VoIP Security Management



Similar documents
Asterisk Module Documentation for the yencap Agent Release: ASTERISK-yencap-1.0.0

ASTERISK. Goal. Prerequisites. Asterisk IP PBX Configuration

Overview of Asterisk (*) Jeff Gunther

Setup Guide: on the MyNetFone Service. Revision History

NCClient: A Python Library for NETCONF Client Applications

Micronet VoIP Solution with Asterisk

Mediatrix 3000 with Asterisk June 22, 2011

Applications between Asotel VoIP and Asterisk

Connecting with Vonage

Figure The scenario

Asterisk: The Open Source PBX Solution Adam Olson Systems and network administrators typically deal with

System Admin Module User Guide. Schmooze Com Inc.

Connecting with Free IP Call

Voxitas SIP Trunk Setup

Running Asterisk in a Corporate Environment: a Beginner s Tale

Asterisk. Michael Kershaw

Unicorn60x0 IP ANALOG GATEWAY ASTERISK CONFIGURATION

VoIP Recorder V2 Setup Guide

TEL 500 WRITE UP WEEK 8 FREE PBX SIP LAB SUBMITTED TO: PROF. RONNY BULL BY: ANUSHA ALIGAPALLY

CyberData VoIP V2 Speaker with VoIP Clock Kit Configuration Guide for OmniPCX Enterprise

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

Setup the Asterisk server with the Internet Gate

Integrating a Hitachi IP5000 Wireless IP Phone

SIP Trunk 2 IP-PBX User Guide Asterisk. Ver /08/01 Ver /09/17 Ver /10/07 Ver /10/15 Ver1.0.

Connecting with sipgate

Cisco 7940 How To. (c) Bicom Systems

ThinkTel ITSP with Registration Setup Quick Start Guide

IPPBX FAQ. For Firmware Version: V2.0/V

BroadSoft BroadWorks ver. 17 SIP Configuration Guide

JetWave SIP Trunk Setup

IPChitChat VoIP Service User Manual

VoIP Security regarding the Open Source Software Asterisk

Mediatrix 4404 Step by Step Configuration Guide June 22, 2011

How To Protect Your Network From A Hacker Attack On Zcoo Ip Phx From A Pbx From An Ip Phone From A Cell Phone From An Uniden Ip Pho From A Sim Sims (For A Sims) From A

Quick Installation Guide

How to Configure the Cisco UC500 for use with Integra Telecom SIP Solutions

AGILE SIP TRUNK IP-PBX Connection Manual (Asterisk)

Basic configuration of the GXW410x with Asterisk

BiPAC 74xx series. VoIP Quick Install Guide

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

Release Notes for NeoGate TA410/TA X

VOIP, Linux, and Asterisk Making Beautiful Voice Together

Using Polycom KIRK Wireless Server 300 or 6000 with Asterisk

NOC Workshop VoIP in the NOC labs SANOG10

Ryan Brown October 9, 2004 The Burgh Live, LLC. Voice over IP using Asterisk (*)

Introduction. What is DUNDi? Configuring Asterisk for use with DUNDi

PCBest Networks VOIP Recorder

Telephony with an Asterisk phone system

SIPSTATION User Guide. Schmooze Com Inc.

Epygi Technologies How to Configure Alphatech Cityline IP DP device on the Quadro IP PBX

Vertex VoIP Caller ID (Version 1.5)

Network Configuration Management Using NETCONF and YANG

Embedded Asterisk. A Crazy Man s Approach to VoIP. Terry Dunlap. 5/12/2007 terrydunlap.com

Asterisk & ENUM. Extending the Open Source PBX. Michael Haberler, IPA Otmar Lendl, nic.at

Visocall IP PBX Connection

VOIP with Asterisk & Perl

Conducting an IP Telephony Security Assessment

Enabling NAT and Routing in DGW v2.0 June 6, 2012

A System for Auto-Provisioning VOIP Telephones for Asterisk

LABORATORIUM 1 Setup and basic configuration of Asterisk BPX on Linux

Hands-on MESH Network Exercise Workbook

NCS 416 Paul Brennan Mohammed Haque IAX2 Trunking

SIP Trunking using Optimum Business SIP Trunk Adaptor and the Cisco Call Manager Express Version 8.5

Asterisk. Technical Application Notes

Knowledgebase Solution

Grandstream Networks, Inc.

Black Box Analysis and Attacks of Nortel VoIP Implementations

Using DUNDi with a Cluster of Asterisk Servers! General Description and Scope

Protect Yourself Against VoIP Hacking. Mark D. Collier Chief Technology Officer SecureLogix Corporation

Configuring the Dolby Conference Phone with Cisco Unified Communications Manager

Technical Bulletin Using Polycom SoundPoint IP and Polycom SoundStation IP Phones with Asterisk

The Trivial Cisco IP Phones Compromise

Link2VoIP SIP Trunk Setup

Grandstream Networks, Inc. UCM6510 Basic Configuration Guide

Grandstream Networks, Inc. GXP2130/2140/2160 Auto-configuration Plug and Play

Packet Sniffing on Layer 2 Switched Local Area Networks

DUNDi, So Easy A Caveman Could Do It!

Quick Provisioning Guide for Third-Party PBX

Troubleshooting Voice Over IP with WireShark

1 VoIP/PBX Axxess Server

nexvortex Setup Guide

V660. Quick Start Guide. Dual-Mode Phone. Version /2007 Edition 1. Copyright All rights reserved

Grandstream Networks, Inc. UCM6100 Security Manual

Broadvox SIP Trunk Setup

DSX. ATC SIP Trunk Setup. April 22, 2011 Issue NEC Corporation of America 4 Forest Parkway, Shelton, CT 06484

How To Set Up Mybpx Security Configuration Guide V1.2.2 (V1.3.2) On A Pc Or Mac)

VoIP Security. Title: Something Old (H.323), Something New (IAX), Something Hallow (Security), & Something Blue (VoIP Administrators)

DSX. DSX SIP Setup. April 22, 2011 Issue NEC Corporation of America 4 Forest Parkway, Shelton, CT 06484

NodePhone Business Trunks User Manual

Configuring the Cisco SPA8800 IP Telephony Gateway in an Asterisk Environment

The Telecom Terminal Solution

UIP1868P User Interface Guide

AGILE SIP TRUNK IP- PBX Connection Manual (Asterisk, Trixbox)

Quick Installation Guide

General Guidelines for SIP Trunking Installations

Asterisk SIP Trunk Settings - Vestalink

D-LINK DPH-140S SIP PHONE INSTALLATION GUIDE

Transcription:

VoIP Security Management Humberto Abdelnur, Vincent Cridlig, Jérome Bourdellon, Radu State, Olivier Festor LORIA-INRIA Lorraine, France {abdelnur, cridligv, bourdellon, state, festor}@loria.fr http://madynes.loria.fr 1

Outline EnSUITE: Netconf management suite VoIP management with Netconf VoIP security assessment 2

Netconf overview XML-basedNetwork management configuration protocol Transport protocol SSH, SSL, BEEP, SOAP,... RPC get, get-config edit-config, copy-config, deleteconfig lock, unlock Close-session, kill-session Multiple configurations Running Candidate Startup Capabilities Writable-running Xpath Candidate... 3

YencaP architecture 4

YencaP modules system Asteriks_Module VoIP 5

Manager web interface Agent list Operations Parameters Help 6

Access control on VoIP <get-config> /netconf/asterisk/data </get-config> <asterisk> <data> </data> </asterisk> Netconf Agent <netconf> <asterisk> <data></data> </asterisk> </netconf> m1, read, /netconf/asterisk/data Access control policy 7

Asterisk overview Open source pbx system developed by Mark Spencer Supports VoIP with SIP, h323, and IAX Linux based SIP phone SIP phone Asterisk PBX SIP phone SIP phone SIP phone 8

NetConf Module Mapping configuration files to XML voicemail.conf extensions.conf [default] 1234 => 4242,Mailbox asterisk.conf exten => s,1,wait,1 4200 exten => => 9855,Mark s,2,answer sip.conf 4300 => [global] exten 3456,Ben 4310 astetcdir => s,3,digittime exten => [general] -5432,Sales => /etc/aster 4069 astmoddir => s,4,response exten => context=default => 6522,Matt => /etc/ast s,5,backgrou 4073 astvarlibdir exten => recordhistory=yes => 1099,Bianca => /var/l s,6,backgrou 4110 astagidir => realm=mydomain.tld 3443,Rob => /usr/shar astspooldir port=5060 => /var/sp astrundir bindaddr=0.0.0.0 => /var/run astlogdir srvlookup=yes => /var/log/a <?xml version='1.0' encoding='utf-8'> <asterisk> <file name= asterisk.conf > <section name= global > <attribute name= astetcdir >/etc/asterisk </attribute> </section> </file> <file name= sip.conf > <section name= general > <attribute name= context >netconf </attribute> </section> </file> </asterisk> 9

YencaP Module Request NetConf Module NetConf Manager NetConf Agent NetConf Module For Asterisk NetConf Module Asterisk PBX Response 10

Add a new user username= FOO password= BAR NetConf Demo <rpc xmlns='urn:ietf:params:xml:ns:netconf:base:1.0' message-id='1'> <edit-config> <target> <running/> </target> <config xmlns:xc='urn:ietf:params:xml:ns:netconf:base:1.0'> <netconf> <asterisk> <file name="sip.conf"> <section name="demo" xc:operation="create"> <attribute name="username">foo</attribute> <attribute name="secret">bar</attribute> <attribute name="type">friend</attribute> <attribute name="host">dynamic</attribute> <attribute name="context">demo</attribute> <attribute name="dtmfmode">inband</attribute> <attribute name="callerid">demo</attribute> </section> </file> </asterisk> </netconf> </config> </edit-config> </rpc> 11

Security Assessment(Fuzzy Packet) PBX Network Fuzzy Packet is a tool that is able to manipulates and generates data messages by injecting and capturing packets into a network. Security Assessment Security Assessment Fuzzy Packet soft Its functionality depends in the XML templates which configure the actions to take. Spam Injector Spam Listener Fuzzer Brute Register User Enum Fuzzer ARP ARP Injector XML Templates Functions Its architecture embeds on a Plug- In model, so it provides an easy extensibility to new features. 12

<usergenerator> <assignuser>user</assignuser> <assignpass>pass</assignpass> </usergenerator> <string>register sip:pbx-server.com SIP/2.0</string> <CRLF/> <string>from: sip:</string> <variable>user</variable> <string>@pbx-server.com</string> <CRLF/> <string>call-id: </string> <randomstr> <minlen>5</minlen> <letters/> <numbers/> </randomstr> <string>@pbx-server.com</string> <CRLF/> Data Generator (Fuzzer) generates REGISTER sip:pbx-server.com SIP/2.0 From: sip:smith345@pbx-server.com Call-ID: 9F1994A81DD@PBX-Server.com Random user and password generator PlugIn Creates the string followed by carriage return and a line feed Creates the string followed by the result of the python code Creates the string followed by a random string composed of letters and numbers with length bigger that 5 characters Other possible actions Replace Reg. Expressions Repeats blocks Conditionals, probabilities Execution of Python Methods 13

Lost Packets Register Reply User Enumeration Captures the replies and generates an authenticate message if necessary Network PBX Authentication Register Packets Generates REGISTER messages and inject them into a network. <sniff> <device>eth0</device> <inject> <packet> <ethernet> <source>..</source> <destination>..</destination> <ip>.. </ip> </ethernet> </packet> <xi:include href="sip/register.xml"/> </inject> </sniff> <filter>udp and port 5060</filter> <capture> <assignvar>msg</assignvar> <continue>callidexist(msg)</continue> <choice> <option> <condition> isuserexists(msg) </condition>.. </option> <option> <condition> isuseracepted(msg) </condition>.. </option> </choice> <continue>isrequiredauth(msg)</continue> <injectreply> <invertpacket/> <xi:include href="sip/auth.xml"/> </injectreply> </capture> Assign the captured packet to the msg variable Check if the Call-ID is in our list of msg Check if Status-Code is 100 Trying. Add to a priority list Check if Status-Code is 200 Ok. User accepted by the Server An Authentication challenge is required, so it inject a reply message for it 14

A RPT MSG B INVITE B RPT MSG A OK A RPT Listening Sniffed Codecs Sniffed Codecs RPT sniffed Sniffing Codecs Spam Injection RPT MSG B INVITE B RPT MSG A OK A RPT SPAM Injection B <capture> <assignvar>msg</assignvar> <choice> <option> <condition>isinvite(msg)</condition>.. </option> <option> <condition>isok(msg)</condition>.. </option> </choice> </capture> Listening RPT packets <pycode>rtp = RTPPackets()</pycode> <pycode>rtp.startreading()</pycode> <sniff> <device>eth0</device> <filter> <string>ip src net </string> <variable>called_ip</variable> <string> and udp and src port </string> <pycode>called_rpt_port</pycode> </filter> <capture> <assignvar>msg</assignvar> <pycode>rtp.listencurrentpacket(msg)</pycode> </capture> </sniff> <pycode>rtp.stopreading()</pycode> Injecting Spam <pycode>rtp = RTPPackets()</pycode> <pycode>rtp.openfile(codecs,"test.wav")</pycode> <pycode>rtp.startreading()</pycode> <sniff> <filter>..</filter> <capture> <assignvar>msg</assignvar> <pycode>rtp.setrtpfields(msg)</pycode> <injectreply> <pycode>rtp.getcurrentpacket()</pycode> </injectreply> </capture> </sniff> <pycode>rtp.stopreading()</pycode> 15

who who is C? is A? ask A B & C A SWITCH SWITCH ARP Injection (achiving man in the middle ) who is B? ask A this is C who is C? this is C ask A B C We want to see all the packets from a Computer A. Reply the ARP Request send by every computer involving the IP of A. To computer A: every IP go through the intruder To other computers: A's IP goes through the intruder Still, we want to renew the cache before they send a Request message, so we can send ours, once in a while to ensure they send all packet through our the intruder 16

Demo PBX DHCP TFTP TestBed ARP Injector Injects ARP packets into the caller in order to be in the middle of every packet it send. SWITCH Spam Injector Injects RTP packets (a recorded message) into the called party conversation. Called party Caller party Listener Capture RTP packets from the called party conversation and play them in the current computer. User Enum Try to register (brute force) in the PBX by injecting and capturing packets in the network. 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information