Saturday, December 13, 2008

Introducing EnableSecurity VoIPPack

EnableSecurity VoIPPack is a pack or addon for Immunity CANVAS that complements this tool with commercial-grade VoIP scanning capabilities. Probably the most intriguing module currently is sipautohack.

The following is a taster showing sipautohack scanning a target network, identifying the PBX server, enumerating the extensions intelligently and finally cracking the password for each extension on the PBX. More demos here.



For more information about VoIPPack take a look at the product page. EnableSecurity is currently running a private beta. Apply as a beta tester.

Sunday, October 26, 2008

Off to RSA Europe 2008

I'll be in the UK for the next few days to visit RSA Europe. Will probably be twittering on twitter.com/sandrogauci and updating the sister blog at EnableSecurity where I'll post the list of talks that I'm interested in visiting as soon as I get a chance. And of course - if any readers are around drop me a message ;-)

Friday, October 24, 2008

Analysis of a VoIP Attack

Klaus Darilion published an interesting paper explaining what happened to German VoIP users and how to mitigate. I suggest that you read this one. Looks like attacks are becoming more and more widespread / mainstream.

Tuesday, September 9, 2008

Upcoming changes in SIPVicious

The following are two updates for the next version of SIPVicious's PBX extension enumeration tool svwar:
  1. svwar now tries to guess common numbers by default. It scans for the following ranges: 1000,2000... 9000, 1001, 2001..9001, 1111,2222... 9999, 11111,22222...99999, 100-999, 1234,2345 ..7890 and so on. This feature has a tendency to identify extensions on many PBX configurations. If you would like to disable it simply pass the --disabledefaults option to svwar.
  2. svwar now sends ACK responses to SIP responses with code 200 because some PBXes keep sending packets until they receive an acknowledge.
That's it for now. Please let me know about your experience with the new features. To give the code a try simply run svn update from the sipvicious directory, or get the latest by running the following:
svn checkout http://sipvicious.googlecode.com/svn/trunk/ sipvicious-read-only

Have fun!

Thursday, August 21, 2008

Homeland Security Dept's PBX hacked?

Ouch! ZDNet has a short article about a misconfigured PBX making 400 calls to some of the hottest countries around: Afghanistan, India, Yemen and Saudi Arabia. Very ugly... hope that the details emerge. If anyone has more details email me or post here.

Promotional message: SIPVicious is free - test your SIP based PBX before someone else does ;-)

Update: Apparently it consisted of voicemail hacking - you know that thing from the 90s. So no VoIP or SIP involved, just plain old school default pin cracking.

Monday, August 11, 2008

Surf Jack - HTTPS will not save you

Alert: this is not a VoIP security post. Just a repost from EnableSecurity.

I just released a new paper and tool on the subject of web application security.

Check out the blog post (which includes the bonus video everyone loves), and the proof of concept tool itself.

And if you did not do it already, please subscribe to my other site, EnableSecurity's RSS feed.

Sunday, August 10, 2008

New SIPVicious release 0.2.4

Just updated the release of SIPVicious to 0.2.4 to include a couple of bug fixes in svwar and a new feature. The new "--template" parameter allows you to make use of format strings to create more flexible ranges. Some examples include scanning prefixes or suffixes... which apparently can be quite useful with certain environments ;-)

Many thanks to Teodor Georgiev for his patience and help in making SIPVicious more robust and reliable!

Here's a link to the full Changelog.

Grab the tarball or the zip file.
To upgrade to the svn version simply run "svn update" as usual - enjoy

Friday, June 20, 2008

Backtrack 3 out - with VoIP security tools

The final Backtrack 3 is out and it features some VoIP tools in the /pentest directory:
  • SIPVicious (guess you know by now what this is about :)
  • Voiper - a SIP fuzzing toolkit which aims at identifying flaws in VoIP products that do SIP and SDP.
  • Sipbomber - a SIP testing tool which has test cases that are run against SIP enabled software / devices
  • SIP Rogue - allows application level man in the middle (MITM) attacks on SIP devices.
In the $PATH one can find:
  • VoIP Hopper - allows one to hop between VLANS.
  • VOIPONG - a Voice over IP sniffer - will record any phone calls that it sees.
  • sipdump / sipcrack - an offline password cracker for the digest authentication used by SIP
Tools that were previously found in Backtrack 2 are described on the tools page.

Grab Backtrack from the official site.

Tuesday, June 17, 2008

Ladies and Gentlemen please welcome..

EnableSecurity! I will be publishing my security research and rants as well as providing Security Consultancy, Research and Design. A brief "who am I" can be seen at the Linkedin Profile page, while Google has further details.

So what sort of things am I doing?
  • Wireless security auditing
  • Web Application Security
  • VoIP security research
  • Reverse Engineering

I'll continue developing SIPVicious and publish additional tools to help security professionals get the job done.

And one more thing - I suggest that you subscribe to the RSS as I shall be releasing some research later on this week.

Wednesday, June 11, 2008

SIPVicious tools roadmap

I'm looking at improving SIPVicious and would appreciate your input for new features or any possible bug fixes. Send me an email with ideas, or simply leave a comment.

Check my current "to do" list here.

Tuesday, June 3, 2008

SIPVicious version 0.2.3 with fingerprinting and dns goodies

Just posted a new version of SIPVicious v0.2.3. This includes some new features as well as bug fixes. However be warned - bugs have been invariably introduced in the course of adding these new features, so please help me test it out ;-)

Here's the link you've been looking for.

From the Changelog:

v0.2.3
  • Feature: Fingerprinting support for svmap. Included fphelper.py and 3 databases used for fingerprinting.
  • Feature: Added svlearnfp.py which allows one to add new signatures to db and send them to the author.
  • Feature: Added DNS SRV check to svmap. Use ./svmap.py --srv domainname.com to give it a try

v0.2.svn
  • Feature: added the ability for svreport to count results when doing a list
  • Bug fix: fixed a bug related to resuming a scan which does not have an extension

Thursday, May 15, 2008

VoIP and identity fraud on the BBC

The BBC News is running an article highlighting one of the most basic vulnerabilities in the majority of current VoIP providers - the lack of encryption. Indeed, this is a problem since SIP passes an MD5 hash of the password in the clear and therefore anyone watching the traffic can perform an offline attack and quickly recover the credentials. The attack has been described in countless blogs, articles and papers by now and some tools are very efficient in demonstrating this issue.

What caught my eye is the mention of VoIP credentials being sold on the underground at $17 a piece. So I emailed Mr Gladwin who was quoted in the article. This is a summary of our email conversations:
  • There is no indication that stolen VoIP details were harvested because of the lack of encryption
  • If anyone comes across underground forums / sites / resources which have prices please let me know. Unfortunately Dave Gladwin was not able to provide me with a reference (until now)
  • There was no indication as to the size or volume of the VoIP credentials trading
Skype took the chance to remind us that this is not an issue for them (since they make use of a proprietary protocol which has encryption built-in).

I'm interested in learning which method is being used to steal credentials. Take your pick:
  • Sniffing at WiFi internet cafes / hacked service providers etc and offline password attacks
  • Active password attacks (such as those supported by SIPVicious svcrack). Such attacks have been previously used by Robert Moore and obviously others which were not caught ;-)
  • Hacked VoIP service providers or end users
  • Phishing attacks
My feeling is that active password attacks will give you the best results when the target is simply "the Internet". But in the end, what matters is what's being currently abused and how we can prevent and mitigate.

Update: Dave Gladwin updated the Newport Networks Blog to provide more details on the subject.

Friday, May 2, 2008

Defcon 15 videos - VoIP related talks

Just in case anyone missed Defcon 15 (like I did), here are two talks of interest with relation to VoIP:
For the rest of the videos check out this list.

Thanks to Anthony of Iron::Guard for the pointer.


OSSEC v1.5 now has builtin Asterisk rules

A new OSSEC version has been released. Along with a number of updates, OSSEC now includes the Asterisk rules that were first published in my hakin9 article and then here. The rest of the updates are described in the Changelog.

Grab it now.

Tuesday, April 22, 2008

Infosec Europe 2008

If anyone's going to be at Infosec Europe tomorrow or the next day and would like to have a chat (and maybe offer a beer), contact me.

Time to update twitter

Sunday, April 20, 2008

New instructional videos and articles

Archangel Amael posted two new videos related to SIPVicious:
On his blog you'll also find a tutorial on setting up trixbox for testing, which is a companion to one of the videos.

Tuesday, April 1, 2008

Storming SIP Security - now available just a click away

Time to release the hakin9 article to the public. This article was first released in the February edition of the English hakin9 magazine.

Download now (takes you to EnableSecurity).


Added: The listings can be found here.
Thanks to Chris Gates for noticing that I forgot to include the listings.

Saturday, March 29, 2008

Blackhat Europe Briefings Day 2

Second day talks that I attended were:
  • The URI abuse talk. This was a talk which lists different attack vectors that apply to URIs. The speakers demoed a Picasa vulnerability that relies on DNS rebinding to be able to expose images from your Picasa to the evil hacker and his little brother. Then they talked about an iPhoto format string vuln that can be exploited via the photo:// URI. More information about this can be found at the speaker's blog. There was also mention of some tools which can help with finding new URI flaws, like duh4mac.c which lists all URIs on a Mac and the associated applications. While this talk had nothing which was not already available elsewhere, I thought that it was well delivered and inspiring.
  • The LDAP injection talk touched on an interesting subject that hasn't been covered much elsewhere except for a few scattered papers. While the subject matter was good, the speakers took long to get to the interesting part, which was a demo of a vulnerable web app and how they could manipulate it to do privilege escalation on a web application. The most interesting part was when they showed how specifying an asterisk for a username can give access to the 1st user that matches. Then the speakers went on to describe more complex things such as blind injection, which took approaches similar to blind SQL injection.
    Finally, the speakers did not really expand on solutions and what to do to prevent such attacks. Their suggestion was to filter out malicious characters, such as the "*". However on further discussion with the speakers, they agreed that having a whitelist of characters might be a much better solution.
  • The Dtrace talk was well delivered. You could see that people got excited at the thought of being able to use that when doing reverse engineering on a Mac. Quotes like "don't think of dtrace as just gdb on steroids" were thrown at us when the speakers were explaining why making use of dtrace is better than making use of gdb or pydbg. And finally they presented a ruby wrapper around dtrace, making it all even more powerful. I know that I'll be adding dtrace to my arsenal of tools ;-)
  • Then it was time for the GSM cracking talk. This was a sort of update on how the whole project is going. They reminded us that there are a hell of a lot more GSM phones than computers, and that is one reason why their research is useful. As people who follow these security conferences know, these guys are making use of Pico Computing's FPGAs to be able to generate rainbow tables that help with the cracking of GSM. They only have another month to go until their rainbow table is complete. Then they finally announced that they are considering selling a kit that allows you to crack GSM and we were left with the interesting question of "who is your target market?"
  • Hacking Secondlife talk: I found this talk to be a bit frustrating because the author took his time to get to the juicy stuff and when he actually did, things were not as exciting as I would have liked them to be. In my opinion, the speaker should have named the talk "Hacking with SecondLife" instead of "hacking SecondLife", because his demonstrations were about making use of the scripting in SecondLife to get other Avatars to send HTTP requests to a target website. He showed off slikto, which scans websites for known vulnerable scripts just like nikto, but makes use of Avatars on SecondLife that click on the evil ball. The least that I can say is that I wasn't impressed, and this sort of thing can be done on a much larger scale and much more efficiently with botnets, or by making use of DNS rebinding attacks and many other ways.
  • The final talk that I went to was the Maltego talk about investigating people by making use of open source information. Actually I wanted to watch the PDF malware talk, but started snoozing and decided that I'd rather switch track. The Maltego talk was very well delivered, the speakers were entertaining and showed some real funky visualization in the next version of their application. The talk was mostly about presentation of data to turn that into useful information (or intelligence). They also talked about bypassing google's human verification checks and the legal problems that they had with various search engines.

Friday, March 28, 2008

Blackhat Europe Briefings Day 1

These are some of the talks I've been at:
  • Keynote by the Angel of Doom was on Digital Security and why it will fail. His conclusion is that we are in the right business and that we have job security. He gave ideas about how security solutions that do not take the big picture into perspective are bound to fail. Had a chat with him during lunch, very interesting conversation.
  • The talk from the GNUcitizen people called Client-side security was enjoyable. They were presenting stuff that (I think all) was publicly available either on their site or their friend's site. Most of their exploits seem to have one thing in common - they use multiple technologies to abuse the system.
  • Attacking Anti-virus talk by SoWhat was interesting. It was not flowing but the subject material was good. By making use of fuzzing of filetypes, he gave live demos of AV software crashing. Some of the vulnerabilities seem to be exploitable to run arbitrary code and SoWhat was able to show a few unpatched vulnerabilities as well.
  • The Cisco IOS Forensics talk was very well researched. We learned about how the base OS on IOS works - there is no real kernel, there are no separate processes. If one thing crashes, the whole box goes down. We also learned that some of the issues are warez/illegally downloaded IOS updates which contain 3rd party modifications (i.e. backdoors). TCL backdoors were also mentioned. These are most of the time created by legitimate users for later use and abuse (read getting things done or disgruntled ex-employees). Recurity Labs' new project called CIR would allow us to inspect Cisco crash dumps and identify all this and more. It is available online for free at http://cir.recurity-labs.com/
  • The Multimedia fuzzing talk was ok. They talked about fuzzing codecs and mp3 tags and all that. Also showed a demo of flac123 spawning shellcode exploiting an overflow. The same guys who gave the talk have released 2 tools of interest:
    • Fuzzbox, which allows you to create different fuzzed samples based on a valid media file.
    • RTPInject, which allows one to inject arbitrary audio in a VoIP conversation.
  • Managed to grab the Iron Chef Challenge at the last minute when they were presenting the results. The teams drew and there was no clear winner. All the flaws identified were theoretical :-(
  • Started watching the 0day patch talk but all the graphs got to my head and I quickly switched to the lockpicking talk. Mr. Ollam gave an excellent talk as usual and updated us with the latest details on the locks and safes.
After that we went to the Microsoft party, which was okay. Met a few interesting chaps from the AV industry and the Pentest business.

Thursday, March 27, 2008

Blackhat Europe && Twitter

The briefings started today and so far it has been a very interesting experience. I'll be updating my twitter account on BH Europe at: http://twitter.com/sandrogauci

Sunday, March 23, 2008

Blackhat Europe

In the next few days I'll be visiting Amsterdam and going to be at the Blackhat briefings. If any readers are around drop me a message ;-)


Friday, March 21, 2008

SIPVicious tool suite on Backtrack 3 beta

Backtrack, the popular live CD that comes with lots of Penetration Testing tools, now includes SIPVicious tools in its list of packages. The latest is the BT 3 beta which has a corrupt version of SIPVicious. A quick fix is posted on the Backtrack forums themselves here.

Archangel Amael was also kind enough to write up a short guide to SIPVicious.

Saturday, March 15, 2008

Using OSSEC to detect attacks on an Asterisk box

This post is a follow-up to the previous post, which describes how to configure snort to detect SIP attacks. This time we look at detecting attacks at the PBX's end rather than by monitoring network traffic. OSSEC allows us to do just this - it is a host intrusion detection system that can do matching on log files and actively react to attacks.

By default OSSEC does not have support for Asterisk. To add this functionality place a new xml file called asterisk.xml in the OSSEC rules directory (typically at /var/ossec/rules/). This file contains rules for the following violations:
  • User/Extension enumeration
  • Password cracking attacks
The actual rules file can be downloaded here.

This rules file needs to be referenced from the main configuration usually found in /var/ossec/etc/ossec.conf. This can be done by adding the following line to this file:

<include>asterisk.xml</include>

Then we need to add a decoder entry so that OSSEC can extract the offending IP address. This is done by adding the section below to the decoder definition file usually found at /var/ossec/etc/decoder.conf:

<decoder name="asterisk">
<program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>Registration from </prematch>
<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
<order>srcip</order>
</decoder>

Do not forget to restart OSSEC. Typically done by executing the following command:
/etc/init.d/ossec restart
Finally - it is important to make sure that Asterisk is configured to log to syslog and restarted. The next commands to execute are:
echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf

/etc/init.d/asterisk restart
Note: Check out Laureano's post on how to just reload the logger configuration.

That's it. Note that this has been tested on a Trixbox VM and your Asterisk configuration might require some modifications since it appears that Asterisk log files are not so standard.

Oh, and to test these rules you can obviously use SIPVicious tool suite ;-)
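As an added example (not part of this post or the rules file), the following Python script applies the same prematch-then-regex logic as the decoder above to a few constructed Asterisk syslog lines and tallies the failures per source IP into the two categories the rules cover. The syslog line shape and the mapping of chan_sip failure reasons to categories are assumptions.

```python
import re
from collections import Counter

# Constructed syslog lines (addresses and extensions made up) in the shape
# Asterisk 1.4 chan_sip writes when logger.conf sends notices to syslog.
SAMPLE_LOG = """\
Mar 15 10:01:02 pbx asterisk[2217]: NOTICE[2230]: chan_sip.c:8766 register_verify: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
Mar 15 10:01:02 pbx asterisk[2217]: NOTICE[2230]: chan_sip.c:8766 register_verify: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
Mar 15 10:01:03 pbx asterisk[2217]: NOTICE[2230]: chan_sip.c:8766 register_verify: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
Mar 15 10:01:03 pbx asterisk[2217]: NOTICE[2230]: chan_sip.c:8766 register_verify: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
Mar 15 10:01:05 pbx asterisk[2217]: NOTICE[2230]: chan_sip.c:8766 register_verify: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.0.2.44' - Wrong password
Mar 15 10:01:06 pbx sshd[3310]: Failed password for root from 198.51.100.7 port 40122 ssh2
"""

# <program_name>^asterisk</program_name>: the syslog tag must start with "asterisk"
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
PREMATCH = "Registration from "                                # <prematch>
SRCIP_RE = re.compile(r"failed for '(\d+\.\d+\.\d+\.\d+)'")  # <regex offset="after_prematch">
REASON_RE = re.compile(r"failed for '[\d.]+' - (.+)$")

# Assumed mapping of chan_sip failure reasons to the two rule categories:
# an unknown peer means the attacker is guessing extensions, a wrong password
# means the extension exists and its secret is being guessed.
ENUMERATION = {"No matching peer found", "Username/auth name mismatch"}
PASSWORD_GUESS = {"Wrong password"}


def decode(line):
    """Mimic the 'asterisk-denied' decoder: return (srcip, reason) or None."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("asterisk"):
        return None
    idx = m.group("msg").find(PREMATCH)
    if idx < 0:
        return None
    rest = m.group("msg")[idx + len(PREMATCH):]  # regex runs after the prematch
    ip = SRCIP_RE.search(rest)
    if not ip:
        return None
    reason = REASON_RE.search(rest)
    return ip.group(1), (reason.group(1).strip() if reason else "")


def summarize(log):
    """Per source IP, count failures by category, which is what the rules
    aggregate before raising an alert."""
    stats = {}
    for line in log.splitlines():
        decoded = decode(line)
        if decoded is None:
            continue  # not an Asterisk registration failure
        ip, reason = decoded
        bucket = stats.setdefault(ip, Counter())
        if reason in ENUMERATION:
            bucket["enumeration"] += 1
        elif reason in PASSWORD_GUESS:
            bucket["password_guess"] += 1
        else:
            bucket["other"] += 1
    return stats


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, dict(counts))
```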

Friday, March 14, 2008

Swatters using VoIP to spoof caller id

It's no news really to whoever is familiar with swatting, but this is something that recently came to light in the public media as a few people have been found guilty of this real bad prank.

What is swatting? It's basically someone calling the 911 service, spoofing the caller ID and pretending to be under attack from some maniac. What happens then is that a SWAT team is sent to the residence to which the spoofed phone number is registered. Obviously the end result is that the SWAT team ends up harassing the family / residents living there on behalf of the person who spoofed the call in the first place.

Quite a nasty joke if you ask me - and VoIP caller-id spoofing makes it very easy to pull off.

Friday, February 22, 2008

Storming SIP Security

Finally received a copy of the latest hakin9 magazine that includes my article on SIP security. enjoy =)

Sunday, February 17, 2008

Detecting SIP attacks with Snort

Update: Put the snort rules here for easy download.

Protecting the network from VoIP threats is only half of the story. The rest involves detecting that your system is under attack. Intrusion Detection Systems such as Snort can be configured to help with this task. Currently one can find some SIP related rules in the latest Community Snort Rules. These rules are able to detect attacks (generated with tools like svwar and svcrack) that create a large number of INVITE or REGISTER SIP requests as well as "401 Unauthorized" SIP responses.

In this post we present some extra snort rules that are not yet available in any public Snort ruleset (i.e. a SIPVicious exclusive ;-)).

Rule for alerting of OPTIONS scan or flood attack:
alert ip any any -> $HOME_NET $SIP_PROXY_PORTS \
(msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; \
threshold: type both , track by_src, count 30, seconds 3; \
sid:5000004; rev:1;)

The above rule is able to detect svmap when launched against a network as large as 30 hosts or more.

Detecting 4xx SIP responses:
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; \
pcre:"/^SIP\/2.0 4\d{2}/"; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000009; rev:1;)

The presence of a large number of 4xx SIP responses usually indicates that there is an ongoing attack. The reason is that 4xx responses form the "Client error" class, which covers messages such as "User Not Found" or "Forbidden". These messages are usually generated in bulk when an extension enumeration or bruteforce attack is underway.

Detecting ghost calls:
# each rule needs its own sid; the 4xx rule above already uses 5000009
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"Ghost call attack"; \
content:"SIP/2.0 180"; depth:11; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000010; rev:1;)

A large number of ringing phones - especially something like 100 rings in 1 minute - can indicate that something is wrong on certain IP Phone networks ;-)
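As an added example (not from the post or any Snort ruleset), this Python script models how the three rules above behave against constructed SIP traffic, including the "threshold: type both, track by_src" semantics that decide when an alert actually fires; addresses and timings are made up.

```python
import re

# The three rules from the post, as (msg, start-line matcher, count, seconds).
# content/pcre in the rules only inspect the start of the SIP message, so the
# matcher is applied to the request or status line.
RULES = (
    ("OPTIONS SIP scan",
     lambda line: line.startswith("OPTIONS"), 30, 3),
    ("Excessive number of SIP 4xx Responses - possible user or password guessing attack",
     lambda line: re.match(r"^SIP/2\.0 4\d{2}", line) is not None, 100, 60),
    ("Ghost call attack",
     lambda line: line.startswith("SIP/2.0 180"), 100, 60),
)


class ThresholdBoth:
    """Snort 'threshold: type both, track by_src': fire once when `count`
    matching packets from one source fall inside a `seconds` window, then stay
    silent for that source until the window has expired."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, hits, alerted]

    def hit(self, src, t):
        st = self.state.get(src)
        if st is None or t - st[0] >= self.seconds:
            st = self.state[src] = [t, 0, False]  # (re)open the window
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def run(events):
    """events: (timestamp_seconds, src_ip, sip_start_line) tuples.
    Returns the alerts Snort would raise, as (timestamp, src_ip, msg)."""
    trackers = [ThresholdBoth(c, s) for _, _, c, s in RULES]
    alerts = []
    for t, src, line in sorted(events, key=lambda e: e[0]):
        for (msg, match, _, _), tracker in zip(RULES, trackers):
            if match(line) and tracker.hit(src, t):
                alerts.append((t, src, msg))
    return alerts


def sample_events():
    """Constructed traffic (all addresses made up):
    - 40 OPTIONS probes from 198.51.100.7 in 2 s: one 'OPTIONS SIP scan' alert,
      not eleven, because type both suppresses repeats inside the window;
    - 10 OPTIONS keep-alives from phone 192.0.2.21 over a minute: no alert;
    - 120 '404 Not Found' responses from PBX 192.0.2.10 in 60 s: one 4xx alert
      (track by_src tracks the PBX here, since it is what sends the responses);
    - 5 '180 Ringing' from the PBX: far below the ghost-call threshold."""
    ev = [(0.05 * i, "198.51.100.7", "OPTIONS sip:192.0.2.10 SIP/2.0") for i in range(40)]
    ev += [(6.0 * i, "192.0.2.21", "OPTIONS sip:192.0.2.10 SIP/2.0") for i in range(10)]
    ev += [(0.5 * i, "192.0.2.10", "SIP/2.0 404 Not Found") for i in range(120)]
    ev += [(10.0 * i, "192.0.2.10", "SIP/2.0 180 Ringing") for i in range(5)]
    return ev


if __name__ == "__main__":
    for t, src, msg in run(sample_events()):
        print(f"t={t:6.2f}s  src={src:15}  {msg}")
```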

Friday, February 8, 2008

SIP, TLS and Asterisk 1.6

Until a few weeks ago, to enable TLS support in Asterisk you had to apply patches to the source code. As of version 1.6, Asterisk will have native TLS support for SIP transport, making it one of the few IP PBX systems out there that support this security feature.

Too many experts suggest encryption as a solution to the VoIP confidentiality issues, but in reality the number of PBXs and IP phones that support it is still very low and many times it is not a viable solution. However, we hope that this might change.

So - is native SRTP support next on the to do list? ;-)


Monday, February 4, 2008

Most popular topics on SIPVicious blog

Here are the most popular articles or posts published since I opened up SIPVicious blog (July 2007):
  • The SIPVicious introduction animation - I guess people just dig something that they can just sit back and watch. The 5 minute video takes you through downloading the tool suite, identifying a target and finally cracking a SIP phone extension.
  • svmap usage - shows you how to make use of svmap which is part of the tool suite and how each option can be used to scan a target network or just one host.
  • Getting Started - explains how to make use of SIPVicious for the first time. Includes hints on how to quickly set up a test environment with Trixbox (a free PBX linux distro), identify the PBX with svmap, find out which extensions work with svwar and finally crack the password with svcrack.
  • SIPtap and tapping phone calls - SIPtap generated a lot of buzz, and my comments got a bit of google traffic simply because everyone seemed to be searching for "siptap download"
  • Server impersonation and SIP and More on INVITEing phones to ring - These two posts described a feature of most SIP devices and softphones which allow anyone that can reach the phone via network to get it to ring and generate a call. We tested various SIP phones for this and reported back on the blog.
  • How to get the job done - a short fictitious story describing how an internal attacker can make use of SIPVicious tools to launch some interesting attacks on the phone system and use that to elevate his network privileges
Here are some ideas on upcoming topics of interest:
  • Confidentiality issues which have to do with SIP. This seems to be a very important topic simply because it is the most obvious security hole in most VoIP setups: i.e. sniffing and listening on phone calls.
  • Fingerprinting in SIPVicious - how it works. I'll work on this once I feel that the system is more stable and can be published ;-)
  • Storming SIP Security - an article on hakin9 magazine which should be out real soon. Includes information on various attacks on SIP devices and PBX servers. We also included suggestions on how to mitigate the problems and tips on how to detect attacks with Snort and OSSEC.

Sunday, January 27, 2008

SIP Fingerprinting in SVN

I finally added fingerprinting to svmap. This gives it the ability to guess what is running on a SIP network entity even if the user-agent header is missing. You're welcome to give it a try.
If you already have sipvicious:
$ svn update

If you don't:
svn checkout http://sipvicious.googlecode.com/svn/trunk/ sipvicious-read-only

Please send any bug reports to me.
Enjoy

Monday, January 21, 2008

Call Jacking: Phreaking the BT home hub

Enjoy

Vishing alarming rise


As phishers keep searching for new ways to dupe their victims into submission, they will start eyeing VoIP more and more. Check out the article on The Register, which covers a new warning issued by the FBI. Nothing really new from a security social engineering perspective.

image stolen from blogantivirus

Friday, January 11, 2008

VoIP Security Vulnerabilities - a SANS GIAC paper

The SANS Institute just posted an interesting paper by David Persky on VoIP security here. Although there is a growing number of papers and articles on VoIP security, it is very hard to find one that, when stripped of the marketing fluff, has any useful information at all. This paper on the other hand presents specific examples and has some real content.