SIPVicious

Scanning the Intertubes for VoIP at CONFidence

2009-05-10T20:23:00.000-07:00

As I'm writing, plans are being made for my trip to Krakow, Poland for AppSecEU09 (OWASP) and CONFidence. Will be presenting at CONFidence on VoIP security and how it translates to the Internet. It will consist of a sample of the threats that exist out there and are or may be exploited by would be criminals.

What this means is that I'll be describing a healthy dose of SIP and IAX2 abuse together with various live and recorded demos. As usual my Twitter account will be getting some updates as long as I'm conscious and my laptop battery still has some juice left ;-)

Troopers09 & IAX2 support

2009-04-15T07:18:00.000-07:00

I will be co-presenting in Munich together with Wendel on Web Application Firewall insecurities and dropping some new tools. If any readers are going to be around the area for Troopers09 next week, drop me a note. Beer is mostly welcome.

My Twitter account will probably be getting a few updates ;-)

As a sidenote.. VOIPPACK now gets IAX2 support, with 3 additional tools. Most notable is IAX2autohack which is very similar to sipautohack but for the Asterisk protocol. The video demo can be found over here.

SaaS VoIP Security Scanning with VOIPSCANNER.com

2009-04-07T05:47:00.000-07:00

Apply for a beta code now while its still hot!

What is VOIPSCANNER.com?

VOIPSCANNER.COM makes scanning your public facing IP PBX for security holes easier than ever. No need for desktop applications or any software installation, just enter the IP address of your IP PBX and you will receive a report of what attackers out there might find about your IP PBX.

beta.voipscanner.com demo from Sandro Gauci on Vimeo.

VoIPScanner, SIP Digest Leak tutorial and more!

2009-04-01T03:50:00.000-07:00

Check out the tutorial. This security flaw has been getting a bit of attention so I thought of preparing a tutorial on how to use VOIPPACK to demo it. There's the video that I posted earlier on which shows the attack in action. In the tutorial I explain how to do this step by step on a softphone and a hardphone as well.

SIP Digest Leak from Sandro Gauci on Vimeo.

Also started a new project called voipscanner.com which is currently in private beta. If you have an internet facing IP PBX that you'd like to scan, give me a ping ;-) You might just about qualify for the private beta. Public beta will be available later this week or earlier next week.

How to set up a VoIP lab

2009-03-24T07:11:00.000-07:00

Just published a tutorial called “How to set up a VoIP lab” which provides easy step-by-step instructions on how to get a VoIP lab up and running. Abstract:

Have you been wondering about what sort of security vulnerabilities apply to the VoIP network that’s coming up in your next assignment but have no equipment to test on yet?
Truth is that most of the times there is no need for a lot of expensive hardware to setup a basic lab for testing VoIP security.

Download the PDF version
Hope this helps!

Late March updates

2009-03-17T10:17:00.001-07:00

It's about time that we look at SIPVicious again. If you're making use of the SVN version, please update to the latest svn commit which includes some fixes for bugs that were creating unnecessary traffic.

I'm currently planning on a major update of SIPVicious - email me with your suggestions and VoIP needs please ;-) Cleaner and extensible code guaranteed.

VOIPPACK gets to target IP Phones this month, with 2 major new modules that highlight what can be done to both hardphones and softphones: Ghostcall and "SIP Digest Leak".

Ghostcall might remind some people of the movie "The Omega Man" where all phones ring at the same time. Of course, the phones in the movie are most probably not VoIP phones but could very well be.

Then there's "SIP Digest Leak" that highlights a vulnerability that affects many IP Phones. This tool allows penetration testers and other security dudes to force IP Phones to reveal the digest credentials and possibly recover the password used to access a PBX or a VoIP provider.

More information about these tools was posted the EnableSecurity blog. Actual demonstration videos on the Vimeo account. And here's a clip from "The Omega Man" showing a 70's version of Ghostcall:

How to identify Asterisk servers and upload MOSDEF on AsteriskNOW

2009-02-18T06:11:00.000-08:00

Originally posted this on EnableSecurity's blog but cross posting since not everyone is subscribed.

IAX2Scan and AsteriskNOW_Exec - security testing for Asterisk from Sandro Gauci on Vimeo.

Phone phreaks are now using call forwarding features to make free phonecalls!

2009-01-21T10:59:00.000-08:00

Actually, they have been doing that for quite a while; say a couple of years. Yet it still works, and we only hear about it when some organization is hit with a hefty phone bill because their PBX server has been abused.

The West Australian is running a feature article on various (undisclosed) cases where PBX systems, some traditional while others are IP-based (and exposed on the Internet) were abused to make phonecalls to foreign countries.

While looking for more information, an article from 2005 showed up which describes what happened to a couple of organizations (hospitals and businesses). The telco companies tend to ask the victim organizations to pay up the phone bill for calls that the phone phreaks made.

But now things are moving more towards the Internet, where attackers can be anywhere in the world and the cost of a packet is much less than that of a phonecall!

VOIPPACK released

2009-01-06T14:39:00.000-08:00

Yep its out! Check out the announcement on EnableSecurity. For more information about VOIPPACK refer to the products page.

This video is a demo of sipautohack in action (looks and sounds better than the previous):

Demonstrating sipautohack from Sandro Gauci on Vimeo.

VOIP Scanning on the increase

2009-01-06T13:34:00.000-08:00

Various service providers and vendors have noticed an increase in VoIP scanning traffic. Arbor Networks mentioned VoIP attacks as one of their increasing concerns. A Norwegian honeynet detected various INVITE requests trying to get VoIP systems on the internet to dial specific numbers. This scan is for open VOIP relays. VoIP attacks are nothing new really and some people in the telco-fraud business seem to have been around for quite a while. What is new is that they are getting detected more and more (and I'm getting more emails about this) which probably means that the scans are on the increase.

Some traffic is borne from custom tools, probably designed from stage one to conduct fraud. Other traffic is generated by publicly available tools such as SIPVicious. My suggestion is to scan your network with SIPVicious, remove any SIP devices that should not be exposed to the internet. If the VoIP system needs to be exposed, at least make sure the the user extension passwords are not predictable (use svcrack to test this).

Here's some blogs and articles that mentioned SIPVicious scans:

If you came across any such scans or related stories drop me an email.

Introducing EnableSecurity VoIPPack

2008-12-13T01:34:00.000-08:00

EnableSecurity VoIPPack is a pack or addon for Immunity CANVAS that complements this tool with commercial-grade VoIP scanning capabilities. Probably the most intruiguing module currently is sipautohack.

The following is a taster showing sipautohack scanning a target network, identifying PBX server, enumerating the extensions intelligently and finally cracking the password for each extension on the PBX. More demos here.

.

For more information about VoIPPack take a look at the product page. EnableSecurity is currently running a private beta. Apply as a beta tester.

Off to RSA Europe 2008

2008-10-26T03:47:00.001-07:00

I'll be in the UK for the next few days to visit RSA Europe. Will probably be twittering on twitter.com/sandrogauci and updating the sister blog at EnableSecurity where I'll post the list of talks that I'm interested in visiting as soon as I get a chance. And of course - if any readers are around drop me a message ;-)

Analysis of a VoIP Attack

2008-10-24T00:06:00.000-07:00

Klaus Darilion published an interesting paper explaining what happened to German VoIP users and how to mitigate. I suggest that you read this one. Looks like attacks are becoming more and more widespread / mainstream.

Upcoming changes in SIPVicious

2008-09-09T22:24:00.000-07:00

The following are two updates for the next version of SIPVicious's PBX extension enumeration tool svwar:

svwar now tries to guess common numbers by default. It scans for the following ranges: 1000,2000... 9000, 1001, 2001..9001, 1111,2222... 9999, 11111,22222...99999, 100-999, 1234,2345 ..7890 and so on. This feature has a tendency to identify extensions on many PBX configurations. If you would like to disable it simply pass the --disabledefaults option to svwar.
svwar now sends ACK responses to SIP responses with code 200 because some PBXes keep sending packets until they receive an acknowledge.

That's it for now. Please let me know about your experience with the new features. To give the code a try simply run svn update from the sipvicious directory, or gte the latest by running the following:

svn checkout http://sipvicious.googlecode.com/svn/trunk/ sipvicious-read-only

Have fun!

Homeland Security Dept's PBX hacked?

2008-08-21T07:21:00.001-07:00

Ouch! ZDNet have a short article about a misconfigured PBX making 400 calls to some of the hottest countries around: Afghanistan, India, Yemen and Saudi Arabia. Very ugly .. hope that the details emerge. If anyone has more details email me or post here.

Promotional message: SIPVicious is free - test your SIP based PBX before someone else does ;-)

Update: Apparently it consisted of voicemail hacking - you know that thing from the 90s. So no VoIP or SIP involved, just plain old school default pin cracking.

Surf Jack - HTTPS will not save you

2008-08-11T04:07:00.000-07:00

Alert: this is not a VoIP security post. Just a repost from EnableSecurity.

I just released a new paper and tool on the subject of web application security.

Check out the blog post (which includes the bonus video everyone loves), and the proof of concept tool itself.

And if you did not do it already, please subscribe to my other site, EnableSecurity's RSS feed.

New SIPVicious release 0.2.4

2008-08-10T09:32:00.000-07:00

Just updated the release of SIPVicious to 0.2.4 to include a couple of bug fixes in svwar and a new feature. The new "--template" parameter allows you to make use of format strings to create more flexible ranges. Some examples include scanning prefixes or suffixes.. which apparently can be quite useful with certain environments ;-)

Many thanks to Teodor Georgiev for his patience and help in making SIPVicious more robust and reliable!

Here's a link to the full Changelog.

Grab the tarball or the zip file.
To upgrade to the svn version simply run "svn update" as usual - enjoy

Backtrack 3 out - with VoIP security tools

2008-06-20T05:40:00.000-07:00

The final Backtrack 3 is out and it features some VoIP tools in the /pentest directory:

SIPVicious (guess you know by now what this is about :)
Voiper - a SIP fuzzing toolkit which aims at identifying flaws in VoIP products that do SIP and SDP.
Sipbomber - a SIP testing tool which has test cases that are run against SIP enabled software / devices
SIP Rogue - allows application level man in the middle (MITM) attacks on SIP devices.

In the $PATH one can find:

VoIP Hopper - allows one to hop between VLANS.
VOIPONG - a Voice over IP sniffer - will record any phone calls that it sees.
sipdump / sipcrack - an offline password cracker for the digest authentication used by SIP

Tools that were previously found in Backtrack 2 are described on the tools page.

Grab Backtrack from the official site.

Ladies and Gentlemen please welcome..

2008-06-17T01:10:00.000-07:00

EnableSecurity! I will be publishing my security research and rants as well as providing Security Consultancy, Research and Design. A brief "who am I" can be seen at the Linkedin Profile page, while Google has further details.

So what sort of things am I doing?

Wireless security auditing
Web Application Security
VoIP security research
Reverse Engineering

I'll continue developing SIPVicious and publish additional tools to help security professionals get the job done.

And one more thing - I suggest that you subscribe to the RSS as I shall be releasing some research later on this week.

SIPVicious tools roadmap

2008-06-11T08:06:00.000-07:00

I'm looking at improving SIPVicious and would appreciate your input for new features or any possible bug fixes. Send me an email with ideas, or simply leave a comment.

Check my current "to do" list here.

SIPVicious version 0.2.3 with fingerprinting and dns goodies

2008-06-03T05:37:00.000-07:00

Just posted a new version of SIPVicious v0.2.3. This includes some new features as well as bug fixes. However be warned - bugs have been invariably introduced in the course of adding these new features, so please help me test it out ;-)

Here's the link you've been looking for.

From the Changelog:

v0.2.3

Feature: Fingerprinting support for svmap. Included fphelper.py and 3 databases used for fingerprinting.
Feature: Added svlearnfp.py which allows one to add new signatures to db and send them to the author.
Feature: Added DNS SRV check to svmap. Use ./svmap.py --srv domainname.com to give it a try

v0.2.svn

Feature: added the ability for svreport to count results when doing a list
Bug fix: fixed a bug related to resuming a scan which does not have an extension

VoIP and identity fraud on the BBC

2008-05-15T02:37:00.000-07:00

The BBC News is running an article highlighting one of the most basic vulnerabilities in the majority of current VoIP providers - the lack of encryption. Indeed, this is a problem since SIP passes an md5 hash of the password as clear text and therefore anyone watching the traffic can perform an offline attack and quickly recover the credentials. The attack has been described in countless blogs, articles and papers by now and some tools are very efficient in demonstrating this issue.

What caught my eye is the mention of VoIP credentials being sold on the underground 17$ a piece. So I emailed Mr Gladwin who was quoted in the article. This is a summary of our email conversations:

There is no indication that stolen VoIP details were harvested because of the lack of encryption
If anyone comes across underground forums / sites / resources which have prices please let me know. Unfortunately Dave Gladwin was not able to provide me with a reference (until now)
There was no indication as to the size or volume of the VoIP credentials trading

Skype took the chance to remind us that this is not an issue for then (since they make use of a proprietary protocol which has encryption built-in).

I'm interested in learning which method is being used to steal credentials. Take your pick:

Sniffing at WiFi internet cafe's / hacked service providers etc and offline password attacks
Active password attacks (such as those supported by SIPVicious svcrack). Such attacks have been previously used by Robert Moore and obviously others which were not caught ;-)
Hacked VoIP service providers or end users
Phishing attacks

My feeling is that active password attacks will give you the best results when the target is simply "the Internet". But in the end, what matters is what's being currently abused and how we can prevent and mitigate.

Update: Dave Gladwin updated the Newport Networks Blog to provide more details on the subject.

Defcon 15 videos - VoIP related talks

2008-05-02T10:13:00.000-07:00

Just in case anyone missed Defcon 15 (like I did), here's two talks of interest with relation to VoIP:

T210: INTERSTATE: A Stateful Protocol Fuzzer for SIP by Ian G. Harris
T442: Real-time Steganography with RTP by |)ruid

For the rest of the videos check out this list.

Thanks for Anthony of Iron::Guard for the pointer.

OSSEC v1.5 now has builtin Asterisk rules

2008-05-02T01:05:00.000-07:00

A new OSSEC version has been released. Along with a number of updates, OSSEC now includes the Asterisk rules that were first published in my hakin9 article and then here. The rest of the updates are described in the Changelog.

Grab it now.

Infosec Europe 2008

2008-04-22T07:03:00.000-07:00

If anyone's going to be at Infosec Europe tomorrow or the next day and would like to have a chat (and maybe offer a beer), contact me.

Time to update twitter