Bi-directional Caller ID Spoofing with Asterisk
Caller ID spoofing has been around for a long time. Way back when (well, 2004), an article was published on rootsecure.net with an included Perl script, detailing how to use Asterisk to change your caller ID information, in order to pretend to be somebody else. I had some fun toying with that (heh...), and noticed that some commercial services began to pop up which offered the same capability for a price. SpoofCard is the one that I’ve seen around the most, but many exist. Bah. Setting up an Asterisk server is free if you have access to a Linux box, and outbound SIP trunking is dead cheap. With flowroute.com, I pay less than a cent per minute to place calls within the U.S. The Perl script, obviously, is also free.
The other day I saw something as part of a commercial spoofing service that I hadn’t seen before: bidirectional caller ID spoofing. Basically, it will call friend A from friend B’s number, friend B from friend A’s number, and record the result. This leads to something along the lines of “You called me!” “No, you called me!” As fun as that is, websites like PrankDial are charging a lot of money to do something that is, in practice, very simple.
I haven’t seen a script to do this posted on the internet yet, so I created one and put it on github. You’ll have to set up the Asterisk server by yourself, but implementing the script is easy.
- Put dual_cid_spoof.py in the /usr/share/asterisk/agi-bin directory
- Make it executable by the asterisk user
- Add an extension to extensions.conf that calls the script, using pattern matching to give it arguments. For example:
[spoof]
exten => _37NXXNXXXXXXNXXNXXXXXX,1,Answer
exten => _37NXXNXXXXXXNXXNXXXXXX,2,AGI(dualcidspoof.py,${EXTEN:2:10},${EXTEN:12:10})
This uses the extension 37, but that part can be changed. This pattern matches any calls that have the number 37 followed by two 10-digit phone numbers, and then pulls those numbers out and uses them as arguments to the AGI script. ${EXTEN:2:10} means take the extension, starting at index 2, and pull out 10 digits. To execute it with phone numbers 123-123-1111 and 222-202-2020, I would dial 3712312311112222022020.
MeetMe is required to use this script, since it works by placing both users into a conference room together. The default conference room number is 1234, but that can be changed in the script. Also necessary is changing the outgoing SIP trunk in the Python script from “flowroute” to whatever the name of your outgoing SIP trunk is. Both of these are variables at the top of the script. Execution flow works like this:
- Create two .call files, each with opposite CID/destination info. These files are set to dump the callees into a conference room when they answer.
- Place the files in /var/spool/outgoing/asterisk, to be automatically processed by the Asterisk spooler.
- Connect you into the same conference room as a muted admin, giving you the ability to kick users and listen without being heard.
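Seen from the trunk or provider side, the flow above leaves a recognizable trace: two calls placed moments apart whose caller ID and destination are swapped. The following is an added example, not part of the original post or script, that flags that pattern in call records; the record layout, sample rows, 30-second window and owned-number list are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real traffic):
# (start time, caller ID presented, destination), one row per outbound call.
SAMPLE_CALLS = [
    ("2024-05-01 14:00:02", "2025550101", "2025550102"),
    ("2024-05-01 14:00:03", "2025550102", "2025550101"),  # mirror of the row above
    ("2024-05-01 14:07:40", "2025550103", "2025550101"),  # owned number, no mirror
    ("2024-05-01 16:30:00", "2025550102", "2025550103"),  # unowned caller ID, no mirror
]
OWNED_NUMBERS = {"2025550103"}  # hypothetical: numbers this account may present
WINDOW = timedelta(seconds=30)  # assumed: both legs start almost simultaneously


def parse(rows):
    """Convert timestamps and sort the records by start time."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted((datetime.strptime(ts, fmt), cid, dst) for ts, cid, dst in rows)


def unowned_caller_ids(rows, owned):
    """Calls presenting a caller ID the account is not entitled to use."""
    return [(cid, dst) for _, cid, dst in parse(rows) if cid not in owned]


def mirrored_pairs(rows, window=WINDOW):
    """Pairs of calls where each leg's caller ID is the other leg's destination."""
    calls = parse(rows)
    pairs = []
    for i, (t1, cid1, dst1) in enumerate(calls):
        for t2, cid2, dst2 in calls[i + 1:]:
            if t2 - t1 > window:
                break  # sorted by time: no later call can fall inside the window
            if cid1 == dst2 and dst1 == cid2 and cid1 != dst1:
                pairs.append((cid1, dst1, t1, t2))
    return pairs


if __name__ == "__main__":
    for a, b, t1, t2 in mirrored_pairs(SAMPLE_CALLS):
        print(f"mirrored pair {a} <-> {b} at {t1} / {t2}")
    for cid, dst in unowned_caller_ids(SAMPLE_CALLS, OWNED_NUMBERS):
        print(f"unowned caller ID {cid} -> {dst}")
```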
Enjoy, and feel free to ask questions. Again, you can get the script here.