05 Apr, 2023

Session Initiation Protocol (SIP)


Session Initiation Protocol (SIP) is a text-based protocol that uses requests and responses to establish, modify, and terminate multimedia sessions over IP networks. It can be used for a wide range of multimedia applications, including voice and video calls, instant messaging, and presence information.

SIP common ports

TCP/UDP port 5060: This is the default port for SIP traffic. SIP endpoints use this port to establish and manage communication sessions.

TCP/UDP port 5061: This port is commonly used for secure SIP (SIPS) traffic that is encrypted using Transport Layer Security (TLS).

TCP/UDP port 5062: This port is used for Session Description Protocol (SDP) traffic, which is used to describe the characteristics of multimedia sessions.

TCP/UDP port 5063: This port is used for Real-Time Transport Protocol (RTP) traffic, which is used to transmit audio and video data between SIP endpoints.

TCP/UDP port 5080: Some SIP implementations use this port as an alternate to port 5060.

Standard commands from unauthorized users

Unauthorized users who attempt to access the Session Initiation Protocol (SIP) infrastructure may use several standard commands to try to gain access or disrupt communication. Here are some of the most common commands that unauthorized users may attempt to use:

INVITE: This command is used to initiate a session between two SIP endpoints. An unauthorized user may try to use this command to establish a connection with a SIP server or other endpoint.

REGISTER: This command is used to register a SIP endpoint with a SIP server. An unauthorized user may try to use this command to register a fake endpoint or impersonate an existing endpoint.

BYE: This command is used to terminate a session between two SIP endpoints. An unauthorized user may try to use this command to disrupt communication or cause a denial-of-service (DoS) attack.

CANCEL: This command is used to cancel a previously sent SIP message. An unauthorized user may try to use this command to disrupt communication or cause a DoS attack.

OPTIONS: This command is used to query a SIP endpoint or server for its capabilities. An unauthorized user may try to use this command to probe the SIP infrastructure for vulnerabilities.

INFO: This command is used to send non-essential information between SIP endpoints. An unauthorized user may try to use this command to send spam or other unwanted messages.

Tools for working with the SIP protocol

Manual Tools:

  • SIPVicious: A suite of tools that allows attackers to scan, fingerprint, and exploit SIP-based devices and networks. It includes tools for brute-forcing passwords, spoofing SIP messages, and conducting eavesdropping attacks.

  • SIPp: A tool for stress-testing SIP-based devices and networks. It can simulate thousands of SIP endpoints and generate traffic to test the performance and scalability of the infrastructure.

  • SIP-Torture: A tool for testing the interoperability and compliance of SIP-based devices and networks with the SIP protocol. It can test various SIP scenarios and generate reports on the results.

  • SIPScan: A tool for scanning networks for SIP devices and enumerating their capabilities and vulnerabilities. It can detect open SIP ports, identify SIP servers and clients, and extract information from SIP messages.

  • SIPCrack: A tool for cracking SIP passwords using dictionary attacks or brute-force methods. It uses various techniques to speed up the password cracking process, such as parallel processing and GPU acceleration.

  • SIPFuzz: A tool for fuzzing SIP-based devices and networks to find vulnerabilities and exploits. It can generate and send malformed SIP messages to test the robustness and security of the infrastructure.

  • SIPDump: A tool for capturing and analyzing SIP traffic on a network. It can decode and display SIP messages, extract information from them, and generate statistics on the traffic.

  • SIPAuthCrack: A tool for cracking SIP authentication credentials using brute-force methods. It can be used to test the strength of SIP passwords and identify weak passwords that can be easily cracked.

Automated Tools:

  • Metasploit: A popular framework for developing and executing exploits against various targets, including SIP-based devices and networks. It includes a set of modules for exploiting SIP vulnerabilities and conducting attacks.

  • Nmap: A network scanning tool that can be used to detect SIP devices and services on a network. It can identify open SIP ports, determine the operating system and version of the devices, and extract other information from SIP messages.

  • SIPVader: An automated tool for detecting and exploiting SIP vulnerabilities. It includes a database of known SIP vulnerabilities and exploits, and can be used to launch automated attacks against SIP-based devices and networks.

  • SIPArmyKnife: An all-in-one tool for testing and exploiting SIP-based devices and networks. It includes various modules for scanning, fingerprinting, exploiting, and testing SIP infrastructure.

  • SIPRider: An automated tool for identifying and exploiting SIP vulnerabilities. It can scan networks for SIP devices, extract information from SIP messages, and launch automated attacks against vulnerable devices.

  • SIPProxy: An automated tool for intercepting and modifying SIP traffic on a network. It can be used for testing the security and robustness of SIP infrastructure, as well as for conducting eavesdropping and modification attacks.

  • SIPVampire: An automated tool for detecting and exploiting SIP vulnerabilities. It can scan networks for SIP devices, identify open ports and services, and launch automated attacks against vulnerable devices.

  • SIPpScenario: An automated tool for generating and executing SIP traffic scenarios. It can be used for stress-testing SIP infrastructure, as well as for testing the functionality and compliance of SIP-based devices and networks.

Browser Plugins:

  • SIP Inspector: A browser plugin for inspecting and debugging SIP traffic in real-time. It can capture and display SIP messages, decode and analyze their contents, and provide insights into the behavior of SIP-based devices and networks.

  • SIP Workbench: A browser plugin for testing and debugging SIP-based applications. It includes various tools for generating and sending SIP messages, analyzing their responses, and debugging issues in SIP-based applications.

  • SIP Tester: A browser plugin for testing and troubleshooting SIP-based devices and networks. It can generate and send SIP messages, emulate various SIP scenarios, and provide detailed reports on the results.

  • SIP Debug: A browser plugin for debugging and troubleshooting SIP-based applications. It can capture and display SIP messages, analyze their contents, and provide insights into the behavior of SIP-based devices and networks.

Last five known CVEs for SIP

• CVE-2023-28099 – OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.9 and 3.2.6, if `ds_is_in_list()` is used with an invalid IP address string (`NULL` is illegal input), OpenSIPS will attempt to print a string from a random address (stack garbage), which could lead to a crash. All users of `ds_is_in_list()` without the `$si` variable as 1st parameter could be affected by this vulnerability to a larger, lesser or no extent at all, depending on whether the data passed to the function is a valid IPv4 or IPv6 address string or not. Fixes are available starting with the 3.1.9 and 3.2.6 minor releases. There are no known workarounds.

• CVE-2023-28098 – OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.7 and 3.2.4, a specially crafted Authorization header causes OpenSIPS to crash or behave in an unexpected way due to a bug in the function `parse_param_name()`. This issue was discovered while performing coverage-guided fuzzing of the function `parse_msg`. The AddressSanitizer identified that the issue occurred in the function `q_memchr()`, which is called by the function `parse_param_name()`. This issue may cause erratic program behaviour or a server crash. It affects configurations containing functions that make use of the affected code, such as the function `www_authorize()`. Versions 3.1.7 and 3.2.4 contain a fix.

• CVE-2023-28097 – OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.9 and 3.2.6, a malformed SIP message containing a large _Content-Length_ value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory was allocated to OpenSIPS using the `-m` flag, such as 10 GB of RAM. On the test system, this issue occurred when shared memory was set to `2362` or higher. This issue is fixed in versions 3.1.9 and 3.2.6. The only workaround is to guarantee that the Content-Length value of input messages is never larger than `2147483647`.

• CVE-2023-28096 – OpenSIPS, a Session Initiation Protocol (SIP) server implementation, has a memory leak starting in the 2.3 branch and prior to versions 3.1.8 and 3.2.5. The memory leak was detected in the function `parse_mi_request` while performing coverage-guided fuzzing. This issue can be reproduced by sending multiple requests of the form `{"jsonrpc": "2.0","method": "log_le`. This malformed message was tested against an instance of OpenSIPS via the FIFO transport layer and was found to increase the memory consumption over time. To abuse this memory leak, attackers need to reach the management interface (MI), which typically should only be exposed on trusted interfaces. In cases where the MI is exposed to the internet without authentication, abuse of this issue will lead to memory exhaustion, which may affect the underlying system's availability. No authentication is typically required to reproduce this issue. On the other hand, memory leaks may occur in other areas of OpenSIPS where the cJSON library is used for parsing JSON objects. The issue has been fixed in versions 3.1.8 and 3.2.5.

• CVE-2023-28095 – OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Versions prior to 3.1.7 and 3.2.4 have a potential issue in `msg_translator.c:2628` which might lead to a server crash. This issue was found while fuzzing the function `build_res_buf_from_sip_req` but could not be reproduced against a running instance of OpenSIPS. This issue could not be exploited against a running instance of OpenSIPS since no public function was found to make use of this vulnerable code. Even in the case of exploitation through unknown vectors, it is highly unlikely that this issue would lead to anything other than Denial of Service. This issue has been fixed in versions 3.1.7 and 3.2.4.

Useful information

– SIP is a signaling protocol used for initiating, maintaining, and terminating multimedia sessions over IP networks.

– It is an open standard protocol developed by the Internet Engineering Task Force (IETF).

– SIP is used for establishing voice and video calls, instant messaging, presence, and other multimedia services.

– SIP works on the application layer of the OSI model and uses TCP or UDP as the transport protocol.

– SIP messages consist of a start line, a set of headers, and an optional message body.

– SIP uses the Session Description Protocol (SDP) to negotiate the parameters of a multimedia session, such as codec types, media formats, and network addresses.

– SIP supports several call control features, such as call hold, call transfer, call forwarding, and conference calling.

– SIP is an extensible protocol, which means that it can be extended to support new services and features.

– SIP can be used with various VoIP protocols, such as H.323, MGCP, and RTP.

– SIP is used by several popular VoIP applications and services, such as Skype, Google Voice, and Microsoft Teams.

– SIP can be vulnerable to various types of attacks, such as spoofing, flooding, eavesdropping, and denial-of-service (DoS) attacks.

– SIP can be secured using several mechanisms, such as Transport Layer Security (TLS), Secure Real-time Transport Protocol (SRTP), and authentication and authorization mechanisms.

– SIP is used in several industries, such as telecommunications, healthcare, education, and finance.

– SIP is widely adopted in both the public and private sectors and is expected to continue to grow in popularity in the coming years.

– SIP has several benefits over traditional circuit-switched telephony, such as lower costs, greater flexibility, and richer features.

Known banners

“SIP/2.0” – This is the most common banner used by SIP servers and clients to identify the SIP version and protocol.

“Asterisk PBX” – This banner is used by the open-source Asterisk PBX software, which is widely used for VoIP applications.

“FreeSWITCH” – This banner is used by the open-source FreeSWITCH software, which is a scalable and modular VoIP platform.

“OpenSIPS” – This banner is used by the open-source OpenSIPS software, which is a high-performance SIP server used for voice and video communications.

“Kamailio” – This banner is used by the open-source Kamailio software, which is a high-performance SIP server used for real-time communication applications.

“SIP Express Router” – This banner is used by the open-source SER software, which is a fast and scalable SIP server used for VoIP applications.

“Cisco-CP7960G” – This banner is used by Cisco IP phones, which support SIP as well as other VoIP protocols.

“PolycomSoundPointIP-SPIP” – This banner is used by Polycom IP phones, which support SIP as well as other VoIP protocols.

“Avaya IP Office” – This banner is used by Avaya IP phones, which support SIP as well as other VoIP protocols.

“3CX Phone System” – This banner is used by the 3CX Phone System, which is a software-based PBX used for VoIP applications.
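The "Useful information" section states that a SIP message consists of a start line, a set of headers, and an optional body, and the "Known banners" list above shows the strings a server or phone reveals in its Server or User-Agent header. The following is an added example, not code from this page or from any of the products named on it: a small Python parser that splits a message into those three parts, rejects messages whose Content-Length is missing, mismatched, or above the `2147483647` bound from the CVE-2023-28097 workaround, and then matches the Server/User-Agent header against the banner list. The sample messages, the hostnames and the "Asterisk PBX 18.0.0" version string are constructed for the example; the parser is deliberately simplified and does not handle compact header names or folded header lines.

```python
"""Minimal SIP message parser with defender-side sanity checks (added example)."""
import re
from typing import Optional

# Request methods listed on this page (RFC 3261 core plus common extensions)
KNOWN_METHODS = {
    "INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "UPDATE",
    "MESSAGE", "INFO", "PRACK", "SUBSCRIBE", "NOTIFY", "REFER", "PUBLISH",
}

# Upper bound from the CVE-2023-28097 workaround quoted on this page
MAX_CONTENT_LENGTH = 2147483647

# Banner strings from the "Known banners" list; matched as substrings
KNOWN_BANNERS = [
    "Asterisk PBX", "FreeSWITCH", "OpenSIPS", "Kamailio", "SIP Express Router",
    "Cisco-CP7960G", "PolycomSoundPointIP-SPIP", "Avaya IP Office",
    "3CX Phone System",
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


class SipParseError(ValueError):
    """Raised for any message that should be dropped rather than processed."""


def parse_sip(raw: bytes) -> dict:
    """Split a SIP message into start line, headers and body, rejecting malformed input."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SipParseError("no end-of-headers (CRLF CRLF) found")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise SipParseError("non-ASCII bytes in start line or headers")

    msg = {"headers": {}, "body": body}
    start = lines[0]
    m = REQUEST_LINE.match(start)
    if m:
        method, uri = m.group(1), m.group(2)
        if method not in KNOWN_METHODS:
            raise SipParseError(f"unknown method {method!r}")
        msg.update(kind="request", method=method, uri=uri)
    else:
        m = STATUS_LINE.match(start)
        if not m:
            raise SipParseError(f"bad start line {start!r}")
        msg.update(kind="response", status=int(m.group(1)), reason=m.group(2))

    # Header names are case-insensitive, so they are stored lower-cased
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SipParseError(f"bad header line {line!r}")
        msg["headers"][name.strip().lower()] = value.strip()

    # Content-Length, when present, must be a bounded integer that matches the body
    declared = msg["headers"].get("content-length")
    if declared is not None:
        if not declared.isdigit():
            raise SipParseError("Content-Length is not a non-negative integer")
        length = int(declared)
        if length > MAX_CONTENT_LENGTH:
            raise SipParseError("Content-Length exceeds 2147483647")
        if length != len(body):
            raise SipParseError(f"Content-Length {length} != body length {len(body)}")
    return msg


def is_well_formed(raw: bytes) -> bool:
    """True when parse_sip accepts the message, False when it would be dropped."""
    try:
        parse_sip(raw)
        return True
    except SipParseError:
        return False


def identify_banner(msg: dict) -> Optional[str]:
    """Return the first known banner found in Server or User-Agent, else None."""
    for header in ("server", "user-agent"):
        value = msg["headers"].get(header, "")
        for banner in KNOWN_BANNERS:
            if banner in value:
                return banner
    return None


# Constructed sample messages (hostnames, Call-ID and version string are made up)
SAMPLE_OPTIONS = (
    b"OPTIONS sip:pbx.example.internal SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example\r\n"
    b"From: <sip:monitor@example.internal>;tag=1\r\n"
    b"To: <sip:pbx.example.internal>\r\n"
    b"Call-ID: example-call-id-1\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"User-Agent: inventory-probe/0.1\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_200 = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example\r\n"
    b"Server: Asterisk PBX 18.0.0\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_BAD_CL = (
    b"INVITE sip:1000@pbx.example.internal SIP/2.0\r\n"
    b"Content-Length: 4294967295\r\n\r\n"
)

if __name__ == "__main__":
    print(parse_sip(SAMPLE_OPTIONS)["method"])          # OPTIONS
    print(identify_banner(parse_sip(SAMPLE_200)))        # Asterisk PBX
    print(is_well_formed(SAMPLE_BAD_CL))                 # False
```

Used in an inventory or monitoring script, the banner match tells you which of the listed products answered an OPTIONS probe, and the Content-Length check shows where a front-end (SBC or proxy) would enforce the workaround before a message reaches a vulnerable server.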

Books for studying SIP

Session Initiation Protocol: Complete Self-Assessment Guide by Gerardus Blokdyk: This book is designed to help individuals and organizations assess their understanding of Session Initiation Protocol (SIP) and related technologies. It includes over 700 questions and answers that cover topics such as SIP architecture, SIP signaling, SIP proxies and servers, and SIP security.

SIP: Understanding the Session Initiation Protocol by Alan B. Johnston: This book provides a comprehensive overview of SIP and its applications. It covers the basics of SIP, including its architecture and components, and then delves into more advanced topics such as SIP security and SIP trunking.

SIP Demystified by Gonzalo Camarillo: This book is a beginner’s guide to SIP that covers the basics of SIP and its applications. It includes detailed explanations of SIP messaging, call flows, and SIP call setup, as well as information on SIP security and interoperability.

SIP Security by Dorgham Sisalem: This book is focused specifically on SIP security and includes information on various SIP security threats and vulnerabilities. It covers topics such as SIP authentication and encryption, SIP denial-of-service attacks, and SIP-based fraud.

SIP Handbook: Services, Technologies, and Security of Session Initiation Protocol by Syed A. Ahson and Mohammad Ilyas: This book is a comprehensive guide to SIP and its applications. It covers the basics of SIP, including its architecture and components, as well as advanced topics such as SIP security and SIP-based services.

SIP Trunking by Christina Hattingh and Darryl Sladden: This book is focused specifically on SIP trunking, which is a way to connect an organization’s phone system to the public switched telephone network (PSTN) using SIP. It covers topics such as SIP trunking architecture, SIP trunking providers, and SIP trunking deployment.

Building Telephony Systems with OpenSIPS 1.6 by Flavio E. Goncalves: This book is focused on building telephony systems using OpenSIPS, which is an open-source SIP server. It covers topics such as OpenSIPS architecture, SIP message processing, and building a complete telephony system using OpenSIPS.

List of payloads (request methods) for Session Initiation Protocol

  • INVITE – This payload is used to initiate a session between two parties.

  • ACK – This payload is used to acknowledge the successful receipt of a SIP message.

  • BYE – This payload is used to terminate a session between two parties.

  • CANCEL – This payload is used to cancel a pending session invitation.

  • REGISTER – This payload is used to register a user’s contact information with a SIP server.

  • OPTIONS – This payload is used to query the capabilities of a remote SIP server or user agent.

  • UPDATE – This payload is used to modify an existing session.

  • MESSAGE – This payload is used to send text messages between SIP clients.

  • INFO – This payload is used to transfer non-session related information during a session.

  • PRACK – This payload is used to confirm the reliable reception of a provisional response.

  • SUBSCRIBE – This payload is used to request notifications of events from a SIP server.

  • NOTIFY – This payload is used to deliver event notifications to a subscriber.

  • REFER – This payload is used to transfer a session to a third party.

  • PUBLISH – This payload is used to publish a user’s state to a SIP server.

Mitigation

  1. Use strong passwords and authentication mechanisms to prevent unauthorized access to SIP devices and services.

  2. Use firewalls to block unauthorized access to SIP servers and endpoints.

  3. Perform regular software updates and patching to ensure that SIP devices and services are up-to-date with the latest security fixes and updates.

  4. Use encryption to secure SIP communications and prevent eavesdropping.

  5. Implement intrusion detection and prevention systems to monitor network traffic and detect and respond to SIP attacks.

  6. Use network segmentation to separate SIP and VoIP traffic from other network traffic.

  7. Limit the number of open ports and services to minimize the attack surface of SIP devices and services.

  8. Disable unnecessary SIP features and services that are not required for the organization’s operations.
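Mitigation item 5 calls for intrusion detection that watches SIP traffic; the commands section earlier explains why REGISTER is the method to watch (registering fake endpoints or impersonating existing ones). The following is an added example, not code from this page or any IDS product: a Python sliding-window detector that reads SIP server log lines and raises two alerts, a burst of failed REGISTER attempts from one source (credential guessing) and one source trying many distinct usernames (extension enumeration). The log format, the thresholds, the addresses and the sample lines are all constructed for the example; the regular expression is the part to adapt to a real server's log format.

```python
"""Sliding-window detection of REGISTER abuse from SIP server logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed, simplified log format: one line per request the server handled
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) src=(?P<src>[\d.]+) "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

WINDOW = timedelta(seconds=60)   # sliding window per source address
FAIL_THRESHOLD = 5               # failed REGISTERs inside WINDOW -> brute force
ENUM_THRESHOLD = 4               # distinct usernames inside WINDOW -> enumeration
AUTH_FAILURES = {"401", "403", "407"}


def analyse(log_text: str) -> Dict[str, List[str]]:
    """Return {alert_type: [source addresses]} for the two REGISTER abuse patterns."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    attempts: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, List[str]] = {"register_bruteforce": [], "extension_enumeration": []}

    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] != "REGISTER":
            continue  # other methods are ignored here; a real deployment would count them too
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src = m["src"]

        # Every REGISTER counts toward the enumeration window, success or not
        q = attempts[src]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()

        # Only authentication failures count toward the brute-force window
        if m["status"] in AUTH_FAILURES:
            f = failures[src]
            f.append(ts)
            while f and ts - f[0] > WINDOW:
                f.popleft()
            if len(f) >= FAIL_THRESHOLD and src not in alerts["register_bruteforce"]:
                alerts["register_bruteforce"].append(src)

        distinct_users = {user for _, user in q}
        if len(distinct_users) >= ENUM_THRESHOLD and src not in alerts["extension_enumeration"]:
            alerts["extension_enumeration"].append(src)
    return alerts


# Constructed sample log: one legitimate phone, one guessing source, one enumerating
# source, and one user who mistypes a password once and then succeeds.
SAMPLE_LOG = """\
2023-04-05T10:00:00Z REGISTER src=192.0.2.15 user=1001 status=200
2023-04-05T10:00:02Z OPTIONS src=192.0.2.15 user=- status=200
2023-04-05T10:00:05Z REGISTER src=198.51.100.7 user=1001 status=401
2023-04-05T10:00:06Z REGISTER src=198.51.100.7 user=1001 status=401
2023-04-05T10:00:07Z REGISTER src=198.51.100.7 user=1001 status=401
2023-04-05T10:00:08Z REGISTER src=198.51.100.7 user=1001 status=401
2023-04-05T10:00:09Z REGISTER src=198.51.100.7 user=1001 status=401
2023-04-05T10:00:10Z REGISTER src=198.51.100.7 user=1001 status=401
2023-04-05T10:00:20Z REGISTER src=203.0.113.9 user=100 status=403
2023-04-05T10:00:21Z REGISTER src=203.0.113.9 user=101 status=403
2023-04-05T10:00:22Z REGISTER src=203.0.113.9 user=102 status=403
2023-04-05T10:00:23Z REGISTER src=203.0.113.9 user=103 status=403
2023-04-05T10:05:00Z REGISTER src=192.0.2.16 user=1002 status=401
2023-04-05T10:05:03Z REGISTER src=192.0.2.16 user=1002 status=200
"""

if __name__ == "__main__":
    for kind, sources in analyse(SAMPLE_LOG).items():
        print(kind, sources)
```

The two windows are kept separate on purpose: a source that fails once a minute for an hour never trips the brute-force rule, and a source that registers four real extensions with correct credentials from one address (a PBX behind NAT, for instance) will trip the enumeration rule, so the alert is a signal to check registration policy, not an automatic block. Pair it with mitigation item 1 (strong credentials) so that a burst that does get through still finds nothing to guess.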

Conclusion

Session Initiation Protocol (SIP) is a widely used signaling protocol for establishing and managing real-time communication sessions such as voice, video, and instant messaging. It is an open-standard protocol that is widely supported by various vendors and products in the telecommunications industry.

SIP provides a flexible and extensible framework for creating and managing multimedia sessions. It allows for the establishment and modification of sessions, as well as the exchange of session-related information between participants. SIP can also be used with other protocols such as Real-Time Transport Protocol (RTP) and Secure Real-Time Transport Protocol (SRTP) to provide secure and reliable communications.
