Friday, November 22, 2013

A new kind of old-school phone hacking


Image source: www.itechfreak.com

After analysing the logs we obtained, it was obvious that the calls made were successful attempts to place calls to expensive and exotic numbers; the biggest destination was Sierra Leone, one of the most common places these thieves dial.

What was involved:

1) Two PABXes: PBX A, and PBX B, an Asterisk box running FreePBX

2) A toll-free number, e.g. 1800XX

Please note, this attempt was NOT via SIP (or hacked extensions) but pure PSTN, and therefore it can happen to anyone who connects to an Asterisk box or, for that matter, any kind of PABX.

 

What happened?

(Flow chart of the attack; the steps are listed below)

  1. The thief dials the toll-free number (1800XX, for example) and realises there is a full PABX behind it
  2. The call is received by PBX A, which simply forwards it to PBX B
  3. PBX B has a forwarding number (via follow-me) pointing to a queue. Because of this, the context the call now rides on is “from-internal”: the call has effectively moved from “from-trunk” to “from-internal”, commonly known as the “ALLOW ANY” rule
  4. While the forward is reaching its destination (on ring or on answer), the caller does a blind transfer in Asterisk/FreePBX by dialling ##
  5. The caller then dials a new destination. The arbitrarily created user, e.g. 1000, becomes the source, and whatever destination the thief dials becomes the destination.

Notes about this attack

  • The thief dials 1800XX a few hundred times to do reconnaissance on which equipment you use
  • Once they find out, they research the equipment you use; in this particular case it was Asterisk/FreePBX
  • They then attempt the call as per the flow chart above and successfully make calls

 

What you should know about this method

  1. It is doable on any Asterisk/FreePBX that has a forwarded context which is not secure, e.g. from-internal, or any kind of follow-me on an extension (or the extension itself), which inherits that extension’s context
  2. It is normally done through toll-free numbers, so the thief’s attempts, whether reconnaissance or actual calls, are free for them

 

What should you do? – And make this a habit when deploying any Asterisk/FreePBX solution for your customers!

  1. Block international calls to exotic numbers (I have a list of numbers very commonly used in these kinds of hacks, as well as very expensive calling routes)
  2. Change the from-internal-xfer context, restricting it to calling internal extensions only
  3. Enable PIN-based dialling for international calls on your Outbound Routes
  4. Monitor international calls, always
  5. Inform your telco to monitor your calls and put a cap on the maximum number of calls that can be made by you
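A defender-side check for the pattern described in this post, added here as an example that is not part of the original article: it scans Asterisk CDR rows (Master.csv field order) for an inbound trunk leg executing in an internal context, for calls to a costly destination, and for a burst of calls to the toll-free DID. The DAHDI trunk naming, the page's 1800XX placeholder DID, the 232 (Sierra Leone) prefix list and the sample CDR rows are assumptions or constructed data.

```python
"""Flag Asterisk CDR rows matching the toll-free/blind-transfer fraud pattern.
Added example, not from the original post; the sample CDR rows are constructed."""
import csv
from collections import Counter
from io import StringIO

# Asterisk Master.csv column order
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid", "userfield"]
# Assumptions: PSTN trunk channels are DAHDI, the toll-free DID is the page's 1800XX
# placeholder, and 232 (Sierra Leone) heads the expensive-destination list.
TRUNK_PREFIX = "DAHDI/"
TOLLFREE_DID = "1800XX"
EXPENSIVE_PREFIXES = ("011232", "00232")
RECON_THRESHOLD = 3          # the post saw hundreds; kept low for the small sample
# An inbound trunk leg whose dialplan context is an internal one is exactly the
# "from-trunk became from-internal" condition the post describes.
INTERNAL_CONTEXTS = {"from-internal", "from-internal-xfer"}
# Constructed rows: three probes of the DID, the fraudulent transferred leg, one normal call
SAMPLE_CDR = """\
"",2125550100,1800XX,from-trunk,"",DAHDI/1-1,SIP/1000-0001,Dial,"SIP/1000,20",2013-11-20 02:10:01,,2013-11-20 02:10:09,8,0,NO ANSWER,3,1384913401.1,
"",2125550100,1800XX,from-trunk,"",DAHDI/1-2,SIP/1000-0002,Dial,"SIP/1000,20",2013-11-20 02:11:30,,2013-11-20 02:11:36,6,0,NO ANSWER,3,1384913490.2,
"",2125550100,1800XX,from-trunk,"",DAHDI/1-3,SIP/1000-0003,Dial,"SIP/1000,20",2013-11-20 02:13:02,2013-11-20 02:13:10,2013-11-20 02:13:40,38,30,ANSWERED,3,1384913582.3,
"",1000,011232761234567,from-internal,"",DAHDI/1-3,DAHDI/2-1,Dial,"DAHDI/g0/011232761234567,300",2013-11-20 02:13:40,2013-11-20 02:13:55,2013-11-20 03:02:00,2900,2885,ANSWERED,3,1384913620.4,
"",1012,2125559876,from-internal,"",SIP/1012-0004,DAHDI/2-2,Dial,"DAHDI/g0/2125559876,300",2013-11-20 09:00:00,2013-11-20 09:00:05,2013-11-20 09:04:00,240,235,ANSWERED,3,1384938000.5,
"""

def parse_cdr(text):
    """Parse CSV text into dicts keyed by Master.csv field names."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]

def find_fraud_indicators(rows):
    """Return (rule, src, dst, detail) tuples for every suspicious row or caller."""
    findings, probes = [], Counter()
    for r in rows:
        if r["channel"].startswith(TRUNK_PREFIX) and r["dcontext"] in INTERNAL_CONTEXTS:
            findings.append(("trunk-leg-in-internal-context", r["src"], r["dst"], r["uniqueid"]))
        if r["dst"].startswith(EXPENSIVE_PREFIXES):
            findings.append(("expensive-destination", r["src"], r["dst"], r["uniqueid"]))
        if r["dst"] == TOLLFREE_DID:
            probes[r["src"]] += 1        # repeated dialling of the DID = reconnaissance
    for src, n in probes.items():
        if n >= RECON_THRESHOLD:
            findings.append(("tollfree-recon-burst", src, TOLLFREE_DID, str(n)))
    return findings

if __name__ == "__main__":
    print(*find_fraud_indicators(parse_cdr(SAMPLE_CDR)), sep="\n")
```

On a live system the same function can be fed /var/log/asterisk/cdr-csv/Master.csv, with the trunk prefix and DID adjusted to your deployment.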

Saturday, November 16, 2013

FreePBX/Asterisk – Per User Pin Set for the poor man

Firstly, FreePBX’s PRO module does this with such elegance: http://www.schmoozecom.com/pinsetpro.php. Do support the FreePBX team, make the purchase and keep those devs motivated :-). Thank you for helping!

 

This article describes, step by step, how to do a poor man’s PINSET per user/extension in FreePBX. Why? Because users keep sharing pinsets and no one takes responsibility for their usage.

It may not be the prettiest way of doing things, but it sure does the job :-)

 

What you need to use this, and other things to know

  1. FreePBX 2.8 / Asterisk 1.8 or higher (may work on lower versions)
  2. If using FreePBX 2.10 or higher, there’s a setting to bypass the PIN (pinless dialing), which this guide/hack “supports”: if you enable pinless for a user, they won’t need a PIN.
  3. This method hacks the FreePBX-generated configs using the _override_ file, so be sure you know the repercussions of doing so, e.g. you will lose some configs made in the GUI (except for the Record in CDR value)
  4. If using Record in CDR, this method honours that request and records the value in the Account Code column inside asteriskcdrdb
  5. If the pinset number n for which we defined the custom pinset is used, the call goes through the custom (per-user) method; otherwise it falls back to the pinsets generated by the PinSet module in the FreePBX GUI and works like the normal pinset module. Therefore, it does not affect the other pinsets you have been using.
  6. If a particular user does not have voicemail, or you do not want voicemail for that extension, this method will not work. All you have to do is be creative and use another location/method to read the PIN from
  7. Why do I use the voicemail password? Simple: because it is user-manageable through the Asterisk Recording Interface (FreePBX GUI) or the VoiceMailMain app on Asterisk (when you dial *97)

 

Ok here are the steps:

  1. Create “USER-PINSET” in the Pin Set module in FreePBX; optionally fill in the usual “Uses our…” description
  2. NOTE: You can select Record in CDR or not; this will be honoured in this custom per-user pinset method
  3. When pinsets are created, they are placed in the chronological order in which they were created, so if you created this particular pinset as the 3rd one, remember that order/number, we will use it later. In my example, this is my first ever created pinset, so it has the chronological order of 1.
  4. The second one I created (AA-Second) will be no. 2, and so on…
  5. Now, create the file /var/lib/asterisk/agi-bin/vmbasedpin.sh and paste the following content into it;
  6. Change the location in vmconfloc if needed. In most cases you don’t have to.

    #!/bin/bash
    #by sanjay@astiostech.com
    # Prints the voicemail PIN of the extension given with -E, with no trailing
    # newline, or the literal string ERR when it cannot be determined.
    vmconfloc="/etc/asterisk/voicemail.conf"
    #
    while test -n "$1"; do
        case "$1" in
            -E)
                ext=$2
                shift
                ;;
        esac
        shift
    done
    #
    # ERROR CHECKING FOR INPUTS (no extension given, or no readable voicemail.conf)
    if [[ -z "$ext" || ! -r "$vmconfloc" ]]; then
        printf 'ERR'
        exit 1
    fi
    #
    #Get pin stored in conf file. Lines look like "1000 => 9999,Name,email,...";
    # anchor on the mailbox number so that -E 100 does not also match mailbox 1000
    # (or an e-mail address containing 100), and take the first match only.
    mypin=$(grep -m1 -E "^[[:space:]]*${ext}[[:space:]]*=>" "$vmconfloc" | cut -d '>' -f2 | cut -d , -f1 | tr -d " \n\r")
    if [[ -z "$mypin" ]]; then
        printf 'ERR'
        exit 1
    else
        printf '%s' "$mypin"
        exit 0
    fi

  7. Make the file executable and make the asterisk user own it; in my case the asterisk user/group is asterisk
    #chmod +x /var/lib/asterisk/agi-bin/vmbasedpin.sh
    #chown asterisk:asterisk /var/lib/asterisk/agi-bin/vmbasedpin.sh
  8. The above script reads the voicemail configuration file, normally located in /etc/asterisk/voicemail.conf. It only reads and doesn’t write anything, so no special permissions are required. If this file doesn’t exist, it means no user has voicemail enabled on the system.
  9. Now, edit the file /etc/asterisk/extensions_override_freepbx.conf and paste the context below into it, anywhere
  10. Define the order in which this special “USER-PINSET” was created; in my case it’s the first pinset, therefore it’s 1, see the Set(MYCUSTOMPIN=1) line below

    [macro-pinsets]
    include => macro-pinsets-custom
    exten => s,1,NoOp(Starting custom PINSETS)
    ; Chronological number of the "USER-PINSET" created in the Pin Set module
    exten => s,n,Set(MYCUSTOMPIN=1)
    ; ARG1 = pinset number from the outbound route, ARG2 = "Record in CDR" flag
    exten => s,n,GotoIf($["${MYCUSTOMPIN}" = "${ARG1}"]?mypinset,1)
    ;
    ; Any other pinset: use the pinset_N file generated by FreePBX; pinless users skip Authenticate
    exten => s,n,GotoIf($["${ARG2}" = "1"]?cdr,1)
    exten => s,n,ExecIf($["${DB(AMPUSER/${AMPUSER}/pinless)}" != "NOPASSWD"]?Authenticate(/etc/asterisk/pinset_${ARG1}))
    exten => s,n,ExecIf($["${DB(AMPUSER/${AMPUSER}/pinless)}" != "NOPASSWD"]?ResetCDR())
    ;
    exten => cdr,1,ExecIf($["${DB(AMPUSER/${AMPUSER}/pinless)}" != "NOPASSWD"]?Authenticate(/etc/asterisk/pinset_${ARG1},a))
    exten => cdr,n,ExecIf($["${DB(AMPUSER/${AMPUSER}/pinless)}" != "NOPASSWD"]?ResetCDR())
    ;
    ; Per-user pinset: the PIN is read from voicemail.conf for the calling extension (AMPUSERCID)
    exten => mypinset,1,NoOp(Custom Pinsets)
    exten => mypinset,n,GotoIf($["${ARG2}" = "1"]?mypinset-cdr,1)
    exten => mypinset,n,Set(MYPRIVATEPIN=${SHELL(/var/lib/asterisk/agi-bin/vmbasedpin.sh -E ${AMPUSERCID})})
    exten => mypinset,n,ExecIf($["${DB(AMPUSER/${AMPUSER}/pinless)}" != "NOPASSWD"]?Authenticate(${MYPRIVATEPIN}))
    exten => mypinset,n,ExecIf($["${DB(AMPUSER/${AMPUSER}/pinless)}" != "NOPASSWD"]?ResetCDR())
    ;
    ; Same as above, but the ",a" option stores the PIN in the CDR accountcode (Record in CDR)
    exten => mypinset-cdr,1,NoOp(Custom Pinsets)
    exten => mypinset-cdr,n,Set(MYPRIVATEPIN=${SHELL(/var/lib/asterisk/agi-bin/vmbasedpin.sh -E ${AMPUSERCID})})
    exten => mypinset-cdr,n,ExecIf($["${DB(AMPUSER/${AMPUSER}/pinless)}" != "NOPASSWD"]?Authenticate(${MYPRIVATEPIN},a))
    exten => mypinset-cdr,n,ExecIf($["${DB(AMPUSER/${AMPUSER}/pinless)}" != "NOPASSWD"]?ResetCDR())

  11. Important: The variable AMPUSERCID must contain a value, otherwise this will not work; or use your own variable if you know what you’re doing. FreePBX users need not worry, this value should always be there!
  12. You can first test whether the script vmbasedpin.sh is executable; here I am testing for user 1000, which should return the value 9999 (her voicemail PIN)
    #/var/lib/asterisk/agi-bin/vmbasedpin.sh -E 1001
  13. IMPORTANT: If there’s no voicemail password/PIN defined, or there was an error, or it can’t find the extension, or no -E value was passed, the output value ERR is returned; therefore it’s impossible for a user to make that particular call when this pinset is used.
  14. Now, simply edit your outbound route to use this pinset.
  15. Go to a particular user’s configuration page and add/edit their voicemail password.
  16. Click on Apply Config or reload the dialplan via CLI.
  17. And here’s how the CLI looks when making a call (I am using extension 1058, with a PIN defined in my voicemail as 1012).
  18. Notice the MYPRIVATEPIN=1012; yes, that was read off the voicemail.conf file
  19. And since I checked the “Record in CDR” flag on that pinset inside FreePBX, the authentication passes the “,a” option
  20. Putting the value in the CDR allows me to run reports using FreePBX’s CDR Report tool and filter on the “Account Code” column, where the pinset used when dialling is recorded.
  21. Enjoy and as usual, do give us feedback!
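As an added example (not the post's own code), the lookup and the branching of the override above modelled in Python so the edge cases can be checked without a PBX: the voicemail.conf text is constructed, and pinset_action() mirrors [macro-pinsets] (ARG1 = pinset number on the route, ARG2 = Record in CDR, the AMPUSER/<ext>/pinless AstDB value, and AMPUSERCID as the calling extension). Matching on the whole mailbox number also shows why a bare grep for the extension must be anchored.

```python
"""Model of the per-user PIN lookup and the macro-pinsets branch choice.
Added example, not the post's code; VOICEMAIL_CONF below is constructed."""
import re

# Constructed voicemail.conf: note mailbox 100 vs 1000 and a mailbox with no PIN
VOICEMAIL_CONF = """\
[general]
format=wav49|gsm|wav

[default]
100 => 4321,Front Desk,desk@example.com
1000 => 9999,Jane,jane@example.com,,attach=no|saycid=yes
1058 => 1012,Sanjay,,
1077 => ,No Pin,nopin@example.com
"""

# "<mailbox> => <pin>,..." with the mailbox number captured whole
MAILBOX_RE = re.compile(r"^\s*(\d+)\s*=>\s*([^,]*)")

def vm_pin(conf_text, ext):
    """Return the mailbox PIN for ext, or "ERR" (same contract as vmbasedpin.sh).
    Comparing the captured mailbox number avoids 100 matching 1000 or an e-mail."""
    for line in conf_text.splitlines():
        m = MAILBOX_RE.match(line)
        if m and m.group(1) == ext:
            pin = m.group(2).strip()
            return pin if pin else "ERR"
    return "ERR"

def pinset_action(arg1, arg2, pinless, ampusercid, custom_pin_no=1, conf=VOICEMAIL_CONF):
    """Return the Authenticate() call the override would execute, or None if the
    AMPUSER/<ext>/pinless value NOPASSWD lets the caller skip the PIN entirely."""
    if pinless == "NOPASSWD":
        return None
    record = ",a" if str(arg2) == "1" else ""          # Record in CDR -> accountcode
    if str(arg1) == str(custom_pin_no):                 # the special USER-PINSET
        return f"Authenticate({vm_pin(conf, ampusercid)}{record})"
    return f"Authenticate(/etc/asterisk/pinset_{arg1}{record})"

if __name__ == "__main__":
    print(pinset_action(1, 1, "", "1058"))             # Authenticate(1012,a)
```

A PIN of "ERR" cannot be keyed in on a phone, which is what makes the missing-PIN case block the call rather than let it through.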