Info secvoip


  1. InfoSec & VoIP
     Switching laboratory (Laboratorio de conmutación)
     Jesús Pérez Rubio, jesus.perez@quobis.com, @jesusprubio, 25/09/2012, http://www.quobis.com
  2. Contents
     - VoIP fraud examples
     - VoIP threats "in the wild"
     - VoIP & DoS (flood)
     - Demo: Metasploit SIPflood module
     - Countermeasures
     - Exercise notes
  3. VoIP fraud examples (I)
     - 1 month -> 60.000 $
     - 1/2 day -> 23.000 min. -> 15.000 euros
     - 46 h. -> 11.000 calls -> 120.000 $
     - 500.000 calls -> 1.000.000 $...
     - http://shadowcommunications.co.uk/ (Offline)
       - 1.500.000 calls
       - 11.000.000 euros
       - 42 individuals
  4. VoIP fraud examples (II)
  5. VoIP threats "in the wild"
     - NO eavesdropping, password cracking, etc. (this time) -> Encryption
     - Extension/password brute-force
     - INVITE attack
     - Default web panel passwords
     - DoS/DDoS flood
  6. Extension/password brute-force (I)
  7. Extension/password brute-force (II)
  8. INVITE attack
     - sip:+442032988741
     - sip:+000442032988741@XX.YY.ZZ.189
     - sip:1442032988742@XX.YY.ZZ.189
  9. INVITE attack
     - sip:+442032988741
     - sip:+000442032988741@XX.YY.ZZ.189
     - sip:1442032988742@XX.YY.ZZ.189
     - INVITE authentication -> Kamailio WIN!
  10. Default web panel passwords (I)
  11. Default web panel passwords (II)
  12. Default web panel passwords (III)
  13. DoS
     - DoS (Denial of service)
     - Types:
       - Communication interruption
       - Malformed packets (Teardrop)
       - Physical destruction
       - Flood
       - DDoS
     - Tools: LOIC, Hulk, Aircrack-ng, Exploit-DB
  14. DoS (Impact)
  15. VoIP & DoS
     - Impact! vs. (web application)
       - Application layer -> Increase performance
     - SIP proxy vs. PBX
     - Tools:
       - Malformed packets:
         - Fuzzing (Voiper)
       - Flood:
         - Sipvicious
         - udpflood, inviteflood, rtpflood, iaxflooder
         - SIPp
       - Problems:
         - Old
         - Diversity of languages -> Complex use/customize
         - Lack of report generation mechanism
  16. SIPflood (REGISTER)
  17. SIPflood (INVITE)
  18. SIPflood_tcp (INVITE)
  19. SIPflood_DDoS (INVITE)
  20. Countermeasures
     - General
       - Firewall
       - Secure passwords
       - Upgrades
     - Specific:
       - Monitoring
       - Fail2ban
       - ?¿ module (Kamailio)
       - IDS/IPS (Snort/Prelude)
       - Session Border Controller (SBC)
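The monitoring side of these countermeasures, as an added Python example that is not part of the slides or of Quobis' code: a per-source sliding-window counter of the kind the Kamailio pike module applies to block SIP floods (slides 16-20), plus a check that flags INVITEs whose dialled number is not a local extension, the pattern of the INVITE attack on slides 8-9. The log line format, the 4-digit local dial plan and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample log (not taken from the slides), one SIP request per line:
# "<epoch> <src_ip> <method> <request_uri>".
SAMPLE_LOG = """\
1000.0 203.0.113.5 REGISTER sip:1001@pbx.example
1000.1 203.0.113.5 REGISTER sip:1002@pbx.example
1000.2 203.0.113.5 REGISTER sip:1003@pbx.example
1000.3 203.0.113.5 REGISTER sip:1004@pbx.example
1000.4 203.0.113.5 REGISTER sip:1005@pbx.example
1000.5 203.0.113.5 REGISTER sip:1006@pbx.example
1001.0 198.51.100.7 INVITE sip:+442032988741@pbx.example
1005.0 198.51.100.9 INVITE sip:1442032988742@pbx.example
1009.0 192.0.2.20 INVITE sip:1002@pbx.example
"""

LOCAL_EXT = re.compile(r"^\d{4}$")          # assumed dial plan: 4-digit internal extensions
USER_PART = re.compile(r"^sip:([^@;]+)")    # user part of a SIP request-URI

def parse(line):
    ts, ip, method, uri = line.split()
    return float(ts), ip, method, uri

def detect(log, max_reqs=5, window=2.0):
    """Return (flooders, suspicious_invites).

    flooders: source IPs that sent more than max_reqs requests within any
    window-second sliding window (the same criterion pike uses to block a source).
    suspicious_invites: (ip, dialled user) for INVITEs not aimed at a local extension.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flooders, suspicious = set(), []
    for line in log.strip().splitlines():
        ts, ip, method, uri = parse(line)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_reqs:
            flooders.add(ip)
        if method == "INVITE":
            m = USER_PART.match(uri)
            user = m.group(1) if m else ""
            if not LOCAL_EXT.match(user):
                suspicious.append((ip, user))
    return flooders, suspicious

if __name__ == "__main__":
    flood, odd = detect(SAMPLE_LOG)
    print("flood sources:", sorted(flood))   # ['203.0.113.5']
    print("suspicious INVITEs:", odd)
```

In a real deployment the flagged sources would feed Fail2ban or a firewall rule rather than a print, and the dial-plan regex must match the operator's own numbering.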
  21. References
     - http://blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html
     - http://www.securitybydefault.com/2012/03/desarrollando-para-metasploit-ii.html
     - http://code.google.com/p/metasploit/source/browse/sip/sipflood.rb
     - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
     - http://saghul.net/blog/2010/06/17/deteniendo-un-sip-flood-con-opensips-y-el-modulo-pike/
     - http://www.kamailio.org/docs/modules/1.4.x/pike.html
     - http://kamailio.org/docs/modules/devel/modules/pipelimit.html
     - http://kamailio.org/docs/modules/1.4.x/ratelimit.html
     - http://nicerosniunos.blogspot.com.es/2011/09/voip-information-gathering-metasploit.html
     - http://nicerosniunos.blogspot.com.es/2012/07/bruteforcing-sip-extensions-with.html
     - http://code.google.com/p/sipvicious/w/list
     - http://blog.sipvicious.org/
     - http://blog.pepelux.org/2012/02/15/asterisk-invite-attack/
     - http://www.hackingvoip.com/
     - http://www.offensive-security.com/metasploit-unleashed/Main_Page
     - http://www.securitybydefault.com/2012/09/riesgos-reales-en-voip.html
     - http://www.backtrack-linux.org/
  22. Exercise notes
     - Option 3: you will configure Kamailio for Drake Island. This island has been a pirate refuge for centuries. This tradition survives, and nowadays the island has the world's highest cracker rate per km2. Last year we used the SIPvicious toolkit to test the security of our Kamailio server. Though simple, it's quite powerful; the hacker community's skills improve day after day, so you must use more powerful tools. That's the reason why this year we will use the Metasploit modules implemented by our colleague jesus.perez@quobis.com to simulate DoS, DDoS and extension brute-force attacks. Your challenge in the practice option will be to implement as many attacks and security methods as you can. The security of this operator is in your hands. The international prefix assigned for Drake Island is: 001788[6-7]
     - References
     - Any useful (not exposed) generic attack/countermeasure accepted
     - Metasploit SIP scan module (options.rb) bug -> SIPVicious accepted
     - DEFENSE!! 1 attack vector -> 1 defense mechanism
  23. ?
     Pol. A Granxa P.260, 36400 Porriño (Spain). Tel. +34 902 999 465. SIP://sip.quobis.com. http://www.quobis.com
