n|u - The Open Security Community, profile picture
Uploaded byn|u - The Open Security Community
PPTX, PDF17,081 views

VoIP – vulnerabilities and attacks

The document discusses vulnerabilities and attacks against Voice over IP (VoIP) systems. It begins with an introduction to VoIP architecture, components, and protocols. It then covers vulnerabilities and common attack vectors against VoIP, such as identity spoofing, eavesdropping, password cracking, and denial of service attacks. The document demonstrates some example attacks and outlines tools that can be used for scanning, attacking, and testing the security of VoIP systems. It concludes with recommendations for countermeasures like firewalls, encryption, and network hardening to better secure VoIP infrastructures.

Embed presentation

Downloaded 468 times
VoIP – Vulnerabilities and Attacks Presented by - push
Agenda • Introduction to VoIP – VoIP Architecture – VoIP Components – VoIP Protocols • A PenTester Perspective – Attack Vectors – Scanning – Attacks – Tools of Trade – Countermeasures and Security http://null.co.in/ http://nullcon.net/
Remember Something? http://null.co.in/ http://nullcon.net/
VoIP • IP Telephony • Voice over Internet Protocol • Subset of IP Telephony • Transmission of “Voice” over Packet-Switched Network. • Is it only Voice??? – Data, Audio, Video http://null.co.in/ http://nullcon.net/
VoIP • Voice Analog Signals are converted to digital bits - “Sampled” and transmitted in packets Analog Voice Signals 101010101010 1101101101 Analog Voice 1010101010101101101 101010101010110110 Signals 101 1101 101010101010 1101101101 Internet 1010101010101101101 101010101010110110 101 1101 http://null.co.in/ http://nullcon.net/
VoIP Architecture Ordinary Phone  ATA  Ethernet  Router  Internet http://null.co.in/ http://nullcon.net/
VoIP Architecture IP Phone  Ethernet  IP-PBX  Router  Internet Internet IP Phone IP - PBX Modem / Router http://null.co.in/ http://nullcon.net/
VoIP Architecture Softphone Phone  Ethernet  Router  Internet Internet http://null.co.in/ http://nullcon.net/
VoIP Architecture http://null.co.in/ http://nullcon.net/
VoIP Components • User Agents (devices) • Redirect Servers • Media gateways • Registrar Servers • Signaling gateways • Location Servers • Network management system • Gatekeepers • Billing systems • Proxy Servers GW  Gateway MG  Media Gateway GK  Gatekeeper MGC  Media Gateway Controller NMS  Network Management System IVR  Interactive Voice Response http://null.co.in/ http://nullcon.net/
VoIP Protocols • Vendor Proprietary • Signaling Protocols • Media Protocols http://null.co.in/ http://nullcon.net/
VoIP Protocols SIP Session Initiation Protocol SAP  Session Announcement Protocol SGCP  Simple Gateway Control Protocol MIME  Multipurpose Internet Mail IPDC  Internet Protocol device Control Extensions – Set of Standards RTP  Real Time Transmission Protocol IAX  Inter-Asterisk eXchange SRTP  Secure Real Time Transmission Protocol Megaco H.248  Gateway Control Protocol RTCP  RTP Control Protocol RVP over IP  Remote Voice Protocol over IP SRTCP  Secure RTP Control Protocol RTSP  Real Time Streaming Protocol MGCP  Media Gateway Control Protocol SCCP  Skinny Client Control Protocol (Cisco). SDP  Session Description Protocol UNISTIM  Unified Network Stimulus (Nortel). http://null.co.in/ http://nullcon.net/
VoIP Protocols - SIP http://null.co.in/ http://nullcon.net/
VoIP Protocols – H.323 http://null.co.in/ http://nullcon.net/
A PenTester Perspective http://null.co.in/ http://nullcon.net/
VoIP – Attack Vectors • Vulnerabilities of Both Data and Telephone Network • CIA Triad http://null.co.in/ http://nullcon.net/
VoIP - Scanning • Scanning a network for VoIP enabled systems / devices. • Tools for Scanning and Enumeration : – Nmap  port scanner – Smap  sip scanner. Finds SIP Enabled Servers – Svmap  sip scanner – Svwar  sip extension enumerator – Iwar VoIP Enabled modem Dialer – Metasploit Modules : • H.323 version scanner • SIP enumerator  SIP Username enumerator(UDP) • SIP enumerator_tcp  SIP Username Enumerator(TCP) • Options  SIP scanner(TCP) • Options_tcp  SIP scanner(UDP) http://null.co.in/ http://nullcon.net/
VoIP – Scanning Demo • Nmap scan http://null.co.in/ http://nullcon.net/
VoIP – Common Ports Protocol TCP Port UDP Port SIP 5060 5060 SIP-TLS 5061 5061 IAX2 - 4569 http – web based 80 / 8080 - management console tftp - 69 RTP - 5004 RTCP - 5005 IAX1 - 5036 SCCP 2000 SCCPS 2443 H.323 1720 http://null.co.in/ http://nullcon.net/
VoIP – Scanning Demo • Smap • svmap http://null.co.in/ http://nullcon.net/
VoIP – Scanning Demo • Metasploit Scanner http://null.co.in/ http://nullcon.net/
VoIP - Attacks • Identity Spoofing • Conversation Eavesdropping / Sniffing • Password Cracking • Man-In-The-Middle • SIP-Bye DoS • SIP Bombing • RTP Insertion Attacks • Web Based Management Console Hacks • Fuzzing • Default Passwords http://null.co.in/ http://nullcon.net/
VoIP – Attacks Demo • Identity – Caller ID Spoofing – Tools Used : • Metasploit- SIP_INVITE_Spoof • VoIP Fuzzer – Protos -Sip http://null.co.in/ http://nullcon.net/
VoIP – Attacks Demo • Conversation Eavesdropping – Tools used : • Cain & Abel • Ettercap • Arpspoof • Wireshark http://null.co.in/ http://nullcon.net/
VoIP – Attacks Demo • Man-In-The-Middle – Tools Used : • Wireshark • Arpspoof / ettercap • RTPInject • RTPmixsound http://null.co.in/ http://nullcon.net/
VoIP – Attacks Demo • Password Cracking – Tools Used : • SIPDump • SIPCrack • svcrack http://null.co.in/ http://nullcon.net/
VoIP - Attacks Some Default Passwords for VoIP Devices and Consoles: Device / Console Username Password Uniden UIP1868P VoIP - admin phone Web Interface Hitachi IP5000 VOIP WIFI - 0000 Phone 1.5.6 Vonage VoIP Telephone user user Adapter Grandstream Phones - Web Administrator /admin admin Adimistrator Interface user user •Asterisk Manager User Accounts are configured in /etc/asterisk/manager.conf http://null.co.in/ http://nullcon.net/
VoIP – Audit & PenTest Tools • UCSniff • MetaSploit Modules : – Auxillary Modules • VoIPHopper • SIP enumerator  SIP Username enumerator • SIP enumerator_tcp  SIP USERNAME • Vomit Enumerator • VoIPong • Options  SIP scanner • Options_tcp  SIP scanner • IAX Flood • Asterisk_login  Asterisk Manager Login Utility – Exploits • InviteFlood • Aol_icq_downloadagent  AOL ICQ Arbitary File Downlowd • RTPFlood • Aim_triton_cseq AIM triton 1.0.4 CSeq Buffer Overflow • IAXFlood • Sipxezphone_cseq sipxezphone 0.35a Cseq Filed Overflow • BYE-TearDown • Sipxphone_cseq  sipxPhone 2.6.0.27 Cseq Buffer Overflow http://null.co.in/ http://nullcon.net/
Countermeasures & Security • Separate Infrasrtucture • Do not integrate Data and VoIP Networks • VoIP-aware Firewalls, • Secure Protocols like SRTP, • Session Encryption using SIP/TLS, SCCP/TLS • Harden Network Security – IDS – IPS - NIPS http://null.co.in/ http://nullcon.net/
Thank You See you all @ nullcon - Delhi http://null.co.in/ http://nullcon.net/

More Related Content

PPTX
Spoofing Techniques
byRaza_Abidi
 
PPTX
Voip security
byShethwala Ridhvesh
 
PDF
Hacking SIP Like a Boss!
byFatih Ozavci
 
PPTX
Cyber kill chain
byAnkita Ganguly
 
PPTX
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
PPT
VoIP Security
byDayanand Prabhakar
 
PPTX
SSL And TLS
byGhanshyam Patel
 
PPTX
Browser forensics
byPrince Boonlia
 
Spoofing Techniques
byRaza_Abidi
 
Voip security
byShethwala Ridhvesh
 
Hacking SIP Like a Boss!
byFatih Ozavci
 
Cyber kill chain
byAnkita Ganguly
 
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
VoIP Security
byDayanand Prabhakar
 
SSL And TLS
byGhanshyam Patel
 
Browser forensics
byPrince Boonlia
 

What's hot

PPTX
Firewall DMZ Zone
byNetProtocol Xpert
 
PPTX
Introduction to penetration testing
byNezar Alazzabi
 
PPTX
VAPT PRESENTATION full.pptx
byDARSHANBHAVSAR14
 
PPTX
Penetration Testing
byRomSoft SRL
 
PPTX
Man in The Middle Attack
byDeepak Upadhyay
 
PPTX
Identity Management
byVenkatesh Jambulingam
 
PDF
Offzone | Another waf bypass
byДмитрий Бумов
 
PDF
Cybersecurity Awareness Training Presentation v2024.03
byDallasHaselhorst
 
PPTX
Wireless Penetration Testing
byMohammed Adam
 
PDF
The Art of VoIP Hacking - Defcon 23 Workshop
byFatih Ozavci
 
PDF
16 palo alto ssl decryption policy concept
byMostafa El Lathy
 
PDF
20 palo alto site to site
byMostafa El Lathy
 
PDF
10 palo alto nat policy concepts
byMostafa El Lathy
 
PPTX
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 
PPTX
Ethical hacking - Footprinting.pptx
byNargis Parveen
 
PPT
Networking and penetration testing
byMohit Belwal
 
PPT
DDOS Attack
byAhmed Salama
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
PDF
Addressing the cyber kill chain
bySymantec Brasil
 
PPT
Internet Traffic Monitoring and Analysis
byInformation Technology
 
Firewall DMZ Zone
byNetProtocol Xpert
 
Introduction to penetration testing
byNezar Alazzabi
 
VAPT PRESENTATION full.pptx
byDARSHANBHAVSAR14
 
Penetration Testing
byRomSoft SRL
 
Man in The Middle Attack
byDeepak Upadhyay
 
Identity Management
byVenkatesh Jambulingam
 
Offzone | Another waf bypass
byДмитрий Бумов
 
Cybersecurity Awareness Training Presentation v2024.03
byDallasHaselhorst
 
Wireless Penetration Testing
byMohammed Adam
 
The Art of VoIP Hacking - Defcon 23 Workshop
byFatih Ozavci
 
16 palo alto ssl decryption policy concept
byMostafa El Lathy
 
20 palo alto site to site
byMostafa El Lathy
 
10 palo alto nat policy concepts
byMostafa El Lathy
 
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 
Ethical hacking - Footprinting.pptx
byNargis Parveen
 
Networking and penetration testing
byMohit Belwal
 
DDOS Attack
byAhmed Salama
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
Addressing the cyber kill chain
bySymantec Brasil
 
Internet Traffic Monitoring and Analysis
byInformation Technology
 

Viewers also liked

PDF
VoIP Wars: Attack of the Cisco Phones
byFatih Ozavci
 
PPT
Voice Over IP (VoIP)
byhabib_786
 
PDF
VoIP Wars : Return of the SIP
byFatih Ozavci
 
PDF
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
byFatih Ozavci
 
PDF
VoIP Wars: The Phreakers Awaken
byFatih Ozavci
 
PPTX
What is VoIP and How it works?
bybroadconnect
 
PPTX
Voip powerpoint
byGW1992
 
PDF
Security Challenges In VoIP
byTomGilis
 
PDF
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
byFatih Ozavci
 
PDF
SIP Beyond VoIP
bySaúl Ibarra Corretgé
 
PDF
Introduction to SIP(Session Initiation Protocol)
byWilliam Lee
 
PPTX
voip gateway
byNayomi Ranamuka
 
ODP
Voice over Internet Protocol (VoIP) using Asterisk
bySameer Verma
 
PPTX
Voice over internet protocol (VoIP)
byNamra Afzal
 
PPTX
Introduction to VoIP
byPaloSanto Solutions
 
PDF
VoIP Seminar
byHossein Yavari
 
PPTX
Voip
byYasin Virani
 
ODP
Voip introduction
bydaksh bhatt
 
PPTX
VOIP Presentation
bytofael1
 
VoIP Wars: Attack of the Cisco Phones
byFatih Ozavci
 
Voice Over IP (VoIP)
byhabib_786
 
VoIP Wars : Return of the SIP
byFatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
byFatih Ozavci
 
VoIP Wars: The Phreakers Awaken
byFatih Ozavci
 
What is VoIP and How it works?
bybroadconnect
 
Voip powerpoint
byGW1992
 
Security Challenges In VoIP
byTomGilis
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
byFatih Ozavci
 
SIP Beyond VoIP
bySaúl Ibarra Corretgé
 
Introduction to SIP(Session Initiation Protocol)
byWilliam Lee
 
voip gateway
byNayomi Ranamuka
 
Voice over Internet Protocol (VoIP) using Asterisk
bySameer Verma
 
Voice over internet protocol (VoIP)
byNamra Afzal
 
Introduction to VoIP
byPaloSanto Solutions
 
VoIP Seminar
byHossein Yavari
 
Voip
byYasin Virani
 
Voip introduction
bydaksh bhatt
 
VOIP Presentation
bytofael1
 

Similar to VoIP – vulnerabilities and attacks

PPT
Introduction to VoIP Security
byn|u - The Open Security Community
 
PPTX
VoIP - seminar at IASRI, New Delhi
byNishikant Taksande
 
PPTX
Voip
byHarry Sunarsa
 
PDF
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
bySuhas Desai
 
PDF
Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)
byThomas Siegers
 
PPT
Gaurav kumar VOIP MMMEC
byGaurav Kumar
 
PDF
Voip In College
byFree Open Source Software Technology Lab
 
PDF
Understanding VoIP - 1
byAdebayo Ojo
 
PDF
Widyatama.lecture.applied networking.iv-week-09-voip
byDjadja Sardjana
 
PDF
IMT Lecture: VOIP&IPTV MM-Biztel
byDjadja Sardjana
 
PDF
IMT Lecture Ict.VOIP+IPTV.Part01.MM-Biztel 02 Nov09
bygueste2f09df
 
PDF
BlackHat Hacking - Hacking VoIP.
bySumutiu Marius
 
PPTX
Voice Quality Metrics in VoIP
byFraj Alshahibi
 
PPT
1 VoIP Overview[1]
byWilliam Giba
 
PPT
1 Vo Ip Overview
byMohsin Fakhar
 
PDF
385 voice over ip
byjacinthsara
 
PDF
Sounds Like Botnet
byItzik Kotler
 
PDF
Securing Unified Communications Systems
byVoxeo Corp
 
PDF
voip elements by Karan singh cypher
byKaran Maker
 
PPTX
VoIP (Voice over Internet Protocol)
byAbdullah Shah
 
Introduction to VoIP Security
byn|u - The Open Security Community
 
VoIP - seminar at IASRI, New Delhi
byNishikant Taksande
 
Voip
byHarry Sunarsa
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
bySuhas Desai
 
Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)
byThomas Siegers
 
Gaurav kumar VOIP MMMEC
byGaurav Kumar
 
Voip In College
byFree Open Source Software Technology Lab
 
Understanding VoIP - 1
byAdebayo Ojo
 
Widyatama.lecture.applied networking.iv-week-09-voip
byDjadja Sardjana
 
IMT Lecture: VOIP&IPTV MM-Biztel
byDjadja Sardjana
 
IMT Lecture Ict.VOIP+IPTV.Part01.MM-Biztel 02 Nov09
bygueste2f09df
 
BlackHat Hacking - Hacking VoIP.
bySumutiu Marius
 
Voice Quality Metrics in VoIP
byFraj Alshahibi
 
1 VoIP Overview[1]
byWilliam Giba
 
1 Vo Ip Overview
byMohsin Fakhar
 
385 voice over ip
byjacinthsara
 
Sounds Like Botnet
byItzik Kotler
 
Securing Unified Communications Systems
byVoxeo Corp
 
voip elements by Karan singh cypher
byKaran Maker
 
VoIP (Voice over Internet Protocol)
byAbdullah Shah
 

More from n|u - The Open Security Community

PDF
Hardware security testing 101 (Null - Delhi Chapter)
byn|u - The Open Security Community
 
PDF
Osint primer
byn|u - The Open Security Community
 
PPTX
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
PPTX
Nmap basics
byn|u - The Open Security Community
 
PDF
Metasploit primary
byn|u - The Open Security Community
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PDF
Introduction to TLS 1.3
byn|u - The Open Security Community
 
PDF
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
byn|u - The Open Security Community
 
PDF
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
PPTX
Building active directory lab for red teaming
byn|u - The Open Security Community
 
PPTX
Owning a company through their logs
byn|u - The Open Security Community
 
PPTX
Introduction to shodan
byn|u - The Open Security Community
 
PDF
Cloud security
byn|u - The Open Security Community
 
PDF
Detecting persistence in windows
byn|u - The Open Security Community
 
PPTX
Frida - Objection Tool Usage
byn|u - The Open Security Community
 
PDF
OSQuery - Monitoring System Process
byn|u - The Open Security Community
 
PDF
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
PDF
Extensible markup language attacks
byn|u - The Open Security Community
 
PPTX
Linux for hackers
byn|u - The Open Security Community
 
PDF
Android Pentesting
byn|u - The Open Security Community
 
Hardware security testing 101 (Null - Delhi Chapter)
byn|u - The Open Security Community
 
Osint primer
byn|u - The Open Security Community
 
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
Nmap basics
byn|u - The Open Security Community
 
Metasploit primary
byn|u - The Open Security Community
 
Api security-testing
byn|u - The Open Security Community
 
Introduction to TLS 1.3
byn|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
byn|u - The Open Security Community
 
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
Building active directory lab for red teaming
byn|u - The Open Security Community
 
Owning a company through their logs
byn|u - The Open Security Community
 
Introduction to shodan
byn|u - The Open Security Community
 
Cloud security
byn|u - The Open Security Community
 
Detecting persistence in windows
byn|u - The Open Security Community
 
Frida - Objection Tool Usage
byn|u - The Open Security Community
 
OSQuery - Monitoring System Process
byn|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
Extensible markup language attacks
byn|u - The Open Security Community
 
Linux for hackers
byn|u - The Open Security Community
 
Android Pentesting
byn|u - The Open Security Community
 

Recently uploaded

PPTX
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
PDF
The Sheep and the Goat: Beckett’s Subversion of Divine Justice in Waiting for...
bysejadchokiya
 
PPTX
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
PPTX
Math 8 Quarter 4 Week 4-SECONDARY DATA.pptx
byshahanieabbat3
 
PDF
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
PPTX
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
PDF
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
PDF
Chapter 05 Drugs Acting on the Central Nervous System: Anti-Depressant Drugs
bySandeshSul
 
PDF
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
PPTX
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
PPTX
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
PPTX
How to Manage Reservation Method in Odoo 18 Inventory
byCeline George
 
PPTX
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
PPTX
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
PDF
Artificial Intelligence in Research and Academic Writing, Workshop on Researc...
byProf. Vinod Kumar Kanvaria
 
PPTX
Problem and Solution (PowerPoint Game Template)
byacpaulite
 
PDF
PHARMACOLOGY 1 ( BP 404 T) Unit 1 (Cology 1)
byChetan Mali
 
PPTX
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
PPTX
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
PPTX
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
The Sheep and the Goat: Beckett’s Subversion of Divine Justice in Waiting for...
bysejadchokiya
 
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
Math 8 Quarter 4 Week 4-SECONDARY DATA.pptx
byshahanieabbat3
 
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
Chapter 05 Drugs Acting on the Central Nervous System: Anti-Depressant Drugs
bySandeshSul
 
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
How to Manage Reservation Method in Odoo 18 Inventory
byCeline George
 
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
Artificial Intelligence in Research and Academic Writing, Workshop on Researc...
byProf. Vinod Kumar Kanvaria
 
Problem and Solution (PowerPoint Game Template)
byacpaulite
 
PHARMACOLOGY 1 ( BP 404 T) Unit 1 (Cology 1)
byChetan Mali
 
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 

VoIP – vulnerabilities and attacks

  • 1.
    VoIP – Vulnerabilitiesand Attacks Presented by - push
  • 2.
    Agenda • Introduction to VoIP – VoIP Architecture – VoIP Components – VoIP Protocols • A PenTester Perspective – Attack Vectors – Scanning – Attacks – Tools of Trade – Countermeasures and Security http://null.co.in/ http://nullcon.net/
  • 3.
  • 4.
    VoIP • IP Telephony • Voice over Internet Protocol • Subset of IP Telephony • Transmission of “Voice” over Packet-Switched Network. • Is it only Voice??? – Data, Audio, Video http://null.co.in/ http://nullcon.net/
  • 5.
    VoIP • Voice Analog Signals are converted to digital bits - “Sampled” and transmitted in packets Analog Voice Signals 101010101010 1101101101 Analog Voice 1010101010101101101 101010101010110110 Signals 101 1101 101010101010 1101101101 Internet 1010101010101101101 101010101010110110 101 1101 http://null.co.in/ http://nullcon.net/
  • 6.
    VoIP Architecture Ordinary Phone  ATA  Ethernet  Router  Internet http://null.co.in/ http://nullcon.net/
  • 7.
    VoIP Architecture IP Phone  Ethernet  IP-PBX  Router  Internet Internet IP Phone IP - PBX Modem / Router http://null.co.in/ http://nullcon.net/
  • 8.
    VoIP Architecture Softphone Phone  Ethernet  Router  Internet Internet http://null.co.in/ http://nullcon.net/
  • 9.
  • 10.
    VoIP Components • User Agents (devices) • Redirect Servers • Media gateways • Registrar Servers • Signaling gateways • Location Servers • Network management system • Gatekeepers • Billing systems • Proxy Servers GW  Gateway MG  Media Gateway GK  Gatekeeper MGC  Media Gateway Controller NMS  Network Management System IVR  Interactive Voice Response http://null.co.in/ http://nullcon.net/
  • 11.
    VoIP Protocols • Vendor Proprietary • Signaling Protocols • Media Protocols http://null.co.in/ http://nullcon.net/
  • 12.
    VoIP Protocols SIP SessionInitiation Protocol SAP  Session Announcement Protocol SGCP  Simple Gateway Control Protocol MIME  Multipurpose Internet Mail IPDC  Internet Protocol device Control Extensions – Set of Standards RTP  Real Time Transmission Protocol IAX  Inter-Asterisk eXchange SRTP  Secure Real Time Transmission Protocol Megaco H.248  Gateway Control Protocol RTCP  RTP Control Protocol RVP over IP  Remote Voice Protocol over IP SRTCP  Secure RTP Control Protocol RTSP  Real Time Streaming Protocol MGCP  Media Gateway Control Protocol SCCP  Skinny Client Control Protocol (Cisco). SDP  Session Description Protocol UNISTIM  Unified Network Stimulus (Nortel). http://null.co.in/ http://nullcon.net/
  • 13.
    VoIP Protocols -SIP http://null.co.in/ http://nullcon.net/
  • 14.
    VoIP Protocols –H.323 http://null.co.in/ http://nullcon.net/
  • 15.
  • 16.
    VoIP – AttackVectors • Vulnerabilities of Both Data and Telephone Network • CIA Triad http://null.co.in/ http://nullcon.net/
  • 17.
    VoIP - Scanning • Scanning a network for VoIP enabled systems / devices. • Tools for Scanning and Enumeration : – Nmap  port scanner – Smap  sip scanner. Finds SIP Enabled Servers – Svmap  sip scanner – Svwar  sip extension enumerator – Iwar VoIP Enabled modem Dialer – Metasploit Modules : • H.323 version scanner • SIP enumerator  SIP Username enumerator(UDP) • SIP enumerator_tcp  SIP Username Enumerator(TCP) • Options  SIP scanner(TCP) • Options_tcp  SIP scanner(UDP) http://null.co.in/ http://nullcon.net/
  • 18.
    VoIP – ScanningDemo • Nmap scan http://null.co.in/ http://nullcon.net/
  • 19.
    VoIP – CommonPorts Protocol TCP Port UDP Port SIP 5060 5060 SIP-TLS 5061 5061 IAX2 - 4569 http – web based 80 / 8080 - management console tftp - 69 RTP - 5004 RTCP - 5005 IAX1 - 5036 SCCP 2000 SCCPS 2443 H.323 1720 http://null.co.in/ http://nullcon.net/
  • 20.
    VoIP – ScanningDemo • Smap • svmap http://null.co.in/ http://nullcon.net/
  • 21.
    VoIP – ScanningDemo • Metasploit Scanner http://null.co.in/ http://nullcon.net/
  • 22.
    VoIP - Attacks • Identity Spoofing • Conversation Eavesdropping / Sniffing • Password Cracking • Man-In-The-Middle • SIP-Bye DoS • SIP Bombing • RTP Insertion Attacks • Web Based Management Console Hacks • Fuzzing • Default Passwords http://null.co.in/ http://nullcon.net/
  • 23.
    VoIP – AttacksDemo • Identity – Caller ID Spoofing – Tools Used : • Metasploit- SIP_INVITE_Spoof • VoIP Fuzzer – Protos -Sip http://null.co.in/ http://nullcon.net/
  • 24.
    VoIP – AttacksDemo • Conversation Eavesdropping – Tools used : • Cain & Abel • Ettercap • Arpspoof • Wireshark http://null.co.in/ http://nullcon.net/
  • 25.
    VoIP – AttacksDemo • Man-In-The-Middle – Tools Used : • Wireshark • Arpspoof / ettercap • RTPInject • RTPmixsound http://null.co.in/ http://nullcon.net/
  • 26.
    VoIP – AttacksDemo • Password Cracking – Tools Used : • SIPDump • SIPCrack • svcrack http://null.co.in/ http://nullcon.net/
  • 27.
    VoIP - Attacks Some Default Passwords for VoIP Devices and Consoles: Device / Console Username Password Uniden UIP1868P VoIP - admin phone Web Interface Hitachi IP5000 VOIP WIFI - 0000 Phone 1.5.6 Vonage VoIP Telephone user user Adapter Grandstream Phones - Web Administrator /admin admin Adimistrator Interface user user •Asterisk Manager User Accounts are configured in /etc/asterisk/manager.conf http://null.co.in/ http://nullcon.net/
  • 28.
    VoIP – Audit& PenTest Tools • UCSniff • MetaSploit Modules : – Auxillary Modules • VoIPHopper • SIP enumerator  SIP Username enumerator • SIP enumerator_tcp  SIP USERNAME • Vomit Enumerator • VoIPong • Options  SIP scanner • Options_tcp  SIP scanner • IAX Flood • Asterisk_login  Asterisk Manager Login Utility – Exploits • InviteFlood • Aol_icq_downloadagent  AOL ICQ Arbitary File Downlowd • RTPFlood • Aim_triton_cseq AIM triton 1.0.4 CSeq Buffer Overflow • IAXFlood • Sipxezphone_cseq sipxezphone 0.35a Cseq Filed Overflow • BYE-TearDown • Sipxphone_cseq  sipxPhone 2.6.0.27 Cseq Buffer Overflow http://null.co.in/ http://nullcon.net/
  • 29.
    Countermeasures & Security • Separate Infrasrtucture • Do not integrate Data and VoIP Networks • VoIP-aware Firewalls, • Secure Protocols like SRTP, • Session Encryption using SIP/TLS, SCCP/TLS • Harden Network Security – IDS – IPS - NIPS http://null.co.in/ http://nullcon.net/
  • 30.
    Thank You See you all @ nullcon - Delhi http://null.co.in/ http://nullcon.net/

Editor's Notes

  • #5 IP Telephony - 1990
  • #30  Run all VoIP traffic through a separate Internet connection, separating voice and data into their own network segments (VLAN). Set up separate servers dedicated just to VoIP traffic and firewall them apart from the rest of your network. VoIP connections between different buildings use a Virtual Private Network (VPN) to authenticate users to prevent spoofing. Avoid use of cheap VoIP systems. Encrypt any VoIP traffic to keep it confidential and prevent eavesdropping by network sniffers. Put VoIP servers in a secure physical location. Make sure all routers and servers hosting your VoIP system have been hardened and all unnecessary services turned off and ports closed. Restrict access to VoIP servers to only system administrators and log and monitor all access. Use intrusion detection systems to monitor malicious attempts to access your VoIP network. Employ a defense-in-depth of strategy with multiple layers of security, including dedicated VoIP-ready firewalls. Test all devices that send, receive or parse VoIP protocols, including handsets, softphones, SIP proxies, H.323 gateways, call managers and firewalls that VoIP messages pass through.