[asterisk-users] Interesting new hack attack
murf at parsetree.com
Thu May 22 11:41:35 CDT 2014
In the past little while, we've seen
a wave of attacks on asterisk, via the
It goes something like this:
A. scan for IP phones on the internet,
either via spotting something on port 5060,
or via the port 80 web interface for the phone.
Or, use web sites that scan the internet, and
classify the machines, to make your work shorter.
B. Once you get into the web GUI, get the URL for provisioning.
I haven't checked yet... do any phones actually
allow you to set this, or do any display the
And, finally, how many phones publish their
own MAC address in the GUI? Or, can you suck this
out of the returned IP packets?
C. Given the URL and the mac, fetch the phones
provisioning info, including it's sip account
info. Use to best advantage.
D. Going further, set up a brute-force probe algorithm,
to probe all possible mac addresses for a given
phone manufacturer, via http requests. After all,
those provisioning web servers are fast and efficient,
aren't they? Collect all possible mac addresses and
grab the provisioning, and now you have a LOT of sip
accounts. Use to best advantage.
And, professional hacking organizations seem to also follow
a. wait several months for any history of the above activities
to roll off the log files. Treat your phone systems like
fine wine vintage.
b. Use multiple (hundreds/thousands) of machines scattered
over the earth to carry out the above probes, and also to
use the accounts for generating international calls.
In general, using the SIP account info gleaned from these
kinds of efforts is a bit problematic. You see, to effectively
use your phone system to place calls, they will have to
set up their own phone system to act like a phone, and
register to the phone system, and then initiate calls.
Trouble is, your phone is usually already registered, but
can be "bumped off". Your phone will re-register at intervals
and bump the hackers, who will again register and bump your
phone. This little game of "king of the hill" may show up in
your Asterisk logs.
So, these defenses can be employed to stop/ameliorate such
1. Keep your phones behind a firewall. Travellers, beware!
Never leave the default login info of the phone at default!
2. Never use the default provisioning URL for the phone,
with it's default URL or password.
3. Use fail2ban, ossec, whatever to stymie any brute force
mac address searches.
4. Use your firewalls to restrict IP's that can access web,
ftp, etc, for provisioning to just those IP's needed to allow
your phones to provision.
5. Keep your logs for a couple years.
6. Change your phone SIP acct passwords now, if you haven't
implemented the above precautions yet.
If I missed a previous post on this, forgive me.
Just thought you-all might appreciate a heads-up.
57 Lane 17
Cody, WY 82414
✉ murf at parsetree dot com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the asterisk-users