The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

форумы
правила/FAQ
поиск
регистрация
вход
слежка
RSS



Версия для распечатки Пред. тема | След. тема
Новые ответы [ Отслеживать ]
sip fraud-prevention cisco cme, !*! Aleks305, 09-Сен-14, 17:18  [смотреть все]
Друзья,подскажите, как могли взломать cisco cme c публичным ip. Сейчас следующий конфиг был залит относительно SIP:
voice service voip
ip address trusted list
  ipv4 178.16.26.122 255.255.255.255
  ipv4 144.76.42.108 255.255.255.255
  ipv4 176.9.145.115 255.255.255.255
  ipv4 5.9.108.25 255.255.255.255
  ipv4 78.46.95.118 255.255.255.255
  ipv4 89.249.23.194 255.255.255.255
  ipv4 178.16.26.124 255.255.255.255
  ipv4 176.9.85.133 255.255.255.255
  ipv4 46.4.53.86 255.255.255.255
  ipv4 5.9.84.165 255.255.255.255
  ipv4 78.16.26.122 255.255.255.255
  ipv4 77.235.62.222 255.255.255.255
  ipv4 81.88.86.11 255.255.255.255
  ipv4 192.168.1.50 255.255.255.255
  ipv4 217.150.198.44 255.255.255.255
  ipv4 178.63.96.3 255.255.255.255
  ipv4 178.63.96.28 255.255.255.255
  ipv4 192.168.11.0 255.255.255.0
  ipv4 192.168.173.0 255.255.255.0
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
no supplementary-service sip moved-temporarily
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
  bind media source-interface Loopback1
  registrar server
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
codec preference 3 g711alaw
!
voice class codec 2
codec preference 1 g711alaw
codec preference 2 g729r8
!
voice class sip-profiles 10
request INVITE sip-header From modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\" <sip:чччч@92.63.x.x>"
!
voice class sip-profiles 20
request INVITE sip-header From modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\" <sip:ччччч@77.41.x.x>"
!
!
voice register global
mode cme
source-address 192.168.179.1 port 5060
max-dn 10
max-pool 5
authenticate register
tftp-path flash:
create profile sync 0883653009339013
!
voice register dn  1
number 150
no-reg
!
voice register dn  2
number 151
no-reg
!
voice register dn  3
number 152
no-reg
!
voice register dn  4
number 153
no-reg
!
voice register pool  1
registration-timer max 720 min 660
id mac 0005.9A3C.7800
session-transport tcp
number 1 dn 1
voice-class codec 1

!
voice register pool  2
registration-timer max 720 min 660
id mac 3694.2585.3255
session-transport tcp
type CiscoMobile-iOS
number 1 dn 2
voice-class codec 1

!
voice register pool  3
registration-timer max 720 min 660
id mac A098.0501.0C4F
session-transport tcp
number 1 dn 3
voice-class codec 1

Также был подключен E1, через него основная маршрутизация. Ограничений в виде ACL не было на внешнем, публичном интерфейсе.
Провайдер E1 сказал, что были попытки звонков в Африку, ну и заблокировал временно нас. Подскажите, кто сталкивался почему не сработал fraud-prevention, где ошибка в конфиге? не понимаю, как вообще смогли делать звонки без регистрации.
Спасибо.


Ответить | Сообщить модератору
  • sip fraud-prevention cisco cme, !*! mdenisov, 18:45 , 09-Сен-14 (1)
    Во-первых посмотрите аккаунтинг - как именно слили.
    Насколько я помню функционал CME не использует механизм ip address trusted list, т. е. SCCP устройству можно прописать правильный mac и CME его пустит. На SIP я этого не проверял.
    Кроме того можно впрямую слить трафик на адрес шлюза если на source адрес существует dial-peer с соответствующим session target'ом. Причем этот пир не обязан отматчиться как входящий. В этом случае trusted list не анализируется.
    Ответить | Сообщить модератору
    • sip fraud-prevention cisco cme, !*! Aleks305, 21:14 , 09-Сен-14 (2)
      > Во-первых посмотрите аккаунтинг - как именно слили.
      > Насколько я помню функционал CME не использует механизм ip address trusted list,
      > т. е. SCCP устройству можно прописать правильный mac и CME его
      > пустит. На SIP я этого не проверял.
      > Кроме того можно впрямую слить трафик на адрес шлюза если на source
      > адрес существует dial-peer с соответствующим session target'ом. Причем этот пир не
      > обязан отматчиться как входящий. В этом случае trusted list не анализируется.

      спасибо за отклик столь быстрый.
      Взлом был еще где-то 20 августа, меня не было в тот момент.тогда просто перекрыли доступ по SIP. Сейчас приехал, начал разбираться.В cdr за то число, которые в локальный файл сохраняется не могу понять, что откуда.Похоже, что через SIP судя по этим записям:
      1408568954,173578,0,2,"72E506B 27E511E4 AD2BCAF0 16E99558","","","*01:08:54.946 Moscow Thu Aug 21 2014","","*01:09:14.446 Moscow Thu Aug 21 2014","*01:09:14.446 Moscow Thu Aug 21 2014","","","answer",0,"",0,0,0,0,"1101","1101","810972595358613","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",0,"","1.1.228.3.31.0","0","0.0.0.0","","","","","","","","","","","","","","","","","","","","","","ton:0,npi:0,#:810972595358613","ton:0,npi:0,pi:0,si:0,#:1101","","","","","","","","","","count:1","","Unknown","","","sipv2","","","TWC","08/21/2014 01:08:54.946","1101","810972595358613",0,19291,72E506B 27E511E4 AD2BCAF0 16E99558,2A60A,"","","","","","","","","",""
      1408568998,173586,0,2,"2D32FB39 27E511E4 AD38CAF0 16E99558","","","*01:09:58.730 Moscow Thu Aug 21 2014","","*01:09:58.930 Moscow Thu Aug 21 2014","*01:09:58.930 Moscow Thu Aug 21 2014","","","answer",0,"",0,0,0,0,"2000000","2000000","9810972598783507","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",0,"","1.1.228.3.31.0","0","0.0.0.0","","","","","","","","","","","","","","","","","","","","","","ton:0,npi:0,#:9810972598783507","ton:0,npi:0,pi:0,si:0,#:2000000","","","","","","","","","","count:1","","Unknown","","","sipv2","","","TWC","08/21/2014 01:09:58.730","2000000","9810972598783507",0,19293,2D32FB39 27E511E4 AD38CAF0 16E99558,2A612,"","","","","","","","","",""

      1408569414,173648,0,2,"24A317A9 27E611E4 AD59CAF0 16E99558","","","*01:16:53.860 Moscow Thu Aug 21 2014","","*01:16:54.110 Moscow Thu Aug 21 2014","*01:16:54.110 Moscow Thu Aug 21 2014","","","answer",0,"",0,0,0,0,"2000000","2000000","0810972598783507","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",0,"","1.1.228.3.31.0","0","0.0.0.0","","","","","","","","","","","","","","","","","","","","","","ton:0,npi:0,#:0810972598783507","ton:0,npi:0,pi:0,si:0,#:2000000","","","","","","","","","","count:1","","Unknown","","","sipv2","","","TWC","08/21/2014 01:16:53.862","2000000","0810972598783507",0,19294,24A317A9 27E611E4 AD59CAF0 16E99558,2A650,"","","","","","","","","",""

      1408569549,173664,0,2,"69FC646A 27E611E4 AD65CAF0 16E99558","","","*01:18:50.206 Moscow Thu Aug 21 2014","","*01:19:09.706 Moscow Thu Aug 21 2014","*01:19:09.706 Moscow Thu Aug 21 2014","","","answer",0,"",0,0,0,0,"100","100","888011447937420608","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",0,"","1.1.228.3.31.0","0","0.0.0.0","","","","","","","","","","","","","","","","","","","","","","ton:0,npi:0,#:888011447937420608","ton:0,npi:0,pi:0,si:0,#:100","","","","","","","","","","count:1","","Unknown","","","sipv2","","","TWC","08/21/2014 01:18:50.206","100","888011447937420608",0,19295,69FC646A 27E611E4 AD65CAF0 16E99558,2A660,"","","","","","","","","",""

      1408569778,173698,0,2,"FE21CC87 27E611E4 AD79CAF0 16E99558","","","*01:22:58.754 Moscow Thu Aug 21 2014","","*01:22:58.994 Moscow Thu Aug 21 2014","*01:22:58.994 Moscow Thu Aug 21 2014","","","answer",0,"",0,0,0,0,"5666","5666","9810972597459073","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",0,"","1.1.228.3.31.0","0","0.0.0.0","","","","","","","","","","","","","","","","","","","","","","ton:0,npi:0,#:9810972597459073","ton:0,npi:0,pi:0,si:0,#:5666","","","","","","","","","","count:1","","Unknown","","","sipv2","","","TWC","08/21/2014 01:22:58.758","5666","9810972597459073",0,19296,FE21CC87 27E611E4 AD79CAF0 16E99558,2A682,"","","","","","","","","",""

      По поводу слива трафика, не совсем понял, как это делается.

      Активные dial-peer, которые были на момент взлома:
      dial-peer voice 100 pots
      translation-profile outgoing outgoing-e1
      destination-pattern 98..........
      port 0/0/0:15
      forward-digits all
      dial-peer voice 110 pots
      translation-profile incoming incoming-e1
      incoming called-number <внешний номер>
      direct-inward-dial
      dial-peer voice 101 pots
      translation-profile outgoing outgoing-e1
      destination-pattern 9.T
      port 0/0/0:15
      forward-digits all

      Что примечательно, что взлом произошел после подключения e1. До этого месяца полтора-два работало все через SIP-провайдера и вроде бы проблем никаких не было.
      Я уж думаю, может нас через e1 ломанули.
      Вот здесь описывается, кстати.
      http://www.anticisco.ru/forum/viewtopic.php?t=2826
      Жду детализацию от провайдера e1, пока не получил.

      Ответить | Сообщить модератору
      • sip fraud-prevention cisco cme, !*! mdenisov, 09:03 , 10-Сен-14 (4)
        Чо это за CDR'ы? Где там ANI, DNIS и с какого адреса трафик шел? Может быть там и номера пиров есть?
        Нужны voip'ные пиры, pots не интересно, очень маловероятно чтобы оператор занимался такой ерундой.
        Ответить | Сообщить модератору
        • sip fraud-prevention cisco cme, !*! Aleks305, 10:48 , 10-Сен-14 (5)
          > Чо это за CDR'ы? Где там ANI, DNIS и с какого адреса
          > трафик шел? Может быть там и номера пиров есть?
          > Нужны voip'ные пиры, pots не интересно, очень маловероятно чтобы оператор занимался такой
          > ерундой.

          На момент взлома был доступен только входящий voip диал-пир.
          dial-peer voice 3 voip
          translation-profile incoming incoming
          incoming called-number 141756
          voice-class codec 1
          voice-class sip bind control source-interface GigabitEthernet0/0
          voice-class sip bind media source-interface GigabitEthernet0/0
          dtmf-relay rtp-nte
          no vad

          voice translation-rule 1040
          rule 1 /^.*$/ /21/

          voice translation-profile incoming
          translate called 1040

          Остальные были выключены:
          dial-peer voice 4 voip
          description MEZHGOROD
          translation-profile outgoing outgoing-mezhdunarod
          shutdown
          destination-pattern 9375.........
          session protocol sipv2
          session target sip-server
          voice-class codec 2
          no voice-class sip outbound-proxy
          voice-class sip profiles 20
          voice-class sip bind control source-interface GigabitEthernet0/0
          voice-class sip bind media source-interface GigabitEthernet0/0
          dtmf-relay rtp-nte sip-notify
          no vad
          dial-peer voice 5 voip
          translation-profile outgoing outgoing-mezhdunarod
          shutdown
          destination-pattern 9.T
          session protocol sipv2
          session target sip-server
          voice-class codec 2
          no voice-class sip outbound-proxy
          voice-class sip profiles 20
          voice-class sip bind control source-interface GigabitEthernet0/0
          voice-class sip bind media source-interface GigabitEthernet0/0
          dtmf-relay rtp-nte sip-notify
          no vad
          dial-peer voice 1 voip
          description TO-RUSSIA
          paramspace callsetup after-hours-exempt FALSE
          shutdown
          session protocol sipv2
          session target ipv4:192.168.1.50:5060
          session transport udp
          voice-class codec 1
          no voice-class sip bandwidth video
          voice-class sip profiles 20
          no voice-class sip anat
          voice-class sip bind control source-interface GigabitEthernet0/0
          voice-class sip bind media source-interface GigabitEthernet0/0
          ip qos dscp cs3 signaling
          dial-peer voice 6 voip
          description TO-RUSSIA-NEW
          translation-profile outgoing outgoing
          shutdown
          destination-pattern 98..........
          session protocol sipv2
          session target sip-server
          voice-class codec 2
          no voice-class sip outbound-proxy
          voice-class sip profiles 20
          voice-class sip bind control source-interface GigabitEthernet0/0
          voice-class sip bind media source-interface GigabitEthernet0/0
          dtmf-relay rtp-nte sip-notify
          no vad

          Вот записи:
          ,0,"",0,0,0,0,"100","100","10950048587314419",""
          "answer",0,"",0,0,0,0,"100","100","10970048587314419"
          "answer",0,"",0,0,0,0,"652","652","810441904899510",

          652 или 100 - таких внутренних номеров вообще  нет.

          Ответить | Сообщить модератору
    • sip fraud-prevention cisco cme, !*! Aleks305, 22:07 , 09-Сен-14 (3)
      > Во-первых посмотрите аккаунтинг - как именно слили.
      > Насколько я помню функционал CME не использует механизм ip address trusted list,
      > т. е. SCCP устройству можно прописать правильный mac и CME его
      > пустит. На SIP я этого не проверял.
      > Кроме того можно впрямую слить трафик на адрес шлюза если на source
      > адрес существует dial-peer с соответствующим session target'ом. Причем этот пир не
      > обязан отматчиться как входящий. В этом случае trusted list не анализируется.

      Похоже все-таки через SIP - сейчас логи чистые с адекватными номерами и активностью.Как же найти, где был косяк в настройке, как без аутентификации звонили.

      Ответить | Сообщить модератору

Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей 		Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру