9/14/2011

VoIP Information Gathering: Metasploit


Information gathering is the stage of a penetration test when the attacker tries to  collect as much information as possible about the target. This step is normally composed for footprinting and fingerprinting but, in the case of VoIP systems, we should add extension enumeration to the list. During this last step attacker will attempt to obtain valid extensions/users of the target system.


Footprinting & Fingerprinting

My favourite tools for these jobs are FOCA and Nmap, it´s a bit strange combination but it fits for me :). FOCA automates almost all the “dirty job” and it is the best with public documents metadata, while Nmap flexibility let me confirm manually all these discovered stuff. Moreover, in the case of SIP Protocol, FOCA also is able to obtain more information from target  DNS SRV records, they work in a similar way during a call that MX ones for mailing. Next picture taken from the blog of its “father” shows an example of them.


Figure: Adobe SRV records

NOTE: FOCA it is not GPL, it´s only free as in free beer but, in my opinion, there is no replacement for the moment.

There are some other specific tools for VoIP which complement classic ones discussed above. I´m going to focus on Metasploit modules because Sipvicious set of tools, which is the most used for this tasks and works in a very similar way, is a lot of documented over the net. These VoIP specific scans reduce strongly the time in comparison of nmap because they send specific SIP request UDP packets instead of ICMP ones. In this post we can find a complete explanation of that and here is exposed how nmap UDP scan works. You can compare it (nmap -sU -p 5060 -sV TARGET) and check that the speed difference is really huge. One important advantage of Metasploit over Sipvicious is the support of threading which could speed up still more the process.

So, at this point, we are ready to start scanning a testing environment formed by an Ubuntu 11.04 laptop hosting two virtual machines, connected in NAT mode:
- Backtrack 5 R1 box simulating bad guy.
- Debian Squeeze box with a basic installation of Asterisk 1.6.2.9-2 and only 101 and 102 extensions allowed.

There are not too much Metasploit modules involving VoIP but we already have auxiliaries needed for SIP scanning and extension enumeration as showed in the picture:


Figure: Metasploit SIP related modules

Now, I´m going to use Armitage (sorry guys, I like GUIs :P) in order to scan my network using "SIP scan (UDP)" (auxiliary/scanner/sip/options) module. It supports only OPTIONS scanning but it is enough for being the most realiable type. In fact, INVITE scan could be noisy and produce a "ring” at the other end.  If you are interested in all these subjects and how they work more in depth I recommend you (as always) “VoIP Haking Exposed” book.

You only have to specify the target for configure the module, next images show the steps and the correct result.


Figure: Module configuration


Figure: Scan result


Extension enumeration

Instead of explaining how this attack works in a theorethical way (diagrams and all this stuff) I´m going to refer you to the book and show a situation which helps to understand because user/extension enumeration is possible. Firstly I will try to connect my Ekiga softphone to Asterisk server with a non existent user:


Figure: Bad user account configuration


Figure: Bad login result

Ok, Asterisk didn´t allow the connection, now we are going to try with an existent user and bad password:


Figure: Correct user and bad password configuration


Figure: “Not bad” login result

The response is different in both cases so, as you can imagine at this point, we could easily identify different extensions. In order to automate this attack we can use “SIP Username Enumerator (UDP)” module (scanner/sip/enumerator) which supports REGISTER and OPTIONS scan (METHOD module parameter). Really it is a Brute-force attack trying specified extensions, so it is very important to specify PADLEN argument, if not, you could obtain a very long list of non-existent extensions. In my case I choose PADLEN equal to 3 because extensions are 101 and 102, I also modifed MAXENT to fit with it.


Figure: Enumerator module configuration


Figure: REGISTER extension enumeration result


Figure: OPTIONS extension enumeration result

As you can see I got different results, on one side OPTIONS scan identified extensions 500 (Asterisk demo) and 600 (echo demo) and REGISTER scan got real extensions on the other. So it would be necessary to use both types during a pentest process.

At this moment Metasploit does not support Asterisk Exchange protocol (this is also part of VoIP protocols as SIP) scan. We have enumIAX and iaxscan classic tools, but we are only focus in SIP protocol at this time.

Information gathering coutermeasurements is a very interesting subject but I think it is enough for today, typical solutions are Fail2ban combined with Iptables and other specific tools for each type of VoIP system.

Jesús Pérez