Asterisk forensics: the logs vs the attackers
Last updated: Apr 17, 2020
Recently I had the opportunity to present on VoIP insecurity around various conferences this year, on my own and also with Joffrey Czarny.
At Secure 2011 we had one day a workshop and one of the things we showed was the effect of a typical SIPVicious attack on an Asterisk box. The following videos (best seen in full screen and high quality) illustrate what happens.
When we run svmap.py, nothing usually shows up on the asterisk logs.
Running svwar.py floods the logs with attempts for registrations for various extensions.
Running svcrack.py on a valid extension shows a large number of “Wrong password” errors.
Enumeration and password cracking are not the only attacks being performed on target PBX systems on the Internet. Honeypots and victims are able to pick up a number of INVITE scans looking for “open sip relays”. This is a vulnerability that may affect SIP gateways without proper access control or badly configured dialplans that allow calls to pass through without authentication.
The following video shows how this looks when done using X-lite (which is what some of the attackers are using) on an Asterisk box. You can see the log entries filling up.
Hope someone finds this useful when looking at log files or studying attacks on SIP. Feedback is welcome as always