SIP Username Enumeration
Medium Nessus Plugin ID 56983
Synopsis
The SIP server on the remote host allows the enumeration of users.

Description
The SIP server on the remote host appears to respond differently to registration requests for valid and invalid usernames. Using that fact, Nessus was able to enumerate some of the valid usernames.

Solution
Configure the SIP server to respond identically to valid and invalid usernames. This can be done in Asterisk, for example, by setting 'alwaysauthreject=yes' in sip.conf.
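As an added defender-side illustration (not part of the Nessus plugin or of Asterisk): once 'alwaysauthreject=yes' makes the client-facing response uniform, the server's own log still records each failed REGISTER, so a burst of failures with many distinct usernames from a single source is the signal to alert on. The log lines below are constructed, modelled on Asterisk chan_sip NOTICE messages, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on chan_sip NOTICE messages (assumption:
# exact wording may differ between Asterisk versions).
SAMPLE_LOG = """\
[2024-01-15 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '203.0.113.5:5060' - No matching peer found
[2024-01-15 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '203.0.113.5:5060' - No matching peer found
[2024-01-15 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@pbx.example>' failed for '203.0.113.5:5060' - Wrong password
[2024-01-15 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@pbx.example>' failed for '203.0.113.5:5060' - No matching peer found
[2024-01-15 10:05:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '198.51.100.7:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'[^<]*<sip:(?P<user>[^@>]+)@[^>]*>' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)

def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, username, reason) for each failed REGISTER line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user"), m.group("reason")))
    return events

def find_enumerators(events, min_users=3, window=timedelta(seconds=60)):
    """Return {source_ip: sorted usernames tried} for sources whose failed REGISTERs
    cover at least `min_users` distinct usernames inside any sliding time window.
    A single user retrying a wrong password never trips this; a sweep does."""
    by_ip = defaultdict(list)
    for ts, ip, user, _reason in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerators(parse_failures(SAMPLE_LOG)))
```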