[VOIPSEC] Phorensix - Asterisk honeypot/forensics : NParse Netrake nCite SBC attack parser
J. Oquendo
sil at infiltrated.net
Tue Jan 11 14:48:19 CST 2011
Hey all. Over the past few daze (yes I know how to spell days) I
re-wrote a simpler honeypot called phorensix targeted at
Asterisk. Thought others could benefit/learn from it.
(http://www.infiltrated.net/scripts/phorensix)
Phorensix is a post-login VoIP forensics tool created for Asterisk
(tested on Asterisk 1.4.5 to be exact). Phorensix takes a look at a
rogue host connecting to a known-to-be vulnerable account and documents
who is connecting, where are they coming from, what are they doing to my
PBX, what are they doing ON MY PBX.
It is a work in progress that can be scripted to take a list of
accounts, and do the legwork... It uses tshark to capture a 2 minute
network conversation between the attacker and host, does a quick lookup
to see where the attacker is coming from, checks against rogue hosts via
Shadowserver and can also block that subnet if need be.
Because of the variances on Asterisk and the logging, I decided to
ignore the bruteforcers, create an account (100) with a simple password
(100) which would allow any brute forcer instance access to the account.
This allows me to focus solely on people who are actually trying to make
calls.
Why shell, I use {perl,ruby,python,etc}@!? Simple; everyone's system
differs. Rather than create a makefile and install yet more software on
your machine, the system relies on what's almost always going to be
available. Ugly, but functional.
Requires: tshark and... that's it. Change the email address to get
alerts sent upon someone logging onto the honeypot.
*todo ... Add p0f fingerprinting, drink coffee, re-write it for Ast 1.6
+ 1.8, finish coffee, revise the honeypot, review feedback
-----------------------------------
nparse - parses out alarm entries on Netrake nCite Session Border
Controllers for potential SIP based attackers. The data discovered can
be used for firewall rules or analysis of attackers targeting the nCite SBC.
(http://www.infiltrated.net/scripts/nparse.txt)
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
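As an added illustration of the post-login workflow the post describes (watch the honeypot account, capture two minutes with tshark, optionally drop the attacker's subnet), here is a small shell sketch; it is not the author's phorensix script, and it assumes an Asterisk 1.4 style "Registered SIP" verbose log line, interface eth0 and honeypot account 100, with a constructed sample log line embedded for a stand-alone run.

```shell
#!/bin/sh
# Added sketch of the phorensix workflow, not the author's script.
# Assumptions: Asterisk 1.4 style verbose log line, interface eth0,
# honeypot account '100', captures written under /tmp/phorensix.

IFACE="${IFACE:-eth0}"
HONEYPOT_ACCT="${HONEYPOT_ACCT:-100}"
CAP_SECS=120                      # the post captures a 2 minute conversation
OUTDIR="${OUTDIR:-/tmp/phorensix}"

# Pull the peer IP out of a 'Registered SIP' line for the honeypot account.
# Prints nothing for other accounts or for lines that are not registrations.
peer_ip_from_log() {
    printf '%s\n' "$1" | sed -n \
        "s/.*Registered SIP '${HONEYPOT_ACCT}' at \([0-9.]*\).*/\1/p"
}

# RFC 1918 and loopback peers are our own phones, not rogue hosts.
is_external() {
    case "$1" in
        10.*|127.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        *) return 0 ;;
    esac
}

# tshark command for a 2 minute capture limited to the attacker host.
capture_cmd() {
    printf 'tshark -i %s -a duration:%s -f "host %s" -w %s/%s.pcap' \
        "$IFACE" "$CAP_SECS" "$1" "$OUTDIR" "$1"
}

# iptables rule dropping the attacker's /24 (the optional block step).
block_cmd() {
    net="$(printf '%s' "$1" | cut -d. -f1-3).0"
    printf 'iptables -I INPUT -s %s/24 -j DROP' "$net"
}

# Constructed sample log line (Asterisk 1.4 style), not a real capture.
SAMPLE="[Jan 11 14:48:19] VERBOSE[1234] logger.c:     -- Registered SIP '100' at 203.0.113.5 port 5060 expires 3600"

main() {
    ip=$(peer_ip_from_log "$SAMPLE")
    [ -n "$ip" ] && is_external "$ip" || { echo "no external honeypot login"; return 0; }
    echo "honeypot login from $ip"
    echo "would run: $(capture_cmd "$ip")"   # print only; run it to capture
    echo "would run: $(block_cmd "$ip")"     # print only; run it to block
}
main
```

The commands are only printed so the script is safe to run on any box; replace the two echo lines with direct invocations (as root) to actually capture and block.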