Professional Documents
Culture Documents
Investigating Wireless
Attacks
Module 17
Module 17 – Investigating Wireless Attacks
1
Lab
I C O N K E Y The Challenge
Valuable Section 1:
information
Test your
Navigate to D:\Evidence Files\Forensics Challenges\HONEYNET
knowledge Challenges\Challenge 4 of the Forensic Challenge 2010 - VoIP and analyze the
Logs_v3.txt.
Web exercise
The logfile logs_v3.txt was generated from an unadvertised, passive honeypot
Workbook review located on the internet such that any traffic destined to it must be nefarious. The
honeypot was scanned by parties’ unkonwn, with a range tools and this activity is
represented in the logs_v3.txt file.
Notes on logs_v3.txt:
CHFI Lab Manual Page 2 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
b) What was the tool suite author's intended use of this tool suite? Who
was it designed to be used by?
c) One of these tools was only used against a small subset of extensions.
Which were these extensions and why were only they targeted with this
tool?
4. List the extensions:
a) How many extensions were scanned? Are they all numbered extensions,
or named as well? List them.
b) Categorize these extensions into the following groups, and explain to
method you used:
o Those that exist on the honeypot, and require authentication.
o Those that exist on the honeypot, and do not require
authentication.
o Those that do not exist on the honeypot.
5. Was a real SIP client used at any point? If it was, what time was it used, and
why?
6. List the following, include geo-location information.
a) Source IP addresses involved.
b) The real world phone numbers that were attempted to be dialed.
7. Draw a simple static or animated timeline of events, describing when and
where certain phases occurred from, and what the purpose of each phase
was.
8. Assuming this were a real incident, write 2 paragraphs of an Executive
summary of this incident. Assume the reader does not have IT Security or
VOIP experience.
a) First Paragraph: Write, in the minimum detail necessary a description
the nature and timings, and possible motives of the attack phases.
b) Second Paragraph: What actions would you recommend should occur
following this particular incident, include any priority/urgency. Also
describe any good practices that should be employed to mitigate future
attacks.
Section 2:
Navigate to D:\Evidence Files\Forensics Challenges\HONEYNET
Challenges\Challenge 4 of the Forensic Challenge 2010 - VoIP. Analyze the
Forensic_challenge_4.pcap and answer the following questions:
CHFI Lab Manual Page 3 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
Challenge Result
Note: The tools and methodologies used here, and results obtained are
provided for your reference. The actual results may vary according to your
selection of tools and methodologies.
Section 1:
1. Tools used: awk, vim, sort, uniq, grep, SIPlogparser.rb (custom tool)
Look at all the Via parameter of all the logged SIP messages.
grep "Via:" logs_v3.txt |awk '{match($0,"Via:
SIP\/2.0\/(TCP|UDP)");print substr($0,1,RLENGTH);}' |sort |uniq
franck@ODIN:~/Analysis/Sources/Honeynet/Challenge 4$ grep "Via:"
logs_v3.txt |awk '{match($0,"Via: SIP\/2.0\/(TCP|UDP)");print
substr($0,1,RLENGTH);}' |sort |uniq awk: AVERTISSEMENT: séquence
d'échappement « \/ » traitée simplement comme « / » Via: SIP/2.0/UDP
2. All the messages stored in this log file have used UDP as transport
protocol. This log cannot be the result of a simple Nmap scan
because Nmap does not speak SIP out-of-the-box.
CHFI Lab Manual Page 4 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
Actually with nmap is possible to do a lot more than simply probe the
UDP port by writing a lua script for NSA (Nmap Scripting Engine). So,
with a little lua coding it will be possible to perform a scan which leaves
a trace like this - even mimic/faking a sip vicious scan (UserAgent,
behaviour, etc.) - but it would no longer be a simple nmap scan.
3. Tool list:
a) Tools used: vim
The scanning tools are from SIPvicious suite.
More in detail: The svmap.py (one probe only), svwar.py and
swcrack.py tools.
100 -
101 30
102 29
103 22
104 43
This is because the REGISTER attempts for 101, 102, 103, and 111
received a 401 reply, so these extensions were reported by svwar.py
to be existent and marked with reqauth. Due to a lack of
Authorization header both in the svcrack.py and Zoiper attack
phases we can assume that extension 100 received a 200 during the
enumeration phase and was then reported by svwar.py to be existent
and marked with noauth.
Despite that, all these five extensions were later feeded into
swcrack.py for the cracking phase, even if cracking 100 was
pointless. There are only two log entries for 100 in the svcrack.py
phase, because the tool quitted after the 200 reply.
We can argue that the cracking dictionary (or number range) was the
same for all the probed extensions, so we can guess that 101, 102
and 103 where cracked while 111 would have been cracked only if
dictionary or range size was more than 43 items.
Other than that, there are no evidences that 102, 103 and 111 were
successfully cracked, while evidence exists that at least 101 was
cracked.
CHFI Lab Manual Page 5 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
4. Extension list:
a) Tools used: sed, sort, wc
Total: 2652
Numbered: 2608
Named: 44 (aaron abigail admin andrew asterisk christopher client
cpanel data fax freddy heaven help info jane jobs Joshua manager
market marketing mike news norman operator oracle orders owner
postfix postmaster richard sales samantha sarah sebastian service
shop spam steve steven support temp test trixbox user)
b) Tools used: vim, sed
Exists and require authentication: 101, 102, 103, and 111
Evidences: Authorization header is present in some of the log
entries, so server replied with 401 to the previous attempt.
Exists and do not require authentication: 100
Evidences: No “Authorization” header sent neither by the
svcrack.py, nor by Zoiper. So server always replied with 200 to the
requests for extension 100.
Not existent: Every other
Evidences: No more logs after the end of svwar.py scan at 2010-
05-02 01:49:46.992699, so we can assume that requests for these
extensions always returned 404.
CHFI Lab Manual Page 6 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
CHFI Lab Manual Page 7 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
CHFI Lab Manual Page 8 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
Section 2:
1. Tools used: Wireshark
a. SIP over UDP: Register extension 555, set-up and terminate a call
from 555 to 1000
b. RTCP: RTP quality monitoring and a little RTP session management
c. RTP: Audio streams
d. HTTP: Trixbox web administration interface browsing
e. ICMP: A couple of port unreachable (pcap seq 4445, 4447) from
172.25.105.3 elicited by RTP frames with RTP seq 38112 and 38113
(pcap seq 4440, 441) reaching 172.25.105.40 after port 63184/udp
was almost closed.
These stats indicate that the G.711 µ-law (or u-law) codec was used for
the VoIP call.
b) G.711 family of codecs uses a sampling frequency of 8 kHz (8000
Hz). Meaning, the voice or audio stream is sampled 8000 times in
one (1) second. So, the sampling time or length of one sample is
1/8000 s = 0.000125 s = 0.125 ms
CHFI Lab Manual Page 9 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
CHFI Lab Manual Page 10 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
CHFI Lab Manual Page 11 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
Section 3:
1. RTP injection is a kind of attack where the attacker is able to inject or
mix RTP packets in an ongoing call between two parties. One
objective of this attack can be to diffuse SPIT (SPams over Internet
Telephony) by injecting a pre-recorded audio message in an
established VoIP call. This attack targets only the media protocol (RTP)
and hence is totally independent of the signaling protocol used to setup
the call.
RTP injection is only possible when some specific conditions are met:
a. The targeted RTP stream must be unencrypted
b. The use of UDP protocol as transport protocol for RTP
c. The attacker must be able to capture at least one valid RTP packet
from the stream. This packet will be used as a template to construct
the spoofed RTP packets that will be later injected in the stream.
d. From this packet, the attacker has to get critical information on the
stream to successfully inject RTP packets.
The payload type
The RTP Sequence number
The RTP timestamps
Synchronization Source Identifier (SSRC)
IP ID
If all this conditions are met, the attacker should be able to correctly
craft RTP packets and to inject them in the on-going call.
2. At least two ways can be used to intercept and steal SIP password
digest:
By sniffing SIP traffic:
a. Attacker can take control of a poorly secure switch (password brute-
force, exploit, social engineering...) and the configure traffic
mirroring
b. Attacker can have previously attacked a poorly secure Wireless LAN
and then can sniff traffic over the air
c. Intrusive: attacker can insert a hub or a PC with two NIC cards on
the traffic path
By Redirecting SIP traffic flowing between a client and a server to
the attacker using Man-in-the-Middle (MitM) attack.
CHFI Lab Manual Page 12 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
Lab Analysis
Analyze and document the results related to the lab exercise.
CHFI Lab Manual Page 13 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 17 – Investigating Wireless Attacks
2
Lab
CHFI Lab Manual Page 14 Computer Hacking Forensic Investigation Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.