summaryrefslogtreecommitdiffstats
path: root/nselib/iax2.lua
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--nselib/iax2.lua340
1 files changed, 340 insertions, 0 deletions
diff --git a/nselib/iax2.lua b/nselib/iax2.lua
new file mode 100644
index 0000000..cb6a9ad
--- /dev/null
+++ b/nselib/iax2.lua
@@ -0,0 +1,340 @@
+---
+-- A minimalistic Asterisk IAX2 (Inter-Asterisk eXchange v2) VoIP protocol implementation.
+-- The library implements the minimum needed to perform brute force password guessing.
+--
+-- @author Patrik Karlsson <patrik@cqure.net>
+--
+
+local math = require "math"
+local nmap = require "nmap"
+local os = require "os"
+local stdnse = require "stdnse"
+local string = require "string"
+local openssl = stdnse.silent_require "openssl"
+local table = require "table"
+_ENV = stdnse.module("iax2", stdnse.seeall)
+
+
+IAX2 = {
+
+ FrameType = {
+ IAX = 6,
+ },
+
+ SubClass = {
+ ACK = 0x04,
+ REGACK = 0x0f,
+ REGREJ = 0x10,
+ REGREL = 0x11,
+ CALLTOKEN = 0x28,
+ },
+
+ InfoElement = {
+ USERNAME = 0x06,
+ CHALLENGE = 0x0f,
+ MD5_RESULT = 0x10,
+ CALLTOKEN = 0x36,
+ },
+
+ PacketType = {
+ FULL = 1,
+ },
+
+ -- The IAX2 Header
+ Header = {
+
+ -- Creates a new Header instance
+ -- @param src_call number containing the source call
+ -- @param dst_call number containing the dest call
+ -- @param timestamp number containing a timestamp
+ -- @param oseqno number containing the seqno of outgoing packets
+ -- @param iseqno number containing the seqno of incoming packets
+ -- @param frametype number containing the frame type
+ -- @param subclass number containing the subclass type
+ new = function(self, src_call, dst_call, timestamp, oseqno, iseqno, frametype, subclass)
+ local o = {
+ type = IAX2.PacketType.FULL,
+ retrans = false,
+ src_call = src_call,
+ dst_call = dst_call,
+ timestamp = timestamp,
+ oseqno = oseqno,
+ iseqno = iseqno,
+ frametype = frametype,
+ subclass = subclass,
+ }
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ -- Parses data, a byte string, and creates a new Header instance
+ -- @return header instance of Header
+ parse = function(data)
+ local header = IAX2.Header:new()
+ local frame_type, pos = string.unpack("B", data)
+ if ( (frame_type & 0x80) == 0 ) then
+ stdnse.debug2("Frametype %x not supported", frame_type)
+ return
+ end
+ header.type = IAX2.PacketType.FULL
+ header.src_call, pos = string.unpack(">I2", data)
+ header.src_call = (header.src_call & 0x7FFF)
+
+ local retrans = string.unpack("B", data, pos)
+ if ( (retrans & 0x80) == 8 ) then
+ header.retrans = true
+ end
+ header.dst_call, pos = string.unpack(">I2", data, pos)
+ header.dst_call = (header.dst_call & 0x7FFF)
+
+ header.timestamp, header.oseqno,
+ header.iseqno, header.frametype, header.subclass, pos = string.unpack(">I4BBBB", data, pos)
+
+ return header
+ end,
+
+ -- Converts the instance to a string
+ -- @return str containing the instance
+ __tostring = function(self)
+ assert(self.src_call < 32767, "Source call exceeds 32767")
+ assert(self.dst_call < 32767, "Dest call exceeds 32767")
+ local src_call = self.src_call
+ local dst_call = self.dst_call
+ if ( self.type == IAX2.PacketType.FULL ) then
+ src_call = src_call + 32768
+ end
+ if ( self.retrans ) then
+ dst_call = dst_call + 32768
+ end
+ return string.pack(">I2I2 I4BBBB", src_call, dst_call, self.timestamp,
+ self.oseqno, self.iseqno, self.frametype, self.subclass)
+ end,
+ },
+
+ -- The IAX2 Request class
+ Request = {
+
+ -- Creates a new instance
+ -- @param header instance of Header
+ new = function(self, header)
+ local o = {
+ header = header,
+ ies = {}
+ }
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ -- Sets an Info Element or adds one, in case it's missing
+ -- @param key the key value of the IE to add
+ -- @param value string containing the value to set or add
+ setIE = function(self, key, value)
+ for _, ie in ipairs(self.ies or {}) do
+ if ( key == ie.type ) then
+ ie.value = value
+ end
+ end
+ table.insert(self.ies, { type = key, value = value } )
+ end,
+
+ -- Gets an information element
+ -- @param key number containing the element number to retrieve
+ -- @return ie table containing the info element if it exists
+ getIE = function(self, key)
+ for _, ie in ipairs(self.ies or {}) do
+ if ( key == ie.type ) then
+ return ie
+ end
+ end
+ end,
+
+ -- Converts the instance to a string
+ -- @return str containing the instance
+ __tostring = function(self)
+ local data = {}
+ for _, ie in ipairs(self.ies) do
+ data[#data+1] = string.pack("Bs1", ie.type, ie.value )
+ end
+
+ return tostring(self.header) .. table.concat(data)
+ end,
+
+ },
+
+
+ -- The IAX2 Response
+ Response = {
+
+ -- Creates a new instance
+ new = function(self)
+ local o = { ies = {} }
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ -- Sets an Info Element or adds one, in case it's missing
+ -- @param key the key value of the IE to add
+ -- @param value string containing the value to set or add
+ setIE = function(self, key, value)
+ for _, ie in ipairs(self.ies or {}) do
+ if ( key == ie.type ) then
+ ie.value = value
+ end
+ end
+ table.insert(self.ies, { type = key, value = value } )
+ end,
+
+ -- Gets an information element
+ -- @param key number containing the element number to retrieve
+ -- @return ie table containing the info element if it exists
+ getIE = function(self, key)
+ for _, ie in ipairs(self.ies or {}) do
+ if ( key == ie.type ) then
+ return ie
+ end
+ end
+ end,
+
+ -- Parses data, a byte string, and creates a response
+ -- @return resp instance of response
+ parse = function(data)
+ local resp = IAX2.Response:new()
+ if ( not(resp) ) then return end
+
+ resp.header = IAX2.Header.parse(data)
+ if ( not(resp.header) ) then return end
+
+ local pos = 13
+ resp.ies = {}
+ repeat
+ local ie = {}
+ ie.type, ie.value, pos = string.unpack(">Bs1", data, pos)
+ table.insert(resp.ies, ie)
+ until( pos > #data )
+ return resp
+ end,
+
+ }
+
+}
+
+
+Helper = {
+
+ -- Creates a new Helper instance
+ -- @param host table as received by the action method
+ -- @param port table as received by the action method
+ -- @param options table containing helper options, currently
+ -- <code>timeout</code> socket timeout in ms
+ -- @return o instance of Helper
+ new = function(self, host, port, options)
+ local o = { host = host, port = port, options = options or {} }
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ -- Connects the UDP socket to the server
+ -- @return status true on success, false on failure
+ -- @return err message containing error if status is false
+ connect = function(self)
+ self.socket = nmap.new_socket()
+ self.socket:set_timeout(self.options.timeout or 5000)
+ return self.socket:connect(self.host, self.port)
+ end,
+
+ -- Sends a request to the server and receives the response
+ -- @param req instance containing the request to send to the server
+ -- @return status true on success, false on failure
+ -- @return resp instance of response on success,
+ -- err containing the error message on failure
+ exch = function(self, req)
+ local status, err = self.socket:send(tostring(req))
+ if ( not(status) ) then
+ return false, "Failed to send request to server"
+ end
+ local status, data = self.socket:receive()
+ if ( not(status) ) then
+ return false, "Failed to receive response from server"
+ end
+
+ local resp = IAX2.Response.parse(data)
+ return true, resp
+ end,
+
+ -- Request a session release
+ -- @param username string containing the extension (username)
+ -- @param password string containing the password
+ regRelease = function(self, username, password)
+
+ local src_call = math.random(32767)
+ local header = IAX2.Header:new(src_call, 0, os.time(), 0, 0, IAX2.FrameType.IAX, IAX2.SubClass.REGREL)
+ local regrel = IAX2.Request:new(header)
+
+ regrel:setIE(IAX2.InfoElement.USERNAME, username)
+ regrel:setIE(IAX2.InfoElement.CALLTOKEN, "")
+
+ local status, resp = self:exch(regrel)
+ if ( not(status) ) then
+ return false, resp
+ end
+
+ if ( not(resp) or IAX2.SubClass.CALLTOKEN ~= resp.header.subclass ) then
+ return false, "Unexpected response"
+ end
+
+ local token = resp:getIE(IAX2.InfoElement.CALLTOKEN)
+ if ( not(token) ) then
+ return false, "Failed to get token"
+ end
+
+ regrel:setIE(IAX2.InfoElement.CALLTOKEN, token.value)
+ status, resp = self:exch(regrel)
+ if ( not(status) ) then
+ return false, resp
+ end
+
+ local challenge = resp:getIE(IAX2.InfoElement.CHALLENGE)
+ if ( not(challenge) ) then
+ return false, "Failed to retrieve challenge from server"
+ end
+
+ regrel.header.iseqno = 1
+ regrel.header.oseqno = 1
+ regrel.header.dst_call = resp.header.src_call
+ regrel.ies = {}
+
+ local hash = stdnse.tohex(openssl.md5(challenge.value .. password))
+ regrel:setIE(IAX2.InfoElement.USERNAME, username)
+ regrel:setIE(IAX2.InfoElement.MD5_RESULT, hash)
+
+ status, resp = self:exch(regrel)
+ if ( not(status) ) then
+ return false, resp
+ end
+
+ if ( IAX2.SubClass.ACK == resp.header.subclass ) then
+ local data
+ status, data = self.socket:receive()
+ resp = IAX2.Response.parse(data)
+ end
+
+ if ( status and IAX2.SubClass.REGACK == resp.header.subclass ) then
+ return true
+ end
+ return false, "Release failed"
+ end,
+
+ -- Close the connection with the server
+ -- @return true on success, false on failure
+ close = function(self)
+ return self.socket:close()
+ end,
+
+
+}
+
+return _ENV;
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-12 18:10:40 +0000