Sunday, August 28, 2011

Packet Manipulator: SIP Auditing Plugins

Participating in an open source project and contributing something to the community is something I always wanted to do. Google Summer of Code was my gateway and one of the best experiences I have had.

I have followed UMIT since its inception, and this year I had the opportunity to meet the incredible team that maintains the project and to learn a lot from my mentor Francesco, such as collaborative development, project organization and Python, among many other skills that I acquired.

Unfortunately I did not have as much time as planned for the project and I did not finish it in time. But I will finish the project, and I have no doubt that I will continue contributing while I have something to add.

My project is related to the area in which I have the most experience, IP telephony, and the area that I love, security.

Security in IP telephony is a very important topic. The future of telecommunications is the IP world, and the present is convergence.
The protocol chosen for this convergence is SIP (Session Initiation Protocol).

SIP Monitor:

It monitors incoming TCP/UDP packets (ports ranging from 5058 to 5065) to discover SIP messages, parses each message, and saves its important fields.
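A sketch of the detection and parsing step the SIP Monitor description refers to, added here as an example; it is not the plugin's code. The function name, the choice of saved headers and the sample datagram are assumptions made for illustration.

```python
import re

SIP_PORTS = range(5058, 5066)  # port range stated in the post (5058 to 5065)
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",
           "SUBSCRIBE", "NOTIFY", "INFO", "MESSAGE", "REFER", "UPDATE",
           "PRACK", "PUBLISH"}
# RFC 3261 compact header forms mapped to their long names
COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via",
           "m": "contact", "l": "content-length", "c": "content-type"}
SAVED = ("from", "to", "call-id", "contact", "user-agent", "server")  # assumed
URI_USER = re.compile(r"sips?:([^@;>\s]+)@([^;>\s]+)")

# Constructed sample datagram (not captured traffic)
SAMPLE = (b"REGISTER sip:example.test SIP/2.0\r\n"
          b"v: SIP/2.0/UDP 192.0.2.10:5060\r\n"
          b"f: <sip:alice@example.test>;tag=1\r\n"
          b"t: <sip:alice@example.test>\r\n"
          b"i: abc123@192.0.2.10\r\n"
          b"User-Agent: ExamplePhone 1.0\r\n"
          b"l: 0\r\n\r\n")


def parse_sip(payload: bytes, dport: int):
    """Return a dict of saved fields, or None if the payload is not SIP."""
    if dport not in SIP_PORTS:
        return None
    head = payload.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        return None
    if start[0] in METHODS and start[2] == "SIP/2.0":
        record = {"kind": "request", "method": start[0], "uri": start[1]}
    elif start[0] == "SIP/2.0" and start[1].isdigit():
        record = {"kind": "response", "status": int(start[1])}
    else:
        return None  # right port, but the start line is not SIP
    for line in lines[1:]:
        if line[:1] in " \t" or ":" not in line:
            continue  # empty, folded or malformed header line: skip it
        name, value = line.split(":", 1)
        key = name.strip().lower()
        name = COMPACT.get(key, key)
        if name in SAVED and name not in record:
            record[name] = value.strip()
    m = URI_USER.search(record.get("from", ""))
    if m:
        record["user"], record["domain"] = m.group(1), m.group(2)
    return record
```

Checking the start line as well as the port keeps non-SIP traffic on those ports out of the saved records, and mapping compact header names means a message written with `f:` and `i:` is recorded the same way as one using `From:` and `Call-ID:`.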

SIP Portscan:

It discovers SIP servers when the SIP monitor is unable to find any SIP-related activity or when sniffing is not possible for various reasons.

SIP Enumeration:

It is used to discover a list of usernames on SIP servers when the SIP monitor does not find any SIP username, or when the user wants to collect a larger number of valid logins than the SIP monitor has just discovered.

SIP Checkauth:

It is used to test the strength of passwords in SIP authentication. It will require user interaction to provide a dictionary of weak passwords.
This plugin is not finished yet.

SIP Fuzzing:

It will be used to send many types of SIP messages in order to detect crashes in a SIP server (or a SIP device, like an IP phone). Each message can carry some strange data, such as an overflowed data field, a wrong field name, an SQL query in field data, and so on.
This plugin is not finished yet.

After this, I will implement:

SIP MiTM (to check if servers are vulnerable to man-in-the-middle attacks)
SIP Hijacking
SIP Spoofing

And I have plans to write an IPS based on Umit, to check SIP messages, detect possible attacks and notify the admin.
