vj244 MagicJack Newbie
Joined: 09 Mar 2008 Posts: 6 Location: India
|
Posted: Wed Jun 22, 2011 10:14 pm Post subject: NetTalk SIP via tftp |
|
|
How to obtain NetTalk SIP information
The NetTalk configuration information is retrieved via tftp.
The name of your specific config file is 00_11_22_33_44_55_ABCD.cfg.
00_11_22_33_44_55 corresponds to the mac address of your NetTalk device.
ABCD corresponds to the last 4 digits of your NetTalk Serial number.
Assuming you have tftp enabled on your machine, you can obtain your NetTalk configuration like:
Code: | tftp -i tftp.tktelco.net GET 00_11_22_33_44_55_ABCD.cfg |
In the returned file, you will see a 10 digit number. This is your NetTalk username. Directly after that, you will see 10 alphabetic characters (e through n). This is your encoded NetTalk password.
The encoding is a simple substitution where Code: | e=0, f=1, g=2, h=3, i=4, j=5, k=6, l=7, m=8, n=9 |
On the back of your NetTalk Device, you will find your serial number, and MAC address.
I have automated the process of retrieving this information.
1) Enter your NetTalk Serial number in the first box (Note: we only need the last 4 digits)
2) Enter your NetTalk MAC Address
3) Press "Get SIP"
You can obtain the source code, and executable here: *mod edit deleted link. Brute force? Seriously dude? WTF*
(The executable is in the bin\Debug directory.)
Because simply getting one set of credentials is not that interesting, I added the ability to brute force as well.
Note: This tool is for educational use only. Do not use it to mass gather SIP credentials.
To brute force, choose the second tab:
Any fields left blank, will be brute forced.
For example, to brute force all SIP credentials for the MAC addresses in the range of:
00:25:12:34:56:00 through 00:25:12:34:56:FF
Leave the Serial Number blank, and enter the mac 00:25:12:34:56
The sleep time is the number of milliseconds to wait between packets.
Keep in mind that brute forcing can be very time consuming, as we need to try every possible 4 digit serial number 0000 through 9999 for every MAC address.
The tool runs fine under Linux using mono, as you can see from the above screen capture.
Let me know if this works for you, or if you encounter bugs. |
|
|
|
neo2121 Dan isn't smart enough to hire me
Joined: 09 Jan 2008 Posts: 282
|
Posted: Wed Jun 22, 2011 11:47 pm Post subject: |
|
|
I will test tomorrow for you. |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Fri Jun 24, 2011 8:59 am Post subject: |
|
|
I like to thank the original poster for this. I am being blamed by the nettalk owner for your release of this information. I have not nor will I ever purchase / own their product.
I am all for full disclosure but this has caused me a headache and I did not even do it. Be careful who posts here. I will post the email from thomas and my response in a few days after talking to my legal team and awaiting an apology from nettalk. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Fri Jun 24, 2011 9:05 am Post subject: |
|
|
I don't see anywhere in this forum Nettalk blaming you for this hack? Where are you getting this harassment from? |
|
|
|
bitstopjoe Future magicJack CEO
Joined: 13 Sep 2008 Posts: 2844 Location: North East Pennsylvania
|
Posted: Fri Jun 24, 2011 9:15 am Post subject: |
|
|
Pablo123 wrote: | I don't see anywhere in this forum Nettalk blaming you for this hack? Where are you getting this harassment from? |
Ever hear of personal email?? Net Talk Forum?? I am sure it is one of the two. Someone from Net Talk must have READ a post here and then contacted him.
At least that is my assumption.. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Fri Jun 24, 2011 9:21 am Post subject: |
|
|
WOW, never heard either of those, I will google it now
Thanks Joe! |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Fri Jun 24, 2011 9:37 am Post subject: |
|
|
I googled genxweb and nettalk and didn't find anything. |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Fri Jun 24, 2011 9:38 am Post subject: |
|
|
Thomas contacted me through LinkedIn and then sent me a message. How he thinks that someone from India is me, especially since the user posted his website address and the whois points out of the US and gives the person's name and contact, I am baffled.
Quote: | I googled genxweb and nettalk and didn't find anything. |
You won't as I believe them to be just another magicjack. I rather go with a service that openly supports SIP so I can rely on my phone working and not wondering if they have blocked me or disabled my account when I really need to make a call, IE 911.
Side note: they have all the right to block those that do this as it is their business and their rules. Can't hold this against either magic jack or nettalk. They offer a service and their service does not include SIP credentials or BYOD. Follow the rules and the service works great, break them and it doesn't.
Last edited by genxweb on Fri Jun 24, 2011 9:43 am; edited 2 times in total |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Fri Jun 24, 2011 9:41 am Post subject: |
|
|
Who is this Thomas guy? From Nettalk? |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Fri Jun 24, 2011 9:44 am Post subject: |
|
|
Google their company and you will find him near the top of the engineering ladder. I won't post his last name here as it is not fair for him. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Fri Jun 24, 2011 9:49 am Post subject: |
|
|
I googled it, but I didn't find anything, can you post the link or his email? |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Fri Jun 24, 2011 5:06 pm Post subject: |
|
|
I am working with nettalk customer service and awaiting a call from corporate. |
|
|
|
nailgunner MagicJack Sensei
Joined: 18 Mar 2010 Posts: 1548
|
Posted: Fri Jun 24, 2011 5:54 pm Post subject: |
|
|
Pretty amazing that with all the potential people to accuse they would pick out someone that actually has a reputation to protect. What, by posting a hack to NetTalk, more people will pay to use your service? If enough people use the hack it will eventually close down NetTalk and you will have eliminated a competitor?
I admit I understand very little of this SIP stuff, but I'm missing what they think you would gain from doing it. |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Fri Jun 24, 2011 6:13 pm Post subject: |
|
|
nailgunner wrote: | Pretty amazing that with all the potential people to accuse they would pick out someone that actually has a reputation to protect. What, by posting a hack to NetTalk, more people will pay to use your service? If enough people use the hack it will eventually close down NetTalk and you will have eliminated a competitor?
I admit I understand very little of this SIP stuff, but I'm missing what they think you would gain from doing it. |
What he posted is not even the bad part it is what the guy told me that makes this so much worse. If corporate does not contact me by tonight or Monday the latest, I will be posting an article about this. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Fri Jun 24, 2011 6:27 pm Post subject: |
|
|
I mean who cares anyway? Why do you want to hear from Nettalk? Just let it be, not that big of a deal in my eyes. |
|
|
|
nailgunner MagicJack Sensei
Joined: 18 Mar 2010 Posts: 1548
|
Posted: Fri Jun 24, 2011 6:40 pm Post subject: |
|
|
Pablo123 wrote: | I mean who cares anyway? Why do you want to hear from Nettalk? Just let it be, not that big of a deal in my eyes. |
Well gee. Genxweb runs a company, while relatively small, that competes with NetTalk for VOIP users. NetTalk has accused him of sabotaging their company. So it is obvious that Genxweb would like to make it clear to anyone that has heard or will hear about this, that he has nothing to do with it. Makes sense to me. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Fri Jun 24, 2011 6:44 pm Post subject: |
|
|
If everybody believes it wasn't him, then leave the subject alone? Why create more publicity than needed? Just my poor little 2 cents just move on and be the better person.
Have a great weekend everyone! |
|
|
|
oldtimercurt Dan isn't smart enough to hire me
Joined: 07 Feb 2009 Posts: 281 Location: Pensacola
|
Posted: Fri Jun 24, 2011 6:45 pm Post subject: |
|
|
Pablo, maybe it doesn't look like a big deal to you because you're not the one affected. Mike is, and from the sound of it he's concerned. That's good enough for me.
Good Luck, Mike.
OTC |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Fri Jun 24, 2011 6:49 pm Post subject: |
|
|
Why can't we be friends, why can't we be friends? Lol
All the best for everyone, let god be with you |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Sat Jun 25, 2011 8:47 am Post subject: |
|
|
Pablo123 wrote: | I mean who cares anyway? Why do you want to hear from Nettalk? Just let it be, not that big of a deal in my eyes. |
That's why you are not a security person. By stealing others' SIP credentials you can now not only call as them but receive their calls, impersonate them and carry out other Social engineering hacks and scams as that person through their number. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Sat Jun 25, 2011 9:22 am Post subject: |
|
|
I'm sure the same person that hacked Nettalk can hack your company "voipmyway". Look the government gets hacked everyday, your information is never safe with anybody. You're right I'm not security expert and will never be, the technology changes too fast to be an expert. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
|
|
|
vj244 MagicJack Newbie
Joined: 09 Mar 2008 Posts: 6 Location: India
|
Posted: Sat Jun 25, 2011 10:20 am Post subject: |
|
|
genxweb wrote: | I like to thank the original poster for this. I am being blamed by the nettalk owner for your release of this information. I have not nor will I ever purchase / own their product.
I am all for full disclosure but this has caused me a headache and I did not even do it. Be careful who posts here. I will post the email from thomas and my response in a few days after talking to my legal team and awaiting an apology from nettalk. |
Mr. Genxweb,
I am sorry you were blamed for this. You are certainly not responsible. If NetTalk wishes to blame someone, they should blame themselves. Their system was not designed to be secure. A simple substitution cipher to hide credentials is just child's play.
To Mr. Pablo123's point, this was not a hack. With this method, I just walked right up to the front door, and tried all of the keys. Brute force will always work. Even a combination lock can be opened if you have the patience to try all possible combinations.
To the moderators, my apologies for posting the brute force option. If you'd like, I can remove the brute force option, and repost the source code.
Regards,
Valavan |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
|
|
|
neo2121 Dan isn't smart enough to hire me
Joined: 09 Jan 2008 Posts: 282
|
Posted: Sat Jun 25, 2011 12:00 pm Post subject: |
|
|
That sucks you are catching the heat for this...I couldn't get it to work maybe they have already closed it up this morning.
**UPDATE
Seems to me that they have shut off the tftp server already. |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Sat Jun 25, 2011 12:38 pm Post subject: |
|
|
neo2121 wrote: | That sucks you are catching the heat for this...I couldn't get it to work maybe they have already closed it up this morning.
**UPDATE
Seems to me that they have shut off the tftp server already. |
I posted this on their site as well. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Sat Jun 25, 2011 2:01 pm Post subject: |
|
|
newtoncd
NT Starter
Joined: Thu Jul 30, 2009 10:35 am
Posts: 81
Re: Nettalk chooses not to protect Client's data / Privacy
"The issue this was an open issue since day 1 of the duo. This one researcher might have publicized it but who knows how many others knew about this before him and was making use of it. On top of this there has been no official word sent to duo customers about this or what they plan to do to protect the clients, or what they are going to do for those that may have been already compromised."
>>>>>>>
According to the article, "An attacker can download the configuration of any Nettalk user by knowing the MAC address of the device and the last 4 digits of the device serial number; Using a simple brute force method you can quickly pull the configurations of multiple users in matter of hours, if not minutes"
If I get this right, the hacker has to break into my home network, identify the MAC address of my DUO and also determine the last four digits of the serial number.
Once they have that, they can start using my SIP credentials to make their own calls. Is that the extent of the issue? Or is the article implying that the netTALK site was compromised and the hackers now have a list of all DUOs and their serial numbers? I didn't get that from the article. A netTALK subscriber can check the netTALK website and their respective call logs to see if their device has been compromised.
All of this is now OBE since the TFTP exploit has been closed.
Last edited by newtoncd on Sat Jun 25, 2011 12:17 pm, edited 1 time in total. |
|
|
|
newtoncd Dan isn't smart enough to hire me
Joined: 09 Jan 2009 Posts: 216
|
Posted: Sat Jun 25, 2011 5:46 pm Post subject: |
|
|
I still appreciate the folks that identified this vulnerability. |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Sun Jun 26, 2011 10:14 am Post subject: |
|
|
newtoncd wrote: | I still appreciate the folks that identified this vulnerability. |
Newtoncd is correct as long as the tftp is off the vulnerability is gone. Though he is not correct about having to break into someone's house to get the info in the first place. Brute force will try every possible combination of an and mac. It is computer term not a physical break in term.
I like to see how they plan to permanently fix this as the duo I believe may require the tftp for software updates, though I may be wrong as I don't have one. At some point they are gonna have to push new updates to the devices. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Sun Jun 26, 2011 10:23 am Post subject: |
|
|
They are still going to have to break in and get the last four digits of the serial number which is on the sticker on the bottom of the device. |
|
|
|
newtoncd Dan isn't smart enough to hire me
Joined: 09 Jan 2009 Posts: 216
|
Posted: Sun Jun 26, 2011 10:27 am Post subject: |
|
|
genxweb wrote: | newtoncd wrote: | I still appreciate the folks that identified this vulnerability. |
Newtoncd is correct as long as the tftp is off the vulnerability is gone. Though he is not correct about having to break into someone's house to get the info in the first place. Brute force will try every possible combination of an and mac. It is computer term not a physical break in term.
I like to see how they plan to permanently fix this as the duo I believe may require the tftp for software updates, though I may be wrong as I don't have one. At some point they are gonna have to push new updates to the devices. |
We were talking the same thing. What I tried to say was, "the hacker will have to hack into my home network to get access to my DUO". I didn't mean "physically breaking into my house", I meant via a hack into my home network. If that isn't the case, I guess I am not clear as to how they can brute force my DUO.
If they don't have to hack into my network to get at it, how they will get access to my device (the MAC and last four of the serial). I am guessing the hackers must have targeted my network with a packet sniffer to watch for the DUO to communicate with netTALK to get my SIP credentials? Or, are they targeting netTALK servers and watching packets in that direction?
Thanks. |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Sun Jun 26, 2011 10:53 am Post subject: |
|
|
Newtoncd brute forcing means you remotely try every possibility of miners till you find ones that work. You never have to hack the user. The user will never know that you did it.
newtoncd wrote: | genxweb wrote: | newtoncd wrote: | I still appreciate the folks that identified this vulnerability. |
Newtoncd is correct as long as the tftp is off the vulnerability is gone. Though he is not correct about having to break into someone's house to get the info in the first place. Brute force will try every possible combination of an and mac. It is computer term not a physical break in term.
I like to see how they plan to permanently fix this as the duo I believe may require the tftp for software updates, though I may be wrong as I don't have one. At some point they are gonna have to push new updates to the devices. |
We were talking the same thing. What I tried to say was, "the hacker will have to hack into my home network to get access to my DUO". I didn't mean "physically breaking into my house", I meant via a hack into my home network. If that isn't the case, I guess I am not clear as to how they can brute force my DUO.
If they don't have to hack into my network to get at it, I guess I am not clear how they will get access to my device (the MAC and last four of the serial). I am guessing the hackers must have targeted my network with a packet sniffer to watch for the DUO to communicate with netTALK to get my SIP credentials? Or, are they targeting netTALK servers and watching packets in that direction?
Thanks. |
|
|
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Sun Jun 26, 2011 10:57 am Post subject: |
|
|
They still need to get the serial from the device. they can brute force all they want, but they need the serial number in order to get the SIP info. |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Sun Jun 26, 2011 11:56 am Post subject: |
|
|
Pablo123 wrote: | They still need to get the serial from the device. they can brute force all they want, but they need the serial number in order to get the SIP info. |
Dude they need the last 4 numbers. So they can brute force starting with 1111 then 1112 and so on. Eventually the attacker will find the right combo. It is like trying every possible combinations of a keypad on a door eventually you will get it. The difference is computers are faster. |
|
|
|
vj244 MagicJack Newbie
Joined: 09 Mar 2008 Posts: 6 Location: India
|
Posted: Sun Jun 26, 2011 11:57 am Post subject: |
|
|
Pablo123 wrote: | They still need to get the serial from the device. they can brute force all they want, but they need the serial number in order to get the SIP info. |
I did not hack into any home network. You are correct newtoncd, that to get YOUR personal credentials, I would need your MAC address.
In my approach, I tried all possible combinations from 0000 through 9999.
I knew that NetTalk MAC's started with 00:25... A simple google search would yield lots of possible candidates.
For example, in the google search above, let's take jesustalk.info's MAC. If I paste in his MAC into the tool I posted, it was a matter of at most 10,000 packets to get his SIP. Since the last 4 digits are random, we can find most SIP info in half that, or 5000 packets. So, it becomes a matter of how fast you can spit out the packets. Even on a slow network connection it takes less than a minute to retrieve one credential.
Now, expand your thinking. Don't try to get just one SIP credential, brute force many credentials at one time. For example, try all MAC's from: 00:25:F6:00:00:00 to 00:25:F6:00:FF:FF. This will yield about 65,000 username/password pairs, including our good friend jesustalk.
My testing was spread across about a dozen machines, and I tested for 3 or 4 weeks. So, how serious is this? I guess that depends if your MAC address was in the range of MAC's tested.
NetTalk should probably change everyone's SIP password, just to make sure this hole is actually patched.
In summary, I did not need your serial number, I just tried them all.
Valavan |
|
|
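A server-side check for the request pattern described in the post above, added here as an example; it is not part of the original thread or of the poster's tool. A real device only ever asks for its own one file, so a source that requests many serial suffixes for the same MAC, or files for many MACs, stands out. The log line layout, the thresholds and all addresses below are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Filename layout from the thread: MAC with underscores, then the last
# 4 serial digits, e.g. 00_11_22_33_44_55_1234.cfg
CFG_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}_){6})(\d{4})\.cfg$")
# Assumed (constructed) log layout: "<timestamp> RRQ from <ip> filename <name>"
LINE_RE = re.compile(r"RRQ from (\S+) filename (\S+)")


def parse_request(line):
    """Return (source_ip, mac, serial_suffix), or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, name = m.groups()
    f = CFG_RE.match(name)
    if not f:
        return None
    mac = f.group(1).rstrip("_").replace("_", ":").upper()
    return src, mac, f.group(2)


def find_enumerators(lines, max_suffixes_per_mac=2, max_macs=4):
    """Flag sources whose requests look like guessing rather than provisioning."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> mac -> {suffixes}
    for line in lines:
        req = parse_request(line)
        if req:
            src, mac, suffix = req
            seen[src][mac].add(suffix)

    findings = {}
    for src, macs in seen.items():
        reasons = []
        guessed = {mac: len(s) for mac, s in macs.items()
                   if len(s) > max_suffixes_per_mac}
        if guessed:
            reasons.append(("serial_guessing", guessed))
        if len(macs) > max_macs:
            reasons.append(("mac_sweep", len(macs)))
        if reasons:
            findings[src] = reasons
    return findings


def sample_log():
    """Constructed sample lines; documentation-range IPs, placeholder MACs."""
    fmt = "2011-06-25T09:%02d:00 RRQ from %s filename %s"
    lines = []
    # One device re-fetching its own file after reboots.
    for i in range(3):
        lines.append(fmt % (i, "192.0.2.10", "00_11_22_33_44_55_4821.cfg"))
    # Two devices behind the same NAT address.
    lines.append(fmt % (5, "192.0.2.20", "00_11_22_33_44_56_1177.cfg"))
    lines.append(fmt % (6, "192.0.2.20", "00_11_22_33_44_57_9030.cfg"))
    # One source walking serial suffixes for a single MAC.
    for n in range(25):
        lines.append(fmt % (10, "203.0.113.7",
                            "00_11_22_33_44_58_%04d.cfg" % n))
    # Unrelated request that does not match the config filename layout.
    lines.append(fmt % (30, "192.0.2.30", "firmware.bin"))
    return lines


if __name__ == "__main__":
    for src, reasons in find_enumerators(sample_log()).items():
        print(src, reasons)
```

Counting distinct suffixes per MAC rather than raw request volume keeps a device that simply reboots often from being flagged.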
|
Pablo123 Dan isn't smart enough to hire me
Joined: 07 Jan 2011 Posts: 172
|
Posted: Sun Jun 26, 2011 12:10 pm Post subject: |
|
|
VJ, your English is too Americanized, are you sure you're from India? Or are you just trying to cover it up? Are you an MJ employee? |
|
|
|
genxweb Dan isn't smart enough to hire me
Joined: 11 Mar 2010 Posts: 257
|
Posted: Sun Jun 26, 2011 12:56 pm Post subject: |
|
|
Can you post this over in the nettalk forum under the thread I started? This explains it well.
vj244 wrote: | Pablo123 wrote: | They still need to get the serial from the device. they can brute force all they want, but they need the serial number in order to get the SIP info. |
I did not hack into any home network. You are correct newtoncd, that to get YOUR personal credentials, I would need your MAC address.
In my approach, I tried all possible combinations from 0000 through 9999.
I knew that NetTalk MAC's started with 00:25... A simple google search would yield lots of possible candidates.
For example, in the google search above, let's take jesustalk.info's MAC. If I paste in his MAC into the tool I posted, it was a matter of at most 10,000 packets to get his SIP. Since the last 4 digits are random, we can find most SIP info in half that, or 5000 packets. So, it becomes a matter of how fast you can spit out the packets. Even on a slow network connection it takes less than a minute to retrieve one credential.
Now, expand your thinking. Don't try to get just one SIP credential, brute force many credentials at one time. For example, try all MAC's from: 00:25:F6:00:00:00 to 00:25:F6:00:FF:FF. This will yield about 65,000 username/password pairs, including our good friend jesustalk.
My testing was spread across about a dozen machines, and I tested for 3 or 4 weeks. So, how serious is this? I guess that depends if your MAC address was in the range of MAC's tested.
NetTalk should probably change everyone's SIP password, just to make sure this hole is actually patched.
In summary, I did not need your serial number, I just tried them all.
Valavan |
|
|
|
|
jhonn MagicJack Newbie
Joined: 21 Mar 2008 Posts: 3
|
Posted: Mon Oct 01, 2012 9:51 pm Post subject: |
|
|
where is the application to download |
|
|
|
|