Categories
Asterisk Hacking

Hacking voicemail: Warning, it’s scary simple.

Disclaimer: I do not under any circumstance condone hacking/phreaking or any other illegal activities.  This is an extremely simple proof of concept attack that should raise your awareness about the lack of security in voicemail networks and why you should never leave confidential information on any voicemail system.

Stealing voicemail is much easier simpler than most people believe.  Many voicemail systems use the caller ID number as the username for authentication for voicemail.  When no PIN number is set, simply spoofing caller ID allows an attacker to access to listen and delete voicemail, listen to deleted voicemail messages, modify call forwarding, and other account options.  I discovered this accidentally during testing while working on setting up my own phone server’s outbound caller ID.

How hard is it to spoof caller ID?  It’s extremely easy, a simple Asterisk phone server setup and a SIP PSTN service provider is all you need (to be anonymous, simply sign up for a SIP account using an email address only ever accessed through a VPN tunnel/Tor).  Just set the outbound caller ID to the number to be attacked and then dial the number to be attacked.  If there is a PIN number set, a simple script to try the last 4 digits of the number being attacked and the most common sequences (1234, 1111, etc) is easy enough to write.  Ensure the phone server is connecting to the SIP provider through anonymizing services such as VPN/Tor when making calls.

I have tested this on numbers that I own or manage voicemail on across several major US service providers.  I have been able to successfully attack all of them.  Some providers will pass the call through to the attacked phone (leaving a missed call) but will eventually go to voicemail if unanswered.

So why am I giving instructions?  Really, it’s more of a warning.  If you don’t have a PIN set, get it set.  If you see missed calls from your own number, then there is a good chance that someone is trying to hack your voicemail.  Don’t ever leave confidential or sensitive information in a voicemail.

Categories
Asterisk

FreePBX Star Wars Ring Cadence Hack


I spend most of my time working on Asterisk based phone systems.  The majority of the installs that I work on are based on the FreePBX distro which is quite user friendly but limited in ability to change very low level settings.  When building out my own personal system, I opted to use the FreePBX distro but also wanted to add fun customization to the system.  Below is an outline of how I setup FreePBX to playback a custom Star Wars Theme cadence (thanks to O’Reilly eBook – Asterisk: The Definitive Guide for the cadence structure).

DO NOT DO THIS ON A PRODUCTION SYSTEM

  • Ring cadences for Asterisk are stored in a core Asterisk file /etc/asterisk/indications.conf.  This file is not directly editable as FreePBX overwrites this file with data stored in a MySQL database.
  • Personally, my MySQL CLI skills are not up to scratch so I cheated and installed phpMyAdmin.  If you have installed FreePBX straight from the distro then you are running Centos; the command to install phpMyAdmin is:yum install phpmyadmin
  • Log into phpMyAdmin (http://{PBX Server Address}/phpmyadmin)
  • You should have a database called “asterisk” available to browse, drill down into that database.
    image
  • Next find the table within the database named: indications_zonelist
    image
  • In the table that opens, copy the country zone that you are currently in, we only want to change the ring cadenceimage
  • This should open an editor, see changes below.  Press “Go” when done.  Don’t worry about the blob right now.
    image
  • You should be back at the table now, download the blob for “The Rebel Alliance” zone and open it in a text editor.image
  • Find the ring section of the file and delete both of the cadences following “ring =” and replace them with:
    ring = 262/400,392/500,0/100,349/400,330/400,294/400,524/400,392/500,0/100,349/400,330/400,294/400,524/400,392/500,0/100,349/400,330/400,349/400,294/500,0/2000
    image
  • Save the edited file and upload the blob back to “The Rebel Alliance” indication zone.  Click “Go” to upload and save.
    image
  • Next we need to locate an Asterisk database table “freepbx_settings”
    image
  • Find and edit an entry called “TONEZONE”
    image
  • Within “TONEZONE” find the “Options” line.  Copy and paste the entry into a text editor.
    image
  • The syntax is as follows:
    The first line is the total number of items in the list, increment this number by 1 (in my case I went from 53 to 54).The entry syntax is “s:{total number of characters in the short description}:”{short description}”;s:{total number of characters in the long description}:”{long description}”;  If you used the naming convention above then your entry will look like below:s:8:”StarWars”;s:18:”The Rebel Alliance”;
  • Paste the line into a position that reflects it’s position alphabetically.  Press “Go” to save.
  • Head back over to your FreePBX web GUI and head to the advanced settings page.
    image
  • Scroll down and find “Country Indication Tones” and change it to your newly created group, save setting, and reload.
    image

You should now be able to test calling between 2 SIP phones with your new ring cadence.

Enjoy!