====== PFSense - Suricata - Alerts - ET SCAN Sipvicious User-Agent Detected (friendly-scanner) ======

This alert fires when Suricata sees a SIP request whose ''User-Agent'' header is ''friendly-scanner'', the default value the SIPVicious tools put in the packets they send. SIPVicious is a scanner that looks for [[https://en.wikipedia.org/wiki/List_of_SIP_software|SIP]] servers. [[https://en.wikipedia.org/wiki/List_of_SIP_software|SIP servers]] are part of your VoIP infrastructure.

----

Technically speaking, SIPVicious is a SIP auditing tool used to scan for and enumerate SIP devices and accounts. It can be obtained freely from its Google Code archive or Git repository, and it comes bundled with security auditing distributions such as Kali. Originally intended for legitimate white-hat security auditing of internal networks, in the hands of even the most bored script kiddie it can cause serious damage. The lazy network admin using common username/password combinations will once again fall victim to this one.

SIPVicious sends INVITE or OPTIONS requests, records which hosts respond, and logs the results to a session file. An attacker can then enumerate valid usernames (extensions) and brute-force their passwords; if that succeeds, they have access to the PBX. In addition, the INVITE probes commonly cause **ghost calls** (phones ring from random callers but no one is there). Worse still, they can even initiate unwanted calls.

One caveat: the rule matches only the default User-Agent string. A scanner that changes or strips that header will not trigger this alert, so an absence of hits does not mean no one is probing your SIP ports.

----

===== How Does it Work? =====

**SIPVicious** is made up of 4 components: the head, the front legs, the hind legs, and the torso. I'm kidding of course... there are actually 5.

  * **svcrack** – cracks the SIP password for a given username (extension), by dictionary or brute force.
  * **svreport** – stores and manages the session data the other tools produce so it can be used later, e.g. to crack a password or review the results elsewhere.
  * **svmap** – "the annoying one" that scans for live SIP targets, usually with an OPTIONS or INVITE request.
  * **svwar** – enumerates the extensions (phones) on a PBX that svmap has found.
    * It probes by sending one request per candidate extension (REGISTER by default; INVITE or OPTIONS can be chosen instead) and listening for the responses, much like svmap, but it gives more control over which request is sent and over the range of extensions tried.
    * Because it fires large numbers of requests at a single target, it could also be used as a DoS tool.
  * **svcrash** – a defence and counter-attack tool against... itself.
    * It can be set up to read the Asterisk log, pull out the would-be attacker's IP and port, and try to shut down the scanner by sending it a malformed response packet.
    * The target can also be entered manually, and there is an optional brute force over the destination port.

Example svmap run against a /24; the three hosts that answered on 5060 are the SIP devices on that network:

<code>
svmap 192.168.1.0/24 -v
INFO:ImaFly:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.20:5060
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.21:5060
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.22:5060
</code>

----

===== References =====

https://code.google.com/p/sipvicious/
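===== Worked Example: The Probe and the Check =====

The following is an added example, not code from the original page or from SIPVicious itself. It builds the kind of SIP request svmap (OPTIONS) and svwar (REGISTER) send, with the default ''friendly-scanner'' User-Agent, and then performs the check that the ET SCAN rule performs: parse the request and flag any whose User-Agent is ''friendly-scanner''. Header values, IP addresses and the sample packet list are constructed assumptions; nothing is sent on the network. It also shows the caveat from above: a scanner that changes its User-Agent goes unflagged.

```python
"""Added example: build SIPVicious-style probes and run the friendly-scanner check.

Not part of the original wiki page or of SIPVicious. All packets are constructed
in memory; nothing is transmitted.
"""
import re

SIPVICIOUS_UA = "friendly-scanner"  # default User-Agent in the SIPVicious tools

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def build_sip_request(method, target_ip, target_port=5060, extension="100",
                      user_agent=SIPVICIOUS_UA):
    """Build a minimal SIP request of the kind a scanner sends over UDP.

    OPTIONS is what svmap uses to find live SIP hosts; REGISTER is what svwar
    uses to enumerate extensions. The header values (source 10.0.0.5, tags,
    Call-ID layout) are illustrative assumptions, not copied from SIPVicious.
    """
    uri = f"sip:{extension}@{target_ip}:{target_port}"
    return "\r\n".join([
        f"{method} {uri} SIP/2.0",
        f"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-{extension};rport",
        f"To: <{uri}>",
        f"From: <sip:{extension}@10.0.0.5>;tag=abc123",
        f"Call-ID: {extension}-{target_ip}",
        f"CSeq: 1 {method}",
        "Max-Forwards: 70",
        "Contact: <sip:100@10.0.0.5:5060>",
        f"User-Agent: {user_agent}",
        "Content-Length: 0",
        "",
        "",
    ])


def parse_sip_request(payload):
    """Return (method, headers) for a SIP request, or None if it is not one.

    Header names are case-insensitive per RFC 3261, so they are lower-cased.
    (User-Agent has no compact form, so no aliasing is needed for this check.)
    """
    head, _, _body = payload.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = _REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return match.group(1), headers


def is_sipvicious(payload):
    """The check behind the ET SCAN alert: a SIP request whose User-Agent is
    friendly-scanner. Returns False for non-SIP payloads and other agents."""
    parsed = parse_sip_request(payload)
    if parsed is None:
        return False
    _method, headers = parsed
    return headers.get("user-agent", "").lower() == SIPVICIOUS_UA


def scan_packets(packets):
    """Run the check over (src_ip, dst_ip, payload) tuples, as a sensor would,
    and return the (src_ip, method) pairs that alerted, in order."""
    alerts = []
    for src, _dst, payload in packets:
        parsed = parse_sip_request(payload)
        if parsed and is_sipvicious(payload):
            alerts.append((src, parsed[0]))
    return alerts


# Constructed sample traffic (not a capture): a scanner finding the PBX and
# enumerating an extension, a legitimate phone registering, a scanner with a
# changed User-Agent, and an unrelated non-SIP datagram.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.168.1.20", build_sip_request("OPTIONS", "192.168.1.20")),
    ("203.0.113.7", "192.168.1.20", build_sip_request("REGISTER", "192.168.1.20", extension="101")),
    ("192.168.1.50", "192.168.1.20", build_sip_request("REGISTER", "192.168.1.20",
                                                       extension="2001", user_agent="Acme IP Phone 1.0")),
    ("203.0.113.9", "192.168.1.20", build_sip_request("OPTIONS", "192.168.1.20", user_agent="custom-ua")),
    ("203.0.113.7", "192.168.1.20", "GET / HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"),
]


if __name__ == "__main__":
    for src, method in scan_packets(SAMPLE_PACKETS):
        print(f"ET SCAN Sipvicious User-Agent Detected: {method} from {src}")
```

Running it flags the two probes from 203.0.113.7 and nothing else. The third packet is a normal phone registration, the fourth is the same kind of OPTIONS probe with a different User-Agent and is missed, which is exactly why this alert is a signal of the lazy scanner rather than proof that nobody is scanning. Suricata matches the header bytes directly rather than parsing the message, but the outcome on these inputs is the same.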