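#!/bin/sh
# phorensix v.1
# J. Oquendo / sil @ infiltrated dot net
# 01/11/11
#
# Phorensix is a post-login VoIP forensics tool created for
# Asterisk (tested on Asterisk 1.4.5 to be exact).
#
# Phorensix takes a look at a rogue host connecting to a vulnerable
# account. Who is connecting, where are they coming from, what are they
# doing to my PBX, what are they doing ON MY PBX.
#
# It is a work in progress that can be scripted to take a list of
# accounts, and do the legwork... It uses tshark to capture a 2 minute
# network conversation between the attacker and host, does a quick
# lookup to see where the attacker is coming from, checks against
# rogue hosts via Shadowserver and can also block that subnet if need
# be.
#
# Because of the variances on Asterisk and the logging, I decided to
# ignore the bruteforcers, create an account (100) with a simple
# password (100) which would allow any brute forcer instance access
# to the account. This allows me to focus solely on people who are
# actually trying to make calls.
#
# Why shell, I use {perl,ruby,python,etc}@!? Simple; everyone's
# system differs. Rather than create a makefile and install yet more
# software on your machine, the system relies on what's almost
# always going to be available. Ugly, but functional.
#
# Requires: tshark and... that's it. Change the email address to get
# alerts sent upon the someone logging onto the honeypot.
#
#####################################################################
#                                                                   #
#               Sample extensions.conf context                      #
#                                                                   #
#####################################################################
#
# [phorensix]
#
# ; First get and document the information for an attacker
# ; and place that information in a file
#
# exten => _X.,1,system(echo "${EXTEN} ${STRFTIME(${EPOCH},EDT,%F-%T)} - ${CALLERID} - ${CHANNEL}" >> /usr/phorensix/calls)
#
# ; Here we will answer a call 50% of the time. This variable is inverted
# ; so to answer say 10% of the calls, the number needs to be 90. Don't
# ; ask about the backwardness (Asterisk)
#
# exten => _X.,2,GotoIf($[${RAND(0,99)} + 50 >= 100]?s|1)
#
# ; Everything else simply gets recorded for evidence, etc., no one
# ; would want to consistently answer 1+ calls per second. It's not
# ; necessary.
#
# exten => _X.,1,system(/usr/local/bin/phorensix&)
# exten => _X.,2,Answer
# exten => _X.,3,Record(/usr/phorensix/recordings/phorensix%d:wav)
# exten => _X.,4,Wait(5)
# exten => _X.,5,Hangup
#
#
# exten => s,1,system(/usr/local/bin/phorensix&)
# exten => s,2,Dial(SIP/your.account.if.you.want.to.answer.phones)
# exten => s,3,Hangup
#
#####################################################################
#                                                                   #
#               Sample sip.conf context                             #
#                                                                   #
#####################################################################
#
# [100]
# username=100
# secret=100
# canreinvite=no
# host=dynamic
# nat=yes
# canreinvite=no
# allow=ulaw
# disallow=all
# qualify=yes
# context=phorensix
# dtmfmode=rfc2833
# type=friend
# callerid=Phorensix 100<12125551212>
# alwaysauthreject=yes

# Root of the evidence tree; one case directory is created per run.
PHORENSIX_HOME=/usr/phorensix
# Address that receives the alert when the honeypot account is used.
ALERT_MAILTO=your@email.address.goes.here.com
# Length of the tshark capture, in seconds.
CAPTURE_SECONDS=120
# What "sip show peer" prints for Addr->IP when nobody is registered.
peer='(Unspecified)'

# A typo in a variable name would otherwise expand to an empty path
# component under $PHORENSIX_HOME; make it a hard error instead.
set -u

# Print a diagnostic on stderr and exit non-zero.
die() {
  printf 'phorensix: %s\n' "$*" >&2
  exit 1
}

# Print the address the honeypot account (100) is currently registered from,
# as reported by the running Asterisk.
peer_addr() {
  asterisk -rx "sip show peer 100" | strings | awk '/Addr/{print $3}'
}

# Succeed only if $1 is a dotted-quad IPv4 address.  The peer address becomes
# a directory name and an argument to whois/tshark/traceroute, so anything
# that does not look like an address is refused rather than interpolated.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  [ "$(printf '%s\n' "$1" | awk -F. 'NF == 4 && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255')" = "$1" ]
}

# Investigate the host currently registered on the honeypot account once:
# whois lookup, packet capture, traceroute, checksums, alert mail.
#
# Runs a single investigation per invocation.  The previous version wrapped
# this in "while true", which never terminated while the attacker stayed
# registered: each pass started another 120 s tshark writing to the same
# .cap file and sent another mail, and extensions.conf starts one instance
# per call.
main() {
  attacker=$(peer_addr)

  # Nobody is registered on the honeypot account: nothing to look at.
  [ "$attacker" = "$peer" ] && exit 0
  [ -n "$attacker" ] || die "could not read the peer address from asterisk"
  is_ipv4 "$attacker" || die "refusing to handle unexpected peer address: $attacker"

  # Date plus time of day: with the date alone a second trigger on the same
  # day silently overwrote the trace and checksum files of the first.
  now=$(date +%Y%m%d-%H%M%S)
  casedir=$PHORENSIX_HOME/$attacker-$now
  mkdir -p "$casedir" || die "cannot create $casedir"

  lookup=$casedir/shadowlookup-$attacker-$now.txt
  capture=$casedir/$attacker-$now.cap
  trace=$casedir/$attacker-trace.txt
  sums=$casedir/$attacker-$now-checksum.txt

  # Who owns the address / is it a known rogue host (Shadowserver ASN lookup).
  # Called directly; the old "echo ... | sh" re-parsed the address as shell.
  whois -h whois.asn.shadowserver.org "peer $attacker verbose" >> "$lookup"

  # Capture the conversation with the attacker in the background while the
  # traceroute runs.
  tshark -R "ip.addr == $attacker" -w "$capture" -a "duration:$CAPTURE_SECONDS" | grep -vi specified &
  capture_job=$!

  traceroute "$attacker" > "$trace"

  # The capture must be complete before it is hashed: the old version hashed
  # the .cap while tshark was still writing it, so the recorded checksum did
  # not match the file that was kept as evidence.
  wait "$capture_job"

  md5sum "$lookup" "$capture" "$trace" > "$sums"

  host=$(hostname)
  printf '%s\n%s\n%s\n' "$host" "attacker: $attacker" "case: $casedir" \
    | mail -s "Phorensix on $host has been triggered" "$ALERT_MAILTO"
}

main "$@"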