LiquidLayer.net | Tech
LiquidLayer
https://www.drvoip.com/blog/shoretel-support-and-service/hacking-shoretel-for-fun-and-profit/

The following is from the Blog.DrVoip.com - visit above for the full story ...

Hacking ShoreTel!

When you have been involved with the design, deployment and management of customer premise telephone systems for as long as we have, you think you have seen it all. Over the years as we learn from our mistakes we improve our “best practice” list to assure others gain from our experience. When I was barely a teenager, I learned how to assemble a string of MF tones using a Hammond organ keyboard. Recording two keys at a time, you could create toll call routing instructions that could be played back after making a 1-800 toll call before the terminating end answered! That, along with the famous Captain Crunch 2600Hz cereal box whistle, kept me and my friends entertained for years, stacking toll tandem switches and meeting other hackers in far away phone booths! Things have changed as in-band signaling has long ago been replaced with out of band signaling and whistles no longer work. Toll fraud however, continues to be a major source of unanticipated costs for business and the toll bandit syndrome is still alive and well in the Internet age.

Just like a web server which uses well-known port 8080 to serve up web pages, SIP phone systems use a common port. Scanning ports for open port 5060, then banging away for a user login and password to create a registration was child’s play and most companies now have this locked down. The fact that most Voice Mail systems used a common password was also a source of hacking entertainment, but now most manufacturers do not create mailboxes until someone needs one, eliminating a source of illegal phone calls through remote access. Direct Inward System Access or DISA used to be a favorite tool for making fraudulent toll calls. Users would call into the system, put in a PIN and then be granted access to make phone calls. It did not take long to figure out how to abuse that feature!

Like I said, just when you think you have seen it all, something new shows up. You have to laugh at how obvious and simple it was. I was recently contacted by a guy who you would think has seen it all, Kevin Mitnick. If that name does not immediately “ring a bell,” then maybe you might remember a couple of his books: The Art of Intrusion, The Art of Deception and most recently Ghost in the Wires. Kevin has not only seen it all, he has done it all! Anyway, Kevin was researching a compromised ShoreTel system for a client and wanted to compare notes with DrVoIP. Apparently someone had gained unauthorized access to the system and was making toll calls that were costing the target company a small fortune. If you have ever experienced toll fraud you know that your vulnerability is broadcast all over the Internet in just a matter of minutes. You will find yourself explaining to Homeland Security why you are making so many phone calls to Dubai!

Kevin had a sheet of CDR records that showed the date and time of the calls. Unfortunately the calls seemed to be originating from the Automated Attendant so they could not be traced to a particular extension number within the system. We brainstormed some possibilities. I thought for sure this had to be an inside job! Maybe someone was using the “find me follow me” feature, but that would only send the call to a single number. These calls were all over the map! Literally all over the globe! ShoreTel does not have a DISA feature and VM boxes do not exist unless they are assigned to a user. The password must be changed as a part of the setup process. So how was this system hacked?

Well, I could tell you but that would take all the fun out of hearing from you as to your thoughts on how this was done. I will promise you that it takes one to know one and Kevin, genius that he is, figured this out, not I! Even DrVoIP was taken in by this clever ruse! Post your comments below with your thoughts on how this was accomplished and we will send you the puzzle answer Kevin uncovered. My thinking is that all we can ever hope to do is to raise the bar, keeping out the less sophisticated mice. There will always be someone smarter, someone more dedicated and focused, who will make it his mission to crack your safe!

Updated with Answer September 1, 2013 – Well a couple of people actually broke the code (excuse the pun)! What Kevin learned was that one of the great flaws in VoIP is the complete lack of control when it comes to secure Caller ID!

Simply stated, there is no security or verification of Caller ID! Using any number of readily available tools, it is possible to spoof your caller ID. You can make your phone display any number you want!

ShoreTel has a voice mail feature that enables you to listen to a voice message and then return the call by pushing a voice mail menu option key!

This is a very handy feature, especially if you are calling into your voice mail from your car: just hit the “return call” option and, provided the system was able to capture the inbound Caller ID, the ShoreTel will place an outgoing call to that number and conference you in!

So let’s put this simple ShoreTel hack together – the hackers gained control of a voice mail box, then called into the ShoreTel Voice Mail system with a spoofed Caller ID and left a brief message.

They then called back into the system, this time to check their voice messages, and hit the “return call” option key, which placed a call to an international Middle East location, all billed to the ShoreTel system owner and showing up only as a Call Detail Record owned by the Automated Attendant.

Great feature, but we would recommend that you don’t allow the VM system to place International phone calls! Thanks to all who took time to write and special thanks to Kevin Mitnick for a really fun Service Call!

Click the link below to view or comment on this Dr. VoIP authored blog post, as of August 5th, 2013:

https://www.drvoip.com/blog/shoretel-support-and-service/hacking-shoretel-for-fun-and-profit/
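The tell in the story above is that the fraudulent calls appear in CDR as international calls "owned" by the Automated Attendant rather than by any extension. The following is an added example (not from the blog and not ShoreTel tooling) that runs that check over a constructed CDR export; the CSV layout and the party names "Auto Attendant" / "Voice Mail" are assumptions, and a real export would need its columns mapped first.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDR export, not a real ShoreTel export format. One call per line:
# start time, originating party as the CDR "owner", dialed number, duration in seconds.
SAMPLE_CDR = """\
start,origin,dialed,duration
2013-08-03 09:12:00,Ext 2041,4155550100,140
2013-08-03 09:40:00,Auto Attendant,4155550123,30
2013-08-03 23:05:00,Auto Attendant,011971555000101,1830
2013-08-03 23:41:00,Auto Attendant,011971555000102,2210
2013-08-04 00:17:00,Auto Attendant,011962655000103,1975
2013-08-04 08:30:00,Ext 2017,011442079460000,600
"""

# Parties that are the PBX itself rather than a user (assumed names). An outbound
# international call "owned" by one of these is what the return-call abuse looks like.
SYSTEM_PARTIES = {"auto attendant", "voice mail"}

def is_international(dialed: str) -> bool:
    """North American dial plan: 011 prefix, or a + with a country code other than 1."""
    d = dialed.strip()
    return d.startswith("011") or (d.startswith("+") and not d.startswith("+1"))

def parse_cdr(text: str) -> list:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        r["duration"] = int(r["duration"])
        rows.append(r)
    return rows

def flag_callback_fraud(text: str):
    """Return (flagged rows, calls per destination prefix) for system-originated
    international calls. User-originated international calls are a CoS question, not this."""
    flagged = [r for r in parse_cdr(text)
               if r["origin"].lower() in SYSTEM_PARTIES and is_international(r["dialed"])]
    # 011 plus up to three country-code digits: clustering on one region is the tell.
    by_dest = Counter(r["dialed"][:6] for r in flagged)
    return flagged, by_dest

if __name__ == "__main__":
    hits, dest = flag_callback_fraud(SAMPLE_CDR)
    for r in hits:
        print(f'{r["start"]} {r["origin"]} -> {r["dialed"]} ({r["duration"]}s)')
    print("calls per destination prefix:", dict(dest))
```

On the sample, only the three overnight Auto Attendant calls are flagged; the user-dialed UK call and the Auto Attendant's domestic call are not.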
LiquidLayer
http://www.packetspoon.com/2012/11/tips-for-securing-your-shoretel-system-against-call-back-fraud/

Tips for securing your ShoreTel system against call-back fraud

* Note: Disabling Trunk to Trunk connections is one way to combat this. If you are in the office and you listen to a voicemail, the 5-2 option will work as you are not on a trunk call. Out of the office, where a hacker would reside, the option will fail the call if you disable it in COS.

Note, this will also prevent an inbound call from being transferred off site to another phone number. However, if this is not needed, or you want to tighten up security (not to mention save on trunk to trunk transfers, as you pay for the entire length of the call), then disabling it should be good.

NOTE: Usual disclaimer applies here. These are just my thoughts. Use the information at your own risk. Don’t trust just one guy on the Internet to secure your enterprise phone system. Ultimately no matter how much of a ‘belt and braces’ approach you take, it’s never going to be completely safe from attack. At the very least the threat from within is always going to remain. This post is more to ‘spread the word’ than to give any definitive advice.

Now that’s out of the way, we can continue. There has been a lot of bad press recently about call-back fraud and it’s costing UK businesses alone over £1 billion a year. I should say at this point that this is not a specific vulnerability within ShoreTel but rather an inherent issue with PBXs where a feature intended for convenience can be used for far more nefarious purposes.

There are a few key tips which can help reduce the attack surface and hence reduce the risk of a successful compromise by scammers. While this post focusses on how to achieve this on the ShoreTel system, the principles will be the same on many telephone systems.

1) Use a restrictive Class of Service by default

If you work for a company who never (or very rarely) has a reason to call Premium Rate or International Numbers – you are in luck. Set the global CoS to Long Distance only to avoid this being abused.

For a lot of companies however, this action would not go down well. It can take some research and time to get a picture of what is “normal” for foreign calls. Use the CDR tools. Involve management. Avoid blocking everything and then dealing with the aftermath.

2) Restrict call feature permissions

In a lot of cases, staff will tend to use the phone system on a fairly basic level, i.e. to make calls. Find out how users use the system, and set the permissions accordingly. For instance, do most users require the trunk to trunk transfer feature? In my case, no, so for most user groups, this is not allowed.

The above two points take into account the well-established Principle of Least Privilege.

3) Ensure passwords are set to at least 6 digits – including workgroups

Not much to discuss here. Unfortunately, the system will not stop people using 000000, 123456, etc – ongoing monitoring of this is necessary. Don’t forget about workgroups. Those with a support contract can use the IDLint tool. Ask your ShoreTel partner if you are not sure how to get this.

4) Ensure new users’ passwords are not set to something easy

Simple tip really! Don’t use 0000 for new user PINs.

5) Don’t enable Voicemail by default

If users don’t need voicemail, simply disable it. Note, you can’t disable voicemail for a user with “Any IP Phone” set. It’s also no good for users who roam, as voicemail is needed to log off/on.

6) Set up Event Filters

Look for Event ID 1113 – This shows repeated failed login attempts to an extension.

7) Don’t forget meeting room phones, kiosks, etc!

Keep these locked down – Extension Only (no voicemail) and secure passwords.

And finally… Educate users & management

This is very much a non-technical yet important point but it’s one that’s often overlooked. Don’t just make this a typical inexplicable change that IT departments make. Prepare some information for your users, explain why it’s being done. Offer assistance. Doing all the above in one swift, brutal round of change will only cause a headache for you as your users won’t be happy. I personally take good measures to keep any negative perception of the phone system itself to a minimum. Of course, pigs will fly before all your users read the info – but this is not a barrier to doing it. Make it available.

So, there’s a few ramblings to take into consideration.

See the full write up here:

http://www.packetspoon.com/2012/11/tips-for-securing-your-shoretel-system-against-call-back-fraud/
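Tips 3 and 4 above say the system enforces a length but will not stop 000000 or 123456, so weak PINs have to be found by ongoing monitoring. The following is an added example (not from the packetspoon post and not ShoreTel tooling) of that monitoring as a PIN audit; it goes beyond the two patterns named in the post to sequential, repeated and extension-derived PINs, and the mailbox list is a constructed, hypothetical input, since a real audit would go through vendor tooling such as the IDLint tool the post mentions rather than a plaintext PIN export.

```python
from typing import Dict, List, Tuple

MIN_PIN_LEN = 6  # the post's minimum; a default new-user PIN such as 0000 fails this alone

# Constructed sample of (mailbox extension, mailbox type, PIN). Hypothetical input:
# workgroups are included because the post says they are easy to forget.
SAMPLE_MAILBOXES: List[Tuple[str, str, str]] = [
    ("2041", "user", "0000"),
    ("2017", "user", "123456"),
    ("2018", "user", "654321"),
    ("2019", "user", "777777"),
    ("2020", "user", "202020"),
    ("2021", "user", "819427"),
    ("3100", "workgroup", "3100"),
    ("3101", "workgroup", "581369"),
]

def pin_weaknesses(ext: str, pin: str) -> List[str]:
    """Reasons a voicemail PIN is weak; an empty list means it passed every check."""
    reasons = []
    if not pin.isdigit() or len(pin) < MIN_PIN_LEN:
        reasons.append(f"shorter than {MIN_PIN_LEN} digits")
    if len(set(pin)) == 1:                           # 000000, 777777
        reasons.append("single repeated digit")
    digits = [int(c) for c in pin] if pin.isdigit() else []
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if len(digits) > 1 and steps in ({1}, {-1}):     # 123456, 654321
        reasons.append("sequential digits")
    if ext in pin:                                   # 202020 for extension 2020
        reasons.append("contains the extension number")
    if len(set(pin)) > 1 and any(                    # 121212, 123123
            len(pin) % n == 0 and pin == pin[:n] * (len(pin) // n) for n in (2, 3)):
        reasons.append("short pattern repeated")
    return reasons

def audit(mailboxes) -> Dict[str, List[str]]:
    """Map each weak mailbox (users and workgroups alike) to its list of reasons."""
    weak = {}
    for ext, _kind, pin in mailboxes:
        reasons = pin_weaknesses(ext, pin)
        if reasons:
            weak[ext] = reasons
    return weak

if __name__ == "__main__":
    for ext, reasons in audit(SAMPLE_MAILBOXES).items():
        print(f"{ext}: {', '.join(reasons)}")
```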