Scanning The Intertubes For Voip

Most research and publications talk about layer 2 issues when it comes to VoIP. Over here we talk about VoIP security flaws that can be exploited without having physical access to the target network, i.e. attacks that can be, and are being launched through the Internet.


Slide 1: Scanning the Intertubes for VOIP: Telephony exposed on the ‘net (EnableSecurity, Confidence 2009)

Slide 2: whoami
  • EnableSecurity
  • 9 years old
  • SIPVicious and VOIPPACK (for CANVAS)
  • Surfjack, Extended HTML Form attack

Slide 3: next few minutes
  • Brief intro to how VoIP is being abused
  • Scanning for VoIP systems
  • How to fingerprint VoIP systems
  • Possibilities for abuse

Slide 4: VoIP Scanning
  • SIP
  • IAX2
  • H.323
  • SCCP

Slide 5: A primer on SIP
  • Text based just like HTTP
  • UDP port 5060
  • INVITE gets things to buzz and ring
  • REGISTER sends phone calls your way
  • OPTIONS gives you supported options

Slide 6: A primer on IAX2
  • Binary protocol running on port 4569
  • POKE is like ping
  • PONG is like er.. pong
  • REGREQ is like REGISTER
  • REGREJ stands for registration rejected

Slide 7: VoIP and Cybercrime
  • Scans for SIP are on the rise
  • News of fraud
  • What is happening in the background?
  • What tools are they using?

Slide 8: Scans (an OPTIONS probe as captured)
    OPTIONS sip:2658@195.159.X.X SIP/2.0
    Via: SIP/2.0/UDP 0.0.0.0:1498;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rport
    Max-Forwards: 70
    To: <sip:2658@195.159.X.X>
    From: <sip:8571@195.159.X.X>;tag=723535DC-E71F-E3D4-D572-2B41E58782E8
    Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190F
    CSeq: 1 OPTIONS
    Contact: <sip:@0.0.0.0:1498;transport=udp>
    Accept: application/sdp
    Content-Length: 0

Slide 9: Honeypot
  • Some python code put together
  • Replies to requests and acts like a registrar

Slide 10: demo

Slide 11: SIP Scanning
  • OPTIONS is ideal for this
  • REGISTER adds value :-)
  • Tell between a registrar and an endpoint

Slide 12: OPTIONS scan
    SIP scanner  --OPTIONS-->  Registrar
    SIP scanner  <--200 OK--   Registrar
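A minimal registrar-side responder of the kind slide 9 describes, written here as an added example (not the speaker's honeypot code): it parses the OPTIONS probe from slide 8, echoes the headers RFC 3261 requires, answers 200 OK to OPTIONS and REGISTER, and produces a log line with the scanner's source and User-Agent. The probe text is a constructed copy of slide 8; the hostname is a placeholder.

```python
import secrets

# Constructed copy of the scan probe shown on slide 8 (CRLF line endings as on the wire).
SCAN_PROBE = (
    "OPTIONS sip:2658@195.159.X.X SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 0.0.0.0:1498;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rport\r\n"
    "Max-Forwards: 70\r\n"
    "To: <sip:2658@195.159.X.X>\r\n"
    "From: <sip:8571@195.159.X.X>;tag=723535DC-E71F-E3D4-D572-2B41E58782E8\r\n"
    "Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190F\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Contact: <sip:@0.0.0.0:1498;transport=udp>\r\n"
    "Accept: application/sdp\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_request(raw):
    """Split a SIP message into (first-line method, [(name, value)]). Names are kept
    exactly as sent: their order and case are themselves a scanner fingerprint."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines[1:])]
    return lines[0].split(" ", 1)[0], headers

def header(headers, name):
    """Case-insensitive lookup of the first header with this name (None if absent)."""
    return next((v for n, v in headers if n.lower() == name.lower()), None)

def registrar_reply(raw, hostname="honeypot.example"):
    """Answer like an open registrar: 200 OK to OPTIONS and to REGISTER (the
    'no password set' case of slide 30), 501 for anything else. Via, From, Call-ID
    and CSeq are echoed; To gets a fresh tag as RFC 3261 requires."""
    method, headers = parse_request(raw)
    status = "200 OK" if method in ("OPTIONS", "REGISTER") else "501 Not Implemented"
    to = header(headers, "To") or ""
    if ";tag=" not in to:
        to += ";tag=" + secrets.token_hex(4)
    reply = [f"SIP/2.0 {status}",
             f"Via: {header(headers, 'Via')}",
             f"From: {header(headers, 'From')}",
             f"To: {to}",
             f"Call-ID: {header(headers, 'Call-ID')}",
             f"CSeq: {header(headers, 'CSeq')}",
             f"Contact: <sip:{hostname}>",
             "Content-Length: 0"]
    return "\r\n".join(reply) + "\r\n\r\n"

def log_line(src_ip, raw):
    """One record per probe: who scanned, which method, claimed From and User-Agent."""
    method, headers = parse_request(raw)
    return (f"{src_ip} {method} from={header(headers, 'From')} "
            f"ua={header(headers, 'User-Agent') or '-'}")
```

Binding a UDP socket on 5060 and calling registrar_reply() and log_line() for every datagram received is all that is left to turn this into the cheap honeypot of slide 31.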
Slide 13: (screenshot only)

Slide 14: Scanning IAX2
    scanner  --POKE-->  Asterisk Box
    scanner  <--PONG--  Asterisk Box

Slide 15: (screenshot only)

Slide 16: Headers of interest
    SIP/2.0 404 Not found
    Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
    From: "test" <sip:100@1.2.3.4:5060>;tag=d5a5bd3213c46cdd060c
    To: "test" <sip:100@1.2.3.4:5060>;tag=as05610bff
    Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
    CSeq: 1 REGISTER
    User-Agent: Asterisk PBX
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
    Content-Length: 0

Slide 17: Modified User-agent
    (the slide 16 response with only one header changed)
    User-Agent: MyVeryOwn PBX

Slides 18-19: Give away
    (the slide 17 response shown again; every header other than User-Agent is unchanged)

Slide 20: Fingerprinting To Tag
    Sipura / Linksys SPA    [a-fA-F0-9]{16}i0
    Cisco VoIP Gateway      [a-fA-F0-9]{6,8}-[a-fA-F0-9]{2,4}
    AVM FRITZ!Box           [a-fA-F0-9]{16,29}

Slide 21: Order of headers
    SIP/2.0 200 OK
    Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9
    From: "hello" <sip:100@1.2.3.35:5060>;tag=d90a4f2313c4cc438e14
    To: "hello" <sip:100@1.2.3.35:5060>;tag=as00ea0c68
    Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
    CSeq: 1 OPTIONS
    User-Agent: xxx voicemail
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
    Contact: <sip:1.2.3.35>
    Accept: application/sdp
    Content-Length: 0

Slide 22: Order of headers
    SIP/2.0 404 Not Found
    Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061
    From: "hello" <sip:100@1.2.3.138:5060>;tag=d90a4f8a13c4d8bf89f5
    To: "hello" <sip:100@1.2.3.138:5060>;tag=as263e3393
    Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
    CSeq: 1 OPTIONS
    User-Agent: xxx asterisk
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
    Supported: replaces
    Accept: application/sdp
    Content-Length: 0

Slide 23: Order of headers
    (slides 21 and 22 side by side; the 200 OK carries a Contact header where the 404 carries Supported: replaces, and the User-Agent values on this slide read "sipgate voicemail" and "sipbox asterisk")

Slide 24: Order of headers
    (the 200 OK of slide 21 beside a 401 Unauthorized; the right-hand column is clipped on the slide)
    SIP/2.0 401 Unauthorized
    Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-
    From: "hello" <sip:100@1.2.3.40:5060>;tag=d90
    To: "hello" <sip:100@1.2.3.40:5060>;tag=cfbe3
    Cseq: 1 REGISTER
    Call-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
    WWW-Authenticate: Digest realm="sipgate.at",
    Content-Length: 0

Slide 25: Case for header names
    (the same pair as slide 24: the 401 writes Cseq and Call-id, and puts Cseq before Call-id, where the 200 OK writes CSeq and Call-ID in the opposite order)

Slide 26: Fingerprinting
  • Just one packet needed
  • To tag
  • Headers
  • Community effort

Slide 27: Community effort
  • SIPVicious 0.2.3
  • Included svlearnfp.py
  • Generated regular expressions for to tags
  • Generated hashes describing headers
  • SIPVicious 2.0 ...
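An added example (not SIPVicious's svlearnfp.py) of the two one-packet fingerprints slides 20 to 27 describe: the To-tag regular expressions from slide 20, and a hash over the header names in the order and case they were sent, which slides 17 to 19 and 21 to 25 show surviving a modified User-Agent. The sample response is a constructed copy of slide 16.

```python
import hashlib
import re

# To-tag patterns from slide 20; most specific first, since the FRITZ!Box pattern
# would also match the hex part of the others.
TO_TAG_PATTERNS = [
    ("Sipura / Linksys SPA", re.compile(r"[a-fA-F0-9]{16}i0")),
    ("Cisco VoIP Gateway", re.compile(r"[a-fA-F0-9]{6,8}-[a-fA-F0-9]{2,4}")),
    ("AVM FRITZ!Box", re.compile(r"[a-fA-F0-9]{16,29}")),
]

def parse_response(raw):
    """(status line, [(header name exactly as sent, value)])."""
    lines = raw.strip().splitlines()
    return lines[0], [(n.strip(), v.strip()) for n, _, v in
                      (l.partition(":") for l in lines[1:])]

def to_tag(headers):
    """The tag parameter of the To header, which the answering stack generated."""
    for name, value in headers:
        if name.lower() == "to":
            m = re.search(r";tag=([^;\s]+)", value)
            return m.group(1) if m else None
    return None

def to_tag_vendor(tag):
    """Slide 20: the first pattern that matches the whole tag names the device."""
    return next((v for v, p in TO_TAG_PATTERNS if tag and p.fullmatch(tag)), None)

def header_signature(headers):
    """Slides 21-25: hash the header names only (values vary per request), keeping
    their order and case; 'Cseq'/'Call-id' and 'CSeq'/'Call-ID' hash differently."""
    return hashlib.md5(",".join(n for n, _ in headers).encode()).hexdigest()

def fingerprint(raw):
    status, headers = parse_response(raw)
    ua = next((v for n, v in headers if n.lower() == "user-agent"), None)
    return {"status": status, "user_agent": ua,
            "to_tag_vendor": to_tag_vendor(to_tag(headers)),
            "signature": header_signature(headers)}

# Constructed copy of the Asterisk response on slide 16 (LF line endings for readability).
ASTERISK_404 = """SIP/2.0 404 Not found
Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
From: "test" <sip:100@1.2.3.4:5060>;tag=d5a5bd3213c46cdd060c
To: "test" <sip:100@1.2.3.4:5060>;tag=as05610bff
Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0
"""
# Slide 17: the same box with User-Agent rewritten; the signature does not change.
MODIFIED_UA_404 = ASTERISK_404.replace("Asterisk PBX", "MyVeryOwn PBX")
```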
Slide 28: Interesting facts
  • Random scans work pretty well
  • ADSL etc FRITZ!Box, Speedtouch
  • Asterisk
  • Cisco Gateways

Slide 29: demo

Slide 30: Introducing REGISTER
  • Binds an extension to an IP and port
  • Normally requires authentication
  • If no password is set it binds without auth

Slide 31: More interesting facts
  • The REGISTER scan
    • Dangerous
    • Useful for cheap honeypots :-)

Slide 32: Enumeration of extensions
  • Response to a REGISTER for non-existent extension
  • A different response indicates that the extension exists
  • If the extension has no password it sends a 200 OK
  • Otherwise asks for authentication

Slide 33: (diagram) REGISTER for extensions 100, 101 and 102 sent to * (Asterisk)

Slide 34: (diagram) the three responses: 404 Not found, 200 OK, 401 Auth required

Slide 35: demo

Slides 36-42: DDoS using IAX2?
    Slide 36:  :-)  --REGREQ-->  *    *  --REGREJ-->  :-)    :-)  --ACK-->  *
    Slide 37:  }:-)  --REGREQ-->  *    *  --REGREJ-->  }:-)   ACK
    Slide 38:  as slide 37, with a second REGREJ from *
    Slide 39:  as slide 37, with a third REGREJ from *
    Slide 40:  }:-)  --REGREQ-->  *    *  --REGREJ, REGREJ, REGREJ-->  :-/   ACK
    Slide 41:  many * boxes (**, **, **, **, *) around one :-o, and one }:-)
    Slide 42:  the same picture, with :-o now :’-(

Slide 43: (screenshot only)

Slide 44: SIP Digest Auth
  • REGISTER usually gets a 401 Unauthorized
  • INVITE gets a 407 Proxy Authentication
  • Challenge response mechanism
  • Takes various properties + password
  • Nonce, Method, URI

Slide 45: Digest Leak
    INVITE  -->
            <--  200 OK

Slide 46: Digest Leak
    BYE  -->
         <--  407 Challenge
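The challenge/response arithmetic of slide 44, as an added example (not code from the talk): the value a phone sends back after a 401 or 407 is MD5 over HA1, the nonce and HA2, so it is fixed by nonce, method, URI and password. The registrar-side verify() accepts only nonces it issued itself; a phone that answers a challenge from an unexpected party (the BYE/407 exchange of slides 45 and 46) hands that party a value it can test password guesses against offline, which is why strong SIP passwords and endpoints that only authenticate to their configured proxy matter. Usernames, realm and passwords below are constructed.

```python
import hashlib
import hmac
import re
import secrets

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop, as SIP uses it: HA1 = MD5(user:realm:password),
    HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2). Changing any input,
    including the method (REGISTER vs BYE), changes the result."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def challenge(realm):
    """Server side: a fresh nonce and the WWW-Authenticate (401) / Proxy-Authenticate
    (407) header value that carries it. The caller must remember the nonce."""
    nonce = secrets.token_hex(16)
    return nonce, f'Digest realm="{realm}", nonce="{nonce}", algorithm=MD5'

def authorization(username, realm, password, method, uri, nonce):
    """Client side: the Authorization / Proxy-Authorization header value a phone sends
    in its retried request. The password itself never travels, only the response."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def parse_authorization(value):
    """Extract the key=value pairs of a Digest header into a dict."""
    return dict(re.findall(r'(\w+)="?([^",]+)"?', value))

def verify(auth_header, method, stored_password, issued_nonces):
    """Registrar side: recompute the response from the stored password and compare in
    constant time. A nonce this server never issued is rejected, so a response that was
    obtained by challenging the phone from elsewhere cannot simply be replayed here."""
    p = parse_authorization(auth_header)
    if p.get("nonce") not in issued_nonces:
        return False
    expected = digest_response(p.get("username", ""), p.get("realm", ""), stored_password,
                               method, p.get("uri", ""), p["nonce"])
    return hmac.compare_digest(expected, p.get("response", ""))
```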
Slide 47: demo

Slide 48: Vulnerable endpoints
  • X-lite
  • Gizmo5
  • Zoiper

Slide 49: Vulnerable endpoints
  • Cisco 7940
  • Grandstream GXP*
  • Patton Smartlink
  • Linksys SPA942
  • Fritzbox

Slide 50: But ...
  • There’s no SIP Phones on the ‘net!
  • There are ;-)
  • The ‘net is full of Fritzbox
  • Internal endpoints behind NAT

Slide 51: More at..
  • EnableSecurity.com/research
  • Sipvicious.org
  • VOIPSA.org

Slide 52: Shoutouts!
  • Sjur at usken.no
  • dudes from .mt =)

Slide 53: Q.A

Slide 54: sandro@enablesecurity.com
