This will be a multi-stage tutorial. The purpose is to further explore the tools BackTrack has to offer. The previous GNS3 tutorial demonstrated that Cisco hardware platforms could be emulated in software to practice with Cisco auditing tools. Here I am expanding on that tutorial and using the virtual Cisco router as a Call Manager Express IP PBX, using the VoIP protocol SIP in this instance. In later stages we will configure SIP and our softphones to register to our router. Similar things could be done with Asterisk, but part of this is the intention of going further in the Cisco realm and using GNS3 to emulate a router acting as an IPS. Those tutorials will come later. Asterisk is somewhat out of the scope of this.
Use the previous GNS3 guide to install gns3 and uml-utilities, and to configure the networking. I needed to use a certain IOS version and feature set to get this to work properly. I will list this below. I also added the full Cisco Call Manager Express GUI for the router, and you will need another file for this. I'll leave it up to you to find a similar IOS and find the CME web GUI.
Code:
c3745-ipvoicek9-mz.124-9.t
cme-full-7.1.0.0.tar
This HowTo is a work in progress, and will be split up into phases. I will be including videos covering the steps as well as some of the basics in text. I will assume that for the Cisco router configuration the video demonstrations should do fine, and will also post my final config.
Phase one is starting GNS3 and adding a router after you have imported the IOS image you will be using for the given router platform. Next is configuring the hardware. We need quite a bit of flash space, so set PCMCIA disk0 to its full capacity of 99MB. Then add another Fast Ethernet interface just for good measure. Start up the router and wait for it to become idle after booting. Calculate your IDLE-PC value. This is important, as your CPU will be loaded hard if you do not. Again, as GNS3 says, values marked with * are potentially better. Then we give our router a hostname and domain name, configure SSH, and clean up our flash.
I have included a video of opening GNS3 and beginning these tasks.
Phase 1
These are the Cisco commands I ran on the router for phase one.
Code:
Router> enable
Router# conf t
Router(config)# hostname VictimRouter
VictimRouter(config)# enable password cmepass
VictimRouter(config)# ip domain name pentest-client.com
VictimRouter(config)# ip ssh authentication-retries 5
VictimRouter(config)# ip ssh version 2
VictimRouter(config)# crypto key generate rsa
VictimRouter(config)# line con 0
VictimRouter(config-line)# no exec-timeout
VictimRouter(config-line)# no session-timeout
VictimRouter(config-line)# line vty 0 4
VictimRouter(config-line)# no exec-timeout
VictimRouter(config-line)# no session-timeout
VictimRouter(config-line)# login local
VictimRouter(config-line)# transport input ssh
VictimRouter(config-line)# exit
VictimRouter(config)# username iprouteth0 privilege 0 password 0 cmepass
VictimRouter(config)# int fa0/0
VictimRouter(config-if)# ip address dhcp
VictimRouter(config-if)# no shut
VictimRouter(config-if)# end
VictimRouter# erase flash:
VictimRouter# format flash:
Phase two consists of uploading the Call Manager Express web GUI to the router, configuring the web interface, and testing that it works. The web GUI isn't strictly needed for the SIP VoIP testing, but it gives you something else to attack, and can be pretty cool to mess around with. Later I may include adding Cisco-style phone configurations as well (SCCP and MGCP VoIP protocols). Uploading the cme-full tarball is needed for SCCP and MGCP phone registrations.
Video for Phase two
Here are the commands I used in the router for phase two.
Code:
VictimRouter# archive tar /xtract ftp://192.168.25.254/cme-full-7.1.0.0.tar flash:
VictimRouter# conf t
VictimRouter(config)# no ip http server
VictimRouter(config)# ip http secure-server
VictimRouter(config)# ip http path flash:/gui
VictimRouter(config)# telephony-service
VictimRouter(config-telephony)# web admin system name iprouteth0 password cmepass
VictimRouter(config-telephony)# dn-webedit
VictimRouter(config-telephony)# time-webedit
And on to phase three, in which we will be configuring our SIP server on the device and setting up the configurations so our SIP phones can register to the CME router. I like to use twinkle, but there are any number of SIP softphones out there.
Code:
root@bt:~# apt-get install twinkle
The MAC addresses used for the phone config are the addresses from the eth0 adapters for each BackTrack VM. Two VMs are needed, as with one softphone, port 5060 is used up on that device. Here are the commands I used for this phase in the router.
Code:
VictimRouter# conf t
VictimRouter(config)# voice service voip
VictimRouter(conf-voi-serv)# allow connections sip to sip
VictimRouter(conf-voi-serv)# sip
VictimRouter(conf-serv-sip)# registrar server
VictimRouter(conf-serv-sip)# exit
VictimRouter(conf-voi-serv)# exit
VictimRouter(config)# voice register global
VictimRouter(config-register-global)# mode cme
VictimRouter(config-register-global)# source-address 192.168.25.118 port 5060
VictimRouter(config-register-global)# max-dn 10
VictimRouter(config-register-global)# max-pool 10
VictimRouter(config-register-global)# authenticate realm pentest-client.com
VictimRouter(config-register-global)# tftp-path flash:
VictimRouter(config-register-global)# create profile
VictimRouter(config-register-global)# exit
VictimRouter(config)# voice register dn 1
VictimRouter(config-register-dn)# number 31337
VictimRouter(config-register-dn)# name 31337
VictimRouter(config-register-dn)# voice register dn 2
VictimRouter(config-register-dn)# number 4444
VictimRouter(config-register-dn)# name metasploit
VictimRouter(config-register-dn)# voice register pool 1
VictimRouter(config-register-pool)# id mac 0800.276c.0223
VictimRouter(config-register-pool)# number 1 dn 1
VictimRouter(config-register-pool)# username 31337 password cmepass
VictimRouter(config-register-pool)# codec g711ulaw
VictimRouter(config-register-pool)# voice register pool 2
VictimRouter(config-register-pool)# id mac 0800.27e2.51b1
VictimRouter(config-register-pool)# number 1 dn 2
VictimRouter(config-register-pool)# username 4444 password cmepass
VictimRouter(config-register-pool)# codec g711ulaw
And here is the phase three video
Please leave feedback if you feel this is at all useful for you or interesting. Also I appreciate said feedback and also your patience as I continue to work on documenting the related backtrack tools I will use. Currently transitioning from Virtualbox OSE to VMWare workstation 7 x86_64 to see if it will fix some gentoo alsa issues slowing my progress.
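As an added example (not part of the original tutorial and not Cisco's or twinkle's code), the Python below walks through both sides of the digest exchange a softphone performs when it registers with the realm and pool credentials configured in phase three. It assumes the router challenges REGISTER with RFC 2617 MD5 digest authentication without qop; the nonce, the request URI and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

REALM = "pentest-client.com"                     # page: authenticate realm
POOLS = {"31337": "cmepass", "4444": "cmepass"}  # page: pool username/password
REGISTRAR_URI = "sip:192.168.25.118"             # assumed URI (source-address)

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(value):
    """Turn 'Digest k="v", k2=v2' into a dict of parameters."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)
    return {key: quoted or bare for key, quoted, bare in pairs}

def challenge(nonce):
    """Registrar: WWW-Authenticate value sent in the 401 reply."""
    return f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'

def authorize(www_authenticate, username, password, method="REGISTER"):
    """Softphone: Authorization value for the retried request."""
    c = parse_digest(www_authenticate)
    resp = digest_response(username, c["realm"], password, method,
                           REGISTRAR_URI, c["nonce"])
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{REGISTRAR_URI}", '
            f'response="{resp}", algorithm=MD5')

def verify(authorization, method, issued_nonce):
    """Registrar: recompute the response from the stored password."""
    a = parse_digest(authorization)
    password = POOLS.get(a.get("username", ""))
    if password is None or a.get("realm") != REALM or a.get("nonce") != issued_nonce:
        return False
    expected = digest_response(a["username"], REALM, password, method,
                               a.get("uri", ""), issued_nonce)
    return hmac.compare_digest(expected, a.get("response", ""))

if __name__ == "__main__":
    nonce = "constructed-nonce-0001"   # constructed sample value
    auth = authorize(challenge(nonce), "31337", "cmepass")
    print(auth, verify(auth, "REGISTER", nonce))
```

The response is bound to the realm, the method and the nonce, so the realm entered in the softphone's account settings has to match the `authenticate realm` value on the router or registration fails even with the right password.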


