Signaling and Media: IAX Security 101

In addition to passive attacks, IAX is also vulnerable to pre-computed dictionary attacks. Pre-computed attacks require the attacker to take a single challenge and concatenate it with a list of passwords to create a long list of MD5 hashes. Once a list of pre-computed hashes has been created, the attacker takes the same challenge that was used to create all the hashes and issues it to an IAX client endpoint. In order for the attack to work, the victim must already have sent an authentication request packet to the Asterisk server. The attacker then spoofs the response by using the IP address of the Asterisk server, then sends a packet using her own challenge before the real challenge packet from the Asterisk server reaches the client. Additionally, to ensure that the attacker's spoofed packet (using the source IP of the Asterisk server) reaches the victim first, the attacker can create a packet in which the sequence information is low enough for the victim to assume it should be processed before any other challenge packet with a higher sequence number. This will guarantee that the attacker's challenge will be used by the endpoint to create the MD5 authentication hash. When the endpoint receives the challenge from the attacker, it will respond with an MD5 hash derived from the attacker's challenge and its own password. To complete the attack, the attacker simply matches the hash sent by the endpoint to a pre-computed hash created by the attacker. Once the attacker finds a match, the password has been compromised.
A way to carry out this attack is to concatenate 101320040 with every word in the English dictionary, which would create a list of pre-computed hashes. Once the list has been created, the only step the attacker needs to complete is to send a packet to the endpoint with the challenge of 101320040. When the endpoint receives the challenge, it will send the MD5 hash over the network. The attacker can simply sniff the response and compare it with the pre-computed list. Once one of the pre-computed MD5 hashes has been matched to the hash captured from the target, the attacker knows the password. Figure 5-7 shows an example of the pre-computed attack using active packet injection.
Figure 5-7: Pre-computed dictionary attack
Notice in Figure 5-7 that the attacker has created a list of pre-computed hashes based on the challenge of 101320040 (shown at the lower left). When the attacker injects that challenge during the endpoint's authentication process, the client creates an MD5 hash using the attacker's challenge. Unlike the passive dictionary attack, wherein the attacker needs to brute-force the password, once the attacker sniffs the MD5 hash over the network, she can simply match the sniffed MD5 hash to one of the pre-computed MD5 hashes. If a match appears, the attacker has just obtained the endpoint's password.
Text shown in Figure 5-7:

  Asterisk                 IAX Endpoint
  Auth Request Challenge: 101320040
  MD5 Hash: 71e8b2ed19d87e9370c2b1d82166cc12
  (101320040 + Password) = 71e8b2ed19d87e9370c2b1d82166cc12
  Attacker Injected Challenge: 101320040

  Pre-Computed Hashes with the challenge of 101320040:
  (101320040 + Hello)       = 77acb0c549a53c8be92ff38de16f493e
  (101320040 + My)          = fecb10cf2c5d9f04c1c73e4edc3615e7
  (101320040 + Name)        = 7f80c21d76a2588199d2def80b47b48b
  (101320040 + Is)          = 89648df42ef87879555fcefd6edc1a80
  (101320040 + Sonia)       = 6cd833257c34b4a993a29a1bc877b49b
  (101320040 + 123voiptest) = 71e8b2ed19d87e9370c2b1d82166cc12
  Sniffed MD5 Hash: 71e8b2ed19d87e9370c2b1d82166cc12

In order to demonstrate this issue, the co-author of this chapter (Zane Lackey) has written a tool in Python called vnak (downloadable from http://www.isecpartners.com/tools.html). Vnak is a tool that can perform many attacks, including a pre-computed dictionary attack (using option 1). Vnak will force a vulnerable endpoint to create an MD5 authentication hash using a challenge sent by an attacker instead of a legitimate server.
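The attack leaves two traces a monitor can look for: the endpoint sees two different challenges for one call (the injected one and the real one), and the same challenge is presented to many calls because the pre-computed list is tied to one value. The following detection sketch is an added example written for this chapter, not part of vnak or Asterisk; the event tuples, IP addresses, challenges other than 101320040 and the server-side issued list are constructed sample data, and the tuple layout is an assumption rather than the IAX wire format.

```python
from collections import defaultdict

# Constructed sample: AUTHREQ challenges as seen from the client side, each as
# (call_id, claimed_source_ip, challenge). Not captured traffic.
CLIENT_AUTHREQS = [
    ("call-1", "192.0.2.10", "101320040"),  # injected challenge, arrives first
    ("call-1", "192.0.2.10", "482913775"),  # real challenge from Asterisk
    ("call-2", "192.0.2.10", "101320040"),  # same injected challenge reused
    ("call-3", "192.0.2.10", "907311248"),
    ("call-4", "192.0.2.10", "101320040"),
]

# Constructed sample: (call_id, challenge) pairs the real server at 192.0.2.10
# actually issued, taken from the server's own view.
SERVER_ISSUED = {("call-1", "482913775"), ("call-2", "613204958"),
                 ("call-3", "907311248"), ("call-4", "225890017")}


def calls_with_multiple_challenges(events):
    """Call IDs that received more than one distinct challenge: the endpoint
    saw both the attacker's packet and the server's real one."""
    seen = defaultdict(set)
    for call_id, _src, challenge in events:
        seen[call_id].add(challenge)
    return sorted(c for c, chals in seen.items() if len(chals) > 1)


def reused_challenges(events, min_calls=2):
    """Challenges presented to min_calls or more distinct calls. A legitimate
    server picks a fresh challenge per call; a pre-computed list reuses one."""
    calls = defaultdict(set)
    for call_id, _src, challenge in events:
        calls[challenge].add(call_id)
    return sorted(ch for ch, ids in calls.items() if len(ids) >= min_calls)


def challenges_not_issued_by_server(events, issued):
    """Challenges the client accepted that the server log shows it never sent,
    which is what a packet spoofing the server's source IP looks like."""
    return sorted({ch for call_id, _src, ch in events if (call_id, ch) not in issued})


if __name__ == "__main__":
    print(calls_with_multiple_challenges(CLIENT_AUTHREQS))                 # ['call-1']
    print(reused_challenges(CLIENT_AUTHREQS))                              # ['101320040']
    print(challenges_not_issued_by_server(CLIENT_AUTHREQS, SERVER_ISSUED)) # ['101320040']
```

The third check needs both the client-side capture and the server's own record of issued challenges; the first two work from the client-side capture alone.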
Targeted attack
To test vnak in targeted attack mode, you can use the example command shown here:
python vnak.py -e -a 1 ServerIP
Using this syntax, vnak sends a pre-computed challenge to its target. The target then receives the pre-computed challenge, combines it with its password, and sends the resulting MD5 hash back over the network. The attacker then views this hash over the network and uses it to carry out a dictionary attack. The dictionary attack is greatly improved over the offline attack because the attacker already has a list of MD5 hashes that have been created with the pre-computed challenge and various passwords. It should be noted that vnak can perform many other attacks described in this chapter and other chapters, using the following flags: