Skip to main content

SIP INVITE attack with Metasploit

Some days ago my friend @pepeluxx wrote another post about INVITE attacks. He spoke about a @sinologic project which allows to everybody passing some security tests to SIP servers. Furthermore he also published a perl script to do the same task. So I implemented it on Metasploit because I think It could be really useful during a pentesting. It’s interesting because these attacks are really dangerous, normally, attackers try to call to expensive locations. This target numbers often have special charges and they make money with this. Here there are two well known examples:

I’m not going to deep in this vector because of being a well known (and old!!) one. Basically the attacker tries to make a call using a misconfigured PBX. This is allowed because SIP RFC says that an extension has not to be registered to be able to make a call, only to receive it. Really most SIP servers implement authentication both in registering and calling process (and even to hang up a call), this is useful in eavesdropping scenarios in order to avoid SIP Teardown (BYE) attacks. But only a few systems have this configuration enabled by default, most of them use authentication only to register. In example, for Asterisk we should change “allowguest=no” in "sip.conf" file to ask for authentication in each call (INVITE). Apart from this, sysadmins should be also very carefully defining the dialplan to be secure. A common example of what not to do is the next one, in where outbound (to PSTN) calls context is included in default one:

(sip.conf file)

(extensions.conf file)
include  => outbound

I committed the module to my Github project, it only implements a SIP INVITE request where the user can provide next parameters:

Module parameters

You should try to call to a common phone number (you can see it in last picture) and with an extension because servers normally work in a different way. The code simply sends an INVITE request with provided options and then it parses the response. If it is a “Trying” you could be in a problem man. ;)

Possible insecure system

Possible insecure system

Secure system to this vector

These are the links to both UDP and TCP version of the tool. I would like to remember that Metasploit modules which support TCP also support TLS. You can change the version of the protocol and another optional parameters with command “show advanced”.
Advanced options

Finally I want to say that last days I was reviewing my SIP Metasploit modules trying to add some more features (like SIP proxy support) and I found that they are a mess. There is a lot of repeated code and they are complex to maintain. So, after speaking with some Metasploit guys on irc channel, I’m going to write a new SIP Proto ("lib/rex/proto/sip.rb") class and a Mixin ("lib/msf/core/auxiliary/sip.rb") which uses it. Once solved this I’m going to add all SIP modules I have developed to official Metasploit distribution.


Popular posts from this blog

ISO 27001: Inventario de los activos de información

Uno de los primeros pasos que debe seguir la entidad para adaptarse a la norma ISO 27001 es realizar el inventario de activos que contendrá todos aquellos activos de información que tienen algún valor para la organización y que quedan dentro del alcance del SGSI . En un principio puede parecer un poco abrumador para un principiante(como yo) por la enorme cantidad de activos que se te van ocurriendo por eso decidí empezar por clasificarlos de alguna forma, de entre las múltiples maneras que me encontré elijo la definida por los expertos del foro ISO27k ya que me parece la más completa, mostrando ejemplos de cada tipo y es válida para entidades de muy distinta naturaleza. Éste podría ser un buen punto para comenzar siempre teniendo en cuenta lo que nos aconsejan también en ese foro: "Debido a que los activos son algo cambiante, incluso si pudieras cubrir absolutamente todo lo que hay hoy, mañana la situación sería un poco diferente y más en unas semanas, meses o años. Así que

Flooding Asterisk, Freeswitch and Kamailio with Metasploit

Hi, it has been a long time since my last post because of my new job and my final year project ("VoIP denegation of service attacks" for curious) but there is something I found during my tests with  Freeswitch ,  Kamailio  and  Asterisk  that I want to share. NOTE: Really, guys of  Security By Default  blog published us (my good friend Roi Mallo and me) two articles about how to develop modules for Metasploit framework, another two are coming.  ;) During my project, among others, I developed a Metasploit module which can flood SIP protocol with common frames (INVITE, OPTIONS, REGISTER, BYE), I wrote it at Quobis (nice job ;) in order to use it for some private tests because actual software didn´t fit our needs, so we are going to probe how is the behavior of different GPL VoIP servers against this kind of attacks: - Asterisk: I think it needs no introduction, the famous softswitch/PBX software. - Freeswitch: It´s a newer softswitch that seems to be Asterisk replacement

Another simple Metasploit module: ICMP Flooder

Hi again!, I said I was going to develope VoIP related Metasploit modules but I was reading PacketFu documentation and I found that wrinting an ICMP flooder couldn´t be too complicated at this point. So I share this code too, I decided to include SHOST and SIZE options too trying to get a more flexible module able to make different flavors of this attack as Ping flood , Smurf or Ping of death . Next pictures show the module in  the same way of last post. Code: ------------------------------------------------------------------------- require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos include Msf::Exploit::Capture def initialize super( 'Name' => 'ICMP Flooder', 'Description' => 'A simple ICMP flooder', 'Author' => 'Jesus Perez', 'License'     => MSF_LICENSE, 'Version' => '$Revision: 0 $' ) register_opt