Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Monthly Archives: January 2009

Probing with OPTIONS messages

I’m part of the Norwegian Chapter of the Honeynet Project. We have lots of honeypots with different services up and running. The most interesting for me is the VoIP honeypot. It captures all VoIP traffic and answers all incoming calls as a normal gateway or IP PBX (e.g. Asterisk) would do.

The latest traffic is again from the Piradius network.

The Piradius network is now using “OPTIONS” requests to probe for reachable IP PBXes that they can abuse for free calls.

Internet Protocol, Src: (, Dst: 195.159.X.X (195.159.X.X)
User Datagram Protocol, Src Port: rapido-ip (2457), Dst Port: sip (5060)
Session Initiation Protocol
Request-Line: OPTIONS sip:3392@195.159.X.X SIP/2.0
Message Header
Via: SIP/2.0/UDP;branch=E7C34B92-11CE-87FE-DC76-8AA77F25C6B1;rport
Max-Forwards: 70
From: ;tag=FB84E0A1-04AC-E4C2-D7E5-E49A34E3E90D
Call-ID: 185B191D-379F-888E-ABEB-E78C1B5DA498
Accept: application/sdp
Content-Length: 0

A new address
There is also a new IP address that the same attack is coming from. You can recognise it from the identically structured OPTIONS message.

Internet Protocol, Src: (, Dst: 195.159.X.X (195.159.X.X)
User Datagram Protocol, Src Port: sybase-sqlany (1498), Dst Port: sip (5060)
Session Initiation Protocol
Request-Line: OPTIONS sip:2658@195.159.X.X SIP/2.0
Message Header
Via: SIP/2.0/UDP;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rport
Max-Forwards: 70
To: <sip:2658@195.159.X.X>
From: <sip:8571@195.159.X.X>;tag=723535DC-E71F-E3D4-D572-2B41E58782E8
Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190F
Contact: <sip:@;transport=udp>
Accept: application/sdp
Content-Length: 0

The packet would have been stopped by a firewall that understands SIP: the “Via” and “Contact” fields cannot carry an IP address like this one.

The OPTIONS command

From a web page:
The SIP method OPTIONS allows a UA to query another UA or a proxy server as to its capabilities. This allows a client to discover information about the supported methods, content types, extensions, codecs, etc. without “ringing” the other party.

For example, before a client inserts a Require header field into an INVITE listing an option that it is not certain the destination UAS supports, the client can query the destination UAS with an OPTIONS to see if this option is returned in a Supported header field.

All UAs MUST support the OPTIONS method.

There has been less security concern about OPTIONS implementations, since it is the INVITE that sets up a call. But the reply to an OPTIONS request can reveal a lot in its User-Agent/Server header: which product it is and which version. From there it is just a quick search to find a bug or backdoor for it.....
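To make the two points above concrete (what a SIP-aware firewall or honeypot would check on an incoming OPTIONS, and how to answer one without giving away product and version), here is an added example. It is my code, not code from the original post or from the honeypot; the function names parse_sip, triage and options_reply are my own, and the two messages are constructed after the dumps above with RFC 5737 documentation addresses (the attacker's Via/Contact host 10.0.0.3 and source 203.0.113.7 are placeholders). The checks are taken from RFC 3261: the mandatory request headers (the first dump above shows no To header, which this would flag), the z9hG4bK magic cookie that a compliant UA puts at the start of the Via branch (neither capture has it), plus Via/Contact hosts that differ from the sending address and the numeric To/From user parts typical of extension enumeration.

```python
import re
from typing import Dict, List

MAGIC_COOKIE = "z9hG4bK"          # RFC 3261 8.1.1.7: required prefix of a Via branch
MANDATORY = ("to", "from", "cseq", "call-id", "max-forwards", "via")  # RFC 3261 8.1.1
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",        # RFC 3261 7.3.3
           "m": "contact", "l": "content-length", "c": "content-type"}

# Constructed sample (RFC 5737 addresses): an OPTIONS probe shaped like the
# captures above: numeric users, no magic cookie, Via/Contact naming another host.
PROBE = (
    "OPTIONS sip:3392@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.3;branch=E7C34B92-11CE-87FE-DC76-8AA77F25C6B1;rport\r\n"
    "Max-Forwards: 70\r\n"
    "To: <sip:3392@192.0.2.10>\r\n"
    "From: <sip:8571@192.0.2.10>;tag=FB84E0A1-04AC-E4C2-D7E5-E49A34E3E90D\r\n"
    "Call-ID: 185B191D-379F-888E-ABEB-E78C1B5DA498\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Contact: <sip:8571@10.0.0.3;transport=udp>\r\n"
    "Accept: application/sdp\r\n"
    "Content-Length: 0\r\n\r\n"
)
PROBE_SRC = "203.0.113.7"          # address the datagram actually came from

# Constructed sample: the same capability query from a compliant monitoring UA.
LEGIT = (
    "OPTIONS sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.5:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "Max-Forwards: 70\r\n"
    "To: <sip:pbx.example.net>\r\n"
    "From: \"Monitor\" <sip:monitor@198.51.100.5>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.5\r\n"
    "CSeq: 63104 OPTIONS\r\n"
    "Contact: <sip:monitor@198.51.100.5>\r\n"
    "Accept: application/sdp\r\n"
    "Content-Length: 0\r\n\r\n"
)
LEGIT_SRC = "198.51.100.5"

def parse_sip(raw: str) -> dict:
    """Request line plus headers (lower-cased, compact forms expanded, folding joined)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers: Dict[str, List[str]] = {}
    last = None
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (" ", "\t") and last:        # folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, []).append(value.strip())
    return {"method": method, "uri": uri, "version": version, "headers": headers, "body": body}

def uri_user(value: str) -> str:
    """User part of the first sip(s): URI in a header value, '' if none."""
    m = re.search(r"sips?:([^@;>]*)@", value)
    return m.group(1) if m else ""

def uri_host(value: str) -> str:
    """Host of the first sip(s): URI in a header value (IPv4 or name; no IPv6 literals)."""
    m = re.search(r"sips?:(?:[^@;>]*@)?([^;>:]+)", value)
    return m.group(1) if m else ""

def via_host(via: str) -> str:
    """sent-by host of a Via value such as 'SIP/2.0/UDP 10.0.0.3:5060;branch=...'."""
    parts = via.split(None, 1)
    return parts[1].split(";")[0].split(":")[0].strip() if len(parts) == 2 else ""

def triage(msg: dict, src_ip: str) -> List[str]:
    """Findings that separate scanner probes from compliant OPTIONS queries."""
    h = msg["headers"]
    findings = [f"missing-header:{n}" for n in MANDATORY if n not in h]
    via = h.get("via", [""])[0]
    m = re.search(r";branch=([^;]+)", via)
    if not m or not m.group(1).startswith(MAGIC_COOKIE):
        findings.append("branch-without-magic-cookie")
    # What a SIP-aware firewall compares: Via/Contact host versus the datagram
    # source. Informational only; RFC 3581 rport exists because NAT'd UAs mismatch too.
    vh = via_host(via)
    if vh and vh != src_ip:
        findings.append(f"via-host-not-source:{vh}")
    for c in h.get("contact", []):
        ch = uri_host(c)
        if ch and ch != src_ip:
            findings.append(f"contact-host-not-source:{ch}")
    # Extension enumeration: every user part numeric and To/From differing.
    users = {u for u in (uri_user(h.get("to", [""])[0]), uri_user(h.get("from", [""])[0]),
                         uri_user(msg["uri"])) if u}
    if len(users) > 1 and all(u.isdigit() for u in users):
        findings.append("numeric-extension-enumeration")
    return findings

def options_reply(msg: dict, allow=("INVITE", "ACK", "CANCEL", "BYE", "OPTIONS")) -> str:
    """200 OK answering the capability query with no Server/User-Agent header."""
    h = msg["headers"]
    to = h["to"][0] if ";tag=" in h["to"][0] else h["to"][0] + ";tag=7f3a9c1e"  # fixed tag for the example
    lines = ["SIP/2.0 200 OK"] + [f"Via: {v}" for v in h["via"]] + [
        f"To: {to}", f"From: {h['from'][0]}", f"Call-ID: {h['call-id'][0]}",
        f"CSeq: {h['cseq'][0]}", "Allow: " + ", ".join(allow), "Accept: application/sdp",
        "Content-Length: 0"]          # deliberately no product/version string
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    for raw, src in ((PROBE, PROBE_SRC), (LEGIT, LEGIT_SRC)):
        msg = parse_sip(raw)
        print(msg["method"], msg["uri"], "from", src, "->", triage(msg, src) or "clean")
    print(options_reply(parse_sip(PROBE)))
```

Run as-is it prints four findings for the probe, nothing for the monitoring UA, and the version-silent 200 OK. The Via/Contact mismatch is reported but should not by itself block traffic: any phone behind NAT produces the same mismatch, which is why the rport parameter exists. The missing magic cookie and the numeric enumeration pattern are the stronger signals.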

VoIP attacks are here again!

Have you seen the movie “The Lawnmower Man”? The ending, where every phone in the whole world is ringing? This was the scenario for several firms in Norway this week. The phones rang every 20 minutes!

Whose fault is it?

And who is to blame? Several parties.

First: the Piradius network (again...) running SIP and H.323 scans against open phones and gateways.
Second: the phone manufacturer not making the phone secure enough.
Third: the people putting such a solution onto the Internet with no security at all.

What the attacker did

The Piradius network was scanning the address range sequentially and sending an H.323 call setup to each IP address. The phones accepted calls from any IP address, so they rang, and when somebody picked up there was nobody at the other end.

Information about the packet

In the H.323 packet they claim to use Cisco equipment, but I’ve never heard of a “balhophone”. If you do know, please comment! The version also looks suspicious (1.666666). My guess is an Asterisk....

    t35CountryCode: United States (181)
    t35Extension: 0
    manufacturerCode: 18
    H.221 Manufacturer: Cisco (0xb5000012)
    productId: balhophone
    versionId: v 1.666666

The media (audio) address inside the H.323 packet is completely different from the address the TCP traffic originates from, and it lies in unallocated address space:

AS  | IP             | BGP Prefix   | CC | Registry | Allocated  | AS Name
NA |   | NA           |    |          |            | NA

The attacker has simply used this address as a /dev/null for the audio from those who actually answered the phone. The RTP traffic flowing back from mass calling can be a DoS attack in itself: if every 1500-byte packet you send generates a continuous stream of about 0.1 Mbit/s (G.711), it could take down the attacker itself....
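Two things in this section are worth working through in code: how the 0xb5000012 vendor identifier in the dump above splits into the T.35 country code (181), extension (0) and manufacturer code (18) that Wireshark printed beside it, and where the "0.1 Mbit per answered call" figure comes from. The following is an added example of my own, not code from the original post; the function names are mine, the header sizes are the standard RTP (12), UDP (8) and IPv4 (20) byte overheads, and the 1500-byte setup and 60-second call used for the backscatter ratio are assumptions for illustration. It generalises beyond G.711 so other codecs can be compared.

```python
RTP_HDR, UDP_HDR, IPV4_HDR = 12, 8, 20      # bytes of per-packet overhead

def decode_h221_vendor(ident: int) -> dict:
    """Split the 32-bit H.221 nonStandardIdentifier (as Wireshark prints it) into
    its T.35 country code, T.35 extension and manufacturer code."""
    return {"t35CountryCode": (ident >> 24) & 0xFF,
            "t35Extension": (ident >> 16) & 0xFF,
            "manufacturerCode": ident & 0xFFFF}

def encode_h221_vendor(country: int, extension: int, manufacturer: int) -> int:
    """Inverse of decode_h221_vendor."""
    return (country << 24) | (extension << 16) | manufacturer

def rtp_bitrate_bps(payload_kbps: int = 64, ptime_ms: int = 20, ip_hdr: int = IPV4_HDR) -> float:
    """IP-layer bit rate of one RTP stream: codec payload plus RTP/UDP/IP headers.
    Defaults are G.711 at 20 ms packetisation (160 payload bytes, 50 packets/s)."""
    payload_bytes = payload_kbps * 1000 // 8 * ptime_ms // 1000
    packets_per_s = 1000 / ptime_ms
    return (payload_bytes + RTP_HDR + UDP_HDR + ip_hdr) * 8 * packets_per_s

def backscatter_ratio(setup_bytes: int = 1500, answered_calls: int = 1,
                      call_seconds: int = 60, stream_bps=None) -> float:
    """Bytes arriving at the media address per byte the attacker sent, for calls
    that are answered and keep streaming audio for call_seconds (assumed values)."""
    bps = rtp_bitrate_bps() if stream_bps is None else stream_bps
    received = answered_calls * call_seconds * bps / 8
    return received / setup_bytes

if __name__ == "__main__":
    print(decode_h221_vendor(0xb5000012))           # the Cisco identifier from the dump
    print("G.711 IP rate: %.0f bit/s" % rtp_bitrate_bps())
    print("G.729 IP rate: %.0f bit/s" % rtp_bitrate_bps(payload_kbps=8))
    print("bytes back per byte sent, one 60 s call: %.0f" % backscatter_ratio())
```

G.711's 64 kbit/s becomes 80 kbit/s on the wire once RTP, UDP and IP headers are added, which is the rough 0.1 Mbit/s in the text; a single answered 60-second call returns 400 bytes for every byte of the setup that caused it, so whoever owns the media address absorbs the amplification.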

The called number

Called party number: '40#5926693444'

I’ve seen them include the # in several previous attacks, but it is not used anywhere in Scandinavia to make an outbound call. If you know why an attacker would use the #, please let me know.

The perfect router – Routerboard with Mikrotik!

I had heard about the Mikrotik router long before I bought one, and even then almost a year went by before I started playing around with it. Now I’m totally in love, if that is possible! It can do everything!!! EVERYTHING!!

The RouterBoards are small computers with several network interfaces: the CPUs range from 200 MHz to 680 MHz, up to nine (9) LAN ports are built in, and other models can be expanded further with WLAN cards. Mikrotik RouterOS runs on top of this hardware and also on standard x86, so you can run it on an existing server!

RouterBoards with Mikrotik RouterOS are known for their extreme WLAN range! The combination is used in several countries to connect rural areas. I’ve seen a presentation where it linked two radios 97 kilometres apart on 2.4 GHz! Mikrotik has its own (proprietary) WLAN protocol with extended timers to allow such ranges; standard 802.11 would time out long before the response arrived from the other side.

On the wired side, Mikrotik supports 10/100 Ethernet, and one unit supports 10/100/1000 Mbit. I bought a RouterBoard 450 with five (5) LAN interfaces and thought that would be enough. Then I discovered all the possibilities in RouterOS....

They have a recent feature called Ethernet over IP (EoIP). It sounds slightly backwards, since normally IP runs over Ethernet, not vice versa. But this great feature lets you bridge two networks (at layer 2) over any IP connection! Note that plain EoIP is a GRE tunnel matched only on remote address and tunnel ID, with no authentication and no encryption, so the bridged segment should be firewalled or carried over IPsec. It allows me to dedicate a port on my local router that is logically on my brother’s network 500 km away, letting us play Xbox directly as if we were in the same room on the same LAN! Perfect! (He has a 10/10 Mbit fibre connection, so it is limited to that speed.)

[Photo: The RB450 routerboard]

The fifth port is used for sniffing whichever interfaces I want to look at, the fourth is my brother’s network (via EoIP), the third is the local LAN, the second is my public network and the first is the WAN interface.. puuhh.. Now I need to order an extra switch so I can trunk several interfaces onto it... (yes, of course the RouterBoard supports VLANs!)

Besides EoIP, Mikrotik does PPP, L2TP, PPTP and IPsec, and supports a large number of routing protocols (RIP, OSPF, BGP). Of the tunnel types, PPTP’s MS-CHAPv2 authentication is known to be weak, so prefer L2TP over IPsec or plain IPsec for anything that matters.