Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

VoIP Wars: The Phreakers Awaken

15,851 views

Published on

Black Hat USA 2016 - Presentation Video
https://www.youtube.com/watch?v=rl_kp5UZKlw

Larger organisations are using VoIP within their commercial services and corporate communications and the take up of cloud based Unified Communications (UC) solutions is rising every day. However, response teams and security testers have limited knowledge of VoIP attack surfaces and threats in the wild. Due to this lack of understanding of modern UC security requirements, numerous service providers, larger organisations and subscribers are leaving themselves susceptible to attack. Current threat actors are repurposing this exposed infrastructure for botnets, toll fraud etc.

The talk aims to arm response and security testing teams with knowledge of cutting-edge attacks, tools and vulnerabilities for VoIP networks. Some of the headlines are: attacking cloud based VoIP solutions to jailbreak tenant environments; discovering critical security vulnerabilities with the VoIP products of major vendors; exploiting harder to fix VoIP protocol and service vulnerabilities; testing the security of IP Multimedia Subsystem (IMS) services; and understanding the toolset developed by the author to discover previously unknown vulnerabilities and to develop custom attacks. In addition, the business impact of these attacks will be explained for various implementations, such as cloud UC services, commercial services, service provider networks and corporate communication. Through the demonstrations, the audience will understand how can they secure and test their communication infrastructure and services. The talk will also be accompanied by the newer versions of Viproy and Viproxy developed by the author to operate the attack demonstrations.

Published in: Technology
  • Be the first to comment

VoIP Wars: The Phreakers Awaken

  1. 1. VOIP WARS: THE PHREAKERS AWAKEN Fatih Ozavci – @fozavci Managing Consultant – Context Information Security
  2. 2. 2 Fatih Ozavci, Managing Consultant VoIP & phreaking Mobile applications and devices Network infrastructure CPE, hardware and IoT hacking Author of Viproy and VoIP Wars Public speaker and trainer  Blackhat, Defcon, HITB, AusCert, Troopers
  3. 3. 3 Fundamentals Design Vulnerabilities Practical UC Attacks UC and IMS fundamentals Security issues and vulnerabilities Practical attacks Securing communication services
  4. 4. 4 Audio Call TDM Alice Bob
  5. 5. 5 Alice Signalling Media RTP Proxy SIP Server Bob
  6. 6. 6 Alice Signalling Media RTP Proxy SIP Server Bob
  7. 7. 7 Alice Signalling Media RTP Proxy SIP Server Bob
  8. 8. 8 1- REGISTER 1- 200 OK 2- INVITE SDP/XML 2- 100 Trying 3- INVITE SDP/XML 3- 200 OK SDP/XML 4- ACK RTP RTP 4- 200 OK SDP/XML SIP Server Phone A Phone BRTP Proxy RTP Proxy RTP SIP Headers • Caller ID • Billing SIP Content • SDP • Enc. Keys RTP Content • Audio/Video • File sharing • RDP
  9. 9. 9
  10. 10. 10
  11. 11. 11 VoIP Server Windows Server Office Server Active Directory Virtual Machines 1 2 ABC 3 DEF 4 5 JKL 6 MNOGHI 7 8 TUV 9 WXYZPQRS * 0 OPER # ? + - CISCO IP PHONE 7970 SERIES
  12. 12. 12 SIP & Media Server Database Server Tenant Services Management Applications Client Applications PBX Shared Services 1 2 ABC 3 DEF 4 5 JKL 6 MNOGHI 7 8 TUV 9 WXYZPQRS * 0 OPER # ? + - CISCO IP PHONE 7970 SERIES
  13. 13. 13 Edge Server sky.com Edge Server kenobi.com DNS Server DNS / SRV DNS / SRV SIP / RTP Kenobi Corp Phone X x@kenobi.com VoIP Server Windows Server Office Server Active Directory Virtual Machines Phone A a@sky.com Skywalker Corp Phone B b@sky.com Phone C c@sky.com
  14. 14. 14 Call Session Control Function (P-CSCF, S-CSCF, I-CSCF) VoLTE/LTE Infrastructure Mobile Subscribers UC/VoIP Subscribers Session Border Controller (SBC) Session Border Controller (SBC) ACCESS NETWORK ACCESS NETWORKCORE NETWORK Application Server (AS) Home Subscriber Server (HSS) Media Resource Function MRFC / MRFP
  15. 15. 15 Inter-vendor security issues INSUFFICIENT client management Missing client monitoring Missing software updates NO SIP/SDP or message filtering Centralised attack deployment Internal trust relationships Meeting and conferencing options Flexible collaboration options
  16. 16. 16 Content transferred to clients SIP/SDP content (e.g. format, codecs) Rich messaging (e.g. rtf, html, audio) Unified messaging Injecting files, XSS, phishing, RCE File transfers, embedded content Communication subsystem Call or SIP headers Rarely secured protocols (e.g. MSRP)
  17. 17. 17 Engage through a first contact point UC messaging, conference invitation, courtesy phones Combine old and new techniques Use UC for malicious activities (e.g. MS-RTASPF)
  18. 18. 18 Red Teaming Exercises Courtesy phones, conference rooms, media gateways Human Factor Testing Vishing, smishing, instant messaging, UC exploits Infrastructure Analysis Toll fraud, caller ID spoofing, TDoS/DDoS Application Security Assessments Management portals, self-care portals WebRTC, VoIP/UC apps, IVR software
  19. 19. 19 Service requirements Cloud, subscriber services, IMS Billing, recordings, CDR, encryption Trusted servers and gateways SIP proxies, federations, SBCs SIP headers used (e.g. ID, billing) Tele/Video conference settings Analyse the encryption design SIP/(M)TLS, SRTP (SDES, ZRTP, MIKEY)
  20. 20. 20 SIP header analysis  Caller ID spoofing, billing bypass Communication types allowed  File transfer, RDP, MSRP, teleconference Message content-types allowed  XSS, corrupted RTF, HTML5, images Conference and collaboration Fuzzing clients and servers  SIP headers, SDP content, file types  Combine with known attacks
  21. 21. 21 Attacks with NO user interaction Calls with caller ID spoofing Fake IVR, social engineering Messages with caller ID spoofing Smishing (e.g. fake software update) Injected XSS, file-type exploits Bogus content-types or messages Meetings, multi-callee events Attacking infrastructure Raspberry PI with PoE, Eavesdropping
  22. 22. 22 Unified Communication Solutions  Cisco Hosted Collaboration Suite  Microsoft Skype for Business (a.k.a Lync)  Free software (e.g. Kamalio, OpenIMS)  Other vendors (Avaya, Alcatel, Huawei) Attacking through  Signalling services  Messaging, voicemail and conference system  Cloud management and billing  Authorisation scheme  Client services (self-care, IP phone services)
  23. 23. 23 Vulnerable CPE Credential extraction Attacking through embedded devices Insecurely located distributors Hardware hacking, eavesdropping SIP header and manipulation for Toll Fraud Attacking legacy systems (e.g. Nortel?) Voicemail hijacking
  24. 24. 24 Analysing encryption design Implementation (e.g. SRTP, SIP/TLS) Inter-vendor SRTP key exchange Privacy and PCI compliance Network segregation IVR recordings (e.g. RTP events) Eavesdropping Call recordings security
  25. 25. 25 Inter-vendor services design Network and service segregation *CSCF locations, SBC services used VoLTE design, application services SIP headers are very sensitive Internal trust relationships Filtered/Ignored SIP headers Caller ID spoofing, Billing bypass Encryption design (SIP, SRTP, MSRP)
  26. 26. 26 Viproy VoIP Penetration Testing Kit (v4) VoIP modules for Metasploit Framework SIP, Skinny and MSRP services SIP authentication, fuzzing, business logic tests Cisco CUCDM exploits, trust analyser... Viproxy MITM Security Analyser (v3) A standalone Metasploit Framework module Supports TCP/TLS interception with custom TLS certs Provides a command console to analyse custom protocols
  27. 27. 27 Cloud communications SIP header tests, caller ID spoofing, Billing bypass, hijacking IP phones Signalling services Attacking tools for SIP and Skinny Advanced SIP attacks  Proxy bounce, SIP trust hacking  Custom headers, custom message-types UC tests w/ Viproxy + Real Client
  28. 28. 28 SIGNALLING / MESSAGING • SDP / XML • SIP Headers • XMPP • MSRP CONTENT • Message types (HTML, RTF, Docs) • File types (Docs, Codecs) • Caller ID Spoofing • DoS / TDoS / Robocalls, Smishing FORWARDED REQUESTS • Call Settings • Message Content NO USER INTERACTION • Call request parsing • Message content parsing • 3rd party libraries reachable
  29. 29. 29
  30. 30. 31 Unified Messaging Message types (e.g. rtf, html, images) Message content (e.g. JavaScript) File transfers and sharing features Code or script execution (e.g. SFB) Encoding (e.g. Base64, Charset) Various protocols MSRP, XMPP, SIP/MESSAGE Combining other attacks
  31. 31. 32 MANIPULATE SIP CONTENT INJECT MALICIOUS SUBJECTS SEND PHISHING MESSAGES Skype for Business Attacker’s Client Viproxy Interactive Console HACME 1 HACME 2 HACME 3 Attacker’s Client TLS / Proxy Certificate Compression Console Enabling Features Content Injection Security Bypass
  32. 32. 34 UC content forwarded to UC clients (NO interaction) SIP INVITE headers Message content SIP/SDP content Office 365 Federations *MS15-123 Skype for Business Attacker’s Client Viproxy Skype for Business Server Changed Request Forwarded Request Call Request
  33. 33. 35 URL filter bypass via JavaScript <script>var u1="ht"; u2="tp"; u3="://";o="w"; k="."; i=""; u4=i.concat(o,o,o,k); window.location=u1+u2+u3+u4+"viproy.com"</script> Script execution via SIP messages <script>window.location="viproy.com"</script> Script execution via SIP headers Ms-IM-Format: text/html; charset=UTF-8; ms- body=PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cudmlwc m95LmNvbSI8L3NjcmlwdD4=
  34. 34. 36 Attacking through a PBX or proxy Sending a meeting request Using a CUSTOM SIP header Waiting for the shells Viproy Skype for Business Server SIP PBX Server Forwarded Meeting Request Meeting Request (Attack in SIP headers) PRIVATE NETWORK Forwarded Requests
  35. 35. 38 Secure design Enforce security via SBCs Messaging, SIP headers, meetings… Enforce authentication Secure inter-vendor configuration Protect the legacy systems Protect the clients
  36. 36. 39 Securing Unified Communications (UC) is NOT just securing VoIP. Brace yourselves, VoIP/UC are attacks are coming. #TaylorYourCommunicationSecurity !
  37. 37. 40 Viproy VoIP Penetration Testing Kit http://www.viproy.com Context Information Security http://www.contextis.com
  38. 38. QUESTIONS?
  39. 39. THANKS!

×