Tuesday, September 9, 2008

Upcoming changes in SIPVicious

The following are two updates for the next version of svwar, SIPVicious's PBX extension enumeration tool:
  1. svwar now tries to guess common numbers by default. It scans the following ranges: 1000, 2000 ... 9000; 1001, 2001 ... 9001; 1111, 2222 ... 9999; 11111, 22222 ... 99999; 100-999; 1234, 2345 ... 7890; and so on. This feature tends to identify extensions on many PBX configurations. If you would like to disable it, simply pass the --disabledefaults option to svwar.
  2. svwar now sends ACK responses to SIP responses with code 200, because some PBXes keep resending packets until they receive an acknowledgement.
That's it for now. Please let me know about your experience with the new features. To give the code a try, simply run svn update from the sipvicious directory, or get the latest by running the following:
svn checkout http://sipvicious.googlecode.com/svn/trunk/ sipvicious-read-only

Have fun!


Thursday, November 29, 2007

introduction to svcrack

The purpose of svcrack is very straightforward. This tool launches a password guessing attack against extensions on the SIP registrar. Attackers will be after your SIP passwords because such knowledge allows them to:
  • Get free long distance calls
  • Hijack and spoof phone calls
  • Eat your spaghetti
The most obvious and damaging problem is toll fraud. Traditionally, phone phreaks enjoyed free calls by abusing security flaws within the phone company's system as well as private companies' PABXs. By gaining access to an extension line which can make international calls, an attacker will be able to run up large bills on the victim's account. On the other hand, the social engineering aspect should not be underestimated. Social engineering can be a very effective and reliable method that allows hackers to pull off some of the most interesting (sometimes amusing) attacks ever. From ordering free pizza as someone else, to hijacking the help desk's number and then asking for users' passwords, such attacks rely on human nature and can probably never be totally prevented.

This is how svcrack works:
  1. It starts sending REGISTER requests to register a specific extension line.
  2. In the meantime, the SIP server responds asking for authentication.
  3. The response also contains a nonce, which is a unique number or bit string that should only be used once. This nonce is used as the challenge in the challenge-response mechanism.
  4. svcrack uses the nonce and other properties to compute the challenge response, then sends that back to the server.

svcrack will repeat the above procedure until the password gets cracked and an OK message is received, or until there are no more passwords to try.

During testing, we were able to run at speeds of up to 80 passwords per second, that is 6,912,000 passwords a day. These numbers depend on the SIP registrar and, of course, on a real network, latency and other factors will seriously affect these results. Some registrars allow the attacker to reuse the nonce. This makes the registrar servers vulnerable to replay attacks. This feature is also useful during password cracking, since it can make the process faster. In fact, svcrack has an option which allows auditors to exploit this feature and possibly achieve faster speeds.
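The challenge-response computation described in the four steps above, together with the nonce-reuse problem, as an added example that is not part of the original post or of SIPVicious: the registrar-side verifier below issues one-time nonces and rejects any response that presents a nonce it has already consumed, which is the mitigation against the replay behaviour mentioned. The realm, extension and password are constructed values; the digest is the standard MD5 scheme (no qop) that SIP REGISTER challenges use.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 MD5 digest without qop: MD5(HA1:nonce:HA2).
    This is the value a UA puts in the Authorization header
    after receiving a 401 challenge to its REGISTER."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Minimal registrar-side verifier with single-use nonces.
    A nonce is valid for exactly one verification attempt, so a
    captured Authorization header cannot be replayed."""

    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.credentials = credentials   # extension -> password (constructed)
        self.outstanding = set()         # nonces issued but not yet used

    def challenge(self) -> str:
        """Issue a fresh, unpredictable nonce for a 401 response."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username: str, uri: str, nonce: str, response: str) -> bool:
        """Check the client's digest; consume the nonce whether or not it matches."""
        if nonce not in self.outstanding:
            return False                 # unknown or already-used nonce: replay
        self.outstanding.discard(nonce)  # single use, so a retry needs a new challenge
        password = self.credentials.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password,
                                   "REGISTER", uri, nonce)
        return secrets.compare_digest(expected, response)
```

A registrar that leaves the nonce in `outstanding` after a successful check is the reusable-nonce case the paragraph describes; with the consume-on-use logic above, each guess forces a new round trip.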


Tuesday, September 18, 2007

Microsoft VoIP As You Are

I just saw Microsoft's (relatively) new VoIP ad campaign called "VoIP As You Are". The ads on the MS site are cute, showing two old PBXs having a chat. Apparently you get a different ad every time you click.. so keep clicking ;-)

So what this implies is that Microsoft is taking into account that the bigger companies will find it hard to switch to VoIP if they have to ditch their old system and start a new page. It also means that old vulnerabilities in PBX servers will probably be exposed to the less friendly networks (such as the Internet).
