Friday, January 14, 2011

Dionaea SIP module test

Here is the listing of my test of the Dionaea SIP module with sipvicious. sipvicious is one of the de-facto SIP auditing tools for VoIP systems. The test was performed with svmap.py, specifying some of the common request methods that a legitimate VoIP system supports.

Below is the sipvicious output, followed by the Dionaea log output for each method:


C:\sipvicious>python svmap.py -s session1 -v 192.168.56.101

INFO:DrinkOrSip:Db does sync
INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:unknown:unknown -> 192.168.56.101:5060 -> unknown -> 3CXPhoneSystem
INFO:root:we have 1 devices
| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | 3CXPhoneSystem |

INFO:root:Total time: 0:00:03.223000

C:\sipvicious>python svmap.py -m OPTIONS 192.168.56.101

| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | 3CXPhoneSystem |

C:\sipvicious>python svmap.py -m CANCEL 192.168.56.101

| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | Viceroy 1.2 / T-Com Speedport W500V / Firmware v1.37 / MxSF/v3.2.6.26 / ET747-a3 |

[14012011 00:11:13] sip dionaea/sip.py:1118: Received CANCEL
[14012011 00:11:15] connection connection.c:3825: connection 0x9b35cb8 none/udp/none [192.168.56.101:5060->192.168.56.1:5060] state: none->close
[14012011 00:11:15] connection connection.c:3825: connection 0x9b35cb8 none/udp/close [192.168.56.101:5060->192.168.56.1:5060] state: close->close
[14012011 00:11:15] logsql dionaea/logsql.py:574: attackid 21567 is done

Note: Wireshark shows the packet as malformed.


C:\sipvicious>python svmap.py -m REGISTER 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m INVITE 192.168.56.101

WARNING:root:found nothing
[14012011 00:08:33] sip dionaea/sip.py:833: SIP Session created
[14012011 00:08:33] sip dionaea/sip.py:975: Received INVITE
[14012011 00:08:33] sip dionaea/sip.py:1183: Mandatory header content-type not in message

C:\sipvicious>python svmap.py -m ACK 192.168.56.101

WARNING:root:found nothing
[14012011 00:10:55] sip dionaea/sip.py:833: SIP Session created
[14012011 00:10:55] sip dionaea/sip.py:1061: Received ACK
[14012011 00:10:55] sip dionaea/sip.py:1069: Given Call-ID does not belong to any session: exit

C:\sipvicious>python svmap.py -m BYE 192.168.56.101

WARNING:root:found nothing
[14012011 00:12:42] sip dionaea/sip.py:833: SIP Session created
[14012011 00:12:42] sip dionaea/sip.py:1101: Received BYE
[14012011 00:12:42] sip dionaea/sip.py:1109: Given Call-ID does not belong to any session: exit

C:\sipvicious>python svmap.py -m PRACK 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m SUBSCRIBE 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m NOTIFY 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m PUBLLISH 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m INFO 192.168.56.101
WARNING:root:found nothing

C:\sipvicious>python svmap.py -m REFER 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m UPDATE 192.168.56.101
WARNING:root:found nothing

C:\sipvicious>python svmap.py -m MESSAGE 192.168.56.101

WARNING:root:found nothing

[14012011 00:16:27] sip dionaea/sip.py:966: Unknown SIP header (supported: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER and SIP responses

From this quick test, the current Dionaea SIP module handles the OPTIONS and CANCEL methods well. Several SIP methods could be improved in the Dionaea SIP module, such as INVITE, ACK, BYE and REGISTER, including support for the request and replying with the correct response. I will work on it soon.
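The Dionaea log line above lists the methods the module knows (INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER) and the checks it applies: a mandatory Content-Type header on INVITE, and a Call-ID that must belong to a known session for ACK and BYE. The following Python sketch is added here as an example; it is not Dionaea's sip.py and not sipvicious code. It parses a SIP request, applies the same checks, and sends the reply a real PBX would, which is the kind of "correct response" improvement proposed above. The "3CXPhoneSystem" banner, the "pbx.example" realm and the requests built by sample() are assumptions for the demo, not values taken from the scan.

```python
"""Toy SIP request dispatcher modelled on the checks in the Dionaea log above.
Added example, not Dionaea's sip.py.  The banner, the realm and the sample
requests are assumptions made for this demo, not captured traffic."""
import re
import secrets

SUPPORTED = ("INVITE", "ACK", "OPTIONS", "BYE", "CANCEL", "REGISTER")
SERVER_BANNER = "3CXPhoneSystem"   # assumed banner, not Dionaea's real value
REALM = "pbx.example"              # assumed realm for the REGISTER challenge
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) SIP/2\.0$")
# RFC 3261 compact header forms, expanded so a scanner cannot dodge the checks.
COMPACT = {"i": "call-id", "c": "content-type", "v": "via", "f": "from", "t": "to"}


def parse_request(raw):
    """Return (method, uri, headers, body), or None if this is not SIP/2.0."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:                                # header names are case-insensitive
            key = name.strip().lower().decode(errors="replace")
            headers[COMPACT.get(key, key)] = value.strip().decode(errors="replace")
    return m.group(1).decode(), m.group(2).decode(), headers, body


class SipHoneypot:
    """Answers each supported method the way a small PBX would."""

    def __init__(self):
        self.sessions = {}   # Call-ID -> "early" | "confirmed"
        self.log = []        # what Dionaea would write to its log

    def _reply(self, req, code, reason, extra=()):
        hdr = req[2]
        lines = [f"SIP/2.0 {code} {reason}"]
        for key, name in (("via", "Via"), ("from", "From"), ("to", "To"),
                          ("call-id", "Call-ID"), ("cseq", "CSeq")):
            if key in hdr:                     # echo the dialog headers back
                lines.append(f"{name}: {hdr[key]}")
        lines += [f"Server: {SERVER_BANNER}", *extra, "Content-Length: 0"]
        return "\r\n".join(lines) + "\r\n\r\n"

    def handle(self, raw):
        """Return the response text, or None where SIP sends no reply."""
        req = parse_request(raw)
        if req is None:
            self.log.append("not a SIP request, dropped")
            return None
        method, _, hdr, _ = req
        call_id = hdr.get("call-id")
        if method not in SUPPORTED:
            self.log.append(f"Unknown SIP method {method} (supported: {', '.join(SUPPORTED)})")
            return self._reply(req, 501, "Not Implemented")
        if method == "OPTIONS":
            return self._reply(req, 200, "OK", [f"Allow: {', '.join(SUPPORTED)}"])
        if method == "REGISTER":              # challenge first, then refuse
            if "authorization" not in hdr:
                return self._reply(req, 401, "Unauthorized",
                    [f'WWW-Authenticate: Digest realm="{REALM}", nonce="{secrets.token_hex(8)}"'])
            user = re.search(r'username="([^"]*)"', hdr["authorization"])
            self.log.append(f"REGISTER attempt for user {user.group(1) if user else '?'}")
            return self._reply(req, 403, "Forbidden")
        if method == "INVITE":
            if "content-type" not in hdr:     # the check Dionaea logged
                self.log.append("Mandatory header content-type not in message")
                return self._reply(req, 400, "Bad Request")
            self.sessions[call_id] = "early"
            return self._reply(req, 200, "OK")
        # ACK, BYE and CANCEL must refer to a Call-ID we have already seen.
        if call_id not in self.sessions:
            self.log.append(f"Given Call-ID does not belong to any session: {method} ignored")
            # ACK is never answered; BYE/CANCEL get 481 per RFC 3261.
            return None if method == "ACK" else self._reply(req, 481, "Call/Transaction Does Not Exist")
        if method == "ACK":
            self.sessions[call_id] = "confirmed"
            return None
        del self.sessions[call_id]            # BYE or CANCEL ends the session
        return self._reply(req, 200, "OK")


def sample(method, extra=(), call_id="a84b4c76e66710@192.168.56.1"):
    """Constructed request in svmap style; not a capture from the scan above."""
    lines = [f"{method} sip:100@192.168.56.101 SIP/2.0",
             "Via: SIP/2.0/UDP 192.168.56.1:5060;branch=z9hG4bK776asdhds",
             "From: <sip:svmap@192.168.56.1>;tag=1", "To: <sip:100@192.168.56.101>",
             f"Call-ID: {call_id}", f"CSeq: 1 {method}", *extra, "Content-Length: 0"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()
```

Feeding `sample("INVITE")` (no Content-Type, as svmap sends it) returns a 400 and logs the same "Mandatory header content-type" line Dionaea wrote; `sample("ACK")` and `sample("BYE")` with an unknown Call-ID produce the "does not belong to any session" line, with no reply for ACK and a 481 for BYE. REGISTER answers with a Digest challenge and then 403, so a credential-guessing tool keeps sending and every username it tries ends up in the log.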

References:
How to use svmap: http://code.google.com/p/sipvicious/wiki/SvmapUsage
List of SIP request methods: http://en.wikipedia.org/wiki/SIP_Requests

1 comment:

  1. a) svmap.py doesn't produce proper INVITE / ACK / BYE or REGISTER messages, only proper OPTIONS messages
     b) for REGISTER they should have tested svcrack and svwar

     - sandro (sipvicious .. get in touch if you're running another round)