[VOIPSEC] Fwd: SIPVicious v0.2.3 supports SRV DNS records and Fingerprinting
Sandro Gauci
sandro at enablesecurity.com
Wed Mar 10 01:15:16 CST 2010
Hi Diana,
SIPVicious (svwar) is not able to enumerate extensions on Yate because
it cannot distinguish between an extension that exists in the
configuration and one that does not. This is by design. By changing the
response for the answers, the SIP registrar is breaking the SIP RFC,
which states the following:
page 63:
5. The registrar extracts the address-of-record from the To header
field of the request. If the address-of-record is not valid
for the domain in the Request-URI, the registrar MUST send a
404 (Not Found) response and skip the remaining steps. The URI
MUST then be converted to a canonical form. To do that, all
URI parameters MUST be removed (including the user-param), and
any escaped characters MUST be converted to their unescaped
form. The result serves as an index into the list of bindings.
The latest release of SIPVicious is 0.2.4 and I would recommend
testing the svn version for the latest changes. When scanning Yate it
returns the following:
sipvicious obscure$ ./svwar.py 192.168.2.105
ERROR:TakeASip:SIP server replied with an authentication request for
an unknown extension. Set --force to force a scan.
WARNING:root:found nothing
As regards Asterisk, they did introduce the same behavior as Yate
(i.e. reply with a 401); it is just not the default. The option is
called "alwaysauthreject" and has been documented at
http://www.asteriskdocs.org/html/apas02.html
Incidentally, last month we made available (commercially) the
alwaysrejectbypass tool as part of VOIPPACK, which bypasses the
Asterisk feature:
http://vimeo.com/9398873
The rest of your post:
Multithreaded - no, SIPVicious is not multithreaded; the code is
available, and it uses select().
The blackhat/whitehat security tools argument has been beaten to death.
My contribution to the subject can be seen in the FAQ:
http://code.google.com/p/sipvicious/wiki/FrequentlyAskedQuestions
Sandro Gauci
Chief Consultant and Founder of EnableSecurity
Email: sandro at enablesecurity.com
Web: http://enablesecurity.com/
PGP: 514D B10C 8C3C 15BB 2EFD 49EC 7CCD 73C5 0295 F23B
---
Your original email:
Hi all,
It seems that sipvicious has a significant bug.
Someone tried to attack a Yate server using it.
The svmap like tool worked very well and found our server.
However, svwar doesn't work with Yate, because Yate is not as stupid as
Asterisk, which answers with 404 when it should answer 401.
sipvicious somehow uses a multithreaded system, or was somehow made
multithreaded, and somehow it ended up looping with registration requests.
Diana
P.S. A whitehat work can always be used by a blackhat guy.
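The behaviour discussed in this thread, as an added example that is not code from SIPVicious, Yate or Asterisk: two hypothetical registrars, one that answers 404 for an unknown address-of-record (the literal reading of the quoted RFC text, and the Asterisk default) and one that challenges every REGISTER with 401 (Yate, or Asterisk with alwaysauthreject), plus an svwar-style enumerator that first registers a random, surely non-existent extension and refuses to continue when even that gets an authentication challenge. Host addresses, extension numbers and the response texts are constructed sample values; the function names are assumptions for this illustration.

```python
"""REGISTER-based extension enumeration and the 404-vs-401 leak (added example)."""
import re
import secrets

# Constructed sample registrar configuration (not a real deployment).
KNOWN_EXTENSIONS = {"100", "101", "200"}

# Constructed responses; realm and nonce values are placeholders.
AUTH_CHALLENGE = ("SIP/2.0 401 Unauthorized\r\n"
                  'WWW-Authenticate: Digest realm="example", nonce="0123abcd"\r\n'
                  "Content-Length: 0\r\n\r\n")
NOT_FOUND = "SIP/2.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"

TO_RE = re.compile(r"^To:\s*<?sip:([^@>;\s]+)@", re.IGNORECASE | re.MULTILINE)


def address_of_record_user(request):
    """User part of the address-of-record taken from the To header, as the quoted RFC step does."""
    m = TO_RE.search(request)
    if not m:
        raise ValueError("REGISTER without a parseable To header")
    return m.group(1)


def leaky_registrar(request):
    """Hypothetical registrar: 404 for an unknown AOR, 401 for a known one (Asterisk default)."""
    user = address_of_record_user(request)
    return AUTH_CHALLENGE if user in KNOWN_EXTENSIONS else NOT_FOUND


def always_challenge_registrar(request):
    """Hypothetical registrar behaving like Yate / Asterisk alwaysauthreject: 401 for every AOR."""
    address_of_record_user(request)  # parsed so malformed requests fail the same way
    return AUTH_CHALLENGE


def build_register(extension, host="192.168.2.105"):
    """Minimal REGISTER request for one extension (Via, tag and Call-ID are random placeholders)."""
    return (f"REGISTER sip:{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.168.2.50:5060;branch=z9hG4bK{secrets.token_hex(4)}\r\n"
            f"From: <sip:{extension}@{host}>;tag={secrets.token_hex(4)}\r\n"
            f"To: <sip:{extension}@{host}>\r\n"
            f"Call-ID: {secrets.token_hex(8)}@192.168.2.50\r\n"
            "CSeq: 1 REGISTER\r\n"
            f"Contact: <sip:{extension}@192.168.2.50>\r\n"
            "Content-Length: 0\r\n\r\n")


def status_code(response):
    """Numeric status from the SIP status line; rejects anything that is not a SIP response."""
    start = response.split("\r\n", 1)[0]
    parts = start.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        raise ValueError(f"not a SIP status line: {start!r}")
    return int(parts[1])


class AuthForUnknownExtension(Exception):
    """The registrar challenged a random extension, so 401 no longer means 'exists'."""


def enumerate_extensions(send, candidates, force=False):
    """Classify candidate extensions from the registrar's reply to a REGISTER for each.

    `send` takes a request string and returns the response string (a real tool would
    put a UDP socket here). A 12-digit random canary is registered first; if even that
    is challenged, the registrar does not leak existence and we stop, like svwar does
    without --force. With force=True every challenged extension is reported, which on
    an always-challenge registrar means every candidate comes back as a false positive.
    """
    canary = "".join(secrets.choice("0123456789") for _ in range(12))
    if status_code(send(build_register(canary))) in (401, 407) and not force:
        raise AuthForUnknownExtension(
            "SIP server replied with an authentication request for an unknown extension")
    found = {}
    for ext in candidates:
        code = status_code(send(build_register(ext)))
        if code in (401, 407):
            found[ext] = "reqauth"   # extension exists and needs credentials
        elif code == 200:
            found[ext] = "noauth"    # extension exists and registered without a password
        # 404 (or anything else) is treated as "does not exist"
    return found


if __name__ == "__main__":
    print(enumerate_extensions(leaky_registrar, ["100", "101", "102", "200"]))
    try:
        enumerate_extensions(always_challenge_registrar, ["100", "102"])
    except AuthForUnknownExtension as exc:
        print("ERROR:", exc)
```

Against the leaky registrar the three configured extensions come back as "reqauth" and 102 is silently absent; against the always-challenge registrar the canary alone aborts the scan, and forcing it through reports 102 as existing even though it is not, which is exactly why the canary check exists.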