[VOIPSEC] Phone Parrot: Possible phiser

Dustin D. Trammell dtrammell at tippingpoint.com
Tue Sep 5 16:54:16 CDT 2006


On Tue, 2006-09-05 at 16:26 -0400, J. Oquendo wrote:
> So I sit here wondering what will the little phone parrot do if say
> someone has this "tool" listening and repeating tones then piping it out 
> to a wav file. Let's think of the danger on this...
> 
> I (using my company's Asterisk PBX) go to check my account... Dial my 
> account, passcodes, etc... In the interim, Phone Parrot has been reverse 
> engineered to echo the tones it hears into /tmp/.something ...
> 
> Funny. I should put it to the test when I have time

You could probably do this even easier without Phone Parrot.  Asterisk
has a fairly robust interface for 3rd party application extensions
called the Asterisk Gateway Interface (AGI)[1].  All you would
essentially need to do is have all inbound calls go through your custom
AGI application "wrapper" before doing whatever they normally do (not
hard, you can do this via the dial-plan), and have your application
record any DTMF it detects into an audio file, or even interpret the
DTMF (perhaps via the AGI command "wait-for-digit"[2]) and just write
the associated numerical values to a text file.  If you control the
Asterisk server, you can do pretty much anything you like to
manipulate/monitor the calls.  Check out some of the AGI applications
listed[1] for some examples.

[1] http://www.voip-info.org/wiki-Asterisk+AGI
[2] http://www.voip-info.org/wiki/view/wait+for+digit

-- 
Dustin D. Trammell
VoIP Security Research
TippingPoint, a division of 3Com
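
Added example (not part of the original message and not Asterisk project code): because the reply points to the dial-plan as the place where such a wrapper is hooked in, an operator can audit extensions.conf for AGI and recording applications that are not on an approved list. The sample dialplan, the script names and the allowlist below are constructed for illustration.

```python
import re

# Dialplan applications that hand call audio or DTMF to external code or to disk.
WATCHED = {"agi", "eagi", "deadagi", "monitor", "mixmonitor", "record"}

CONTEXT_RE = re.compile(r"^\[([^\]]+)\]")
STEP_RE = re.compile(r"^(exten|same)\s*=>?\s*(.+)$", re.I)
APP_RE = re.compile(r"^\s*([A-Za-z]+)\((.*)\)\s*$")

def audit_dialplan(text, allowlist=frozenset()):
    """Return (line, context, app, target) for each watched call not in allowlist."""
    findings, context = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop comments (escaped \; not handled)
        if not line:
            continue
        m = CONTEXT_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = STEP_RE.match(line)
        if not m:
            continue
        # exten => pattern,priority,App(...)   /   same => priority,App(...)
        skip = 2 if m.group(1).lower() == "exten" else 1
        parts = m.group(2).split(",", skip)
        call = APP_RE.match(parts[skip]) if len(parts) > skip else None
        if not call or call.group(1).lower() not in WATCHED:
            continue
        app = call.group(1).lower()
        target = re.split(r"[,|]", call.group(2))[0].strip()  # "|" is the legacy separator
        if (app, target) not in allowlist:
            findings.append((lineno, context, app, target))
    return findings

# Constructed sample dialplan, not taken from any real system.
SAMPLE = """\
[from-pstn]
exten => _X.,1,Answer()
same => n,AGI(wrapper.agi,${EXTEN})
same => n,Goto(ivr,s,1)

[ivr]
exten => s,1,AGI(ivr-menu.agi)
same => n,MixMonitor(/tmp/calls/${UNIQUEID}.wav)
;exten => s,n,AGI(old.agi)
same => n,Hangup()
"""

# Hypothetical allowlist: the one AGI script the operator deployed on purpose.
APPROVED = {("agi", "ivr-menu.agi")}

if __name__ == "__main__":
    for finding in audit_dialplan(SAMPLE, APPROVED):
        print("review: line %d [%s] %s -> %s" % finding)
```

Running this from a scheduled job against the live extensions.conf, with the allowlist kept under change control, turns an unexpected wrapper in an inbound context into a reviewable finding.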




