Attacking VOIP
Get ready for a lot of tool troubleshooting
Last updated
First, a little explanation about VOIP and the SIP protocol.
SIP is an application-layer protocol carried over UDP or TCP on port 5060; TLS-encrypted SIP uses port 5061. Because the default is cleartext signalling, a handful of MITM attacks become possible, but that will be covered later.
Let's look at how this protocol works.
A SIP call typically goes like this:
Caller initiates the call with an INVITE request
Callee's side replies with 100 Trying (a provisional response, not a request)
Callee's phone rings and sends back 180 Ringing
Callee picks up the phone and sends 200 OK
ACK is sent by the caller
Call begins
BYE request is sent by either side to end the call.
That covers the request methods a basic call uses (INVITE, ACK and BYE). What about the others?
REGISTER - Registers the user (binds their address) against the SIP server
OPTIONS - Asks a server or phone which methods and extensions it supports (this will be important)
REFER - Asks the recipient to contact a third party using the information attached to the request (the basis of call transfer)
Nmap with the -A flag (OS and version detection, default scripts and traceroute) will, on port 5060, send an OPTIONS request via its sip-methods script and list which of these methods the target allows.
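As an added example, not code from the original page, Nmap or any of the tools named here, this is a small Python probe that does what the sip-methods script does: it builds an RFC 3261 OPTIONS request, parses the reply, and pulls out the Allow header and the Server/User-Agent banner. The target and local addresses, the random Call-ID values and the sample 200 OK are constructed for the example; send_options needs a reachable PBX and is not called when the file is imported.

```python
import re
import socket
import uuid

CRLF = "\r\n"

# Constructed lab addresses for this example (not from the page).
TARGET = ("192.0.2.10", 5060)   # the PBX under test
LOCAL = ("192.0.2.99", 5060)    # our address, advertised in Via/Contact


def build_options(target_host, local_host, local_port=5060):
    """Build a minimal RFC 3261 OPTIONS request.

    Call-ID, branch and From-tag are random per request; ';rport' asks the
    server to reply to the source port it actually saw (RFC 3581), so the
    Via port does not have to match the socket we send from.
    """
    rand = uuid.uuid4().hex
    lines = [
        f"OPTIONS sip:{target_host} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_host}:{local_port};branch=z9hG4bK{rand[:16]};rport",
        f"From: <sip:probe@{local_host}>;tag={rand[16:24]}",
        f"To: <sip:{target_host}>",
        f"Call-ID: {rand[24:]}@{local_host}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_host}:{local_port}>",
        "Max-Forwards: 70",
        "Accept: application/sdp",
        "Content-Length: 0",
    ]
    return CRLF.join(lines) + CRLF + CRLF


def parse_message(raw):
    """Split a SIP request or response into (start line, headers, body).

    Headers map lowercase names to a list of values, since a header such as
    Via or Allow may legitimately appear more than once.
    """
    head, _, body = raw.partition(CRLF + CRLF)
    start, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers, body


def status_code(start_line):
    """Return the 3-digit status of a response start line, or None for a request."""
    match = re.match(r"SIP/2\.0 (\d{3}) ", start_line)
    return int(match.group(1)) if match else None


def fingerprint(raw_response):
    """Extract what an OPTIONS probe is after: status, banner and allowed methods."""
    start, headers, _ = parse_message(raw_response)
    methods = set()
    for value in headers.get("allow", []):
        methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    banner = (headers.get("server") or headers.get("user-agent") or [None])[0]
    return {"status": status_code(start), "server": banner, "methods": methods}


def send_options(target=TARGET, local=LOCAL, timeout=2.0):
    """Send one OPTIONS over UDP and fingerprint the reply (None on timeout).

    Not called on import: it needs a reachable SIP endpoint.
    """
    request = build_options(target[0], local[0], local[1]).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, target)
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return fingerprint(data.decode(errors="replace"))


# Constructed 200 OK of the kind a PBX might return to the probe above
# (banner and method list are sample values, not a captured response).
SAMPLE_RESPONSE = CRLF.join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 192.0.2.99:5060;branch=z9hG4bKdeadbeefcafef00d;received=192.0.2.99;rport=5060",
    "From: <sip:probe@192.0.2.99>;tag=1a2b3c4d",
    "To: <sip:192.0.2.10>;tag=as4f3e2d1c",
    "Call-ID: 0123456789abcdef@192.0.2.99",
    "CSeq: 1 OPTIONS",
    "Server: Asterisk PBX 16.2.1",
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH",
    "Supported: replaces, timer",
    "Content-Length: 0",
]) + CRLF + CRLF


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
```

Against a live target you would call send_options with the PBX address and your own address and read the returned methods set: REFER in Allow means transfer is available, REGISTER on a proxy means it accepts registrations, and the Server banner gives you a version to look up. Two caveats: many PBXes answer OPTIONS with 200 OK regardless of the user in the request URI, so a reply proves the service is up, not that the user exists; and because this is plain UDP, a single unanswered probe should be retried before you conclude the port is closed.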
Extra Network Enumeration
The PBX may also expose other network services, such as:
69/UDP (TFTP): Firmware updates and phone configuration files
80 (HTTP) / 443 (HTTPS): Web management interface for the device
389 (LDAP): Alternative store for user information
3306 (MySQL): MySQL database
5038 (Manager): Asterisk Manager Interface, lets other applications control Asterisk
5222 (XMPP): Messaging using Jabber
5432 (PostgreSQL): PostgreSQL database
And others...
So how do we find out what we can actually use as an attack vector?
Sipscan works by sending well-formed SIP packets and waiting for replies. It can scan several IP addresses or network ranges over UDP, TCP or TLS.
There are many other flags for passing specific names, users, domains, thread counts etc., but a basic one-liner is enough to get started.
Another scanning tool for SIP; this one lets us choose which type of SIP request to enumerate with, rather than just the transport protocol.