This post is a continuation of my experiences with the security industry. View the previous post in the series here.
It was my fifth semester. My HOD and mentor Prof. B.V. Buddhadev referred me to a company named Pam Technologies Pvt. Ltd. At PAM Tech I was taking care of the security of their location tracking web portal. Meanwhile, there was a project related to VoIP which was bottlenecked because the team working on the project had just quit. Seeing my curiosity, my mentor BVB sir put me into the VoIP project. It was an interesting experience. Since I had hands-on experience of Linux systems for a few years, it took very little time for me to grasp the open source telephony platform, Asterisk. I built an entire telephony system from scratch with an interactive voice response just like a customer center. It was integrated with an ASP.NET Web Service via Mono.NET, i.e. .NET for the Linux platform.
My college LDCE has a techfest called Teqnix. As a part of Teqnix they had already announced a Security and Ethical Hacking workshop. But they were still looking for speakers. Finally they asked me.
Now since I was working on Asterisk I was away from this security stuff and I also wanted someone more experienced to come over. So I passed it to Sunny Vaghela.
I was there on the day of the event. Sunny was all “suited up”. Surprisingly his assistant was even more suited up, with a noticeable “bluetooth headset” on his ear. Remember this was 2009 and those devices still looked geeky. Sunny greeted all the faculties who were “lined up” and shook his right hand with them while placing a visiting card in the left ones. I was just seeing things – had never seen such stuff before.
Sunny opened his laptop and connected it with that Reliance Datacard.
We opened some windows. Still no luck.
“I can’t show demo without the internet”, he says.
“It’s okay, show the presentation”, I consoled. He asked me to copy the presentation file on a pendrive. For the record the PPT is still with me. I copied it to the laptop connected to the projector and moved away from the scene.
The presentation was on Mobile Spoofing – his classic signature; it was on SMS forging and Call forging. It was boring for me; I felt like a high school student in kindergarten. Anyway, I had taken leave from the office for an hour, so I returned.
Back at home I opened the presentation. It grabbed my interest because it had some info about spoofing calls via Asterisk, which I was working upon. Now I had already tried caller ID spoofing by that time. Technically it was possible, operationally it wasn’t. The Department of Telecom had made it mandatory to use the original source phone number over PSTN and GSM lines.
And here this guy was showing call spoofing. This was the code that was interesting:
Download Asterisk@ home or Asterisk server from website.
Configure it. Add the following into Config file.
exten => 33,1,Answer
exten => 33,2,AGI(cidspoof.agi)
Change CID information in the extension.conf file.
Start Asterisk Again.
Dial extension with the spoofed number.
I was like ROFL. The entire text had been copied from this document created way back in 2005.