VoIP Mailing List Archives
murf at parsetree.com
Posted: Thu May 22, 2014 11:42 am Post subject: [asterisk-users] Interesting new hack attack
In the past little while, we've seen a wave of attacks on Asterisk, via the provisioning.
It goes something like this:
A. Scan for IP phones on the internet, either via spotting something on port 5060, or via the port 80 web interface for the phone. Or, use web sites that scan the internet and classify the machines, to make your work shorter.
B. Once you get into the web GUI, get the URL for provisioning. I haven't checked yet... do any phones actually allow you to set this, or do any display the current value? And, finally, how many phones publish their own MAC address in the GUI? Or, can you suck this out of the returned IP packets?
C. Given the URL and the MAC, fetch the phone's provisioning info, including its SIP account info. Use to best advantage.
D. Going further, set up a brute-force probe algorithm to probe all possible MAC addresses for a given phone manufacturer, via HTTP requests. After all, those provisioning web servers are fast and efficient, aren't they? Collect all possible MAC addresses and grab the provisioning, and now you have a LOT of SIP accounts. Use to best advantage.
And, professional hacking organizations seem to also follow these rules:
a. Wait several months for any history of the above activities to roll off the log files. Treat your phone systems like fine wine vintage.
b. Use multiple (hundreds/thousands) of machines scattered over the earth to carry out the above probes, and also to use the accounts for generating international calls.
In general, using the SIP account info gleaned from these kinds of efforts is a bit problematic. You see, to effectively use your phone system to place calls, they will have to set up their own phone system to act like a phone, register to the phone system, and then initiate calls. Trouble is, your phone is usually already registered, but can be "bumped off". Your phone will re-register at intervals and bump the hackers, who will again register and bump your phone. This little game of "king of the hill" may show up in your Asterisk logs.
So, these defenses can be employed to stop/ameliorate such hacking efforts:
1. Keep your phones behind a firewall. Travellers, beware! Never leave the default login info of the phone at default!
2. Never use the default provisioning URL for the phone, with its default URL or password.
3. Use fail2ban, OSSEC, whatever to stymie any brute-force MAC address searches.
4. Use your firewalls to restrict the IPs that can access web, FTP, etc. for provisioning to just those IPs needed to allow your phones to provision.
5. Keep your logs for a couple of years.
6. Change your phone SIP account passwords now, if you haven't implemented the above precautions yet.
If I missed a previous post on this, forgive me.
Just thought you-all might appreciate a heads-up.
murf
--
Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉ murf at parsetree dot com
☎ 307-899-5535
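The "king of the hill" registration fight Steve mentions is easy to miss by eye in a busy full log, so here is a small detector for it. This is an added example, not code from the post or from Asterisk. The sample lines are constructed in the style of chan_sip's verbose "Registered SIP '<peer>' at <addr>" message; the exact line format on a real box depends on Asterisk version, verbosity and logger.conf, so the regex is an assumption to check against your own log.

```python
"""Flag SIP peers whose registered address keeps flipping between hosts,
the pattern left behind when a foreign registrar and the real phone keep
bumping each other off.  Added example; log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 1001 belongs at 198.51.100.7, but a second host at
# 203.0.113.9 keeps re-registering it; 1002 is quiet.
SAMPLE_LOG = """\
[May 22 11:40:01] VERBOSE[2817] chan_sip.c:     -- Registered SIP '1001' at 198.51.100.7:5060
[May 22 11:40:05] VERBOSE[2817] chan_sip.c:     -- Registered SIP '1002' at 198.51.100.8:5060
[May 22 11:41:13] VERBOSE[2817] chan_sip.c:     -- Registered SIP '1001' at 203.0.113.9:5060
[May 22 11:42:01] VERBOSE[2817] chan_sip.c:     -- Registered SIP '1001' at 198.51.100.7:5060
[May 22 11:43:20] VERBOSE[2817] chan_sip.c:     -- Registered SIP '1001' at 203.0.113.9:5060
[May 22 11:44:01] VERBOSE[2817] chan_sip.c:     -- Registered SIP '1001' at 198.51.100.7:5060
[May 22 11:45:05] VERBOSE[2817] chan_sip.c:     -- Registered SIP '1002' at 198.51.100.8:5060
"""

# Assumed chan_sip verbose format: "[Mon DD HH:MM:SS] ... Registered SIP 'peer' at ip:port"
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\].*?"
    r"Registered SIP '(?P<peer>[^']+)' at (?P<addr>[^:\s]+):\d+"
)


def parse_registrations(text, year=2014):
    """Yield (timestamp, peer, address) for each successful registration.
    The default Asterisk timestamp carries no year, so the caller supplies it."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            yield ts, m["peer"], m["addr"]


def find_flapping_peers(text, min_flips=3, window=timedelta(minutes=10), year=2014):
    """Return {peer: sorted list of addresses} for peers whose registered
    address changed at least `min_flips` times inside any `window`.

    One change is normal (phone moved, DHCP lease renewed).  Repeated
    alternation between the same addresses within minutes is the fight
    between the real phone and an attacker's registration."""
    flips = defaultdict(list)   # peer -> [(ts, new address), ...]
    seen = defaultdict(set)     # peer -> every address it registered from
    last = {}                   # peer -> most recent address
    for ts, peer, addr in parse_registrations(text, year):
        seen[peer].add(addr)
        if peer in last and last[peer] != addr:
            flips[peer].append((ts, addr))
        last[peer] = addr

    suspects = {}
    for peer, changes in flips.items():
        # Slide over the change list; any min_flips changes within `window` flag the peer.
        for i in range(len(changes) - min_flips + 1):
            if changes[i + min_flips - 1][0] - changes[i][0] <= window:
                suspects[peer] = sorted(seen[peer])
                break
    return suspects


if __name__ == "__main__":
    for peer, addrs in find_flapping_peers(SAMPLE_LOG).items():
        print(f"peer {peer} flapping between {', '.join(addrs)}")
```

Run it against your real full log (`find_flapping_peers(open("/var/log/asterisk/full").read())`) and treat each flagged peer as a credential to rotate now rather than a phone to debug; once the address set includes an IP you do not recognise, the account password is already in someone else's hands. Asterisk 12 and later can also be told not to allow the bump at all by limiting a peer to one contact and rejecting registrations from new addresses while the old one is live.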
james at fivecats.org
Posted: Thu May 22, 2014 4:22 pm Post subject: [asterisk-users] Interesting new hack attack
On 5/22/2014 12:41 PM, Steve Murphy wrote:
> So, these defenses can be employed to stop/ameliorate such hacking efforts:
> 1. Keep your phones behind a firewall. Travellers, beware! Never leave the default login info of the phone at default!
> 2. Never use the default provisioning URL for the phone, with its default URL or password.
> 3. Use fail2ban, OSSEC, whatever to stymie any brute-force MAC address searches.
> 4. Use your firewalls to restrict the IPs that can access web, FTP, etc. for provisioning to just those IPs needed to allow your phones to provision.
> 5. Keep your logs for a couple of years.
> 6. Change your phone SIP account passwords now, if you haven't implemented the above precautions yet.
> If I missed a previous post on this, forgive me.
> Just thought you-all might appreciate a heads-up.
Encrypt your provisioning system if the phone supports it. I had a cable/VoIP service provider who HTTPS provisioned by MAC without encryption and the provisioning URL was stored, unlocked, in the ATA. Had I been slightly more nefarious, I could have walked the provisioning tree nice and slow and easily grabbed everyone's SIP credentials in the clear.
No hacking or cracking was involved. The ATA doubled as the NAT router they handed out and gave the admin password out freely.
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
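Both Steve's step D (walking every MAC of a vendor's OUI with HTTP requests) and James's "walked the provisioning tree nice and slow" leave the same fingerprint on the provisioning server: one source asking for many distinct MAC-named files, most of them missing. The following detector, an added example and not code from either post, implements Steve's defences 3 and 4 over Apache/nginx combined-format access logs: anything outside the provisioning allow-list is flagged immediately, and anything inside it is flagged once it asks for more distinct MACs than any one site could plausibly own. The log lines are constructed, and the `/prov/<mac>.cfg` layout is an assumption; the MAC regex keys on the 12 hex digits, so vendor names such as `SEP<MAC>.cnf.xml` match too.

```python
"""Spot MAC-address enumeration against a phone provisioning web server.
Added example; the access-log lines and URL layout are constructed."""
import ipaddress
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Exactly 12 hex digits not glued to more hex digits: 001565a1b2c3, SEP001565A1B2C3
MAC_RE = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{12})(?![0-9a-fA-F])")


def _line(ip, path, status, ts="22/May/2014:11:42:01 -0600"):
    # Constructed combined-format line (assumed layout, not a real capture).
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Wget/1.14"'


SAMPLE_LOG = [
    _line("198.51.100.7", "/prov/001565a1b2c3.cfg", 200),        # a phone fetching its own file
    _line("198.51.100.7", "/prov/001565a1b2c3.cfg", 200),
    _line("198.51.100.8", "/prov/SEP001565A1B2C4.cnf.xml", 200),  # vendor-style name, same MAC idea
    _line("203.0.113.50", "/prov/001565a1b2c3.cfg", 200),        # one hit, but from outside
]
# Scanner outside the allow-list walking 30 consecutive MACs: one hit, 29 misses.
SAMPLE_LOG += [
    _line("203.0.113.9", f"/prov/001565a1b2{n:02x}.cfg", 200 if n == 0xC3 else 404)
    for n in range(0xB0, 0xCE)
]
# Allow-listed host walking 12 MACs (compromised inside box, or a misconfigured site).
SAMPLE_LOG += [
    _line("198.51.100.20", f"/prov/001565a1b2{n:02x}.cfg", 404)
    for n in range(0xE0, 0xEC)
]


def mac_in_path(path):
    """Return the lowercase MAC embedded in a request path, or None."""
    m = MAC_RE.search(path.split("?", 1)[0])
    return m.group(1).lower() if m else None


def find_enumerators(lines, allowed_nets, max_macs=5):
    """Return {ip: summary} for sources that look like MAC walkers.

    `allowed_nets` are the CIDRs your phones provision from (defence 4).
    `max_macs` must exceed the number of phones behind any single NAT
    address you allow, otherwise a legitimate branch office trips it."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    stats = defaultdict(lambda: {"macs": set(), "requests": 0, "not_found": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        mac = mac_in_path(m["path"])
        if mac is None:
            continue                    # not a config fetch, ignore
        s = stats[m["ip"]]
        s["requests"] += 1
        s["macs"].add(mac)
        if m["status"] == "404":
            s["not_found"] += 1

    offenders = {}
    for ip, s in stats.items():
        reasons = []
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            reasons.append("outside provisioning allow-list")
        if len(s["macs"]) > max_macs:
            reasons.append(f"{len(s['macs'])} distinct MACs, {s['not_found']} not found")
        if reasons:
            offenders[ip] = {"macs": len(s["macs"]), "requests": s["requests"],
                             "not_found": s["not_found"], "reasons": reasons}
    return offenders


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG, ["198.51.100.0/24"]).items():
        print(ip, "; ".join(info["reasons"]))
```

The output is a list of addresses with a reason attached, which is what you would feed to fail2ban or straight into a firewall drop set. Note the 404 count: a single 200 buried in 29 misses (203.0.113.9 above) means the walker found a real phone's file, so that phone's SIP credentials should be rotated, not just the scanner blocked. James's point applies on top of all this: serving the tree over HTTPS does not stop a MAC walk, because a client that knows the URL scheme can still request every name; only authenticating the phone (client certificate, per-device secret) or keeping the server unreachable from the internet does.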