[VoiceOps] Fraud fun

J. Oquendo sil at infiltrated.net
Wed May 18 16:18:45 EDT 2011 

On 5/18/2011 3:55 PM, anorexicpoodle wrote:
> its funny, I have used this approach on several personal servers that
> got an undeserved amount of attention from APNIC. Originally I
> followed similar methodology of simply blocking, but after a while I
> began having fun and using the script to have IP tables NAT all of the
> attackers back at one of them randomly. Admittedly these were mostly
> attacks against TCP based services.
>
> It was a lot like having an ant farm full of scammers and software
> pirates.
>
> Sorry for getting sorta off-topic....
>
> -anorexicpoodle
>

There is the phorensix dialplan/context/honeypot slash Incident Response
;) (http://www.infiltrated.net/scripts/phorensix) I once swapped over a
comprised account into that context and out of boreDumb did some
interesting things: "In order to place this call please enter a
callback" wish at the time I had that in Egyptian. Nevertheless you'd be
surprised at how many "scamsters" dial their own numbers trying to test
whether or not an account they compromised works. I also did some not so
interesting and outright juvenile things - made a dialplan that had them
conversate with Les Grossman
(http://www.google.com/search?q=les+grossman) to play back the captured
sound :D Hey I get bored!. Anyhow, I noticed while doing all of this,
there was A LOT of potential to do some interesting things. 

The biggest gripe I have with Asterisk and other open source based PBXs,
is the symmetry in logs. Its not fluid. One of the reasons I never built
an "all out" honeypot. I have to modify so much across different
versions. However, this is also the beauty of Asterisk and similar open
source type PBXs, there is so much you can do but it almost always needs
to be custom. I also have an insane expect to .bashrc script back to
expect + ssh key script which runs on an SBC, parses some of the SBC
logs, pushes the output to a Linux machine, gets re-parsed on the Linux
box, triggers alert (right now to my SIP Blackberry client & Snom) based
on predefined params (volume of calls, destination of calls) and has the
capability of doing trigger based blocking (expect). Right now though,
its only running on our nCite SBCs and once I become more comfortable
with our Acme's logging capabilities, I may do the same type of
scripting: From syslog based machine, parse elsewhere, sort out, pick
out a trigger, create a rule, send it via expect to some defense
mechanism. Depends on how REALLY bored I get and whether or not I
actually even start looking at our Acmes. (Personally, I'd rather leave
this to my colleague ;))


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

More information about the VoiceOps mailing list