Scott Wunsch wrote:
>On Mon, 11-Dec-2006 at 11:24:51 -0600, Scott Walde wrote:
>
>>sasksk.webcall.ca to my hosts file. Other than that, it was fairly
>>straightforward. You can TFTP your config file from their provisioning
>>server and read your SIP password out of that file. If anyone is
>>interested, i can go into more detail.
>>
>
>Yeah, I'm interested...
>
Cripes! I was just thinking about this, and realized how INSECURE their
system is. I'm almost unsure whether I _should_ publicly document it
now. Although, if I can crack it, anyone can...
(The following all assumes that you have already completed the normal
configuration of the Nortel ATA. I have reason to believe the password
does not get assigned until the ATA is configured with the supplied
software.)
On bootup the Nortel ATA TFTPs three files from webcall to get its
configuration:
C01L029.00.02_NORTEL-GENERAL.CFG (contains instructions for the ATA to
_not_ send 411, 911, and 0 to PSTN.)
C01L029.00.02_NORTEL-sktnsk_webcall_ca.CFG (file not found)
C01L029.00.02_NORTEL-00028Axxxxxx.CFG (where 00028Axxxxxx is the MAC
address of the Nortel ATA.)
The third file contains:
voip_user_user0_username=MY-10-digit-phone#
voip_user_user0_password=MY-SIP-PASSWORD
pppoe_password=0
provision_group=sktnsk_webcall_ca
provision_server_address=142.165.149.31
provision_server_port=69
upgrade_server_address=142.165.149.31
upgrade_server_port=69
upgrade_filename=C01L029.00.02_NORTEL-V2.0.0-PV3.6.CPR
ntp_server_address=time1.sasknet.sk.ca
ntp_timezone=-6
ntp_expires=86400
voip_sip_domain=sktnsk.webcall.ca
voip_sip_proxy_address=142.165.100.33
voip_sip_proxy_port=5060
voip_sip_registrar_address=142.165.100.33
voip_sip_registrar_port=5060
voip_sip_proxy_require=com.nortelnetworks.firewall
voip_sip_ping=150
voip_rtp_port=50000
voip_fax_t38=0
sktnsk.webcall.ca does _not_ resolve on the public DNS system. I first
tried simply using the ip address in Asterisk, but after comparing
ethereal dumps of the Nortel box successfully registering, and Asterisk
NOT registering, I came to the conclusion that the only thing different
was that Asterisk was sending the registration as 'myph#@142.165.100.33'
and the nortel box was sending 'myph#@sasksk.webcall.ca'. After adding
'142.165.100.33 sasksk.webcall.ca' to my hosts file, and configuring
Asterisk to use that name instead of the IP address, it worked!
So, my sip.conf contains the following:
register => myph#@sktnsk.webcall.ca:mypasswd:myph#@sasksk.webcall.ca
[sasksk.webcall.ca]
type=peer
host=sktnsk.webcall.ca
fromdomain=sktnsk.webcall.ca
fromuser=myph#
authname=myph#
username=myph#
secret=mypasswd
context=incoming
canreinvite=no
dtmfmode=inband
disallow=all
allow=ulaw
allow=alaw
outgoinglimit=1
insecure=very
qualify=no
BUT... Nortel thought it would be a good idea to periodically check if
the ATA was still there. Every 6 to 10 minutes, it sends a proprietary
PING message to the ATA. If it doesn't get a 200 OK response, it drops
the call in progress. Asterisk, probably properly, replies with '403
Unauthorized' to the packet it doesn't understand. A small patch was
made for Asterisk 1.2.10, and it applies fairly easily to 1.2.13. (the
patch has _no_ context, so you will have to compare the chan_sip.c files
from 1.2.10 with your own version to figure out where to add the
patch.) The patch can be found here:
http://bugs.digium.com/view.php?id=5747
So... what's to stop me from TFTPing other people's usernames/passwords
and using them for outgoing toll calls?
2 minutes of TFTPing config files with MAC addresses near mine suggest
"nothing." (I successfully pulled a file with someone's password...
haven't tried using it, and don't intend to, but I don't see any reason
why it wouldn't work.)
ttyl
srw
Received on Mon Dec 11 12:53:21 2006
This archive was generated by hypermail 2.1.8 : Mon Dec 11 2006 - 12:53:31 CST
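An added example (not code from the post or from the provider) that parses the key=value provisioning file format shown above, derives the per-device filename from a MAC address the way the third filename in the post is built, and flags which keys are plaintext secrets. The sample file text below is constructed; the phone number and password in it are made up, and the provider's real filename prefix/version string is taken from the post as an assumption that it is the only variable part besides the MAC.

```python
"""Parser for the Nortel ATA key=value provisioning file described in the post.
Added example, not the post's or the provider's code. SAMPLE_CFG is constructed."""
import re

# Constructed sample in the format the post shows; values are invented.
SAMPLE_CFG = """voip_user_user0_username=3065551234
voip_user_user0_password=s3cretSipPw
pppoe_password=0
provision_group=sktnsk_webcall_ca
provision_server_address=142.165.149.31
provision_server_port=69
voip_sip_domain=sktnsk.webcall.ca
voip_sip_proxy_address=142.165.100.33
voip_sip_proxy_port=5060
voip_sip_proxy_require=com.nortelnetworks.firewall
voip_sip_ping=150
"""


def parse_provisioning(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d is not key=value: %r" % (lineno, raw))
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def provisioning_filename(mac, version="C01L029.00.02", vendor="NORTEL"):
    """Build the per-device filename from the post's pattern
    <version>_<vendor>-<MAC>.CFG. Accepts 00:02:8a:..., 00-02-8a-... or bare hex.
    Note that the MAC is the only per-device input, and a MAC is not a secret."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError("MAC must have 12 hex digits: %r" % mac)
    return "%s_%s-%s.CFG" % (version, vendor, hexdigits)


def sip_credentials(cfg):
    """Return (username, password, sip_domain) the ATA registers with."""
    return (
        cfg["voip_user_user0_username"],
        cfg["voip_user_user0_password"],
        cfg["voip_sip_domain"],
    )


def plaintext_secret_keys(cfg):
    """Keys that look like secrets and carry a real value (the post's file has
    pppoe_password=0, which is a placeholder rather than a credential)."""
    return sorted(
        k for k, v in cfg.items()
        if "password" in k.lower() and v not in ("", "0")
    )


if __name__ == "__main__":
    cfg = parse_provisioning(SAMPLE_CFG)
    print("file for 00:02:8a:12:34:56 ->", provisioning_filename("00:02:8a:12:34:56"))
    print("SIP credentials:", sip_credentials(cfg))
    print("plaintext secrets present:", plaintext_secret_keys(cfg))
```

The practitioner's takeaway is in `provisioning_filename`: every input needed to name the file is either a constant or the device MAC, and TFTP (port 69 in the post's config) carries no authentication, so the SIP password's only protection is the unpredictability of a 48-bit MAC whose vendor prefix is fixed.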
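A second added example (not Asterisk code and not the chan_sip patch linked in the post) showing the two SIP-level details the post works out: a REGISTER whose SIP identity carries the provider's domain name while the datagram is addressed to the proxy IP, and a 200 OK reply to the keepalive the post calls a proprietary PING. The method name "PING", the header set, and the sample keepalive message are assumptions; unknown methods here get 405 Method Not Allowed (the RFC 3261 status for that case), whereas the post reports Asterisk answering with 403.

```python
"""Minimal SIP request parsing and responses. Added example, not Asterisk code.
PING_KEEPALIVE is a constructed message; the real keepalive format is not on the page."""
from dataclasses import dataclass

CRLF = "\r\n"

# Constructed keepalive in the shape the post describes (proxy -> ATA, expects 200 OK).
PING_KEEPALIVE = (
    "PING sip:3065551234@192.0.2.10 SIP/2.0" + CRLF +
    "Via: SIP/2.0/UDP 142.165.100.33:5060;branch=z9hG4bK-example" + CRLF +
    "From: <sip:142.165.100.33>;tag=abc" + CRLF +
    "To: <sip:3065551234@sktnsk.webcall.ca>" + CRLF +
    "Call-ID: keepalive-1@142.165.100.33" + CRLF +
    "CSeq: 1 PING" + CRLF +
    "Content-Length: 0" + CRLF + CRLF
)


@dataclass
class SipRequest:
    method: str
    uri: str
    version: str
    headers: list  # (name, value) pairs in wire order


def parse_request(raw):
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header: %r" % line)
        headers.append((name.strip(), value.strip()))
    return SipRequest(parts[0], parts[1], parts[2], headers)


def header(req, name):
    """Case-insensitive header lookup; SIP header names are case-insensitive."""
    for n, v in req.headers:
        if n.lower() == name.lower():
            return v
    return None


# A response echoes these from the request (RFC 3261 section 8.2.6.2).
COPIED = ("Via", "From", "To", "Call-ID", "CSeq")
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}


def build_response(req, status, reason):
    lines = ["%s %d %s" % (req.version, status, reason)]
    for name in COPIED:
        value = header(req, name)
        if value is not None:
            lines.append("%s: %s" % (name, value))
    lines.append("Content-Length: 0")
    return CRLF.join(lines) + CRLF + CRLF


def respond(raw):
    """Answer the keepalive with 200 OK so the proxy keeps the call up; any other
    unknown method gets 405. Normal methods return None (handled elsewhere)."""
    req = parse_request(raw)
    if req.method == "PING":
        return build_response(req, 200, "OK")
    if req.method not in KNOWN_METHODS:
        return build_response(req, 405, "Method Not Allowed")
    return None


def build_register(user, sip_domain, proxy_ip, proxy_port=5060,
                   local_ip="192.0.2.10", local_port=5060,
                   call_id="reg-1", cseq=1):
    """Return (udp_destination, message). The Request-URI, From and To use the
    provider's SIP domain (what the ATA sends), while the datagram goes to the
    proxy IP; this is the mismatch the post resolved with a hosts-file entry."""
    msg = CRLF.join([
        "REGISTER sip:%s SIP/2.0" % sip_domain,
        "Via: SIP/2.0/UDP %s:%d;branch=z9hG4bK-%s" % (local_ip, local_port, call_id),
        "From: <sip:%s@%s>;tag=%s" % (user, sip_domain, call_id),
        "To: <sip:%s@%s>" % (user, sip_domain),
        "Call-ID: %s@%s" % (call_id, local_ip),
        "CSeq: %d REGISTER" % cseq,
        "Contact: <sip:%s@%s:%d>" % (user, local_ip, local_port),
        "Content-Length: 0",
    ]) + CRLF + CRLF
    return (proxy_ip, proxy_port), msg


if __name__ == "__main__":
    print(respond(PING_KEEPALIVE))
    print(build_register("3065551234", "sktnsk.webcall.ca", "142.165.100.33")[1])
```

`build_register` makes the post's finding explicit: the registrar compares the domain in the SIP headers, not the address the packet arrived from, so pointing Asterisk at the bare IP changes the identity it claims rather than only where it sends. Whether answering every unauthenticated PING with 200 OK is acceptable is a separate question the post does not settle; the example answers only that one method.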