
Acoustic

This is our walkthrough of a vulnerable VoIP PCAP. This lab was completed quite some time ago, but we have just been so busy lately that we forgot all about it. The lab has since been retired, but it still offers knowledge and fun for new-starter or experienced defenders wanting to learn more about VoIP hacking and forensics.

Walkthrough

1) What is the transport protocol?

Answer:

UDP

2) The attacker used a bunch of scanning tools that belong to the same suite. Provide the name of the suite.

We guessed a popular SIP vulnerability tool.

Answer:

Sipvicious

3) What is the User-Agent of the victim system?

Hint: Wireshark packet 2

Answer:

Asterisk PBX 1.6.0.10-FONCORE-r40

4) Which tool was only used against the following extensions: 100,101,102,103, and 111?

Answer:

svcrack.py

5) Which extension on the honeypot does NOT require authentication?

Answer:

100

6) How many extensions were scanned in total?

Hint:

grep -A 10 "friendly-scanner" log.txt | grep "To:" | cut -f 2 -d '"' | sort | uniq | wc -l
2653

This produces 2653; however, the answer hint is ***2, so presumably extension 100 is not counted, and we subtract 1 from this result.

Answer:

2652
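The same count done in Python, as an added example that is not part of the original walkthrough: it splits raw SIP requests into headers, keeps only those whose User-Agent carries the SIPVicious "friendly-scanner" marker, and collects the distinct To: users from the SIP URI rather than from the quoted display name (so it also works where the grep/cut pipeline would miss an unquoted To:). The SIP text below is constructed for the example, not taken from the lab's log.txt.

```python
import re
from collections import Counter

# Constructed sample SIP requests (not the lab's log.txt): three SIPVicious-style
# probes tagged "friendly-scanner" and one REGISTER from a real client.
SAMPLE_LOG = """\
OPTIONS sip:100@10.0.0.5 SIP/2.0
To: "100"<sip:100@10.0.0.5>
User-Agent: friendly-scanner

REGISTER sip:10.0.0.5 SIP/2.0
To: "100"<sip:100@10.0.0.5>
User-Agent: friendly-scanner

REGISTER sip:10.0.0.5 SIP/2.0
To: "101"<sip:101@10.0.0.5>
User-Agent: friendly-scanner

REGISTER sip:10.0.0.5 SIP/2.0
To: <sip:555@10.0.0.5>
User-Agent: Zoiper rev.6751
"""

SIP_USER = re.compile(r"sip:([^@>;\s]+)@")  # user part of a SIP URI

def parse_messages(text):
    """Split raw SIP text on blank lines into (request_line, headers) pairs;
    header names are lower-cased because SIP matches them case-insensitively."""
    msgs = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        first, *rest = chunk.splitlines()
        hdrs = {k.strip().lower(): v.strip()
                for k, _, v in (ln.partition(":") for ln in rest)}
        msgs.append((first, hdrs))
    return msgs

def scanned_extensions(text, ua_marker="friendly-scanner"):
    """Distinct To: users across requests whose User-Agent contains ua_marker:
    the set the grep|cut|sort|uniq pipeline counts, taken from the URI itself."""
    exts = set()
    for _, hdrs in parse_messages(text):
        if ua_marker in hdrs.get("user-agent", ""):
            match = SIP_USER.search(hdrs.get("to", ""))
            if match:
                exts.add(match.group(1))
    return exts

def requests_per_user_agent(text):
    """Request volume per User-Agent; an enumeration scanner dominates this."""
    return Counter(h.get("user-agent", "<none>") for _, h in parse_messages(text))
```

In Wireshark the equivalent starting point is a display filter on the User-Agent header containing "friendly-scanner"; `len(scanned_extensions(...))` is the number the question asks for.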

7) There is a trace for a real SIP client. What is the corresponding user-agent? (two words, one space in between)

Answer:

Zoiper rev.6751

8) Multiple real-world phone numbers were dialed. Provide the first 11 digits of the number dialed from extension 101.

Answer:

00112524021

9) What are the default credentials used in the attempted basic authentication? (format is username:password)

Answer:

maint:password

11) Which codec does the RTP stream use? (3 words, 2 spaces in between)

Answer:

ITU-T G.711 PCMU

12) How long is the sampling time (in milliseconds)?

Hint:

  • Google G.711 sampling time

Answer:

0.125

13) What was the password for the account with username 555?

Answer:

1234

14) Which RTP packet header field can be used to reorder out of sync RTP packets in the correct sequence?

Answer:

timestamp

15) The trace includes a secret hidden message. Can you hear it?

Hint:

  • Use Wireshark's Telephony plugin

Answer:

MEXICO
