
sip crack online

Summary

Launch an online SIP password cracking attack

What it does

Test SIP account weaknesses through a password guessing attack. This tool allows various types of password cracking attacks on SIP registrars and proxies to discover guessable passwords and demonstrate security issues in weak password policies.

Tool functionality

The SIP online cracking tool attempts to guess SIP account passwords on a target SIP server. It supports various SIP methods, password guessing techniques, distribution of the attack across different targets and across different extensions.

The tool makes use of a number of password generators which produce the passwords tried in each password guessing (or cracking) attempt. By default, the tool uses the pattern cracking generator with the basic extension-based algorithm (ext). Multiple generators can be used in combination in each attack.

The tool starts by sending a SIP request to the target and waiting for a 401 or 407 response; the default SIP method is REGISTER. When a 401 or 407 response is received, it computes the authentication challenge response using the digest authentication mechanism and resends the same SIP message with that challenge response. If the new response is again a 401 or 407, it moves on to the next password from the password generators. It repeats this process until the password generators run out of passwords to try, or until all target extensions have produced a 200 OK, indicating that their passwords have been cracked.

When the response to a SIP message without an authentication header is a 200 OK, instead of a 401 or 407, this means that no authentication is required. Other 4XX, 5XX or 6XX responses indicate that a password cracking attack is not possible. Special warnings are generated when the response code is unknown (e.g. a 3XX or 202 response).

In the case of the REGISTER SIP method, the From and To addresses are typically the same unless the SIP registrar allows third-party registration. In such cases the from flag specifies who is registering the extension or SIP URI passed to the extensions flag, so the extensions flag then sets the To address in the SIP message. For methods other than REGISTER (e.g. INVITE), the extensions flag sets the From address rather than the To address.

The following password generators are available:

Video demonstration

sipvicious sip crack online

Command format

sipvicious sip crack online <target1 [target2 [target3 ...]]> [flags]

Flags

      --auth-config strings       Specify SIP authentication configuration. See documentation for details e.g. algorithm:sha-256
      --close-conn                Close the connection after sending each message, instead of keeping it alive
  -c, --conn-count int            Number of sockets to use (per target) (default 30)
      --credentials-file string   Specify a file containing usernames and passwords on each line, in the following format: username$password (e.g. 1000$test123) or username:extension$password (e.g. user1:1000$test123) or even username:sipuri$password (e.g. user1:sip:1000@example.org$test123); to take input from stdin, use - instead of a filename
  -d, --dictionary string         Specify a dictionary file with potential passwords; to take input from stdin, use - instead of a filename
  -D, --domain string             Override domain name for the SIP address
  -e, --extensions strings        Specify target extensions and/or SIP URIs; if the authentication username is different from the extension, it is passed after a colon; if no extensions are specified, a random numeric extension is used
  -E, --extensions-file string    Specify a file with extensions and/or SIP URIs or colon delimited extensions or SIP URIs and users; to take input from stdin, use - instead of a filename
      --from string               Specify a from extension or SIP URI to set the from address; if not specified, a random numeric extension is used
  -m, --method string             Set the SIP message method to use (REGISTER|SUBSCRIBE|NOTIFY|PUBLISH|MESSAGE|INVITE|OPTIONS) (default "register")
  -p, --pattern strings           Specify which pattern algorithms to test for with the passwords (ext|ext2|num|dial|all|none); e.g. num,dial (default [ext])
  -r, --range strings             Specify a range of numbers for the password; e.g. 100-200,300-310,400
      --range-fmt string          Specify a format string for the password (to be used with --range)
      --rate string               Specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
      --to string                 Specify a to extension or SIP URI to set the To address; if not specified, the default behavior depends on the SIP method being tested

Flags inherited from parent commands

      --ca-cert string       TLS CA Certificate
      --client-cert string   TLS client certificate
      --client-key string    TLS client private key
  -C, --config string        configuration file to use (may be JSON, TOML or YAML)
      --debug                set log level to debug
  -T, --duration duration    Stop the tool after a certain amount of time; e.g. 30s
      --logfile string       specify a log filename
      --results string       specify the filename for the result output, defaults to standard output. See documentation for information on file extension meanings
      --srtp string          Specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
      --templates string     Directory to search for template overrides (default ".")
      --tls-key-log string   TLS key log

Examples

sipvicious sip crack online udp://target:5060 -d passwords.txt -e 1234
sipvicious sip crack online udp://target:5060 -e 1000 -r 1000-2000

Advanced examples

# using the numeric password range with a format string to pad numbers with zeros
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -d passwords.txt -e 1234 -r 0-9999 --range-fmt '%04d'

# cracking a SIP proxy using INVITE message to call 1234 from various extensions
sipvicious sip crack online tcp://demo.sipvicious.pro:5060 -m invite -e 1000,1100,2000 --to 1001

# distributed password cracking against a SIP TLS server over 100 connections with a credentials file
sipvicious sip crack online tls://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 udp://demo.sipvicious.pro:5060 --credentials-file userpass.txt -c 100

# launch a password cracking against 1234 with dictionary and range
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 1234 -d dict.txt -r 100-200

# do a bunch of known extensions using the pattern scan
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 1234,2345,3456,4567,5678

# do a bunch of known extensions from file using the pattern scan
sipvicious sip crack online udp://demo.sipvicious.pro:5060 --extensions-file extensions.txt

# do password cracking against an extension with a known username
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 2000:2000

# same but this time we have a specific SIP URI passed there
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e sip:2000@demo.sipvicious.pro:2000

# distribute the attack across different users and targets
sipvicious sip crack online udp://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 -e 1100,2000 -D siteonsip.tld

# slowly do password cracking
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -e 1234 --rate 10/1s

# Try all pattern cracking algorithms against a dictionary of extensions
sipvicious sip crack online udp://demo.sipvicious.pro:5060 -E extensions.txt -p all

Exit codes

Code  Description
40    A security issue is raised when any passwords are guessed or when any extensions on test require no authentication
30    A network connectivity issue is raised when the connection fails or when no response is received

Full flag documentation

Flag: --auth-config

Specify SIP authentication configuration. This flag accepts the following values:

  • algorithm:value where value may be md5, md5-sess, sha-256, sha-256-sess, sha-512-256 or sha-512-256-sess. This value will force the tool to calculate the authorization response based on the first WWW-Authenticate or Proxy-Authenticate header field that matches this algorithm. If no match is found then the first WWW-Authenticate or Proxy-Authenticate header is selected.
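The challenge-response exchange described under Tool functionality, together with the --auth-config selection rule above, as an added example that is not SIPVicious code: it parses constructed WWW-Authenticate values, picks the challenge whose algorithm matches the requested one (falling back to the first), computes the Digest response a client sends back, and shows the registrar-side comparison that decides between 200 OK and a further 401/407. Realms, nonces and credentials are constructed, and sha-512-256 is omitted because not every Python build provides it.

```python
import hashlib
import hmac
import re

# Hash constructors for the --auth-config algorithm names handled here
# (sha-512-256 is left out: not every Python build provides it).
ALGORITHMS = {"md5": hashlib.md5, "md5-sess": hashlib.md5,
              "sha-256": hashlib.sha256, "sha-256-sess": hashlib.sha256}

def parse_challenge(header_value):
    """Parse a WWW-Authenticate / Proxy-Authenticate value into a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    challenge = {"algorithm": "MD5"}  # default when the parameter is absent
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        challenge[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return challenge

def select_challenge(header_values, wanted_algorithm=None):
    """--auth-config algorithm:value rule: first challenge whose algorithm
    matches, otherwise the first Digest challenge."""
    challenges = [c for c in map(parse_challenge, header_values) if c]
    for c in challenges:
        if wanted_algorithm and c["algorithm"].lower() == wanted_algorithm.lower():
            return c
    return challenges[0] if challenges else None

def digest_response(challenge, username, password, method, uri,
                    cnonce="0a4f113b", nc="00000001"):
    """Digest 'response' parameter (RFC 3261 / RFC 7616), qop=auth or none."""
    alg = challenge["algorithm"].lower()
    def H(s):
        return ALGORITHMS[alg](s.encode()).hexdigest()
    ha1 = H(f"{username}:{challenge['realm']}:{password}")
    if alg.endswith("-sess"):
        ha1 = H(f"{ha1}:{challenge['nonce']}:{cnonce}")
    ha2 = H(f"{method}:{uri}")
    if "auth" in [q.strip() for q in challenge.get("qop", "").split(",")]:
        return H(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return H(f"{ha1}:{challenge['nonce']}:{ha2}")

def registrar_accepts(challenge, username, stored_password, method, uri,
                      presented, cnonce="0a4f113b", nc="00000001"):
    """Registrar side: recompute with the stored password and compare in
    constant time; a mismatch is what sends the next 401/407."""
    expected = digest_response(challenge, username, stored_password, method, uri, cnonce, nc)
    return hmac.compare_digest(expected, presented)

# Constructed 401 challenge headers; a registrar may offer more than one.
CHALLENGES = [
    'Digest realm="example.org", nonce="dcd98b7102dd2f0e", qop="auth", algorithm=MD5',
    'Digest realm="example.org", nonce="dcd98b7102dd2f0e", qop="auth", algorithm=SHA-256',
]
if __name__ == "__main__":
    ch = select_challenge(CHALLENGES, "sha-256")
    resp = digest_response(ch, "1234", "test123", "REGISTER", "sip:example.org")
    print(ch["algorithm"], resp,
          registrar_accepts(ch, "1234", "test123", "REGISTER", "sip:example.org", resp))
```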

Flag: --ca-cert

The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: --client-cert

The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: --client-key

The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: --close-conn

The default connection behaviour is to try to keep all connections alive or, in the case of UDP, to reuse the same socket. This flag overrides this behaviour so that the connection is closed after each message is sent. This can uncover vulnerabilities related to socket handling in relation to SIP signalling.

Flag: -C, --config

Specify a configuration file, which may be in JSON, TOML or YAML format. To get the default settings and find out which settings are available, run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as needed.

Settings from the configuration file are overridden when the corresponding flag, where one exists, is explicitly set.

Flag: -c, --conn-count

The conn-count flag sets how many sockets should be used concurrently per target to spread out the attack.

Flag: --credentials-file

The credentials-file flag sets the credentials file to be used. This takes a filename as value, containing dollar sign delimited credentials consisting of a username and password on each line. Example content:

fred$passw0rd
alice$inwonderland
john$theripper

The file can also contain an extension or SIP URI delimited by a colon, as follows:

fred:1000$passw0rd
alice:sip:alice@example.org$inwonderland

Note that when no target extensions are specified using the extension flag, the extension is set to the username in the credentials file. If an extension is specified in the credentials file, then the extension in the extension flag is ignored.

When the filename is specified as -, standard input is used instead of taking input from a file.

Flag: --debug

Tells the logger to print out debug messages.

Flag: -d, --dictionary

The dictionary flag takes a filename as argument whose contents are passwords to be used in the password guessing attack. The format of the dictionary consists of one password on each line. When the filename is specified as -, standard input is used instead of taking input from a file.

In the following example, we make use of maskprocessor from hashcat to generate password combinations and feed them to the SIPVicious online cracker:

mp64.bin '?a?a?a?a' | sipvicious sip crack online udp://demo.sipvicious.pro:5060 --debug --dictionary - -e 123

Flag: -D, --domain

A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.

Flag: -T, --duration

Specify the maximum duration of the attack so that it stops after a certain time. Examples include:

  • 30s
  • 10m
  • 24h

Flag: -e, --extensions

This flag allows users to specify extensions or target SIP URIs to be tested in the password cracking attack. Extensions are comma separated. For example: 100,1000,9999,test1,test2. If the authentication username is different from the extension, it is passed after a colon. For example: 100:user1,1000:user2. If a SIP URI is used instead of a plain extension, it looks like the following: sip:100@example.org:user1.

When no extensions are specified, a random numeric extension is used.

Flag: -E, --extensions-file

The extensions-file flag takes a filename containing one extension and, optionally, a username per line. Extensions and usernames are colon delimited, like the values passed to the extensions flag. When the filename is specified as -, standard input is used instead of taking input from a file.
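A parser for the --credentials-file, --extensions and --extensions-file formats described above, as an added example that is not SIPVicious code. resolve_attempts applies the stated precedence: an extension in the credentials file wins, otherwise the -e extensions are used, and with neither the username doubles as the extension. Two assumptions: a username inside an -e value is ignored here, since its interaction with the credentials file is not documented, and blank or # lines are skipped.

```python
def parse_extension_value(value):
    """Parse one -e entry or --extensions-file line: '1000', '1000:user1',
    'sip:100@example.org' or 'sip:100@example.org:user1'.
    Returns (extension_or_uri, username_or_None)."""
    value = value.strip()
    if value.lower().startswith(("sip:", "sips:")):
        uri, _, user = value.rpartition(":")
        # only a colon after the user@host part separates an auth username
        return (uri, user) if "@" in uri else (value, None)
    ext, _, user = value.partition(":")
    return ext, user or None

def parse_credential_line(line):
    """Parse a --credentials-file line: username$password,
    username:extension$password or username:sipuri$password.
    Splitting at the first '$' lets the password itself contain '$'."""
    cred, sep, password = line.rstrip("\r\n").partition("$")
    if not sep:
        raise ValueError(f"missing '$' separator in credentials line: {line!r}")
    username, _, ext = cred.partition(":")
    return username, ext or None, password

def resolve_attempts(credential_lines, flag_extensions=()):
    """Yield (username, extension, password) tuples, applying the documented
    precedence between the file's extension, -e extensions and the username."""
    for line in credential_lines:
        if not line.strip() or line.startswith("#"):  # assumption: skipped
            continue
        username, ext, password = parse_credential_line(line)
        if ext:
            yield username, ext, password
        elif flag_extensions:
            for flag_value in flag_extensions:
                yield username, parse_extension_value(flag_value)[0], password
        else:
            yield username, username, password

# Constructed credentials file content (not a real credential set).
SAMPLE_CREDENTIALS = """\
fred$passw0rd
alice:sip:alice@example.org$inwonderland
john:1000$theripper
"""

if __name__ == "__main__":
    for attempt in resolve_attempts(SAMPLE_CREDENTIALS.splitlines()):
        print(attempt)
```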

Flag: --from

Specify the From address in the SIP header. Its practical use depends on the SIP method used for the password cracking attack, as outlined in this document.

Flag: --logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: -m, --method

Specify the SIP method to be used for password cracking. The following methods are supported:

  • REGISTER
  • SUBSCRIBE
  • NOTIFY
  • PUBLISH
  • MESSAGE
  • INVITE
  • OPTIONS

Flag: -p, --pattern

The pattern flag sets which pattern cracking algorithms are enabled. The following values can be used in combination:

  • ext: to enable SIP account specific password tests
  • ext2: to enable more extension SIP account specific password tests
  • num: to perform common numeric-based password tests
  • dial: to perform dialpad specific password tests

Additionally, the following convenience values are available:

  • all
  • none

The pattern cracking algorithms each do the following to generate passwords:

  • SIP account specific tests (ext):
    • null password
    • tries the SIP extension
    • tries the SIP extension in reverse
    • if the SIP extension is different from the SIP username, then the same tests are run again but with the username
  • More advanced SIP account specific tests (ext2):
    • tries the SIP extension prepended with a range of numbers between 0 and 9, then 00 and 99 (note the zero padding)
    • tries the SIP extension appended with a range of numbers between 0 and 9, then 00 and 99
    • if the SIP extension is different from the SIP username, then the same tests are run again but with the username
  • Common numeric passwords (num):
    • Consecutive numbers of lengths between 3 and 10 (e.g. 012, 123 and 123456, up to 0123456789)
    • Reverse of the previous test (e.g. 321, 0987654321)
    • Round numbers of lengths between 3 and 6 (e.g. 000, 100, 200 up to 900000)
    • Dates starting from 1900 to 10 years from now (i.e. 2029)
    • Repeated digits of lengths between 3 and 10 (e.g. 000, 111 up to 9999999999)
  • Dialpad specific (dial):
    • Patterns common on dialpads that are not covered by the previous patterns (e.g. 147, 147*, 147258)
    • Reverse of the previous test
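A provisioning-time check that applies the pattern families listed above to a candidate password, as an added example that is not SIPVicious code: it reports which of ext, ext2, num and dial would guess the password for a given extension and username, so weak credentials can be rejected before a phone is provisioned. Two assumptions: dates are read as four-digit years, and the dial family covers only the three examples the list gives (plus their reverses), since the full dialpad set is not enumerated here.

```python
import datetime
import re

def _consecutive(digits, step):
    """True for runs like 0123 (step 1) or 9876 (step -1); no wrap-around."""
    return all(int(b) - int(a) == step for a, b in zip(digits, digits[1:]))

def weak_password_patterns(extension, password, username=None):
    """Names of the pattern families (ext, ext2, num, dial) that would guess
    this password for this account; an empty list means none of them would."""
    hits = []
    idents = [extension] + ([username] if username and username != extension else [])
    # ext: null password, the extension/username itself, or its reverse
    if password == "" or any(password in (i, i[::-1]) for i in idents):
        hits.append("ext")
    # ext2: extension/username with 0-9 or 00-99 prepended or appended
    if any(re.fullmatch(rf"\d{{1,2}}{re.escape(i)}|{re.escape(i)}\d{{1,2}}", password)
           for i in idents):
        hits.append("ext2")
    if password.isdigit():
        n = len(password)
        this_year = datetime.date.today().year
        if (3 <= n <= 10 and (_consecutive(password, 1) or _consecutive(password, -1))
                or 3 <= n <= 10 and len(set(password)) == 1           # repeated digit
                or 3 <= n <= 6 and re.fullmatch(r"\d0+", password)    # round number
                or n == 4 and 1900 <= int(password) <= this_year + 10):  # year (assumption)
            hits.append("num")
    # dial: only the documented examples and their reverses are checked here
    dial_examples = ["147", "147*", "147258"]
    if password in dial_examples or password in [d[::-1] for d in dial_examples]:
        hits.append("dial")
    return hits

if __name__ == "__main__":
    # Constructed accounts: extension, candidate password, optional username
    for ext, pw, user in [("2580", "2580", None), ("2580", "002580", None),
                          ("1000", "user7", "user7"), ("2000", "1999", None),
                          ("2000", "Xq7!vR2m#", None)]:
        print(ext, repr(pw), weak_password_patterns(ext, pw, user))
```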

Flag: -r, --range

This flag allows users to specify ranges of numbers to be used in the password cracking attack. Ranges are comma separated, and the start and end of each range are separated by a minus sign. For example: 100-999,1000-1500.

Flag: --range-fmt

The range-fmt flag allows users to specify a format template for the numeric range password generation. For example, -r 1-999 --range-fmt="123%04d999" generates passwords from 1230001999 to 1230999999.

The format string library used is the standard Go fmt. Please check the documentation for full details about the syntax.

Flag: --rate

Rate allows one to limit the attack below a certain rate. If the value is 100/30ms, that means that 100 packets should be spread out evenly across 30 milliseconds across all the connections per target.
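A detector for the trace this attack leaves on the registrar, as an added example that is not SIPVicious or PBX code: it counts 401/407 responses per source address over a sliding window and reports the extensions involved. The log format and all addresses are constructed; the sample reproduces a rate-limited run spread over three extensions (one failure every two seconds), which still exceeds a threshold of 20 failures per 60 seconds. Lines are assumed to be in time order per source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed registrar log format: one line per SIP response sent back.
LINE_RE = re.compile(r"(\S+) src=(\S+) method=(\S+) to=(\S+) status=(\d{3})")

def parse_line(line):
    """Return (timestamp, src, method, to, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))

def detect_guessing(lines, window=timedelta(seconds=60), max_failures=20):
    """Sources whose 401/407 count within any sliding window exceeds max_failures,
    with the peak count and the extensions they challenged against."""
    recent = defaultdict(deque)   # src -> timestamps of 401/407 inside the window
    peak = defaultdict(int)
    exts = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        ts, src, _method, to, status = rec
        if status not in (401, 407):
            continue                      # only authentication challenges count
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:         # drop events older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
        exts[src].add(to)
    return {src: {"peak_failures": n, "extensions": sorted(exts[src])}
            for src, n in peak.items() if n > max_failures}

def build_sample_log():
    """Constructed log: 203.0.113.5 draws a 401 every 2 s across three extensions
    for 70 s, while phone 198.51.100.7 gets one 401 challenge then a 200 OK."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%SZ} src={src} method=REGISTER to={to} status={st}"
    lines = [fmt.format(ts=base + timedelta(seconds=2 * i), src="203.0.113.5",
                        to=["1000", "1100", "2000"][i % 3], st=401) for i in range(36)]
    lines.append(fmt.format(ts=base, src="198.51.100.7", to="1234", st=401))
    lines.append(fmt.format(ts=base + timedelta(seconds=1), src="198.51.100.7",
                            to="1234", st=200))
    return lines

if __name__ == "__main__":
    for src, info in detect_guessing(build_sample_log()).items():
        print(src, info)
```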

Flag: --results

When the results flag is specified, the results are written to the specified filename upon completing the test. The output format is text unless the filename ends with a .json file extension, in which case the output is JSON.

The schema for the JSON output of this submodule is given in the JSON schema section at the end of this document.

Flag: --srtp

The srtp flag, when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE message. When the srtp flag is set to none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE. The srtp mode can also be either dtls or sdes. In both dtls and sdes modes, the parameters are not required and will be generated randomly as needed.

Options for both dtls and sdes mode may be passed after a colon. For example:

  • --srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
  • --srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64 encoded cryptographic master key appended with the master salt.

Note that in the case of an sdes key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite AES_CM_128_HMAC_SHA1_80.

Flag: --templates

Allows one to set the template directory which is used to load (or save) the SIP templates.

To get the default SIP templates, make use of the sipvicious sip utils dump templates command.

Flag: --tls-key-log

The TLS key log creates a file with the TLS key that can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.

Flag: --to

Specify the To address in the SIP header. Its practical use depends on the SIP method used for the password cracking attack, as outlined in this document.

Caveats

Behaviour of the extension flag

The extension flag sets either the first line’s SIP-URI, From or To header depending on the value of the method flag. This way, password cracking for a specific target extension is done depending on the SIP method.

JSON schema

The following is the JSON schema for the JSON output of this tool:

{
  "type": "object",
  "properties": {
    "status": {
      "type": "object",
      "properties": {
        "returncode": { "type": "integer" },
        "description": { "type": "string" }
      }
    },
    "targets": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "target": { "type": "string" },
          "status": {
            "type": "object",
            "properties": {
              "returncode": { "type": "integer" },
              "description": { "type": "string" }
            }
          },
          "results": {
            "type": "object",
            "properties": {
            }
          },
          "issues": {
            "type": "object",
            "properties": {
              "crackedpassword": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "extension": {"type": "string"},
                    "username": {"type": "string"},
                    "password": {"type": "string"}
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}