VOIP WARS: THE PHREAKERS AWAKEN
Fatih Ozavci – @fozavci
Managing Consultant – Context Information Security
2
Fatih Ozavci, Managing Consultant
VoIP & phreaking
Mobile applications and devices
Network infrastructure
CPE, hardware and IoT hacking
Author of Viproy and VoIP Wars
Public speaker and trainer
• Blackhat, Defcon, HITB, AusCert, Troopers
3
Fundamentals
Design
Vulnerabilities
Practical
UC Attacks
UC and IMS fundamentals
Security issues and vulnerabilities
Practical attacks
Securing communication services
4
Audio Call
TDM
Alice
Bob
5
Alice
Signalling
Media
RTP Proxy
SIP Server
Bob
6
Alice
Signalling
Media
RTP Proxy
SIP Server
Bob
7
Alice
Signalling
Media
RTP Proxy
SIP Server
Bob
8
1- REGISTER
1- 200 OK
2- INVITE SDP/XML
2- 100 Trying
3- INVITE SDP/XML
3- 200 OK SDP/XML
4- ACK
4- 200 OK SDP/XML
RTP
SIP Server
Phone A
Phone B
RTP Proxy
RTP Proxy
SIP Headers
• Caller ID
• Billing
SIP Content
• SDP
• Enc. Keys
RTP Content
• Audio/Video
• File sharing
• RDP
9
10
11
VoIP Server
Windows Server
Office Server
Active Directory
Virtual Machines
[Figure: Cisco IP Phone 7970 Series]
12
SIP & Media Server
Database Server
Tenant Services
Management Applications
Client Applications
PBX
Shared Services
[Figure: Cisco IP Phone 7970 Series]
13
Edge Server sky.com
Edge Server kenobi.com
DNS Server
DNS / SRV
DNS / SRV
SIP / RTP
Kenobi Corp
Phone X x@kenobi.com
VoIP Server
Windows Server
Office Server
Active Directory
Virtual Machines
Phone A a@sky.com
Skywalker Corp
Phone B b@sky.com
Phone C c@sky.com
14
Call Session Control Function (P-CSCF, S-CSCF, I-CSCF)
VoLTE/LTE Infrastructure
Mobile Subscribers
UC/VoIP Subscribers
Session Border Controller (SBC)
Session Border Controller (SBC)
ACCESS NETWORK / CORE NETWORK / ACCESS NETWORK
Application Server (AS)
Home Subscriber Server (HSS)
Media Resource Function MRFC / MRFP
15
Inter-vendor security issues
INSUFFICIENT client management
Missing client monitoring
Missing software updates
NO SIP/SDP or message filtering
Centralised attack deployment
Internal trust relationships
Meeting and conferencing options
Flexible collaboration options
16
Content transferred to clients
SIP/SDP content (e.g. format, codecs)
Rich messaging (e.g. rtf, html, audio)
Unified messaging
Injecting files, XSS, phishing, RCE
File transfers, embedded content
Communication subsystem
Call or SIP headers
Rarely secured protocols (e.g. MSRP)
17
Engage through a first contact point
UC messaging, conference invitation, courtesy phones
Combine old and new techniques
Use UC for malicious activities (e.g. MS-RTASPF)
18
Red Teaming Exercises
Courtesy phones, conference rooms, media gateways
Human Factor Testing
Vishing, smishing, instant messaging, UC exploits
Infrastructure Analysis
Toll fraud, caller ID spoofing, TDoS/DDoS
Application Security Assessments
Management portals, self-care portals
WebRTC, VoIP/UC apps, IVR software
19
Service requirements
Cloud, subscriber services, IMS
Billing, recordings, CDR, encryption
Trusted servers and gateways
SIP proxies, federations, SBCs
SIP headers used (e.g. ID, billing)
Tele/Video conference settings
Analyse the encryption design
SIP/(M)TLS, SRTP (SDES, ZRTP, MIKEY)
20
SIP header analysis
• Caller ID spoofing, billing bypass
Communication types allowed
• File transfer, RDP, MSRP, teleconference
Message content-types allowed
• XSS, corrupted RTF, HTML5, images
Conference and collaboration
Fuzzing clients and servers
• SIP headers, SDP content, file types
• Combine with known attacks
21
Attacks with NO user interaction
Calls with caller ID spoofing
Fake IVR, social engineering
Messages with caller ID spoofing
Smishing (e.g. fake software update)
Injected XSS, file-type exploits
Bogus content-types or messages
Meetings, multi-callee events
Attacking infrastructure
Raspberry PI with PoE, Eavesdropping
22
Unified Communication Solutions
• Cisco Hosted Collaboration Suite
• Microsoft Skype for Business (a.k.a. Lync)
• Free software (e.g. Kamailio, OpenIMS)
• Other vendors (Avaya, Alcatel, Huawei)
Attacking through
• Signalling services
• Messaging, voicemail and conference system
• Cloud management and billing
• Authorisation scheme
• Client services (self-care, IP phone services)
23
Vulnerable CPE
Credential extraction
Attacking through embedded devices
Insecurely located distributors
Hardware hacking, eavesdropping
SIP header manipulation for toll fraud
Attacking legacy systems (e.g. Nortel?)
Voicemail hijacking
24
Analysing encryption design
Implementation (e.g. SRTP, SIP/TLS)
Inter-vendor SRTP key exchange
Privacy and PCI compliance
Network segregation
IVR recordings (e.g. RTP events)
Eavesdropping
Call recordings security
25
Inter-vendor services design
Network and service segregation
*CSCF locations, SBC services used
VoLTE design, application services
SIP headers are very sensitive
Internal trust relationships
Filtered/Ignored SIP headers
Caller ID spoofing, Billing bypass
Encryption design (SIP, SRTP, MSRP)
26
Viproy VoIP Penetration Testing Kit (v4)
VoIP modules for Metasploit Framework
SIP, Skinny and MSRP services
SIP authentication, fuzzing, business logic tests
Cisco CUCDM exploits, trust analyser...
Viproxy MITM Security Analyser (v3)
A standalone Metasploit Framework module
Supports TCP/TLS interception with custom TLS certs
Provides a command console to analyse custom protocols
27
Cloud communications
SIP header tests, caller ID spoofing,
Billing bypass, hijacking IP phones
Signalling services
Attacking tools for SIP and Skinny
Advanced SIP attacks
• Proxy bounce, SIP trust hacking
• Custom headers, custom message-types
UC tests w/ Viproxy + Real Client
28
SIGNALLING / MESSAGING
• SDP / XML
• SIP Headers
• XMPP
• MSRP
CONTENT
• Message types (HTML, RTF, Docs)
• File types (Docs, Codecs)
• Caller ID Spoofing
• DoS / TDoS / Robocalls, Smishing
FORWARDED REQUESTS
• Call Settings
• Message Content
NO USER INTERACTION
• Call request parsing
• Message content parsing
• 3rd party libraries reachable
29
31
Unified Messaging
Message types (e.g. rtf, html, images)
Message content (e.g. JavaScript)
File transfers and sharing features
Code or script execution (e.g. SFB)
Encoding (e.g. Base64, Charset)
Various protocols
MSRP, XMPP, SIP/MESSAGE
Combining other attacks
32
MANIPULATE SIP CONTENT
INJECT MALICIOUS SUBJECTS
SEND PHISHING MESSAGES
Skype for Business
Attacker’s Client
Viproxy
Interactive Console
HACME 1
HACME 2
HACME 3
Attacker’s Client
TLS / Proxy
Certificate
Compression
Console
Enabling Features
Content Injection
Security Bypass
34
UC content forwarded to UC clients (NO interaction)
SIP INVITE headers
Message content
SIP/SDP content
Office 365
Federations
*MS15-123
Skype for Business
Attacker’s Client Viproxy Skype for
Business Server
Changed Request
Forwarded
Request
Call Request
35
URL filter bypass via JavaScript
<script>var u1="ht"; u2="tp"; u3="://";o="w"; k="."; i="";
u4=i.concat(o,o,o,k);
window.location=u1+u2+u3+u4+"viproy.com"</script>
Script execution via SIP messages
<script>window.location="viproy.com"</script>
Script execution via SIP headers
Ms-IM-Format: text/html; charset=UTF-8; ms-body=PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cudmlwcm95LmNvbSI8L3NjcmlwdD4=
36
Attacking through a PBX or proxy
Sending a meeting request
Using a CUSTOM SIP header
Waiting for the shells
Viproy Skype for Business
Server
SIP PBX Server
Forwarded Meeting
Request
Meeting Request
(Attack in SIP headers)
PRIVATE NETWORK
Forwarded
Requests
38
Secure design
Enforce security via SBCs
Messaging, SIP headers, meetings…
Enforce authentication
Secure inter-vendor configuration
Protect the legacy systems
Protect the clients
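
Added example (not from the original slides or from Viproy): a sketch of the content check an SBC or SIP proxy could apply before forwarding messages to UC clients, covering the Ms-IM-Format ms-body header and the HTML message body shown on slide 35. The function names, the active-content pattern and all sample messages except the ms-body value quoted from the slide are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Markup that makes a client execute or navigate rather than just render text.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|<\s*(?:iframe|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def parse_sip(raw):
    """Return (start_line, [(lowercased name, value)], body); unfolds wrapped headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:       # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def split_params(value):
    """'text/html; charset=UTF-8; ms-body=AAA=' -> ('text/html', {'charset': ..., ...})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")           # first '=' only: base64
        if sep:                                       # padding also uses '='
            params[key.strip().lower()] = val.strip().strip('"')
    return parts[0].lower(), params


def decode_ms_body(params):
    """Decode the base64 ms-body parameter; None if absent, binascii.Error if invalid."""
    if "ms-body" not in params:
        return None
    compact = re.sub(r"\s+", "", params["ms-body"])
    data = base64.b64decode(compact, validate=True)
    try:
        return data.decode(params.get("charset", "utf-8"), errors="replace")
    except LookupError:                               # unknown charset label
        return data.decode("utf-8", errors="replace")


def inspect_sip(raw):
    """Return a list of (location, reason) findings; an empty list means forward."""
    _, headers, body = parse_sip(raw)
    findings = []
    content_type = ""
    for name, value in headers:
        if name == "content-type":
            content_type = split_params(value)[0]
        if name != "ms-im-format":
            continue
        try:
            text = decode_ms_body(split_params(value)[1])
        except binascii.Error:
            findings.append(("Ms-IM-Format", "ms-body is not valid base64"))
            continue
        if text and ACTIVE_CONTENT.search(text):
            findings.append(("Ms-IM-Format", "active content in decoded ms-body"))
    if content_type in HTML_TYPES and ACTIVE_CONTENT.search(body):
        findings.append(("body", "active content in " + content_type + " body"))
    return findings


def build(extra_headers, body=""):
    """Constructed SIP MESSAGE used only as sample input for this example."""
    base = ["MESSAGE sip:bob@example.test SIP/2.0",
            "From: <sip:alice@example.test>;tag=1",
            "To: <sip:bob@example.test>",
            "Call-ID: constructed-sample",
            "CSeq: 1 MESSAGE"]
    head = base + extra_headers + ["Content-Length: %d" % len(body)]
    return "\r\n".join(head) + "\r\n\r\n" + body


# ms-body value as quoted on slide 35, here carried on a folded header line.
PAGE_MS_BODY = ("PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cudmlw"
                "cm95LmNvbSI8L3NjcmlwdD4=")
HEADER_CASE = build(["Ms-IM-Format: text/html; charset=UTF-8;",
                     " ms-body=" + PAGE_MS_BODY])
# Constructed body that assembles its URL at runtime, so no literal URL is present.
BODY_CASE = build(["Content-Type: text/html; charset=UTF-8"],
                  '<script>var a="ht",b="tp";window.location=a+b+"://example.test"</script>')
BENIGN = build(["Content-Type: text/plain",
                "Ms-IM-Format: text/html; charset=UTF-8; ms-body="
                + base64.b64encode(b"<b>lunch?</b>").decode()], "lunch?")
MALFORMED = build(["Ms-IM-Format: text/html; ms-body=%%%not-base64%%%"])

if __name__ == "__main__":
    for label, msg in [("header", HEADER_CASE), ("body", BODY_CASE),
                       ("benign", BENIGN), ("malformed", MALFORMED)]:
        print(label, inspect_sip(msg))
```

The check keys on script-capable markup instead of URL strings, which is why the runtime-assembled URL in the body sample is still flagged.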
39
Securing Unified Communications (UC) is NOT
just securing VoIP.
Brace yourselves, VoIP/UC attacks are coming.
#TaylorYourCommunicationSecurity !
40
Viproy VoIP Penetration Testing Kit
http://www.viproy.com
Context Information Security
http://www.contextis.com
QUESTIONS?
THANKS!

VoIP Wars: The Phreakers Awaken

  • 1. VOIP WARS: THE PHREAKERS AWAKEN Fatih Ozavci – @fozavci Managing Consultant – Context Information Security
  • 2. 2 Fatih Ozavci, Managing Consultant VoIP & phreaking Mobile applications and devices Network infrastructure CPE, hardware and IoT hacking Author of Viproy and VoIP Wars Public speaker and trainer  Blackhat, Defcon, HITB, AusCert, Troopers
  • 3. 3 Fundamentals Design Vulnerabilities Practical UC Attacks UC and IMS fundamentals Security issues and vulnerabilities Practical attacks Securing communication services
  • 8. 8 1- REGISTER 1- 200 OK 2- INVITE SDP/XML 2- 100 Trying 3- INVITE SDP/XML 3- 200 OK SDP/XML 4- ACK RTP RTP 4- 200 OK SDP/XML SIP Server Phone A Phone BRTP Proxy RTP Proxy RTP SIP Headers • Caller ID • Billing SIP Content • SDP • Enc. Keys RTP Content • Audio/Video • File sharing • RDP
  • 9. 9
  • 10. 10
  • 12. 12 SIP & Media Server Database Server Tenant Services Management Applications Client Applications PBX Shared Services 1 2 ABC 3 DEF 4 5 JKL 6 MNOGHI 7 8 TUV 9 WXYZPQRS * 0 OPER # ? + - CISCO IP PHONE 7970 SERIES
  • 13. 13 Edge Server sky.com Edge Server kenobi.com DNS Server DNS / SRV DNS / SRV SIP / RTP Kenobi Corp Phone X x@kenobi.com VoIP Server Windows Server Office Server Active Directory Virtual Machines Phone A a@sky.com Skywalker Corp Phone B b@sky.com Phone C c@sky.com
  • 14. 14 Call Session Control Function (P-CSCF, S-CSCF, I-CSCF) VoLTE/LTE Infrastructure Mobile Subscribers UC/VoIP Subscribers Session Border Controller (SBC) Session Border Controller (SBC) ACCESS NETWORK ACCESS NETWORKCORE NETWORK Application Server (AS) Home Subscriber Server (HSS) Media Resource Function MRFC / MRFP
  • 15. Inter-vendor security issues; INSUFFICIENT client management; Missing client monitoring; Missing software updates; NO SIP/SDP or message filtering; Centralised attack deployment; Internal trust relationships; Meeting and conferencing options; Flexible collaboration options.
  • 16. Content transferred to clients; SIP/SDP content (e.g. format, codecs); Rich messaging (e.g. rtf, html, audio); Unified messaging; Injecting files, XSS, phishing, RCE; File transfers, embedded content; Communication subsystem; Call or SIP headers; Rarely secured protocols (e.g. MSRP).
  • 17. Engage through a first contact point: UC messaging, conference invitation, courtesy phones. Combine old and new techniques. Use UC for malicious activities (e.g. MS-RTASPF).
  • 18. Red Teaming Exercises: courtesy phones, conference rooms, media gateways. Human Factor Testing: vishing, smishing, instant messaging, UC exploits. Infrastructure Analysis: toll fraud, caller ID spoofing, TDoS/DDoS. Application Security Assessments: management portals, self-care portals; WebRTC, VoIP/UC apps, IVR software.
  • 19. Service requirements; Cloud, subscriber services, IMS; Billing, recordings, CDR, encryption; Trusted servers and gateways; SIP proxies, federations, SBCs; SIP headers used (e.g. ID, billing); Tele/Video conference settings; Analyse the encryption design; SIP/(M)TLS, SRTP (SDES, ZRTP, MIKEY).
  • 20. SIP header analysis: caller ID spoofing, billing bypass. Communication types allowed: file transfer, RDP, MSRP, teleconference. Message content-types allowed: XSS, corrupted RTF, HTML5, images. Conference and collaboration. Fuzzing clients and servers: SIP headers, SDP content, file types; combine with known attacks.
  • 21. Attacks with NO user interaction; Calls with caller ID spoofing; Fake IVR, social engineering; Messages with caller ID spoofing; Smishing (e.g. fake software update); Injected XSS, file-type exploits; Bogus content-types or messages; Meetings, multi-callee events; Attacking infrastructure; Raspberry PI with PoE, Eavesdropping.
  • 22. Unified Communication Solutions: Cisco Hosted Collaboration Suite; Microsoft Skype for Business (a.k.a Lync); Free software (e.g. Kamailio, OpenIMS); Other vendors (Avaya, Alcatel, Huawei). Attacking through: Signalling services; Messaging, voicemail and conference system; Cloud management and billing; Authorisation scheme; Client services (self-care, IP phone services).
  • 23. Vulnerable CPE; Credential extraction; Attacking through embedded devices; Insecurely located distributors; Hardware hacking, eavesdropping; SIP header and manipulation for Toll Fraud; Attacking legacy systems (e.g. Nortel?); Voicemail hijacking.
  • 24. Analysing encryption design; Implementation (e.g. SRTP, SIP/TLS); Inter-vendor SRTP key exchange; Privacy and PCI compliance; Network segregation; IVR recordings (e.g. RTP events); Eavesdropping; Call recordings security.
  • 25. Inter-vendor services design; Network and service segregation; *CSCF locations, SBC services used; VoLTE design, application services; SIP headers are very sensitive; Internal trust relationships; Filtered/Ignored SIP headers; Caller ID spoofing, Billing bypass; Encryption design (SIP, SRTP, MSRP).
  • 26. Viproy VoIP Penetration Testing Kit (v4): VoIP modules for Metasploit Framework; SIP, Skinny and MSRP services; SIP authentication, fuzzing, business logic tests; Cisco CUCDM exploits, trust analyser... Viproxy MITM Security Analyser (v3): a standalone Metasploit Framework module; supports TCP/TLS interception with custom TLS certs; provides a command console to analyse custom protocols.
  • 27. Cloud communications: SIP header tests, caller ID spoofing, Billing bypass, hijacking IP phones. Signalling services: Attacking tools for SIP and Skinny. Advanced SIP attacks: Proxy bounce, SIP trust hacking; Custom headers, custom message-types. UC tests w/ Viproxy + Real Client.
  • 28. SIGNALLING / MESSAGING: SDP / XML; SIP Headers; XMPP; MSRP. CONTENT: Message types (HTML, RTF, Docs); File types (Docs, Codecs); Caller ID Spoofing; DoS / TDoS / Robocalls, Smishing. FORWARDED REQUESTS: Call Settings; Message Content. NO USER INTERACTION: Call request parsing; Message content parsing; 3rd party libraries reachable.
  • 31. Unified Messaging; Message types (e.g. rtf, html, images); Message content (e.g. JavaScript); File transfers and sharing features; Code or script execution (e.g. SFB); Encoding (e.g. Base64, Charset); Various protocols: MSRP, XMPP, SIP/MESSAGE; Combining other attacks.
  • 32. MANIPULATE SIP CONTENT; INJECT MALICIOUS SUBJECTS; SEND PHISHING MESSAGES. Diagram: Skype for Business; Attacker’s Client; Viproxy Interactive Console; HACME 1, HACME 2, HACME 3; Attacker’s Client; TLS / Proxy; Certificate; Compression; Console; Enabling Features; Content Injection; Security Bypass.
  • 34. UC content forwarded to UC clients (NO interaction): SIP INVITE headers; Message content; SIP/SDP content; Office 365 Federations. *MS15-123. Diagram: Skype for Business; Attacker’s Client; Viproxy; Skype for Business Server; Changed Request; Forwarded Request; Call Request.
  • 35. URL filter bypass via JavaScript: <script>var u1="ht"; u2="tp"; u3="://";o="w"; k="."; i=""; u4=i.concat(o,o,o,k); window.location=u1+u2+u3+u4+"viproy.com"</script> Script execution via SIP messages: <script>window.location="viproy.com"</script> Script execution via SIP headers: Ms-IM-Format: text/html; charset=UTF-8; ms-body=PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cudmlwcm95LmNvbSI8L3NjcmlwdD4=
  • 36. Attacking through a PBX or proxy; Sending a meeting request; Using a CUSTOM SIP header; Waiting for the shells. Diagram: Viproy; Skype for Business Server; SIP PBX Server; Forwarded Meeting Request; Meeting Request (Attack in SIP headers); PRIVATE NETWORK; Forwarded Requests.
  • 38. Secure design; Enforce security via SBCs: Messaging, SIP headers, meetings…; Enforce authentication; Secure inter-vendor configuration; Protect the legacy systems; Protect the clients.
  • 39. Securing Unified Communications (UC) is NOT just securing VoIP. Brace yourselves, VoIP/UC attacks are coming. #TaylorYourCommunicationSecurity !
  • 40. Viproy VoIP Penetration Testing Kit: http://www.viproy.com. Context Information Security: http://www.contextis.com
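
A defender-side check for the two delivery paths on slide 35 (markup in a text/html message body, and markup Base64-encoded in the ms-body parameter of an Ms-IM-Format header), of the kind slide 38 asks an SBC or proxy to enforce. This is an added example, not code from the talk or from Viproy; the function names, the regex heuristics and the sample messages (placeholder addresses under example.invalid) are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Heuristic for markup that should not reach a UC client from an untrusted peer.
ACTIVE = re.compile(rb"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:", re.I)
MS_BODY = re.compile(rb"ms-body\s*=\s*([A-Za-z0-9+/=\s]+)", re.I)

def split_sip(raw):
    """Split a raw SIP message into (headers, body), unfolding wrapped header lines."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:           # [0] is the request line
        if line[:1] in (b" ", b"\t") and headers:   # folded continuation line
            headers[-1][1] += b" " + line.strip()
        elif b":" in line:
            name, _, value = line.partition(b":")
            headers.append([name.strip().lower(), value.strip()])
    return headers, body

def inspect(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    headers, body = split_sip(raw)
    findings, ctype = [], b""
    for name, value in headers:
        if name == b"content-type":
            ctype = value.lower()
        match = MS_BODY.search(value) if name == b"ms-im-format" else None
        if match:
            try:  # whitespace from folding or wrapping is dropped before decoding
                text = base64.b64decode(re.sub(rb"\s+", b"", match.group(1)), validate=True)
            except binascii.Error:
                findings.append("ms-im-format: undecodable ms-body")
                continue
            if ACTIVE.search(text):
                findings.append("ms-im-format: active content in ms-body")
    if ctype.startswith(b"text/html") and ACTIVE.search(body):
        findings.append("body: active content in text/html")
    return findings

def sample(headers, body=b""):  # constructed demo message, placeholder addresses
    first = b"MESSAGE sip:bob@example.invalid SIP/2.0"
    return b"\r\n".join([first] + headers) + b"\r\n\r\n" + body

# Constructed payload, encoded here so the sample is visibly synthetic.
B64 = base64.b64encode(b'<script>window.location="http://example.invalid"</script>')
CLEAN = sample([b"Content-Type: text/plain"], b"hello")
IN_HEADER = sample([b"Ms-IM-Format: text/html; charset=UTF-8; ms-body=" + B64[:40],
                    b" " + B64[40:]])               # header folded mid-value
IN_BODY = sample([b"Content-Type: text/html"], b"<script>alert(1)</script>")
```

The header value is decoded before matching because a filter that only pattern-matches the raw SIP text never sees the markup inside ms-body; an undecodable value is reported rather than passed through.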