info secvoip

InfoSec & VoIP, Switching Laboratory. Jesús Pérez Rubio, [email protected], @jesusprubio, 25/09/2012, http://www.quobis.com

Upload: quobis

Post on 12-Jun-2015


Page 1: Info secvoip

InfoSec & VoIP, Switching Laboratory

Jesús Pérez [email protected]

@jesusprubio 25/09/2012

http://www.quobis.com

Page 2: Info secvoip

Contents

- VoIP fraud examples
- VoIP threats "in the wild"
- VoIP & DoS (flood)
- Demo: Metasploit SIPflood module
- Countermeasures
- Exercise notes

Page 3: Info secvoip

VoIP fraud examples (I)

- 1 month -> 60.000 $
- 1/2 day -> 23.000 min. -> 15.000 euros
- 46 h. -> 11.000 calls -> 120.000 $
- 500.000 calls -> 1.000.000 $
- ...

- http://shadowcommunications.co.uk/ (offline)
  - 1.500.000 calls
  - 11.000.000 euros
  - 42 individuals

Page 4: Info secvoip

VoIP fraud examples (II)

Page 5: Info secvoip

VoIP threats "in the wild"

- NO eavesdropping, password cracking, etc. (this time) -> Encryption
- Extension/password brute-force
- INVITE attack

- Default web panel passwords

- DoS/DDoS flood

Page 6: Info secvoip

Extension/password brute-force (I)

Page 7: Info secvoip

Extension/password brute-force (II)

Page 8: Info secvoip

INVITE attack

sip:+442032988741sip:[email protected]:[email protected]

Page 9: Info secvoip

INVITE attack

sip:+442032988741sip:[email protected]:[email protected]

- INVITE authentication -> Kamailio WIN!

Page 10: Info secvoip

Default web panel passwords (I)

Page 11: Info secvoip

Default web panel passwords (II)

Page 12: Info secvoip

Default web panel passwords (III)

Page 13: Info secvoip

DoS

- DoS (Denial of Service)
- Types:
  - Communication interruption
  - Malformed packets (Teardrop)
  - Physical destruction
  - Flood
  - DDoS

- Tools: LOIC, Hulk, Aircrack-ng, Exploit-DB

Page 14: Info secvoip

DoS (Impact)

Page 15: Info secvoip

VoIP & DoS

- Impact! vs. (web application)
- Application layer -> Increase performance
- SIP proxy vs. PBX

- Tools:
  - Malformed packets:
    - Fuzzing (Voiper)
  - Flood:
    - Sipvicious
    - udpflood, inviteflood, rtpflood, iaxflooder
    - SIPp
  - Problems:
    - Old
    - Diversity of languages -> Complex use/customize
    - Lack of report generation mechanism

Page 16: Info secvoip

SIPflood (REGISTER)

Page 17: Info secvoip

SIPflood (INVITE)

Page 18: Info secvoip

SIPflood_tcp (INVITE)

Page 19: Info secvoip

SIPflood_DDoS (INVITE)

Page 20: Info secvoip

Countermeasures

- General:
  - Firewall
  - Secure passwords
  - Upgrades

- Specific:
  - Monitoring
  - Fail2ban
  - ?¿ module (Kamailio)
  - IDS/IPS (Snort/Prelude)
  - Session Border Controller (SBC)
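One way the Kamailio-side flood defence listed above can be wired in, using the pike module from the References slide; this is an added example, not configuration from the deck or from Quobis. The thresholds (2 s window, 16 requests), the 300 s ban and the htable name `ipban` are illustrative choices, not values the slides give.

```cfg
# Added example (not from the slides): Kamailio anti-flood with the pike
# module. Threshold and ban values are illustrative, not from the deck.
#!define WITH_ANTIFLOOD

#!ifdef WITH_ANTIFLOOD
loadmodule "pike.so"
loadmodule "htable.so"
loadmodule "xlog.so"

# pike counts requests per source IP over sampling_time_unit seconds;
# more than reqs_density_per_unit requests in that window trips the check.
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)

# htable "ipban": source IPs currently blocked, entries expire after 300 s
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
#!endif

request_route {
    route(REQINIT);
    # ... normal REGISTER/INVITE handling (with authentication) follows
}

route[REQINIT] {
#!ifdef WITH_ANTIFLOOD
    # Do not rate-limit the proxy itself (loops to self); trusted peers
    # such as PSTN gateways should be excluded the same way.
    if (src_ip != myself) {
        if ($sht(ipban=>$si) != $null) {
            # source already banned: drop silently, sending no reply
            xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
            exit;
        }
        if (!pike_check_req()) {
            # flood detected: log for monitoring/Fail2ban and ban the source
            xlog("L_ALERT", "ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }
#!endif
}
```

The xlog line is what a Fail2ban filter or IDS would match on, so the same event feeds the "Monitoring" and "Fail2ban" items of the slide.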

Page 21: Info secvoip

References

- http://blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html
- http://www.securitybydefault.com/2012/03/desarrollando-para-metasploit-ii.html
- http://code.google.com/p/metasploit/source/browse/sip/sipflood.rb
- http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
- http://saghul.net/blog/2010/06/17/deteniendo-un-sip-flood-con-opensips-y-el-modulo-pike/
- http://www.kamailio.org/docs/modules/1.4.x/pike.html
- http://kamailio.org/docs/modules/devel/modules/pipelimit.html
- http://kamailio.org/docs/modules/1.4.x/ratelimit.html
- http://nicerosniunos.blogspot.com.es/2011/09/voip-information-gathering-metasploit.html
- http://nicerosniunos.blogspot.com.es/2012/07/bruteforcing-sip-extensions-with.html
- http://code.google.com/p/sipvicious/w/list
- http://blog.sipvicious.org/
- http://blog.pepelux.org/2012/02/15/asterisk-invite-attack/
- http://www.hackingvoip.com/
- http://www.offensive-security.com/metasploit-unleashed/Main_Page
- http://www.securitybydefault.com/2012/09/riesgos-reales-en-voip.html
- http://www.backtrack-linux.org/

Page 22: Info secvoip

Exercise notes

- Option 3: you will configure Kamailio for Drake Island. This island has been a pirate refuge for centuries. The tradition survives, and nowadays the island has the world's highest cracker rate per km². Last year we used the SIPvicious toolkit to test the security of our Kamailio server. Though simple, it is quite powerful; but the hacker community's skills improve day after day, so you must use more powerful tools. That is why this year we will use the Metasploit modules implemented by our colleague [email protected] to simulate DoS, DDoS and extension brute-force attacks. Your challenge in this practice option will be to implement as many attacks and security methods as you can. The security of this operator is in your hands. The international prefix assigned to Drake Island is: 001788[6-7]
- References
- Any useful (not exposed) generic attack/countermeasure accepted

- Metasploit SIP scan module (options.rb) bug -> SIPVicious accepted
- DEFENSE!! 1 attack vector -> 1 defense mechanism

Page 23: Info secvoip

?

Pol. A Granxa P.260, 36400 Porriño (Spain). Tel. +34 902 999 465. SIP://sip.quobis.com

http://www.quobis.com