SIPVicious is like that pesky fly that keeps buzzing in your face but won’t go away. No matter how many times you swat it, it will always come back.

Technically speaking though, SIPvicous is a SIP auditing tool used to scan for and enumerate SIP devices and accounts. It can be obtained freely from it’s Google Code archive, the GIT repo or bundled with security auditing tools like Kali.

Originally intended for legitimate white hat security auditing for internal networks, in the hands of even the most bored of script kiddies it can cause some serious damage. That lazy network admin using common username/password combos will yet again fall victim to this one. SIPvicous will send INVITE or OPTION packets looking for responses from live hosts, then log the results to a file. An attacker can then begin to enumerate for valid usernames and passwords which if successful, can cost 10’s of thousands of dollars.

SIPVicious Attack
In addition, these Invites commonly cause what I call “ghost calls” (phones ring from random callers but no one’s home). Worse still, they can even initiate un-wanted calls.

 

So How Does it Work?

SIPVicious is made up of 4 components – The head, the front legs, the hind legs, and the torso. I’m kidding of course…there’s actually 5..

Svcrack – Used to crack SIP passwords for a given username. Brute force or dict-based.

Svreport – Store session info for later use, ie; Cracking a password or reading packets elsewhere.

Svmap – “The annoying one” that does the scanning for open SIP targets – usually with an INVITE or OPTIONS request.

Svwar – Scans for and enumerates phones on the network.
It probes for phones by sending packets out and listens for a response, same as above but it seems there’s more manipulation that can be done in terms of what the packets are and what size. This could potentially be used as a DDoS tool.

 

[email protected]:~# svmap 192.168.1.0/24 -v
INFO:ImaFly:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.20:5060
INFO:ImaFly ip:Looks like we received a SIP request from 192.168.1.21:5060
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.22:5060

 

Svcrash – Defend and Counter-attack tool against ..itself.
This tool can be setup to read the asterisk log and automatically obtain a would be attackers IP and Port, attempting to shut down his agent with a malformed response packet (more on that later). Manual entries can also be set and optional Brute force on the destination port – woot woot!

 

Securing Against SIPVicious

The easiest way to get around this in asterisk and FreeSWITCH is to setup Fail2ban at the minimum as the failed INVITE and User sniff packets will be blocked. However at this time there is no regex for the user-agent which I was surprised by.

In Kamailio you would need to filter it out in local like so;

route[SHOO_FLY]
if ($ua == "friendly-scanner" ){
xlog("L_WARN", "$ci|end|swatting fly with user-agent $ua from $si:$sp\n");
exit;
}

 

Now get yourself a fly swatter and be safe out there!

 

If you have any thoughts, questions or tips & tricks please let everyone know in the comments below.