07 Apr, 2023

Extensible Messaging and Presence Protocol (XMPP)


XMPP (Extensible Messaging and Presence Protocol) is an open standard communication protocol used for exchanging messages, presence information, and other data between two or more communication endpoints over a network. Originally known as Jabber, XMPP was developed by the Jabber open-source community in 1999 and has since become a widely used protocol for instant messaging, social networking, and collaboration tools.

XMPP common ports

Port 5222: This is the default port used for client-to-server connections over TCP.

Port 5223: This is the default port used for client-to-server connections over SSL/TLS.

Port 5269: This is the default port used for server-to-server connections over TCP.

Port 5280: This is the default port used for web-based connections over HTTP.

Port 5281: This is the default port used for web-based connections over HTTPS.

Standard commands from unauthorized users

Presence floods: Sending a large number of presence stanzas can overload an XMPP server, causing it to slow down or crash.

Message floods: Sending a large number of messages can also overload an XMPP server or disrupt communications.

Subscription requests: An unauthorized user can send subscription requests to other users, which can cause annoyance or confusion.

IQ stanzas: IQ stanzas can be used to query information from an XMPP server or client, such as roster information or server configuration. An unauthorized user could use IQ stanzas to gather information about the server or its users.
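As an added example (not part of the original article), the following Python script shows how a defender could spot the four abuse patterns just listed in a stanza log: presence and message floods, subscription sprays, and IQ queries aimed at another user's roster or private storage. The thresholds, the `StanzaMonitor` class and the sample stanzas are all constructed for illustration; a real deployment would feed it stanzas captured from the server's own logging.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# IQ namespaces that only the account owner should ever query on its own account.
OWNER_ONLY_NS = {"jabber:iq:roster", "jabber:iq:private"}


def bare_jid(jid):
    """Strip the resource part: user@host/resource -> user@host."""
    return (jid or "").split("/", 1)[0]


def local_name(tag):
    """ElementTree reports tags as '{namespace}name'; return just 'name'."""
    return tag.rsplit("}", 1)[-1]


def namespace_of(tag):
    """Return the namespace URI of an ElementTree tag ('' if there is none)."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


class StanzaMonitor:
    """Sliding-window counters keyed by sender; the thresholds are illustrative."""

    def __init__(self, window=10.0, max_presence=20, max_message=30, max_subscribe=3):
        self.window = window
        self.limits = {"presence": max_presence, "message": max_message}
        self.max_subscribe = max_subscribe
        self.history = defaultdict(deque)      # (sender, kind) -> timestamps
        self.sub_targets = defaultdict(deque)  # sender -> (timestamp, target)

    def observe(self, now, xml_text):
        """Feed one stanza; return the list of alerts it triggered (usually empty)."""
        root = ET.fromstring(xml_text)
        kind = local_name(root.tag)
        sender = bare_jid(root.get("from"))
        alerts = []

        # Presence and message floods: more than N stanzas from one sender per window.
        if kind in self.limits:
            dq = self.history[(sender, kind)]
            dq.append(now)
            while now - dq[0] > self.window:
                dq.popleft()
            if len(dq) > self.limits[kind]:
                alerts.append(f"{kind} flood from {sender}: {len(dq)} stanzas in {self.window:g}s")

        # Subscription spray: one sender asking many distinct users for presence access.
        if kind == "presence" and root.get("type") == "subscribe":
            dq = self.sub_targets[sender]
            dq.append((now, bare_jid(root.get("to"))))
            while now - dq[0][0] > self.window:
                dq.popleft()
            distinct = {target for _, target in dq}
            if len(distinct) > self.max_subscribe:
                alerts.append(f"subscription spray from {sender}: {len(distinct)} targets in {self.window:g}s")

        # Information gathering: roster/private-storage queries aimed at someone else's account.
        if kind == "iq" and root.get("type") in ("get", "set"):
            target = bare_jid(root.get("to")) or sender  # no 'to' means the sender's own account
            for child in root:
                ns = namespace_of(child.tag)
                if ns in OWNER_ONLY_NS and target != sender:
                    alerts.append(f"cross-account iq {ns} from {sender} to {target}")
        return alerts


def sample_events():
    """Constructed stanza log (timestamp in seconds, stanza XML): one legitimate
    user, a presence flooder, a subscription sprayer and a cross-account roster query."""
    events = [
        (0.0, '<message xmlns="jabber:client" from="alice@example.org/laptop" to="bob@example.org" type="chat"><body>hi</body></message>'),
        (0.5, '<iq xmlns="jabber:client" from="alice@example.org/laptop" type="get" id="r1"><query xmlns="jabber:iq:roster"/></iq>'),
    ]
    for i in range(25):  # 25 presence broadcasts in under 5 seconds
        events.append((1.0 + i * 0.2, '<presence xmlns="jabber:client" from="mallory@evil.example/x"><show>chat</show></presence>'))
    for i in range(5):   # subscription requests to five different users
        events.append((7.0 + i, f'<presence xmlns="jabber:client" from="spammer@evil.example/a" to="user{i}@example.org" type="subscribe"/>'))
    events.append((12.0, '<iq xmlns="jabber:client" from="mallory@evil.example/x" to="bob@example.org" type="get" id="r2"><query xmlns="jabber:iq:roster"/></iq>'))
    return events


def analyze(events, monitor=None):
    """Run every (timestamp, stanza) pair through the monitor and collect alerts."""
    monitor = monitor or StanzaMonitor()
    alerts = []
    for ts, xml_text in events:
        alerts.extend(monitor.observe(ts, xml_text))
    return alerts


if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert)
```

Running the script prints one alert per offending stanza once a threshold is crossed, which is the shape a SIEM rule would consume; the window and limits should be tuned to the server's normal presence churn, and a legitimate client's own roster query (no `to` attribute) is deliberately not flagged.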

Tools for working with XMPP

Manual Tools:

  • Pidgin: A popular open-source instant messaging client that supports multiple protocols including XMPP.

  • Adium: A popular instant messaging client for Mac that supports XMPP.

  • Miranda IM: An open-source instant messaging client for Windows that supports XMPP.

  • Conversations: A mobile instant messaging client for Android that supports XMPP.

  • ChatSecure: A mobile instant messaging client for iOS that supports XMPP.

Automated Tools:

  • XMPP Compliance Tester: An online tool that tests XMPP server compliance with the XMPP specifications.

  • XMPP Analyzer: A network analyzer that can be used to monitor and troubleshoot XMPP traffic.

  • Sleuth: An XMPP traffic analyzer that can be used to detect security issues and vulnerabilities.

  • XMPP Security Scanner: A tool that scans XMPP servers for common security issues and vulnerabilities.

  • Metasploit Framework: A penetration testing tool that includes modules for testing XMPP servers for vulnerabilities.

  • OpenVAS: A network vulnerability scanner that includes a module for testing XMPP servers.

  • Nmap: A network mapping and security scanning tool that can be used to scan XMPP ports and identify potential vulnerabilities.

  • Nikto: A web server vulnerability scanner that can be used to test XMPP server web interfaces for vulnerabilities.

  • Burp Suite: A web application security testing tool that can be used to test XMPP server web interfaces for vulnerabilities.

  • OWASP ZAP: An open-source web application security testing tool that can be used to test XMPP server web interfaces for vulnerabilities.

Last five known CVEs for XMPP

CVE-2023-25356: CoreDial sipXcom up to and including 21.04 is vulnerable to Improper Neutralization of Argument Delimiters in a Command. XMPP users are able to inject arbitrary arguments into a system command, which can be used to read files from, and write files to, the sipXcom server. This can also be leveraged to gain remote command execution.

CVE-2022-26491: An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control of the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

CVE-2022-24968: In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification.

CVE-2022-22784: The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving user's client perform a variety of actions. This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

CVE-2021-45968: An issue was discovered in xmppserver jar in the XMPP Server component of the Jive platform, as used in Pascom Cloud Phone System before 7.20.x (and in other products). An endpoint in the backend Tomcat server of the Pascom allows SSRF, a related issue to CVE-2019-18394.
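The stanza-context break-out described for CVE-2022-22784 belongs to a general class: any code that assembles a stanza by pasting untrusted text into XML lets the text close the current element and open a new one. The Python below is an added example written for this article, not code from Zoom or any other vendor named above; the `build_message_unsafe` function is the hypothetical "before" case, `build_message_safe` the fix, and `SMUGGLED_BODY` is a constructed test string. Namespace declarations are left off the stanzas to keep the comparison short.

```python
import xml.etree.ElementTree as ET


def build_message_unsafe(to, body):
    """The 'before' case: untrusted text concatenated straight into the stanza."""
    return f'<message to="{to}" type="chat"><body>{body}</body></message>'


def build_message_safe(to, body):
    """Build the stanza as a tree; ElementTree escapes <, > and & when serializing,
    so the text can never terminate <body> or <message>."""
    msg = ET.Element("message", {"to": to, "type": "chat"})
    ET.SubElement(msg, "body").text = body
    return ET.tostring(msg, encoding="unicode")


def parse_as_stream_children(fragment):
    """Parse what the receiving peer would see: the fragment as children of the
    already-open stream. Returns (number of <message> elements, their body texts)."""
    stream = ET.fromstring(f"<stream>{fragment}</stream>")
    messages = [child for child in stream if child.tag == "message"]
    return len(messages), [m.findtext("body") for m in messages]


# Constructed test input: text that closes the current <body> and <message>
# and opens a second message addressed to someone else.
SMUGGLED_BODY = 'hi</body></message><message to="victim@example.org" type="chat"><body>forged'


def compare(to="bob@example.org", body=SMUGGLED_BODY):
    """Show both builders' output through the receiver's parser."""
    return {
        "unsafe": parse_as_stream_children(build_message_unsafe(to, body)),
        "safe": parse_as_stream_children(build_message_safe(to, body)),
    }


if __name__ == "__main__":
    for label, (count, bodies) in compare().items():
        print(f"{label}: {count} message(s), bodies={bodies}")
```

The unsafe builder yields two well-formed messages, the second one addressed by the attacker, while the safe builder yields one message whose body is the original string verbatim. The same rule applies on the receiving side: a client must treat one parsed stanza as one unit and never re-serialize and re-parse user-supplied text.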

Useful information

– Open standard: XMPP is an open standard protocol, meaning that anyone can implement it and develop applications that use it.

– Decentralized: XMPP is a decentralized protocol, which means that there is no central server controlling the communication. Instead, each user has an account on a server of their choosing (which may be self-hosted), and servers relay traffic between each other.

– Security: the client-to-server and server-to-server hops can be protected with TLS, and extensions such as OpenPGP or OTR add end-to-end encryption, so that message content is readable only by the sender and receiver and not by the servers in between.

– Extensible: XMPP is an extensible protocol, which means that it can be customized and extended to suit different needs. This makes it a flexible platform for developing a wide range of communication applications.

– Presence: XMPP includes a presence feature, which allows users to see who is online and available for communication.

– Cross-platform: XMPP can be used on a wide range of platforms, including desktops, mobile devices, and web browsers.

– Federation: XMPP servers can be federated, which means that users on different servers can communicate with each other seamlessly.

– Uses: XMPP is used for a wide range of communication applications, including instant messaging, voice and video chat, and IoT communication.

– Libraries: There are several XMPP libraries available for different programming languages, which makes it easy to develop XMPP applications.

– Clients: There are several XMPP clients available for different platforms, including desktop and mobile devices, which makes it easy to use XMPP for real-time communication.

Known banners

“Welcome banner” – A banner that appears when a user logs in or joins a chat room, welcoming them to the service or application.

“Informational banner” –  A banner that provides information about the service or application, such as new features, updates, or maintenance downtime.

“Promotional banner” – A banner that promotes a specific product, service, or feature within the application or service.

“Call-to-action banner” – A banner that encourages users to take a specific action, such as upgrading their account, inviting friends to the service, or completing a survey.

“Error banner” – A banner that alerts users to errors or issues within the application or service.

“Presence banner” – A banner that displays the online status of the user or their contacts, such as “Available”, “Busy”, “Away”, or “Offline”.

“Notification banner” – A banner that displays notifications, such as new messages or incoming calls, to get the user’s attention even if they are not currently active on the application or service.

Books for studying the Extensible Messaging and Presence Protocol (XMPP)

XMPP: The Definitive Guide by Peter Saint-Andre, Kevin Smith, and Remko Tronçon – This book is a comprehensive guide to XMPP and covers everything from the protocol basics to advanced topics like security, scalability, and federation.

Professional XMPP Programming with JavaScript and jQuery by Jack Moffitt and Andreas Schobel – This book focuses on using XMPP with JavaScript and jQuery to build real-time web applications, including chat systems, collaborative editing tools, and more.

Instant Messaging in Java: The Jabber / XMPP Handbook by Iain Shigeoka – This book provides an introduction to XMPP and guides readers through building a basic chat application using the Smack API for Java.

XMPP: The State of the Art edited by Kevin Smith and Remko Tronçon – This book is a collection of essays by XMPP experts and covers topics like federation, security, mobile XMPP, and more.

Real-Time Communication with WebRTC and XMPP by Salvatore Loreto and Simon Pietro Romano – This book explores the intersection of WebRTC and XMPP, showing how these technologies can be used together to build powerful real-time communication applications.

Building Applications with Jabberd2 by Mickael Remond – This book is a practical guide to building XMPP-based applications using the Jabberd2 server, covering topics like authentication, roster management, and more.

Professional XMPP Programming with C# by Jack Moffitt – This book provides a comprehensive guide to using XMPP with C#, including examples of building real-time applications like chat systems and games.

XMPP: Building Real-Time Applications by Lloyd Watkin and Michal Piotrowski – This book covers the basics of XMPP and guides readers through building real-time applications like chat systems, file sharing tools, and more.

Learning XMPP by Alexey Melnikov – This book provides an introduction to XMPP and covers topics like message routing, presence, and roster management, as well as building a basic chat application.

Practical XMPP by Michael Weibel and Daniel Gultsch – This book is a practical guide to XMPP development, covering topics like building chat bots, integrating with third-party APIs, and building real-time web applications using XMPP.

List of payloads for Extensible Messaging and Presence Protocol (XMPP)

  • Message payload: A payload that carries a message from one user to another, including text, images, audio, video, and other multimedia content.

  • Presence payload: A payload that indicates a user’s online status, including their availability, mood, and activity.

  • Subscription payload: A payload that requests or confirms a subscription between two users, allowing them to share presence information and receive notifications.

  • IQ payload: A payload that carries information queries and responses, including user profiles, roster information, and service discovery.

  • File transfer payload: A payload that carries files or other data between users, using protocols like Jingle and Stream Initiation.

  • Stanza error payload: A payload that indicates an error in processing a message or request, including error codes and error messages.

  • Stream management payload: A payload that manages the flow of XML stanzas between client and server, including stream resumption, flow control, and message acknowledgments.

  • Ad-hoc commands payload: A payload that allows users to execute custom commands on the server, including administrative tasks, queries, and other operations.

Mitigation

  1. Implementing end-to-end encryption using tools such as OpenPGP or OTR can help to protect messages and ensure that they cannot be intercepted or read by unauthorized parties.

  2. Strong authentication mechanisms can be used to verify the identity of users and prevent unauthorized access to XMPP servers.

  3. Implementing access controls can help to limit the exposure of XMPP servers to potential attacks by restricting access to authorized users.

  4. Implementing firewall rules can help to block unauthorized access attempts to XMPP servers and prevent network-based attacks.

  5. Keeping XMPP server software up-to-date with the latest security patches and updates can help to prevent known vulnerabilities from being exploited.
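Mitigations 1 and 2 can be checked from the outside without credentials: the `<stream:features>` a server sends on the cleartext port 5222 reveals whether STARTTLS is offered, whether it is mandatory, and which SASL mechanisms are advertised before TLS is up. The Python below is an added example (not the article's own tooling and not any named scanner); the two feature blocks are constructed samples rather than captures from a real server, and the findings reflect RFC 6120's rule that a server requiring TLS should advertise nothing but STARTTLS until TLS is negotiated.

```python
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: what a hardened server sends before STARTTLS.
HARDENED_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""

# Constructed sample: STARTTLS optional and PLAIN offered on the cleartext stream.
WEAK_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""


def parse_features(xml_text):
    """Summarize a pre-TLS <stream:features> block as a plain dict."""
    root = ET.fromstring(xml_text)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    mechanisms = root.find(f"{{{NS_SASL}}}mechanisms")
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find(f"{{{NS_TLS}}}required") is not None,
        "sasl_mechanisms": [m.text for m in mechanisms.findall(f"{{{NS_SASL}}}mechanism")]
        if mechanisms is not None else [],
        "other_features": len([c for c in root if c.tag != f"{{{NS_TLS}}}starttls"]),
    }


def audit_pretls_features(xml_text):
    """Return a list of findings for a features block received before STARTTLS."""
    f = parse_features(xml_text)
    findings = []
    if not f["starttls_offered"]:
        findings.append("no STARTTLS offered on the cleartext stream")
    elif not f["starttls_required"]:
        findings.append("STARTTLS optional: clients may authenticate over cleartext")
    elif f["other_features"]:
        findings.append("STARTTLS required but other features advertised before TLS")
    if "PLAIN" in f["sasl_mechanisms"]:
        findings.append("SASL PLAIN advertised before TLS: credentials could cross the wire unencrypted")
    return findings


if __name__ == "__main__":
    for label, block in (("hardened", HARDENED_FEATURES), ("weak", WEAK_FEATURES)):
        print(label, audit_pretls_features(block) or ["no findings"])
```

To use this against a live server, open a TCP socket to port 5222, send the `<stream:stream>` opening tag, read up to the closing `</stream:features>` and pass that text to `audit_pretls_features`; port 5223 (direct TLS) skips this stage entirely, so the same check there would be applied to the features sent after the TLS handshake.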

Conclusion

Extensible Messaging and Presence Protocol (XMPP) is a widely used communication protocol that offers flexibility and interoperability, but it is not immune to security threats. Mitigation techniques, such as encryption, authentication, access controls, firewall protection, and regular software updates, can be used to improve its security and protect against potential attacks. With appropriate security measures in place, XMPP can be a safe and reliable way to communicate in real-time.
