News archive February 2009 - Koos van den Hout


2009-02-17
I got reminded of my Alcatel stats again and some Google searches and some combining of clues (the logical place would be in the 'td call' command) led me to the right answer at DMTv7 für Speedtouch 516 536 546 585 608 706 716 780 to get the dsl linestats from a Speedtouch 546/546i: :td call cmd="tdsl getData all". Trying it:
*              ____/
*
------------------------------------------------------------------------
=>:td call cmd="tdsl getData all"

=====================DISCLAIMER======================
 Access to expert commands is intended for qualified 
 personnel only.                                     
==================END=OF=DISCLAIMER==================

Vendor Information
   phyType=2  phyMjVerNum=4  phyMnVerNum=0 
   phyVerStr=B2pBT004.d15b 
   drvMjVerNum=14  drvMnVerNum=20482 
   drvVerStr=15b 
And suddenly lots of data including the signal/noise ratio per carrier. So after stopping gathering Alcatel Speedtouch graphs in 2005 because I switched to a Speedtouch 546i I can now gather the stats again and create the graphs daily. In the meantime gnuplot changed a bit but with some tweaking of the plotscript I now have the first S/N graph of the 546i as I want it.

2009-02-15
Today was not going to be cycling weather, so I started on a project for which the parts had been lying ready for a while: replacing the inner tubes and tyres of my recumbent bicycle and cleaning the chain. The tyres had covered an estimated 7000 kilometers, so replacing them was useful. The Nazca Pioneer already had Schwalbe Marathon tyres, which I have been very happy with, so I chose these tyres again. I briefly considered the Marathon Plus, which is even more puncture resistant, but weighing extra puncture resistance against rolling resistance came out at 'no more rolling resistance'. When fitting tyres I always have some trouble convincing them that 'round' is the ideal shape; usually slight bumps remain despite pushing and pulling. This time I tried the method 'pump them up properly right away' and somewhere around 6 bar both front and rear tyre popped into the right round shape. The maximum for these tyres is 7 bar and that is what I went for.
In addition I cleaned the chain. Because I had cycled through the rain a few times recently and had not cleaned the chain right away, it had started to rust quite a bit, which did not help the speed either. The chain spent a night in a bath of diesel and that got the necessary dirt out. I have now also learned the tricks of the master link. So I can carry on again for a while, at full speed.
Update 2009-02-16: Yes it works, average speed to work this morning 23.94 kilometers per hour.

2009-02-13
It being Friday afternoon I fired up vlc to see if there were any interesting announcements of multicast streams. And yet another university, this time one in the UK was leaking their entire TV program lineup (all UK terrestrial programs, which is quite a list). I tried the programs but nothing worked until I tried the last one: BBC HD. This one does work, giving over 20 megabit of video in HD. Screenshot of the BBC HD logo animation (1600x1080px)

2009-02-10
After the attack I saw on an asterisk server which was most likely scanning for valid user accounts to use in international dialing I am wondering if I can 'play' with users who try to abuse an asterisk setup.

For the hcc!pc gg netwerkgroep demo asterisk I scripted a sort of teaser for users trying to dial abroad:

[internationaltrick]
; not really dial an international number: play an interesting 'wrong number'

exten => _00XXXXXXXXXX.,1,Wait(5)
exten => _00XXXXXXXXXX.,n,Goto(wrongnumber,s,1)
The delay is to add confusion to how many digits it accepts (although someone using 'early dialing' could see when asterisk reports back it has seen enough digits). What the wrongnumber routine does is play a random 'wrong number' recording taken from Telephone world - International sounds & recordings so someone who tries this who is actually listening to call progress might think he is on to something and spend hours trying to find the right way.

2009-02-10
Because of the still somewhat troublesome ribs and the nasty weather I took the car this morning. Unfortunately the police found it necessary to hold an extensive check at one of the busiest spots on the route during the morning rush hour: on the Sartreweg only 1 lane was available in the southbound direction, causing traffic to jam up enormously on the Kardinaal de Jongweg and the Biltse Rading, map on OpenStreetMap. I have seen such a check more often on Tuesdays; I am guessing there is a link with the car market. It is just very annoying that the delay in the morning rush hour increases enormously because of such a check.

2009-02-09
I used the recumbent bicycle today to get to work. After the little snowboarding mishap I used the car last week but today I wanted to bicycle again as Dutch traffic is busy and I miss the exercise when I'm not bicycling. I did notice I do use muscles in the bruised area when bicycling: especially making speed was a bit painful.

2009-02-08
Another scan of the vhf/uhf spectrum in Brunssum, and this time I got lucky and found the VRT dvb-t bouquet at 506 MHz (UHF 25) from Genk. With scan:
scanning /usr/share/doc/dvb-utils/examples/scan/dvb-t/be-Genk
using '/dev/dvb/adapter0/frontend0' and '/dev/dvb/adapter0/demux0'
initial transponder 506000000 0 1 9 3 1 3 0
>>> tune to: 506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE
0x0000 0x1090: pmt_pid 0x1090 VRT -- Klara continuo (running)
0x0000 0x1080: pmt_pid 0x1080 VRT -- MNM (running)
0x0000 0x1070: pmt_pid 0x1070 VRT -- Studio Brussel (running)
0x0000 0x1060: pmt_pid 0x1060 VRT -- Klara (running)
0x0000 0x1040: pmt_pid 0x1040 VRT -- Radio 1 (running)
0x0000 0x1050: pmt_pid 0x1050 VRT -- Radio 2 (running)
0x0000 0x1010: pmt_pid 0x1010 VRT -- EEN (running)
0x0000 0x1020: pmt_pid 0x1020 VRT -- Canvas/Ketnet (running)
0x0000 0x10b0: pmt_pid 0x10b0 VRT -- Canvas+/Ketnet+ (running)
0x0000 0x10a0: pmt_pid 0x10a0 VRT -- Sporza (running)
0x0000 0x10c0: pmt_pid 0x10c0 VRT -- Nieuws+ (running)
0x0000 0x10d0: pmt_pid 0x10d0 VRT -- MNM hits (running)
Network Name 'VRTmux1'
>>> tune to: 482000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_1_2:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE
WARNING: >>> tuning failed!!!
>>> tune to: 482000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_1_2:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE (tuning failed)
WARNING: >>> tuning failed!!!
dumping lists (12 services)
Klara continuo:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:0:4241:4240
MNM:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:0:4225:4224
Studio Brussel:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:0:4209:4208
Klara:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:0:4193:4192
Radio 1:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:0:4161:4160
Radio 2:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:0:4177:4176
EEN:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:4113:4114:4112
Canvas/Ketnet:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:4129:4130:4128
Canvas+/Ketnet+:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:4273:4274:4272
Sporza:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:0:4257:4256
Nieuws+:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:0:4289:4288
MNM hits:506000000:INVERSION_AUTO:BANDWIDTH_8_MHZ:FEC_1_2:FEC_AUTO:QAM_64:TRANSMISSION_MODE_8K:GUARD_INTERVAL_1_4:HIERARCHY_NONE:0:4305:4304
In the evening reception was ok, during the day lots of errors. I guess an outside antenna with preamp could make this usable. I updated the DVB experiments with the new data. This brings the total listing of free-to-air services found in this place to 24 television and 24 radio stations. The tuning to 482 MHz is because that is the other VRTmux1 frequency.

2009-02-06
High level of Friday afternoon in this one: Microsoft Research came up with Songsmith software and 'promotes' it with a very very cheesy video (notice the brand of the laptop?). Songsmith is software to add music to singing. What people started doing is taking voice tracks from existing music and letting Songsmith add new music, leading to the most interesting ways to make you cringe: We Will Rock You - Queen versus Songsmith, "Beat It" by Michael Jackson, and a metal rickroll just to be sure.

2009-02-05 Witnessing an attack on an Asterisk server
Recently I was busy configuring the home asterisk server and I used a softphone to test connected to the demo server I run for several asterisk projects. It all started to work, I could leave voicemail, retrieve voicemail, delete voicemail. Great. Because I was debugging stuff, I had several asterisk consoles open to view messages about my tests.

That demo-server is connected to the internet-at-large. The idea is that one can take a sip-client and 'dial' sip:eham@idefix.net and hear the latest weather. So there is an Asterisk context for guest sip callers. It also has a few accounts for other tests.

While working on my stuff I suddenly saw lots of messages on the console of the demo-server. Loads and loads about failed registrations. Constantly flooding messages. Just as I was going to tcpdump the traffic to save it, it stopped: less than 10 minutes.

Log entries from the attack

I'm not going to post all 19511 entries.
First, what seems to be a probe:
Feb  3 22:54:31 NOTICE[28514] chan_sip.c: Registration from '"613430211"<sip:613430211@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Then, possible accounts are enumerated:
Feb  3 22:54:31 NOTICE[28514] chan_sip.c: Registration from '"0"<sip:0@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:54:31 NOTICE[28514] chan_sip.c: Registration from '"1"<sip:1@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:54:31 NOTICE[28514] chan_sip.c: Registration from '"2"<sip:2@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:54:31 NOTICE[28514] chan_sip.c: Registration from '"3"<sip:3@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:54:31 NOTICE[28514] chan_sip.c: Registration from '"4"<sip:4@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:54:31 NOTICE[28514] chan_sip.c: Registration from '"5"<sip:5@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Running through the numbers:
Feb  3 22:54:32 NOTICE[28514] chan_sip.c: Registration from '"98"<sip:98@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:54:32 NOTICE[28514] chan_sip.c: Registration from '"99"<sip:99@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:54:32 NOTICE[28514] chan_sip.c: Registration from '"100"<sip:100@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:54:32 NOTICE[28514] chan_sip.c: Registration from '"101"<sip:101@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:54:32 NOTICE[28514] chan_sip.c: Registration from '"102"<sip:102@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Only giving up at:
Feb  3 22:56:12 NOTICE[28514] chan_sip.c: Registration from '"9993"<sip:9993@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:56:12 NOTICE[28514] chan_sip.c: Registration from '"9994"<sip:9994@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:56:12 NOTICE[28514] chan_sip.c: Registration from '"9995"<sip:9995@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:56:12 NOTICE[28514] chan_sip.c: Registration from '"9996"<sip:9996@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:56:12 NOTICE[28514] chan_sip.c: Registration from '"9997"<sip:9997@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:56:12 NOTICE[28514] chan_sip.c: Registration from '"9998"<sip:9998@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
Feb  3 22:56:12 NOTICE[28514] chan_sip.c: Registration from '"9999"<sip:9999@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Username/auth name mismatch
It seems the reply tells the difference between valid and invalid accounts, because the attacker knows the valid accounts seen and starts trying those, probably trying to guess the password:
Feb  3 22:56:30 NOTICE[28514] chan_sip.c: Registration from '"1082"<sip:1082@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Wrong password
Feb  3 22:56:30 NOTICE[28514] chan_sip.c: Registration from '"1082"<sip:1082@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Wrong password
Feb  3 22:56:30 NOTICE[28514] chan_sip.c: Registration from '"1082"<sip:1082@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Wrong password
Feb  3 22:56:30 NOTICE[28514] chan_sip.c: Registration from '"1082"<sip:1082@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Wrong password
Feb  3 22:56:30 NOTICE[28514] chan_sip.c: Registration from '"1082"<sip:1082@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Wrong password
Feb  3 22:56:30 NOTICE[28514] chan_sip.c: Registration from '"1082"<sip:1082@xxx.yyy.zzz.xxx>' failed for '86.72.2.248' - Wrong password
The interesting difference: 98 tries for account 1082 and 9612 for account 1071. All failed: I guess using pwgen for sip passwords was a good idea after all.
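
The two phases visible in the log excerpts above (username enumeration, then password guessing against specific accounts) can be separated per source address from a chan_sip log. This is an added example, not the author's tooling; the sample lines are constructed in the format shown above with documentation-range addresses, and the `year` and `enum_threshold` parameters are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the chan_sip registration-failure NOTICE format shown in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<user>[^\"]*)\"<sip:[^>]*>' failed for "
    r"'(?P<ip>[^']+)' - (?P<reason>.+)$"
)


def summarize(lines, year=2009, enum_threshold=5):
    """Group failed registrations per source IP and split the two phases.

    year: syslog-style timestamps carry no year, so one is assumed.
    enum_threshold: distinct unknown usernames from one IP that count
    as enumeration (assumed value, tune for your site).
    """
    per_ip = defaultdict(lambda: {"probed": set(), "guessed": Counter(), "times": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a registration failure, ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        state = per_ip[m["ip"]]
        state["times"].append(ts)
        if m["reason"] == "Wrong password":
            # The account exists: this is the password-guessing phase.
            state["guessed"][m["user"]] += 1
        elif m["reason"] == "Username/auth name mismatch":
            state["probed"].add(m["user"])
    report = {}
    for ip, state in per_ip.items():
        span = max(state["times"]) - min(state["times"])
        report[ip] = {
            "enumerating": len(state["probed"]) >= enum_threshold,
            "usernames_probed": len(state["probed"]),
            "password_guesses": dict(state["guessed"]),
            "seconds": int(span.total_seconds()),
        }
    return report


def _line(ts, user, ip, reason):
    # Builds one constructed sample line; 192.0.2.10 stands in for the server.
    return (f"Feb  3 {ts} NOTICE[28514] chan_sip.c: Registration from "
            f"'\"{user}\"<sip:{user}@192.0.2.10>' failed for '{ip}' - {reason}")


# Constructed sample: a scanner (203.0.113.7) and one user mistyping a password.
SAMPLE = (
    [_line("22:54:31", n, "203.0.113.7", "Username/auth name mismatch")
     for n in range(100, 106)]
    + [_line("22:56:30", 1082, "203.0.113.7", "Wrong password")] * 3
    + [_line("23:10:02", 1071, "198.51.100.9", "Wrong password")]
)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```
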

It's a fast attack

Less than 10 minutes and if I would have had any weak passwords on one of the sip accounts I would have been toast. Most probable use of a found account: trying to call internationally on my dime.

I would almost consider setting up a dummy account with a bad password that would end up in a context where I just log all numbers tried. Almost.

What tools were probably used

Quite likely SIPVicious. I downloaded it myself and tried it on an asterisk server and got the same patterns in the logs. Using svwar you can map valid extension numbers and whether they need authorization and feed those to svcrack with a file of possible passwords.

How to defend against this

First of all: don't expose your SIP server to the Internet unless you really have good reasons to do so. This is an interesting conflict: interesting SIP peering tricks depend on open access to your SIP port. But at least Asterisk has an option to open yourself somewhat to the Internet at large while keeping your own phones limited to your internal network: use deny and permit based ACLs.
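
A sketch of the deny/permit approach in sip.conf, added here as an example and not taken from the author's configuration: the context names, the 192.168.1.0/24 internal network and the secret placeholder are assumptions. `alwaysauthreject` is a chan_sip option the post does not mention; it makes the server reject requests for existing and non-existing usernames in the same way, which removes the valid/invalid difference an enumeration run relies on.

```ini
; sip.conf fragment (illustrative, names and networks are assumptions)
[general]
context=guest             ; unauthenticated callers land in a restricted guest context
alwaysauthreject=yes      ; same rejection for valid and invalid usernames

; Weak: this account may register from any address on the Internet
;[1082]
;type=friend
;host=dynamic
;secret=<generated-password>

; Restricted: same account, registration only accepted from the internal network
[1082]
type=friend
host=dynamic
secret=<generated-password>
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
```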

Give your SIP accounts good passwords. Use pwgen or another password generating tool. This is a good reason to use automatic provisioning tools where both the config file for the phone and the SIP account are autogenerated: you can use complicated generated passwords for your SIP accounts, add them to your PBX config automatically, add them to the phone config automatically and only the phone and the PBX need to know... that at least keeps out external attackers. The phone can still read the password from the config so an attacker with access to the config files can get at them too. And your provisioning tools can clean out any unused phone accounts so dormant accounts aren't abused either.


2009-02-04
More people considered programming twitter, and thinkgeek sells a device to make your plants send a twitter message when they need water.

2009-02-03
Ok, the imap storage for asterisk voicemail works like the proverbial charm. I needed some work on the home dialplan and setup before I could test it, but I was able to leave a message to the home mailbox, seeing it stored in the voicemail imap box and retrieve and delete it using a telephone connected to the ISDN port accessing the VoicemailMain application. The access number for voicemail is now set to 0140-1233 to (sort of) stay in line with the Dutch numbering plan. There is no customer-service at 0140-1200 planned...

2009-02-03
Ok, got that bit fixed too: asterisk uses imap as storage backend for voicemail. In modules.conf:
noload => app_voicemail_odbc.so
noload => app_voicemail.so
load => app_voicemail_imap.so
This is with the ubuntu package recompiled to use misdn, so the selection of voicemail storage is a question of which .so to load. In voicemail.conf :
[general]
imapserver=koos.idefix.net
imapfolder=INBOX.calls

[default]
9911 => 19999,House mailbox,,,Tz=european|imapuser=housemail|imappassword=S3cr1t
Now voicemail is saved only on the imap-server, so I can view it with Thunderbird. Or use the asterisk voicemail application to retrieve and delete it. That bit is not tested yet. After all the testing of drivers including heavy torture it's now time to set up a dialplan for the home pbx. Rule 1 of playing with the phones at home is that normal dialing still has to work so my wife can call the numbers without having to dial '0' for an outside line or other tricks, and that the phone in the living room rings when a call comes in. So I have to set up a 'number plan' which allows for special things but also makes all normal numbers work as they should. Solution: I use the 0140 area code, which is reserved (in the Netherlands) for test-numbers for the telecom provider. I am my own telecom provider so I can divert 0140 and do stuff with it, like provide voicemail or internal dialing.

2009-02-03
IMAP can do great things, but more advanced things always seem half-documented and lots of searching. I tried to set up shared mailboxes. At home I want a shared mailbox for the voicemails from Asterisk so Mirjam and I can both check the imap inbox, listen to messages and delete them when they are not interesting anymore. Ideally I'd like asterisk to use IMAP as backend storage so we can still access the voicemail over the phone and deleting the voicemail via the phone menu is the same as deleting it from the imap server with a mail client (that's almost something like unified communications!). The next nicest option is to have the voicemails mailed to the shared voicemail mailbox. Still working on getting that fixed. Anyway, setting up the shared mailbox in courier is a bit vague. Not all documentation agrees, but finally the right answer is in /usr/share/doc/courier-base/README.sharedfolders.txt.gz how to set up a server shared mailbox via the shared mailbox index file set as IMAP_SHAREDINDEXFILE in /etc/courier/imapd. A lot of fiddling with rights was needed: by default shared mailbox users can't do anything with it. A light sprinkling of chmod 770 and chgrp voicemail fixed that. The last bit is that the imap server needs to know which other users have full access, using maildiracl to set this up. All now works and we can both read and delete mails. The shared box shows up as #shared.voicemail.calls next to the normal Inbox and Inbox.Sent.

Next needed was shared mailboxes at work so all members of the system group can see the mailboxes where cronjobs from all systems dump their stuff. I never got the same 'system shared mailbox' to work as at home so I decided to go for the 'filesystem shared mailbox' which is set up by creating a file shared-maildirs in your imap directory. That file just lists an alias and a base directory for the mailboxes to access. Rights on the shared boxes still need to be very open which is not my idea of a safe system. But that works, so everybody can see the 'postmaster', 'ups' and other boxes where system mail ends up and delete it when it is not an error message. Those shared boxes show up as shared.systeemgroep.ups and shared.systeemgroep.postmaster in Thunderbird and mutt (haven't checked other clients yet).


2009-02-01
Back from snowboarding holiday in .. Samoëns, France. Yes, the same village as last year. The village, the Grand Massif ski area and especially the Viking Lodge apartment were so good we had to get back. I had fun snowboarding although I bruised a few ribs in a fall I had Wednesday on the Cascade piste: it turned icy and I lost balance and fell on my frontside.



Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.