SIP – ohh my!!

I am sorry that I haven't been on for a very long time; I have been dealing with lots of work. Today, however, I just wanted to share an experience about what people do with SIP: using any SIP softphone and pointing the proxy address to a router registered to a SIP trunk, unauthorized individuals can place outbound calls at your cost!

This gateway is calling a valid SIP registered number:

R2(cfg-translation-rule)#do show sip reg status
Line                             peer       expires(sec) registered P-Associ-URI
================================ ========== ============ ========== ============
2002                             -1         67           yes

Back on the victim router, we get this:

//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-07178976d20f5e3d-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:5001@172.1.1.112:18980>
To: "2002"<sip:2002@cisco.com>
From: "5001"<sip:5001@cisco.com>;tag=092be37d
Call-ID: OWNhNmQ4Mzk3YjY3YzlkZjhhZjY1MzI4OTdiYjVlZTI.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: X-Lite release 1104o stamp 56125
Content-Length: 332

v=0
o=- 1 2 IN IP4 172.1.1.112
s=CounterPath X-Lite 3.0
c=IN IP4 172.1.1.112
t=0 0
m=audio 60372 RTP/AVP 0 8 101
a=alt:1 3 : NP37ITbQ 7Z5WbGrz 213.16.33.139 60372
a=alt:2 2 : Q0JIKunJ uW14UV3u 172.2.1.111 60372
a=alt:3 1 : sKuD8lqI yL6F082u 172.1.1.112 60372
a=fmtp:101 0-15
a=rtpmap:101 telephone-event/8000
a=sendrecv
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-07178976d20f5e3d-1---d8754z-;rport
From: "5001"<sip:5001@cisco.com>;tag=092be37d
To: "2002"<sip:2002@cisco.com>
Date: Wed, 15 Sep 2010 18:41:09 GMT
Call-ID: OWNhNmQ4Mzk3YjY3YzlkZjhhZjY1MzI4OTdiYjVlZTI.
CSeq: 1 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:2002@6.6.6.6:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.3.140:5060;branch=z9hG4bK2212B1
Remote-Party-ID: "5001" <sip:1001@192.168.3.140>;party=calling;screen=no;privacy=off
From: "5001" <sip:1001@6.6.6.6>;tag=12FA79C-2109
To: <sip:2002@6.6.6.6>
Date: Wed, 15 Sep 2010 18:41:09 GMT
Call-ID: A441F42A-C02F11DF-8296F639-3DF062CE@192.168.3.140
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE:  1800
Cisco-Guid: 2755665842-3224310239-2190538297-1039164110
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1284576069
Contact: <sip:1001@192.168.3.140:5060>
Expires: 180
Allow-Events: telephone-event
Max-Forwards: 69
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 215

v=0
o=CiscoSystemsSIP-GW-UserAgent 6044 0 IN IP4 192.168.3.140
s=SIP Call
c=IN IP4 192.168.3.140
t=0 0
m=audio 18384 RTP/AVP 0 19
c=IN IP4 192.168.3.140
a=rtpmap:0 PCMU/8000
a=rtpmap:19 CN/8000
a=ptime:20
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.3.140:5060;branch=z9hG4bK2212B1
From: "5001" <sip:1001@6.6.6.6>;tag=12FA79C-2109
To: <sip:2002@6.6.6.6>
Date: Wed, 15 Sep 2010 18:16:05 GMT
Call-ID: A441F42A-C02F11DF-8296F639-3DF062CE@192.168.3.140
Timestamp: 1284576069
CSeq: 101 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 192.168.3.140:5060;branch=z9hG4bK2212B1
From: "5001" <sip:1001@6.6.6.6>;tag=12FA79C-2109
To: <sip:2002@6.6.6.6>;tag=94CD3D4-BBA
Date: Wed, 15 Sep 2010 18:16:05 GMT
Call-ID: A441F42A-C02F11DF-8296F639-3DF062CE@192.168.3.140
Timestamp: 1284576069
CSeq: 101 INVITE
Require: 100rel
RSeq: 7480
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Remote-Party-ID: <sip:6004@192.168.3.136>;party=called;screen=no;privacy=off
Contact: <sip:2002@192.168.3.136:5060>
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.3.140:5060;branch=z9hG4bK2316C4
From: "5001" <sip:1001@6.6.6.6>;tag=12FA79C-2109
To: <sip:2002@6.6.6.6>;tag=94CD3D4-BBA
Date: Wed, 15 Sep 2010 18:16:05 GMT
Call-ID: A441F42A-C02F11DF-8296F639-3DF062CE@192.168.3.140
Server: Cisco-SIPGateway/IOS-12.x
CSeq: 102 PRACK
Content-Length: 0
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
CANCEL sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-07178976d20f5e3d-1---d8754z-;rport
To: "2002"<sip:2002@cisco.com>
From: "5001"<sip:5001@cisco.com>;tag=092be37d
Call-ID: OWNhNmQ4Mzk3YjY3YzlkZjhhZjY1MzI4OTdiYjVlZTI.
CSeq: 1 CANCEL
User-Agent: X-Lite release 1104o stamp 56125
Content-Length: 0

!! Hung up the phone here, not believing what I was seeing !!!

The solution for this fraud is to configure a voice source group with an access list:

R1(config)#access-list 1 permit 192.168.3.0 0.0.0.255
R1(config)#access-list 1 deny any
R1(config)#voice source-group SIPIN
R1(cfg-source-grp)#access-list 1
R1(cfg-source-grp)#^Z
R1#

The access list is there to prevent toll fraud. If a SIP message comes in from a SIP server that is not permitted by this ACL, the gateway rejects the call with "500 Internal Server Error":

//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-2b7ae0685139182a-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:5001@172.1.1.112:18980>
To: "2002"<sip:2002@cisco.com>
From: "5001"<sip:5001@cisco.com>;tag=9f2fa51e
Call-ID: ZmRlNmEyNGJlNjU3NmIxNzJmOWI1MjM1NzM4MjUzNjc.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: X-Lite release 1104o stamp 56125
Content-Length: 332

v=0
o=- 9 2 IN IP4 172.1.1.112
s=CounterPath X-Lite 3.0
c=IN IP4 172.1.1.112
t=0 0
m=audio 24758 RTP/AVP 0 8 101
a=alt:1 3 : YfWuKpv6 FtHUNojM 213.16.33.139 24758
a=alt:2 2 : +01pKF2W hOqOjQos 172.2.1.111 24758
a=alt:3 1 : Y3arJ6mi i4oz9+5p 172.1.1.112 24758
a=fmtp:101 0-15
a=rtpmap:101 telephone-event/8000
a=sendrecv
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 500 Internal Server Error
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-2b7ae0685139182a-1---d8754z-;rport
From: "5001"<sip:5001@cisco.com>;tag=9f2fa51e
To: "2002"<sip:2002@cisco.com>;tag=110E318-D3C
Date: Wed, 15 Sep 2010 18:07:33 GMT
Call-ID: ZmRlNmEyNGJlNjU3NmIxNzJmOWI1MjM1NzM4MjUzNjc.
CSeq: 1 INVITE
Allow-Events: telephone-event
Reason: Q.850;cause=63
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0

//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
ACK sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-2b7ae0685139182a-1---d8754z-;rport
To: "2002"<sip:2002@cisco.com>;tag=110E318-D3C
From: "5001"<sip:5001@cisco.com>;tag=9f2fa51e
Call-ID: ZmRlNmEyNGJlNjU3NmIxNzJmOWI1MjM1NzM4MjUzNjc.
CSeq: 1 ACK
Content-Length: 0
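
An added example, not part of the original post: a Python check that replays the post's access list (first match, Cisco wildcard masks) over ccsipDisplayMsg debug text and lists the received INVITEs that the list would deny. The function names and the third sample message are assumptions made for this example, and the topmost Via address is used as a stand-in for the packet source address.

```python
import ipaddress
import re

# ACL from the post: permit 192.168.3.0 0.0.0.255, then deny any.
ACL = [("permit", "192.168.3.0", "0.0.0.255"), ("deny", "0.0.0.0", "255.255.255.255")]

# Constructed sample: two messages trimmed from the post's trace, plus a made-up
# third one from a peer inside the permitted range.
SAMPLE_DEBUG = """\
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:2002@cisco.com SIP/2.0
Via: SIP/2.0/UDP 172.1.1.112:18980;branch=z9hG4bK-d8754z-07178976d20f5e3d-1---d8754z-;rport
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:2002@6.6.6.6:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.3.140:5060;branch=z9hG4bK2212B1
//-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:2002@6.6.6.6 SIP/2.0
Via: SIP/2.0/UDP 192.168.3.136:5060;branch=z9hG4bK-constructed
"""

def acl_action(ip, acl=ACL):
    """First-match evaluation with Cisco wildcard masks (1 bits = don't care)."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(base)) & care:
            return action
    return "deny"  # implicit deny at the end of every ACL

def received_invites(debug_text):
    """Yield (request URI, topmost Via address) for each received INVITE."""
    for block in re.split(r"^/+-1/.*ccsipDisplayMsg:[ \t]*$", debug_text, flags=re.M):
        lines = [l.strip() for l in block.strip().splitlines()]
        if len(lines) < 2 or lines[0] != "Received:" or not lines[1].startswith("INVITE "):
            continue
        via = next((l for l in lines if l.lower().startswith("via:")), "")
        m = re.search(r"SIP/2\.0/\w+\s+([\d.]+)", via)
        yield lines[1].split()[1], (m.group(1) if m else None)

def untrusted_invites(debug_text):
    # Assumption: Via stands in for the packet source, which the debug text omits.
    return [(uri, src) for uri, src in received_invites(debug_text)
            if src is None or acl_action(src) == "deny"]

if __name__ == "__main__":
    print(untrusted_invites(SAMPLE_DEBUG))
```

The gateway itself matches the real IP source address, so a hit here is a prompt to check the source group configuration rather than proof of where the packet came from.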

A Networker Blog

All I want to do is to give the victim a voice!

35 @ Sofia, Republic of Bulgaria!


35 is the sum of the first five triangular numbers, making it a tetrahedral number.

35 is a centered cube number, a pentagonal number and a pentatope number.

35 is a highly cototient number, since there are more solutions to the equation x – φ(x) = 35 than there are for any other integers below it except 1.

There are 35 hexominoes, the polyominoes made from 6 squares.

35 is a discrete semiprime (or biprime) (5 × 7); the tenth, and the first with 5 as the lowest non-unitary factor. The aliquot sum of 35 is 13, this being the second composite number with such an aliquot sum; the first being the cube 27. 35 is the last member of the first triple cluster of semiprimes 33, 34, 35. 85, 86, 87 is the second such triple discrete semiprime cluster.

Since the greatest prime factor of 35² + 1 = 1226 is 613, which is obviously more than 35 twice, 35 is a Størmer number.

35 is the highest number one can count to on one’s fingers using base 6.

and today, 35 years old!

INE Voice COD is OUT!

Internetwork Expert's Voice COD is just simply amazing!!

From what I have seen so far, Brian Dennis does an amazing job explaining the CME; he is the Master! Listening to their CODs, you feel like he skyrockets you up to the level necessary to defeat the CCIE Voice Lab!

CCIE Voice Advanced Technologies Class

I am really looking forward to renting a Voice Rack and Lab with them at the same time; they ROCK!