Voice Fraud Blog

Practical solutions for fighting VoIP and Telecom fraud

How do the “friendly scanner” attacks work

A SIP scanning attack usually has the following steps:
  1. Randomly send SIP OPTIONS messages to the wide Internet on port 5060 to see which services are out there. The IP addresses that get probed can be completely random or targeting a given company or service provider or a complete country. This way, the attacker gathers a list of IP addresses that host SIP services.
  2. For each IP target, a set of commonly used extensions (00, 01, 001, 002, etc.) are probed to see if they are configured. This is done usually with a REGISTER message for each extension. If the server responds with “404 Not found”, the extension is not configured. But if the server responds with “401 Unauthorized”, then the extension exists.
  3. For each extension, a large set of REGISTER messages are sent, each with a different password, usually taken from dictionaries. If for any of these requests the answer is “200 OK’, it means that the password was found. The attacker can now use it to place calls.
For better or worse, the open-source Sipvicious tools (also known as “friendly scanners” after the user agent string they use) make running the steps above ridiculously easy. As you can see from their website, a python script is provided for each of the above steps. They support saving of sessions between runs, distributing scans across computers and generating the list of commonly used extensions. The website also links to a set of dictionaries that can be used for password cracking.
One thing to note is that potentially a very large number of SIP requests are transmitted. For example, if there are 5 PBXes in a network, each with 100 extensions and  the attacker uses a dictionary with 10,000 words, a total of 2 * 5 * 100 * 10,000 = 10 millions SIP messages will be generated. This is where the friendly scanner becomes a bit rude and transforms itself in an unintentional DoS attack. Newer versions of Sipvicious have more generous delays between requests, but they are easily modifiable by the too-eager script kiddies.
Another interesting observation is that step 2 above relies on the server responding with different response codes depending on whether the extension exists or not (401 and 404 in the example above). By setting your server to always reply with 401 for unauthorized requests, you are making the job of the attacker much harder.
An easy way to test if your VoIP service has weak extensions is to run our free online SIP scanner. It runs Sip vicious behind the scenes and presents you a nice report about how your server looks like when scanned by an attacker.

How voice mail fraud works. Examples.

Let’s assume Chuck, our usual bad guy, has a premium rate phone number (1-900 in the US, 0900 usually in Europe) and he likes easy money. Bob, our unsuspecting victim, is using the voice mail service from his operator. The operator offers Bob a phone number to which he can call to hear his messages. As a convenience function, if Bob presses * after hearing the message, he will be connected to the person leaving the message. To protect Bob’s privacy, the operator only accepts calls to the voice mail number from Bob’s phone number and it requires a 4 digit PIN for extra security.
Here is how the attack happens:
  • Chuck spoofs Bob’s phone number and calls the voice mail number.
  • Chuck brute-forces Bob’s voice mail PIN. There are only 10000 combinations, so an automated script can find the PIN in about 5 minutes.
  • Chuck calls Bob’s number at a time he he knows he will get to the voice mail. He leaves a message from his 1-900 number.
  • Immediately, Chuck calls the voice mail system, authenticates as Bob using the cracked PIN, listen to his own message and then presses *.
  • An expensive call is created towards Chuck’s system and will be paid by Bob.
  • Chuck repeats the call until the operator notices and blocks him.
Easy money for Chuck.
Other possible variations:
  • Chuck hacks into Bob’s voice mail account as above.
  • Chuck uses the voice mail menus to setup automatic call forwarding to his 1-900 number.
  • Chuck calls Bob’s number while he is on holiday or similar, so the calls are always forwarded.
Or:
  • After hacking the voice mail account as above, Chuck changes the greeting message to something like (“<pause> Yes, I accept the charges”)
  • Chuck places a collect call (“reverse charge” in Europe) to Bob’s number, from his 1-900 number or from an expensive international destination if that doesn’t work.
  • The automated operator, hearing the “yes” keyword will connect the call.
I’m sure other ways of abusing the voice mail system are possible. So better make sure it’s not possible to brute-force into the accounts :-)

New online tool for checking PBX security: the SIP scanner

Screenshot of SIP Scanner

Today I’m launching a new web service: the SIP scanner. The goal of the tool is to make it easy to check if a PBX, or really any other type of SIP server, is vulnerable to various types of attacks.
It all started with an email sent by Dan York on the VOIPSA mailing list. He was asking for a SIP equivalent of the Shields Up port scanner and he mentioned the following use case:

The person asking was from a service provider who is selling SIP connectivity to small businesses with IP-PBXs. Many of these small businesses don’t have IT staff (and perhaps have purchased their IP-PBX from a big box store, online, etc.). Those SMBs don’t know anything about security. He was wondering if there was any service he could direct his customers to where they could just go and get a scan of their externally-exposed SIP connections.

At the end of the email, he hinted:

Anyone heard of one? (Anyone going to write one after this message? ;-)

And because I was just looking for good project to kick-start this blog: Challenge accepted!
My initial plan to do all the code for it during a single weekend was a bit too optimistic, in the end it took about two weekends (and the space in between). Nevertheless, it’s ready now, so if you have an Asterisk or Freeswitch or another type of SIP server, feel free to use this to check how vulnerable it is.The tool is completely free, but in order to avoid abuse, I limited it to three scans per day from the same IP address.
And here are the gory details for the curious and the technical inclined: it first runs nmap to get some information about the underlying operating system and open ports. It then uses SIPVicious to send OPTIONS requests to a set of common ports in the attempt to find running SIP services. After it found the ports on which it receives answers, it starts probing for common extensions (like 00, 11, 101, etc). Finally, for all the extensions it found it attempts a set of default passwords to see if the password is easy to crack. After that, it puts everything in an HTML report.
If I get any positive feedback for this, I will extend it to use other scanners and to check for actual vulnerabilities in open source VoIP servers. So make sure to get in contact with me and request features :-)