Viproy VoIP Penetration and Exploitation Toolkit

Similar documents
VoIP Wars : Return of the SIP

VoIP Wars : Return of the SIP

Hacking SIP Services Like a Boss. Fatih Özavcı Information Security Researcher & Consultant

Viproy Reloaded 2.0. Compliance, Protection & Business Confidence. Melbourne Level 10, 401 Docklands Drv

Hacking Trust Relationships of SIP Gateways

VoIP Wars: Attack of the Cisco Phones

VoIP Wars: Attack of the Cisco Phones

Practical VoIP Hacking with Viproy

Penetration Testing SIP Services

VoIP Wars: Destroying Jar Jar Lync

VOIP WARS: THE PHREAKERS AWAKEN. Fatih Managing Consultant Context Information Security

Enumerating and Breaking VoIP

Conducting an IP Telephony Security Assessment

Protect Yourself Against VoIP Hacking. Mark D. Collier Chief Technology Officer SecureLogix Corporation

The Trivial Cisco IP Phones Compromise

Security of IPv6 and DNSSEC for penetration testers

Vulnerability Assessment and Penetration Testing

Basic Vulnerability Issues for SIP Security


Penetration Testing with Kali Linux

Online course syllabus. MAB: Voice over IP

Anat Bremler-Barr Ronit Halachmi-Bekel Jussi Kangasharju Interdisciplinary center Herzliya Darmstadt University of Technology

NAT TCP SIP ALG Support

PENTEST. Pentest Services. VoIP & Web.

Connecting with Vonage

Sense of Security VoIP Security Testing Training

Learn Ethical Hacking, Become a Pentester

Understand SIP trunk and registration in DWG gateway Version: 1.0 Dinstar Technologies Co., Ltd. Date:

Storming SIP Security

A Brief Security Analysis of Microsoft Skype for Business

Voice Over IP (VoIP) Denial of Service (DoS)

Formación en Tecnologías Avanzadas

The VoIP Vulnerability Scanner

CyberData VoIP V2 Speaker with VoIP Clock Kit Configuration Guide for OmniPCX Enterprise

Securing Enterprise VoIP. VoIP Vulnerabilities Patrick Young CEO Arlinx Inc.

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

VoIP Security regarding the Open Source Software Asterisk

Black Box Analysis and Attacks of Nortel VoIP Implementations

A Novel Approach for Evaluating and Detecting Low Rate SIP Flooding Attack

How to make free phone calls and influence people by the grugq

Application Security Testing

Connecting with Free IP Call

CRYPTUS DIPLOMA IN IT SECURITY

Sense of Security VoIP Security Testing Training

NEW!!! Industry s only Comprehensive VoIP Security Boot Camp

SIP Essentials Training

EE4607 Session Initiation Protocol

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Session Initiation Protocol (SIP) Vulnerabilities. Mark D. Collier Chief Technology Officer SecureLogix Corporation

COPYRIGHTED MATERIAL. Contents. Foreword. Acknowledgments

SS7 & LTE Stack Attack

SIP Trunking Manual Technical Support Web Site: (registration is required)

VoIP Security. Title: Something Old (H.323), Something New (IAX), Something Hallow (Security), & Something Blue (VoIP Administrators)

An outline of the security threats that face SIP based VoIP and other real-time applications

1 SIP Carriers. 1.1 Tele Warnings Vendor Contact Versions Verified Interaction Center 2015 R2 Patch

Wave SIP Trunk Configuration Guide FOR BROADVOX

TECHNICAL CHALLENGES OF VoIP BYPASS

The #1 Issue on VoIP, Fraud!

Linux Network Security

hackers 2 hackers conference III voip (in)security luiz eduardo cissp, ceh, cwne, gcih

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

Recommended IP Telephony Architecture

MODELLING OF INTELLIGENCE IN INTERNET TELEPHONE SYSTEM

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

SIP : Session Initiation Protocol

How to Configure the Avaya IP Office 6.1 for use with Integra Telecom SIP Solutions

SIP Trunking with Microsoft Office Communication Server 2007 R2

Ron Shuck, CISSP, CISM, CISA, GCIA Infrastructure Security Architect Spirit AeroSystems

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. abechtsoudis (at) ieee.

Mediatrix 3000 with Asterisk June 22, 2011

6.40A AudioCodes Mediant 800 MSBG

FRONT RUNNER DIPLOMA PROGRAM INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

Ecessa Proxy VoIP Manual

Penetration Testing - a way for improving our cyber security

Advanced Higher Computing. Computer Networks. Homework Sheets

Time Warner ITSP Setup Guide

Vega 100G and Vega 200G Gamma Config Guide

CS5008: Internet Computing

How to Configure the Allworx 6x, 24x and 48x for use with Integra Telecom SIP Solutions

VOICE OVER IP (VOIP) TO ENTERPRISE USERS GIOTIS KONSTANTINOS

Deployment of Snort IDS in SIP based VoIP environments

Vulnerability Scan. January 6, 2015

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

Connecting with sipgate

Information Security. Training

Attacking VoIP Networks

The SIP School- 'Mitel Style'

Tactical Exploitation the other way to pen-test. hdm / valsmith

1.1.3 Versions Verified SIP Carrier status as of 18 Sep 2014 : validated on CIC 4.0 SU6.

Audience. Pre-Requisites

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

How to hack VMware vcenter server in 60 seconds

Potential Targets - Field Devices

Multimedia Communication in the Internet. SIP: Advanced Topics. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS

Payment Card Industry (PCI) Executive Report. Pukka Software

Configuring the Sonus SBC 2000 with Cisco Unified Call Manager 10.5 for Verizon Deployment

How to Configure the Toshiba Strata CIX for use with Integra Telecom SIP Solutions

Transcription:

Viproy VoIP Penetration and Exploitation Toolkit Fatih Özavcı Security Consultant @ Sense of Security (Australia)

# whois Security Consultant @ Sense of Security (Australia) 10+ Years Experience in Penetration Testing 800+ Penetration Tests, 40+ Focused on NGN/VoIP SIP/NGN/VoIP Systems Penetration Testing Mobile Application Penetration Testing IPTV Penetration Testing Regular Stuff (Network Inf., Web, SOAP, Exploitation...) Author of Viproy VoIP Penetration Testing Kit Author of Hacking Trust Relationships Between SIP Gateways DEFCON 21 VoIP Wars: Return of the SIP So, that's me 2

# traceroute Viproy What? SIP Services and Security Problems Basic Attacks but in Easy Way Modules for Basic Attacks SIP Proxy Bounce Attack Fake Services and MITM (Distributed) Denial of Service Hacking Trust Relationships of SIP Gateways Fuzzing in Advance Out of Scope RTP Services and Network Tests, Management Additional Services XML/JSON Based Soap Services 3

# Viproy What? Viproy is a Vulcan-ish Word that means "Call" Viproy VoIP Penetration and Exploitation Kit Testing Modules for Metasploit, MSF License Old Techniques, New Approach SIP Library for New Module Development Custom Header Support, Authentication Support New Stuffs for Testing: Trust Analyzer, Proxy etc Modules Options, Register, Invite Brute Forcers, Enumerator SIP Trust Analyzer, Service Scanner SIP Proxy, Fake Service, DDOS Tester 4

# SIP Services : Internal IP Telephony Support Servers Factory/Campus SIP over VPN SIP Clients INTERNET Commercial Gateways SIP Server Analog/Digital PBX 5

# SIP Services : Commercial Services Customers VAS, CDR, DB Servers MSAN/MGW PSTN/ISDN Distributed MPLS SDP Servers Soft Switch INTERNET (SIP Server) Mobile RTP, Proxy Servers 3rd Party Gateways 6

# Basic Attacks but in Easy Way We are looking for... Finding and Identifying SIP Services and Purposes Discovering Available Methods and Features Discovering SIP Software and Vulnerabilities Identifying Valid Target Numbers, Users, Realm Unauthenticated Registration (Trunk, VAS, Gateway) Brute Forcing Valid Accounts and Passwords Invite Without Registration Direct Invite from Special Trunk (IP Based) Invite Spoofing (After or Before Registration, Via Trunk) 7

# Basic Attacks but in Easy Way this isn't the call you're looking for We are attacking for... Free Calling, Call Spoofing Free VAS Services, Free International Calling Breaking Call Barriers Spoofing with... Via Field, From Field P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity ISDN Calling Party Number, Remote-Party-ID Bypass with... P-Charging-Vector (Spoofing, Manipulating) Re-Invite, Update (Without/With P-Charging-Vector) 8

# Basic Attacks but in Easy Way Modules for Discovery - Register, Enumerator, Options, Invite Modules to Obtain Information - Enumerator, Brute Forcer Modules to Attack VAS or Internal Services Module to Initiate Calls, Billing Attacks and Privilege Analysis Invite, Brute Forcer, Enumerator, Trust Analyzer Invite (Custom Header Support, Proxy Headers etc) Modules for Analyzing Trust Issues and Invite Spoofing Invite, Trust Analyzer Module to Modify SIP Clients/Servers' Behaviors - MITM Proxy Modules for DDOS/DOS - All Modules 9

# SIP Proxy Bounce Attack SIP Proxies Redirect Requests to Other SIP Servers We Can Access Them via SIP Proxy then We Can Scan We Can Scan Inaccessible Servers URI Field is Useful for This Scan Viproy Pen-Testing Kit Has a UDP Port Scan Module 10

# SIP Proxy Bounce Attack 192.168.1.145 Izmir Production SIP Service The Wall White Walker How Can We Use It? 192.168.1.146 Ankara 192.168.1.201 Adana SIP Trust Relationship Attacks Attacking Inaccessible Servers Attacking SIP Software Software Version, Type 11

# Fake Services and MITM Usage of Proxy & Fake Server Features Soft Switch (SIP Server) Clients Use ARP Spoof & VLAN Hopping & Manual Config Collect Credentials, Hashes, Information Change Client's Request to Add a Feature (Spoofing etc) Change the SDP Features to Redirect Calls Add a Proxy Header to Bypass Billing & CDR Manipulate Request at Runtime to find BOF Vulnerabilities 12

# Fake Services and MITM We Need a Fake Service Adding a Feature to Regular SIP Client Collecting Credentials Redirecting Calls Manipulating CDR or Billing Features Fuzzing Servers and Clients for Vulnerabilities Fake Service Should be Semi-Automated Communiation Sequence Should be Defined Sending Bogus Request/Result to Client/Server Viproy Pen-Testing Kit Has a SIP Proxy and Fake Service Fuzzing Support of Fake Service is in Development Stage 13

# DOS It's Not Service, It's Money Locking All Customer Phones and Services for Blackmail Denial of Service Vulnerabilities of SIP Services Many Responses for Bogus Requests DDOS Concurrent Registered User/Call Limits Voice Message Box, CDR, VAS based DOS Attacks Bye And Cancel Tests for Call Drop Locking All Accounts if Account Locking is Active for Multiple Fails Multiple Invite (After or Before Registration, Via Trunk) Calling All Numbers at Same Time Overloading SIP Server's Call Limits Calling Expensive Gateways,Targets or VAS From Customers Viproy Pen-Testing Kit Has a few DOS Features 14

# DDOS All Your SIP Gateways Belong to Us! SIP Amplification Attack + SIP Servers Send Errors Many Times (10+) + We Can Send IP Spoofed Packets + SIP Servers Send Responses to Victim => 1 packet for 10+ Packets, ICMP Errors (Bonus) Viproy Pen-Testing Kit Has a PoC DDOS Module Can we use SIP Server's Trust? -wait for it15

# Hacking SIP Trust Relationships NGN SIP Services Trust Each Other Authentication and TCP are Slow, They Need Speed IP and Port Based Trust are Most Effective Way What We Need Target Number to Call (Cell Phone if Service is Public) Tech Magazine, Web Site Information, News Baby Steps Finding Trusted SIP Networks (Mostly B Class) Sending IP Spoofed Requests from Each IP:Port Each Call Should Contain IP:Port in From Section If We Have a Call, We Have The Trusted SIP Gateway IP and Port Brace Yourselves The Call is Coming 16

# Hacking SIP Trust Relationships Slow Motion 192.168.1.201 Izmir Production SIP Service The Wall t es om u eq n Fr R l l ta i a d C rt Da e f oo :Po p S IP IP ins nta o C Ankara White Walker Istanbul International Trusted Operator 17

# How Viproy Pen-Testing Kit Helps Fuzzing Tests Skeleton for Feature Fuzzing, NOT Only SIP Protocol Multiple SIP Service Initiation Call Fuzzing in Many States, Response Fuzzing Integration With Other Metasploit Features Fuzzers, Encoding Support, Auxiliaries, Immortality etc. Custom Header Support Future Compliance, Vendor Specific Extensions, VAS Raw Data Send Support (Useful with External Static Tools) Authentication Support Authentication Fuzzing, Custom Fuzzing with Authentication Less Code, Custom Fuzzing, State Checks Some Features (Fuzz Library, SDP) are Coming Soon 18

References Viproy VoIP Penetration and Exploitation Kit Author : http://viproy.com/fozavci Homepage : http://viproy.com/voipkit Github : http://www.github.com/fozavci/viproy-voipkit Attacking SIP Servers Using Viproy VoIP Kit (50 mins) https://www.youtube.com/watch?v=abxh_l0-y5a Hacking Trust Relationships Between SIP Gateways (PDF) http://viproy.com/files/siptrust.pdf VoIP Pen-Test Environment VulnVoIP http://www.rebootuser.com/?cat=371 19

Q?

Thanks

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information