Unauthorized SIP inbound traffic from 218.93.205.205
Published: 2010/04/16
It keeps coming, persistently.
Registration from '"436599596"<sip:436599596@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"374192414"<sip:374192414@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
: : :
Registration from '"100"<sip:100@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"101"<sip:101@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"199"<sip:199@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"200"<sip:200@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"204"<sip:204@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"205"<sip:205@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"206"<sip:206@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"207"<sip:207@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"208"<sip:208@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
: : :
Registration from '"9994"<sip:9994@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"9995"<sip:9995@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"9996"<sip:9996@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"9997"<sip:9997@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"9998"<sip:9998@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
Registration from '"9999"<sip:9999@x.x.x.x>' failed for '218.93.205.205' - Username/auth name mismatch
: : :
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
Registration from '"201" <sip:201@x.x.x.x>' failed for '218.93.205.205' - Wrong password
inetnum: 218.90.0.0 - 218.94.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
In terms of behaviour, it first checks whether each of the following usernames (phone numbers / extension numbers) exists:
account admin administrator alex guest mark michael test test1 test12 test123 374192414 436599596 100 to 9999
For any username that does not produce
Username/auth name mismatch
on the SIP server, the response is different, so the attacker concludes that the username exists and launches a brute-force attack against that username.
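The two log signatures above (many different usernames rejected with "Username/auth name mismatch", then many "Wrong password" rejections against a single username) are exactly what a defender can alert on. The following is an added example, not code from the original post or from Asterisk: a small Python script that parses Asterisk chan_sip registration-failure lines in the format shown above, aggregates them per source address, and reports enumeration and brute-force patterns. The log prefix, the thresholds, the source addresses 198.51.100.7 and 192.0.2.10 and the sample lines are all constructed for the example.

```python
"""Detect SIP extension enumeration and password brute force in Asterisk logs.

Added example (not from the original post). It parses the Asterisk
"Registration from ... failed for ... - <reason>" lines and flags, per
source address, two patterns:
  * enumeration: many distinct usernames rejected with
    "Username/auth name mismatch" (probing which extensions exist), and
  * brute force: many "Wrong password" rejections for the same username.
Thresholds, log prefixes and the sample lines are constructed for the example.
"""
import re
from collections import defaultdict

# Matches the chan_sip registration-failure message. Both spellings seen in
# the post, '"201"<sip:...>' and '"201" <sip:...>', are accepted (\s*).
# re.search is used so that a timestamp/level prefix may precede the message.
REG_FAIL_RE = re.compile(
    r"Registration from '\"(?P<user>[^\"]*)\"\s*<sip:(?P<uri_user>[^@>]*)@[^>]*>' "
    r"failed for '(?P<src>[^']+)' - (?P<reason>.+)$"
)

ENUM_THRESHOLD = 5    # distinct rejected usernames from one source (constructed)
BRUTE_THRESHOLD = 5   # wrong-password attempts on one username from one source (constructed)


def parse_line(line):
    """Return (src, user, reason) for a registration-failure line, else None."""
    m = REG_FAIL_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("user"), m.group("reason").strip()


def analyse(lines, enum_threshold=ENUM_THRESHOLD, brute_threshold=BRUTE_THRESHOLD):
    """Aggregate failures per source address and return a list of alerts.

    Each alert is a dict with 'type' ('enumeration' or 'brute_force') and
    'src', plus either 'users' (sorted list) or 'user' and 'count'.
    """
    mismatch_users = defaultdict(set)                  # src -> {usernames}
    wrong_pw = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                   # not a registration failure
        src, user, reason = parsed
        if reason == "Username/auth name mismatch":
            mismatch_users[src].add(user)
        elif reason == "Wrong password":
            wrong_pw[src][user] += 1

    alerts = []
    for src, users in sorted(mismatch_users.items()):
        if len(users) >= enum_threshold:
            alerts.append({"type": "enumeration", "src": src, "users": sorted(users)})
    for src, per_user in sorted(wrong_pw.items()):
        for user, count in sorted(per_user.items()):
            if count >= brute_threshold:
                alerts.append({"type": "brute_force", "src": src,
                               "user": user, "count": count})
    return alerts


# Constructed sample log modelled on the lines in the post. 198.51.100.7 plays
# the scanner; 192.0.2.10 is a legitimate phone that mistyped its password once.
SCANNER = "198.51.100.7"
SAMPLE_LOG = (
    [f"[Apr 16 10:00:{i:02d}] NOTICE[1234] chan_sip.c: Registration from "
     f"'\"{u}\"<sip:{u}@x.x.x.x>' failed for '{SCANNER}' - Username/auth name mismatch"
     for i, u in enumerate(["admin", "test", "100", "101", "199", "200"])]
    + [f"[Apr 16 10:01:{i:02d}] NOTICE[1234] chan_sip.c: Registration from "
       f"'\"201\" <sip:201@x.x.x.x>' failed for '{SCANNER}' - Wrong password"
       for i in range(6)]
    + ["[Apr 16 10:02:00] NOTICE[1234] chan_sip.c: Registration from "
       "'\"202\" <sip:202@x.x.x.x>' failed for '192.0.2.10' - Wrong password",
       "[Apr 16 10:02:01] VERBOSE[1234] logger.c: -- unrelated line the parser must ignore"]
)


def main():
    for alert in analyse(SAMPLE_LOG):
        if alert["type"] == "enumeration":
            print(f"{alert['src']}: extension enumeration, "
                  f"{len(alert['users'])} usernames probed: {', '.join(alert['users'])}")
        else:
            print(f"{alert['src']}: brute force on '{alert['user']}', "
                  f"{alert['count']} wrong-password attempts")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, it reports one enumeration alert (six probed usernames) and one brute-force alert (six wrong passwords on 201) for 198.51.100.7, and nothing for the single mistyped password from 192.0.2.10. Feeding it `tail -f` output of the Asterisk log, or wiring the same logic into fail2ban, turns the pattern the post describes into an automatic block of the source address.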
So, what does this attack actually look like when it is carried out...
There are various related tools, such as SIPp and SIPVicious, but for example it goes like this.
Search for SIP servers that exist in a particular address range or on the net:
% ./svmap.py 10.0.0.1-10.0.0.255
| SIP Device | User Agent | Fingerprint |
----------------------------------------------------
| 10.0.0.1:5060 | Asterisk PBX | Asterisk |
| 10.0.0.2:5060 | Asterisk PBX | Asterisk |
| 10.0.1.1:5060 | Asterisk PBX | Asterisk |
| 10.0.2.1:5060 | Asterisk PBX | Asterisk |
| 10.0.2.2:5060 | Asterisk PBX | Asterisk |
Find out which phone numbers exist on the SIP server that was found. In other words, the good old war dialer...
% ./svwar.py 10.0.0.1
| Extension | Authentication |
------------------------------
| 201 | reqauth |
| 203 | reqauth |
| 202 | reqauth |
Then, cracking against the numbers that were found.
% svcrack.py -u201 -d dictionary.txt 10.0.0.1
: : :
That is how it goes: only the target application changes, and what is actually being done is simple and the same in any era.
And this whole sequence of steps is being run as an automated scenario.
by jyake