Attacking VoIP Networks



Similar documents
Attacking VoIP Networks

VoIP Phreaking Introduction to SIP Hacking. Hendrik Scholz 22C3, Berlin, Germany

SIP Stack Fingerprinting and Stack Difference Attacks

How to make free phone calls and influence people by the grugq

NAT TCP SIP ALG Support

Lawful Interception in German VoIP Networks

This presentation discusses the new support for the session initiation protocol in WebSphere Application Server V6.1.

SIP Essentials Training

Formación en Tecnologías Avanzadas

Avaya IP Office 8.1 Configuration Guide

SIP Trunking. Service Guide. Learn More: Call us at

SIP Trunking Quick Reference Document

Anat Bremler-Barr Ronit Halachmi-Bekel Jussi Kangasharju Interdisciplinary center Herzliya Darmstadt University of Technology

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

Connecting with Vonage

VOICE OVER IP SECURITY

Technical Configuration Notes

SIP Trunking Manual Technical Support Web Site: (registration is required)

Part II. Prof. Ai-Chun Pang Graduate Institute of Networking and Multimedia, Dept. of Comp. Sci. and Info. Engr., National Taiwan University

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

Configuring Interoperability between Avaya IP Office and Avaya Business Communication Manager

Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

ACD: Average Call Duration is the average duration of the calls routed bya a VoIP provider. It is a quality parameter given by the VoIP providers.

Overview ENUM ENUM. VoIP Introduction (2/2) VoIP Introduction (1/2)

Security of IPv6 and DNSSEC for penetration testers

SIP A Technology Deep Dive

TSIN02 - Internetworking

Session Initiation Protocol (SIP) Vulnerabilities. Mark D. Collier Chief Technology Officer SecureLogix Corporation

IP Office Technical Tip

VoIP technology employs several network protocols such as MGCP, SDP, H323, SIP.

Application Notes Rev. 1.0 Last Updated: January 9, 2015

Connecting with Free IP Call

Enumerating and Breaking VoIP

SIP : Session Initiation Protocol

Internet Technology Voice over IP

Overview of Voice Over Internet Protocol

BroadSoft Partner Configuration Guide SIP Access Device Configuration Sonus Networks, Inc. SBC 1000 / SBC 2000

Technical Configuration Notes

An outline of the security threats that face SIP based VoIP and other real-time applications

Configuring a Pure-IP SIP Trunk in Lync 2013

Application Notes Rev. 1.0 Last Updated: February 3, 2015

VoIP Interkonnektion Test Specification

SIP-H.323 Interworking

Voice Printing And Reachability Code (VPARC) Mechanism for prevention of Spam over IP Telephony (SPIT)

Configuration Notes 0217

3CX Guide sip.orbtalk.co.uk

Enterprise Video Conferencing

IP PBX. SD Card Slot. FXO Ports. PBX WAN port. FXO Ports LED, RED means online

nexvortex SIP Trunking Implementation & Planning Guide V1.5

SIP: Ringing Timer Support for INVITE Client Transaction

Basic Vulnerability Issues for SIP Security

NCS 416 Paul Brennan Mohammed Haque IAX2 Trunking

Internet Telephony PBX System

Mediatrix 4404 Step by Step Configuration Guide June 22, 2011

VoIP. Overview. Jakob Aleksander Libak Introduction Pros and cons Protocols Services Conclusion

Internet Voice, Video and Telepresence Harvard University, CSCI E-139. Lecture #5

Storming SIP Security

Analysis of a VoIP Attack

TECHNICAL CHALLENGES OF VoIP BYPASS

SBC 1000/2000 Configuration Guide with Lync 2013 for Windstream/ LPAETEC SIP Trunk Deployments

Transparent weaknesses in VoIP

SIP Trunk Configuration Guide. using

The VoIP Vulnerability Scanner

Wave SIP Trunk Configuration Guide FOR BROADVOX

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Configuring SIP Trunking and Networking for the NetVanta 7000 Series

VoIP Trunking with Session Border Controllers

hackers 2 hackers conference III voip (in)security luiz eduardo cissp, ceh, cwne, gcih

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

MITEL SIP CoE. Technical. Configuration Notes. Configure MCD 6.X for use with babytel SIP trunks. SIP CoE

SIP Trunking Application Notes V1.3

Interoperability Test Plan for International Voice services (Release 6) May 2014

VOIP-211RS/210RS/220RS/440S. SIP VoIP Router. User s Guide

How to Configure the Allworx 6x, 24x and 48x for use with Integra Telecom SIP Solutions

VoIP Server Reference

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

Application Notes for Configuring Avaya IP Office 9.0 with HIPCOM SIP Trunk Issue 1.0

Configuring Interactive Intelligence ININ IP PBX For tw telecom SIP Trunking service USER GUIDE

Configuring Interoperability between Avaya IP Office and Avaya Communication Manager

proudly presents Homer-Shooting The secret Art of Troubleshooting VoIP in Real-Time with Homer & SIPGrep

nexvortex Setup Guide

OpenSER the open SIP Server. Bogdan-Andrei Iancu CEO Voice System Co-Founder OpenSER Project

VoIP Security Methodology and Results. NGS Software Ltd

Application Notes for BT Wholesale/HIPCOM SIP Trunk Service and Avaya IP Office 8.0 Issue 1.0

Release Notes for NeoGate TA410/TA X

EE4607 Session Initiation Protocol

Voice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005

VoIP H.323 Series. VoIP Gatways: VoIP 422/404/440/800 VoIP Routers: VoIP 404R/440R/200R/110R. Quick Setup Guide

How to Configure the Avaya IP Office 6.1 for use with Integra Telecom SIP Solutions

Grandstream Networks, Inc. UCM6100 Security Manual

DoS/DDoS Attacks and Protection on VoIP/UC

Dialogic Diva SIPcontrol Software

Micronet VoIP Solution with Asterisk

Connecting with sipgate

Application Notes for Configuring Intelepeer SIP Trunking with Avaya IP Office Issue 1.0

SPAM over Internet Telephony (SPIT) und Abwehrmöglichkeiten

Manual. ABTO Software

Project Code: SPBX. Project Advisor : Aftab Alam. Project Team: Umair Ashraf (Team Lead) Imran Bashir Khadija Akram

Transcription:

Attacking VoIP Networks Hendrik Scholz <hscholz@raisdorf.net> http://www.wormulon.net/ cansecwest/core06 Vancouver April 3 7 2006

Agenda VoIP overview specific Attacks Forking/Traffic Amplification End User Devices Routing Protocol Independent Attacks Implementation Differences Configuration Bugs

VoIP for Managers VoIP equals cheap: run PSTN on Internet infrastructure more features: ISDN + Instant Messaging in production use today end users peering/transit Google/Skype cannot be wrong explosive growth

The Dark Side PSTN converges with the Internet more old hardware to take care of PSTN features need to be implemented fundamental differences clever network + dump terminals goes dumb network + clever applications

SIP Standards Feel Lost? 1847, 2045, 2046, 2047, 2048, 2198, 2327, 2543, 2616, 2617, 2633, 2733, 2791, 2833, 2848, 2959, 2976, 3087, 3050, 3204, 3219, 3261, 3262, 3263, 3264, 3265, 3266, 3310, 3311, 3312, 3313, 3319, 3320, 3321, 3322, 3323, 3324, 3325, 3326, 3327, 3329, 3361, 3351, 3372, 3388, 3389, 3398, 3407, 3420, 3428, 3455, 3468, 3485, 3515, 3550, 3551, 3555, 3556, 3605, 3606, 3608, 3611, 3702, 3711, 3725, 3764, 3824, 3840, 3842, 3856, 3857, 3890, 3891, 3903, 3911, 3959, 3960, 3968, 3969, 3976, 4028, 4077, 4083, 4091, 4092, 4117, 4123, 4145, 4168, 4189, 4235, 4240, 4244, 4245, 4317, 4320, 4321, 4353, 4354, 4411, 4412 http://www.packetizer.com/voip/sip/standards.html 'few' additional drafts new RFCs/drafts on a weekly basis

Session Initiation Protocol Requests i.e. INVITE, REGISTER, CANCEL Responses i.e 200 OK, 403 Forbidden, 404 Not Found lots of additions Caller ID (Remote Party ID, RFC 3323, RFC 3325) supplementary services (HOLD, MCID, CCBS) complex state engine

Attack Vectors Signalling (SIP) SIP Neighborhood: Billing, PSTN, MGCP,... Routing End Devices Protocol independent attacks Implementation specific issues Configuration bugs

SIP Signalling

Singalling: Call Forking User adam john john Call Forking parallel/serial forking wanted behaviour possible problems traffic amplification resource starvation (if stateful) Contact adam@10.1.1.1:5060;tag=value john@172.30.1.1:5060;opaque=123 john@192.168.1.1:18123;foo=bar

Signalling: Call Forwarding Time To Live: SIP: Max Forwards (counts down) SS7/ISUP: Redirect counter (counts up) Loops? they do happen

Fork Loop: Ingredients parallel call forking two contacts for one user add the loop strip IP from contact and add local domain add tag to keep contact fields different User a a Contact a@wormulon.net;uniq=1 a@wormulon.net;uniq=2

Fork Loop: Tree source: draft ietf sip fork loop 00

Fork Loop: Preparation REGISTER users http://sipp.sf.net/ http://sipsak.org/ single call to user A use your phone ;) wait for 2^70 INVITEs to be processed 1,180,591,620,717,411,303,424 INVITEs 408 timeout will be triggered > attack teared down

Fork Loop: Denial of Service add 3 rd contact: victim remote IP random port UDP or TCP transport network might die before victim

Fork loop: Improvements PSTN contact forward to cell phone cell phone forwards back to SIP proxy results in new calls, fresh timeout, full TTL (Max Forwards) Announcement contact announcement starts playing immediately redirect RTP/media to victim using SDP modify PSTN/announcement/fork ratio for more destruction

Routing

Routing Attacks Routing based on dialplan inside each device, or predefined Routes (Route/Service Route header) use Route headers to direct messages REGISTER at foreign site ''Carrier VoIP Security'' by Nico Fischbach

End User Devices

End User Devices routers/modems/pbxs/atas Operating System Unpatched Unprotected No logging/notification Web interface ISP wide monocultures

End User Devices: Attacks little CPU power, limited number of lines resource starvation no inbound Authentication needed for ENUM et al. SPIT remote management reboot, config change, call control, click to dial

Locating Devices smap mashup of sipsak and nmap available at http://www.wormulon.net/ utilize OPTIONS SIP request basic banner grabbing for fingerprinting 80 90% VoIP enabled devices observed!

Locating Devices: smap ouput $ smap -O -t 200 89.53.10.0/24 scanning 89.53.10.0... timeout scanning 89.53.10.1... timeout... scanning 89.53.10.8... up User-Agent: AVM FRITZ!Box Fon WLAN 7050 14.04.01 (Jan 25 2006) scanning 89.53.10.9... up User-Agent: AVM FRITZ!Box Fon WLAN 7050 14.04.01 (Jan 25 2006) scanning 89.53.10.10... up User-Agent: AVM FRITZ!Box Fon WLAN 7050 14.04.01 (Jan 25 2006)... 256 hosts scanned, 114 up, 142 down, 0 errors $ nmap -sp 89.53.10.0/24... Nmap run completed -- 256 IP addresses (138 hosts up) scanned in 5.400 seconds $

Protocol Independent Attacks

Timing Attacks exploit UDP defragmentation timer evade billing & Lawful Interception inspired by Van Hauser's IPv6 talk at 22C3 goal: fool passive Lawful Interception

Timing Attack: LI Setup

Timing Attack: LI Box receives mirrored traffic use libnids defragmentation in userland parse SIP messages (i.e. using libosip) check username/phone # against DB copy message to LEA if needed

Timing Attack: Timers two different IP stacks different implementation different configuration LI Box might drop fragments too early... or too late goal: prevent a messages from being defragmented on LI system

LI timer < LIVE timer inject 1 st fragment LI stores fragment LIVE stores fragment wait for fragment to expire on LI system inject 2 nd fragment LIVE de fragments successfully LI system stores second fragment

LI timer > LIVE timer inject 1 st fragment: fill both buffers wait for LIVE system to drop fragment inject 2 nd fragment LI box de fragments successfully LIVE stores fragment inject 3 rd fragment LI box stores fragment LIVE de fragments and initiates call

SIP Implementation Differences

RFC 3261 Implementation RFC 3261 To/From 'Displayname' Displayname considered a comment libosip bails out on comma in Displayname osip_message_parse() fails add comma in Displayname and break LI system previously described

Implementation: Caller ID Different implementations From Remote Party ID P Preferred Identity/P Asserted Identity ISP proprietary extensions, i.e. SetCallerID:

Implementation: Caller ID spoof Caller ID using different implementation set to cell phone number, call voice mail

Configuration Bugs

Max Forwards: cheap calls

Max Forwards: cheap calls

Conclusions PSTN Convergence still in progress new hardware new RFCs (ISDN supplementary services) regional laws Research areas fingerprinting, stack differences SPIT Filesharing

Upcoming Events Sipit 18 Tokyo, Japan 3 rd Telephony Summit + Workshop Wiesbaden/Essen, Germany 3 rd VoIP Security Workshop Berlin, Germany Sipit 19 Durham, NH, USA

Resources Call Cases: http://www.tech invite.com/ Documentation: http://www.softarmor.com/ SIP software SER: http://iptel.org/ OpenSER: http://openser.org/ Asterisk: http://asterisk.org/ sipp, sipsak Protos Test Suite

Questions & Answers Q&A hscholz@raisdorf.net

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information