SIP extension enumeration in Bluebox-ng

There are some well known SIP extension enumeration vulnerabilities in different VoIP servers, specially in Asterisk. This brute-force vector is based on the study of the authentication responses of the target server. Sometimes its replies are different in the case that the client uses a valid extension, so it's easy to discover them.

This vector is normally classified as a low security risk. Moreover we're moving towards a federated SIP environment, in which the extension is the public email address of the user. But it's still important in some cases:
  • To guide next steps during a penetration test. In example, you can use the discovered extension to reduce the number of attempts in the phase of SIP extensión brute-force.
  • Some RCE (Remote Code Execution) exploits need a valid extension to work.
After a little research, these are the known vulns:
  • CVE-2009-3727: It's quite old and it's practically not present in real environments. It's still not implemented in Bluebox-ng, waiting for the complete re-write of the SIP stack in which is working Damián.
  • CVE-2011-2536: It's much more common than the last one. The option "alwaysauthreject", which the CVE speaks about, is disabled by default in old versions of Asterisk and a common bad practice in actual ones. Bluebox-ng implements it in the "sip-brute-ext" module. In this old post I deep a bit more in the used method.
  • (There is no CVE): This technique uses INVITE packets, there are some situations in which Asterisk allows the same goal even with the parameter "alwaysauthreject" enabled. They were discovered by Francesco Tornieri and published in packet storm. Now, the same Bluebox-ng module implements it. So @dvirus, you can now use it against your Busy Tone VulnPBX virtual machine ;).
  • CVE-2011-4597: It's similar to the other ones, but this time the server (Asterisk) answer to a different port when a valid extension exists due to an specific NAT related setup. This technique is supported through "sip-brute-ext-nat" module.
Finally I've also solved an important problem with the asynchrony in "sip-brute-pass" module which was very annoying to deploy a serious penetration test. :)


More brute-force modules in Bluebox-ng

The last day I said that now we're going to automate all VoIP tasks trying to build a VoIP/UC vulnerability scanner. But I realized that there are some other tasks which I need in each penetration test that we could add too. This way we could avoid to use another tools for an important part of the work.

Normally, we're hired to deploy a VoIP specific penetration test, but we also like to check (in a minimal way) the rest of implied services. So I've added next modules brute-force modules:

  • Asterisk AMI: It was a must because this is a very common scenario.
  • MySQL: The most common DB engine among VoIP servers.
  • MongoDB: It's not used in VoIP, but I've been playing lately with this system and I really like it. So I decided also to add a module.
  • SSH / (S)FTP: More common protocols.
  • HTTP(S): Useful when we find a web management panel for a VoIP server.
  • TFTP: Widely used in VoIP to auto-provisioning the softphones of an organization.
  • LDAP: Sometimes the VoIP servers perform the authentication against an existent LDAP instance (Microsoft Active Directory is also included here).

Finally I would like remark that, in my oppinion, we should solve next issues to build a professional tool:

  • Network scanner: For now we're using Evilscan, but it only supports full TCP scan (neither SYN nor UDP) and the project seems stopped.
  • Web vulnerability scanner: I don't know any tool for this written in Node.js. The most similar thing I found is Dirscan-node, useful to make directory brute-force but it's not a complete web vuln scanner.

In fact, I'm using Nmap and Skipfish to achieve these goals for now. So if you're thinking in a new security project (in Node.js) these ideas could be a good one. ;)


Bluebox-ng beta released

I've just pushed the last changes to Bluebox-ng repo to get what we consider a beta version. It's not yet finished but it's much more stable than the previous release. Here there is a resume of the changelog:

  • IPv6 support. I would like to thank Olle E. Johansson (@oej) because of his research in SIP and IPv6, it did my work really easy.
  • Exploitsearch.net API support.
  • DNS module finished.
  • Nicer outputs.
  • Simpler setup process.
  • A network host/port scanner (Evilscan).
  • Dirscan-node upgraded to version 0.5.
  • Added some numerical lists (with different paddings) to use with brute-force modules.
  • Host list files and port ranges support included in SipScan module.
  • Solved SipBrutePass module problem with too much asyncronous requests.
  • A lot of refinements in the whole code.

I want to say that we've decided to re-define the project like a "VoIP/UC vulnerability scanner", this way we can work more focused. Our idea is to write a tool to test in an automatic way our deployments. There are several options when we think in other environments such as the web (Skipfish, NiktoW3af, etc), but we've not anything similar in VoIP.

For now we have a bunch of tools (modules) that do the job in a comfortable (but indepentent) way. So, it's time to join all of them to automate the different tasks needed when we deploy an specific VoIP penetration test.

Finally we hope to present the first stable version at GSICKMINDS (A Coruña, 24-25-26 October), a great security event which I recommend to everyone. We're going to have here some security pr0n stars and we're in one of best places in the world to enjoy a few days. ;)