Securing SIP Asterisk installations effectively is a "must" today and by taking a few easy steps you can go a long way towards a more secure phone system.  There are a few easy preventative steps that you can take which will make malicious intruders have a much harder time in abusing your SIP based PBX phone system.  Unfortunately, there are some easily obtainable SIP scanning software applications that these individuals find and the following video is to make owners of SIP based systems aware of the vulnerabilities, so that you can take the proper measures.

To realize the potential ease of taking a PBX watch this demonstration of Sipautohack. It is a scanning tool that can quickly discover holes; extensions with passwords.

PBX Hacking Demo

In this video the internal network that has 3 SIP devices.  For each SIP device that acts as a registrar, the application then identifies the extensions by guessing commonly used extension names, examples being 1234, 2345, etc.  Once it identifies a valid extension as such, it will then attempt to identify neighboring sequential extensions.  Finally it will try to crack the password for each extension on the PBX.  In this example, the target PBX servers are Communigate Pro and Asterisk.

 

Automated VOIP penetration testing using sipautohack from Sandro Gauci on Vimeo.