
VoIP Security Test and Validation Suite, SIP Security Test Tool, SIP Fuzzing Software

The suite is part of StarTrinity SIP Tester. A free trial is available. The suite includes
  • CallXML engine
  • Distributed SIP Tester nodes and central management software
  • Recommended CallXML scripts for penetration testing
  • Scripts for SIP scanning
  • Scripts to scan SIP DDoS reflectors
  • Scripts for brute force attacks
  • Scripts for IP spoofing
  • Scripts for stateful SIP fuzzing
  • Scripts for RTP fuzzing
  • Scripts for various DoS attacks (at least 5 attack types)
    • DRDoS (reflected): SIP proxy reflection
    • DoS: regular SIP flood with malformed packets
    • DRDoS (reflected): HTTP proxy reflection
    • DRDoS (reflected): Via SIP header reflected DoS attack
    • Spoofed TCP SYN flood
StarTrinity announces the availability of the VoIP Security Test and Validation Suite (VS²), a set of tools for VoIP engineers to test the stability of VoIP servers against possible attacks. We also offer white hat (legal) SIP/VoIP hacking services (penetration test as a service).

Features

  • Multiple-protocol VoIP penetration test system based on CallXML scripts
    • VoIP protocols: UDP, TCP, TLS, SIP, RTP, RTCP, T.38
    • Stateless sending of malformed SIP packets
    • Fuzzing SIP packets randomly within normal VoIP calls (stateful SIP fuzzing). Various ways to randomly and explicitly malform packets
    • Abnormally high rate of fuzzed SIP packets within normally initiated call (e.g. thousands of retransmitted ACK's, or re-INVITE's)
    • CallXML scripts for penetration tests. Subsystem of system variables specific for every test and environment (host names, port numbers, IP ranges, etc). REST API to access the variables.
    • List of predefined test scripts that can possibly crash your VoIP server
    • List of usernames/passwords for brute force attack scripts
    • RTP, RTCP, T.38 flood and malformed packets generation
    • Source IP spoofing
    • TCP SYN flood attack simulation (for SIP over TCP and TLS)
  • Distributed test nodes running on multiple servers for VoIP DDoS attacks
    • Centralized web-based management of multiple test nodes
    • Easy setup of new test nodes on Windows VPS (Amazon AWS, Azure, etc)
    • Interconnection with multiple VoIP providers and PSTN gateways for TDoS attack simulation
  • REST API to integrate with external systems: start/stop test, notification about downtime
  • Desktop GUI and web interface for authoring scripts (for VoIP engineers)

Architecture

Updates

2018 - started working on VoIP penetration testing
2018..2019 - discovered a few serious vulnerabilities in some open source projects
2018-11-17 - released a new version with "addSipMalformer", a basic CallXML element for SIP fuzzing or malforming. It modifies transmitted SIP packets in a random way, using a configured method with parameters such as probability
2018-11-18 - found 2 issues in our own SIP stack and fixed them. The issues were related to accessing a bad memory location when receiving malformed SIP packets
2018-11-18 - found a 3rd issue in our own SIP stack
2018-11-18 - discovered an attack-initiated memory leak in FreeSWITCH: it crashes within 2 minutes
2018-12-09 - running SIP security tests with 3CX PBX, more details here. See video.
2018-12-10 - with the random SIP message fuzzer, our software now generates malformed SIP packets within normal SIP calls. We ran a test and found a SIP packet that crashes our SIP stack:
SIP/2.0 503 Maximum Calls In Progress
Via: SIP/2.0/UDP 192.168.10.60:5070;rport=5070;branch=z9hG4bKPjea3bf9cb13b7400eac0c308af95d58ca
From: <sip:34534534567@192.168.10.4>;tag=bb0f66b2f304410699a8e6e992303c91
To: <sip:12183456789@192.168.10.4>;tag=gNHKB7SFjH7Xg
Call-ID: 3d892e7;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CSeq: 21039 INVITE
Retry-After: 300
User-Agent: xxxxxxxxxxxxxxxxxxx
Accept: application/sdp
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Length: 0

We got this error in the Visual Studio debugger, so we see all the details and will fix the error ASAP. It is a buffer overflow error, and it is very dangerous if the books about penetration testing are to be believed. Some authors claim that it is possible to inject ASM code into the packets and execute it on the remote machine (one book provides an example of executing calc.exe by hacking an FTP server)
2018-12-13 - started to research the stability of Kamailio 5.1.6 on Debian and found an issue that can be seen as a DoS vulnerability. During our tests with malformed/fuzzed SIP packets, Kamailio overloads the system log processes "rsyslogd" and "systemd-journald".
2019-01-18 - fixed 2 bugs (exploits) in our own SIP stack, all thanks to randomly fuzzed and repeated SIP messages. Unhandled exceptions (references to a wrong address in RAM) happen after 10k..300k generated calls. 1 more exploit is still not fixed, and I think we will find more. It looks like our tool is very useful for all VoIP security test engineers and legal hackers
2019-01-19 - fixed the remaining exploit in our software; it now runs stable, for 8 hours and 500K calls so far
2019-01-19 - we have incorporated 17 various publicly available exploits into the VoIP security testing software and finally crashed Kamailio!
2019-01-20 - found another exploit in our own software; it looks like the SIP security issues are never-ending as we add new SIP fuzzers. Here is the packet that causes the crash (in this case it is an infinite loop):
SIP/2.0 200 OK
Retry-After: 300 csip:7940-1@192.168.\xd1.7
Call-ID: 3ece4fb6cf614688a6904b40d31340ff
From:
To: <sip:12183456789@192.168.10.4>;tag=e634abf0208949669f3e94182e50c5d9
CSeq: 28707 INVITE
Supported: 100rel, timer
Contact: <sip:12183456789@192.T68.10.4:5090>
Allow: INFO, PRACK, SUBSCRIBE, NOTIFY, REFER, INVITE, ACK, BYE, CANCEL, UPDATE
Server: StarTrinity.SIP 2019-01-19 16.19 UTC
Content-Type: application/sdp
Content-Length: 000000000000000000000000000000

v=0
o=- 2209061123 2209061123 IN IP4 192.168.10.4
s=SDP
c=IN IP4 192.168.10.4
t=0 0
m=audio 57436 RTP/AVP 8 0 18 4
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
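Both crash packets above fail a receiving stack at the same two places: an unbounded header value (the Call-ID made of semicolons) and a Content-Length that consists of digits but is absurd (thirty zeros), plus an empty From: value and a stray non-ASCII byte on the way. The following Python parser is an added example, not StarTrinity's SIP stack or any project's code; it shows the bounds checks a receiver needs so that such input is refused instead of overrunning a buffer or looping. The size limits (MAX_LINE_LEN and the other MAX_* constants) and the sample packets are assumptions modelled on the packets quoted above, not the original captures.

```python
import re

MAX_MESSAGE_LEN = 65535   # assumption: a whole SIP message must fit one UDP datagram
MAX_LINE_LEN = 1024       # assumption: longest single header line we will buffer
MAX_HEADERS = 64          # assumption: cap on the number of header lines
MAX_CL_DIGITS = 10        # assumption: a Content-Length with more digits is garbage
MAX_BODY_LEN = 16384      # assumption: largest body (SDP etc.) we accept

_TOKEN = re.compile(r"^[A-Za-z0-9._!%*+`'~-]+$")     # RFC 3261 token, used for header names
_DIGITS = re.compile(r"^[0-9]+$")                    # str.isdigit() would also accept chars like '²'
_STATUS = re.compile(r"^SIP/2\.0 ([0-9]{3})(?: |$)")
_REQUEST = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


class SipParseError(ValueError):
    """Raised for any input the parser refuses; the caller just drops the packet."""


def parse_sip_message(raw: bytes) -> dict:
    """Parse start line, headers and body with explicit bounds checks everywhere."""
    if len(raw) > MAX_MESSAGE_LEN:
        raise SipParseError("message too long")
    sep, sep_len = raw.find(b"\r\n\r\n"), 4
    if sep < 0:
        sep, sep_len = raw.find(b"\n\n"), 2
    if sep < 0:
        raise SipParseError("no end of headers")
    head, body = raw[:sep], raw[sep + sep_len:]
    lines = [ln.rstrip(b"\r") for ln in head.split(b"\n")]
    if len(lines) - 1 > MAX_HEADERS:
        raise SipParseError("too many headers")
    if any(len(ln) > MAX_LINE_LEN for ln in lines):
        raise SipParseError("header line too long")      # the 3d892e7;;;;... Call-ID stops here

    # latin-1 never raises, so a stray byte such as \xd1 becomes a character, not an exception
    start = lines[0].decode("latin-1")
    m = _STATUS.match(start)
    status = int(m.group(1)) if m else None
    method = None
    if not m:
        m = _REQUEST.match(start)
        if not m:
            raise SipParseError("bad start line")
        method = m.group(1)

    headers, last = {}, None
    for ln in lines[1:]:
        text = ln.decode("latin-1")
        if text[:1] in (" ", "\t"):                     # RFC 3261 line folding
            if last is None:
                raise SipParseError("folded line before any header")
            headers[last][-1] += " " + text.strip()
            if len(headers[last][-1]) > MAX_LINE_LEN:
                raise SipParseError("folded header too long")
            continue
        name, colon, value = text.partition(":")
        name = name.strip().lower()
        if not colon or not _TOKEN.match(name):
            raise SipParseError("bad header line")
        headers.setdefault(name, []).append(value.strip())   # an empty 'From:' is simply ""
        last = name

    cl = headers.get("content-length", [])
    if len(cl) > 1:
        raise SipParseError("duplicate Content-Length")
    if cl:
        if not _DIGITS.match(cl[0]) or len(cl[0]) > MAX_CL_DIGITS:
            raise SipParseError("bad Content-Length")      # the 30-zero value is refused here
        n = int(cl[0])
        if n > MAX_BODY_LEN:
            raise SipParseError("body too long")
        if len(body) < n:
            raise SipParseError("body shorter than Content-Length")
        body = body[:n]
    elif len(body) > MAX_BODY_LEN:                          # no Content-Length over UDP: body is the rest
        raise SipParseError("body too long")
    return {"status": status, "method": method, "headers": headers, "body": body}


def check_packet(raw: bytes) -> str:
    """'accepted' or 'rejected: <reason>'; handy for feeding fuzzer output through."""
    try:
        parse_sip_message(raw)
        return "accepted"
    except SipParseError as exc:
        return f"rejected: {exc}"


# Constructed test packets modelled on the two crash cases quoted above (not the originals).
GOOD = (b"SIP/2.0 200 OK\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
        b"From: <sip:alice@example.invalid>;tag=1\r\n"
        b"To: <sip:bob@example.invalid>;tag=2\r\n"
        b"Call-ID: abc123\r\n"
        b"CSeq: 1 INVITE\r\n"
        b"Content-Type: application/sdp\r\n"
        b"Content-Length: 12\r\n\r\n"
        b"v=0\r\ns=SDP\r\n")
LONG_CALL_ID = (b"SIP/2.0 503 Maximum Calls In Progress\r\n"
                b"Call-ID: 3d892e7" + b";" * 2000 + b"\r\n"
                b"CSeq: 21039 INVITE\r\nContent-Length: 0\r\n\r\n")
ZERO_PADDED_CL = (b"SIP/2.0 200 OK\r\n"
                  b"Retry-After: 300 csip:7940-1@192.168.\xd1.7\r\n"
                  b"From:\r\n"
                  b"Content-Type: application/sdp\r\n"
                  b"Content-Length: 000000000000000000000000000000\r\n\r\n"
                  b"v=0\r\n")
EMPTY_FROM = ZERO_PADDED_CL.replace(b"000000000000000000000000000000", b"0")
```

The digit-count cap on Content-Length is deliberately stricter than "parse it as an integer": a value that long is never legitimate, and refusing it early means the body-length arithmetic never sees a number it cannot represent.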
2019-01-25 - started a few SIP scanners with the new CallXML element enablesipscanner. It sends SIP OPTIONS requests to random IP addresses:
OPTIONS sip:penetrationTest@%s:%i SIP/2.0
Via: SIP/2.0/UDP %s:%i
Max-Forwards: 70
To: sip:penetrationTest@%s
From: sip:startrinityFriendlyScanner@%s;tag=test
Call-ID: startrinityvoipsecuritytestsuite
CSeq: 1 OPTIONS
Contact: sip:s3@%s:%i
Accept: application/sdp
Content-Length: 0
The VoIP software that responded to our SIP OPTIONS scanning is listed below (taken from the "User-Agent" or "Server" headers):
  • FRITZ!OS
  • eXosip/3.0.3
  • o2-ZyXEL-1.00(AAJG.0)D20_1-DSL_IAD_BSA_WLAN
  • Pirelli Broadband Solutions/Discus Platform/DWV_TEO_4.3.2.0039
  • AVM FRITZ!Box Fon WLAN 7113 (UI) 60.04.68 (Jul 28 2009)
  • Sphairon UA - 2.27-2.9.15.2 NetConnect
  • 3CXPhoneSystem 10.0.23053.0
  • ASKEY AR_RTK_V10.1.1h
  • AVM FRITZ!Box Fon WLAN 7170 (fs) 29.04.80 (Jan 27 2010)
  • 3CXPhoneSystem 15.5.15502.6 (15502)
  • Speedport W 701V 33.04.25 (Jul 12 2006)
  • IAD-OHIO-B-GP-M/1.48S-M
  • Asterisk PBX 1.8.30.0
  • ParksSIPGateway
  • Linksys/PAP2T-5.1.6(LS)
  • MP-1288 FXS/v.7.20A.158.056
  • Tilgin Vood HG238x_ESx000-02_10_01_24
  • M5T SIP Stack/4.1.2.2
  • F660/V5.2.10P2T5
  • NEC-i SV8100-GE 09.01/2.1
  • BER_JU_056_03690
  • Grandstream UCM6104V1.5B 1.0.8.12
  • NEC Aspire UX 04.00.00/2.1
  • Telefonadapter - Telia Bredbandstelefoni
  • F660/V5.2.10P2T5
  • EnGenius_Router
  • kamailio (4.4.4 (x86_64/linux)) - do you know that this version is vulnerable? There has been a CVE since 2018-05, see CVE-2018-14767
We see that some software is outdated, which could mean security vulnerabilities. Note: our software is able to make 30K SIP scans per second on one server, so from now on people running SIP servers with port 5060 open should receive our "friendly" advertisements once every 2 days.
2019-02-03 - we continue running SIP scanners on 3 servers. We scan random IP addresses and random UDP ports.
  • We got a few abuse reports. It is interesting that we run the same scanner script on 3 servers and NOT ALL 3 hosting providers send us the same abuse reports (SIP scanning, brute force attacks). One of the hosting providers did not send us any abuse warning, although our tool sends 20K SIP OPTIONS scans per second to random IP addresses. Can a hacker get "scanner-friendly" server hosting? Yes, easily: there are many such servers on offer (payment via bitcoin)
  • Although some SIP user agents respond with "SIP/2.0 403 SIP request not received from active SIP server", which is correct behaviour (I think the best behaviour is not to send any response at all), most other SIP UAs send responses that reveal vulnerabilities
  • Some vulnerable things I see in the responses to random INVITE scanning:
    • User-Agent or Server headers contain information about the devices. This information MAY be useful to VoIP hackers, for example when they scan an IP network for specific SIP devices. Examples:
      • User-Agent: FRITZ!OS
      • User-Agent: o2-ZyXEL-1.00(AAJG.0)D20_1-DSL_IAD_BSA_WLAN
      • User-Agent: PolycomSoundPointIP-SPIP_331-UA/4.0.11.0583
      • Server: Grandstream UCM6202V1.4A 1.0.18.12
      • Server: Grandstream UCM6204V1.4A 1.0.13.14
      • User-Agent: Panasonic-KX-HTS-002.00022
      • Server: Cisco/SPA122-1.4.1(002)
      • Server: Yeastar S100-30.10.0.34
      • User-Agent: T-Com LinkMgr/11.10.0.117
      • Server: Cisco-SIPGateway/IOS-12.x
      • User-Agent: Polycom/5.5.0.20556 PolycomVVX-VVX_400-UA/5.5.0.20556
      • Server: FPBX-2.10.1(1.8.13.0)
    • Some UAs send responses with device serial numbers:
      • Server: Tilgin Vood HG25xx_ESx000-03_00_00_67 ... X-Serialnumber: V69100000000-0000544234
      • User-Agent: Technicolor TG784n v3 Build 10.2.1.O ... X-Serialnumber: CP1530RAVNL
      Is exposing the serial number good in terms of SIP security?
    • The fact that UAs respond to a scanner over the internet could mean a DoS (denial of service) vulnerability. What if a hacker sends 10000 SIP scans to the same destination? The UA will be out of service if no dynamic filters are implemented. VoIP software must have dynamic IP blacklists; we have seen automatic IP blacklisting in 3CX PBX
    • Some SIP UAs send "401 Unauthorized" responses, which opens the way to faster user enumeration and brute-force attacks. I hope that the usernames/passwords are not weak.
It is a good question: who SHOULD block SIP scanners? VoIP software, IP routers, firewalls, ISPs, your company's system administrator, or you yourself? And another question: have your system administrators correctly configured fail2ban, and does it still work correctly?
When a hacker detects a response from SIP phones/devices, he can find more SIP phones at the same IP address or at nearby IP addresses (within the same IP mask). In our research we found 7 "Polycom" SIP devices at IP address xx.xx.178.180
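To check whether your own devices leak the kind of data listed above, the following Python audit, an added example that is not StarTrinity's scanner or any vendor's code, inspects the Server, User-Agent and X-Serialnumber headers of a SIP response, grades each finding, and produces a sanitised copy of the headers that a hardened device could send instead. The severity levels, the version regex and the generic replacement value "SIP UA" are assumptions; the sample header values are copied from the responses listed above.

```python
import re

VERSION_RE = re.compile(r"\d+(?:[._]\d+)+")   # 1.0.18.12, 5.5.0.20556, 03_00_00_67 ...
IDENTITY_HEADERS = ("server", "user-agent")   # headers that name the product
SERIAL_HEADERS = ("x-serialnumber",)          # headers that identify the individual unit
GENERIC_VALUE = "SIP UA"                      # assumption: what a hardened device answers with


def audit_response_headers(headers: dict) -> list:
    """Findings for one response as a list of (severity, header, reason).
    headers maps lowercase header names to their string values."""
    findings = []
    for name in IDENTITY_HEADERS:
        value = headers.get(name, "")
        if not value or value == GENERIC_VALUE:
            continue
        if VERSION_RE.search(value):
            findings.append(("high", name, f"exposes product and version: {value}"))
        else:
            findings.append(("medium", name, f"exposes product name: {value}"))
    for name in SERIAL_HEADERS:
        if headers.get(name):
            findings.append(("high", name, "exposes device serial number"))
    return findings


def sanitize_response_headers(headers: dict) -> dict:
    """Copy of the headers with identity replaced by the generic value and serials removed."""
    out = dict(headers)
    for name in IDENTITY_HEADERS:
        if name in out:
            out[name] = GENERIC_VALUE
    for name in SERIAL_HEADERS:
        out.pop(name, None)
    return out


_RANK = {"high": 2, "medium": 1}


def audit_many(responses) -> dict:
    """Count responses by their worst finding: {'high': n, 'medium': n, 'clean': n}."""
    counts = {"high": 0, "medium": 0, "clean": 0}
    for headers in responses:
        findings = audit_response_headers(headers)
        worst = max((f[0] for f in findings), key=_RANK.get, default="clean")
        counts[worst] += 1
    return counts


# Constructed inventory: header values copied from the responses listed above.
SAMPLE_RESPONSES = [
    {"server": "Grandstream UCM6202V1.4A 1.0.18.12", "allow": "INVITE, OPTIONS"},
    {"user-agent": "FRITZ!OS"},
    {"server": "Tilgin Vood HG25xx_ESx000-03_00_00_67", "x-serialnumber": "V69100000000-0000544234"},
    {"server": GENERIC_VALUE, "allow": "INVITE, OPTIONS"},
]
```

Run the audit over the responses your own PBX and phones give to an OPTIONS from an unknown source; anything graded "high" is information a scanner can collect without a single authenticated request.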
  • port 9320: User-Agent: PolycomSoundPointIP-SPIP_450-UA/4.0.4.2906
  • port 13893: User-Agent: Polycom/5.5.0.20556 PolycomVVX-VVX_400-UA/5.5.0.20556
  • port 27144: User-Agent: PolycomSoundPointIP-SPIP_450-UA/4.0.4.2906
  • port 22574: User-Agent: PolycomVVX-VVX_500-UA/5.2.4.0068
  • port 57016: User-Agent: PolycomVVX-VVX_500-UA/5.2.4.0068
  • port 60749: User-Agent: PolycomSoundPointIP-SPIP_450-UA/4.0.4.2906
We have access to a few Polycom SIP phones. The next possible step is spam over VoIP (SPIT), Caller ID phishing, or DoS. A question: why do I have access to SIP phones behind NAT? Why does the IP router pass SIP packets from my IP? It is not good. The IP router's NAT vulnerability leads to the vulnerability of the SIP phones. I don't know the model of the IP router which implements NAT here, so I cannot give you more details.
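Who should block the scanner is the question raised above; the following Python guard, an added example rather than StarTrinity's or any vendor's code, shows what a SIP endpoint or PBX can do for itself: ban a source after a burst of unsolicited requests (the dynamic IP blacklist mentioned for 3CX), recognise the Call-ID and From user of the OPTIONS template shown earlier, and, for a phone that knows its own server, answer nobody else at all, which is the behaviour that would have kept the Polycom phones behind that NAT silent. The thresholds, the ban duration and the sample traffic are constructed assumptions, and the signature list is meant to be maintained, not fixed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10            # assumption: sliding window for per-source counting
MAX_REQUESTS_PER_WINDOW = 20   # assumption: above this, treat the source as a flood/scanner
BAN_SECONDS = 600              # assumption: how long a dynamic blacklist entry lives

# Strings from the OPTIONS template shown on this page; a real deployment keeps
# such fingerprints in an updatable list.
SCANNER_SIGNATURES = (
    ("call-id", "startrinityvoipsecuritytestsuite"),
    ("from", "startrinityFriendlyScanner"),
)


class SipScannerGuard:
    """Decide per incoming request whether to accept, silently drop, or ban the source.

    trusted_servers non-empty = "phone mode": only the configured SIP server is
    answered (the 403-or-silence behaviour praised above). Empty = "PBX mode":
    anyone may talk to us, but floods and known scanner fingerprints get banned.
    """

    def __init__(self, trusted_servers=()):
        self.trusted = frozenset(trusted_servers)
        self.recent = defaultdict(deque)   # src ip -> timestamps of recent requests
        self.banned = {}                   # src ip -> ban expiry time

    def _ban(self, ts, src_ip):
        self.banned[src_ip] = ts + BAN_SECONDS
        self.recent.pop(src_ip, None)
        return "ban"

    def decide(self, ts, src_ip, method, headers):
        expiry = self.banned.get(src_ip)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self.banned[src_ip]        # ban expired; start counting again
        if src_ip in self.trusted:
            return "accept"
        for name, needle in SCANNER_SIGNATURES:
            if needle in headers.get(name, ""):
                return self._ban(ts, src_ip)
        window = self.recent[src_ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_REQUESTS_PER_WINDOW:
            return self._ban(ts, src_ip)
        if self.trusted:
            return "drop"          # phone mode: never answer strangers, so there is nothing to enumerate
        return "accept"            # PBX mode: let the normal authentication path handle it


def replay(events, trusted_servers=()):
    """Feed (ts, src_ip, method, headers) events through a guard; return per-source tallies and bans."""
    guard = SipScannerGuard(trusted_servers)
    tally = defaultdict(lambda: {"accept": 0, "drop": 0, "ban": 0})
    for ts, src, method, headers in events:
        tally[src][guard.decide(ts, src, method, headers)] += 1
    return {src: dict(c) for src, c in tally.items()}, sorted(guard.banned)


# Constructed sample traffic (not real captures): a scanner identifying itself by the
# Call-ID above, a burst of 30 OPTIONS from one host in 6 seconds, and a legitimate REGISTER.
SAMPLE_EVENTS = (
    [(0.0, "203.0.113.9", "OPTIONS", {"call-id": "startrinityvoipsecuritytestsuite", "from": "sip:x@203.0.113.9"})]
    + [(i * 0.2, "198.51.100.7", "OPTIONS", {"call-id": f"c{i}", "from": "sip:100@198.51.100.7"}) for i in range(30)]
    + [(1.0, "192.0.2.5", "REGISTER", {"call-id": "reg-1", "from": "sip:alice@pbx.example"})]
)
```

In PBX mode the flooding host gets its first 20 requests through, is banned on the 21st and is dropped silently afterwards; in phone mode with 192.0.2.5 as the configured server, the same host never receives a response at all. The fail2ban question above is the same mechanism moved one layer down: whichever layer does it, the ban must expire and the counter must be per source, or a spoofed burst can lock out a legitimate peer for good.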
2019-02-05 - published VoIP security warning about IP spoofing
2024 - opened access to the VoIP security testing features
Copyright 2011-2024 StarTrinity.com