Revisions compared: 2020/03/01 18:04 (removed, peter) and 2021/01/15 00:41 (current, created, peter)
====== PFSense - Suricata - Alerts - ET SCAN Sipvicious User-Agent Detected (friendly-scanner) ======

This alert fires when Suricata sees a SIP request carrying the User-Agent string ''friendly-scanner'', which is the default User-Agent sent by SIPVicious, a scanner that looks for [[https://en.wikipedia.org/wiki/List_of_SIP_software|SIP]] servers.

[[https://en.wikipedia.org/wiki/List_of_SIP_software|SIP servers]] are part of your VoIP infrastructure, so this alert means someone is probing for a PBX or SIP trunk behind the firewall. The match is on a string the attacker controls: a scan run with a changed User-Agent will not trigger this rule, so the absence of the alert does not mean the absence of SIP scanning.

----

Technically speaking, SIPVicious is a SIP auditing tool used to scan for and enumerate SIP devices and accounts.

It can be obtained freely from its Google Code archive or its Git repository, and it is bundled with security auditing distributions such as Kali Linux.

Originally intended for legitimate white-hat auditing of internal networks, in the hands of even the most bored script kiddie it can cause serious damage.

The lazy network admin who uses common username/password combinations (or the extension number as the password) will yet again fall victim to this one.

SIPVicious sends OPTIONS, INVITE or REGISTER requests, records which hosts answer with a SIP response, and logs the results to a session file.

An attacker can then enumerate the valid extensions (usernames) on a PBX that answered and brute-force the passwords of those extensions; a cracked extension lets the attacker register as that user and place calls through the PBX (toll fraud).

In addition, the INVITE probes commonly cause **ghost calls** (phones ring from random callers but no one is there). Worse still, on a PBX that accepts INVITEs without authentication they can even set up unwanted calls.

----

===== How Does it Work? =====

**SIPVicious** is made up of 4 components: the head, the front legs, the hind legs, and the torso. I'm kidding of course; there are actually 5:

  * **svcrack:** cracks the SIP password of a given extension, by dictionary or by a numeric brute-force range. It sends REGISTER requests with credentials and watches for a 200 OK instead of a 401/407 challenge.
  * **svreport:** manages the session files the other tools write, so results can be listed, exported (CSV, text, PDF) or fed into a later crack run.
  * **svmap:** "the annoying one" that scans address ranges for open SIP targets, by default with an OPTIONS request (INVITE and REGISTER can be chosen instead). Every host that answers with any SIP response is reported as a live SIP device together with its Server/User-Agent banner.
  * **svwar:** enumerates the extensions (user accounts) on one SIP server or PBX. It sends a request (REGISTER by default, INVITE or OPTIONS on request) for each extension in a range and compares the response codes: an extension that gets a different answer from the baseline (for example 401 Unauthorized instead of 404 Not Found) exists.
    * Like svmap it is a send-and-listen tool, but the method, the extension range and the request details are under the operator's control.
    * The flood of requests can itself act as a denial of service against a small PBX.
  * **svcrash:** the defence and counter-attack tool against SIPVicious itself.
    * It can read the Asterisk log, pick out the would-be attacker's IP and port, and send a malformed response packet that crashes older versions of svwar and svcrack.
    * The target can also be entered manually, and it can optionally brute-force the destination port.

A typical svmap run looks like this:

<code bash>
svmap 192.168.1.0/24 -v
INFO:ImaFly:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.20:5060
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.21:5060
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.22:5060
</code>
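The probe-and-enumerate cycle described above, and the header string this ET rule keys on, as an added example that is not part of the original page or of the SIPVicious project: a toy scanner in the style of svmap/svwar talks to a toy PBX, and a detector run over the resulting requests raises the same ''friendly-scanner'' User-Agent match the Suricata rule does, plus a behavioural sweep check that still fires when the scanner's User-Agent has been changed. The request layout, the PBX's 401-versus-404 behaviour for known versus unknown extensions, the sample IPs and the extension directory are all constructed assumptions for this example.

```python
"""Toy SIP exchange between a SIPVicious-style scanner and a PBX, plus the
detection logic that the 'friendly-scanner' ET rule relies on.

Added example, not code from SIPVicious, pfSense or Suricata. Assumptions:
the minimal request layout below, the PBX answering REGISTER with 401 for
known and 404 for unknown extensions (one common configuration, not a rule),
and all IPs / extensions, which are constructed.
"""
import re
from collections import defaultdict

FRIENDLY_UA = "friendly-scanner"          # default User-Agent sent by SIPVicious
KNOWN_EXTENSIONS = {"100", "101", "200"}  # constructed PBX directory


def build_request(method, target_ip, extension, from_ip, user_agent=FRIENDLY_UA):
    """Build a minimal SIP request (constructed layout for the example)."""
    lines = [
        f"{method} sip:{extension}@{target_ip} SIP/2.0",
        f"Via: SIP/2.0/UDP {from_ip}:5060;branch=z9hG4bK-{extension}",
        f'From: "{extension}" <sip:{extension}@{target_ip}>;tag={extension}',
        f'To: "{extension}" <sip:{extension}@{target_ip}>',
        f"Call-ID: {extension}-{from_ip}",
        f"CSeq: 1 {method}",
        f"User-Agent: {user_agent}",
        "Content-Length: 0",
        "", "",
    ]
    return "\r\n".join(lines)


def parse_headers(msg):
    """Return (start_line, {header_name_lower: value}) for a SIP message."""
    head = msg.split("\r\n\r\n", 1)[0]
    start, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def pbx_respond(request):
    """Toy PBX: OPTIONS -> 200; REGISTER -> 401 for known extensions,
    404 for unknown ones (assumed behaviour, see module docstring)."""
    start, headers = parse_headers(request)
    method, uri, _ = start.split(" ", 2)
    ext = uri.split(":", 1)[1].split("@", 1)[0]
    if method == "OPTIONS":
        code, reason = 200, "OK"
    elif method == "REGISTER":
        code, reason = (401, "Unauthorized") if ext in KNOWN_EXTENSIONS else (404, "Not Found")
    else:
        code, reason = 405, "Method Not Allowed"
    return (f"SIP/2.0 {code} {reason}\r\nVia: {headers['via']}\r\n"
            f"Call-ID: {headers['call-id']}\r\nContent-Length: 0\r\n\r\n")


def svmap_style_probe(targets, from_ip, user_agent=FRIENDLY_UA):
    """One OPTIONS per target; any SIP reply marks the host as live."""
    traffic, live = [], []
    for ip in targets:
        req = build_request("OPTIONS", ip, "100", from_ip, user_agent)
        traffic.append((from_ip, req))
        if pbx_respond(req).startswith("SIP/2.0 "):
            live.append(ip)
    return live, traffic


def svwar_style_enumerate(target_ip, from_ip, ext_range, user_agent=FRIENDLY_UA):
    """REGISTER for each extension; keep the ones whose status differs from 404."""
    traffic, found = [], []
    for ext in ext_range:
        req = build_request("REGISTER", target_ip, str(ext), from_ip, user_agent)
        traffic.append((from_ip, req))
        if not pbx_respond(req).startswith("SIP/2.0 404"):
            found.append(str(ext))
    return found, traffic


UA_RE = re.compile(r"^User-Agent:\s*friendly-scanner", re.I | re.M)


def detect(traffic, sweep_threshold=20):
    """Run two detections over (src_ip, sip_request) pairs.
    'ua'    mirrors the ET signature: a User-Agent header of friendly-scanner.
    'sweep' flags one source sending REGISTER to many distinct extensions,
            which still catches a scanner whose User-Agent was changed."""
    alerts = set()
    exts_per_src = defaultdict(set)
    for src, req in traffic:
        start, _ = parse_headers(req)
        if UA_RE.search(req):
            alerts.add(("ua", src))
        method, uri, _ = start.split(" ", 2)
        if method == "REGISTER":
            exts_per_src[src].add(uri)
    for src, uris in exts_per_src.items():
        if len(uris) >= sweep_threshold:
            alerts.add(("sweep", src))
    return sorted(alerts)


if __name__ == "__main__":
    live, t1 = svmap_style_probe(["10.0.0.5", "10.0.0.6"], "203.0.113.7")
    found, t2 = svwar_style_enumerate("10.0.0.5", "203.0.113.7", range(100, 300))
    print("live SIP hosts:", live, "extensions found:", found)
    print("alerts:", detect(t1 + t2))
```

The ''sweep'' check is the one worth carrying into a real deployment: a signature on ''friendly-scanner'' costs the attacker one command-line option to evade, while a burst of REGISTER requests for hundreds of different extensions from one source is the scan itself and cannot be renamed away.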

----

===== References =====

  * https://code.google.com/p/sipvicious/ (original SIPVicious project page on Google Code)
Last modified: 2020/07/15 09:30 (external edit)