The following are two updates for the next version of SIPVicious's PBX extension enumeration tool svwar:

1. svwar now tries to guess common numbers by default. It scans for the following ranges: 1000,2000... 9000, 1001, 2001..9001, 1111,2222... 9999, 11111,22222...99999, 100-999, 1234,2345 ..7890 and so on. This feature has a tendency to identify extensions on many PBX configurations. If you would like to disable it simply pass the --disabledefaults option to svwar.
   
2. svwar now sends ACK responses to SIP responses with code 200 because some PBXes keep sending packets until they receive an acknowledge.
   

That's it for now. Please let me know about your experience with the new features. To give the code a try simply run svn update from the sipvicious directory, or gte the latest by running the following:

svn checkout http://sipvicious.googlecode.com/svn/trunk/ sipvicious-read-only

Have fun!

Alert: this is not a VoIP security post. Just a repost from EnableSecurity.

I just released a new paper and tool on the subject of web application security.

Check out the blog post (which includes the bonus video everyone loves), and the proof of concept tool itself.

And if you did not do it already, please subscribe to my other site, EnableSecurity's RSS feed.

The final Backtrack 3 is out and it features some VoIP tools in the /pentest directory:

• SIPVicious (guess you know by now what this is about :)
• Voiper - a SIP fuzzing toolkit which aims at identifying flaws in VoIP products that do SIP and SDP.
• Sipbomber - a SIP testing tool which has test cases that are run against SIP enabled software / devices
• SIP Rogue - allows application level man in the middle (MITM) attacks on SIP devices.

In the $PATH one can find:

• VoIP Hopper - allows one to hop between VLANS.
• VOIPONG - a Voice over IP sniffer - will record any phone calls that it sees.
  
• sipdump / sipcrack - an offline password cracker for the digest authentication used by SIP

Tools that were previously found in Backtrack 2 are described on the tools page.

Grab Backtrack from the official site.

I'm looking at improving SIPVicious and would appreciate your input for new features or any possible bug fixes. Send me an email with ideas, or simply leave a comment.

Check my current "to do" list here.

The BBC News is running an article highlighting one of the most basic vulnerabilities in the majority of current VoIP providers - the lack of encryption. Indeed, this is a problem since SIP passes an md5 hash of the password as clear text and therefore anyone watching the traffic can perform an offline attack and quickly recover the credentials. The attack has been described in countless blogs, articles and papers by now and some tools are very efficient in demonstrating this issue.

What caught my eye is the mention of VoIP credentials being sold on the underground 17$ a piece. So I emailed Mr Gladwin who was quoted in the article. This is a summary of our email conversations:

• There is no indication that stolen VoIP details were harvested because of the lack of encryption
  
• If anyone comes across underground forums / sites / resources which have prices please let me know. Unfortunately Dave Gladwin was not able to provide me with a reference (until now)
  
• There was no indication as to the size or volume of the VoIP credentials trading

Skype took the chance to remind us that this is not an issue for then (since they make use of a proprietary protocol which has encryption built-in).

I'm interested in learning which method is being used to steal credentials. Take your pick:

• Sniffing at WiFi internet cafe's / hacked service providers etc and offline password attacks
• Active password attacks (such as those supported by SIPVicious svcrack). Such attacks have been previously used by Robert Moore and obviously others which were not caught ;-)
• Hacked VoIP service providers or end users
• Phishing attacks

My feeling is that active password attacks will give you the best results when the target is simply "the Internet". But in the end, what matters is what's being currently abused and how we can prevent and mitigate.

Update: Dave Gladwin updated the Newport Networks Blog to provide more details on the subject.

If anyone's going to be at Infosec Europe tomorrow or the next day and would like to have a chat (and maybe offer a beer), contact me.

Time to update twitter

Archangel Amael posted two new videos related to SIPVicious:

• Setting up a Vmware image of trixbox
• Abusing VOIP Networks

On his blog you'll also find a tutorial on setting up trixbox for testing, which is a companion to one of the videos.

Here are some apocalyptic scenarios related to VoIP and SIP:

• SIP's Insecurity Blanket
• Report Finds VOIP Services Susceptible to Major Attacks Through SIP
• VoIP security industry -- guilty as charged

Not exactly positive reports on VoIP - what they're effectively saying is that VoIP's increase in the phone market is a ticking bomb that will have great repercussions from a security point of view.

But IMHO, one thing's for sure - with big vendors like Microsoft, entering the market .. VoIP is here to stay.

The purpose of svcrack is very straightforward.This tool will launch a password guessing attack extensions on the SIP registrar. Attackers will be after your SIP passwords because such knowledge allows them to:

• Get free long distance calls
• Hijack and spoof phone calls
• Eat your spaghetti
  

The most obvious and damaging problem is toll fraud. Traditionally phone phreaks enjoyed free calls by abusing security flaws within the phone company's system as well as private companies' PABXs. By gaining access to an extension line which can make international calls, an attacker will be able to run large bills on the victim's account. On the other hand, the social engineering aspect should not be under estimated. Social engineering can be a very effective and reliable method that allows hackers to pull off some of the most interesting (sometimes amusing) attacks ever. From ordering free pizza as someone else, to hijacking the help desk's number and then asking for user's passwords, such attacks rely on human nature and can probably never be totally prevented.

This is how svcrack works:

1. It starts sending REGISTER requests to register a specific extension line
2. In the mean time the SIP server starts responding back asking for authentication.
3. The response also contains a nonce, which is a unique number or bit string that should only be used once. This nonce is used as the challenge in the challenge-response mechanism.
4. Svcrack uses the nonce and other properties to compute the challenge response then sends that back to the server

Svcrack will repeat the above procedure until the password gets cracked and an OK message is recieved, or until there are no more passwords to try.

During testing, we were able to run speeds up to 80 passwords per second - that is 6,912,000 passwords a day. These numbers are dependent on the SIP registrar and of course, on a real network, latency and other factors will seriously affect these results. Some registrars allow the attacker to reuse the nonce. This makes the registrar servers vulnerable to replay attacks. This feature is also useful during password cracking, since it can make the process faster. In fact, svcrack has an option which allows auditors to exploit this feature and possibly achieve faster speed.

Password policies form an important part of computer security. Unfortunately a large number of VoIP PBX servers do not apply any policies when it comes to authentication. Because of the lack of such security mechanisms, bruteforce attacks are a viable way to attack PBX servers. Svcrack, which is part of the SIPVicious tool suite, demonstrates this.

Of course, vendors and developers should be cautious when implementing features that can cause a denial of service. For example, the Account Lockout policy (available in Microsoft's AD and other systems) allows anyone to deny service to another user. This is not such a good idea especially in the case of something as "real time" as the phone service.

On the other hand, trotting or slowing down authentication might be a solution to limit the chance of attackers guessing the password in a reasonable time. Password complexity should also be enforced to hinder brute-force and dictionary attacks.