GNS3-cisco3745 SIP Server. Preparation for simulated VoIP attacks.
This will be a multi-staged tutorial. The purpose is to further explore the tools backtrack has to offer. The previous GNS3 tutorial demonstrated that cisco hardware platforms can be emulated in software to practice with cisco auditing tools. Here I am expanding that tutorial and using the virtual cisco router as a Call Manager Express IP PBX, using the VoIP protocol SIP in this instance. In later stages we will configure SIP and our softphones to register to our router. Similar things could be done with asterisk, but part of the intention here is to go further into the cisco realm and use GNS3 to emulate a router acting as an IPS. Those tutorials will come later. Asterisk is somewhat out of the scope of this.
Use the previous GNS3 guide to install gns3, uml-utilities, and configure the networking. I needed to use a certain IOS version and feature set to get this to work properly. I will list this below. I also added Cisco Call Manager Express full gui for the router, and you will need another file for this. I'll leave it up to you to find a similar IOS and find the CME web GUI.
Code:
c3745-ipvoicek9-mz.124-9.t
cme-full-7.1.0.0.tar
This HowTo is a work in progress, and will be split up into phases. I will be including videos covering the steps as well as some of the basics in text. I will assume that for the cisco router configuration the video demonstrations should do fine, and will also post my final config.
Phase one is starting GNS3 and adding a router after you have imported the IOS image you will be using for the given router platform. Next is configuring the hardware. We need quite a bit of flash space, so set PCMCIA disk0 to its full capacity of 99MB. Then add another Fast Ethernet interface just for good measure. Start up the router and wait for it to become idle after booting. Calculate your IDLE-PC value. This is important, as your host CPU will be loaded hard if you do not. Again, as GNS3 says, values marked with * are potentially better. Then we give our router a hostname and domain name, configure SSH, and clean up our flash.
I have included a video of opening GNS3 and beginning these tasks.
Phase 1
These here are the cisco commands I ran on the router for phase one.
Code:
Router> enable
Router# conf t
Router(config)# hostname VictimRouter
VictimRouter(config)# enable password cmepass
VictimRouter(config)# ip domain name pentest-client.com
VictimRouter(config)# ip ssh authentication-retries 5
VictimRouter(config)# ip ssh version 2
VictimRouter(config)# crypto key generate rsa
VictimRouter(config)# line con 0
VictimRouter(config-line)# no exec-timeout
VictimRouter(config-line)# no session-timeout
VictimRouter(config-line)# line vty 0 4
VictimRouter(config-line)# no exec-timeout
VictimRouter(config-line)# no session-timeout
VictimRouter(config-line)# login local
VictimRouter(config-line)# transport input ssh
VictimRouter(config-line)# exit
VictimRouter(config)# username iprouteth0 privilege 0 password 0 cmepass
VictimRouter(config)# int fa0/0
VictimRouter(config-if)# ip address dhcp
VictimRouter(config-if)# no shut
VictimRouter(config-if)# exit
VictimRouter(config)# exit
VictimRouter# erase flash:
VictimRouter# format flash:
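Added example, not part of the original post: a small Python script that strips the CLI prompts from a transcript like the one above and flags the settings a reviewer would question on a real router (cleartext enable/user passwords, lines that never time out, a high SSH retry count). The check list and the sample transcript are this script's own constructions based on the phase-one commands.

```python
"""Audit a Cisco IOS CLI transcript for settings worth flagging.

Added example, not from the original post: the checks below are this
script's own, and PHASE1_TRANSCRIPT is a constructed copy of the phase-one
commands used to build the lab router."""
import re

# Constructed sample: the phase-one transcript, prompts included.
PHASE1_TRANSCRIPT = """\
Router> enable
Router# conf t
Router(config)# hostname VictimRouter
VictimRouter(config)# enable password cmepass
VictimRouter(config)# ip domain name pentest-client.com
VictimRouter(config)# ip ssh authentication-retries 5
VictimRouter(config)# ip ssh version 2
VictimRouter(config)# crypto key generate rsa
VictimRouter(config)# line con 0
VictimRouter(config-line)# no exec-timeout
VictimRouter(config-line)# no session-timeout
VictimRouter(config-line)# line vty 0 4
VictimRouter(config-line)# no exec-timeout
VictimRouter(config-line)# no session-timeout
VictimRouter(config-line)# login local
VictimRouter(config-line)# transport input ssh
VictimRouter(config-line)# exit
VictimRouter(config)# username iprouteth0 privilege 0 password 0 cmepass
"""

# Matches "Router>", "VictimRouter#", "VictimRouter(config-line)#" etc.
PROMPT_RE = re.compile(r"^\S+?(?:\([\w-]+\))?[>#]\s*")

def strip_prompts(transcript):
    """Turn a CLI transcript into (line context, command) pairs.

    The context is the most recent 'line ...' command so that line-mode
    settings (exec-timeout etc.) can be attributed to con/vty/aux."""
    cmds = []
    context = None
    for raw in transcript.splitlines():
        cmd = PROMPT_RE.sub("", raw).strip()
        if not cmd:
            continue
        if cmd.startswith("line "):
            context = cmd
        elif cmd in ("exit", "end"):
            context = None
        cmds.append((context, cmd))
    return cmds

# (finding id, regex applied to the bare command, explanation)
CHECKS = [
    ("enable-password", r"^enable password\b",
     "'enable password' is weaker than 'enable secret' (type 5/8/9 hash)"),
    ("user-password-type0", r"^username \S+ .*\bpassword 0 ",
     "'password 0' stores the user credential in cleartext; prefer 'secret'"),
    ("no-exec-timeout", r"^no exec-timeout$",
     "idle sessions on this line never expire"),
    ("ssh-retries-high", r"^ip ssh authentication-retries ([4-9]|\d{2,})$",
     "authentication-retries above 3 gives password guessing more room"),
]

def audit(transcript):
    """Return a list of (finding id, line context, offending command)."""
    findings = []
    for context, cmd in strip_prompts(transcript):
        for fid, pattern, _explanation in CHECKS:
            if re.search(pattern, cmd):
                findings.append((fid, context, cmd))
    return findings

if __name__ == "__main__":
    explanations = {fid: text for fid, _, text in CHECKS}
    for fid, context, cmd in audit(PHASE1_TRANSCRIPT):
        where = f" [{context}]" if context else ""
        print(f"{fid}{where}: {cmd}\n    {explanations[fid]}")
```

Run against the phase-one transcript it reports five findings: the cleartext enable password, the SSH retry count, `no exec-timeout` on both `line con 0` and `line vty 0 4`, and the `password 0` user. On a deliberate victim router these are the point of the exercise; on anything else they are what the same script should catch.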
Phase two consists of uploading the Call Manager Express web gui to the router, configuring the web interface, and testing that it works. The web gui isn't strictly needed for the SIP VoIP testing, but it gives you something else to attack, and can be pretty cool to mess around with. Later I may include adding cisco style phone configurations as well (SCCP and MGCP VoIP protocols). Uploading the cme-full tarball is needed for SCCP and MGCP phone registrations.
Video for Phase two
Here are the commands I used in the router for phase two.
Code:
VictimRouter# archive tar /xtract ftp://192.168.25.254/cme-full-7.1.0.0.tar flash:
VictimRouter# conf t
VictimRouter(config)# no ip http server
VictimRouter(config)# ip http secure-server
VictimRouter(config)# ip http path flash:/gui
VictimRouter(config)# telephony-service
VictimRouter(config-telephony)# web admin system name iprouteth0 password cmepass
VictimRouter(config-telephony)# dn-webedit
VictimRouter(config-telephony)# time-webedit
And on to phase three, in which we will configure our SIP server on the device and set up the configuration so our SIP phones can register to the CME router. I like to use twinkle, but there are any number of SIP softphones out there.
Code:
root@bt:~# apt-get install twinkle
The MAC addresses used for the phone config are the addresses of the eth0 adapters of each backtrack VM. Two VMs are needed, since with one softphone running, port 5060 is already taken on that device. Here are the commands I used for this phase in the router.
Code:
VictimRouter# conf t
VictimRouter(config)# voice service voip
VictimRouter(conf-voi-serv)# allow connections sip to sip
VictimRouter(conf-voi-serv)# sip
VictimRouter(conf-serv-sip)# registrar server
VictimRouter(conf-serv-sip)# exit
VictimRouter(conf-voi-serv)# exit
VictimRouter(config)# voice register global
VictimRouter(config-register-global)# mode cme
VictimRouter(config-register-global)# source-address 192.168.25.118 port 5060
VictimRouter(config-register-global)# max-dn 10
VictimRouter(config-register-global)# max-pool 10
VictimRouter(config-register-global)# authenticate realm pentest-client.com
VictimRouter(config-register-global)# tftp-path flash:
VictimRouter(config-register-global)# create profile
VictimRouter(config-register-global)# exit
VictimRouter(config)# voice register dn 1
VictimRouter(config-register-dn)# number 31337
VictimRouter(config-register-dn)# name 31337
VictimRouter(config-register-dn)# voice register dn 2
VictimRouter(config-register-dn)# number 4444
VictimRouter(config-register-dn)# name metasploit
VictimRouter(config-register-dn)# voice register pool 1
VictimRouter(config-register-pool)# id mac 0800.276c.0223
VictimRouter(config-register-pool)# number 1 dn 1
VictimRouter(config-register-pool)# username 31337 password cmepass
VictimRouter(config-register-pool)# codec g711ulaw
VictimRouter(config-register-pool)# voice register pool 2
VictimRouter(config-register-pool)# id mac 0800.27e2.51b1
VictimRouter(config-register-pool)# number 1 dn 2
VictimRouter(config-register-pool)# username 4444 password cmepass
VictimRouter(config-register-pool)# codec g711ulaw
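Added example, not part of the original post: a simulated SIP REGISTER exchange showing what the `registrar server` and `authenticate realm pentest-client.com` lines above set up. Both sides live in one Python file and no packets are sent: a toy registrar issues the 401 challenge, the "phone" answers with an RFC 2617 digest built from the pool credentials (31337/cmepass, 4444/cmepass, realm pentest-client.com), and the registrar verifies it with single-use nonces so a captured Authorization header cannot simply be replayed. The phone address 192.168.25.101, the branch/Call-ID values and the Registrar class are constructed for the example; the realm, registrar address and credentials come from the configuration in the post.

```python
"""Simulated SIP REGISTER with digest authentication (added example, not
from the original post).  Both the softphone and the registrar side are in
this file; nothing is sent over the network."""
import hashlib
import re
import secrets

REALM = "pentest-client.com"            # 'authenticate realm' in the post
REGISTRAR = "192.168.25.118"            # 'source-address' in the post
PHONE_ADDR = "192.168.25.101:5060"      # constructed phone address
# Constructed credential store mirroring the 'voice register pool' entries.
CREDENTIALS = {"31337": "cmepass", "4444": "cmepass"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1 : nonce : HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_auth_params(header_value):
    """Parse 'Digest k="v", k2="v2"' into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header_value))

def build_register(user, auth_header=None):
    """Build the REGISTER request a softphone sends (constructed values)."""
    uri = f"sip:{REALM}"
    lines = [
        f"REGISTER {uri} SIP/2.0",
        f"Via: SIP/2.0/UDP {PHONE_ADDR};branch=z9hG4bK-example",
        f"From: <sip:{user}@{REALM}>;tag=1",
        f"To: <sip:{user}@{REALM}>",
        "Call-ID: example-call-id",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{user}@{PHONE_ADDR}>",
        "Expires: 3600",
    ]
    if auth_header:
        lines.append(f"Authorization: {auth_header}")
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)

def build_authorized_register(user, password, challenge):
    """Answer a 401 by computing the digest over the served nonce."""
    www = challenge.split("WWW-Authenticate:", 1)[1].strip()
    p = parse_auth_params(www)
    uri = f"sip:{REALM}"
    resp = digest_response(user, password, "REGISTER", uri, p["nonce"])
    auth = (f'Digest username="{user}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}"')
    return build_register(user, auth)

class Registrar:
    """Toy registrar: challenge, verify digest, record the Contact binding."""
    def __init__(self):
        self.nonces = set()      # outstanding single-use nonces
        self.bindings = {}       # user -> Contact

    def _challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return (f"SIP/2.0 401 Unauthorized\r\n"
                f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"')

    def handle(self, message):
        request_line, _, rest = message.partition("\r\n")
        method, _uri, _ = request_line.split(" ", 2)
        headers = {}
        for line in rest.split("\r\n"):
            if not line:
                break                           # end of headers
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if method != "REGISTER":
            return "SIP/2.0 405 Method Not Allowed"
        auth = headers.get("authorization")
        if not auth:
            return self._challenge()
        p = parse_auth_params(auth)
        nonce = p.get("nonce")
        if nonce not in self.nonces:
            return self._challenge()            # unknown or already used nonce
        self.nonces.discard(nonce)              # single use blocks replay
        user = p.get("username", "")
        expected = digest_response(user, CREDENTIALS.get(user, ""),
                                   method, p.get("uri", ""), nonce)
        if user not in CREDENTIALS or not secrets.compare_digest(
                expected, p.get("response", "")):
            return "SIP/2.0 403 Forbidden"
        self.bindings[user] = headers.get("contact")
        return "SIP/2.0 200 OK"

def register(registrar, user, password):
    """Run the two-step exchange: REGISTER -> 401 -> REGISTER + Authorization."""
    reply = registrar.handle(build_register(user))
    if not reply.startswith("SIP/2.0 401"):
        return reply
    return registrar.handle(build_authorized_register(user, password, reply))

if __name__ == "__main__":
    r = Registrar()
    print("31337:", register(r, "31337", "cmepass"))   # 200 OK
    print("4444 bad:", register(r, "4444", "wrong"))    # 403 Forbidden
    print("bindings:", r.bindings)
```

Two points the code makes that the configuration alone does not: the password never crosses the wire, only a hash bound to the server's nonce, and because the registrar forgets each nonce once it is answered, a captured Authorization header presented a second time just earns a fresh 401. Both are what you should see from the real CME registrar in a packet capture when the softphones register.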
And here is the phase three video
Please leave feedback if you feel this is at all useful or interesting for you. I appreciate that feedback, and also your patience as I continue to work on documenting the related backtrack tools I will use. I am currently transitioning from Virtualbox OSE to VMWare workstation 7 x86_64 to see if it will fix some gentoo alsa issues slowing my progress.