SlideShare a Scribd company logo
VoIP Wars : Return of the SIP
Fatih Özavcı
Security Consultant @ Sense of Security (Australia)
www.senseofsecurity.com.au @fozavci
2
# whois
● Security Consultant @ Sense of Security (Australia)
● 10+ Years Experience in Penetration Testing
● 800+ Penetration Tests, 40+ Focused on NGN/VoIP
– SIP/NGN/VoIP Systems Penetration Testing
– Mobile Application Penetration Testing
– IPTV Penetration Testing
– Regular Stuff (Network Inf., Web, SOAP, Exploitation...)
● Author of Viproy VoIP Penetration Testing Kit
● Author of Hacking Trust Relationships Between SIP Gateways
● Blackhat Arsenal USA 2013 – Viproy VoIP Pen-Test Kit
● So, that's me
Viproy in Action
http://www.youtube.com/watch?v=1vDTujNVKGM
4
# traceroute
●
VoIP Networks are Insecure, but Why?
● Basic Attacks
– Discovery, Footprinting, Brute Force
– Initiating a Call, Spoofing, CDR and Billing Bypass
●
SIP Proxy Bounce Attack
● Fake Services and MITM
– Fuzzing Servers and Clients, Collecting Credentials
● (Distributed) Denial of Service
– Attacking SIP Soft Switches and SIP Clients, SIP Amplification Attack
● Hacking Trust Relationships of SIP Gateways
● Attacking SIP Clients via SIP Trust Relationships
● Fuzzing in Advance
● Out of Scope
– RTP Services and Network Tests, Management
– Additional Services
– XML/JSON Based Soap Services
5
# info
● SIP – Session Initiation Protocol
– Only Signalling, not for Call Transporting
– Extended with Session Discovery Protocol
● NGN – Next Generation Network
– Forget TDM and PSTN
– SIP, H.248 / Megaco, RTP, MSAN/MGW
– Smart Customer Modems & Phones
– Easy Management
– Security is NOT a Concern?!
● Next Generation! Because We Said So!
6
# SIP Services : Internal IP Telephony
INTERNET
SIP Server
Support Servers
SIP Clients
Factory/Campus
SIP over VPN
Commercial
Gateways
Analog/Digital PBX
7
# SIP Services : Commercial Services
INTERNETSoft Switch
(SIP Server)
VAS, CDR, DB Servers
MSAN/MGW
PSTN/ISDN Distributed
MPLS
3rd Party
Gateways
SDP Servers
Customers
RTP, Proxy
Servers
Mobile
8
# Administrators Think... Root Doesn't!
● Their VoIP Network Isolated
– Open Physical Access, Weak VPN or MPLS
● Abusing VoIP Requires Knowledge
– With Viproy, That's No Longer The Case!
● Most Attacks are Network Based or Toll Fraud
– DOS, DDOS, Attacking Mobile Clients, Spying
– Phishing, Surveliance, Abusing VAS Services
● VoIP Devices are Well-Configured
– Weak Passwords, Old Software, Vulnerable Protocols
9
# Viproy What?
● Viproy is a Vulcan-ish Word that means "Call"
● Viproy VoIP Penetration and Exploitation Kit
– Testing Modules for Metasploit, MSF License
– Old Techniques, New Approach
– SIP Library for New Module Development
– Custom Header Support, Authentication Support
– New Stuff for Testing: Trust Analyzer, Bounce Scan, Proxy etc
● Modules
– Options, Register, Invite, Message
– Brute Forcers, Enumerator
– SIP Trust Analyzer, Service Scanner
– SIP Proxy, Fake Service, DDOS Tester
10
# Basic Attacks
● We are looking for...
– Finding and Identifying SIP Services and Purposes
– Discovering Available Methods and Features
– Discovering SIP Software and Vulnerabilities
– Identifying Valid Target Numbers, Users, Realm
– Unauthenticated Registration (Trunk, VAS, Gateway)
– Brute Forcing Valid Accounts and Passwords
– Invite Without Registration
– Direct Invite from Special Trunk (IP Based)
– Invite Spoofing (After or Before Registration, Via Trunk)
● Viproy Pen-Testing Kit Could Automate Discovery
11
# Basic Attacks
Discovery
OPTIONS / REGISTER / INVITE / SUBSCRIBE
100 Trying
200 OK
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
Collecting Information from Response Headers
➔ User-Agent
➔ Server
➔ Realm
➔ Call-ID
➔ Record-Route
➔
➔ Warning
➔ P-Asserted-Identity
➔ P-Called-Party-ID
➔ P-Preferred-Identity
➔ P-Charging-Vector
Soft Switch
(SIP Server)
Clients
Gateways
12
# Basic Attacks
Register
REGISTER / SUBSCRIBE (From, To, Credentials)
200 OK
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
RESPONSE Depends on Informations in REQUEST
➔ Type of Request (REGISTER, SUBSCRIBE)
➔ FROM, TO, Credentials with Realm
➔ Via
Actions/Tests Depends on RESPONSE
➔ Brute Force (FROM, TO, Credentials)
➔ Detecting/Enumerating Special TOs, FROMs or Trunks
➔ Detecting/Enumerating Accounts With Weak or Null Passwords
➔ ….
Soft Switch
(SIP Server)
Clients
Gateways
13
# Basic Attacks
● this isn't the call you're looking for
● We are attacking for...
– Free Calling, Call Spoofing
– Free VAS Services, Free International Calling
– Breaking Call Barriers
– Spoofing with...
● Via Field, From Field
● P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity
● ISDN Calling Party Number, Remote-Party-ID
– Bypass with...
● P-Charging-Vector (Spoofing, Manipulating)
● Re-Invite, Update (Without/With P-Charging-Vector)
● Viproy Pen-Testing Kit Supports Custom Headers
14
# Basic Attacks
Invite, CDR and Billing Tests
Soft Switch
(SIP Server)
Clients
Gateways
INVITE/ACK/RE-INVITE/UPDATE (From, To, Credentials, VIA ...)
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
Actions/Tests Depends on RESPONSE
➔ Brute Force (FROM&TO) for VAS and Gateways
➔ Testing Call Limits, Unauthenticated Calls, CDR Management
➔ INVITE Spoofing for Restriction Bypass, Spying, Invoice
➔ ….
100 Trying
183 Session Progress
180 Ringing
200 OK
RESPONSE Depends on Informations in INVITE REQUEST
➔ FROM, TO, Credentials with Realm, FROM <>, TO <>
➔ Via, Record-Route
➔ Direct INVITE from Specific IP:PORT (IP Based Trunks)
15
# SIP Proxy Bounce Attack
● SIP Proxies Redirect Requests to Other SIP Servers
– We Can Access Them via SIP Proxy then We Can Scan
– We Can Scan Inaccessible Servers
– URI Field is Useful for This Scan
● Viproy Pen-Testing Kit Has a UDP Port Scan Module
16
# SIP Proxy Bounce Attack
The Wall
192.168.1.145 – Izmir
Production SIP Service
192.168.1.146
Ankara
White Walker
192.168.1.201
Adana
How Can We Use It?
● SIP Trust Relationship Attacks
● Attacking Inaccessible Servers
● Attacking SIP Software
– Software Version, Type
17
# Fake Services and MITM
● We Need a Fake Service
– Adding a Feature to Regular SIP Client
– Collecting Credentials
– Redirecting Calls
– Manipulating CDR or Billing Features
– Fuzzing Servers and Clients for Vulnerabilities
● Fake Service Should be Semi-Automated
– Communication Sequence Should be Defined
– Sending Bogus Request/Result to Client/Server
● Viproy Pen-Testing Kit Has a SIP Proxy and Fake Service
● Fuzzing Support of Fake Service is in Development Stage
18
# Fake Services and MITM
Usage of Proxy & Fake Server Features
Soft Switch
(SIP Server)
● Use ARP Spoof & VLAN Hopping & Manual Config
● Collect Credentials, Hashes, Information
● Change Client's Request to Add a Feature (Spoofing etc)
● Change the SDP Features to Redirect Calls
● Add a Proxy Header to Bypass Billing & CDR
● Manipulate Request at Runtime to find BOF Vulnerabilities
Clients
19
# DOS – It's Not Service, It's Money
● Locking All Customer Phones and Services for Blackmail
● Denial of Service Vulnerabilities of SIP Services
– Many Responses for Bogus Requests → DDOS
– Concurrent Registered User/Call Limits
– Voice Message Box, CDR, VAS based DOS Attacks
– Bye And Cancel Tests for Call Drop
– Locking All Accounts if Account Locking is Active for Multiple Fails
● Multiple Invite (After or Before Registration, Via Trunk)
– Calling All Numbers at Same Time
– Overloading SIP Server's Call Limits
– Calling Expensive Gateways,Targets or VAS From Customers
● Viproy Pen-Testing Kit Has a few DOS Features
20
# DDOS – All Your SIP Gateways Belong to Us !
● SIP Amplification Attack
+ SIP Servers Send Errors Many Times (10+)
+ We Can Send IP Spoofed Packets
+ SIP Servers Send Responses to Victim
=> 1 packet for 10+ Packets, ICMP Errors (Bonus)
● Viproy Pen-Testing Kit Has a PoC DDOS Module
● Can we use SIP Server's Trust ? -wait for it-
21
# DDOS – All Your SIP Gateways Belong to Us!
The Wall
192.168.1.201 – Izmir
Production SIP Service
192.168.1.202 – Ankara
Production SIP Service
Citadel
IP Spoofed Call Request
White Walker
The Wall
192.168.1.203 – Adana
Production SIP Service
22
# Hacking SIP Trust Relationships
● NGN SIP Services Trust Each Other
– Authentication and TCP are Slow, They Need Speed
– IP and Port Based Trust are Most Effective Way
● What We Need
– Target Number to Call (Cell Phone if Service is Public)
– Tech Magazine, Web Site Information, News
● Baby Steps
– Finding Trusted SIP Networks (Mostly B Class)
– Sending IP Spoofed Requests from Each IP:Port
– Each Call Should Contain IP:Port in "From" Section
– If We Have a Call, We Have The Trusted SIP Gateway IP and Port
– Brace Yourselves The Call is Coming
23
The Wall
# Hacking SIP Trust Relationships
Slow Motion
192.168.1.201 – Izmir
Production SIP Service
Ankara Istanbul
International Trusted Operator
IP Spoofed Call Request
Contains IP:Port Data in From
White Walker
24
# Hacking SIP Trust Relationships
Brace Yourselves, The Call is Coming
192.168.1.201 – Izmir
Production SIP Service
White Walker
Ankara Istanbul
International Trusted Operator
IP Spoofed Call Request
Somebody Known in From
Come Again?
● Billing ?
● CDR ?
● Log ?
From
Citadel
The Wall
25
# Hacking SIP Trust Relationships – Business Impact
● Denial of Service
– Short Message Service and Billing
– Calling All Numbers at Same Time
– Overloading SIP Server's Call Limits
– Overloading VAS Service or International Limits
– Overloading CDR Records with Spoofed Calls
● Attacking a Server Software
– Crashing/Exploiting Inaccesible Features
– Call Redirection (working on it, not yet :/)
● Attacking a Client?
– Next Slide!
26
# Attacking a Client via SIP Trust Relationships
● SIP Server Redirects a few Fields to Client
– FROM, FROM NAME, Contact
– Other Fields Depend on Server (SDP, MIME etc)
● Clients Have Buffer Overflow in FROM?
– Send 2000 Chars to Test it !
– Crash it or Execute your Command if Available
● Clients Trust SIP Servers and Trust is UDP Based
– This module can be used for Trust Between Client and Server
● Viproy Pen-Testing Kit SIP Trust Module
– Simple Fuzz Support (FROM=FUZZ 2000)
– You Can Modify it for Further Attacks
27
# Attacking a Client via SIP Trust Relationships
Brace Yourselves 550 Chars are Coming
192.168.1.201 – Izmir
Production SIP Service
White Walker
Ankara Istanbul
International Trusted Operator
IP Spoofed Call Request
550 Chars in From
CRASSSSH!
● Command?
● Why Not!
Bogus Invite
Request
The Wall
The Wall
AdorePhone Iphone App
28
# Fuzz Me Maybe
● Fuzzing as a SIP Client | SIP Server | Proxy | MITM
● SIP Server Software
● SIP Clients
– Hardware Devices, IP Phones, Video Conference Systems
– Desktop Application or Web Based Software
– Mobile Software
● Special SIP Devices/Software
– SIP Firewalls, ACL Devices, Proxies
– Connected SIP Trunks, 3rd Party Gateways
– MSAN/MGW
– Logging Software (Indirect)
– Special Products: Cisco, Alcatel, Avaya, Huawei, ZTE...
29
# Old School Fuzzing
● Request Fuzzing
– SDP Features
– MIME Type Fuzzing
● Response Fuzzing
– Authentication, Bogus Messages, Redirection
● Static vs Stateful
● How about Smart Fuzzing
– Missing State Features (ACK,PHRACK,RE-INVITE,UPDATE)
– Fuzzing After Authentication (Double Account, Self-Call)
– Response Fuzzing (Before or After Authentication)
– Missing SIP Features (IP Spoofing for SIP Trunks, Proxy Headers)
– Numeric Fuzzing for Services is NOT Memory Corruption
– Dial Plan Fuzzing, VAS Fuzzing
30
# How Viproy Pen-Testing Kit Helps Fuzzing Tests
● Skeleton for Feature Fuzzing, NOT Only SIP Protocol
● Multiple SIP Service Initiation
– Call Fuzzing in Many States, Response Fuzzing
● Integration With Other Metasploit Features
– Fuzzers, Encoding Support, Auxiliaries, Immortality etc.
● Custom Header Support
– Future Compliance, Vendor Specific Extensions, VAS
● Raw Data Send Support (Useful with External Static Tools)
● Authentication Support
– Authentication Fuzzing, Custom Fuzzing with Authentication
● Less Code, Custom Fuzzing, State Checks
● Some Features (Fuzz Library, SDP) are Coming Soon
31
# Fuzzing SIP Services
Request Based
OPTIONS/REGISTER/SUBSCRIBE/INVITE/ACK/RE-INVITE/UPDATE....
Soft Switch
(SIP Server)
Gateways
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
Fuzzing Targets, REQUEST Fields
➔ Request Type, Protocol, Description
➔ Via, Branch, Call-ID, From, To, Cseq, Contact, Record-Route
➔ Proxy Headers, P-*-* (P-Asserted-Identity, P-Charging-Vector...)
➔ Authentication in Various Requests (User, Pass, Realm, Nonce)
➔ Content-Type, Content-Lenth
➔ SDP Information Fields
➔ ISUP Fields
100 Trying
183 Session Progress
180 Ringing
200 OK
Clients
32
# Fuzzing SIP Services
Response Based
OPTIONS
Soft Switch
(SIP Server)
Gateways
INVITE/ACK
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
100 Trying
183 Session Progress
180 Ringing
200 OK
INVITE Myself / INVITE I'm Proxy
MALICOUS RESPONSE
MALICOUS RESPONSE
Potential RESPONSE Types for Fuzzing
Clients
SIP Bounce Attack, Hacking SIP Trust, Attacking Mobile Apps
http://www.youtube.com/watch?v=bSg3tAkh5gA
34
References
● Viproy VoIP Penetration and Exploitation Kit
Author : http://viproy.com/fozavci
Homepage : http://viproy.com/voipkit
Github : http://www.github.com/fozavci/viproy-voipkit
● Attacking SIP Servers Using Viproy VoIP Kit (50 mins)
https://www.youtube.com/watch?v=AbXh_L0-Y5A
● Hacking Trust Relationships Between SIP Gateways (PDF)
http://viproy.com/files/siptrust.pdf
● VoIP Pen-Test Environment – VulnVoIP
http://www.rebootuser.com/?cat=371
35
Special Thanks to...
Special Ones
● Konca Ozavci
● Kadir Altan
● Anil Pazvant
Suggestions & Guidelines & Support
● Paul Henry
● Mark Collier
● Jason Olstrom
● Jesus Perez Rubio
Q ?
Thanks

More Related Content

What's hot

VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
Fatih Ozavci
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To Know
Dan York
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problems
seanhn
 
Voip security
Voip securityVoip security
Voip security
Shethwala Ridhvesh
 
Introduction to VoIP Security
Introduction to VoIP SecurityIntroduction to VoIP Security
Introduction to VoIP Security
n|u - The Open Security Community
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.
Sumutiu Marius
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
pseudor00t overflow
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshop
Felipe Prado
 
VoIP Security
VoIP SecurityVoIP Security
VoIP Security
Dayanand Prabhakar
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting Started
Alan Percy
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communications
sbwahid
 
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Alan Percy
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical Overview
PrivateWave Italia SpA
 
Scaling Open Source Applications with SBCs
Scaling Open Source Applications with SBCsScaling Open Source Applications with SBCs
Scaling Open Source Applications with SBCs
Alan Percy
 
VOIP security
VOIP securityVOIP security
VOIP security
Rohit Gurjar
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09  Suhas  Desai  Secure  Your  Vo I P  Network With  Open  SourceI N T E R O P09  Suhas  Desai  Secure  Your  Vo I P  Network With  Open  Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
Suhas Desai
 
Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)
SI3D systems
 
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Encryption
 
IP PBX
IP PBXIP PBX
IP PBX
Rajesh Erri
 

What's hot (20)

VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To Know
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problems
 
Voip security
Voip securityVoip security
Voip security
 
Introduction to VoIP Security
Introduction to VoIP SecurityIntroduction to VoIP Security
Introduction to VoIP Security
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshop
 
VoIP Security
VoIP SecurityVoIP Security
VoIP Security
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting Started
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communications
 
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical Overview
 
Scaling Open Source Applications with SBCs
Scaling Open Source Applications with SBCsScaling Open Source Applications with SBCs
Scaling Open Source Applications with SBCs
 
VOIP security
VOIP securityVOIP security
VOIP security
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09  Suhas  Desai  Secure  Your  Vo I P  Network With  Open  SourceI N T E R O P09  Suhas  Desai  Secure  Your  Vo I P  Network With  Open  Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
 
Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)
 
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice Encryption
 
IP PBX
IP PBXIP PBX
IP PBX
 

Similar to VoIP Wars : Return of the SIP

Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Priyanka Aash
 
The Role of SBC in Fraud Protection
The Role of SBC in Fraud ProtectionThe Role of SBC in Fraud Protection
The Role of SBC in Fraud Protection
Alan Percy
 
The Role of SBCs in Fraud Protection
The Role of SBCs in Fraud ProtectionThe Role of SBCs in Fraud Protection
The Role of SBCs in Fraud Protection
TelcoBridges Inc.
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraud
Flavio Eduardo de Andrade Goncalves
 
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP SecurityPLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PROIDEA
 
VoIP security
VoIP securityVoIP security
VoIP security
Mile Blenton
 
Netas Nova Cyber Security Product Family
Netas Nova Cyber Security Product FamilyNetas Nova Cyber Security Product Family
Netas Nova Cyber Security Product Family
Cagdas Tanriover
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
Warren Bent
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
Warren Bent
 
Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2
George Wahome
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
Tarek Kalaji
 
Wi-Fi Hotspot With Facebook - Barcamp Macau 2014
Wi-Fi Hotspot With Facebook - Barcamp Macau 2014Wi-Fi Hotspot With Facebook - Barcamp Macau 2014
Wi-Fi Hotspot With Facebook - Barcamp Macau 2014
kentsi
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
Positive Hack Days
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CloudIDSummit
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
BAKOTECH
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
BAKOTECH
 
How to protect your business telephony from cyber attacks - webinar 2017, Eng...
How to protect your business telephony from cyber attacks - webinar 2017, Eng...How to protect your business telephony from cyber attacks - webinar 2017, Eng...
How to protect your business telephony from cyber attacks - webinar 2017, Eng...
Askozia
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay alive
DefconRussia
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
qqlan
 
Payment card for dummies sddc presentation @buet
Payment card for dummies sddc presentation @buetPayment card for dummies sddc presentation @buet
Payment card for dummies sddc presentation @buet
Saidur Sujon
 

Similar to VoIP Wars : Return of the SIP (20)

Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
 
The Role of SBC in Fraud Protection
The Role of SBC in Fraud ProtectionThe Role of SBC in Fraud Protection
The Role of SBC in Fraud Protection
 
The Role of SBCs in Fraud Protection
The Role of SBCs in Fraud ProtectionThe Role of SBCs in Fraud Protection
The Role of SBCs in Fraud Protection
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraud
 
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP SecurityPLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
 
VoIP security
VoIP securityVoIP security
VoIP security
 
Netas Nova Cyber Security Product Family
Netas Nova Cyber Security Product FamilyNetas Nova Cyber Security Product Family
Netas Nova Cyber Security Product Family
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
 
Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Wi-Fi Hotspot With Facebook - Barcamp Macau 2014
Wi-Fi Hotspot With Facebook - Barcamp Macau 2014Wi-Fi Hotspot With Facebook - Barcamp Macau 2014
Wi-Fi Hotspot With Facebook - Barcamp Macau 2014
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
 
How to protect your business telephony from cyber attacks - webinar 2017, Eng...
How to protect your business telephony from cyber attacks - webinar 2017, Eng...How to protect your business telephony from cyber attacks - webinar 2017, Eng...
How to protect your business telephony from cyber attacks - webinar 2017, Eng...
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay alive
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
 
Payment card for dummies sddc presentation @buet
Payment card for dummies sddc presentation @buetPayment card for dummies sddc presentation @buet
Payment card for dummies sddc presentation @buet
 

More from Fatih Ozavci

Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik Denetimi
Fatih Ozavci
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi Koruyun
Fatih Ozavci
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeFatih Ozavci
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
Fatih Ozavci
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiFatih Ozavci
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Fatih Ozavci
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarFatih Ozavci
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriFatih Ozavci
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiFatih Ozavci
 

More from Fatih Ozavci (11)

Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik Denetimi
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi Koruyun
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik Denetimi
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit Gelistirme
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur Yazilimlar
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri Yontemleri
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik Denetimi
 

Recently uploaded

HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 

Recently uploaded (20)

HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 

VoIP Wars : Return of the SIP

  • 1. VoIP Wars : Return of the SIP Fatih Özavcı Security Consultant @ Sense of Security (Australia) www.senseofsecurity.com.au @fozavci
  • 2. 2 # whois ● Security Consultant @ Sense of Security (Australia) ● 10+ Years Experience in Penetration Testing ● 800+ Penetration Tests, 40+ Focused on NGN/VoIP – SIP/NGN/VoIP Systems Penetration Testing – Mobile Application Penetration Testing – IPTV Penetration Testing – Regular Stuff (Network Inf., Web, SOAP, Exploitation...) ● Author of Viproy VoIP Penetration Testing Kit ● Author of Hacking Trust Relationships Between SIP Gateways ● Blackhat Arsenal USA 2013 – Viproy VoIP Pen-Test Kit ● So, that's me
  • 4. 4 # traceroute ● VoIP Networks are Insecure, but Why? ● Basic Attacks – Discovery, Footprinting, Brute Force – Initiating a Call, Spoofing, CDR and Billing Bypass ● SIP Proxy Bounce Attack ● Fake Services and MITM – Fuzzing Servers and Clients, Collecting Credentials ● (Distributed) Denial of Service – Attacking SIP Soft Switches and SIP Clients, SIP Amplification Attack ● Hacking Trust Relationships of SIP Gateways ● Attacking SIP Clients via SIP Trust Relationships ● Fuzzing in Advance ● Out of Scope – RTP Services and Network Tests, Management – Additional Services – XML/JSON Based Soap Services
  • 5. 5 # info ● SIP – Session Initiation Protocol – Only Signalling, not for Call Transporting – Extended with Session Discovery Protocol ● NGN – Next Generation Network – Forget TDM and PSTN – SIP, H.248 / Megaco, RTP, MSAN/MGW – Smart Customer Modems & Phones – Easy Management – Security is NOT a Concern?! ● Next Generation! Because We Said So!
  • 6. 6 # SIP Services : Internal IP Telephony INTERNET SIP Server Support Servers SIP Clients Factory/Campus SIP over VPN Commercial Gateways Analog/Digital PBX
  • 7. 7 # SIP Services : Commercial Services INTERNETSoft Switch (SIP Server) VAS, CDR, DB Servers MSAN/MGW PSTN/ISDN Distributed MPLS 3rd Party Gateways SDP Servers Customers RTP, Proxy Servers Mobile
  • 8. 8 # Administrators Think... Root Doesn't! ● Their VoIP Network Isolated – Open Physical Access, Weak VPN or MPLS ● Abusing VoIP Requires Knowledge – With Viproy, That's No Longer The Case! ● Most Attacks are Network Based or Toll Fraud – DOS, DDOS, Attacking Mobile Clients, Spying – Phishing, Surveliance, Abusing VAS Services ● VoIP Devices are Well-Configured – Weak Passwords, Old Software, Vulnerable Protocols
  • 9. 9 # Viproy What? ● Viproy is a Vulcan-ish Word that means "Call" ● Viproy VoIP Penetration and Exploitation Kit – Testing Modules for Metasploit, MSF License – Old Techniques, New Approach – SIP Library for New Module Development – Custom Header Support, Authentication Support – New Stuff for Testing: Trust Analyzer, Bounce Scan, Proxy etc ● Modules – Options, Register, Invite, Message – Brute Forcers, Enumerator – SIP Trust Analyzer, Service Scanner – SIP Proxy, Fake Service, DDOS Tester
  • 10. 10 # Basic Attacks ● We are looking for... – Finding and Identifying SIP Services and Purposes – Discovering Available Methods and Features – Discovering SIP Software and Vulnerabilities – Identifying Valid Target Numbers, Users, Realm – Unauthenticated Registration (Trunk, VAS, Gateway) – Brute Forcing Valid Accounts and Passwords – Invite Without Registration – Direct Invite from Special Trunk (IP Based) – Invite Spoofing (After or Before Registration, Via Trunk) ● Viproy Pen-Testing Kit Could Automate Discovery
  • 11. 11 # Basic Attacks Discovery OPTIONS / REGISTER / INVITE / SUBSCRIBE 100 Trying 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Collecting Information from Response Headers ➔ User-Agent ➔ Server ➔ Realm ➔ Call-ID ➔ Record-Route ➔ ➔ Warning ➔ P-Asserted-Identity ➔ P-Called-Party-ID ➔ P-Preferred-Identity ➔ P-Charging-Vector Soft Switch (SIP Server) Clients Gateways
  • 12. 12 # Basic Attacks Register REGISTER / SUBSCRIBE (From, To, Credentials) 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error RESPONSE Depends on Informations in REQUEST ➔ Type of Request (REGISTER, SUBSCRIBE) ➔ FROM, TO, Credentials with Realm ➔ Via Actions/Tests Depends on RESPONSE ➔ Brute Force (FROM, TO, Credentials) ➔ Detecting/Enumerating Special TOs, FROMs or Trunks ➔ Detecting/Enumerating Accounts With Weak or Null Passwords ➔ …. Soft Switch (SIP Server) Clients Gateways
  • 13. 13 # Basic Attacks ● this isn't the call you're looking for ● We are attacking for... – Free Calling, Call Spoofing – Free VAS Services, Free International Calling – Breaking Call Barriers – Spoofing with... ● Via Field, From Field ● P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity ● ISDN Calling Party Number, Remote-Party-ID – Bypass with... ● P-Charging-Vector (Spoofing, Manipulating) ● Re-Invite, Update (Without/With P-Charging-Vector) ● Viproy Pen-Testing Kit Supports Custom Headers
  • 14. 14 # Basic Attacks Invite, CDR and Billing Tests Soft Switch (SIP Server) Clients Gateways INVITE/ACK/RE-INVITE/UPDATE (From, To, Credentials, VIA ...) 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Actions/Tests Depends on RESPONSE ➔ Brute Force (FROM&TO) for VAS and Gateways ➔ Testing Call Limits, Unauthenticated Calls, CDR Management ➔ INVITE Spoofing for Restriction Bypass, Spying, Invoice ➔ …. 100 Trying 183 Session Progress 180 Ringing 200 OK RESPONSE Depends on Informations in INVITE REQUEST ➔ FROM, TO, Credentials with Realm, FROM <>, TO <> ➔ Via, Record-Route ➔ Direct INVITE from Specific IP:PORT (IP Based Trunks)
  • 15. 15 # SIP Proxy Bounce Attack ● SIP Proxies Redirect Requests to Other SIP Servers – We Can Access Them via SIP Proxy then We Can Scan – We Can Scan Inaccessible Servers – URI Field is Useful for This Scan ● Viproy Pen-Testing Kit Has a UDP Port Scan Module
  • 16. 16 # SIP Proxy Bounce Attack The Wall 192.168.1.145 – Izmir Production SIP Service 192.168.1.146 Ankara White Walker 192.168.1.201 Adana How Can We Use It? ● SIP Trust Relationship Attacks ● Attacking Inaccessible Servers ● Attacking SIP Software – Software Version, Type
  • 17. 17 # Fake Services and MITM ● We Need a Fake Service – Adding a Feature to Regular SIP Client – Collecting Credentials – Redirecting Calls – Manipulating CDR or Billing Features – Fuzzing Servers and Clients for Vulnerabilities ● Fake Service Should be Semi-Automated – Communication Sequence Should be Defined – Sending Bogus Request/Result to Client/Server ● Viproy Pen-Testing Kit Has a SIP Proxy and Fake Service ● Fuzzing Support of Fake Service is in Development Stage
  • 18. 18 # Fake Services and MITM Usage of Proxy & Fake Server Features Soft Switch (SIP Server) ● Use ARP Spoof & VLAN Hopping & Manual Config ● Collect Credentials, Hashes, Information ● Change Client's Request to Add a Feature (Spoofing etc) ● Change the SDP Features to Redirect Calls ● Add a Proxy Header to Bypass Billing & CDR ● Manipulate Request at Runtime to find BOF Vulnerabilities Clients
  • 19. 19 # DOS – It's Not Service, It's Money ● Locking All Customer Phones and Services for Blackmail ● Denial of Service Vulnerabilities of SIP Services – Many Responses for Bogus Requests → DDOS – Concurrent Registered User/Call Limits – Voice Message Box, CDR, VAS based DOS Attacks – Bye And Cancel Tests for Call Drop – Locking All Accounts if Account Locking is Active for Multiple Fails ● Multiple Invite (After or Before Registration, Via Trunk) – Calling All Numbers at Same Time – Overloading SIP Server's Call Limits – Calling Expensive Gateways,Targets or VAS From Customers ● Viproy Pen-Testing Kit Has a few DOS Features
  • 20. 20 # DDOS – All Your SIP Gateways Belong to Us ! ● SIP Amplification Attack + SIP Servers Send Errors Many Times (10+) + We Can Send IP Spoofed Packets + SIP Servers Send Responses to Victim => 1 packet for 10+ Packets, ICMP Errors (Bonus) ● Viproy Pen-Testing Kit Has a PoC DDOS Module ● Can we use SIP Server's Trust ? -wait for it-
  • 21. 21 # DDOS – All Your SIP Gateways Belong to Us! The Wall 192.168.1.201 – Izmir Production SIP Service 192.168.1.202 – Ankara Production SIP Service Citadel IP Spoofed Call Request White Walker The Wall 192.168.1.203 – Adana Production SIP Service
  • 22. 22 # Hacking SIP Trust Relationships ● NGN SIP Services Trust Each Other – Authentication and TCP are Slow, They Need Speed – IP and Port Based Trust are Most Effective Way ● What We Need – Target Number to Call (Cell Phone if Service is Public) – Tech Magazine, Web Site Information, News ● Baby Steps – Finding Trusted SIP Networks (Mostly B Class) – Sending IP Spoofed Requests from Each IP:Port – Each Call Should Contain IP:Port in "From" Section – If We Have a Call, We Have The Trusted SIP Gateway IP and Port – Brace Yourselves The Call is Coming
  • 23. 23 The Wall # Hacking SIP Trust Relationships Slow Motion 192.168.1.201 – Izmir Production SIP Service Ankara Istanbul International Trusted Operator IP Spoofed Call Request Contains IP:Port Data in From White Walker
  • 24. 24 # Hacking SIP Trust Relationships Brace Yourselves, The Call is Coming 192.168.1.201 – Izmir Production SIP Service White Walker Ankara Istanbul International Trusted Operator IP Spoofed Call Request Somebody Known in From Come Again? ● Billing ? ● CDR ? ● Log ? From Citadel The Wall
  • 25. 25 # Hacking SIP Trust Relationships – Business Impact ● Denial of Service – Short Message Service and Billing – Calling All Numbers at Same Time – Overloading SIP Server's Call Limits – Overloading VAS Service or International Limits – Overloading CDR Records with Spoofed Calls ● Attacking a Server Software – Crashing/Exploiting Inaccesible Features – Call Redirection (working on it, not yet :/) ● Attacking a Client? – Next Slide!
  • 26. 26 # Attacking a Client via SIP Trust Relationships ● SIP Server Redirects a few Fields to Client – FROM, FROM NAME, Contact – Other Fields Depend on Server (SDP, MIME etc) ● Clients Have Buffer Overflow in FROM? – Send 2000 Chars to Test it ! – Crash it or Execute your Command if Available ● Clients Trust SIP Servers and Trust is UDP Based – This module can be used for Trust Between Client and Server ● Viproy Pen-Testing Kit SIP Trust Module – Simple Fuzz Support (FROM=FUZZ 2000) – You Can Modify it for Further Attacks
  • 27. 27 # Attacking a Client via SIP Trust Relationships Brace Yourselves 550 Chars are Coming 192.168.1.201 – Izmir Production SIP Service White Walker Ankara Istanbul International Trusted Operator IP Spoofed Call Request 550 Chars in From CRASSSSH! ● Command? ● Why Not! Bogus Invite Request The Wall The Wall AdorePhone Iphone App
  • 28. 28 # Fuzz Me Maybe ● Fuzzing as a SIP Client | SIP Server | Proxy | MITM ● SIP Server Software ● SIP Clients – Hardware Devices, IP Phones, Video Conference Systems – Desktop Application or Web Based Software – Mobile Software ● Special SIP Devices/Software – SIP Firewalls, ACL Devices, Proxies – Connected SIP Trunks, 3rd Party Gateways – MSAN/MGW – Logging Software (Indirect) – Special Products: Cisco, Alcatel, Avaya, Huawei, ZTE...
  • 29. 29 # Old School Fuzzing ● Request Fuzzing – SDP Features – MIME Type Fuzzing ● Response Fuzzing – Authentication, Bogus Messages, Redirection ● Static vs Stateful ● How about Smart Fuzzing – Missing State Features (ACK,PHRACK,RE-INVITE,UPDATE) – Fuzzing After Authentication (Double Account, Self-Call) – Response Fuzzing (Before or After Authentication) – Missing SIP Features (IP Spoofing for SIP Trunks, Proxy Headers) – Numeric Fuzzing for Services is NOT Memory Corruption – Dial Plan Fuzzing, VAS Fuzzing
  • 30. 30 # How Viproy Pen-Testing Kit Helps Fuzzing Tests ● Skeleton for Feature Fuzzing, NOT Only SIP Protocol ● Multiple SIP Service Initiation – Call Fuzzing in Many States, Response Fuzzing ● Integration With Other Metasploit Features – Fuzzers, Encoding Support, Auxiliaries, Immortality etc. ● Custom Header Support – Future Compliance, Vendor Specific Extensions, VAS ● Raw Data Send Support (Useful with External Static Tools) ● Authentication Support – Authentication Fuzzing, Custom Fuzzing with Authentication ● Less Code, Custom Fuzzing, State Checks ● Some Features (Fuzz Library, SDP) are Coming Soon
  • 31. 31 # Fuzzing SIP Services Request Based OPTIONS/REGISTER/SUBSCRIBE/INVITE/ACK/RE-INVITE/UPDATE.... Soft Switch (SIP Server) Gateways 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Fuzzing Targets, REQUEST Fields ➔ Request Type, Protocol, Description ➔ Via, Branch, Call-ID, From, To, Cseq, Contact, Record-Route ➔ Proxy Headers, P-*-* (P-Asserted-Identity, P-Charging-Vector...) ➔ Authentication in Various Requests (User, Pass, Realm, Nonce) ➔ Content-Type, Content-Lenth ➔ SDP Information Fields ➔ ISUP Fields 100 Trying 183 Session Progress 180 Ringing 200 OK Clients
  • 32. 32 # Fuzzing SIP Services Response Based OPTIONS Soft Switch (SIP Server) Gateways INVITE/ACK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error 100 Trying 183 Session Progress 180 Ringing 200 OK INVITE Myself / INVITE I'm Proxy MALICOUS RESPONSE MALICOUS RESPONSE Potential RESPONSE Types for Fuzzing Clients
  • 33. SIP Bounce Attack, Hacking SIP Trust, Attacking Mobile Apps http://www.youtube.com/watch?v=bSg3tAkh5gA
  • 34. 34 References ● Viproy VoIP Penetration and Exploitation Kit Author : http://viproy.com/fozavci Homepage : http://viproy.com/voipkit Github : http://www.github.com/fozavci/viproy-voipkit ● Attacking SIP Servers Using Viproy VoIP Kit (50 mins) https://www.youtube.com/watch?v=AbXh_L0-Y5A ● Hacking Trust Relationships Between SIP Gateways (PDF) http://viproy.com/files/siptrust.pdf ● VoIP Pen-Test Environment – VulnVoIP http://www.rebootuser.com/?cat=371
  • 35. 35 Special Thanks to... Special Ones ● Konca Ozavci ● Kadir Altan ● Anil Pazvant Suggestions & Guidelines & Support ● Paul Henry ● Mark Collier ● Jason Olstrom ● Jesus Perez Rubio
  • 36. Q ?