[asterisk-users] Interesting new hack attack
murf at parsetree.com
Guest
Posted: Thu May 22, 2014 11:42 am    Post subject: [asterisk-users] Interesting new hack attack

In the past little while, we've seen a wave of attacks on Asterisk, via the provisioning.

It goes something like this:

A. Scan for IP phones on the internet, either via spotting something on port 5060, or via the port 80 web interface for the phone. Or, use web sites that scan the internet, and classify the machines, to make your work shorter.

B. Once you get into the web GUI, get the URL for provisioning. I haven't checked yet... do any phones actually allow you to set this, or do any display the current value? And, finally, how many phones publish their own MAC address in the GUI? Or, can you suck this out of the returned IP packets?

C. Given the URL and the MAC, fetch the phone's provisioning info, including its SIP account info. Use to best advantage.

D. Going further, set up a brute-force probe algorithm, to probe all possible MAC addresses for a given phone manufacturer, via HTTP requests. After all, those provisioning web servers are fast and efficient, aren't they? Collect all possible MAC addresses and grab the provisioning, and now you have a LOT of SIP accounts. Use to best advantage.



And, professional hacking organizations seem to also follow these rules:

a. Wait several months for any history of the above activities to roll off the log files. Treat your phone systems like fine wine vintage.

b. Use multiple (hundreds/thousands) of machines scattered over the earth to carry out the above probes, and also to use the accounts for generating international calls.


In general, using the SIP account info gleaned from these kinds of efforts is a bit problematic. You see, to effectively use your phone system to place calls, they will have to set up their own phone system to act like a phone, and register to the phone system, and then initiate calls. Trouble is, your phone is usually already registered, but can be "bumped off". Your phone will re-register at intervals and bump the hackers, who will again register and bump your phone. This little game of "king of the hill" may show up in your Asterisk logs.



So, these defenses can be employed to stop/ameliorate such hacking efforts:

1. Keep your phones behind a firewall. Travellers, beware! Never leave the default login info of the phone at default!

2. Never use the default provisioning URL for the phone, with its default URL or password.

3. Use fail2ban, OSSEC, whatever to stymie any brute force MAC address searches.

4. Use your firewalls to restrict IPs that can access web, FTP, etc., for provisioning to just those IPs needed to allow your phones to provision.

5. Keep your logs for a couple years.

6. Change your phone SIP acct passwords now, if you haven't implemented the above precautions yet.



If I missed a previous post on this, forgive me.

Just thought you-all might appreciate a heads-up.


murf

--

Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-5535
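A defender-side check for the brute-force MAC probing described in step D and defense 3 above, added here as an example and not taken from the original post: it reads constructed web-server access log lines and flags a client that requests many distinct, adjacent MAC-named config files and mostly receives 404s, which is what a sweep looks like and a real phone does not. The `/prov/<mac>.cfg` filename layout, the IP addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed combined-format access-log lines from a hypothetical provisioning
# server. The "/prov/<12 hex digits>.cfg" layout is an assumption; adapt LINE_RE
# to your server. 203.0.113.7 sweeps adjacent MACs; 192.0.2.10 is a real phone.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2014:11:40:01 -0500] "GET /prov/00aabbcc0001.cfg HTTP/1.1" 404 162
203.0.113.7 - - [22/May/2014:11:40:01 -0500] "GET /prov/00aabbcc0002.cfg HTTP/1.1" 404 162
203.0.113.7 - - [22/May/2014:11:40:02 -0500] "GET /prov/00aabbcc0003.cfg HTTP/1.1" 200 1840
203.0.113.7 - - [22/May/2014:11:40:02 -0500] "GET /prov/00aabbcc0004.cfg HTTP/1.1" 404 162
203.0.113.7 - - [22/May/2014:11:40:03 -0500] "GET /prov/00aabbcc0005.cfg HTTP/1.1" 404 162
203.0.113.7 - - [22/May/2014:11:40:03 -0500] "GET /prov/00aabbcc0006.cfg HTTP/1.1" 404 162
192.0.2.10 - - [22/May/2014:11:45:10 -0500] "GET /prov/00aabbcc9d1e.cfg HTTP/1.1" 200 1812
192.0.2.10 - - [22/May/2014:15:45:10 -0500] "GET /prov/00aabbcc9d1e.cfg HTTP/1.1" 200 1812
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) /prov/'
    r'(?P<mac>[0-9a-fA-F]{12})\.cfg[^"]*" (?P<status>\d{3})'
)

def parse_requests(log_text):
    """Yield (client_ip, mac_as_int, http_status) for every config fetch."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], int(m["mac"], 16), int(m["status"])

def detect_mac_enumeration(log_text, min_distinct=4, min_miss_ratio=0.5):
    """Return {ip: summary} for clients whose fetches look like a MAC sweep.
    A phone asks for one config (its own MAC) and normally gets 200; a sweep
    asks for many distinct MACs, usually adjacent, and mostly gets 404."""
    per_ip = defaultdict(list)
    for ip, mac, status in parse_requests(log_text):
        per_ip[ip].append((mac, status))
    flagged = {}
    for ip, hits in per_ip.items():
        macs = sorted({mac for mac, _ in hits})
        miss_ratio = sum(1 for _, s in hits if s == 404) / len(hits)
        # Neighbouring MACs differing by exactly one are the mark of a linear sweep.
        adjacent = sum(1 for a, b in zip(macs, macs[1:]) if b - a == 1)
        if len(macs) >= min_distinct and miss_ratio >= min_miss_ratio:
            flagged[ip] = {"distinct": len(macs), "miss_ratio": round(miss_ratio, 2), "adjacent": adjacent}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_mac_enumeration(SAMPLE_LOG).items():
        print(f"possible provisioning sweep from {ip}: {info}")  # hand the IP to fail2ban or the firewall
```

The flagged IPs are what a fail2ban filter or firewall rule (defenses 3 and 4) would act on; the 404 ratio matters because a sweep of unassigned MACs misses far more often than it hits.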
james at fivecats.org
Guest
Posted: Thu May 22, 2014 4:22 pm    Post subject: [asterisk-users] Interesting new hack attack

On 5/22/2014 12:41 PM, Steve Murphy wrote:

Quote:
So, these defenses can be employed to stop/ameliorate such
hacking efforts:

1. Keep your phones behind a firewall. Travellers, beware!
Never leave the default login info of the phone at default!
2. Never use the default provisioning URL for the phone,
with it's default URL or password.
3. Use fail2ban, ossec, whatever to stymie any brute force
mac address searches.
4. Use your firewalls to restrict IP's that can access web,
ftp, etc, for provisioning to just those IP's needed to allow
your phones to provision.
5. Keep your logs for a couple years.
6. Change your phone SIP acct passwords now, if you haven't
implemented the above precautions yet.


If I missed a previous post on this, forgive me.
Just thought you-all might appreciate a heads-up.

Encrypt your provisioning system if the phone supports it. I had a
cable/voip service provider who HTTPS provisioned by MAC without
encryption and the provisioning URL was stored, unlocked, in the ATA.
Had I been slightly more nefarious, I could have walked the
provisioning tree nice and slow and easily grabbed everyone's SIP
credentials in the clear.

No hacking or cracking was involved. The ATA doubled as the NAT router
they handed out and gave the admin password out freely.
