Saturday, March 28, 2009

WarVOX, friend and foe alike.

Naturally, as more Voice over Internet Protocol systems and devices are placed somewhere in the vicinity of, well... the Internet, more interesting things are likely to occur. A look through your firewall logs has been a semi-frightening activity for some years now. In the world of Asterisk-based VoIP, you had better be watching not only your firewall logs, but your Asterisk, Apache and MySQL logs, and your CDR for added measure. Fortunately, we have tools such as OSSEC, fail2ban and Ethan Schroeder's excellent Abnormal Call Volume script (see repost at end of article) to help us out.

While I routinely use Nessus to scan for vulnerabilities, I am always on the lookout for new tools to test systems with, and one of the new kids on the block is WarVOX. At the end of the day, WarVOX is an automated dialer, with roots in the old-school autodialers of yore. Telephony hacking has been around for a long time and WarVOX is another tool to assist you in auditing your DIDs. On the other hand, you can also view WarVOX as something the dark side is going to be using (in force) to map out things to exploit in some fashion. What do you think? "Would you like to play a game?"

While there has been some blogosphere coverage, I hadn't seen much around building and using WarVOX, so using a nice hosted instance of Ubuntu 8.10, I used the following commands to make ready and install (recreated the order from the log after a dependency battle):

sudo apt-get install libstdc++6
sudo apt-get install gcc-4.3-base
sudo apt-get install ruby1.8-dev
sudo apt-get install libopenssl-ruby1.8
sudo apt-get install build-essential libiaxclient-dev sox lame ruby rake rubygems libsqlite3-ruby gnuplot

gem install mongrel

Then...

wget http://warvox.org/releases/warvox-1.0.0.tar.gz
tar -xzvf warvox-1.0.0.tar.gz
cd warvox-1.0.0
make

Change the username and password in etc/warvox.conf (inside the warvox-1.0.0 directory) and, if all goes well, you can launch it from that directory with:

./bin/warvox.rb --address yourIPaddress --port 7777

Once it is running, open a web browser and go to that address with port 7777. After login you will be greeted by the home page of your new WarVOX.

Now you have to set up a few providers; at warvox.org they suggest the following:

When thinking of war dialers, you usually were limited by the number of simultaneous connections to the PSTN you could make. WarVOX uses IAX providers, which eliminates the need for PSTN connectivity and, if you have enough bandwidth and multiple accounts, you can really speed up testing large blocks of DIDs.

In testing you need to be mindful of the target. 555-XXXX will dial 10,000 numbers, where 555-555X will dial only 10.

The number of seconds is set at 53 seconds as a default. The concept there is that providers don't charge for calls that are not answered. In testing I found that many calls did go to voicemail and therefore constitute an answered call or, more to the point, a chargeable call. Two cents each on Teliax. It is advisable to test this out and check your provider's call records to find a number of seconds that works more in your favor, but still gets the job done. Of course, if you use multiple providers, this becomes a much trickier balance.

The maximum number of outgoing lines is considered to be limited by bandwidth-->provider(s)-->trunks. I would imagine that the horsepower of the box would play a part here, but that in most cases the number of trunks one can afford would bottom out before the CPU does.

The source Caller ID is probably another place to be mindful. Not all providers are going to allow spoofing a Caller ID. On the ones that do, you can use an area code and prefix that makes the calls stand out in the CDR if you like. I use one of my own DIDs as I only test systems I am responsible for. ***Note: Just as with any other "whitehat" style of system probing, prodding and cataloging - you might consider having some form of written permission to perform such tests on systems you do not own.

Once you hit the create button the job starts...
The page will refresh occasionally until the job is finished, and once the yellow bar goes away you can check the results.
The next course of action is to click on Analyze Calls, which results (after several seconds) in this display.
The Analysis of Job ID 14 contains some interesting data, including audio files to listen to. At the moment, my test system is only maintaining one recording per job. If I scan a range, the only thing that plays back is the first thing recorded. The others appear to have been recorded in the log, so maybe I can sort that out. I did contact the developers and am hoping for a bug fix soon.

In larger scans, I was able to identify FAX and voice lines and some curious timeouts, which was useful because a manual follow-up call to those timed-out DIDs showed I had a few, out of a block of 850, that were not functioning properly.

In conclusion, WarVOX is shaping up to be a very powerful tool and something that we should be on the lookout for in our CDRs. One thing I noticed is that while Caller ID is randomized, it seems to use just one ID per job. So, if you see a succession of calls through your DIDs from one number... WarVOX may be the culprit.
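One way to look for that pattern in your own CDR, as an added example that is not part of the original post: it flags any source number that reaches many distinct DIDs inside one time window. It assumes the default Asterisk cdr_csv (Master.csv) column order; the sample rows, the find_did_sweeps name and its thresholds are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Asterisk cdr_csv (Master.csv) column order (assumed):
# accountcode,src,dst,dcontext,clid,channel,dstchannel,lastapp,lastdata,
# start,answer,end,duration,billsec,disposition,amaflags
SAMPLE_CDR = """\
"","2065550100","2065550101","from-trunk","","","","","","2009-03-28 02:00:05","","",39,0,"NO ANSWER","DOCUMENTATION"
"","2065550100","2065550102","from-trunk","","","","","","2009-03-28 02:01:05","","",53,41,"ANSWERED","DOCUMENTATION"
"","2065550100","2065550103","from-trunk","","","","","","2009-03-28 02:02:05","","",53,50,"ANSWERED","DOCUMENTATION"
"","2065550100","2065550104","from-trunk","","","","","","2009-03-28 02:03:05","","",12,0,"BUSY","DOCUMENTATION"
"","2065550100","2065550105","from-trunk","","","","","","2009-03-28 02:04:05","","",53,47,"ANSWERED","DOCUMENTATION"
"","2065550177","2065550101","from-trunk","","","","","","2009-03-28 09:15:00","","",180,175,"ANSWERED","DOCUMENTATION"
"","2065550177","2065550101","from-trunk","","","","","","2009-03-28 09:40:00","","",95,90,"ANSWERED","DOCUMENTATION"
"""

def find_did_sweeps(cdr_text, min_dids=5, window=timedelta(minutes=30)):
    """Return {src: sorted DIDs} for each caller that reached at least
    min_dids distinct DIDs within one sliding time window."""
    calls = defaultdict(list)
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) < 10:
            continue  # skip truncated or malformed records
        start = datetime.strptime(row[9], "%Y-%m-%d %H:%M:%S")
        calls[row[1]].append((start, row[2]))  # src -> (start time, dst)
    sweeps = {}
    for src, events in calls.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            dids = {dst for _, dst in events[lo:hi + 1]}
            if len(dids) >= min_dids:
                sweeps.setdefault(src, set()).update(dids)
    return {src: sorted(dids) for src, dids in sweeps.items()}

if __name__ == "__main__":
    print(find_did_sweeps(SAMPLE_CDR))
```

Tune min_dids and window to the size of your DID block; a repeat caller to a single DID, like the second number in the sample, is not flagged.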

This topic, along with some of the other security topics mentioned, will be covered during the next Open Telephony Training Seminar, April 21st~23rd in Seattle, WA. This particular event, with lodging and gourmet meals included, is being held at a special venue called The Willows Inn and we will have the place to ourselves. This is a good event to bring a spouse. They can relax while you learn. Do consider joining us.

Contact me via email - rkeller at legoebayuc.com - for special discounts to the April 2009 Open Telephony Training Seminar.


(Reprint of Ethan Schroeder's excellent script)
Well, since this thread got deleted and it contained really good information and was linked from my blog, I thought I would re-post it.
This is in reference to the following news story: http://www.news.com.au/technology/story/0,28348,24939188-5014239,...
As a result of this article, I wrote a script that runs once a day and sends email alerts if call volume increases in any of the following 4 areas:
1.) Total outbound calls in the last 24 hours is higher than the threshold % versus average outbound calls per week day over the last 30 days
2.) Total international outbound calls in the last 24 hours is higher than the threshold % versus average outbound international calls per week day over the last 30 days
3.) Total outbound call duration over the last 24 hours is higher than the threshold % versus average daily outbound call duration per week day over the last 30 days
4.) Total international outbound call duration over the last 24 hours is higher than the threshold % versus average daily outbound international call duration per week day over the last 30 days
To download and install:

wget http://public.schmoozecom.com/Abnorm...0-1.noarch.rpm
rpm -Uvh AbnormalCallVolume-1.0-1.noarch.rpm
service crond restart
nano /usr/local/sbin/abnormal.php

When editing the abnormal.php file, change the email address and, if you would like daily reports regardless of whether thresholds were met, change $daily_report = false; to $daily_report = true; If you only want to receive reports if thresholds were reached, leave this as false. You can also change the threshold percentages if you so choose. By default an email alert gets triggered if any of the four areas described above increase by 20% or more in a day.
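The four comparisons described in the repost, sketched as an added example; this is not Ethan Schroeder's script, whose source is not shown here. It assumes "per week day" means Monday to Friday, that international calls are those dialed with the NANP 011 prefix, and that call records arrive as (start, dst, duration) tuples; the sample data is constructed.

```python
from datetime import datetime, timedelta

DAY = timedelta(days=1)
INTL_PREFIX = "011"   # assumption: NANP international dialing prefix
METRICS = ("calls", "intl_calls", "duration", "intl_duration")

def abnormal_volume(calls, now, threshold_pct=20):
    """calls: (start, dst, duration_sec) tuples for outbound calls. Returns
    {metric: (last_24h_total, weekday_average)} for each metric that is
    threshold_pct or more above its Mon-Fri average over the prior days."""
    def is_weekday(k):          # k-th 24-hour window back from `now`
        return (now - (k + 1) * DAY).weekday() < 5
    recent, base = dict.fromkeys(METRICS, 0), dict.fromkeys(METRICS, 0)
    for start, dst, dur in calls:
        k = (now - start) // DAY            # 0 = last 24 h, 1..29 = baseline
        if k == 0:
            bucket = recent
        elif 1 <= k < 30 and is_weekday(k):
            bucket = base
        else:
            continue                        # weekend, future or too old
        intl = dst.startswith(INTL_PREFIX)
        bucket["calls"] += 1
        bucket["duration"] += dur
        bucket["intl_calls"] += int(intl)
        bucket["intl_duration"] += dur if intl else 0
    n_days = sum(is_weekday(k) for k in range(1, 30))   # 20 or 21 weekdays
    alerts = {}
    for name in METRICS:
        avg = base[name] / n_days
        if recent[name] > 0 and recent[name] >= avg * (1 + threshold_pct / 100):
            alerts[name] = (recent[name], avg)
    return alerts

def sample_calls(now):
    """Constructed data: steady weekday traffic, then a few long international calls."""
    calls = []
    for k in range(1, 30):
        day = now - (k + 1) * DAY
        if day.weekday() < 5:
            calls += [(day + timedelta(hours=9), "2065550123", 60)] * 10
            calls.append((day + timedelta(hours=10), "011445550123", 60))
    last = now - DAY
    calls += [(last + timedelta(hours=9), "2065550123", 60)] * 9
    calls += [(last + timedelta(hours=2), "011445550123", 600)] * 3
    return calls

if __name__ == "__main__":
    print(abnormal_volume(sample_calls(datetime(2009, 3, 28)), datetime(2009, 3, 28)))
```

In the constructed data the total call count stays under the 20% threshold while the three other metrics trip, which is why the repost tracks international calls and duration separately.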

1 comment:

Alan said...

I am a new user, but I am unable to get results and am seeing the following in the terminal. Whenever I dial any number I get the timeout graph.


DEBUG: STARTED 00xx3335189516 BYTES=0 FILE=/home/professional/Desktop/warvox-1.0.1/data/20/00xx3335189516.raw
DEBUG: COMPLETED 00923335189516 BYTES=0 FILE=/home/professional/Desktop/warvox-1.0.1/data/20/00xx3335189516.raw FAIL=1 BUSY=0 RINGTIME=39

Please help. My email is
alan4pro@gmail.com