[VOIPSEC] "SkypeSkryping" and Google Voice findings by Secure Science
shawnmer at gmail.com
Sun Apr 12 20:50:42 BST 2009
On Sat, Apr 11, 2009 at 4:08 PM, nnp <version5 at gmail.com> wrote:
> OK, interesting I suppose. Although you could have summed up the
> entire thing with a one-liner "Skype web access is vulnerable to CSRF"
Fair enough, but I think the example detailed at
http://www.securescience.net/xss/skype/skype.html provides exactly that:
"http://www.securescience.net/xss/skype/skype1.html - CSRF
demonstrates hijacking of incoming Skype calls. Please note you must
be logged into your skype account for this example to work."
> Is there some way to enumerate valid Skype accounts by the way?
> Besides some lame dictionary attack. If not, then how do you propose
> the attacker finds out who these online 15 million people are? That
> would seem to be the more interesting part here.
Good point, and obviously approaches to "harvesting" valid Skype
usernames could range from basic searching to much more technical
analysis. With the objective of harvesting high-usage Skype users, a
few ideas off the top of my head include the following:
1. Registered Skype forum users at http://forum.skype.com. Each user
has a unique page, such as
http://forum.skype.com/index.php?showuser=400 - they are sequential
and run into the 200K-plus range. So something lame like this script to pull
each page and grep the user:
i=1
while [ $i -le 200000 ]; do
  curl "http://forum.skype.com/index.php?showuser=$i" | grep "<title>" >> list
  i=$(( $i + 1 ))
done
And the output from list file:
<title>mohammed_atta_ - Viewing Profile</title>
<title>nickclayton_ - Viewing Profile</title>
<title>alexfriis_ - Viewing Profile</title>
<title>andybiotikum_ - Viewing Profile</title>
<title>China_ - Viewing Profile</title>
<title>robertsp_ - Viewing Profile</title>
<title>bella_ - Viewing Profile</title>
2. SkypePrime directory - http://directory.skype.com/en/skypeprime/ -
is where folks peddle services using Skype for communication. Using
the Google search limiter "site:" for searching out registered users,
each with a unique page.
Google search the following,
"site:http://directory.skype.com/en/skypeprime/listing/" and there's
<insert l4m3 script here>
3. Not all Skype traffic is encrypted. When the Skype client
searches for users, plaintext TCP traffic is sent to Skype servers.
The packets contain a hash, the Skype username searched for, the Skype
username doing the search, and the Skype client version. With the
right gateway or span port access in a Skype-rich environment,
sniffing for this traffic on TCP/33033 could provide a number of
usernames, of which at least one is known to be valid. As a
side-note, the returned usernames to the Skype client from the search
are sent over encrypted UDP.
4. The Skype client user search function is interesting in the types
of search returns it provides. I suggest folks try this for
themselves to get a feel for it, but the key point here is a number of
usernames are returned with whatever you enter into the search box.
From a harvesting standpoint you can't cut/paste/grab the search
result output, but I expect that with modified versions of Skype,
debuggers, etc. there's potential to extract this data.
5. Scapy folks have made progress into communicating with Skype, and
it's possible there's some means of Skype username enumeration using
Scapy. Anyone have more on this?
That's all I have for now, but please toss out ideas to the list :)
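As a defender's counterpart to item 1 above, this added example (not part of the original post) scans web server access logs for a client walking sequential showuser profile IDs, the pattern the curl loop produces. The log lines, client IPs and the min_run threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not from the list post.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2009:20:50:01 +0100] "GET /index.php?showuser=400 HTTP/1.1" 200 5120 "-" "curl/7.19.4"
203.0.113.5 - - [12/Apr/2009:20:50:01 +0100] "GET /index.php?showuser=401 HTTP/1.1" 200 5101 "-" "curl/7.19.4"
203.0.113.5 - - [12/Apr/2009:20:50:02 +0100] "GET /index.php?showuser=402 HTTP/1.1" 200 4988 "-" "curl/7.19.4"
203.0.113.5 - - [12/Apr/2009:20:50:02 +0100] "GET /index.php?showuser=403 HTTP/1.1" 200 5033 "-" "curl/7.19.4"
203.0.113.5 - - [12/Apr/2009:20:50:03 +0100] "GET /index.php?showuser=404 HTTP/1.1" 200 5207 "-" "curl/7.19.4"
198.51.100.7 - - [12/Apr/2009:20:51:10 +0100] "GET /index.php?showuser=88213 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2009:20:53:44 +0100] "GET /index.php?showforum=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2009:20:55:02 +0100] "GET /index.php?showuser=1540 HTTP/1.1" 200 5013 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SHOWUSER_RE = re.compile(r'[?&]showuser=(\d+)')

def profile_ids_by_client(log_text):
    """Map each client IP to the ordered list of showuser IDs it requested."""
    ids = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        u = SHOWUSER_RE.search(m.group('path'))
        if u:
            ids[m.group('ip')].append(int(u.group(1)))
    return ids

def longest_sequential_run(values):
    """Length of the longest run where each ID is exactly the previous one plus 1."""
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_run=4):
    """Return {ip: run_length} for clients whose profile requests walk sequential IDs."""
    return {ip: n for ip, vals in profile_ids_by_client(log_text).items()
            if (n := longest_sequential_run(vals)) >= min_run}

if __name__ == "__main__":
    for ip, n in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} consecutive showuser IDs requested")
```

A normal browsing client (198.51.100.7 here) jumps between unrelated IDs and is not flagged, so the check is a reasonable rate-limit or alert trigger for an ID-keyed profile endpoint.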