Focus on EnableSecurity’s VOIPPACK suite tools

The former CEO of EnableSecurity Saudro Gauci [also known for great articles in (in)secure mag] released a new set of utilities to perform IP Phone attacks.

The updates are

• SIP Digest Leak
• Ghostcall

Here is what comes in Saudro Gauci’s EnableSecurity Blog

What does the SIP Digest Leak tool do?

The SIP Digest Leak is a vulnerability that affects a number of IP Phones that make use of SIP. Many VoIP phones will respond to an authentication challenge even when the challenge is not coming from an authorized party. This causes these VoIP phones to leak out the digest authentication details which are used to access PBX servers. Attackers can then launch an offline password attack to recover the original password based on various details obtained through this attack. This tool automates the whole process.

What about Ghostcall?

When an attacker is able to contact the SIP phones directly, the attacker can often get the phones to ring. This means that someone can launch a denial of service where all phones in a network ring at the same time. Ghostcall demonstrates this issue by first determining which extensions the SIP phones ring on, and then getting them to ring simultaneously.

For more advanced information and video tutorial.

Here is a full list of VOIPPACK features

• sipscan - Scans the network for SIP devices and identifies the user-agent and if the device is a PBX
• sipenumerate - Enumerates extensions on a PBX server
• sipcrack - Launches password attacks on the PBX server
• sipautohack - Given a target network, this module will scan for SIP devices, enumerate any extensions on all PBX servers found and try to guess their password
• iax2scan - Scans the network for IAX2 (Asterisk) devices
• asterisknow_exec - Installs MOSDEF on an AsteriskNOW is configuration credentials are known
• voipdnssrv - Enumerates SRV records that are relevant to VOIP (SIP, IAX2, H.323) and resolves to IP address
• sipdigestleak - Forces IP Phones to leak out the digest credentials and performs a quick offline password attack
• ghostcall - Rings all phones on a target network at the same time
• digestcracker - offline SIP digest password recovery tool
• sipphonecall - emulates the control part of an IP phone and can be used to test if a phone will ring
• sipgetringers - Finds out which number / extension an IP Phone rings on

Security-Database’s review

Needless to say that Saudro allowed security-database to beta test sipenumerate and sipautohack. It was a kid stuff to takeover a VoIP network. I was deeply amazed to see how some VoIP protocols could be unsecured and easy to compromise. These tools were tested in real bank environment.

EnableSecurity has simply created the best VoIP security assessment suite tools ever.

If you want play with VoIP tools, it’s better to set a VoIP lab at home. Don’t panic, Saudro made it easy by releasing this quite good paper.