"Mr. Watson, come here. I want some career advice."
Sometimes, I like to fire up a shell on one of my honeypot boxes, tail -f the logs from one of the tools I’ve written, and just sit and watch the attacks fly by.
That got me to thinking: What the heck is going on with SIP?
I’m a pretty pragmatic kinda’ guy. I once gave a presentation at a SANS event with the title, Hacking Ugly, which - in reality - was just an ode to pragmatism. In it, I made this argument: We can all appreciate a beautifully constructed tool or an incredibly complex and well-structured pentest attack. But most of the time, it’s hastily thrown together scripts or meatball attacks that actually win the day.
So I started thinking about SIP hacking from a pragmatic point of view. Seriously, what’s going on here?
The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video and messaging applications.* SIP is used to provide signaling for Internet-based telephony by private, IP-based telephone systems (think IP PBX systems, like the open-source tool Asterisk).
The title of this little literary gem is a riff on what are supposedly the first words, spoken by Alexander Graham Bell, when he demonstrated his ability to “talk with electricity” way back in 1876 (“Mr Watson, come here. I want to see you.”). I’m pretty sure Bell would be amazed at what his invention has become.
SIP, in many ways, takes inspiration from another communication protocol, SMTP, and we all know how well that particular exercise has turned out from a security perspective… so you gotta figure SIP is a minefield too.
And it is…
SIP generally is run on port 5060/UDP, and on a daily basis, I see a bunch of stuff like this hit my honeypots:
00000000 4f 50 54 49 4f 4e 53 20 - 73 69 70 3a 31 30 30 40 |OPTIONS sip:100@|
00000010 XX XX XX XX XX XX XX XX - XX XX XX XX 3a 35 30 36 |XXXXXXXXXXXX:506|
00000020 30 20 53 49 50 2f 32 2e - 30 0d 0a 56 69 61 3a 20 |0 SIP/2.0..Via: |
00000030 53 49 50 2f 32 2e 30 2f - 55 44 50 20 30 2e 36 2e |SIP/2.0/UDP 0.6.|
00000040 31 31 2e 31 36 33 3a 35 - 30 36 31 3b 62 72 61 6e |11.163:5061;bran|
00000050 63 68 3d 7a 39 68 47 34 - 62 4b 2d 33 32 35 36 35 |ch=z9hG4bK-32565|
00000060 31 30 38 34 35 3b 72 70 - 6f 72 74 0d 0a 43 6f 6e |10845;rport..Con|
00000070 74 65 6e 74 2d 4c 65 6e - 67 74 68 3a 20 30 0d 0a |tent-Length: 0..|
00000080 46 72 6f 6d 3a 20 22 73 - 69 70 76 69 63 69 6f 75 |From: "sipviciou|
00000090 73 22 3c 73 69 70 3a 31 - 30 30 40 31 2e 31 2e 31 |s"<sip:100@1.1.1|
000000a0 2e 31 3e 3b 74 61 67 3d - 36 31 33 32 36 34 33 39 |.1>;tag=61326439|
000000b0 33 37 33 39 33 37 36 34 - 33 31 33 33 36 33 33 34 |3739376431336334|
000000c0 30 31 33 32 33 32 33 38 - 33 35 33 35 33 37 33 35 |0132323835353735|
000000d0 33 38 33 37 0d 0a 41 63 - 63 65 70 74 3a 20 61 70 |3837..Accept: ap|
000000e0 70 6c 69 63 61 74 69 6f - 6e 2f 73 64 70 0d 0a 55 |plication/sdp..U|
000000f0 73 65 72 2d 41 67 65 6e - 74 3a 20 66 72 69 65 6e |ser-Agent: frien|
00000100 64 6c 79 2d 73 63 61 6e - 6e 65 72 0d 0a 54 6f 3a |dly-scanner..To:|
00000110 20 22 73 69 70 76 69 63 - 69 6f 75 73 22 3c 73 69 | "sipvicious"<si|
00000120 70 3a 31 30 30 40 31 2e - 31 2e 31 2e 31 3e 0d 0a |p:100@1.1.1.1>..|
00000130 43 6f 6e 74 61 63 74 3a - 20 73 69 70 3a 31 30 30 |Contact: sip:100|
00000140 40 30 2e 36 2e 31 31 2e - 31 36 33 3a 35 30 36 31 |@0.6.11.163:5061|
00000150 0d 0a 43 53 65 71 3a 20 - 31 20 4f 50 54 49 4f 4e |..CSeq: 1 OPTION|
00000160 53 0d 0a 43 61 6c 6c 2d - 49 44 3a 20 31 37 35 32 |S..Call-ID: 1752|
00000170 34 38 31 34 35 30 30 32 - 31 32 37 35 36 30 37 31 |4814500212756071|
00000180 35 30 39 35 0d 0a 4d 61 - 78 2d 46 6f 72 77 61 72 |5095..Max-Forwar|
00000190 64 73 3a 20 37 30 0d 0a - 0d 0a |ds: 70.... |
This particular attack is the result of someone running SIPvicious, the “friendly-scanner,” a SIP auditing tool used to scan for and enumerate SIP devices and accounts. It can be obtained freely from its GIT repo or it can be found bundled with security auditing tools like Kali.
I did some checking, and I’m seeing, on average, approximately 300 of these a day - or one every 4.8 minutes. While that doesn’t approach the level of, say, RDP scanning, it’s still a lot.
Over the past few weeks, I’ve logged about 3000 different source IPs scanning for SIP. That’s a pretty considerable number.
All of this attack traffic and all of these sources mean that the bad guys have a considerable “investment” in infrastructure aimed at SIP. But for what? How many targets can there be?
I’ve seen this cruft in my logs for years. Seriously, this has to be a dead end, right?
I started doing a little research, and it turns out that there are a whole lot more here than you’d think.
Let’s just do a little back of the envelope math, based on what I found:
- According to the fine folks at Asterisk, they have 1.3 million new endpoints hitting the ‘Net each year (whoa!)
- That works out to about 3500 new endpoints per day
- Asterisk isn’t the only game in town, but it’s probably the biggest… so let’s just assume 5000 total new endpoints a day
- Being generous, let’s figure only 5% of those new endpoints are being set up by a first-rodeo, VoIP bubble-head and are poorly configured and vulnerable to exploitation
- So as a diligent SIP scanner, you’re competing for a new supply of, let’s say, 250 vulnerable new SIP endpoints each day
- With a tiny 100 member botnet, you could grab… Wait… wut?
- Generate some ca$h with kickbacks you get for dialing premium rate numbers (charged to the owner of the PBX), $ell “phone service,” or u$e these (generally beefy) $ervers for $ome crypto mining…
Ok. Now I understand.
Do you ever get the feeling like you’ve taken the wrong path in life?
-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter: @tliston
March 10, 2021
*Blatently ripped off from Wikipedia. (The Oracle of All Knowledge™. Praise be... Praise be...)