I spent a little while playing with sipvicious today. This is a SIP scanner that can be used for scanning SIP servers – which obviously includes Asterisk, Trixbox, Elastix, etc…
It’s not surprising that scanning for vulnerable SIP servers is on the increase – these sorts of tools are really easy to use, and with the lure of making free phone calls at your expense it’s definitely worth making sure that your PBX is secure.
Here’s what I did to scan one of my servers. The server is a Trixbox CE 2.6 server and I set up the following extensions for testing –
Next I downloaded Sipvicious –
Now, first we need to find the Asterisk server we want to scan and for that we use svmap.py. I obviously know the name of my server but svmap.py will also scan blocks of IP addresses too.
So all I had to do was give it the hostname/ip address of my Asterisk servers and svmap has successfully identified it.
Next we want to see what extensions are configured on the server so we use svwar.py
The “-e 1000-9999” tells svwar to scan for all extensions between those numbers. As you can see it returns the test extensions I configured and also tells us that extension 1001 doesn’t need a password to connect to it. So potentially, as a hacker, I could already connect as this extension and start making calls.
Now let’s see if there’s any other vulnerable extensions with svcrack.py –
The “-u 1002” tells svcrack which extension to try and guess the password for and “-r1-9999” tells it to use that as a range for potential passwords. It took about 3 seconds to try all the numbers between 1 and 9999 and guess the password. It’s definitely not a good idea just to use numbers for your passwords!
It’s also possible to download dictionary files (just long lists of words) and tell sipvicious to use those as potential passwords. This obviously takes longer to run.
So, what can we do to protect ourselves?
There are a few really simple things that can make our Asterisk servers much more secure.
Always use long, difficult to guess passwords for your extensions!
Set “alwaysauthreject=yes” in your sip configuration file. What this does is prevent Asterisk from telling a sip scanner which are valid extension numbers. Here’s what happened when I changed the setting on my Trixbox –
I edited the file /etc/asterisk/sip_custom.conf and entered the line
Then reloaded SIP in Asterisk with –
Now if I run the same command as before to see what valid extension numbers there are I get the following error –
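As an added example (not part of the original post or of sipvicious), here is a small Python audit that reads a sip.conf-style file and flags the three things the scans above relied on: a missing alwaysauthreject=yes, an extension with no secret, and a numeric-only secret. The sample config is constructed for illustration and the 12-character minimum is an assumed policy threshold, not an Asterisk default.

```python
import re

# Constructed sample in the style of a Trixbox sip_custom.conf; the extension
# numbers mirror the post, the secrets are invented for illustration.
SAMPLE_CONF = """
[general]
context=default
[1000]
type=friend
secret=Xk7$mq2!pL9vRt3w
[1001]
type=friend
[1002]
type=friend
secret=4231
"""

MIN_SECRET_LEN = 12  # assumed policy threshold, not an Asterisk default


def parse_sip_conf(text):
    """Minimal parser for Asterisk's INI-like sip.conf: [section], key=value, ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)  # also accepts [name](!) templates
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()  # a repeated key overwrites
    return sections


def audit_sip_conf(text):
    """Return one finding per weakness that svwar/svcrack would pick up."""
    conf = parse_sip_conf(text)
    findings = []
    if conf.get("general", {}).get("alwaysauthreject", "no").lower() != "yes":
        findings.append("general: alwaysauthreject is not yes, svwar can enumerate extensions")
    for name, opts in conf.items():
        if name == "general" or opts.get("type") not in ("friend", "peer", "user"):
            continue
        secret = opts.get("secret", "")
        if not secret:
            findings.append(f"{name}: no secret, anyone can register as this extension")
        elif secret.isdigit():
            findings.append(f"{name}: numeric-only secret, svcrack guesses it in seconds")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"{name}: secret shorter than {MIN_SECRET_LEN} characters")
    return findings
```

Run against the sample it reports the general setting, extension 1001 (no secret) and extension 1002 (numeric secret), while 1000 passes.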
There are other things you can do and there is a great article here – http://blogs.digium.com/2009/03/28/sip-security/