sipvicious sip crack digestleak

Summary

Reproduce the SIP Digest leak attack

What it does

Reproduce, detect and exploit the SIP Digest leak attack. This tool allows testers to check for the vulnerability affecting user-agent clients and SIP proxies, allowing for various mutations of the attack, including caller and callee mode and support for external cracking tools hashcat and John the Ripper.

Tool functionality

The crack digestleak tool is meant to reproduce the SIP Digest leak attack that allows SIP user-agents to receive other user-agents' SIP digest response. By retrieving this response, an attacker can try to recover the original password used for authenticating against the SIP proxy by making use of fast offline password cracking attacks.

By default (caller mode), the tool sets up a call using the SIP protocol and awaits the callee to hangup, thus sending a BYE SIP message. When this message is received, the tool issues a 407 response instead of 200, with a Proxy-Authenticate header. Vulnerable systems will respond to the challenge with a response computed from information present in the SIP message and the secret (password). When the callee mode is used, the tool listens for incoming INVITE and BYE messages and issues a 407 response to them. Thus, the victim would need to call the attacker in such cases.

Further details about the different modes can be found in the mode flag documentation.

The following is an example logging of the tool when run with default settings:

INFO[0001] Sending INVITE to 192.168.99.2:5060 for sip:someone@example.org
INFO[0002] Call picked up by sip:else@example.org
INFO[0004] Received BYE, challenging that with a 407
INFO[0006] Digest leaked: response=6fb97bc75ba918ad19e944d4826a863d, realm=example.org, nonce=asdfasdf, uri=sip:attacker@example.org, method=BYE, username=1234
INFO[0007] Sending 200 OK to end the call properly

Command format

sipvicious sip crack digestleak <target1 [target2 [target3 ...]]> [flags]

Flags

      --codec strings        Specify the codec that should be used for the RTP stream (default [alaw,ulaw,opus,gsm,g723,lpc,g722,g728,g729,h261,h263])
  -u, --credentials string   set the username and password in the following format: username:password (e.g. 1000:test123)
  -D, --domain string        override domain name for the SIP address
      --duration duration    set maximum duration to keep the test going
  -e, --extension string     specify a target extension or SIP URI to call; if not specified, a random numeric extension is used
  -f, --from string          specify the from header address; if not specified, the from address is constructed from the credentials, otherwise a random numeric extension is used
      --methods strings      Specify the SIP methods to challenge with a 407 (default [BYE,INVITE])
  -m, --mode string          set mode (valid modes are callee and caller) (default "caller")
  -o, --output strings       Specify filename(s) to output the digest details. See documentation for information on file extension meanings
      --register             register with the specified target
      --rtp-payload string   specify the RTP payload for the audio (e.g. music.wav or 2600hz.raw) (default "music.wav")

Flags inherited from parent commands

      --ca-cert string       TLS CA Certificate
      --client-cert string   TLS client certificate
      --client-key string    TLS client private key
  -C, --config string        configuration file to use (may be JSON, TOML or YAML)
      --debug                set log level to debug
      --logfile string       specify a log filename
      --srtp string          specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
      --templates string     Directory to search for template overrides (default ".")
      --tls-key-log string   TLS key log, - for stdout

Examples

sipvicious sip crack digestleak udp://target:5060 -e 101 -u 100:passwd
sipvicious sip crack digestleak tcp://target:5060 --mode callee --register -u 100:passwd
sipvicious sip crack digestleak wss://target:443 -e 101 -u 100:password \
	-o output.hashcat -o output.txt -o output.john

Advanced examples

# using specific codecs for the RTP stream
sipvicious sip crack digestleak udp://demo.sipvicious.pro:5060 --codec ulaw,alaw,opus,gsm -e 2000

# registering with the target specified using a username:password then target extension 2000
sipvicious sip crack digestleak udp://demo.sipvicious.pro:5060 --register -u 1000:1500 -e 2000

# using your own rtp payload to be played during the call
sipvicious sip crack digestleak udp://demo.sipvicious.pro:5060 -e 2000 --rtp-payload music.raw

# getting the tool's output in each format supported (i.e. hashcat, John the ripper and plaintext SIP)
sipvicious sip crack digestleak udp://demo.sipvicious.pro:5060 -e 2000 -o output.hashcat -o output.john -o output.txt

# specifying multiple targets along with over-riding the domain name for the SIP address
sipvicious sip crack digestleak udp://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 -D siteonsip.tld -e 2000

# specify the duration of time for which the tests should run and from a specific extension
sipvicious sip crack digestleak udp://demo.sipvicious.pro:5060 -e 2000 --duration 10s -f 1100

Exit codes

If the digest response is recovered, the tool returns a 3 exit code, i.e. security issue is detected. Otherwise exit codes are returned as standard throughout the tool.

Flag: ca-cert

The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-cert

The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-key

The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: codec

Specify the codec to be supported for the SDP and also in the RTP stream. Currently supported are alaw, ulaw, opus, gsm, g723, lpc, g722, g728, g729, h261 and h263. You may pass multiple codecs by delimiting using a comma, as follows: ulaw,alaw,opus.

When rates and channels need to be passed, they can be provided after the codec name, separated by a slash. For example: opus/48000/2.

Flag: config

Specify a configuration file which may be a JSON, TOML and YAML config format. To get the default settings and figure out which settings are available, one may run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as need be.

These settings may be overwritten when the corresponding flag is explicitly set, if one is present.

Flag: credentials

Specify valid credentials so that the registration can be done authenticated. The following format is used username:password (e.g. 1000:test123).

Flag: debug

Tells the logger to print out debug messages.

Flag: domain

A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.

Flag: duration

Specify the maximum duration of the attack so that it stops after a certain time.

Flag: extension

This flag allows users to call a particular extension, overriding the default behaviour of calling a random extension. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

When the mode is set to sip-callee, this flag has no meaning.

Flag: from

This flag allows users to set the From address, overriding the default behaviour of setting a random extension or the username in the credentials when one is provided. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

Flag: logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: methods

The methods flag allows specification of the methods that are challenged. This is useful when, for example, you do not want to challenge incoming INVITE messages but only BYE messages.

Flag: mode

The tool currently supports two modes. The default mode is to start a call with the target using the SIP protocol. If the call is picked up by the callee, the tool awaits for incoming SIP messages that match those specified using the methods flag (i.e. INVITE and BYE by default) and challenges them with a 407 response.

When the mode is set to callee, the tool behaves much like the sip utils callee tool. If no register flag is passed, the tool will listen on the specified target address and wait for incoming calls. If the register flag is used, the tool will register with the specified target and wait for incoming calls. Whenever an incoming call is received, the INVITE message is challenged with a 407 response.

In both cases, the tool then expects challenged request to send a challenge response, thus leaking the MD5 digest.

Flag: output

The output flag is used to create an output file with the SIP information that can be used for an offline password cracking attack. By default, the raw SIP message response is stored in the output file. If the file extension of the output file is .hashcat, then the format used by hashcat is created. If the file extension of the output file is .john, then the format used is that of John the Ripper.

For example, the following command will produce both a .hashcat and .john file:

sipvicious sip crack digestleak udp://demo.sipvicious.pro:5060 -e 2000 \
-o sipvicious.hashcat -o sipvicious.john

To use the .hashcat file, run the tool as follows:

hashcat -m11400 sipvicious.hashcat

The following are some practical examples of how Hashcat can be used:

hashcat -m 11400 -a3 sipvicious.hashcat '?d?d?d?d'
hashcat -m 11400 sipvicious.hashcat dictionary.txt

To use the .john file, run the tool as follows:

john sipvicious.john

The following are some practical examples of how JtR can be used:

john --incremental sipvicious.john
john --wordlist=dictionary.txt sipvicious.john

Usage of either tool is outside the scope of this documentation. Please consult the official documentation for Hashcat and John the Ripper.

Flag: register

Register may use credentials to be passed so that a REGISTER message is sent to authenticate with a registrar server before starting the call or waiting for a call to be received. The registration is maintained as per SIP standards, so that authentication does not time out.

Flag: rtp-payload

The rtp-payload parameter allows the setting of a file that is used for the RTP stream. The following file types are supported:

  • .raw, for raw audio to be passed to the RTP stream without any transcoding
  • .wav, for wave files to be transcoded for the RTP stream

Flag: srtp

The srtp flag when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE message. When the srtp flag is set to none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE. The srtp mode can also be either dtls or sdes. In both dtls and sdes modes, the parameters are not required and will be generated randomly as need be.

Options for both dtls and sdes mode may be passed after a colon. For example:

  • TODO: --srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
  • --srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64 encoded cryptographic master key appended with the master salt.

Note that in the case of sdes key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite AES_CM_128_HMAC_SHA1_80.

Flag: templates

Allows one to set the template directory which is used to load (or save) the SIP templates.

To get the default SIP templates, make use of the sipvicious sip utils dump templates command.

Flag: tls-key-log

The TLS key log creates a file with the TLS key that can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.

Future enhancements

Automated cracking

The crack flag uses the built-in SIP Digest password cracking functionality after receiving the challenge response (i.e. MD5 digest), to try to recover the original password. This functionality will try the most common potential passwords based on the SIP extension, the domain, mutations of such information as well as shorter passwords (less than 6 characters long) and commonly used patterns and passwords.

For the full functionality and more features consider using the sip crack offline command or output to a hashcat or John the Ripper file.

reINVITE attack

Support for the reINVITE attack outlined originally outlined by INRIA; further references: IETF Presentation