Hi!
I will be almost 100% right if I say that SIP-based VoIP devices, together with network cameras, access control, IoT, etc., make up the majority of all network devices in any corporate network, especially in 'conservative' companies.
The fact that SIP is insecure by design is an old song, and SIP fraud (especially calling premium numbers) was a popular topic for a long time. Back in 2014, I remember that 'sipvicious' traffic was in the Top 10 on my honeypot.
In 2021 there is still a set of challenges in securing SIP properly. Unlike in 2014, SIP security is now an internal, not an external, security problem.
Often VoIP is the fastest communication channel in the company. How will your Security Operations Center react when all their phones start to ring simultaneously? Will they keep their ability to process real-time threats?
A bit about SIP
SIP is the Session Initiation Protocol. It is mostly used for signaling and session initiation - surprise! That means you can establish a session and set up a call with SIP, but the voice stream itself is transferred with another protocol, like RTP.
What is important for us: SIP is a text-based protocol, similar to HTTP. Just check the example below and you will get it.
REGISTER sip:10.0.0.1 SIP/2.0
Via: SIP/2.0/TCP 10.0.1.1:5060;branch=z9hG4bK-42456-10-0
From: <sip:26510@10.0.0.1;transport=TCP>;tag=10
To: <sip:26510@10.0.0.1;transport=TCP>
Call-ID: 10-42456@10.0.1.1
CSeq: 1 REGISTER
Contact: <sip:26510@10.0.1.1:5060;transport=TCP>
Max-Forwards: 10
Expires: 3600
User-Agent: SIPp/Win32
Content-Length: 0
This is an example of a REGISTER request. In short, it tells the SIP Gateway that you are ready to send and receive calls from other clients.
As you can see, we could craft such requests with ncat, filling in all the required fields manually. But why, if we have some amazing tools? :)
Tools
That's why I am writing this post. There are at least two tools you could use for SIP testing - sipvicious and sipp.
SipVicious is an amazing set of tools covering the whole area from reconnaissance to credential cracking. But it hides a lot of details under the hood, and, to be honest, I had a lot of trouble building its dependencies and installing it in 2018. It seems that this project is still alive and actively growing, so the situation may be different nowadays.
Anyway, the road brought me to another tool named SIPP. The developers call it a test tool or traffic generator, but I consider it a fully functional SIP fuzzer. Like any other fuzzer, it works through a set of scenarios with different data being sent.
The big advantage of SIPP is that a lot of scenarios are already available - check this one and this repo.
SIPP opens the door to some great and funny attacks. For example, you could REGISTER at the SIP Gateway with an existing extension (like your CISO's) and send multiple spoofed INVITEs to your targets - and they will receive a call from the spoofed extension and display name!
You can use this case as part of a Social Engineering attack or as an employee-level DoS, disrupting the workflow of the target users.
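The REGISTER shown above and the spoofed INVITEs are plain text, so a tap on the SIP trunk can parse them. The following is an added example, written for this post and not code from the post, SIPP or SipVicious: a minimal SIP request parser plus a registration tracker that raises alerts when an extension re-registers from a new host, when an INVITE's From extension was registered from a different source address, or when the User-Agent is a traffic generator such as SIPp. The REGISTER is the one from the post (with the RFC 3261 branch cookie), the two INVITEs and all addresses are constructed, and src_ip stands for the packet source address that the capture tool would supply.

```python
# Added example: minimal SIP parser and registration tracker for detection.
# Sample messages below are constructed; the REGISTER mirrors the post's.
import re

# RFC 3261 compact header forms, so "f:" and "From:" land in the same slot.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "l": "content-length", "c": "content-type"}
URI_RE = re.compile(r"sips?:(?:([^@;>\s]+)@)?([^;>\s]+)")


def parse_sip(raw):
    """Return (method, request_uri, headers); headers maps lowercase name -> [values]."""
    text = raw.replace("\r\n", "\n")
    head, _, _body = text.partition("\n\n")
    lines = head.split("\n")
    method, request_uri, version = lines[0].split(" ", 2)
    if not version.startswith("SIP/"):
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers, name = {}, None
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (" ", "\t") and name:      # folded continuation line
            headers[name][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    return method, request_uri, headers


def uri_parts(header_value):
    """Extract (user, host) from a From/To/Contact value such as <sip:26510@10.0.1.1:5060>."""
    m = URI_RE.search(header_value)
    if not m:
        raise ValueError("no SIP URI in %r" % header_value)
    return m.group(1), m.group(2).split(":")[0]   # drop the port


def check_message(bindings, raw, src_ip):
    """Update bindings (extension -> host it registered from) and return alert strings.

    src_ip is the packet source seen on the wire, which the headers cannot forge."""
    method, _uri, headers = parse_sip(raw)
    alerts = []
    if method == "REGISTER":
        user, _ = uri_parts(headers["to"][0])
        _, contact_host = uri_parts(headers["contact"][0])
        known = bindings.get(user)
        if known and known != src_ip:
            alerts.append("extension %s re-registered from %s (previously %s)" % (user, src_ip, known))
        if contact_host != src_ip:
            alerts.append("REGISTER %s: Contact host %s differs from packet source %s"
                          % (user, contact_host, src_ip))
        bindings[user] = src_ip
    elif method == "INVITE":
        user, _ = uri_parts(headers["from"][0])
        known = bindings.get(user)
        if known is None:
            alerts.append("INVITE from %s claims unregistered extension %s" % (src_ip, user))
        elif known != src_ip:
            alerts.append("INVITE from %s claims extension %s, which is registered at %s"
                          % (src_ip, user, known))
    ua = headers.get("user-agent", [""])[0]
    if ua.lower().startswith("sipp"):
        alerts.append("traffic-generator User-Agent %r from %s" % (ua, src_ip))
    return alerts


# The post's REGISTER, with the RFC 3261 magic cookie z9hG4bK in the branch.
REGISTER_26510 = (
    "REGISTER sip:10.0.0.1 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.0.1.1:5060;branch=z9hG4bK-42456-10-0\r\n"
    "From: <sip:26510@10.0.0.1;transport=TCP>;tag=10\r\n"
    "To: <sip:26510@10.0.0.1;transport=TCP>\r\n"
    "Call-ID: 10-42456@10.0.1.1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:26510@10.0.1.1:5060;transport=TCP>\r\n"
    "Max-Forwards: 10\r\nExpires: 3600\r\n"
    "User-Agent: SIPp/Win32\r\nContent-Length: 0\r\n\r\n")

# Constructed INVITE from the phone that registered 26510 (legitimate).
INVITE_LEGIT = (
    "INVITE sip:26511@10.0.0.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.1.1:5060;branch=z9hG4bK-1\r\n"
    "From: \"Boss\" <sip:26510@10.0.0.1>;tag=1\r\nTo: <sip:26511@10.0.0.1>\r\n"
    "Call-ID: 1@10.0.1.1\r\nCSeq: 1 INVITE\r\n"
    "User-Agent: Desk-Phone/1.0\r\nContent-Length: 0\r\n\r\n")

# Constructed INVITE with the same From: but arriving from another host.
INVITE_OTHER_HOST = INVITE_LEGIT.replace("10.0.1.1", "10.0.9.9")


def run_demo():
    """Feed the constructed messages through in order; returns the alerts per message."""
    bindings = {}
    return [check_message(bindings, REGISTER_26510, "10.0.1.1"),
            check_message(bindings, INVITE_LEGIT, "10.0.1.1"),
            check_message(bindings, INVITE_OTHER_HOST, "10.0.9.9")]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        print("message %d: %s" % (i, alerts or "ok"))
```

The post's own REGISTER trips the User-Agent check because it advertises SIPp/Win32; treat that rule as low confidence, since the header is set by the sender. The Contact-versus-source check is noisy behind NAT, so tune it per subnet. The binding checks only work if the tap sees the REGISTER traffic, which is why the SIP gateway's registration log (or a span port on its segment) is the place to run this.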
Good Luck and Have Fun!
The end