds the attack
signature locally (a message, a series of messages, or maybe a state machine)
and sends it back to the bot. In the final stage, the bot
performs the attack against the targeted phone and takes it
down. The protocol defining the interaction between the bot and the exploit server is
ongoing work. In any case, I don't provide the code here because most of the
signatures used are now out of date.
i) To order the bot to quit, just type and enter: quit
The software is not mature right now; it was tested with OpenSER and a
Thomson 2020 hardphone. The purpose was a proof of concept of a possible VoIP botnet.
Please send me feedback:
- The code was compiled and executed with JDK version "1.5.0_07". The
code does not work with Java version 1.6. I don't really know the
reason (perhaps the libraries used are not compatible with Java 1.6). If
someone can send me recommendations for upgrading to Java 1.6, I will be
thankful. Please send me an email!
- I launch the media handling as
a separate process; this may cause the media transfer to not work properly on
systems other than Linux. A minor change in the process invocation
(in the code) is needed to fix it for each operating system.
Also, if a real programmer could send me recommendations for making the code more
portable (or for handling the media as a thread instead of a process while using JMF), I am just a student!
- JMF doesn't support A-law compression (as far as I know). As a result, the
bot can't send SPIT over traditional telephony in Europe (it only
supports µ-law). Help me test it against PSTN telephony!
nassar(at)loria.fr
Enjoy it !
Development note:
The IRC VoIP bot is written in Java. It uses: