Positive Hack Days. Gritsai. VoIP insecurities workshop

Post on 17-May-2015


DESCRIPTION

Participants will gain an understanding of the fundamentals of IP telephony, as well as basic skills in finding vulnerabilities, using widespread IP-PBXs and subscriber devices as examples. Both typical network vulnerabilities and the more complex cases discovered during security assessments of real networks are covered.

TRANSCRIPT

VOIP insecurities workshop

“I just called to say I pwn you
I just called to say how much I care
I just called to say I own you
And I mean it from the bottom of my heart”

Stevie Wonder

Agenda

VOIP
• PSTN & VOIP
• PSTN vs. VOIP
• VOIP protocols
• VOIP security

Attacking VOIP
• Enumerating VOIP devices
• RTP attacks + demonstration
• SIP attacks + practice
• Further reading

PSTN / Public switched telephone network

VOIP / Voice over Internet Protocol

PSTN vs. VOIP

Network
• PSTN – closed network
• VOIP – public network (Internet)

End-user devices
• PSTN – simple devices
• VOIP – complex devices

Authentication
• PSTN – no mobility (authentication by wire)
• VOIP – mobility

VOIP protocols

Signaling protocols / Media protocols

Call control and media stream use different routes

VOIP protocols: Signaling (short overview)

• SIP – Session Initiation Protocol
• SDP – Session Description Protocol
• H.323
• MGCP – Media Gateway Control Protocol
• SCCP – Skinny Client Control Protocol
• RTCP – Real-time Transport Control Protocol

VOIP protocols: Media and Hybrid (short overview)

Media
• RTP/SRTP

Hybrid (signaling + media)
• IAX/IAX2

VOIP insecurities

Confidentiality
• eavesdropping, recording, …

Availability
• DoS, buffer overflows, …

Authentication
• registration hijacking, Caller ID spoofing, …

Fraud
• toll fraud, data masquerading, …

SPIT (SPAM over IP Telephony)
• voice phishing, unsolicited calling, …

VOIP insecurities: Topics for today

Enumeration of VOIP devices
• search engines
• port scanning

RTP
• eavesdropping/recording calls
• inserting data into the media stream
• DoS

SIP
• searching extensions
• Caller name spoofing
• DoS

Enumerating VOIP devices: Google hacking

Google hacking
• GHDB
• User manual -> Google request

Operators: inurl:, intitle:, site:<Customer>

Examples:
• Asterisk Management Portal: intitle:asterisk.management.portal web-access
• Cisco Phones: inurl:"NetworkConfiguration" cisco
• Cisco CallManager: inurl:"ccmuser/logon.asp"
• D-Link Phones: intitle:"D-Link DPH" "web login setting"
• Grandstream Phones: intitle:"Grandstream Device Configuration" password
• Linksys (Sipura) Phones: intitle:" SPA Configuration"
• Polycom Soundpoint Phones: intitle:"SoundPoint IP Configuration"

Enumerating VOIP devices: Shodan [1/2]

www.shodanhq.com
• search for domain names, IPs, ports

Enumerating VOIP devices: Shodan [2/2]

Banner grabbing
• passwordless Snom phones

Enumerating VOIP devices: nmap

VOIP scanners
• smap
• svmap (sipvicious)

Fyodor’s nmap
• -sU

UDP scanning: common problems

Enumerating VOIP devices: Common ports

VOIP protocols
• 5060-5070, 1718-1720, 2517, …
• RTP ports are allocated dynamically

Management protocols
• TCP 21-23, 80, 443, 8088, …
• UDP 161, 162, 69, …

IANA
• Internet Assigned Numbers Authority
• grep <vendor> www.iana.org/assignments/port-numbers

RTP

Real-time Transport Protocol
• RFC 1889 (1996) -> RFC 3550 (2003)
• Media over IP/UDP
• Packet reordering
• Used with signaling protocols (SIP, H.323, MGCP)

RTCP (Real-time Transport Control Protocol)
• RTCP port = RTP port + 1

RTP Attacks

Call interception
• Attacking layers 2, 3
• Decoding intercepted data

Injection into call
• Finding the RTP port
• Injecting into the media stream

Denial of Service
• RTP flood

RTP Attacks: Call interception

ARP spoofing
• Cain & Abel
• ettercap
• arpspoof (dsniff)

Wireshark
• Telephony -> VoIP Calls

Demo

RTP Attacks: Injection – Synchronization in RTP

• sequence number – position in the media stream, +=1 per packet
• timestamp – sampling instant, +=1 per sample
• SSRC – identifies the source, constant (random 32-bit value)
• payload type – codec in use

RTP Attacks: Injection

Unencrypted, because of
• deployment issues (debug)
• QoS issues
• key distribution

UDP – connectionless

Data requirements:
• SSRC
• timestamp, sequence number – monotonically increasing
• timestamp, sequence number – fuzzing
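As an added example (not from the workshop slides), a small Python decoder for the RTP fixed header plus a receiver-side continuity check covering exactly the fields an injected packet has to get right: SSRC, sequence number and timestamp. Every packet is constructed inline; the SSRC values, the 8000/8160/... timestamps and the 160-samples-per-frame PCMU assumption are made up for the demo.

```python
import struct

def parse_rtp_header(packet):
    """Decode the 12-byte fixed RTP header (RFC 3550, section 5.1)."""
    if len(packet) < 12:
        raise ValueError("RTP packet too short")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F, "csrc_count": b0 & 0x0F,
            "sequence": seq, "timestamp": ts, "ssrc": ssrc}

def build_rtp_packet(seq, ts, ssrc, payload_type=0, payload=b"\xff" * 160):
    """Constructed test packet: V=2, no padding/extension/CSRC, PT 0 = PCMU (20 ms frames)."""
    return struct.pack("!BBHII", 0x80, payload_type, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def audit_stream(packets, samples_per_frame=160):
    """Flag packets that break one stream's continuity: a foreign SSRC, a sequence
    number that does not advance (wrap-aware) or a timestamp that disagrees with it."""
    findings, ref = [], None
    for i, pkt in enumerate(packets):
        h = parse_rtp_header(pkt)
        if ref is None:
            ref = h
            continue
        seq_delta = (h["sequence"] - ref["sequence"]) & 0xFFFF
        ts_delta = (h["timestamp"] - ref["timestamp"]) & 0xFFFFFFFF
        reason = None
        if h["ssrc"] != ref["ssrc"]:
            reason = "foreign SSRC 0x%08x" % h["ssrc"]
        elif h["payload_type"] != ref["payload_type"]:
            reason = "payload type changed"
        elif seq_delta == 0 or seq_delta > 0x7FFF:
            reason = "sequence not increasing"
        elif ts_delta != seq_delta * samples_per_frame:
            reason = "timestamp jump"
        if reason:
            findings.append((i, reason))
        else:
            ref = h  # only accepted packets move the reference forward
    return findings

def demo():
    ssrc = 0x1234ABCD
    legit = [build_rtp_packet(100 + i, 8000 + 160 * i, ssrc) for i in range(5)]
    foreign = build_rtp_packet(103, 8480, 0xDEADBEEF)      # packet from another source
    replay = legit[1]                                       # an old sequence number again
    jumped = build_rtp_packet(105, 8640 + 160 * 50, ssrc)  # timestamp 50 frames ahead
    return audit_stream(legit[:3] + [foreign] + legit[3:] + [replay, jumped])
```

A real phone applies the same logic inside its jitter buffer, which is why the slide lists a matching SSRC and plausible, monotonically increasing sequence numbers and timestamps as the data requirements for injection.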

RTP Attacks: Injection

Finding the RTP port
• Intercept SDP
• Port scan

Media injection
• Requirements: frequency, codec

Demo
• SDP || nmap
• rtpinsertsound
• not working 100%?

RTP Attacks: Denial of Service

Flood
• Low bandwidth requirements
• Media stream = high load
• Authentication – SIP
• and again … UDP – connectionless

Demo
• rtpflood

SIP

Session Initiation Protocol
• Application layer (TCP/UDP)
• ASCII header
• SIP header ~= e-mail header
• URI

SIP Components

UA (User agent), Proxy, Registrar, Redirect

Call via Proxy / Call via Redirect

SIP Attacks

Using somebody’s PBX
• Extension enumeration
• Bruteforcing the extension password

Caller name spoofing

Registration hijacking

Denial of service
• Busy lines

SIP Requests

INVITE indicates a client is being invited to participate in a call session

BYE Terminates a call and can be sent by either the caller or the callee

OPTIONS Queries the capabilities of servers

REGISTER Registers the address listed in the To header field with a SIP server

ACK Confirms that the client has received a final response to an INVITE request

CANCEL Cancels any pending request

more …

SIP Answers

1xx Informational (100 Trying, 180 Ringing)
2xx Successful (200 OK, 202 Accepted)
3xx Redirection (302 Moved Temporarily)
4xx Request Failure (404 Not Found, 482 Loop Detected)
5xx Server Failure (501 Not Implemented)
6xx Global Failure (603 Decline)

Basic SIP call (call flow diagram)

SIP Attacks: Using somebody’s PBX

PBX
• Extension enumeration
• Bruteforcing passwords
• Making a call

Practice with Sipvicious
• svmap <ip>
• svwar -e <extensions> <ip> -m <REQUEST>
• svcrack -u <extension> -d <dictionary> <ip>
• Setting up a softphone

SIP Attacks: Caller name spoofing

Caller Name spoofing
• Softphone

Practicing with X-Lite
• Softphone – caller name spoofing

X-Lite account settings:
• Display name: ' 1=1 --
• Domain: IP of the UA
• Register: disabled

SIP Attacks: Registration hijacking

Registration hijacking
• INVITE to the PBX
• PBX searches for the user in the Registrar
• The registration is the Contact header: an IP address

Practicing with X-Lite Register settings
• rate
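As an added example (not from the workshop slides), a Python parser for the e-mail-style SIP message format described above, with a registrar-side check that catches the registration-hijacking pattern just described: a REGISTER whose Contact moves an existing extension to a different host, and one that arrives without an Authorization header. The pbx.example.com domain, the addresses and the bindings table are constructed for the demo.

```python
import re

STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Request Failure", 5: "Server Failure", 6: "Global Failure"}

def parse_sip(raw):
    """Split a SIP message into start line, e-mail-style headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *header_lines = head.split("\n")
    headers = {}
    for line in filter(None, header_lines):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # last occurrence wins
    msg = {"headers": headers, "body": body}
    m = re.match(r"SIP/2\.0 (\d{3})", start)
    if m:  # response: the first digit of the status code gives the class
        code = int(m.group(1))
        msg.update(status=code, status_class=STATUS_CLASSES.get(code // 100, "Unknown"))
    else:  # request: METHOD Request-URI SIP/2.0
        msg.update(method=start.split(" ")[0])
    return msg

def sip_uri(value):
    """Bare sip:user@host from e.g. "Bob" <sip:100@pbx.example.com:5060;transport=udp>;tag=1."""
    m = re.search(r"sip:[^:;>]+", value)
    return m.group(0) if m else ""

def check_register(raw, bindings):
    """Registrar-side checks; bindings maps address-of-record -> host currently registered."""
    msg = parse_sip(raw)
    if msg.get("method") != "REGISTER":
        return []
    h, findings = msg["headers"], []
    aor = sip_uri(h.get("to", ""))
    host = sip_uri(h.get("contact", "")).split("@")[-1]  # where calls for aor would be sent
    if aor in bindings and bindings[aor] != host:  # the hijack signature
        findings.append("%s moves from %s to %s" % (aor, bindings[aor], host))
    if "authorization" not in h:
        findings.append("no Authorization: answer with 401 challenge, never 200 OK")
    return findings

# Constructed sample: a REGISTER for extension 100 arriving from 203.0.113.7
SAMPLE_REGISTER = ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
                   "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776\r\n"
                   "From: <sip:100@pbx.example.com>;tag=1928\r\nTo: <sip:100@pbx.example.com>\r\n"
                   "Call-ID: a84b4c76@203.0.113.7\r\nCSeq: 1 REGISTER\r\n"
                   "Contact: <sip:100@203.0.113.7:5060>\r\nContent-Length: 0\r\n\r\n")

def demo():
    # extension 100 is known to be registered from the desk phone at 192.0.2.10
    return check_register(SAMPLE_REGISTER, {"sip:100@pbx.example.com": "192.0.2.10"})
```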

SIP Attacks: Denial of Service

Denial of Service
• No auth:
  -> INVITE
  <- 100 Trying
  …
  <- Busy here
• HTTP digest: each INVITE forces nonce generation/storing

Practice
• inviteflood

Further reading

Set up a lab
• http://enablesecurity.com/resources/how-to-set-up-a-voip-lab-on-a-shoe-string/

Read and practice
• Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions

Advanced attacks
• “Having fun with RTP” by kapejod
• “SIP home gateways under fire”
• Fuzzing

Q&A

ggritsai@ptsecurity.ru
