As promised here we shall discuss a couple of ways to get root on VulnVoIP with some enumeration ‘fun’ in-between!
Assuming you’ve located the IP address, you can run a port scan and will find the following services listening (shortened for easy reference):
- 22/tcp open
- 53/tcp open domain
- 80/tcp open http
- 111/tcp open rpcbind
- 967/tcp open
- 3306/tcp open mysql
- 4445/tcp open
- 5038/tcp open asterisk
VoIP User Enumeration
In this demonstration I’m using SIPVicious to enumerate the SIP device/users and to help crack extension passwords.
The first thing to do is enumerate the end device. To do so we can use the command ./svmap.py –fingerprint 192.168.237.148
The next step is to locate valid SIP extensions. The initial command I used was ./svwar.py -D 192.168.237.148
It’s possible to specify the method used in the request. In this particular instance the INVITE request brings back valid responses ./svwar.py -D -m INVITE 192.168.237.148
If all went well you should find that 6 extensions exist. The –D option used in the previous command just searches for default extensions, so it’s generally best to use a custom range. I also found that if I specified the extensions to scan, i.e. –e100-3000, only the lower extensions were found, hence it may be best to split up long scans.