#!/bin/sh
# phorensix v.1
# J. Oquendo / sil @ infiltrated dot net
# 01/11/11
# Phorensix is a post-login VoIP forensics tool created for
# Asterisk (tested on Asterisk 1.4.5 to be exact).
# Phorensix takes a look at a rogue host connecting to a vulnerable
# account. Who is connecting, where are they coming from, what are they
# doing to my PBX, what are they doing ON MY PBX.
# It is a work in progress that can be scripted to take a list of
# accounts, and do the legwork... It uses tshark to capture a 2 minute
# network conversation between the attacker and host, does a quick
# lookup to see where the attacker is coming from, checks against
# rogue hosts via Shadowserver and can also block that subnet if need
# be.
# Because of the variances on Asterisk and the logging, I decided to
# ignore the bruteforcers, create an account (100) with a simple
# password (100) which would allow any brute forcer instance access
# to the account. This allows me to focus solely on people who are
# actually trying to make calls.
# Why shell, I use {perl,ruby,python,etc}@!? Simple; everyone's
# system differs. Rather than create a makefile and install yet more
# software on your machine, the system relies on what's almost
# always going to be available. Ugly, but functional.
# Requires: tshark and... that's it. Change the email address to get
# alerts sent upon the someone logging onto the honeypot.
#####################################################################
# #
# Sample extensions.conf context #
# #
#####################################################################
# [phorensix]
#
#
# ; First get and document the information for an attacker
# ; and place that information in a file
#
# exten => _X.,1,system(echo "${EXTEN} ${STRFTIME(${EPOCH},EDT,%F-%T)} - ${CALLERID} - ${CHANNEL}" >> /usr/phorensix/calls)
#
# ; Here we will answer a call 50% of the time. This variable is inverted
# ; so to answer say 10% of the calls, the number needs to be 90. Don't
# ; ask about the backwardness (Asterisk)
#
# exten => _X.,2,GotoIf($[${RAND(0,99)} + 50 >= 100]?s|1)
#
# ; Everything else simply gets recorded for evidence, etc., no one
# ; would want to consistently answer 1+ calls per second. It's not
# ; necessary.
#
# exten => _X.,1,system(/usr/local/bin/phorensix&)
# exten => _X.,2,Answer
# exten => _X.,3,Record(/usr/phorensix/recordings/phorensix%d:wav)
# exten => _X.,4,Wait(5)
# exten => _X.,5,Hangup
#
#
# exten => s,1,system(/usr/local/bin/phorensix&)
# exten => s,2,Dial(SIP/your.account.if.you.want.to.answer.phones)
# exten => s,3,Hangup
#####################################################################
# #
# Sample sip.conf context #
# #
#####################################################################
# [100]
# username=100
# secret=100
# canreinvite=no
# host=dynamic
# nat=yes
# canreinvite=no
# allow=ulaw
# disallow=all
# qualify=yes
# context=phorensix
# dtmfmode=rfc2833
# type=friend
# callerid=Phorensix 100<12125551212>
# alwaysauthreject=yes
#
peer='(Unspecified)'
while true ; do
if [ `asterisk -rx "sip show peer 100"|strings|awk '/Addr/{print $3}'` = "$peer" ] ; then
exit
else
now=`date +%Y%m%d`
attacker=`asterisk -rx "sip show peer 100"|strings|awk '/Addr/{print $3}'`
mkdir /usr/phorensix/$attacker-$now && cd /usr/phorensix/$attacker-$now
echo "whois -h whois.asn.shadowserver.org 'peer $attacker verbose' >> /usr/phorensix/$attacker-$now/shadowlookup-$attacker-$now.txt" | sh
echo "tshark -R \"ip.addr == $attacker\" -w /usr/phorensix/$attacker-$now/$attacker-$now.cap -a duration:120 | grep -vi specified" | sh &
traceroute $attacker > /usr/phorensix/$attacker-$now/$attacker-trace.txt
md5sum /usr/phorensix/$attacker-$now/shadowlookup-$attacker-$now.txt > /usr/phorensix/$attacker-$now/$attacker-$now-checksum.txt
md5sum /usr/phorensix/$attacker-$now/$attacker-$now.cap >> /usr/phorensix/$attacker-$now/$attacker-$now-checksum.txt
md5sum /usr/phorensix/$attacker-$now/$attacker-trace.txt >> /usr/phorensix/$attacker-$now/$attacker-$now-checksum.txt
echo `hostname` | mail -s "Phorensix on `hostname` has been triggered" your@email.address.goes.here.com
fi
done