IVR Security:- Internal A3acks Via Phone Line

Similar documents
How I DOS ed My Bank. (DTMF Input Processing Easy DOS Attacks via Phone Lines)

Cisco Unified Communications Manager Auto-Attendant

Dramatically simplifying voice and data networking. IVR Editor HOW-TO Guide

Let's take a look at another example, which is based on the following diagram:

Eliac Call Recording - Configurator Guide. Eliac. Call Recording System Ver. 2.x.

SYMETRIX SOLUTIONS: TECH TIP February 2014

1. Login to with your User ID and password. Select Virtual Receptionist from the Basic Services tab.

Project Code: SPBX. Project Advisor : Aftab Alam. Project Team: Umair Ashraf (Team Lead) Imran Bashir Khadija Akram

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Wildix W04FXO Whitepaper

Updated Since :

Voice Call Addon for Ozeki NG SMS Gateway

1 VoIP/PBX Axxess Server

This topic describes dial peers and their applications.

Updated Since :

Updated Since :

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

White Paper Integration of TTY Calls into a Call Center Using the Placeholder Call Technique Updated: February 2007

Internet Telephony Terminology

Implementing Database Security and Auditing

A Guide to Connecting to FreePBX

Implementing a Digital Answering Machine with a High-Speed 8-Bit Microcontroller

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Updated Since :

SIP Trunking using Optimum Business SIP Trunk Adaptor and the Allworx 6x IP PBX

NCH Swift Sound IVM Phone Answering Attendant

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

: AudioCodes. Updated Since : READ THIS BEFORE YOU PROCEED

VOIP SECURITY: BEST PRACTICES TO SAFEGUARD YOUR NETWORK ======

CRYPTUS DIPLOMA IN IT SECURITY

Detecting SQL Injection Vulnerabilities in Web Services

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

IPPBX FAQ. For Firmware Version: V2.0/V

Envox Call Information Manager

V o i c e Processing S y s t e m

4. H.323 Components. VOIP, Version 1.6e T.O.P. BusinessInteractive GmbH Page 1 of 19

SIP Trunking using Optimum Business SIP Trunk Adaptor and ShoreTel IP PBX Phone System

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

locuz.com Professional Services Security Audit Services

Configuration guide for Switchvox and Cbeyond.

Quick Start Guide CREATING A NEW SITE

Workforce Management IVR. A multi-service voice platform

Grandstream Networks, Inc. UCM6100 Security Manual

Deploying Cisco Unified Contact Center Express Volume 1

Inbound Routing with NetSatisFAXTion

Compromising Voice Messaging Systems

Configuration Notes 290

Enabling Users for Lync services

Enterprise Communication Suite

Metasploit The Elixir of Network Security

To ensure you successfully install Timico VoIP for Business you must follow the steps in sequence:

Penetration Testing with Kali Linux

NAT TCP SIP ALG Support

FOR COMPANIES THAT WANT TO EXPAND AND IMPROVE THEIR TELEPHONE SYSTEM

Thick Client Application Security

KX-NS. Cellular Phone as Extension

IP PBX SH-500N

MAGIC TH6. System Configuration SW Version 2.000

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

OfficeServ 7100 IP-PBX. SIP Trunking using the Optimum Business Sip Trunk Adaptor and the Samsung

Application Notes Rev. 1.0 Last Updated: January 9, 2015

How Inbound Fax Routing Can Help Reduce Document Distribution Costs and Improve Productivity

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Analogue Telephone User Guide

Voice Over Internet Protocol(VoIP)

Optimizing Converged Cisco Networks (ONT)

SIP Trunking using the Optimum Business SIP Trunk adaptor and the AltiGen Max1000 IP PBX version 6.7

Table of Contents GETTING STARTED Enter Password Dialog...3 Using Online Help...3 System Configuration Menu...4

Vulnerability Assessment and Penetration Testing

White paper. SIP An introduction

Application Intrusion Detection

2N OfficeRoute. 2N OfficeRoute & Siemens HiPath (series 3000) connected via SIP trunk. Quick guide. Version 1.00

COMSPHERE 6700 SERIES NETWORK MANAGEMENT SYSTEM

Overview of Voice Over Internet Protocol

Applications between Asotel VoIP and Asterisk

E I M S - Interactive Voice Response System

1Building Communications Solutions with Microsoft Lync Server 2010

Dial Peer. Example: Dial-Peer Configuration

Automatic Routing of Inbound Faxes With Castelle Network Fax Servers. Fractional T1, Full T1, Fractional E1, Full E1, ISDN, DID and PBX Integration

Web App Security Audit Services

Step into the next level of office communication

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard

Enhanced VoIP Based Virtual PC Troubleshooting

Verifone Terminal FAQs (version D413):

Release Notes for NeoGate TA410/TA X

13 Ways Through A Firewall

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

SIP Trunking using the Optimum Business SIP Trunk Adaptor and the NEC DSX-40 IP-PBX

Direct IP Calls. Quick IP Call Mode

PBX Fraud Educational Information for PBX Customers

IVR (Interactive Voice Response) Operation Manual. Copyright 2012 Agile Networks, Inc. All Rights Reserved.

VIDEO IVR VAS & Customer Care

Manual. ABTO Software

Integration of GSM Module with PC Mother Board (GSM Trunking) WHITE/Technical PAPER. Author: Srinivasa Rao Bommana

SIP SOFTPHONE SDK Microsoft Windows Desktop OS

This module explains the Microsoft Dynamics NAV architecture and its core components.

VoiceXML Tutorial. Part 1: VoiceXML Basics and Simple Forms

SIP Trunk Configuration for Broadvox

Transcription:

IVR Security:- Internal A3acks Via Phone Line

Who am I? Rahul Sasi Security Researcher @ isight Partners. Member Garage4Hackers.

Garage 4 Hackers InformaGon Security professionals from Fortune 500, Security research and ConsulGng firms from all across the world. Security Firms ConsulGng Firms Research Firms Law Enforcements h3p://www.garage4hackers.com

IVR ApplicaGon Phone Banking Telephone Assistant Operator Hospital Medical Enquiry

What Made Me Interested: IVR ApplicaGon My Phone Banking. How it works. It used 16 digit Account No followed by 4 digit ATM pin for authengcagon using a voice call to IVR.

How it could be Hacked: In Theory Probability Theory Probability that event A occurs P(A) = n(a) / n(s). where, n(a) - number of event occurs in A n(s) - number of possible outcomes n(a) = n no of customers (huge) n(s) = no of pin combinagon (9000)

More Theory So if we make a program that dials into IVR and tries to authengcates into users account StarGng form account no 1000 to 2000 for password 6666. The chances of 1000 users having 6666 as pin for there accounts is very high :D. The lowest possibility lets say 10 accounts.

Enough Theories Individual Users ader 3 invalid a3empts, there account gets blocked. And every night at 12 clock your account would be automagcally acgvated ;) So if I start my brute force program at night 10 O clock, I could try 5 different pins for 1000 accounts with out blocking any accounts :D

Now what With the above logic any one would be able to crack least 50 ATM pins in 4 hours Gme :O Enough Theories

AT Commands Basic Sending DTMF tones using phone modem. AT [A3enGon ] ATD ATZ + vts ATH

How to Automate Serial Port CommunicaGon Talk to your phone modem.

Demo #1 IVR Brute.mp4

IVR: IntroducGon InteracGve Voice RecogniGon systems, use Touch- tone or Speech RecogniGon to make callers interact with the system. Touch Tones: DTMF inputs. Speech RecogniGon: Could send in voice commands, and TTS(Text to Speech) Engine Could detect it.

IVR Architecture

Layers of IVR Telephone Network TCP, IP Network VXML Telephony Server Web ApplicaGon server

Modules: How it works Client (Telephone Phone) Telephone Network PBX (Private Branch Exchange ) VXML Telephony Server VXML CXML Web ApplicaGon Servers Databases

Finger PrinGng Internal Servers: Triggering Errors: If we could trigger error messages on Internal servers, the text to voice (3s) machine would read out the error. There are many ways to trigger error, Fuzz for the grammar files, or best way is source code audigng. Automated Fuzzing for Errors.(tools)

Vulnerable Programs Sample Vulnerable Program: error_vul.xml

Demo #2 Finger PrinGng Internal Servers [Demo Video] ivr_error_video.mp4

Input ValidaGon A3acks: Using Grammar files [Nonsense Grammar format] Using prebuilt grammar files.

Chances of SQL InjecGon A3ack Vulnerable Program

Demo #3 Fuzzing for Grammar files

SQL Payloads Via DTMF DTMF LimitaGons, we could only send [0-9 ] * # A B C D Advance SQL injecgon Based on [ False InjecGon ]

Basic InjecGon: select * from users where id='$id' and password='$password or 1=1

select * from users where id='$id' and password='$password '=0# Input: '=0# [ and It Works ] Other inputs that will work: AddiGon +0# MulGplicaGon '*9# 1*0*0*1 [True] 1*0*0*1 [False] h3p://www.exploit- db.com/papers/18263/

IVR: Enter User ID User: 1337 IVR: Wrong User ID, Please try again IVR: Enter User ID User: 31337 IVR: Welcome Rahul Sasi

IVR: Enter User ID User: 31337*1*1*1*1 IVR: Welcome Rahul Sasi IVR: Enter User ID User: 31337*1*1*1*0 IVR: Invalid User [or] No Response

SQL InjecGon Check using DTMF Demo Video

Long strings, chances of Buffer Overflow. Improper Input validagon on input to CGI applicagons form VXML server. Voice and DTMF Fuzzing could Reveal Bugs. Our tool will be having voice fuzzing Support.

LimitaGons. Payloads cannot have / and other special characters. Sending payload using Upper Case Alpha Numeric Shell code. The payload has to be converted to DTMF (0-9) and Alphabets (A- Z)

Demo Video Vulnerable Program

The making of Voice Payload. Upper Case Alpha Numeric Payload

Demo #4 IVR: A3acking Internal Server using Voice Payload.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information