
rtpmixsound – Mixes pre-recorded audio in real-time

In document Kali Linux Final (Page 173-177)

root@kali:~# rtpmixsound -h

rtpmixsound - Version 3.0 January 03, 2007

Usage:

Mandatory -

pathname of file whose audio is to be mixed into the targeted live audio stream. If the file extension is .wav, then the file must be a standard Microsoft RIFF formatted WAVE file meeting these constraints:

1) header 'chunks' must be in one of two sequences:

RIFF, fmt, fact, data or

RIFF, fmt, data

2) Compression Code = 1 (PCM/Uncompressed)

3) Number of Channels = 1 (mono)

4) Sample Rate (Hz) = 8000

5) Significant Bits/Sample = signed, linear 16-bit or unsigned, linear 8-bit

If the file name does not specify a .wav extension, then the file is presumed to be a tcpdump formatted file with a sequence of, exclusively, G.711 u-law RTP/UDP/IP/ETHERNET messages

Note: Yep, the format is referred to as 'tcpdump' even though this file must contain udp messages

Optional -

-a source RTP IPv4 addr

-A source RTP port

-b destination RTP IPv4 addr

-B destination RTP port

-f spoof factor - amount by which to:

a) increment the RTP hdr sequence number obtained from the ith legitimate packet to produce the RTP hdr sequence number for the ith spoofed packet

b) multiply the RTP payload length and add that product to the RTP hdr timestamp obtained from the ith legitimate packet to produce the RTP hdr timestamp for the ith spoofed packet


c) increment the IP hdr ID number obtained from the ith legitimate packet to produce the IP hdr ID number for the ith spoofed packet

[ range: +/- 1000, default: 2 ]

-i interface (e.g. eth0)

-j jitter factor - the reception of a legitimate RTP packet in the target audio stream enables the output of the next spoofed packet. This factor determines when that spoofed packet is actually transmitted.

The factor relates how close to the next legitimate packet you'd actually like the enabled spoofed packet to be transmitted. For example, -j 10 means 10% of the codec's transmission interval. If the transmission interval = 20,000 usec (i.e. G.711), then delay the output of the spoofed RTP packet until the time-of-day is within 2,000 usec (i.e. 10%) of the time the next legitimate RTP packet is expected. In other words, delay 100% minus the jitter factor, or 18,000 usec in this example. The smaller the jitter factor, the greater the risk you run of not outputting the spoofed packet before the next legitimate RTP packet is received. Therefore, a factor >= 10 is advised.

[ range: 0 - 80, default: 80 = output spoof ASAP ]

-p seconds to pause between setup and injection

-h help - print this usage

-v verbose output mode

Note: If you are running the tool from a host with multiple ethernet interfaces which are up, be forewarned that the order those interfaces appear in your route table and the networks accessible from those interfaces might compel Linux to output spoofed audio packets to an interface different than the one stipulated by you on command line. This should not affect the tool unless those spoofed packets arrive back at the host through the interface you have specified on the command line (e.g. the interfaces have connectivity through a hub).
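The -f description above spells out exactly how an injected packet's RTP header is derived from the legitimate one it shadows (seq + f, timestamp + f * payload length). Those rules also describe what a monitor on the receiving side can look for: the same sequence number arriving twice with different audio, and sequence numbers stepping backwards. The following is an added example, not code from the page or the tool; the capture it analyses is constructed inline, and it assumes one SSRC per flow and no 16-bit sequence wrap within the capture.

```python
import hashlib
import struct

RTP_HDR = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC

def parse_rtp(pkt):
    """Parse the fixed 12-byte RTP header (RFC 3550) and return its fields."""
    if len(pkt) < RTP_HDR.size:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = RTP_HDR.unpack_from(pkt)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    csrc_len = (b0 & 0x0F) * 4          # skip any CSRC list
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc,
            "payload": pkt[RTP_HDR.size + csrc_len:]}

def build_rtp(seq, ts, ssrc, payload, pt=0):
    """Constructed sample packet; PT 0 = PCMU (G.711 u-law), 160 samples per 20 ms."""
    return RTP_HDR.pack(0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def detect_injection(packets):
    """Return (reason, seq) findings for one captured flow.
    With spoof factor f, the spoofed seq+f arrives before the legitimate seq+1
    (sequence moves backwards), and the legitimate seq+f later arrives with
    different audio (duplicate seq, different payload). Wrap-around not handled."""
    seen, highest, findings = {}, {}, []
    for pkt in packets:
        h = parse_rtp(pkt)
        key = (h["ssrc"], h["seq"])
        digest = hashlib.sha256(h["payload"]).digest()
        if key in seen:
            if seen[key] != digest:
                findings.append(("duplicate seq with different payload", h["seq"]))
            continue
        seen[key] = digest
        top = highest.get(h["ssrc"])
        if top is not None and h["seq"] < top:
            findings.append(("sequence moved backwards", h["seq"]))
        highest[h["ssrc"]] = h["seq"] if top is None else max(top, h["seq"])
    return findings

def sample_capture(injected, spoof_factor=2, n=5):
    """Constructed G.711 flow (0xFF = u-law silence); when injected=True each
    legitimate packet is followed by a spoofed one derived per the -f rules."""
    ssrc, plen, pkts = 0x1234ABCD, 160, []
    for i in range(n):
        seq, ts = 100 + i, 8000 + i * plen
        pkts.append(build_rtp(seq, ts, ssrc, b"\xff" * plen))
        if injected:
            pkts.append(build_rtp(seq + spoof_factor, ts + spoof_factor * plen,
                                  ssrc, b"\x00" * plen))
    return pkts
```

On the constructed capture with the default factor of 2, the first finding is seq 101 arriving after 102, and seq 102, 103 and 104 are each reported as duplicates with different audio.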

RTPMIXSOUND USAGE EXAMPLE

Mix the given audio file (/usr/share/rtpmixsound/stapler.wav) through the network displaying verbose output (-v):

root@kali:~# rtpmixsound /usr/share/rtpmixsound/stapler.wav -v

Targeting interface eth0

libfindrtp_find_rtp(): using pcap filter "ip".


State: ip_a == | port_a == 0 | ip_b == | port_b == 0
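The usage text above lists the exact constraints a .wav input must meet (chunk order RIFF, fmt, [fact,] data; PCM; mono; 8000 Hz; 8 or 16 bits per sample). The following checker enforces those constraints on a RIFF header before a file is handed to the tool; it is an added example, not the tool's own validation code, and make_wav builds constructed test files rather than real recordings.

```python
import struct

def riff_chunks(buf):
    """Yield (chunk id, payload) for the chunks after the 12-byte RIFF/WAVE header."""
    off = 12
    while off + 8 <= len(buf):
        cid, size = struct.unpack_from("<4sI", buf, off)
        yield cid, buf[off + 8:off + 8 + size]
        off += 8 + size + (size & 1)     # RIFF chunks are padded to an even length

def check_rtpmixsound_wav(buf):
    """Return (ok, reason) against the constraints rtpmixsound states for .wav input."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        return False, "not a RIFF WAVE file"
    chunks = list(riff_chunks(buf))
    order = [cid for cid, _ in chunks]
    if order not in ([b"fmt ", b"fact", b"data"], [b"fmt ", b"data"]):
        return False, "chunk sequence must be fmt,fact,data or fmt,data, got %r" % order
    fmt = chunks[0][1]
    if len(fmt) < 16:
        return False, "fmt chunk too short"
    code, channels, rate, _byte_rate, _align, bits = struct.unpack_from("<HHIIHH", fmt)
    if code != 1:
        return False, "compression code %d, need 1 (PCM)" % code
    if channels != 1:
        return False, "%d channels, need mono" % channels
    if rate != 8000:
        return False, "sample rate %d Hz, need 8000" % rate
    if bits not in (8, 16):   # by RIFF convention 8-bit PCM is unsigned, 16-bit signed
        return False, "%d bits/sample, need 8 or 16" % bits
    return True, "ok"

def make_wav(rate=8000, channels=1, bits=16, code=1, with_fact=False, frames=160):
    """Constructed test file with constant samples; not a real recording."""
    align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", code, channels, rate, rate * align, align, bits)
    body = b"fmt " + struct.pack("<I", len(fmt)) + fmt
    if with_fact:
        body += b"fact" + struct.pack("<II", 4, frames)
    data = bytes(frames * align)
    body += b"data" + struct.pack("<I", len(data)) + data
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body
```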

CATEGORIES: SNIFFING/SPOOFING

TAGS: SPOOFING, VOIP

sctpscan

SCTPSCAN PACKAGE DESCRIPTION

SCTPscan is a tool to scan SCTP enabled machines. Typically, these are Telecom oriented machines carrying SS7 and SIGTRAN over IP. Using SCTPscan, you can find entry points to Telecom networks. This is especially useful when doing pentests on Telecom Core Network infrastructures. SCTP is also used in high-performance networks (internet2).

Source: http://www.p1sec.com/corp/research/tools/sctpscan/

sctpscan Homepage | Kali sctpscan Repo

Author: Philippe Langlois

License: EGPLv2

TOOLS INCLUDED IN THE SCTPSCAN PACKAGE

sctpscan – SCTP network scanner for discovery and security

root@kali:~# sctpscan

SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.

SCTPscan comes with ABSOLUTELY NO WARRANTY; for details read the LICENSE or COPYING file.

Usage: sctpscan [options]

Options:

-p, --port <port> (default: 10000) port specifies the remote port number

-P, --loc_port <port> (default: 10000) port specifies the local port number

-l, --loc_host <loc_host> (default: 127.0.0.1)

loc_host specifies the local (bind) host for the SCTP stream with optional local port number

-r, --rem_host <rem_host> (default: 127.0.0.2)

rem_host specifies the remote (sendto) address for the SCTP stream with optional remote port number

-s --scan -r aaa[.bbb[.ccc]]

scan all machines within network

-m --map

map all SCTP ports from 0 to 65535 (portscan)

-F --Frequent

Portscans the frequently used SCTP ports


Frequent SCTP ports: 1, 7, 9, 20, 21, 22, 80, 100, 128, 179, 260, 250, 443, 1167, 1812, 2097, 2000, 2001, 2010, 2011, 2020, 2021, 2100, 2110, 2120, 2225, 2427, 2477, 2577, 2904, 2905, 2906, 2907, 2908, 2909, 2944, 2945, 3000, 3097, 3565, 3740, 3863, 3864, 3868, 4000, 4739, 4740, 5000, 5001, 5060, 5061, 5090, 5091, 5672, 5675, 6000, 6100, 6110, 6120, 6130, 6140, 6150, 6160, 6170, 6180, 6190, 6529, 6700, 6701, 6702, 6789, 6790, 7000, 7001, 7102, 7103, 7105, 7551, 7626, 7701, 7800, 8000, 8001, 8471, 8787, 9006, 9084, 9899, 9911, 9900, 9901, 9902, 10000, 10001, 11146, 11997, 11998, 11999, 12205, 12235, 13000, 13001, 14000, 14001, 20049, 29118, 29168, 30000, 32905, 32931, 32768

-a --autoportscan

Portscans automatically any host with SCTP aware TCP/IP stack

-i --linein

Receive IP to scan from stdin

-f --fuzz

Fuzz test all the remote protocol stack

-B --bothpackets

Send packets with INIT chunk for one, and SHUTDOWN_ACK for the other

-b --both_checksum

Send both checksum: new crc32 and old legacy-driven adler32

-C --crc32

Calculate checksums with the new crc32

-A --adler32

Calculate checksums with the old adler32

-Z --zombie

Does not collaborate to the SCTP Collaboration platform. No reporting.

-d --dummyserver

Starts a dummy SCTP server on port 10000. You can then try to scan it from another machine.

-E --exec <script_name>

Executes <script_name> each time an open SCTP port is found.

Execution arguments: <script_name> host_ip sctp_port

-t --tcpbridge <listen TCP port>

Bridges all connection from <listen TCP port> to remote designated SCTP port.

-S --streams <number of streams>

Tries to establish SCTP association with the specified <number of streams> to remote designated SCTP destination.

Scan port 9999 on 192.168.1.24

./sctpscan -l 192.168.1.2 -r 192.168.1.24 -p 9999

Scans for availability of SCTP on 172.17.8.* and portscan any host with SCTP stack

./sctpscan -s -l 172.22.1.96 -r 172.17.8


Scans frequently used ports on 172.17.8.*

./sctpscan -s -F -l 172.22.1.96 -r 172.17.8

Scans all class-B network for frequent port

./sctpscan -s -F -r 172.22 -l `ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | cut -d ' ' -f 1 `

Simple verification end to end on the local machine:

./sctpscan -d &

./sctpscan -s -l 192.168.1.24 -r 192.168.1 -p 10000

This tool does NOT work behind most NAT.

That means that most of the routers / firewall don't know how to NAT SCTP packets.

You _need_ to use this tool from a computer having a public IP address (i.e. non-RFC1918)

SCTPSCAN USAGE EXAMPLE

Scan (-s) for frequently used ports (-F) on the remote network (-r 192.168.1.*):

root@kali:~# sctpscan -s -F -r 192.168.1.*

SCTPscan - Copyright (C) 2002 - 2009 Philippe Langlois.

Netscanning with Crc32 checksumed packet

Portscanning Frequent Ports on 192.168.1.*.
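The -C, -A and -b options above exist because SCTP stacks have used two different checksums over time (the original Adler-32 and the current CRC32c), and a probe carrying the wrong one is silently dropped. The following added example, not part of the page or of sctpscan, implements the CRC32c of RFC 4960 Appendix B and classifies which checksum a captured SCTP packet carries, so that probes seen in a trace can be attributed to one mode or the other. It assumes the CRC32c is stored little-endian in the common header (as the RFC's reference code does) and the legacy Adler-32 in network byte order; sample_init_packet only builds constructed test input.

```python
import struct
import zlib

def crc32c(data):
    """Reflected CRC-32C (Castagnoli, poly 0x82F63B78), init and final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def sctp_checksum_kind(pkt):
    """Return 'crc32c', 'adler32' or None for a raw SCTP packet (common header + chunks).
    The checksum field (bytes 8..11) is zeroed before recomputing, per RFC 4960."""
    if len(pkt) < 12:
        return None
    stored = pkt[8:12]
    zeroed = pkt[:8] + b"\x00\x00\x00\x00" + pkt[12:]
    if stored == struct.pack("<I", crc32c(zeroed)):          # assumption: little-endian
        return "crc32c"
    if stored == struct.pack(">I", zlib.adler32(zeroed) & 0xFFFFFFFF):  # legacy RFC 2960
        return "adler32"
    return None

def sample_init_packet(src_port, dst_port, kind):
    """Constructed minimal SCTP packet with one INIT chunk, for testing the classifier.
    INIT: type 1, flags 0, length 20, initiate tag, a_rwnd, out/in streams, initial TSN."""
    init_chunk = struct.pack("!BBHIIHHI", 1, 0, 20, 0x1234ABCD, 65536, 10, 10, 1)
    header = struct.pack("!HHII", src_port, dst_port, 0, 0)  # vtag 0 for INIT, csum 0
    body = header + init_chunk
    if kind == "crc32c":
        csum = struct.pack("<I", crc32c(body))
    else:
        csum = struct.pack(">I", zlib.adler32(body) & 0xFFFFFFFF)
    return body[:8] + csum + body[12:]
```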

CATEGORIES: SNIFFING/SPOOFING

TAGS: FUZZING, PORTSCANNING, SPOOFING
