[asterisk-biz] PBX got Hacked

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Tue Mar 10 15:54:02 CDT 2009


On Tue, 2009-03-10 at 16:14 -0400, Andrew M. Lauppe wrote:
> We discussed this on freenode #freepbx today, and someone did the
> following math.
> 
> A 20 digit numerical password/secret (numerical meaning only 0-9 -
> obviously), attacked via brute force at 5,000,000 passwords per
> second, would take more than 600,000+ years to crack. I didn't verify
> but it looks about right.
> 
A 20-digit password is 100,000,000,000,000,000,000 combinations, assuming that
there are no blacklisted ones in that space.

100,000,000,000,000 seconds at 5M/sec (for reference, about what the
total US debt is, including social security and other things that
normally don't show on the national debt numbers).

About 3.1M years for an exhaustive search; statistically speaking it
would be half that time on average if you are doing multiple, or about
1.6M years.

If the password is alphanumeric then it goes from 100 million trillion
to 13,367,495,000,000,000,000,000,000,000,000 or 13,367 trillion
trillion and I am not even going into case sensitivity or other
characters that could be used.

If you just used upper case letters and numbers, 10 characters would be
about 23 years @ 5M/sec for an exhaustive search.  12 would be 30k
years.  See below about how this time could be shortened.

> Lesson of the day? Sure, more secure passwords aren't THE solution,
> but they sure help. I'm pretty sure any attempt to brute force a SIP
> password on an asterisk box at anything approaching 5 million passwords
> per second would have side effects that would bring the attack to your
> attention (like bringing your sip stack to its knees perhaps?)
> 

It depends on how they are doing it.  Brute forcing *can* be via captured
packets; everything needed to get the password is in the auth packets in
SIP.  There are a lot of different ways to get the hashes: they may be
able to get the hash without really doing much else, or they may be in a
position to do much more evil things.


> With most phones being auto-provisioned, the length of the password
> shouldn't be a limiting factor. Make your passwords/secrets more
> complex and we can be done with this conversation. Please.
> 
Well, it is MD5 in SIP, so the 5M/sec doesn't really hold if they are
doing it on a botnet or similar that is outside your control via
captured headers.  Of course, stopping people from capturing headers is
beyond the scope of a packet filtering system.


-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721
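The figures traded in this thread are all instances of one calculation: alphabet size raised to the secret length, divided by the guess rate. The script below is an added example (not from the list post or from Asterisk) that puts that calculation into functions so a SIP secret policy can be sized against an assumed guess rate. The 5M/sec online rate comes from the thread; the 1e9/sec offline rate used for comparison is a constructed assumption standing in for the "captured headers, cracked elsewhere" case the reply describes, not a measured number.

```python
"""Keyspace and exhaustive-search time for fixed-length SIP secrets.

Added example; assumptions are marked in the comments.
"""
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes discussed in the thread.
CHARSETS = {
    "digits only": string.digits,                                   # 10 symbols
    "upper + digits": string.ascii_uppercase + string.digits,       # 36 symbols
    "mixed case + digits": string.ascii_letters + string.digits,    # 62 symbols
}

ONLINE_RATE = 5_000_000       # guesses/sec, the figure quoted in the thread
OFFLINE_RATE = 1_000_000_000  # guesses/sec, constructed assumption for an
                              # offline attack on a captured digest exchange


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length


def exhaustive_years(alphabet_size: int, length: int, rate: float) -> float:
    """Years to try every secret in the space at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def expected_years(alphabet_size: int, length: int, rate: float) -> float:
    """Average time to hit one uniformly random secret: half the full search."""
    return exhaustive_years(alphabet_size, length, rate) / 2


def min_length(alphabet_size: int, rate: float, target_years: float) -> int:
    """Smallest length whose exhaustive search takes at least `target_years`."""
    length = 1
    while exhaustive_years(alphabet_size, length, rate) < target_years:
        length += 1
    return length


def policy_table(lengths=(8, 10, 12, 20)):
    """Rows of (charset, length, years@online, years@offline) for a policy review."""
    rows = []
    for name, alphabet in CHARSETS.items():
        for n in lengths:
            rows.append((name, n,
                         exhaustive_years(len(alphabet), n, ONLINE_RATE),
                         exhaustive_years(len(alphabet), n, OFFLINE_RATE)))
    return rows


if __name__ == "__main__":
    print(f"{'charset':22} {'len':>3} {'years @5M/s':>14} {'years @1e9/s':>14}")
    for name, n, online, offline in policy_table():
        print(f"{name:22} {n:>3} {online:>14.3g} {offline:>14.3g}")
    # Minimum digits-only length that survives 100 years of offline guessing
    # under the constructed 1e9/sec assumption.
    print("digits-only length for 100 years @1e9/s:",
          min_length(10, OFFLINE_RATE, 100))
```

The table makes the reply's point visible: the same 20-digit secret that takes hundreds of thousands of years at 5M/sec shrinks by the ratio of the rates once the guessing happens offline against a captured digest, so the guess rate assumption, not the length alone, is what the policy has to be justified against.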
