Monday, December 31, 2007

24c3 quick roundup

Originally posted on geekbazaar.
  • Lightning talks - consisting of 5 minute talks. The one that I liked best was regarding Mac OS X widgets. The idea is that since these widgets have access to the system() function and make use of Web 2.0 stuff most of the time, a simple injection (JSON injection / Cross site scripting) has further implications compared to normal web applications. This means that such flaws can easily give remote system access. The speaker (Thomas Roessler) then showed a gmail widget that was vulnerable to such an attack. It would be interesting to find out if such vulnerabilities can also be present in the iPhone.
  • Just in Time compilers - breaking a VM. Interesting mostly because it shows what can be done with Just in time compilers and that includes not just Java but also other stuff like javascript and actionscript.
  • Modelling Infectious Diseases in Virtual Realities - a scientific talk which shows how a disease in a virtual reality, in this case it is WoW (world of warcraft) can be used to further understand modelling of infections and recovery. The speaker also gave ideas on how this knowledge can be used to efficiently contain an infection and also suggestions to Blizzard to reintroduce infections in WoW.
  • Toying with barcodes - just watched this one. Excellent stuff. The talk was very flowing and had a good sense of humor injected as well. The speaker (FX) showed how security is really underestimated in the technology that is probably most used to track physical objects - barcodes. He picked on postal services, automated dvd rental systems, newspapers showing 2d barcodes, and a few other examples.
  • "Building a hacker space" - some of the original ccc founders gave their ideas on what to do and what not to do if you want to start a hacker group. Stuff like providing the guests with ample caffeinated drinks .. fun and quite motivational I guess.
  • Making cool things with microcontrollers - where the speaker (Mitch) kept referring to his sexiest toy.. mind bending, hallucination inducing spectacles. Worth a watch.
  • Port scanning improved presents a very reasonable scenario where Phenoelit needed to build a faster port scanner which does nothing else but scan. Faster than nmap - in fact the talk was full of comparisons with nmap and showed how the authors of the tool went around congestion control.
  • DIY Survival by Bre of make magazine was totally hilarious. Gives a few excuses to add to the growing number of gadgets in the store room.
  • Crouching Powerpoint, Hidden Trojan: I didn't manage to get there from the start, but this talk details the findings of one researcher. Technically, nothing new came out of it really but it's always good to hear of unique accounts or experiences in the field of targeted attacks.
  • Not exactly a talk .. but the Phenoelit party was pretty kewl. Very geekfriendly ;-)

Friday, December 28, 2007

24c3 photos

Quick note: put up some photos from the first day @ 24c3 on my flickr account.




Wednesday, December 19, 2007

Whats brewing on the SIPVicious front

Been quiet for a while, but that does not mean that I've been resting. Instead I've been looking into fingerprinting SIP devices and not relying on the User-agent header to identify a SIP network element's name.

This means that SIPVicious tools will soon be able to guess the name of the device. What's important is that the tools will be able to do this without sacrificing speed and efficiency. Expect more news on this.

Other than that, I'm looking at how to integrate the dns stuff with svmap - things like the SRV records and ENUM.

And.. last but not least.. I've been working on an article for Hakin9 magazine which explains a lot of behind the scenes when it comes to how SIPVicious tool suite works.

Tuesday, December 11, 2007

Password policies for PBX servers

Password policies form an important part of computer security. Unfortunately a large number of VoIP PBX servers do not apply any policies when it comes to authentication. Because of the lack of such security mechanisms, bruteforce attacks are a viable way to attack PBX servers. Svcrack, which is part of the SIPVicious tool suite, demonstrates this.

Of course, vendors and developers should be cautious when implementing features that can cause a denial of service. For example, the Account Lockout policy (available in Microsoft's AD and other systems) allows anyone to deny service to another user. This is not such a good idea especially in the case of something as "real time" as the phone service.

On the other hand, throttling or slowing down authentication might be a solution to limit the chance of attackers guessing the password in a reasonable time. Password complexity should also be enforced to hinder brute-force and dictionary attacks.
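
One way to slow down authentication without the denial of service that account lockout brings, as an added example (not code from this blog or from any PBX): the penalty is keyed on source address plus extension, so a guessing source is delayed while the extension's owner can still register from elsewhere. The class names, parameters and addresses are hypothetical, and the simulation uses the rate of 80 attempts per second mentioned in the svcrack post.

```python
import time


class AuthThrottle:
    """Exponential back-off for failed SIP authentication attempts.

    State is keyed on (source IP, extension) rather than on the extension
    alone, so one noisy source cannot lock the extension's owner out the
    way an account-lockout policy would.
    """

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=300.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures tolerated with no delay
        self.base_delay = base_delay        # first penalty, in seconds
        self.max_delay = max_delay          # cap so the delay stays bounded
        self.clock = clock
        self._state = {}                    # key -> (failures, not_before)

    def allowed(self, source_ip, extension):
        """True if this source may attempt authentication right now."""
        _, not_before = self._state.get((source_ip, extension), (0, 0.0))
        return self.clock() >= not_before

    def record_failure(self, source_ip, extension):
        """Count a failed attempt and return the delay now imposed."""
        key = (source_ip, extension)
        failures = self._state.get(key, (0, 0.0))[0] + 1
        delay = 0.0
        if failures > self.free_attempts:
            # Bound the exponent so a long-running counter cannot overflow.
            exponent = min(failures - self.free_attempts - 1, 32)
            delay = min(self.max_delay, self.base_delay * 2 ** exponent)
        self._state[key] = (failures, self.clock() + delay)
        return delay

    def record_success(self, source_ip, extension):
        """A correct password clears the penalty for that source."""
        self._state.pop((source_ip, extension), None)


class FakeClock:
    """Manually advanced clock so the simulation needs no real waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def guesses_evaluated(duration_s, rate_per_s, throttle, clock,
                      source_ip="203.0.113.5", extension="100"):
    """Count the wrong guesses the registrar actually checks when one source
    sends rate_per_s attempts per second for duration_s seconds.
    The source address and extension are constructed sample values."""
    evaluated = 0
    for i in range(int(duration_s * rate_per_s)):
        clock.now = i / rate_per_s
        if throttle.allowed(source_ip, extension):
            evaluated += 1
            throttle.record_failure(source_ip, extension)
    return evaluated


if __name__ == "__main__":
    clock = FakeClock()
    throttle = AuthThrottle(clock=clock)
    # One hour at 80 attempts/second is 288,000 attempts sent.
    print("guesses checked in one hour:",
          guesses_evaluated(3600, 80, throttle, clock))
    print("same extension, other source still allowed:",
          throttle.allowed("192.0.2.10", "100"))
```
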

Thursday, November 29, 2007

introduction to svcrack

The purpose of svcrack is very straightforward. This tool will launch a password guessing attack against extensions on the SIP registrar. Attackers will be after your SIP passwords because such knowledge allows them to:
  • Get free long distance calls
  • Hijack and spoof phone calls
  • Eat your spaghetti
The most obvious and damaging problem is toll fraud. Traditionally phone phreaks enjoyed free calls by abusing security flaws within the phone company's system as well as private companies' PABXs. By gaining access to an extension line which can make international calls, an attacker will be able to run large bills on the victim's account. On the other hand, the social engineering aspect should not be underestimated. Social engineering can be a very effective and reliable method that allows hackers to pull off some of the most interesting (sometimes amusing) attacks ever. From ordering free pizza as someone else, to hijacking the help desk's number and then asking for users' passwords, such attacks rely on human nature and can probably never be totally prevented.

This is how svcrack works:
  1. It starts sending REGISTER requests to register a specific extension line
  2. In the mean time the SIP server starts responding back asking for authentication.
  3. The response also contains a nonce, which is a unique number or bit string that should only be used once. This nonce is used as the challenge in the challenge-response mechanism.
  4. Svcrack uses the nonce and other properties to compute the challenge response then sends that back to the server

Svcrack will repeat the above procedure until the password gets cracked and an OK message is received, or until there are no more passwords to try.

During testing, we were able to run speeds up to 80 passwords per second - that is 6,912,000 passwords a day. These numbers are dependent on the SIP registrar and of course, on a real network, latency and other factors will seriously affect these results. Some registrars allow the attacker to reuse the nonce. This makes the registrar servers vulnerable to replay attacks. This feature is also useful during password cracking, since it can make the process faster. In fact, svcrack has an option which allows auditors to exploit this feature and possibly achieve faster speed.
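
The challenge-response steps above seen from the registrar's side, as an added example (not svcrack code and not any vendor's implementation): it shows why a registrar that accepts a reused nonce is open to replay, and how consuming each nonce on first use closes that. The Registrar class, realm, extension and password are hypothetical, constructed values; the digest is the RFC 2617 form without qop.

```python
import hashlib
import hmac
import secrets
import time


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Toy registrar that only makes the REGISTER authentication decision."""

    def __init__(self, realm, passwords, single_use=True, nonce_ttl=30.0,
                 clock=time.monotonic):
        self.realm = realm
        self.passwords = passwords    # extension -> password (constructed)
        self.single_use = single_use  # False models the nonce-reuse weakness
        self.nonce_ttl = nonce_ttl    # seconds a nonce stays acceptable
        self.clock = clock
        self._nonces = {}             # nonce -> expiry time

    def challenge(self):
        """Steps 2 and 3: the 401 response carries a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = self.clock() + self.nonce_ttl
        return nonce

    def register(self, username, uri, nonce, response):
        """Step 4 as the server sees it: return 200 (OK) or 401."""
        expiry = self._nonces.get(nonce)
        if expiry is None:
            return 401                # never issued, or already consumed
        if self.single_use:
            del self._nonces[nonce]   # consumed whatever the outcome
        if self.clock() > expiry:
            self._nonces.pop(nonce, None)
            return 401                # stale nonce
        password = self.passwords.get(username)
        if password is None:
            return 401
        expected = digest_response(username, self.realm, password,
                                   "REGISTER", uri, nonce)
        ok = hmac.compare_digest(expected.encode(), response.encode())
        return 200 if ok else 401


def replay_outcome(single_use):
    """Register once with the right password, then resend the same message."""
    reg = Registrar("pbx.example", {"100": "constructed-secret"},
                    single_use=single_use)
    uri = "sip:pbx.example"
    nonce = reg.challenge()
    response = digest_response("100", reg.realm, "constructed-secret",
                               "REGISTER", uri, nonce)
    first = reg.register("100", uri, nonce, response)
    replayed = reg.register("100", uri, nonce, response)
    return first, replayed


if __name__ == "__main__":
    print("nonce reuse allowed:", replay_outcome(single_use=False))
    print("single-use nonces  :", replay_outcome(single_use=True))
```

With single-use nonces every guess also costs the client a fresh challenge round trip, which removes the speed-up that nonce reuse gives a password-guessing run.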

Saturday, November 24, 2007

SIPtap and tapping phone calls

"Called SIPtap, the software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files." - PC World

Unlike what others may say, this is not exactly the latest threat. When traffic is not encrypted, it can be recorded by anyone in between and later on replayed; and that includes VoIP. In fact several tools have been available for a while which are able to do the same thing that SIPtap (which is not publicly available for download) does. Examples:
Anyways, what the author of the tool does well is deliver the message (and market himself). He explains the threat quite well on his youtube video in a way that is probably reachable to people who are more .. technically challenged.



Found a similar post to mine at Mr. Blog

Wednesday, November 21, 2007

its the end of the world as we know it

Here are some apocalyptic scenarios related to VoIP and SIP:
Not exactly positive reports on VoIP - what they're effectively saying is that VoIP's increase in the phone market is a ticking bomb that will have great repercussions from a security point of view.

But IMHO, one thing's for sure - with big vendors like Microsoft entering the market .. VoIP is here to stay.

Tuesday, November 20, 2007

introduction to svmap

Svmap is a network scanner for SIP. Similar to nmap - it will scan for devices on ports specified by passing the right command line options. Once svmap finds a device that supports SIP, it will extract information from the response and identify the type of device. Anyone running this tool will typically end up with a list of IP addresses of SIP devices and the names for those devices.

A penetration tester or security auditor will probably find this tool particularly useful especially during reconnaissance. With the IP address, device name and possibly version at hand, he or she can then target security weaknesses specific to that device. A security administrator or security analyst can also make use of svmap to list different active SIP user-agents on the network. Based on this information, the security administrator then has the ability to identify rogue and vulnerable devices which can cause a security concern.

Svmap is able to scan for SIP devices much faster than generic UDP port scanners. Typical port scanners such as nmap, scan UDP ports by sending a packet to each port and expecting an ICMP packet which indicates that the port is closed. If no ICMP error is received within a reasonable time, the port scanner assumes that the port is either open or else filtered. While this method has worked for years, it can never be considered efficient or neat, (at least) because of two reasons:
  • The majority of UDP ports are closed - therefore having to wait for each ICMP error to confirm that the port is closed is not a good idea
  • Nowadays a lot of devices are behind firewalls or NAT and will never reply with an ICMP error
Svmap works by sending a UDP packet containing a SIP request to a range of specified IP addresses, and listing those that send back a valid SIP response. Since UDP is a connectionless protocol, this method can be relatively fast. For example, during testing we were able to identify around 200 SIP devices on one particular network, out of a scan of IP addresses in less than 3 minutes. On the other hand when we scanned the same network with nmap version 4.20 (default options for a -sU scan on port 5060), it took longer than 20 minutes at which point we stopped the scan.

For examples on how to use svmap check out the wiki.
Download the whole SIPVicious tool suite from the project page.

Wednesday, November 7, 2007

SIPVicious version 0.2.1 released

Go get it from the usual place.

This is mostly a bug fix release but we still managed to squeeze in some minor features:
  • Session state is now saved
  • svmap supports sending INVITE to particular extensions
If you're on a system with subversion installed, you can simply run "svn update" to receive the latest version. Check out the Changelog to see what changed.

Monday, November 5, 2007

re-INVITE and authentication

The Madynes research team have published details of a way to steal the Digest Authentication response and be able to perform a relay attack.

This is the post on the Voipsa mailing list.

They published the info in a presentation / slideshow form.

Saturday, November 3, 2007

SIPVicious 0.2.1 public beta

Just wanted to let you know that v0.2.1 is public beta (meaning that it will be released soon). Go for it (and submit a bug report if you get any bad feelings) ;-)

Changelog:
v0.2.1 (maintenance)
General:
  • Feature: updated the report function to include more information about the system. Python version and operating system is now included in the bug report. option now supports optional feedback.
  • Feature: Store information about the state of a session. Sessions can be complete or incomplete, so that you can resume incomplete sessions but not complete ones.
  • Bug fix: Added a check to make sure that the python version is supported. Anything less than version 2.4 is not supported
  • Bug fix: IP in the SIP msg was being set to localhost when not explicitly set. This is not correct behavior and was fixed. As a result of this behavior some devices, such as Grandstream BT100 were not being detected. Thanks to robert&someone from bulgaria for reporting this
  • Bug fix: fixed a bug in the database which was reported anonymously via the --reportback / -R option. Thanks whoever reported that. Bug concerns the dbm which does not support certain methods supported by other database modules referenced by anydbm. Reproduced on FreeBSD. Thanks to Anthony Williams for help identifying this
  • Bug fix: Ranges of extensions in svwar could not take long numeric extensions (xrange does not support long / large numbers). Thanks to Joern for reporting this
  • Bug fix: svwar was truncating extension names containing certain characters. Fixed.
  • Bug fix: when binding to a specific interface, the IP within the SIP message could be incorrect (when there are multiple interfaces). This has been fixed.
  • Cosmetic: Certain PBXs reply with "603 Declined" when svwar finds that the extension does not exist. This creates extra noise. It is now being suppressed.
That's all folks!

Tuesday, October 30, 2007

More on INVITEing phones to ring

This is a follow up on a previous post.

Apart from using a softphone, you can make use of svmap.py (part of SIPVicious tool suite) to reproduce the behavior:
./svmap.py -m INVITE 192.168.1.4 -p5061
Where 192.168.1.4 is the IP of the SIP phone and 5061 is the SIP port of the phone. For a ghost call effect, if you have a network with all SIP phones listening on port 5060, you can just run the following to get them to ring at the same time:
./svmap.py -m INVITE 192.168.1.1/24

Updated list of softphones tested and exhibiting this behavior:
  • WengoPhone **
  • X-lite release 1011b
  • SJPhone 1.65.377a
  • Ekiga 2.0.11 (beta)
  • Yate
  • SIP Communicator
Some VoIP phones (hardware) were also tested and exhibit this behavior as well:
  • GrandStream GXP 2000
  • Grandstream BT100
  • Aastra 480i
  • Aastra 9133i
  • Polycom IP330
  • Cisco CP7940G*
  • Lancom VP 100*
  • Linksys SPA 921*
* Requires a valid extension
** Requires valid extension or no extension

how (not) to get your ex back

Just uploaded a short story showing how an unsolicited user can phone up a victim by knowing (or finding out) the IP and port of the victim's VoIP phone. This story ties in with what we've been discussing in the previous blog post.

You may check out the story here.

Sunday, October 28, 2007

Server impersonation and SIP

Was reading Sipera's latest advisories. The server impersonation advisory caught my eye mostly because we've seen something similar to this over here during testing. We hadn't published this information until now .. so here goes.

A good number of SIP softphones, and we would assume VoIP phones (hardware), will ring upon receiving an INVITE request. Three months ago we worked on 3 stories, two of which describe protagonists abusing this behavior and are still unpublished. I'm working on getting these two stories published soon.

As hinted by the Sipera advisory, this behavior has a few implications; major ones being that it can be abused for spamming and social engineering attacks.

These are the softphones that were found to display this behavior:
  • X-lite release 1011b
  • Ekiga 2.0.11 (beta)
  • SJPhone 1.65.377a
Also quickly tested Gizmo project 3.1.2 and it did not exhibit the same behavior. Did not try to spoof packet source ip etc.

How do you test for this?
Use your favorite SIP phone to call an address like sip:[email protected]:5060, where 192.168.1.1 is the destination IP of the SIP phone. There is no need to spoof IP addresses or anything like that for the above. In the story (that I'll try to publish tomorrow), the attacker makes use of X-lite. If making use of X-lite, select the option "target domain" in the "Send outbound via:" config.

If you have any results please post a comment or send me an email.

Tuesday, October 23, 2007

How to get the job done - a short story

Just published a short story called "How to get the job done". The plot is a scenario showing how SIPVicious tool suite can possibly be used in a corporate environment by a malicious intern. Hope you guys like my shameless self promotion.

Saturday, October 20, 2007

tshirts and mugs!

Mugs and shirts!
Been struggling with spreadshirt for a while to set up a shop to get some shirts with the SIPVicious design, without much luck. So I gave up for now, and went ahead and opened a Cafe Press account. Real easy. Visit the "Goodies for SIPVicious" page.

Thursday, October 18, 2007

Wiki updates

We've updated some pages on the wiki:
  • Usage of svmap and svwar with examples on how to use each option
  • Mentions of sipvicious on various media are now being cataloged
  • A Getting Started document - a step by step how to for newbies and the rest of us ;)
  • The FAQ page has been updated to include a disclaimer like answer to the question: "Why did you publish tools that can be used for illegal purposes?"
  • To do list has been updated with some excellent suggestions from sipvicious users.

Saturday, October 13, 2007

Friday, October 12, 2007

XSS in Linksys SPA941

Cross Site Scripting in an IP Phone? Of course - it has an HTTP interface!

What's more is that the HTTP interface shows a call history. The call history page makes use of information gathered from the SIP messages themselves to display which numbers tried to call the phone.

This post on full-disclosure mailing list shows how this feature can be abused so that malformed SIP messages are able to inject html scripts in the web interface itself.

This is a reminder that when changing from one format or protocol to another, the underlying code needs to make sure that the data is properly escaped. In this case, the HTTP server or underlying scripts need to escape the missed call entries for HTML characters.
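
The escaping point above as an added example (not the phone's firmware and not the code from the full-disclosure post): a call-history page built from the From header of an INVITE, rendered once without escaping and once with it. The INVITE, the addresses and the function names are constructed for illustration.

```python
import html
import re

# Constructed INVITE: the display name in the From header carries markup.
SAMPLE_INVITE = (
    'INVITE sip:100@192.0.2.20 SIP/2.0\r\n'
    'Via: SIP/2.0/UDP 192.0.2.99:5060;branch=z9hG4bK-constructed\r\n'
    'From: "<script>alert(1)</script>" <sip:200@192.0.2.99>;tag=1\r\n'
    'To: <sip:100@192.0.2.20>\r\n'
    'Call-ID: constructed-1\r\n'
    'CSeq: 1 INVITE\r\n'
    'Content-Length: 0\r\n\r\n'
)

# From header (or its compact form "f") with an optional display name,
# either quoted or as a bare token, followed by the URI in angle brackets.
FROM_RE = re.compile(
    r'^(?:From|f)[ \t]*:[ \t]*'
    r'(?:"(?P<quoted>[^"]*)"|(?P<token>[^<"\r\n]*))[ \t]*'
    r'<(?P<uri>[^>\r\n]+)>',
    re.IGNORECASE | re.MULTILINE,
)


def caller_from_invite(message):
    """Return (display_name, uri) exactly as they arrived on the wire."""
    match = FROM_RE.search(message)
    if match is None:
        return ("", "")
    name = match.group("quoted")
    if name is None:
        name = match.group("token").strip()
    return (name, match.group("uri"))


def render_history_unsafe(calls):
    """SIP data dropped straight into HTML: markup in a name becomes
    markup in the page."""
    rows = "".join("<tr><td>%s</td><td>%s</td></tr>" % (name, uri)
                   for name, uri in calls)
    return "<table>%s</table>" % rows


def render_history_safe(calls):
    """Same page, with every SIP-derived value escaped for the HTML context
    at the point where it changes format."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(name, quote=True), html.escape(uri, quote=True))
        for name, uri in calls)
    return "<table>%s</table>" % rows


if __name__ == "__main__":
    history = [caller_from_invite(SAMPLE_INVITE)]
    print(render_history_unsafe(history))
    print(render_history_safe(history))
```

The URI is escaped as well as the display name, since both come from the network and neither is validated by the SIP layer for use in HTML.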

Thursday, October 11, 2007

On reporting bugs and recent bug fixes

Fixed a couple of bugs in the svn version. For more information check out the Changelog file.

To report any crashes (unhandled exceptions) that you may get, you may make use of the -R or --reportback option. This handles sending of the bug report, and if you update to the svn version, allows you to include an optional message and email address.

$ ./svreport somehost.com -R


If the bug is not a crash, you may still contact the author through email, or open an issue.
To update to the latest version, simply run "svn update" in the sipvicious directory if you are on a system with subversion installed (typically Linux or Unix machines).

$ svn update

Monday, October 8, 2007

SIPVicious 0.2 released

After much bug fixing and feature creeping ... we announce SIPVicious tool suite 0.2!

Tarball download
Zip file download

Notable features include:
  • Session support which allows you to resume previous scans as well as store the results in database format
  • Exporting of previous results to various formats: pdf, xml (html), csv and plain text
  • Easy updating by making use of subversion (svn update)
  • Better UI, more intuitive help, clean output and more debug info when needed
  • And my favorite feature: random scanning techniques
I also uploaded a screencast and tutorial on how to use SIPVicious tools to crack an extension on an Asterisk box here. Enjoy

Saturday, October 6, 2007

Ladies and Gentlemen, please welcome

The new SIPVicious logo / mascot.

Wednesday, October 3, 2007

SIPVicious tools 0.1.9 .. aka 0.2 beta

Download Now and give feedback.

If you have svn installed, you can keep updated by running "svn update" in the sipvicious directory. To view the changes, the command is "svn diff".

A list of new features:
  • Session / database support allowing you to resume a scan as well as to store scans which can later be exported
  • A new script called svreport. Allows you to resolve ip addresses of previous scans, export previous scans to different file formats: pdf, xml (supporting html output via xslt), csv and plain text.
  • Random scanning
  • Svmap can scan various formats of IP ranges - CIDR and wildcards supported
  • Output is more clean. Added verbosity levels and quiet mode.
  • Help (--help) actually helps you now
  • Various bug fixes in svmap, svwar and svcrack
Known issues:
  • When scanning behind NAT, you'll end up losing SIP responses from certain devices (eg. Cisco) and therefore get incorrect results. We hope to fix this by including UDP hole punching techniques (STUN anyone?)

Thursday, September 27, 2007

A SIP Introduction

For those not familiar with what SIP looks like and how it behaves, check out this easy read article on Trainsignal training. Of course the article is oversimplified - RFC 3261 is still the place to look for the details.

Wednesday, September 26, 2007

Another interview with Robert Moore

Information Week published an interview with the notorious VoIP hacker who was charged with fraud last year. The main point that came out of the interview is that the password is the weakest link. He mentions two VoIP vendors - Cisco and MERA and how he felt comfortable with breaking into these systems because of default or easily guessable passwords. In a previous interview we learned that he mainly attacked H323 devices rather than SIP boxes, however the attacks that the attacker pulled off are quite similar to what you can do with SIPVicious tools.

Reference: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services

Tuesday, September 18, 2007

MediaDefender Phone Call was over VoIP

If you're not familiar with the leak, this article on TorrentFreak talks about phonecalls between a New York attorney and MediaDefender which were leaked out.

Funnily enough (for some), during the phone call one of the parties says: "what we could do if you wanted, change the port ... change the login, obviously the password, if you guys need to know the password that we're using we can just communicate that by phone. .... If you need to .. anything which is really really sensitive we can just communicate in this [phonecall] fashion".

There were different opinions on how this call was captured. One suggestion floating on the forums is that the VoIP call was recorded by one of the parties (MediaDefender or NY attorney) and put on a compromised server. Another idea is that the call was sniffed by the attacker.

Whichever way this call was compromised, this shows two things with regards to VoIP communications:
  • Phone traffic now goes over the Internet. Don't assume that your call cannot be intercepted over the Internet .. that assumption is very outdated.
  • Encryption definitely has an important place in VoIP security. In this case, it would probably have helped

Microsoft VoIP As You Are

I just saw Microsoft's (relatively) new VoIP ad campaign called "VoIP As You Are". The ads on the MS site are cute, showing two old PBXs having a chat. Apparently you get a different ad every time you click.. so keep clicking ;-)

So what this implies is that Microsoft is taking into account that the bigger companies will find it hard to switch to VoIP if they have to ditch their old system and start a new page. It also means that old vulnerabilities in PBX servers will probably be exposed to the less friendly networks (such as the Internet).

Tuesday, September 11, 2007

SIPVicious tools in the works

Been working on more features with regards to svmap. Some of these features will find their way into svwar and svcrack as well in the next release version. So what are the features of interest?
  • Svmap is now session based. This allows us to have the following features:
    • You may stop a current scan, go have a coffee and resume it later.
    • If the power cuts, a natural disaster occurs or anything bad happens, you can resume your scan later because of the autosave feature, provided you survived the accident.
    • Results are now stored in BSD database form. Svreport.py comes in quite handy .. more on this below.
  • You can now pass various types of host ranges to svmap, depending on your (bad) taste and habits. Examples:
    • 1.1.1.1-20 1.1.2-4.1-10
    • 1.1.1.*
    • 1.1.1.1-1.1.2.20
    • sipvicious.org/22
    • 10.0.0.1/24
    • sipvicious.org
  • Random scans. Two kinds of random scans:
    • Internet random - you don't pass svmap any host/ip ranges. It scans the IPs randomly, avoiding those that belong to private networks or reserved address space
    • Random targeted scan. You pass a range of hosts/ips and they are scanned randomly instead of sequentially.
  • Output to an ASCII table when the scan is complete. If you need to see the results instantly, then the verbose option is your friend. Double verbose gives out a lot of debug information.
  • Lots of bug fixes, optimizations and cleaning up ;)
Earlier I mentioned svreport.py which is a new script that will be soon added to the suite. It will grab previous sessions from SIPVicious tools and export them to the following formats:
  • PDF - Portable Document Format
  • XML - Extensible Markup Language
  • CSV - Comma delimited files
  • Text - Human friendly format
That's all for now. If you're curious check out the svn repository. Otherwise version 0.2 is on the way.

Saturday, September 8, 2007

SIP Security with Cullen Jennings of IETF and Cisco

Blue Box podcast has published a very interesting discussion / interview with someone who has a finger in the pie when it comes to SIP. He talks about some real issues when it comes to SIP and VoIP.

Friday, September 7, 2007

Security Analysis of Voice-over-IP Protocols

This paper talks about the state of security, or lack of it, of the VoIP protocols. It talks a lot about encryption and introduces some attacks in that area. Of interest:
  • A replay attack on SDES key exchange causing SRTP to use the same keystream in multiple sessions. This means that the attacker removes encryption from SRTP-protected data streams.
  • An attack on ZRTP involving unauthenticated user IDs. This allows bypassing / disabling of authentication or a DoS attack.
  • A security issue related to randomness in MIKEY

Thursday, August 30, 2007

VoIP security related blogs

Was checking out VOIPSA's blog and noticed that they mention a few blogs of interest which reminds me...

I've been asked to name VoIP security related material that one should check out, so here goes my list:
Will be adding more later on

Friday, August 24, 2007

How to turn a Grandstream SIP phone into a remote bug

The "Institut National de Recherche en Informatique" has done it again. They released details of their research regarding the Grandstream GXV-3000 SIP phone - especially on a bug that allows one to crash the phone, and set it off the hook without ringing. This last exploit effectively turns such phones into a spying device, allowing crooks and other evil entities to discreetly listen in on conversations in a room where the phone is installed.

Apparently, it is not just these Grandstream devices that are vulnerable to the same attack, but it affects "some SIP stack engines". The trick is to send a "183 Session Progress" SIP message to the phone following an INVITE request, which in turn makes it go all fuzzy and start sending RTP packets to the attacker. The full-disclosure post further illustrates this with example code in Perl.

Meanwhile, all this wouldn't have been possible for the Institute without using their SIP stateful fuzzer. The paper presenting this project can be found here. The least that I can say is that this is very cool stuff.

Updates to SIPVicious tools

In the past two days I've been busy working on updates for SIPVicious tools:
  • Scanning a large number of hosts does not take long to start anymore
  • Fixed a few bugs / unhandled exceptions
  • we're doing 160 hosts per second now :)
  • updated user documentation for svmap
  • added some switches to svmap:
    • Verbose. The more you add of these, the more debug information you get. -vvv for ub3r super debug info.
    • Binding ip -b. This allows you to specify an IP address to bind to. By default it binds to all IP addresses.
    • External IP -x. Allows you to specify your external IP address. Use this when you're behind NAT and / or have multiple network interfaces on the host.
Currently SIPVicious tools only support UDP. I hope to integrate TCP and TLS later on though not too soon. Any feedback is welcome. If you want to take a look .. look no further than the svn repository ;-)

Wednesday, August 22, 2007

Cisco IP Phone 7940 exploits

Is it just me, or is public exploit code for SIP devices and SIP software appearing more often? Published on milw0rm - two perl scripts which launch a DoS attack [1][2] on Cisco IP Phone 7940. The advisories[1][2] can be found on full disclosure.

These vulnerabilities seem to be related to the sequence of certain SIP requests being sent to the IP phone. So how were these vulnerabilities found? The researchers were making use of their own fuzzer called Madynes VoIP fuzzer KIPH, which supports "state tracking".

Wednesday, August 8, 2007

SIP softphone buffer overflow demo

Someone was showing off a 0day exploit at Black Hat. The article is a bit sketchy and feels sensational, but it does show that various parties are concerned. Just like most other pieces of software, softphones will (and do) have security vulnerabilities that lead to remote access.

Article can be found here.

Hardphones, on the other hand, are secure.. right? :-p

Friday, August 3, 2007

Interview with a VoIP hacker

Telecom Junkies published an interview with Robert Moore, who has been convicted of VoIP hacking / fraud. In the interview, Moore explains that they used easily guessable passwords as well as default ones to get free VoIP service. The VoIP-based attacks targeted H.323 not SIP. Similar attacks to ones described in the interview can be launched on SIP based PBXs by making use of svmap, svwar and svcrack.

Moral of the story: audit your PBX now before someone else does ;-)

References:

Sunday, July 29, 2007

SIPVicious tools for auditing SIP devices

SIPVicious tools version 0.1 have been uploaded on googlecode. These tools allow you to launch brute force password guessing attacks on PaBXs, identify SIP devices, softphones and hardphones on the network and guess live extensions on a PaBX.

Any feedback is welcome, tho some feedback is more welcome than other feedback ;-)

Download the latest (and earliest) version here.

SIPVicious launched

A brand new site providing an eye on VoIP security especially on matters related to SIP. This site is in blog form and we hope to provide the following as regards VoIP security:
  • news
  • software
  • advisories
  • articles and papers