[Detecting Rogue SIP Daemons in Network]
========================================

Triosec, SecNiche Security

-==[Layout]==-

This brief layout presents the detection elements that differentiate a rogue SIP daemon from a working SIP daemon. The SIP daemon normally listens on port 5060. Because of network complexity, an attacker usually follows this approach to monitor the traffic generated by INVITE, REGISTER and similar requests.

The following five points have to be taken into account when judging whether a daemon is rogue:

1. No response is generated by the daemon.
2. A protocol mismatch occurs on the expected port.
3. Connection establishment fails.
4. No specific error is returned as a response.
5. Timeouts occur frequently.

Taken together, these indicators are usually enough to distinguish a rogue SIP daemon from a genuine one.

-==[Examples]==-

-==[Request Invite : Response]==-

SIPScan Results:
Scan started Tue Jul 24 08:34:08 2007
Target SIP Server: 127.0.0.1:5060 TCP
Domain: example.com
There was an initial connection timeout while scanning. Please try again or increase the timeout value

----------
INVITE sip:thisisthecanary@example.com SIP/2.0
Via: SIP/2.0/TCP 172.19.6.194:3326;rport;branch=z9hG4bK44FE55FBBCC449A9A4BEB71869664AEC
From: test ;tag=325602560
To: <172.19.6.194>
Contact:
Call-ID: 3326@172.19.6.194
CSeq: 534886 INVITE
Max-Forwards: 70
Content-Type: application/sdp
User-Agent: X-Lite release 1105x
Content-Length: 305

v=0
o=test 9785927 7605419 IN IP4 172.19.6.194
s=X-Lite
c=IN IP4 172.19.6.194
t=0 0
m=audio 8000 RTP/AVP 0 8 3 98 97 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:3 gsm/8000
a=rtpmap:98 iLBC/8000
a=rtpmap:97 speex/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv

-==[Request Register : Response]==-

SIPScan Results:
Scan started Tue Jul 24 08:36:33 2007
Target SIP Server: 127.0.0.1:5060 TCP
Domain: example.com
The connection to 127.0.0.1 couldn't be established - try another port or protocol?
------------
REGISTER sip:thisisthecanary@example.com SIP/2.0
Via: SIP/2.0/TCP 172.19.6.194:3327;branch=el7mCh5QhC6WNg
From: test ;tag=vkffYiKFjn
To: test
Call-ID: 9262@172.19.6.194
CSeq: 9262 REGISTER
Contact:
Max_forwards: 70
User Agent: SIPScan 1.0
Content-Type: application/sdp
Subject: SIPScan Probe
Expires: 7200
Content-Length: 0

-==[Request Options : Response]==-

SIPScan Results:
Scan started Tue Jul 24 08:38:02 2007
Target SIP Server: 127.0.0.1:5060 TCP
Domain: example.com
There was an initial connection timeout while scanning. Please try again or increase the timeout value.

--------------
OPTIONS sip:thisisthecanary@example.com SIP/2.0
Via: SIP/2.0/TCP 172.19.6.194:3328;branch=el7mCh5QhC6WNg
From: test ;tag=vkffYiKFjn
To: test
Call-ID: 1057@172.19.6.194
CSeq: 1057 OPTIONS
Contact:
Max_forwards: 70
User Agent: SIPScan 1.0
Subject: SIPScan 1.0 Probe
Content-Length: 0

The examples above were run against a rogue SIP daemon. None of the requests produced any dynamic indication that would let us consider the daemon genuine, so the inference is clear. When the network was checked physically, a rogue netcat listener had been started by the attacker in order to gather information.

=================
Zknk
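As an added example (not from the original write-up), the Python below turns the five indicators of the layout into an automatic verdict: it sends one OPTIONS request over TCP, as SIPScan does above, and classifies the outcome as genuine or rogue. The probe request, the local stand-in listener and its replies are constructed for the example; the target host, port and timeout values are assumptions.

```python
import socket
import threading
# Constructed OPTIONS probe, modelled on the SIPScan requests shown above.
SIP_OPTIONS = (
    "OPTIONS sip:thisisthecanary@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 127.0.0.1:5061;branch=z9hG4bKprobe01\r\n"
    "From: test <sip:test@example.com>;tag=probe01\r\n"
    "To: <sip:thisisthecanary@example.com>\r\n"
    "Call-ID: probe01@127.0.0.1\r\nCSeq: 1 OPTIONS\r\n"
    "Max-Forwards: 70\r\nContent-Length: 0\r\n\r\n"
)

def classify(raw, error=None):
    """Map one probe outcome onto the five indicators from the layout."""
    if error == "refused":
        return ("rogue", "connection establishment failure")
    if error == "timeout":
        return ("rogue", "timeout, no response generated")
    if not raw:
        return ("rogue", "connection closed without any response")
    first = raw.split(b"\r\n", 1)[0]
    if not first.startswith(b"SIP/2.0 "):
        return ("rogue", "protocol mismatch on SIP port")
    return ("genuine", first.decode(errors="replace"))

def probe(host, port, timeout=0.5):
    """Send OPTIONS over TCP, as SIPScan does, and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SIP_OPTIONS.encode())
            try:
                return classify(s.recv(4096))
            except socket.timeout:
                return classify(b"", "timeout")
    except ConnectionRefusedError:
        return classify(b"", "refused")

def fake_daemon(reply=b"", hold=False):
    """Constructed stand-in daemon (b'' reply = bare netcat, hold=True = silent)."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)            # swallow the OPTIONS request
        if hold:
            conn.recv(1)           # block until the prober gives up and hangs up
        elif reply:
            conn.sendall(reply)
        conn.close(); srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A bare `fake_daemon()` reproduces the netcat listener the write-up found: the connection is accepted but closed without a single SIP byte, while `hold=True` reproduces the timeout case.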