sip security



cisco 2600 running a sip trunk

Can sip credentials be 'sniffed' over the internet? One person told me they
can, another says it's impossible so I'm confused. The sip password in my
router config appears as encrypted with a number '7' preceding it. Thanks for
any advice.


Re: sip security




SIP authentication is typically handled with the same algorithm as
HTTP MD5 Digest authentication.

So the actual credentials are MD5 hashed, but probably aren't as
secure as they could be.

The configuration space of the router isn't related to how the
protocol communicates over the Internet??
But the router most likely needs to have a reversible hash in configs
so it can properly do the HTTP MD5 digest authentication.


Re: sip security





So does that mean it's possible to sniff sip credentials over the internet?


Re: sip security




No. The client sends an MD5 hash of the password across the
connection. The server sends a "nonce" to hash with the password, to
prevent replay attacks.
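
The challenge-response exchange described in the reply above, as an added example that is not part of the original thread: it computes the RFC 2617 digest response in its no-qop form and shows a server accepting a response once, then rejecting the same response on replay. The `Registrar` class, the realm, the URI and the credentials are hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop, the form SIP inherits from HTTP."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # secret-dependent part
    ha2 = md5_hex(f"{method}:{uri}")                 # request-dependent part
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Hypothetical server side: issues single-use nonces and checks responses."""

    def __init__(self, realm, users):
        self.realm = realm
        # Keep HA1 per user; the cleartext password is not needed to verify.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.outstanding or username not in self.ha1:
            return False
        self.outstanding.discard(nonce)  # a nonce is accepted once only
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1[username]}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample values, not taken from the thread.
    user, pw, uri = "tg", "constructed-secret", "sip:sip.example.test"
    reg = Registrar("sip.example.test", {user: pw})
    n1 = reg.challenge()
    resp = digest_response(user, reg.realm, pw, "REGISTER", uri, n1)
    accepted = reg.verify(user, "REGISTER", uri, n1, resp)
    replay_same_nonce = reg.verify(user, "REGISTER", uri, n1, resp)
    replay_new_nonce = reg.verify(user, "REGISTER", uri, reg.challenge(), resp)
    return accepted, replay_same_nonce, replay_new_nonce
```

Only the password stays off the wire; the username, realm, nonce, URI and response all travel in the SIP headers, so password strength and restricting who can reach the trunk still matter.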



Re: sip security



Thanks for your feedback on this Doug. Have you seen this?
https://learningnetwork.cisco.com/blogs/network-sheriff/2009/05/26/confessions-of-a-voip-hacker

Midway through the article it mentions 'SIPScan to enumerate more info'.
This sounds like sip trunk sniffing, would you agree?


Re: sip security






Here's a demo of sipscan in action. You can also download it yourself.

http://enablesecurity.com/products/enablesecurity-voippack-sipscan-demo/

SIP is a very chatty protocol.

Most people setting up a "PBX" type application of SIP usually are
very lazy about security surrounding the protocol, letting anybody
connect to it. By default it will let anybody connect. What they can
do beyond that is really up to how the device is set up beyond that.
(And since things like Cisco gateways doing SIP offer you an infinite
number of ways to configure things beyond that, many are going to be
very insecure methods).

Since SIP allows two way control of things that potentially can cost
you money, make sure you know who is connecting to your SIP trunks, or
throw the whole thing behind a firewall, only opening up the smallest
hole you need to have it work.

It's not like HTTP which generally only allows one way flow of data down.

Re: sip security



I would highly recommend that the original poster, tg, study up a bit
more on the SIP protocol, hashes that don't use salts, rainbow tables,
best practices for deploying SIP services. Then they may wish to decide
whether their current Cisco gear is best suited for their deployment.
Below are a few places to start aside from contacting the TAC, turning
on SIP packet inspection, etc.

http://en.wikipedia.org/wiki/Rainbow_table
http://en.wikipedia.org/wiki/Session_Initiation_Protocol
http://www.sipcenter.com/sip.nsf/html/Firewalls+Security

-Gary

Re: sip security





It's much worse: one could use your router as a toll fraud chain...



Re: sip security



Fortunately I only have a small amount in payg credit so that's the most I
could lose. But how could anyone on the WAN side 'use my router'?
