Scanning the Intertubes for VOIP - Proidea
ENABLESECURITY
Scanning the Intertubes for VOIP
Telephony exposed on the ‘net
Confidence 2009

whoami
• EnableSecurity
• 9 years old
• SIPVicious and VOIPPACK (for CANVAS)
• Surfjack, Extended HTML Form attack

next few minutes
• Brief intro to how VoIP is being abused
• Scanning for VoIP systems
• How to fingerprint VoIP systems
• Possibilities for abuse

VoIP Scanning
• SIP
• IAX2
• H.323
• SCCP

A primer on SIP
• Text based just like HTTP
• UDP port 5060
• INVITE gets things to buzz and ring
• REGISTER sends phone calls your way
• OPTIONS gives you supported options

A primer on IAX2
• Binary protocol running on port 4569
• POKE is like ping
• PONG is like er.. pong
• REGREQ is like REGISTER
• REGREJ stands for registration rejected

VoIP and Cybercrime
• Scans for SIP are on the rise
• News of fraud
• What is happening in the background?
• What tools are they using?

Scans
OPTIONS sip:2658@195.159.X.X SIP/2.0
Via: SIP/2.0/UDP 0.0.0.0:1498;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rport
Max-Forwards: 70
To:
From: ;tag=723535DC-E71F-E3D4-D572-2B41E58782E8
Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190F
CSeq: 1 OPTIONS
Contact:
Accept: application/sdp
Content-Length: 0

Honeypot
• Some python code put together
• Replies to requests and acts like a registrar

demo

SIP Scanning
• OPTIONS is ideal for this
• REGISTER adds value :-)
• Tell between a registrar and an endpoint

OPTIONS scan (diagram): the scanner sends OPTIONS and the SIP registrar answers 200 OK.

Scanning IAX2 (diagram): the scanner sends POKE and the Asterisk box answers PONG.

Headers of interest
SIP/2.0 404 Not found
Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
From: "test" ;tag=d5a5bd3213c46cdd060c
To: "test" ;tag=as05610bff
Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

Modified User-agent
SIP/2.0 404 Not found
Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
From: "test" ;tag=d5a5bd3213c46cdd060c
To: "test" ;tag=as05610bff
Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
CSeq: 1 REGISTER
User-Agent: MyVeryOwn PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

Give away
SIP/2.0 404 Not found
Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
From: "test" ;tag=d5a5bd3213c46cdd060c
To: "test" ;tag=as05610bff
Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
CSeq: 1 REGISTER
User-Agent: MyVeryOwn PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

Fingerprinting To Tag
Sipura / Linksys SPA: [a-fA-F0-9]{16}i0
Cisco VoIP Gateway: [a-fA-F0-9]{6,8}-[a-fA-F0-9]{2,4}
AVM FRITZ!Box: [a-fA-F0-9]{16,29}

Order of headers
SIP/2.0 200 OK
Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9
From: "hello" ;tag=d90a4f2313c4cc438e14
To: "hello" ;tag=as00ea0c68
Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
CSeq: 1 OPTIONS
User-Agent: xxx voicemail
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact:
Accept: application/sdp
Content-Length: 0

Order of headers
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061
From: "hello" ;tag=d90a4f8a13c4d8bf89f5
To: "hello" ;tag=as263e3393
Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
CSeq: 1 OPTIONS
User-Agent: xxx asterisk
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Accept: application/sdp
Content-Length: 0

Order of headers (side-by-side slide): the 200 OK above, from "sipgate voicemail", next to the 404 Not Found above, from "sipbox asterisk". The header sequences diverge after Allow: the voicemail reply carries Contact, the Asterisk reply carries Supported: replaces.

Order of headers
The 200 OK above, next to a 401 Unauthorized to a REGISTER (values cut off on the slide are left as they appear); note CSeq before Call-ID in the 401:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-
From: "hello" ;tag=d90
To: "hello" ;tag=cfbe3
Cseq: 1 REGISTER
Call-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
WWW-Authenticate: Digest realm="sipgate.at",
Content-Length: 0

Case for header names
Same pair of responses: the 200 OK spells its headers CSeq and Call-ID, the 401 spells them Cseq and Call-id.

Fingerprinting
• Just one packet needed
• To tag
• Headers
• Community effort

Community effort
• SIPVicious 0.2.3
• Included svlearnfp.py
• Generated regular expressions for to tags
• Generated hashes describing headers
• SIPVicious 2.0 ...
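An added example, not SIPVicious code, in the spirit of the To-tag table and the header-order and header-case slides: given one SIP response, it extracts the To tag, matches it against the regular expressions printed on the slide, and digests the header names in wire order and case, so a rewritten User-Agent (the "Give away" slide, where the tag as05610bff still has Asterisk's shape) does not change the verdict. The Asterisk tag pattern and the SHA-256 over header names are assumptions of this example, not the svlearnfp.py format.

```python
import hashlib
import re

# To-tag patterns as printed on the "Fingerprinting To Tag" slide; the
# Asterisk entry is an assumption added here (tags such as as05610bff).
TO_TAG_PATTERNS = (
    ("Sipura / Linksys SPA", re.compile(r"[a-fA-F0-9]{16}i0")),
    ("Cisco VoIP Gateway", re.compile(r"[a-fA-F0-9]{6,8}-[a-fA-F0-9]{2,4}")),
    ("AVM FRITZ!Box", re.compile(r"[a-fA-F0-9]{16,29}")),
    ("Asterisk (assumed)", re.compile(r"as[a-f0-9]{8}")),
)

def parse_headers(msg: str):
    """Return [(name, value), ...] in wire order, keeping the sender's spelling."""
    out = []
    for line in msg.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        out.append((name.strip(), value.strip()))
    return out

def header_value(headers, name):
    """First value of a header, matched case-insensitively; None if absent."""
    return next((v for n, v in headers if n.lower() == name), None)

def to_tag(headers):
    m = re.search(r";tag=([^;\s]+)", header_value(headers, "to") or "")
    return m.group(1) if m else None

def guess_from_tag(tag):
    """Vendor of the first pattern that matches the whole tag, or None."""
    for vendor, pat in TO_TAG_PATTERNS:
        if tag and pat.fullmatch(tag):
            return vendor
    return None

def header_hash(headers):
    """Digest of the header names in wire order and case; a rewritten
    User-Agent value leaves it unchanged (svlearnfp.py used a similar idea)."""
    return hashlib.sha256("|".join(n for n, _ in headers).encode()).hexdigest()[:16]

def fingerprint(msg: str):
    """What one response packet gives you: UA claim, To tag, tag guess, header digest."""
    headers = parse_headers(msg)
    tag = to_tag(headers)
    return {"user_agent": header_value(headers, "user-agent"),
            "to_tag": tag,
            "to_tag_guess": guess_from_tag(tag),
            "header_hash": header_hash(headers)}
```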

Interesting facts
• Random scans work pretty well
• ADSL etc: FRITZ!Box, Speedtouch
• Asterisk
• Cisco Gateways

demo

Introducing REGISTER
• Binds an extension to an IP and port
• Normally requires authentication
• If no password is set it binds without auth

More interesting facts
• The REGISTER scan
• Dangerous
• Useful for cheap honeypots :-)

Enumeration of extensions
• Response to a REGISTER for non-existent extension
• A different response indicates that the extension exists
• If the extension has no password it sends a 200 OK
• Otherwise asks for authentication

Enumeration of extensions (diagram): the scanner sends REGISTER 100, REGISTER 101 and REGISTER 102 to the Asterisk box (*); the replies shown, in the same order, are 404 Not found, 200 OK and 401 Auth required.
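An added example, not the talk's own honeypot code, for the "Honeypot" and "cheap honeypots" slides: a minimal SIP registrar decoy in Python. build_reply() answers every OPTIONS and REGISTER with the same 200 OK whatever the extension, so the 404/200/401 split that the enumeration slide relies on is absent, and serve() logs the source, method and User-Agent of every probe. The bind address, port, log format and the fixed tag value "honeypot" are assumptions.

```python
import logging
import socket

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
# Headers copied from the request into the reply, as a real registrar does.
ECHO = (("Via", "via"), ("From", "from"), ("To", "to"), ("Call-ID", "call-id"), ("CSeq", "cseq"))

def parse_request(data: bytes):
    """Split a SIP request into (method, {lower-case header name: value})."""
    lines = data.decode("utf-8", errors="replace").replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, headers

def build_reply(data: bytes, status: str = "200 OK") -> bytes:
    """Answer an OPTIONS or REGISTER probe with one fixed status: every
    extension gets the same reply, so the 404/200/401 split that lets a
    REGISTER scan tell real extensions from missing ones is absent."""
    method, headers = parse_request(data)
    if method not in ("OPTIONS", "REGISTER"):
        return b""
    to = headers.get("to", "")
    if ";tag=" not in to:
        to += ";tag=honeypot"  # constructed value; a real registrar uses a random tag
    lines = ["SIP/2.0 " + status]
    for wire_name, key in ECHO:
        if key in headers:
            lines.append("%s: %s" % (wire_name, to if key == "to" else headers[key]))
    lines.append("Content-Length: 0")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def serve(bind="0.0.0.0", port=5060):
    """Log every probe (source, method, User-Agent) and answer it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(4096)
        method, headers = parse_request(data)
        logging.info("%s:%d %s ua=%s", peer[0], peer[1], method, headers.get("user-agent", "-"))
        reply = build_reply(data)
        if reply:
            sock.sendto(reply, peer)

if __name__ == "__main__":
    serve()  # assumed deployment: a decoy host, never a production PBX
```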

demo

DDoS using IAX2? (animated diagram)
A REGREQ from the attacker }:-) is answered by the Asterisk box (*) with an ACK and then REGREJ, REGREJ, REGREJ: several replies for one request, and on the later frames they arrive at a third party (:-/, then :-o) rather than at the sender. The last frames show a row of Asterisk boxes (*********) all replying to the same victim (:’-().

SIP Digest Auth
• REGISTER usually gets a 401 Unauthorized
• INVITE gets a 407 Proxy Authentication
• Challenge response mechanism
• Takes various properties + password
• Nonce, Method, URI

Digest Leak (diagram): the phone is sent an INVITE and answers 200 OK; when the phone later sends BYE it is answered with a 407 challenge, which the phone answers with a digest response computed from its password.

demo

Vulnerable endpoints
• X-lite
• Gizmo5
• Zoiper
• Cisco 7940
• Grandstream GXP*
• Patton Smartlink
• Linksys SPA942
• Fritzbox

But ...
• There are no SIP phones on the ‘net!
• There are ;-)
• The ‘net is full of Fritzbox
• Internal endpoints behind NAT

More at...
• EnableSecurity.com/research
• Sipvicious.org
• VOIPSA.org

Shoutouts!
• Sjur at usken.no
• dudes from .mt =)

Q&A
sandro@enablesecurity.com