TMCnet News

Cracking IP-PBX SIP Passwords - Be Afraid!
[June 28, 2010]


Originally posted on VoIP & Gadgets Blog, here: http://blog.tmcnet.com/blog/tom-keating/asterisk/cracking-ip-pbx-sip-passwords---be-afraid.asp.

A few years ago I had an email conversation with Chris Lyman, the former CEO of Fonality, the makers of trixbox IP-PBX systems. I expressed concern that their trixbox Pro system was using the MAC address both for the password and the username, which for obvious reasons isn't very secure.

Below is the email conversation slightly edited for security and clarification reasons, followed by some further thoughts on SIP security:
________

Chris,
Security is going to be a huge competitive advantage after we see some high profile VoIP intrusions.

How about forcing users to change their voicemail PIN after X number of days? TMC's voicemail was hacked many years ago. (see link/story below)

More importantly, how about automatically changing extension passwords every month and then flash all of the phones with the new passwords at 3am? This can be done easily with Aastra phones.

Read my article including the comments from Ward Mundy:

http://blog.tmcnet.com/blog/tom-keating/voip/analysis-of-a-voip-attack.asp

____________

Tom,
Interesting article. DISA is not enabled on trixbox Pro or PBXtra, so no worries there.

However, you can cause some financial or privacy damage if you get a vm password. On the financial side, if the extension has the ability to make outbound calls from the voicemail system, then you could make free calls that way. On the privacy side, you could listen to someone's voicemail.

So, here is what we will do in the 2.1 release of trixbox Pro (coming to you in a couple of months):

1. Force strong vm passwords (no "1111", etc.)
2. Auto-expire all existing weak vm passwords (next login to the User Panel will force you to change it)
3. Auto-expire *all* vm passwords every 180 days.
4. Randomize vm passwords for all new systems provisioned.
5. Disable "CallOut" on all existing and new extensions. This should eliminate the financial risk.

In addition, trixbox Pro 2.1 carries a few other new security features coming:

1. Force strong password on user panel
2. Force strong password on admin panel
3. Auto-expiry of admin password every 180 days on admin panel

Why aren't we auto-expiring user panel password? Huge pain! People's FONcall will break. Their click-to-call will break. Their HUD won't log-in - very disruptive!

FYI, trixbox Pro and PBXtra already (for a long time now) have brute force protection with IP-address lockout for the Web Admin and Web User Panels.

Good stuff Tom...thanks!

Should I reach out to you when we launch 2.1, I bet the telephony world would like to see some of the measures we have already and are *soon* to be taking in the area of security.

____________

Chris,
Good stuff! Sounds like I may have given you some ideas for password security.

You covered 2 out of the 3 passwords in your email.

You didn't mention IP phone passwords.

For instance, aastra phones have this in the .cfg file for each MAC address:

sip line1 auth name: 00085D3D23E0
sip line1 password: 00085D3D23E0
sip line1 user name: 00085D3D23E0

By default auto-provisioned phones use the MAC address for BOTH the username & password. A hacker that finds a trixbox server listening on port 5060 could in theory guess the MAC address and password. Don't forget, each IP phone provider like any network device is assigned a unique 6 string MAC address (1st 6 digits/letters). So for Aastra, it's 00085D.
You can see that with this nifty mac address lookup tool:
http://www.coffer.com/mac_find/?string=00085D

That only leaves 3D23E0 remaining in the password or 6 additional characters. I believe the number of combinations is 6 letters (A-F) + 10 digits = 16^6 = 16,777,216 combinations to try and register with the SIP server by "hacking" all the Aastra combinations (assuming auth name is the same as the password). Once you get a successful registration, voilà, free calling!

Still, probably pretty hard to do. [they'd have to guess a MAC address you're using plus assume you are using the same for the password]

Still, my idea in my original email is to change the password in the phone's .cfg file periodically. Though I don't think anyone is doing this yet.

Would require trixbox pro to modify each MAC address file, pick a random password, and then "push" out the new password to the phones & reboot them at say 3am. Could do this once per 3 months or something.

Thoughts?

____________


Tom,

  >Tom: Good stuff! Sounds like I may have given you some ideas for password security.

Yes, actually you did! Some of this was stuff already on the table, but the random expiry was a really nice call. Tx for the nudge.

  >Tom: You didn't mention IP phone passwords.

Ah, yes...figured you were going to ask about this...

trixbox Pro 2.1 will have randomly generated SIP passwords. We considered auto-expiring them, but given that our customers use every type of phone from Aastra, to Cisco, to Polycom, to Counterpath, to Snom, to Grandstream...you can imagine the headache of auto-expiry. In fact, it actually becomes dangerous to do so because you can't guarantee a phone will get its new configuration file in case it's remote or is specifically configured not to get its configuration file or pointing to a different TFTP/FTP server. If the phone is unable to get the new configuration file, we've just prevented the phone from working.

It's actually pretty hard to pull off the attack you described. Not that I like publicly providing a blueprint for how to hack the baby I have spent 5 years building, but...

Assuming you knew a trixbox Pro's public IP address, it had port forwarding enabled for remote phones, and you knew a model of phone it was using (such as Polycom or Aastra), you would be able to brute force a username and password in a few days to a few weeks...you could hijack the phone. That is what I call the "stackable if" problem and probability starts decreasing in step functions at each layer.

There are 16^6 combos (16,777,216). With this number, at 10 attempts a second, assuming you knew a trixbox Pro's public IP address, it had port forwarding enabled for remote phones, and you knew a model of phone it was using (such as Polycom or Aastra)...your half-life toward a brute force attack would be 9.709 days of sustained 24 hour attacking and you would reach a 100% intrusion rate at 19.42 days.

../chris

____________

Chris,

Great reply.

I agree it would be tough to crack. Not to mention you'd have to throttle the brute force attack since some SIP servers might get overloaded, thus tipping off the IT/phone admin.

____
[end email thread]

Even though I wrote 'Great reply' in my last reply to Chris, I still didn't like his answer. Essentially, trixbox Pro was relying on "security by obscurity", hoping a brute-force SIP cracker couldn't guess the MAC address that served as both the username and the password.
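As an added illustration (not part of the original post or of trixbox), here is a small Python audit an admin could run over Aastra-style provisioning files to flag the MAC-as-password pattern quoted in the thread, plus a function that recomputes the brute-force figures Chris gave (16^6 candidates at 10 attempts/second). The sample config and the function names are constructed for this example.

```python
import re

# Constructed sample modelled on the three "sip line1" lines quoted in the thread:
# line1 uses the MAC for auth name, password and user name; line2 is a sane control case.
SAMPLE_CFG = """\
sip line1 auth name: 00085D3D23E0
sip line1 password: 00085D3D23E0
sip line1 user name: 00085D3D23E0
sip line2 auth name: 2001
sip line2 password: x7Qp!vL2mR9s
sip line2 user name: 2001
"""

LINE_RE = re.compile(r"^sip line(\d+) (auth name|password|user name):\s*(\S*)\s*$")

def parse_cfg(text):
    """Group 'sip lineN <key>: <value>' settings into {N: {key: value}}."""
    lines = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            lines.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return lines

def weak_credentials(text, mac=None):
    """Return [(line_no, reason)] for SIP lines whose password is derivable from
    public data: empty, equal to the username, equal to the device MAC (if given),
    or simply shaped like a 12-hex-digit MAC address."""
    findings = []
    for n, s in sorted(parse_cfg(text).items()):
        pw = s.get("password", "")
        if not pw:
            findings.append((n, "empty password"))
        elif pw in (s.get("auth name"), s.get("user name")):
            findings.append((n, "password equals username"))
        elif mac and pw.upper() == mac.upper():
            findings.append((n, "password equals device MAC"))
        elif re.fullmatch(r"[0-9A-Fa-f]{12}", pw):
            findings.append((n, "password looks like a MAC address"))
    return findings

def brute_force_days(oui_known=True, rate_per_sec=10):
    """(half, full) days to exhaust a MAC-derived password keyspace at rate_per_sec.
    With the vendor OUI known, only the 6 trailing hex digits remain: 16**6 candidates."""
    keyspace = 16 ** 6 if oui_known else 16 ** 12
    full = keyspace / rate_per_sec / 86400
    return round(full / 2, 2), round(full, 2)
```

Any line reported by `weak_credentials` is a candidate for the randomized SIP password the thread argues for; `brute_force_days()` reproduces the roughly 9.7 / 19.4 day figures from the email.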
