Saturday, 6 August 2011

SIP Enumeration

More VoIP security again this morning.

Most VoIP attacks require the attacker to know the VoIP username or phone extension. Attackers use these to confirm the existence of the registrar, location and proxy servers, the Private Branch eXchange (PBX) and more, and to craft their attacks.

It is, of course, possible to brute force a VoIP system by running through every possible extension in the system. This is time consuming and noisy, which leads to discovery, so a skilled attacker will not do it.
Hence Enumeration.

Rather than making the noise of a brute force attack, the attacker can use the Session Initiation Protocol (SIP) itself to obtain this information.

The REGISTER, OPTIONS and INVITE SIP methods are the ones most commonly used by an attacker in enumerating users.

Attackers will query these methods and use them to speculate on and then validate user accounts. In this way they can both find out whether an extension is valid and map it to a particular user.

Failed traffic is a sign of an attack, so monitor it. Knowing what type of traffic is usual on your system and investigating the anomalies helps you use your valuable time effectively.
In the coming days, I will describe the SIP enumerating process and how you can understand this and use this understanding to detect (and hence stop) attacks on your VoIP system.
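
The monitoring advice above, as an added example that is not from the original post: it flags any source whose REGISTER, OPTIONS or INVITE requests fail against many distinct extensions. The log format, the status codes counted as failures and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample; assumed format: time, source, method, extension, status.
SAMPLE_LOG = """\
2011-08-06T09:00:01 192.0.2.10 REGISTER 201 401
2011-08-06T09:00:02 192.0.2.10 REGISTER 201 200
2011-08-06T09:01:10 192.0.2.11 INVITE 999 404
2011-08-06T09:05:00 198.51.100.7 OPTIONS 100 404
2011-08-06T09:05:00 198.51.100.7 OPTIONS 101 404
2011-08-06T09:05:01 198.51.100.7 OPTIONS 102 404
2011-08-06T09:05:01 198.51.100.7 OPTIONS 201 200
2011-08-06T09:05:02 198.51.100.7 OPTIONS 104 404
2011-08-06T09:05:02 198.51.100.7 OPTIONS 105 404
"""

ENUM_METHODS = {"REGISTER", "OPTIONS", "INVITE"}  # the methods the post names
FAILURE_CODES = {401, 403, 404, 407}  # assumption: statuses counted as failed
LINE_RE = re.compile(r"^\S+ (\S+) ([A-Z]+) (\S+) (\d{3})$")


def find_enumerators(log_text, min_distinct=5, min_fail_ratio=0.8):
    """Flag sources whose requests fail against many distinct extensions;
    "answered" lists extensions the source got a non-failure reply for."""
    total = defaultdict(int)
    failures = defaultdict(int)
    failed = defaultdict(set)
    answered = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) not in ENUM_METHODS:
            continue  # skip malformed lines and other methods
        src, _, ext, status = m.groups()
        total[src] += 1
        if int(status) in FAILURE_CODES:
            failures[src] += 1
            failed[src].add(ext)
        else:
            answered[src].add(ext)
    return {
        src: {"failed": sorted(failed[src]), "answered": sorted(answered[src])}
        for src in failed
        if len(failed[src]) >= min_distinct
        and failures[src] / total[src] >= min_fail_ratio
    }


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

The phone at 192.0.2.10 is not flagged: a single 401 followed by a successful REGISTER is one failure against one extension, which is why the check counts distinct extensions rather than raw failures.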
