Hacking VoIP Routers. Power Of Community 2007 Hendrik Scholz

Similar documents
Attacking VoIP Networks

Attacking VoIP Networks

SIP Stack Fingerprinting and Stack Difference Attacks

Spam goes VoIP. Number Harvesting for Fun and Profit. Hack in The Box 2007 Dubai Hendrik Scholz

How to make free phone calls and influence people by the grugq

VoIP Phreaking Introduction to SIP Hacking. Hendrik Scholz 22C3, Berlin, Germany

Finding VoIP vulnerabilities while you sleep

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

Session Initiation Protocol (SIP) Vulnerabilities. Mark D. Collier Chief Technology Officer SecureLogix Corporation

Analysis of a VoIP Attack

Vulnerabilities in SOHO VoIP Gateways

Grandstream Networks, Inc. GXP2130/2140/2160 Auto-configuration Plug and Play

Linux Network Security

Firewall Firewall August, 2003

Voice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005

Anat Bremler-Barr Ronit Halachmi-Bekel Jussi Kangasharju Interdisciplinary center Herzliya Darmstadt University of Technology

Connecting with Vonage

DLink-655 Router Configuration Guide for VoIP

Manual. ABTO Software

SIP Trunking Quick Reference Document

VoIP Security Methodology and Results. NGS Software Ltd

P160S SIP Phone Quick User Guide

Check list for web developers

V o I P. VoIP What it can do for you. John Ferlito johnf@inodes.org

FOSDEM 2007 Brussels, Belgium. Daniel Pocock B.CompSc(Melbourne)

NCAS National Caller ID Authentication System

VoIP and IP Telephony

ScopTEL TM IP PBX Software. ITSP SIP Trunking Configuration

Connecting Your Enterprise With Asterisk: IAX to Kinky Adult Call Centers. Dayton Turner Voxter Communications

How To Configure. VoIP Survival. with. Broadsoft Remote Survival

Grandstream Networks, Inc. UCM6100 Security Manual

VOICE OVER IP SECURITY

IP Office Technical Tip

hackers 2 hackers conference III voip (in)security luiz eduardo cissp, ceh, cwne, gcih

Protect Yourself Against VoIP Hacking. Mark D. Collier Chief Technology Officer SecureLogix Corporation

Troubleshooting Tools to Diagnose or Report a Problem February 23, 2012

Multi-Homing Dual WAN Firewall Router

Connecting Your Enterprise With Asterisk: IAX to Carriers. Dayton Turner Voxter Communications

Firewall VPN Router. Quick Installation Guide M73-APO09-380

NAT Traversal for VoIP

Using IP Networks for voice and video: benefits and challenges

Connecting with sipgate

Release Notes for NeoGate TA410/TA X

The VoIP Vulnerability Scanner

An outline of the security threats that face SIP based VoIP and other real-time applications

A Comparative Study of Signalling Protocols Used In VoIP

Avaya IP Office 8.1 Configuration Guide

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

SIP ALG - Session Initiated Protocol Applications- Level Gateway

Multimedia Communication in the Internet. SIP Security Threads. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS 1

Multimedia Communication in the Internet. SIP: Advanced Topics. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS

Penetration Testing SIP Services

and Voice Applications Eyal Wirsansky, Verso Technologies JaxJUG

Tunnels and Redirectors

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

TSIN02 - Internetworking

Deployment of TLS support with Open SIP Express Router

VoIP from A to Z. NAEO 2009 Conference Cancun, Mexico

UIP1868P User Interface Guide

VOIP TELEPHONY: CURRENT SECURITY ISSUES

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

For internal circulation of BSNL only

MWR InfoSecurity Security Advisory. BT Home Hub SSID Script Injection Vulnerability. 10 th May Contents

SSC Getting rid of the biggest drag on VoIP!

SIP Trunking Application Notes V1.3

The 3CXIPPBX Tutorial

Configuring SIP Trunking and Networking for the NetVanta 7000 Series

Broadband Phone Gateway BPG510 Technical Users Guide

What is Web Security? Motivation

DPH-140S SIP Phone Quick User Guide

Mediatrix 3000 with Asterisk June 22, 2011

nexvortex SIP Trunking

3CX IP PBX Phone System Technical Training Deerfield.com

TECHNICAL CHALLENGES OF VoIP BYPASS

Storming SIP Security

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Connecting with Free IP Call

1 SIP Carriers. 1.1 Tele Warnings Vendor Contact Versions Verified SIP Carrier status as of Jan 1,

DoS/DDoS Attacks and Protection on VoIP/UC

Ethical Hacking as a Professional Penetration Testing Technique

PREDICTIVE DIALER AND REMOTE AGENT SETUP GUIDE

Integration of GSM Module with PC Mother Board (GSM Trunking) WHITE/Technical PAPER. Author: Srinivasa Rao Bommana

ShoreTel & AMTELCO Infinity Console via SIP Trunking (Native)

Businesses Save Money with Toshiba s New SIP Trunking Feature

Chapter 2 Introduction

Configuring the Dolby Conference Phone with Cisco Unified Communications Manager

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

VoIP Router TA G81022MS User Guide

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

RingCentral Office. Configure Grandstream phones with RingCentral. To contact RingCentral, please visit or call

White paper. SIP An introduction

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Voice over IP (SIP) Milan Milinković

The Telecom Terminal Solution

Attack and Defense Techniques

Monitoring SIP Traffic Using Support Vector Machines

User Manual of Web Client

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

SIP Essentials Training

Transcription:

Hacking VoIP Routers Power Of Community 2007 Hendrik Scholz hs@123.org 1

Agenda VoIP enabled DSL Routers Locating devices Fingerprinting Attacks Conclusions 2

VoIP enabled devices 3

Software Clients aka ''softphones'' your average Windows client often reassembles look and feel of a phone features lots of CPU power constant updates 4

Hardware Phones aka ''hardphones'' three major types VoIP enabled (mobile) phones PSTN to VoIP converters (ATAs) (DSL) routers with embedded VoIP capabilities 5

The usual Suspects 6

The Suspect direct internet connection no NAT issues for VoIP no protection from the outside world direct access to SIP stack Linux based 7

Locating VoIP devices 8

Locating VoIP Routers comparison search for open mailservers / http proxies well known port (25/80, 5060 in this case) nmap is great for this conclusion write a SIP aware nmap clone low SIP density, thus has to be fast 9

smap feature wise mashup of nmap (http://insecure.org/nmap/) sipsak (http://sipsak.org/) somewhat stateful SIP test tool http://www.wormulon.net/smap/ NEW: multi threaded for POC2007 5 100x faster than before can saturate your my local DSL uplink ;) 10

live demo single host scanning with smap 11

smap: testing a single host $ smap router.wormulon.net smap 0.6.0 ng <hs@123.org> http://www.wormulon.net/ 89.53.25.243: ICMP not tested, SIP enabled 1 host scanned, 1 SIP enabled $ 12

scanning networks which networks? sources: check DSL/cable ISPs that also have VoIP Dialup Blacklists verified that these IPs belong to customers IRC channels topic related (Linux, VoIP, Asterisk,...) 13

live demo network scanning with smap 14

smap: scanning a network $ time smap 89.53.25.0/24 89.53.25.72: ICMP not tested, SIP enabled 89.53.25.100: ICMP not tested, SIP enabled... 89.53.25.254: ICMP not tested, SIP disabled 256 hosts scanned, 180 SIP enabled (70.3%) real 0m18.880s user 0m0.004s sys 0m0.008s 15

network scanning results 60 80% success rate on ''good'' networks around 1 5% on random networks Best case attack preparation vulnerable device known ISP selling that device is known 1 minute scan time per /24 50% success rate result: ~7500 vulnerable hosts per hour 16

VoIP related protocols helpful protocols to identify VoIP devices ACS Auto Configuration server MGCP Media Gateway Control Protocol IAX Inter Asterisk exchange H.323 ITU T Q931 based VoIP protocols all less used than SIP 17

Auto Configuration Server Thesis: DSL router configuration is too complicated Solution: Remote configuration/management Implementation: TCP port 8000 open on router Features push/pull/replace config remote actions, i.e. reboot 18

ACS - Scanning / Attacking Scanning and Fingerprinting send ''GET / HTTP/1.0'' to port 8000 compare quoted realm against database of known ACS strings Attacking SSL all the way Certificates on both client and server another talk next year? 19

MGCP MGCP = Media Gateway Control Protocol RFC 3435 defines MGCP 1.0 API for media gateways no way to set up calls divert/manage media Usage deprecated for clients used on backbones for decomposed Voice switches 20

Fingerprinting VoIP devices 21

Fingerprinting Three steps send request receive response parse response and compare oddities to database Source of differences supported methods, features text representation (SIP is clear text) ability to parse broken messages 22

Fingerprinting: sample message OPTIONS sip:smap@localhost SIP/2.0 Via: SIP/2.0/UDP 89.53.52.174:12345;branch=z9hG4bK. 18752;rport;alias From: <sip:smap@89.53.52.174:12345>;tag=3170f461dc2786 To: <sip:smap@localhost> Call ID: 91902014@89.53.52.174 CSeq: 45717 OPTIONS Contact: <sip:smap@89.53.52.174:12345> Content Length: 0 Max Forwards: 70 User Agent: smap 0.6.0 ng Accept: text/plain 23

live demo fingerprinting a single host 24

smap: fingerprinting a single host $ smap o router.wormulon.net smap 0.6.0 ng <hs@123.org> http://www.wormulon.net/ 89.53.52.154: ICMP not tested, SIP enabled Guess: AVM FRITZ!Box Fon Series firmware: 14.04.06 (May 18 2006) User Agent: AVM FRITZ!Box Fon WLAN 7170 (fs) 29.04.40 (Aug 3 2007) 1 host scanned, 1 SIP enabled (100.0%) $ 25

live demo fingerprinting a network 26

smap: fingerprinting a network $ smap o 89.53.52.0/24 [...] 89.53.52.0: ICMP not tested, SIP enabled Guess: AVM FRITZ!Box Fon Series firmware: 29.04.29 (Dec 8 2006) User Agent: AVM FRITZ!Box Fon WLAN 7050 14.04.31 (Feb 5 2007) 89.53.52.1: ICMP not tested, SIP enabled Guess: AVM FRITZ!Box Fon Series firmware: 29.04.29 (Dec 8 2006) User Agent: AVM FRITZ!Box Fon WLAN 7170 29.04.22 (Sep 6 2006) [...] 89.53.52.4: ICMP not tested, SIP disabled 89.53.52.5: ICMP not tested, SIP disabled [...] 256 hosts scanned, 177 SIP enabled (69.1%) $ 27

Attacking VoIP routers 28

Possible Attacks Unwanted Contact (SPIT) Denial of Service Misrepresentation Communication Interception lots of low level parser stuff 29

Attack: Unwanted Contact Issues need to bypass ISP authentication need to bypass blacklists, firewalls,... need to know extension/user to contact Attack craft message(s) to make phone ring get users attention optional: play V*i*a*g*r*a SPIT message 30

Samsung Unwanted Contact task: bypass ISP task: bypass ''firewall'' not implemented on Samsung IAD task: find valid extension directly talk to IAD bug on Samsung IAD 0day advisory: Samsung unwanted contact.txt 31

live demo Samsung IAD ''Unwanted Contact'' 32

SPIT: Alert-Info Abuse 1/2 Alert Info is a SIP header defined in RFC3960 set distinct ringtone proprietary/abstract number proprietary/abstract name URI to.wav file supported by Asterisk, Grandstream, Thomson, Snom not mandatory (RFC 3960 > 3261) 33

Unwanted Contact: Ekiga comparable to Samsung issue published as: Ekiga_INVITE_RURI_advisory.txt adds a new twist: Misrepresentation 34

Ekiga Misrepresentation Attack INVITE contains From: header From: "abc" <sip: 123@10.0.0.2:12345>;tag=71a59b73 split into displayname and SIP URI popup window on incoming call: 35

Ekiga Misrepresentation 2/2 Call History shows displayname field 36

Misrepresentation Attacks Inside Ekiga user clicks on displayname Ekiga calls SIP URI oh my bank called please enter account information Outside Ekiga user copies displayname calls number which wasn't known/trusted inside VoIP network 37

SPIT: Alert-Info Abuse 2/2 Preparation put SPIT audio file on hacked webserver Attack send modified call setup message to victim phone receives message pulls.wav file off website starts playing ''custom'' ringtone 38

AVM 0-Byte UDP bug AVM Fritz!Box is series of VoIP/DSL routers empty UDP message to SIP port will be forwarded to SIP stack SIP stack crashes no incoming calls possible Attack: hping3-2 -d 0 -p 5060 <target> first published: http://mazzoo.de/blog/security/fritzbox_dos.writeback fixed in early 2007 but still seen in the wild 39

VoIP Cross Site Scripting VoIP devices have web interface with call logs inject malicious content i.e. Javascript credits to Radu State Owning the internal network with SIP (part 1) and a Linksys Phone http://seclists.org/fulldisclosure/2007/oct/0174.html 40

XSS Example INVITE sip:testac.0180.01@freenet.de SIP/2.0 Via: SIP/2.0/UDP 10.0.0.2:12345;branch=z9hG4bK. 0c430fd8;rport;alias From: "blafasel" <sip: 01801411111999@10.0.0.2:12345>;tag=71a59b73 To: sip:testac.0180.01@freenet.de Call-ID: 1906678643@10.0.0.2 CSeq: 9 INVITE Content-Length: 0 Contact: sip:sipsak@10.0.0.2:12345 $ sipsak -f <filename> -s sip:freenet.de -p <IP> 41

Outlook VoIP Botnets SPIT SBC in between all calls? VoIP firewalls breaking them has huge impact 42

Questions and Answers Hendrik Scholz hs@123.org 43

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information