Internet of Terrible: Can you hear me meow?

Post on 12-Apr-2017


Internet of Terrible

Can you hear me meow?

©2016 RSEC.US -=- Brandon McCrillis

• Name: Brandon McCrillis

• Company: Rendition InfoSec

• Email: brandon@renditioninfosec.com

• URL: RSEC.US

• Twitter: @13M4C

Get-WmiObject -Class Win32_ComputerSystem

• Model: DA243A-ABA 6415cl NA910

• TotalPhysicalMemory: 804765696

Objectives:

• Discuss case studies of conducting network enumeration using VoIP infrastructure and other embedded devices

• Highlight attack methodologies that can be used for credential harvesting, enumeration, denial of service, and persistence

• Practical defensive techniques and real-world attacker mitigations via monitoring and secure configuration

• Therapeutically work through some *minor* cat issues

Times have changed…


The Internet of Terrible

1983: CYBER

CSI++


IoT: All the things!


Spy-on-you Barbie!

Embedded Devices…Doing things with stuff


Embedded Devices

In-flight Entertainment

Much Services, Many Lulz

Y’know, living off the land…


Real-world Assessments…

Voice over IP…Teh VoIP


What is VoIP?


What is Asterisk?

Where it’s at… Two turntables and a Polycom phone

What’s in the box…


Reduce, Reuse, Recycle


Can you hear me meow?


Factory Reset Devices pls!


Meh?


I have wut u need…


Default SoundPoint 501 Creds

• Default TFTP or FTP: username: PlcmSpIp, password: PlcmSpIp

• Default HTTP: username: Polycom, password: 456

• Default User Pass: 123

• Default Admin Pass: 456

Ye Old Web GUI


Sure, I’ll bite…

Base64 Decode

Polycom : 456
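The Base64 string the phone's web GUI sends is just HTTP Basic authentication ("user:password"), which is why it decodes straight to Polycom:456. The defensive counterpart is to watch for logins that still use the vendor defaults listed above. The following is an added example, not code from the talk; the log lines are constructed and the log format (source, destination, header) is an assumption to adapt to whatever your proxy or IDS emits.

```python
"""Decode HTTP Basic Authorization headers seen on the way to phone web GUIs
and flag logins that still use vendor default credentials.

Added example for this page, not the author's code. The log lines are
constructed; the default list is the SoundPoint 501 list quoted on the page."""
import base64
import binascii
import re

# Defaults quoted on the page for the SoundPoint 501, as (user, password)
DEFAULT_CREDS = {
    ("Polycom", "456"),        # HTTP admin
    ("PlcmSpIp", "PlcmSpIp"),  # TFTP/FTP provisioning
}

# Constructed sample proxy/IDS log: "<src> <dst> Authorization: <scheme> <token>"
SAMPLE_LOG = """\
10.0.9.40 10.0.5.21 Authorization: Basic UG9seWNvbTo0NTY=
10.0.9.40 10.0.5.22 Authorization: Basic YWRtaW46U3RyMG5nUGFzc3cwcmQh
10.0.9.41 10.0.5.23 Authorization: Basic !!notbase64!!
10.0.9.41 10.0.5.24 Authorization: Bearer eyJhbGciOi...
"""

LINE = re.compile(r"^(?P<src>\S+) (?P<dst>\S+) Authorization: (?P<scheme>\S+) (?P<token>\S+)$")


def decode_basic(token):
    """Return (user, password) from a Basic token, or None if it is malformed."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def find_default_logins(log_text, defaults=DEFAULT_CREDS):
    """Return a list of (src, dst, user) for every Basic login matching a vendor default."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group("scheme") != "Basic":
            continue
        creds = decode_basic(m.group("token"))
        if creds and creds in defaults:
            hits.append((m.group("src"), m.group("dst"), creds[0]))
    return hits


if __name__ == "__main__":
    for src, dst, user in find_default_logins(SAMPLE_LOG):
        print(f"ALERT default vendor credential '{user}' used from {src} to {dst}")
```

Malformed tokens are skipped rather than raised on, since a noisy log line should not stop the sweep; a hit is a phone whose admin password was never changed and belongs on the factory-reset-and-reconfigure list.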


AsteriskNOW

Attacking VoIP…Calling your mother


Common Attack Vectors

• Information Gathering / Enumeration

• Monitoring and Eavesdropping

• Attacking Authentication

• VLAN Hopping

• Denial of Service / Flooding

• Spoofing Caller ID

VoIP Weaponized: I shouldn’t be able to do this!

Oh so sexy…

CHECK-SYNC

When an attacker 0wn yer VoIP

Many vendors allow a remote reboot of phones to facilitate SIP configuration updates.

Using this for pure evil, an attacker can force the phone to consume a tampered configuration… unauthenticated.

Check-sync DoS
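The check-sync mechanism is a SIP NOTIFY carrying an Event: check-sync header; a phone that honours it without authentication will re-provision (or reboot) on request, which covers both the tampered-configuration and the DoS cases above. From the defender's side, the useful signal is a resync NOTIFY that did not come from the provisioning server, or too many of them in a row. The following is an added example, not code from the talk or from SIPPing: the packets are constructed, and the "authorized PBX" address and burst threshold are assumptions to replace with your own.

```python
"""Flag SIP NOTIFY check-sync messages that did not come from the PBX, and
count per-source bursts as a crude check-sync DoS signal.

Added example for this page; not code from the talk or from SIPPing. Sample
packets are constructed; AUTHORIZED_PBX and BURST_THRESHOLD are assumptions."""
import re
from collections import Counter

AUTHORIZED_PBX = "10.0.5.1"   # assumption: the only host allowed to trigger a resync
BURST_THRESHOLD = 5           # assumption: more resyncs than this per source is suspect

# Constructed sample: (source IP, raw SIP message). The first two are the PBX
# doing legitimate provisioning; the rest come from an unexpected voice-VLAN host.
SAMPLE_PACKETS = [
    ("10.0.5.1", "NOTIFY sip:201@10.0.5.21 SIP/2.0\r\nEvent: check-sync\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.5.1", "NOTIFY sip:202@10.0.5.22 SIP/2.0\r\nEvent: resync\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.5.99", "OPTIONS sip:201@10.0.5.21 SIP/2.0\r\nContent-Length: 0\r\n\r\n"),
] + [
    ("10.0.5.99", f"NOTIFY sip:201@10.0.5.21 SIP/2.0\r\nEvent: check-sync\r\nCSeq: {i} NOTIFY\r\nContent-Length: 0\r\n\r\n")
    for i in range(1, 8)
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0\r?$", re.M)


def parse_sip(raw):
    """Return (method, request_uri, headers) for a SIP request, or None; header names lower-cased."""
    m = REQUEST_LINE.search(raw)
    if not m:
        return None
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("uri"), headers


def is_resync_notify(method, headers):
    """check-sync and its vendor variants (resync, reboot) all trigger re-provisioning."""
    event = headers.get("event", "").split(";")[0].strip().lower()
    return method == "NOTIFY" and event in {"check-sync", "resync", "reboot"}


def analyze(packets, pbx=AUTHORIZED_PBX, threshold=BURST_THRESHOLD):
    """Return {'rogue': [...], 'flood': {src: count}} over a list of (src, raw) packets."""
    rogue = []
    per_source = Counter()
    for src, raw in packets:
        parsed = parse_sip(raw)
        if not parsed:
            continue
        method, uri, headers = parsed
        if not is_resync_notify(method, headers):
            continue
        per_source[src] += 1
        if src != pbx:
            rogue.append({"src": src, "target": uri, "event": headers["event"]})
    flood = {s: n for s, n in per_source.items() if n > threshold}
    return {"rogue": rogue, "flood": flood}


if __name__ == "__main__":
    result = analyze(SAMPLE_PACKETS)
    for r in result["rogue"]:
        print(f"ALERT rogue resync from {r['src']} -> {r['target']} ({r['event']})")
    for src, n in result["flood"].items():
        print(f"ALERT check-sync burst: {n} NOTIFYs from {src}")
```

In production the packets would come from a capture on the voice VLAN rather than a list; the point is that the check is cheap (one header) and that the mitigation the talk lands on, restricting who may send NOTIFY to the phones at the PBX or firewall, is the same rule this detector encodes.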

SIPPing… FTW!

• Python-based SIP packet forging tool by Pietro Bertera (bertera.it): https://github.com/pbertera/SIPPing

• He also wrote a blog post on SIP packet filtering using iptables

Crafted check-sync packet

SPECIAL EXTENSIONS

When an attacker 0wn yer VoIP

Configuration of a “special extension” with auto-answer can force the phone to answer a call (without ringing) and immediately open the speakerphone mic: a real-time audio feed, without user interaction or knowledge.
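On an Asterisk box the "special extension" is ordinary dialplan: an extension that adds an auto-answer header (Alert-Info for Polycom, Call-Info with answer-after=0 for Cisco-style phones) before dialing the handset. Auditing the dialplan for those headers is the quickest way to find one that was planted. The following is an added example, not the author's or the Asterisk project's code; the dialplan is constructed, and the header patterns are the commonly documented ones, so extend the regex if your vendor uses a different value.

```python
"""Audit an Asterisk dialplan for extensions that push an auto-answer header
to the phone, i.e. the "special extension" described in the talk.

Added example for this page, not code from the talk or from Asterisk. The
dialplan is constructed; the header patterns are the commonly documented ones
(assumption: extend AUTO_ANSWER for other vendors)."""
import re

SAMPLE_DIALPLAN = """\
[internal]
exten => 201,1,Dial(SIP/201,20)
exten => 201,n,Hangup()

; "special" extensions: answer immediately, no ring
exten => 9201,1,SIPAddHeader(Alert-Info: Ring Answer)
exten => 9201,n,Dial(SIP/201,20)
exten => 9202,1,Set(PJSIP_HEADER(add,Call-Info)=<sip:pbx.example>\\;answer-after=0)
exten => 9202,n,Dial(PJSIP/202)
exten => 9203,1,Set(PJSIP_HEADER(add,Alert-Info)=Auto Answer)
exten => 9203,n,Dial(PJSIP/203)

[from-trunk]
exten => _X.,1,Goto(internal,${EXTEN},1)
"""

# Alert-Info may be written "Alert-Info: Ring Answer" (chan_sip) or
# "PJSIP_HEADER(add,Alert-Info)=Ring Answer" (chan_pjsip); \W{0,4} absorbs either separator.
AUTO_ANSWER = re.compile(
    r"(Alert-Info\W{0,4}(Ring\s*Answer|Auto\s*Answer|info=alert-autoanswer)"
    r"|answer-after\s*=\s*0)",
    re.I,
)
EXTEN_LINE = re.compile(r"^\s*exten\s*=>\s*(?P<exten>[^,]+),(?P<prio>[^,]+),(?P<app>.*)$")


def find_auto_answer(dialplan_text):
    """Return [(context, exten, line_no, app)] for every dialplan line that sets an auto-answer header."""
    findings = []
    context = None
    for no, line in enumerate(dialplan_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue  # blank or comment line
        if stripped.startswith("[") and stripped.endswith("]"):
            context = stripped[1:-1]  # new dialplan context
            continue
        m = EXTEN_LINE.match(line)
        if m and AUTO_ANSWER.search(m.group("app")):
            findings.append((context, m.group("exten").strip(), no, m.group("app").strip()))
    return findings


if __name__ == "__main__":
    for context, exten, no, app in find_auto_answer(SAMPLE_DIALPLAN):
        print(f"line {no}: [{context}] {exten} -> {app}")
```

Run it over extensions.conf (and anything it #includes) after every change; an auto-answer extension that nobody can account for is worth treating as an incident rather than a misconfiguration.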

VLAN Hopping

When an attacker 0wn yer VoIP

Oftentimes VoIP VLANs are not monitored (read: trusted) -- “Plug and Play” hopping…
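The point above is that the voice VLAN is usually trusted precisely because nobody looks at it. A first step toward monitoring it is an inventory: anything answering on the voice VLAN whose MAC OUI is not a phone vendor and is not an allow-listed server (the PBX) deserves a look. The following is an added example, not code from the talk; the ARP dump is constructed and the OUI table is an illustrative subset, to be populated from the IEEE OUI registry for your own phone vendors.

```python
"""Inventory a voice VLAN from an `arp -an`-style dump and flag hosts that are
neither phones (by MAC OUI) nor allow-listed servers.

Added example for this page, not the author's code. The ARP output is
constructed; PHONE_OUIS is an illustrative subset (assumption: fill it from
the IEEE OUI registry)."""
import re

# Illustrative OUI -> vendor map; extend from the IEEE OUI registry
PHONE_OUIS = {
    "00:04:F2": "Polycom",
}

# Constructed ARP view as seen from the voice VLAN gateway interface
SAMPLE_ARP = """\
? (10.0.5.21) at 00:04:f2:aa:bb:01 [ether] on eth0.100
? (10.0.5.22) at 00:04:f2:aa:bb:02 [ether] on eth0.100
? (10.0.5.1) at 52:54:00:12:34:56 [ether] on eth0.100
? (10.0.5.99) at 08:00:27:de:ad:00 [ether] on eth0.100
? (10.0.5.23) at 00:04:f2:cc:dd:03 [ether] on eth0.100
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def oui(mac):
    """First three octets of a colon-separated MAC, upper-cased for table lookup."""
    return mac.upper()[:8]


def classify_vlan_hosts(arp_text, allowlist=frozenset(), ouis=PHONE_OUIS):
    """Return (phones, unexpected): phones matched by OUI, other hosts not in the allowlist."""
    phones, unexpected = [], []
    for m in ARP_LINE.finditer(arp_text):
        ip, mac = m.group("ip"), m.group("mac").lower()
        vendor = ouis.get(oui(mac))
        if vendor:
            phones.append((ip, mac, vendor))
        elif ip not in allowlist:
            unexpected.append((ip, mac))
    return phones, unexpected


if __name__ == "__main__":
    phones, unexpected = classify_vlan_hosts(SAMPLE_ARP, allowlist={"10.0.5.1"})
    print(f"{len(phones)} phones on the voice VLAN")
    for ip, mac in unexpected:
        print(f"ALERT non-phone host on voice VLAN: {ip} ({mac})")
```

MAC addresses are trivially spoofed, so this is a tripwire for the careless case, not an access control; the durable fix is the one the talk closes on, treating the voice VLAN as untrusted and putting it behind the same monitoring and ACLs as the data VLAN.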

More phun with VoIP

• Kali/Metasploit: auxiliary/voip, auxiliary/scanner/sip

• SIPvicious / SIPdump / SIPCrack

Future Development

• SIP Tunneling

• Exploit and Exfiltration Framework

• Enumeration of trusted devices within the information system

• Flashing Custom Firmware


Wrapping it up…

• Trusted can’t be trusted

• Secure configuration and Monitoring FTW!

• Know your network better than I will

The Last Meow…

QUESTIONS?

Brandon McCrillis

brandon@renditioninfosec.com

@13M4C