Scanning The Intertubes For Voip

Con!dence 2009

ENABLESECURITY

Scanning the Intertubes for VOIPTelephony exposed on the ‘net

Con!dence 2009

ENABLESECURITY

whoami

• EnableSecurity

• 9 years old

• SIPVicious and VOIPPACK (for CANVAS)

• Surfjack, Extended HTML Form attack

Con!dence 2009

ENABLESECURITY

next few minutes

• Brief intro to how VoIP is being abused

• Scanning for VoIP systems

• How to fingerprint VoIP systems

• Possibilities for abuse

Con!dence 2009

ENABLESECURITY

VoIP Scanning

• SIP

• IAX2

• H.323

• SCCP

Con!dence 2009

ENABLESECURITY

A primer on SIP

• Text based just like HTTP

• UDP port 5060

• INVITE gets things to buzz and ring

• REGISTER sends phone calls your way

• OPTIONS gives you supported options

Con!dence 2009

ENABLESECURITY

A primer on IAX2

• Binary protocol running on port 4569

• POKE is like ping

• PONG is like er.. pong

• REGREQ is like REGISTER

• REGREJ stands for registration rejected

Con!dence 2009

ENABLESECURITY

VoIP and Cybercrime

• Scans for SIP are on the rise

• News of fraud

• What is happening in the background?

• What tools are they using?

Con!dence 2009

ENABLESECURITY

Scans

OPTIONS sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 0.0.0.0:1498;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rportMax-Forwards: 70To: <sip:[email protected]>From: <sip:[email protected]>;tag=723535DC-E71F-E3D4-D572-2B41E58782E8Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190FCSeq: 1 OPTIONSContact: <sip:@0.0.0.0:1498;transport=udp>Accept: application/sdpContent-Length: 0

mailto:[email protected]






Con!dence 2009

ENABLESECURITY

Honeypot

• Some python code put together

• Replies to requests and acts like a registrar

Con!dence 2009

ENABLESECURITY

demo

Con!dence 2009

ENABLESECURITY

SIP Scanning

• OPTIONS is ideal for this

• REGISTER adds value :-)

• Tell between a registrar and an endpoint

Con!dence 2009

ENABLESECURITY

OPTIONS scan

scannerSIP

Registrar

OPTIONS

200 OK

Con!dence 2009

ENABLESECURITY

Con!dence 2009

ENABLESECURITY

Scanning IAX2

scannerAsterisk

Box

POKE

PONG

Con!dence 2009

ENABLESECURITY

Con!dence 2009

ENABLESECURITY

Headers of interest

SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: Asterisk PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0

Con!dence 2009

ENABLESECURITY

Modified User-agent

SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: MyVeryOwn PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0

Con!dence 2009

ENABLESECURITY

Give away




Con!dence 2009

ENABLESECURITY

Give away




Con!dence 2009

ENABLESECURITY

Fingerprinting To Tag

Sipura / Linksys SPA [a-fA-F0-9]{16}i0

Cisco VoIP Gateway [a-fA-F0-9]{6,8}-[a-fA-F0-9]{2,4}

AVM FRITZ!Box [a-fA-F0-9]{16,29}

Con!dence 2009

ENABLESECURITY

Order of headers

SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: xxx voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0



Con!dence 2009

ENABLESECURITY

SIP/2.0 404 Not FoundVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f8a13c4d8bf89f5To: "hello" <sip:[email protected]:5060>;tag=as263e3393Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: xxx asteriskAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replacesAccept: application/sdpContent-Length: 0

Order of headers

Con!dence 2009

ENABLESECURITY

Order of headers

SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipgate voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0

SIP/2.0 404 Not FoundVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f8a13c4d8bf89f5To: "hello" <sip:[email protected]:5060>;tag=as263e3393Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipbox asteriskAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replacesAccept: application/sdpContent-Length: 0









Con!dence 2009

ENABLESECURITY

Order of headers


SIP/2.0 401 UnauthorizedVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-57276;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f2813c40c17866cTo: "hello" <sip:[email protected]:5060>;tag=cfbe3ffc7182a98821d890d5d753dab6.dd37Cseq: 1 REGISTERCall-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663WWW-Authenticate: Digest realm="sipgate.at", nonce=" "Content-Length: 0









Con!dence 2009

ENABLESECURITY

Case for header names


SIP/2.0 401 UnauthorizedVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-57276;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f2813c40c17866cTo: "hello" <sip:[email protected]:5060>;tag=cfbe3ffc7182a98821d890d5d753dab6.dd37Cseq: 1 REGISTERCall-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663WWW-Authenticate: Digest realm="sipgate.at", nonce=" "Content-Length: 0









Con!dence 2009

ENABLESECURITY

Fingerprinting

• Just one packet needed

• To tag

• Headers

• Community effort

Con!dence 2009

ENABLESECURITY

Community effort

• SIPVicious 0.2.3

• Included svlearnfp.py

• Generated regular expressions for to tags

• Generated hashes describing headers

• SIPVicious 2.0 ...

Con!dence 2009

ENABLESECURITY

Interesting facts

• Random scans work pretty well

• ADSL etc FRITZ!Box, Speedtouch

• Asterisk

• Cisco Gateways

Con!dence 2009

ENABLESECURITY

demo

Con!dence 2009

ENABLESECURITY

Introducing REGISTER

• Binds an extension to an IP and port

• Normally requires authentication

• If no password is set it binds without auth

Con!dence 2009

ENABLESECURITY

More interesting facts

• The REGISTER scan

• Dangerous

• Useful for cheap honeypots :-)

Con!dence 2009

ENABLESECURITY

Enumeration of extensions

• Response to a REGISTER for non-existent extension

• A different response indicates that the extension exists

• If the extension has no password it sends a 200 OK

• Otherwise asks for authentication

Con!dence 2009

ENABLESECURITY

*REGISTER 100

REGISTER 101

REGISTER 102

Con!dence 2009

ENABLESECURITY

*404 Not found

200 OK

401 Auth required

Con!dence 2009

ENABLESECURITY

demo

Con!dence 2009

ENABLESECURITY

DDoS using IAX2?

:-) *ACK

ACKREGREJ

REGREQ

Con!dence 2009

ENABLESECURITY

DDoS using IAX2?

}:-) *ACK

REGREJ

REGREQ

Con!dence 2009

ENABLESECURITY

DDoS using IAX2?

}:-) *ACK

REGREJREGREJ

REGREQ

Con!dence 2009

ENABLESECURITY

DDoS using IAX2?

}:-) *REGREQ

ACK

REGREJREGREJ

REGREJ

Con!dence 2009

ENABLESECURITY

DDoS using IAX2?}:-)

*

REGREQ

ACK

REGREJREGREJ

REGREJ

:-/

Con!dence 2009

ENABLESECURITY

DDoS using IAX2?

}:-)

*********:-o

Con!dence 2009

ENABLESECURITY

DDoS using IAX2?

}:-)

*:’-(

********

Con!dence 2009

ENABLESECURITY

Con!dence 2009

ENABLESECURITY

SIP Digest Auth

• REGISTER usually gets a 401 Unauthorized

• INVITE gets a 407 Proxy Authentication

• Challenge response mechanism

• Takes various properties + password

• Nonce, Method, URI

Con!dence 2009

ENABLESECURITY

Digest Leak

INVITE

200 OK

Con!dence 2009

ENABLESECURITY

Digest Leak

BYE

407 Challenge

Con!dence 2009

ENABLESECURITY

demo

Con!dence 2009

ENABLESECURITY

Vulnerable endpoints

• X-lite

• Gizmo5

• Zoiper

Con!dence 2009

ENABLESECURITY

Vulnerable endpoints

• Cisco 7940

• Grandstream GXP*

• Patton Smartlink

• Linksys SPA942

• Fritzbox

Con!dence 2009

ENABLESECURITY

But ...

• There’s no SIP Phones on the ‘net!

• There are ;-)

• The ‘net is full of Fritzbox

• Internal endpoints behind NAT

Con!dence 2009

ENABLESECURITY

More at..

• EnableSecurity.com/research

• Sipvicious.org

• VOIPSA.org

Con!dence 2009

ENABLESECURITY

Shoutouts!

• Sjur at usken.no

• dudes from .mt =)

Con!dence 2009

ENABLESECURITY

Q.A

Con!dence 2009

ENABLESECURITY

[email protected]

Scanning The Intertubes For Voip

Documents

test tag

register useragent

register regrej

ring register

2e6a05421e7d cseq

myveryown pbx

way options

http udp port