Tuesday, October 30, 2007

More on INVITEing phones to ring

This is a follow-up to a previous post.

Apart from using a softphone, you can also use svmap.py (part of the SIPVicious tool suite) to reproduce the behavior:
./svmap.py -m INVITE 192.168.1.4 -p5061
Where 192.168.1.4 is the IP of the SIP phone and 5061 is the SIP port of the phone. For a ghost call effect, if you have a network with all SIP phones listening on port 5060, you can just run the following to get them to ring at the same time:
./svmap.py -m INVITE 192.168.1.1/24

Updated list of softphones tested and exhibiting this behavior:
  • WengoPhone **
  • X-lite release 1011b
  • SJPhone 1.65.377a
  • Ekiga 2.0.11 (beta)
  • Yate
  • SIP Communicator
Some VoIP phones (hardware) were also tested and exhibit this behavior as well:
  • GrandStream GXP 2000
  • Grandstream BT100
  • Aastra 480i
  • Aastra 9133i
  • Polycom IP330
  • Cisco CP7940G*
  • Lancom VP 100*
  • Linksys SPA 921*
* Requires a valid extension
** Requires either a valid extension or no extension at all

how (not) to get your ex back

Just uploaded a short story showing how an unsolicited user can phone up a victim by knowing (or finding out) the IP and port of the victim's VoIP phone. This story ties in with what we've been discussing in the previous blog post.

You may check out the story here.

Sunday, October 28, 2007

Server impersonation and SIP

Was reading Sipera's latest advisories. The server impersonation advisory caught my eye mostly because we've seen something similar to this over here during testing. We hadn't published this information until now .. so here goes.

A good number of SIP softphones, and we would assume VoIP phones (hardware) too, will ring upon receiving an INVITE request sent directly to them. Three months ago we worked on three stories, two of which describe protagonists abusing this behavior and are still unpublished. I'm working on getting these two stories published soon.

As hinted by the Sipera advisory, this behavior has a few implications, the major ones being that it can be abused for spamming and social engineering attacks.

These are the softphones that were found to display this behavior:
  • X-lite release 1011b
  • Ekiga 2.0.11 (beta)
  • SJPhone 1.65.377a
Also quickly tested Gizmo Project 3.1.2 and it did not exhibit the same behavior. Did not try to spoof the packet source IP etc.

How do you test for this?
Use your favorite SIP phone to call an address like sip:whatever@192.168.1.1:5060, where 192.168.1.1 is the IP of the destination SIP phone. There is no need to spoof IP addresses or anything like that for the above. In the story (which I'll try to publish tomorrow), the attacker makes use of X-lite. If you use X-lite, select the option "target domain" under the "Send outbound via:" setting.
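As an added example (not part of the original post or the SIPVicious project), here is a phone-side or sensor-side check for the two patterns described in this post and in the follow-up above: an INVITE arriving from anything other than the proxy the phone registered with, and one source INVITEing many phones in a subnet within a few seconds. The proxy address, the log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_PROXY = "192.168.1.10"   # assumed: the registrar/proxy the phones signed up with
SWEEP_TARGETS = 5                # distinct phones INVITEd by one source within SWEEP_WINDOW
SWEEP_WINDOW = timedelta(seconds=30)

# Constructed log of inbound SIP requests: (timestamp, source IP, destination IP, method).
SAMPLE_EVENTS = [
    ("2007-10-30 10:00:01", "192.168.1.10", "192.168.1.4", "INVITE"),   # real call via the proxy
    ("2007-10-30 10:00:09", "192.168.1.5", "192.168.1.10", "REGISTER"),
    ("2007-10-30 10:03:00", "192.168.1.77", "192.168.1.4", "INVITE"),   # INVITE sent straight to a phone
    ("2007-10-30 10:07:00", "192.168.1.77", "192.168.1.1", "INVITE"),   # start of a /24 sweep
    ("2007-10-30 10:07:00", "192.168.1.77", "192.168.1.2", "INVITE"),
    ("2007-10-30 10:07:01", "192.168.1.77", "192.168.1.3", "INVITE"),
    ("2007-10-30 10:07:01", "192.168.1.77", "192.168.1.5", "INVITE"),
    ("2007-10-30 10:07:02", "192.168.1.77", "192.168.1.6", "INVITE"),
    ("2007-10-30 10:07:02", "192.168.1.77", "192.168.1.7", "OPTIONS"),  # an OPTIONS probe, not an INVITE
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def direct_invites(events, proxy=TRUSTED_PROXY):
    """INVITEs that did not come through the proxy: a phone applying this rule would not ring."""
    return [(src, dst) for _, src, dst, method in events
            if method == "INVITE" and src != proxy]


def invite_sweeps(events, min_targets=SWEEP_TARGETS, window=SWEEP_WINDOW):
    """Source IP -> number of distinct phones INVITEd inside one window, for sources over the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, method in events:
        if method == "INVITE":
            by_src[src].append((_ts(ts), dst))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # slide a window starting at each INVITE
            targets = {dst for t, dst in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                sweeps[src] = len(targets)
                break
    return sweeps


if __name__ == "__main__":
    print("direct INVITEs:", direct_invites(SAMPLE_EVENTS))
    print("sweeps:", invite_sweeps(SAMPLE_EVENTS))
```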

If you have any results please post a comment or send me an email.

Tuesday, October 23, 2007

How to get the job done - a short story

Just published a short story called "How to get the job done". The plot is a scenario showing how the SIPVicious tool suite could be used in a corporate environment by a malicious intern. Hope you guys like my shameless self promotion.

Saturday, October 20, 2007

tshirts and mugs!

Mugs and shirts!
Been struggling with spreadshirt for a while to open a shop to get some shirts with the SIPVicious design, without much luck. So I gave up for now, and went ahead and opened a Cafe Press account. Real easy. Visit the "Goodies for SIPVicious" page.

Thursday, October 18, 2007

Wiki updates

We've updated some pages on the wiki:
  • Usage of svmap and svwar, with examples of how to use each option
  • Mentions of SIPVicious in various media are now being cataloged
  • A Getting Started document - a step-by-step how-to for newbies and the rest of us ;)
  • The FAQ page has been updated to include a disclaimer-like answer to the question: "Why did you publish tools that can be used for illegal purposes?"
  • The to-do list has been updated with some excellent suggestions from SIPVicious users.

Saturday, October 13, 2007

Friday, October 12, 2007

XSS in Linksys SPA941

Cross-site scripting in an IP phone? Of course - it has an HTTP interface!

What's more, the HTTP interface shows a call history. The call history page is built from information taken from the SIP messages themselves in order to display which numbers tried to call the phone.

This post on the full-disclosure mailing list shows how this feature can be abused: malformed SIP messages inject HTML and script into the web interface itself.

This is a reminder that when data crosses from one format or protocol to another, the underlying code needs to make sure it is properly escaped for the destination context. In this case, the HTTP server or the scripts behind it need to HTML-escape the missed-call entries before rendering them.
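As an added example (not the SPA941's code, nor anything from the full-disclosure post), this shows the missed-call rendering both ways: the caller label is pulled out of the From header of a constructed INVITE and placed into a call-history row, first unescaped and then HTML-escaped as the post recommends. The message, the page layout and the function names are assumptions.

```python
import html
import re

# Constructed INVITE as the phone would receive it. The display name carries
# markup; a call-history page that copies it unescaped hands it to the browser.
INVITE_WITH_MARKUP = (
    "INVITE sip:1001@192.168.1.4 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.77:5060;branch=z9hG4bK-constructed\r\n"
    'From: "<b>IT helpdesk</b>" <sip:4242@192.168.1.77>;tag=c0ffee\r\n'
    "To: <sip:1001@192.168.1.4>\r\n"
    "Call-ID: constructed-call-id@192.168.1.77\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# The same call without a display name: the URI user part is shown instead.
INVITE_PLAIN = INVITE_WITH_MARKUP.replace('"<b>IT helpdesk</b>" ', "")


def sip_headers(message):
    """Header name (lower-cased) -> value for one SIP request; no line folding support."""
    head = message.split("\r\n\r\n", 1)[0]
    pairs = (line.split(":", 1) for line in head.split("\r\n")[1:] if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}


def caller_label(invite):
    """What the missed-call list shows: the From display name, else the URI user."""
    from_hdr = sip_headers(invite).get("from", "")
    m = re.match(r'\s*(?:"((?:[^"\\]|\\.)*)"|([^<"]*?))\s*<sip:([^@>]+)@', from_hdr)
    if not m:
        return from_hdr
    name = m.group(1) if m.group(1) is not None else m.group(2)
    return name.strip() or m.group(3)


def missed_call_row_unescaped(invite):
    """Vulnerable: attacker-controlled text is concatenated straight into the HTML."""
    return "<tr><td>%s</td></tr>" % caller_label(invite)


def missed_call_row(invite):
    """Fixed: escape for the HTML text context before the browser ever sees it."""
    return "<tr><td>%s</td></tr>" % html.escape(caller_label(invite), quote=True)
```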

Thursday, October 11, 2007

On reporting bugs and recent bug fixes

Fixed a couple of bugs in the svn version. For more information check out the Changelog file.

To report any crashes (unhandled exceptions) that you may get, you can make use of the -R or --reportback option. This handles sending the bug report and, if you update to the svn version, lets you include an optional message and email address.

$ ./svreport somehost.com -R
If the bug is not a crash, you may still contact the author through email, or open an issue.
To update to the latest version, simply run "svn update" in the sipvicious directory if you are on a system with subversion installed (typically Linux or Unix machines).

$ svn update

Monday, October 8, 2007

SIPVicious 0.2 released

After much bug fixing and feature creeping ... we announce SIPVicious tool suite 0.2!

Tarball download
Zip file download

Notable features include:
  • Session support which allows you to resume previous scans as well as store the results in database format
  • Exporting of previous results to various formats: pdf, xml (html), csv and plain text
  • Easy updating by making use of subversion (svn update)
  • Better UI, more intuitive help, clean output and more debug info when needed
  • And my favorite feature: random scanning techniques
I also uploaded a screencast and tutorial on how to use the SIPVicious tools to crack an extension on an Asterisk box here. Enjoy.

Saturday, October 6, 2007

Ladies and Gentlemen, please welcome

The new SIPVicious logo / mascot.

Wednesday, October 3, 2007

SIPVicious tools 0.1.9 .. aka 0.2 beta

Download Now and give feedback.

If you have svn installed, you can keep updated by running "svn update" in the sipvicious directory. To view the changes, the command is "svn diff".

A list of new features:
  • Session / database support allowing you to resume a scan as well as to store scans which can later be exported
  • A new script called svreport. It allows you to resolve the IP addresses of previous scans and to export previous scans to different file formats: pdf, xml (supporting html output via XSLT), csv and plain text.
  • Random scanning
  • Svmap can scan various formats of IP ranges - CIDR and wildcards supported
  • Output is cleaner. Added verbosity levels and a quiet mode.
  • Help (--help) actually helps you now
  • Various bug fixes in svmap, svwar and svcrack
Known issues:
  • When scanning from behind NAT, you'll end up losing SIP responses from certain devices (e.g. Cisco) and therefore get incorrect results. We hope to fix this by including UDP hole punching techniques (STUN anyone?)