sip crack online
Note
This documentation applies to SIPVicious version v6.0.0-experimental.6. Please note that only the latest version of SIPVicious PRO is supported.
Summary
Launch an online SIP password cracking attack
What it does
Test SIP account weaknesses through a password guessing attack. This tool allows various types of password cracking attacks on SIP registrars and proxies to discover guessable passwords and demonstrate security issues in weak password policies.
Tool functionality
The SIP online cracking tool attempts to guess SIP account passwords on a target SIP server. It supports various SIP methods, password guessing techniques, distribution of the attack across different targets and across different extensions.
The tool makes use of a number of password generators which are used to produce passwords that are then used in each password guessing (or cracking) attempt. By default, the tool uses the pattern cracking algorithm as a password generator, using the basic extension based algorithm. Multiple generators can be used in combination in each attack.
The tool starts by sending a SIP request to the target and waits for a 401 or 407 response; the default SIP method is REGISTER. When a 401 or 407 response is received, the tool computes the authentication challenge response using the digest authentication mechanism and resends the same SIP message with that challenge response. If the new response is again a 401 or 407, it moves on to the next password from the password generators. It repeats this process until the password generators run out of passwords to try, or until every target extension has returned a 200 OK, indicating that its password has been cracked.
When the response to a SIP message without an authentication header is a 200 OK instead of a 401 or 407, no authentication is required. Other 4XX, 5XX or 6XX responses indicate that a password cracking attack is not possible. Special warnings are generated when the response code is unknown (e.g. a 3XX or 202 response).
In the case of the REGISTER SIP method, the `From` and `To` addresses are typically the same unless the SIP registrar allows third-party registration. In such cases one can make use of the `--from` flag to specify who is registering the extension or SIP URI that is passed to the `--extensions` flag; the `--extensions` flag then specifies the `To` address in the SIP message. For methods other than REGISTER (e.g. INVITE), the `--extensions` flag sets the `From` address rather than the `To` address.
Note
When it comes to setting the `To` and `From` headers, the behaviour of the `sip crack online` tool depends on the SIP method used for the attack. This may differ from other tools such as `sip enumerate extensions`, since the aim of this tool is SIP account password cracking rather than enumeration.
The following password generators are available:
- pattern cracking algorithm
- numeric range cracking
- password dictionary attack
- username and password dictionary attack
Command format
```text
sipvicious sip crack online <target1 [target2 [target3 ...]]> [flags]
```
Flags
```text
--auth-config strings       Specify SIP authentication configuration. See documentation for details e.g. algorithm:sha-256
--close-conn                Close the connection after sending each message, instead of keeping it alive
-c, --conn-count int        Number of sockets to use (per target) (default 30)
--credentials-file string   Specify a file containing usernames and passwords on each line, in the following format: username$password (e.g. 1000$test123) or username:extension$password (e.g. user1:1000$test123) or even username:sipuri$password (e.g. user1:sip:1000@example.org$test123); to take input from stdin, use - instead of a filename
-d, --dictionary string     Specify a dictionary file with potential passwords; to take input from stdin, use - instead of a filename
-D, --domain string         Override domain name for the SIP address
-e, --extensions strings    Specify target extensions and/or SIP URIs; if the authentication username is different from the extension, it is passed after a colon; if no extensions are specified, a random numeric extension is used
-E, --extensions-file string Specify a file with extensions and/or SIP URIs or colon delimited extensions or SIP URIs and users; to take input from stdin, use - instead of a filename
--from string               Specify a from extension or SIP URI to set the From address; if not specified, a random numeric extension is used
-m, --method string         Set the SIP message method to use (REGISTER|SUBSCRIBE|NOTIFY|PUBLISH|MESSAGE|INVITE|OPTIONS) (default "register")
-p, --pattern strings       Specify which pattern algorithms to test for with the passwords (ext|ext2|num|dial|all|none); e.g. num,dial (default [ext])
-r, --range strings         Specify a range of numbers for the password; e.g. 100-200,300-310,400
--range-fmt string          Specify a format string for the password (to be used with --range)
--rate string               Specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
--to string                 Specify a to extension or SIP URI to set the To address; if not specified, the default behavior depends on the SIP method being tested
```
Flags inherited from parent commands
```text
--ca-cert string            TLS CA Certificate
--client-cert string        TLS client certificate
--client-key string         TLS client private key
-C, --config string         configuration file to use (may be JSON, TOML or YAML)
--debug                     set log level to debug
-T, --duration duration     Stop the tool after a certain amount of time; e.g. 30s
--logfile string            specify a log filename
--results string            specify the filename for the result output, defaults to standard output. See documentation for information on file extension meanings
--srtp string               Specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
--templates string          Directory to search for template overrides (default ".")
--tls-key-log string        TLS key log
```
Examples
```shell
sipvicious sip crack online udp://target:5060 -d passwords.txt -e 1234
sipvicious sip crack online udp://target:5060 -e 1000 -r 1000-2000
```
Advanced examples
```shell
# using the numeric password range with a format string to pad numbers with zeros
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -d passwords.txt -e 1234 -r 0-9999 --range-fmt '%04d'
# cracking a SIP proxy using INVITE message to call 1234 from various extensions
sipvicious sip crack online tcp://demo.sipvicious.pro:5060 -m invite -e 1000,1100,2000 --to 1001
# distributed password cracking against a SIP TLS server over 100 connections with a credentials file
sipvicious sip crack online tls://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 udp://demo.sipvicious.pro:5060 --credentials-file userpass.txt -c 100
# launch a password cracking against 1234 with dictionary and range
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 1234 -d dict.txt -r 100-200
# do a bunch of known extensions using the pattern scan
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 1234,2345,3456,4567,5678
# do a bunch of known extensions from file using the pattern scan
sipvicious sip crack online udp://demo.sipvicious.pro:5060 --extensions-file extensions.txt
# do password cracking against an extension with a known username
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 2000:2000
# same but this time we have a specific SIP URI passed there
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e sip:2000@demo.sipvicious.pro:2000
# distribute the attack across different users and targets
sipvicious sip crack online udp://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 -e 1100,2000 -D siteonsip.tld
# slowly do password cracking
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 1234 --rate 10/1s
# Try all pattern cracking algorithms against a dictionary of extensions
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -E extensions.txt -p all
```
Exit codes
| Code | Description |
|---|---|
| 40 | A security issue is raised when any passwords are guessed or when any extensions on test require no authentication |
| 30 | A network connectivity issue is raised when the connection fails or when no response is received |
Full flag documentation
Flag: --auth-config
Specify SIP authentication configuration. This flag accepts the following values:
`algorithm:value`
where value may be `md5`, `md5-sess`, `sha-256`, `sha-256-sess`, `sha-512-256` or `sha-512-256-sess`. This value forces the tool to calculate the authorization response based on the first `WWW-Authenticate` or `Proxy-Authenticate` header field that matches this algorithm. If no match is found, the first `WWW-Authenticate` or `Proxy-Authenticate` header is selected.
Flag: --ca-cert
The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.
Flag: --client-cert
The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.
Flag: --client-key
The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.
Flag: --close-conn
The default connection behaviour is to try to keep all connections alive or, in the case of UDP, to reuse the same socket. This flag overrides this behaviour so that the connection is closed after each message is sent. This can uncover vulnerabilities related to socket handling in relation to SIP signalling.
Flag: -C, --config
Specify a configuration file, which may be in JSON, TOML or YAML format. To get the default settings and find out which settings are available, run the `sipvicious utils dump config` command. This is typically used to create a template configuration that can then be edited as needed.
These settings may be overridden when the corresponding flag is explicitly set, if one is present.
Flag: -c, --conn-count
The `--conn-count` flag sets how many sockets are used concurrently to spread out the attack.
Flag: --credentials-file
The `--credentials-file` flag sets the credentials file to be used. It takes a filename as value; the file contains dollar-sign-delimited credentials consisting of a username and password on each line. Example content:
```text
fred$passw0rd
alice$inwonderland
john$theripper
```
The file can also contain an extension or SIP URI, delimited from the username by a colon, as follows:
```text
fred:1000$passw0rd
alice:sip:alice@example.org$inwonderland
```
Note that when no target extensions are specified using the `--extensions` flag, the extension is set to the username in the credentials file. If an extension is specified in the credentials file, then the extension in the `--extensions` flag is ignored.
When the filename is specified as `-`, standard input is used instead of a file.
Flag: --debug
Tells the logger to print out debug messages.
Flag: -d, --dictionary
The `--dictionary` flag takes a filename as argument whose contents are the passwords to be used in the password guessing attack. The dictionary format consists of one password per line. When the filename is specified as `-`, standard input is used instead of a file.
In the following example, we make use of maskprocessor from hashcat to generate password combinations and feed them to the SIPVicious online cracker:
```shell
mp64.bin '?a?a?a?a' | sipvicious sip crack online udp://demo.sipvicious.pro:5060 --debug --dictionary - -e 123
```
Flag: -D, --domain
A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.
Flag: -T, --duration
Specify the maximum duration of the attack so that it stops after a certain time. Examples include:
- 30s
- 10m
- 24h
Flag: -e, --extensions
This flag allows users to specify extensions or target SIP URIs to be tested in the password cracking attack. Extensions are comma separated, for example: `100,1000,9999,test1,test2`. If the authentication username is different from the extension, it is passed after a colon, for example: `100:user1,1000:user2`. If a SIP URI is used instead of a plain extension, it looks like the following: `sip:100@example.org:user1`.
When no extensions are specified, a random numeric extension is used.
Flag: -E, --extensions-file
The `--extensions-file` flag takes a filename containing one extension and, optionally, a username per line. Extensions and usernames are colon delimited, like the values passed to the `--extensions` flag. When the filename is specified as `-`, standard input is used instead of a file.
Flag: --from
Specify the `From` address in the SIP header. Its practical usage depends on the SIP method used for the password cracking attack, as outlined in this document.
Flag: --logfile
When the `--logfile` flag is specified, a log file is created at the specified location and logs are written to this file instead of standard output. If the filename ends with a `.json` file extension, the output format is JSON; otherwise it defaults to text format.
Flag: -m, --method
Specify the SIP method to be used for password cracking. The following methods are supported:
- REGISTER
- SUBSCRIBE
- NOTIFY
- PUBLISH
- MESSAGE
- INVITE
- OPTIONS
Flag: -p, --pattern
The `--pattern` flag sets which pattern cracking algorithms are enabled. The following values can be used in combination:
- `ext`: to enable SIP account specific password tests
- `ext2`: to enable more extensive SIP account specific password tests
- `num`: to perform common numeric-based password tests
- `dial`: to perform dialpad specific password tests
Additionally, the following values are convenience values:
- `all`
- `none`
The pattern cracking algorithms each do the following to generate passwords:
- SIP account specific tests (`ext`):
  - null password
  - tries the SIP extension
  - tries the SIP extension in reverse
  - if the SIP extension is different from the SIP username, then the same tests are run again with the username
- More advanced SIP account specific tests (`ext2`):
  - tries the SIP extension prepended with a range of numbers between 0 and 9, then 00 and 99 (note the zero padding)
  - tries the SIP extension appended with a range of numbers between 0 and 9, then 00 and 99
  - if the SIP extension is different from the SIP username, then the same tests are run again with the username
- Common numeric passwords (`num`):
  - consecutive numbers of lengths between 3 and 10 (e.g. 012, 123 and 123456, up to 0123456789)
  - reverse of the previous test (e.g. 321, 0987654321)
  - round numbers of lengths between 3 and 6 (e.g. 000, 100, 200 up to 900000)
  - dates starting from 1900 to 10 years from now (i.e. 2029)
  - repeated numbers of lengths between 3 and 10 (e.g. 000, 111 up to 9999999999)
- Dialpad specific (`dial`):
  - patterns common on dialpads that are not covered by the previous patterns (e.g. 147, 147*, 147258)
  - reverse of the previous test
Flag: -r, --range
This flag allows users to specify ranges of numbers to be used as passwords in the password cracking attack. Ranges are comma separated, and the bounds of each range are separated by a minus sign. For example: `100-999,1000-1500`.
Flag: --range-fmt
The `--range-fmt` flag allows users to specify a format template for the numeric range password generation. For example, `-r 1-999 --range-fmt="123%04d999"` generates the passwords 1230001999 to 1230999999.
The format string library used is the standard Go `fmt` package. Please check its documentation for full details about the syntax.
Flag: --rate
Rate allows one to limit the attack below a certain rate. If the value is 100/30ms, that means that 100 packets should be spread out evenly across 30 milliseconds across all the connections per target.
Flag: --results
When the `--results` flag is specified, the results are written to the specified filename upon completing the test. The output file format is text unless the filename ends with a `.json` file extension, in which case the output is JSON.
The schema for the JSON output of this submodule is given in the JSON schema section below.
Flag: --srtp
The `--srtp` flag, when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming `INVITE` message. When the `--srtp` flag is set to `none`, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming `INVITE`. The SRTP mode can also be either `dtls` or `sdes`. In both `dtls` and `sdes` modes, the parameters are not required and are generated randomly as needed.
Options for both `dtls` and `sdes` mode may be passed after a colon. For example:
```text
--srtp dtls:cert.crt:cert.key[:ca.crt]
```
where the first argument after the mode (`dtls`) is the public certificate `cert.crt`, then the private key `cert.key` and finally the optional certificate authority file `ca.crt`.
```text
--srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj
```
where the argument is the base64 encoded cryptographic master key with the master salt appended.
Note that in the case of an `sdes` key, the master key must be a valid length, which is 30 octets for the default crypto-suite `AES_CM_128_HMAC_SHA1_80`.
Flag: --templates
Allows one to set the template directory used to load (or save) the SIP templates. To get the default SIP templates, make use of the `sipvicious sip utils dump templates` command.
Flag: --tls-key-log
The TLS key log creates a file with the TLS key that can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.
Flag: --to
Specify the `To` address in the SIP header. Its practical usage depends on the SIP method used for the password cracking attack, as outlined in this document.
Caveats
Behaviour of the extensions flag
The `--extensions` flag sets either the first line's SIP-URI, the `From` header or the `To` header, depending on the value of the `--method` flag. This way, password cracking for a specific target extension is carried out according to the SIP method.
JSON schema
The following is the JSON schema for the JSON output of this tool:
```json
{
  "type": "object",
  "properties": {
    "status": {
      "type": "object",
      "properties": {
        "returncode": { "type": "integer" },
        "description": { "type": "string" }
      }
    },
    "targets": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "target": { "type": "string" },
          "status": {
            "type": "object",
            "properties": {
              "returncode": { "type": "integer" },
              "description": { "type": "string" }
            }
          },
          "results": {
            "type": "object",
            "properties": {
            }
          },
          "issues": {
            "type": "object",
            "properties": {
              "crackedpassword": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "extension": { "type": "string" },
                    "username": { "type": "string" },
                    "password": { "type": "string" }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
```
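The schema above, together with the exit codes documented earlier (40 for a security issue, 30 for a connectivity problem), is what a defender consumes when the tool is run as a recurring check against their own registrar. The reader below is an added example written for this page, not SIPVicious code: it loads a `--results` file written with a `.json` filename, maps each target to its return code and the accounts listed under `crackedpassword`, and decides whether a pipeline should fail. The sample document is constructed to match the schema, and the target URL in it is a placeholder; the choice to keep guessed passwords out of the summary is the example's own.

```python
"""Read the JSON results of `sipvicious sip crack online` and summarise them.
Added example for this page, not SIPVicious code."""
import json
from typing import Dict, List, Tuple

SECURITY_ISSUE = 40      # documented exit code: passwords guessed or no auth required
NETWORK_ISSUE = 30       # documented exit code: connection failed or no response

# Constructed sample output conforming to the documented schema (placeholder host).
CONSTRUCTED_RESULTS = json.dumps({
    "status": {"returncode": 40, "description": "security issue"},
    "targets": [
        {
            "target": "udp://pbx.example.test:5060",
            "status": {"returncode": 40, "description": "security issue"},
            "results": {},
            "issues": {
                "crackedpassword": [
                    {"extension": "1000", "username": "1000", "password": "1000"},
                    {"extension": "2000", "username": "fred", "password": "002000"},
                ]
            },
        },
        {
            "target": "tcp://pbx.example.test:5060",
            "status": {"returncode": 30, "description": "network issue"},
            "results": {},
            "issues": {},
        },
    ],
})


def summarize(results_json: str) -> Dict[str, dict]:
    """Map each target to its return code and the (extension, username) pairs
    that were guessed.  Passwords are deliberately left out so the summary can
    be pasted into a ticket without leaking the secret it reports on."""
    doc = json.loads(results_json)
    summary: Dict[str, dict] = {}
    for target in doc.get("targets", []):
        cracked = target.get("issues", {}).get("crackedpassword", [])
        summary[target["target"]] = {
            "returncode": target.get("status", {}).get("returncode"),
            "description": target.get("status", {}).get("description", ""),
            "cracked": [(c["extension"], c["username"]) for c in cracked],
        }
    return summary


def should_fail_build(results_json: str) -> bool:
    """True when the overall run or any single target reported a security issue."""
    doc = json.loads(results_json)
    codes = [doc.get("status", {}).get("returncode")]
    codes += [t.get("status", {}).get("returncode") for t in doc.get("targets", [])]
    return SECURITY_ISSUE in codes


def unreachable_targets(results_json: str) -> List[str]:
    """Targets that reported a network issue; these were not actually tested."""
    doc = json.loads(results_json)
    return [t["target"] for t in doc.get("targets", [])
            if t.get("status", {}).get("returncode") == NETWORK_ISSUE]


if __name__ == "__main__":
    for target, info in summarize(CONSTRUCTED_RESULTS).items():
        print(target, info["returncode"], info["cracked"])
    print("fail build:", should_fail_build(CONSTRUCTED_RESULTS))
    print("not tested:", unreachable_targets(CONSTRUCTED_RESULTS))
```

Treating a 30 as "not tested" rather than "clean" matters in practice: a transport that timed out contributes no findings, so a green run across three transports where two were unreachable says less than it appears to.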