Thursday, November 29, 2007

introduction to svcrack

The purpose of svcrack is very straightforward.This tool will launch a password guessing attack extensions on the SIP registrar. Attackers will be after your SIP passwords because such knowledge allows them to:
  • Get free long distance calls
  • Hijack and spoof phone calls
  • Eat your spaghetti
The most obvious and damaging problem is toll fraud. Traditionally phone phreaks enjoyed free calls by abusing security flaws within the phone company's system as well as private companies' PABXs. By gaining access to an extension line which can make international calls, an attacker will be able to run large bills on the victim's account. On the other hand, the social engineering aspect should not be under estimated. Social engineering can be a very effective and reliable method that allows hackers to pull off some of the most interesting (sometimes amusing) attacks ever. From ordering free pizza as someone else, to hijacking the help desk's number and then asking for user's passwords, such attacks rely on human nature and can probably never be totally prevented.

This is how svcrack works:
  1. It starts sending REGISTER requests to register a specific extension line
  2. In the mean time the SIP server starts responding back asking for authentication.
  3. The response also contains a nonce, which is a unique number or bit string that should only be used once. This nonce is used as the challenge in the challenge-response mechanism.
  4. Svcrack uses the nonce and other properties to compute the challenge response then sends that back to the server

Svcrack will repeat the above procedure until the password gets cracked and an OK message is recieved, or until there are no more passwords to try.

During testing, we were able to run speeds up to 80 passwords per second - that is 6,912,000 passwords a day. These numbers are dependent on the SIP registrar and of course, on a real network, latency and other factors will seriously affect these results. Some registrars allow the attacker to reuse the nonce. This makes the registrar servers vulnerable to replay attacks. This feature is also useful during password cracking, since it can make the process faster. In fact, svcrack has an option which allows auditors to exploit this feature and possibly achieve faster speed.

Saturday, November 24, 2007

SIPtap and tapping phone calls

"Called SIPtap, the software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files." - PC World

Unlike what others may say, this is not exactly the latest threat. When traffic is not encrypted, it can be recorded by anyone in between and later on replayed; and that includes VoIP. In fact several tools have been available for a while which are able to do the same thing that SIPtap (which is not publicly available for download) does. Examples:
Anyways, what the author of the tool does well is deliver the message (and market himself). He explains the threat quite well on his youtube video in a way that is probably reachable to people who are more .. technically challenged.

Found a similar post to mine at Mr. Blog

Wednesday, November 21, 2007

its the end of the world as we know it

Here are some apocalyptic scenarios related to VoIP and SIP:
Not exactly positive reports on VoIP - what they're effectively saying is that VoIP's increase in the phone market is a ticking bomb that will have great repercussions from a security point of view.

But IMHO, one thing's for sure - with big vendors like Microsoft, entering the market .. VoIP is here to stay.

Tuesday, November 20, 2007

introduction to svmap

Svmap is a network scanner for SIP. Similar to nmap - it will scan for devices on ports specified by passing the right command line options. Once svmap finds a device that supports SIP, it will extract information from the response and identify the type of device. Anyone running this tool will typically end up with a list of IP addresses of SIP devices and the names for those devices.

A penetration tester or security auditor will probably find this tool particularly useful especially during reconnaissance. With the IP address, device name and possibly version at hand, he or she can then target security weaknesses specific to that device. A security administrator or security analyst can also make use of svmap to list different active SIP user-agents on the network. Based on this information, the security administrator then has the ability to identify rogue and vulnerable devices which can cause a security concern.

Svmap is able to scan for SIP devices much faster than generic UDP port scanners. Typical port scanners such as nmap, scan UDP ports by sending a packet to each port and expecting an ICMP packet which indicates that the port is closed. If no ICMP error is received within a reasonable time, the port scanner assumes that the port is either open or else filtered. While this method has worked for years, it can never be considered efficient or neat, (at least) because of two reasons:
  • The majority of UDP ports are closed - therefore having to wait for each ICMP error to confirm that the port is closed is not a good idea
  • Nowadays a lot of devices are behind firewalls or NAT and will never reply with an ICMP error
Svmap works by sending a UDP packet containing a SIP request to a range of specified IP addresses, and listing those that send back a valid SIP response. Since UDP is a connectionless protocol, this method can be relatively fast. For example, during testing we were able to identify around 200 SIP devices on one particular network, out of a scan of IP addresses in less than 3 minutes. On the other hand when we scanned the same network with nmap version 4.20 (default options for sU scan on port 5060), it took longer than 20 minutes at which point we stopped the scan.

For examples on how to use svmap check out the wiki.
Download the whole SIPVicious tool suite from the project page.

Wednesday, November 7, 2007

SIPVicious version 0.2.1 released

Go get it from the usual place.

This is mostly a bug fix release but we still managed to squeeze in some minor features:
  • Session state is now saved
  • svmap supports sending INVITE to particular extensions
If you're on a system with subversion installed, you can simply run "svn update" to receive the latest version. Check out the Changelog to see what changed.

Monday, November 5, 2007

re-INVITE and authentication

The Madynes research team have published details of a way to steal the Digest Authentication response and be able to perform a relay attack.

This is the post on the Voipsa mailing list.

They published the info in a presentation / slideshow form.

Saturday, November 3, 2007

SIPVicious 0.2.1 public beta

Just wanted to let you know that v0.2.1 is public beta (meaning that it will be released soon). Go for it (and submit a bug report if you get any bad feelings) ;-)

v0.2.1 (maintenance)
  • Feature: updated the report function to include more information about the system. Python version and operating system is now included in the bug report. option now supports optional feedback.
  • Feature: Store information about the state of a session. Sessions can be complete or incomplete, so that you can resume incomplete sessions but not complete ones.
  • Bug fix: Added a check to make sure that the python version is supported. Anything less than version 2.4 is not supported
  • Bug fix: IP in the SIP msg was being set to localhost when not explicitly set. This is not correct behavior and was fixed. As a result of this behavior some devices, such as Grandstream BT100 were not being detected. Thanks to robert&someone from bulgaria for reporting this
  • Bug fix: fixed a bug in the database which was reported anonymously via the --reportback / -R option.Thanks whoever reported that. Bug concerns the dbm which does not support certain methods supported other database modules referenced by anydbm. Reproduced on FreeBSD. Thanks to Anthony Williams for help identifying this
  • Bug fix: Ranges of extensions in svwar could not take long numeric extensions (xrange does not support long / large numbers). Thanks to Joern for reporting this
  • Bug fix: svwar was truncating extension names containing certain characters. Fixed.
  • Bug fix: when binding to a specific interface, the IP within the SIP message could be incorrect (when there are multiple interfaces). This has been fixed.
  • Cosmetic: Certain PBXs reply with "603 Declined" when svwar finds that the extension does not exist. This creates extra noise. It is now being suppressed.
That's all folks!