sipvicious sip crack online

Summary

Launch an online SIP password cracking attack

What it does

Test SIP account weaknesses through a password guessing attack. This tool allows various types of password cracking attacks on SIP registrars and proxies to discover guessable passwords and demonstrate security issues in weak password policies.

Tool functionality

The SIP online cracking tool attempts to guess SIP account passwords on a target SIP server. It supports various SIP methods and password guessing techniques, and can distribute the attack across multiple targets and multiple extensions.

The tool makes use of a number of password generators, which produce the passwords tried in each password guessing (or cracking) attempt. By default, the tool uses the pattern cracking algorithm as its password generator, with the basic extension-based algorithm (ext) enabled. Multiple generators can be combined in a single attack.

The tool starts by sending a SIP request to the target (the default SIP method is REGISTER) and waits for a 401 or 407 response. When a 401 or 407 response is received, it computes the challenge response using the digest authentication mechanism and resends the same SIP message with that response. If the new response is again a 401 or 407, it moves on to the next password from the password generators. This process repeats until the password generators run out of passwords to try, or until every target extension has returned a 200 OK, indicating that its password has been cracked.

When the response to a SIP message without an authentication header is a 200 OK rather than a 401 or 407, no authentication is required. Other 4XX, 5XX or 6XX responses indicate that a password cracking attack is not possible. A special warning is generated when the response code is unexpected (e.g. a 3XX or 202 response).
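To make the challenge/response step concrete, here is a registrar-side check written for this page (it is not SIPVicious code): it parses the Digest parameters of an Authorization header, recomputes the expected response from the stored password and answers 200 or 401 exactly as the tool expects. The username, realm, nonce and URI are constructed sample values.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// md5hex returns the lowercase hex MD5 of s, the hash SIP digest auth uses by default.
func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// digestResponse is the RFC 2617 response value without qop, as carried in a SIP
// Authorization or Proxy-Authorization header: MD5(HA1 ":" nonce ":" HA2).
func digestResponse(user, realm, pass, method, uri, nonce string) string {
	ha1 := md5hex(user + ":" + realm + ":" + pass)
	ha2 := md5hex(method + ":" + uri)
	return md5hex(ha1 + ":" + nonce + ":" + ha2)
}

// parseDigestParams turns `Digest k="v", k2="v2"` into a map. It splits on
// commas, so a quoted comma inside a value is not supported.
func parseDigestParams(header string) map[string]string {
	params := map[string]string{}
	body := strings.TrimPrefix(strings.TrimSpace(header), "Digest")
	for _, kv := range strings.Split(body, ",") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			params[strings.ToLower(k)] = strings.Trim(v, `"`)
		}
	}
	return params
}

// registrarStatus is what a registrar answers to a request carrying authHeader,
// given the password it stores for that user: 200 when the response matches,
// 401 otherwise. Each wrong guess therefore costs exactly one more 401 before
// the tool moves on to the next password.
func registrarStatus(authHeader, method, storedPass string) int {
	p := parseDigestParams(authHeader)
	want := digestResponse(p["username"], p["realm"], storedPass, method, p["uri"], p["nonce"])
	if p["response"] == want {
		return 200
	}
	return 401
}

func main() {
	// Constructed sample; in a real exchange the nonce comes from the 401/407.
	resp := digestResponse("1000", "example.org", "password1", "REGISTER", "sip:example.org", "abc123")
	auth := `Digest username="1000", realm="example.org", nonce="abc123", uri="sip:example.org", response="` + resp + `"`
	fmt.Println(registrarStatus(auth, "REGISTER", "password1"), registrarStatus(auth, "REGISTER", "1000")) // 200 401
}
```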

In the case of the REGISTER SIP method, the From and To addresses are typically the same unless the SIP registrar allows third-party registration. In such cases one can use the from flag to specify who is registering the extension or SIP URI passed to the extensions flag; the extensions flag then specifies the To address in the SIP message. For methods other than REGISTER (e.g. INVITE), the extensions flag sets the From address rather than the To address.

When setting the To and From headers, the behaviour of the sip crack online tool depends on the SIP method used for the attack. This may differ from other tools such as sip enumerate extensions, since the aim of this tool is SIP account password cracking rather than enumeration.

The following password generators are available:

  • the pattern cracking algorithms, selected with the pattern flag (the default generator)
  • numeric ranges, set with the range flag and optionally formatted with the range-fmt flag
  • dictionary files, set with the dictionary flag
  • credentials files, set with the credentials flag

The following is an example of the logging from the tool when run with the default settings:

INFO[0000] Starting password cracking attack             targets="[udp://example.org:5060 tls://example.org:5061]"
INFO[0000] Starting pattern cracking algorithm test      targets="[udp://example.org:5060 tls://example.org:5061]"
INFO[0000] Starting numeric range cracking test          targets="[udp://example.org:5060 tls://example.org:5061]"
INFO[0000] Starting dictionary cracking test             targets="[udp://example.org:5060 tls://example.org:5061]"
INFO[0000] Found password                                extension=1000 password=password1 targets="[udp://example.org:5060 tls://example.org:5061]"
INFO[0000] Found password                                extension=1000 password=password1 targets="[udp://example.org:5060 tls://example.org:5061]"
INFO[0000] Found password                                extension=1000 password=password1 targets="[udp://example.org:5060 tls://example.org:5061]"
INFO[0000] Found all passwords                           targets="[udp://example.org:5060 tls://example.org:5061]"
{
    "sip": {
        "crack": {
            "online": [{
                    "target": "udp://example.org:5060",
                    "results": [{
                            "extension": "1000",
                            "password": "password1",
                            "username": "1000"
                        },
                        {
                            "extension": "1001",
                            "password": "password2",
                            "username": "1001"
                        }
                    ]
                },
                {
                    "target": "tls://example.org:5061",
                    "results": [{
                        "extension": "1002",
                        "password": "password3",
                        "username": "1002"
                    }]
                }
            ]
        }
    }
}

Command format

sipvicious sip crack online <target1 [target2 [target3 ...]]> [flags]

Flags

  -c, --conn-count int           Number of sockets to use (per target) (default 30)
      --credentials string       specify a file containing usernames and passwords on each line, in the following format: username$password (e.g. 1000$test123) or username:extension$password (e.g. user1:1000$test123) or even username:sipuri$password (e.g. user1:sip:1000@example.org$test123)
  -d, --dictionary string        specify a dictionary file with potential passwords
  -D, --domain string            override domain name for the SIP address
  -e, --extensions strings       specify target extensions and/or SIP URIs; if the authentication username is different than the extension, it is passed after a colon; if no extensions are specified, a random numeric extension is used
  -E, --extensions-file string   specify a file with extensions and/or SIP URIs or colon delimited extensions or SIP URIs and users
      --from string              specify a from extension or SIP URI to set the From address; if not specified, the default behavior depends on the SIP method being tested
  -m, --method string            set the SIP message method to use (REGISTER|SUBSCRIBE|NOTIFY|PUBLISH|MESSAGE|INVITE|OPTIONS) (default "register")
  -p, --pattern strings          specify which pattern algorithms to test for with the passwords (ext|ext2|num|dial|all|none); e.g. num,dial (default [ext])
  -r, --range strings            specify a range of numbers for the password; e.g. 100-200,300-310,400
      --range-fmt string         specify a format string for the password (to be used with --range)
      --rate string              specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
      --to string                specify a to extension or SIP URI to set the To address; if not specified, the default behavior depends on the SIP method being tested

Flags inherited from parent commands

      --ca-cert string       TLS CA Certificate
      --client-cert string   TLS client certificate
      --client-key string    TLS client private key
  -C, --config string        configuration file to use (may be JSON, TOML or YAML)
      --debug                set log level to debug
      --logfile string       specify a log filename
      --srtp string          specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
      --templates string     Directory to search for template overrides (default ".")
      --tls-key-log string   TLS key log, - for stdout

Examples

sipvicious sip crack online udp://target:5060 -d passwords.txt -e 1234

Advanced examples

# using the numeric password range with a format string to pad numbers with zeros
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -d passwords.txt -e 1234 -r 0-9999 --range-fmt '%04d'

# cracking a SIP proxy using INVITE message to call 1234 from various extensions
sipvicious sip crack online tcp://demo.sipvicious.pro:5060 -m invite -e 1000,1100,2000 --to 1001

# distributed password cracking against a SIP TLS server over 100 connections with a credentials file
sipvicious sip crack online tls://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 udp://demo.sipvicious.pro:5060 --credentials userpass.txt -c 100

# launch a password cracking against 1234 with dictionary and range
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 1234 -d dict.txt -r 100-200

# do a bunch of known extensions using the pattern scan
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 1234,2345,3456,4567,5678

# do a bunch of known extensions from file using the pattern scan
sipvicious sip crack online udp://demo.sipvicious.pro:5060 --extensions-file extensions.txt

# do password cracking against an extension with a known username
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 2000:2000

# same but this time we have a specific SIP URI passed there
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e sip:2000@demo.sipvicious.pro:2000

# distribute the attack across different users and targets
sipvicious sip crack online udp://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 -e 1100,2000 -D siteonsip.tld

# slowly do password cracking
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 1234 --rate 10/1s

# Try all pattern cracking algorithms against a dictionary of extensions
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -E extensions.txt -p all

Exit codes

If any passwords are guessed, or any extensions on test do not require authentication, the tool returns 3, i.e. security issue detected.

Flag: ca-cert

The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-cert

The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-key

The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: config

Specify a configuration file, which may be in JSON, TOML or YAML format. To get the default settings and see which settings are available, run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as needed.

Settings from the configuration file are overridden when the corresponding flag, if one exists, is explicitly set.

Flag: conn-count

The conn-count flag sets how many sockets are used concurrently (per target) to spread out the attack.

Flag: credentials

The credentials flag sets the credentials file to be used. It takes a filename as its value; the file contains one credential per line, consisting of a username and a password delimited by a dollar sign. Example content:

fred$passw0rd
alice$inwonderland
john$theripper

The file can also contain an extension or SIP URI delimited by a colon, as follows:

fred:1000$passw0rd
alice:sip:alice@example.org$inwonderland

Note that when no target extensions are specified using the extensions flag, the extension is set to the username from the credentials file. If an extension is specified in the credentials file, it takes precedence and the extension given with the extensions flag is ignored.
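An added parser for the credentials file format above (written for this page, not part of SIPVicious), including the extension precedence from the note. It cuts each line at the first $, which is an assumption because the page does not say how a $ inside a password is handled; the sample lines in the test are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Credential is one line of a --credentials file.
type Credential struct {
	Username  string
	Extension string // extension or SIP URI; empty when the line carries none
	Password  string
}

// parseCredentialLine handles username$password, username:extension$password
// and username:sipuri$password: cut at the first "$", then the left part at the
// first ":" so a SIP URI keeps its "sip:" colon. Assumption: the page does not
// say how a "$" inside a password is treated; here the first "$" starts the password.
func parseCredentialLine(line string) (Credential, error) {
	left, pass, ok := strings.Cut(line, "$")
	if !ok || left == "" {
		return Credential{}, fmt.Errorf("malformed credential line %q", line)
	}
	user, ext, _ := strings.Cut(left, ":")
	return Credential{Username: user, Extension: ext, Password: pass}, nil
}

// parseCredentials parses a whole file body, skipping blank lines.
func parseCredentials(body string) ([]Credential, error) {
	var creds []Credential
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		c, err := parseCredentialLine(line)
		if err != nil {
			return nil, err
		}
		creds = append(creds, c)
	}
	return creds, nil
}

// targetExtension applies the precedence from the note above: an extension in
// the file wins, then the -e flag value, then the username doubles as extension.
func targetExtension(c Credential, flagExt string) string {
	if c.Extension != "" {
		return c.Extension
	}
	if flagExt != "" {
		return flagExt
	}
	return c.Username
}
```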

Flag: debug

Tells the logger to print out debug messages.

Flag: dictionary

The dictionary flag takes a filename as argument whose contents are passwords to be used in the password guessing attack. The format of the dictionary consists of one password on each line.

Flag: domain

A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.

Flag: extensions

This flag allows users to specify extensions or target SIP URIs to be tested in the password cracking attack. Extensions are comma separated, for example: 100,1000,9999,test1,test2. If the authentication username differs from the extension, it is passed after a colon, for example: 100:user1,1000:user2. With a SIP URI instead of a plain extension, this looks like: sip:100@example.org:user1.

When no extensions are specified, a random numeric extension is used.

Flag: from

Specify the From address in the SIP header. Its practical use depends on the SIP method used for the password cracking attack, as outlined in this document.

Flag: logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: method

Specify the SIP method to be used for password cracking. The following methods are supported:

  • REGISTER
  • SUBSCRIBE
  • NOTIFY
  • PUBLISH
  • MESSAGE
  • INVITE
  • OPTIONS

Flag: pattern

The pattern flag sets which pattern cracking algorithms are enabled. The following values can be used in combination:

  • ext: to enable SIP account specific password tests
  • ext2: to enable additional extension-based SIP account specific password tests
  • num: to perform common numeric-based password tests
  • dial: to perform dialpad specific password tests

Additionally, the following convenience values are available:

  • all
  • none

The pattern cracking algorithms each do the following to generate passwords:

  • SIP account specific tests (ext):
    • null password
    • tries the SIP extension
    • tries the SIP extension in reverse
    • if the SIP extension is different from the SIP username, then the same tests are run again but with the username
  • More advanced SIP account specific tests (ext2):
    • tries the SIP extension prepended with each number from 0 to 9, then from 00 to 99 (note the zero padding)
    • tries the SIP extension appended with each number from 0 to 9, then from 00 to 99
    • if the SIP extension is different from the SIP username, then the same tests are run again but with the username
  • Common numeric passwords (num):
    • Consecutive numbers of lengths between 3 and 10 (e.g. 012, 123 and 123456, up to 0123456789)
    • Reverse of the previous test (e.g. 321, 0987654321)
    • Round numbers of lengths between 3 and 6 (e.g. 000, 100, 200 up to 900000)
    • Dates starting from 1900 to 10 years from now (i.e. 2029)
    • Repeated numbers of lengths between 3 and 10 (e.g. 000, 111 up to 9999999999)
  • Dialpad specific (dial):
    • Patterns common on dialpads that are not covered by the previous patterns (e.g. 147, 147*, 147258)
    • Reverse of the previous test
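The defensive counterpart of these generators, written for this page rather than taken from SIPVicious: a check a provisioning system can run to reject a SIP password that the ext, ext2 or num generators would guess. It covers ext and ext2 in full and the consecutive and repeated digit families of num; round numbers, dates and dial patterns are left out.

```go
package main

import (
	"strconv"
	"strings"
)

func reverse(s string) string { // byte-wise reverse, sufficient for ASCII ids
	b := []byte(s)
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

// extGuesses lists the ext and ext2 candidates for one identifier (extension or username).
func extGuesses(id string) []string {
	g := []string{"", id, reverse(id)} // null password, the id, the id reversed
	for n := 0; n <= 99; n++ {
		d := strconv.Itoa(n)
		g = append(g, d+id, id+d) // 0-9 and 10-99 prepended and appended
		if n <= 9 {
			g = append(g, "0"+d+id, id+"0"+d) // zero padded 00-09 from the 00-99 pass
		}
	}
	return g
}

// numGuesses lists the num consecutive runs (with reverse) and repeated digits, lengths 3 to 10.
func numGuesses() []string {
	var g []string
	for l := 3; l <= 10; l++ {
		for start := 0; start+l <= 10; start++ { // 012 ... 0123456789 and their reverse
			g = append(g, "0123456789"[start:start+l], reverse("0123456789"[start:start+l]))
		}
		for d := '0'; d <= '9'; d++ { // 000 ... 9999999999
			g = append(g, strings.Repeat(string(d), l))
		}
	}
	return g
}

// isWeakSIPPassword reports whether ext, ext2 or num would produce password for this account.
func isWeakSIPPassword(password, extension, username string) bool {
	candidates := append(extGuesses(extension), numGuesses()...)
	if username != "" && username != extension { // the generators repeat the ext tests with the username
		candidates = append(candidates, extGuesses(username)...)
	}
	for _, c := range candidates {
		if c == password {
			return true
		}
	}
	return false
}
```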

Flag: range

This flag allows users to specify ranges of numbers to be used as passwords in the password cracking attack. Ranges are comma separated, and the bounds of each range are separated by a minus sign. For example: 100-999,1000-1500.

Flag: range-fmt

The range-fmt flag allows users to specify a format template for numeric range password generation. For example, -r 1-999 --range-fmt="123%04d999" generates the passwords 1230001999 through 1230999999.

The format string is handled by the standard Go fmt package; see its documentation for full details of the syntax.

Flag: rate

Rate allows one to limit the attack to at most a certain rate. A value of 100/30ms means that 100 packets are spread out evenly across 30 milliseconds, across all the connections for a target.

Flag: srtp

The srtp flag, when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE message. When the srtp flag is set to none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE. The srtp mode can also be either dtls or sdes. In both dtls and sdes modes, the parameters are not required and are generated randomly as needed.

Options for both dtls and sdes mode may be passed after a colon. For example:

  • TODO: --srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
  • --srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64 encoded cryptographic master key appended with the master salt.

Note that in the case of an sdes key, the base64 decoded value (master key followed by master salt) must have a valid length, which is 30 octets for the default crypto-suite AES_CM_128_HMAC_SHA1_80.

Flag: templates

Allows one to set the template directory used to load (or save) the SIP templates.

To get the default SIP templates, make use of the sipvicious sip utils dump templates command.

Flag: tls-key-log

The TLS key log flag writes the TLS session keys to a file, which can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.

Flag: to

Specify the To address in the SIP header. Its practical use depends on the SIP method used for the password cracking attack, as outlined in this document.

Caveats

Behaviour of the extension flag

The extensions flag sets either the request line's SIP URI, the From header or the To header, depending on the value of the method flag. This way, password cracking for a specific target extension is done according to the SIP method.