Pepelux / sippts

Set of tools to audit SIP based VoIP Systems
GNU General Public License v3.0

SIP register lack of authentication using sipsend.py #30

Closed AH-M-ED closed 1 year ago

AH-M-ED commented 1 year ago

Hello. First of all, thanks for the great work here!

Target: FreePBX server

I was trying to send a register request using

python3 sipsend.py -i 192.168.235.140 -r 5060 -m register --user 100 --pass xxx

output

REGISTER sip:192.168.235.140 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.112:48617;branch=tqabdqwqky8h2sqbysaxndqaqteeh33bfa5s15qqsaof3zfzxtu32gdto1w6u0p39qtx3d8
From:  <sip:100@192.168.235.140>;tag=dedcedd4
To:  <sip:100@192.168.235.140>
Contact: <sip:100@192.168.1.112:48617;transport=UDP>
Call-ID: c4db093cfefecf76ce41504c057dbaea
CSeq: 1 REGISTER
Max-Forwards: 70
User-Agent: pplsip
Allow: INVITE,REGISTER,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE,PRACK,MESSAGE
Expires: 10
Content-Length: 0

It should be something like this

REGISTER sip:192.168.235.140 SIP/2.0
Via: SIP/2.0/UDP 192.168.235.136:59550;rport;branch=z9hG4bKPje98bd1d2ce874495a34804a9fe0ae868
Max-Forwards: 70
From: <sip:100@192.168.235.140>;tag=db59db57b8a948559b7a5273075e2007
To: <sip:100@192.168.235.140>
Call-ID: b717c340934244bc9e0a2c995f0d11f3
CSeq: 29154 REGISTER
User-Agent: MicroSIP/3.19.30
Contact: <sip:100@192.168.235.136:59550;ob>
Expires: 300
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Authorization: Digest username="100", realm="asterisk", nonce="1668091363/ddf4099f6194d8b4ac230cc29b592a9d", uri="sip:192.168.235.140", response="fe613118d46b561eda759ae9cc08eafa", algorithm=md5, cnonce="bca6134cc2d34fc6863bd40a4efc45b1", opaque="66db59972a4067c4", qop=auth, nc=00000001

It seems that sipsend.py doesn't do the authentication when doing a REGISTER request, hence you will always get a SIP/2.0 401 Unauthorized response. As you can see, the Authorization header is missing.

Thanks.

AH-M-ED commented 1 year ago

Hello,

After further testing, I can confirm that the same issue happens with sipinvite.py (not just sipsend.py).

Thanks.

Pepelux commented 1 year ago

Hi

I've tried it and it works fine. Maybe you must set -fu with the same user in --user, or maybe pplsip user-agent is filtered:

$ ./sipsend.py -i sip.myserver.com -m register --user MYUSER --pass MYPASS -fu MYUSER

☎️  SIPPTS BY 🅿 🅴 🅿 🅴 🅻 🆄 🆇

█████████████████████████████████████████████
█─▄▄▄▄█▄─▄█▄─▄▄─███─▄▄▄▄█▄─▄▄─█▄─▀█▄─▄█▄─▄▄▀█
█▄▄▄▄─██─███─▄▄▄███▄▄▄▄─██─▄█▀██─█▄▀─███─██─█
▀▄▄▄▄▄▀▄▄▄▀▄▄▄▀▀▀▀▀▄▄▄▄▄▀▄▄▄▄▄▀▄▄▄▀▀▄▄▀▄▄▄▄▀▀

💾 https://github.com/Pepelux/sippts
🐦 https://twitter.com/pepeluxx

[✓] Target: sip.myserver.com:5060/UDP
[✓] Customized From User: MYUSER

[+] Sending to sip.myserver.com:5060/UDP ...
REGISTER sip:sip.myserver.com SIP/2.0
Via: SIP/2.0/UDP 192.168.2.102:39109;branch=cc5cbwj7s0u7kchv50hnfuyw3xqikllm3u9aqtcxu2d4sj8u7lmwwdt1iexhznzln0jr2r6
From:  <sip:MYUSER@sip.myserver.com>;tag=b84da350
To:  <sip:MYUSER@sip.myserver.com>
Contact: <sip:MYUSER@192.168.2.102:39109;transport=UDP>
Call-ID: 0e1047a549f1e9af48157c9f487dbcbb
CSeq: 1 REGISTER
Max-Forwards: 70
User-Agent: pplsip
Allow: INVITE,REGISTER,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE,PRACK,MESSAGE
Expires: 10
Content-Length: 0

[-] Receiving from sip.myserver.com:5060/UDP ...
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.2.102:39109;rport=39109;received=X.X.X.X;branch=cc5cbwj7s0u7kchv50hnfuyw3xqikllm3u9aqtcxu2d4sj8u7lmwwdt1iexhznzln0jr2r6
From:  <sip:MYUSER@sip.myserver.com>;tag=b84da350
To:  <sip:MYUSER@sip.myserver.com>;tag=199f6dbec561f48acc074724c17bad7f.4dc20000
Call-ID: 0e1047a549f1e9af48157c9f487dbcbb
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="sip.myserver.com", nonce="Y33v32N97rMlpm0Hvw5brvKaONnmm7x+", qop="auth"
Server: MySIPServer
Content-Length: 0

[+] Request ACK
ACK sip:sip.myserver.com SIP/2.0
Via: SIP/2.0/UDP 192.168.2.102:39109;rport=39109;received=X.X.X.X;branch=cc5cbwj7s0u7kchv50hnfuyw3xqikllm3u9aqtcxu2d4sj8u7lmwwdt1iexhznzln0jr2r6
From:  <sip:MYUSER@sip.myserver.com>;tag=b84da350
To:  <sip:MYUSER@sip.myserver.com>;tag=199f6dbec561f48acc074724c17bad7f.4dc20000
Call-ID: 0e1047a549f1e9af48157c9f487dbcbb
CSeq: 1 ACK
Max-Forwards: 70
Content-Length: 0

[+] Sending to sip.myserver.com:5060/UDP ...
REGISTER sip:sip.myserver.com SIP/2.0
Via: SIP/2.0/UDP 192.168.2.102:39109;rport=39109;received=X.X.X.X;branch=cc5cbwj7s0u7kchv50hnfuyw3xqikllm3u9aqtcxu2d4sj8u7lmwwdt1iexhznzln0jr2r6
From:  <sip:MYUSER@sip.myserver.com>;tag=b84da350
To:  <sip:MYUSER@sip.myserver.com>
Contact: <sip:MYUSER@192.168.2.102:39109;transport=UDP>
Call-ID: 0e1047a549f1e9af48157c9f487dbcbb
Authorization: Digest username="MYUSER", realm="sip.myserver.com", nonce="Y33v32N97rMlpm0Hvw5brvKaONnmm7x+", uri="sip:MYUSER@sip.myserver.com", response="35d30464c0a6d8e9b5907f83a874590e", algorithm=MD5, qop=auth, cnonce="xh96r1bo", nc=00000001
CSeq: 2 REGISTER
Max-Forwards: 70
User-Agent: pplsip
Allow: INVITE,REGISTER,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE,PRACK,MESSAGE
Expires: 10
Content-Length: 0

[-] Receiving from sip.myserver.com:5060/UDP ...
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.2.102:39109;rport=39109;received=X.X.X.X;branch=cc5cbwj7s0u7kchv50hnfuyw3xqikllm3u9aqtcxu2d4sj8u7lmwwdt1iexhznzln0jr2r6
From:  <sip:MYUSER@sip.myserver.com>;tag=b84da350
To:  <sip:MYUSER@sip.myserver.com>;tag=199f6dbec561f48acc074724c17bad7f.4dc20000
Call-ID: 0e1047a549f1e9af48157c9f487dbcbb
CSeq: 2 REGISTER
Contact: <sip:MYUSER@X.X.X.X:15075;transport=udp>;expires=15;+sip.instance="<urn:uuid:153797d5-f4b9-004e-91cb-26876292d997>"
Supported: outbound
Server: MySIPServer
Content-Length: 0

Pepelux commented 1 year ago

I just committed an update to set From-User to the same value as --user (if it is set)

AH-M-ED commented 1 year ago

Thanks, I'm still having a problem with registering, and what I see is that the nonce on the second REGISTER request is empty. Maybe this is the cause of the register issue!

./sipsend.py -i 192.168.235.140 -m register --user 100 --pass xxx -fu 100

☎️  SIPPTS BY 🅿 🅴 🅿 🅴 🅻 🆄 🆇

█████████████████████████████████████████████
█─▄▄▄▄█▄─▄█▄─▄▄─███─▄▄▄▄█▄─▄▄─█▄─▀█▄─▄█▄─▄▄▀█
█▄▄▄▄─██─███─▄▄▄███▄▄▄▄─██─▄█▀██─█▄▀─███─██─█
▀▄▄▄▄▄▀▄▄▄▀▄▄▄▀▀▀▀▀▄▄▄▄▄▀▄▄▄▄▄▀▄▄▄▀▀▄▄▀▄▄▄▄▀▀

💾 https://github.com/Pepelux/sippts
🐦 https://twitter.com/pepeluxx

[✓] Target: 192.168.235.140:5060/UDP

[+] Sending to 192.168.235.140:5060/UDP ...
REGISTER sip:192.168.235.140 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.112:51639;branch=4s82qm4pofn7qmfcjybqmzg9z1vdy5l38wsikvwqgt3ywdmujbafahkxphz5f4jeqam73mo
From:  <sip:100@192.168.235.140>;tag=e2a19cfb
To:  <sip:100@192.168.235.140>
Contact: <sip:100@192.168.1.112:51639;transport=UDP>
Call-ID: d7e2209acfabcf7ca099a492e13d83ce
CSeq: 1 REGISTER
Max-Forwards: 70
User-Agent: pplsip
Allow: INVITE,REGISTER,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE,PRACK,MESSAGE
Expires: 10
Content-Length: 0

[-] Receiving from 192.168.235.140:5060/UDP ...
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.112:51639;rport=51639;received=192.168.235.1;branch=4s82qm4pofn7qmfcjybqmzg9z1vdy5l38wsikvwqgt3ywdmujbafahkxphz5f4jeqam73mo
Call-ID: d7e2209acfabcf7ca099a492e13d83ce
From: <sip:100@192.168.235.140>;tag=e2a19cfb
To: <sip:100@192.168.235.140>;tag=4s82qm4pofn7qmfcjybqmzg9z1vdy5l38wsikvwqgt3ywdmujbafahkxphz5f4jeqam73mo
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="asterisk",nonce="1669214131/ee76a3843d9bb9553a32d4d511b92c85",opaque="3e2cc12d1bc5d6ee",algorithm=MD5,qop="auth"
Server: FPBX-16.0.26(16.28.0)
Content-Length:  0

[+] Request ACK
ACK sip:192.168.235.140 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.112:51639;rport=51639;received=192.168.235.1;branch=4s82qm4pofn7qmfcjybqmzg9z1vdy5l38wsikvwqgt3ywdmujbafahkxphz5f4jeqam73mo
From:  <sip:100@192.168.235.140>;tag=e2a19cfb
To:  <sip:100@192.168.235.140>;tag=4s82qm4pofn7qmfcjybqmzg9z1vdy5l38wsikvwqgt3ywdmujbafahkxphz5f4jeqam73mo
Call-ID: d7e2209acfabcf7ca099a492e13d83ce
CSeq: 1 ACK
Max-Forwards: 70
Content-Length: 0

[+] Sending to 192.168.235.140:5060/UDP ...
REGISTER sip:192.168.235.140 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.112:51639;rport=51639;received=192.168.235.1;branch=4s82qm4pofn7qmfcjybqmzg9z1vdy5l38wsikvwqgt3ywdmujbafahkxphz5f4jeqam73mo
From:  <sip:100@192.168.235.140>;tag=e2a19cfb
To:  <sip:100@192.168.235.140>
Contact: <sip:100@192.168.1.112:51639;transport=UDP>
Call-ID: d7e2209acfabcf7ca099a492e13d83ce
Authorization: Digest username="100", realm="asterisk", nonce="", uri="sip:100@192.168.235.140", response="1a4d44860cb1f4f7b6f214ffc04c5fce", algorithm=MD5, qop=auth, cnonce="v7lq2vsk", nc=00000001
CSeq: 2 REGISTER
Max-Forwards: 70
User-Agent: pplsip
Allow: INVITE,REGISTER,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE,PRACK,MESSAGE
Expires: 10
Content-Length: 0

[-] Receiving from 192.168.235.140:5060/UDP ...
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.112:51639;rport=51639;received=192.168.235.1;branch=4s82qm4pofn7qmfcjybqmzg9z1vdy5l38wsikvwqgt3ywdmujbafahkxphz5f4jeqam73mo
Call-ID: d7e2209acfabcf7ca099a492e13d83ce
From: <sip:100@192.168.235.140>;tag=e2a19cfb
To: <sip:100@192.168.235.140>;tag=4s82qm4pofn7qmfcjybqmzg9z1vdy5l38wsikvwqgt3ywdmujbafahkxphz5f4jeqam73mo
CSeq: 2 REGISTER
WWW-Authenticate: Digest realm="asterisk",nonce="1669214131/ee76a3843d9bb9553a32d4d511b92c85",opaque="5b108e0566703a13",stale=true,algorithm=MD5,qop="auth"
Server: FPBX-16.0.26(16.28.0)
Content-Length:  0

Thanks.

AH-M-ED commented 1 year ago

Hello, I managed to fix the issue by just deleting the \s here: https://github.com/Pepelux/sippts/blob/master/lib/functions.py#L623

Closing this issue as resolved, thanks a lot for your assistance.

Pepelux commented 1 year ago

Fixed. Thanks
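
Added example, not part of the thread and not the sippts code: the failure discussed above (an empty nonce when the server sends `realm="asterisk",nonce="..."` with no space after the commas) is what a whitespace-dependent pattern produces, so this sketch parses the challenge independently of separator layout and refuses to build a response without a nonce. The names `STRICT`, `PARAM`, `parse_challenge` and `digest_response`, the sample challenges, the password and the 192.0.2.10 address are all constructed for illustration.

```python
import hashlib
import re

# Constructed challenges in the two layouts seen in the thread: comma+space
# separated, and comma-only as returned by the FreePBX/Asterisk server.
SPACED = 'Digest realm="sip.example.test", nonce="abc123", qop="auth"'
COMPACT = ('Digest realm="asterisk",nonce="1669214131/ee76",'
           'opaque="3e2c",algorithm=MD5,qop="auth"')

# Hypothetical whitespace-dependent pattern (not the project's line): it only
# finds the nonce when a space precedes it, so COMPACT yields no match.
STRICT = re.compile(r'\snonce="([^"]*)"')

# name=value pairs, value quoted or bare token; separators are not part of
# the pattern, so "a, b" and "a,b" parse identically.
PARAM = re.compile(r'([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_challenge(value):
    """Parse a WWW-Authenticate value into a dict with lower-cased keys."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    params = {}
    for m in PARAM.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    # Fail closed: an empty nonce only produces another 401, as in the thread.
    if not params.get("realm") or not params.get("nonce"):
        raise ValueError("challenge lacks realm or nonce")
    return params

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, ch, cnonce, nc="00000001"):
    """RFC 2617 response for algorithm=MD5, with or without qop=auth."""
    ha1 = md5_hex(f"{user}:{ch['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    qops = [q.strip() for q in ch.get("qop", "").split(",")]
    if "auth" in qops:
        return md5_hex(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return md5_hex(f"{ha1}:{ch['nonce']}:{ha2}")

if __name__ == "__main__":
    for sample in (SPACED, COMPACT):
        ch = parse_challenge(sample)
        print(bool(STRICT.search(sample)), ch["nonce"],
              digest_response("100", "constructed-pass", "REGISTER",
                              "sip:192.0.2.10", ch, "v7lq2vsk"))
```

A regression test for a SIP client's challenge parser should include at least one comma-only challenge like `COMPACT`, since both layouts are valid on the wire.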