Pentesting a SONUS / SIP Network

["Luis H. Gomez-Danes Mejia" <lgomez () gdm2000 com mx>]

Hello,

Does any body has any name of a standar to do a pen-tes to SIP/Network, Most
of this network is on Unix flavor so I have a very good idea of what to do,
I want to know if any of you knows any document or the name of the document
to stablish a base line to carry out this task

Thanks in advace. 


Luis H. Gomez-Danes Mejia
GDM2000 Consulting
Tel.  818 1159321
Mob.  818 2800432
lgomez () gdm2000 com mx

The information in this e-mail and attachment is confidential. It is
intended only for the use of the individual or entity to which it is
addressed and may contain information that is non-public, proprietary and
may be legally privileged. If you have received this e-mail in error or are
not the intended recipient, please immediately notify the sender by return
e-mail and delete this message from your computer. Any use, distribution, or
copying of this e-mail other than by the intended recipient is strictly
prohibited.


La información contenida en este correo electrónico y anexos es
confidencial. Esta dirigida únicamente para el uso del individuo o entidad a
la que fue dirigida y puede contener información propietaria que no es del
dominio público. Si has recibido este correo por error o no eres el
destinatario al que fue enviado, por favor notifica al remitente de
inmediato y borra este mensaje de tu computadora. Cualquier uso,
distribución o reproducción de este correo que no sea por el destinatario de
intención queda prohibido.
 
-----Original Message-----
From: Sebastian Muñiz [mailto:smuniz () elinpar com] 
Sent: Sunday, June 12, 2005 4:43 PM
To: J. K.; pen-test () securityfocus com
Subject: RE: Pentesting a HP-UX with SMSC

That's OK J.K... you had work to do ;)
About SMSs, what you could try is to reset the TCP connection of the ESME to
the SMSC so when it tries to reconnect, in the first data packet you will
see the username/password in plain text.
Good luck !!!!

-----Mensaje original-----
De: J. K. [mailto:pentest_ml () yahoo com]
Enviado el: Domingo, 12 de Junio de 2005 06:07 p.m.
Para: pen-test () securityfocus com
Asunto: RE: Pentesting a HP-UX with SMSC


Hello Sebastian,

yes, I am pretty sure that I am dealing with a SMSC server. Beside the CIMD2
banner that it provides, I found some hints in the machine I am connecting
from (a DMZ host I previously took over) that suggest that we are talking
about SMS traffic (even if it seems to be a testing environment: I see no
SMSs when sniffing the network).

I tried to fingerprint the server to figure out exactly what app is running
there, but with no success.

Anyway, I found an established connection between the client and this
mysterious server app; my next step will be to attach gdb to the process
owning that
connection: my hope is that username and password are still somewhere in its
memory space ;)

Cheers

j.k.

P.s.: sorry for the late reply: in the last 3-4 days I focused on another
part of the target network ;)

--- Sebastian Muñiz <smuniz () elinpar com> wrote:
> This apps Do install default user/password but depends on the one that 
> you found....
> You should try to indentify this one but thought SMSC has no tcp port 
> specially assigned to it, it won't help you unless this software 
> version is in the default port (and identifying the version of every 
> SMSC arround should be a very hard work)...
>
> If you want to connect to it, you should get an ESME (which is the 
> client that connects to a SMSC in this kind of Client-Server 
> architecture) but the protocol SMPP they use (Short Message Peer To 
> Peer) uses username and password (the password could be blank is the 
> SMSC admin wanted so).
> Here I sent you a link to a page where you can find the SMPP protocol 
> specification and a ESME client made in java to test against this 
> server of yours.
http://opensmpp.logica.com/CommonPart/Download/download2.html
> You could allways try to get the source code for this inplementation 
> (if this is available) and try to find bugs in it but it is a subject 
> for another post ;-)
>
> ohh... and i am not aware of any exploit arround for any 
> implementation of this protocol!!! :( But if you get one, let me know 
> :)
>
> anyway..... Are you sure it is an SMSC server that you found????
>
>    Cheers, Sebastian
>
> -----Mensaje original-----
> De: J. K. [mailto:pentest_ml () yahoo com] Enviado el: Miércoles, 08 de 
> Junio de 2005 11:05 a.m.
> Para: pen-test () securityfocus com
> Asunto: Pentesting a HP-UX with SMSC
>
>
> Hello fellow pen-testers,
>
> in my current engagement I bumped into a HP-UX
> (B.11.11) server protected by a firewall (not an internet facing 
> firewall, tho).
> The only open ports I can connect to are telnet and 9971.
>
> Connecting to 9971 I get the following:
>
> # telnet x.x.x.x 9971
> Trying x.x.x.x...
> Connected to x.x.x.x.
> Escape character is '^]'.
> CIMD2-A ConnectionInfo: SessionId = 32551 PortId = 4 Time = 
> 050608153449 AccessType = TCPIP_SOCKET PIN =
> 630777
>
> Googling around, I found that this daemon should be a SMSC (Short 
> Message Service Center). I also found that on HP-UX there are a few 
> SMSC apps available (Locus,
> FEELingK,...)
>
> My questions are:
> 1. Do you know of any vulnerability or attack avenue on this 
> protocol/service ?
> 2. Do you know if these SMSC apps install some default user whose 
> password I can try to guess ?
> 3. Any other idea ?
>
> Of course I could just fire off Hydra against the telnet server, but I 
> would like to find something less noisy ;)
>
> Thanks
>
> j.k. 
>
>
>               
> __________________________________
> Discover Yahoo! 
> Have fun online with music videos, cool games, IM and more. Check it 
> out!
> http://discover.yahoo.com/online.html



                
__________________________________ 
Yahoo! Mail 
Stay connected, organized, and protected. Take the tour: 
http://tour.mail.yahoo.com/mailtour.html