Hacking and securing your Asterisk server

Last updated on

I spent a little while playing with sipvicious today. This is a SIP scanner that can be used for scanning SIP servers – which obviousy includes Asterisk, Trixbox, Elastix, etc…

It’s not surpising that scanning for vulnerable SIP servers is on the increase – these sort of tools are really easy to use, and with the lure of making free phone calls at your expense it’s definitnely worth making sure that your PBX is secure.

Here’s what I did to scan one of my servers. The server is a Trixbox CE 2.6 server and I set up the following extensions for testing -

Ext - 1001 : Display Name - 1001 : Secret - Empty
Ext - 1002 : Display Name - 1002 :  Secret - 1002
Ext - 1003 : Display Name - "test" : Secret - "ekwrbq2k3b4lk32b"

Next I downloaded Sipvicious -

cd /tmp
wget http://sipvicious.googlecode.com/files/sipvicious-0.2.4.tar.gz
tar xvfz sipvicious-0.2.4.tar.gz
cd sipvicious-0.2.4

Now, first we need to find the Asterisk server we want to scan and for that we use svmap.py. I obviously know the name of my server but svmap.py will also scan blocks of IP addresses too.

./svmap.py asteriskdemo

| SIP Device        | User Agent   | Fingerprint                            |
-----------------------------------------------------------------------------
| asteriskdemo:5060 | Asterisk PBX | Asterisk / SJphone/1.60.289a (SJ Labs) |

So all I had to do was give it the hostname/ip address of my Asterisk servers and svmap has successfully identified it.

Next we want to see what externsions are configured on the server so we use svwar.py

./svwar.py -e 1000-9999 asteriskdemo

| Extension | Authentication |
------------------------------
| 1003      | reqauth        |
| 1002      | reqauth        |
| 1001      | noauth         |

The “-e 1000-9999″ tells svwar to scan for all extensions between those numbers. As you can see it returns the test extensions I configured and also tells us that extension 1001 doesn’t need a password to connect to it. So potentially, as a hacker, I could already connect as this extension and start making calls.

Now let’s see if there’s any other vulnerable extenions with svcrack.py -

./svcrack.py -u1002 -r1-9999 asteriskdemo

| Extension | Password |
------------------------
| 1002      | 1002     |

The “-u 1002″ tells svcrack which extension to try and guess the password for and “-r1-9999″ tells it to use that as a range for potential passwords. It took about 3 seconds to try all the numbers between 1 and 9999 and guess the password. It’s definitely not a good idea just to use numbers for your passwords!

It’s also possible to download dictionary files (just long lists of words) and tell sipvicious to use those as potential passwords. This obviously takes longer to run.

So, what can we do to protect ourselves?

There are a few really simple things that can make our Asterisk servers much more secure.

Always use long, difficult to guess passwords for your extensions!

Set “alwaysauthreject=yes” in your sip configuration file. What this does is prevent Asterisk from telling a sip scanner which are valid extension numbers. Here’s what happened when I changed the setting on my Trixbox -

I edited the file /etc/asterisk/sip_custom.conf and entered the line

alwaysauthreject=yes

Then reloaded SIP in Asterisk with -

asterisk -rv
sip reload
exit

Now if I run the same command as before to see what valid extension numbers there are I get the following error -

./svwar.py -e 1000-9999 asteriskdemo

ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan.
WARNING:root:found nothing

There are other things you can do and there is a great article here – http://blogs.digium.com/2009/03/28/sip-security/

Last updated by .

7 thoughts on “Hacking and securing your Asterisk server

  1. Pingback: Ataques a una central Asterisk | Un Sanjuanino en Rio Cuarto

  2. matt Post author

    This website is designed to help people protect their VOIP servers, rather than to provide info for hacking them.

  3. Aly

    Thanks my elastix server was hacked this month 230€ cost of this hacking ,with your post i know how to protect my server.
    Merci beaucoup

  4. matt Post author

    The most important thing with Elastix is to protect the web interface. Elastix includes vTiger and there have been quite a few security exploits with it.

    Do not allow general access to the Web interface.

  5. Md Rumman Khan

    I need help for Asterisk Server.

    I have a Vicidialer . from last 1 week i noticed my Voip account is misused. I see traffic on our Voip account at time when no agent are dialing on our server.

    I see suspicious traffic in asterisk CLI also.

    Please help to save Voip account.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>