Positive Hack Days. Gritsai. VOIP insecurities workshop
 

The participant will gain an understanding of the fundamentals of IP telephony, as well as basic skills in finding vulnerabilities, using common IP-PBXs and subscriber devices as examples. Both typical network vulnerabilities and complex cases discovered during security assessments of real networks are covered.


    Presentation Transcript

    • VOIP insecurities workshop
      “I just called to say I pwn you
      I just called to say how much I care
      I just called to say I own you
      And I mean it from the bottom of my heart”
      Stevie Wonder
    • Agenda
      VOIP
      PSTN & VOIP
      PSTN vs. VOIP
      VOIP protocols
      VOIP security
      Attacking VOIP
      Enumerating VOIP devices
      RTP attacks + demonstration
      SIP attacks + practice
      Further readings
    • PSTN / Public switched telephone network
    • VOIP / Voice over Internet Protocol
    • PSTN vs. VOIP
      Network
      PSTN – Closed network
      VOIP – Public network (Internet)
      End-user devices
      PSTN – Simple devices
      VOIP – Complex devices
      Authentication
      PSTN – No mobility (Authentication by wire)
      VOIP – Mobility
    • VOIP protocols
      Signaling protocols
      Media protocols
      Call control and media stream use different routes
    • VOIP protocols: Signaling – Short overview
      SIP – Session Initiation Protocol
      SDP – Session Description Protocol
      H.323 – H.323
      MGCP – Media Gateway Control Protocol
      SCCP – Skinny Client Control Protocol
      RTCP – Real-time Transfer Control Protocol
    • VOIP protocols: Media and Hybrid – Short overview
      Media
      RTP/SRTP
      Hybrid (signaling + media)
      IAX/IAX2
    • VOIP insecurities
      Confidentiality
      eavesdropping, recording, …
      Availability
      DoS, buffer overflows, …
      Authentication
      registration hijacking, Caller ID spoofing, …
      Fraud
      toll fraud, data masquerading, …
      SPIT (SPAM over IP Telephony)
      voice phishing, unsolicited calling, …
    • VOIP insecurities – Topics for today
      Enumeration of VOIP devices
      search engines
      port scanning
      RTP
      eavesdropping/recording calls
      inserting data into media stream
      DoS
      SIP
      searching extensions
      Caller name spoofing
      DoS
    • Enumerating VOIP devices – Google hacking
      Google hacking
      GHDB
      User manual -> request Google
      inurl:
      intitle:
      site:<Customer> !
      Examples:
      Asterisk Management Portal: intitle:asterisk.management.portal web-access
      Cisco Phones: inurl:"NetworkConfiguration" cisco
      Cisco CallManager: inurl:"ccmuser/logon.asp"
      D-Link Phones: intitle:"D-Link DPH" "web login setting"
      Grandstream Phones: intitle:"Grandstream Device Configuration" password
      Linksys (Sipura) Phones: intitle:" SPA Configuration"
      Polycom SoundPoint Phones: intitle:"SoundPoint IP Configuration"
    • Enumerating VOIP devices – Shodan [1/2]
      www.shodanhq.com
      search for domain names, IPs, ports
    • Enumerating VOIP devices – Shodan [2/2]
      Banner grabbing
      passwordless Snom phones
    • Enumerating VOIP devices – nmap
      VOIP scanners
      smap
      svmap (sipvicious)
      Fyodor’s nmap
      -sU
      UDP scanning: common problems
    • Enumerating VOIP devices – Common ports
      VOIP protocols
      5060-5070, 1718-1720, 2517, ….
      RTP ports are allocated dynamically
      Management protocols
      TCP 21-23, 80, 443, 8088, …
      UDP 161, 162, 69, …
      IANA
      Internet Assigned Numbers Authority
      grep <vendor> www.iana.org/assignments/port-numbers
    • RTP
      Real-time Transport Protocol
      RFC 1889 (1996) -> RFC 3550 (2003)
      Media over IP/UDP
      Packet reordering
      Used with signaling protocols (SIP, H.323, MGCP)
      RTCP (Real-time Transport Control Protocol)
      RTCP port = RTP port + 1
    • RTP Attacks
      Call interception
      Attacking layers 2, 3
      Decoding intercepted data
      Injection into call
      Finding RTP port
      Injecting media stream
      Denial of Service
      RTP flood
    • RTP Attacks – Call interception
      ARP spoofing
      Cain & Abel
      ettercap
      arpspoof (dsniff)
      Wireshark
      Telephony
      VOIP calls
      / Demo
    • RTP Attacks – Injection: Synchronization in RTP
      sequence number – position in media stream – += 1
      timestamp – sampling – += 1
      SSRC – identifying source – const (random 32 bit value)
      payload type – codec in use
    • RTP Attacks – Injection
      Unencrypted
      deployment issues (debug)
      QoS issues
      key distribution
      UDP – connectionless
      Data requirements:
      SSRC
      timestamp, sequence number – monotonically increasing
      timestamp, sequence number - fuzzing
    • RTP Attacks – Injection
      Finding RTP port
      Intercept SDP
      Port scan
      Media injection
      Requirements
      frequency
      codec
      Demo
      SDP || nmap
      rtpinsertsound
      not working 100%?
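The synchronization fields listed on the injection slides (sequence number, timestamp, SSRC, payload type) are also what a monitor can watch to notice foreign packets in an established stream. The following is an added example, not part of the original slides: a minimal continuity check over RTP fixed headers. The class name, alert labels, threshold and sample packets are assumptions made for illustration.

```python
import struct

def parse_rtp(data):
    """Return (payload_type, seq, timestamp, ssrc) from the 12-byte fixed header (RFC 3550)."""
    if len(data) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return b1 & 0x7F, seq, ts, ssrc

class StreamMonitor:
    """Flags packets that break the continuity of an already-seen SSRC."""

    def __init__(self, max_seq_jump=50):
        self.max_seq_jump = max_seq_jump
        self.streams = {}  # ssrc -> (source, payload_type, seq, timestamp)

    def check(self, source, data):
        pt, seq, ts, ssrc = parse_rtp(data)
        alerts = []
        prev = self.streams.get(ssrc)
        if prev is not None:
            p_src, p_pt, p_seq, p_ts = prev
            d_seq = (seq - p_seq) & 0xFFFF       # 16-bit wraparound
            d_ts = (ts - p_ts) & 0xFFFFFFFF      # 32-bit wraparound
            if source != p_src:
                alerts.append("ssrc-from-new-source")
            if pt != p_pt:
                alerts.append("payload-type-changed")
            if d_seq == 0:
                alerts.append("duplicate-seq")
            elif self.max_seq_jump < d_seq < 0x10000 - self.max_seq_jump:
                alerts.append("seq-jump")
            elif d_seq < 0x8000 and d_ts >= 0x80000000:
                alerts.append("timestamp-went-backwards")
            if alerts or d_seq >= 0x8000:
                return alerts  # keep the trusted baseline; ignore late packets
        self.streams[ssrc] = (source, pt, seq, ts)
        return alerts

def make_packet(seq, ts, ssrc=0x1234ABCD, pt=0):
    """Constructed sample: V=2 header plus 160 bytes of payload (20 ms of G.711)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + b"\xff" * 160

def demo():
    phone, other = ("192.0.2.10", 16384), ("192.0.2.66", 40000)  # constructed addresses
    mon = StreamMonitor()
    trace = [(phone, make_packet(100, 16000)), (phone, make_packet(101, 16160)),
             (other, make_packet(5101, 16320)), (phone, make_packet(102, 16320))]
    return [mon.check(src, pkt) for src, pkt in trace]
```

A source change for a known SSRC can also be legitimate (NAT rebinding, a re-INVITE that moves the media), so these alerts are best correlated with the signaling before acting on them.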
    • RTP Attacks – Denial of Service
      Flood
      Low bandwidth requirements
      Media stream = high load
      Authentication - SIP
      and again … UDP - connectionless
      / Demo
      rtpflood
    • SIP
      Session Initiation Protocol
      Application layer (TCP/UDP)
      ASCII header
      SIP header ~= e-mail header
      URI
    • SIP Components
      UA (User agent), Proxy, Registrar, Redirect
      Call via Proxy / Call via Redirect
    • SIP Attacks
      Using somebody's PBX
      Extension enumeration
      Bruteforce extension password
      Caller name spoofing
      Registration hijacking
      Denial of service
      Busy lines
    • SIP Requests
      INVITE – Indicates a client is being invited to participate in a call session
      BYE – Terminates a call and can be sent by either the caller or the callee
      OPTIONS – Queries the capabilities of servers
      REGISTER – Registers the address listed in the To header field with a SIP server
      ACK – Confirms that the client has received a final response to an INVITE request
      CANCEL – Cancels any pending request
      more …
    • SIP Answers
      1xx Informational (100 Trying, 180 Ringing)
      2xx Successful (200 OK, 202 Accepted)
      3xx Redirection (302 Moved Temporarily)
      4xx Request Failure (404 Not Found, 482 Loop Detected)
      5xx Server Failure (501 Not Implemented)
      6xx Global Failure (603 Decline)
    • basic SIP call
    • SIP Attacks – Using somebody's PBX
      PBX
      Extension enumeration
      Bruteforcing passwords
      Making a call
      Practice with Sipvicious
      svmap <ip>
      svwar -e <extensions> <ip> -m <REQUEST>
      svcrack -u <extension> -d <dictionary> <ip>
      Setting up a softphone
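Extension enumeration and password bruteforcing as practiced on this slide leave a recognizable pattern in the responses the PBX sends back. The following is an added example, not part of the original slides: it parses SIP responses and counts, per source, distinct extensions answered with 404 and repeated REGISTER failures on one extension. The thresholds, function names, sample messages and the assumption that the PBX answers a wrong password with 403 are illustrative.

```python
import re
from collections import defaultdict

STATUS = re.compile(r"^SIP/2\.0 (\d{3}) ")
USER = re.compile(r"sips?:([^@>;\s]+)@")
RECEIVED = re.compile(r"received=([^;\s]+)")
SENT_BY = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)")

def parse_response(raw):
    """Return (source, extension, method, status) for one SIP response, else None."""
    lines = raw.strip().splitlines()
    status = STATUS.match(lines[0]) if lines else None
    hdr = {}
    for line in lines[1:]:
        if not line.strip():
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        hdr.setdefault(name.strip().lower(), value.strip())  # keep the topmost Via
    via = hdr.get("via", "")
    peer = RECEIVED.search(via) or SENT_BY.search(via)
    user = USER.search(hdr.get("to", ""))
    cseq = hdr.get("cseq", "").split()
    if not (status and peer and user and len(cseq) == 2):
        return None
    return peer.group(1), user.group(1), cseq[1], int(status.group(1))

def detect(responses, max_unknown=5, max_failed=5):
    """Thresholds are illustrative; tune them to the PBX's normal traffic."""
    unknown, failed = defaultdict(set), defaultdict(int)
    for rec in filter(None, map(parse_response, responses)):
        source, ext, method, status = rec
        if status == 404:                       # probe hit a non-existent extension
            unknown[source].add(ext)
        elif status == 403 and method == "REGISTER":   # assumed: wrong password -> 403
            failed[source, ext] += 1
    alerts = [(s, "extension-enumeration", len(e)) for s, e in unknown.items() if len(e) > max_unknown]
    alerts += [(s, "password-guessing:" + x, n) for (s, x), n in failed.items() if n > max_failed]
    return sorted(alerts)

def sample(status, reason, ext, src, method="REGISTER"):
    """Constructed response as a PBX would send it (documentation addresses)."""
    return (f"SIP/2.0 {status} {reason}\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-1;received={src}\r\n"
            f"To: <sip:{ext}@pbx.example>\r\nCSeq: 1 {method}\r\n\r\n")

def demo():
    scan = [sample(404, "Not Found", e, "192.0.2.66") for e in range(200, 210)]
    guess = [sample(403, "Forbidden", 105, "192.0.2.66") for _ in range(8)]
    return detect(scan + guess + [sample(404, "Not Found", 999, "192.0.2.20", "INVITE")])
```

A PBX configured to answer every failed request identically gives the scanner nothing to distinguish extensions by; in that case the count of distinct extensions probed per source is the signal to alert on instead of the 404 count.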
    • SIP Attacks – Caller name spoofing
      Caller Name spoofing
      Softphone
      Practicing X-Lite
      Softphone – caller name spoofing
      Display name: ‘ 1=1 --
      Domain: IP of UA
      Register: disable
    • SIP Attacks – Registration hijacking
      Registration hijacking
      INVITE to PBX
      Search user in Registrar
      Registration is in
      Contact header: ip address
      Practicing with X-Lite
      Register settings
      rate
    • SIP Attacks – Denial of Service
      Denial of Service
      No auth
      -> INVITE
      <- TRYING… <- Busy here
      HTTP digest
      -> INVITE
      generation/storing nonce
      Practice
      inviteflood
    • Further reading
      Set up a lab
      http://enablesecurity.com/resources/how-to-set-up-a-voip-lab-on-a-shoe-string/
      Read and practice
      Hacking Exposed VoIP—Voice Over IP Security Secrets & Solutions
      Advanced attacks
      “Having fun with RTP” by kapejod
      “SIP home gateways under fire” by AnhängteDateien
      Fuzzing
    • QA
    • ggritsai@ptsecurity.ru