[asterisk-users] Interesting new hack attack

Steve Murphy murf at parsetree.com
Thu May 22 11:41:35 CDT 2014

In the past little while, we've seen
a wave of attacks on asterisk, via the

It goes something like this:

A. scan for IP phones on the internet,
   either via spotting something on port 5060,
   or via the port 80 web interface for the phone.
   Or, use web sites that scan the internet, and
   classify the machines, to make your work shorter.
B. Once you get into the web GUI, get the URL for provisioning.
   I haven't checked yet... do any phones actually
   allow you to set this, or do any display the
   current value?
   And, finally, how many phones publish their
   own MAC address in the GUI? Or, can you suck this
   out of the returned IP packets?
C. Given the URL and the MAC, fetch the phone's
   provisioning info, including its SIP account
   info. Use to best advantage.
D. Going further, set up a brute-force probe algorithm,
   to probe all possible mac addresses for a given
   phone manufacturer, via http requests. After all,
   those provisioning web servers are fast and efficient,
   aren't they? Collect all possible mac addresses and
   grab the provisioning, and now you have a LOT of sip
   accounts. Use to best advantage.

And, professional hacking organizations seem to also follow
these rules:

a. wait several months for any history of the above activities
   to roll off the log files. Treat your phone systems like
   fine wine vintage.
b. Use multiple (hundreds/thousands) of machines scattered
   over the earth to carry out the above probes, and also to
   use the accounts for generating international calls.

In general, using the SIP account info gleaned from these
kinds of efforts is a bit problematic. You see, to effectively
use your phone system to place calls, they will have to
set up their own phone system to act like a phone, and
register to the phone system, and then initiate calls.
Trouble is, your phone is usually already registered, but
can be "bumped off". Your phone will re-register at intervals
and bump the hackers, who will again register and bump your
phone. This little game of "king of the hill" may show up in
your Asterisk logs.

So, these defenses can be employed to stop/ameliorate such
hacking efforts:

1. Keep your phones behind a firewall. Travellers, beware!
   Never leave the default login info of the phone at default!
2. Never use the default provisioning URL for the phone,
   with its default URL or password.
3. Use fail2ban, ossec, whatever to stymie any brute force
   mac address searches.
4. Use your firewalls to restrict IPs that can access web,
   ftp, etc., for provisioning to just those IPs needed to allow
   your phones to provision.
5. Keep your logs for a couple years.
6. Change your phone SIP acct passwords now, if you haven't
   implemented the above precautions yet.

If I missed a previous post on this, forgive me.
Just thought you-all might appreciate a heads-up.
Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-5535
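As an added illustration of defense 3 above (this is example code, not something from the original post or from Asterisk): a small Python check that walks web-server access log lines for the provisioning directory and flags any client that requests many distinct MAC-named config files within a short window, which is the signature of a MAC brute-force probe rather than a phone fetching its own config. The log format is the Apache/nginx "combined" format; the path layout `/prov/<mac>.cfg`, the thresholds and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.  The provisioning path layout
# (/prov/<12 hex digits>.cfg) is an assumption made for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
MAC_PATH_RE = re.compile(r'^/prov/(?P<mac>[0-9a-fA-F]{12})\.cfg$')

def parse_line(line):
    """Return (ip, timestamp, mac) for a request of a MAC-named config, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = MAC_PATH_RE.match(m.group('path'))
    if not p:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, p.group('mac').lower()

def find_mac_probers(lines, max_distinct_macs=5, window=timedelta(minutes=10)):
    """Map client IP -> most distinct MAC-named configs it requested inside any
    `window`, for clients above max_distinct_macs.  A real phone re-fetches
    its own single config; a MAC brute-forcer walks through many of them."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, mac = rec
            per_ip[ip].append((ts, mac))
    offenders = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window
                start += 1
            distinct = len({mac for _, mac in events[start:end + 1]})
            if distinct > max_distinct_macs:
                offenders[ip] = max(offenders.get(ip, 0), distinct)
    return offenders

SAMPLE_LOG = [  # constructed for this example, not real traffic
    '10.0.0.5 - - [22/May/2014:11:00:01 -0600] "GET /prov/001122aabbcc.cfg HTTP/1.1" 200 2310',
    '10.0.0.5 - - [22/May/2014:11:05:01 -0600] "GET /prov/001122aabbcc.cfg HTTP/1.1" 200 2310',
] + [  # one client walking consecutive MACs and mostly getting 404s
    f'198.51.100.7 - - [22/May/2014:11:02:{10 + i:02d} -0600] "GET /prov/001122{i:06x}.cfg HTTP/1.1" 404 196'
    for i in range(8)
]

def scan_sample():
    return find_mac_probers(SAMPLE_LOG)
```

The flagged IPs are what you would feed to a firewall or fail2ban-style ban action; the legitimate phone, which only ever asks for its own MAC's file, is never reported.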