{"id":5156,"date":"2017-03-03T01:52:11","date_gmt":"2017-03-03T06:52:11","guid":{"rendered":"https:\/\/www.nurango.ca\/?p=5156"},"modified":"2023-02-01T20:47:47","modified_gmt":"2023-02-01T20:47:47","slug":"sipvicious-the-not-so-friendly-scanner","status":"publish","type":"post","link":"https:\/\/www.nurango.ca\/blog\/sipvicious-the-not-so-friendly-scanner","title":{"rendered":"SIPVicious &#8211; The Not So \u201cfriendly-scanner\u201d"},"content":{"rendered":"<p><span style=\"font-family: arial,helvetica,sans-serif;\">SIPVicious is like that pesky fly that keeps buzzing in your face but won\u2019t go away. No matter how many times you swat it, it will always come back.<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\">Technically speaking though, SIPVicious is a SIP auditing tool used to scan for and enumerate SIP devices and accounts. It can be obtained freely from its Google Code archive, the Git repo or bundled with security auditing distributions like Kali.<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\">Originally intended for legitimate white-hat security auditing of internal networks, in the hands of even the most bored of script kiddies it can cause some serious damage. That lazy network admin using common username\/password combos will yet again fall victim to this one. SIPVicious will send INVITE or OPTIONS packets looking for responses from live hosts, then log the results to a file. 
An attacker can then begin enumerating valid usernames and passwords which, if successful, can cost tens of thousands of dollars.<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\"><img fetchpriority=\"high\" decoding=\"async\" class=\"size-full wp-image-5159\" src=\"https:\/\/www.nurango.ca\/wp-content\/uploads\/sipvicious.png\" alt=\"SIPVicious Attack\" width=\"723\" height=\"225\" \/><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> In addition, these INVITEs commonly cause what I call \u201cghost calls\u201d (phones ring from random callers but no one\u2019s home). Worse still, they can even initiate unwanted calls.<\/span><\/p>\n<h4><span style=\"color: #36abd8; font-family: arial,helvetica,sans-serif;\">So How Does it Work?<\/span><\/h4>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\">SIPVicious is made up of 4 components \u2013 the head, the front legs, the hind legs, and the torso. I\u2019m kidding of course\u2026there are actually 5.<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\"><strong>Svcrack<\/strong> \u2013 Used to crack SIP passwords for a given username. 
Brute-force or dictionary-based.<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\"><strong>Svreport<\/strong> \u2013 Stores session info for later use, i.e., cracking a password or reading packets elsewhere.<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\"><strong>Svmap<\/strong> \u2013 \u201cThe annoying one\u201d that does the scanning for open SIP targets \u2013 usually with an INVITE or OPTIONS request.<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\"><strong>Svwar<\/strong> \u2013 Scans for and enumerates phones on the network.<\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> It probes for phones by sending packets out and listening for a response, the same as above, but it seems there\u2019s more manipulation that can be done in terms of what the packets contain and what size they are. This could potentially be used as a DDoS tool.<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\"><code>root@kali:~# svmap 192.168.1.0\/24 -v<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> INFO:ImaFly:trying to get self ip .. 
might take a while<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> INFO:root:start your engines<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> INFO:ImaFly:Looks like we received a SIP request from 192.168.1.20:5060<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> INFO:ImaFly ip:Looks like we received a SIP request from 192.168.1.21:5060<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> INFO:ImaFly:Looks like we received a SIP request from 192.168.1.22:5060<\/code><\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\"><strong>Svcrash<\/strong> \u2013 Defend and counter-attack tool against\u2026 itself.<\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> This tool can be set up to read the Asterisk log and automatically obtain a would-be attacker\u2019s IP and port, attempting to shut down their agent with a malformed response packet (more on that later). Manual entries can also be set, with optional brute force on the destination port \u2013 woot woot!<\/span><\/p>\n<h4><span style=\"color: #36abd8; font-family: arial,helvetica,sans-serif;\">Securing Against SIPVicious<\/span><\/h4>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\">The easiest way to get around this in Asterisk and FreeSWITCH is to <a href=\"https:\/\/www.nurango.ca\/blog\/securing-asterisk-using-fail2ban\/\">set up Fail2ban<\/a> at a minimum, as the failed INVITE and user-sniffing packets will be blocked. 
However, at this time there is no regex for the User-Agent, which I was surprised by.<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\">In Kamailio you would need to filter it out locally like so:<\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\"><code># call route(SHOO_FLY) from request_route before any authentication step<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"><code>route[SHOO_FLY] {<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> # match SIPVicious by its default User-Agent, log the source and drop the request<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> if ($ua == \"friendly-scanner\" ){<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> xlog(\"L_WARN\", \"$ci|end|swatting fly with user-agent $ua from $si:$sp\\n\");<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> exit;<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"> <code> }<\/code><\/span><br \/>\n<span style=\"font-family: arial,helvetica,sans-serif;\"><code>}<\/code><\/span><\/p>\n<p style=\"padding-left: 30px;\"><span style=\"font-family: arial,helvetica,sans-serif;\"><em>Now get yourself a fly swatter and be safe out there!<\/em><\/span><\/p>\n<p><span style=\"font-family: arial,helvetica,sans-serif;\"><strong>If you have any thoughts, questions or tips &amp; tricks please let everyone know in the comments below.<\/strong><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SIPVicious is like that pesky fly that keeps buzzing in your face but won\u2019t go away. No matter how many times you swat it, it will always come back. Technically speaking though, SIPVicious is a SIP auditing tool used to scan for and enumerate SIP devices and accounts. 
It can be obtained freely from its Google Code archive, the Git repo or&hellip;<\/p>\n","protected":false},"author":1,"featured_media":5164,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[4],"tags":[5],"class_list":["post-5156","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guides","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/posts\/5156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/comments?post=5156"}],"version-history":[{"count":2,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/posts\/5156\/revisions"}],"predecessor-version":[{"id":10226,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/posts\/5156\/revisions\/10226"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/media\/5164"}],"wp:attachment":[{"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/media?parent=5156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/categories?post=5156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/tags?post=5156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}