Tuesday, January 6, 2009

VOIP Scanning on the increase

Various service providers and vendors have noticed an increase in VoIP scanning traffic. Arbor Networks mentioned VoIP attacks as one of their increasing concerns. A Norwegian honeynet detected various INVITE requests trying to get VoIP systems on the internet to dial specific numbers. This scan is for open VOIP relays. VoIP attacks are nothing new really and some people in the telco-fraud business seem to have been around for quite a while. What is new is that they are getting detected more and more (and I'm getting more emails about this) which probably means that the scans are on the increase.

Some traffic is borne from custom tools, probably designed from stage one to conduct fraud. Other traffic is generated by publicly available tools such as SIPVicious. My suggestion is to scan your network with SIPVicious and remove any SIP devices that should not be exposed to the internet. If the VoIP system needs to be exposed, at least make sure the user extension passwords are not predictable (use svcrack to test this).

Here's some blogs and articles that mentioned SIPVicious scans:
If you came across any such scans or related stories drop me an email.


Sunday, August 10, 2008

New SIPVicious release 0.2.4

Just updated the release of SIPVicious to 0.2.4 to include a couple of bug fixes in svwar and a new feature. The new "--template" parameter allows you to make use of format strings to create more flexible ranges. Some examples include scanning prefixes or suffixes.. which apparently can be quite useful with certain environments ;-)

Many thanks to Teodor Georgiev for his patience and help in making SIPVicious more robust and reliable!

Here's a link to the full Changelog.

Grab the tarball or the zip file.
To upgrade to the svn version simply run "svn update" as usual - enjoy


Wednesday, June 11, 2008

SIPVicious tools roadmap

I'm looking at improving SIPVicious and would appreciate your input for new features or any possible bug fixes. Send me an email with ideas, or simply leave a comment.

Check my current "to do" list here.


Friday, February 22, 2008

Storming SIP Security

Finally received a copy of the latest hakin9 magazine that includes my article on SIP security. enjoy =)


Monday, February 4, 2008

Most popular topics on SIPVicious blog

Here's the most popular articles or posts published since I opened up SIPVicious blog (July 2007):
  • The SIPVicious introduction animation - I guess people just dig something that they can just sit back and watch. The 5 minute video takes you through the download of the tool suite, identifying a target and up to cracking a SIP phone extension.
  • svmap usage - shows you how to make use of svmap which is part of the tool suite and how each option can be used to scan a target network or just one host.
  • Getting Started - explains how to make use of SIPVicious for the first time. Includes hints on how to quickly set up a test environment with Trixbox (a free PBX linux distro), identify the PBX with svmap, find out which extensions work with svwar and finally crack the password with svcrack.
  • SIPtap and tapping phone calls - SIPtap generated a lot of buzz, and my comments got a bit of google traffic simply because everyone seemed to be searching for "siptap download"
  • Server impersonation and SIP and More on INVITEing phones to ring - These two posts described a feature of most SIP devices and softphones which allow anyone that can reach the phone via network to get it to ring and generate a call. We tested various SIP phones for this and reported back on the blog.
  • How to get the job done - a short fictitious story describing how an internal attacker can make use of SIPVicious tools to launch some interesting attacks on the phone system and use that to elevate his network privileges
Here are some ideas on upcoming topics of interest:
  • Confidentiality issues which have to do with SIP. This seems to be a very important topic simply because it is the most obvious security hole in most VoIP setups: i.e. sniffing and listening on phone calls.
  • Fingerprinting in SIPVicious - how it works. I'll work on this once I feel that the system is more stable and can be published ;-)
  • Storming SIP Security - an article on hakin9 magazine which should be out real soon. Includes information on various attacks on SIP devices and PBX servers. We also included suggestions on how to mitigate the problems and tips on how to detect attacks with Snort and OSSEC.


Wednesday, December 19, 2007

What's brewing on the SIPVicious front

Been quiet for a while, but that does not mean that I've been resting. Instead I've been looking into fingerprinting SIP devices and not relying on the User-agent header to identify a SIP network element's name.

This means that SIPVicious tools will soon be able to guess the name of the device. What's important is that the tools will be able to do this without sacrificing speed and efficiency. Expect more news on this.

Other than that, I'm looking at how to integrate the dns stuff with svmap - things like the SRV records and ENUM.

And.. last but not least.. I've been working on an article for Hakin9 magazine which explains a lot of behind the scenes when it comes to how SIPVicious tool suite works.


Tuesday, December 11, 2007

Password policies for PBX servers

Password policies form an important part of computer security. Unfortunately a large number of VoIP PBX servers do not apply any policies when it comes to authentication. Because of the lack of such security mechanisms, bruteforce attacks are a viable way to attack PBX servers. Svcrack, which is part of the SIPVicious tool suite, demonstrates this.

Of course, vendors and developers should be cautious when implementing features that can cause a denial of service. For example, the Account Lockout policy (available in Microsoft's AD and other systems) allows anyone to deny service to another user. This is not such a good idea especially in the case of something as "real time" as the phone service.

On the other hand, throttling or slowing down authentication might be a solution to limit the chance of attackers guessing the password in a reasonable time. Password complexity should also be enforced to hinder brute-force and dictionary attacks.
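One way to slow down authentication without an account lockout, as an added example (not code from SIPVicious or from any PBX): failed attempts are delayed per source and extension with a capped exponential backoff, so one source's wrong guesses never deny service to the real user of that extension. The class name, the choice of key and the default timings are assumptions.

```python
import time

class AuthThrottle:
    """Slow down repeated failed SIP authentications instead of locking accounts.

    State is keyed on (source IP, extension), so one source's failures never
    delay the legitimate user of that extension registering from elsewhere.
    Class name, key choice and defaults are assumptions for illustration.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, window=900.0,
                 clock=time.monotonic):
        self.base_delay = base_delay  # wait after the first failure (seconds)
        self.max_delay = max_delay    # cap: a source is slowed, never banned
        self.window = window          # idle time after which failures expire
        self.clock = clock
        self._state = {}              # (src_ip, ext) -> (failures, last_ts)

    def _entry(self, key):
        failures, last = self._state.get(key, (0, 0.0))
        if failures and self.clock() - last > self.window:
            del self._state[key]      # stale entry: forget it
            return 0, 0.0
        return failures, last

    def retry_after(self, src_ip, ext):
        """Seconds this source must wait before its next attempt is checked."""
        failures, last = self._entry((src_ip, ext))
        if failures == 0:
            return 0.0
        delay = min(self.base_delay * 2 ** min(failures - 1, 30), self.max_delay)
        return max(0.0, last + delay - self.clock())

    def record(self, src_ip, ext, success):
        """Call after an attempt has actually been checked against the password."""
        key = (src_ip, ext)
        if success:
            self._state.pop(key, None)
        else:
            self._state[key] = (self._entry(key)[0] + 1, self.clock())

def guesses_allowed(seconds, **policy):
    """Wrong guesses one source gets checked in `seconds`, on a simulated clock."""
    now = [0.0]
    throttle = AuthThrottle(clock=lambda: now[0], **policy)
    guesses = 0
    while now[0] <= seconds:
        throttle.record("203.0.113.5", "100", success=False)  # constructed values
        guesses += 1
        now[0] += max(throttle.retry_after("203.0.113.5", "100"), 0.001)
    return guesses
```

With these defaults a single source gets 20 guesses checked in an hour, while a different source authenticating to the same extension sees no delay at all.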


Tuesday, November 20, 2007

introduction to svmap

Svmap is a network scanner for SIP. Similar to nmap - it will scan for devices on ports specified by passing the right command line options. Once svmap finds a device that supports SIP, it will extract information from the response and identify the type of device. Anyone running this tool will typically end up with a list of IP addresses of SIP devices and the names for those devices.

A penetration tester or security auditor will probably find this tool particularly useful especially during reconnaissance. With the IP address, device name and possibly version at hand, he or she can then target security weaknesses specific to that device. A security administrator or security analyst can also make use of svmap to list different active SIP user-agents on the network. Based on this information, the security administrator then has the ability to identify rogue and vulnerable devices which can cause a security concern.

Svmap is able to scan for SIP devices much faster than generic UDP port scanners. Typical port scanners, such as nmap, scan UDP ports by sending a packet to each port and expecting an ICMP packet which indicates that the port is closed. If no ICMP error is received within a reasonable time, the port scanner assumes that the port is either open or else filtered. While this method has worked for years, it can never be considered efficient or neat, for (at least) two reasons:
  • The majority of UDP ports are closed - therefore having to wait for each ICMP error to confirm that the port is closed is not a good idea
  • Nowadays a lot of devices are behind firewalls or NAT and will never reply with an ICMP error
Svmap works by sending a UDP packet containing a SIP request to a range of specified IP addresses, and listing those that send back a valid SIP response. Since UDP is a connectionless protocol, this method can be relatively fast. For example, during testing we were able to identify around 200 SIP devices on one particular network, out of a scan of IP addresses in less than 3 minutes. On the other hand when we scanned the same network with nmap version 4.20 (default options for -sU scan on port 5060), it took longer than 20 minutes at which point we stopped the scan.

For examples on how to use svmap check out the wiki.
Download the whole SIPVicious tool suite from the project page.
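The administrator use described above, as an added example (not svmap's own code): parse the SIP responses collected from a scan of your own network, take the device name from the Server or User-Agent header, and compare it with an approved inventory to surface rogue or unexpected devices. The sample datagrams, addresses, inventory format and function names are constructed for illustration.

```python
import re

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ?(.*)$")

def parse_sip_response(data):
    """Return (status_code, headers) for a SIP response datagram, else None."""
    text = data.decode("utf-8", errors="replace")
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    match = STATUS_LINE.match(lines[0])
    if not match:
        return None                       # answered, but not with SIP
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                           # header names are case-insensitive
            headers.setdefault(name.strip().lower(), value.strip())
    return int(match.group(1)), headers

def device_name(headers):
    """Servers identify in Server, clients in User-Agent; both can be forged."""
    return headers.get("server") or headers.get("user-agent") or "unknown"

def audit(responses, approved):
    """responses: (ip, raw datagram) pairs; approved: {ip: expected name prefix}.
    Returns sorted (ip, reported name, finding) tuples for devices to review."""
    findings = []
    for ip, raw in responses:
        parsed = parse_sip_response(raw)
        if parsed is None:
            continue
        name = device_name(parsed[1])
        expected = approved.get(ip)
        if expected is None:
            findings.append((ip, name, "rogue: not in inventory"))
        elif not name.lower().startswith(expected.lower()):
            findings.append((ip, name, "mismatch: expected " + expected))
    return sorted(findings)

def _resp(status, *headers):
    """Build a constructed sample SIP response datagram."""
    return ("SIP/2.0 " + status + "\r\n" + "\r\n".join(headers) + "\r\n\r\n").encode()

# Constructed sample data (documentation address range), not real scan output.
SAMPLE = [
    ("192.0.2.10", _resp("200 OK", "Via: SIP/2.0/UDP 192.0.2.1:5060", "Server: Asterisk PBX")),
    ("192.0.2.23", _resp("404 Not Found", "USER-AGENT: Grandstream BT100")),
    ("192.0.2.40", _resp("200 OK", "User-Agent: ExampleSoftphone 2.1")),
    ("192.0.2.77", b"\x00\x01not sip"),
]
APPROVED = {"192.0.2.10": "Asterisk", "192.0.2.23": "Cisco"}
```

Because the reported name comes from a header the device controls, treat a match as a hint and a mismatch or unknown address as something to investigate.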


Wednesday, November 7, 2007

SIPVicious version 0.2.1 released

Go get it from the usual place.

This is mostly a bug fix release but we still managed to squeeze in some minor features:
  • Session state is now saved
  • svmap supports sending INVITE to particular extensions
If you're on a system with subversion installed, you can simply run "svn update" to receive the latest version. Check out the Changelog to see what changed.


Saturday, November 3, 2007

SIPVicious 0.2.1 public beta

Just wanted to let you know that v0.2.1 is public beta (meaning that it will be released soon). Go for it (and submit a bug report if you get any bad feelings) ;-)

Changelog:
v0.2.1 (maintenance)
General:
  • Feature: updated the report function to include more information about the system. Python version and operating system is now included in the bug report. option now supports optional feedback.
  • Feature: Store information about the state of a session. Sessions can be complete or incomplete, so that you can resume incomplete sessions but not complete ones.
  • Bug fix: Added a check to make sure that the python version is supported. Anything less than version 2.4 is not supported
  • Bug fix: IP in the SIP msg was being set to localhost when not explicitly set. This is not correct behavior and was fixed. As a result of this behavior some devices, such as Grandstream BT100 were not being detected. Thanks to robert&someone from bulgaria for reporting this
  • Bug fix: fixed a bug in the database which was reported anonymously via the --reportback / -R option. Thanks whoever reported that. Bug concerns the dbm which does not support certain methods supported by other database modules referenced by anydbm. Reproduced on FreeBSD. Thanks to Anthony Williams for help identifying this
  • Bug fix: Ranges of extensions in svwar could not take long numeric extensions (xrange does not support long / large numbers). Thanks to Joern for reporting this
  • Bug fix: svwar was truncating extension names containing certain characters. Fixed.
  • Bug fix: when binding to a specific interface, the IP within the SIP message could be incorrect (when there are multiple interfaces). This has been fixed.
  • Cosmetic: Certain PBXs reply with "603 Declined" when svwar finds that the extension does not exist. This creates extra noise. It is now being suppressed.
That's all folks!


Tuesday, October 23, 2007

How to get the job done - a short story

Just published a short story called "How to get the job done". The plot is a scenario showing how SIPVicious tool suite can possibly be used in a corporate environment by a malicious intern. Hope you guys like my shameless self promotion.


Saturday, October 20, 2007

tshirts and mugs!

Mugs and shirts!
Been struggling with spreadshirt for a while to a shop to get some shirts with the SIPVicious design, without much luck. So I gave up for now, and went ahead and opened a Cafe Press account. Real easy. Visit the "Goodies for SIPVicious" page.


Thursday, October 18, 2007

Wiki updates

We've updated some pages on the wiki:
  • Usage of svmap and svwar with examples on how to use each option
  • Mentions of sipvicious on various media are now being cataloged
  • A Getting Started document - a step by step how to for newbies and the rest of us ;)
  • The FAQ page has been updated to include a disclaimer like answer to the question: "Why did you publish tools that can be used for illegal purposes?"
  • To do list has been updated with some excellent suggestions from sipvicious users.


Thursday, October 11, 2007

On reporting bugs and recent bug fixes

Fixed a couple of bugs in the svn version. For more information check out the Changelog file.

To report any crashes (unhandled exceptions) that you may get, you may make use of the -R or --reportback option. This handles sending of bug report, and if you update to the svn version, allows you to include an optional message and email address.

$ ./svreport somehost.com -R


If the bug is not a crash, you may still contact the author through email, or open an issue.
To update to the latest version, simply run "svn update" in the sipvicious directory if you are on a system with subversion installed (typically Linux or Unix machines).

$ svn update


Monday, October 8, 2007

SIPVicious 0.2 released

After much bug fixing and feature creeping ... we announce SIPVicious tool suite 0.2!

Tarball download
Zip file download

Notable features include:
  • Session support which allows you to resume previous scans as well as store the results in database format
  • Exporting of previous results to various formats: pdf, xml (html), csv and plain text
  • Easy updating by making use of subversion (svn update)
  • Better UI, more intuitive help, clean output and more debug info when needed
  • And my favorite feature: random scanning techniques
I also uploaded a screencast and tutorial on how to use SIPVicious tools to crack an extension on an Asterisk box here. Enjoy


Saturday, October 6, 2007

Ladies and Gentlemen, please welcome

The new SIPVicious logo / mascot.
