[asterisk-biz] PBX got Hacked

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Wed Mar 11 14:31:26 CDT 2009 

On Wed, 2009-03-11 at 15:13 -0400, Andrew M. Lauppe wrote:
> > Despite of all the arguments on other things we could do, why not increase
> > the level of security in Asterisk if there is a possibility to do so?
> >   
> Bottom line here, I think, is that the security holes aren't just in
> Asterisk, they're in SIP, and Asterisk has to support SIP. It is SIP
> that passes the usernames/passwords in plaintext. If SIP supported a
> more secure authentication scheme, Asterisk would support it. 
> 

sip does do more secure auth, TLS but its not supported in asterisk
because it requires TCP (RFC requires tcp support anyway, yet asterisk
does not officially do that either).  

And passwords are NOT in plaintext.

The username, nonce, and what you are doing (REGISTER for example) are
all cleartext, but the password is not.  The nonce is a short duration
disposable number to prevent replay attacks.

You can generate the hashes on the command line if you have md5sum
installed.


echo -n "username:sip.proxy.com:password" | md5sum  [H1]
echo -n "REGISTER:sip:sip.proxy.com" | md5sum       [H2]
410af6915afa5485f59c31f118a90440e16f9f92            [nonce]

[H1:nonce:H2]
echo -n
02d0a5e971ca6406d490ab960f26acb7:410af6915afa5485f59c31f118a90440e16f9f92:a498bb31fc00ac6243518fbc4d749a64 | md5sum


hash that is sent: 871117dbfca535464e3efd76fbc94e81


It works just as well for INVITE or other things that require auth.




> Of course, that said, SIPS exists... I do believe Digium is working on
> SIPS support, no?
> 
there has been tls forks for a while, getting them merged into trunk
seems to be where the hold up is.  

-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.digium.com/pipermail/asterisk-biz/attachments/20090311/25c89975/attachment.pgp

More information about the asterisk-biz mailing list