If a router has port 5060 open, and I know that there is unencrypted SIP traffic going through this port, how could one take advantage of this?

  • An nmap scan against an IP address shows that port 5060 is open. I know that 5060 indicates that this is SIP traffic. Also, 5060 indicates that this is unencrypted traffic, where if the port was 5061, then the traffic would be encrypted.

    I also have a hunch that 5060 tunnels through to a PBX-based phone system (possibly Asterisk). I think that the router is listening on 5060 and forwarding any inbound traffic pointed at port 5060 at this IP address to this Linux-based phone system for the purpose of receiving calls.

    Calls made come out through port 5060 at this IP address.

    What problems would this setup cause from a security point of view? How could an attacker take advantage of this information?

    Strictly speaking, port xxxx being open doesn't *indicate* anything. While it's likely that port 5060 is being used for SIP, and sending unencrypted traffic, it's also possible that it could be used for a web server or just about anything else.

    Ok, I have it on good authority that it's SIP and that it's not encrypted.

    @JMK - So what is your question exactly? You can view any traffic on any port.

    I want to know how a router forwarding traffic on port 5060 to an Asterisk phone system which is sending and receiving unencrypted SIP traffic would be vulnerable to attack, what an attacker would do to compromise such a system and how to defend against this. Do I need to update my question?

  • Yoav Aner (Correct answer), 9 years ago

    Port 5060 is normally assigned to SIP traffic. It might or might not be used for SIP, however. A simple nmap scan of this destination should probably reveal much more; for example, here's the output from an OS-fingerprint nmap scan of a VoIP adapter:

    nmap -v -O <ip_address>
    Host is up (0.0026s latency).
    Not shown: 999 closed ports
    80/tcp open  http
    MAC Address: 00:0E:08:CA:**:** (Cisco Linksys)
    Device type: VoIP adapter
    Running: Sipura embedded
    OS details: Sipura SPA-1001 or SPA-3000 VoIP adapter
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=261 (Good luck!)
    IP ID Sequence Generation: Incremental

    Some implementations of SIP TLS appear to use port 5061 by default, but the reverse is not necessarily true, i.e. seeing port 5061 doesn't necessarily mean it's encrypted. I know of a few SIP installations where various ports are used for (standard) SIP, and they tend to range between 5060 and 5070... Again, those ports are completely arbitrary. You can choose to run a service on pretty much any port you'd like. So I can, e.g., run SIP TLS on port 80 and plain SIP on port 23 if I choose to... Until you do some kind of probe / scan, you won't be able to know with a high enough degree of certainty.

    As far as VoIP / SIP security goes, there are probably many tools for scanning and potentially exploiting VoIP. A simple search revealed those items:

    and I'm sure you can find many others to experiment with.
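The answer's point is that a port number proves nothing until you probe the service. The following Python script is an added example (not part of the question or of Yoav Aner's answer) of the kind of probe a PBX administrator would run against their own system to confirm what answers on 5060 and what it gives away: it sends one SIP OPTIONS request (the SIP "ping" from RFC 3261), parses the reply, and reports defender-facing findings such as a version string in the Server banner and the fact that the server accepted cleartext UDP signaling. Every address, the `probe@` user and the `SAMPLE_RESPONSE` reply (including its Asterisk version string) are constructed for illustration; the `Server: Asterisk PBX ...` format is what chan_sip sends unless the `useragent` option in sip.conf is changed.

```python
"""Verify what actually answers on a SIP port and audit what the reply reveals.

Added example; the addresses, the probe user and SAMPLE_RESPONSE are constructed.
"""
import re
import socket
import uuid

# Constructed sample: the shape of reply an Asterisk-style PBX returns to OPTIONS.
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample;received=192.0.2.10\r\n"
    "From: <sip:probe@192.0.2.10>;tag=1234\r\n"
    "To: <sip:192.0.2.20>;tag=as5f3a1b2c\r\n"
    "Call-ID: example-call-id@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Server: Asterisk PBX 1.8.15.0\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH\r\n"
    "Supported: replaces, timer\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def build_options(target_host, target_port=5060, local_ip="192.0.2.10", local_port=5060):
    """Build a minimal RFC 3261 OPTIONS request; the z9hG4bK branch cookie is mandatory."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]
    return (
        f"OPTIONS sip:{target_host}:{target_port} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport\r\n"
        "Max-Forwards: 70\r\n"
        f"From: <sip:probe@{local_ip}>;tag={uuid.uuid4().hex[:8]}\r\n"
        f"To: <sip:{target_host}>\r\n"
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        f"Contact: <sip:probe@{local_ip}:{local_port}>\r\n"
        "Accept: application/sdp\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def parse_response(raw):
    """Parse a SIP response; return None if the bytes are not a SIP reply at all."""
    lines = raw.split("\r\n")
    status = re.match(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if not status:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    allow = [m.strip() for m in headers.get("allow", "").split(",") if m.strip()]
    return {
        "status": int(status.group(1)),
        "reason": status.group(2).strip(),
        # responses carry Server; some stacks put the banner in User-Agent instead
        "server": headers.get("server") or headers.get("user-agent"),
        "allow": allow,
        # the top Via echoes the transport we used, so this records what the server accepted
        "transport": "UDP" if "/UDP" in headers.get("via", "").upper() else "other",
    }


def assess(info):
    """Turn a parsed reply (or None for a non-SIP reply) into defender-facing findings."""
    if info is None:
        return ["port answered but not with SIP: do not infer the service from the port number"]
    findings = []
    if info["server"] and re.search(r"\d+\.\d+", info["server"]):
        findings.append(f"version disclosure in banner: {info['server']!r}")
    if info["transport"] == "UDP":
        findings.append("server accepted cleartext SIP over UDP: signaling, including digest "
                        "challenges and call metadata, is readable on path; prefer TLS "
                        "(conventionally 5061) with SRTP for media")
    return findings


def probe(host, port=5060, timeout=2.0):
    """Send OPTIONS over UDP; return the parsed reply, or None if nothing answered in time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))  # lets the OS pick the source address for the Via header
        local_ip, local_port = sock.getsockname()
        sock.send(build_options(host, port, local_ip, local_port).encode())
        data = sock.recv(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data.decode(errors="replace"))


if __name__ == "__main__":
    import sys
    # usage: python sip_options_probe.py <your-pbx-ip> [port]; no argument runs on the sample
    if len(sys.argv) > 1:
        result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5060)
        print("no reply (timeout)" if result is None else "\n".join(assess(result)))
    else:
        print("\n".join(assess(parse_response(SAMPLE_RESPONSE))))
```

A timeout is reported separately from a non-SIP reply, because on a NATed router the two mean different things (nothing forwarded versus something else forwarded). If the banner finding shows up on your own PBX, the fix on the Asterisk side is to set `useragent` in sip.conf to something without a version; the cleartext finding is only addressed by moving signaling to TLS and media to SRTP.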

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM