NetTalk SIP via tftp

vj244
MagicJack Newbie
Posts: 6
Joined: Sun Mar 09, 2008 11:48 am
Location: India
Contact:

NetTalk SIP via tftp

Post by vj244 »

How to obtain NetTalk SIP information

The NetTalk configuration information is retrieved via tftp.

The name of your specific config file is 00_11_22_33_44_55_ABCD.cfg.
00_11_22_33_44_55 corresponds to the mac address of your NetTalk device.
ABCD corresponds to the last 4 digits of your NetTalk Serial number.

Assuming you have tftp enabled on your machine, you can obtain your NetTalk configuration like:

    tftp -i tftp.tktelco.net GET 00_11_22_33_44_55_ABCD.cfg

In the returned file, you will see a 10 digit number. This is your NetTalk username. Directly after that, you will see 10 alphabetic characters (e through n). This is your encoded NetTalk password.

The encoding is a simple substitution where

    e=0, f=1, g=2, h=3, i=4, j=5, k=6, l=7, m=8, n=9

On the back of your NetTalk Device, you will find your serial number, and MAC address.

I have automated the process of retrieving this information.

1) Enter your NetTalk Serial number in the first box (Note: we only need the last 4 digits)
2) Enter your NetTalk MAC Address
3) Press "Get SIP"

You can obtain the source code, and executable here: *mod edit deleted link. Brute force? Seriously dude? WTF*
(The executable is in the bin\Debug directory.)

Because simply getting one set of credentials is not that interesting, I added the ability to brute force as well.
Note: This tool is for educational use only. Do not use it to mass gather SIP credentials.

To brute force, choose the second tab:

Any fields left blank, will be brute forced.

For example, to brute force all SIP credentials for the MAC addresses in the range of:
00:25:12:34:56:00 through 00:25:12:34:56:FF


Leave the Serial Number blank, and enter the mac 00:25:12:34:56

The sleep time is the number of milliseconds to wait between packets.

Keep in mind that brute forcing can be very time consuming, as we need to try every possible 4 digit serial number 0000 through 9999 for every MAC address.

The tool runs fine under Linux using mono, as you can see from the above screen capture.

Let me know if this works for you, or if you encounter bugs.
--
Valavan Jabbar
neo2121
Dan isn't smart enough to hire me
Posts: 282
Joined: Wed Jan 09, 2008 10:05 am
Contact:

Post by neo2121 »

I will test tomorrow for you.
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

I like to thank the original poster for this. I am being blamed by the nettalk owner for your release of this information. I have not nor will I ever purchase / own their product.

I am all for full disclosure but this has caused me a headache and I did not even do it. Be careful who posts here. I will post the email from thomas and my response in a few days after talking to my legal team and awaiting an apology from nettalk.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

I don't see anywhere in this forum Nettalk blaming you for this hack? Where are you getting this harassment from?
bitstopjoe
Future magicJack CEO
Posts: 2844
Joined: Sat Sep 13, 2008 5:25 pm
Location: North East Pennsylvania

Post by bitstopjoe »

Pablo123 wrote:I don't see anywhere in this forum Nettalk blaming you for this hack? Where are you getting this harassment from?
Ever hear of personal email?? Net Talk Forum?? I am sure it is one of the two. Someone from Net Talk must have READ a post here and then contacted him.
At least that is my assumption..
Joe Sica
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

WOW, never heard either of those, I will google it now ;)

Thanks Joe!
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

I googled genxweb and nettalk and didn't find anything.
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

Thomas contacted me through LinkedIn and then sent me a message. How he thinks that someone from India is me, especially since the user posted his website address and the whois points out of the US and gives the person's name and contact, I am baffled.
I googled genxweb and nettalk and didn't find anything.
You won't, as I believe them to be just another magicjack. I'd rather go with a service that openly supports SIP so I can rely on my phone working and not wondering if they have blocked me or disabled my account when I really need to make a call, i.e. 911.

Side note: they have all the right to block those that do this as it is their business and their rules. Can't hold this against either magic jack or nettalk. They offer a service and their service does not include SIP credentials or BYOD. Follow the rules and the service works great, break them and it doesn't.
Last edited by genxweb on Fri Jun 24, 2011 9:43 am, edited 2 times in total.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

Who is this Thomas guy? From Nettalk?
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

Google their company and you will find him near the top of the engineering ladder. I won't post his last name here as it is not fair to him.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

I googled it, but I didn't find anything, can you post the link or his email?
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

I am working with nettalk customer service and awaiting a call from corporate.
nailgunner
MagicJack Sensei
Posts: 1548
Joined: Thu Mar 18, 2010 3:30 pm

Post by nailgunner »

Pretty amazing that with all the potential people to accuse they would pick out someone that actually has a reputation to protect. What, by posting a hack to NetTalk, more people will pay to use your service? If enough people use the hack it will eventually close down NetTalk and you will have eliminated a competitor?

I admit I understand very little of this SIP stuff, but I'm missing what they think you would gain from doing it.
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

nailgunner wrote:Pretty amazing that with all the potential people to accuse they would pick out someone that actually has a reputation to protect. What, by posting a hack to NetTalk, more people will pay to use your service? If enough people use the hack it will eventually close down NetTalk and you will have eliminated a competitor?

I admit I understand very little of this SIP stuff, but I'm missing what they think you would gain from doing it.
What he posted is not even the bad part; it is what the guy told me that makes this so much worse. If corporate does not contact me by tonight or Monday at the latest, I will be posting an article about this.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

I mean who cares anyway? Why do you want to hear from Nettalk? Just let it be, not that big of a deal in my eyes.
nailgunner
MagicJack Sensei
Posts: 1548
Joined: Thu Mar 18, 2010 3:30 pm

Post by nailgunner »

Pablo123 wrote:I mean who cares anyway? Why do you want to hear from Nettalk? Just let it be, not that big of a deal in my eyes.
Well gee. Genxweb runs a company, while relatively small, that competes with NetTalk for VOIP users. NetTalk has accused him of sabotaging their company. So it is obvious that Genxweb would like to make it clear to anyone that has heard or will hear about this, that he has nothing to do with it. Makes sense to me.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

If everybody believes it wasn't him, then leave the subject alone? Why create more publicity than needed? Just my poor little 2 cents ;) just move on and be the better person.

Have a great weekend everyone!
oldtimercurt
Dan isn't smart enough to hire me
Posts: 281
Joined: Sat Feb 07, 2009 11:45 am
Location: Pensacola

Post by oldtimercurt »

Pablo, maybe it doesn't look like a big deal to you because you're not the one affected. Mike is, and from the sound of it he's concerned. That's good enough for me.

Good Luck, Mike.

OTC
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

Why can't we be friends, why can't we be friends? Lol

All the best for everyone, let god be with you
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

Pablo123 wrote:I mean who cares anyway? Why do you want to hear from Nettalk? Just let it be, not that big of a deal in my eyes.
That's why you are not a security person. By stealing others' SIP credentials you can now not only call as them but receive their calls, impersonate them and carry out other social engineering hacks and scams as that person through their number.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

I'm sure the same person that hacked Nettalk can hack your company "voipmyway". Look, the government gets hacked every day, your information is never safe with anybody. You're right, I'm not a security expert and will never be, the technology changes too fast to be an expert.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

It happens everyday, you think your information is safe today?????

http://www.usatoday.com/tech/news/2011- ... cked_n.htm

Anybody or any company can be hacked.
vj244
MagicJack Newbie
Posts: 6
Joined: Sun Mar 09, 2008 11:48 am
Location: India
Contact:

Post by vj244 »

genxweb wrote:I like to thank the original poster for this. I am being blamed by the nettalk owner for your release of this information. I have not nor will I ever purchase / own their product.

I am all for full disclosure but this has caused me a headache and I did not even do it. Be careful who posts here. I will post the email from thomas and my response in a few days after talking to my legal team and awaiting an apology from nettalk.
Mr. Genxweb,

I am sorry you were blamed for this. You are certainly not responsible. If NetTalk wishes to blame someone, they should blame themselves. Their system was not designed to be secure. A simple substitution cipher to hide credentials is just child's play.

To Mr. Pablo123's point, this was not a hack. With this method, I just walked right up to the front door, and tried all of the keys. Brute force will always work. Even a combination lock can be opened if you have the patience to try all possible combinations.

To the moderators, my apologies for posting the brute force option. If you'd like, I can remove the brute force option, and repost the source code.

Regards,

Valavan
--
Valavan Jabbar
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

Here is my write up

http://www.digitaloffensive.com/2011/06 ... a-privacy/

Nettalk knew about the TFTP issue and ignored it.
neo2121
Dan isn't smart enough to hire me
Posts: 282
Joined: Wed Jan 09, 2008 10:05 am
Contact:

Post by neo2121 »

That sucks you are catching the heat for this...I couldn't get it to work maybe they have already closed it up this morning.


**UPDATE
Seems to me that they have shut off the tftp server already.
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

neo2121 wrote:That sucks you are catching the heat for this...I couldn't get it to work maybe they have already closed it up this morning.


**UPDATE
Seems to me that they have shut off the tftp server already.
I posted this on their site as well.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

newtoncd
NT Starter

Joined: Thu Jul 30, 2009 10:35 am
Posts: 81

 Re: Nettalk chooses not to protect Client’s data / Privacy
"The issue this was an open issue since day 1 of the duo. This one researcher might have publicized it but who knows how many others knew about this before him and were making use of it. On top of this there has been no official word sent to duo customers about this or what they plan to do to protect the clients, or what they are going to do for those that may have been already compromised."

>>>>>>>

According to the article, "An attacker can download the configuration of any Nettalk user by knowing the MAC address of the device and the last 4 digits of the device serial number; Using a simple brute force method you can quickly pull the configurations of multiple users in matter of hours, if not minutes"

If I get this right, the hacker has to break into my home network, identify the MAC address of my DUO and also determine the last four digits of the serial number.

Once they have that, they can start using my SIP credentials to make their own calls. Is that the extent of the issue? Or is the article implying that the netTALK site was compromised and the hackers now have a list of all DUOs and their serial numbers? I didn't get that from the article. A netTALK subscriber can check the netTALK website and their respective call logs to see if their device has been compromised.

All of this is now OBE since the TFTP exploit has been closed.


Last edited by newtoncd on Sat Jun 25, 2011 12:17 pm, edited 1 time in total.
newtoncd
Dan isn't smart enough to hire me
Posts: 216
Joined: Fri Jan 09, 2009 12:52 am

Post by newtoncd »

I still appreciate the folks that identified this vulnerability.
-Curt
--magicJack user since Oct 08 w/magicFeatures
--D-Link DIR-655
-NetTalk DUO since Dec 10
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

newtoncd wrote:I still appreciate the folks that identified this vulnerability.
Newtoncd is correct, as long as the tftp is off the vulnerability is gone. Though he is not correct about having to break into someone's house to get the info in the first place. Brute force will try every possible combination of an and mac. It is a computer term, not a physical break-in term.

I'd like to see how they plan to permanently fix this, as the duo I believe may require the tftp for software updates, though I may be wrong as I don't have one. At some point they are gonna have to push new updates to the devices.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

They are still going to have to break in and get the last four digits of the serial number which is on the sticker on the bottom of the device.
newtoncd
Dan isn't smart enough to hire me
Posts: 216
Joined: Fri Jan 09, 2009 12:52 am

Post by newtoncd »

genxweb wrote:
newtoncd wrote:I still appreciate the folks that identified this vulnerability.
Newtoncd is correct, as long as the tftp is off the vulnerability is gone. Though he is not correct about having to break into someone's house to get the info in the first place. Brute force will try every possible combination of an and mac. It is a computer term, not a physical break-in term.

I'd like to see how they plan to permanently fix this, as the duo I believe may require the tftp for software updates, though I may be wrong as I don't have one. At some point they are gonna have to push new updates to the devices.
We were talking the same thing. What I tried to say was, "the hacker will have to hack into my home network to get access to my DUO". I didn't mean "physically breaking into my house", I meant via a hack into my home network. If that isn't the case, I guess I am not clear as to how they can brute force my DUO.

If they don't have to hack into my network to get at it, how they will get access to my device (the MAC and last four of the serial). I am guessing the hackers must have targeted my network with a packet sniffer to watch for the DUO to communicate with netTALK to get my SIP credentials? Or, are they targeting netTALK servers and watching packets in that direction?

Thanks.
-Curt
--magicJack user since Oct 08 w/magicFeatures
--D-Link DIR-655
-NetTalk DUO since Dec 10
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

Newtoncd, brute forcing means you remotely try every possibility of miners till you find ones that work. You never have to hack the user. The user will never know that you did it.


newtoncd wrote:
genxweb wrote:
newtoncd wrote:I still appreciate the folks that identified this vulnerability.
Newtoncd is correct, as long as the tftp is off the vulnerability is gone. Though he is not correct about having to break into someone's house to get the info in the first place. Brute force will try every possible combination of an and mac. It is a computer term, not a physical break-in term.

I'd like to see how they plan to permanently fix this, as the duo I believe may require the tftp for software updates, though I may be wrong as I don't have one. At some point they are gonna have to push new updates to the devices.
We were talking the same thing. What I tried to say was, "the hacker will have to hack into my home network to get access to my DUO". I didn't mean "physically breaking into my house, I meant via a hack into my home network. If that isn't the case, I guess I am not clear as to how they can brute force my DUO.

If they don't have to hack into my network to get at it, I guess I am not clear how they will get access to my device (the MAC and last four of the serial). I am guessing the hackers must have targeted my network with a packet sniffer to watch for the DUO to communicate with netTALK to get my SIP credentials? Or, are they targeting netTALK servers and watching packets in that direction?

Thanks.
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

They still need to get the serial from the device. They can brute force all they want, but they need the serial number in order to get the SIP info.
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

Pablo123 wrote:They still need to get the serial from the device. they can brute force all they want, but they need the serial number in order to get the SIP info.
Dude, they need the last 4 numbers. So they can brute force starting with 1111 then 1112 and so on. Eventually the attacker will find the right combo. It is like trying every possible combination of a keypad on a door, eventually you will get it. The difference is computers are faster.
vj244
MagicJack Newbie
Posts: 6
Joined: Sun Mar 09, 2008 11:48 am
Location: India
Contact:

Post by vj244 »

Pablo123 wrote:They still need to get the serial from the device. they can brute force all they want, but they need the serial number in order to get the SIP info.
I did not hack into any home network. You are correct newtoncd, that to get YOUR personal credentials, I would need your MAC address.

In my approach, I tried all possible combinations from 0000 through 9999.

I knew that NetTalk MAC's started with 00:25... A simple google search would yield lots of possible candidates.

For example, in the google search above, let's take jesustalk.info's MAC. If I paste his MAC into the tool I posted, it was a matter of at most 10,000 packets to get his SIP. Since the last 4 digits are random, we can find most SIP info in half that, or 5000 packets. So, it becomes a matter of how fast you can spit out the packets. Even on a slow network connection it takes less than a minute to retrieve one credential.

Now, expand your thinking. Don't try to get just one SIP credential, brute force many credentials at one time. For example, try all MAC's from: 00:25:F6:00:00:00 to 00:25:F6:00:FF:FF. This will yield about 65,000 username/password pairs, including our good friend jesustalk.

My testing was spread across about a dozen machines, and I tested for 3 or 4 weeks. So, how serious is this? I guess that depends if your MAC address was in the range of MAC's tested.

NetTalk should probably change everyone's SIP password, just to make sure this hole is actually patched.

In summary, I did not need your serial number, I just tried them all.

Valavan
--
Valavan Jabbar
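
Seen from the TFTP server, the enumeration described in the post above is one source asking for many different `<MAC>_<serial>.cfg` names, while a real device only ever asks for its own. The following is an added example for operators, not part of the thread or of the poster's tool; the log line format, addresses, MACs and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque

# Assumed (constructed) log format, adapt the regex to your TFTP daemon:
#   <epoch-seconds> RRQ <source-ip> <filename>
# Filename layout is the one given in the thread: MAC with underscores,
# then the last 4 digits of the serial, then ".cfg".
LINE_RE = re.compile(
    r"^(?P<ts>\d+) RRQ (?P<src>\S+) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}_){6})(?P<serial>\d{4})\.cfg$"
)


def find_enumerators(lines, window=60, max_distinct=3):
    """Return sources that requested more than `max_distinct` different
    config files inside any `window`-second span."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are ignored
            mac = m["mac"].rstrip("_").upper()
            by_src[m["src"]].append((int(m["ts"]), mac, m["serial"]))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()     # events still inside the sliding window
        counts = Counter()   # how often each (mac, serial) is in the window
        peak = 0
        for ts, mac, serial in events:
            recent.append((ts, mac, serial))
            counts[(mac, serial)] += 1
            # Drop events that have aged out of the window.
            while recent[0][0] <= ts - window:
                _, old_mac, old_serial = recent.popleft()
                counts[(old_mac, old_serial)] -= 1
                if counts[(old_mac, old_serial)] == 0:
                    del counts[(old_mac, old_serial)]
            peak = max(peak, len(counts))
        if peak > max_distinct:
            findings[src] = {
                "peak_distinct_files": peak,
                "macs_touched": len({mac for _, mac, _ in events}),
            }
    return findings


# Constructed sample: one device re-fetching its own file, and one source
# walking serial suffixes 0000..0019 for a single MAC, one request per second.
SAMPLE_LOG = [
    "1000 RRQ 198.51.100.10 AA_BB_CC_DD_EE_01_4821.cfg",
    "4600 RRQ 198.51.100.10 AA_BB_CC_DD_EE_01_4821.cfg",
] + [
    f"{2000 + i} RRQ 203.0.113.7 00_11_22_33_44_55_{i:04d}.cfg"
    for i in range(20)
]

if __name__ == "__main__":
    for src, info in find_enumerators(SAMPLE_LOG).items():
        print(src, info)
```

Several devices behind one NAT address legitimately request a handful of distinct files, so `max_distinct` should sit above the largest household you expect, and a long window catches requests that are spaced out.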
Pablo123
Dan isn't smart enough to hire me
Posts: 172
Joined: Fri Jan 07, 2011 6:19 pm

Post by Pablo123 »

VJ, your English is too Americanized, are you sure you're from India? Or are you just trying to cover it up? Are you a MJ employee?
genxweb
Dan isn't smart enough to hire me
Posts: 257
Joined: Thu Mar 11, 2010 4:32 pm
Contact:

Post by genxweb »

Can you post this over in the nettalk forum under the thread I started? This explains it well.
vj244 wrote:
Pablo123 wrote:They still need to get the serial from the device. they can brute force all they want, but they need the serial number in order to get the SIP info.
I did not hack into any home network. You are correct newtoncd, that to get YOUR personal credentials, I would need your MAC address.

In my approach, I tried all possible combinations from 0000 through 9999.

I knew that NetTalk MAC's started with 00:25... A simple google search would yield lots of possible candidates.

For example, in the google search above, let's take jesustalk.info's MAC. If I paste his MAC into the tool I posted, it was a matter of at most 10,000 packets to get his SIP. Since the last 4 digits are random, we can find most SIP info in half that, or 5000 packets. So, it becomes a matter of how fast you can spit out the packets. Even on a slow network connection it takes less than a minute to retrieve one credential.

Now, expand your thinking. Don't try to get just one SIP credential, brute force many credentials at one time. For example, try all MAC's from: 00:25:F6:00:00:00 to 00:25:F6:00:FF:FF. This will yield about 65,000 username/password pairs, including our good friend jesustalk.

My testing was spread across about a dozen machines, and I tested for 3 or 4 weeks. So, how serious is this? I guess that depends if your MAC address was in the range of MAC's tested.

NetTalk should probably change everyone's SIP password, just to make sure this hole is actually patched.

In summary, I did not need your serial number, I just tried them all.

Valavan
jhonn
MagicJack Newbie
Posts: 3
Joined: Fri Mar 21, 2008 10:19 pm

Post by jhonn »

where is the application to download