[OpenSIPS-Users] SIP Authentication Attacks

James Lamanna jlamanna at gmail.com
Sat Feb 4 00:52:19 CET 2012


Why do you say the credentials are wrong?
I guess I'm missing something from the log...?
www_authorize is returning 1

Here's the register handling:

 if (!t_newtran()) {
        xlog("L_ERR", "Could not make new transation REGISTER - M=$rm
RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
        sl_reply_error();
        exit;
    }

    $var(auth_code) = www_authorize("asterisk", "subscriber");
    xlog("L_INFO","Auth attempt for $fU@$fd from $si on port $Rp ret
$var(auth_code)");
    if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
        xlog("L_INFO","Auth error for $fU@$fd from $si cause $var(auth_code)");
    }

    if ( $var(auth_code) < 0 ) {
        www_challenge("asterisk", "0");
        exit;
    }

-- James


On Fri, Feb 3, 2012 at 3:23 PM, dotnetdub <dotnetdub at gmail.com> wrote:
>
>
> On 3 February 2012 22:41, <duane.larson at gmail.com> wrote:
>>
>> What does your whole REGISTER route look like? Maybe you are missing
>> something in there and it is allowing someone to register even thought the
>> password is wrong.



>>
>
>
> Definitely an issue with your script. Somewhere in there you are rejecting
> credentials but carrying on anyway...
>
>
>
>
>
>
>>
>>
>>
>>
>> On , James Lamanna <jlamanna at gmail.com> wrote:
>> > Hi,
>> >
>> > I know the phones are not on public IPs.
>> >
>> > Here is a opensips log of an attacker successfully registering
>> >
>> > (hashes have been scrubbed)
>> >
>> >
>> >
>> >
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:tm:t_newtran: transaction on entrance=(nil)
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:parse_headers: flags=ffffffffffffffff
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:parse_headers: flags=78
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:tm:t_lookup_request: start searching: hash=22639, isACK=0
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:tm:t_lookup_request: proceeding to pre-RFC3261 transaction
>> >
>> > matching
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:tm:t_lookup_request: no transaction found
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:tm:run_reqin_callbacks: trans=0x2b9c44a2a3e0, callback type 1, id
>> >
>> > 0 entered
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:auth:check_nonce: comparing
>> >
>> > [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b] and
>> >
>> > [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b]
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:has_stmt_ctx: ctx found for subscriber
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:db_mysql_do_prepared_query: conn=0x7ee8c0 (tail=8315728)
>> >
>> > MC=0x7ee3b0
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:db_mysql_do_prepared_query: set values for the statement
>> >
>> > run
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:db_mysql_val2bind: added val (0): len=5; type=254;
>> >
>> > is_null=0
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:db_mysql_do_prepared_query: doing BIND_PARAM in...
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:db_mysql_do_prepared_query: prepared statement has 1
>> >
>> > columns in result
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:db_new_result: allocate 48 bytes for result set at 0x7f2200
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:db_mysql_get_columns: 1 columns returned from the query
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:db_allocate_columns: allocate 28 bytes for result columns at
>> >
>> > 0x7f55a8
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x7f55b0)[0]=[password]
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:db_allocate_rows: allocate 48 bytes for result rows and
>> >
>> > values at 0x7fa080
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:db_mysql:db_mysql_str2val: converting STRING [........]
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:auth_db:get_ha1: HA1 string calculated: ....7ee7c3
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:auth:check_response: our result = ....7f340e'
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:auth:check_response: their response = '.....7f340e",
>> >
>> > algorithm=MD5#015#012User-Agent: VaxSIPUserAgent/3.0#015#012Expires:
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:auth:check_response: authorization is OK
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:auth:post_auth: nonce index= 3171
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:db_free_columns: freeing result columns at 0x7f55a8
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:db_free_rows: freeing 1 rows
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:db_free_row: freeing row values at 0x7fa090
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:db_free_rows: freeing rows at 0x7fa080
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]:
>> >
>> > DBG:core:db_free_result: freeing result set at 0x7f2200
>> >
>> > Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: Auth
>> >
>> > attempt for xxxxx at yy.yy.yy.11 from 74.204.92.217 on port 5060 ret 1
>> >
>> >
>> >
>> > -- James
>> >
>> >
>> >
>> > On Thu, Feb 2, 2012 at 12:08 AM, Dovid Bender os-list at dovid.net> wrote:
>> >
>> > > James,
>> >
>> > >
>> >
>> > >
>> >
>> > > We have found with out users that some of them put the phones on
>> > > public
>> >
>> > > IP’s. If the default password is not changed, no matter how hard the
>> >
>> > > password is they will get in. Also try using characters like “@:^#” in
>> > > your
>> >
>> > > passwords.
>> >
>> > >
>> >
>> > >
>> >
>> > > Regards,
>> >
>> > >
>> >
>> > >
>> >
>> > >
>> >
>> > > Dovid
>> >
>> > >
>> >
>> > >
>> >
>> > >
>> >
>> > > ________________________________
>> >
>> > >
>> >
>> > > From: users-bounces at lists.opensips.org
>> >
>> > > [mailto:users-bounces at lists.opensips.org] On Behalf Of aws j
>> >
>> > > Sent: Thursday, February 02, 2012 06:08
>> >
>> > > To: OpenSIPS users mailling list
>> >
>> > > Subject: Re: [OpenSIPS-Users] SIP Authentication Attacks
>> >
>> > >
>> >
>> > >
>> >
>> > >
>> >
>> > > Dear Mr James
>> >
>> > > Can you attached to me your suspect file to make VoIP forensic on it .
>> >
>> > > thanks
>> >
>> > > Aws
>> >
>> > > Msc VoIP security
>> >
>> > >
>> >
>> > > 2012/2/1 James Lamanna jlamanna at gmail.com>
>> >
>> > >
>> >
>> > > Hi,
>> >
>> > > I've noticed lately that a server of mine is getting repeatedly hit by
>> >
>> > > an attacker trying to make international calls.
>> >
>> > > The scary part is that the attacker seems to be able to register
>> >
>> > > correctly on different extensions, even though each extension has a
>> >
>> > > different, random password.
>> >
>> > > I'm not sure how the attacker is getting the passwords or if there's a
>> >
>> > > man-in-the-middle attack going on, but I would like some suggestions
>> >
>> > > on how to increase the security of SIP authentication in opensips.
>> >
>> > > I could enforce security through IP addresses, but I fear that will
>> >
>> > > become quite cumbersome.
>> >
>> > >
>> >
>> > > Thanks.
>> >
>> > >
>> >
>> > > -- James
>> >
>> > >
>> >
>> > > _______________________________________________
>> >
>> > > Users mailing list
>> >
>> > > Users at lists.opensips.org
>> >
>> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>> > >
>> >
>> > >
>> >
>> > > _______________________________________________
>> >
>> > > Users mailing list
>> >
>> > > Users at lists.opensips.org
>> >
>> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>> > >
>> >
>> >
>> >
>> > _______________________________________________
>> >
>> > Users mailing list
>> >
>> > Users at lists.opensips.org
>> >
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>> >
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>



More information about the Users mailing list