
In addition to an offline dictionary attack, SIP is also vulnerable to a man-in-the-middle attack, as shown in Figure 2-9. This attack uses ARP cache poisoning or DNS spoofing techniques to allow the attacker to get between a SIP server and the legitimate SIP User Agent. Once the attacker is routing traffic between the two legitimate entities, he can perform a man-in-the-middle attack and authenticate to the SIP server without knowing a valid username and password. Authenticating to the SIP server significantly increases the attack surface of a SIP implementation.

During the attack, as shown in Figure 2-9, the attacker monitors the network to identify when SIP User Agents send authentication requests to the SIP server. When the authentication request occurs (step 1), he intercepts the packets and prevents them from reaching the real SIP server. He then sends his own authentication request to the SIP server (step 2).

Using the challenge/response method for authentication, the SIP server sends a nonce to the attacker (step 3). The attacker receives the nonce and then sends the same nonce to the legitimate User Agent, who was attempting to authenticate originally (step 4). The legitimate User Agent, believing the attacker is the actual SIP server, then sends the attacker a valid MD5 hash value derived from the real password and the SIP server’s nonce (step 5). Once the attacker has the valid MD5 digest hash value from the legitimate User Agent, he forwards the hash to the SIP server as his own response and successfully authenticates (step 6).

Figure 2-9: Man-in-the-middle attack with SIP authentication
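An added example, not from the book, of why step 6 succeeds: the Digest response depends only on the credentials, the nonce, the method and the request URI, so a registrar that verifies it learns nothing about which endpoint actually transmitted it. The username, realm, password, nonce and URI below are constructed; the countermeasure is to authenticate the server to the User Agent (SIPS over TLS) so the phone never answers a challenge relayed by a third party.

```python
import hashlib
import hmac

# Constructed credentials and challenge for this example; they are not the
# values shown in the book's Figure 2-9.
USERNAME, REALM, PASSWORD = "sonia", "192.168.2.102", "example-password"
METHOD, URI = "REGISTER", "sip:192.168.2.102"
SERVER_NONCE = "350c0fec6a1b"  # nonce the server issues in step 3


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, nonce, method, uri) -> str:
    """Digest response as computed by the User Agent (RFC 2617 without qop,
    which RFC 3261 permits): MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1, nonce, method, uri, response) -> bool:
    """Registrar-side check. Note what is NOT an input: the address or
    transport association the response arrived on."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


def relay_scenario() -> bool:
    """Steps 3 to 6 of Figure 2-9: the UA answers a nonce it believes came
    from the server; the same string, forwarded unchanged, verifies."""
    stored_ha1 = md5_hex(f"{USERNAME}:{REALM}:{PASSWORD}")  # server's H(A1)
    # Steps 4 and 5: the legitimate UA computes the response for the relayed nonce
    ua_response = digest_response(USERNAME, REALM, PASSWORD, SERVER_NONCE, METHOD, URI)
    # Step 6: forwarded verbatim; the registrar cannot tell who sent it
    relayed_response = ua_response
    return server_verify(stored_ha1, SERVER_NONCE, METHOD, URI, relayed_response)
```

A response computed for a different nonce fails verification, so the nonce does prevent replay across challenges; it does not bind the response to the sender.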

Registration Hijacking

Registration hijacking belongs to an old class of attacks but still works in many newer technologies, such as VoIP. The attack takes advantage of a User Agent’s ability to modify the Contact field in the SIP header.

[Figure 2-9 diagram: SIP Server, SIP User Agent and Attacker; 1. Auth Request, 2. Auth Request, 3. Nonce: 350c0fec, 4. Nonce: 350c0fec, 5. MD5: fc7131a20c49c3d96ba3e2e27d27, 6. MD5: fc7131a20c49c3d96ba3e2e27d27, 7. Authenticated!; intercepted communication versus actual communication]

NOTE Spoofing the identity of a user is nothing new; attackers have been spoofing emails in SMTP mail messages for many years. The same idea applies to SIP REGISTER or INVITE messages, where a user can modify the Contact field in the SIP header and claim to be another User Agent.

When a User Agent registers with a SIP Registrar, many things are registered, including the User Agent’s point of contact information. The point of contact information, listed in the Contact field in the SIP header, contains the IP address of the User Agent. This information allows SIP Proxy servers to forward INVITE requests to the correct hard phone or soft phone via the IP address. For example, if Sonia wanted to talk to Kusum, the Proxy servers in both networks would have to have the contact information in order to locate each of them. Figure 2-10 shows a sample registration request from the SIP User Agent called Sonia (notice the Contact field for the user).

Figure 2-10: SIP registration request

As Figure 2-10 shows, the SIP REGISTER request carries no cryptographic protection. This opens the door for attackers to spoof the registration request and hijack the identities of SIP User Agents.

In order to hijack the registration of a SIP User Agent, an attacker can submit the same registration request packet shown previously but modify the Contact field in the SIP header and insert her own IP address. For example, if an attacker named Raina wanted to hijack the registration of a user called Sonia, she would replace the Contact field, which contains Sonia’s IP address of 192.168.5.122, with her own, which is 192.168.5.126. Raina would then spoof a REGISTER request with her IP address instead of Sonia’s, as shown in Figure 2-11 (notice that the From field still says [email protected], but the Contact field says [email protected]).

Figure 2-11: Spoofed REGISTER packet
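An added registrar-side check, not from the book, that flags the indicators a spoofed REGISTER like Figure 2-11 leaves behind: a Contact host that does not match the Via host, and a Contact that moves away from the binding already on file for that user. The two sample requests are constructed from the book's values; the sonia@192.168.2.102 address is an assumption, since the book's addresses are redacted.

```python
import re
from typing import Dict, List, Optional

# Constructed REGISTER requests modelled on the book's Figures 2-10 and 2-11.
# The user@domain address is an assumption (the book's is redacted); the Via,
# branch, tag, Call-ID and Contact hosts follow the book's values.
LEGIT_REGISTER = (
    "REGISTER sip:192.168.2.102 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.5.122;branch=z9hG4bK-d87543-8C197c3ebd1b8855-1-d87543\r\n"
    "From: Sonia <sip:sonia@192.168.2.102>;tag=ff761a48\r\n"
    "To: Sonia <sip:sonia@192.168.2.102>\r\n"
    "Call-ID: 845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:sonia@192.168.5.122>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Raina's spoofed request: From and To still name Sonia, Contact points at Raina.
SPOOFED_REGISTER = LEGIT_REGISTER.replace(
    "Contact: <sip:sonia@192.168.5.122>", "Contact: <sip:sonia@192.168.5.126>")

URI_RE = re.compile(r"sip:(?:([^@>\s;]+)@)?([^>\s;:]+)")


def parse_headers(msg: str) -> Dict[str, str]:
    """Minimal SIP header parser: lowercased name -> value (first occurrence)."""
    headers: Dict[str, str] = {}
    for line in msg.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def uri_parts(field: str):
    m = URI_RE.search(field)
    return (m.group(1), m.group(2)) if m else (None, None)


def via_host(via: str) -> Optional[str]:
    # Via: SIP/2.0/TCP host[:port];params  ->  host
    return via.split(None, 1)[1].split(";")[0].split(":")[0] if " " in via else None


def check_register(msg: str, bindings: Dict[str, str]) -> List[str]:
    """Indicators of a hijacked REGISTER. bindings maps a registered user to
    the Contact host on file. A hit is a signal to investigate, not proof:
    phones behind NAT can legitimately register a Contact that differs."""
    h = parse_headers(msg)
    user, _ = uri_parts(h.get("to", ""))
    _, contact = uri_parts(h.get("contact", ""))
    via = via_host(h.get("via", ""))
    findings = []
    if contact != via:
        findings.append(f"Contact host {contact} != Via host {via}")
    if user in bindings and bindings[user] != contact:
        findings.append(f"{user}: Contact moved {bindings[user]} -> {contact}")
    return findings
```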

The best method of spoofing a SIP message is with the SiVuS tool (http://www.vopsecurity.org/), a VoIP scanner primarily used for SIP-based implementations. Among other things, SiVuS can discover SIP networks, scan SIP devices, and create SIP messages. Its ability to create SIP messages is very useful for the registration-hijacking attack. For example, here’s how you could use SiVuS to spoof a registration request and hijack another user’s identity on the SIP network.

1. Open SiVuS.

2. Under the SIP tab, select Utilities Message Generator.

3. In the SIP Message section, enter values a through m from the following text. Replace italic text with the correct values from your local network. The values are based on the user Raina’s hijacking the registration of the user Sonia (based on the legitimate request in Figure 2-10). Notice step m in italic bold, where Raina inserts her own contact IP address. Sonia’s information is listed in steps h and i:

a. Method: REGISTER

b. Transport: UDP

c. Called User: Sonia

d. Domain: 192.168.2.102

e. Port: 49304

f. Via: SIP/2.0/TCP 192.168.5.122

g. Branch: z9hG4bK-d87543-8C197c3ebd1b8855-1-d87543

h. To: Sonia <sip:[email protected]>

i. From: Sonia <sip:[email protected]>

j. From Tag: ff761a48

k. Call-ID: 845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM

l. Cseq: 1 Register


4. Click the Start button. (The configuration information is also shown in Figure 2-12.)

Figure 2-12: Spoofing SIP messages using SiVuS

Before the previous exercise can hijack a session, the attacker needs to take the legitimate user off the network. A good method to do this is by de-registering the legitimate SIP User Agent from the SIP Proxy server, as discussed later in “Denial of Service via BYE Message” on page 42.

Once the hijacking attack message is submitted to the SIP Proxy server, the attacker has successfully hijacked the User Agent’s registration.