Attacking VOIP

Get ready for a lot of tool troubleshooting

Sources and additional research

Practical VoIP Penetration TestingMedium

The beginning explanation sourced heavily from here

Pentesting VoIPHackTricks

First a little explanation about VOIP and the SIP protocol.

SIP is an application layer protocol using UDP/TCP over port 5060. TLS encrypted traffic occurs on port 5061. Initially this default use of unencrypted traffic opens up to a handful of MITM attacks, but that will be covered later.

Lets look at how this protocol works

SIP Protocol

The SIP interaction typically goes like this

1. Sender initiates via INVITE request

2. Receiver sends back a 100 (trying) request

3. Sender starts rining sending a 180 (ringing)

4. Receiver picks up the phone and a 200 is sent (OK response)

5. ACK is sent by initator

6. Call begins

7. BYE request sent to end the call.

So that covers the uses of 4 of the 7 protocols, what about the others?

• REGISTER - Registering the user against the SIP server

• OPTIONS - Shows the options the caller has (this will be important)

• REFER - Shows the receiver needs to communicate through a 3rd party by the info attached to the request

Initial scanning and enumeration

Nmap using the -A (all detection's and scripts) flag will shoot out an OPTIONS request to show what of these protocols can be accessed.

Do NOT take this at face value. The Viproy toolkit built into Metasploit does the same thing, just because these options are AVAILABLE externally does NOT mean that they are accessible. The report from options will not tell you if proxy authentication is required to use any of these protocols.

Extra Network Enumeration

• The PBX could also be exposing other network services such as:

  • 69/UDP (TFTP): Firmware updates

  • 80 (HTTP) / 443 (HTTPS): To manage the device from the web

  • 389 (LDAP): Alternative to store the users information

  • 3306 (MySQL): MySQL database

  • 5038 (Manager): Allows to use Asterisk from other platforms

  • 5222 (XMPP): Messages using Jabber

  • 5432 (PostgreSQL): PostgreSQL database And others...

So how do we find out what we can actually use as an attack vector?

Sippts

GitHub - Pepelux/sippts: Set of tools to audit SIP based VoIP SystemsGitHub

The only SIP tools I have found that have been updated since 2018

# Quick install dump
# USE PYENVS - This tool uses some old libraries that will 100% cause conflicts
# Or problems in the future, you can see how to do this in Intro


git clone https://github.com/Pepelux/sippts.git
cd sippts/
# Do your pyenv stuff here
pip install -r requirements.txt

SIPscan

Sipscan works sending and waiting well-formed SIP packages. It is posible to scan several IP addresses or network ranges, over UDP, TCP or TLS.

# Basic Usage
# -p all says try with all protocols
# -ua sippts by default uses a useragent called pplsip which is typically blocked. -ua lets you change this

python sipscan.py -i <ip Address> -p all -r 5060-5080 -ua <User Agent>

There is a large number of other flags that pass specific names, users, domains, threads used etc but this is a basic one liner to get started.

SipVicious

GitHub - EnableSecurity/sipvicious: SIPVicious OSS has been around since 2007 and is actively updated to help security teams, QA and developers test SIP-based VoIP systems and applications.GitHub

Another solid toolkit

HomeGitHub

Wiki for SipVicious

# This one is installed by default on kali or can be installed
sudo apt install sipvicious

# or
## USE YOUR VENVS
git clone https://github.com/EnableSecurity/sipvicious.git
cd sipvicious/
python setup.py install

Svmap

Another scanning tool for SIP protocols, this allows us to choose what type of SIP request we would like to enumerate with rather then just what network protocol

## Example usage

# Use --fp to fingerprint the services
svmap 10.10.0.0/24 -p 5060-5070 [--fp]

Methods enumeration with sipenumerate