sipvicious sip enumerate extensions

Summary

Perform a SIP extension enumeration attack.

What it does

Reproduce, detect and exploit the SIP extension enumeration security issue. The tool goes beyond the basics of the attack, allowing testers to probe the target concurrently, make use of custom templatable SIP messages, spread the scan across different targets and more.

Tool functionality

The basic functionality of the sip enumerate extensions command is as follows:

  1. Probing phase, that is, for each probing method (see the probe-methods flag):

    1. send a SIP message (starting with REGISTER) for a random SIP extension (i.e. the username part of the SIP URI) to the target
    2. if the response code is between 100 and 199 (inclusive), it is ignored and the tool waits for the final response
    3. if the response code is 407 or 401 and auth-mode is not ignore (i.e. fake or real), try to authenticate; if the response is again 407 or 401, or is 403, 408 or 500, then the target is typically not vulnerable via this method; if a different response is received, enable the always-auth behaviour for the enumeration phase
    4. if the response code is 403, 408 or 500, the system may be unavailable or the wrong target hostname may have been provided
    5. if the response code is 2xx, log a WARN level message advising that a 2xx response was received for a SIP URI that is assumed not to exist on the target, then skip to the next probe method in the list
    6. otherwise, record the response code and reason phrase as the response given for a non-existent extension and move on to the enumeration phase
  2. Enumeration phase, that is, send one SIP message per candidate SIP URI and handle the responses as follows:

    1. if the response code and reason phrase match the ones recorded in the probing phase, assume that the extension does not exist
    2. if the response code is between 100 and 199 (inclusive), it is ignored
    3. if the response code is 403, 408 or 500, the system may be unavailable or the wrong target hostname may have been provided
    4. if the response code is 407 or 401 and always-auth is off, a valid extension that requires authentication has typically been found
    5. if the response code is 407 or 401 and always-auth is on, attempt to authenticate
    6. if the response code is 200, the extension exists (when the method is REGISTER), does not require authentication, or the system routes the message onwards
    7. if the response code is 404 and the code recorded in the probing phase was anything else, the extension may be of interest for further investigation
    8. if either the response code or the reason phrase differs from the ones recorded during the probing phase, assume that the extension exists and is of interest

When the enumeration SIP method is INVITE, extra call handling takes place; see the caveats section below.
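The two phases above, as an added example that is not SipVicious PRO's own code: a self-contained Python model of the probe and enumeration decision rules, driven by a constructed in-memory target rather than a real PBX. The function names, the fake PBX's behaviour (REGISTER hardened, SUBSCRIBE leaking, MESSAGE failing) and the missing/found/interesting/unavailable labels are assumptions made here for illustration; the tool's own logging and labels differ.

```python
"""Added example, not SipVicious PRO code: a model of the probe and enumeration rules
described above, run against a constructed in-memory target so it works offline."""
import random
import string
from typing import Callable, Dict, List, Optional, Tuple

# A transport sends one request (method, extension, with-credentials flag) and returns
# every response received for it as raw SIP text, provisional responses first.
Transport = Callable[[str, str, bool], List[str]]
Baseline = Tuple[str, int, str]  # (method, status code, reason phrase)

CHALLENGE = {401, 407}
UNAVAILABLE = {403, 408, 500}


def parse_status(raw: str) -> Tuple[int, str]:
    """Return (status code, reason phrase) from the status line of a SIP response."""
    version, code, reason = raw.split("\r\n", 1)[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP response: %r" % raw[:40])
    return int(code), reason


def final_response(responses: List[str]) -> Tuple[int, str]:
    """Ignore 1xx provisional responses; the first final response is the verdict."""
    for raw in responses:
        code, reason = parse_status(raw)
        if not 100 <= code <= 199:
            return code, reason
    raise RuntimeError("no final response received")


def random_extension(length: int = 12) -> str:
    """A long random digit string that is very unlikely to be a real extension."""
    return "".join(random.choices(string.digits, k=length))


def probe(send: Transport, methods: List[str], auth_mode: str = "ignore") -> Optional[Baseline]:
    """Probe phase: return the first method whose response to a non-existent extension
    can serve as the 'does not exist' baseline, or None when no method is usable."""
    for method in methods:
        ext = random_extension()
        code, reason = final_response(send(method, ext, False))
        if code in CHALLENGE and auth_mode != "ignore":
            # fake/real auth-mode: answer the challenge and judge what follows
            code, reason = final_response(send(method, ext, True))
            if code in CHALLENGE or code in UNAVAILABLE:
                continue  # still rejected after authenticating: probably not vulnerable
        if code in UNAVAILABLE:
            continue  # target down or wrong hostname; nothing to learn from this method
        if 200 <= code <= 299:
            continue  # 2xx for a random extension: this method cannot tell extensions apart
        return method, code, reason
    return None


def enumerate_extensions(send: Transport, baseline: Baseline, extensions: List[str],
                         auth_mode: str = "ignore") -> Dict[str, str]:
    """Enumeration phase: label every candidate using the probing-phase baseline."""
    method, base_code, base_reason = baseline
    results: Dict[str, str] = {}
    for ext in extensions:
        code, reason = final_response(send(method, ext, False))
        if code in CHALLENGE and auth_mode != "ignore":
            code, reason = final_response(send(method, ext, True))
        if (code, reason) == (base_code, base_reason):
            results[ext] = "missing"
        elif code in UNAVAILABLE:
            results[ext] = "unavailable"
        elif code in CHALLENGE or code == 200:
            results[ext] = "found"        # challenged only for this URI, or accepted/routed
        else:
            results[ext] = "interesting"  # e.g. 404 against a non-404 baseline
    return results


def make_fake_pbx(known: set) -> Transport:
    """Constructed target, not a real PBX: REGISTER is hardened (every unauthenticated
    request gets 401), SUBSCRIBE still leaks (known extensions are accepted, unknown
    ones get 404) and MESSAGE is broken (500)."""
    def send(method: str, ext: str, with_credentials: bool) -> List[str]:
        if method == "REGISTER":
            if with_credentials and ext in known:
                return ["SIP/2.0 200 OK\r\n\r\n"]
            return ["SIP/2.0 100 Trying\r\n\r\n",
                    'SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm="pbx", nonce="1"\r\n\r\n']
        if method == "SUBSCRIBE":
            return ["SIP/2.0 200 OK\r\n\r\n" if ext in known else "SIP/2.0 404 Not Found\r\n\r\n"]
        return ["SIP/2.0 500 Server Internal Error\r\n\r\n"]
    return send


def run(send: Transport, methods: List[str], extensions: List[str],
        auth_mode: str = "ignore") -> Optional[Tuple[str, Dict[str, str]]]:
    """Probe, then enumerate with the first usable method; None means nothing usable."""
    baseline = probe(send, methods, auth_mode)
    if baseline is None:
        return None
    return baseline[0], enumerate_extensions(send, baseline, extensions, auth_mode)


if __name__ == "__main__":
    pbx = make_fake_pbx({"1000", "1001", "2000"})
    print(run(pbx, ["REGISTER", "SUBSCRIBE", "MESSAGE"], ["1000", "1001", "1002", "2000"], "real"))
```

Against this model, auth-mode real makes the probe discard REGISTER (the random extension is still challenged after authenticating) and settle on SUBSCRIBE with a 404 Not Found baseline, after which 1000, 1001 and 2000 are reported as found. With the default ignore mode the same target hands REGISTER a 401 baseline and every candidate matches it, which is the situation the auth-mode and probe-methods flags exist for.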

The tool displays the following information:

  • When an extension is found, its SIP URI and the response code, together with whether it is confirmed to exist or only marked as interesting, are logged at INFO level
  • When the tool exits, the SIP URIs found are listed grouped by response code
  • If the system is detected to be vulnerable, the exit code is 2

The following is an example logging of the tool when run with the default settings:

INFO[2020-05-28 16:41:18] Target is probably vulnerable using REGISTER (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby)
INFO[2020-05-28 16:41:18] Target is probably vulnerable using SUBSCRIBE (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby)
INFO[2020-05-28 16:41:18] Target is probably vulnerable using NOTIFY (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby)
INFO[2020-05-28 16:41:18] Target is probably vulnerable using PUBLISH (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby)
INFO[2020-05-28 16:41:18] Target is probably vulnerable using MESSAGE (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby)
INFO[2020-05-28 16:41:18] Target is probably vulnerable using INVITE (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby)
INFO[2020-05-28 16:41:18] Target is probably vulnerable using OPTIONS (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby)
INFO[2020-05-28 16:41:18] enumerating with method REGISTER, status code 404
INFO[2020-05-28 16:41:20] found extension 1002
INFO[2020-05-28 16:41:20] found extension 1001
INFO[2020-05-28 16:41:20] found extension 1000
INFO[2020-05-28 16:41:20] found extension 1008
INFO[2020-05-28 16:41:20] found extension 1005
INFO[2020-05-28 16:41:20] found extension 1006
INFO[2020-05-28 16:41:20] found extension 1003
INFO[2020-05-28 16:41:20] found extension 1007
INFO[2020-05-28 16:41:20] found extension 1009
INFO[2020-05-28 16:41:20] found extension 1004
INFO[2020-05-28 16:41:20] found extension 1100
INFO[2020-05-28 16:41:20] found extension 1200
INFO[2020-05-28 16:41:20] found extension 1300
INFO[2020-05-28 16:41:20] found extension 1400
INFO[2020-05-28 16:41:21] found extension 2000
INFO[2020-05-28 16:41:28] results for target udp://demo.sipvicious.pro:5060
INFO[2020-05-28 16:41:28] 1002                      found
INFO[2020-05-28 16:41:28] 1001                      found
INFO[2020-05-28 16:41:28] 1000                      found
INFO[2020-05-28 16:41:28] 1008                      found
INFO[2020-05-28 16:41:28] 1005                      found
INFO[2020-05-28 16:41:28] 1006                      found
INFO[2020-05-28 16:41:28] 1003                      found
INFO[2020-05-28 16:41:28] 1007                      found
INFO[2020-05-28 16:41:28] 1009                      found
INFO[2020-05-28 16:41:28] 1004                      found
INFO[2020-05-28 16:41:28] 1100                      found
INFO[2020-05-28 16:41:28] 1200                      found
INFO[2020-05-28 16:41:28] 1300                      found
INFO[2020-05-28 16:41:28] 1400                      found
INFO[2020-05-28 16:41:28] 2000                      found

Command format

sipvicious sip enumerate extensions <target1 [target2 [target3 ...]]> [flags]

Flags

      --auth-mode string           Specify how to handle authentication requests (fake|real|ignore); default: ignore unless the -u flag is present (default "ignore")
  -c, --conn-count int             number of connections to open (default 30)
  -u, --credentials string         Set the username and password in the following format: username:password (e.g. 1000:test123)
  -d, --dictionary string          dictionary to use for bruteforcing users
      --do-not-probe               Do not attempt to find out how the server should respond when an extension does not exist
  -D, --domain string              override domain name for the SIP address
      --ext-fmt string             Specify a format string for the extension (to be used with --extensions)
  -e, --extensions strings         set the range of target extension numbers and/or alphanumeric extensions (default [0-9999,admin])
      --from-address string        Specify the from address either as a static string or a format string which formats the extension (e.g. sip:%s@example.org)
      --from-domain string         force a particular domain in the From header value
  -m, --method string              set the SIP message method to use (REGISTER|SUBSCRIBE|NOTIFY|PUBLISH|MESSAGE|INVITE|OPTIONS)
      --probe-methods strings      Specify which SIP methods to use when attempting to find ways to perform enumeration (default [REGISTER,SUBSCRIBE,NOTIFY,PUBLISH,MESSAGE,INVITE,OPTIONS])
      --probe-only                 Only do the probing exercise, do not run the actual enumeration
      --rate string                specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
      --register                   maintain a registration throughout the attack; requires -u
      --sipuri-dictionary string   Specify a file with the full SIP URIs to test for
      --to-domain string           force a particular domain in the To header value

Flags inherited from parent commands

      --ca-cert string       TLS CA Certificate
      --client-cert string   TLS client certificate
      --client-key string    TLS client private key
  -C, --config string        configuration file to use (may be JSON, TOML or YAML)
      --debug                set log level to debug
      --logfile string       specify a log filename
      --srtp string          specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
      --templates string     Directory to search for template overrides (default ".")
      --tls-key-log string   TLS key log, - for stdout

Examples

sipvicious sip enumerate extensions -e 100-999,1000-2000 udp://target:5060

Advanced examples

# use specific ranges of extensions for enumeration, and pad the numeric range 1000-9999 with a zero (i.e. 01000-09999)
sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 -e 1000-9999,10000-99999 --ext-fmt '%05d'

# use fake authentication while using a dictionary to bruteforce users
sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 -c 100 --auth-mode fake -d dict.txt

# rate limit tests while using subscribe method (less intrusive)
sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 --rate 1/30ms --do-not-probe -m subscribe

# customise a SIP message by altering the To and From domain
sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 --to-domain urlonsip.tld --from-domain siteonsip.tld 

# do not execute the actual enumeration test, instead only perform the initial probe while maintaining a registration throughout the test
sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 -u 1000:1500 --register --probe-only

# specify probe methods along with list of SIP URIs
sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 --probe-methods invite,publish,subscribe --sipuri-dictionary sipuri.lst 

# enumerating using custom from address and format string for the extensions
sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 --from-address sip:%s@siteonsip.tld --ext-fmt '%04d' --extensions 0-9999

Exit codes

This tool returns exit code 2, i.e. security issue detected, when SIP extension enumeration is allowed and confirmed by identifying at least one SIP extension. The tool returns exit code 3, i.e. network connectivity problems, when the connection fails.

Flag: auth-mode

Specify how authentication requests are handled. This can be either fake, real or ignore. By default, authentication requests are ignored unless credentials are specified using the -u flag. When credentials are specified, the default behaviour is to make use of real credentials. When fake is specified, the challenge response is generated based on the challenge, but no credentials are actually used. This has the benefit of generating a failed authentication request, thus possibly triggering methods of SIP enumeration specific to authentication responses.

If fake or real is specified, the tool always tries to authenticate when challenged using SIP digest authentication, even if the probing stage determined that this is not required for enumeration. If, on the other hand, ignore is specified, the tool never authenticates when challenged using SIP digest authentication, even if the probing stage determined that this is required for enumeration.
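What answering a challenge involves, as an added example that is not SipVicious PRO's code: the RFC 2617 MD5 digest computation that SIP reuses (RFC 3261 section 22), plus a fake mode that builds a well-formed answer from a random password so the registrar runs, and fails, its credential check. The constructed challenge strings and the function names are assumptions; the RFC 2617 test vector is included only to check the arithmetic.

```python
"""Added example, not SipVicious PRO code: digest challenge parsing and the
Authorization header that real and fake auth modes send back."""
import hashlib
import os
import re
from typing import Dict, Optional, Tuple

# key=value pairs, value either quoted or a bare token
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(header: str) -> Dict[str, str]:
    """Turn a WWW-Authenticate / Proxy-Authenticate header value into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("unsupported scheme %r" % scheme)
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(ch: Dict[str, str], method: str, uri: str, username: str,
                    password: str, cnonce: str = "", nc: str = "00000001") -> Tuple[str, Optional[str]]:
    """RFC 2617 MD5 digest. Returns (response hex, qop token used or None)."""
    ha1 = _md5(f"{username}:{ch['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    qop = ch.get("qop")
    if qop:
        qop = qop.split(",")[0].strip()  # first offered token, normally "auth"
        return _md5(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:{qop}:{ha2}"), qop
    return _md5(f"{ha1}:{ch['nonce']}:{ha2}"), None


def authorization_header(challenge: str, method: str, uri: str, username: str,
                         password: str, cnonce: Optional[str] = None) -> str:
    """Build the Authorization (or Proxy-Authorization) header value answering a challenge."""
    ch = parse_challenge(challenge)
    cnonce = cnonce or os.urandom(8).hex()
    nc = "00000001"
    response, qop = digest_response(ch, method, uri, username, password, cnonce, nc)
    parts = [f'username="{username}"', f'realm="{ch["realm"]}"', f'nonce="{ch["nonce"]}"',
             f'uri="{uri}"', f'response="{response}"', "algorithm=MD5"]
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    if "opaque" in ch:
        parts.append(f'opaque="{ch["opaque"]}"')
    return "Digest " + ", ".join(parts)


def fake_authorization(challenge: str, method: str, uri: str, extension: str) -> str:
    """auth-mode fake: a well-formed answer for the probed extension with a random
    password, so the server performs a credential check that is bound to fail."""
    return authorization_header(challenge, method, uri, extension, os.urandom(16).hex())


# Constructed challenge in the style a registrar sends (not captured traffic)
SIP_CHALLENGE = 'Digest realm="demo.sipvicious.pro", nonce="6f2a4c9d", algorithm=MD5, qop="auth"'
# RFC 2617 section 3.5 test vector, used only to check the arithmetic
RFC2617_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    print(fake_authorization(SIP_CHALLENGE, "REGISTER", "sip:demo.sipvicious.pro", "1000"))
```

The digest covers the request method and URI, so the value computed for a REGISTER cannot be replayed against an INVITE; with the RFC 2617 inputs (GET /dir/index.html, user Mufasa, password Circle Of Life, cnonce 0a4f113b) the function reproduces the RFC's response 6629fae49393a05397450978507c4ef1.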

Flag: ca-cert

The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-cert

The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-key

The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: config

Specify a configuration file, which may be in JSON, TOML or YAML format. To get the default settings and find out which settings are available, run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as needed.

These settings are overridden when the corresponding flag, if one exists, is explicitly set.

Flag: conn-count

The conn-count flag sets how many sockets are used concurrently to spread out the attack.

Flag: credentials

Specify valid credentials so that SIP enumeration can be done authenticated. The format is username:password (e.g. 1000:test123). When credentials are not specified, challenges are handled according to the auth-mode flag: they are ignored by default, or answered with fake challenge responses when auth-mode is set to fake.

Flag: debug

Tells the logger to print out debug messages.

Flag: dictionary

Specify a file containing potential SIP extensions to be used in the enumeration attack. This overrides the default extensions flag.

Flag: do-not-probe

When the do-not-probe flag is set, the probe phase is skipped. Instead, the tool assumes that extensions that exist should return a 401, 407 or 200 response. The tool also assumes that non-existent extensions will return a 404 response code.

If no SIP method is explicitly set, the REGISTER method is used.

Flag: domain

A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.

Flag: ext-fmt

The ext-fmt flag allows users to specify a format template for extension generation. For example, -e 1-999 --ext-fmt="123%04d999" generates the extensions 1230001999 to 1230999999.

The format string library used is the standard Go fmt. Please check the documentation for full details about the syntax.

Flag: extensions

This flag allows users to specify ranges of numbers and/or alphanumeric characters to be used in the enumeration attack. Each potential extension or range of numeric extensions is comma separated. Numeric ranges are separated by a minus sign. For example: 100-999,1000-1500,9999,test1,test2.

Flag: from-address

Specify a specific From address. The resulting string can be static, e.g. sip:1234@example.org, or a format string into which the target extension is formatted, e.g. sip:123%04d999@example.org, which results in sip:1230001999@example.org when the target extension is 1.
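The extensions syntax, the ext-fmt verbs and the from-address template described in the sections above, as an added example that is not SipVicious PRO's code: a Python expansion of the range list followed by the format step and the From address step. Python's printf-style operator agrees with Go's fmt for the %d, %0Nd and %s verbs used on this page, which is all this example relies on; the function names are assumptions.

```python
"""Added example, not SipVicious PRO code: expand an --extensions list, apply an
--ext-fmt verb and derive the From address from a --from-address template."""
from typing import Iterator, List, Optional, Tuple, Union

Extension = Union[int, str]


def parse_extensions(spec: str) -> Iterator[Extension]:
    """Expand '100-999,1000-1500,9999,test1,test2' into its members. Numeric ranges are
    inclusive and yielded as ints so a format verb can pad them; anything else
    (alphanumeric extensions such as 'admin') is yielded verbatim."""
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, dash, hi = item.partition("-")
        if dash and lo.isdigit() and hi.isdigit():
            start, end = int(lo), int(hi)
            if end < start:
                raise ValueError("range %r runs backwards" % item)
            yield from range(start, end + 1)
        elif item.isdigit():
            yield int(item)
        else:
            yield item


def format_extension(ext: Extension, ext_fmt: Optional[str] = None) -> str:
    """Apply an --ext-fmt verb such as '%05d' or '123%04d999' to numeric extensions;
    alphanumeric ones carry no number to pad and are left untouched."""
    if ext_fmt is None or not isinstance(ext, int):
        return str(ext)
    return ext_fmt % ext


def build_from_address(template: str, ext: str) -> str:
    """--from-address: either a static SIP URI or a template whose %s receives the
    already formatted extension."""
    try:
        return template % ext
    except TypeError:  # no conversion verb in the template: static From address
        return template


def generate(spec: str, ext_fmt: Optional[str] = None, from_template: Optional[str] = None,
             limit: Optional[int] = None) -> List[Tuple[str, Optional[str]]]:
    """Materialise (extension, From address) pairs; limit caps large ranges such as
    the default 0-9999."""
    out: List[Tuple[str, Optional[str]]] = []
    for ext in parse_extensions(spec):
        formatted = format_extension(ext, ext_fmt)
        from_addr = build_from_address(from_template, formatted) if from_template else None
        out.append((formatted, from_addr))
        if limit is not None and len(out) >= limit:
            break
    return out


if __name__ == "__main__":
    # mirrors the advanced example: -e 1000-9999,10000-99999 --ext-fmt '%05d'
    for ext, _ in generate("1000-1002,10000", "%05d"):
        print(ext)
```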

Flag: from-domain

Force a specific domain name for the From domain. This is useful when the domain name for the SIP address is different than the one passed for the SIPURI in the first line.

Flag: logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: method

Users who wish to force a particular SIP method for probing and enumeration, can specify that method by passing the method flag. This overrides the probe-methods flag.

Flag: probe-methods

The probe-methods flag allows users to specify which methods to try to perform enumeration against. By default, it includes all SIP methods that are known to indicate if a particular extension exists on the registrar or can be proxied to.

This feature is useful when the target has partial protection against SIP extension enumeration that is limited to only specific methods. For example, a number of PBX systems have implemented protection against enumeration for the REGISTER method but not the SUBSCRIBE method.

By default, the tool will try to make use of the following SIP methods in the specified sequence during the probing phase:

  1. REGISTER
  2. SUBSCRIBE
  3. NOTIFY
  4. PUBLISH
  5. MESSAGE
  6. INVITE
  7. OPTIONS

The probing phase will log (at INFO level) which SIP methods appear to allow enumeration once all the methods have been tested. After that, the tool will start the enumeration phase, making use of the first method that appeared to allow enumeration. Users who wish to force a specific method for enumeration, overriding this behaviour, can do so by setting the method flag. Note that the OPTIONS method may lead to false positives.

Flag: probe-only

This flag is given for users whose intent is to simply detect if enumeration is possible on the target. The tool will exit after the probe phase is finished, with an error code of 2 indicating that the target appears to be vulnerable.

Flag: rate

Rate allows one to limit the attack below a certain rate. If the value is 100/30ms, that means that 100 packets should be spread out evenly across 30 milliseconds across all the connections per target.

Flag: register

Register requires credentials to be passed so that a REGISTER message is sent to authenticate with a registrar server before starting the attack. The registration is maintained as per SIP standards, so that authentication does not time out.

Flag: sipuri-dictionary

The sipuri-dictionary flag is similar to the dictionary flag with the difference that the dictionary file should include the full SIP URI. This is especially useful for when the target handles different domains.

Flag: srtp

The srtp flag, when specified, sets the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE message. When the srtp flag is set to none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE. The srtp mode can also be either dtls or sdes. In both dtls and sdes modes, the parameters are not required and will be generated randomly as need be.

Options for both dtls and sdes mode may be passed after a colon. For example:

  • TODO: --srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
  • --srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64 encoded cryptographic master key appended with the master salt.

Note that in the case of sdes key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite AES_CM_128_HMAC_SHA1_80.
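The sdes length rule, as an added example that is not SipVicious PRO's code: generating a key plus salt of the right size and validating a supplied value before putting it on the command line. The 16-octet key / 14-octet salt split is the AES_CM_128_HMAC_SHA1_80 layout (30 octets, 40 base64 characters without padding); the function names are assumptions.

```python
"""Added example, not SipVicious PRO code: build and check the base64 master key
plus master salt that '--srtp sdes:<value>' expects."""
import base64
import os
from typing import Tuple

KEY_LEN, SALT_LEN = 16, 14      # AES_CM_128_HMAC_SHA1_80: 128-bit master key, 112-bit master salt
SDES_LEN = KEY_LEN + SALT_LEN   # 30 octets, i.e. 40 base64 characters with no padding


def new_sdes_param() -> str:
    """Fresh random key+salt from the OS CSPRNG, base64 encoded for the flag."""
    return base64.b64encode(os.urandom(SDES_LEN)).decode("ascii")


def split_sdes_param(param: str) -> Tuple[bytes, bytes]:
    """Accept 'sdes:<b64>' or a bare '<b64>' value and return (master key, master salt).
    Raises ValueError when the value is not base64 or decodes to the wrong length."""
    if param.startswith("sdes:"):
        param = param[len("sdes:"):]
    raw = base64.b64decode(param, validate=True)  # binascii.Error is a ValueError
    if len(raw) != SDES_LEN:
        raise ValueError(f"expected {SDES_LEN} octets after base64 decoding, got {len(raw)}")
    return raw[:KEY_LEN], raw[KEY_LEN:]


def is_valid_sdes_param(param: str) -> bool:
    """True when the value would be accepted for the default crypto-suite."""
    try:
        split_sdes_param(param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("--srtp sdes:" + new_sdes_param())
```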

Flag: templates

Allows one to set the template directory which is used to load (or save) the SIP templates.

To get the default SIP templates, make use of the sipvicious sip utils dump templates command.

Flag: tls-key-log

The TLS key log writes the TLS session keys to a file which can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.

Flag: to-domain

Force a specific domain name for the To address. This is useful when the domain name for the SIP address is different than the one passed for the SIPURI in the first line. If no from-domain or from-address argument is passed, this overrides the value for the From header as well.

Caveats

Detection of false positives

In some cases, some targets may respond positively (e.g. with a 200 OK) when scanned. This is especially the case when the enumeration method is set to OPTIONS. Therefore, by default, the tool detects instances where all extensions start resulting in a positive response. This is done by going into probe phase every 300 messages.

On making use of INVITE for enumeration

When making use of INVITE, the tool tries to cancel calls by sending a CANCEL as soon as a 180 response is received and if that fails, sends a BYE if the call is picked up.

Future enhancements

  • Intelligent SIP extension enumeration similar to VOIPPACK
  • Allow distributed attacks by splitting extensions and telemetry
  • Detect changes in headers or additional provisional responses when extensions do exist
  • A more accurate probe phase for lab environment tests where existent extensions are already known; this can be done by comparing responses for extensions that exist and those that do not, removing anything that is generated randomly in the SIP response and comparing the rest