SlideShare a Scribd company logo

VoIP Wars: Attack of the Cisco Phones

VoIP Wars: Attack of the Cisco Phones slide set presented at Blackhat USA 2014 and DEF CON 22.

1 of 60
Download to read offline
VoIP Wars: 
Attack of the Cisco Phones 
Compliance, Protection & Business Confidence 
Sense of Security Pty Ltd 
! 
Sydney 
Level 8, 66 King Street 
Sydney NSW 2000 Australia 
Melbourne 
Level 10, 401 Docklands Drv 
Docklands VIC 3008 Australia 
T: 1300 922 923 
T: +61 (0) 2 9290 4444 
F: +61 (0) 2 9290 4455 
info@senseofsecurity.com.au 
www.senseofsecurity.com.au 
ABN: 14 098 237 908 
www.senseofsecurity.com.au © Sense of Security 2013 Page ‹#› – 13-Sep-13
Speaker 
• Fatih Ozavci 
• Senior Security Consultant 
• Interests 
• VoIP 
• Mobile Applications 
• Network Infrastructure 
! 
• Author of Viproy VoIP Penetration Testing Kit 
• Public Speaker 
• Defcon, BlackHat Arsenal, AusCert, Ruxcon 
www.senseofsecurity.com.au © Sense of Security 2014 Page 2 
of 60 – Aug-14
Viproy VoIP Toolkit 
• Viproy is a Vulcan-ish Word that means "Call" 
• Viproy VoIP Penetration and Exploitation Kit 
• Testing modules for Metasploit, MSF license 
• Old techniques, new approach 
• SIP library for new module development 
• Custom header support, authentication support 
• Trust analyser, SIP proxy bounce, MITM proxy, Skinny 
• Modules 
• Options, Register, Invite, Message 
• Brute-forcers, Enumerator 
• SIP trust analyser,SIP proxy, Fake service 
• Cisco Skinny analysers 
• Cisco UCM/UCDM exploits 
www.senseofsecurity.com.au © Sense of Security 2014 Page 3 
of 60 – Aug-14
Agenda 
www.senseofsecurity.com.au © Sense of Security 2014 Page 4 
of 60 – Aug-14 
Hosted VoIP 101 
Network Attacks 
Attacking CUCDM 
Attacking CUCM 
Attacking SIP 
Attacking 
Clients 
Attacking 
Skinny
Hosted VoIP services 
www.senseofsecurity.com.au © Sense of Security 2014 Page 5 
of 60 – Aug-14
Hosted VoIP environment 
• Vendors are Cisco and VOSS Solutions 
• Web based services 
• IP Phone services (Cisco, VOSS* IP Phone XML Services) 
• Tenant client services management (VOSS* Selfcare) 
• Tenant* services management (VOSS* Domain Manager) 
• VoIP services 
• Skinny (SCCP) services for Cisco phones 
• SIP services for other tenant phones 
• RTP services for media streaming 
• PBX/ISDN gateways, network equipment 
! 
* Tenant => Customer of hosted VoIP service 
* VOSS => VOSS Solutions, hosted VoIP provider & Cisco partner 
* VOSS a.k.a Voice Over Super Slick, created by Jason Ostrom 
www.senseofsecurity.com.au © Sense of Security 2014 Page 6 
of 60 – Aug-14
Ad

Recommended

The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
Media Handling in FreeSWITCH
Media Handling in FreeSWITCHMedia Handling in FreeSWITCH
Media Handling in FreeSWITCHMoises Silva
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
2+ipt+configuring cisco-cme
2+ipt+configuring cisco-cme2+ipt+configuring cisco-cme
2+ipt+configuring cisco-cmeYves Jean Louis
 

More Related Content

What's hot

Diameter Processing with Kamailio
Diameter Processing with KamailioDiameter Processing with Kamailio
Diameter Processing with KamailioCarsten Bock
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
Introduction to VoIP using SIP
Introduction to VoIP using SIPIntroduction to VoIP using SIP
Introduction to VoIP using SIPKundan Singh
 
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...ALTANAI BISHT
 
ACI MultiPod Config Guide
ACI MultiPod Config GuideACI MultiPod Config Guide
ACI MultiPod Config GuideWoo Hyung Choi
 
FreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBCFreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBCMoises Silva
 
CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4Nil Menon
 
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1Barry Hesk
 
SIP Trunking
SIP TrunkingSIP Trunking
SIP Trunkingorionnow
 
Voice over internet protocol (VoIP)
 Voice over internet protocol (VoIP)  Voice over internet protocol (VoIP)
Voice over internet protocol (VoIP) Namra Afzal
 
Avaya call routing_flowchart
Avaya call routing_flowchartAvaya call routing_flowchart
Avaya call routing_flowchartdborsan
 
Snort Intrusion Detection / Prevention System on PFSense Firewall
Snort Intrusion Detection / Prevention System  on PFSense FirewallSnort Intrusion Detection / Prevention System  on PFSense Firewall
Snort Intrusion Detection / Prevention System on PFSense FirewallHuda Seyam
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotikTola LENG
 
Avaya aura 6.x technical overview
Avaya aura 6.x technical overviewAvaya aura 6.x technical overview
Avaya aura 6.x technical overviewMotty Ben Atia
 

What's hot (20)

Diameter Processing with Kamailio
Diameter Processing with KamailioDiameter Processing with Kamailio
Diameter Processing with Kamailio
 
Voip security
Voip securityVoip security
Voip security
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
 
Introduction to VoIP using SIP
Introduction to VoIP using SIPIntroduction to VoIP using SIP
Introduction to VoIP using SIP
 
Sangoma SBC Training Presentation
Sangoma SBC Training PresentationSangoma SBC Training Presentation
Sangoma SBC Training Presentation
 
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
 
ACI MultiPod Config Guide
ACI MultiPod Config GuideACI MultiPod Config Guide
ACI MultiPod Config Guide
 
Ims conference-call
Ims conference-callIms conference-call
Ims conference-call
 
FreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBCFreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBC
 
VOIP
VOIPVOIP
VOIP
 
IPv6
IPv6IPv6
IPv6
 
CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4
 
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1
 
SIP Trunking
SIP TrunkingSIP Trunking
SIP Trunking
 
Voice over internet protocol (VoIP)
 Voice over internet protocol (VoIP)  Voice over internet protocol (VoIP)
Voice over internet protocol (VoIP)
 
Les Communications Unifiées
Les Communications UnifiéesLes Communications Unifiées
Les Communications Unifiées
 
Avaya call routing_flowchart
Avaya call routing_flowchartAvaya call routing_flowchart
Avaya call routing_flowchart
 
Snort Intrusion Detection / Prevention System on PFSense Firewall
Snort Intrusion Detection / Prevention System  on PFSense FirewallSnort Intrusion Detection / Prevention System  on PFSense Firewall
Snort Intrusion Detection / Prevention System on PFSense Firewall
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotik
 
Avaya aura 6.x technical overview
Avaya aura 6.x technical overviewAvaya aura 6.x technical overview
Avaya aura 6.x technical overview
 

Similar to VoIP Wars: Attack of the Cisco Phones

Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopFelipe Prado
 
Cidway Banking 02 2011
Cidway Banking 02 2011Cidway Banking 02 2011
Cidway Banking 02 2011lfilliat
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09  Suhas  Desai  Secure  Your  Vo I P  Network With  Open  SourceI N T E R O P09  Suhas  Desai  Secure  Your  Vo I P  Network With  Open  Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceSuhas Desai
 
Solving the BYOD Problem with Open Standards
Solving the BYOD Problem with Open StandardsSolving the BYOD Problem with Open Standards
Solving the BYOD Problem with Open StandardsChristina Inge
 
Squire Technologies: Class 4 Softswitch
Squire Technologies: Class 4 SoftswitchSquire Technologies: Class 4 Softswitch
Squire Technologies: Class 4 SoftswitchSquire Technologies
 
Alllworx presentation 2
Alllworx presentation 2Alllworx presentation 2
Alllworx presentation 2LeeHarris217
 
Mp company overview 2014 0214 version 3
Mp company overview 2014 0214 version 3Mp company overview 2014 0214 version 3
Mp company overview 2014 0214 version 3Ricardo Resnik
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tpseudor00t overflow
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Warren Bent
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlWarren Bent
 
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...AirTight Networks
 
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WANCisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WANCisco Canada
 
Squire Technologes: Session Border Controller
Squire Technologes: Session Border Controller Squire Technologes: Session Border Controller
Squire Technologes: Session Border Controller Squire Technologies
 
Wanderweb-market-intro
Wanderweb-market-introWanderweb-market-intro
Wanderweb-market-introPhilip Swart
 

Similar to VoIP Wars: Attack of the Cisco Phones (20)

Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshop
 
Cidway Banking 02 2011
Cidway Banking 02 2011Cidway Banking 02 2011
Cidway Banking 02 2011
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09  Suhas  Desai  Secure  Your  Vo I P  Network With  Open  SourceI N T E R O P09  Suhas  Desai  Secure  Your  Vo I P  Network With  Open  Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
 
Solving the BYOD Problem with Open Standards
Solving the BYOD Problem with Open StandardsSolving the BYOD Problem with Open Standards
Solving the BYOD Problem with Open Standards
 
Squire Technologies: Class 4 Softswitch
Squire Technologies: Class 4 SoftswitchSquire Technologies: Class 4 Softswitch
Squire Technologies: Class 4 Softswitch
 
Alllworx presentation 2
Alllworx presentation 2Alllworx presentation 2
Alllworx presentation 2
 
Mp company overview 2014 0214 version 3
Mp company overview 2014 0214 version 3Mp company overview 2014 0214 version 3
Mp company overview 2014 0214 version 3
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
 
Vo ip sip
Vo ip sipVo ip sip
Vo ip sip
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
 
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
The New Economics of Wi-Fi _ Disruptive Forces Driving Innovation for Carrier...
 
Linkedin - Cisco
Linkedin - CiscoLinkedin - Cisco
Linkedin - Cisco
 
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WANCisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
 
Protegendo sua cloud
Protegendo sua cloud Protegendo sua cloud
Protegendo sua cloud
 
Parminder Singh
Parminder SinghParminder Singh
Parminder Singh
 
Squire Technologes: Session Border Controller
Squire Technologes: Session Border Controller Squire Technologes: Session Border Controller
Squire Technologes: Session Border Controller
 
Wanderweb-market-intro
Wanderweb-market-introWanderweb-market-intro
Wanderweb-market-intro
 

More from Fatih Ozavci

Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Fatih Ozavci
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenFatih Ozavci
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)Fatih Ozavci
 
Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiFatih Ozavci
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP Fatih Ozavci
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi KoruyunFatih Ozavci
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeFatih Ozavci
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsFatih Ozavci
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiFatih Ozavci
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Fatih Ozavci
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarFatih Ozavci
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriFatih Ozavci
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiFatih Ozavci
 

More from Fatih Ozavci (17)

Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
 
Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik Denetimi
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi Koruyun
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik Denetimi
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit Gelistirme
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP Gateways
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur Yazilimlar
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri Yontemleri
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik Denetimi
 

Recently uploaded

Campotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotelPhilippines
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsInflectra
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...UiPathCommunity
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Adrian Sanabria
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17Ana-Maria Mihalceanu
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaISPMAIndia
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Product School
 
Dynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringDynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringMassimo Talia
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, GoogleISPMAIndia
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfkatalinjordans1
 
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Product School
 
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...ISPMAIndia
 
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERNRonnelBaroc
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsEvangelia Mitsopoulou
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura RochniakFwdays
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Adrian Sanabria
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 

Recently uploaded (20)

Campotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company Profile
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
 
Dynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringDynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineering
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdf
 
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
 
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
 
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applications
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
 
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 

VoIP Wars: Attack of the Cisco Phones

  • 1. VoIP Wars: Attack of the Cisco Phones Compliance, Protection & Business Confidence Sense of Security Pty Ltd ! Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne Level 10, 401 Docklands Drv Docklands VIC 3008 Australia T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au ABN: 14 098 237 908 www.senseofsecurity.com.au © Sense of Security 2013 Page ‹#› – 13-Sep-13
  • 2. Speaker • Fatih Ozavci • Senior Security Consultant • Interests • VoIP • Mobile Applications • Network Infrastructure ! • Author of Viproy VoIP Penetration Testing Kit • Public Speaker • Defcon, BlackHat Arsenal, AusCert, Ruxcon www.senseofsecurity.com.au © Sense of Security 2014 Page 2 of 60 – Aug-14
  • 3. Viproy VoIP Toolkit • Viproy is a Vulcan-ish Word that means "Call" • Viproy VoIP Penetration and Exploitation Kit • Testing modules for Metasploit, MSF license • Old techniques, new approach • SIP library for new module development • Custom header support, authentication support • Trust analyser, SIP proxy bounce, MITM proxy, Skinny • Modules • Options, Register, Invite, Message • Brute-forcers, Enumerator • SIP trust analyser,SIP proxy, Fake service • Cisco Skinny analysers • Cisco UCM/UCDM exploits www.senseofsecurity.com.au © Sense of Security 2014 Page 3 of 60 – Aug-14
  • 4. Agenda www.senseofsecurity.com.au © Sense of Security 2014 Page 4 of 60 – Aug-14 Hosted VoIP 101 Network Attacks Attacking CUCDM Attacking CUCM Attacking SIP Attacking Clients Attacking Skinny
  • 5. Hosted VoIP services www.senseofsecurity.com.au © Sense of Security 2014 Page 5 of 60 – Aug-14
  • 6. Hosted VoIP environment • Vendors are Cisco and VOSS Solutions • Web based services • IP Phone services (Cisco, VOSS* IP Phone XML Services) • Tenant client services management (VOSS* Selfcare) • Tenant* services management (VOSS* Domain Manager) • VoIP services • Skinny (SCCP) services for Cisco phones • SIP services for other tenant phones • RTP services for media streaming • PBX/ISDN gateways, network equipment ! * Tenant => Customer of hosted VoIP service * VOSS => VOSS Solutions, hosted VoIP provider & Cisco partner * VOSS a.k.a Voice Over Super Slick, created by Jason Ostrom www.senseofsecurity.com.au © Sense of Security 2014 Page 6 of 60 – Aug-14
  • 7. Discovery for hosted VoIP networks • Discover VoIP network configuration, design and requirements • Find Voice VLAN and gain access • Gain access using PC port on IP Phone • Understand the switching security for: • Main vendor for VoIP infrastructure • Network authentication requirements • VLAN ID and requirements • IP Phone management services • Supportive services in use www.senseofsecurity.com.au © Sense of Security 2014 Page 7 of 60 – Aug-14
  • 8. Protected and isolated? www.senseofsecurity.com.au © Sense of Security 2014 Page 8 of 60 – Aug-14
  • 9. Switching manipulation • Attack Types • PC Ports of the IP phone and handsets • CDP sniffing/spoofing for Voice VLAN • DTP and VLAN Trunking Protocol attacks • ARP spoofing for MITM attacks • DHCP spoofing & snooping • Persistent access • Tapberry Pi (a.k.a berry-tap) • Tampered phone • Power over ethernet (PoE) • 3G/4G for connectivity www.senseofsecurity.com.au © Sense of Security 2014 Page 9 of 60 – Aug-14
  • 10. How to make your own Tapberry Pi www.senseofsecurity.com.au © Sense of Security 2014 Page 10 of 60 – Aug-14 RJ45 Connection Pins
  • 11. How to make your own Tapberry Pi www.senseofsecurity.com.au © Sense of Security 2014 Page 11 of 60 – Aug-14 Speaker Power Patch the Cat5 cable
  • 12. Attacking the TFTP server • Obtaining configuration files for MAC addresses • SEPDefault.cnf, SEPXXXXXXXXXXXX.cnf.xml • SIPDefault.cnf, SIPXXXXXXXXXXXX.cnf.xml • Identifying SIP, Skinny, RTP and web settings • Finding IP phone software and updates • Configuration files may contain credentials • Digital signature/encryption usage for files ! ! ! Tip: TFTPTheft, Metasploit, Viproy TFTP module www.senseofsecurity.com.au © Sense of Security 2014 Page 12 of 60 – Aug-14
  • 13. Configuration file content • <deviceProtocol>SCCP</deviceProtocol>! • <sshUserId></sshUserId>! • <sshPassword></sshPassword>! ! • <webAccess>1</webAccess>! • <settingsAccess>1</settingsAccess>! • <sideToneLevel>0</sideToneLevel>! • <spanToPCPort>1</spanToPCPort>! • <sshAccess>1</sshAccess>! ! • <phonePassword></phonePassword> www.senseofsecurity.com.au © Sense of Security 2014 Page 13 of 60 – Aug-14
  • 14. Becoming the TFTP server • Send fake configurations for • HTTP server • IP phone management server • SIP server and proxy • Skinny server • RTP server and proxy • Deploy SSH public keys for SSH on IP Phones • Update custom settings of IP Phones • Deploy custom OS update and code execution ! Tip: Metasploit TFTP & FakeDNS servers, Viproxy www.senseofsecurity.com.au © Sense of Security 2014 Page 14 of 60 – Aug-14
  • 15. Cisco Hosted Collaboration Suite • Cisco UC Domain Manager • VOSS IP Phone XML services • VOSS Self Care customer portal • VOSS Tenant services management • Cisco UC Manager • Cisco Unified Dialed Number Analyzer • Cisco Unified Reporting • Cisco Unified CM CDR Analysis and Reporting ! • Multiple Vulnerabilities in Cisco Unified Communications Domain Manager http://tools.cisco.com/security/center/content/ CiscoSecurityAdvisory/cisco-sa-20140702-cucdm www.senseofsecurity.com.au © Sense of Security 2014 Page 15 of 60 – Aug-14
  • 16. VOSS Self Care Tenant user services • Password & PIN management • Voicemail configuration • Presence • Corporate Directory access • Extension mobility ! Weaknesses • Cross-site scripting vulnerabilities www.senseofsecurity.com.au © Sense of Security 2014 Page 16 of 60 – Aug-14
  • 17. Account details stored XSS www.senseofsecurity.com.au © Sense of Security 2014 Page 17 of 60 – Aug-14
  • 18. VOSS domain manager • Tenant administration services • User management • Location and dial plan management • CLI and number translation configuration ! Weaknesses • User enumeration • Privilege escalation vulnerabilities • Cross-site scripting vulnerabilities • SQL injections and SOAP manipulations www.senseofsecurity.com.au © Sense of Security 2014 Page 18 of 60 – Aug-14
  • 19. Errors, Information Leakage /emapp/EMAppServlet?device=USER ! ! ! ! /bvsm/iptusermgt/disassociateuser.cgi www.senseofsecurity.com.au © Sense of Security 2014 Page 19 of 60 – Aug-14
  • 20. Insecure File Upload /bvsm/iptbulkadmin /bvsm/iptbulkloadmgt/bulkloaduploadform.cgi www.senseofsecurity.com.au © Sense of Security 2014 Page 20 of 60 – Aug-14
  • 21. Privilege Escalation /bvsm/iptusermgt/moduser.cgi (stored XSS, change users’ role) /bvsm/iptadminusermgt/adduserform.cgi?user_type=adminuser ! ! ! ! ! /bvsm/iptnumtransmgt/editnumbertranslationform.cgi?id=1 ! www.senseofsecurity.com.au © Sense of Security 2014 Page 21 of 60 – Aug-14
  • 22. IP Phone management VOSS IP Phone XML services • Shared service for all tenants • Call forwarding (Skinny has, SIP has not) • Speed dial management • Voicemail PIN management http://1.2.3.4/bvsmweb/SRV.cgi?device=ID&cfoption=ACT www.senseofsecurity.com.au © Sense of Security 2014 Page 22 of 60 – Aug-14 Services • speeddials • changepinform • showcallfwd • callfwdmenu Actions • CallForwardAll • CallForwardBusy
  • 23. IP Phone management • Authentication and Authorisation free! • MAC address is sufficient • Jailbreaking tenant services ! • Viproy Modules • Call Forwarding • Speed Dial www.senseofsecurity.com.au © Sense of Security 2014 Page 23 of 60 – Aug-14
  • 24. Demonstration of VOSS attacks www.senseofsecurity.com.au © Sense of Security 2014 Page 24 of 60 – Aug-14
  • 25. Unified Communications • Forget TDM and PSTN • SIP, Skinny, H.248, RTP, MSAN/MGW • Smart customer modems & phones ! • Cisco UCM • Linux operating system • Web based management services • VoIP services (Skinny, SIP, RTP) • Essential network services (TFTP, DHCP) • Call centre, voicemail, value added services www.senseofsecurity.com.au © Sense of Security 2014 Page 25 of 60 – Aug-14
  • 26. Discovering VoIP servers • Looking for • Signalling servers (e.g. SIP, Skinny, H.323, H.248) • Proxy servers (e.g. RTP, SIP, SDP) • Contact Centre services • Voicemail and email integration • Call recordings, call data records, log servers ! • Discovering • Operating systems, versions and patch level • Management services (e.g. SNMP, Telnet, HTTP, SSH) • Weak or default credentials www.senseofsecurity.com.au © Sense of Security 2014 Page 26 of 60 – Aug-14
  • 27. Attacking SIP services • Essential analysis • Registration and invitation analysis • User enumeration, brute force for credentials • Discovery for SIP trunks, gateways and trusts • Caller ID spoofing (w/wo register or trunk) ! • Advanced analysis • Finding value added services and voicemail • SIP trust hacking • SIP proxy bounce attack www.senseofsecurity.com.au © Sense of Security 2014 Page 27 of 60 – Aug-14
  • 28. Cisco specific SIP registration • Extensions (e.g. 1001) • MAC address in Contact field • SIP digest authentication (user + password) • SIP x.509 authentication • All authentication elements must be valid! ! • Good news, we have SIP enumeration inputs! Warning: 399 bhcucm "Line not configured” Warning: 399 bhcucm "Unable to find device/user in database" Warning: 399 bhcucm "Unable to find a device handler for the request received on port 52852 from 192.168.0.101” Warning: 399 bhcucm "Device type mismatch" www.senseofsecurity.com.au © Sense of Security 2014 Page 28 of 60 – Aug-14
  • 29. Register and Subscribe www.senseofsecurity.com.au © Sense of Security 2014 Page 29 of 60 – Aug-14 Register / Subscribe (FROM, TO, Credentials)
  • 30. Invite, CDR and Billing tests www.senseofsecurity.com.au © Sense of Security 2014 Page 30 of 60 – Aug-14 Invite / Ack / Re-Invite / Update (FROM, TO, VIA, Credentials)
  • 31. SIP Proxy Bounce attack 192.168.1.145 - Sydney Production SIP Service 192.168.1.146 Melbourne 192.168.1.202 Brisbane www.senseofsecurity.com.au © Sense of Security 2014 Page 31 of 60 – Aug-14 SIP Proxy Bounce Attacks • SIP trust relationship hacking • Attacking inaccessible servers • Attacking the SIP software and protocol • Software, Version, Type, Realm
  • 32. Denial of Service attacks 192.168.1.145 - Sydney Production SIP Service 192.168.1.146 Melbourne 192.168.1.202 Brisbane IP spoofed UDP SIP request www.senseofsecurity.com.au © Sense of Security 2014 Page 32 of 60 – Aug-14 SIP based DoS attacks • UDP vulnerabilities and IP spoofing • Too many errors, very very verbose mode • ICMP errors Alderaan
  • 33. Hacking SIP trust relationships IP spoofed UDP SIP request From field has IP and Port 192.168.1.145 - Sydney Production SIP Service www.senseofsecurity.com.au © Sense of Security 2014 Page 33 of 60 – Aug-14 Send INVITE/MESSAGE requests with • IP spoofing (source is Brisbane), • from field contains Spoofed IP and Port, the caller ID will be your trusted host. 192.168.1.146 Melbourne 192.168.1.202 Brisbane UDP Trust Universal Trust Tatooine
  • 34. Attacking a client using SIP trust 192.168.1.145 - Sydney Production SIP Service www.senseofsecurity.com.au © Sense of Security 2014 Page 34 of 60 – Aug-14 IP spoofed UDP SIP request From field has bogus characters 192.168.1.146 Melbourne 192.168.1.202 Brisbane UDP Trust Universal Trust Tatooine It’s a TRAP! Send INVITE/MESSAGE requests with • IP spoofing (source is Brisbane), • from field contains special number, you will have fun or voicemail access.
  • 35. Toll fraud for CUCM • Cisco UCM accepts MAC address as identity • No authentication (secure deployment?) • Rogue SIP gateway with no authentication • Caller ID spoofing with proxy headers • Via field, From field • P-Asserted-Identity, P-Called-Party-ID • P-Preferred-Identity • ISDN Calling Party Number, Remote-Party-ID* • Billing bypass with proxy headers • P-Charging-Vector (Spoofing, Manipulating) • Re-Invite, Update (With/Without P-Charging-Vector) ! * https://tools.cisco.com/bugsearch/bug/CSCuo51517 www.senseofsecurity.com.au © Sense of Security 2014 Page 35 of 60 – Aug-14
  • 36. Remote-Party-ID header Source: Cisco CUCM SIP Line Messaging Guide www.senseofsecurity.com.au © Sense of Security 2014 Page 36 of 60 – Aug-14
  • 37. Caller ID spoofing on CUCM Remote-Party-ID header Remote-Party-ID: <sip:007@1.2.3.4>;party=called;screen=yes;privacy=off ! What for? • Caller ID spoofing • Billing bypass • Accessing voicemail • 3rd party operators www.senseofsecurity.com.au © Sense of Security 2014 Page 37 of 60 – Aug-14
  • 38. Caller ID fraud for all operators? • Telecom operators trust source Caller ID • One insecure operator to rule them all www.senseofsecurity.com.au © Sense of Security 2014 Page 38 of 60 – Aug-14
  • 39. Fake Caller ID for messages? • Call me back function on voicemail / calls • Sending many spoofed messages for DoS • Overseas? Roaming? • Social engineering (voicemail notification) • Value added services • Add a data package to my line • Subscribe me to a new mobile TV service • Reset my password/PIN/2FA • Group messages, celebrations www.senseofsecurity.com.au © Sense of Security 2014 Page 39 of 60 – Aug-14
  • 40. Demonstration of SIP attacks www.senseofsecurity.com.au © Sense of Security 2014 Page 40 of 60 – Aug-14
  • 41. VoIP client security • Different Client Types • Mobile, Desktop, Teleconference, Handsets • Information Disclosure • Unnecessary services and ports (SNMP, FTP) • Weak management services (Telnet, SSH, HTTP) • Stored credentials and sensitive information • Unauthorised Access • Password or TFTP attacks, enforced upgrades • Weak VoIP Services • Clients may accept direct invite, register or notify www.senseofsecurity.com.au © Sense of Security 2014 Page 41 of 60 – Aug-14
  • 42. Cisco VoIP clients • Cisco IP Phones • Cisco IP Communicator • Cisco Unified Personal Communicator • Cisco Webex Client • Cisco Jabber services • Cisco Jabber Voice/Video • IM for 3rd party clients • Mobile, desktop, Mac • Jabber SDK for web Source: www.arkadin.com www.senseofsecurity.com.au © Sense of Security 2014 Page 42 of 60 – Aug-14
  • 43. Rogue services and DSITM • Use ARP/DNS Spoof & VLAN hopping & Manual config • Collect credentials, hashes, information • Change client's request to add a feature (e.g. Spoofing) • Change the SDP features to redirect calls • Add a proxy header to bypass billing & CDR • Manipulate request at runtime to find BoF vulnerabilities • Trigger software upgrades for malwared executables www.senseofsecurity.com.au © Sense of Security 2014 Page 43 of 60 – Aug-14 Death Star in the Middle
  • 44. Attacking a client using SIP service • Caller ID spoofed messages • to install a malicious application or an SSL certificate • to redirect voicemails or calls • Fake caller ID for Scam, Vishing or Spying • Manipulate the content or content-type on messaging • Trigger a crash/BoF on the remote client • Inject cross-site scripting to the conversation ! • Proxies with TLS+TCP interception and manipulation • Viproxy (github.com/fozavci/viproxy) • MITMproxy www.senseofsecurity.com.au © Sense of Security 2014 Page 44 of 60 – Aug-14
  • 45. SMS phishing using SIP messages www.senseofsecurity.com.au © Sense of Security 2014 Page 45 of 60 – Aug-14
  • 46. Attacking a client using SIP trust • SIP server redirects a few fields to client • FROM, FROM NAME, Contact • Other fields depend on server (e.g. SDP, MIME) • Message content • Clients have buffer overflow in FROM? • Send 2000 chars to test it ! • Crash it or execute your shellcode if available • Clients trust SIP servers and trust is UDP based • Trust hacking module can be used for the trust between server and client too. • Viproy Penetration Testing Kit SIP Modules • Simple fuzz support (FROM=FUZZ 2000) • You can modify it for further attacks www.senseofsecurity.com.au © Sense of Security 2014 Page 46 of 60 – Aug-14
  • 47. Attacking a client using SIP trust 192.168.1.145 - Sydney Production SIP Service www.senseofsecurity.com.au © Sense of Security 2014 Page 47 of 60 – Aug-14 IP spoofed UDP SIP request From field has bogus characters 192.168.1.146 Melbourne 192.168.1.202 Brisbane UDP Trust Universal Trust Tatooine Crash! Adore iPhone App Send INVITE/MESSAGE requests with • IP spoofing (source is Brisbane), • from field contains exploit, the client will be your stormtrooper.
  • 48. Attacking clients using VoIP Video demo for SIP based client attacks www.senseofsecurity.com.au © Sense of Security 2014 Page 48 of 58 – Aug-14 • Manipulating instant messaging between clients • Initiate a call using fake Caller ID • Send a fake message from the Operator • Send bogus message to crash • Send too many calls and create a crash !
  • 49. Attacking Skinny services • Cisco Skinny (SCCP) • Binary, not plain text • Different versions • No authentication • MAC address is identity • Auto registration ! • Basic attacks • Register as a phone • Disconnect other phones • Call forwarding • Unauthorised calls Source: Cisco www.senseofsecurity.com.au © Sense of Security 2014 Page 49 of 60 – Aug-14
  • 50. Other Skinny researches • Skinny vulnerabilities published http://tools.cisco.com/security/center/content/ CiscoSecurityAdvisory/cisco-sa-20120229-cucm by Felix Lindner http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa- 20100303-cucm.html by Sipera VIPER Lab • IxVoice SCCP (Skinny) Test Library • VIPER UCSniff supports Skinny • VIPER LAVA has Skinny support(?) ! VoIP Security not found. Did you mean Jason Ostrom? He is not only passionate about VoIP… www.senseofsecurity.com.au © Sense of Security 2014 Page 50 of 60 – Aug-14
  • 51. Attacking Skinny services www.senseofsecurity.com.au © Sense of Security 2014 Page 51 of 60 – Aug-14
  • 52. Attacking Skinny services Viproy has a Skinny library for easier development and sample attack modules • Skinny auto registration • Skinny register • Skinny call • Skinny call forwarding www.senseofsecurity.com.au © Sense of Security 2014 Page 52 of 60 – Aug-14
  • 53. Attacking Skinny services Everybody can develop a Skinny module now, even Ewoks! ! Register Unauthorised Call www.senseofsecurity.com.au © Sense of Security 2014 Page 53 of 60 – Aug-14
  • 54. Preparing a proper client for Skinny • Install Cisco IP Communicator • Change the MAC address of Windows • Register the software with this MAC www.senseofsecurity.com.au © Sense of Security 2014 Page 54 of 60 – Aug-14
  • 55. Demonstration of Skinny attacks www.senseofsecurity.com.au © Sense of Security 2014 Page 55 of 60 – Aug-14
  • 56. Summary www.senseofsecurity.com.au © Sense of Security 2014 Page of 60 – Aug-14 56 Hosted VoIP 101 Network Attacks Attacking CUCDM Attacking CUCM Attacking SIP Attacking Clients Attacking Skinny
  • 57. Solutions • Install the Cisco security patches • From CVE-2014-3277 to CVE-2014-3283, CVE-2014-2197, CVE-2014-3300 • CSCum75078, CSCun17309, CSCum77041, CSCuo51517, CSCum76930, CSCun49862 • Secure network design • IP phone services MUST be DEDICATED, not SHARED • Secure deployment with PKI • Authentication with X.509, software signatures • Secure SSL configuration • Secure protocols • Skinny authentication, SIP authentication • HTTP instead of TFTP, SSH instead of Telnet www.senseofsecurity.com.au © Sense of Security 2014 Page 57 of 60 – Aug-14
  • 58. References • Viproy Homepage and Documentation http://www.viproy.com ! • Attacking SIP servers using Viproy VoIP Kit https://www.youtube.com/watch?v=AbXh_L0-Y5A ! • VoIP Pen-Test Environment – VulnVoIP http://www.rebootuser.com/?cat=371 ! • Credits and thanks go to… Sense of Security Team, Jason Ostrom, Mark Collier, Paul Henry, Sandro Gauci www.senseofsecurity.com.au © Sense of Security 2014 Page 58 of 60 – Aug-14
  • 59. Questions ? www.senseofsecurity.com.au © Sense of Security 2014 Page 59 of 60 – Aug-14
  • 60. Thank you Recognised as Australia’s fastest growing information security and risk management consulting firm through the Deloitte Technology Fast 50 & BRW Fast 100 programs Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text or images can be reproduced without written permission. T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au www.senseofsecurity.com.au © Sense of Security 2014 Page of 60 60 – Aug-14