10/08/2012

Fixing some SIP related Metasploit modules

Hi again, while I was checking some demos for our class at Vigo University representing Quobis I noticed that Metasploit options.rb module (SIP scanning) wasn't working ok. I mean, it was unable to recognize a Kamailio server. Next two pictures show the difference with SIPVicious output:



Some time ago, I wrote a post about this module and I remember being a bit surprised because the code doesn't respect SIP protocol at all (but It worked with Asterisk). After a quick view to Kamailio logs my suspects were confirmed, Sanity module was doing right its job dropping these packets. :)


Next function defines how requests are created in actual module, If you are familiar with SIP RFC you probably will notice what I'm talking about. If not, I suggest you to compare it with my create_request function of sipflood.rb module.


    def create_probe(ip)
        suser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
        shost = Rex::Socket.source_address(ip)
        src   = "#{shost}:#{datastore['CPORT']}"

        data  = "OPTIONS sip:#{datastore['TO']}@#{ip} SIP/2.0\r\n"
        data << "Via: SIP/2.0/UDP #{src};branch=z9hG4bK.#{"%.8x" % rand(0x100000000)};rport;alias\r\n"
        #data << "From: sip:#{suser}@#{src};tag=70c00e8c\r\n"
        data << "From: sip:#{suser}@#{src};tag=70c00e8c\r\n"
        #data << "To: sip:#{datastore['TO']}@#{ip}\r\n"
        data << "To: sip:#{suser}@#{ip}\r\n"
        data << "Call-ID: #{rand(0x100000000)}@#{shost}\r\n"
        data << "CSeq: 1 OPTIONS\r\n"
        data << "Contact:  sip:#{suser}@#{src}\r\n"
        data << "Content-Length: 0\r\n"
        data << "Max-Forwards: 20\r\n"
        data << "User-Agent: #{suser}\r\n"
        data << "Accept: text/plain\r\n"
    end 


Once some changes were done in order to use my function (with OPTIONS packets), we can see that we have a correct response now.


This issue often appears working with Session Border Controllers so I coded our own version of these modules. Nothing else, here there are the links to the new version of the modules. I also added this feature to enumeration.rb module, needed to brute-force valid extensions. 

Anyway, If you try to enumerate Kamailio extensions you will fail because its default configuration avoid this. Asterisk also has an option to do it but it can be bypassed. And FreeSWITCH? We will play with all this stuff another day. ;)