[OpenSIPS-Users] SIP Authentication Attacks

duane.larson at gmail.com
Fri Feb 3 23:41:29 CET 2012


What does your whole REGISTER route look like? Maybe you are missing
something in there and it is allowing someone to register even though the
password is wrong.



On , James Lamanna <jlamanna at gmail.com> wrote:
> Hi,
> I know the phones are not on public IPs.
> Here is an opensips log of an attacker successfully registering
> (hashes have been scrubbed)
>
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_newtran: transaction on entrance=(nil)
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=ffffffffffffffff
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=78
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: start searching: hash=22639, isACK=0
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: proceeding to pre-RFC3261 transaction matching
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: no transaction found
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:run_reqin_callbacks: trans=0x2b9c44a2a3e0, callback type 1, id 0 entered
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_nonce: comparing [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b] and [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b]
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:has_stmt_ctx: ctx found for subscriber
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: conn=0x7ee8c0 (tail=8315728) MC=0x7ee3b0
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: set values for the statement run
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_val2bind: added val (0): len=5; type=254; is_null=0
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: doing BIND_PARAM in...
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: prepared statement has 1 columns in result
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_new_result: allocate 48 bytes for result set at 0x7f2200
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: 1 columns returned from the query
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_columns: allocate 28 bytes for result columns at 0x7f55a8
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x7f55b0)[0]=[password]
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_rows: allocate 48 bytes for result rows and values at 0x7fa080
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_str2val: converting STRING [........]
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth_db:get_ha1: HA1 string calculated: ....7ee7c3
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: our result = ....7f340e'
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: their response = '.....7f340e", algorithm=MD5#015#012User-Agent: VaxSIPUserAgent/3.0#015#012Expires:
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: authorization is OK
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:post_auth: nonce index= 3171
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_columns: freeing result columns at 0x7f55a8
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing 1 rows
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_row: freeing row values at 0x7fa090
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing rows at 0x7fa080
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_result: freeing result set at 0x7f2200
> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for xxxxx at yy.yy.yy.11 from 74.204.92.217 on port 5060 ret 1
>
> -- James



> On Thu, Feb 2, 2012 at 12:08 AM, Dovid Bender <os-list at dovid.net> wrote:
> > James,
> >
> > We have found with our users that some of them put the phones on public
> > IPs. If the default password is not changed, no matter how hard the
> > password is they will get in. Also try using characters like “@:^#” in
> > your passwords.
> >
> > Regards,
> >
> > Dovid
> >
> > ________________________________
> >
> > From: users-bounces at lists.opensips.org
> > [mailto:users-bounces at lists.opensips.org] On Behalf Of aws j
> > Sent: Thursday, February 02, 2012 06:08
> > To: OpenSIPS users mailling list
> > Subject: Re: [OpenSIPS-Users] SIP Authentication Attacks
> >
> > Dear Mr James
> > Can you attach your suspect file for me to do VoIP forensics on it?
> > thanks
> > Aws
> > Msc VoIP security
> >
> > 2012/2/1 James Lamanna <jlamanna at gmail.com>
> >
> > Hi,
> > I've noticed lately that a server of mine is getting repeatedly hit by
> > an attacker trying to make international calls.
> > The scary part is that the attacker seems to be able to register
> > correctly on different extensions, even though each extension has a
> > different, random password.
> > I'm not sure how the attacker is getting the passwords or if there's a
> > man-in-the-middle attack going on, but I would like some suggestions
> > on how to increase the security of SIP authentication in opensips.
> > I could enforce security through IP addresses, but I fear that will
> > become quite cumbersome.
> >
> > Thanks.
> >
> > -- James
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >

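The pattern James describes (one source authenticating successfully as several extensions that each have their own random password) is easy to miss in a debug-level log but simple to spot once the one-line "Auth attempt ... ret N" summaries are correlated. The following Python script is an added example, not code from this thread or from the OpenSIPS project: it parses that summary line as quoted above (the "user at domain" form the list archive produces as well as the raw "user@domain" form), then flags any source IP that registered more than a configurable number of distinct extensions and any extension that was registered from more than one source. Treating a positive return code as a successful authentication is an assumption taken from the quoted log, where "ret 1" accompanies "authorization is OK". The sample log lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict

# Matches the one-line auth summary quoted in the thread, e.g.
#   "... Auth attempt for 1001 at 192.0.2.11 from 198.51.100.7 on port 5060 ret 1"
# Both the list-archive form "user at domain" and the raw "user@domain" are accepted.
AUTH_LINE = re.compile(
    r"Auth attempt for (?P<user>\S+)(?: at |@)(?P<domain>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) on port (?P<port>\d+) ret (?P<ret>-?\d+)"
)

# Constructed sample log (not from the thread): one source registers three
# different extensions in quick succession, one extension is later registered
# from a second source, and one attempt fails.  Addresses are documentation
# ranges, not real hosts.  Lines without the summary are ignored by the parser.
SAMPLE_LOG = """\
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for 1001 at 192.0.2.11 from 198.51.100.7 on port 5060 ret 1
Feb  3 12:05:34 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for 1002 at 192.0.2.11 from 198.51.100.7 on port 5060 ret 1
Feb  3 12:05:35 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for 1003 at 192.0.2.11 from 198.51.100.7 on port 5060 ret 1
Feb  3 12:06:01 opensips2 /usr/local/sbin/opensips[26314]: Auth attempt for 1001 at 192.0.2.11 from 203.0.113.5 on port 5060 ret 1
Feb  3 12:06:02 opensips2 /usr/local/sbin/opensips[26314]: Auth attempt for 1004 at 192.0.2.11 from 203.0.113.9 on port 5060 ret -1
Feb  3 12:06:02 opensips2 /usr/local/sbin/opensips[26314]: DBG:auth:check_response: authorization is OK
"""


def parse_auth_line(line):
    """Return the fields of an 'Auth attempt' line as a dict, or None for any other line."""
    m = AUTH_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["ret"] = int(rec["ret"])
    return rec


def analyse(lines, max_users_per_ip=2):
    """Correlate successful registrations by source IP and by extension.

    A positive return code is taken as a successful authentication (assumption,
    matching the quoted log where 'ret 1' goes with 'authorization is OK');
    any other value is counted as a failure for the source address.
    """
    users_by_ip = defaultdict(set)     # src_ip -> extensions it registered
    ips_by_user = defaultdict(set)     # extension -> sources that registered it
    failures_by_ip = defaultdict(int)  # src_ip -> failed attempts
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        if rec["ret"] > 0:
            users_by_ip[rec["src_ip"]].add(rec["user"])
            ips_by_user[rec["user"]].add(rec["src_ip"])
        else:
            failures_by_ip[rec["src_ip"]] += 1

    findings = []
    # One source holding credentials for many extensions is the case from the thread.
    for ip, users in sorted(users_by_ip.items()):
        if len(users) > max_users_per_ip:
            findings.append(("multi-extension-source", ip, sorted(users)))
    # An extension registered from two places means the real phone and someone else.
    for user, ips in sorted(ips_by_user.items()):
        if len(ips) > 1:
            findings.append(("extension-from-multiple-ips", user, sorted(ips)))
    return {"findings": findings, "failures": dict(failures_by_ip)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for kind, key, detail in result["findings"]:
        print(f"{kind}: {key} -> {detail}")
    for ip, count in result["failures"].items():
        print(f"failed auth from {ip}: {count}")
```

Run against a real log, the script only needs the lines that carry the summary, so the debug-level output can stay off; the threshold for "too many extensions from one address" should be set to whatever a legitimate NAT gateway on the network produces.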

