[OpenSIPS-Users] SIP Authentication Attacks

James Lamanna jlamanna at gmail.com
Fri Feb 3 23:36:50 CET 2012


Hi,
I know the phones are not on public IPs.
Here is an opensips log of an attacker successfully registering
(hashes have been scrubbed):


Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_newtran: transaction on entrance=(nil)
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=ffffffffffffffff
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=78
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: start searching: hash=22639, isACK=0
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: proceeding to pre-RFC3261 transaction matching
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: no transaction found
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:run_reqin_callbacks: trans=0x2b9c44a2a3e0, callback type 1, id 0 entered
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_nonce: comparing [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b] and [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b]
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:has_stmt_ctx: ctx found for subscriber
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: conn=0x7ee8c0 (tail=8315728) MC=0x7ee3b0
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: set values for the statement run
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_val2bind: added val (0): len=5; type=254; is_null=0
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: doing BIND_PARAM in...
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: prepared statement has 1 columns in result
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_new_result: allocate 48 bytes for result set at 0x7f2200
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: 1 columns returned from the query
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_columns: allocate 28 bytes for result columns at 0x7f55a8
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x7f55b0)[0]=[password]
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_rows: allocate 48 bytes for result rows and values at 0x7fa080
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_str2val: converting STRING [........]
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth_db:get_ha1: HA1 string calculated: ....7ee7c3
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: our result = ....7f340e'
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: their response = '.....7f340e", algorithm=MD5#015#012User-Agent: VaxSIPUserAgent/3.0#015#012Expires:
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: authorization is OK
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:post_auth: nonce index= 3171
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_columns: freeing result columns at 0x7f55a8
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing 1 rows
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_row: freeing row values at 0x7fa090
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing rows at 0x7fa080
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_result: freeing result set at 0x7f2200
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for xxxxx at yy.yy.yy.11 from 74.204.92.217 on port 5060 ret 1

-- James

On Thu, Feb 2, 2012 at 12:08 AM, Dovid Bender <os-list at dovid.net> wrote:
> James,
>
>
> We have found with our users that some of them put the phones on public
> IPs. If the default password is not changed, no matter how hard the
> password is they will get in. Also try using characters like “@:^#” in your
> passwords.
>
>
> Regards,
>
>
>
> Dovid
>
>
>
> ________________________________
>
> From: users-bounces at lists.opensips.org
> [mailto:users-bounces at lists.opensips.org] On Behalf Of aws j
> Sent: Thursday, February 02, 2012 06:08
> To: OpenSIPS users mailling list
> Subject: Re: [OpenSIPS-Users] SIP Authentication Attacks
>
>
>
> Dear Mr James,
> Can you attach your suspect file for me to do VoIP forensics on it?
> Thanks,
> Aws
> MSc VoIP Security
>
> 2012/2/1 James Lamanna <jlamanna at gmail.com>
>
> Hi,
> I've noticed lately that a server of mine is getting repeatedly hit by
> an attacker trying to make international calls.
> The scary part is that the attacker seems to be able to register
> correctly on different extensions, even though each extension has a
> different, random password.
> I'm not sure how the attacker is getting the passwords or if there's a
> man-in-the-middle attack going on, but I would like some suggestions
> on how to increase the security of SIP authentication in opensips.
> I could enforce security through IP addresses, but I fear that will
> become quite cumbersome.
>
> Thanks.
>
> -- James
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
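As an added example (not code from the OpenSIPS project or from anyone on this thread), the Python below does two things a defender reading James's log would want. First, it recomputes the digest check that the DBG:auth:check_response lines show, which makes plain that a matching response proves the client holds the password, or the HA1, since the server never needs the cleartext. Second, it scans "Auth attempt ... ret N" summary lines in the shape of James's last log line for three patterns: repeated failures from one address followed by a success from that same address, one subscriber authenticating from more than a set number of distinct addresses, and one address authenticating as more than a set number of distinct subscribers (the "different extensions" pattern James describes). The summary-line format is assumed to come from an xlog() in James's opensips.cfg; the realm, subscriber names, addresses and thresholds are constructed assumptions.

```python
"""Defender-side helpers for the OpenSIPS digest-auth log in this thread.

Added example; not code from the OpenSIPS project or from anyone on the
list. The "Auth attempt ... ret N" line format is copied from James's log
and is assumed to come from an xlog() in his opensips.cfg. The sample
lines, realm, subscribers and addresses below are constructed.
"""
import hashlib
import re
from collections import defaultdict

# Summary line logged after each www_authorize() call (assumed format).
AUTH_LINE = re.compile(
    r"Auth attempt for (?P<user>\S+) at (?P<realm>\S+) from (?P<ip>\S+) "
    r"on port (?P<port>\d+) ret (?P<ret>-?\d+)"
)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1_for(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password), what auth_db's get_ha1 derives or
    reads from the subscriber table. It is all the server needs, so a
    stored HA1 is password-equivalent for SIP digest auth."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def check_response(ha1, method, uri, nonce, their_response) -> bool:
    """Mirror of the comparison in the DBG:auth:check_response lines."""
    return digest_response(ha1, method, uri, nonce) == their_response.lower()


def analyze_auth_log(lines, failures_before_success=5,
                     max_ips_per_user=2, max_users_per_ip=1):
    """Return (kind, user, ip) findings over auth summary lines.

    ret 1 is a successful www_authorize(); anything else counts as a failure.
    kinds:
      guess-then-success  failures_before_success or more failures from an
                          address for a user, then a success from it
      many-users-from-ip  one address succeeds as more than max_users_per_ip
                          distinct users
      many-source-ips     a user succeeds from more than max_ips_per_user
                          distinct addresses
    Thresholds are assumptions to tune for your deployment.
    """
    failures = defaultdict(int)   # (user, ip) -> failed attempts so far
    user_ips = defaultdict(set)   # user -> addresses with a success
    ip_users = defaultdict(set)   # address -> users it succeeded as
    findings = []
    for line in lines:
        m = AUTH_LINE.search(line)
        if not m:
            continue
        user, ip, ret = m["user"], m["ip"], int(m["ret"])
        if ret != 1:
            failures[(user, ip)] += 1
            continue
        if failures[(user, ip)] >= failures_before_success:
            findings.append(("guess-then-success", user, ip))
        user_ips[user].add(ip)
        ip_users[ip].add(user)
        # Report once, at the moment a threshold is first exceeded.
        if len(ip_users[ip]) == max_users_per_ip + 1:
            findings.append(("many-users-from-ip", user, ip))
        if len(user_ips[user]) == max_ips_per_user + 1:
            findings.append(("many-source-ips", user, ip))
    return findings


def _sample_line(ts, user, ip, ret):
    # Constructed line in the same shape as James's "Auth attempt" entry.
    return (f"Feb  3 12:{ts} opensips2 /usr/local/sbin/opensips[26313]: "
            f"Auth attempt for {user} at sip.example.invalid from {ip} "
            f"on port 5060 ret {ret}")


# Constructed sample: one normal login, five failures then a success for
# 1002 from one address, which then also logs in as 1001, and 1001 seen
# from a third address.
SAMPLE_LOG = [
    _sample_line("05:01", "1001", "203.0.113.5", 1),
    *[_sample_line(f"05:0{i}", "1002", "198.51.100.7", -2) for i in range(2, 7)],
    _sample_line("05:10", "1002", "198.51.100.7", 1),
    _sample_line("05:20", "1001", "198.51.100.7", 1),
    _sample_line("05:30", "1001", "192.0.2.9", 1),
]

if __name__ == "__main__":
    for kind, user, ip in analyze_auth_log(SAMPLE_LOG):
        print(f"{kind}: user {user} from {ip}")
```

Run as a script it prints the findings for the constructed sample; in practice feed it the syslog lines matching "Auth attempt" and route findings to whatever alerting you use. The rules are deliberately stateless across restarts and keyed on the summary line only; if you want the User-Agent as well (the VaxSIPUserAgent/3.0 visible in James's debug output), log it from the same xlog() rather than parsing DBG lines, which change between OpenSIPS versions.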


