
Hacking SIP Like a Boss!



This is my Athcon 2013 slide set. I also demonstrated attacking mobile applications via SIP Trust, scanning via SIP proxies and MITM fuzzing in a live demo.



  1. Hacking SIP Services Like a Boss
     - Fatih Özavcı, Information Security Researcher & Consultant
     - fatih.ozavci at
  2. #occupygezi #direngezi (slides 2 to 4)
  5. About Me
     - Information Security Consultant @ Viproy / Turkey
     - 10+ Years Experience in Penetration Testing
     - 800+ Penetration Tests, 40+ Focused on NGN/VoIP
       - SIP/NGN/VoIP Systems Penetration Testing
       - Mobile Application Penetration Testing
       - IPTV Penetration Testing
       - Regular Stuff (Network Inf., Web, SOAP, Exploitation...)
     - Author of Viproy VoIP Penetration Testing Kit
     - Author of Hacking SIP Trust Relationships of SIP Gateways
     - Blackhat Arsenal USA 2013 – Viproy VoIP Pen-Test Kit
     - So, that's me
  6. Agenda
     - VoIP Networks are Insecure, but Why?
     - Viproy What?
     - Discovery
     - Register/Subscribe Tests
     - Invite Tests
     - CDR and Billing Bypass
     - Denial of Service
     - Fuzzing
     - Hacking SIP Trust Relationships
     - Out of Scope
       - RTP Services and Network Tests
       - Management and Additional Services
       - XML/JSON Based SOAP Services
  7. SIP, NGN, VoIP
     - SIP – Session Initiation Protocol
       - Only Signaling, not Transporting the Call
       - Extended with Session Discovery Protocol
     - NGN – Next Generation Network
       - Forget TDM and PSTN
       - SIP, H.248 / Megaco, RTP, MSAN/MGW
       - Smart Customer Modems & Phones
       - Easy Management
       - Security Free, It's NOT Required?!
       - Next Generation! Because We Said So!
  8. Administrators Think... Root Doesn't!
     - "Their VoIP Network Is Isolated"
       - Open Physical Access for Many Network Operators
       - Insufficient Network Segmentation
       - Insecure VPNs (IPSec, MPLS)
     - "Abusing VoIP Requires Knowledge"
       - It's Easy With the Right Automated Tools, But That's the Case!
     - "Most Attacks are Network Based or Toll Fraud"
       - Call Based DoS Attacks, Response Based DDoS Attacks
       - Compromising Clients for Surveillance, Spying
       - Phishing, Fake Calls for Fun & Profit, Abusing VAS Services
     - "VoIP Devices are Well-Configured"
       - Many Operators and Vendors Have No Idea About the Security Requirements
       - SIP Accounts without Passwords, Trunks, Management Problems
       - Old Versions and Insecure Software (Especially VAS, CDR, DB, Operating System)
       - Insecure Additional Services (TFTP, Telnet, SNMP, FTP, DHCP, SOAP Services)
  9. SIP Services: Internal IP Telephony (network diagram)
     - Elements shown: Internet, SIP Server, Support Servers, SIP Clients, Factory/Campus (SIP over VPN), Commercial Gateways, Analog/Digital PBX
  10. SIP Services: Commercial Operators (network diagram)
      - Elements shown: Internet, Soft Switch (SIP Server), VAS/CDR/DB Servers, MSAN/MGW, PSTN/ISDN Distributor, MPLS, 3rd Party Gateways, SDP Servers, Customers, RTP/Proxy Servers, Mobile
  11. Why Other SIP Tools are not Efficient?
      - Sipvicious, Sipsak, Sipp: Basic Tools, Basic Functions
        - They Need Complete Protocol Information to Perform a Test
        - They Are Prepared for Simple Tasks, not Complete Operation
      - Performing Security Tests After Authentication is Painful
        - Call Spoofing, Bypassing CDR/Invoice, Spying
        - DoS Attacks for Call Limits, VAS Services, Toll Fraud
        - Special Tests Require 3-4 Steps
      - They Don't Have Pen-Test Features
        - Database Support, Integration with Other Tools
        - Knowledge Transfer
        - Quick Action & Development for Specific Cases
  12. Why Metasploit Framework or New Modules?
      - Metasploit Has Many Penetration Testing Features
        - 1000+ Exploits & Tools, Database Support, Automated Tasks
        - Handy Functions for Development, Sample Modules, Less Code
        - Integration Between Tools and Exploits
      - Why New Metasploit Modules?
        - There is NO SIP Library in REX, Auxiliary Development is Painful
        - There is NO Module for Testing SIP Services after Authentication
        - Presented SIP Auxiliaries are Useful Only for Specific Tests
        - 8 Simple Modules and 1 Library, Less Code for SIP Tests
        - Integrated SIP Tests with Metasploit Framework Infrastructure
  13. Viproy What?
      - Viproy is a Vulcan-ish Word that means "Call"
      - Viproy VoIP Penetration and Exploitation Kit
        - Testing Modules for Metasploit, MSF License
        - Old Techniques, New Approach
        - SIP Library for New Module Development
        - Custom Header Support, Authentication Support
        - New Stuff for Testing: Trust Analyzer, Proxy etc.
      - Modules
        - Options, Register, Invite
        - Brute Forcers, Enumerator
        - SIP Trust Analyzer, Port Scan
        - SIP Proxy, Fake Service
  14. Discovery
      - Finding and Identifying SIP Services
        - Different Ports, Different Purposes
        - Internal Communication Service or PSTN Gateway
      - Discovering Available Methods
        - Register, Direct Invite, Options
        - Soft Switch, Call Manager, Mobile Client Software, IP Phone
      - Discovering SIP Software
        - Well-Known Software Vulnerabilities
        - Compliant Software and Architecture
        - Network Points and 3rd Party Detection
  15. Discovery (message flow diagram: Soft Switch (SIP Server), Clients, Gateways)
      - Requests: OPTIONS / REGISTER / INVITE / SUBSCRIBE
      - Responses: 100 Trying, 200 OK, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error
      - Collecting Information from Response Headers
        - User-Agent, Server, Realm, Call-ID, Record-Route, Warning
        - P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity, P-Charging-Vector
  16. Register/Subscribe Tests
      - Unauthenticated Registration
        - Special Trunks
        - Special VAS Numbers
        - Gateways
      - Identifying Valid Target Numbers, Users, Realm
      - De-Registration for Valid Users
      - Brute Forcing Valid Accounts and Passwords
        - With Well-Known User List
        - Numeric User Ranges
  17. Register/Subscribe Tests (message flow diagram: Soft Switch (SIP Server), Clients, Gateways)
      - Request: REGISTER / SUBSCRIBE (From, To, Credentials)
      - Responses: 200 OK, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error
      - RESPONSE Depends on Information in REQUEST
        - Type of Request (REGISTER, SUBSCRIBE)
        - FROM, TO, Credentials with Realm
        - Via
      - Actions/Tests Depend on RESPONSE
        - Brute Force (FROM, TO, Credentials)
        - Detecting/Enumerating Special TOs, FROMs or Trunks
        - Detecting/Enumerating Accounts With Weak or Null Passwords
        - ...
  18. Invite Tests
      - Invite Without Registration
        - Client Software, IP Phone, Test SIP Server
        - Bypassing "After Register" Restrictions
      - Direct Invite from Special Trunk (IP Based)
        - VAS Services, Trusted Soft Switches, Gateways, MSAN, MGW
      - Invite Spoofing (After or Before Registration, Via Trunk)
        - For Phishing, Spying, Surveillance, Restriction Bypass, VAS
        - Via Field, From Field
        - P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity
        - ISDN Calling Party Number, Remote-Party-ID
  19. CDR and Billing Bypass
      - Invite Spoofing (After or Before Registration, Via Trunk)
        - Via Field, From Field
        - P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity
        - ISDN Calling Party Number, Remote-Party-ID
      - Bypass Techniques
        - Faking as a Cheap Gateway, Another Customer or Trunk
        - Direct Call to Client, VAS Service or Gateway
        - Call Count Information on Headers
        - P-Charging-Vector (Spoofing, Manipulating)
        - Re-Invite, Update (Without/With P-Charging-Vector)
  20. Invite, CDR and Billing Tests (message flow diagram: Soft Switch (SIP Server), Clients, Gateways)
      - Request: INVITE/ACK/RE-INVITE/UPDATE (From, To, Credentials, VIA ...)
      - Responses: 100 Trying, 183 Session Progress, 180 Ringing, 200 OK, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error
      - RESPONSE Depends on Information in INVITE REQUEST
        - FROM, TO, Credentials with Realm, FROM <>, TO <>
        - Via, Record-Route
        - Direct INVITE from Specific IP:PORT (IP Based Trunks)
      - Actions/Tests Depend on RESPONSE
        - Brute Force (FROM & TO) for VAS and Gateways
        - Testing Call Limits, Unauthenticated Calls, CDR Management
        - INVITE Spoofing for Restriction Bypass, Spying, Invoice
        - ...
  21. Denial of Service
      - Denial of Service Vulnerabilities of SIP Services
        - Many Responses for Bogus Requests → DDoS
        - Concurrent Registered User/Call Limits
        - Voice Message Box, CDR, VAS Based DoS Attacks
        - Bye and Cancel Tests for Call Drop
        - Locking All Accounts if Account Locking is Active for Multiple Fails
      - Multiple Invite (After or Before Registration, Via Trunk)
        - Calling All Numbers at the Same Time
        - Overloading SIP Server Call Limits
        - Calling Expensive Gateways, Targets or VAS From Customers
  22. Fuzzing SIP Services or Fuzz Me Maybe
      - Fuzzing as a SIP Client | SIP Server | Proxy | MITM
      - SIP Server Software
      - SIP Clients
        - Hardware Devices, IP Phones, Video Conference Systems
        - Desktop Application or Web Based Software
        - Mobile Software
      - Special SIP Devices/Software
        - SIP Firewalls, ACL Devices, Proxies
        - Connected SIP Trunks, 3rd Party Gateways
        - MSAN/MGW
        - Logging Software (Indirect)
        - Special Products: Cisco, Alcatel, Avaya, Huawei, ZTE...
  23. Fuzzing SIP Services or Fuzz Me Maybe
      - Request Fuzzing
        - Fuzzing Registration and Authentication Parameters
        - Fuzzing Invite Parameters
        - Fuzzing Options Parameters
        - Fuzzing Bye and Cancel Parameters
        - Fuzzing Authentication Functions
      - Response Fuzzing
        - Authentication Options (Nonce, Digest, URI etc.)
        - [1|2]0x: 200 OK, 100 Trying, 180 Ringing, 183 Session Progress
        - 30x: 301 Moved Permanently, 305 Use Proxy, 380 Alternative Service
        - 40x: 401 Unauthorized, 403 Forbidden, 402 Payment Required
        - 60x: 600 Busy, 603 Decline, 606 Not Acceptable
  24. Static and Stateful SIP Fuzzers
      - Static Fuzzers: Protos SIP Fuzzer
      - Stateful Fuzzers: Interstate
  25. Missing Features in SIP Fuzzers
      - Static Fuzzers
        - State Tracking is the Biggest Problem
        - Missing Important SIP Features and Headers
      - Stateful Fuzzers (Old Tools, Last Update 2007)
        - Missing State Features (ACK, PRACK, RE-INVITE, UPDATE)
        - Fuzzing After Authentication (Double Account, Self-Call)
        - Response Fuzzing (Before or After Authentication)
      - Missing SIP Features
        - IP Spoofing for SIP Trunks
        - Proxy Headers, Custom Headers, Invoice Headers
        - SDP and ISUP Support
        - Numeric Fuzzing for Services is NOT Buffer Overflow
        - Dial Plan Fuzzing, VAS Fuzzing
  26. How This SIP Library Helps Fuzzing Tests
      - Skeleton for Feature Fuzzing, NOT Only SIP Protocol
        - Multiple SIP Service Initiation
        - Call Fuzzing in Many States, Response Fuzzing
      - Integration With Other Metasploit Features
        - Fuzzers, Encoding Support, Auxiliaries, Immortality etc.
      - Custom Header Support
        - Future Compliance, Vendor Specific Extensions, VAS
        - Raw Data Send Support (Useful with External Static Tools)
      - Authentication Support
        - Authentication Fuzzing, Custom Fuzzing with Authentication
      - Less Code, Custom Fuzzing, State Checks
      - Some Features (Fuzz Library, SDP) are in Development
  27. Fuzzing SIP Services: Request Based (message flow diagram: Soft Switch (SIP Server), Clients, Gateways)
      - Requests: OPTIONS/REGISTER/SUBSCRIBE/INVITE/ACK/RE-INVITE/UPDATE...
      - Responses: 100 Trying, 183 Session Progress, 180 Ringing, 200 OK, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error
      - Fuzzing Targets, REQUEST Fields
        - Request Type, Protocol, Description
        - Via, Branch, Call-ID, From, To, CSeq, Contact, Record-Route
        - Proxy Headers, P-*-* (P-Asserted-Identity, P-Charging-Vector...)
        - Authentication in Different Requests (User, Pass, Realm, Nonce)
        - Content-Type, Content-Length
        - SDP Information Fields
        - ISUP Fields
  28. Fuzzing SIP Services: Response Based (message flow diagram: Soft Switch (SIP Server), Clients, Gateways)
      - Requests from the target: OPTIONS, INVITE/ACK ("INVITE Myself" / "INVITE, I'm Proxy")
      - The fuzzer answers with a MALICIOUS RESPONSE
      - Potential RESPONSE Types for Fuzzing: 100 Trying, 183 Session Progress, 180 Ringing, 200 OK, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error
  29. Hacking SIP Trust Relationships
      - NGN SIP Services Trust Each Other
        - Authentication and TCP are Slow, They Need Speed
        - IP and Port Based Trust is the Most Effective Way
      - What We Need
        - Target Number to Call (Cell Phone if Service is Public)
        - Tech Magazine, Web Site Information, News
      - Baby Steps
        - Finding Trusted SIP Networks (Mostly B Class)
        - Sending IP Spoofed Requests from Each IP:Port
        - Each Call Should Contain IP:Port in From Section
        - Note the Trusted SIP Gateway When We Have a Call
      - Brace Yourselves, The Call is Coming
  30. The Wall # Hacking SIP Trust Relationships (diagram, "Slow Motion")
      - Elements shown: 192.168.1.201 – Izmir, Production SIP Service, Ankara, Istanbul, Trusted International Operator, White Walker
      - IP Spoofed Call Request Contains IP:Port Data in From
  31. The Wall # Hacking SIP Trust Relationships (diagram, "Brace Yourselves, The Call is Coming")
      - Elements shown: 192.168.1.201 – Izmir, Production SIP Service, Ankara, Istanbul, Trusted International Operator, Citadel, White Walker
      - IP Spoofed Call Request: Somebody Known in From
      - Billing? CDR? Log? Come Again? From Citadel
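Slides 18 to 20 and 29 describe the defender-relevant signals of these attacks: identity and charging headers (P-Asserted-Identity, P-Charging-Vector, ...) arriving from something other than an IP:port trusted trunk, a Via that names a trusted address while the packet came from elsewhere, and a From field carrying the spoofed IP:port as a marker. The following review function is an added example written for this page, not Viproy or Metasploit code; the trusted-trunk allowlist, the header regexes and the sample INVITE are constructed assumptions.

```python
import re

# Constructed allowlist of IP:port based trusted trunks; a real check reads the soft switch config
TRUSTED_TRUNKS = {("192.168.1.201", 5060)}
# Headers the slides list as carriers of asserted caller identity or charging data
IDENTITY_HEADERS = ("p-asserted-identity", "p-preferred-identity", "p-called-party-id",
                    "remote-party-id", "p-charging-vector")
IP_PORT_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}\b")
VIA_HOST_RE = re.compile(r"SIP/2\.0/\w+\s+([^\s;:]+)")

def parse_sip_headers(msg):
    """Return {lowercase name: value} for the first occurrence of each header line."""
    headers = {}
    for line in msg.split("\r\n")[1:]:      # skip the request line
        if not line:
            break                           # empty line ends the headers; an SDP body may follow
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def review_invite(msg, src_ip, src_port):
    """Return findings for one INVITE that arrived from src_ip:src_port at the transport layer."""
    h = parse_sip_headers(msg)
    findings = []
    trusted = (src_ip, src_port) in TRUSTED_TRUNKS
    asserted = [n for n in IDENTITY_HEADERS if n in h]
    if asserted and not trusted:
        # Slides 18-19: these headers are only trustworthy when they arrive over a trusted trunk
        findings.append("untrusted source asserts identity/charging: " + ", ".join(asserted))
    via_host = VIA_HOST_RE.search(h.get("via", ""))
    if via_host and via_host.group(1) != src_ip:
        # Slide 29: a spoofed request claims a trusted address in Via but is received from elsewhere
        findings.append("Via host %s differs from source %s" % (via_host.group(1), src_ip))
    if IP_PORT_RE.search(h.get("from", "")):
        # Slide 29: trust-scan calls embed the spoofed IP:port in From to mark which source got through
        findings.append("From carries an IP:port marker")
    return findings

# Constructed sample: an INVITE received from 10.0.0.5 that claims to come from the trusted trunk
SPOOFED_INVITE = (
    "INVITE sip:905551234567@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.201:5060;branch=z9hG4bK-1\r\n"
    "From: \"192.168.1.201:5060\" <sip:100@192.168.1.201>;tag=1\r\n"
    "To: <sip:905551234567@sip.example.net>\r\n"
    "P-Asserted-Identity: <sip:100@192.168.1.201>\r\n"
    "P-Charging-Vector: icid-value=abc\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)
```

The Via check is only meaningful where trunks are not behind NAT; tune it per trunk before alerting on it, and feed the findings to the CDR or logging pipeline the slides note is often missing.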
  32. References and Further Information
      - My Personal Page (
        - Trust Relationships Between SIP Gateways
        - SIP Pen-Testing Kit for Metasploit Framework
        - Pen-Testing Guide for SIP Services in English
        - Pen-Testing Using Metasploit Framework in Turkish (300 Pages)
      - Blog: fozavci.blogspot.com
      - SIP Pen-Testing Kit for Metasploit Framework Project (
  33. DEMO: Attacking SIP Servers Using Viproy SIP Pen-Testing Kit
  34. Q?
  35. Thank You