Scanning the Intertubes for VOIP - Proidea

ENABLESECURITY 

Scanning the Intertubes for VOIP 

Telephony exposed on the ‘net 

Condence 2009


whoami 

• EnableSecurity 

• 9 years old 

• SIPVicious and VOIPPACK (for CANVAS) 

• Surfjack, Extended HTML Form attack 

Condence 2009


next few minutes 

• Brief intro to how VoIP is being abused 

• Scanning for VoIP systems 

• How to fingerprint VoIP systems 

• Possibilities for abuse 

Condence 2009


• SIP 

• IAX2 

• H.323 

• SCCP 

VoIP Scanning 

Condence 2009


A primer on SIP 

• Text based just like HTTP 

• UDP port 5060 

• INVITE gets things to buzz and ring 

• REGISTER sends phone calls your way 

• OPTIONS gives you supported options 

Condence 2009


A primer on IAX2 

• Binary protocol running on port 4569 

• POKE is like ping 

• PONG is like er.. pong 

• REGREQ is like REGISTER 

• REGREJ stands for registration rejected 

Condence 2009


VoIP and Cybercrime 

• Scans for SIP are on the rise 

• News of fraud 

• What is happening in the background? 

• What tools are they using? 

Condence 2009


Scans 

OPTIONS sip:2658@195.159.X.X SIP/2.0 

Via: SIP/2.0/UDP 0.0.0.0:1498;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rport 

Max-Forwards: 70 

To: 

From: ;tag=723535DC-E71F-E3D4-D572-2B41E58782E8 

Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190F 

CSeq: 1 OPTIONS 

Contact: 

Accept: application/sdp 

Content-Length: 0 

Condence 2009


Honeypot 

• Some python code put together 

• Replies to requests and acts like a registrar 

Condence 2009


demo 

Condence 2009


SIP Scanning 

• OPTIONS is ideal for this 

• REGISTER adds value :-) 

• Tell between a registrar and an endpoint 

Condence 2009


scanner 

OPTIONS scan 

OPTIONS 

200 OK 

SIP 

Registrar 

Condence 2009


Condence 2009


scanner 

Scanning IAX2 

POKE 

PONG 

Asterisk 

Box 

Condence 2009


Condence 2009


Headers of interest 

SIP/2.0 404 Not found 

Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 

From: "test" ;tag=d5a5bd3213c46cdd060c 

To: "test" ;tag=as05610bff 

Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d 

CSeq: 1 REGISTER 

User-Agent: Asterisk PBX 

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY 


Condence 2009


Modified User-agent 







User-Agent: MyVeryOwn PBX 



Condence 2009


Give away 










Condence 2009


Give away 










Condence 2009


Fingerprinting To Tag 

Sipura / Linksys SPA [a-fA-F0-9]{16}i0 

Cisco VoIP Gateway 

[a-fA-F0-9]{6,8}-[a-fA- 

F0-9]{2,4} 

AVM FRITZ!Box [a-fA-F0-9]{16,29} 

Condence 2009


Order of headers 

SIP/2.0 200 OK 

Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9 

From: "hello" ;tag=d90a4f2313c4cc438e14 

To: "hello" ;tag=as00ea0c68 

Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663 


User-Agent: xxx voicemail 


Contact: 



Condence 2009



SIP/2.0 404 Not Found 


From: "hello" ;tag=d90a4f8a13c4d8bf89f5 

To: "hello" ;tag=as263e3393 

Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663 


User-Agent: xxx asterisk 


Supported: replaces 



Condence 2009



SIP/2.0 200 OK 

SIP/2.0 404 Not Found 


Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK- 


From: "hello" ;tag=d9 

To: "hello" ;tag=as00ea0c68To: 

"hello" ;tag=as26 

Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663 Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663 



User-Agent: sipgate voicemail 

User-Agent: sipbox asterisk 

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, Allow: INVITE, NOTIFY ACK, CANCEL, OPTIONS, BYE, REF 

Contact: 

Supported: replaces 





Condence 2009



SIP/2.0 200 OK 

SIP/2.0 401 Unauthorized 






"hello" ;tag=cfbe3 

Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663 Cseq: 1 REGISTER 


Call-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663 


WWW-Authenticate: Digest realm="sipgate.at", 

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, Content-Length: NOTIFY0 

Contact: 



Condence 2009


Case for header names 

SIP/2.0 200 OK 

SIP/2.0 401 Unauthorized 






"hello" ;tag=cfbe3 

Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663 Cseq: 1 REGISTER 


Call-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663 


WWW-Authenticate: Digest realm="sipgate.at", 

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, Content-Length: NOTIFY0 

Contact: 



Condence 2009


Fingerprinting 

• Just one packet needed 

• To tag 

• Headers 

• Community effort 

Condence 2009


Community effort 

• SIPVicious 0.2.3 

• Included svlearnfp.py 

• Generated regular expressions for to tags 

• Generated hashes describing headers 

• SIPVicious 2.0 ... 

Condence 2009


Interesting facts 

• Random scans work pretty well 

• ADSL etc FRITZ!Box, Speedtouch 

• Asterisk 

• Cisco Gateways 

Condence 2009


demo 

Condence 2009


Introducing REGISTER 

• Binds an extension to an IP and port 

• Normally requires authentication 

• If no password is set it binds without auth 

Condence 2009


More interesting facts 

• The REGISTER scan 

• Dangerous 

• Useful for cheap honeypots :-) 

Condence 2009


Enumeration of 

extensions 

• Response to a REGISTER for non-existent 

extension 

• A different response indicates that the 

extension exists 

• If the extension has no password it sends a 

200 OK 

• Otherwise asks for authentication 

Condence 2009


REGISTER 100 

REGISTER 101 

REGISTER 102 

* 

Condence 2009


404 Not found 

200 OK 

401 Auth required 

* 

Condence 2009


demo 

Condence 2009


DDoS using IAX2? 

:-) 

REGREQ 

ACK 

ACK 

REGREJ 

* 

Condence 2009



}:-) 

REGREQ 

ACK 

REGREJ 

* 

Condence 2009



}:-) 

REGREQ 

ACK 

REGREJ 

REGREJ 

* 

Condence 2009



}:-) 

REGREQ 

ACK 

REGREJ 

REGREJ 

REGREJ 

* 

Condence 2009



}:-) 

:-/ 

REGREQ 

ACK 

REGREJ 

REGREJ 

REGREJ 

* 

Condence 2009



:-o 

}:-) 

********* 

Condence 2009



:’-( 

}:-) 

* ******** 

Condence 2009


Condence 2009


SIP Digest Auth 

• REGISTER usually gets a 401 Unauthorized 

• INVITE gets a 407 Proxy Authentication 

• Challenge response mechanism 

• Takes various properties + password 

• Nonce, Method, URI 

Condence 2009


Digest Leak 

INVITE 

200 OK 

Condence 2009


Digest Leak 

BYE 

407 

Challenge 

Condence 2009


demo 

Condence 2009


Vulnerable endpoints 

• X-lite 

• Gizmo5 

• Zoiper 

Condence 2009


Vulnerable endpoints 

• Cisco 7940 

• Grandstream GXP* 

• Patton Smartlink 

• Linksys SPA942 

• Fritzbox 

Condence 2009


But ... 

• There’s no SIP Phones on the ‘net! 

• There are ;-) 

• The ‘net is full of Fritzbox 

• Internal endpoints behind NAT 

Condence 2009


More at.. 

• EnableSecurity.com/research 

• Sipvicious.org 

• VOIPSA.org 

Condence 2009


• Sjur at usken.no 

• dudes from .mt =) 

Shoutouts! 

Condence 2009


Q.A 

Condence 2009


sandro@enablesecurity.com 

Condence 2009

Scanning the Intertubes for VOIP - Proidea

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?