
Positive Hack Days. Gritsai. VOIP insecurities workshop


Participants will gain an understanding of the fundamentals of IP telephony, together with basic skills in finding vulnerabilities, using common IP PBXs and subscriber devices as examples. Both typical network vulnerabilities and the more complex cases discovered during security assessments of real networks are covered.

Published in: Technology


  1. VOIP insecurities workshop
     “I just called to say I pwn you
     I just called to say how much I care
     I just called to say I own you
     And I mean it from the bottom of my heart”
     Stevie Wonder
  2. Agenda
     VOIP
     PSTN & VOIP
     PSTN vs. VOIP
     VOIP protocols
     VOIP security
     Attacking VOIP
     Enumerating VOIP devices
     RTP attacks + demonstration
     SIP attacks + practice
     Further readings
  3. PSTN / Public Switched Telephone Network
  4. VOIP / Voice over Internet Protocol
  5. PSTN vs. VOIP
     Network: PSTN – closed network; VOIP – public network (Internet)
     End-user devices: PSTN – simple devices; VOIP – complex devices
     Authentication: PSTN – no mobility (authentication by wire); VOIP – mobility
  6. VOIP protocols
     Signaling protocols
     Media protocols
     Call control and media stream use different routes
  7. VOIP protocols: Signaling (short overview)
     SIP – Session Initiation Protocol
     SDP – Session Description Protocol
     H.323
     MGCP – Media Gateway Control Protocol
     SCCP – Skinny Client Control Protocol
     RTCP – Real-time Transport Control Protocol
  8. VOIP protocols: Media and Hybrid (short overview)
     Media: RTP/SRTP
     Hybrid (signaling + media): IAX/IAX2
  9. VOIP insecurities
     Confidentiality: eavesdropping, recording, …
     Availability: DoS, buffer overflows, …
     Authentication: registration hijacking, Caller ID spoofing, …
     Fraud: toll fraud, data masquerading, …
     SPIT (SPAM over IP Telephony): voice phishing, unsolicited calling, …
  10. VOIP insecurities: topics for today
     Enumeration of VOIP devices: search engines, port scanning
     RTP: eavesdropping/recording calls, inserting data into the media stream, DoS
     SIP: searching extensions, caller name spoofing, DoS
  11. Enumerating VOIP devices: Google hacking
     Google hacking
     GHDB
     User manual -> request Google
     inurl:
     intitle:
     site:<Customer> !
     Examples:
     Asterisk Management Portal: web-access
     Cisco Phones: inurl:"NetworkConfiguration" cisco
     Cisco CallManager: inurl:"ccmuser/logon.asp"
     D-Link Phones: intitle:"D-Link DPH" "web login setting"
     Grandstream Phones: intitle:"Grandstream Device Configuration" password
     Linksys (Sipura) Phones: intitle:"SPA Configuration"
     Polycom SoundPoint Phones: intitle:"SoundPoint IP Configuration"
  12. Enumerating VOIP devices: Shodan [1/2]
     Search for domain names, IPs, ports
  13. Enumerating VOIP devices: Shodan [2/2]
     Banner grabbing
     Passwordless Snom phones
  14. Enumerating VOIP devices: nmap
     VOIP scanners: smap, svmap (sipvicious)
     Fyodor’s nmap: -sU; UDP scanning – common problems
  15. Enumerating VOIP devices: common ports
     VOIP protocols: 5060-5070, 1718-1720, 2517, …
     RTP ports are allocated dynamically
     Management protocols: TCP 21-23, 80, 443, 8088, …; UDP 161, 162, 69, …
     IANA (Internet Assigned Numbers Authority): grep <vendor>
  16. RTP
     Real-time Transport Protocol
     RFC 1889 (1996) -> RFC 3550 (2003)
     Media over IP/UDP
     Packet reordering
     Used with signaling protocols (SIP, H.323, MGCP)
     RTCP (Real-time Transport Control Protocol)
     RTCP port = RTP port + 1
  17. RTP attacks
     Call interception: attacking layers 2, 3; decoding intercepted data
     Injection into call: finding the RTP port; injecting a media stream
     Denial of Service: RTP flood
  18. RTP attacks: call interception
     ARP spoofing: Cain & Abel, ettercap, arpspoof (dsniff)
     Wireshark: Telephony -> VOIP calls
     Demo
  19. RTP attacks: injection – synchronization in RTP
     sequence number – position in the media stream, += 1
     timestamp – sampling, += 1
     SSRC – identifies the source, constant (random 32-bit value)
     payload type – codec in use
  20. RTP attacks: injection
     Unencrypted: deployment issues (debug), QoS issues, key distribution
     UDP – connectionless
     Data requirements: SSRC; timestamp, sequence number – monotonically increasing; timestamp, sequence number – fuzzing
  21. RTP attacks: injection
     Finding the RTP port: intercept SDP; port scan
     Media injection – requirements: frequency, codec
     Demo: SDP || nmap; rtpinsertsound; not working 100%?
  22. RTP attacks: Denial of Service
     Flood: low bandwidth requirements; media stream = high load
     Authentication – SIP
     and again … UDP – connectionless
     Demo: rtpflood
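Slides 19 to 22 list what a receiver relies on to keep a stream in sync (SSRC, sequence number, timestamp, payload type) and why a forged packet gets accepted: UDP has no connection and plain RTP has no authentication. The Python script below is an added example, not part of the workshop material or of any of the tools it names; it parses the fixed RTP header and watches the one stream a call leg expects for the traces injection and flooding leave behind: a foreign SSRC, a sequence number or timestamp moving backwards, a changed payload type, or a packet rate above what the codec produces. The SSRC values, the G.711 framing (payload type 0, 160 samples per 20 ms packet, 50 packets per second) and the arrival times are constructed for the demo.

```python
import struct
from typing import Dict, List, Optional

RTP_VERSION = 2


def build_rtp(seq: int, ts: int, ssrc: int, pt: int = 0, payload: bytes = b"\xff" * 160) -> bytes:
    """Minimal RTP packet (V=2, no padding/extension/CSRC); only used to construct sample traffic."""
    return struct.pack("!BBHII", RTP_VERSION << 6, pt & 0x7F,
                       seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def parse_rtp_header(packet: bytes) -> Dict[str, int]:
    """Fixed 12-byte RTP header, RFC 3550 section 5.1."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != RTP_VERSION:
        raise ValueError(f"unexpected RTP version {b0 >> 6}")
    return {"payload_type": b1 & 0x7F, "seq": seq, "timestamp": ts, "ssrc": ssrc}


class RtpStreamMonitor:
    """Watches the single stream a call leg expects (one SSRC, one codec, a fixed
    timestamp step per packet) and names what an injected or flooded packet breaks."""

    def __init__(self, ssrc: int, payload_type: int, ts_step: int, max_pps: int, window_s: float = 1.0):
        self.ssrc, self.payload_type, self.ts_step = ssrc, payload_type, ts_step
        self.max_pps, self.window_s = max_pps, window_s
        self.last_seq: Optional[int] = None
        self.last_ts: Optional[int] = None
        self.arrivals: List[float] = []                       # arrival times inside the window

    def observe(self, packet: bytes, t: float) -> List[str]:
        """Return the anomalies this packet shows (empty list for a legitimate packet)."""
        hdr = parse_rtp_header(packet)
        findings: List[str] = []

        # Rate check counts everything hitting the media port: a flood does not need our SSRC.
        self.arrivals = [a for a in self.arrivals if t - a <= self.window_s] + [t]
        if len(self.arrivals) > self.max_pps * self.window_s:
            findings.append("flood: packet rate above codec rate")

        if hdr["ssrc"] != self.ssrc:
            # A receiver that accepts a second SSRC mixes a stranger's audio into the call.
            findings.append(f"foreign SSRC 0x{hdr['ssrc']:08x}")
            return findings                                    # must not move the stream state
        if hdr["payload_type"] != self.payload_type:
            findings.append(f"payload type changed to {hdr['payload_type']}")

        advance = True
        if self.last_seq is not None:
            seq_delta = (hdr["seq"] - self.last_seq) & 0xFFFF          # wrap-safe 16-bit difference
            ts_delta = (hdr["timestamp"] - self.last_ts) & 0xFFFFFFFF  # wrap-safe 32-bit difference
            if seq_delta == 0:
                findings.append("duplicate sequence number")
            elif seq_delta >= 0x8000:
                findings.append("sequence number went backwards")
            elif seq_delta > 1:
                findings.append(f"sequence gap of {seq_delta - 1} packets")
            if ts_delta >= 0x80000000:
                findings.append("timestamp went backwards")
            elif ts_delta != self.ts_step * seq_delta:
                findings.append("timestamp step does not match sequence advance")
            advance = 0 < seq_delta < 0x8000                   # only a forward packet moves the state
        if advance:
            self.last_seq, self.last_ts = hdr["seq"], hdr["timestamp"]
        return findings


def demo() -> Dict[int, List[str]]:
    """Constructed sample: a G.711 stream (PT 0, 160 samples per 20 ms packet, 50 pps)
    with a foreign packet, a replayed packet and a burst. Returns anomalies by packet index."""
    good, evil = 0x11223344, 0xDEADBEEF                       # constructed SSRC values
    mon = RtpStreamMonitor(ssrc=good, payload_type=0, ts_step=160, max_pps=50)
    packets = [(build_rtp(1000 + i, 160 * i, good), 0.020 * i) for i in range(5)]  # 0-4: legitimate
    packets.append((build_rtp(7, 99, evil), 0.081))                # 5: injected, stranger's SSRC
    packets.append((build_rtp(1002, 160 * 2, good), 0.082))        # 6: injected, replays our SSRC/seq/ts
    packets.append((build_rtp(1005, 160 * 5, good), 0.100))        # 7: the real stream continues
    packets += [(build_rtp(1006 + i, 160 * (6 + i), good), 0.101 + 0.001 * i)
                for i in range(60)]                                # 8-67: 60 packets in 60 ms (flood)
    report: Dict[int, List[str]] = {}
    for idx, (pkt, t) in enumerate(packets):
        findings = mon.observe(pkt, t)
        if findings:
            report[idx] = findings
    return report


if __name__ == "__main__":
    for idx, findings in demo().items():
        print(idx, findings)
```

The monitor only refuses to move its state on a foreign or backwards packet; it does not drop anything, because on a real endpoint the decision belongs to the jitter buffer. SRTP (slide 8) removes the whole class of problems by authenticating each packet, which is the mitigation the slide 20 list of "unencrypted" reasons is really about.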
  23. SIP
     Session Initiation Protocol
     Application layer (TCP/UDP)
     ASCII header
     SIP header ~= e-mail header
     URI
  24. SIP components
     UA (User Agent), Proxy, Registrar, Redirect
     Call via Proxy; call via Redirect
  25. SIP attacks
     Using somebody’s PBX: extension enumeration; brute-forcing the extension password
     Caller name spoofing
     Registration hijacking
     Denial of Service: busy lines
  26. SIP requests
     INVITE – indicates that a client is being invited to participate in a call session
     BYE – terminates a call; can be sent by either the caller or the callee
     OPTIONS – queries the capabilities of servers
     REGISTER – registers the address listed in the To header field with a SIP server
     ACK – confirms that the client has received a final response to an INVITE request
     CANCEL – cancels any pending request
     more …
  27. SIP answers
     1xx Informational (100 Trying, 180 Ringing)
     2xx Successful (200 OK, 202 Accepted)
     3xx Redirection (302 Moved Temporarily)
     4xx Request Failure (404 Not Found, 482 Loop Detected)
     5xx Server Failure (501 Not Implemented)
     6xx Global Failure (603 Decline)
  28. Basic SIP call
  29. SIP attacks: using somebody’s PBX
     PBX: extension enumeration; brute-forcing passwords; making a call
     Practice with Sipvicious:
     svmap <ip>
     svwar -e <extensions> <ip> -m <REQUEST>
     svcrack -u <extension> -d <dictionary> <ip>
     Setting up a softphone
  30. SIP attacks: caller name spoofing
     Caller name spoofing: softphone
     Practicing with X-Lite: softphone – caller name spoofing
     Display name: ' 1=1 --
     Domain: IP of the UA
     Register: disable
  31. SIP attacks: registration hijacking
     Registration hijacking: INVITE to the PBX; search for the user in the Registrar; the registration is in the Contact header: IP address
     Practicing with X-Lite: Register settings; rate
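Slide 29 (extension enumeration with svwar, where the 404 versus 401 answer tells the scanner which extensions exist) and slide 31 (registration hijacking, where the Contact header of an accepted REGISTER decides where calls are delivered) both leave a pattern in what the registrar sees. The Python script below is an added example, written for this page and not taken from the workshop or from Sipvicious; it parses SIP start lines and headers, counts distinct extensions probed per source address, and flags an accepted REGISTER that moves an existing binding to a different Contact host. The domain pbx.example, the extensions and the addresses (documentation ranges) are constructed for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set


def parse_sip(msg: str) -> dict:
    """Split a SIP request or response into its start line and a lower-cased header map
    (RFC 3261 text format; the body, if any, is ignored here)."""
    lines = msg.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$", lines[0])
    if m:
        return {"kind": "request", "method": m.group(1), "uri": m.group(2), "headers": headers}
    m = re.match(r"^SIP/2\.0\s+(\d{3})\s+(.*)$", lines[0])
    if m:
        return {"kind": "response", "status": int(m.group(1)), "reason": m.group(2), "headers": headers}
    raise ValueError(f"not a SIP start line: {lines[0]!r}")


def uri_user(value: str) -> str:
    """User part of a To/From/Contact value such as '"Bob" <sip:101@pbx.example>'."""
    m = re.search(r"sips?:([^@>;\s]+)@", value)
    return m.group(1) if m else ""


def uri_host(value: str) -> str:
    """Host part (without port) of the same kind of value."""
    m = re.search(r"sips?:[^@>;\s]*@([^:>;\s]+)", value)
    return m.group(1) if m else ""


class RegistrarMonitor:
    """Registrar-side detector for two of the SIP attacks on the slides:
    extension enumeration (one source probing many distinct extensions) and
    registration hijacking (an accepted REGISTER moving an existing binding)."""

    def __init__(self, enum_threshold: int = 5):
        self.enum_threshold = enum_threshold
        self.probed: Dict[str, Set[str]] = defaultdict(set)   # source ip -> extensions it targeted
        self.bindings: Dict[str, str] = {}                    # extension -> Contact host

    def observe(self, src_ip: str, request: str, status: int) -> List[str]:
        """Feed one request together with the status code the registrar answered."""
        alerts: List[str] = []
        req = parse_sip(request)
        if req["kind"] != "request":
            return alerts
        h = req["headers"]
        target = uri_user(h.get("to", ""))

        # Any method serves enumeration (svwar's -m picks it), so count them all; the alert
        # fires once, when the source crosses the threshold.
        if target:
            self.probed[src_ip].add(target)
            if len(self.probed[src_ip]) == self.enum_threshold:
                alerts.append(f"extension enumeration from {src_ip}: "
                              f"{self.enum_threshold} distinct extensions probed")

        # Only an accepted REGISTER changes where calls for the extension go.
        if req["method"] == "REGISTER" and status == 200:
            host = uri_host(h.get("contact", ""))
            old = self.bindings.get(target)
            if old is not None and old != host:
                alerts.append(f"binding for {target} moved from {old} to {host} "
                              f"(REGISTER from {src_ip})")
            self.bindings[target] = host
        return alerts


def make_register(ext: str, contact_host: str, src_ip: str) -> str:
    """Constructed REGISTER request (minimal header set) for the demo below."""
    return (f"REGISTER sip:pbx.example SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK-{ext}\r\n"
            f"From: <sip:{ext}@pbx.example>;tag=1\r\n"
            f"To: <sip:{ext}@pbx.example>\r\n"
            f"Contact: <sip:{ext}@{contact_host}:5060>\r\n"
            f"Call-ID: {ext}-{src_ip}@demo\r\n"
            f"CSeq: 1 REGISTER\r\n"
            f"Content-Length: 0\r\n\r\n")


def demo() -> List[str]:
    """Constructed traffic: a scanner at 203.0.113.5 sweeps extensions 100-105, the real phone
    at 192.0.2.10 registers 101, then the scanner registers 101 after cracking its password."""
    mon = RegistrarMonitor(enum_threshold=5)
    scanner, phone = "203.0.113.5", "192.0.2.10"
    alerts: List[str] = []
    for ext in ("100", "101", "102", "103", "104", "105"):
        status = 401 if ext == "101" else 404                # 401 = exists, 404 = no such extension
        alerts += mon.observe(scanner, make_register(ext, scanner, scanner), status)
    alerts += mon.observe(phone, make_register("101", phone, phone), 200)
    alerts += mon.observe(scanner, make_register("101", scanner, scanner), 200)
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A moved binding is not proof on its own, since mobility is the whole point of VOIP (slide 5); the alert is a review item to be correlated with the source address and with whether the old Contact still answers. The enumeration count is what the 404/401 difference makes possible in the first place, so a registrar that answers 401 for unknown and known users alike takes away the signal the scanner needs and leaves the detector only the request volume to work with.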
  32. SIP attacks: Denial of Service
     No auth: -> INVITE; <- Trying … <- Busy Here
     HTTP digest: -> INVITE; generation/storing of the nonce
     Practice: inviteflood
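Slide 32 points at the cost of HTTP digest on the server side: every unauthenticated INVITE makes the registrar generate a nonce and remember it until the client answers, so a flood of INVITEs fills that table. The Python script below is an added example, not part of the workshop; it shows the digest computation SIP uses (RFC 3261 section 22, the RFC 2617 form without qop) together with a stateless nonce, an issue time plus an HMAC over that time and the client address, which the server can verify without storing anything. The realm pbx.example, the credentials, the addresses and the timestamps are constructed for the demo; the per-process secret stands in for one a real server would keep and rotate.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

# Per-process secret; a real registrar keeps one across restarts and rotates it.
NONCE_SECRET = os.urandom(32)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(client_ip: str, now: Optional[int] = None, secret: bytes = NONCE_SECRET) -> str:
    """Stateless nonce: issue time plus an HMAC over (time, client address).
    The server stores nothing, so an INVITE flood cannot fill a nonce table."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(secret, f"{ts}:{client_ip}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts:x}.{mac}"


def check_nonce(nonce: str, client_ip: str, max_age: int = 60,
                now: Optional[int] = None, secret: bytes = NONCE_SECRET) -> bool:
    """Accept only a nonce this server issued, to this address, within max_age seconds."""
    try:
        ts_hex, _ = nonce.split(".", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= max_age:
        return False
    return hmac.compare_digest(nonce, make_nonce(client_ip, ts, secret))


def digest_response(user: str, realm: str, password: str, method: str, uri: str, nonce: str) -> str:
    """Digest as used by SIP without qop:
    response = MD5(MD5(user:realm:password):nonce:MD5(method:uri))."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_invite(client_ip: str, user: str, realm: str, stored_password: str, uri: str,
                  nonce: str, response: str, now: Optional[int] = None) -> bool:
    """Server-side check of an authenticated INVITE: the nonce first (cheap, no state),
    then the credential digest, both in constant time."""
    if not check_nonce(nonce, client_ip, now=now):
        return False
    expected = digest_response(user, realm, stored_password, "INVITE", uri, nonce)
    return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """Constructed exchange: a phone at 192.0.2.10 sends INVITE, gets a 407 challenge carrying
    a nonce, answers with the digest; then four things the server must reject."""
    realm, user, password, uri = "pbx.example", "101", "correct horse", "sip:102@pbx.example"
    phone, other = "192.0.2.10", "203.0.113.5"
    t0 = 1_700_000_000
    nonce = make_nonce(phone, now=t0)                                   # sent in the 407
    good = digest_response(user, realm, password, "INVITE", uri, nonce)  # phone's answer
    bad = digest_response(user, realm, "guess", "INVITE", uri, nonce)    # wrong password
    tampered = nonce[:-1] + ("0" if nonce[-1] != "0" else "1")
    return {
        "valid": verify_invite(phone, user, realm, password, uri, nonce, good, now=t0 + 2),
        "expired": verify_invite(phone, user, realm, password, uri, nonce, good, now=t0 + 600),
        "other_address": verify_invite(other, user, realm, password, uri, nonce, good, now=t0 + 2),
        "wrong_password": verify_invite(phone, user, realm, password, uri, nonce, bad, now=t0 + 2),
        "tampered_nonce": verify_invite(phone, user, realm, password, uri, tampered, good, now=t0 + 2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The trade is explicit: without stored nonces the server cannot enforce one-time use, so a captured response can be replayed from the same address until max_age runs out. Keep the lifetime short and rate-limit challenges per source address, which also caps the work an inviteflood run can force. MD5 is what RFC 3261 specifies; RFC 8760 adds SHA-256 with the same structure.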
  33. Further reading
     Set up a lab
     Read and practice: Hacking Exposed VoIP — Voice Over IP Security Secrets & Solutions
     Advanced attacks: “Having fun with RTP” by kapejod; “SIP home gateways under fire”
     Fuzzing
  34. QA
  35.