Perform a SIP extension enumeration attack.
Reproduce, detect and exploit the SIP extension enumeration security issue. The tool goes beyond the very basics of the attack, allowing testers to probe the target concurrently, make use of custom templatable SIP messages, spreading the scan across different targets and more.
The basic functionality of the
sip enumerate command is as follows:
Probing phase, that is, for each probing method (see
REGISTER) for a random SIP extension (i.e. username in the SIP URI) to the target
never-authis not set, try to authenticate; if the response is again 407 or 401 OR 403, 408 or 500 then it typically means that the target is not vulnerable; if we receive a different response, enable the
WARNlevel message advising that a 2xx response code was received for a SIP URI that is assumed to be non-existent on the target; then skip to the next probe method in the list
Start enumeration phase, that is, start sending each SIP message, each having a different SIP URI and then handling the responses as follows:
always-authis off, then it typically means that we found a valid extension that requires authentication
always-authis on, attempt to authenticate
When the enumeration SIP method is
INVITE, certain extra behaviour needs to take place.
The tool displays the following information:
The following is an example logging of the tool when run with the default settings:
INFO[2020-05-28 16:41:18] Target is probably vulnerable using REGISTER (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby) INFO[2020-05-28 16:41:18] Target is probably vulnerable using SUBSCRIBE (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby) INFO[2020-05-28 16:41:18] Target is probably vulnerable using NOTIFY (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby) INFO[2020-05-28 16:41:18] Target is probably vulnerable using PUBLISH (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby) INFO[2020-05-28 16:41:18] Target is probably vulnerable using MESSAGE (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby) INFO[2020-05-28 16:41:18] Target is probably vulnerable using INVITE (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby) INFO[2020-05-28 16:41:18] Target is probably vulnerable using OPTIONS (setting responseStatusCode:404, responseReasonPhrase:enumerate me baby) INFO[2020-05-28 16:41:18] enumerating with method REGISTER, status code 404 INFO[2020-05-28 16:41:20] found extension 1002 INFO[2020-05-28 16:41:20] found extension 1001 INFO[2020-05-28 16:41:20] found extension 1000 INFO[2020-05-28 16:41:20] found extension 1008 INFO[2020-05-28 16:41:20] found extension 1005 INFO[2020-05-28 16:41:20] found extension 1006 INFO[2020-05-28 16:41:20] found extension 1003 INFO[2020-05-28 16:41:20] found extension 1007 INFO[2020-05-28 16:41:20] found extension 1009 INFO[2020-05-28 16:41:20] found extension 1004 INFO[2020-05-28 16:41:20] found extension 1100 INFO[2020-05-28 16:41:20] found extension 1200 INFO[2020-05-28 16:41:20] found extension 1300 INFO[2020-05-28 16:41:20] found extension 1400 INFO[2020-05-28 16:41:21] found extension 2000 INFO[2020-05-28 16:41:28] results for target udp://demo.sipvicious.pro:5060 INFO[2020-05-28 16:41:28] 1002 found INFO[2020-05-28 16:41:28] 1001 found INFO[2020-05-28 16:41:28] 1000 found INFO[2020-05-28 16:41:28] 1008 found INFO[2020-05-28 16:41:28] 1005 found INFO[2020-05-28 16:41:28] 1006 found INFO[2020-05-28 16:41:28] 1003 found INFO[2020-05-28 16:41:28] 1007 found INFO[2020-05-28 16:41:28] 1009 found INFO[2020-05-28 16:41:28] 1004 found INFO[2020-05-28 16:41:28] 1100 found INFO[2020-05-28 16:41:28] 1200 found INFO[2020-05-28 16:41:28] 1300 found INFO[2020-05-28 16:41:28] 1400 found INFO[2020-05-28 16:41:28] 2000 found
sipvicious sip enumerate extensions <target1 [target2 [target3 ...]]> [flags]
--auth-mode string Specify how to handle authentication requests (fake|real|ignore); default: ignore unless the -u flag is present (default "ignore") -c, --conn-count int number of connections to open (default 30) -u, --credentials string Set the username and password in the following format: username:password (e.g. 1000:test123) -d, --dictionary string dictionary to use for bruteforcing users --do-not-probe Do not attempt to find out how the server should respond when an extension does not exist -D, --domain string override domain name for the SIP address --ext-fmt string Specify a format string for the extension (to be used with --extensions) -e, --extensions strings set the range of target extension numbers and/or alphanumeric extensions (default [0-9999,admin]) --from-address string Specify the from address either as a static string or a format string which formats the extension (e.g. sip:%email@example.com) --from-domain string force a particular domain in the From header value -m, --method string set the SIP message method to use (REGISTER|SUBSCRIBE|NOTIFY|PUBLISH|MESSAGE|INVITE|OPTIONS) --probe-methods strings Specify which SIP methods to use when attempting to find ways to perform enumeration (default [REGISTER,SUBSCRIBE,NOTIFY,PUBLISH,MESSAGE,INVITE,OPTIONS]) --probe-only Only do the probing exercise, do not run the actual enumeration --rate string specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms --register maintain a registration throughout the attack; requires -u --sipuri-dictionary string Specify a file with the full SIP URIs to test for --to-domain string force a particular domain in the To header value
--ca-cert string TLS CA Certificate --client-cert string TLS client certificate --client-key string TLS client private key -C, --config string configuration file to use (may be JSON, TOML or YAML) --debug set log level to debug --logfile string specify a log filename --srtp string specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none") --templates string Directory to search for template overrides (default ".") --tls-key-log string TLS key log, - for stdout
sipvicious enum ext -e 100-999,1000-2000 udp://target:5060
# use specific ranges of extensions for enumeration, and pad the numeric range 1000-9999 with a zero (i.e. 01000-09999) sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 -e 1000-9999,10000-99999 --ext-fmt '%05d' # use fake authentication while using a dictionary to bruteforce users sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 -c 100 --auth-mode fake -d dict.txt # rate limit tests while using subscribe method (less intrusive) sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 --rate 1/30ms --do-not-probe -m subscribe # customise a SIP message by altering the To and From domain sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 --to-domain urlonsip.tld --from-domain siteonsip.tld # do not execute the actual enumeration test, instead only perform the initial probe while maintaining a registration throughout the test sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 -u 1000:1500 --register --probe-only # specify probe methods along with list of SIP URIs sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 --probe-methods invite,publish,subscribe --sipuri-dictionary sipuri.lst # enumerating using custom from address and format string for the extensions sipvicious sip enumerate extensions udp://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 --from-address sip:%firstname.lastname@example.org --ext-fmt '%04d' --extensions 0-9999
This tool returns exit code 3, i.e. security issue is detected when a SIP extension enumeration is allowed and confirmed by identifying at least one SIP extension. The tool returns exit code 3, i.e. network connectivity problems when the connection fails.
Specify how authentication requests are handled. This can be either
ignore. By default, authentication requests are ignored unless credentials are specified using the
-u flag. When credentials are specified, the default behaviour is to make use of real credentials. When
fake is specified, the challenge response is generated based on the challenge, but no credentials are actually used. This has the benefit of generating a failed authentication request, thus possibly triggering methods of SIP enumeration specific to authentication responses.
real is specified, the tool always tries to authenticate when challenged using SIP digest authentication; even if the probing stage determined that this is not required for enumeration. If, on the other hand,
ignore is specified, the tool to never authenticates when challenged using SIP digest authentication; even if the probing stage determined that this is required for enumeration.
The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.
The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.
The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.
Specify a configuration file which may be a JSON, TOML and YAML config
format. To get the default settings and figure out which settings are available, one may
sipvicious utils dump config command. This is typically used to create a template
configuration that can then be edited as need be.
These settings may be overwritten when the corresponding flag is explicitly set, if one is present.
conn-count allows setting of how many sockets should be used concurrently to spread out of the attack.
Specify valid credentials so that SIP enumeration can be done authenticated. The following format is used
1000:test123). When not specified, if required, the tool will send fake challenge responses.
Tells the logger to print out debug messages.
Specify a file containing potential SIP extensions to be used in the enumeration attack. This overrides the default
do-not-probe flag is set, the probe phase is skipped. Instead, the tool assumes that extensions that exist should return a
200 response. The tool also assumes that non-existent extensions will return a
404 response code.
If no SIP method is explicitly set, the
REGISTER method is used.
A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.
ext-fmt flag allows users to specify a format template for the extension generation. For example,
-e 1-999 --ext-fmt="123%04d999" between 1230001999 to 1230999999.
The format string library used is the standard Go
fmt. Please check the documentation for full details about the syntax.
This flag allows users to specify ranges of numbers and/or alphanumeric characters to be used in the enumeration attack. Each potential extension or range of numeric extensions is comma separated. Numeric ranges are separated by a minus sign. For example:
Specify a specific From address. The resulting string can be static, e.g.
sip:email@example.com or a format string which results in formatting the target extension, e.g.
sip:firstname.lastname@example.org which results in
sip:email@example.com when the target extension is
Force a specific domain name for the
From domain. This is useful when the domain name for the SIP address is different than the one passed for the SIPURI in the first line.
logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a
.json file extension, then the output format is in JSON, otherwise it defaults to text format.
Users who wish to force a particular SIP method for probing and enumeration, can specify that method by passing the method flag. This overrides the
probe-methods flag allows users to specify which methods to try to perform enumeration against. By default, it includes all SIP methods that are known to indicate if a particular extension exists on the registrar or can be proxied to.
This feature is useful when the target has partial protection against SIP extension enumeration that is limited to only specific methods. For example, a number of PBX systems have implemented protection against enumeration for the
REGISTER method but not the
By default, the tool will try to make use of the following SIP methods in the specified sequence during the probing phase:
The probing phase will log (at INFO level) which SIP methods appear to allow enumeration once all the methods have been tested. After that, the tool will start the enumeration phase, making use of the first method that appeared to allow enumeration. Users who wish to force a specific method for enumeration, overriding this behaviour, can do so by setting the
method switch. Note that the
OPTIONS method may lead to false positives.
This flag is given for users whose intent is to simply detect if enumeration is possible on the target. The tool will exit after the probe phase is finished, with an error code of 2 indicating that the target appears to be vulnerable.
Rate allows one to limit the attack below a certain rate. If the value is 100/30ms, that means that 100 packets should be spread out evenly across 30 milliseconds across all the connections per target.
Register requires credentials to be passed so that a
REGISTER message is sent to authenticate with a registrar server before starting the attack. The registration is maintained as per SIP standards, so that authentication does not time out.
sipuri-dictionary flag is similar to the dictionary flag with the difference that the dictionary file should include the full SIP URI. This is especially useful for when the target handles different domains.
srtp flag when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming
INVITE message. When the
srtp flag is set to
none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming
srtp mode can also be either
sdes. In both
sdes modes, the parameters are not required and will be generated randomly as need be.
Options for both
sdes mode may be passed after a colon. For example:
--srtp dtls:cert.crt:cert.key[:ca.crt]where the first argument after the mode (
dtls) is the public certificate
cert.crt, then the private key
cert.keyand finally, the optional certificate authority file
--srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSojwhere the argument is the base64 encoded cryptographic master key appended with the master salt.
Note that in the case of
sdes key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite
Allows one to set the template directory which is used to load (or save) the SIP templates.
To get the default SIP templates, make use of the
sipvicious sip utils dump templates command.
The TLS key log creates a file with the TLS key that can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.
Force a specific domain name for the To address. This is useful when the domain name for the SIP address is different than the one passed for the SIPURI in the first line. If no
from-address argument is passed, this overrides the value for the
From header as well.
In some cases, some targets may respond positively (e.g. with a
200 OK) when scanned. This is especially the case when the enumeration method is set to
OPTIONS. Therefore, by default, the tool detects instances where all extensions start resulting in a positive response. This is done by going into probe phase every 300 messages.
When making use of
INVITE, the tool tries to cancel calls by sending a
CANCEL as soon as a 180 response is received and if that fails, sends a BYE if the call is picked up.