pfsense:alerts:et_scan_sipvicious_user-agent_detected_friendly-scanner
Revision history: created 2020/03/01 18:05 by peter; removed 2020/04/07 12:14 by peter (current).
====== PFSense - Alerts - ET SCAN Sipvicious User-Agent Detected (friendly-scanner) ======

This alert fires when a SIP request carrying the User-Agent string "friendly-scanner" (the default identifier of the SIPVicious scanner) is seen, i.e. someone is scanning for SIP servers.

SIP servers are part of your VoIP infrastructure (PBXs such as Asterisk, SIP trunks, desk phones).

----

Technically speaking, SIPVicious is a SIP auditing tool used to scan for and enumerate SIP devices and accounts.

It can be obtained freely from its Google Code archive, the Git repo, or bundled with security auditing distributions like Kali.

Originally intended for legitimate white-hat security auditing of internal networks, in the hands of even the most bored script kiddie it can cause serious damage.

That lazy network admin using common username/

SIPVicious sends OPTIONS (or INVITE) requests looking for responses from live hosts, then logs the results to a file.

An attacker can then enumerate valid extensions and brute-force their passwords; a successful crack gives them a registered account on your PBX.

In addition, these INVITEs commonly cause what I call "ghost calls" (phones ring from random callers but nobody is there).
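As an added example (not from the original page, and not SIPVicious or Emerging Threats code), the following Python parses SIP request text and flags the "friendly-scanner" User-Agent that this alert keys on, beside a constructed REGISTER from an ordinary desk phone for contrast. The datagrams, addresses and User-Agent strings are made up for illustration; the check is case-insensitive so a trivial change of case does not slip past it.

```python
"""Spot SIPVicious probes by their default User-Agent (added example).

Not the pfSense/Suricata rule itself and not SIPVicious code: it parses SIP
request text and does the same content match on "friendly-scanner" that the
ET signature in the page title is named for.
"""
import re
from typing import Dict, List, Optional, Tuple

SIPVICIOUS_UA = "friendly-scanner"  # default User-Agent of svmap/svwar/svcrack

# Compact header forms (RFC 3261 section 7.3.3) so "v:" is read as "Via:".
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "l": "content-length", "c": "content-type"}

# Constructed sample datagrams as (source IP, payload). Hand-written for
# this example, not captures; addresses are documentation ranges.
SAMPLE_DATAGRAMS: List[Tuple[str, str]] = [
    ("203.0.113.7",                      # svmap-style OPTIONS sweep
     "OPTIONS sip:100@192.168.1.50 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-3123;rport\r\n"
     "From: \"sipvicious\"<sip:100@1.1.1.1>;tag=abc\r\n"
     "To: \"sipvicious\"<sip:100@1.1.1.1>\r\n"
     "Call-ID: 1054201233781326329\r\n"
     "CSeq: 1 OPTIONS\r\n"
     "Contact: sip:100@203.0.113.7:5060\r\n"
     "User-Agent: friendly-scanner\r\n"
     "Max-Forwards: 70\r\n"
     "Content-Length: 0\r\n"
     "\r\n"),
    ("192.168.1.21",                     # an ordinary desk phone registering
     "REGISTER sip:192.168.1.50 SIP/2.0\r\n"
     "v: SIP/2.0/UDP 192.168.1.21:5060;branch=z9hG4bK77ef\r\n"
     "f: \"Alice\" <sip:alice@192.168.1.50>;tag=1928301774\r\n"
     "t: <sip:alice@192.168.1.50>\r\n"
     "i: 843817637684230@192.168.1.21\r\n"
     "CSeq: 2 REGISTER\r\n"
     "User-Agent: Yealink SIP-T46G 28.80.0.95\r\n"
     "l: 0\r\n"
     "\r\n"),
    ("198.51.100.9",                     # ghost-call INVITE, case changed
     "INVITE sip:1000@192.168.1.50 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 198.51.100.9:5061;branch=z9hG4bK-9999;rport\r\n"
     "From: \"1000\"<sip:1000@198.51.100.9>;tag=zz\r\n"
     "To: <sip:1000@192.168.1.50>\r\n"
     "Call-ID: 55881\r\n"
     "CSeq: 1 INVITE\r\n"
     "User-Agent: Friendly-Scanner\r\n"
     "Content-Length: 0\r\n"
     "\r\n"),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_sip_request(payload: str) -> Optional[Dict[str, str]]:
    """Parse a SIP request into {'method', 'uri', <lower-cased headers>...}.

    Returns None for responses ("SIP/2.0 200 OK") or malformed messages,
    which is what a detector should do rather than crash on junk input.
    """
    head, _, _body = payload.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    msg = {"method": m.group(1), "uri": m.group(2)}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        key = name.strip().lower()
        msg[COMPACT.get(key, key)] = value.strip()
    return msg


def is_sipvicious(msg: Dict[str, str]) -> bool:
    """True when the User-Agent header carries the SIPVicious default string."""
    return SIPVICIOUS_UA in msg.get("user-agent", "").lower()


def scan(datagrams: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (source IP, method, User-Agent) for each datagram that trips the check."""
    hits = []
    for src, payload in datagrams:
        msg = parse_sip_request(payload)
        if msg and is_sipvicious(msg):
            hits.append((src, msg["method"], msg.get("user-agent", "")))
    return hits


if __name__ == "__main__":
    for src, method, ua in scan(SAMPLE_DATAGRAMS):
        print(f"ET SCAN style hit: {src} sent {method} with User-Agent '{ua}'")
```

A match on this string only catches scanners that kept the default; it says nothing about a probe that changed its User-Agent, so treat the alert as a low-cost early warning and rely on the PBX's own failed-registration logs for anything more determined.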
- | |||
----

===== How Does it Work? =====

**SIPVicious** is made up of 4 components: the head, the front legs, the hind legs, and the torso. I'm kidding of course... there are actually 5.

**svcrack** – Cracks the SIP password for a given extension/username, by brute force or from a dictionary wordlist.

**svreport** – Manages the sessions the other tools store, so results can be listed, exported or re-used later, e.g. feeding svmap hits into svwar or svcrack.

**svmap** – "The annoying one" that scans for open SIP targets, by default with an OPTIONS request (INVITE is also possible), and reports the User-Agent each responding host identifies itself with.

**svwar** – Enumerates extensions (accounts) on a PBX found by svmap.

It probes by sending one request per candidate extension (REGISTER by default, INVITE or OPTIONS optionally) and listening for the response; the difference between the reply for a valid extension and an invalid one is what leaks the extension list. The method and the size of the scanned range can be tuned, and because it fires large volumes of requests quickly it can knock over a fragile PBX, so it can double as a DoS tool.
- | |||
<code bash>
svmap 192.168.1.0/
INFO:
INFO:
INFO:
INFO:ImaFly ip:Looks like we received a SIP request from 192.168.1.21:
INFO:
</code>
- | |||

**svcrash** – Defend and counter-attack tool against... itself.

It can be set up to read the Asterisk log, automatically pick out a would-be attacker's IP and port, and try to shut down their scanner with a malformed response packet. A target IP and port can also be entered manually, and the destination port can optionally be brute-forced.
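Before svcrash can answer a scanner it has to get the attacker's IP and port out of the PBX log, which is the step worth seeing. The following is an added example in Python (my own parsing code, not svcrash) that does that from Asterisk chan_sip "Registration from ... failed for ..." notices and reports sources with repeated failures. The log lines are constructed for this example, not taken from a real PBX.

```python
"""Extract scanner ip:port from Asterisk registration-failure notices (added example).

Not svcrash: a stand-alone parser that does the log-reading half of what
svcrash's Asterisk-log mode needs before it can reply to the scanner.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed Asterisk full-log lines in chan_sip's format; not a real capture.
# 203.0.113.7:5062 is a svwar-style sweep (one attempt per extension), and
# 192.168.1.21 is a desk phone with a single mistyped password.
SAMPLE_LOG = """\
[2020-03-01 18:05:10] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.168.1.50>' failed for '203.0.113.7:5062' - Wrong password
[2020-03-01 18:05:10] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.168.1.50>' failed for '203.0.113.7:5062' - No matching peer found
[2020-03-01 18:05:11] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.168.1.50>' failed for '203.0.113.7:5062' - No matching peer found
[2020-03-01 18:05:30] NOTICE[1234] chan_sip.c: Registration from '"alice" <sip:alice@192.168.1.50>' failed for '192.168.1.21:5060' - Wrong password
[2020-03-01 18:05:31] VERBOSE[1234] pbx.c: -- Executing [s@default:1] Answer("SIP/alice-00000001", "") in new stack
"""

# "Wrong password" vs "No matching peer found" is exactly the valid/invalid
# extension distinction an enumerator is after, so keep the reason.
FAILED_REG = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>[0-9.]+):(?P<port>[0-9]+)' - (?P<reason>.*)$"
)


def parse_failed_registrations(log_text: str) -> List[Dict[str, str]]:
    """Return one dict (from, ip, port, reason) per failed-registration notice."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            found.append(m.groupdict())
    return found


def suspected_scanners(log_text: str, threshold: int = 3) -> List[Tuple[str, int, int]]:
    """Return (ip, port, failures) for sources with at least `threshold` failures.

    The port is kept on purpose: the scanner listens for replies on the port
    it sent from, so a svcrash-style reply must go to that ip:port, not to 5060.
    """
    counts = Counter((r["ip"], int(r["port"])) for r in parse_failed_registrations(log_text))
    ranked = [(ip, port, n) for (ip, port), n in counts.items() if n >= threshold]
    return sorted(ranked, key=lambda t: -t[2])


if __name__ == "__main__":
    for ip, port, n in suspected_scanners(SAMPLE_LOG):
        print(f"{ip}:{port} failed {n} registrations, likely svwar/svcrack")
```

Raise the threshold on a busy PBX (phones do re-register with stale credentials), and note that on PJSIP-based Asterisk the message text differs, so the regex would need a second pattern there.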
- | |||
----
- | |||