SIPVicious

VIPER VAST includes SIPVicious

2009-10-05T08:01:00.000-07:00

A quick post to refer to the live bootable CD from Viperlabs called VIPER VAST. It's a Linux distribution that includes a good number of tools that can help in a VoIP security assessment. I think I'll be giving this a try next time around. What makes this useful is if you want to quickly have a machine with all the right libraries, drivers and packages installed to be able to run tools such as UCsniff. As for SIPVicious, it doesn't really have many requirements, just python. One can just run SIPVicious on most out of the box Linux and OSX. On windows one would need a python installation such as Activestate's distribution. However I am pleased to see SIPVicious being included. Congratulations to the Viper labs team for this new distro!

VoIP security workshop at BruCON 2009

2009-09-17T03:03:00.001-07:00

I'm back in my little island after SEC-T (which had excellent content btw!) but already need to leave again. This time to Brussels for BruCON, and together with Joffrey Czarny, I'll be hosting a workshop solely dedicated to VoIP security auditing.

Joffrey will be focusing on Cisco and other vendors and I'm really looking forward to that! I, on the other hand, will be talking more about freely available software such as Asterisk, Trixbox and X-lite. Here's a small preview of what's to come:

How to use siplib.py and iax2lib.py (used in VOIPPACK) to build security tools
We'll build scanners and extension enumeration tools in both SIP and IAX2
Showing that INVITE flood is just 3 lines of code which can bring down popular VoIP software (and we get to build those 3 lines of code!)
Showing denial of service issues (patched) in Asterisk
Reproducing the SIP digest leakage in less than 50 lines of code
Demonstration of web related issues that affect PBX servers
Show of how IPS systems can actually be harmful in the world of UDP

Looking forward to this .. if you want to join register at this page. Just 5 seats left!

SEC-T in Sweden and SIPVicious update in svn

2009-09-07T06:02:00.001-07:00

Its been a while since I updated SIPVicious, mostly because I have been working on SIPVicious 2.0 (being used in VOIPSCANNER.com). However I decided to add a few new options for svmap and svreport to help me with the research for this new presentation I'll be giving on Friday at SEC-T in Stockholm, Sweden.
The presentation is called "Searching for phones on the Internet" and subtitled "Adventures with SIPVicious".

Will be posting more details on the presentation later on, but lets describe the new features in svmap.py:

-d, --debug , which prints SIP messages received, very handy when you need to watch what's happening in the background
-I scan1, --inputtext=scan1, allows you to specify a text file containing ranges of IP addresses just like you would on the command line; however instead of putting a space between each range, you should put each range in a separate line
--first=100, allows you to specify the number of SIP messages to send until svmap quits; this is useful when you have large ranges of IP addresses and you only want to scan the first few thousand addresses; works well with --randomize

Svreport was also updated to support 2 new options:

stats : allows you to extract some basic statistics from the session files (saved svmap output)
search : which simply searches through svmap's sessions

To update your copy of SIPVicious run:
hostname:sipviciousdir user$ svn update

Please send me any feedback to sandro@enablesecurity.com and let me know if you found these new options useful.

HARrrr - Hacking at random

2009-08-13T07:29:00.000-07:00

It's that time of the year, HAR is with us and lots of hackers and other deviants gather to camp (or simply drink with campers) and attend a couple of events. I put up my list of interesting (for me) presentations / events to visit today at the EnableSecurity blog. From the VoIP side, there doesn't seem to be any talks of interest but there's eventphone.de which offers a SIP and IAX2 interface, and some people (French ;-)) who did get involved into VoIP and Security somehow or another.

Lastly if you're around, send me an email.

How law enforcement sees VoIP

2009-07-27T00:46:00.000-07:00

While browsing Wikileaks, I came across a document titled "An Overview of VOIP for Law Enforcement, 23 Dec 2008". It reads as a "VoIP explained" document for law enforcement , explaining the basics and the restrictions that law enforcement agencies have when it comes to VoIP. Here's a summary:

The difference between a traditional phone call and a VoIP phone call is discussed (signals and circuits versus packets)
With VoIP various devices may be used: software (softphones) installed on a pc, VoIP gateways and IP Phones
Discussion of caller id spoofing, how it makes it harder for LE to tell if the call is from a VoIP provider or a real number or not (anonymous calls)
Vishing, the act of phishing by involving VoIP
Actively tracing VoIP calls is almost impossible
911 emergency calls or VoIP E911 is mentioned
There are 4 ways to identify VoIP usage: the Caller ID (which may be spoofed), Phone records (where tracing is similar to tracing the source of email), VoIP hardware (eg. phones connected to ethernet) and VoIP software
CALEA was updated in 2005 to cover VoIP providers so that LE to allow tapping, recording and tracing of phone calls
Due to the international nature of the Internet, if the provider is not US-based, then it does not have to comply with these laws or LE requests

Scan your public facing PBX with VOIPSCANNER.com

2009-07-17T00:29:00.000-07:00

Announcing VOIPSCANNER.com, the SaaS Voice over IP Security scanner. If you're already familiar with SIPVicious, then you can guess what this tool does. This online tool makes it easier than ever to check if the Asterisk box you just installed, or most other SIP PBX servers, is misconfigured and contains weak credentials. Attackers on the 'net are already doing this for their own benefit, don't wait until they hit your PBX!

Using this tool consists of the following steps:

Register an account and buy credit (or use the time limited promo SIPV to get some for free)
Enter the IP address of your PBX server and scan away
Receive a report by email that shows the findings

How does it work really?
VoIPScanner.com is making use of the next generation of SIPVicious (2.0) in the background and right now it does the following automatically:

Checks if an IP PBX is listening on the given address
Does extension enumeration, just like svwar in SIPVicious
For each extension found it starts a password cracking attack
Generate a PDF report such as this one

Any feedback or affiliate requests, contact me.

Scanning the Intertubes for VoIP at CONFidence

2009-05-10T20:23:00.000-07:00

As I'm writing, plans are being made for my trip to Krakow, Poland for AppSecEU09 (OWASP) and CONFidence. Will be presenting at CONFidence on VoIP security and how it translates to the Internet. It will consist of a sample of the threats that exist out there and are or may be exploited by would be criminals.

What this means is that I'll be describing a healthy dose of SIP and IAX2 abuse together with various live and recorded demos. As usual my Twitter account will be getting some updates as long as I'm conscious and my laptop battery still has some juice left ;-)

Troopers09 & IAX2 support

2009-04-15T07:18:00.000-07:00

I will be co-presenting in Munich together with Wendel on Web Application Firewall insecurities and dropping some new tools. If any readers are going to be around the area for Troopers09 next week, drop me a note. Beer is mostly welcome.

My Twitter account will probably be getting a few updates ;-)

As a sidenote.. VOIPPACK now gets IAX2 support, with 3 additional tools. Most notable is IAX2autohack which is very similar to sipautohack but for the Asterisk protocol. The video demo can be found over here.

SaaS VoIP Security Scanning with VOIPSCANNER.com

2009-04-07T05:47:00.000-07:00

Apply for a beta code now while its still hot!

What is VOIPSCANNER.com?

VOIPSCANNER.COM makes scanning your public facing IP PBX for security holes easier than ever. No need for desktop applications or any software installation, just enter the IP address of your IP PBX and you will receive a report of what attackers out there might find about your IP PBX.

beta.voipscanner.com demo from Sandro Gauci on Vimeo.

VoIPScanner, SIP Digest Leak tutorial and more!

2009-04-01T03:50:00.000-07:00

Check out the tutorial. This security flaw has been getting a bit of attention so I thought of preparing a tutorial on how to use VOIPPACK to demo it. There's the video that I posted earlier on which shows the attack in action. In the tutorial I explain how to do this step by step on a softphone and a hardphone as well.

SIP Digest Leak from Sandro Gauci on Vimeo.

Also started a new project called voipscanner.com which is currently in private beta. If you have an internet facing IP PBX that you'd like to scan, give me a ping ;-) You might just about qualify for the private beta. Public beta will be available later this week or earlier next week.

How to set up a VoIP lab

2009-03-24T07:11:00.000-07:00

Just published a tutorial called “How to set up a VoIP lab” which provides easy step-by-step instructions on how to get a VoIP lab up and running. Abstract:

Have you been wondering about what sort of security vulnerabilities apply to the VoIP network that’s coming up in your next assignment but have no equipment to test on yet?
Truth is that most of the times there is no need for a lot of expensive hardware to setup a basic lab for testing VoIP security.

Download the PDF version
Hope this helps!

Late March updates

2009-03-17T10:17:00.001-07:00

It's about time that we look at SIPVicious again. If you're making use of the SVN version, please update to the latest svn commit which includes some fixes for bugs that were creating unnecessary traffic.

I'm currently planning on a major update of SIPVicious - email me with your suggestions and VoIP needs please ;-) Cleaner and extensible code guaranteed.

VOIPPACK gets to target IP Phones this month, with 2 major new modules that highlight what can be done to both hardphones and softphones: Ghostcall and "SIP Digest Leak".

Ghostcall might remind some people of the movie "The Omega Man" where all phones ring at the same time. Of course, the phones in the movie are most probably not VoIP phones but could very well be.

Then there's "SIP Digest Leak" that highlights a vulnerability that affects many IP Phones. This tool allows penetration testers and other security dudes to force IP Phones to reveal the digest credentials and possibly recover the password used to access a PBX or a VoIP provider.

More information about these tools was posted the EnableSecurity blog. Actual demonstration videos on the Vimeo account. And here's a clip from "The Omega Man" showing a 70's version of Ghostcall:

How to identify Asterisk servers and upload MOSDEF on AsteriskNOW

2009-02-18T06:11:00.000-08:00

Originally posted this on EnableSecurity's blog but cross posting since not everyone is subscribed.

IAX2Scan and AsteriskNOW_Exec - security testing for Asterisk from Sandro Gauci on Vimeo.

Phone phreaks are now using call forwarding features to make free phonecalls!

2009-01-21T10:59:00.000-08:00

Actually, they have been doing that for quite a while; say a couple of years. Yet it still works, and we only hear about it when some organization is hit with a hefty phone bill because their PBX server has been abused.

The West Australian is running a feature article on various (undisclosed) cases where PBX systems, some traditional while others are IP-based (and exposed on the Internet) were abused to make phonecalls to foreign countries.

While looking for more information, an article from 2005 showed up which describes what happened to a couple of organizations (hospitals and businesses). The telco companies tend to ask the victim organizations to pay up the phone bill for calls that the phone phreaks made.

But now things are moving more towards the Internet, where attackers can be anywhere in the world and the cost of a packet is much less than that of a phonecall!

VOIPPACK released

2009-01-06T14:39:00.000-08:00

Yep its out! Check out the announcement on EnableSecurity. For more information about VOIPPACK refer to the products page.

This video is a demo of sipautohack in action (looks and sounds better than the previous):

Demonstrating sipautohack from Sandro Gauci on Vimeo.

VOIP Scanning on the increase

2009-01-06T13:34:00.000-08:00

Various service providers and vendors have noticed an increase in VoIP scanning traffic. Arbor Networks mentioned VoIP attacks as one of their increasing concerns. A Norwegian honeynet detected various INVITE requests trying to get VoIP systems on the internet to dial specific numbers. This scan is for open VOIP relays. VoIP attacks are nothing new really and some people in the telco-fraud business seem to have been around for quite a while. What is new is that they are getting detected more and more (and I'm getting more emails about this) which probably means that the scans are on the increase.

Some traffic is borne from custom tools, probably designed from stage one to conduct fraud. Other traffic is generated by publicly available tools such as SIPVicious. My suggestion is to scan your network with SIPVicious, remove any SIP devices that should not be exposed to the internet. If the VoIP system needs to be exposed, at least make sure the the user extension passwords are not predictable (use svcrack to test this).

Here's some blogs and articles that mentioned SIPVicious scans:

If you came across any such scans or related stories drop me an email.

Introducing EnableSecurity VoIPPack

2008-12-13T01:34:00.000-08:00

EnableSecurity VoIPPack is a pack or addon for Immunity CANVAS that complements this tool with commercial-grade VoIP scanning capabilities. Probably the most intruiguing module currently is sipautohack.

The following is a taster showing sipautohack scanning a target network, identifying PBX server, enumerating the extensions intelligently and finally cracking the password for each extension on the PBX. More demos here.

.

For more information about VoIPPack take a look at the product page. EnableSecurity is currently running a private beta. Apply as a beta tester.

Off to RSA Europe 2008

2008-10-26T03:47:00.001-07:00

I'll be in the UK for the next few days to visit RSA Europe. Will probably be twittering on twitter.com/sandrogauci and updating the sister blog at EnableSecurity where I'll post the list of talks that I'm interested in visiting as soon as I get a chance. And of course - if any readers are around drop me a message ;-)

Analysis of a VoIP Attack

2008-10-24T00:06:00.000-07:00

Klaus Darilion published an interesting paper explaining what happened to German VoIP users and how to mitigate. I suggest that you read this one. Looks like attacks are becoming more and more widespread / mainstream.

Upcoming changes in SIPVicious

2008-09-09T22:24:00.000-07:00

The following are two updates for the next version of SIPVicious's PBX extension enumeration tool svwar:

svwar now tries to guess common numbers by default. It scans for the following ranges: 1000,2000... 9000, 1001, 2001..9001, 1111,2222... 9999, 11111,22222...99999, 100-999, 1234,2345 ..7890 and so on. This feature has a tendency to identify extensions on many PBX configurations. If you would like to disable it simply pass the --disabledefaults option to svwar.
svwar now sends ACK responses to SIP responses with code 200 because some PBXes keep sending packets until they receive an acknowledge.

That's it for now. Please let me know about your experience with the new features. To give the code a try simply run svn update from the sipvicious directory, or gte the latest by running the following:

svn checkout http://sipvicious.googlecode.com/svn/trunk/ sipvicious-read-only

Have fun!

Homeland Security Dept's PBX hacked?

2008-08-21T07:21:00.001-07:00

Ouch! ZDNet have a short article about a misconfigured PBX making 400 calls to some of the hottest countries around: Afghanistan, India, Yemen and Saudi Arabia. Very ugly .. hope that the details emerge. If anyone has more details email me or post here.

Promotional message: SIPVicious is free - test your SIP based PBX before someone else does ;-)

Update: Apparently it consisted of voicemail hacking - you know that thing from the 90s. So no VoIP or SIP involved, just plain old school default pin cracking.

Surf Jack - HTTPS will not save you

2008-08-11T04:07:00.000-07:00

Alert: this is not a VoIP security post. Just a repost from EnableSecurity.

I just released a new paper and tool on the subject of web application security.

Check out the blog post (which includes the bonus video everyone loves), and the proof of concept tool itself.

And if you did not do it already, please subscribe to my other site, EnableSecurity's RSS feed.

New SIPVicious release 0.2.4

2008-08-10T09:32:00.000-07:00

Just updated the release of SIPVicious to 0.2.4 to include a couple of bug fixes in svwar and a new feature. The new "--template" parameter allows you to make use of format strings to create more flexible ranges. Some examples include scanning prefixes or suffixes.. which apparently can be quite useful with certain environments ;-)

Many thanks to Teodor Georgiev for his patience and help in making SIPVicious more robust and reliable!

Here's a link to the full Changelog.

Grab the tarball or the zip file.
To upgrade to the svn version simply run "svn update" as usual - enjoy

Backtrack 3 out - with VoIP security tools

2008-06-20T05:40:00.000-07:00

The final Backtrack 3 is out and it features some VoIP tools in the /pentest directory:

SIPVicious (guess you know by now what this is about :)
Voiper - a SIP fuzzing toolkit which aims at identifying flaws in VoIP products that do SIP and SDP.
Sipbomber - a SIP testing tool which has test cases that are run against SIP enabled software / devices
SIP Rogue - allows application level man in the middle (MITM) attacks on SIP devices.

In the $PATH one can find:

VoIP Hopper - allows one to hop between VLANS.
VOIPONG - a Voice over IP sniffer - will record any phone calls that it sees.
sipdump / sipcrack - an offline password cracker for the digest authentication used by SIP

Tools that were previously found in Backtrack 2 are described on the tools page.

Grab Backtrack from the official site.

Ladies and Gentlemen please welcome..

2008-06-17T01:10:00.000-07:00

EnableSecurity! I will be publishing my security research and rants as well as providing Security Consultancy, Research and Design. A brief "who am I" can be seen at the Linkedin Profile page, while Google has further details.

So what sort of things am I doing?

Wireless security auditing
Web Application Security
VoIP security research
Reverse Engineering

I'll continue developing SIPVicious and publish additional tools to help security professionals get the job done.

And one more thing - I suggest that you subscribe to the RSS as I shall be releasing some research later on this week.