easy PBX honeypotting

Did anyone else see the new SIPVicious logo? Pretty cool upgrade. SIPVicious is not the only SIP hacking automation tool out there; I've also been seeing a lot of "friendly-scanner" (which is the User-Agent string SIPVicious itself sends by default, so much of that traffic is the same tool under a different label). This post is a quick overview of how to set up an easy honeypot that allows registration to any extension.

My real PBX does not use the default port 5060 for SIP registration, so I was able to use 5060 for my bait server. If I were poking around the web and saw a PBX on port 5060 with extensions like 100 or 101 that needed no authentication, I'd assume "IT'S A TARP!" But what's really doing the work here? It's not a guy like me sitting at a PC, it's an automated script like SIPVicious, and nothing in the script raises a flag saying "this is way too easy."

What actually happens is that any call placed from one of my bait extensions is sent out over the IAX trunk that connects my two PBXs. The dirty call is translated to 110 before it leaves the bait server, and that's it: every call over the IAX trunk lands on extension 110, where it can be answered. The caller has no idea the number was translated, and I don't have to worry about them somehow getting out through my real SIP trunk, which only the real PBX has access to.

1. A registration attempt against 100, 101, 1001, etc. succeeds: no 401 Unauthorized challenge is sent, because the bait extensions require no authentication.

2. The caller can then dial whatever number they want from 101.

3. The call matches a dial pattern in the Outbound Route associated with the IAX trunk and is passed to it.

4. The IAX trunk's dial rules translate the dialed digits to 110 and send the call out the trunk.

5. The real PBX receives the call for 110 over the IAX trunk and rings extension 110.

6. If 110 is answered, a call is established with a random guy on the internet that you can say "hi" to.

IAX and routes

Other than building the "bait extensions" on the honeypot and having a real extension to call, only two things need to be set up: the IAX trunk and the dialed-number manipulation. The first thing is to ensure your Outbound Route includes every digit string someone might try to reach.

On the left is the Outbound Route Dial Pattern table.

After some issues matching all the fubar numbers these people were trying to dial, I had to tweak mine a bit and keep adding patterns. The callers were throwing in something like a trunk access code, assuming they had to dial a prefix before calling internationally. I know there's some overlap here, but you get the idea: we just want to match anything they dial and try to connect the call.

On the right, we see the dialed number manipulation.

We're not matching any pattern; the prefix field catches everything dialed so that it is discarded, and each rule prepends 110 to whatever is left (nothing). This is how every call gets translated to 110.
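To make the two tables concrete, here is an added Python model of how an Outbound Route dial pattern and a trunk dialed-number manipulation rule (prepend + prefix | match) behave. This is my own example, not the author's FreePBX configuration or FreePBX code; the route patterns and the single trunk rule in it are constructed for illustration, and the wildcard semantics (X, Z, N, [..], ".", "!") are those of Asterisk dial patterns.

```python
import re

# Wildcards in FreePBX/Asterisk dial patterns: X = 0-9, Z = 1-9, N = 2-9,
# [...] = a character class, "." = one or more of anything, "!" = zero or more.
# Everything else is matched literally (so "*" and "+" are plain characters).
WILDCARDS = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+", "!": ".*"}


def pattern_to_regex(pattern):
    """Translate one dial pattern into an (unanchored) regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c in WILDCARDS:
            out.append(WILDCARDS[c])
        elif c == "[":
            j = pattern.index("]", i)      # character classes pass through untouched
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def matches(dialed, pattern):
    """True if the whole dialed string matches the dial pattern."""
    return re.fullmatch(pattern_to_regex(pattern), dialed) is not None


def apply_rule(dialed, prepend, prefix, match):
    """Apply one trunk dialed-number manipulation rule (prepend + prefix | match).

    The dialed string must match prefix followed by match; the prefix part is
    discarded, the match part is kept, and prepend is put in front of it.
    Returns the rewritten number, or None if the rule does not apply.
    """
    regex = "(" + pattern_to_regex(prefix) + ")(" + pattern_to_regex(match) + ")"
    m = re.fullmatch(regex, dialed)
    if m is None:
        return None
    return prepend + m.group(2)


# Constructed outbound-route dial patterns for the bait PBX (illustrative, not
# the author's table). They overlap on purpose: the aim is to catch whatever a
# scanner dials, with or without a trunk access code like 9, 0 or 011 in front.
BAIT_ROUTE_PATTERNS = ["X.", "9X.", "0X.", "00X.", "011X.", "+X.", "*X."]

# Constructed trunk manipulation rule in the spirit of the post: prepend 110,
# prefix "." swallows the entire dialed string, and the match part is empty, so
# nothing survives except the prepended 110.
TRUNK_RULES = [("110", ".", "")]


def route_call(dialed, route_patterns=BAIT_ROUTE_PATTERNS, trunk_rules=TRUNK_RULES):
    """Return the number sent over the IAX trunk, or None if no route pattern matches."""
    if not any(matches(dialed, p) for p in route_patterns):
        return None
    for prepend, prefix, match in trunk_rules:
        rewritten = apply_rule(dialed, prepend, prefix, match)
        if rewritten is not None:
            return rewritten
    return None


if __name__ == "__main__":
    for dialed in ["00441234567890", "9011441234567890", "*67123", "5"]:
        print(dialed, "->", route_call(dialed))
```

Two things the model shows that the tables alone don't: every pattern ending in "." needs at least one more character after the literal part, so a lone digit like "5" falls through the constructed table and is never trunked (which is why the list kept growing), and once the trunk rule's prefix is ".", the outbound-route overlap is harmless because the result is 110 no matter which route pattern won. (Asterisk picks the most specific matching pattern rather than the first one listed, which likewise makes no difference here.)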

There are plenty of resources on setting up an IAX trunk out there, so I'll be brief. One thing worth double-checking on each side is that host= points at the other box's address and that both sides share the same secret; "password" below is a placeholder, not something to ship on a system exposed to the internet.

from the bait system…

Outgoing Peer details

username=System1
secret=password        ; placeholder, use a long random secret
host=10.17.17.66       ; address of the other PBX
type=friend
context=from-trunk
qualify=yes
qualifyfreqok=25000
transfer=no
trunk=yes

Incoming USER details

type=user
secret=password        ; must match the secret on the other side
host=10.17.17.70
context=from-internal  ; calls arriving over the trunk can reach internal extensions

from the real system…

Outgoing Peer details

username=System1
secret=password        ; placeholder, use a long random secret
host=10.17.17.66       ; address of the other PBX
type=friend
context=from-trunk
qualify=yes
qualifyfreqok=25000
transfer=no
trunk=yes

Incoming USER details

type=user
secret=password        ; must match the secret on the other side
host=10.17.17.66
context=from-internal  ; calls arriving over the trunk land in from-internal, so 110 can ring

cat tax