Thursday, November 29, 2007

introduction to svcrack

The purpose of svcrack is very straightforward. This tool launches a password guessing attack against extensions on the SIP registrar. Attackers will be after your SIP passwords because such knowledge allows them to:
  • Get free long distance calls
  • Hijack and spoof phone calls
  • Eat your spaghetti
The most obvious and damaging problem is toll fraud. Traditionally phone phreaks enjoyed free calls by abusing security flaws within the phone company's system as well as private companies' PABXs. By gaining access to an extension line which can make international calls, an attacker will be able to run up large bills on the victim's account. On the other hand, the social engineering aspect should not be underestimated. Social engineering can be a very effective and reliable method that allows hackers to pull off some of the most interesting (sometimes amusing) attacks ever. From ordering free pizza as someone else, to hijacking the help desk's number and then asking for users' passwords, such attacks rely on human nature and can probably never be totally prevented.

This is how svcrack works:
  1. It starts sending REGISTER requests to register a specific extension line.
  2. In the meantime the SIP server starts responding, asking for authentication.
  3. The response also contains a nonce, which is a unique number or bit string that should only be used once. This nonce is used as the challenge in the challenge-response mechanism.
  4. Svcrack uses the nonce and other properties to compute the challenge response, then sends that back to the server.

Svcrack will repeat the above procedure until the password gets cracked and an OK message is received, or until there are no more passwords to try.

During testing, we were able to run at speeds of up to 80 passwords per second - that is 6,912,000 passwords a day. These numbers depend on the SIP registrar and of course, on a real network, latency and other factors will seriously affect these results. Some registrars allow the attacker to reuse the nonce. This makes the registrar servers vulnerable to replay attacks. This weakness is also useful during password cracking, since it removes a round trip per guess and makes the process faster. In fact, svcrack has an option which allows auditors to exploit this weakness and possibly achieve higher speed.
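The exchange described above, as an added example that is not part of SIPVicious or of the original post: the SIP Digest response computed the way a client does it from the registrar's nonce (RFC 2617 MD5 digest, no qop), next to a minimal registrar that issues random, one-time, short-lived nonces. The registrar side is what closes the nonce-reuse weakness mentioned in the previous paragraph: a nonce is accepted exactly once, so a replayed REGISTER is rejected and every further guess costs the attacker a fresh round trip. The realm, extension, password and timestamps are constructed sample values, and a rejected nonce is reduced to the bare status code (a real registrar would answer 401 with a new challenge and stale=true).

```python
import hashlib
import hmac
import secrets

SIP_URI = "sip:example.test"  # constructed Request-URI of the registrar


def _md5(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response without qop, as used in a SIP REGISTER.

    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). The nonce is the server's challenge.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Toy registrar: each nonce is valid once and only for nonce_ttl seconds."""

    def __init__(self, realm: str, credentials: dict, nonce_ttl: float = 30.0):
        self.realm = realm
        self.credentials = credentials      # extension -> password (constructed)
        self.nonce_ttl = nonce_ttl
        self.issued = {}                    # nonce -> time it was issued
        self.consumed = set()               # nonces already spent on a REGISTER

    def challenge(self, now: float) -> dict:
        """Steps 2 and 3 of the exchange: a 401 carrying a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = now
        return {"status": 401, "realm": self.realm, "nonce": nonce}

    def register(self, username: str, nonce: str, response: str, now: float) -> int:
        """Step 4 as seen by the server: verify the response, return a SIP status."""
        issued_at = self.issued.get(nonce)
        if issued_at is None or nonce in self.consumed or now - issued_at > self.nonce_ttl:
            return 401  # unknown, replayed or stale nonce: client must be re-challenged
        # The nonce is spent whether or not the password is right, so one
        # challenge buys exactly one guess.
        self.consumed.add(nonce)
        password = self.credentials.get(username)
        if password is None:
            return 403
        expected = digest_response(username, self.realm, password, "REGISTER", SIP_URI, nonce)
        return 200 if hmac.compare_digest(expected, response) else 403


def run_exchange() -> list:
    """Walk through the four steps plus a replay; returns the status codes seen."""
    reg = Registrar("example.test", {"100": "correct-horse"})  # constructed credentials
    ch = reg.challenge(now=1000.0)
    good = digest_response("100", ch["realm"], "correct-horse", "REGISTER", SIP_URI, ch["nonce"])
    first = reg.register("100", ch["nonce"], good, now=1001.0)      # 200: valid response
    replay = reg.register("100", ch["nonce"], good, now=1002.0)     # 401: nonce already spent
    ch2 = reg.challenge(now=1000.0)
    bad = digest_response("100", ch2["realm"], "wrong-guess", "REGISTER", SIP_URI, ch2["nonce"])
    wrong = reg.register("100", ch2["nonce"], bad, now=1001.0)      # 403: wrong password
    ch3 = reg.challenge(now=1000.0)
    late = digest_response("100", ch3["realm"], "correct-horse", "REGISTER", SIP_URI, ch3["nonce"])
    stale = reg.register("100", ch3["nonce"], late, now=1100.0)     # 401: nonce expired
    return [first, replay, wrong, stale]


if __name__ == "__main__":
    print(run_exchange())
```

The second result in `run_exchange()` is the point of the example: the same correct response that was accepted a moment earlier is refused when presented again, which is exactly what a registrar that "allows the attacker to reuse the nonce" fails to do.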


Wednesday, November 7, 2007

SIPVicious version 0.2.1 released

Go get it from the usual place.

This is mostly a bug fix release but we still managed to squeeze in some minor features:
  • Session state is now saved
  • svmap supports sending INVITE to particular extensions
If you're on a system with subversion installed, you can simply run "svn update" to receive the latest version. Check out the Changelog to see what changed.


Monday, November 5, 2007

re-INVITE and authentication

The Madynes research team have published details of a way to steal the Digest Authentication response and perform a relay attack.

This is the post on the Voipsa mailing list.

They published the info in a presentation / slideshow form.


Tuesday, October 30, 2007

More on INVITEing phones to ring

This is a follow up on a previous post.

Apart from using a softphone, you can make use of svmap.py (part of SIPVicious tool suite) to reproduce the behavior:
./svmap.py -m INVITE 192.168.1.4 -p5061
Where 192.168.1.4 is the IP of the SIP phone and 5061 is the SIP port of the phone. For a ghost call effect, if you have a network with all SIP phones listening on port 5060, you can just run the following to get them to ring at the same time:
./svmap.py -m INVITE 192.168.1.1/24

Updated list of softphones tested and exhibiting this behavior:
  • WengoPhone **
  • X-lite release 1011b
  • SJPhone 1.65.377a
  • Ekiga 2.0.11 (beta)
  • Yate
  • SIP Communicator
Some VoIP phones (hardware) were also tested and exhibit this behavior as well:
  • GrandStream GXP 2000
  • Grandstream BT100
  • Aastra 480i
  • Aastra 9133i
  • Polycom IP330
  • Cisco CP7940G*
  • Lancom VP 100*
  • Linksys SPA 921*
* Requires a valid extension
** Requires valid extension or no extension


how (not) to get your ex back

Just uploaded a short story showing how an unsolicited user can phone up a victim by knowing (or finding out) the IP and port of the victim's VoIP phone. This story ties in with what we've been discussing in previous blog posts.

You may check out the story here.


Friday, October 12, 2007

XSS in Linksys SPA941

Cross Site Scripting in an IP phone? Of course - it has an HTTP interface!

What's more is that the HTTP interface shows a call history. The call history page makes use of information gathered from the SIP messages themselves to display which numbers tried to call the phone.

This post on the full-disclosure mailing list shows how this feature can be abused: malformed SIP messages are able to inject HTML and script into the web interface itself.

This is a reminder that when data crosses from one format or protocol to another, the code in between needs to make sure that the data is properly escaped. In this case, the HTTP server or the underlying scripts need to escape the missed call entries for HTML special characters.
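The boundary just described, as an added example (not the phone's firmware or any code from the post): a call-history page built from SIP From headers, once in the pattern the post criticises and once with every SIP-derived value escaped at the point it becomes HTML. The From headers are constructed samples; the second one carries markup in its display name, which is the kind of input the full-disclosure post says the phone did not handle.

```python
import html
import re

# Constructed SIP From headers, as an HTTP-enabled phone's missed-call log
# might store them. The second display name contains markup.
SAMPLE_FROM_HEADERS = [
    '"Alice" <sip:100@example.test>;tag=1a2b',
    '"<script>x()</script>" <sip:666@example.test>;tag=3c4d',
]

# display-name (optional, quoted) followed by the SIP URI, angle brackets optional
_FROM_RE = re.compile(r'^\s*(?:"([^"]*)"\s*)?<?(sip:[^>;\s]+)>?')


def parse_from(header: str) -> tuple:
    """Split a SIP From header into (display_name, uri); display name may be ''."""
    m = _FROM_RE.match(header)
    if not m:
        raise ValueError(f"unparseable From header: {header!r}")
    return (m.group(1) or "", m.group(2))


def render_missed_calls_unsafe(headers) -> str:
    """The pattern the post describes: SIP fields pasted straight into HTML."""
    rows = "".join(f"<tr><td>{name}</td><td>{uri}</td></tr>"
                   for name, uri in map(parse_from, headers))
    return f"<table>{rows}</table>"


def render_missed_calls(headers) -> str:
    """Hardened form: every value that came from SIP is HTML-escaped here,
    at the protocol boundary, regardless of what the SIP stack did with it."""
    rows = "".join(f"<tr><td>{html.escape(name)}</td><td>{html.escape(uri)}</td></tr>"
                   for name, uri in map(parse_from, headers))
    return f"<table>{rows}</table>"


def contains_foreign_markup(page: str) -> bool:
    """True if the page carries any tag other than the ones our template emits."""
    allowed = {"table", "/table", "tr", "/tr", "td", "/td"}
    return any(tag not in allowed for tag in re.findall(r"<([^>]+)>", page))


if __name__ == "__main__":
    print("unsafe page carries injected markup:",
          contains_foreign_markup(render_missed_calls_unsafe(SAMPLE_FROM_HEADERS)))
    print("escaped page carries injected markup:",
          contains_foreign_markup(render_missed_calls(SAMPLE_FROM_HEADERS)))
```

`contains_foreign_markup` stands in for the check a tester would do on the rendered page: with the unsafe renderer the display name arrives as a live tag, with the escaped renderer it arrives as `&lt;script&gt;` text that the browser displays rather than runs.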


Tuesday, September 18, 2007

MediaDefender Phone Call was over VoIP

If you're not familiar with the leak, this article on TorrentFreak talks about phone calls between a New York attorney and MediaDefender which were leaked out.

Funnily enough (for some), during the phone call one of the parties says: "what we could do if you wanted, change the port ... change the login, obviously the password, if you guys need to know the password that we're using we can just communicate that by phone. .... If you need to .. anything which is really really sensitive we can just communicate in this [phonecall] fashion".

There were different opinions on how this call was captured. One suggestion floating around the forums is that the VoIP call was recorded by one of the parties (MediaDefender or the NY attorney) and put on a compromised server. Another idea is that the call was sniffed by the attacker.

Whichever way this call was compromised, it shows two things with regard to VoIP communications:
  • Phone traffic now goes over the Internet. Don't assume that your call cannot be intercepted over the Internet; that assumption is very outdated.
  • Encryption definitely has an important place in VoIP security. In this case, it would probably have helped.


Microsoft VoIP As You Are

I just saw Microsoft's (relatively) new VoIP ad campaign called "VoIP As You Are". The ads on the MS site are cute, showing two old PBXs having a chat. Apparently you get a different ad every time you click.. so keep clicking ;-)

So what this implies is that Microsoft is taking into account that the bigger companies will find it hard to switch to VoIP if they have to ditch their old system and start a new page. It also means that old vulnerabilities in PBX servers will probably be exposed to the less friendly networks (such as the Internet).


Tuesday, September 11, 2007

SIPVicious tools in the works

Been working on more features with regards to svmap. Some of these features will find their way into svwar and svcrack as well in the next release. So what features are of interest?
  • Svmap is now session based. This allows us to have the following features:
    • You may stop a current scan, go have a coffee and resume it later.
    • If the power cuts, a natural disaster occurs or anything bad happens, you can resume your scan later because of the autosave feature, provided you survived the accident.
    • Results are now stored in BSD database form. Svreport.py comes in quite handy .. more on this below.
  • You can now pass various types of host ranges to svmap, depending on your (bad) taste and habits. Examples:
    • 1.1.1.1-20 1.1.2-4.1-10
    • 1.1.1.*
    • 1.1.1.1-1.1.2.20
    • sipvicious.org/22
    • 10.0.0.1/24
    • sipvicious.org
  • Random scans. Two kinds of random scans:
    • Internet random - you don't pass svmap any host/ip ranges. It scans the IPs randomly, avoiding those that belong to private networks or reserved address space
    • Random targeted scan. You pass a range of hosts/ips and they are scanned randomly instead of sequentially.
  • Output to an ASCII table when the scan is complete. If you need to see the results instantly, then the verbose option is your friend. Double verbose gives out a lot of debug information.
  • Lots of bug fixes, optimizations and cleaning up ;)
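A parser for the host specifications listed above, written here as an added example (not svmap's own code), so the grammar of those examples is explicit: a plain address, per-octet ranges and wildcards (1.1.1.1-20, 1.1.2-4.1-10, 1.1.1.*), a start-end pair of full addresses (1.1.1.1-1.1.2.20) and CIDR (10.0.0.1/24). It assumes dotted-quad input only; the hostname forms (sipvicious.org, sipvicious.org/22) would need DNS resolution, which this example deliberately refuses rather than doing offline.

```python
import ipaddress
import itertools


def _octet_values(octet: str) -> range:
    """One dotted-quad field: 'n', 'n-m' or '*'."""
    if octet == "*":
        return range(0, 256)
    if "-" in octet:
        lo, hi = (int(x) for x in octet.split("-", 1))
    else:
        lo = hi = int(octet)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet out of range: {octet!r}")
    return range(lo, hi + 1)


def expand_hosts(spec: str) -> list:
    """Expand one svmap-style host spec into a list of dotted-quad strings.

    Hostnames are rejected here (assumption of this example): resolving
    them needs DNS, everything else is pure arithmetic on the spec.
    """
    spec = spec.strip()
    if not spec or spec[0].isalpha():
        raise ValueError(f"hostname forms need DNS and are not expanded here: {spec!r}")
    if "/" in spec:
        # CIDR: strict=False lets 10.0.0.1/24 mean the whole 10.0.0.0/24 block
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    if spec.count(".") == 6 and spec.count("-") == 1:
        # start-end form: walk the integer range between two full addresses
        start, end = (int(ipaddress.IPv4Address(p)) for p in spec.split("-"))
        if start > end:
            raise ValueError(f"range end precedes start: {spec!r}")
        return [str(ipaddress.IPv4Address(n)) for n in range(start, end + 1)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {spec!r}")
    # per-octet form: cartesian product of the four fields, first octet slowest
    fields = [_octet_values(o) for o in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*fields)]


def expand_all(specs) -> list:
    """Expand several specs (as given on one command line), de-duplicated, in order."""
    seen, out = set(), []
    for spec in specs:
        for host in expand_hosts(spec):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out


if __name__ == "__main__":
    # the two space-separated specs from the first example above
    hosts = expand_all(["1.1.1.1-20", "1.1.2-4.1-10"])
    print(len(hosts), hosts[0], hosts[-1])
```

The start-end and per-octet forms are told apart by counting dots: a.b.c.d-e.f.g.h has six, every per-octet form has three. Overlapping specs on one command line collapse in `expand_all`, so a host is never scanned twice.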
Earlier I mentioned svreport.py, which is a new script that will soon be added to the suite. It will grab previous sessions from SIPVicious tools and export them to the following formats:
  • PDF - Portable Document Format
  • XML - Extensible Markup Language
  • CSV - Comma delimited files
  • Text - Human friendly format
That's all for now. If you're curious check out the svn repository. Otherwise version 0.2 is on the way.


Saturday, September 8, 2007

SIP Security with Cullen Jennings of IETF and Cisco

Blue Box podcast has published a very interesting discussion / interview with someone who has a finger in the pie when it comes to SIP. He talks about some real issues when it comes to SIP and VoIP.
