Authentication Capture: SIP - Metasploit


This page describes how to use the auxiliary/server/capture/sip Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Authentication Capture: SIP
Module: auxiliary/server/capture/sip
Source code: modules/auxiliary/server/capture/sip.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module provides a fake SIP service that is designed to capture authentication credentials. It captures challenge and response pairs that can be supplied to Cain or JtR for cracking.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.

Basic Usage


msf > use auxiliary/server/capture/sip
msf auxiliary(sip) > show targets
    ... a list of targets ...
msf auxiliary(sip) > set TARGET target-id
msf auxiliary(sip) > show options
    ... show and set options ...
msf auxiliary(sip) > exploit


Msfconsole Usage


Here is how the server/capture/sip auxiliary module looks in the msfconsole:

msf6 > use auxiliary/server/capture/sip

msf6 auxiliary(server/capture/sip) > show info

       Name: Authentication Capture: SIP
     Module: auxiliary/server/capture/sip
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Patrik Karlsson <patrik[at]cqure.net>

Available actions:
  Name     Description
  ----     -----------
  Capture  Run SIP capture server

Check supported:
  No

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  CAINPWFILE                   no        The local filename to store the hashes in Cain&Abel format
  JOHNPWFILE                   no        The prefix to the local filename to store the hashes in JOHN format
  NONCE       1234             yes       The server byte nonce
  SRVHOST     0.0.0.0          yes       The local host to listen on.
  SRVPORT     5060             yes       The local port to listen on.

Description:
  This module provides a fake SIP service that is designed to capture 
  authentication credentials. It captures challenge and response pairs 
  that can be supplied to Cain or JtR for cracking.

Module Options


This is a complete list of options available in the server/capture/sip auxiliary module:

msf6 auxiliary(server/capture/sip) > show options

Module options (auxiliary/server/capture/sip):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   CAINPWFILE                   no        The local filename to store the hashes in Cain&Abel format
   JOHNPWFILE                   no        The prefix to the local filename to store the hashes in JOHN format
   NONCE       1234             yes       The server byte nonce
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     5060             yes       The local port to listen on.

Auxiliary action:

   Name     Description
   ----     -----------
   Capture  Run SIP capture server

Advanced Options


Here is a complete list of advanced options supported by the server/capture/sip auxiliary module:

msf6 auxiliary(server/capture/sip) > show advanced

Module advanced options (auxiliary/server/capture/sip):

   Name        Current Setting                Required  Description
   ----        ---------------                --------  -----------
   REALM                                      no        The SIP realm to which clients authenticate
   SRVVERSION  ser (3.3.0-pre1 (i386/linux))  yes       The server version to report in the greeting response
   VERBOSE     false                          no        Enable detailed status messages
   WORKSPACE                                  no        Specify the workspace for this module
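
A defender's check for the fingerprints documented in the option tables above, as an added example that is not part of the module or the Metasploit project: it flags SIP 401 challenges carrying the default NONCE or SRVVERSION values, plus any nonce reused across challenges. It assumes the SRVVERSION string is reported in a Server or User-Agent header and the NONCE value in the WWW-Authenticate nonce parameter; the function names and sample messages are constructed for illustration.

```ruby
# Added example, not Metasploit code. Defaults are taken from this page's option tables.
DEFAULT_NONCE   = '1234'                           # NONCE
DEFAULT_VERSION = 'ser (3.3.0-pre1 (i386/linux))'  # SRVVERSION
# Split a raw SIP response into [status_code, {lowercased header name => [values]}].
def parse_sip_response(raw)
  lines = raw.split(/\r?\n\r?\n/, 2).first.to_s.split(/\r?\n/)
  status = lines.shift.to_s[%r{\ASIP/2\.0 (\d{3})}, 1]
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] << value.strip if value
  end
  [status&.to_i, headers]
end

# Extract the nonce parameter (quoted or bare) from a Digest challenge header value.
def challenge_nonce(value)
  return nil unless value =~ /\ADigest\s/i
  m = value.match(/\bnonce\s*=\s*(?:"([^"]*)"|([^,\s]+))/i)
  m && (m[1] || m[2])
end

# Indicators for one response; seen_nonces keeps counts across responses (assumed per-server).
def rogue_sip_indicators(raw, seen_nonces = Hash.new(0))
  status, headers = parse_sip_response(raw)
  return [] unless status == 401
  findings = []
  headers['www-authenticate'].each do |challenge|
    nonce = challenge_nonce(challenge)
    next unless nonce
    findings << :default_nonce if nonce == DEFAULT_NONCE
    findings << :reused_nonce if (seen_nonces[nonce] += 1) > 1  # heuristic: static nonce
  end
  banners = headers['server'] + headers['user-agent']  # assumed location of SRVVERSION
  findings << :default_server_version if banners.any? { |b| b.include?(DEFAULT_VERSION) }
  findings.uniq
end

# Constructed sample 401 response (not captured traffic).
def constructed_401(nonce, server)
  ['SIP/2.0 401 Unauthorized', 'Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed',
   'CSeq: 1 REGISTER', %(WWW-Authenticate: Digest realm="example.test", nonce="#{nonce}", algorithm=MD5),
   "Server: #{server}", 'Content-Length: 0', '', ''].join("\r\n")
end

seen = Hash.new(0)
[['1234', DEFAULT_VERSION], %w[5f2a9c1e7b ExamplePBX], %w[5f2a9c1e7b ExamplePBX]].each do |n, s|
  puts rogue_sip_indicators(constructed_401(n, s), seen).inspect
end
```

The reused-nonce indicator still fires when an operator changes NONCE and SRVVERSION away from their defaults, because the option is a single fixed value rather than a per-challenge one.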

Auxiliary Actions


This is a list of all auxiliary actions that the server/capture/sip module can do:

msf6 auxiliary(server/capture/sip) > show actions

Auxiliary actions:

   Name     Description
   ----     -----------
   Capture  Run SIP capture server

Evasion Options


Here is the full list of possible evasion options supported by the server/capture/sip auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(server/capture/sip) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

The code snippets below, taken from the module source code, show where each message is raised and can often help in identifying the root cause of the problem.

Unauthorized


Here is a relevant code snippet related to the "Unauthorized" error message:

              fd = File.open(datastore['CAINPWFILE'], "ab")
              fd.puts resp.join("\t") + "\r\n"
              fd.close
            end

            sip_send_error_message(request, 401, "Unauthorized")
          else
            sip_send_error_message(request, 401, "Unauthorized")
          end
        when "ACK"
          # do nothing

Unauthorized


Here is a relevant code snippet related to the "Unauthorized" error message:

              fd.close
            end

            sip_send_error_message(request, 401, "Unauthorized")
          else
            sip_send_error_message(request, 401, "Unauthorized")
          end
        when "ACK"
          # do nothing
        else
          print_error("Unhandled method: #{request[:method]}")

Unhandled method: <REQUEST:METHOD>


Here is a relevant code snippet related to the "Unhandled method: <REQUEST:METHOD>" error message:

            sip_send_error_message(request, 401, "Unauthorized")
          end
        when "ACK"
          # do nothing
        else
          print_error("Unhandled method: #{request[:method]}")
          sip_send_error_message(request, 401, "Unauthorized")
        end
      end

    rescue ::Interrupt

Unauthorized


Here is a relevant code snippet related to the "Unauthorized" error message:

          end
        when "ACK"
          # do nothing
        else
          print_error("Unhandled method: #{request[:method]}")
          sip_send_error_message(request, 401, "Unauthorized")
        end
      end

    rescue ::Interrupt
      raise $!

Unknown error: <E.CLASS> <E.BACKTRACE>


Here is a relevant code snippet related to the "Unknown error: <E.CLASS> <E.BACKTRACE>" error message:

    rescue ::Interrupt
      raise $!
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
      nil
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e.backtrace}")
    ensure
      @sock.close
    end
  end
end


Authors


Patrik Karlsson <patrik[at]cqure.net>

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
