Authentication Capture: SIP - Metasploit
This page contains detailed information about how to use the auxiliary/server/capture/sip Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Authentication Capture: SIP
Module: auxiliary/server/capture/sip
Source code: modules/auxiliary/server/capture/sip.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module provides a fake SIP service that is designed to capture authentication credentials. It captures challenge and response pairs that can be supplied to Cain or JtR for cracking.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
Basic Usage
msf > use auxiliary/server/capture/sip
msf auxiliary(sip) > show targets
... a list of targets ...
msf auxiliary(sip) > set TARGET target-id
msf auxiliary(sip) > show options
... show and set options ...
msf auxiliary(sip) > exploit
Msfconsole Usage
Here is how the server/capture/sip auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/capture/sip
msf6 auxiliary(server/capture/sip) > show info
Name: Authentication Capture: SIP
Module: auxiliary/server/capture/sip
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Patrik Karlsson <patrik[at]cqure.net>
Available actions:
Name     Description
----     -----------
Capture  Run SIP capture server
Check supported:
No
Basic options:
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
CAINPWFILE                   no        The local filename to store the hashes in Cain&Abel format
JOHNPWFILE                   no        The prefix to the local filename to store the hashes in JOHN format
NONCE       1234             yes       The server byte nonce
SRVHOST     0.0.0.0          yes       The local host to listen on.
SRVPORT     5060             yes       The local port to listen on.
Description:
This module provides a fake SIP service that is designed to capture
authentication credentials. It captures challenge and response pairs
that can be supplied to Cain or JtR for cracking.
Module Options
This is a complete list of options available in the server/capture/sip auxiliary module:
msf6 auxiliary(server/capture/sip) > show options
Module options (auxiliary/server/capture/sip):
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
CAINPWFILE                   no        The local filename to store the hashes in Cain&Abel format
JOHNPWFILE                   no        The prefix to the local filename to store the hashes in JOHN format
NONCE       1234             yes       The server byte nonce
SRVHOST     0.0.0.0          yes       The local host to listen on.
SRVPORT     5060             yes       The local port to listen on.
Auxiliary action:
Name     Description
----     -----------
Capture  Run SIP capture server
Advanced Options
Here is a complete list of advanced options supported by the server/capture/sip auxiliary module:
msf6 auxiliary(server/capture/sip) > show advanced
Module advanced options (auxiliary/server/capture/sip):
Name        Current Setting                Required  Description
----        ---------------                --------  -----------
REALM                                      no        The SIP realm to which clients authenticate
SRVVERSION  ser (3.3.0-pre1 (i386/linux))  yes       The server version to report in the greeting response
VERBOSE     false                          no        Enable detailed status messages
WORKSPACE                                  no        Specify the workspace for this module
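A defensive check built on the defaults listed above, as an added example that is not part of the module or of the original page: it parses SIP 401 challenges and flags the default NONCE value, the default SRVVERSION banner, and the same nonce appearing in more than one challenge. It assumes the module sends NONCE verbatim as the Digest nonce and SRVVERSION as the Server header; the function names and the sample messages are constructed for illustration.

```ruby
# Added example (not Metasploit code). Assumption: the NONCE option is sent
# verbatim as the Digest nonce and SRVVERSION as the Server header.
DEFAULT_NONCE  = '1234'
DEFAULT_SERVER = 'ser (3.3.0-pre1 (i386/linux))'

# Parse a SIP response into its status code, Server header and Digest nonce.
def parse_sip_response(raw)
  lines = raw.split(/\r?\n\r?\n/, 2).first.to_s.split(/\r?\n/)
  status = lines.shift.to_s[%r{\ASIP/2\.0 (\d{3})}, 1]
  return nil unless status
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] << value.strip if value
  end
  auth = headers['www-authenticate'].find { |v| v =~ /\ADigest\b/i }
  nonce = auth && auth[/\bnonce\s*=\s*"([^"]*)"/i, 1]
  { status: status.to_i, server: headers['server'].first, nonce: nonce }
end

# Audit the 401 challenges one registrar sent; returns a list of findings.
# Nonce reuse is a heuristic: identical nonces across separate challenges
# are worth investigating, not proof of a rogue server.
def audit_challenges(raw_responses)
  findings = []
  seen = Hash.new(0)
  raw_responses.each do |raw|
    msg = parse_sip_response(raw)
    next unless msg && msg[:status] == 401 && msg[:nonce]
    seen[msg[:nonce]] += 1
    findings << :default_nonce if msg[:nonce] == DEFAULT_NONCE
    findings << :default_server_banner if msg[:server] == DEFAULT_SERVER
  end
  findings << :nonce_reused if seen.values.any? { |count| count > 1 }
  findings.uniq
end

# Constructed sample messages (not captured traffic).
def challenge(nonce, server)
  "SIP/2.0 401 Unauthorized\r\nServer: #{server}\r\n" \
    "WWW-Authenticate: Digest realm=\"example.invalid\", nonce=\"#{nonce}\"\r\n" \
    "Content-Length: 0\r\n\r\n"
end

SUSPECT = [challenge(DEFAULT_NONCE, DEFAULT_SERVER)] * 2
BENIGN  = [challenge('5f3a9c0e7b1d4a62', 'pbx'), challenge('a81c4e907d2b6f35', 'pbx')]

if __FILE__ == $PROGRAM_NAME
  puts "suspect: #{audit_challenges(SUSPECT).inspect}"
  puts "benign:  #{audit_challenges(BENIGN).inspect}"
end
```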
Auxiliary Actions
This is a list of all auxiliary actions that the server/capture/sip module can do:
msf6 auxiliary(server/capture/sip) > show actions
Auxiliary actions:
Name     Description
----     -----------
Capture  Run SIP capture server
Evasion Options
Here is the full list of possible evasion options supported by the server/capture/sip auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(server/capture/sip) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Unauthorized
Here is a relevant code snippet related to the "Unauthorized" error message:
      fd = File.open(datastore['CAINPWFILE'], "ab")
      fd.puts resp.join("\t") + "\r\n"
      fd.close
    end

    sip_send_error_message(request, 401, "Unauthorized")
  else
    sip_send_error_message(request, 401, "Unauthorized")
  end
when "ACK"
  # do nothing
Unauthorized
Here is a relevant code snippet related to the "Unauthorized" error message:
      fd.close
    end

    sip_send_error_message(request, 401, "Unauthorized")
  else
    sip_send_error_message(request, 401, "Unauthorized")
  end
when "ACK"
  # do nothing
else
  print_error("Unhandled method: #{request[:method]}")
Unhandled method: <REQUEST:METHOD>
Here is a relevant code snippet related to the "Unhandled method: <REQUEST:METHOD>" error message:
        sip_send_error_message(request, 401, "Unauthorized")
      end
    when "ACK"
      # do nothing
    else
      print_error("Unhandled method: #{request[:method]}")
      sip_send_error_message(request, 401, "Unauthorized")
    end
  end

rescue ::Interrupt
Unauthorized
Here is a relevant code snippet related to the "Unauthorized" error message:
      end
    when "ACK"
      # do nothing
    else
      print_error("Unhandled method: #{request[:method]}")
      sip_send_error_message(request, 401, "Unauthorized")
    end
  end

rescue ::Interrupt
  raise $!
Unknown error: <E.CLASS> <E.BACKTRACE>
Here is a relevant code snippet related to the "Unknown error: <E.CLASS> <E.BACKTRACE>" error message:
    rescue ::Interrupt
      raise $!
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
      nil
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e.backtrace}")
    ensure
      @sock.close
    end
  end
end
Related Pull Requests
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5768 Merged Pull Request: Update modules to use metasploit-credential instead of report_auth_info
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
- #618 Merged Pull Request: add module for capturing SIP authentication challenge and response pairs
See Also
Check also the following modules related to this module:
- auxiliary/server/capture/drda
- auxiliary/server/capture/ftp
- auxiliary/server/capture/http
- auxiliary/server/capture/http_basic
- auxiliary/server/capture/http_javascript_keylogger
- auxiliary/server/capture/http_ntlm
- auxiliary/server/capture/imap
- auxiliary/server/capture/mssql
- auxiliary/server/capture/mysql
- auxiliary/server/capture/pop3
- auxiliary/server/capture/postgresql
- auxiliary/server/capture/printjob_capture
- auxiliary/server/capture/smb
- auxiliary/server/capture/smtp
- auxiliary/server/capture/telnet
- auxiliary/server/capture/vnc
- auxiliary/voip/sip_deregister
- auxiliary/voip/sip_invite_spoof
- auxiliary/scanner/sip/enumerator
- auxiliary/scanner/sip/enumerator_tcp
- auxiliary/scanner/sip/options
- auxiliary/scanner/sip/options_tcp
- auxiliary/scanner/sip/sipdroid_ext_enum
- exploit/windows/sip/aim_triton_cseq
- exploit/windows/sip/sipxezphone_cseq
- exploit/windows/sip/sipxphone_cseq
- auxiliary/dos/scada/siemens_siprotec4
- post/android/capture/screen
- post/osx/capture/keylog_recorder
- post/osx/capture/screen
- post/windows/capture/keylog_recorder
- post/windows/capture/lockout_keylogger
- auxiliary/scanner/dlsw/dlsw_leak_capture
- exploit/windows/browser/ie_setmousecapture_uaf
Authors
Patrik Karlsson <patrik[at]cqure.net>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.