googletts.agi script

While setting up an Asterisk server I needed a text to speech API. This was to be utilized for a testing environment. The production server was expected to use prerecorded messages, but they have not been recorded yet.

I came across a script called googletts that utilizes the Asterisk AGI plugin system. The website is currently listed here: https://zaf.github.io/asterisk-googletts/

Do note that this method is not officially supported and may not work in the future. The install is fairly straightforward.

Ensure you have all the dependencies installed and copy the googletts.agi to your AGI directory.

Below is an example dial plan for how I am using the googletts.agi script in my test environment.

exten => 5305370260,1,Wait(3)
exten => 5305370260,n,answer()
exten => 5305370260,n,Monitor(wav,,b)
exten => 5305370260,n,agi(googletts.agi,"Thank you for calling Harrison Technology.",en)
exten => 5305370260,n,agi(googletts.agi,"Your Provider to custom solutions.",en)
exten => 5305370260,n,goto(internal,6001,1)
;exten => _5305370260,5,Queue(support)

Asterisk – Voicemail Feature Code

I was tasked with setting up an Asterisk server with no helper interface and scripts such as FreePBX. Setting up the voicemail portion turned out to be fairly easy. Below are portions of the dial plan that I configured.

extensions.conf

exten => *97,1,answer()
exten => *97,n,agi(googletts.agi,"You have reached the voice mail system")
exten => *97,n,VoiceMailMain(${CALLERID(num)}@Main)
exten => *97,n,Hangup()
exten => *98,1,answer()
exten => *98,n,agi(googletts.agi,"Routing you to the voicemail")
exten => *98,n,VoiceMail([email protected])
exten => *98,n,Hangup()

The above star codes allow you to check the voicemail. *97 will route to the extension matching the caller ID number, such as extension 6001, and *98 will route to extension 6001.

voicemail.conf

[main]
7001 => 123

7002 => 456
6001 => 456

I utilize an AGI script called googletts.agi for my testing environment. It essentially converts text to speech and plays the audio. I will write in detail about it in another blog and link to the original script.

In order to route a call to voicemail, all you need is the following line.

exten => [extension],n,VoiceMail([extension]@main)
Example:
exten => 7001,n,VoiceMail([email protected])

AI Crimes are a thing

We live in a fascinating era, where technology is solving problems that we wouldn't have thought were possible to solve before: helping the blind see (https://www.youtube.com/watch?v=y5bktGGkd9w), helping individuals with Parkinson's (https://www.youtube.com/watch?v=R6rAlFYDffQ) and more. Please feel free to review those two links for some uplifting news.

But with this technology come opportunities that criminals can take advantage of. Artificial Intelligence, AI, is being used to generate fake images and sound. Criminals are now generating real-time audio to sound like other individuals and perform criminal actions. Please review the link below and be cautious of the person you are speaking with on the phone.

https://www.theverge.com/2019/9/5/20851248/deepfakes-ai-fake-audio-phone-calls-thieves-trick-companies-stealing-money

Sysmon 10 & DNS Queries

On June 19th Mark Russinovich tweeted that the release of Sysmon version 10 will include DNS query logging. Packetbeat is currently being utilized for capturing DNS queries but with the addition of DNS queries in Sysmon this may change.

I have started upgrading Sysmon in our environment. I am using the base of SwiftOnSecurity's AlphaVersion for the new configuration file with some changes to fit better in our environment. The GitHub repository is located here: https://github.com/SwiftOnSecurity/sysmon-config. Adding <DnsQuery onmatch="exclude"/> to your existing configuration file should be enough, but I highly recommend against this method as it will be extremely noisy.

Currently the logs get shipped to Graylog3 via Winlogbeat and will be analyzed in Kibana and Graylog3.

Quick Graph from the logs coming in from Sysmon

Threat Hunting with DNS Queries

The majority of malware uses a command and control center to retrieve updates, commands to run and more. There are a few methods that malware can use to obtain the location of the command and control center.

Using an IP address would limit the command and control center to one location, while a DNS record would allow a system to move around as needed.

Logging the DNS queries will allow you to obtain a baseline of your environment and will allow you to query the domain names against lists of known bad domains.
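The baseline and known-bad-list check described above, as an added example that is not part of the original post. The event layout (dns.question.name, client.ip), the sample events, the blocklist and the baseline are all constructed assumptions; adjust the field names to what your Packetbeat version emits.

```python
import json
from collections import Counter

# Constructed sample events (JSON lines); field layout is assumed, values are made up.
SAMPLE_EVENTS = [
    '{"client": {"ip": "10.0.0.21"}, "dns": {"question": {"name": "www.example.com."}}}',
    '{"client": {"ip": "10.0.0.34"}, "dns": {"question": {"name": "update.bad-domain.example."}}}',
    '{"client": {"ip": "10.0.0.34"}, "dns": {"question": {"name": "NotBad-Domain.example"}}}',
    '{"client": {"ip": "10.0.0.21"}, "dns": {"question": {"name": "new-service.example.org"}}}',
    '{"client": {"ip": "10.0.0.21"}, "dns": {"question": {"name": "new-service.example.org."}}}',
    '{"type": "flow"}',
    'not json',
]
BLOCKLIST = {"bad-domain.example"}   # constructed; normally loaded from a feed
BASELINE = {"www.example.com"}       # constructed; names already seen in this network

def normalize(name):
    return name.strip().rstrip(".").lower()  # drop the root dot, lower-case

def blocked_parent(name, blocklist):
    """Return the blocklist entry equal to name or to one of its parent domains."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on label boundaries only
        if candidate in blocklist:
            return candidate
    return None

def hunt(lines, blocklist, baseline):
    """Return (hits, unseen): blocklist matches and a count of non-baseline names."""
    hits, unseen = [], Counter()
    for line in lines:
        try:
            event = json.loads(line)
            name = normalize(event["dns"]["question"]["name"])
            client = event.get("client", {}).get("ip", "unknown")
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed line or not a DNS event
        match = blocked_parent(name, blocklist)
        if match:
            hits.append((client, name, match))
        elif name not in baseline:
            unseen[name] += 1
    return hits, unseen

if __name__ == "__main__":
    hits, unseen = hunt(SAMPLE_EVENTS, BLOCKLIST, BASELINE)
    print("blocklist hits:", hits)
    print("not in baseline:", dict(unseen))
```

Matching on whole labels keeps notbad-domain.example from being flagged by the bad-domain.example entry, while subdomains of a listed domain still match.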

This document will just go over the very basics of getting the DNS questions into GrayLog.

We will be using Packetbeat to log the queries and will be shipping the information to GrayLog via a LogBeat connector.

In the configuration for Packetbeat you need to specify which interface will be used for monitoring. You can find the interface you want by running the command packetbeat devices.

Specify what protocols you want to monitor and the settings. You will also need to specify the logstash output.

The Packetbeat configuration below tells the software to monitor on interface 4. The packetbeat.protocols section tells the software to watch for DNS traffic and sets include_authorities. The output section sends the logs to Logstash at graylog.example.com.

packetbeat.interfaces.device: 4
packetbeat.protocols:
- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]
  # include_authorities controls whether or not the dns.authorities field
  # (authority resource records) is added to messages.
  include_authorities: true
  # include_additionals controls whether or not the dns.additionals field
  # (additional resource records) is added to messages.
  include_additionals: true
output.logstash:
  # The Logstash hosts
  hosts: ["graylog.example.com:5048"]

Graylog Configuration

1. Let's add a Beats Input in GrayLog by navigating to System / Inputs and selecting Inputs.

2. Select Beats in the drop down in the new section and click Launch new Input.

3. Select the node, title and port.

4. Start Packetbeat and your DNS queries will start going to GrayLog.

You are now on your way to threat hunting.

Note: I did not cover setting up TLS settings. I would recommend doing this as an additional step.