SlideShare a Scribd company logo

Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo server. Sandro Gauci

Alan Quayle
Alan Quayle

SIPVicious PRO is a new offensive security toolset for real-time communications (RTC) that aims to be the most powerful toolset. It covers SIP, RTP, STUN/TURN, and other protocols. The demo server provides a playground for testing SIPVicious PRO's attacks and is vulnerable to everything it can test. Future plans include expanding protocol coverage and potentially open sourcing the demo server.

Technology
1 of 26
Download to read offline
TOOLS FOR OFFENSIVE RTC SECURITY Introducing SIPVicious PRO and the demo server Sandro Gauci, 2021-04-30
INTRODUCTION
WHO AM I? Developed SIPVicious OSS Leading Enable Security: Offensive RTC security Security research / penetration testing Consultancy and training We develop SIPVicious PRO
CONTRIBUTE TO OPEN SOURCE RTC SECURITY? Yes we do! Security research and advisories Open-source tools, especially SIPVicious OSS (being updated) Our blog - Communication Breakdown at OpenSIPIt’01 https://rtcsec.com https://opensipit.org/
PREVIOUSLY AT A DIFFERENT TAD SUMMIT Why I think defensive security on its own is not enough The value of an offensive approach towards RTC security Why I think that RTC security lacks this approach: lack of training opportunities lack of robust testing tools
AGENDA: WHAT THIS ONE IS ABOUT A brief look at the RTC offensive security landscape SIPVicious OSS SIPVicious PRO The demo server as your playground Demos and walk-throughs Future plans
OFFENSIVE RTC SECURITY TOOLS LANDSCAPE
THE AWESOME RTC HACKING LIST https://github.com/EnableSecurity/awesome-rtc- hacking
A LITTLE ABOUT SIPVICIOUS OSS open-source, published back in 2007 python-based 3 main tools: svmap which is a scanner for SIP svwar which enumerates extensions on SIP devices svcrack that tries to guess passwords for SIP extensions
SIPVICIOUS OSS DEMO!
FAST FORWARD TO THE FUTURE (2021) the future is here
Credit: https://unsplash.com/@agk42
SIPVICIOUS PRO: AN INTRODUCTION shares the same name as SVOSS complete new code covers the entire RTC space not just SIP aims to be the most powerful offensive RTC security toolset
SIPVICIOUS PRO DEMO!
SIPVICIOUS PRO: FEATURE-SET Various new attacks supported e.g.: SIP ood RTP ood Digest leak RTP Bleed RTP inject Fuzzing Support for SIP over different transport protocols TCP, UDP, TLS and WebSockets
SIPVICIOUS PRO: FEATURE-SET Integration within QA , including CI/CD pipelines SIP messages may be easily modi ed using a exible Support for RTP attacks Insane speed, especially useful for ood attacks with rate limiting capabilities Compliance to RFCs automation systems templating system
TRAINING OPPORTUNITIES WITH THE DEMO SERVER
WHY? needed a place to show SIPVicious PRO reliable/deterministic response to attacks
WHAT IS IT?
diagram
VULNERABLE TO … EVERYTHING THAT CAN BE TESTED WITH SIPVICIOUS PRO (and more) SIP Digest Leak SIP extension enumeration SIP password cracking RTP Bleed RTP Inject RTP Flood TURN proxy abuse
TALK TO ME ABOUT PROTOCOLS SIP on TCP/TLS/UDP/WebSocket RTP/SRTP SDES and DTLS TURN server WebRTC interface
DEMO SERVER .. DEMO TIME! https://demo.sipvicious.pro/call/
FUTURE PLANS SIPVicious PRO covering RTC in general, e.g. adding coverage of: XMPP STUN/TURN Custom signalling protocols Keep supporting SIPVicious OSS Demo server should be open-sourced (put some pressure on us)
THANKS! Alfred Farrugia for developing most of SIPVicious PRO and the very cool web interface for calling over WebRTC Pinaki for helping keep SIPVicious OSS alive and kicking The TAD audience and Alan for inviting me to talk about security stuff :)
SOME WAYS TO GET IN TOUCH Subscribe to our blog at Enable Security: https://www.rtcsec.com sandro@enablesecurity.com https://enablesecurity.com/#contact-us

Recommended

A tale of two RTC fuzzing approaches
A tale of two RTC fuzzing approachesA tale of two RTC fuzzing approaches
A tale of two RTC fuzzing approaches
Sandro Gauci
 
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro GauciThe OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
Sandro Gauci
 
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...
IRJET Journal
 
IRJET- Sky Shield: A Sketch-Based Defense System against Application Laye...
IRJET- Sky Shield: A Sketch-Based Defense System against Application Laye...IRJET- Sky Shield: A Sketch-Based Defense System against Application Laye...
IRJET- Sky Shield: A Sketch-Based Defense System against Application Laye...
IRJET Journal
 
Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view
IPv6 Conference
 
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
ir. Carmelo Zaccone
 
Pxosys Webinar Amplify your Security
Pxosys Webinar Amplify your SecurityPxosys Webinar Amplify your Security
Pxosys Webinar Amplify your Security
🏆Ruben Cocheno💭
 
Introduction To NIDS
Introduction To NIDSIntroduction To NIDS
Introduction To NIDS
Michael Boman
 

Recommended

A tale of two RTC fuzzing approaches
A tale of two RTC fuzzing approachesA tale of two RTC fuzzing approaches
A tale of two RTC fuzzing approaches
Sandro Gauci
 
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro GauciThe OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
Sandro Gauci
 
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...
IRJET Journal
 
IRJET- Sky Shield: A Sketch-Based Defense System against Application Laye...
IRJET- Sky Shield: A Sketch-Based Defense System against Application Laye...IRJET- Sky Shield: A Sketch-Based Defense System against Application Laye...
IRJET- Sky Shield: A Sketch-Based Defense System against Application Laye...
IRJET Journal
 
Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view
IPv6 Conference
 
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
ir. Carmelo Zaccone
 
Pxosys Webinar Amplify your Security
Pxosys Webinar Amplify your SecurityPxosys Webinar Amplify your Security
Pxosys Webinar Amplify your Security
🏆Ruben Cocheno💭
 
Introduction To NIDS
Introduction To NIDSIntroduction To NIDS
Introduction To NIDS
Michael Boman
 
SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
Olle E Johansson
 
Sguil
SguilSguil
Sguil
Michael Boman
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
Lancope, Inc.
 
Acid
AcidAcid
Acid
Michael Boman
 
SIP & TLS - a very brief overview for the POSH BOF at IETF 87
SIP & TLS - a very brief overview for the POSH BOF at IETF 87SIP & TLS - a very brief overview for the POSH BOF at IETF 87
SIP & TLS - a very brief overview for the POSH BOF at IETF 87
Olle E Johansson
 
Altitude San Francisco 2018: WAF Workshop
Altitude San Francisco 2018: WAF WorkshopAltitude San Francisco 2018: WAF Workshop
Altitude San Francisco 2018: WAF Workshop
Fastly
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)
Michael Boman
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
Dhruv Sharma
 
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus GatewayAsterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Alessandro Polidori
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploits
Alexandre Moneger
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Lancope, Inc.
 
Lancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-security
Lancope, Inc.
 
Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies
sushmil123
 
Vision one-customer
Vision one-customerVision one-customer
Vision one-customer
Marie-Agnès PONS
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
Lancope, Inc.
 
Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0Shamal Abeyrathne
 
Preparing for the Imminent Terabit DDoS Attack
Preparing for the Imminent Terabit DDoS AttackPreparing for the Imminent Terabit DDoS Attack
Preparing for the Imminent Terabit DDoS Attack
Imperva
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
AWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the ComplianceAWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the Compliance
Yury Chemerkin
 
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
Sandro Gauci
 
SIP Beyond Telecom
SIP Beyond TelecomSIP Beyond Telecom
SIP Beyond Telecom
RADVISION Ltd.
 

More Related Content

What's hot

SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
Olle E Johansson
 
Sguil
SguilSguil
Sguil
Michael Boman
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
Lancope, Inc.
 
Acid
AcidAcid
Acid
Michael Boman
 
SIP & TLS - a very brief overview for the POSH BOF at IETF 87
SIP & TLS - a very brief overview for the POSH BOF at IETF 87SIP & TLS - a very brief overview for the POSH BOF at IETF 87
SIP & TLS - a very brief overview for the POSH BOF at IETF 87
Olle E Johansson
 
Altitude San Francisco 2018: WAF Workshop
Altitude San Francisco 2018: WAF WorkshopAltitude San Francisco 2018: WAF Workshop
Altitude San Francisco 2018: WAF Workshop
Fastly
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)
Michael Boman
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
Dhruv Sharma
 
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus GatewayAsterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Alessandro Polidori
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploits
Alexandre Moneger
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Lancope, Inc.
 
Lancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-security
Lancope, Inc.
 
Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies
sushmil123
 
Vision one-customer
Vision one-customerVision one-customer
Vision one-customer
Marie-Agnès PONS
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
Lancope, Inc.
 
Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0Shamal Abeyrathne
 
Preparing for the Imminent Terabit DDoS Attack
Preparing for the Imminent Terabit DDoS AttackPreparing for the Imminent Terabit DDoS Attack
Preparing for the Imminent Terabit DDoS Attack
Imperva
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
AWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the ComplianceAWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the Compliance
Yury Chemerkin
 

What's hot (20)

SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
 
Sguil
SguilSguil
Sguil
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
Acid
AcidAcid
Acid
 
SIP & TLS - a very brief overview for the POSH BOF at IETF 87
SIP & TLS - a very brief overview for the POSH BOF at IETF 87SIP & TLS - a very brief overview for the POSH BOF at IETF 87
SIP & TLS - a very brief overview for the POSH BOF at IETF 87
 
Altitude San Francisco 2018: WAF Workshop
Altitude San Francisco 2018: WAF WorkshopAltitude San Francisco 2018: WAF Workshop
Altitude San Francisco 2018: WAF Workshop
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
 
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus GatewayAsterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploits
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
 
Lancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-security
 
Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies Checkpoint Firewall for Dummies
Checkpoint Firewall for Dummies
 
Vision one-customer
Vision one-customerVision one-customer
Vision one-customer
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
 
Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0
 
Preparing for the Imminent Terabit DDoS Attack
Preparing for the Imminent Terabit DDoS AttackPreparing for the Imminent Terabit DDoS Attack
Preparing for the Imminent Terabit DDoS Attack
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
 
AWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the ComplianceAWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the Compliance
 

Similar to Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo server. Sandro Gauci

CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
Sandro Gauci
 
SIP Beyond Telecom
SIP Beyond TelecomSIP Beyond Telecom
SIP Beyond Telecom
RADVISION Ltd.
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
The various ways your RTC may be crushed
The various ways your RTC may be crushedThe various ways your RTC may be crushed
The various ways your RTC may be crushed
Sandro Gauci
 
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
apidays
 
WebRTC Videobroadcasting
WebRTC VideobroadcastingWebRTC Videobroadcasting
WebRTC Videobroadcasting
Ravi Kuril
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationpeter lam
 
The worst of enemies – let’s talk about DDoS and RTC, Sandro Gauci
The worst of enemies – let’s talk about DDoS and RTC, Sandro GauciThe worst of enemies – let’s talk about DDoS and RTC, Sandro Gauci
The worst of enemies – let’s talk about DDoS and RTC, Sandro Gauci
Alan Quayle
 
Webinar - What's New at Cloudflare (8/23/18)
Webinar - What's New at Cloudflare (8/23/18)Webinar - What's New at Cloudflare (8/23/18)
Webinar - What's New at Cloudflare (8/23/18)
Cloudflare
 
Delhi The Second Adventure
Delhi The Second AdventureDelhi The Second Adventure
Delhi The Second Adventure
n|u - The Open Security Community
 
SIP servers on embedded systems: Powering SoHo communications
SIP servers on embedded systems: Powering SoHo communicationsSIP servers on embedded systems: Powering SoHo communications
SIP servers on embedded systems: Powering SoHo communications
RADVISION Ltd.
 
Continuous Delivery with a PaaS Application
Continuous Delivery with a PaaS ApplicationContinuous Delivery with a PaaS Application
Continuous Delivery with a PaaS Application
Mark Rendell
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Application Centric Microservices from Redhat Summit 2015
Application Centric Microservices from Redhat Summit 2015Application Centric Microservices from Redhat Summit 2015
Application Centric Microservices from Redhat Summit 2015
Ken Owens
 
Platform as a Runtime - PaaR QCON 2024 - Final
Platform as a Runtime - PaaR QCON 2024 - FinalPlatform as a Runtime - PaaR QCON 2024 - Final
Platform as a Runtime - PaaR QCON 2024 - Final
Aviran Mordo
 
Cwin16 tls-a micro-service deployment - v1.0
Cwin16 tls-a micro-service deployment - v1.0Cwin16 tls-a micro-service deployment - v1.0
Cwin16 tls-a micro-service deployment - v1.0
Capgemini
 
Attacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous DeliveryAttacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous Delivery
James Wickett
 
RHTAP.pptx
RHTAP.pptxRHTAP.pptx
RHTAP.pptx
Sripad NS
 
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco CloudDEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
Cisco DevNet
 
Enterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up BudgetEnterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up Budget
DevOps.com
 

Similar to Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo server. Sandro Gauci (20)

CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
 
SIP Beyond Telecom
SIP Beyond TelecomSIP Beyond Telecom
SIP Beyond Telecom
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
The various ways your RTC may be crushed
The various ways your RTC may be crushedThe various ways your RTC may be crushed
The various ways your RTC may be crushed
 
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
INTERFACE by apidays 2023 - The Swiss Cheese Model of Layered API Security, L...
 
WebRTC Videobroadcasting
WebRTC VideobroadcastingWebRTC Videobroadcasting
WebRTC Videobroadcasting
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
 
The worst of enemies – let’s talk about DDoS and RTC, Sandro Gauci
The worst of enemies – let’s talk about DDoS and RTC, Sandro GauciThe worst of enemies – let’s talk about DDoS and RTC, Sandro Gauci
The worst of enemies – let’s talk about DDoS and RTC, Sandro Gauci
 
Webinar - What's New at Cloudflare (8/23/18)
Webinar - What's New at Cloudflare (8/23/18)Webinar - What's New at Cloudflare (8/23/18)
Webinar - What's New at Cloudflare (8/23/18)
 
Delhi The Second Adventure
Delhi The Second AdventureDelhi The Second Adventure
Delhi The Second Adventure
 
SIP servers on embedded systems: Powering SoHo communications
SIP servers on embedded systems: Powering SoHo communicationsSIP servers on embedded systems: Powering SoHo communications
SIP servers on embedded systems: Powering SoHo communications
 
Continuous Delivery with a PaaS Application
Continuous Delivery with a PaaS ApplicationContinuous Delivery with a PaaS Application
Continuous Delivery with a PaaS Application
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Application Centric Microservices from Redhat Summit 2015
Application Centric Microservices from Redhat Summit 2015Application Centric Microservices from Redhat Summit 2015
Application Centric Microservices from Redhat Summit 2015
 
Platform as a Runtime - PaaR QCON 2024 - Final
Platform as a Runtime - PaaR QCON 2024 - FinalPlatform as a Runtime - PaaR QCON 2024 - Final
Platform as a Runtime - PaaR QCON 2024 - Final
 
Cwin16 tls-a micro-service deployment - v1.0
Cwin16 tls-a micro-service deployment - v1.0Cwin16 tls-a micro-service deployment - v1.0
Cwin16 tls-a micro-service deployment - v1.0
 
Attacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous DeliveryAttacking Pipelines--Security meets Continuous Delivery
Attacking Pipelines--Security meets Continuous Delivery
 
RHTAP.pptx
RHTAP.pptxRHTAP.pptx
RHTAP.pptx
 
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco CloudDEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
DEVNET-1149 Leveraging Rapid Development with PaaS on Cisco Cloud
 
Enterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up BudgetEnterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up Budget
 

More from Alan Quayle

What is a vCon?
What is a vCon?What is a vCon?
What is a vCon?
Alan Quayle
 
Supercharging CPaaS Growth & Margins with Identity and Authentication, Aditya...
Supercharging CPaaS Growth & Margins with Identity and Authentication, Aditya...Supercharging CPaaS Growth & Margins with Identity and Authentication, Aditya...
Supercharging CPaaS Growth & Margins with Identity and Authentication, Aditya...
Alan Quayle
 
Building a sub-second virtual ThunderDome: Considerations for mass scale sub-...
Building a sub-second virtual ThunderDome: Considerations for mass scale sub-...Building a sub-second virtual ThunderDome: Considerations for mass scale sub-...
Building a sub-second virtual ThunderDome: Considerations for mass scale sub-...
Alan Quayle
 
What makes a cellular IoT API great? Tobias Goebel
What makes a cellular IoT API great? Tobias GoebelWhat makes a cellular IoT API great? Tobias Goebel
What makes a cellular IoT API great? Tobias Goebel
Alan Quayle
 
eSIM as Root of Trust for IoT security, João Casal
eSIM as Root of Trust for IoT security, João CasaleSIM as Root of Trust for IoT security, João Casal
eSIM as Root of Trust for IoT security, João Casal
Alan Quayle
 
Architecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin SimeArchitecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin Sime
Alan Quayle
 
CPaaS Conversational Platforms and Conversational Customer Service – The Expe...
CPaaS Conversational Platforms and Conversational Customer Service – The Expe...CPaaS Conversational Platforms and Conversational Customer Service – The Expe...
CPaaS Conversational Platforms and Conversational Customer Service – The Expe...
Alan Quayle
 
Programmable Testing for Programmable Telcos, Andreas Granig
Programmable Testing for Programmable Telcos, Andreas GranigProgrammable Testing for Programmable Telcos, Andreas Granig
Programmable Testing for Programmable Telcos, Andreas Granig
Alan Quayle
 
How to best maximize the conversation data stream for your business? Surbhi R...
How to best maximize the conversation data stream for your business? Surbhi R...How to best maximize the conversation data stream for your business? Surbhi R...
How to best maximize the conversation data stream for your business? Surbhi R...
Alan Quayle
 
Latest Updates and Experiences in Launching Local Language Tools, Karel Bourgois
Latest Updates and Experiences in Launching Local Language Tools, Karel BourgoisLatest Updates and Experiences in Launching Local Language Tools, Karel Bourgois
Latest Updates and Experiences in Launching Local Language Tools, Karel Bourgois
Alan Quayle
 
What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawfu...
What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawfu...What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawfu...
What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawfu...
Alan Quayle
 
Master the Audience Experience Multiverse: AX Best Practices and Success Stor...
Master the Audience Experience Multiverse: AX Best Practices and Success Stor...Master the Audience Experience Multiverse: AX Best Practices and Success Stor...
Master the Audience Experience Multiverse: AX Best Practices and Success Stor...
Alan Quayle
 
Open Source Telecom Software Survey 2022, Alan Quayle
Open Source Telecom Software Survey 2022, Alan QuayleOpen Source Telecom Software Survey 2022, Alan Quayle
Open Source Telecom Software Survey 2022, Alan Quayle
Alan Quayle
 
OpenSIPS 3.3 – Messaging in the IMS and UC ecosystems. Bogdan-Andrei Iancu
OpenSIPS 3.3 – Messaging in the IMS and UC ecosystems. Bogdan-Andrei IancuOpenSIPS 3.3 – Messaging in the IMS and UC ecosystems. Bogdan-Andrei Iancu
OpenSIPS 3.3 – Messaging in the IMS and UC ecosystems. Bogdan-Andrei Iancu
Alan Quayle
 
TADS 2022 - Shifting from Voice to Workflow Management, Filipe Leitao
TADS 2022 - Shifting from Voice to Workflow Management, Filipe LeitaoTADS 2022 - Shifting from Voice to Workflow Management, Filipe Leitao
TADS 2022 - Shifting from Voice to Workflow Management, Filipe Leitao
Alan Quayle
 
What happened since we last met TADSummit 2022, Alan Quayle
What happened since we last met TADSummit 2022, Alan QuayleWhat happened since we last met TADSummit 2022, Alan Quayle
What happened since we last met TADSummit 2022, Alan Quayle
Alan Quayle
 
Stacuity - TAD Summit 2022 - Time to ditch the dumb-pipe, Mike Bromwich
Stacuity - TAD Summit 2022 - Time to ditch the dumb-pipe, Mike BromwichStacuity - TAD Summit 2022 - Time to ditch the dumb-pipe, Mike Bromwich
Stacuity - TAD Summit 2022 - Time to ditch the dumb-pipe, Mike Bromwich
Alan Quayle
 
AWA – a Telco bootstrapping product development: Challenges with dynamic mark...
AWA – a Telco bootstrapping product development: Challenges with dynamic mark...AWA – a Telco bootstrapping product development: Challenges with dynamic mark...
AWA – a Telco bootstrapping product development: Challenges with dynamic mark...
Alan Quayle
 
Founding a Startup in Telecoms. The good, the bad and the ugly. João Camarate
Founding a Startup in Telecoms. The good, the bad and the ugly. João CamarateFounding a Startup in Telecoms. The good, the bad and the ugly. João Camarate
Founding a Startup in Telecoms. The good, the bad and the ugly. João Camarate
Alan Quayle
 
How to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro GauciHow to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro Gauci
Alan Quayle
 

More from Alan Quayle (20)

What is a vCon?
What is a vCon?What is a vCon?
What is a vCon?
 
Supercharging CPaaS Growth & Margins with Identity and Authentication, Aditya...
Supercharging CPaaS Growth & Margins with Identity and Authentication, Aditya...Supercharging CPaaS Growth & Margins with Identity and Authentication, Aditya...
Supercharging CPaaS Growth & Margins with Identity and Authentication, Aditya...
 
Building a sub-second virtual ThunderDome: Considerations for mass scale sub-...
Building a sub-second virtual ThunderDome: Considerations for mass scale sub-...Building a sub-second virtual ThunderDome: Considerations for mass scale sub-...
Building a sub-second virtual ThunderDome: Considerations for mass scale sub-...
 
What makes a cellular IoT API great? Tobias Goebel
What makes a cellular IoT API great? Tobias GoebelWhat makes a cellular IoT API great? Tobias Goebel
What makes a cellular IoT API great? Tobias Goebel
 
eSIM as Root of Trust for IoT security, João Casal
eSIM as Root of Trust for IoT security, João CasaleSIM as Root of Trust for IoT security, João Casal
eSIM as Root of Trust for IoT security, João Casal
 
Architecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin SimeArchitecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin Sime
 
CPaaS Conversational Platforms and Conversational Customer Service – The Expe...
CPaaS Conversational Platforms and Conversational Customer Service – The Expe...CPaaS Conversational Platforms and Conversational Customer Service – The Expe...
CPaaS Conversational Platforms and Conversational Customer Service – The Expe...
 
Programmable Testing for Programmable Telcos, Andreas Granig
Programmable Testing for Programmable Telcos, Andreas GranigProgrammable Testing for Programmable Telcos, Andreas Granig
Programmable Testing for Programmable Telcos, Andreas Granig
 
How to best maximize the conversation data stream for your business? Surbhi R...
How to best maximize the conversation data stream for your business? Surbhi R...How to best maximize the conversation data stream for your business? Surbhi R...
How to best maximize the conversation data stream for your business? Surbhi R...
 
Latest Updates and Experiences in Launching Local Language Tools, Karel Bourgois
Latest Updates and Experiences in Launching Local Language Tools, Karel BourgoisLatest Updates and Experiences in Launching Local Language Tools, Karel Bourgois
Latest Updates and Experiences in Launching Local Language Tools, Karel Bourgois
 
What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawfu...
What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawfu...What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawfu...
What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawfu...
 
Master the Audience Experience Multiverse: AX Best Practices and Success Stor...
Master the Audience Experience Multiverse: AX Best Practices and Success Stor...Master the Audience Experience Multiverse: AX Best Practices and Success Stor...
Master the Audience Experience Multiverse: AX Best Practices and Success Stor...
 
Open Source Telecom Software Survey 2022, Alan Quayle
Open Source Telecom Software Survey 2022, Alan QuayleOpen Source Telecom Software Survey 2022, Alan Quayle
Open Source Telecom Software Survey 2022, Alan Quayle
 
OpenSIPS 3.3 – Messaging in the IMS and UC ecosystems. Bogdan-Andrei Iancu
OpenSIPS 3.3 – Messaging in the IMS and UC ecosystems. Bogdan-Andrei IancuOpenSIPS 3.3 – Messaging in the IMS and UC ecosystems. Bogdan-Andrei Iancu
OpenSIPS 3.3 – Messaging in the IMS and UC ecosystems. Bogdan-Andrei Iancu
 
TADS 2022 - Shifting from Voice to Workflow Management, Filipe Leitao
TADS 2022 - Shifting from Voice to Workflow Management, Filipe LeitaoTADS 2022 - Shifting from Voice to Workflow Management, Filipe Leitao
TADS 2022 - Shifting from Voice to Workflow Management, Filipe Leitao
 
What happened since we last met TADSummit 2022, Alan Quayle
What happened since we last met TADSummit 2022, Alan QuayleWhat happened since we last met TADSummit 2022, Alan Quayle
What happened since we last met TADSummit 2022, Alan Quayle
 
Stacuity - TAD Summit 2022 - Time to ditch the dumb-pipe, Mike Bromwich
Stacuity - TAD Summit 2022 - Time to ditch the dumb-pipe, Mike BromwichStacuity - TAD Summit 2022 - Time to ditch the dumb-pipe, Mike Bromwich
Stacuity - TAD Summit 2022 - Time to ditch the dumb-pipe, Mike Bromwich
 
AWA – a Telco bootstrapping product development: Challenges with dynamic mark...
AWA – a Telco bootstrapping product development: Challenges with dynamic mark...AWA – a Telco bootstrapping product development: Challenges with dynamic mark...
AWA – a Telco bootstrapping product development: Challenges with dynamic mark...
 
Founding a Startup in Telecoms. The good, the bad and the ugly. João Camarate
Founding a Startup in Telecoms. The good, the bad and the ugly. João CamarateFounding a Startup in Telecoms. The good, the bad and the ugly. João Camarate
Founding a Startup in Telecoms. The good, the bad and the ugly. João Camarate
 
How to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro GauciHow to bring down your own RTC platform. Sandro Gauci
How to bring down your own RTC platform. Sandro Gauci
 

Recently uploaded

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 

Recently uploaded (20)

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 

Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo server. Sandro Gauci

  • 1. TOOLS FOR OFFENSIVE RTC SECURITY Introducing SIPVicious PRO and the demo server Sandro Gauci, 2021-04-30
  • 3. WHO AM I? Developed SIPVicious OSS Leading Enable Security: Offensive RTC security Security research / penetration testing Consultancy and training We develop SIPVicious PRO
  • 4. CONTRIBUTE TO OPEN SOURCE RTC SECURITY? Yes we do! Security research and advisories Open-source tools, especially SIPVicious OSS (being updated) Our blog - Communication Breakdown at OpenSIPIt’01 https://rtcsec.com https://opensipit.org/
  • 5. PREVIOUSLY AT A DIFFERENT TAD SUMMIT Why I think defensive security on its own is not enough The value of an offensive approach towards RTC security Why I think that RTC security lacks this approach: lack of training opportunities lack of robust testing tools
  • 6. AGENDA: WHAT THIS ONE IS ABOUT A brief look at the RTC offensive security landscape SIPVicious OSS SIPVicious PRO The demo server as your playground Demos and walk-throughs Future plans
  • 8. THE AWESOME RTC HACKING LIST https://github.com/EnableSecurity/awesome-rtc- hacking
  • 9. A LITTLE ABOUT SIPVICIOUS OSS open-source, published back in 2007 python-based 3 main tools: svmap which is a scanner for SIP svwar which enumerates extensions on SIP devices svcrack that tries to guess passwords for SIP extensions
  • 11. FAST FORWARD TO THE FUTURE (2021) the future is here
  • 13. SIPVICIOUS PRO: AN INTRODUCTION shares the same name as SVOSS complete new code covers the entire RTC space not just SIP aims to be the most powerful offensive RTC security toolset
  • 15. SIPVICIOUS PRO: FEATURE-SET Various new attacks supported e.g.: SIP ood RTP ood Digest leak RTP Bleed RTP inject Fuzzing Support for SIP over different transport protocols TCP, UDP, TLS and WebSockets
  • 16. SIPVICIOUS PRO: FEATURE-SET Integration within QA , including CI/CD pipelines SIP messages may be easily modi ed using a exible Support for RTP attacks Insane speed, especially useful for ood attacks with rate limiting capabilities Compliance to RFCs automation systems templating system
  • 18. WHY? needed a place to show SIPVicious PRO reliable/deterministic response to attacks
  • 21. VULNERABLE TO … EVERYTHING THAT CAN BE TESTED WITH SIPVICIOUS PRO (and more) SIP Digest Leak SIP extension enumeration SIP password cracking RTP Bleed RTP Inject RTP Flood TURN proxy abuse
  • 22. TALK TO ME ABOUT PROTOCOLS SIP on TCP/TLS/UDP/WebSocket RTP/SRTP SDES and DTLS TURN server WebRTC interface
  • 23. DEMO SERVER .. DEMO TIME! https://demo.sipvicious.pro/call/
  • 24. FUTURE PLANS SIPVicious PRO covering RTC in general, e.g. adding coverage of: XMPP STUN/TURN Custom signalling protocols Keep supporting SIPVicious OSS Demo server should be open-sourced (put some pressure on us)
  • 25. THANKS! Alfred Farrugia for developing most of SIPVicious PRO and the very cool web interface for calling over WebRTC Pinaki for helping keep SIPVicious OSS alive and kicking The TAD audience and Alan for inviting me to talk about security stuff :)
  • 26. SOME WAYS TO GET IN TOUCH Subscribe to our blog at Enable Security: https://www.rtcsec.com sandro@enablesecurity.com https://enablesecurity.com/#contact-us