Telephone Line Voice Scanner - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/voice/recorder metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Telephone Line Voice Scanner
Module: auxiliary/scanner/voice/recorder
Source code: modules/auxiliary/scanner/voice/recorder.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module dials a range of phone numbers and records audio from each answered call
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/scanner/voice/recorder
msf auxiliary(recorder) > show targets
... a list of targets ...
msf auxiliary(recorder) > set TARGET target-id
msf auxiliary(recorder) > show options
... show and set options ...
msf auxiliary(recorder) > exploit
Required Options
IAX_HOST: The IAX2 server to communicate with
TARGETS: A list of telephone masks in the format of 1-555-555-5XXX, separated by commas
OUTPUT_PATH: A local directory to store the resulting audio files
Knowledge Base
Vulnerable Application
This module dials a range of phone numbers and records audio from each answered call.
Verification Steps
- Start msfconsole
- Do:
use modules/auxiliary/scanner/voice/recorder
- Do:
set IAX_HOST [ip]
- Do:
set OUTPUT_PATH [path]
- Do:
set TARGETS [phone numbers]
- Do:
run
Scenarios
msf > use modules/auxiliary/scanner/voice/recorder
msf auxiliary(scanner/voice/recorder) > set IAX_HOST 10.0.183.93
IAX_HOST => 10.0.183.93
msf auxiliary(scanner/voice/recorder) > set OUTPUT_PATH /root/audio
OUTPUT_PATH => /root/voice
msf auxiliary(scanner/voice/recorder) > set TARGETS 123-456-7890
TARGETS => 123-456-7890
msf auxiliary(scanner/voice/recorder) > run
[*] Dialing 123-456-7890...
[*] Number: 123-456-7890 ringing Frames 0 DTMF ''
[*] Number: 123-456-7890 ringing Frames 0 DTMF ''
[*] Number: 123-456-7890 ringing Frames 0 DTMF ''
[*] Number: 123-456-7890 answered Frames 51 DTMF ''
[*] Number: 123-456-7890 answered Frames 101 DTMF ''
[*] Number: 123-456-7890 answered Frames 151 DTMF ''
[*] Number: 123-456-7890 answered Frames 201 DTMF ''
[*] Number: 123-456-7890 answered Frames 252 DTMF ''
[*] Number: 123-456-7890 answered Frames 302 DTMF ''
[*] Completed Number: 123-456-7890 State: hangup Frames: 302 DTMF ''
[+] 123-456-7890 resulted in 15420 bytes of audio to /root/audio/123-456-7890.raw
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the scanner/voice/recorder auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/voice/recorder
msf6 auxiliary(scanner/voice/recorder) > show info
Name: Telephone Line Voice Scanner
Module: auxiliary/scanner/voice/recorder
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CALL_TIME 52 yes The maximum time in seconds to spent on each call (ring + recording)
IAX_CID_NAME no The default caller ID name
IAX_CID_NUMBER 15555555555 yes The default caller ID number
IAX_HOST yes The IAX2 server to communicate with
IAX_PASS no An optional IAX2 password
IAX_PORT 4569 yes The IAX2 server port
IAX_USER no An optional IAX2 username
OUTPUT_PATH yes A local directory to store the resulting audio files
TARGETS yes A list of telephone masks in the format of 1-555-555-5XXX, separated by commas
Description:
This module dials a range of phone numbers and records audio from
each answered call
Module Options
This is a complete list of options available in the scanner/voice/recorder auxiliary module:
msf6 auxiliary(scanner/voice/recorder) > show options
Module options (auxiliary/scanner/voice/recorder):
Name Current Setting Required Description
---- --------------- -------- -----------
CALL_TIME 52 yes The maximum time in seconds to spent on each call (ring + recording)
IAX_CID_NAME no The default caller ID name
IAX_CID_NUMBER 15555555555 yes The default caller ID number
IAX_HOST yes The IAX2 server to communicate with
IAX_PASS no An optional IAX2 password
IAX_PORT 4569 yes The IAX2 server port
IAX_USER no An optional IAX2 username
OUTPUT_PATH yes A local directory to store the resulting audio files
TARGETS yes A list of telephone masks in the format of 1-555-555-5XXX, separated by commas
Advanced Options
Here is a complete list of advanced options supported by the scanner/voice/recorder auxiliary module:
msf6 auxiliary(scanner/voice/recorder) > show advanced
Module advanced options (auxiliary/scanner/voice/recorder):
Name Current Setting Required Description
---- --------------- -------- -----------
IAX_DEBUG false no Enable IAX2 debugging messages
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/voice/recorder module can do:
msf6 auxiliary(scanner/voice/recorder) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/voice/recorder auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/voice/recorder) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Failed to call <NUMBER>
Here is a relevant code snippet related to the "Failed to call <NUMBER>" error message:
35: begin
36: ::Timeout.timeout( datastore['CALL_TIME'] ) do
37: print_status("Dialing #{number}...")
38: r = c.dial(number)
39: if not c
40: print_error("Failed to call #{number}")
41: next
42: end
43: lstate = c.state
44: while c.state != :hangup
45: print_status(" Number: #{number} State: #{c.state} Frames: #{c.audio_buff.length} DTMF: '#{c.dtmf}'")
Go back to menu.
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
Go back to menu.
See Also
Check also the following modules related to this module:
- exploit/windows/scada/realwin
- exploit/windows/scada/realwin_on_fc_binfile_a
- exploit/windows/scada/realwin_on_fcs_login
- exploit/windows/scada/realwin_scpc_initialize
- exploit/windows/scada/realwin_scpc_initialize_rf
- exploit/windows/fileformat/shadow_stream_recorder_bof
- post/osx/capture/keylog_recorder
- post/windows/capture/keylog_recorder
Authors
- hdm
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.