Getting phonecalls during the middle of the night on your Asterisk server?

You're not alone. People with malicious intentions are scanning for open SIP servers all the time. Aster1sk from Geekhut.org posted a useful video for those of you using a badly configured FreePBX + Asterisk. I'm sure this will be useful for someone..

VIPER VAST includes SIPVicious

A quick post to refer to the live bootable CD from Viperlabs called VIPER VAST. It's a Linux distribution that includes a good number of tools that can help in a VoIP security assessment. I think I'll be giving this a try next time around. What makes this useful is if you want to quickly have a machine with all the right libraries, drivers and packages installed to be able to run tools such as UCsniff. As for SIPVicious, it doesn't really have many requirements, just python. One can just run SIPVicious on most out of the box Linux and OSX. On windows one would need a python installation such as Activestate's distribution. However I am pleased to see SIPVicious being included. Congratulations to the Viper labs team for this new distro!

VoIP security workshop at BruCON 2009

I'm back in my little island after SEC-T (which had excellent content btw!) but already need to leave again. This time to Brussels for BruCON, and together with Joffrey Czarny, I'll be hosting a workshop solely dedicated to VoIP security auditing.

Joffrey will be focusing on Cisco and other vendors and I'm really looking forward to that! I, on the other hand, will be talking more about freely available software such as Asterisk, Trixbox and X-lite. Here's a small preview of what's to come:

• How to use siplib.py and iax2lib.py (used in VOIPPACK) to build security tools
• We'll build scanners and extension enumeration tools in both SIP and IAX2
• Showing that INVITE flood is just 3 lines of code which can bring down popular VoIP software (and we get to build those 3 lines of code!)
  
• Showing denial of service issues (patched) in Asterisk
• Reproducing the SIP digest leakage in less than 50 lines of code
• Demonstration of web related issues that affect PBX servers
• Show of how IPS systems can actually be harmful in the world of UDP

Looking forward to this .. if you want to join register at this page. Just 5 seats left!

SEC-T in Sweden and SIPVicious update in svn

Its been a while since I updated SIPVicious, mostly because I have been working on SIPVicious 2.0 (being used in VOIPSCANNER.com). However I decided to add a few new options for svmap and svreport to help me with the research for this new presentation I'll be giving on Friday at SEC-T in Stockholm, Sweden.
The presentation is called "Searching for phones on the Internet" and subtitled "Adventures with SIPVicious".

Will be posting more details on the presentation later on, but lets describe the new features in svmap.py:

• -d, --debug , which prints SIP messages received, very handy when you need to watch what's happening in the background
• -I scan1, --inputtext=scan1, allows you to specify a text file containing ranges of IP addresses just like you would on the command line; however instead of putting a space between each range, you should put each range in a separate line
• --first=100, allows you to specify the number of SIP messages to send until svmap quits; this is useful when you have large ranges of IP addresses and you only want to scan the first few thousand addresses; works well with --randomize

Svreport was also updated to support 2 new options:

• stats : allows you to extract some basic statistics from the session files (saved svmap output)
• search : which simply searches through svmap's sessions

To update your copy of SIPVicious run:
hostname:sipviciousdir user$ svn update

Please send me any feedback to [email protected] and let me know if you found these new options useful.

HARrrr - Hacking at random

It's that time of the year, HAR is with us and lots of hackers and other deviants gather to camp (or simply drink with campers) and attend a couple of events. I put up my list of interesting (for me) presentations / events to visit today at the EnableSecurity blog. From the VoIP side, there doesn't seem to be any talks of interest but there's eventphone.de which offers a SIP and IAX2 interface, and some people (French ;-)) who did get involved into VoIP and Security somehow or another.

Lastly if you're around, send me an email.

How law enforcement sees VoIP

While browsing Wikileaks, I came across a document titled "An Overview of VOIP for Law Enforcement, 23 Dec 2008". It reads as a "VoIP explained" document for law enforcement , explaining the basics and the restrictions that law enforcement agencies have when it comes to VoIP. Here's a summary:

• The difference between a traditional phone call and a VoIP phone call is discussed (signals and circuits versus packets)
• With VoIP various devices may be used: software (softphones) installed on a pc, VoIP gateways and IP Phones
• Discussion of caller id spoofing, how it makes it harder for LE to tell if the call is from a VoIP provider or a real number or not (anonymous calls)
  
• Vishing, the act of phishing by involving VoIP
• Actively tracing VoIP calls is almost impossible
• 911 emergency calls or VoIP E911 is mentioned
• There are 4 ways to identify VoIP usage: the Caller ID (which may be spoofed), Phone records (where tracing is similar to tracing the source of email), VoIP hardware (eg. phones connected to ethernet) and VoIP software
• CALEA was updated in 2005 to cover VoIP providers so that LE to allow tapping, recording and tracing of phone calls
• Due to the international nature of the Internet, if the provider is not US-based, then it does not have to comply with these laws or LE requests
  

Scan your public facing PBX with VOIPSCANNER.com

Announcing VOIPSCANNER.com, the SaaS Voice over IP Security scanner. If you're already familiar with SIPVicious, then you can guess what this tool does. This online tool makes it easier than ever to check if the Asterisk box you just installed, or most other SIP PBX servers, is misconfigured and contains weak credentials. Attackers on the 'net are already doing this for their own benefit, don't wait until they hit your PBX!

Using this tool consists of the following steps:

1. Register an account and buy credit (or use the time limited promo SIPV to get some for free)
2. Enter the IP address of your PBX server and scan away
3. Receive a report by email that shows the findings
   

How does it work really?
VoIPScanner.com is making use of the next generation of SIPVicious (2.0) in the background and right now it does the following automatically:

1. Checks if an IP PBX is listening on the given address
2. Does extension enumeration, just like svwar in SIPVicious
3. For each extension found it starts a password cracking attack
   
4. Generate a PDF report such as this one
   

Any feedback or affiliate requests, contact me.

Scanning the Intertubes for VoIP at CONFidence

As I'm writing, plans are being made for my trip to Krakow, Poland for AppSecEU09 (OWASP) and CONFidence. Will be presenting at CONFidence on VoIP security and how it translates to the Internet. It will consist of a sample of the threats that exist out there and are or may be exploited by would be criminals.

What this means is that I'll be describing a healthy dose of SIP and IAX2 abuse together with various live and recorded demos. As usual my Twitter account will be getting some updates as long as I'm conscious and my laptop battery still has some juice left ;-)

Troopers09 & IAX2 support

I will be co-presenting in Munich together with Wendel on Web Application Firewall insecurities and dropping some new tools. If any readers are going to be around the area for Troopers09 next week, drop me a note. Beer is mostly welcome.

My Twitter account will probably be getting a few updates ;-)

As a sidenote.. VOIPPACK now gets IAX2 support, with 3 additional tools. Most notable is IAX2autohack which is very similar to sipautohack but for the Asterisk protocol. The video demo can be found over here.

SaaS VoIP Security Scanning with VOIPSCANNER.com

Apply for a beta code now while its still hot!

What is VOIPSCANNER.com?

VOIPSCANNER.COM makes scanning your public facing IP PBX for security holes easier than ever. No need for desktop applications or any software installation, just enter the IP address of your IP PBX and you will receive a report of what attackers out there might find about your IP PBX.

beta.voipscanner.com demo from Sandro Gauci on Vimeo.

VoIPScanner, SIP Digest Leak tutorial and more!

Check out the tutorial. This security flaw has been getting a bit of attention so I thought of preparing a tutorial on how to use VOIPPACK to demo it. There's the video that I posted earlier on which shows the attack in action. In the tutorial I explain how to do this step by step on a softphone and a hardphone as well.


SIP Digest Leak from Sandro Gauci on Vimeo.

Also started a new project called voipscanner.com which is currently in private beta. If you have an internet facing IP PBX that you'd like to scan, give me a ping ;-) You might just about qualify for the private beta. Public beta will be available later this week or earlier next week.

How to set up a VoIP lab

Just published a tutorial called “How to set up a VoIP lab” which provides easy step-by-step instructions on how to get a VoIP lab up and running. Abstract:

Have you been wondering about what sort of security vulnerabilities apply to the VoIP network that’s coming up in your next assignment but have no equipment to test on yet?
Truth is that most of the times there is no need for a lot of expensive hardware to setup a basic lab for testing VoIP security.

Download the PDF version
Hope this helps!

Late March updates

It's about time that we look at SIPVicious again. If you're making use of the SVN version, please update to the latest svn commit which includes some fixes for bugs that were creating unnecessary traffic.

I'm currently planning on a major update of SIPVicious - email me with your suggestions and VoIP needs please ;-) Cleaner and extensible code guaranteed.

VOIPPACK gets to target IP Phones this month, with 2 major new modules that highlight what can be done to both hardphones and softphones: Ghostcall and "SIP Digest Leak".

Ghostcall might remind some people of the movie "The Omega Man" where all phones ring at the same time. Of course, the phones in the movie are most probably not VoIP phones but could very well be.

Then there's "SIP Digest Leak" that highlights a vulnerability that affects many IP Phones. This tool allows penetration testers and other security dudes to force IP Phones to reveal the digest credentials and possibly recover the password used to access a PBX or a VoIP provider.

More information about these tools was posted the EnableSecurity blog. Actual demonstration videos on the Vimeo account. And here's a clip from "The Omega Man" showing a 70's version of Ghostcall:

How to identify Asterisk servers and upload MOSDEF on AsteriskNOW

Originally posted this on EnableSecurity's blog but cross posting since not everyone is subscribed.


IAX2Scan and AsteriskNOW_Exec - security testing for Asterisk from Sandro Gauci on Vimeo.

Phone phreaks are now using call forwarding features to make free phonecalls!

Actually, they have been doing that for quite a while; say a couple of years. Yet it still works, and we only hear about it when some organization is hit with a hefty phone bill because their PBX server has been abused.

The West Australian is running a feature article on various (undisclosed) cases where PBX systems, some traditional while others are IP-based (and exposed on the Internet) were abused to make phonecalls to foreign countries.

While looking for more information, an article from 2005 showed up which describes what happened to a couple of organizations (hospitals and businesses). The telco companies tend to ask the victim organizations to pay up the phone bill for calls that the phone phreaks made.

But now things are moving more towards the Internet, where attackers can be anywhere in the world and the cost of a packet is much less than that of a phonecall!

VOIPPACK released

Yep its out! Check out the announcement on EnableSecurity. For more information about VOIPPACK refer to the products page.

This video is a demo of sipautohack in action (looks and sounds better than the previous):


Demonstrating sipautohack from Sandro Gauci on Vimeo.

VOIP Scanning on the increase

Various service providers and vendors have noticed an increase in VoIP scanning traffic. Arbor Networks mentioned VoIP attacks as one of their increasing concerns. A Norwegian honeynet detected various INVITE requests trying to get VoIP systems on the internet to dial specific numbers. This scan is for open VOIP relays. VoIP attacks are nothing new really and some people in the telco-fraud business seem to have been around for quite a while. What is new is that they are getting detected more and more (and I'm getting more emails about this) which probably means that the scans are on the increase.

Some traffic is borne from custom tools, probably designed from stage one to conduct fraud. Other traffic is generated by publicly available tools such as SIPVicious. My suggestion is to scan your network with SIPVicious, remove any SIP devices that should not be exposed to the internet. If the VoIP system needs to be exposed, at least make sure the the user extension passwords are not predictable (use svcrack to test this).

Here's some blogs and articles that mentioned SIPVicious scans:

• Belgian network security notes from Arbor networks
• Microsoft: What’s Travelling on the Wire (part 2)

If you came across any such scans or related stories drop me an email.