I found a security hole in the Asterisk SIP implementation last week. I was happy to hear that it has already been patched and released. The vulnerability allows an attacker to determine whether a given username is valid or not. With knowledge of existing usernames a more efficient password guessing attack can be mounted against the system.
The full advisory can be read here:
I have been working on some very basic VoIP tools lately which amongst other things have this attack implemented. I’ll hopefully get to releasing it in the near future.
I must say that I am somewhat surprised that people still use the smbat suite for Windows security testing. Since I am doing most Windows testing from Windows now a days I have found myself using alternative tools instead.
I have recieved numerous of questions over time regarding compilation problems, the most common being. Why does smbat fail to compile with the following error message?
error: ‘CLK_TCK’ undeclared (first use in this function)
This is due to the CLK_TCK being deprecated and replaced by CLOCKS_PER_SEC. The following patch solves this problem. Apply it by running the following command from within the smbat directory:
patch -p1 < smbat_CLK_TCK.patch