Friday, February 22, 2008

Storming SIP Security

Finally received a copy of the latest hakin9 magazine that includes my article on SIP security. enjoy =)

Sunday, February 17, 2008

Detecting SIP attacks with Snort

Update: Put the snort rules here for easy download.

Protecting the network from VoIP threats is only half of the story. The rest involves detecting that your system is under attack. Intrusion Detection Systems such as Snort can be configured to help with this task. Currently one can find some SIP related rules in the latest Community Snort Rules. These rules are able to detect attacks (generated with tools like svwar and svcrack) that create a large number of INVITE or REGISTER SIP requests as well as "401 Unauthorized" SIP responses.

In this post we present some extra Snort rules that are not yet available in any public Snort ruleset (i.e. a SIPVicious exclusive ;-)).

Rule for alerting on an OPTIONS scan or flood attack:
alert ip any any -> $HOME_NET $SIP_PROXY_PORTS \
(msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; \
threshold: type both, track by_src, count 30, seconds 3; \
sid:5000004; rev:1;)

The above rule is able to detect svmap when launched against a network of 30 or more hosts.

Detecting 4xx SIP responses:
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; \
pcre:"/^SIP\/2\.0 4\d{2}/"; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000009; rev:1;)

The presence of a large number of 4xx SIP responses usually indicates that there is an ongoing attack. The reason is that 4xx responses belong to the "Client Error" class, for example "404 Not Found" (user not found) or "403 Forbidden". Such messages are usually generated in bulk when an extension enumeration or brute-force attack is underway.

Detecting ghost calls:
# sid 5000010 below is an assumed replacement: the original post listed sid:5000009 for this rule, which collides with the 4xx rule above and would be rejected as a duplicate; assign any sid that is unique in your ruleset
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"Ghost call attack"; \
content:"SIP/2.0 180"; depth:11; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000010; rev:1;)

A large number of ringing phones - especially something like 100 rings in 1 minute - can indicate that something is wrong on certain IP Phone networks ;-)
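As an added example (not code from the original post or from SIPVicious), the following Python reproduces the counting logic of the three rules above and runs it over constructed sample traffic, so you can see exactly when each threshold fires and why a phone's periodic OPTIONS keepalive does not. The timestamps, IP addresses and the "alert once per window" approximation of Snort's `threshold: type both` are assumptions.

```python
import re
from collections import defaultdict

# Thresholds mirroring the three Snort rules in the post:
# (rule name, matcher on the SIP start line, count, seconds)
RULES = [
    ("OPTIONS SIP scan", lambda l: l.startswith("OPTIONS "), 30, 3),
    ("Excessive SIP 4xx responses",
     lambda l: re.match(r"^SIP/2\.0 4\d{2}", l) is not None, 100, 60),
    ("Ghost call attack", lambda l: l.startswith("SIP/2.0 180"), 100, 60),
]


def detect(events):
    """events: iterable of (timestamp_seconds, src_ip, sip_start_line).
    Approximates 'threshold: type both, track by_src': per rule and source
    IP, count matching messages inside a window of `seconds`; alert once
    when `count` is reached and stay quiet until the window expires."""
    alerts = []
    state = defaultdict(lambda: [None, 0, False])  # window start, count, fired
    for ts, src, line in sorted(events):
        for name, match, count, seconds in RULES:
            if not match(line):
                continue
            st = state[(name, src)]
            if st[0] is None or ts - st[0] >= seconds:
                st[0], st[1], st[2] = ts, 0, False  # open a new window
            st[1] += 1
            if st[1] >= count and not st[2]:
                st[2] = True
                alerts.append((ts, src, name))
    return alerts


def sample_events():
    """Constructed traffic (assumed values): an OPTIONS sweep of 40 hosts in
    2 s from 10.0.0.5, a phone at 10.0.0.20 sending one OPTIONS keepalive
    every 30 s, and 150 '404 Not Found' responses in 30 s from the proxy at
    10.0.0.1, as an extension-enumeration run would provoke."""
    ev = [(0.05 * i, "10.0.0.5", "OPTIONS sip:192.168.1.%d SIP/2.0" % i)
          for i in range(40)]
    ev += [(30.0 * i, "10.0.0.20", "OPTIONS sip:pbx.example.invalid SIP/2.0")
           for i in range(5)]
    ev += [(0.2 * i, "10.0.0.1", "SIP/2.0 404 Not Found") for i in range(150)]
    return ev


if __name__ == "__main__":
    for ts, src, name in detect(sample_events()):
        print("t=%6.2fs src=%-10s %s" % (ts, src, name))
```

The sweep fires a single "OPTIONS SIP scan" alert at its 30th request and the 404 storm a single 4xx alert at its 100th response; the keepalive never accumulates 30 requests within 3 seconds, so it stays silent.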

Friday, February 8, 2008

SIP, TLS and Asterisk 1.6

Until a few weeks ago, to enable TLS support in Asterisk you had to apply patches to the source code. As of version 1.6, Asterisk will have native TLS support for SIP transport, making it one of the few IP PBX systems out there that support this security feature.

Too many experts suggest encryption as a solution to the VoIP confidentiality issues, but in reality the number of PBXs and IP phones that support it is still very low, and many times it is not a viable solution. However, we hope that this might change.

So - is native SRTP support next on the to do list? ;-)


Monday, February 4, 2008

Most popular topics on SIPVicious blog

Here are the most popular articles or posts published since I opened up the SIPVicious blog (July 2007):
  • The SIPVicious introduction animation - I guess people just dig something that they can just sit back and watch. The 5 minute video takes you through downloading the tool suite, identifying a target and finally cracking a SIP phone extension.
  • svmap usage - shows you how to make use of svmap, which is part of the tool suite, and how each option can be used to scan a target network or just one host.
  • Getting Started - explains how to make use of SIPVicious for the first time. Includes hints on how to quickly set up a test environment with Trixbox (a free PBX Linux distro), identify the PBX with svmap, find out which extensions work with svwar and finally crack the password with svcrack.
  • SIPtap and tapping phone calls - SIPtap generated a lot of buzz, and my comments got a bit of Google traffic simply because everyone seemed to be searching for "siptap download".
  • Server impersonation and SIP and More on INVITEing phones to ring - These two posts described a feature of most SIP devices and softphones which allows anyone that can reach the phone over the network to get it to ring and generate a call. We tested various SIP phones for this and reported back on the blog.
  • How to get the job done - a short fictitious story describing how an internal attacker can make use of SIPVicious tools to launch some interesting attacks on the phone system and use that to elevate his network privileges.
Here are some ideas on upcoming topics of interest:
  • Confidentiality issues which have to do with SIP. This seems to be a very important topic simply because it is the most obvious security hole in most VoIP setups: i.e. sniffing and listening on phone calls.
  • Fingerprinting in SIPVicious - how it works. I'll work on this once I feel that the system is more stable and can be published ;-)
  • Storming SIP Security - an article on hakin9 magazine which should be out real soon. Includes information on various attacks on SIP devices and PBX servers. We also included suggestions on how to mitigate the problems and tips on how to detect attacks with Snort and OSSEC.