
Posted on Wednesday, 7th July 2010 by Michael

CheckPoint Site to Site VPN Audit automation with “fwm logexport and scripting”

Until recently we paid a third-party SIEM provider to report on all of our site-to-site VPN tunnels. This was due to an audit requirement that our system administrators report any time a vendor connected to a tunnel. For each connection they had to provide the start date and time, the end date and time, the duration of the connection, the source and destination addresses, the protocol and port, and the tunnel name.

Due to the cost of the third-party SIEM provider, as well as their not so wonderful service, we decided to find a replacement. The only issue was that every replacement we found cost over 100,000 a year. That is when Michael Yan and I set out to develop our own solution.

We are happy to bring you “CP-VPN-Auto-Audit 1.0”. This system is made up of 4 scripts that run together to export your logs, format them into individual per-tunnel CSV reports and then email them to the system administrators.

Posted in Code | Comments (2)

Posted on Thursday, 10th June 2010 by Michael

MJSIP: Automating the Magic Jack SIP retrieval

What is it:

MJSIP is a simple Perl script written by a co-worker and myself. It uses regular expression matching to automate finding your SIP password in the memory dump file.

MJSIP has been tested on over 50 Magic Jacks that were purchased and registered this month (6/07/10). Every Magic Jack we tested worked flawlessly.

Though this tool has been tested and we have worked out many of the bugs, there are two conditions we are aware of that will cause MJSIP not to return a password. The first is if you dumped the memory incorrectly using the SIPDump tool. The second is if your Magic Jack password contains the same letter or number more than 4 times in a row.


Posted in Papers | Comments (27)

Posted on Wednesday, 9th June 2010 by Michael

Can you pop me now?

Like most programs, Asterisk offers the ability to launch system commands from inside the application. This means it is possible for either a developer or a malicious person to execute system commands by simply editing the dial plan and making a phone call.

This is nothing new; the ability to execute system commands from within an Asterisk-based PBX has been around since it was first developed. A quick Google search for “Asterisk system command” shows it has been documented since at least 2007, according to the article found here:

http://www.voip-info.org/wiki/index.php?page_id=166

That article goes into great detail explaining how to set this up. It also points out how insecure this is and provides a few additional dial plans that can help prevent the feature from being abused.

My article is going to look at this from the malicious standpoint and how to create a true phone home.

So you have just popped a Linux box and noticed that it is running Asterisk. Besides the normal mischief you can cause, such as racking up long distance calls and recording conversations, let’s make sure you can get back in any time you want by simply making a call.


Posted in Papers | Comments (0)

Posted on Wednesday, 5th May 2010 by Michael

Overcoming SIP over NAT

On most Asterisk-based PBX forums on the internet, one of the top help questions posted is “the phone rings and I can answer it but there is no voice”, or one of many variants of that question. The issue is most likely that you are running the PBX behind NAT: your PBX sits behind your home router or your enterprise firewall and uses an RFC 1918 IP address, and you are doing either inbound port forwarding or one-to-one NAT, depending on your firewall.


Posted in Papers | Comments (1)

Posted on Friday, 2nd April 2010 by Michael

Blue Coat URL Redirection Vulnerability

The Blue Coat web filter is one of the industry’s leading web filtering solutions. It gives an organization the ability to control where its employees, vendors, customers or guests can go online.

The Blue Coat web filter has an issue where, when it hits an error, it displays a base64-encoded URL in the following format: http://blue_coat_name/?cfru=aHR0cDovL3d3dy5nb29nbGUuY29tLw==

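As an added example that is not part of the advisory: the cfru value above is base64 for http://www.google.com/, so a defender reviewing proxy logs can decode each cfru parameter and flag targets that are not the organisation's own hosts. ALLOWED_HOSTS and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): decode the cfru parameter the Blue Coat
# error page carries and flag any target that is not one of your own hosts.
# ALLOWED_HOSTS is a constructed assumption; replace it with your real hosts.
ALLOWED_HOSTS="www.example.com intranet.example.com"

# Extract the cfru= value from a URL and base64-decode it into the target URL.
# Returns 1 when the URL carries no cfru parameter.
decode_cfru() {
    b64=${1#*[?&]cfru=}
    [ "$b64" != "$1" ] || return 1
    b64=${b64%%&*}
    printf '%s' "$b64" | base64 -d 2>/dev/null
}

# Lower-cased host portion of an http(s) URL, without port or path.
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s' "$h" | tr 'A-Z' 'a-z'
}

# Succeeds only when the decoded target stays on an allowed host.
cfru_allowed() {
    target=$(decode_cfru "$1") || return 1
    host=$(url_host "$target")
    for ok in $ALLOWED_HOSTS; do
        [ "$host" = "$ok" ] && return 0
    done
    return 1
}

# Read log lines from stdin (request URL in the first field) and report
# every cfru value that decodes to an off-site target.
audit_log() {
    while read -r url rest; do
        case $url in *cfru=*) ;; *) continue ;; esac
        cfru_allowed "$url" && continue
        printf 'OFFSITE %s -> %s\n' "$url" "$(decode_cfru "$url")"
    done
}
```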

Posted in Security Advisories | Comments (0)

Posted on Monday, 22nd March 2010 by Michael

After months of researching a simple way to create custom ringtones for Cisco IP phones, I have come up with the following method, based on the Cisco documentation located at: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/3_0_9/a3rings.html . Cisco requires that custom ringtones meet strict guidelines. This baffles me, as my cell phone can play full-length MP3 files as custom ringtones and costs a fraction of a Cisco IP phone. Oh well, I digress. To accomplish this I chose to use the “sox” application. Sox is like a Swiss army knife for sound editing, and the best part is that it is free.

I have created a simple shell script below that automates the process for you. It was written to run on a Linux-based PBX (Trixbox, PBX in a Flash, Asterisk and so on), though with a little editing you can use it to just create the ringtones without installing them.

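An added example, not the post's own script, of the sox conversion and the checks a ringtone must pass: Cisco phones take raw (headerless) 8 kHz, 8-bit mu-law mono audio of 240 to 16080 samples with the sample count a multiple of 240. TFTP_ROOT and the key file names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script: convert audio to a Cisco IP phone
# ringtone with sox and check it against Cisco's length rules before installing.
# TFTP_ROOT is an assumption for an Asterisk-based PBX serving phone files.
TFTP_ROOT=${TFTP_ROOT:-/tftpboot}
MIN_SAMPLES=240
MAX_SAMPLES=16080    # 2.01 s at 8 kHz

# One byte per 8-bit sample, so the file size is the sample count.
sample_count() {
    wc -c < "$1" | tr -d ' '
}

# Succeeds only if the file meets the length rules a Cisco phone enforces.
ring_ok() {
    n=$(sample_count "$1")
    [ "$n" -ge "$MIN_SAMPLES" ] && [ "$n" -le "$MAX_SAMPLES" ] && [ $((n % 240)) -eq 0 ]
}

# Largest legal sample count not exceeding the given one.
fit_samples() {
    n=$1
    [ "$n" -gt "$MAX_SAMPLES" ] && n=$MAX_SAMPLES
    echo $((n - n % 240))
}

# Resample to 8 kHz mono, encode as mu-law, write without a header, cap at the
# maximum length, then truncate to a multiple of 240 samples (sox's trim caps
# the length but does not round it, so head does the rounding).
make_ring() {
    sox "$1" -t raw -r 8000 -c 1 -e u-law -b 8 "$2" trim 0 "${MAX_SAMPLES}s" || return 1
    keep=$(fit_samples "$(sample_count "$2")")
    head -c "$keep" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
    ring_ok "$2"
}

# Copy a verified ring into the phones' TFTP directory; the ring also has to be
# listed in the ring list XML the phones download, which this example does not edit.
install_ring() {
    ring_ok "$1" || { echo "not a valid Cisco ring: $1" >&2; return 1; }
    cp "$1" "$TFTP_ROOT/" && chmod 644 "$TFTP_ROOT/$(basename "$1")"
}
```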

Posted in Code | Comments (2)

Posted on Wednesday, 17th March 2010 by Michael

It has come to my attention through several comments and emails that a lot of the links that contain these tools no longer work. So in order to provide them to the masses I have uploaded them to my site. They can be accessed at this link: http://www.digitaloffensive.com/mj/mj.rar

If you would like your SIP info retrieved for you, we offer remote retrieval support for $10.00 per Magic Jack.

I have also corrected the download link for the mjproxy source code in my article: http://www.digitaloffensive.com/mjproxy.c.tar.gz

Posted in Blog | Comments (6)

Posted on Thursday, 11th March 2010 by Michael

Hacking the Magic Jack in 2010 for use on Trixbox or any other SIP device

The concept and art of hacking the Magic Jack is actually quite old. The reason I am writing this is that over the last year the process has become much harder. There is definitely ample information available online, and if you were to spend weeks reading it you could easily do this. But who wants to read through countless forum posts trying each method only to find that it no longer works? Like you, I want the answer and I want it now.

Chapters:

  1. Who wrote this document.
  2. What is the Magic Jack.
  3. Why did I buy it and my buying experience.
  4. Required tools and knowledge.
  5. Setup and registration of your Magic Jack.
  6. Get SIP info and Proxy info.
  7. Testing settings and using other SIP clients.
  8. Configuring Trixbox


Posted in Papers | Comments (83)

Posted on Friday, 5th March 2010 by Michael

Vista Antivirus 2010 Quick removal

Vista 2010 is a rogue anti-virus program that is usually advertised through pop-ups and fake security alerts stating that your computer is infected and that you should run an online anti-malware scan. Once the rogue program is installed, it claims to scan your computer for malware and displays a list of false threats to convince you that your computer is infected (usually with Trojans and worms). It then asks you to pay for the full version of the program in order to remove threats which, as we already know, don’t even exist. Most importantly, don’t buy it. If you did, please contact your credit card company and dispute the charges.

Though this piece of malicious code is extremely annoying, it is also very easy to remove. I have put together a kit for quick download to remediate this issue. The kit includes a custom batch file called avkill that loops looking for the process av.exe and kills it automatically, which allows you to run other tools to remove the virus. It also includes a registry fix that reverts the changes the virus makes to the registry. The file is called fix.reg and contains the following:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\secfile]

[-HKEY_CLASSES_ROOT\secfile]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

To download the kit go to http://www.digitaloffensive.com/files/av2010.zip

The first thing you need to do is extract the kit and run the avkill executable. This stops the av.exe process associated with the virus. Once it is running, minimize it and let it keep running. Then either use regedit or simply double-click the fix.reg file to remove the virus from your registry and stop it from restarting. Once this completes successfully you can stop the avkill executable. At this point the virus is no longer running. We then suggest you go to http://www.malwarebytes.org/ and download their free scanner to remove the actual malicious files from your system.

If you have any questions or concerns please feel free to contact me.

Posted in Papers | Comments (2)

Posted on Monday, 22nd February 2010 by Michael

Cpanel remote FTP backup script

Years ago I did web hosting as a side source of income, which led to me developing a lot of Linux-based scripts to automate my daily sysadmin responsibilities. Our hosting company was called ezhostingpro.com. Another party now owns the domain, but googling it and my name will lead you to several of my scripts hosted on other sites. I am posting the code on my site as I am finding many people on http://www.getafreelancer.com using code I post here to bid on projects and win them.

This script is in two parts: the first creates the backup and the second transfers it to the remote server. The first part makes use of the built-in backup commands in cPanel. The script needs minor changes to be used by resellers instead of dedicated server owners.

Script 1:

#!/bin/bash

############################################
## ##
## EZHOSTINGPRO BACKUP FTP SCRIPT v1.0 ##
## Created by Michael LaSalvia ##
## http://www.digitaloffensive.com ##
## 2/23/04 rev 1 ##
############################################
## 1. Create a file called cpbackup.txt in /root
## 2. Place the account names you want backed up in it, one per line
## 3. Save the file in /root
############ DO NOT EDIT BELOW #############
cd /root
for users in $(cat cpbackup.txt)
do
    # remove any previous backup for this account
    rm -rf "/home/$users/cpmove-$users.tar.gz"
    # cPanel's pkgacct writes a full account archive to /home/cpmove-USER.tar.gz
    /scripts/pkgacct "$users"
    mv "/home/cpmove-$users.tar.gz" "/home/$users/"
    cd "/home/$users"
    chown "$users:$users" "cpmove-$users.tar.gz"
    # note: 777 leaves the whole account archive world-readable; 600 is enough for the owner to upload it
    chmod 777 "cpmove-$users.tar.gz"
    # hand off to the per-user upload script (script 2)
    "/home/$users/bkftp.sh"
    cd /root
done

Script 2: This script needs to be edited with the user’s FTP credentials and placed in the user’s home directory.

#!/bin/bash

##################################
## EZHOSTINGPRO REMOTE BACKUP ##
## created by: Michael LaSalvia ##
##http://www.digitaloffensive.com##
## DO NOT EDIT THIS FILE ##
## Name this file bkftp.sh chmod 777 ##
##################################

### VARIABLES ###

var_cpaneluser='cpanel_user_goes_here'
var_remote='remote_server_goes_here'
var_ftpuser='remote_server_ftp_username_goes_here'
var_ftppass='remote_server_ftp_password_goes_here'

cd "/home/$var_cpaneluser"
# non-interactive FTP session: log in, replace last run's copy, upload the new archive
# (plain FTP sends the credentials and the archive in clear text)
ftp -n "$var_remote" <<END_SCRIPT
quote USER $var_ftpuser
quote PASS $var_ftppass
del cpmove-$var_cpaneluser.tar.gz
put cpmove-$var_cpaneluser.tar.gz
quit
END_SCRIPT
# remove the local copy once the upload has finished
rm -Rf "cpmove-$var_cpaneluser.tar.gz"
exit 0

I believe the newer cPanel system actually provides a built-in method to do this, though since I do not have access to one to test I will post this anyway. If you have any questions, comments or concerns, please feel free to contact me.
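A hardened take on the same two-step flow, added here as an example and not one of the original ezhostingpro scripts: it validates the account list before any name reaches a command line, keeps the archive owner-only, verifies the gzip stream, and ships it over SFTP with a key instead of a plaintext FTP password in a 777 file. The /scripts/pkgacct behaviour is taken from Script 1; the key path and remote address are assumptions.

```shell
#!/bin/sh
# Added example, not the original ezhostingpro scripts. Assumes /scripts/pkgacct
# writes /home/cpmove-USER.tar.gz as in Script 1, and that the backup host
# accepts SFTP with the key in /root/.ssh/backup_key (an assumption).
set -eu

# Read account names from the list file, ignoring blank lines and comments,
# and accept only names shaped like cPanel accounts so nothing else in the
# file can become a command-line argument.
read_accounts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r name; do
        if printf '%s\n' "$name" | grep -Eq '^[a-z][a-z0-9]{0,15}$'; then
            printf '%s\n' "$name"
        else
            printf 'skipping invalid account name: %s\n' "$name" >&2
        fi
    done
}

# Refuse to ship or delete an archive that is empty or not a valid gzip stream.
archive_ok() {
    [ -s "$1" ] && gzip -t "$1" 2>/dev/null
}

# Package one account and keep the archive readable by its owner only.
backup_account() {
    archive="/home/$1/cpmove-$1.tar.gz"
    rm -f "$archive"
    /scripts/pkgacct "$1" >/dev/null
    mv "/home/cpmove-$1.tar.gz" "$archive"
    chown "$1:$1" "$archive"
    chmod 600 "$archive"
    archive_ok "$archive"
}

# Upload over SFTP; the local copy is removed only after a successful transfer.
ship_archive() {
    archive="/home/$1/cpmove-$1.tar.gz"
    printf 'put %s\n' "$archive" | sftp -b - -i /root/.ssh/backup_key "$2" \
        && rm -f "$archive"
}

# Usage: run_backups /root/cpbackup.txt backupuser@backup.example.com
run_backups() {
    read_accounts "$1" | while read -r user; do
        backup_account "$user" && ship_archive "$user" "$2"
    done
}
```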

Posted in Code | Comments (1)
