info secvoip
InfoSec & VoIP. Switching Laboratory (Laboratorio de conmutación)
Jesús Pérez [email protected]
@jesusprubio, 25/09/2012
http://www.quobis.com
Contents
- VoIP fraud examples
- VoIP threats "in the wild"
- VoIP & DoS (flood)
- Demo: Metasploit SIPflood module
- Countermeasures
- Exercise notes
VoIP fraud examples (I)
- 1 month -> 60.000 $
- 1/2 day -> 23.000 min. -> 15.000 euros
- 46 h. -> 11.000 calls -> 120.000 $
- 500.000 calls -> 1.000.000 $
- ...
- http://shadowcommunications.co.uk/ (offline): 1.500.000 calls, 11.000.000 euros, 42 individuals
VoIP fraud examples (II)
VoIP threats "in the wild"
- NO eavesdropping, password cracking, etc. (this time) -> Encryption
- Extension/password brute-force
- INVITE attack
- Default web panel passwords
- DoS/DDoS flood
Extension/password brute-force (I)
Extension/password brute-force (II)
INVITE attack
sip:+442032988741sip:[email protected]:[email protected]
- INVITE authentication -> Kamailio WIN!
Default web panel passwords (I)
Default web panel passwords (II)
Default web panel passwords (III)
DoS
- DoS (Denial of Service)
- Types:
  - Communication interruption
  - Malformed packets (Teardrop)
  - Physical destruction
  - Flood
  - DDoS
- Tools: LOIC, Hulk, Aircrack-ng, Exploit-DB
DoS (Impact)
VoIP & DoS
- Impact! vs. (web application)
- Application layer -> Increase performance
- SIP proxy vs. PBX
- Tools:
  - Malformed packets: Fuzzing (Voiper)
  - Flood: SIPVicious; udpflood, inviteflood, rtpflood, iaxflooder; SIPp
- Problems:
  - Old
  - Diversity of languages -> Complex to use/customize
  - Lack of a report generation mechanism
SIPflood (REGISTER)
SIPflood (INVITE)
SIPflood_tcp (INVITE)
SIPflood_DDoS (INVITE)
Countermeasures
- General:
  - Firewall
  - Secure passwords
  - Upgrades
- Specific:
  - Monitoring
  - Fail2ban
  - ?¿ module (Kamailio)
  - IDS/IPS (Snort/Prelude)
  - Session Border Controller (SBC)
References
- http://blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html
- http://www.securitybydefault.com/2012/03/desarrollando-para-metasploit-ii.html
- http://code.google.com/p/metasploit/source/browse/sip/sipflood.rb
- http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
- http://saghul.net/blog/2010/06/17/deteniendo-un-sip-flood-con-opensips-y-el-modulo-pike/
- http://www.kamailio.org/docs/modules/1.4.x/pike.html
- http://kamailio.org/docs/modules/devel/modules/pipelimit.html
- http://kamailio.org/docs/modules/1.4.x/ratelimit.html
- http://nicerosniunos.blogspot.com.es/2011/09/voip-information-gathering-metasploit.html
- http://nicerosniunos.blogspot.com.es/2012/07/bruteforcing-sip-extensions-with.html
- http://code.google.com/p/sipvicious/w/list
- http://blog.sipvicious.org/
- http://blog.pepelux.org/2012/02/15/asterisk-invite-attack/
- http://www.hackingvoip.com/
- http://www.offensive-security.com/metasploit-unleashed/Main_Page
- http://www.securitybydefault.com/2012/09/riesgos-reales-en-voip.html
- http://www.backtrack-linux.org/
Exercise notes
- Option 3: you will configure Kamailio for Drake Island. This island has been a pirate refuge for centuries. The tradition survives, and nowadays the island has the world's highest cracker rate per km2. Last year we used the SIPVicious toolkit to test the security of our Kamailio server. Though simple, it is quite powerful; but the hacker community's skills improve day after day, so you must use more powerful tools. That is why this year you will use the Metasploit modules implemented by our colleague [email protected] to simulate DoS, DDoS and extension brute-force attacks. Your challenge in this practice option will be to implement as many attacks and security methods as you can. The security of this operator is in your hands. The international prefix assigned to Drake Island is 001788[6-7].
- References
- Any useful (not exposed) generic attack/countermeasure accepted
- Metasploit SIP scan module (options.rb) bug -> SIPVicious accepted
- DEFENSE!! 1 attack vector -> 1 defense mechanism
?
Pol. A Granxa P.26, 36400 Porriño (Spain). Tlf. +34 902 999 465. SIP://sip.quobis.com
http://www.quobis.com