- Randomly send SIP OPTIONS messages across the Internet to port 5060 to see which SIP services are out there. The IP addresses that get probed can be completely random, or can target a given company, a service provider, or an entire country. This way the attacker gathers a list of IP addresses that host SIP services.
- For each target IP, a set of commonly used extensions (00, 01, 001, 002, etc.) is probed to see whether they are configured. This is usually done with a REGISTER message for each extension. If the server responds with “404 Not Found”, the extension is not configured; if it responds with “401 Unauthorized”, the extension exists. (A server that answers 401 for every extension, whether it exists or not, such as Asterisk with alwaysauthreject=yes, closes this oracle.)
- For each extension found, a large set of REGISTER messages is sent, each with a different password, usually taken from dictionaries. If any of these requests is answered with “200 OK”, the password has been found, and the attacker can now use it to place calls.
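The following is an added example, not code from the original post: a small Python probe that implements the REGISTER step described above and reports whether a PBX answers differently for configured and unconfigured extensions (the 404-versus-401 oracle). It is also the shape of self-check a small business could run against its own externally exposed SIP port. The transport is injected as a callable so the logic runs offline against two constructed fake PBXs (one leaky, one that always challenges); the hostname pbx.example, the source address 192.0.2.10 and the configured extensions 100/101 are assumptions made for the example. Only point `udp_sender()` at hosts you are authorised to test.

```python
"""Probe a SIP server for the extension-enumeration oracle described above.

Added example, not code from the original post. Transport is injected as a
`send(request) -> response` callable, so the same logic runs offline against
the constructed fake PBXs at the bottom or, via udp_sender(), against a host
you are authorised to test.
"""
import re
import socket
import uuid
from typing import Callable, Dict, Iterable, Optional

Sender = Callable[[bytes], bytes]

# Source address placed in Via/Contact (TEST-NET-1, a documentation range,
# assumed for the example). With ;rport the server replies to the real
# source IP and port of the datagram, so this value does not need to be real.
LOCAL_ADDR = "192.0.2.10:5060"


def build_register(host: str, extension: str, cseq: int = 1) -> bytes:
    """Build an unauthenticated SIP REGISTER for extension@host (RFC 3261 section 10)."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]
    lines = [
        f"REGISTER sip:{host} SIP/2.0",
        f"Via: SIP/2.0/UDP {LOCAL_ADDR};branch={branch};rport",
        f"From: <sip:{extension}@{host}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{extension}@{host}>",
        f"Call-ID: {uuid.uuid4().hex}@{host}",
        f"CSeq: {cseq} REGISTER",
        f"Contact: <sip:{extension}@{LOCAL_ADDR}>",
        "Max-Forwards: 70",
        "Expires: 60",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


STATUS_RE = re.compile(rb"^SIP/2\.0 (\d{3}) ")


def status_code(response: bytes) -> Optional[int]:
    """Extract the numeric status from a SIP response; None if empty or unparsable."""
    m = STATUS_RE.match(response)
    return int(m.group(1)) if m else None


def classify(code: Optional[int]) -> str:
    """Map a REGISTER response to what it tells the attacker about the extension."""
    if code == 404:
        return "absent"            # extension not configured
    if code in (401, 407):
        return "exists"            # challenged: extension present, password needed
    if code == 200:
        return "registered"        # no authentication at all: the worst case
    return "unknown"               # timeout, 403, 5xx, ...


def probe(host: str, extensions: Iterable[str], send: Sender) -> Dict[str, str]:
    """Send one REGISTER per extension and classify each answer."""
    return {ext: classify(status_code(send(build_register(host, ext)))) for ext in extensions}


def leaks_extensions(results: Dict[str, str]) -> bool:
    """The oracle is open when different extensions receive different answers."""
    return len({v for v in results.values() if v != "unknown"}) > 1


def udp_sender(host: str, port: int = 5060, timeout: float = 2.0) -> Sender:
    """Real transport: one UDP datagram per request, empty bytes on timeout."""
    def send(request: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(request, (host, port))
            try:
                return sock.recv(4096)
            except socket.timeout:
                return b""
    return send


# --- constructed fake PBXs for offline use (not real servers) -------------
_TO_RE = re.compile(rb"^To: <sip:([^@>]+)@", re.M)
_CHALLENGE = (b"SIP/2.0 401 Unauthorized\r\n"
              b'WWW-Authenticate: Digest realm="pbx", nonce="0123abcd"\r\n'
              b"Content-Length: 0\r\n\r\n")
_NOT_FOUND = b"SIP/2.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"
CONFIGURED = {"100", "101"}   # hypothetical extensions on the fake PBX


def fake_pbx_leaky(request: bytes) -> bytes:
    """404 for unknown extensions, 401 for known ones: enumerable."""
    ext = _TO_RE.search(request).group(1).decode()
    return _CHALLENGE if ext in CONFIGURED else _NOT_FOUND


def fake_pbx_hardened(request: bytes) -> bytes:
    """401 for every extension (cf. Asterisk alwaysauthreject): not enumerable."""
    return _CHALLENGE


if __name__ == "__main__":
    wordlist = ["00", "01", "001", "002", "100", "101", "102"]
    for name, pbx in (("leaky", fake_pbx_leaky), ("hardened", fake_pbx_hardened)):
        res = probe("pbx.example", wordlist, pbx)
        print(name, res, "leaks extensions:", leaks_extensions(res))
```

Against the leaky fake the result separates "exists" from "absent", which is exactly the list an attacker feeds into the password step; against the hardened fake every extension looks the same and `leaks_extensions()` is false. The password step itself is the same exchange repeated with an Authorization header computed from the WWW-Authenticate challenge, which this example deliberately does not implement.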
- Chuck spoofs Bob’s phone number as caller ID and calls the voice mail number.
- Chuck brute-forces Bob’s voice mail PIN. A four-digit PIN has only 10,000 combinations, so an automated script can find it in about 5 minutes.
- Chuck calls Bob’s number at a time when he knows the call will go to voice mail, and leaves a message from his 1-900 (premium rate) number.
- Immediately afterwards, Chuck calls the voice mail system, authenticates as Bob using the cracked PIN, listens to his own message and then presses * to call the sender back.
- An expensive call is set up towards Chuck’s premium rate number and will be paid for by Bob.
- Chuck repeats this until the operator notices and blocks him.
- Chuck hacks into Bob’s voice mail account as above.
- Chuck uses the voice mail menus to set up automatic call forwarding to his 1-900 number.
- Chuck calls Bob’s number while Bob is on holiday or similar, so the calls are always forwarded.
- After hacking the voice mail account as above, Chuck changes the greeting message to something like “<pause> Yes, I accept the charges”.
- Chuck places a collect call (“reverse charge” in Europe) to Bob’s number, from his 1-900 number, or from an expensive international destination if that doesn’t work.
- The automated operator, hearing the “yes” keyword, will connect the call.
The person asking was from a service provider who is selling SIP connectivity to small businesses with IP-PBXs. Many of these small businesses don’t have IT staff (and perhaps have purchased their IP-PBX from a big box store, online, etc.). Those SMBs don’t know anything about security. He was wondering if there was any service he could direct his customers to where they could just go and get a scan of their externally exposed SIP connections.
Anyone heard of one? (Anyone going to write one after this message?)