SIP – ohh my!!

I am sorry that I haven’t been on for a very long time; I have been dealing with lots of work. Today, however, I just wanted to share an experience about what people do with SIP: using any SIP softphone and pointing its proxy address at a router registered to a SIP trunk, unauthorized individuals can place outbound calls at your cost!

This gateway is calling a valid SIP-registered number:

R2(cfg-translation-rule)#do show sip reg status
Line                             peer       expires(sec) registered P-Associ-URI
=========== === ======= ====== ========
2002                             -1         67           yes

Back on the victim router, we get this:

/-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-07178976d20f5e3d-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:5001@172.1.1.112:18980>
To: "2002"<sip:2002@cisco.com>
From: "5001"<sip:5001@cisco.com>;tag=092be37d
Call-ID: OWNhNmQ4Mzk3YjY3YzlkZjhhZjY1MzI4OTdiYjVlZTI.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: X-Lite release 1104o stamp 56125
Content-Length: 332

v=0
o=- 1 2 IN IP4 172.1.1.112
s=CounterPath X-Lite 3.0
c=IN IP4 172.1.1.112
t=0 0
m=audio 60372 RTP/AVP 0 8 101
a=alt:1 3 : NP37ITbQ 7Z5WbGrz 213.16.33.139 60372
a=alt:2 2 : Q0JIKunJ uW14UV3u 172.2.1.111 60372
a=alt:3 1 : sKuD8lqI yL6F082u 172.1.1.112 60372
a=fmtp:101 0-15
a=rtpmap:101 telephone-event/8000
a=sendrecv
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 100
R1(config)#Trying
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-07178976d20f5e3d-1---d8754z-;rport
From: "5001"<sip:5001@cisco.com>;tag=092be37d
To: "2002"<sip:2002@cisco.com>
Date: Wed, 15 Sep 2010 18:41:09 GMT
Call-ID: OWNhNmQ4Mzk3YjY3YzlkZjhhZjY1MzI4OTdiYjVlZTI.
CSeq: 1 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:2002@6.6.6.6:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.3.140:5060;branch=z9hG4bK2212B1
Remote-Party-ID: "5001" <sip:1001@192.168.3.140>;party=calling;screen=no;privacy=off
From: "5001" <sip:1001@6.6.6.6>;tag=12FA79C-2109
To: <sip:2002@6.6.6.6>
Date: Wed, 15 Sep 2010 18:41:09 GMT
Call-ID: A441F42A-C02F11DF-8296F639-3DF062CE@192.168.3.140
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE:  1800
Cisco-Guid: 2755665842-3224310239-2190538297-1039164110
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1284576069
Contact: <sip:1001@192.168.3.140:5060>
Expires: 180
Allow-Events: telephone-event
Max-Forwards: 69
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 215

v=0
o=CiscoSystemsSIP-GW-UserAgent 6044 0 IN IP4 192.168.3.140
s=SIP Call
c=IN IP4 192.168.3.140
t=0 0
m=audio 18384 RTP/AVP 0 19
c=IN IP4 192.168.3.140
a=rtpmap:0 PCMU/8000
a=rtpmap:19 CN/8000
a=ptime:20
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.3.140:5060;branch=z9hG4bK2212B1
From: "5001" <sip:1001@6.6.6.6>;tag=12FA79C-2109
To: <sip:2002@6.6.6.6>
Date: Wed, 15 Sep 2010 18:16:05 GMT
Call-ID: A441F42A-C02F11DF-8296F639-3DF062CE@192.168.3.140
Timestamp: 1284576069
CSeq: 101 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 192.168.3.140:5060;branch=z9hG4bK2212B1
From: "5001" <sip:1001@6.6.6.6>;tag=12FA79C-2109
To: <sip:2002@6.6.6.6>;tag=94CD3D4-BBA
Date: Wed, 15 Sep 2010 18:16:05 GMT
Call-ID: A441F42A-C02F11DF-8296F639-3DF062CE@192.168.3.140
Timestamp: 1284576069
CSeq: 101 INVITE
Require: 100rel
RSeq: 7480
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Remote-Party-ID: <sip:6004@192.168.3.136>;party=called;screen=no;privacy=off
Contact: <sip:2002@192.168.3.136:5060>
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.3.140:5060;branch=z9hG4bK2316C4
From: "5001" <sip:1001@6.6.6.6>;tag=12FA79C-2109
To: <sip:2002@6.6.6.6>;tag=94CD3D4-BBA
Date: Wed, 15 Sep 2010 18:16:05 GMT
Call-ID: A441F42A-C02F11DF-8296F639-3DF062CE@192.168.3.140
Server: Cisco-SIPGateway/IOS-12.x
CSeq: 102 PRACK
Content-Length: 0
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
CANCEL sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-07178976d20f5e3d-1---d8754z-;rport
To: "2002"<sip:2002@cisco.com>
From: "5001"<sip:5001@cisco.com>;tag=092be37d
Call-ID: OWNhNmQ4Mzk3YjY3YzlkZjhhZjY1MzI4OTdiYjVlZTI.
CSeq: 1 CANCEL
User-Agent: X-Lite release 1104o stamp 56125
Content-Length: 0

!! Hung up the phone here, not believing what I was seeing !!!

The solution for this fraud is to configure:

R1(config)#access-list 1 permit 192.168.3.0 0.0.0.255
R1(config)#access-list 1 deny any
R1(config)#voice source-group SIPIN
R1(cfg-source-grp)#access-list 1
R1(cfg-source-grp)#^Z
R1#

The access list is there to prevent toll fraud. If a SIP message comes in from a SIP server that is not permitted by this ACL, the gateway rejects the call with “500 Internal Server Error”:

//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-2b7ae0685139182a-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:5001@172.1.1.112:18980>
To: "2002"<sip:2002@cisco.com>
From: "5001"<sip:5001@cisco.com>;tag=9f2fa51e
Call-ID: ZmRlNmEyNGJlNjU3NmIxNzJmOWI1MjM1NzM4MjUzNjc.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: X-Lite release 1104o stamp 56125
Content-Length: 332

v=0
o=- 9 2 IN IP4 172.1.1.112
s=CounterPath X-Lite 3.0
c=IN IP4 172.1.1.112
t=0 0
m=audio 24758 RTP/AVP 0 8 101
a=alt:1 3 : YfWuKpv6 FtHUNojM 213.16.33.139 24758
a=alt:2 2 : +01pKF2W hOqOjQos 172.2.1.111 24758
a=alt:3 1 : Y3arJ6mi i4oz9+5p 172.1.1.112 24758
a=fmtp:101 0-15
a=rtpmap:101 telephone-event/8000
a=sendrecv
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 500
R1#Internal Server Error
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-2b7ae0685139182a-1---d8754z-;rport
From: "5001"<sip:5001@cisco.com>;tag=9f2fa51e
To: "2002"<sip:2002@cisco.com>;tag=110E318-D3C
Date: Wed, 15 Sep 2010 18:07:33 GMT
Call-ID: ZmRlNmEyNGJlNjU3NmIxNzJmOWI1MjM1NzM4MjUzNjc.
CSeq: 1 INVITE
Allow-Events: telephone-event
Reason: Q.850;cause=63
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0

//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
ACK sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-2b7ae0685139182a-1---d8754z-;rport
To: "2002"<sip:2002@cisco.com>;tag=110E318-D3C
From: "5001"<sip:5001@cisco.com>;tag=9f2fa51e
Call-ID: ZmRlNmEyNGJlNjU3NmIxNzJmOWI1MjM1NzM4MjUzNjc.
CSeq: 1 ACK
Content-Length: 0
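
To check a captured debug trace against the intended ACL, the following added example (not part of the original post, and not Cisco code) parses ccsipDisplayMsg output, evaluates each received INVITE's Via address with wildcard-mask matching, and pairs it with the gateway's reply. The function names are hypothetical, the sample trace is trimmed from the two traces above with the console prompt interleaving removed, and the Via host is assumed to stand in for the packet source address.

```python
import ipaddress
import re

# Standard ACL from the post: (action, base address, Cisco wildcard mask).
ACL = [("permit", "192.168.3.0", "0.0.0.255"), ("deny", "0.0.0.0", "255.255.255.255")]
# Constructed sample: the post's two traces, trimmed to the headers used here.
TRACE = """\
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-07178976d20f5e3d-1---d8754z-;rport
Call-ID: OWNhNmQ4Mzk3YjY3YzlkZjhhZjY1MzI4OTdiYjVlZTI.
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 100 Trying
Call-ID: OWNhNmQ4Mzk3YjY3YzlkZjhhZjY1MzI4OTdiYjVlZTI.
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-2b7ae0685139182a-1---d8754z-;rport
Call-ID: ZmRlNmEyNGJlNjU3NmIxNzJmOWI1MjM1NzM4MjUzNjc.
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 500 Internal Server Error
Call-ID: ZmRlNmEyNGJlNjU3NmIxNzJmOWI1MjM1NzM4MjUzNjc.
"""

def acl_action(ip, acl=ACL):
    """First-match ACL lookup; bits set in the wildcard mask are ignored."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (addr ^ int(ipaddress.IPv4Address(base))) & care == 0:
            return action
    return "deny"  # implicit deny that ends every IOS access list

def audit(trace, acl=ACL):
    """Per received INVITE: (Via IP, ACL action, first gateway reply)."""
    invites, replies = [], {}
    for msg in re.split(r"^/.*ccsipDisplayMsg:\n", trace, flags=re.M)[1:]:
        direction, start, *headers = msg.strip().splitlines()
        hdr = dict(h.split(": ", 1) for h in headers if ": " in h)
        if direction == "Received:" and start.startswith("INVITE "):
            # Assumption: the debug shows no packet source, so the Via host stands in.
            via_ip = re.search(r"SIP/2\.0/\w+ ([\d.]+)", hdr["Via"]).group(1)
            invites.append((hdr["Call-ID"], via_ip))
        elif direction == "Sent:" and start.startswith("SIP/2.0 "):
            replies.setdefault(hdr["Call-ID"], start.split(" ", 1)[1])
    return [(ip, acl_action(ip, acl), replies.get(cid, "")) for cid, ip in invites]
```

A row whose ACL action is "deny" but whose reply is a 1xx or 2xx status marks a call the gateway accepted from a source the access list would not permit.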

A Networker Blog

All i want to do is to give the victim a voice.!
