This is our walkthrough of a vulnerable VoIP PCAP. We completed this lab quite some time ago, but we have been so busy lately that we forgot all about it. The lab has since been retired, but new-starter and experienced defenders wanting to learn more about VoIP hacking and/or forensics can still get knowledge and fun out of it.
1) What is the transport protocol
2) The attacker used a bunch of scanning tools that belong to the same suite. Provide the name of the suite.
We guessed a popular SIP vulnerability tool
3) What is the User-Agent of the victim system?
Hint: Wireshark packet 2
Asterisk PBX 126.96.36.199-FONCORE-r40
4) Which tool was only used against the following extensions: 100,101,102,103, and 111?
5) Which extension on the honeypot does NOT require authentication?
6) How many extensions were scanned in total?
cat log.txt | grep -A 10 "friendly-scanner" | grep "To:" | cut -f 2 -d "\"" | sort | uniq | wc -l
2653
This produces 2653; however, the answer hint is ***2, so one entry (perhaps extension 100) is not counted, and we subtract 1 from this count.
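As an added example (not part of the original walkthrough), the same per-scanner extension count done with a small SIP parser instead of grep, plus the question-5 style check for a REGISTER that gets 200 OK without ever being challenged. It runs on a constructed text dump in the blank-line-separated layout the grep pipeline assumes; the sample messages and the `log.txt` format are assumptions, not data from the lab.

```python
import re

# Constructed SIP text dump in the shape the walkthrough greps; not from the lab PCAP.
SAMPLE_LOG = """\
REGISTER sip:pbx SIP/2.0
Call-ID: a1
To: "101"<sip:101@pbx>
User-Agent: friendly-scanner

SIP/2.0 401 Unauthorized
Call-ID: a1

REGISTER sip:pbx SIP/2.0
Call-ID: b2
To: "102"<sip:102@pbx>
User-Agent: friendly-scanner

SIP/2.0 200 OK
Call-ID: b2
"""

TO_USER = re.compile(r"sip:([^@;>]+)")   # user part of the To: URI, e.g. 101

def parse_messages(text):
    """Yield (start_line, headers) per blank-line-separated SIP message."""
    for chunk in text.strip().split("\n\n"):
        start, *rest = chunk.splitlines()
        pairs = (line.partition(":") for line in rest)
        yield start, {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def extensions_by_user_agent(text):
    """Q6-style count: distinct To: extensions each request User-Agent touched."""
    seen = {}
    for start, h in parse_messages(text):
        ext = TO_USER.search(h.get("to", ""))
        if ext and not start.startswith("SIP/2.0"):   # requests only, skip responses
            seen.setdefault(h.get("user-agent", "?"), set()).add(ext[1])
    return {ua: sorted(exts) for ua, exts in seen.items()}

def registered_without_challenge(text):
    """Q5-style check: extensions whose REGISTER got 200 OK and never a 401/407."""
    calls = {}                               # Call-ID -> (extension, [status codes])
    for start, h in parse_messages(text):
        cid = h.get("call-id")
        if start.startswith("REGISTER"):
            calls[cid] = (TO_USER.search(h["to"])[1], [])
        elif start.startswith("SIP/2.0") and cid in calls:
            calls[cid][1].append(start.split()[1])
    return sorted(ext for ext, codes in calls.values()
                  if "200" in codes and not {"401", "407"} & set(codes))
```

Unlike the grep pipeline, matching responses back to their request by Call-ID is what lets the second function tell an open extension from one that merely answered.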
7) There is a trace for a real SIP client. What is the corresponding user-agent? (two words, one space in between)
8) Multiple real-world phone numbers were dialed. Provide the first 11 digits of the number dialed from extension 101?
9) What are the default credentials used in the attempted basic authentication? (format is username:password)
11) Which codec does the RTP stream use? (3 words, 2 spaces in between)
ITU-T G.711 PCMU
12) How long is the sampling time (in milliseconds)?
- Google G.711 sampling time
13) What was the password for the account with username 555?
14) Which RTP packet header field can be used to reorder out of sync RTP packets in the correct sequence?
15) The trace includes a secret hidden message. Can you hear it?
- Use Wireshark's Telephony plugin