Results 1 to 1 of 1

Thread: GNS3-cisco3745 SIP Server. Preparation for simulated VoIP attacks.

  1. #1
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Midwest, USA

    Default GNS3-cisco3745 SIP Server. Preparation for simulated VoIP attacks.

    This will be a multi-staged tutorial. The purpose is to further explore the tools backtrack has to offer. The previous GNS3 tutorial demonstrated that cisco hardware platforms could be emulated with software to practice cisco auditing tools. Here I am expanding the tutorial and using the virtual cisco router as a call manager express IP PBX, using the VoIP protocol SIP in this instance. In later stages we will configure SIP and our softphones to register to our router. Similar things could be done with asterisk, but part of this it the intention of going further in the cisco realm and using GNS3 to emulate a router to act as an IPS. Those tutorials will be later. Asterisk is somewhat out of the scope of this.

    Use the previous GNS3 guide to install gns3, uml-utilities, and configure the networking. I needed to use a certain IOS version and feature set to get this to work properly. I will list this below. I also added Cisco Call Manager Express full gui for the router, and you will need another file for this. I'll leave it up to you to find a similar IOS and find the CME web GUI.

    This HowTo is a work in progress, and will be split up into phases. I will be including videos covering the steps as well as some of the basics in text. I will assume that for the cisco router configuration the video demonstrations should do fine, and will also post my final config.

    Phase one is starting GNS3, and adding a router after you have imported the IOS image you will be using for the given router platform. Next is configuring the hardware. We need quite a bit of flash space, so set PCMCIA disk0 to full capacity of 99MB. Then add another Fast Ethernet interface just for good measure. Start up the router, wait for it to become idle after booting. Calculate your IDLE-PC value. This is important as your CPU will be loaded hard if you do not. Again as GNS3 says, values marked with * are potientially better. Then we give our router a hostname, domain name,configure SSH, and clean up our flash.

    I have included a video of opening GNS3 and beginning these tasks.
    Phase 1

    These here are the cisco commands I ran on the router for phase one.
    Router> enable
    Router# conf t
    Router(config)# hostname VictimRouter
    VictimRouter(config)# enable password cmepass 
    VictimRouter(config)# ip domain name
    VictimRouter(config)# ip ssh authentication-retries 5
    VictimRouter(config)# ip ssh version 2
    VictimRouter(config)# crypto key generate rsa
    VictimRouter(config-line)# line con 0
    VictimRouter(config-line)# no exec-timeout
    VictimRouter(config-line)# no session-timeout
    VictimRouter(config-line)# line vty 0 4
    VictimRouter(config-line)# no exec-timeout
    VictimRouter(config-line)# no session-timeout
    VictimRouter(config-line)# login local
    VictimRouter(config-line)# transport input ssh
    VictimRouter(config-line)# exit
    VictimRouter(config)# username iprouteth0 privilege 0 password 0 cmepass
    VictimRouter(config)# int fa0/0
    VictimRouter(config)# ip address dhcp
    VictimRouter(config)# no shut
    VictimRouter(config)# exit
    VictimRouter# erase flash:
    VictimRouter# format flash:

    Phase two consists of uploading the Call Manager Express web gui to the router, configuring the web interface, and testing that it works. The web gui isnt strictly needed for the SIP VoIP testing, but it gives you something else to attack, and can be pretty cool to mess around with. Later I may include adding cisco style phone configurations as well(SCCP and MGCP VoIP protocols.) Uploading the cme-full tarball is needed for SCCP and MGCP phone registrations.

    Video fpr Phase two

    Here are the commands I used in the router for phase two.
    VictimRouter# archive tar /xtract flash:
    VictimRouter# conf t
    VictimRouter(config)# no ip http server
    VictimRouter(config)# ip http secure-server
    VictimRouter(config)# ip http path flash:/gui
    VictimRouter(config)# telephony-service
    VictimRouter(config-telephony)# web admin system name iprouteth0 password cmepass
    VictimRouter(config-telephony)# dn-webedit
    VictimRouter(config-telephony)# time-webedit
    And on to phase three, with which we will be configuring our SIP server on the device, and setting up the configurations so our SIP phones can register to the CME router. I like to use twinkle, but there are any number of SIP softphones out there.
    root@bt:~# apt-get install twinkle
    The mac addresses used for the phone config are the addresses from the eth0 adapters for each backtrack VM. Two VMs are needed as with one softphone, port 5060 is used up on that device. Here are the commands I used for this phase in the router.
    VictimRouter# conf t
    VictimRouter(config)# voice service voip
    VictimRouter(conf-voi-serv)# allow connections sip to sip
    VictimRouter(conf-voi-serv)# sip
    VictimRouter(conf-serv-sip)# registrar server
    VictimRouter(conf-serv-sip)# exit
    VictimRouter(config)# voice register global
    VictimRouter(config-register-global)# mode cme
    VictimRouter(config-register-global)# source-address port 5060
    VictimRouter(config-register-global)# max-dn 10
    VictimRouter(config-register-global)# max-pool 10
    VictimRouter(config-register-global)# authenticate realm
    VictimRouter(config-register-global)# tftp-path flash:
    VictimRouter(config-register-global)# create profile
    VictimRouter(config-register-global)# exit
    VictimRouter(config)# voice register dn 1
    VictimRouter(config-register-dn)# number 31337
    VictimRouter(config-register-dn)# name 31337
    VictimRouter(config-register-dn)# voice register dn 2
    VictimRouter(config-register-dn)# number 4444
    VictimRouter(config-register-dn)# name metasploit
    VictimRouter(config-register-dn)# voice register pool 1
    VictimRouter(config-register-pool)# id mac 0800.276c.0223
    VictimRouter(config-register-pool)# number 1 dn 1
    VictimRouter(config-register-pool)# username 31337 password cmepass
    VictimRouter(config-register-pool)# codec g711ulaw
    VictimRouter(config-register-pool)# voice register pool 2
    VictimRouter(config-register-pool)# id mac 0800.27e2.51b1
    VictimRouter(config-register-pool)# number 1 dn 2
    VictimRouter(config-register-pool)# username 4444 password cmepass
    VictimRouter(config-register-pool)# codec g711ulaw

    And here is the phase three video

    Please leave feedback if you feel this is at all useful for you or interesting. Also I appreciate said feedback and also your patience as I continue to work on documenting the related backtrack tools I will use. Currently transitioning from Virtualbox OSE to VMWare workstation 7 x86_64 to see if it will fix some gentoo alsa issues slowing my progress.
    Last edited by iproute; 11-24-2010 at 10:45 PM.

Similar Threads

  1. Voip
    By Isohump in forum OLD BackTrack 4 General Support
    Replies: 1
    Last Post: 03-29-2010, 09:09 AM
  2. testing cisco vulnerability and GNS3
    By imported_IPRoute in forum OLD General IT Discussion
    Replies: 3
    Last Post: 09-14-2009, 09:14 AM
  3. bridge with GNS3-0.6
    By erwinvr in forum OLD BT3final Support
    Replies: 0
    Last Post: 12-31-2008, 04:35 PM
  4. VoIP sniffing
    By Booklet in forum OLD Newbie Area
    Replies: 6
    Last Post: 06-27-2008, 05:01 AM
  5. a simple GNS3 on BT3 tutorial
    By digital/divide in forum OLD Tutorials and Guides
    Replies: 0
    Last Post: 12-17-2007, 12:31 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts