thebottle Blog

June 28, 2009

SIP Scanning and VoIP Security

Filed under: VoIP — Tony @ 9:16 am

A few months ago, after I had set up my Asterisk box, I started receiving strange calls from people in Colorado and went to check my call logs. I noticed that the night before someone had made calls from my box to many different numbers in succession: xxx-xxx-2401, xxx-xxx-2402, xxx-xxx-2403, and so on. I knew that my box had been compromised.

I had set weak secrets for my extensions, and someone was able to brute-force a secret and start making calls from my machine. I immediately changed all the secrets and have not had a problem since. This article shows some tools you can use to test your own box and some settings that should be changed in order to secure it.
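The call pattern above (one extension dialling a block of consecutive numbers within minutes) is something you can check for in the call detail records rather than waiting for a phone call from a stranger. The following is an added example, not code from the original post: a small Python script that reads a cut-down CDR (only the src, dst and start columns of Asterisk's Master.csv are assumed) and reports runs of consecutive destination numbers from the same source. The sample CDR rows are constructed to reproduce the 2401, 2402, 2403 pattern.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample CDR in a cut-down Asterisk Master.csv layout: only the
# src, dst and start columns are kept, since those are all this check needs.
# The run of ...2401 to ...2404 from extension 200 mirrors the pattern above.
SAMPLE_CDR = """\
src,dst,start
200,3035551212,2009-06-27 23:01:10
200,3035552401,2009-06-27 23:14:02
200,3035552402,2009-06-27 23:14:31
200,3035552403,2009-06-27 23:15:05
200,3035552404,2009-06-27 23:15:40
201,3035559876,2009-06-28 08:02:11
"""


def parse_cdr(text):
    """Parse the CSV into (src, dst, start) tuples ordered by source, then time."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append((r["src"], r["dst"],
                     datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")))
    rows.sort(key=lambda t: (t[0], t[2]))
    return rows


def _continues(prev, cur, max_gap):
    """True if cur dials prev's number plus one, from the same source, within max_gap."""
    return (cur[0] == prev[0]
            and cur[1].isdigit() and prev[1].isdigit()
            and int(cur[1]) == int(prev[1]) + 1
            and cur[2] - prev[2] <= max_gap)


def find_sequential_dialing(rows, min_run=3, max_gap=timedelta(minutes=5)):
    """Return [(src, [dst, ...]), ...] for every run of at least min_run calls whose
    destinations increment by one, each placed within max_gap of the previous call."""
    runs, current = [], []
    for row in rows:
        if current and _continues(current[-1], row, max_gap):
            current.append(row)
        else:
            if len(current) >= min_run:
                runs.append((current[0][0], [c[1] for c in current]))
            current = [row]
    if len(current) >= min_run:
        runs.append((current[0][0], [c[1] for c in current]))
    return runs


if __name__ == "__main__":
    for src, dsts in find_sequential_dialing(parse_cdr(SAMPLE_CDR)):
        print(f"extension {src} dialled {len(dsts)} consecutive numbers: "
              f"{dsts[0]} .. {dsts[-1]}")
```

The thresholds (three calls, five minutes apart at most) are a starting point; a legitimate user rarely dials a numerically adjacent block, so even a low threshold produces few false positives, and the scan can be pointed at a nightly CDR export.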

The tool that I use to scan Asterisk boxes is sipvicious. You will need to have Python installed in order to run the scripts. There are two scripts that I use in the sipvicious tool suite: svwar.py to enumerate extensions and svcrack.py to crack an extension’s secret.

python svwar.py -e 100-499,1000-2999 192.168.1.223

This would scan my Asterisk box and enumerate extensions 100-499 and 1000-2999. You can also input a dictionary file of extensions by using the -d switch.

| Extension | Authentication |
| --- | --- |
| 200 | reqauth |

The output shows that I have extension 200 and that it requires authentication. So now I could run svcrack.py to crack its secret.

python svcrack.py -u 200 -r 1-9999 192.168.1.223

This would try to log in to extension 200 with every secret from 1 through 9999. svcrack.py can also be used with a dictionary via the -d switch.

Some useful .bat files that I created to make it quicker:

@echo off
REM svwar wrapper: prompts for the target IP and enumerates extensions
cd C:\(directory with sipvicious scripts)
:input
set SIP_IP=
set /P SIP_IP=Enter IP Address: %=%
if "%SIP_IP%"=="" goto input
python svwar.py -e 100-499,1000-3999 %SIP_IP%
pause

@echo off
REM svcrack wrapper: prompts for the target IP and an extension, then tries secrets 0-9999
cd C:\(directory with sipvicious scripts)
:sip_ip
set SIP_IP=
set /P SIP_IP=Enter IP Address: %=%
if "%SIP_IP%"=="" goto sip_ip
:sip_exten
set SIP_EXTEN=
set /P SIP_EXTEN=Enter Extension: %=%
if "%SIP_EXTEN%"=="" goto sip_exten
python svcrack.py -u %SIP_EXTEN% -r 0-9999 %SIP_IP%
pause

To secure my box I have done the following:
1. Set long multi-character secrets.
2. Added alwaysauthreject=yes to /etc/asterisk/sip_custom.conf
3. Blocked WAN ports to the Asterisk box on the network firewall (except port 5060).
4. Changed the default passwords on everything that comes with Elastix.
5. Installed Fail2Ban.
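Both the svcrack run described earlier and the Fail2Ban item above come down to the same signal: a burst of failed REGISTER attempts from one source address, visible in Asterisk's log as chan_sip NOTICE lines. The following is an added example, not code from the original post or from Fail2Ban: a Python script that parses such lines, flags sources exceeding a failure threshold inside a time window (the same logic a Fail2Ban jail applies before banning), and lists which usernames each source tried, which separates secret guessing on one extension from extension probing across many. The log lines are constructed in the style of those messages; the exact timestamp layout depends on the dateformat setting in logger.conf and an ISO-style one is assumed here. Note that alwaysauthreject=yes only changes what Asterisk sends back on the wire (a 401 for unknown extensions as well as known ones, so svwar.py can no longer tell them apart); the log still records the distinct failure reasons, which is why the script keeps them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in the style of Asterisk chan_sip NOTICE messages for
# failed REGISTER attempts (timestamp layout assumed; real logs follow logger.conf).
# 203.0.113.5 hammers extension 200 and also touches 201 and 202; the other two
# sources are single stray failures.
SAMPLE_LOG = """\
[2009-06-27 23:10:01] NOTICE[2384] chan_sip.c: Registration from '"200" <sip:200@192.168.1.223>' failed for '203.0.113.5' - Wrong password
[2009-06-27 23:10:02] NOTICE[2384] chan_sip.c: Registration from '"200" <sip:200@192.168.1.223>' failed for '203.0.113.5' - Wrong password
[2009-06-27 23:10:02] NOTICE[2384] chan_sip.c: Registration from '"200" <sip:200@192.168.1.223>' failed for '203.0.113.5' - Wrong password
[2009-06-27 23:10:03] NOTICE[2384] chan_sip.c: Registration from '"201" <sip:201@192.168.1.223>' failed for '203.0.113.5' - Wrong password
[2009-06-27 23:10:03] NOTICE[2384] chan_sip.c: Registration from '"202" <sip:202@192.168.1.223>' failed for '203.0.113.5' - Wrong password
[2009-06-27 23:12:40] NOTICE[2384] chan_sip.c: Registration from '"300" <sip:300@192.168.1.223>' failed for '192.168.1.50' - Wrong password
[2009-06-28 09:00:00] NOTICE[2384] chan_sip.c: Registration from '"999" <sip:999@192.168.1.223>' failed for '198.51.100.7' - No matching peer found
"""

# Source address may carry a ':port' suffix on newer Asterisk releases; accept both.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' "
    r"- (?P<reason>.+)$")
USER_RE = re.compile(r'"([^"]*)"')


def parse_failures(text):
    """Return one dict per matching line: ts, ip, user, reason."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # unrelated log line
        u = USER_RE.search(m["from"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "user": u.group(1) if u else m["from"],
            "reason": m["reason"],
        })
    return events


def offending_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Map ip -> total failures, for every ip with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def usernames_per_source(events):
    """Map ip -> sorted list of distinct usernames it tried (many = extension probing)."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in seen.items()}


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    tried = usernames_per_source(evs)
    for ip, count in offending_sources(evs).items():
        print(f"{ip}: {count} failed registrations, usernames tried: {tried[ip]}")
```

Run against /var/log/asterisk/messages (or full) the script gives you the same view Fail2Ban acts on, which is useful both for tuning the jail's maxretry and findtime and for checking after the fact whether a ban fired when it should have.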


© 2006-2010 by thebottle