Embed Size (px)
Citation preview
Con!dence 2009
ENABLESECURITY
Scanning the Intertubes for VOIPTelephony exposed on the ‘net
Con!dence 2009
ENABLESECURITY
whoami
• EnableSecurity
• 9 years old
• SIPVicious and VOIPPACK (for CANVAS)
• Surfjack, Extended HTML Form attack
Con!dence 2009
ENABLESECURITY
next few minutes
• Brief intro to how VoIP is being abused
• Scanning for VoIP systems
• How to fingerprint VoIP systems
• Possibilities for abuse
Con!dence 2009
ENABLESECURITY
VoIP Scanning
• SIP
• IAX2
• H.323
• SCCP
Con!dence 2009
ENABLESECURITY
A primer on SIP
• Text based just like HTTP
• UDP port 5060
• INVITE gets things to buzz and ring
• REGISTER sends phone calls your way
• OPTIONS gives you supported options
Con!dence 2009
ENABLESECURITY
A primer on IAX2
• Binary protocol running on port 4569
• POKE is like ping
• PONG is like er.. pong
• REGREQ is like REGISTER
• REGREJ stands for registration rejected
Con!dence 2009
ENABLESECURITY
VoIP and Cybercrime
• Scans for SIP are on the rise
• News of fraud
• What is happening in the background?
• What tools are they using?
Con!dence 2009
ENABLESECURITY
Scans
OPTIONS sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 0.0.0.0:1498;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rportMax-Forwards: 70To: <sip:[email protected]>From: <sip:[email protected]>;tag=723535DC-E71F-E3D4-D572-2B41E58782E8Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190FCSeq: 1 OPTIONSContact: <sip:@0.0.0.0:1498;transport=udp>Accept: application/sdpContent-Length: 0
Con!dence 2009
ENABLESECURITY
Honeypot
• Some python code put together
• Replies to requests and acts like a registrar
Con!dence 2009
ENABLESECURITY
demo
Con!dence 2009
ENABLESECURITY
SIP Scanning
• OPTIONS is ideal for this
• REGISTER adds value :-)
• Tell between a registrar and an endpoint
Con!dence 2009
ENABLESECURITY
OPTIONS scan
scannerSIP
Registrar
OPTIONS
200 OK
Con!dence 2009
ENABLESECURITY
Con!dence 2009
ENABLESECURITY
Scanning IAX2
scannerAsterisk
Box
POKE
PONG
Con!dence 2009
ENABLESECURITY
Con!dence 2009
ENABLESECURITY
Headers of interest
SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: Asterisk PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0
Con!dence 2009
ENABLESECURITY
Modified User-agent
SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: MyVeryOwn PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0
Con!dence 2009
ENABLESECURITY
Give away
SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: MyVeryOwn PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0
Con!dence 2009
ENABLESECURITY
Give away
SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: MyVeryOwn PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0
Con!dence 2009
ENABLESECURITY
Fingerprinting To Tag
Sipura / Linksys SPA [a-fA-F0-9]{16}i0
Cisco VoIP Gateway [a-fA-F0-9]{6,8}-[a-fA-F0-9]{2,4}
AVM FRITZ!Box [a-fA-F0-9]{16,29}
Con!dence 2009
ENABLESECURITY
Order of headers
SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: xxx voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0
Con!dence 2009
ENABLESECURITY
SIP/2.0 404 Not FoundVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f8a13c4d8bf89f5To: "hello" <sip:[email protected]:5060>;tag=as263e3393Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: xxx asteriskAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replacesAccept: application/sdpContent-Length: 0
Order of headers
Con!dence 2009
ENABLESECURITY
Order of headers
SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipgate voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0
SIP/2.0 404 Not FoundVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f8a13c4d8bf89f5To: "hello" <sip:[email protected]:5060>;tag=as263e3393Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipbox asteriskAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replacesAccept: application/sdpContent-Length: 0
Con!dence 2009
ENABLESECURITY
Order of headers
SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipgate voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0
SIP/2.0 401 UnauthorizedVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-57276;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f2813c40c17866cTo: "hello" <sip:[email protected]:5060>;tag=cfbe3ffc7182a98821d890d5d753dab6.dd37Cseq: 1 REGISTERCall-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663WWW-Authenticate: Digest realm="sipgate.at", nonce=" "Content-Length: 0
Con!dence 2009
ENABLESECURITY
Case for header names
SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipgate voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0
SIP/2.0 401 UnauthorizedVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-57276;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f2813c40c17866cTo: "hello" <sip:[email protected]:5060>;tag=cfbe3ffc7182a98821d890d5d753dab6.dd37Cseq: 1 REGISTERCall-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663WWW-Authenticate: Digest realm="sipgate.at", nonce=" "Content-Length: 0
Con!dence 2009
ENABLESECURITY
Fingerprinting
• Just one packet needed
• To tag
• Headers
• Community effort
Con!dence 2009
ENABLESECURITY
Community effort
• SIPVicious 0.2.3
• Included svlearnfp.py
• Generated regular expressions for to tags
• Generated hashes describing headers
• SIPVicious 2.0 ...
Con!dence 2009
ENABLESECURITY
Interesting facts
• Random scans work pretty well
• ADSL etc FRITZ!Box, Speedtouch
• Asterisk
• Cisco Gateways
Con!dence 2009
ENABLESECURITY
demo
Con!dence 2009
ENABLESECURITY
Introducing REGISTER
• Binds an extension to an IP and port
• Normally requires authentication
• If no password is set it binds without auth
Con!dence 2009
ENABLESECURITY
More interesting facts
• The REGISTER scan
• Dangerous
• Useful for cheap honeypots :-)
Con!dence 2009
ENABLESECURITY
Enumeration of extensions
• Response to a REGISTER for non-existent extension
• A different response indicates that the extension exists
• If the extension has no password it sends a 200 OK
• Otherwise asks for authentication
Con!dence 2009
ENABLESECURITY
*REGISTER 100
REGISTER 101
REGISTER 102
Con!dence 2009
ENABLESECURITY
*404 Not found
200 OK
401 Auth required
Con!dence 2009
ENABLESECURITY
demo
Con!dence 2009
ENABLESECURITY
DDoS using IAX2?
:-) *ACK
ACKREGREJ
REGREQ
Con!dence 2009
ENABLESECURITY
DDoS using IAX2?
}:-) *ACK
REGREJ
REGREQ
Con!dence 2009
ENABLESECURITY
DDoS using IAX2?
}:-) *ACK
REGREJREGREJ
REGREQ
Con!dence 2009
ENABLESECURITY
DDoS using IAX2?
}:-) *REGREQ
ACK
REGREJREGREJ
REGREJ
Con!dence 2009
ENABLESECURITY
DDoS using IAX2?}:-)
*
REGREQ
ACK
REGREJREGREJ
REGREJ
:-/
Con!dence 2009
ENABLESECURITY
DDoS using IAX2?
}:-)
*********:-o
Con!dence 2009
ENABLESECURITY
DDoS using IAX2?
}:-)
*:’-(
********
Con!dence 2009
ENABLESECURITY
Con!dence 2009
ENABLESECURITY
SIP Digest Auth
• REGISTER usually gets a 401 Unauthorized
• INVITE gets a 407 Proxy Authentication
• Challenge response mechanism
• Takes various properties + password
• Nonce, Method, URI
Con!dence 2009
ENABLESECURITY
Digest Leak
INVITE
200 OK
Con!dence 2009
ENABLESECURITY
Digest Leak
BYE
407 Challenge
Con!dence 2009
ENABLESECURITY
demo
Con!dence 2009
ENABLESECURITY
Vulnerable endpoints
• X-lite
• Gizmo5
• Zoiper
Con!dence 2009
ENABLESECURITY
Vulnerable endpoints
• Cisco 7940
• Grandstream GXP*
• Patton Smartlink
• Linksys SPA942
• Fritzbox
Con!dence 2009
ENABLESECURITY
But ...
• There’s no SIP Phones on the ‘net!
• There are ;-)
• The ‘net is full of Fritzbox
• Internal endpoints behind NAT
Con!dence 2009
ENABLESECURITY
More at..
• EnableSecurity.com/research
• Sipvicious.org
• VOIPSA.org
Con!dence 2009
ENABLESECURITY
Shoutouts!
• Sjur at usken.no
• dudes from .mt =)
Con!dence 2009
ENABLESECURITY
Q.A
