Première conférence publique à Paris le 21 mars VOIP Security Sjur Usken and Ben Reardon

Transcription

1 Première conférence publique à Paris le 21 mars VOIP Security Sjur Usken and Ben Reardon

2 Agenda Sjur Usken: Norway Chapter SIP primer Why pwn a VOIP server anyway Case studies in Norway Do s and Don ts Future threats Ben Reardon: Australian Chapter Sipvicious tool Sundayddr scanner Sality SIP scanning worm Forensic Challenge 4

3 SIP primer SIP = Session Initiation Protocol Used to set up, maintain and tear down sessions Other protocols such as RTP do the actual voice carriage Does not necessarily belong to VOIP

4 SIP primer Normally runs over UDP port 5060 SIP TLS (port 5061) secures the SIP session, but does NOT encrypt the RTP stream. (then you need Secure RTP (SRTP) or other encryption. Request and response type, same familiar status codes as HTTP 100 Trying 180 Ringing 200 OK 301 Moved Permanently 403 Forbidden 404 Not Found etc Major difference between SIP and HTTP is, In SIP - ALL devices are BOTH Server and Client

5 SIP primer

6 SIP primer

7 SIP primer SIP method extensions from other RFCs: SIP method info: Extension in RFC 2976 SIP method notify: Extension in RFC 2848 PINT SIP method subscribe: Extension in RFC 2848 PINT SIP method unsubscribe: Extension in RFC 2848 PINT SIP method update: Extension in RFC 3311 SIP method message: Extension in RFC 3428 SIP method refer: Extension in RFC 3515 SIP method prack: Extension in RFC 3262 SIP Specific Event Notification: Extension in RFC 3265 SIP Message Waiting Indication: Extension in RFC 3842 SIP method PUBLISH: Extension is RFC 3903

8 SIP primer RFC 3261 Official Main SIP RFC RFC Number Portability Parameters for the "tel" URI RFC The tel URI for Telephone Numbers RFC Mapping of Media Streams to Resource Reservation Flows RFC The Session Initiation Protocol (SIP) Refer Method RFC Requirements for Resource Priority Mechanisms for the Session Initiation Protocol (SIP) RFC Compressing the Session Initiation Protocol (SIP) RFC The Session Initiation Protocol (SIP) Static Dictionary for Signaling Compression (SigComp) RFC Session Initiation Protocol (SIP) Extension for Instant Messaging RFC Internet Media Type message/sipfrag RFC Grouping of Media Lines in the Session Description Protocol (SDP) RFC Dynamic Host Configuration Protocol (DHCP-for-IPv4) Option for Session Initiation Protocol (SIP) Servers RFC Dynamic Host Configuration Protocol (DHCPv6) Options for Session Initiation Protocol (SIP) Servers RFC Session Initiation Protocol (SIP) Extension Header Field for Registering Non-Adjacent Contacts RFC The Reason Header Field for the Session Initiation Protocol (SIP) RFC Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks RFC Short Term Requirements for Network Asserted Identity RFC A Privacy Mechanism for the Session Initiation Protocol (SIP) RFC Security Mechanism Agreement for the Session Initiation Protocol (SIP) RFC Private Session Initiation Protocol (SIP) Extensions for Media Authorization RFC Integration of Resource Management and Session Initiation Protocol (SIP) RFC The Session Initiation Protocol (SIP) UPDATE Method RFC SIP: Session Initiation Protocol (Main SIP RFC) RFC Reliability of Provisional Responses in the Session Initiation Protocol (SIP) RFC Session Initiation Protocol (SIP): Locating SIP Servers RFC An Offer/Answer Model with the Session Description Protocol (SDP) RFC Session Initiation Protocol (SIP)-Specific Event Notification RFC Control of Service Context using SIP Request-URI RFC Common Gateway Interface for SIP RFC The SIP INFO Method RFC The PINT Service Protocol: xtensions to SIP and SDP for IP Access to Telephone Call Services Surely, they are ALL secure...

9 Where is SIP used today Used to connect to the PSTN network SIP Trunk Static IP authentication SIP REGISTER End-devices Desktop phones Soft clients

10 Statistics from Sweden Scanned 1,000,000 ip addresses using svmap 2,296 replied with a SIP response Around 80 different vendors o Linksys (1362) o unknown (159) o Asterisk (121) o sipgt-67 (114) o EPC (111) o RIX67GW2 (78) o SpeedTouch (66) o Intertex (27)

11 And Norway (what are we thinking) Scanned 10,000,000 ip addresses using svmap 64,638 replied with a SIP response Around 152 different vendors o SpeedTouch (25305) o Linksys (17828) o ARRIS-TM502B (4455) o Sipura (3609) o ARRIS-TM602B (3267) o ARRIS-TM402B (2591) o M5T (1812) o unknown (1337) <--- good number ;-) o WGR613VAL-V2.3_43 (1140) o AVM (552)

12 Pick your targets Patton SN4552 2BIS EUI 00A0BA R5.T SIP M5T SIP Stack/ Linksys/SPA (SE) Nortel CS1000 SIP GW release_5.0 version_sse Polycom HDX 7000 HD (Release ) TANDBERG/512 (TC ) Sip EXpress router (2.1.0-dev1 OpenIMSCore (x86_64/linux))

13 Criminal Motives Financial Gain Toll Fraud Calling cards Premium rate dialing Retribution, Espionage, Intellectual property theft Leaks Eavesdropping You name it!

14 Successful attacks Lawnmover" attack All phones ring randomly with ghost calls "Bounce attack" on Cisco gateways with insecure configuration Fraud for approximately 1.2 million NOK (200K $) in 10 days. Test calls to Citibank in England. Bounces off insecure VoIP servers Firewall service provider left the PBX wide open Too many rules on the firewall and the technician did not quality check his work An Asterisk test server was connected to the prod network. Abused!

15 Some Phreaking Trivia Captain Crunch AKA John Draper Steve Wozniak 2600 Hz The Blue box

16

17 SipVicious pentesting tool Source: honeypot_ip_removed:5060 Datetime: :01: OPTIONS SIP/2.0 Via: SIP/2.0/UDP :5060;branch=z9hG4bK-17sd9sd41925 Content-Length: 0 From: "sipvicious"<sip:100@ >; User-Agent: friendly-scanner To: "sipvicious"<sip:100@ > Accept: application/sdp Contact: sip:100@honeypot_ip_removed:5060 CSeq: 1 OPTIONS Call-ID: Max-Forwards: 70

18 The sundayddr scanner

19 The sundayddr scanner Country of scanning host CN, 168 IP s Source: scanning_ip_removed:5060 Datetime: :53: Message: OPTIONS sip:100@honeypot_ip_removed SIP/2.0 Via: SIP/2.0/UDP :5060; branch=z9hg4bk ;rport Content-Length: 0 From: "sipsscuser"<sip:100@ >; tag=removed Accept: application/sdp User-Agent: sundayddr To: "sipssc"<sip:100@ > Contact: sip:100@ :5060 CSeq: 1 OPTIONS Call-ID: removed Max-Forwards: other countries, 52 US, 9 KR, 7 RU, 6 BR, 6 MY, 5 ES, 5 GB, 4 19

20 The sundayddr scanner 222 online Ports on scanning host 40 offline ssh microsoft-ds 4444 krb https 135 msrpc 80 http 139 netbios-ssn 111 rpcbind 21 ftp 1720 H.323/Q.931

21 The sundayddr scanner OS of scanning host (estimation) FreeBSD Aastra/Gemtek Embedded Load Balancer (eg F5) Linux 2.4/2.6 Lexmark Sun Solaris 8

22 The sundayddr scanner

23 Sality worm

24 Honeynet VOIP Forensic Challenge Austria Somalia Sierra Leone Hong Kong IP IP 2 - Franck Guenichot (France) - Fabio Panigatti (Italy) - Shaun Zinck (USA)

25 Possible future attacks More advance attacks on individual PBXes (buffer overflows, bug exploits etc. ) Trojans on local PCs doing internal search for PBXes (and can be a VoIP bridge) SPiT coming from the PSTN network (because it is so damn cheap to call) RTP injections to send commercials etc Eavesdropping on unencrypted calls Are you prepared

26 Do s and don ts Do Use long passwords (12+ letters and numbers) Use VPN for remote phones/ softclients Use at least access lists on firewalls, minimum! Don t! Use phones or PBXes on a public IP without a stateful firewall or a good SIP firewall Use default passwords Run unnecessary services on your PBX Intrusion Detection Systems Honeypot research Use VLAN as secure network 26

27 Summary There is money in hacking VOIP servers There is LOTS of scanning occurring Good security practices mitigate the current threat well (heard that before) What we have done: Measure, analyze and report activity Forensic Challenge FC4 VOIP module in Dionaea (GSOC 2011) What we are going to do Monitor for changes in MO and threat vectors Extend the VOIP module in Dionaea (GSOC 2011)

28

29 Thank you! Ben Reardon Sjur Eivind Usken Sjur wants to talk to those interested in M2M, scada, modbus, smarthouse etc technologies!