Scanning VoIP Service for SIP-based Vulnerabilities
(the version details and product specifcs belong to 2010)
Task Detail:
Scanning the state of SIP implementation in VoIP Service.
Background:
SIP (Session Initiation Protocol) is a popular protocol used for controlling multimedia connection session for VoIP based services. It is also used for providing some services in our Organization even over a public network. Thus, we required a security analysis of this service.
Execution Method:
Attackers are actively seeking exposed PBX systems to launch Phishing Scams & route fake calls.
In recent years scams have evolved to include SMS Solicitations (Smishing) and Fake Phone Calls through VoIP (Vishing).
Two common VoIP frauds are:
1. Compromise of server to allow outbound calls at owner's
expense
2. Use of VoIP in Vishing Scams {combined with phishing e-mails
or automated attendant}
There are many tools available to hackers supporting SIP exploitation like Cain-n-Abel, Intelligent War Dialer, Sipsak, siVus, Scapy, Vomit, SIPVicious, SIPCrack, Nessus, Protos, Asteroid SIP DoS and many more.
VoIPPack is now coming with SIPDigetsLeak.py which enables a user to send invite to IP Phone and collect the Digest Authentication Response. After enough collection of responses, it can launch brute-force attack on challenge-response and guess the password.
Tools/Technology Used:
Cain & Abel : http://www.oxid.it/cain.html
Sipsak : http://sipsak.org/
Scapy : http://www.secdev.org/projects/scapy/
VoIPPack : http://enablesecurity.com/products/voippack/
SIPVicious : http://code.google.com/p/sipvicious/
Inference:
VoIP systems should be configured keeping in mind the following points:
1. Check for weak Account Credentials
2. Build a Dial-Plan only allowing what is required
3. Limit exposure of your entire Network
4. Be informed of new exploits in the arena
All the VoIP enabled devices were running SIP service at its default port. So identifying the IP for devices to be exploited for SIP vulnerabilities was already made easy. As now, we had to provide the IP of those devices to self-sustained SIP fuzzing utilities to check for different kind of information. This information could range from extensions of various VoIP phones, passwords of devices to audio recording of actual conversation taking place using those devices.
New Updates to VOIPPack consists:
* two new tools called “bypassalwaysreject” and “sipopenrelay”
* DoS exploits for Asterisk PBX called “asteriskdiscomfort”, “asterisksscanfdos” and “iax2resourceexhaust”
* Generic DoS exploit “sipinviteflood”
* Optimizations for the SIP Digest leak tool “sipdigestleak” and the SIP digest cracker
(the version details and product specifcs belong to 2010)
Task Detail:
Scanning the state of SIP implementation in VoIP Service.
Background:
SIP (Session Initiation Protocol) is a popular protocol used for controlling multimedia connection session for VoIP based services. It is also used for providing some services in our Organization even over a public network. Thus, we required a security analysis of this service.
Execution Method:
Attackers are actively seeking exposed PBX systems to launch Phishing Scams & route fake calls.
In recent years scams have evolved to include SMS Solicitations (Smishing) and Fake Phone Calls through VoIP (Vishing).
Two common VoIP frauds are:
1. Compromise of server to allow outbound calls at owner's
expense
2. Use of VoIP in Vishing Scams {combined with phishing e-mails
or automated attendant}
There are many tools available to hackers supporting SIP exploitation like Cain-n-Abel, Intelligent War Dialer, Sipsak, siVus, Scapy, Vomit, SIPVicious, SIPCrack, Nessus, Protos, Asteroid SIP DoS and many more.
VoIPPack is now coming with SIPDigetsLeak.py which enables a user to send invite to IP Phone and collect the Digest Authentication Response. After enough collection of responses, it can launch brute-force attack on challenge-response and guess the password.
Tools/Technology Used:
Cain & Abel : http://www.oxid.it/cain.html
Sipsak : http://sipsak.org/
Scapy : http://www.secdev.org/projects/scapy/
VoIPPack : http://enablesecurity.com/products/voippack/
SIPVicious : http://code.google.com/p/sipvicious/
Inference:
VoIP systems should be configured keeping in mind the following points:
1. Check for weak Account Credentials
2. Build a Dial-Plan only allowing what is required
3. Limit exposure of your entire Network
4. Be informed of new exploits in the arena
All the VoIP enabled devices were running SIP service at its default port. So identifying the IP for devices to be exploited for SIP vulnerabilities was already made easy. As now, we had to provide the IP of those devices to self-sustained SIP fuzzing utilities to check for different kind of information. This information could range from extensions of various VoIP phones, passwords of devices to audio recording of actual conversation taking place using those devices.
New Updates to VOIPPack consists:
* two new tools called “bypassalwaysreject” and “sipopenrelay”
* DoS exploits for Asterisk PBX called “asteriskdiscomfort”, “asterisksscanfdos” and “iax2resourceexhaust”
* Generic DoS exploit “sipinviteflood”
* Optimizations for the SIP Digest leak tool “sipdigestleak” and the SIP digest cracker