[OpenSIPS-Users] SIP Authentication Attacks

duane.larson at gmail.com duane.larson at gmail.com
Tue Feb 7 16:57:35 CET 2012


Well, your logic looks correct and I don't think it allows a failed REGISTER to get through.


On , James Lamanna <jlamanna at gmail.com> wrote:
> Why do you say the credentials are wrong?
> I guess I'm missing something from the log...?
> www_authorize is returning 1
>
> Here's the register handling:
>
> if (!t_newtran()) {
>     xlog("L_ERR", "Could not make new transaction REGISTER - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>     sl_reply_error();
>     exit;
> }
>
> $var(auth_code) = www_authorize("asterisk", "subscriber");
> xlog("L_INFO","Auth attempt for $fU@$fd from $si on port $Rp ret $var(auth_code)");
> if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
>     xlog("L_INFO","Auth error for $fU@$fd from $si cause $var(auth_code)");
> }
>
> # The archived copy of the next line is truncated after "$var(auth_code)";
> # "< 0" (challenge on any www_authorize() failure) is a reconstruction.
> if ( $var(auth_code) < 0 ) {
>     www_challenge("asterisk", "0");
>     exit;
> }
>
> -- James





> On Fri, Feb 3, 2012 at 3:23 PM, dotnetdub <dotnetdub at gmail.com> wrote:
> >
> > On 3 February 2012 22:41, <duane.larson at gmail.com> wrote:
> >>
> >> What does your whole REGISTER route look like? Maybe you are missing
> >> something in there and it is allowing someone to register even though the
> >> password is wrong.
> >>
> >
> > Definitely an issue with your script. Somewhere in there you are rejecting
> > credentials but carrying on anyway...
> >
> >>

> >> On , James Lamanna <jlamanna at gmail.com> wrote:
> >> > Hi,
> >> >
> >> > I know the phones are not on public IPs.
> >> >
> >> > Here is an opensips log of an attacker successfully registering
> >> > (hashes have been scrubbed)
> >> >
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_newtran: transaction on entrance=(nil)
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=ffffffffffffffff
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=78
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: start searching: hash=22639, isACK=0
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: proceeding to pre-RFC3261 transaction matching
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: no transaction found
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:run_reqin_callbacks: trans=0x2b9c44a2a3e0, callback type 1, id 0 entered
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_nonce: comparing [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b] and [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b]
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:has_stmt_ctx: ctx found for subscriber
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: conn=0x7ee8c0 (tail=8315728) MC=0x7ee3b0
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: set values for the statement run
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_val2bind: added val (0): len=5; type=254; is_null=0
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: doing BIND_PARAM in...
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: prepared statement has 1 columns in result
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_new_result: allocate 48 bytes for result set at 0x7f2200
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: 1 columns returned from the query
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_columns: allocate 28 bytes for result columns at 0x7f55a8
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x7f55b0)[0]=[password]
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_rows: allocate 48 bytes for result rows and values at 0x7fa080
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_str2val: converting STRING [........]
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth_db:get_ha1: HA1 string calculated: ....7ee7c3
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: our result = ....7f340e'
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: their response = '.....7f340e", algorithm=MD5#015#012User-Agent: VaxSIPUserAgent/3.0#015#012Expires:
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: authorization is OK
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:post_auth: nonce index= 3171
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_columns: freeing result columns at 0x7f55a8
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing 1 rows
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_row: freeing row values at 0x7fa090
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing rows at 0x7fa080
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_result: freeing result set at 0x7f2200
> >> > Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for xxxxx@yy.yy.yy.11 from 74.204.92.217 on port 5060 ret 1
> >> >
> >> > -- James
> >> >

> >> > On Thu, Feb 2, 2012 at 12:08 AM, Dovid Bender <os-list at dovid.net> wrote:
> >> > > James,
> >> > >
> >> > > We have found with our users that some of them put the phones on public
> >> > > IP's. If the default password is not changed, no matter how hard the
> >> > > password is they will get in. Also try using characters like “@:^#” in
> >> > > your passwords.
> >> > >
> >> > > Regards,
> >> > >
> >> > > Dovid
> >> > >
> >> > > ________________________________
> >> > >
> >> > > From: users-bounces at lists.opensips.org
> >> > > [mailto:users-bounces at lists.opensips.org] On Behalf Of aws j
> >> > > Sent: Thursday, February 02, 2012 06:08
> >> > > To: OpenSIPS users mailing list
> >> > > Subject: Re: [OpenSIPS-Users] SIP Authentication Attacks
> >> > >
> >> > > Dear Mr James
> >> > > Can you attach your suspect file for me to do VoIP forensics on it.
> >> > > thanks
> >> > > Aws
> >> > > Msc VoIP security
> >> > >
> >> > > 2012/2/1 James Lamanna <jlamanna at gmail.com>
> >> > >
> >> > > Hi,
> >> > > I've noticed lately that a server of mine is getting repeatedly hit by
> >> > > an attacker trying to make international calls.
> >> > > The scary part is that the attacker seems to be able to register
> >> > > correctly on different extensions, even though each extension has a
> >> > > different, random password.
> >> > > I'm not sure how the attacker is getting the passwords or if there's a
> >> > > man-in-the-middle attack going on, but I would like some suggestions
> >> > > on how to increase the security of SIP authentication in opensips.
> >> > > I could enforce security through IP addresses, but I fear that will
> >> > > become quite cumbersome.
> >> > >
> >> > > Thanks.
> >> > >
> >> > > -- James
> >> > >
> >> > > _______________________________________________
> >> > > Users mailing list
> >> > > Users at lists.opensips.org
> >> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >> > >

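As an added example (not code from this thread or from the OpenSIPS project): a small Python script that runs the checks a defender would want over the "Auth attempt for ... ret N" lines that the xlog() call in James's REGISTER route writes to syslog. It groups outcomes per source address and reports three things: many failures or many different usernames from one source (guessing or extension enumeration), a success from a source that had already failed (a guess that worked), and one username registering from more than one address (the situation in the thread, where an extension's credential is in use from somewhere its phone is not). The log lines, hostnames and addresses below are constructed; the meaning given to the www_authorize() return codes (1 is success, -5 is assumed to be "no credentials", i.e. the first REGISTER before the 401 challenge, any other negative value is a failure) is an assumption based on the auth module's conventions, and the thresholds are arbitrary.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Matches the line written by the xlog() call in the quoted REGISTER route:
#   Auth attempt for $fU@$fd from $si on port $Rp ret $var(auth_code)
AUTH_LINE = re.compile(
    r"Auth attempt for (?P<user>[^@\s]+)@(?P<domain>\S+) "
    r"from (?P<ip>\S+) on port (?P<port>\d+) ret (?P<ret>-?\d+)"
)

# Assumed meaning of www_authorize() return codes: 1 is success, negative values
# are failures, and -5 is assumed to be "no credentials" (the first REGISTER,
# sent before the 401 challenge), which is not a password guess.
SUCCESS = 1
NO_CREDENTIALS = -5

FAIL_THRESHOLD = 5          # failures from one source before it is reported
USER_SPREAD_THRESHOLD = 3   # distinct usernames tried from one source


@dataclass
class SourceStats:
    failures: int = 0
    successes: int = 0
    users_tried: set = field(default_factory=set)
    failed_before_success: bool = False


def parse_line(line):
    """Return a dict (user, domain, ip, port, ret) or None for non-auth lines."""
    m = AUTH_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["ret"] = int(rec["ret"])
    return rec


def analyse(lines):
    """Aggregate auth outcomes per source IP and return a list of findings."""
    per_ip = defaultdict(SourceStats)
    user_ips = defaultdict(set)   # username -> source IPs it registered from
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ret"] == NO_CREDENTIALS:
            continue
        st = per_ip[rec["ip"]]
        st.users_tried.add(rec["user"])
        if rec["ret"] == SUCCESS:
            st.successes += 1
            if st.failures:
                st.failed_before_success = True
            user_ips[rec["user"]].add(rec["ip"])
        else:
            st.failures += 1

    findings = []
    for ip, st in sorted(per_ip.items()):
        # Many failures, or many different usernames, from one source looks like
        # credential guessing or extension enumeration.
        if st.failures >= FAIL_THRESHOLD or len(st.users_tried) >= USER_SPREAD_THRESHOLD:
            findings.append(("guessing", ip, st.failures, len(st.users_tried)))
        # A success after failures from the same source: a guess that worked.
        if st.failed_before_success:
            findings.append(("success-after-failures", ip, st.failures, st.successes))
    for user, ips in sorted(user_ips.items()):
        # A phone normally registers from one place; two sources means the
        # credential is in use somewhere it should not be.
        if len(ips) > 1:
            findings.append(("user-from-multiple-ips", user, sorted(ips)))
    return findings


# Constructed sample log (not from the thread): a legitimate phone at 192.0.2.10
# and a guessing source at 198.51.100.7 that eventually registers as 1001.
_P = "Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: "
SAMPLE_LOG = [
    _P + "Auth attempt for 1001@sip.example.net from 192.0.2.10 on port 5060 ret -5",
    _P + "Auth attempt for 1001@sip.example.net from 192.0.2.10 on port 5060 ret 1",
    _P + "Auth attempt for 1001@sip.example.net from 198.51.100.7 on port 5060 ret -2",
    _P + "Auth attempt for 1002@sip.example.net from 198.51.100.7 on port 5060 ret -2",
    _P + "Auth attempt for 1003@sip.example.net from 198.51.100.7 on port 5060 ret -3",
    _P + "Auth attempt for 1004@sip.example.net from 198.51.100.7 on port 5060 ret -2",
    _P + "Auth attempt for 1005@sip.example.net from 198.51.100.7 on port 5060 ret -2",
    _P + "Auth attempt for 1001@sip.example.net from 198.51.100.7 on port 5060 ret 1",
    _P + "DBG:auth:check_response: authorization is OK",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Feed it the syslog output of the route (one line per list element) and the findings are the source addresses and usernames to look at first; on the constructed sample it reports 198.51.100.7 as a guessing source that then succeeded, and 1001 as an extension registered from two addresses.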
