Re: [asterisk-users] how to show used wrong password
On 03/15/2012 02:38 PM, Warren Selby wrote:
> Second, this is kind of outside the box thinking, so it may not work at all, but try setting the NAT on that peer to no, and then tcpdump the incoming registration attempts and see if you can see the internal private IP address of the packet. If there's a SIP helper on the far end, this may not help. Possibly, remove the secret= line from that peer in sip.conf and see if it successfully registers. Again, with the right nat= setting, you may be able to tcpdump the communication with that peer and get the private IP address so that you can then attempt to narrow it down. This is not a long term solution, obviously, as it would create a gaping security hole, but it's worth a shot.

There's an interesting option in there: if you remove the 'secret', then the peer will be able to register. Once it is registered, you can call it, and the user/owner/etc. will hopefully be there so you can tell them to fix their endpoint.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] how to show used wrong password
On Wed, Mar 14, 2012 at 1:36 PM, Randall <rand...@songshu.org> wrote:
> all works as expected only there is 1 extension that is trying to register with a wrong password causing fail2ban to block the IP address, normally that is ok behaviour but i have several extensions on that IP address.

First of all, white list the IP in fail2ban and you won't accidentally ban the whole office. This can be done by following this guide:
http://www.fail2ban.org/wiki/index.php/Whitelist

Second, this is kind of outside the box thinking, so it may not work at all, but try setting the NAT on that peer to no, and then tcpdump the incoming registration attempts and see if you can see the internal private IP address of the packet. If there's a SIP helper on the far end, this may not help. Possibly, remove the secret= line from that peer in sip.conf and see if it successfully registers. Again, with the right nat= setting, you may be able to tcpdump the communication with that peer and get the private IP address so that you can then attempt to narrow it down. This is not a long term solution, obviously, as it would create a gaping security hole, but it's worth a shot.

--
Thanks,
--Warren Selby, dCAP
http://www.SelbyTech.com
Re: [asterisk-users] how to show used wrong password
On 03/13/2012 11:06 PM, Dave Platt wrote:
>> Ouch. That isn't going to be so easy to spot, then! You would have to guess a bunch of likely passwords, fake up a challenge with some known nonce, and compare the response against those you would expect with each of the various possible passwords. (You've already got the Source Code to do all this, of course.) You'll have to try the selective unplugging method instead.
>
> There may be a way to do this, even in the face of the nonce-and-hash security system. As I understand it: when a system (re)registers with a good password, what you'll typically see is:
>
> - A registration request from the client (with the client's ID in the SIP parameters)
> - A response from Asterisk, saying something on the order of "Stale authentication. Try again. Here's a new nonce for you."
> - Another registration request from the same client, specifying the newly-issued nonce, and having a hash based on that nonce and the shared secret.
> - An OK response from Asterisk.
>
> When a system (re)registers, and has the wrong password/secret, the exchange will be different.
>
> - A registration request from the client (with the client's ID in the SIP parameters)
> - A response from Asterisk, saying something on the order of "Stale authentication. Try again. Here's a new nonce for you."
> - Another registration request from the same client, specifying the newly-issued nonce, and having a hash based on that nonce and the shared secret.
> - A response from Asterisk, rejecting the second registration request with something like a "bad digest" error.
>
> So, if you examine all of the SIP protocol exchanges taking place, you should see a whole bunch of successful four-way handshakes (from clients that have the correct secrets), and an occasional four-way handshake failure (from the one client that has the wrong password in its configuration).
>
> You won't be able to tell what password the client is actually trying to use - that's the whole point of the nonce-and-hash approach - but you'll be able to identify its client name, and (unless the far end is using a NAT or proxy) its IP address. To pin down the actual location of the client, you'll either have to go there, or have someone at the remote site do some investigation and (possibly) packet tracing on the LAN.

This will be of little use in this situation: the location is a shared office space/building in Vietnam, and the local hands I have already checked our computers for soft phones, but it is quite possible some machines got swapped there or some local admin installed it somewhere for testing purposes... and the local hands I have are not really useful, explaining to them to look up the meaning of packet tracing.

> Or, I suppose one could simply use Asterisk to try to phone the device or softphone in question, at whatever address it called in from, and ask whoever answers the phone to disable it!

This was my original idea, yes, but how can I call it without it being registered?
Re: [asterisk-users] how to show used wrong password
On Tuesday 13 March 2012, Randall wrote:
> hi all, have asterisk set up in combination with fail2ban. all works as expected only there is 1 extension that is trying to register with a wrong password causing fail2ban to block the IP address, normally that is ok behaviour but i have several extensions on that IP address.
> [snip]
> any way to see which wrong password is being used?

tcpflow.

(And don't underestimate the power of simply disconnecting things until it works. Last thing you disconnected was the faulty one.)

--
AJS
Answers come *after* questions.
Re: [asterisk-users] how to show used wrong password
On 03/13/2012 08:11 AM, A J Stiles wrote:
> On Tuesday 13 March 2012, Randall wrote:
>> hi all, have asterisk set up in combination with fail2ban. all works as expected only there is 1 extension that is trying to register with a wrong password causing fail2ban to block the IP address, normally that is ok behaviour but i have several extensions on that IP address.
>> [snip]
>> any way to see which wrong password is being used?
>
> tcpflow.
>
> (And don't underestimate the power of simply disconnecting things until it works. Last thing you disconnected was the faulty one.)

This will not help. Assuming we are talking about a SIP REGISTER here, the password is *not* sent in the request. Asterisk issues a challenge including a randomly generated value (called a 'nonce'), then the UA attempting to register responds to that challenge with an MD5 digest of a string composed of various elements, including both the nonce and the shared secret ('password'). Asterisk computes the same digest internally, and if they match, then the assumption is that both ends know the shared secret.

By their very nature, digest functions are not reversible; given the MD5 digest present in a SIP request containing an Authorization header, there is no way to figure out what shared secret was used in the computation of that digest. Since you know the nonce and the other portions of the calculation, you could attempt to try various 'likely' passwords to see if any of them result in the same digest value... this is called the brute-force method, and it could take a *very* long time to arrive at a shared secret that would allow the endpoint to register.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
Re: [asterisk-users] how to show used wrong password
On 03/13/2012 02:11 PM, A J Stiles wrote:
> On Tuesday 13 March 2012, Randall wrote:
>> hi all, have asterisk set up in combination with fail2ban. all works as expected only there is 1 extension that is trying to register with a wrong password causing fail2ban to block the IP address, normally that is ok behaviour but i have several extensions on that IP address.
>> [snip]
>> any way to see which wrong password is being used?
>
> tcpflow.
>
> (And don't underestimate the power of simply disconnecting things until it works. Last thing you disconnected was the faulty one.)

Thanks, will give that a try.

P.S. I know the method, the only problem is that it's a time consuming process (in this case it includes a 9000 km travel and not all equipment on that side is mine).
Re: [asterisk-users] how to show used wrong password
On 03/13/2012 03:53 PM, Kevin P. Fleming wrote:
> On 03/13/2012 08:11 AM, A J Stiles wrote:
>> On Tuesday 13 March 2012, Randall wrote:
>>> hi all, have asterisk set up in combination with fail2ban. all works as expected only there is 1 extension that is trying to register with a wrong password causing fail2ban to block the IP address, normally that is ok behaviour but i have several extensions on that IP address.
>>> [snip]
>>> any way to see which wrong password is being used?
>>
>> tcpflow.
>>
>> (And don't underestimate the power of simply disconnecting things until it works. Last thing you disconnected was the faulty one.)
>
> This will not help. Assuming we are talking about a SIP REGISTER here, the password is *not* sent in the request. Asterisk issues a challenge including a randomly generated value (called a 'nonce'), then the UA attempting to register responds to that challenge with an MD5 digest of a string composed of various elements, including both the nonce and the shared secret ('password'). Asterisk computes the same digest internally, and if they match, then the assumption is that both ends know the shared secret.
>
> By their very nature, digest functions are not reversible; given the MD5 digest present in a SIP request containing an Authorization header, there is no way to figure out what shared secret was used in the computation of that digest. Since you know the nonce and the other portions of the calculation, you could attempt to try various 'likely' passwords to see if any of them result in the same digest value... this is called the brute-force method, and it could take a *very* long time to arrive at a shared secret that would allow the endpoint to register.

Confirmed, doesn't work.
Re: [asterisk-users] how to show used wrong password
On Tuesday 13 March 2012, Kevin P. Fleming wrote:
> [tcpflow] will not help. Assuming we are talking about a SIP REGISTER here, the password is *not* sent in the request. Asterisk issues a challenge including a randomly generated value (called a 'nonce'), then the UA attempting to register responds to that challenge with an MD5 digest of a string composed of various elements, including both the nonce and the shared secret ('password'). Asterisk computes the same digest internally, and if they match, then the assumption is that both ends know the shared secret.

Ouch. That isn't going to be so easy to spot, then! You would have to guess a bunch of likely passwords, fake up a challenge with some known nonce, and compare the response against those you would expect with each of the various possible passwords. (You've already got the Source Code to do all this, of course.)

You'll have to try the selective unplugging method instead.

--
AJS
Answers come *after* questions.
Re: [asterisk-users] how to show used wrong password
> Ouch. That isn't going to be so easy to spot, then! You would have to guess a bunch of likely passwords, fake up a challenge with some known nonce, and compare the response against those you would expect with each of the various possible passwords. (You've already got the Source Code to do all this, of course.) You'll have to try the selective unplugging method instead.

There may be a way to do this, even in the face of the nonce-and-hash security system. As I understand it: when a system (re)registers with a good password, what you'll typically see is:

- A registration request from the client (with the client's ID in the SIP parameters)
- A response from Asterisk, saying something on the order of "Stale authentication. Try again. Here's a new nonce for you."
- Another registration request from the same client, specifying the newly-issued nonce, and having a hash based on that nonce and the shared secret.
- An OK response from Asterisk.

When a system (re)registers, and has the wrong password/secret, the exchange will be different.

- A registration request from the client (with the client's ID in the SIP parameters)
- A response from Asterisk, saying something on the order of "Stale authentication. Try again. Here's a new nonce for you."
- Another registration request from the same client, specifying the newly-issued nonce, and having a hash based on that nonce and the shared secret.
- A response from Asterisk, rejecting the second registration request with something like a "bad digest" error.

So, if you examine all of the SIP protocol exchanges taking place, you should see a whole bunch of successful four-way handshakes (from clients that have the correct secrets), and an occasional four-way handshake failure (from the one client that has the wrong password in its configuration).

You won't be able to tell what password the client is actually trying to use - that's the whole point of the nonce-and-hash approach - but you'll be able to identify its client name, and (unless the far end is using a NAT or proxy) its IP address. To pin down the actual location of the client, you'll either have to go there, or have someone at the remote site do some investigation and (possibly) packet tracing on the LAN.

Or, I suppose one could simply use Asterisk to try to phone the device or softphone in question, at whatever address it called in from, and ask whoever answers the phone to disable it!
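The nonce-and-digest check Kevin describes and the success/failure pattern Dave describes, as an added example that is not from this thread or from Asterisk: it computes the RFC 2617 MD5 digest a phone puts in its second REGISTER (MD5 of username:realm:secret, MD5 of method:uri, then MD5 of HA1:nonce:HA2, which is the qop-less form chan_sip uses), recomputes it server-side from a constructed sip.conf-style secret table, and reports which peer behind a shared address fails. The realm "asterisk", the peer names, secrets, nonce and address are all constructed; as the thread says, the output is the peer name, never the secret it tried.

```python
import hashlib
import re

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, secret, method, uri, nonce):
    """RFC 2617 digest without qop, as chan_sip computes it for a REGISTER."""
    ha1 = md5hex(f"{user}:{realm}:{secret}")   # the only place the secret enters
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def parse_authorization(header: str) -> dict:
    """Turn 'Digest username="x", realm="y", ...' into a dict of its parameters."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header)
    return {key: quoted or bare for key, quoted, bare in pairs}

# Constructed peer table standing in for the secret= lines in sip.conf.
PEERS = {"2001": "s3cret-one", "2002": "s3cret-two", "2003": "s3cret-three"}

def check_register(header: str, secrets=PEERS) -> tuple:
    """Recompute the digest from the configured secret, as Asterisk does; return (username, ok)."""
    p = parse_authorization(header)
    user = p["username"]
    if user not in secrets:
        return user, False
    expected = digest_response(user, p["realm"], secrets[user], "REGISTER", p["uri"], p["nonce"])
    return user, expected == p["response"]

def make_auth_header(user, secret, nonce, realm="asterisk", uri="sip:pbx.example.invalid"):
    """What a phone sends in its second REGISTER, after the 401 challenge carrying the nonce."""
    resp = digest_response(user, realm, secret, "REGISTER", uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def failing_peers(attempts) -> list:
    """attempts: (source IP, Authorization header) pairs; returns (ip, user) for each failed digest."""
    results = [(ip, *check_register(h)) for ip, h in attempts]
    return sorted({(ip, user) for ip, user, ok in results if not ok})

# Constructed second-leg REGISTERs from one NATed office address; 2002 still has an old secret.
NONCE = "0123456789abcdef"  # constructed; Asterisk issues a fresh random nonce per challenge
ATTEMPTS = [
    ("203.0.113.10", make_auth_header("2001", "s3cret-one", NONCE)),
    ("203.0.113.10", make_auth_header("2002", "old-secret", NONCE)),
    ("203.0.113.10", make_auth_header("2003", "s3cret-three", NONCE)),
]

if __name__ == "__main__":
    for ip, user in failing_peers(ATTEMPTS):
        print(f"peer {user} from {ip}: digest mismatch (the secret it used is not recoverable)")
```

Whitelisting the office address in fail2ban, as Warren suggests, keeps this kind of mismatch from banning the peers that do authenticate correctly from the same IP.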