2023-08-03 19:12:22 +00:00
# SIP( )
2023-04-17 15:16:32 +00:00
< details >
2023-04-25 18:35:28 +00:00
< summary > < a href = "https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology" > < strong > ☁️ HackTricks Cloud ☁️< / strong > < / a > -< a href = "https://twitter.com/hacktricks_live" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch 🎙️< / strong > < / a > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
* 你在一个**网络安全公司**工作吗? !
* 发现我们的独家[NFT收藏品**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组** ](https://discord.gg/hRep4RUj7f ) 或 [**Telegram群组** ](https://t.me/peass ) 或 **关注**我在**Twitter**上的[** 🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud repo** ](https://github.com/carlospolop/hacktricks-cloud ) **提交PR来分享你的黑客技巧。**
2023-04-17 15:16:32 +00:00
< / details >
2023-08-03 19:12:22 +00:00
## 基本信息
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
SIP( ) ( ) ( ) , ,
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
SIP的一些关键特点包括:
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
1. **基于文本的协议** : , , ,
2. **可扩展性和灵活性** : , ,
3. **互操作性** : ,
4. **模块化设计** : ( ( ) ( ) )
5. **代理和重定向服务器** : ,
6. **存在和即时消息** : ,
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
尽管SIP具有许多优点, , ,
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
### SIP方法
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
在**RFC 3261**中定义的核心SIP方法包括:
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
1. **INVITE** :用于**初始化新会话(呼叫)**或修改现有会话。INVITE方法携带会话描述( ) ,
2. **ACK** :用于**确认对INVITE请求的最终响应的接收**。ACK方法通过提供端到端的确认,
3. **BYE** :用于**终止已建立的会话(呼叫)**。BYE方法由会话中的任一方发送,
4. **CANCEL** :用于在建立会话之前**取消挂起的INVITE请求**。如果发件人改变主意或接收方没有响应,
5. **OPTIONS** :用于**查询SIP服务器或用户代理的功能**。OPTIONS方法可以发送以请求有关支持的方法、媒体类型或其他扩展的信息,
6. **REGISTER** :由用户代理使用以**向SIP注册服务器注册其当前位置**。REGISTER方法有助于维护用户的SIP URI和其当前IP地址之间的最新映射,
2023-04-17 15:16:32 +00:00
{% hint style="warning" %}
2023-08-03 19:12:22 +00:00
请注意,要拨打某人的电话,**不需要使用REGISTER**进行任何操作。\
但是,为了执行**INVITE**,呼叫方可能需要**先进行身份验证**,否则将收到**`401 Unauthorized`**响应。
2023-04-17 15:16:32 +00:00
{% endhint %}
2023-08-03 19:12:22 +00:00
除了这些核心方法外,还有**几种SIP扩展方法**在其他RFC中定义, :
1. **SUBSCRIBE** : ,
2. **NOTIFY** : , ,
3. **REFER** : ,
4. **MESSAGE** : , ,
5. **UPDATE** : ,
6. **PUBLISH** : ,
### SIP响应代码
* **1xx( )
* 100 Trying: ,
* 180 Ringing:
* 183 Session Progress:
* **2xx( )
* 200 OK: ,
* 202 Accepted: ,
* **3xx( )
* 300 Multiple Choices: ,
* 301 Moved Permanently:
* 302 Moved Temporarily:
* 305 Use Proxy:
* **4xx( )
* 400 Bad Request:
* 401 Unauthorized:
* 403 Forbidden:
* 404 Not Found:
* 408 Request Timeout:
* 486 Busy Here: ,
* **5xx( )
* 500 Internal Server Error:
* 501 Not Implemented:
* 503 Service Unavailable: ,
* **6xx( )
* 600 Busy Everywhere:
* 603 Decline:
* 604 Does Not Exist Anywhere:
## 示例
### SIP INVITE示例
2023-04-17 15:16:32 +00:00
```
INVITE sip:jdoe@example.com SIP/2.0
Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: John Doe < sip:jdoe @ example . com >
From: Jane Smith < sip:jsmith @ example . org > ;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Contact: < sip:jsmith @ pc33 . example . com >
User-Agent: ExampleSIPClient/1.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
Content-Length: 142
v=0
o=jsmith 2890844526 2890842807 IN IP4 pc33.example.com
s=-
c=IN IP4 pc33.example.com
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000te
```
< details >
2023-08-03 19:12:22 +00:00
< summary > 每个参数的解释< / summary >
1. **Request-Line** : `INVITE sip:jdoe@example.com SIP/2.0` - 这一行指示了方法( ) , ( ) (
2. **Via** : `Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds` - Via头部指定了传输协议( ) ( )
3. **Max-Forwards** : `Max-Forwards: 70` - 这个头字段限制了请求可以被代理转发的次数,以避免无限循环。
4. **To** : `To: John Doe <sip:jdoe@example.com>` - To头部指定了呼叫的接收者, ( ) (
5. **From** : `From: Jane Smith <sip:jsmith@example.org>;tag=1928301774` - From头部指定了呼叫的发送者, ( ) (
6. **Call-ID** : `Call-ID: a84b4c76e66710` - Call-ID头部唯一标识了两个用户代理之间的呼叫会话。
7. **CSeq** : `CSeq: 314159 INVITE` - CSeq头部包含一个序列号和请求中使用的方法。它用于将响应与请求匹配并检测乱序消息。
8. **Contact** : `Contact: <sip:jsmith@pc33.example.com>` - Contact头部提供了一个直接的路由到发送者,
9. **User-Agent** : `User-Agent: ExampleSIPClient/1.0` - User-Agent头部提供了关于发送者的软件或硬件的信息,
10. **Allow** : `Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO` - Allow头部列出了发送者支持的SIP方法。这有助于接收者了解在通信过程中可以使用哪些方法。
11. **Content-Type** : `Content-Type: application/sdp` - Content-Type头部指定了消息体的媒体类型, ( )
12. **Content-Length** : `Content-Length: 142` - Content-Length头部指示消息体的大小( )
13. **消息体** : 消息体包含了SDP会话描述,
* `v=0` - 协议版本( )
* `o=jsmith 2890844526 2890842807 IN IP4 pc33.example.com` - 发起者和会话标识符
* `s=-` - 会话名称(单个连字符表示没有会话名称)
* `c=IN IP4 pc33.example.com` - 连接信息(网络类型、地址类型和地址)
* `t=0 0` - 时间信息( , )
* `m=audio 49170 RTP/AVP 0` - 媒体描述( ) , ( ) ( )
* `a=rtpmap:0 PCMU/8000` - 将格式( ) ( ) ( )
2023-04-17 15:16:32 +00:00
< / details >
2023-08-03 19:12:22 +00:00
### SIP REGISTER示例
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
REGISTER方法用于会话初始化协议( ) , ( ) , ,
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
下面是一个详细的SIP消息示例, :
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
1. UA向注册服务器发起初始**REGISTER**请求:
2023-04-17 15:16:32 +00:00
```yaml
REGISTER sip:example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776asdhds
Max-Forwards: 70
From: Alice < sip:alice @ example . com > ;tag=565656
To: Alice < sip:alice @ example . com >
Call-ID: 1234567890@192.168.1.100
CSeq: 1 REGISTER
Contact: < sip:alice @ 192 . 168 . 1 . 100:5060 > ;expires=3600
Expires: 3600
Content-Length: 0
```
2023-08-03 19:12:22 +00:00
这个初始的REGISTER消息由用户代理( ) , ( ) , ( ) , ( )
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
2. 注册服务器返回的**401 Unauthorized**响应:
2023-04-17 15:16:32 +00:00
```css
cssCopy codeSIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776asdhds
From: Alice < sip:alice @ example . com > ;tag=565656
To: Alice < sip:alice @ example . com > ;tag=7878744
Call-ID: 1234567890@192.168.1.100
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="example.com", nonce="abcdefghijk", algorithm=MD5, qop="auth"
Content-Length: 0
```
2023-08-03 19:12:22 +00:00
注册服务器会回复一个包含"401 Unauthorized"消息的响应,其中包含一个"WWW-Authenticate"头部。该头部包含了用户代理进行身份验证所需的信息,如**身份验证领域、随机数和算法**。
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
3. 使用身份验证凭证的注册请求:
2023-04-17 15:16:32 +00:00
```vbnet
REGISTER sip:example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776asdhds
Max-Forwards: 70
From: Alice < sip:alice @ example . com > ;tag=565656
To: Alice < sip:alice @ example . com >
Call-ID: 1234567890@192.168.1.100
CSeq: 2 REGISTER
Contact: < sip:alice @ 192 . 168 . 1 . 100:5060 > ;expires=3600
Expires: 3600
Authorization: Digest username="alice", realm="example.com", nonce="abcdefghijk", uri="sip:example.com", response="65a8e2285879283831b664bd8b7f14d4", algorithm=MD5, cnonce="lmnopqrst", qop=auth, nc=00000001
Content-Length: 0
```
2023-08-03 19:12:22 +00:00
UA发送另一个REGISTER请求,
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
这是如何计算"Authorization"响应的方法:
2023-04-17 15:16:32 +00:00
```python
import hashlib
def calculate_sip_md5_response(username, password, realm, method, uri, nonce, nc, cnonce, qop):
2023-08-03 19:12:22 +00:00
# 1. Calculate HA1 (concatenation of username, realm, and password)
ha1_input = f"{username}:{realm}:{password}"
ha1 = hashlib.md5(ha1_input.encode()).hexdigest()
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
# 2. Calculate HA2 (concatenation of method and uri)
ha2_input = f"{method}:{uri}"
ha2 = hashlib.md5(ha2_input.encode()).hexdigest()
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
# 3. Calculate the final response value (concatenation of h1, stuff and h2)
response_input = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
response = hashlib.md5(response_input.encode()).hexdigest()
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
return response
2023-04-17 15:16:32 +00:00
# Example usage
username = "alice"
password = "mysecretpassword"
realm = "example.com"
method = "REGISTER"
uri = "sip:example.com"
nonce = "abcdefghijk"
nc = "00000001"
cnonce = "lmnopqrst"
qop = "auth"
response = calculate_sip_md5_response(username, password, realm, method, uri, nonce, nc, cnonce, qop)
print(f"MD5 response value: {response}")
```
2023-08-03 19:12:22 +00:00
4. **注册成功**来自注册服务器的响应:
2023-04-17 15:16:32 +00:00
```yaml
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776asdhds
From: Alice < sip:alice @ example . com > ;tag=565656
To: Alice < sip:alice @ example . com > ;tag=7878744
Call-ID: 1234567890@192.168.1.100
CSeq: 2 REGISTER
Contact: < sip:alice @ 192 . 168 . 1 . 100:5060 > ;expires=3600
Expires: 3600
Content-Length: 0
```
2023-08-03 19:12:22 +00:00
在注册服务器验证提供的凭据后,**它发送一个"200 OK"的响应来表示注册成功**。响应包括已注册的联系信息和注册的过期时间。此时, ( ) ,
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
### 呼叫示例
2023-04-17 15:16:32 +00:00
< figure > < img src = "../../../.gitbook/assets/image (666).png" alt = "" > < figcaption > < / figcaption > < / figure >
{% hint style="info" %}
2023-08-03 19:12:22 +00:00
没有提到,
2023-04-17 15:16:32 +00:00
{% endhint %}
< details >
2023-04-25 18:35:28 +00:00
< summary > < a href = "https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology" > < strong > ☁️ HackTricks Cloud ☁️< / strong > < / a > -< a href = "https://twitter.com/hacktricks_live" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch 🎙️< / strong > < / a > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2023-04-17 15:16:32 +00:00
2023-08-03 19:12:22 +00:00
* 你在一家**网络安全公司**工作吗? !
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组** ](https://discord.gg/hRep4RUj7f )或[**电报群组**](https://t.me/peass),或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud repo** ](https://github.com/carlospolop/hacktricks-cloud ) **提交PR来分享你的黑客技巧。**
2023-04-17 15:16:32 +00:00
< / details >
