Alessio Pennasilico VoIP security
Alessio Pennasilico @ CRS4 Colloquia
13-06-2011

  • Alessio's talk from 1h15min: http://www.youtube.com/v/GGlDvrEGSyE?version=3&hl=en_US
    Presentation Transcript

    • VoIP (in)Security: All your bases belong to us
      Alessio L.R. Pennasilico
      Phone/Fax +39 045 8271222
      mayhem@alba.st
      Verona, Milano, Roma
      twitter: mayhemspp
      http://www.alba.st/
      FaceBook: alessio.pennasilico
      Cagliari, 13 June 2011
    • $ whois mayhem: Security Evangelist @ Board of Directors: CLUSIT, ISSA Italian Chapter, Italian Linux Society, OpenBSD Italian User Group, Metro Olografix, Sikurezza.org, Spippolatori Hacker Club, Hacker's Profiling Project, CrISTAL, Recursiva.org (Alessio L.R. Pennasilico, slide 2)
    • IT Security... A useless impediment that slows down everyday operations and damages the business?
    • IT Security... Or prevention of, and response to, events that would damage the business in a far worse way?
    • Evolution: Technology evolves… … and with it, so do the threats!
    • Video: "I signori della truffa" (the Italian title of the film Sneakers)
    • How do I feel today?
    • mayhem: I'm worried
    • VoIP explosion: "Mobile VoIP Users to Nearly 139 Million by 2014 Says In-Stat"
    • Telecom news
    • CALEA laws
    • Spyware economic interests
    • mayhem: everyone wants to know something about me
    • mayhem: it's none of your business (KL)
    • History: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." Benjamin Franklin, 1759
    • Phones
    • Phones: eavesdropping
    • Phones: It's possible to listen to others' conversations from another phone on a shared line.
    • Phones: It's possible to connect a dedicated eavesdropping device to the phone line with crocodile clips.
    • Phones: It's possible to eavesdrop at the central PBX or at ISP switches.
    • Phones: It's possible to eavesdrop on trunks with advanced technologies.
    • You want VoIP!
    • Deployment: Faster, easier and cheaper to deploy over the national IP network infrastructure
    • Services: Native advanced services for every user: Fax2Mail, VoiceMail, IVR, text2speech
    • Tools: Plenty of fully functional and very mature OpenSource projects, oriented to users, businesses and carriers: Asterisk, FreeSwitch, OpenSER, OpenSBC
    • Standards: Using standard protocols, it's truly interoperable: SIP, H.323, IAX
    • Integration: The PBX or the VoIP client can interact with other applications and use centralized data: billing, E.164, CRM integration
    • Question: but what about security?
    • All your VoIP belongs to us :)
    • Traditional Telephony: "I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer." Captain Crunch, "Secrets of the Little Blue Box", 1971 (slide from Hackers Profile Project, http://hpp.recursiva.org)
    • Eavesdropping: "Unknowns tapped the mobile phones of about 100 Greek politicians and offices, including the U.S. embassy in Athens and the Greek prime minister." Bruce Schneier, his blog, 22nd June 2006: the Greek wiretapping scandal
    • First attacks ... "A brute-force password attack was launched against a SIP-based PBX in what appeared to be an attempt to guess passwords. Queries were coming in about 10 per second. Extension/identities were incrementing during each attempt, and it appeared that a full range of extensions were cycled over and over with the new password. The User-Agent: string was almost certainly falsified." John Todd on the VoIPSA mailing list, May 24th 2006
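    The pattern in that report (about ten attempts per second, extensions cycled with one password, all failures from a single source) is easy to spot on the PBX side. As an added example, not part of the slides, this Python detector slides a time window over constructed Asterisk-style chan_sip registration failures; the log format, the window size and the thresholds are assumptions to tune for a real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches Asterisk-style chan_sip registration failures (the exact format is an
# assumption about the log source; adjust the regex for other PBXes).
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<ext>[^\"]+)\" <sip:[^>]*>' failed for "
    r"'(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$")

def constructed_log():
    """Constructed sample (not real logs): one source cycles extensions 100-199
    at ~10 attempts/s with a single password; a legitimate user at
    192.168.99.40 mistypes the password twice."""
    fmt = ("[Jun 13 10:00:{sec:02d}] NOTICE[2345] chan_sip.c: Registration from "
           "'\"{ext}\" <sip:{ext}@192.168.99.13>' failed for '{ip}:5060' - {reason}")
    lines = [fmt.format(sec=i // 10, ext=100 + i, ip="203.0.113.7",
                        reason="Wrong password") for i in range(100)]
    lines += [fmt.format(sec=s, ext=111, ip="192.168.99.40",
                         reason="Wrong password") for s in (3, 7)]
    return lines

def parse_failures(lines):
    """Return (timestamp, source_ip, extension, reason) for each failed REGISTER."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append((ts, m["ip"], m["ext"], m["reason"]))
    return events

def detect_bruteforce(events, window=timedelta(seconds=10),
                      min_failures=20, min_extensions=5):
    """Per source IP, slide a time window over its failures and report the
    largest window with >= min_failures failures spread over >= min_extensions
    distinct extensions. One user mistyping one password never trips it; a
    scanner cycling extensions does. Thresholds are assumptions to tune."""
    by_ip = defaultdict(list)
    for ts, ip, ext, _reason in sorted(events):
        by_ip[ip].append((ts, ext))
    findings = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            exts = {e for _, e in span}
            if len(span) >= min_failures and len(exts) >= min_extensions:
                if best is None or len(span) > best["failures"]:
                    dur = max((span[-1][0] - span[0][0]).total_seconds(), 1.0)
                    best = {"failures": len(span), "extensions": len(exts),
                            "rate_per_s": round(len(span) / dur, 1)}
        if best:
            findings[ip] = best
    return findings

if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failures(constructed_log())).items():
        print(f"{ip}: {info}")
```

    Feeding the output to a firewall rule or fail2ban-style jail is the usual follow-up; the slides' own advice (AAA, VLAN separation, an application-aware firewall) limits what a source like this can reach in the first place.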
    • Frauds: "Edwin Andreas Pena, a 23 year old Miami resident, was arrested by the Federal government: he was involved in a scheme to sell discounted Internet phone service by breaking into other Internet phone providers and routing connections through their networks." The New York Times, June 7th 2006
    • Robert Moore: "It's so easy a caveman can do it!" "I'd say 85% of them were misconfigured routers. They had the default passwords on them: you would not believe the number of routers that had admin or Cisco0 as passwords on them."
    • VoIP Risks: Telephones have always been seen as secure because they use proprietary hardware and proprietary protocols and are disconnected from other devices. VoIP multiplies the traditional telephony risks by the IP network risks.
    • ISDN2SIP
    • Protect us! The end user has no way to protect himself: he has to adhere to his carrier's configuration. Providers and companies implementing a VoIP infrastructure should take care of their customers' security and privacy.
    • SPIT: SPAM over Internet Telephony will become an emergency. The low cost of VoIP calls, the wide availability of human and technical resources, the use of recorded messages and high revenues even on low purchase volumes make SPIT an attractive business.
    • Vishing: Voice Phishing is a typical fraud against end users, made possible by VoIP's characteristics. The cheapness of this technology permits deploying the attack on a large scale, integrating some "old style" attacks (e.g. wardialing, caller ID spoofing). The fraud relies on the user's trust in the "telephone device" and trust in the caller's identity.
    • Risks: Denial of Service (DoS), eavesdropping, identity theft, toll fraud, Vishing and SPIT are real risks. There are dozens of free, OpenSource, downloadable tools made specifically to test/attack VoIP protocols and devices. We can use them to secure our infrastructure!
    • How does a phone call work?
    • Boot sequence
      • Boot
      • Retrieve Conf
      • Registration
      • Signaling
      • RTP
    • Power up the phone ... VoIP phones execute some actions at bootstrap, many of them vulnerable to different legacy attacks:
      • Phones obtain an IP address from a DHCP server
      • DHCP furnishes the TFTP server address to the phone
      • Phones download the firmware from the TFTP server
      • Phones download the configuration from the TFTP server
      • Phones authenticate on the VoIP server
    • ...and start a call. When bootstrap is complete the phone exchanges some information with the server, to describe its status and inform the VoIP PBX about call status (signaling). When a call is answered a new flow of UDP packets starts, carrying our voice. This is called RTP and can be established between the endpoints or between each SIP UA and its server.
    • What can I do? :)
      DHCP Spoofing -> TFTP redirect
      TFTP Spoofing -> OS substitution
      TFTP Queries -> obtain configurations
      Password Sniffing
      PBX Spoofing -> negotiate auth
      RTP Traffic in clear
    • Hardening tips & tricks
    • VLAN
    • VLAN Packets (diagram): untagged frame [mac src | mac dst | data] versus 802.1Q tagged frame [mac src | mac dst | TAG | data]
    • Configure the phone
    • Configure the switch
    • Inter-VLAN routing: You need at least a L3 device. It can be a firewall with ACLs. A VoIP-protocol-aware firewall is much more effective.
    • AAA: Authentication, Authorization, Accounting. Do you have all 3 As?
    • Encrypting: VPN? Signaling -> TLS. RTP -> SRTP. PKI? Lawful interception?
    • Periodic PenTests: Is your infrastructure secure today? If yes, will it still be secure in 6 months?
    • Other advice...
    • Misconfiguration: 0039081XXXXXXX "Press 1 for the commercial office, 2 for the sales dept, 3 to access the search menu, 9 to talk with an operator" -> 3 -> 0 -> 0456152498 -> "Alba S.T., good morning, how can I help you?"
    • "Clever" devices: Many network devices support security features to mitigate known attacks:
      ✓ gratuitous ARP block
      ✓ DHCP snooping
      ✓ flood detection
      ✓ QoS support
      ✓ …
    • Power over Ethernet: Is your switch on a UPS? How long can your UPS keep powering the phones on battery?
    • Quality of Service: A security feature? It can preserve VoIP traffic from being delayed / dropped ...needed...
    • Redundancy: Is it a security feature, or just about business continuity? Don't know, but you need it :)
    • Training: Security is unsuccessful if you do not teach people what to do, how to use the new technology you give them, and the importance of the data they're managing.
    • Tools to test your infrastructure...
    • Ettercap: The Man in the Middle attack suite. Multiplatform, usable from the console or in a window manager. Ettercap allows performing all the typical layer 2 tests to understand how vulnerable our switched network is if not correctly protected. Keywords: arp spoofing, arp poisoning, hijacking, sniffing, decoding, dns spoofing, dos, flood. http://ettercap.sourceforge.net/
    • Ettercap (2)
    • Vomit: Voice Over Misconfigured Internet Telephones can create, from a standard tcpdump log trace, a wave file with the audio of a conversation intercepted on the monitored network. It supports the MGCP protocol with the G.711 codec and works only on Linux. ./vomit -r elisa.dump | waveplay -S 8000 -B 16 -C 1
    • Wireshark: Multiplatform sniffer, with a lot of decoders that allow managing the intercepted traffic. Wireshark can identify and decode both signaling and RTP traffic and shows all the information needed for a subsequent analysis. http://www.wireshark.org/
    • Wireshark (2)
    • Oreka: Available for Windows and Linux, supports Cisco Call Manager, Lucent APX8000, Avaya S8500, Siemens HiPath, VocalData, Sylantro and Asterisk SIP channel protocols. Eavesdrops on and records the RTP part of phone calls. Simple, intuitive, accessible through a web interface, based on a MySQL database. http://oreka.sourceforge.net/
    • Ohrwurm: "Ear worm" is an RTP fuzzer. It sends a large number of requests with different combinations of parameters, some correct and some with little or no sense, then interprets the answers to identify anomalies. Anomalies are often the launchpad to discovering a bug or an implementation defect. http://mazzoo.de/blog/2006/08/25#ohrwurm
    • SipSak: The SIP Swiss Army Knife permits interacting with any SIP device, forging ad-hoc SIP traffic to gather information on the target's features and behaviour. http://sipsak.org/
    • Smap: By merging nmap and SipSak, this project realizes a new specific tool, a program able to detect all the SIP devices in the network and produce a report for each one. This permits us to obtain a map of the VoIP devices, with their features, brand and model. http://www.wormulon.net/index.php?/archives/1125-smap-released.html
    • SiVus: A SIP security scanner: it verifies the characteristics of the scan targets and compares them against a database of known misconfigurations and bugs. This database is growing at a very impressive rate… http://www.vopsecurity.org/html/tools.html
    • SipVicious: SIPVicious is an integrated suite that allows scanning, enumerating and cracking SIP accounts.
      svmap - a SIP scanner; lists the SIP devices found on an IP range
      svwar - identifies active extensions on a PBX
      svcrack - an online password cracker for SIP PBXes
      svreport - manages sessions and exports reports to various formats
    • Scan
      mayhem$ python svmap.py 192.168.99.0/24
      | SIP Device          | User Agent   |
      -------------------------------------
      | 192.168.99.13:5060  | Asterisk PBX |
    • Enumerate
      mayhem$ python svwar.py -e 100-200 192.168.99.13
      | Extension | Authentication |
      ------------------------------
      | 120       | reqauth        |
      | 111       | reqauth        |
      | 125       | noauth         |
    • Brute Force
      mayhem$ python svcrack.py -n -u 111 -r 1000-9999 192.168.99.13
      | Extension | Password |
      ------------------------
      | 111       | 1234     |
      mayhem$ python svcrack.py -n -u 120 -r 1000-9999 192.168.99.13
      | Extension | Password |
      ------------------------
      | 120       | 1357     |
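    The scan/enumerate/crack run above surfaces an extension that registers with no authentication and two whose secrets are four-digit numbers. As an added example (not from the slides or from SIPVicious), here is a small Python audit of an Asterisk sip.conf that flags exactly those weaknesses before anyone scans for them; the sample configuration is constructed and the minimum secret length is an assumption.

```python
import configparser

# Constructed sample in Asterisk's sip.conf syntax (not a real deployment).
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=yes
alwaysauthreject=no

[111]
type=friend
secret=1234
host=dynamic

[120]
type=friend
secret=1357
host=dynamic

[125]
type=friend
host=dynamic
insecure=port,invite

[mayhem]
type=friend
secret=Correct-Horse-Battery-9!
host=dynamic
"""

def parse_sip_conf(text):
    """Parse sip.conf-style text into {section: {key: value}}. strict=False
    tolerates Asterisk's repeated keys (e.g. several allow= lines); the last
    value wins, which is enough for this audit (templates are not handled)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def audit_sip_conf(text, min_secret_len=8):
    """Return (section, finding) pairs for the weaknesses a scan/enumerate/crack
    run surfaces: guest calls, enumerable extensions, missing, short or
    all-digit secrets, and INVITEs accepted without authentication."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", {})
    if general.get("allowguest", "yes").lower() == "yes":  # chan_sip default is yes
        findings.append(("general", "allowguest=yes: anonymous INVITEs are accepted"))
    if general.get("alwaysauthreject", "").lower() != "yes":  # default varies by version
        findings.append(("general", "alwaysauthreject not yes: differing replies reveal valid extensions"))
    for name, peer in conf.items():
        if name == "general" or peer.get("type") not in ("friend", "peer", "user"):
            continue
        secret = peer.get("secret", "")
        if not secret:
            findings.append((name, "no secret: registers and calls without authentication"))
        else:
            if len(secret) < min_secret_len:
                findings.append((name, f"secret shorter than {min_secret_len} characters"))
            if secret.isdigit():
                findings.append((name, "all-digit secret: the 1000-9999 range is only 9000 guesses"))
        if "invite" in peer.get("insecure", "").lower():
            findings.append((name, "insecure=invite: incoming INVITEs are not authenticated"))
    return findings
```

    Running audit_sip_conf(SAMPLE_SIP_CONF) reports two findings for [general] and two each for 111, 120 and 125, and nothing for the peer with a long mixed secret.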
    • Other tools: Packet Gen & Packet Scan, RTP Flooder, Shoot, Invite flooder, Sipness, RTP injector, Sipshare, Sipscan, Sip scenario, reg. hijacker/eraser/adder, Siptest harness, Fuzzy Packet, Sipv6analyzer, Iax Flooder, Winsip, Call Generator, Cain & Abel, Sipsim, SipKill, Mediapro, SFTF, Netdude, VoIPong, SipBomber, SipP
    • Conclusions
    • Conclusions
      ✓ Pay attention to risk analysis and planning!
      ✓ Divide into multiple VLANs
      ✓ Implement QoS
      ✓ Be extremely careful with AAA
      ✓ Use cryptography! (TLS, SRTP)
      ✓ Use "clever" devices (they can mitigate mitm, garp, spoofing, flooding and other known attacks)
      ✓ Application level firewall
      ✓ Avoid single points of failure
      ✓ Periodic security tests
    • Bibliography
      http://www.voipsa.org
      http://www.voip-info.org
      http://misitano.com/pubs/voip-ictsec.pdf
      http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58.zip
      http://www.nytimes.com/2006/06/08/technology/08voice.html
      http://www.schneier.com/blog/
      http://www.cloudmark.com/press/releases/?release=2006-04-25-2
      http://www.usdoj.gov/usao/nj/press/files/pdffiles/penacomplaint.pdf
      http://www.usdoj.gov/usao/pae/News/Pr/2005/feb/Moore.pdf
      Scholz - Attacking VoIP Networks
    • Conclusions: VoIP can be secure
    • Conclusions: more secure than traditional telephony
    • Conclusions: it depends on us
    • Questions? Thanks for your attention!
      These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify, or sell them. "Please" cite your source and use the same licence :)
      Alessio L.R. Pennasilico
      Phone/Fax +39 045 8271222
      mayhem@alba.st
      Verona, Milano, Roma
      twitter: mayhemspp
      http://www.alba.st/
      FaceBook: alessio.pennasilico
      Cagliari, 13 June 2011
    • Quote from the video: Our world is no longer dominated by weapons, by energy, by money; it is dominated by little ones and zeros, by bits and by data, it's all just electronics. There's a war out there, my friend. A world war. And it doesn't matter in the least who has the most bullets; what matters is who controls the information. What we see, what we hear, how we work, what we think: it's all based on information!