
Usage: SIPDiscover

Moritz Abrell edited this page Mar 23, 2021 · 3 revisions

Overview

SIPDiscover is a tool to gather information about a SIP service. For example, if a potential SIP service has been identified via a port scan or other methods, then SIPDiscover helps to gather more information and identify potential vulnerabilities.

SIPDiscover uses predefined SIP requests, which are stored in the subdirectory "requests", adapts them to the specified parameters and sends them to the target server. To add your own requests, put your request files into this subdirectory.

Tool directory: WireBug/tools/SIPDiscover

Usage

Required arguments:

  • --dst = Destination IP address of the SIP service
  • --src = The IP address of the interface you want to use. If the protocol is UDP, you are also able to spoof the IP address
  • --domain = The SIP domain. If you don't know the SIP domain, try the destination IP address as the SIP domain

Example usage:

  • Discover a UDP SIP service:

python sipdiscover.py --dst 192.168.122.153 --src 192.168.122.1 --domain 192.168.153

  • Discover a UDP SIP service with SIP extension 100:

python sipdiscover.py --dst 192.168.122.153 --src 192.168.122.1 --domain 192.168.153 --proto udp --user 100

  • Discover a TCP SIP service with destination port 5080:

python sipdiscover.py --dst 192.168.122.153 --src 192.168.122.1 --domain 192.168.153 --proto tcp --dport 5080

  • Discover a TLS SIP service with WireBug's default certificate:

python sipdiscover.py --dst 192.168.122.153 --src 192.168.122.1 --domain 192.168.153 --proto tls --dport 5061

  • Discover a TLS SIP service with your own certificate and key:

python sipdiscover.py --dst 192.168.122.153 --src 192.168.122.1 --domain 192.168.153 --proto tls --dport 5061 --crt /tmp/cert.crt --key /tmp/key.key

Notes

Take a close look at the output of SIPDiscover. In addition to information leaks such as version numbers in Server or User-Agent headers, other interesting information may be returned that requires further investigation.

Interesting Response-Lines:

  • "SIP/2.0 100 Trying": The SIP service is trying to handle your request. You should look at later responses.
  • "SIP/2.0 200 OK": Depending on the request, this status code may mean that there is a security risk. Related requests are: INVITE, REGISTER, BYE, UPDATE and SUBSCRIBE.
  • "SIP/2.0 180 Ringing", "SIP/2.0 181 Call Is Being Forwarded", "SIP/2.0 182 Queued" and "SIP/2.0 183 Session Progress": These status codes may mean that there is a security risk. Related requests are: INVITE, BYE, UPDATE and SUBSCRIBE.
  • "SIP/2.0 407 Proxy Authentication Required" and "SIP/2.0 401 Unauthorized": This means there is a potential vulnerability for online password brute-force attacks.

Reason-Header:

If you see "Reason:" in the output, the SIP service responds with an error reason. Check if there is any interesting information in there.
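
The notes above can be applied mechanically when reviewing the responses of a SIP service you operate. The following Python code is an added example, not part of WireBug or SIPDiscover: the function name `triage`, the finding tags and the sample responses (including the product names in them) are constructed for illustration.

```python
import re

# Status codes and related request methods as listed in the notes above.
OK_METHODS = {"INVITE", "REGISTER", "BYE", "UPDATE", "SUBSCRIBE"}
PROGRESS_METHODS = {"INVITE", "BYE", "UPDATE", "SUBSCRIBE"}
LEAK_HEADERS = {"server", "user-agent", "reason"}
STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3})\b")

def triage(method, raw):
    """Return (tag, detail) findings for one response to a `method` request."""
    text = raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw
    head = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]  # drop any message body
    lines = re.split(r"\r?\n", head)
    m = STATUS_RE.match(lines[0])
    if not m:
        return [("error", "not a SIP/2.0 response")]
    code, method, findings = int(m.group(1)), method.upper(), []
    if code == 100:
        findings.append(("provisional", "100: look at later responses"))
    elif code == 200 and method in OK_METHODS:
        findings.append(("accepted", f"200 to {method}: possible security risk"))
    elif code in (180, 181, 182, 183) and method in PROGRESS_METHODS:
        findings.append(("accepted", f"{code} to {method}: possible security risk"))
    elif code in (401, 407):
        findings.append(("auth", f"{code}: potential online brute-force exposure"))
    # Headers that leak versions or error reasons are reported verbatim.
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in LEAK_HEADERS:
            findings.append(("header", f"{name.strip()}: {value.strip()}"))
    return findings

# Constructed sample responses (not captured from a real server).
SAMPLE_401 = (b"SIP/2.0 401 Unauthorized\r\n"
              b"Server: ExamplePBX 1.0\r\n"
              b'WWW-Authenticate: Digest realm="example", nonce="abc"\r\n'
              b"Content-Length: 0\r\n\r\n")
SAMPLE_183 = (b"SIP/2.0 183 Session Progress\r\n"
              b'Reason: Q.850;cause=16;text="Normal call clearing"\r\n'
              b"Content-Length: 0\r\n\r\n")
SAMPLE_200 = b"SIP/2.0 200 OK\r\nUser-Agent: ExamplePhone 2.3\r\n\r\n"

if __name__ == "__main__":
    for method, sample in (("REGISTER", SAMPLE_401), ("INVITE", SAMPLE_183),
                           ("OPTIONS", SAMPLE_200)):
        print(method, triage(method, sample))
```

A "200 OK" to OPTIONS produces no status finding here because OPTIONS is not among the related requests listed above; only its User-Agent header is reported.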
