Getting started
Figure 3. Nmap invoked via ZenMap
One of the most popular general-purpose network discovery and port scanning tools is Nmap ("Network Mapper"), an open-source utility that runs on just about any platform. Nmap and its GUI front end, ZenMap, can be used to run a variety of port scan techniques (e.g., ping scan, TCP SYN scan, UDP scan), OS fingerprinting, and application banner grabs.
Figure 4. SIPVicious svmap
Alternatively, VoIP-capable devices can be discovered by a tool designed specifically for that purpose, like SIPVicious svmap (left), a Python script that searches for SIP devices in a specified IP range. In fact, many of the tools illustrated in this article include some type of discovery utility to identify targets for further testing.
Digging deeper
Figure 5. SIPSCAN
During a vulnerability assessment, you want to determine how much an attacker could learn by using SIP to probe each discovered device. This step is called Fingerprinting and Enumeration.
For example, Sipflanker can be used to find devices listening on both ports 5060 and 80 (e.g., a VoIP phone with a web GUI); it then uses those web pages to determine the type of device. SIPSCAN (right) can be used to probe SIP-enabled targets using INVITE, REGISTER, and OPTIONS signaling messages to enumerate valid SIP usernames.
Note that enumeration can involve active (online) tests or passive (offline) analysis. For example, enumIAX actively probes Inter-Asterisk Exchange (IAX) servers, sending SIP messages containing either sequential character strings or usernames from a dictionary file to guess valid accounts. SIP.Tastic is an offline dictionary attack tool that analyzes previously captured SIP messages, cracking SIP authentication digests to find the password that matches each username.
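The username-enumeration traffic that SIPSCAN and enumIAX generate has a recognizable shape on the wire: one source sending REGISTER, OPTIONS or INVITE requests whose From user changes on every message, often sequentially, within a few seconds. The following is an added example, not code from the article or from any of the tools it names, showing how a defender can spot that pattern in captured SIP signaling. It includes a minimal SIP request-line and From-header parser and a sliding-window detector; the capture, IP addresses, usernames and the PBX hostname are all constructed for the example, and the `window` and `threshold` values are assumptions to tune per site.

```python
"""Detect SIP username-enumeration bursts in captured SIP signaling.

Added example (not from the article or the tools it describes). It parses a
small set of constructed SIP requests and flags any source that probes many
distinct usernames with REGISTER/OPTIONS/INVITE in a short time window,
which is the traffic pattern an enumeration tool produces.
"""
import re
from collections import defaultdict

# Request methods that enumeration tools typically use to test usernames.
PROBE_METHODS = {"REGISTER", "OPTIONS", "INVITE"}

# Request line: METHOD Request-URI SIP/2.0 (responses start with "SIP/2.0").
_REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0\s*$")
# From header (long or compact form), capturing the user part of the URI.
_FROM_HEADER = re.compile(
    r"^(?:From|f):\s*(?:\"[^\"]*\"\s*)?<?sips?:([^@>;\s]+)@",
    re.IGNORECASE | re.MULTILINE,
)


def parse_sip_request(raw):
    """Return {'method', 'uri', 'from_user'} for a SIP request.

    Returns None when the first line is not a request line, so SIP
    responses mixed into the capture are skipped rather than miscounted.
    """
    first_line = raw.replace("\r\n", "\n").split("\n", 1)[0]
    m = _REQUEST_LINE.match(first_line)
    if not m:
        return None
    f = _FROM_HEADER.search(raw)
    return {"method": m.group(1), "uri": m.group(2),
            "from_user": f.group(1) if f else None}


def build_sample_capture():
    """Constructed traffic (not a real capture): one phone re-registering
    normally, plus one host cycling through extensions 1000..1019 in a
    few seconds, and one stray response to show non-requests are ignored."""
    events = []
    for i in range(4):  # legitimate phone: same account, well spaced in time
        events.append((i * 30.0, "192.0.2.10",
                       "REGISTER sip:pbx.example.test SIP/2.0\r\n"
                       "From: \"Alice\" <sip:alice@pbx.example.test>;tag=a1\r\n"
                       "To: <sip:alice@pbx.example.test>\r\n\r\n"))
    for i in range(20):  # enumeration burst: sequential usernames, 5/s
        ext = 1000 + i
        events.append((5.0 + i * 0.2, "203.0.113.5",
                       "REGISTER sip:pbx.example.test SIP/2.0\r\n"
                       f"From: <sip:{ext}@pbx.example.test>;tag=x{i}\r\n"
                       f"To: <sip:{ext}@pbx.example.test>\r\n\r\n"))
    events.append((6.0, "192.0.2.1",
                   "SIP/2.0 401 Unauthorized\r\n"
                   "To: <sip:1003@pbx.example.test>\r\n\r\n"))
    return sorted(events, key=lambda e: e[0])


def find_enumeration_sources(capture, window=10.0, threshold=5):
    """Flag sources that probe >= `threshold` distinct usernames with
    REGISTER/OPTIONS/INVITE inside any `window`-second span.

    `capture` is an iterable of (timestamp_seconds, source_ip, raw_message).
    Returns {source_ip: distinct_users_in_busiest_window} for flagged hosts.
    """
    per_source = defaultdict(list)
    for ts, src, raw in capture:
        req = parse_sip_request(raw)
        if req and req["method"] in PROBE_METHODS and req["from_user"]:
            per_source[src].append((ts, req["from_user"]))

    flagged = {}
    for src, probes in per_source.items():
        probes.sort()
        worst, start = 0, 0
        for end in range(len(probes)):
            # Slide the window start forward until it fits within `window`.
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = len({user for _, user in probes[start:end + 1]})
            worst = max(worst, distinct)
        if worst >= threshold:
            flagged[src] = worst
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration_sources(build_sample_capture()).items():
        print(f"possible SIP username enumeration from {ip}: "
              f"{count} distinct usernames probed")
```

Feeding the detector a real capture only requires supplying (timestamp, source IP, raw message) tuples from whatever collector is in use. The same per-source distinct-username count is also a sensible trigger for rate limiting at the PBX or session border controller; returning the same response for unknown and known usernames removes the signal these tools rely on.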