VoIP Wars : Return of the SIP



Similar documents
VoIP Wars : Return of the SIP

Hacking SIP Services Like a Boss. Fatih Özavcı Information Security Researcher & Consultant

VoIP Wars: Attack of the Cisco Phones

VoIP Wars: Attack of the Cisco Phones

Hacking Trust Relationships of SIP Gateways

Practical VoIP Hacking with Viproy

Viproy Reloaded 2.0. Compliance, Protection & Business Confidence. Melbourne Level 10, 401 Docklands Drv

Penetration Testing SIP Services

VoIP Wars: Destroying Jar Jar Lync

How to make free phone calls and influence people by the grugq

Protect Yourself Against VoIP Hacking. Mark D. Collier Chief Technology Officer SecureLogix Corporation

VOIP WARS: THE PHREAKERS AWAKEN. Fatih Managing Consultant Context Information Security

Conducting an IP Telephony Security Assessment

The Trivial Cisco IP Phones Compromise

Formación en Tecnologías Avanzadas

Sense of Security VoIP Security Testing Training

Basic Vulnerability Issues for SIP Security

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

A Brief Security Analysis of Microsoft Skype for Business

SIP Essentials Training

An outline of the security threats that face SIP based VoIP and other real-time applications

The #1 Issue on VoIP, Fraud!

Sense of Security VoIP Security Testing Training

NAT TCP SIP ALG Support

PENTEST. Pentest Services. VoIP & Web.

SIP : Session Initiation Protocol

Session Initiation Protocol (SIP) Vulnerabilities. Mark D. Collier Chief Technology Officer SecureLogix Corporation

VoIP Security regarding the Open Source Software Asterisk

Voice Over IP (VoIP) Denial of Service (DoS)

EE4607 Session Initiation Protocol

Recommended IP Telephony Architecture


Securing SIP Trunks APPLICATION NOTE.

SIP Trunking. Service Guide. Learn More: Call us at

Enumerating and Breaking VoIP

Online course syllabus. MAB: Voice over IP

Anat Bremler-Barr Ronit Halachmi-Bekel Jussi Kangasharju Interdisciplinary center Herzliya Darmstadt University of Technology

TSIN02 - Internetworking

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

Vulnerability Assessment and Penetration Testing

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

Learn Ethical Hacking, Become a Pentester

The SIP School- 'Mitel Style'

The VoIP Vulnerability Scanner

Storming SIP Security

Ron Shuck, CISSP, CISM, CISA, GCIA Infrastructure Security Architect Spirit AeroSystems

COPYRIGHTED MATERIAL. Contents. Foreword. Acknowledgments

SIP PBX TRUNKING WITH SIP-DDI 1.0

CS5008: Internet Computing

Analysis of a VoIP Attack

IP-Telephony SIP & MEGACO

Security of IPv6 and DNSSEC for penetration testers

VoIP Security Methodology and Results. NGS Software Ltd

SS7 & LTE Stack Attack

SIP Trunking and Voice over IP

A Novel Approach for Evaluating and Detecting Low Rate SIP Flooding Attack

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

VoIP Security. Title: Something Old (H.323), Something New (IAX), Something Hallow (Security), & Something Blue (VoIP Administrators)

SIP A Technology Deep Dive

Penetration Testing with Kali Linux

6.40A AudioCodes Mediant 800 MSBG

The SIP School- 'Mitel Style'

Black Box Analysis and Attacks of Nortel VoIP Implementations

Application Note. Onsight Connect Network Requirements V6.1

DoS/DDoS Attacks and Protection on VoIP/UC

Avaya IP Office 8.1 Configuration Guide

ARCHITECTURES TO SUPPORT PSTN SIP VOIP INTERCONNECTION

VoIP Trunking with Session Border Controllers

Best Practices for Securing IP Telephony

Vulnerabilities in SOHO VoIP Gateways

Unregister Attacks in SIP

Threats to be considered (1) ERSTE GROUP

SIP Trunking with Microsoft Office Communication Server 2007 R2

Transparent weaknesses in VoIP

TECHNICAL CHALLENGES OF VoIP BYPASS

Voice over IP Security

VoIP Phreaking Introduction to SIP Hacking. Hendrik Scholz 22C3, Berlin, Germany

The use of IP networks, namely the LAN and WAN, to carry voice. Voice was originally carried over circuit switched networks

Avaya Aura SIP Trunking Training

SIP Trunking Steps to Success, Part One: Key Lessons from IT Managers Who ve Been There

How to Configure the Avaya IP Office 6.1 for use with Integra Telecom SIP Solutions

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

Convergence Technologies Professional (CTP) Course 1: Data Networking

MODELLING OF INTELLIGENCE IN INTERNET TELEPHONE SYSTEM

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Configuration Notes 283

Voice over IP Fundamentals

Integration of GSM Module with PC Mother Board (GSM Trunking) WHITE/Technical PAPER. Author: Srinivasa Rao Bommana

Ingate Firewall/SIParator SIP Security for the Enterprise

Mediatrix 3000 with Asterisk June 22, 2011

Media Gateway Controller RTP

White paper. SIP An introduction

Vega 100G and Vega 200G Gamma Config Guide

Firewall Support for SIP

Transcription:

VoIP Wars : Return of the SIP Fatih Özavcı Security Consultant @ Sense of Security (Australia) www.senseofsecurity.com.au @fozavci

# whois Security Consultant @ Sense of Security (Australia) 10+ Years Experience in Penetration Testing 800+ Penetration Tests, 40+ Focused on NGN/VoIP SIP/NGN/VoIP Systems Penetration Testing Mobile Application Penetration Testing IPTV Penetration Testing Regular Stuff (Network Inf., Web, SOAP, Exploitation...) Author of Viproy VoIP Penetration Testing Kit Author of Hacking Trust Relationships Between SIP Gateways Blackhat Arsenal USA 2013 Viproy VoIP Pen-Test Kit So, that's me 2

Viproy in Action http://www.youtube.com/watch?v=1vdtujnvkgm

# traceroute VoIP Networks are Insecure, but Why? Basic Attacks Discovery, Footprinting, Brute Force Initiating a Call, Spoofing, CDR and Billing Bypass SIP Proxy Bounce Attack Fake Services and MITM Fuzzing Servers and Clients, Collecting Credentials (Distributed) Denial of Service Attacking SIP Soft Switches and SIP Clients, SIP Amplification Attack Hacking Trust Relationships of SIP Gateways Attacking SIP Clients via SIP Trust Relationships Fuzzing in Advance Out of Scope RTP Services and Network Tests, Management Additional Services XML/JSON Based Soap Services 4

# info SIP Session Initiation Protocol Only Signalling, not for Call Transporting Extended with Session Discovery Protocol NGN Next Generation Network Forget TDM and PSTN SIP, H.248 / Megaco, RTP, MSAN/MGW Smart Customer Modems & Phones Easy Management Security is NOT a Concern?! Next Generation! Because We Said So! 5

# SIP Services : Internal IP Telephony Support Servers Factory/Campus SIP over VPN SIP Clients INTERNET Commercial Gateways SIP Server Analog/Digital PBX 6

# SIP Services : Commercial Services Customers VAS, CDR, DB Servers MSAN/MGW PSTN/ISDN Distributed MPLS SDP Servers Soft Switch INTERNET (SIP Server) Mobile RTP, Proxy Servers 3rd Party Gateways 7

# Administrators Think... Root Doesn't! Their VoIP Network Isolated Abusing VoIP Requires Knowledge Open Physical Access, Weak VPN or MPLS With Viproy, That's No Longer The Case! Most Attacks are Network Based or Toll Fraud DOS, DDOS, Attacking Mobile Clients, Spying Phishing, Surveliance, Abusing VAS Services VoIP Devices are Well-Configured Weak Passwords, Old Software, Vulnerable Protocols 8

# Viproy What? Viproy is a Vulcan-ish Word that means "Call" Viproy VoIP Penetration and Exploitation Kit Testing Modules for Metasploit, MSF License Old Techniques, New Approach SIP Library for New Module Development Custom Header Support, Authentication Support New Stuff for Testing: Trust Analyzer, Bounce Scan, Proxy etc Modules Options, Register, Invite, Message Brute Forcers, Enumerator SIP Trust Analyzer, Service Scanner SIP Proxy, Fake Service, DDOS Tester 9

# Basic Attacks We are looking for... Finding and Identifying SIP Services and Purposes Discovering Available Methods and Features Discovering SIP Software and Vulnerabilities Identifying Valid Target Numbers, Users, Realm Unauthenticated Registration (Trunk, VAS, Gateway) Brute Forcing Valid Accounts and Passwords Invite Without Registration Direct Invite from Special Trunk (IP Based) Invite Spoofing (After or Before Registration, Via Trunk) Viproy Pen-Testing Kit Could Automate Discovery 10

# Basic Attacks Discovery OPTIONS / REGISTER / INVITE / SUBSCRIBE 100 Trying 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Clients Gateways Collecting Information from Response Headers User-Agent Server Realm Call-ID Record-Route Warning P-Asserted-Identity P-Called-Party-ID P-Preferred-Identity P-Charging-Vector Soft Switch (SIP Server) 11

# Basic Attacks Register REGISTER / SUBSCRIBE (From, To, Credentials) 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error RESPONSE Depends on Informations in REQUEST Type of Request (REGISTER, SUBSCRIBE) FROM, TO, Credentials with Realm Via Actions/Tests Depends on RESPONSE Brute Force (FROM, TO, Credentials) Detecting/Enumerating Special TOs, FROMs or Trunks Detecting/Enumerating Accounts With Weak or Null Passwords. Clients Gateways Soft Switch (SIP Server) 12

# Basic Attacks this isn't the call you're looking for We are attacking for... Free Calling, Call Spoofing Free VAS Services, Free International Calling Breaking Call Barriers Spoofing with... Via Field, From Field P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity ISDN Calling Party Number, Remote-Party-ID Bypass with... P-Charging-Vector (Spoofing, Manipulating) Re-Invite, Update (Without/With P-Charging-Vector) Viproy Pen-Testing Kit Supports Custom Headers 13

# Basic Attacks Invite, CDR and Billing Tests INVITE/ACK/RE-INVITE/UPDATE (From, To, Credentials, VIA...) 100 Trying 183 Session Progress 180 Ringing 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error RESPONSE Depends on Informations in INVITE REQUEST FROM, TO, Credentials with Realm, FROM <>, TO <> Via, Record-Route Direct INVITE from Specific IP:PORT (IP Based Trunks) Actions/Tests Depends on RESPONSE Brute Force (FROM&TO) for VAS and Gateways Testing Call Limits, Unauthenticated Calls, CDR Management INVITE Spoofing for Restriction Bypass, Spying, Invoice. Clients Gateways Soft Switch (SIP Server) 14

# SIP Proxy Bounce Attack SIP Proxies Redirect Requests to Other SIP Servers We Can Access Them via SIP Proxy then We Can Scan We Can Scan Inaccessible Servers URI Field is Useful for This Scan Viproy Pen-Testing Kit Has a UDP Port Scan Module 15

# SIP Proxy Bounce Attack 192.168.1.145 Izmir Production SIP Service The Wall White Walker How Can We Use It? 192.168.1.146 Ankara 192.168.1.201 Adana SIP Trust Relationship Attacks Attacking Inaccessible Servers Attacking SIP Software Software Version, Type 16

# Fake Services and MITM We Need a Fake Service Adding a Feature to Regular SIP Client Collecting Credentials Redirecting Calls Manipulating CDR or Billing Features Fuzzing Servers and Clients for Vulnerabilities Fake Service Should be Semi-Automated Communication Sequence Should be Defined Sending Bogus Request/Result to Client/Server Viproy Pen-Testing Kit Has a SIP Proxy and Fake Service Fuzzing Support of Fake Service is in Development Stage 17

# Fake Services and MITM Usage of Proxy & Fake Server Features Soft Switch (SIP Server) Clients Use ARP Spoof & VLAN Hopping & Manual Config Collect Credentials, Hashes, Information Change Client's Request to Add a Feature (Spoofing etc) Change the SDP Features to Redirect Calls Add a Proxy Header to Bypass Billing & CDR Manipulate Request at Runtime to find BOF Vulnerabilities 18

# DOS It's Not Service, It's Money Locking All Customer Phones and Services for Blackmail Denial of Service Vulnerabilities of SIP Services Many Responses for Bogus Requests DDOS Concurrent Registered User/Call Limits Voice Message Box, CDR, VAS based DOS Attacks Bye And Cancel Tests for Call Drop Locking All Accounts if Account Locking is Active for Multiple Fails Multiple Invite (After or Before Registration, Via Trunk) Calling All Numbers at Same Time Overloading SIP Server's Call Limits Calling Expensive Gateways,Targets or VAS From Customers Viproy Pen-Testing Kit Has a few DOS Features 19

# DDOS All Your SIP Gateways Belong to Us! SIP Amplification Attack + SIP Servers Send Errors Many Times (10+) + We Can Send IP Spoofed Packets + SIP Servers Send Responses to Victim => 1 packet for 10+ Packets, ICMP Errors (Bonus) Viproy Pen-Testing Kit Has a PoC DDOS Module Can we use SIP Server's Trust? -wait for it20

# DDOS All Your SIP Gateways Belong to Us! 192.168.1.201 Izmir Production SIP Service The Wall IP Spoofed Call Request 192.168.1.202 Ankara Production SIP Service White Walker The Wall 192.168.1.203 Adana Production SIP Service Citadel 21

# Hacking SIP Trust Relationships NGN SIP Services Trust Each Other Authentication and TCP are Slow, They Need Speed IP and Port Based Trust are Most Effective Way What We Need Target Number to Call (Cell Phone if Service is Public) Tech Magazine, Web Site Information, News Baby Steps Finding Trusted SIP Networks (Mostly B Class) Sending IP Spoofed Requests from Each IP:Port Each Call Should Contain IP:Port in "From" Section If We Have a Call, We Have The Trusted SIP Gateway IP and Port Brace Yourselves The Call is Coming 22

# Hacking SIP Trust Relationships Slow Motion 192.168.1.201 Izmir Production SIP Service The Wall t es om u eq n Fr R l l ta i a d C rt Da e f oo :Po p S IP IP ins nta o C Ankara White Walker Istanbul International Trusted Operator 23

# Hacking SIP Trust Relationships Brace Yourselves, The Call is Coming 192.168.1.201 Izmir Production SIP Service The Wall White Walker st e qu rom e ll R in F a d C own e f Fr oo y Kn p om d S IP ebo Ci m tad o S el Come Again? Ankara Istanbul International Trusted Operator Billing? CDR? Log? 24

# Hacking SIP Trust Relationships Business Impact Denial of Service Short Message Service and Billing Calling All Numbers at Same Time Overloading SIP Server's Call Limits Overloading VAS Service or International Limits Overloading CDR Records with Spoofed Calls Attacking a Server Software Crashing/Exploiting Inaccesible Features Call Redirection (working on it, not yet :/) Attacking a Client? Next Slide! 25

# Attacking a Client via SIP Trust Relationships SIP Server Redirects a few Fields to Client FROM, FROM NAME, Contact Other Fields Depend on Server (SDP, MIME etc) Clients Have Buffer Overflow in FROM? Send 2000 Chars to Test it! Crash it or Execute your Command if Available Clients Trust SIP Servers and Trust is UDP Based This module can be used for Trust Between Client and Server Viproy Pen-Testing Kit SIP Trust Module Simple Fuzz Support (FROM=FUZZ 2000) You Can Modify it for Further Attacks 26

# Attacking a Client via SIP Trust Relationships Brace Yourselves 550 Chars are Coming 192.168.1.201 Izmir Production SIP Service The Wall White Walker Ankara Istanbul t es u eq R The Wall m l l o a r d C s in F e f Bo oo har p C S g IP 550 Re us In qu vit es e t CRASSSSH! International Trusted Operator Command? Why Not! AdorePhone Iphone App 27

# Fuzz Me Maybe Fuzzing as a SIP Client SIP Server Proxy MITM SIP Server Software SIP Clients Hardware Devices, IP Phones, Video Conference Systems Desktop Application or Web Based Software Mobile Software Special SIP Devices/Software SIP Firewalls, ACL Devices, Proxies Connected SIP Trunks, 3rd Party Gateways MSAN/MGW Logging Software (Indirect) Special Products: Cisco, Alcatel, Avaya, Huawei, ZTE... 28

# Old School Fuzzing Request Fuzzing SDP Features MIME Type Fuzzing Response Fuzzing Authentication, Bogus Messages, Redirection Static vs Stateful How about Smart Fuzzing Missing State Features (ACK,PHRACK,RE-INVITE,UPDATE) Fuzzing After Authentication (Double Account, Self-Call) Response Fuzzing (Before or After Authentication) Missing SIP Features (IP Spoofing for SIP Trunks, Proxy Headers) Numeric Fuzzing for Services is NOT Memory Corruption Dial Plan Fuzzing, VAS Fuzzing 29

# How Viproy Pen-Testing Kit Helps Fuzzing Tests Skeleton for Feature Fuzzing, NOT Only SIP Protocol Multiple SIP Service Initiation Call Fuzzing in Many States, Response Fuzzing Integration With Other Metasploit Features Fuzzers, Encoding Support, Auxiliaries, Immortality etc. Custom Header Support Future Compliance, Vendor Specific Extensions, VAS Raw Data Send Support (Useful with External Static Tools) Authentication Support Authentication Fuzzing, Custom Fuzzing with Authentication Less Code, Custom Fuzzing, State Checks Some Features (Fuzz Library, SDP) are Coming Soon 30

# Fuzzing SIP Services Request Based OPTIONS/REGISTER/SUBSCRIBE/INVITE/ACK/RE-INVITE/UPDATE... 100 Trying 183 Session Progress 180 Ringing 200 OK Fuzzing Targets, REQUEST Fields 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Request Type, Protocol, Description Via, Branch, Call-ID, From, To, Cseq, Contact, Record-Route Proxy Headers, P-*-* (P-Asserted-Identity, P-Charging-Vector...) Authentication in Various Requests (User, Pass, Realm, Nonce) Content-Type, Content-Lenth SDP Information Fields ISUP Fields Clients Gateways Soft Switch (SIP Server) 31

# Fuzzing SIP Services Response Based OPTIONS MALICOUS RESPONSE Clients INVITE Myself / INVITE I'm Proxy INVITE/ACK Gateways MALICOUS RESPONSE Potential RESPONSE Types for Fuzzing 100 Trying 183 Session Progress 180 Ringing 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Soft Switch (SIP Server) 32

SIP Bounce Attack, Hacking SIP Trust, Attacking Mobile Apps http://www.youtube.com/watch?v=bsg3takh5ga

References Viproy VoIP Penetration and Exploitation Kit Author : http://viproy.com/fozavci Homepage : http://viproy.com/voipkit Github : http://www.github.com/fozavci/viproy-voipkit Attacking SIP Servers Using Viproy VoIP Kit (50 mins) https://www.youtube.com/watch?v=abxh_l0-y5a Hacking Trust Relationships Between SIP Gateways (PDF) http://viproy.com/files/siptrust.pdf VoIP Pen-Test Environment VulnVoIP http://www.rebootuser.com/?cat=371 34

Special Thanks to... Special Ones Konca Ozavci Kadir Altan Anil Pazvant Suggestions & Guidelines & Support Paul Henry Mark Collier Jason Olstrom Jesus Perez Rubio 35

Q?

Thanks

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information