[VOIPSEC] "SkypeSkryping" and Google Voice findings by Secure Science

nnp version5 at gmail.com
Mon Apr 13 13:36:58 CDT 2009


On Sun, Apr 12, 2009 at 8:50 PM, Shawn Merdinger <shawnmer at gmail.com> wrote:
> Hi Sean,
>
> On Sat, Apr 11, 2009 at 4:08 PM, nnp <version5 at gmail.com> wrote:
>> OK, interesting I suppose. Although you could have summed up the
>> entire thing with a one-liner "Skype web access is vulnerable to CSRF"
>
> Fair enough, but I think the example detailed at
> http://www.securescience.net/xss/skype/skype.html provides exactly
> this summation:
>
> "http://www.securescience.net/xss/skype/skype1.html - CSRF
> demonstrates hijacking of incoming Skype calls. Please note you must
> be logged into your skype account for this example to work."
>
>> Is there some way to enumerate valid Skype accounts by the way?
>> Besides some lame dictionary attack. If not, then how do you propose
>> the attacker finds out who these online 15 million people are? That
>> would seem to be the more interesting part here.
>
> Good point, and obviously approaches to "harvesting" valid Skype
> usernames could range from basic searching to much more technical
> analysis.  With the objective of harvesting high-usage Skype users, a
> few ideas off the top of my head include the following:
>
> 1.  Registered Skype forum users at http://forum.skype.com.  Each user
> has a unique page, such as
> http://forum.skype.com/index.php?showuser=400 - there are sequential
> and run into plus-200K.  So something lame like this script to pull
> each page and grep the user.
>
> i=400
> while [ $i -le 200000 ]
> do
>  curl http://forum.skype.com/index.php?showuser=$i |grep "<title>" >> list
>  i=$(( $i + 1 ))
> done
>
> And the output from list file:
>
> <title>mohammed_atta_ - Viewing Profile</title>
> <title>nickclayton_ - Viewing Profile</title>
> <title>alexfriis_ - Viewing Profile</title>
> <title>andybiotikum_ - Viewing Profile</title>
> <title>China_ - Viewing Profile</title>
> <title>robertsp_ - Viewing Profile</title>
> <title>bella_ - Viewing Profile</title>
> ...
>
> 2.  SkypePrime directory - http://directory.skype.com/en/skypeprime/ -
> is where folks peddle services using Skype for communication.  Using
> the Google search limiter "site:" for searching out registered users,
> each with a unique page.
>
> Google search the following,
> "site:http://directory.skype.com/en/skypeprime/listing/" and there's
> plus-8K users.
>
> <insert l4m3 script here>
>
> 3.  Not all Skype traffic is encrypted.  When the Skype client
> searches for users, plaintext TCP traffic is sent to Skype servers.
> The packets contain a hash, the Skype username searched for, the Skype
> username doing the search, and the Skype client version.  With the
> right gateway or span port access in a Skype-rich environment,
> sniffing for this traffic on TCP/33033 could provide a number of
> usernames, of which at least one is known to be valid.  As a
> side-note, the returned usernames to the Skype client from the search
> are sent over encrypted UDP.
>
> 4.  The Skype client user search function is interesting in the types
> of search returns it provides.  I suggest folks try this for
> themselves to get a feel for it, but the key point here is a number of
> usernames are returned with whatever you enter into the search box.
> From a harvesting standpoint you can't cut/paste/grab the search
> result output, but I expect that with modified versions of Skype,
> debuggers, etc. there's potential to extract this data.
>
> 5.  Scapy folks have made progress into communicating with Skype, and
> it's possible there's some means of Skype username enumeration using
> Scapy.  Anyone have more on this?
>
> That's all I have for now, but please toss out ideas to the list :)
>
> Cheers,
> --scm
>

Hrm, I should be a smartarse more often if it elicits such responses
;-) Where did you hear about the Scapy/Skype stuff? I had a quick look
through the source and commit logs and couldn't find anything.

-- 
http://www.unprotectedhex.com
http://www.smashthestack.org
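From the forum operator's side, the sequential `showuser=` crawl quoted above leaves an obvious trace in the web server's access log: one client walking profile IDs in order, at machine speed. The following is an added detection example, not code from the thread or from Skype; it assumes Apache combined log format and uses constructed sample lines (addresses from documentation ranges), with the window and thresholds chosen as illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Apache combined format); not real forum data.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2009:13:00:01 -0500] "GET /index.php?showuser=400 HTTP/1.1" 200 5120 "-" "curl/7.18.0"
203.0.113.7 - - [13/Apr/2009:13:00:01 -0500] "GET /index.php?showuser=401 HTTP/1.1" 200 5098 "-" "curl/7.18.0"
203.0.113.7 - - [13/Apr/2009:13:00:02 -0500] "GET /index.php?showuser=402 HTTP/1.1" 200 5077 "-" "curl/7.18.0"
198.51.100.20 - - [13/Apr/2009:13:00:02 -0500] "GET /index.php?showuser=1523 HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2009:13:00:02 -0500] "GET /index.php?showuser=403 HTTP/1.1" 200 5133 "-" "curl/7.18.0"
203.0.113.7 - - [13/Apr/2009:13:00:03 -0500] "GET /index.php?showuser=404 HTTP/1.1" 200 5101 "-" "curl/7.18.0"
198.51.100.20 - - [13/Apr/2009:13:00:40 -0500] "GET /index.php?showuser=88 HTTP/1.1" 200 5010 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2009:13:00:03 -0500] "GET /index.php?showuser=405 HTTP/1.1" 200 5088 "-" "curl/7.18.0"
"""

# Apache combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
USER_RE = re.compile(r'[?&]showuser=(\d+)\b')


def parse_line(line):
    """Return a record for a profile-page request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = USER_RE.search(m.group('path'))
    if not u:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'uid': int(u.group(1)), 'ua': m.group('ua')}


def detect_enumeration(log_text, window_seconds=60, min_requests=5, min_sequential_ratio=0.8):
    """Flag clients that request profile IDs in ascending steps of one within a time window.

    Thresholds are illustrative assumptions: at least `min_requests` profile hits inside
    `window_seconds`, and at least `min_sequential_ratio` of the ID-to-ID steps equal to +1.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[rec['ip']].append(rec)

    alerts = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r['ts'])
        best = None
        start = 0
        # Sliding window over the client's requests, ordered by timestamp.
        for end in range(len(recs)):
            while (recs[end]['ts'] - recs[start]['ts']).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            steps = [b['uid'] - a['uid'] for a, b in zip(window, window[1:])]
            ratio = sum(1 for s in steps if s == 1) / len(steps)
            if ratio >= min_sequential_ratio and (best is None or len(window) > best['requests']):
                best = {
                    'client': ip,
                    'requests': len(window),
                    'first_id': window[0]['uid'],
                    'last_id': window[-1]['uid'],
                    'user_agents': sorted({r['ua'] for r in window}),
                    'sequential_ratio': round(ratio, 2),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == '__main__':
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the detector reports the `203.0.113.7` client (six profile pages, IDs 400 through 405, all sequential) and ignores the browser client that fetched two unrelated profiles. The same pattern is the natural trigger for a rate limit or a login requirement on profile pages, which removes the sequential-ID harvest without touching normal forum use.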