
Departed Communications: Learn the ways to smash them!

Unified Communications (UC) is widely used by larger organisations for video conferencing, office collaboration, cloud services and mobile communications. These services also play key roles in the IP Multimedia Subsystem (IMS) implementations of next generation mobile networks. As a result, customers require unified collaboration, and the telecommunications industry offers managed communications services and infrastructure built on UC and IMS technologies. These offerings also come with design issues, well-known security vulnerabilities and legacy services.
Security testing of communication networks, however, is underestimated and mostly under-scoped. Due to a lack of time and resources, the results of such security tests often provide only an illusion of security. On the other hand, advanced VoIP and UC attacks can be much faster and more efficient when a proper methodology is used. This talk therefore aims to improve the testing skills of assurance teams for better penetration testing results. Its theme is transferring VoIP and UC knowledge from a phreak to penetration testers, through practical attack demonstrations, testing tips and automated actions.

Published in: Internet


  1. Departed Communications: Learn The Ways to Smash Them! (07/04/2017), Fatih Ozavci (@fozavci), Managing Consultant, Context Information Security
  2. Speaker
     • Fatih Ozavci, Managing Consultant
       – VoIP & phreaking
       – Mobile applications and devices
       – Network infrastructure
       – CPE, hardware and IoT hacking
     • Author of Viproy and VoIP Wars
     • Public speaker and trainer
       – Blackhat, Defcon, HITB, AusCert, Troopers
  3. Agenda
     • VoIP, UC, IMS and more
     • Security breaches
     • Various implementations and issues
     • Testing techniques
     • Demonstrations
  4. Traditional Phone Systems (diagram: Alice and Bob, audio call over TDM)
  5. Unified Communications (diagram: Alice and Bob; signalling via SIP Server, media via RTP Proxy)
  6. Unified Collaboration (same diagram: Alice and Bob; signalling via SIP Server, media via RTP Proxy)
  7. Unified Attack Surfaces (same diagram: Alice and Bob; signalling via SIP Server, media via RTP Proxy)
  8. Security Concerns
     • Toll fraud
     • Tenant isolation
     • Confidentiality
     • Availability
     • Privacy (e.g. PII)
     • Regulations
     • Call quality
     • Infrastructure
     • Endpoint security
     • Lawful / illegal interception
     • Reputation damage
  9. Modern Challenges and Incidents
  10. Summary of Security Breaches
     • Legacy systems (15 years old)
     • Insecure CPE deployment
     • Lack of authentication
     • Broken authorisation
     • Too much trust
     • No security patch whatsoever
     It’s Not a Faulty Router
  11. VoIP in Real Life
     • Corporate/federated communications
     • Service providers
     • Cloud services
     • Mobile operators
  12. Warming Up
     • VoIP Wars research series
       – Return of the SIP (advanced SIP attacks)
       – Attack of the Cisco Phones (Cisco specific attacks)
       – Destroying Jar Jar Lync (SFB specific attacks)
       – The Phreakers Awaken (UC and IMS specific attacks)
     • Tools
       – Viproy for sending signalling and cloud attacks
       – Viproxy for intercepting UC client/server traffic
     • Viproy.com for videos and training videos
  13. Practical Design Analysis
     • Service requirements
       – Cloud, subscriber services, IMS
       – Billing, recordings, CDR, encryption
     • Trusted servers and gateways
       – SIP proxies, federations, SBCs
     • SIP headers used (e.g. ID, billing)
     • Tele/video conference settings
     • Analyse the encryption design
       – SIP/(M)TLS, SRTP (SDES, ZRTP, MIKEY)
  14. Corporate Communications (diagram: VoIP Server, Windows Server, Office Server, Active Directory, Virtual Machines, Cisco IP Phone 7970 Series)
  15. Analysing Corporate Communications
     • Find a way to get in
       – Courtesy phones, meeting rooms, lobby
       – Replace or compromise it (e.g. Raspberry Pi)
     • Analyse the network access
       – CDP discovery, VLAN hopping, ARP spoofing
     • Compromise faster
       – Harvest conf and creds on TFTP/HTTP
       – Compromise conf files to deploy SSH keys
     • Exploit service/server management
       – Legacy software, missing patches, default creds
  16. Federated Communications (diagram: Skywalker Corp with Edge Server sky.com, VoIP Server, Windows Server, Office Server, Active Directory, Virtual Machines and Phones A, B, C (a@sky.com, b@sky.com, c@sky.com); Kenobi Corp with Edge Server kenobi.com and Phone X (x@kenobi.com); DNS Server with DNS / SRV lookups; SIP / RTP between the edge servers)
  17. Attacking Through Signalling
     • Discover the protocols
       – SIP, Cisco Skinny/SCCP, Alcatel UA
     • Discover the signalling gateways
       – Lack of authentication, insecure management
     • Perform essential signalling attacks
       – Enumeration, brute force, call forwarding
     • Inject custom headers to calls
       – Caller ID spoofing, billing or dial plan bypass
     • Attack with a real client
       – Voicemail access, toll fraud, spread the attack to clients
     • Combining other attacks
  18. Attacking Through Messaging
     • Unified messaging
       – Message types (e.g. RTF, HTML, images)
       – Message content (e.g. JavaScript)
       – File transfers and sharing features
       – Code or script execution (e.g. SFB)
       – Encoding (e.g. Base64, charset)
     • Various protocols
       – MSRP, XMPP, SIP/MESSAGE
     • Combining other attacks
  19. Mass Compromise: attacking through a gateway (diagram: Viproy sends a meeting request with the attack in SIP content/headers to a Skype for Business Server, SIP PBX Server or Signalling Gateway, which forwards the request into the private network)
     • Send a malicious meeting request
     • Combine the attacks discussed
     • Wait for the shells
  20. Attack Using Original Clients (diagram: Attacker’s Client, Viproxy Interactive Console, HACME 1, HACME 2, HACME 3)
     • Manipulate SIP content, inject malicious subjects, send phishing messages
     • Reason: adding features
     • Attacker’s client: TLS / proxy, certificate, compression
     • Console: enabling features, content injection, security bypass
  21. (no transcribed text)
  22. Cloud Communications (diagram: SIP & Media Server, Database Server, Tenant Services, Management Applications, Client Applications, PBX, Shared Services, Cisco IP Phone 7970 Series)
  23. Targeting Tenants or Providers
     • Persistent access
       – Raspberry Pi with PoE, eavesdropping
     • Shared services to jailbreak
       – Billing, PBX, recordings, client applications
     • Unauthorised service access
       – Toll fraud, call forwarding, speed dial harvesting
       – Privilege escalation on shared management
       – SIP header manipulations for good
     • Practical attacks w/ caller ID spoofing
       – Voicemail harvesting, robocalls
  24. Targeting Clients
     • Attacks with NO user interaction
     • Calls with caller ID spoofing
       – Fake IVR, social engineering
     • Messages with caller ID spoofing
       – Smishing (e.g. fake software update)
       – Injected XSS, file-type exploits
       – Bogus content-types or messages
       – Meetings, multi-callee events
  25. Attacking Through UC/IMS
     • Signalling / messaging: SDP / XML, SIP headers, XMPP, MSRP
     • Content: message types (HTML, RTF, docs), file types (docs, codecs), caller ID spoofing, DoS / TDoS / robocalls, smishing
     • Forwarded requests: call settings, message content
     • No user interaction: call request parsing, message content parsing, 3rd party libraries reachable
  26. UC/VoIP Subscriber Services (diagram: Service Provider with ACS, RADIUS and Management; CPE reached over SIP and TR-069 / DOCSIS; VoIP (SIP + RTP) to a Media/Call Gateway; PSTN)
  27. Subscriber Services Testing
     • Vulnerable CPE
       – Credential extraction
       – Attacking through embedded devices
     • Insecurely located gateways
       – Hardware hacking, eavesdropping
       – Tampering gateways for persistent access
     • SIP header manipulations
       – Toll fraud
       – Attacking legacy systems (e.g. Nortel?)
       – Voicemail hijacking
  28. Call Centre Security Testing
     • Analysing encryption design
       – Implementation (e.g. SRTP, SIP/TLS)
       – Inter-vendor SRTP key exchange
     • Privacy and PCI compliance
       – Network segregation
       – IVR recordings (e.g. RTP events)
       – Eavesdropping
       – Call recordings security
  29. Mobile Networks (IMS / VoLTE) (diagram: Mobile Subscribers and UC/VoIP Subscribers in the access networks; Session Border Controllers (SBC) at the edge; in the core network the Call Session Control Function (P-CSCF, S-CSCF, I-CSCF), VoLTE/LTE Infrastructure, Application Server (AS), Home Subscriber Server (HSS) and Media Resource Function MRFC / MRFP)
  30. Mobile Networks Testing
     • Inter-vendor services design
     • Accessing through mobile phones
       – Tampered phone/SIM/IMSI
       – IPsec interception for mobile phone
       – eNodeB traffic
     • Network and service segregation
       – *CSCF locations, SBC services used
       – VoLTE design, application services
     • SIP headers are very sensitive
       – Internal trust relationships
       – Filtered/ignored SIP headers
       – Caller ID spoofing, billing bypass
     • Encryption design (SIP, SRTP, MSRP)
  31. Security Testing Using Vipro(x)y
     • Cloud communications
       – SIP header tests, caller ID spoofing
       – Billing bypass, hijacking IP phones
     • Signalling services
       – Attacking tools for SIP and Skinny
       – Advanced SIP attacks
         • Proxy bounce, SIP trust hacking
         • Custom headers, custom message-types
     • UC tests w/ Viproxy + real client
  32. Sample SIP INVITE/SDP Exploit (title only; no transcribed text)
  33. (no transcribed text)
  34. Viproyable PBX: vulnerable VoIP server with exercises (hands-on during workshops)
     • VoIP service discovery
     • Enumeration using various responses
     • Gathering unauthorised access to the extensions
     • Hijacking voicemails
     • Performing call spoofing attacks
     • Discovering SIP trust relationships
     • Harvesting information via IP phone configuration files
     • Gaining unauthorised access to Asterisk Management
     • Remote code execution through SIP services
     • Remote code execution through FreePBX modules
     • Decoding RTP sessions and decrypting SRTP sessions for eavesdropping
     • Exploiting Cisco CUCDM services
  35. QumpIn Communications Analyser
     • QumpIn: Communications Officer in Klingon
     • Replaces Viproy and Viproxy
       – Lack of programming, lack of community support
       – Metasploit Framework, unstable communications
     • What’s on
       – Under development, pure Python 3.x code
       – Module structure like Empire and Metasploit Framework
     • Phases
       1. Core functionalities of Viproy and Viproxy
       2. Advanced protocol and authentication support, fuzzers and exploits
  36. Upcoming Features of QumpIn: Signalling, Media, IMS & VoLTE, Cloud UC Assessment, IVR & CC, Voicemail, Practical Exploits, Research Tools
  37. (no transcribed text)
  38. References
     • Viproy VoIP Penetration Testing Kit
     • QumpIn Communications Analyser http://www.viproy.com
     • Context Information Security http://www.contextis.com
  39. Any Questions? Context Information Security https://www.contextis.com
  40. Thanks. Context Information Security https://www.contextis.com
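Slides 13, 17 and 30 say that SIP headers carrying identity or billing context are only safe when the trust boundary filters them, and that the SRTP key-exchange design (SDES keys travel inside the SDP) has to be analysed together with the signalling transport. The following Python is an added example of how a defender could audit an incoming INVITE for both points at an SBC or proxy; it is not code from the deck, Viproy or QumpIn, and the header list, finding strings and the sample message are assumptions constructed for the example.

```python
# Identity/billing headers an SBC may honour only from a trusted peer (RFC 3325/3455);
# accepted from anyone else they enable caller ID spoofing or billing bypass.
TRUST_ONLY_HEADERS = {"p-asserted-identity", "p-preferred-identity",
                      "remote-party-id", "p-charging-vector"}

def parse_sip(raw):
    # Split a SIP message into (request line, {header: [values]}, body).
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return head.partition("\r\n")[0], headers, body

def audit_invite(raw, peer_trusted):
    # Return findings as strings; an empty list means nothing was flagged.
    _, headers, sdp = parse_sip(raw)
    findings = [] if peer_trusted else [f"{h} from untrusted peer: strip or re-assert"
                                        for h in sorted(TRUST_ONLY_HEADERS & headers.keys())]
    via = headers.get("via", [""])[0]                    # top Via = this signalling leg
    sig_tls = via.split()[0].upper().endswith("/TLS") if via else False
    entries, session_keyed = [], False                  # entries: [media, proto, keyed]
    for line in sdp.splitlines():
        if line.startswith("m="):
            f = line[2:].split()
            entries.append([f[0], f[2], False])
        elif line.startswith("a=fingerprint:"):         # DTLS-SRTP: key from the handshake
            if entries:
                entries[-1][2] = True
            else:
                session_keyed = True                     # session-level attribute
        elif entries and line.startswith("a=crypto:"):   # SDES: master key inside the SDP
            entries[-1][2] = True
            if not sig_tls:  # the key is only as confidential as the signalling transport
                findings.append(f"{entries[-1][0]}: SDES key in SDP over non-TLS signalling")
    for media, proto, keyed in entries:
        if "SAVP" not in proto:
            findings.append(f"{media}: plain RTP offered ({proto}), no SRTP")
        elif not (keyed or session_keyed):
            findings.append(f"{media}: SRTP offered without a=crypto or a=fingerprint")
    return findings

# Constructed sample: untrusted UDP leg asserting an identity, SDES SRTP audio, plain RTP video.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-x\r\n"
    "From: <sip:alice@example.com>;tag=1\r\nTo: <sip:bob@example.com>\r\n"
    "P-Asserted-Identity: <sip:ceo@example.com>\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\nm=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ConstructedNotARealKey00000000000000000\r\n"
    "m=video 51372 RTP/AVP 96\r\n")
```

Running `audit_invite(SAMPLE_INVITE, peer_trusted=False)` flags the asserted identity, the SDES key sent over UDP and the unencrypted video line; the same offer on a TLS leg from a trusted peer only keeps the plain-RTP finding.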
