So you are looking for an easy way of surfing the hidden network of .onion domains?. Many people probably will use some of the proxies available to reach the .onion domains. Unfortunately this is not a good idea for your privacy since the proxy owner can spy all your communications.

So, I’m going to explain in 3 easy steps how to configure Firefox to access .onion domains directly through your local Tor daemon. This way, we ensure all traffic goes directly to the tor network.

1. Install Tor daemon.

On Debian/Ubuntu Linux distributions this is as easy as:

• 
sudo apt-get install tor

2. Configure Firefox to tunnel requests to .onion domains via the Tor network

This is the tricky part, because we only want Firefox to tunnel requests to .onion domains via the Tor network, but we don’t want Firefox tu tunnel all the other requests via the Tor network. To achieve this we are going to use a proxy configuration file.

• Save the following content in a file (for example as ~/.proxy_pac)

  function FindProxyForURL(url, host) {
      isp = "PROXY ip_address:port; DIRECT";
      tor = "SOCKS 127.0.0.1:9050";
      if (shExpMatch(host,"*.onion")) {
          return tor;
      }
      return "DIRECT";
  }
  

• And configure Firefox to use that file as a proxy configuration file (Edit->Preferences->Advanced->Network->Settings->Automatic proxy configuration URL).
  • You have to use the following syntax: file://absolute-path-to-the-file
  • If you are not sure, just open a new firefox window, and type on the browser location bar (the place where you type web addresses) the following URL file://. Now just browse your HDD to where you saved that file, right click on it and select Copy Link Location. Now paste such link location on the Automatic proxy configuration URL settings.
3. Configure Firefox to tunnel DNS queries via a SOCKS5 proxy

The last step is to tell Firefox that it should tunnel the DNS lookups via the Tor SOCKS5 proxy when we want to access a .onion domain. By default firefox will try to resolve .onion domains using our local DNS resolver, therefore it will fail to do that.
To fix this, we should enable network.proxy.socks_remote_dns on the advanced configuration page:

• In the browser location bar (the place where you type web addresses), type about:config and press Enter. This opens a different set of Firefox preferences. Where it says Search: at the top, type network.proxy.socks. The list of preferences will automatically change to show your proxy preferences.
  Highlight network.proxy.socks_remote_dns by clicking it only once. Then, right-click it. This opens a small pull-down menu. Select Toggle from the menu to change its value to true.

This will make Firefox to tunnel all the queries to .onion domains via our local Tor daemon. This also adds privacy by preventing DNS queries to .onion domains from leaking.

Now restart Firefox and you should be able to surf .onion domains directly.

Bluebox-ng

Bluebox-ng is a next generation UC/VoIP security tool. It has been written in CoffeeScript using Node.js powers. This project is "our 2 cents" to help to improve information security practices in VoIP/UC environments.

•  GitHub repo: https://github.com/jesusprubio/bluebox-ng
• Demo: http://www.youtube.com/watch?v=02AuYf66sx0

Install deps

•  cd bluebox-ng
• npm install

Run

• npm start

Features

• Automatic pentesting process (VoIP, web and service vulns)
• SIP (RFC 3261) and extensions compliant
• TLS and IPv6 support
• VoIP DNS SRV register support
• SIP over websockets (and WSS) support (draft-ietf-sipcore-sip-websocket-08)
• REGISTER, OPTIONS, INVITE, MESSAGE, SUBSCRIBE, PUBLISH, OK, ACK, CANCEL, BYE, Ringing and Busy Here requests support
• Extension and password brute-force through different methods (REGISTER, INVITE, SUBSCRIBE, PUBLISH, etc.)
• DNS SRV registers discovery
• SHODAN and Google Dorks
• SIP common vulns modules: scan, extension brute-force, Asterisk extension brute-force (CVE-2011-4597), invite attack, call all LAN endpoints, invite spoofing, registering hijacking, unregistering, bye teardown
• SIP DoS/DDoS audit
• SIP dumb fuzzer
• Common VoIP servers web management panels discovery and brute-force
• Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
• Automatic vulnerability searching (CVE, OSVDB)
• Geolocalization using WPS (Wifi Positioning System) or IP address (Maxmind database)
• Colored output
• Command completion

Roadmap

•  Tor support
• More SIP modules 
• SIP Smart fuzzing (SIP Torture RFC)
• Eavesdropping
• CouchDB support (sessions)
• H.323 support
• IAX support
• Web common panels post-explotation (Pepelux research)
• A bit of command Kung Fu post-explotation
• RTP fuzzing
• Advanced SIP fuzzing with Peach
• Reports generation
• Graphical user interface
• Windows support
• Include in Debian GNU/Linux
• Include in Kali GNU/Linux
• Team/multi-user support
• Documentation
• ...
• Any suggestion/piece of code ;) is appreciated.

Author

Jesús Pérez

• @jesusprubio
• jesusprubio gmail com
• http://nicerosniunos.blogspot.com/

Contributors

Damián Franco

• @pamojarpan
• pamojarpan google com

Jose Luis Verdeguer

• @pepeluxx](https://twitter.com/pepeluxx)
• pepelux enye-sec org
• http://www.pepelux.org/

Thanks to ...

• Quobis, some hours of work through personal projects program
• Antón Román (@AntonRoman), he speaks SIP and I'm starting to speak it thanks to him
• Sandro Gauci (@sandrogauci), SIPVicious was our inspiration
• Kamailio community (@kamailioproject]), my favourite SIP Server
• David Endler and Mark Collier (@markcollier46), authors of "Hacking VoIP Exposed" book
• John Matherly (@achillean) for SHODAN API and GHDB
• All VoIP, free software and security hackers that we read everyday
• Loopsize, a music hacker (and a friend) creator of the themes included in demos

License

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see .

I have spent some time analyzing which could be the best way to protect a privative version of a webphone based on QoffeeSIP that we are developing now at Quobis. I have seen this same question on different sites with quite confusing responses. So I'm going to share what I learned just in case it could help to anybody.

Well, I'm not going to define what is WebRTC because Internet is full of it this year (only overtaken by cats ;). For our purposes we have to consider that our app is a Javascript library. Really there is also HTML/CSS code but what I think that is important is Javascript, but HTML/CSS can also be protected in the same way but with other tools.

First of all I want to remark that protect your code in the sense of anybody could copy/modify and redistribute it is impossible since Javascript is only text. If anybody had enough time (or money) this code could be reversed. But, as always, we can do things trying to avoid it as far as possible.

In general, I found that there is a bit confusion between minimize and obfuscate terms so we're going to speak a bit about these techniques.

Minimization

The target is to get the code as small as possible. Obviously generated code is more difficult to understand, but it could be easily reversed with tools like JSbeautifier. (really not as easy depending of the minimizing tool)

Some common possible options at this point are:

• UglifyJS: The coolest thing right now xD. It is a Node.js package so it's easy to include. Some days ago version 2 was published. We will see that it's fast, really fast.
• Google Closure Compiler which uses Google to its apps. It is availiable a Java command line tool but there are node modules which use the online API.
• YUI Compressor from Yahoo, it was the facto standard but now last alternatives are beating it.

A little comparison: I can't find original link, sorry :(

• Average time: (lower is better)
• UglifyJS: 0.11554 seconds
• Closure: 1.41037 seconds
• Average reducction: (higher is better)
•  UglifyJS: 45.6%
• Closure: 51.5%

NOTE: Another one (more complete) with YUI included too.

In my experience Google Closure generated code is better because besides minimization tasks it includes code checking too. It provides warnings for dangerous or illegal Javascript. Moreover I like that you can use this online service to check your code while developing.



Obfuscation

It is defined as "the hiding of intended meaning in communication, making communication confusing, wilfully ambiguous, and harder to interpret." (Wikipedia).

We have some options here when we are working with a web app:

• Encrypt the transport layer: needed to avoid sniffing to another users of the same LAN. So using HTTPS to serving the application is a must.
• Encryption: Encrypt application data and decrypt it on the fly via your own javascript enccryption library.
• Move functions to the server side, which it's not possible in the case of WebRTC because we want end to end media.
• Use a browser plugin, it has no sense since one of the advantages of WebRTC is that the user doesn't have to install anything.
• Implement the code in native client for Chrome browser. The advantaje is that common C code protections can be used and the app runs sandboxed. But it is not our case because we need multi-platform support.
• To avoid legal issues you should incude a note (a Javascript comment) referencing the copyright in each copy of the .js library. Something similar to Free Software Foundation recommendations for free Javascript code. An example could be:

NOTE: Really @source tag is proposed by FSF to include a link to source code of the app. But I think that it could be a good idea to use it because browser plugins that follow the recommendations should "understand" it.

Some weeks ago we published QoffeeSIP, the Javascript SIP over websockets stack which we use to develop our WebRTC products in Quobis. An example is IdentityCall, a system designed to provide call authentication in traditional VoIP and IMS environments. Now it achieves the same goal in WebRTC ones, interconnecting them at the same time with PSTN network.

Today I’m showing a different case of use that those proposed in examples (the "simplest-example" and a "webphone"). I’m going to write a simple (but for sure the first one in the world ;) SIP over websockets server scanner. It should send a valid SIP (over websockets) petition, parse the interesting info from the response ( i.e. "User-Agent") and print it. I’m using the simplest example as basis, here there are the description of the changes I made on the code:
- In this case no HTML video tags are provided to the constructor. The reason is that we are only using websocket features of the stack, not WebRTC ones.
- Some stuff deleted from the interface in order to ask only for needed parameters (ip address, port and optionally the extension used to made the registration).
- Media parts were also deleted from script.coffee file, which defines the logic of the app.
- Obviously we need to change this logic so I added some code at the end. In this case we are saying that when states 2 (Registering after challenge) or 3 (Registered) are reached, received message is going to be parsed.
- Then strings "User-Agent", "Server" and "Organization" are parsed from this response and printed. Really we are getting it from an object with the property "frame".
- Finally, makefile is modified in order to generate the output with the correct name.

script.coffee

##
# Copyright (C) Quobis
# Project site: https://github.com/Quobis/QoffeeSIP
# 
# Licensed under GNU-LGPL-3.0-or-later (http://www.gnu.org/licenses/lgpl-3.0.html)
##


# On document ready...
$ ->
    # Avoid page "reloading" on submit.
    $("form").submit (e) ->
        e.preventDefault()
        false

    # Declaration of api.
    api = null

    $("#init").submit =>
        options =
            server: {ip: $("#server-ip").val(), port: $("#server-port").val()}
            onopen: =>
                api.register "qoffeesip", "anonymous"
        api = new API options
        api.on "new-state", (state, message) ->
            switch state
                when 2,3
                    userAgentRE =  /User-Agent:(.*)/i
                    serverRE =  /Server:(.*)/i
                    organizationRE =  /Organization:(.*)/i

                    matchUa = userAgentRE.exec message.frame
                    matchServer = serverRE.exec message.frame
                    matchOrganization = organizationRE.exec message.frame

                    output = matchUa or matchServer or matchOrganization
                    $("#output").text(output[0])

index.jade

//-
//- @source: https://github.com/Quobis/QoffeeSIP
//- Copyright (C) Quobis
//- Licensed under GNU-LGPL-3.0-or-later (http://www.gnu.org/licenses/lgpl-3.0.html)
//-


!!!
head
    title SIP over websockets scanner
    script(src="lib/jquery-1.8.0.min.js")
    script(src="lib/spine.js")
    script(src="lib/underscore.js")
    script(src="lib/qoffeesip.js")
    script(src="script.js")

body
    form(id="init")
        input(id="server-ip", type="text", placeholder="Server IP", required)
        input(id="server-port", type="number", placeholder="Port", required)
        input(type="submit", value="Scan")

div(id="output") 

- Confirm you have installed coffeeScript and Jade in your system, if not you can use npm to install them ("coffee-script" and "jade").

Hi, some time ago I published this post about VoIP information gathering with Metasploit. For a minimal pentesting process, a module capable of bruteforcing discovered extensions password is needed. So I have developed it, if you know SIPvicious suite this module provides sipcrack tool features.

Based on available SIP related modules I implemented SIP Digest Authentication algorithm and Msf::Auxiliary::AuthBrute mixin does the magic with possible user/password combinations. This picture shows an example of use in which extension 100 password is discovered (100).


Source code:

• UDP version
• TCP version

In case you use the module outside a LAN is strongly recommended to add you external IP address (option "EXTIP"), trying to avoid SIP and NAT problems.

Bye ;)

This year G.P.U.L held a new workshop (4th edition) on Cryptography, Security and Privacy. It was great enjoying this event again.

In the previous edition, I was among the speakers where I talked about self-replicating computer code, infection techniques and how security software was handling all this stuff.

This year, Ross Anderson was among the speakers. Good news having one world-class security expert talking about cryptology and security. If you don’t know Ross maybe you would like to check his personal web page on Cambridge. Ross is professor of Security Engineering at the Cambridge’s Computer Laboratory where he runs serious and pragmatic research on topics resolving global security issues.

On the other hand, maybe you know Ross’ book: ‘Security Engineering: A Guide to Building Dependable Distributed Systems‘. This book is a comprehensive overview of the field while highlighting important details and fundamental security concepts. Currently, the second edition of this book is available. Though Ross released the first edition for free too.

Anyway, it was great sharing some thoughts and talking to Ross about economics and psychology of information security. I guess it is a topic where both of us shed great passion. We discussed about how the new emergent vulnerability markets split the different security bugs based on value, raise hidden bugs out of the underground economy or how new bad incentives appear in concrete software business models among other topics.

As usual, great management and coordination coming from G.P.U.L Congrats guys!

Hi, it has been a long time since my last post because of my new job and my final year project ("VoIP denegation of service attacks" for curious) but there is something I found during my tests with Freeswitch, Kamailio and Asterisk that I want to share.
NOTE: Really, guys of Security By Default blog published us (my good friend Roi Mallo and me) two articles about how to develop modules for Metasploit framework, another two are coming.  ;)

During my project, among others, I developed a Metasploit module which can flood SIP protocol with common frames (INVITE, OPTIONS, REGISTER, BYE), I wrote it at Quobis (nice job ;) in order to use it for some private tests because actual software didn´t fit our needs, so we are going to probe how is the behavior of different GPL VoIP servers against this kind of attacks:
- Asterisk: I think it needs no introduction, the famous softswitch/PBX software.
- Freeswitch: It´s a newer softswitch that seems to be Asterisk replacement and I really like.
- Kamailio (former OpenSER): It is the most known GPL SIP proxy.
First of all I want to be clear about two things:
- Test were made without any protection on the server side, in a real environment we shoud find (in theory xD) something like Iptables, Snort, Fail2ban, Pike or a propietary Session border controller in large arquitectures. Anyway, it should be enough for this proof of concept.
- Asterisk and Freeswitch are PBX software, they were not designed to run between the limits of the infrastructure and Internet, although they are usually placed there. In fact, one of the reason of this post is to show the importance of using a SIP Proxy because of security and performance reasons.

Next pictures show an example of the Metasploit module use and generated traffic, we will use the same attack against differents IPs, so I´m showing it once only:
I chose INVITE packets because they are much more effective against all kind of SIP devices and TIMEOUT to 0 trying to get more traffic. Then, the results:
NOTE: With Wireshark filter "sip.Method==REGISTER or sip.Status-Code==200 and !sdp" we can see if a softphone (Jitsi in this case) could be registered , this way we can confirm if tested software losts some REGISTER packages under attack.