Friday, June 22, 2012

SIP Security1: Scanning VoIP/PBX Servers

To find a device or machine providing VoIP service, scan ports 5060/5061 on both UDP and TCP. By default VoIP devices listen on UDP port 5060.

We can use tools like SIPVicious or SIPSCAN (Windows only). SIPVicious is a CLI (Command Line Interface) tool whereas SIPSCAN is a GUI (Graphical User Interface) tool. SIPSCAN is a username enumerator rather than a scanner.

Both tools support the OPTIONS, INVITE and REGISTER methods to find a User Agent Server (UAS). SIPVicious, however, can be used to send any SIP method; in fact we can pass an invalid argument to detect the VoIP server.

By default SIPSCAN tries the following extensions/usernames: thisisthecanary, test, echo, admin, dave, 101 to 110 excluding 109, 201 to 210 excluding 209, 401 to 410 excluding 409 and 501 to 510 excluding 509.

While scanning with SIPSCAN, leave "Target SIP Domain" at its default value or set it to the domain or IP of your SIP server. If you leave "Target SIP Domain" blank it will not show any results but with

Happy Weekend :-) !!!

Monday, June 18, 2012

Bad user = SIP/2.0 401 - svwar will probably not work!

Running svwar from SIPVicious was throwing the error below

#/home/praveen/sipvicious-0.2.7#./ --force -e100-110
WARNING:TakeASip:Bad user = SIP/2.0 401  - svwar will probably not work!
WARNING:TakeASip:We got an unknown response
ERROR:TakeASip:Response: 'SIP/2.0 401 Unauthorized\r\nVia: SIP/2.0/UDP;branch=z9hG4bK-2777087671;received=;rport=5060\r\nFrom: "100";tag=3130300131353239383436353338\r\nTo: "100";tag=as4442a546\r\nCall-ID: 3403670806\r\nCSeq: 1 REGISTER\r\nServer: Asterisk PBX\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH\r\nSupported: replaces, timer\r\nWWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="5858df28"\r\nContent-Length: 0\r\n\r\n'
WARNING:root:found nothing

The IP address is that of the Asterisk PBX server.

I Googled for the error but couldn't find a solution, so I went through the SIP configuration file /etc/asterisk/sip.conf, where the following description can be found:
When an incoming INVITE or REGISTER is to be rejected, for any reason, always reject with '401 Unauthorized' instead of letting the requester know whether there was a matching user or peer for their request. In other words, the PBX server always responds with "401 Unauthorized" so as not to disclose user details.
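As an added example (not from the original post and not SIPVicious code), here is a small Python parser for the 401 shown above that extracts the Digest challenge Asterisk sends. The sample message is reconstructed from the output above with the elided host/IP fields left blank; the function names are my own.

```python
# Added example (not from the post or SIPVicious): parse the SIP 401 shown above
# and pull out the Digest challenge. The sample is reconstructed from the post's
# output; the host/IP fields the post elided are left empty.
from typing import Dict, Tuple

SAMPLE_401 = (
    'SIP/2.0 401 Unauthorized\r\n'
    'Via: SIP/2.0/UDP;branch=z9hG4bK-2777087671;received=;rport=5060\r\n'
    'From: "100";tag=3130300131353239383436353338\r\n'
    'To: "100";tag=as4442a546\r\n'
    'Call-ID: 3403670806\r\n'
    'CSeq: 1 REGISTER\r\n'
    'Server: Asterisk PBX\r\n'
    'Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH\r\n'
    'Supported: replaces, timer\r\n'
    'WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="5858df28"\r\n'
    'Content-Length: 0\r\n\r\n'
)

def parse_sip_response(raw: str) -> Tuple[int, str, Dict[str, str]]:
    """Split a SIP response into (status code, reason phrase, lower-cased headers)."""
    head = raw.partition('\r\n\r\n')[0]
    lines = head.split('\r\n')
    version, code, reason = lines[0].split(' ', 2)
    if version != 'SIP/2.0':
        raise ValueError('not a SIP/2.0 response: ' + lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return int(code), reason, headers

def parse_digest_challenge(www_auth: str) -> Dict[str, str]:
    """'Digest algorithm=MD5, realm="asterisk", nonce="..."' -> parameter dict."""
    scheme, _, params = www_auth.partition(' ')
    if scheme.lower() != 'digest':
        raise ValueError('unsupported auth scheme: ' + scheme)
    out: Dict[str, str] = {}
    for item in params.split(','):  # enough here; a quoted comma would need a tokenizer
        k, _, v = item.strip().partition('=')
        out[k.lower()] = v.strip().strip('"')
    return out

def is_uniform_challenge(raw: str) -> bool:
    """True for a 401 carrying a Digest challenge. With alwaysauthreject=yes Asterisk
    sends exactly this for known and unknown users alike, so the reply says nothing
    about whether the extension exists (which is why svwar found nothing)."""
    code, _, hdrs = parse_sip_response(raw)
    return code == 401 and hdrs.get('www-authenticate', '').lower().startswith('digest')
```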

Add the line below to sip.conf; by default the value is yes. Setting it to no re-enables the user/peer disclosure described above, so revert it once testing is done.
alwaysauthreject = no

Restart Asterisk PBX for the change above to take effect.

$sudo /etc/init.d/asterisk stop
$sudo /etc/init.d/asterisk start

Then execute the commands below to reload the SIP configuration from the Asterisk console:
#asterisk -vvr
asterisk*CLI>sip reload

Now we can run svwar successfully, which gives the output below:
#/home/praveen/sipvicious-0.2.7#./  -e100-1010
| Extension | Authentication |
| 1004      | reqauth        |
| 102       | reqauth        |
| 101       | reqauth        |
| 1003      | reqauth        |
| 1002      | reqauth        |
| 1001      | reqauth        |

Articles which might be of interest:
Packet level view of REGISTER, SUBSCRIBE and NOTIFY methods

Configuration and Registration of Softphone and Analog Phone (with ATA) and Asterisk PBX

Thank You !!!

Sunday, June 17, 2012

HTTP Response Headers for Mitigating Web Hacks

HTTP (Hyper Text Transfer Protocol) is an application protocol whose requests and responses carry different headers depending on the content being exchanged between web server, proxy server, cache server, user agent, etc.

The example below shows the syntax of the Set-Cookie response header, including the HttpOnly flag:
Set-Cookie: <name>=<value>[; <name>=<value>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

The majority of XSS attacks target theft of session IDs and cookies. A server can help mitigate this by setting the HttpOnly flag on the cookies it creates, indicating that the cookie should not be accessible to client-side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

If a browser that supports HttpOnly detects a cookie carrying the HttpOnly flag and client-side script attempts to read it, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website.

X-Frame-Options
Used to prevent clickjacking by not allowing the page to be rendered in a frame. There are two possible values for X-Frame-Options:
DENY: the page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself.

X-Content-Security-Policy (Content Security Policy)
Example 1: Site wants all content to come from its own domain:
X-Content-Security-Policy: allow 'self'

Example 2: Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript:
X-Content-Security-Policy: allow 'self'; img-src *; \
                           object-src *; \

Example 3: Server administrators want to deny all third-party scripts for the site, and a given project group also wants to disallow media from other sites (header provided by sysadmins and header provided by project group are both present):
X-Content-Security-Policy: allow *; script-src 'self'
X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';

Example 4: Online payments site wants to ensure that all of the content in its pages is loaded over SSL to prevent attackers from eavesdropping on requests for insecure content:
X-Content-Security-Policy: allow https://*:443

Strict-Transport-Security (HSTS = HTTP Strict Transport Security)
The first time your site is accessed over HTTPS and it returns the Strict-Transport-Security header, the browser records this, so that future attempts to load the site over HTTP automatically use HTTPS instead.
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]

max-age=expireTime
        The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
includeSubdomains (Optional)
        If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

The HSTS policy helps protect website users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker

X-XSS-Protection
This header is specific to Internet Explorer 8 and turns on its cross-site scripting protection (off by default as it could potentially break some websites).

X-Download-Options
Stops files from being opened directly from the domain. When the browser encounters the noopen parameter in the X-Download-Options response header, it removes the "Open" control from the download dialog.

X-Content-Type-Options
Used to prevent MIME-sniffing based attacks, which may lead to code execution.

unset Server
Don't give out verbose information about the type of web server running, its version, extra plugins loaded, etc.
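As an added example (not from the original post), here is a Python audit that runs the checks above over a set of response headers. The two header sets are constructed: a typical default response and its hardened counterpart; the finding texts and helper names are my own.

```python
# Added example (not from the original post): audit response headers against the
# checks above. Input is a constructed dict of header name -> list of values.
from typing import Dict, List

def _get(hdrs: Dict[str, List[str]], name: str) -> List[str]:
    return [v for k, vs in hdrs.items() if k.lower() == name.lower() for v in vs]

def _directives(value: str) -> Dict[str, str]:  # 'a=1; b' -> {'a': '1', 'b': ''}
    out: Dict[str, str] = {}
    for part in value.split(';'):
        k, _, v = part.strip().partition('=')
        if k:
            out[k.lower()] = v.strip()
    return out

def audit_headers(hdrs: Dict[str, List[str]]) -> List[str]:
    """Return one finding per failed check; an empty list means all passed."""
    f: List[str] = []
    for cookie in _get(hdrs, 'Set-Cookie'):
        name, attrs = cookie.partition('=')[0].strip(), _directives(cookie)
        for flag in ('httponly', 'secure'):
            if flag not in attrs:
                f.append(f'Set-Cookie {name}: missing {flag}')
    xfo = [v.strip().upper() for v in _get(hdrs, 'X-Frame-Options')]
    if not xfo or xfo[0] not in ('DENY', 'SAMEORIGIN'):
        f.append('X-Frame-Options: missing or not DENY/SAMEORIGIN')
    if not (_get(hdrs, 'Content-Security-Policy') or _get(hdrs, 'X-Content-Security-Policy')):
        f.append('Content-Security-Policy: missing')
    hsts = _get(hdrs, 'Strict-Transport-Security')
    max_age = _directives(hsts[0]).get('max-age', '') if hsts else ''
    if not max_age.isdigit() or int(max_age) <= 0:
        f.append('Strict-Transport-Security: missing or max-age not positive')
    for h, want in (('X-Content-Type-Options', 'nosniff'), ('X-Download-Options', 'noopen')):
        if want not in [v.strip().lower() for v in _get(hdrs, h)]:
            f.append(f'{h}: expected {want}')
    xss = _get(hdrs, 'X-XSS-Protection')
    if not xss or '1' not in _directives(xss[0]):
        f.append('X-XSS-Protection: not enabled')
    for server in _get(hdrs, 'Server'):
        f.append(f'Server: discloses {server}')
    return f

# Constructed samples: a typical default response and the hardened version.
WEAK = {'Server': ['Apache/2.2.22 (Ubuntu)'], 'Set-Cookie': ['PHPSESSID=abc123; path=/']}
HARDENED = {'Set-Cookie': ['PHPSESSID=abc123; path=/; Secure; HttpOnly'],
            'X-Frame-Options': ['SAMEORIGIN'], 'X-Content-Security-Policy': ["allow 'self'"],
            'Strict-Transport-Security': ['max-age=31536000; includeSubDomains'],
            'X-Content-Type-Options': ['nosniff'], 'X-Download-Options': ['noopen'],
            'X-XSS-Protection': ['1; mode=block']}
```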

Packet Level View: SIP UAC REGISTERing with PBX Server

Let's get into the capture-level details of a SIP User Agent Client (UAC) registering with a User Agent Server (UAS), and also see how SUBSCRIBE and NOTIFY work.

Asterisk PBX (Private Branch eXchange) Server (UAS)
X-Lite Phone (UAC)

SIP registration is the method a SIP device (softphone, analog phone with ATA, PBX server, etc.) uses to inform its registrar (VoIP provider, PBX) where the device is located.
The initial REGISTER request may be sent plain, without authentication details, to register contact information. If the client needs to authenticate, the PBX server responds with "401 Unauthorized"; REGISTER requests should be challenged for authentication. Once registration is successful, the VoIP provider knows where to forward incoming calls.

REGISTER requests add, remove and query bindings. A REGISTER request can add a new binding between an address-of-record and one or more contact addresses. Registration on behalf of a particular address-of-record can be performed by a suitably authorized third party. A client (phone, UAC) can also remove previous bindings or query to determine which bindings are currently in place for an address-of-record.

A registrar is a server that accepts REGISTER requests and places the information it receives in those requests into the location service for the domain it handles. It registers one or more IP addresses to a certain SIP URI, indicated by the sip: scheme, although other protocol schemes are possible (such as tel:). More than one user agent can register at the same URI, with the result that all registered user agents receive a call to that SIP URI.

The general concept of SUBSCRIBE is that entities in the network (e.g. the X-Lite softphone) can subscribe to resource or call state for various resources or calls in the network, and those entities (or entities acting on their behalf, e.g. the PBX or VoIP service provider) can send notifications when those states change. If the SUBSCRIBE needs authentication, the server responds with "401 Unauthorized".

NOTIFY informs the subscriber of a new event by returning current state information.
A typical flow of SUBSCRIBE and NOTIFY messages is given below:
 (X-Lite Phone)       (Asterisk PBX Server)
   Subscriber              Notifier
       |-----SUBSCRIBE---->|     Request state subscription
       |<-------200--------|     Acknowledge subscription
       |<------NOTIFY------|     Return current state information
       |<------NOTIFY------|     Return current state information
Subscriptions expire and must be refreshed by subsequent SUBSCRIBE messages.
To configure X-Lite Softphone and Asterisk PBX go through the link below
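As an added example (not from the original post), here is a small Python model of the notifier side of the flow above: a SUBSCRIBE is answered with 401 when credentials are required, otherwise with 200 followed by a NOTIFY carrying the current state, and subscriptions that are not refreshed expire. The class and method names and the event name used in the test are assumptions; no real SIP messages are sent.

```python
# Added example (not from the original post): a small model of the SUBSCRIBE / 200 /
# NOTIFY flow above with subscription expiry and refresh. Class and method names
# are assumptions; no real SIP messages are sent.
from typing import Dict, List, Tuple

class Notifier:
    """Keeps one subscription per (subscriber, event) with an expiry time."""

    def __init__(self) -> None:
        self.subs: Dict[Tuple[str, str], int] = {}  # (subscriber, event) -> expiry
        self.state: Dict[str, str] = {}              # event -> current state
        self.now = 0                                 # simulated clock, seconds

    def subscribe(self, who: str, event: str, expires: int, authed: bool = True) -> List[str]:
        """Return the messages sent back to the subscriber, in order."""
        if not authed:  # a SUBSCRIBE that needs credentials is answered with 401
            return ['SIP/2.0 401 Unauthorized']
        if expires == 0:  # Expires: 0 terminates an existing subscription
            self.subs.pop((who, event), None)
            return ['SIP/2.0 200 OK', f'NOTIFY {event}: terminated']
        self.subs[(who, event)] = self.now + expires  # new or refreshed binding
        return ['SIP/2.0 200 OK', f'NOTIFY {event}: {self.state.get(event, "unknown")}']

    def set_state(self, event: str, value: str) -> List[str]:
        """A state change yields one NOTIFY per live subscriber of that event."""
        self.state[event] = value
        return [f'NOTIFY to {who} {event}: {value}'
                for (who, ev), exp in self.subs.items() if ev == event and exp > self.now]

    def tick(self, seconds: int) -> List[Tuple[str, str]]:
        """Advance the clock; drop and return subscriptions that were not refreshed."""
        self.now += seconds
        expired = [k for k, exp in self.subs.items() if exp <= self.now]
        for k in expired:
            del self.subs[k]
        return expired
```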

Friday, June 15, 2012

REGISTERing Softphone and Analog Phone with Asterisk PBX

In this article we look at configuring Asterisk PBX (Private Branch eXchange) with different users/extensions, as well as registering the X-Lite softphone and a Beetel M 71 analog phone with the Asterisk soft PBX.
Asterisk is installed on Ubuntu 12.04 LTS, X-Lite Softphone on Windows XP SP3.

If Asterisk PBX is already running, stop asterisk service.
$sudo /etc/init.d/asterisk stop
 * Stopping Asterisk PBX: asterisk

Edit Asterisk PBX SIP Configuration file
$sudo vim /etc/asterisk/sip.conf

Add users as required; see the snapshot below.

Edit the extensions.conf file; see the snapshot below.
$sudo vim /etc/asterisk/extensions.conf

exten => 1003,n,Dial(SIP/1002,20,tr) is the line in the snapshot above which says, "any call to extension 1003 will be forwarded to 1002".
Start Asterisk soft PBX as below
#sudo /etc/init.d/asterisk start
 * Starting Asterisk PBX: asterisk

After starting, execute the command below as root; it attaches to the running Asterisk console and prints verbose debug logs.
#asterisk -vvr
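As an added example (not from the original post), here is a Python check that parses an Asterisk-style sip.conf like the one edited above and flags the settings this blog warns about: alwaysauthreject not set to yes (see the June 18 post) and peers with no or weak secrets. The sample config, extension numbers and secrets are constructed, and the finding texts are my own wording.

```python
# Added example (not from the original post): parse an Asterisk-style sip.conf and
# flag settings that weaken it. The sample config, extensions and secrets are
# constructed; the finding texts are my own wording.
import configparser
from typing import List

SAMPLE_SIP_CONF = """
[general]
context=default
alwaysauthreject=no   ; rejects now reveal whether a user exists (see the June 18 post)

[1001]
type=friend
host=dynamic
secret=1001
context=internal

[1002]
type=friend
host=dynamic
context=internal
"""

def audit_sip_conf(text: str) -> List[str]:
    """Return findings for [general] and each peer section; [] means clean."""
    # strict=False tolerates repeated keys (allow=ulaw / allow=alaw) as Asterisk does
    cfg = configparser.ConfigParser(inline_comment_prefixes=(';',),
                                    interpolation=None, strict=False)
    cfg.read_string(text)
    findings: List[str] = []
    general = cfg['general'] if cfg.has_section('general') else {}
    # the June 18 post notes the default is yes; anything else re-enables user disclosure
    if general.get('alwaysauthreject', 'yes').strip().lower() != 'yes':
        findings.append('[general] alwaysauthreject should be yes')
    for sec in cfg.sections():
        if sec == 'general':
            continue
        secret = cfg[sec].get('secret', '').strip()
        if not secret:
            findings.append(f'[{sec}] has no secret')
        elif secret == sec or len(secret) < 8:
            findings.append(f'[{sec}] secret equals the extension or is shorter than 8 chars')
    return findings
```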

When we start X-Lite Softphone and click Softphone -> Account Settings, the window below should appear.

Analog Phone is connected to ATA (Analog Telephone Adapter). ATA will have Phone Ports (RJ11) for connecting Analog Phones and Ethernet Ports (RJ45) for connecting to IP network.
Below snapshot shows Analog Telephone Adapter (ATA) connection setting.

REGISTERing my X-Lite Softphone with Asterisk PBX.

In the same way we register the analog phone (Beetel M 71) with Asterisk PBX. Once registration is done we can call from the analog phone to the softphone or vice versa.

To get into the details of how communication happens between Asterisk PBX and X-Lite Softphone, packet by packet through the capture above, see the post below