Skip to content

Voiphoney that Imulates D-Link DPH-150S VoIP phone and runs in docker container. It writes logs for Kibana in json and for human in log files. SIP Server - Python3, HTTP server - node.js, Telnet - cowrie, OSFooler - python2. Full size of image 512 Mb

Notifications You must be signed in to change notification settings

mostepunk/VoIPHoneypot

Repository files navigation

VoIP Honeypot

Switch to English

Ловушка, имитирующая поведение VoIP телефонии. Принимает запросы по протоколу udp/tcp и отвечает на запросы:

  • INVITE
  • INVITE Authorization
  • OPTIONS
  • ACK
  • BYE
  • CANCEL

Ссылки

Запуск

  • docer-compose up

Логирование

Ведет логирование сразу в два файла .json для Kibana и .log для контроля работы программы

Планы:

  • реализовать tcp протокол
  • В случае неправильной авторизации, возвращать ответы 400 Bad Request или 481: b"Call/Transaction Does Not Exist",
  • Доделать обманку для nmap

Аппарат D-Link DPH-150S

Сигнальные, медиа и сетевые протоколы
  • SIP RFC 3261
  • SDP RFC 2327
  • RTP RFC 1889
  • SNTP
  • DNS & DNS SRV
  • TFTP/FTP/HTTP для автоконфигурирования
  • IP/TCP/UDP/ARP/ICMP

Смена аппарата

Если вы хотите сменить модель определяемого телефона, Вам надо найти его fingerprint в базе данных nmap и вставить его в файл. После этого надо поменять переменную phonemodel в docker-compose. И, воздможно все заработает как и ожидалось, но это неточно, возможно еще где-то жестко прописана модель.

Примеры входящих сообщений:

=== OPTIONS ===
    OPTIONS sip:127.0.0.1 SIP/2.0
    Via: SIP/2.0/TCP 127.0.0.1:39338;rport;branch=z9hG4bKhKcExzavijtat7swla_1z84oc
    Max-Forwards: 70
    From: "Nmap NSE" <sip:user@127.0.0.1>;tag=vN3pq0L0SQnHqXpPGF9D
    To: "Nmap NSE" <sip:user@127.0.0.1>
    Call-ID: 9561yUXyBJAPZ3aaLmruyZhzw7B2gnsfinWW8tJ93JORCosOPZ8Dzf2kb4c8
    CSeq: 1234 OPTIONS
    User-Agent: Nmap NSE
    Contact: "Nmap NSE" <sip:user@127.0.0.1:39338>
    Expires: 300
    Allow: PRACK, INVITE ,ACK, BYE, CANCEL, UPDATE, SUBSCRIBE,NOTIFY, REFER, MESSAGE, OPTIONS
    Accept: application/sdp
    Content-Length:  0

=== INVITE ===
    INVITE sip:100@localhost SIP/2.0
    Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK87asdks7
    From: socketHelper
    To: 100@localhost
    Call-ID: 1395
    CSeq: 2 INVITE
    Contact: socketHelper
    Accept: application/sdp
    Content-Type: application/sdp
    Content-Length: 126

    v=0
    o=socketHelper 5566 7788 IN IP4 127.0.0.1
    s=SDP Subject
    i=SDP information
    c=IN IP4 127.0.0.1
    t=0 0
    m=audio 30123 RTP/AVP 0

=== INVITE Authorization ===
    INVITE sip:100@localhost SIP/2.0
    Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK87asdks7
    From: socketHelper
    To: 100@localhost
    Call-ID: 4512
    CSeq: 3 INVITE
    Contact: socketHelper
    Accept: application/sdp
    Content-Type: application/sdp
    Content-Length: 126
    Authorization: Digest username="100",
                   realm="100@localhost",
                   uri="sip:100@localhost",
                   nonce="a6b103fbb266224691906c0a60c41849",
                   response="dea6001bb802e6619a89cd5cf8d5d227"

    v=0
    o=socketHelper 5566 7788 IN IP4 127.0.0.1
    s=SDP Subject
    i=SDP information
    c=IN IP4 127.0.0.1
    t=0 0
    m=audio 30123 RTP/AVP 0

Результат сканирования Nmap

  • sudo nmap -sV -T4 -O -A -f --version-light 192.168.*.* - Настоящий телефон
        Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-26 12:54 MSK
        Nmap scan report for 192.168.*.*
        Host is up (0.0055s latency).
        Not shown: 997 closed ports
        PORT     STATE SERVICE VERSION
        23/tcp   open  telnet  VBrick 4300 video encoder telnetd
        80/tcp   open  http    RapidLogic httpd 1.1
        5060/tcp open  sip?
        |_sip-methods: INVITE, ACK, OPTIONS, BYE, CANCEL, REFER, NOTIFY, INFO, PRACK, UPDATE, MESSAGE
            Aggressive OS guesses: 
                Rockwell Automation 1769-L23E-QB1 PLC (93%),
                AirSpan ProST WiMAX access point (92%),
                HP ProCurve 2510 switch (91%),
                Cisco SPA 502G VoIP phone (91%),
                Xerox WorkCentre Pro 7245 printer (89%),
                Enterasys Matrix E1 switch (88%),
                HP MSA2000-series NAS device (88%),
                Nortel NVR1750D VPN router (87%),
                3Com 7760 WAP (87%),
                Linksys WRT54G or WRT54G2,
                or Netgear WGR614 or WPN824v2 wireless broadband router (87%)
        No exact OS matches for host (test conditions non-ideal).
        Network Distance: 3 hops
        Service Info: Device: media device
    
        TRACEROUTE (using port 143/tcp)
        HOP RTT     ADDRESS
        1   0.18 ms 192.168.*.*
        2   3.84 ms 10.2.8.1
        3   6.47 ms 192.168.*.*
    
        OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
        Nmap done: 1 IP address (1 host up) scanned in 45.35 seconds
    
  • sudo nmap -sV -T4 -O -A -f --version-light 172.28.3.2 - Ловушка
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-13 23:27 MSK
    Stats: 0:00:04 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
    ARP Ping Scan Timing: About 100.00% done; ETC: 23:27 (0:00:00 remaining)
    Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
    Service scan Timing: About 0.00% done
    Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
    Service scan Timing: About 50.00% done; ETC: 23:28 (0:00:19 remaining)
    WARNING: RST from 172.28.3.2 port 80 -- is this port really open?
    Nmap scan report for 172.28.3.2
    Host is up (0.081s latency).
    Not shown: 997 filtered ports
    PORT     STATE  SERVICE VERSION
    23/tcp   closed telnet
    80/tcp   open   http    RapidLogic httpd 1.1
    5060/tcp open   sip     (SIP end point; Status: 200 OK)
    |_sip-methods: INVITE, ACK, OPTIONS, BYE, CANCEL, REFER, NOTIFY, INFO, PRACK, UPDATE, MESSAGE
    MAC Address: 02:42:AC:1C:03:02 (Unknown)
    Device type: VoIP phone
    Running: D-Link embedded
    OS CPE: cpe:/h:dlink:dph-150s
    OS details: D-Link DPH-150S VoIP phone
    Network Distance: 1 hop

    TRACEROUTE
    HOP RTT      ADDRESS
    1   80.92 ms 172.28.3.2

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 47.04 seconds

About

Voiphoney that Imulates D-Link DPH-150S VoIP phone and runs in docker container. It writes logs for Kibana in json and for human in log files. SIP Server - Python3, HTTP server - node.js, Telnet - cowrie, OSFooler - python2. Full size of image 512 Mb

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published