stunner v0.5.3 releases: test and exploit STUN, TURN and TURN over TCP servers
Stunner is a tool to test and exploit STUN, TURN and TURN over TCP servers. TURN is a protocol mostly used in videoconferencing and audio chats (WebRTC).
If you find a misconfigured server you can use this tool to open a local socks proxy that relays all traffic via the TURN protocol into the internal network behind the server.
Let’s say you find a service using WebRTC and want to test it.
The first step is to get the required data. I suggest to launch Wireshark in the background and just join a meeting via Burp to collect all HTTP and Websocket traffic. Next search your burp history for some keywords related to TURN like 3478, password, credential, and username (be sure to also check the websocket tab for these keywords). This might reveal the turn server and the protocol (UDP and TCP endpoints might have different ports) and the credentials used to connect. If you can’t find the data in burp start looking at Wireshark to identify the traffic. If it’s on a non-standard port (anything else than 3478) decode the protocol in Wireshark via a right-click as STUN. This should show you the username used to connect and you can use this information to search burps history even further for the required data. Please note that Wireshark can’t show you the password as the password is used to hash some package contents so it can not be reversed.
The next step would be to issue the info command to the turn server using the correct port and protocol obtained from burp.
If this works, the next step is a range-scan. If this allows any traffic to internal systems you can exploit this further but be aware that UDP has only limited use cases.
If TCP connections to internal systems are allowed simply launch the socks command and access the allowed IPs via a browser and set the socks proxy to 127.0.0.1:1080. You can try out 127.0.0.1:443 and other ips to find management interfaces.