Alessio Pennasilico VoIP security
Transcript of Alessio Pennasilico VoIP security
VoIP (in)Security
All your bases belong to us
Alessio L.R. [email protected]
twitter: mayhemspp
FaceBook: alessio.pennasilico
Phone/Fax +39 045 8271222
Verona, Milano, Roma
http://www.alba.st/
Cagliari, 13 June 2011
$ whois mayhem
Board of Directors: CLUSIT, ISSA Italian Chapter, Italian Linux Society, OpenBSD
Italian User Group, Metro Olografix, Sikurezza.org, Spippolatori Hacker Club
Hacker’s Profiling Project, CrISTAL, Recursiva.org
Security Evangelist @
IT Security...
A useless obstacle
that slows down everyday operations
and harms the business?
IT Security...
Or prevention of and response to events that would harm the business even more?
Evolution
Technology evolves…
… and so do the threats!
Video: I signori della truffa
mayhem
I’m worried
VoIP explosion
“Mobile VoIP Users to Nearly 139 Million by 2014
Says In-Stat”
Telecom
news
CALEA
laws
Spyware
economic interests
mayhem
everyone wants to know
something about me
mayhem
it’s none of your business (KL)
History
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin, 1759
Phones
eavesdropping
Phones
It’s possible
to listen to others’ conversations
from another shared line phone.
Phones
It’s possible to connect
a specific eavesdropping device
to the phone line
with crocodile clips
Phones
It’s possible to eavesdrop
from the central PBX
or from ISP switches.
Phones
It’s possible to eavesdrop
from trunks
with advanced technologies.
Deployment
Faster, easier and cheaper to deploy
over national IP network infrastructure
Services
Native advanced services
for every user
Fax2Mail, VoiceMail, IVR, text2speech
Tools
Plenty of OpenSource Projects
fully functional and very mature
user, business and carrier oriented
Asterisk, FreeSwitch, OpenSER, OpenSBC
Standards
Using standard protocols
it’s truly interoperable
SIP, H.323, IAX
Integration
The PBX or the VoIP client
can interact with other applications
and use centralized data
billing, E.164, CRM integration
Question
but what about security?
All your VoIP belongs to us :)
Traditional Telephony
“I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer.”
Captain Crunch, “Secrets of the Little Blue Box“, 1971
(slide from Hacker's Profile Project, http://hpp.recursiva.org)
Eavesdropping
“Unknowns tapped the mobile phones of about 100 Greek politicians and offices, including the U.S. embassy in Athens and the Greek prime minister.”
Bruce Schneier, his blog, 22nd June 2006
Greek wiretapping scandal
First attacks ...
“A brute-force password attack was launched against a SIP-based PBX in what appeared to be an attempt to guess passwords. Queries were coming in about 10 per second. Extension/identities were incrementing during each attempt, and it appeared that a full range of extensions were cycled over and over with the new password. The User-Agent: string was almost certainly falsified.”
John Todd on VoIPSA mailinglist, May 24th 2006
Frauds
“Edwin Andreas Pena, a 23 year old Miami resident, was arrested by the Federal government: he was involved in a scheme to sell discounted Internet phone service by breaking into other Internet phone providers and routing connections through their networks.”
The New York Times, June 7th 2006
Robert Moore
“I'd say 85% of them were misconfigured routers. They had the default passwords on them: you would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them”.
"It's so easy a caveman can do it!"
VoIP Risks
Telephones had always been seen as secure, because they use proprietary hardware,
proprietary protocols, and are disconnected from the other devices.
VoIP multiplies traditional telephony risks by IP network risks.
ISDN2SIP
Protect us!
The end user has no way to protect himself: he has to adhere to his carrier's configuration.
Providers and companies implementing a VoIP infrastructure should take care of their customers’ security and privacy.
SPIT
SPAM over Internet Telephony will become an emergency.
The low cost of VoIP calls, the wide availability of human and technical resources, the use of recorded messages, and high revenues even on low purchases make SPIT an attractive business.
Vishing
Voice Phishing is a typical fraud against end users, made possible by VoIP characteristics.
The low cost of this technology makes it possible to deploy this attack on a large scale, integrating some “old style” attacks (e.g. wardialing, caller ID spoofing).
This fraud is based on the user’s trust in the “telephone device” and in the caller's identity.
Risks
Denial of Service (DoS), eavesdropping, identity theft, toll fraud, Vishing and SPIT are real risks.
There are dozens of free, OpenSource, downloadable tools built specifically to test/attack VoIP protocols and devices.
We can use them to secure our infrastructure!
Boot sequence
• Boot
• Retrieve Conf
• Registration
• Signaling
• RTP
Power up the phone ...
VoIP phones execute some actions at bootstrap, many of them vulnerable to different legacy attacks:
• Phones obtain an IP address from a DHCP server
• DHCP furnishes the TFTP server address to the phone
• Phones download the firmware from the TFTP server
• Phones download configuration from the TFTP server
• Phones authenticate on the VoIP server
...and start a call.
When bootstrap is complete the phone exchanges some information with the server, to describe its status and inform the VoIP PBX about call status (signaling).
When a call is answered a new traffic flow of UDP packets starts, carrying our voice. This is called RTP and can be established between end points or between each SIP-UA and its server.
What can I do? :)
DHCP Spoofing -> TFTP redirect
TFTP Spoofing -> OS substitution
TFTP Queries -> obtain configurations
Password Sniffing
PBX Spoofing -> negotiate auth
RTP Traffic in clear
VLAN
VLAN Packets
Tagged frame: macsrc | macdst | TAG | Data
Untagged frame: macsrc | macdst | Data
Configure the phone
Configure the switch
Inter-VLAN routing
You need at least an L3 device
Can be a Firewall with ACLs
A VoIP-protocol-aware firewall is much more effective
AAA
Authentication
Authorization
Accounting
Do you have all 3 As?
Encrypting
VPN?
Signaling -> TLS
RTP -> SRTP
PKI? Lawful interception?
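One way to check the "Signaling -> TLS, RTP -> SRTP" points on real traffic is to audit the INVITEs your PBX sees. The following is an added example, not part of the original slides: the sample messages, host names and finding labels are constructed, and it also flags the case where SRTP keys (SDES `a=crypto`) travel inside cleartext signaling.

```python
"""Audit a SIP INVITE for cleartext signaling, cleartext RTP and exposed SRTP keys."""

# SDP media profiles that mean SRTP (RFC 3711 / RFC 5764 style offers).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def build_invite(transport, profile, crypto_line=None):
    """Build a constructed INVITE (made-up hosts, tags and key placeholder)."""
    sdp = ["v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 40000 {profile} 0 8"]
    if crypto_line:
        sdp.append(crypto_line)
    head = ["INVITE sip:120@pbx.example.test SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bKconstructed",
            "From: <sip:111@pbx.example.test>;tag=a1",
            "To: <sip:120@pbx.example.test>",
            "Call-ID: constructed-1@192.0.2.10",
            "CSeq: 1 INVITE",
            "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"


def split_message(raw):
    """Return (start_line, [[name, value], ...], body) for one SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:      # folded header continuation
            headers[-1][1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        headers.append([name.strip().lower(), value.strip()])
    return lines[0], headers, body


def media_sections(sdp):
    """Group SDP attributes under the m= line they belong to."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) >= 3:
                sections.append({"media": parts[0], "proto": parts[2].upper(), "attrs": []})
        elif line.startswith("a=") and sections:
            sections[-1]["attrs"].append(line[2:])
    return sections


def audit_invite(raw):
    """Return a list of findings; an empty list means TLS signaling and SRTP media."""
    _, headers, body = split_message(raw)
    findings = []
    # The topmost Via (also in its compact form "v") names the transport of this hop.
    vias = [value for name, value in headers if name in ("via", "v")]
    transport = vias[0].split()[0].split("/")[-1].upper() if vias else "?"
    tls = transport == "TLS"
    if not tls:
        findings.append(f"signaling-cleartext:{transport}")
    for section in media_sections(body):
        if section["proto"] not in SRTP_PROFILES:
            findings.append(f"rtp-cleartext:{section['media']}")
        elif not tls and any(a.startswith("crypto:") for a in section["attrs"]):
            # SRTP is offered, but the master key is readable by anyone who sees the INVITE.
            findings.append(f"sdes-key-exposed:{section['media']}")
    return findings


# Constructed key placeholder, not a real SRTP master key.
CRYPTO = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDPLACEHOLDERKEY"
CLEAR = build_invite("UDP", "RTP/AVP")
SDES_OVER_UDP = build_invite("UDP", "RTP/SAVP", CRYPTO)
SECURE = build_invite("TLS", "RTP/SAVP", CRYPTO)

if __name__ == "__main__":
    for label, msg in (("clear", CLEAR), ("sdes-over-udp", SDES_OVER_UDP), ("secure", SECURE)):
        print(label, audit_invite(msg))
```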
Periodic PenTests
Is your infrastructure secure today?
If yes, will it still be secure in 6 months?
mis-configuration
0039081XXXXXXX
“Press 1 for commercial office,
2 for sales dept, 3 to access the search menu,
9 to talk with an operator”
3 0 0456152498
“Alba S.T., good morning, how may I help you?”
“clever” devices
Many network devices support security features to mitigate known attacks:
✓ gratuitous ARP block
✓ DHCP snooping
✓ flood detection
✓ QoS support
✓ …
Power over Ethernet
Is your switch on a UPS?
How long can your UPS run on battery
while powering the phones?
Quality of Service
Security feature?
Can preserve the VoIP traffic from being delayed / dropped
...needed...
Redundancy
Is it a security feature, or just about business continuity?
Don’t know, but you need it :)
Training
Security is unsuccessful if you do not teach people what to do, how to use the new technology you give them, and the importance of the data they’re managing.
Tools to test your infrastructures...
Ettercap
The Man in the Middle attack suite. Multiplatform, usable from console or in a window manager.
Ettercap lets you perform all typical layer 2 tests to understand how vulnerable our switched network is if not correctly protected.
Keywords: arp spoofing, arp poisoning, hijacking, sniffing, decoding, dns spoofing, dos, flood.
http://ettercap.sourceforge.net/
Ettercap (2)
Vomit
Voice Over Misconfigured Internet Telephones, from a standard tcpdump log trace, can create a wave file
with the audio conversation intercepted on the monitored network.
It supports MGCP protocol with G.711 codec and works only on Linux.
./vomit -r elisa.dump | waveplay -S 8000 -B 16 -C 1
Wireshark
Multiplatform sniffer, with many decoders that make it possible to work with the intercepted traffic.
Wireshark can identify and decode both signaling and RTP traffic and shows all the information needed for subsequent analysis.
http://www.wireshark.org/
Wireshark (2)
Oreka
Available for Windows and Linux, supports Cisco Call Manager, Lucent APX8000, Avaya, S8500, Siemens
HiPath, VocalData, Sylantro and Asterisk SIP channel protocols.
Eavesdrops and records RTP part of phone calls.
Simple, intuitive, accessible through a web interface, based on a MySQL database.
http://oreka.sourceforge.net/
Ohrwurm
“Ear worm” is an RTP fuzzer. It sends a large number of requests, with different combinations of parameters, some correct and some making little or no sense, to interpret the answers and identify anomalies.
Anomalies are often the launchpad to discover a bug or some implementation defect.
http://mazzoo.de/blog/2006/08/25#ohrwurm
SipSak
SIP Swiss Army Knife lets you interact with any SIP device, forging ad-hoc SIP traffic to gather information on its target's features and behaviour.
http://sipsak.org/
Smap
By merging nmap and SipSak, this project creates a new dedicated tool: a program able to detect all SIP devices in the network and produce a report for each one.
This will permit us to obtain a map of VoIP devices, with their features, brand and model.
http://www.wormulon.net/index.php?/archives/1125-smap-released.html
SiVus
It’s a SIP security scanner: it verifies characteristics of scan targets and compares them against a database of known misconfigurations or bugs.
This database is growing at a very impressive rate …
http://www.vopsecurity.org/html/tools.html
SipVicious
SIPVicious is an integrated suite that allows you to scan, enumerate, and crack SIP accounts.
svmap - this is a sip scanner. Lists SIP devices found on an IP range
svwar - identifies active extensions on a PBX
svcrack - an online password cracker for SIP PBX
svreport - manages sessions and exports reports to various formats
Scan
mayhem$ python svmap.py 192.168.99.0/24
| SIP Device         | User Agent   |
-------------------------------------
| 192.168.99.13:5060 | Asterisk PBX |
Enumerate
mayhem$ python svwar.py -e 100-200 192.168.99.13
| Extension | Authentication |
------------------------------
| 120       | reqauth        |
| 111       | reqauth        |
| 125       | noauth         |
Brute Force
mayhem$ python svcrack.py -n -u 111 -r 1000-9999 192.168.99.13
| Extension | Password |
------------------------
| 111       | 1234     |
mayhem$ python svcrack.py -n -u 120 -r 1000-9999 192.168.99.13
| Extension | Password |
------------------------
| 120       | 1357     |
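From the PBX side, the enumeration and brute-force runs above (and the pattern John Todd describes: about 10 queries per second, extensions incrementing, the range cycled over and over) show up as bursts of failed authentications from one source. The following is an added example, not part of the original slides: a sliding-window detector over a constructed log format; the field names, thresholds and addresses are assumptions, not the output of any real PBX.

```python
"""Detect SIP extension sweeps and password guessing from failed-auth log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed look-back window
MAX_EXTENSIONS = 5               # distinct extensions failing from one source per window
MAX_FAILURES_PER_EXT = 20        # failures against one extension from one source per window


def build_sample_log():
    """Constructed log lines: '<iso timestamp> src=<ip> ext=<n> result=<fail|ok>'."""
    t0 = datetime(2011, 6, 13, 10, 0, 0)
    step = timedelta(milliseconds=100)           # about 10 attempts per second
    lines = []
    for i in range(20):                          # one source walking extensions 100..119
        lines.append(f"{(t0 + i * step).isoformat()} src=203.0.113.7 ext={100 + i} result=fail")
    for i in range(30):                          # one source hammering extension 111
        lines.append(f"{(t0 + i * step).isoformat()} src=203.0.113.9 ext=111 result=fail")
    for i, result in enumerate(["fail", "fail", "ok"]):   # a user mistyping a password
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} src=192.0.2.50 ext=125 result={result}")
    return lines


def parse(line):
    """Turn one log line into (timestamp, source, extension, result)."""
    stamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(stamp), fields["src"], fields["ext"], fields["result"]


def detect(lines, window=WINDOW):
    """Return a sorted list of (source, alert_kind) for sources over either threshold."""
    recent = defaultdict(deque)                  # source -> recent (timestamp, extension) failures
    alerts = set()
    for ts, src, ext, result in sorted(parse(line) for line in lines):
        if result != "fail":
            continue
        queue = recent[src]
        queue.append((ts, ext))
        while queue and ts - queue[0][0] > window:   # drop failures older than the window
            queue.popleft()
        extensions = [e for _, e in queue]
        if len(set(extensions)) > MAX_EXTENSIONS:
            alerts.add((src, "extension-sweep"))
        if extensions.count(ext) > MAX_FAILURES_PER_EXT:
            alerts.add((src, "password-guessing"))
    return sorted(alerts)


if __name__ == "__main__":
    for source, kind in detect(build_sample_log()):
        print(f"ALERT {kind} from {source}")
```

Alerts like these are what you would feed into rate limiting or a temporary block on the source address; the thresholds need tuning against your own registration traffic.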
Other tools
Packet Gen & Packet Scan, Shoot, Sipness, Sipshare,
Sip scenario, Siptest harness, Sipv6analyzer,
Winsip Call Generator, Sipsim,
Mediapro, Netdude,
SipBomber,
RTP Flooder, Invite flooder, RTP injector,
Sipscan, reg. hijacker eraser/adder,
Fuzzy Packet, Iax Flooder, Cain & Abel,
SipKill, SFTF,
VoIPong, SipP
Conclusions
✓ Pay attention to risk analysis and planning!
✓ Divide into multiple VLANs
✓ Implement QoS
✓ Be extremely careful with AAA
✓ Use cryptography! (TLS, SRTP)
✓ Use “clever” devices (can mitigate mitm, garp, spoofing, flooding and other known attacks)
✓ Application-level firewall
✓ Avoid single points of failure
✓ Periodic security tests
Bibliography
http://www.voipsa.org
http://www.voip-info.org
http://misitano.com/pubs/voip-ictsec.pdf
http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58.zip
http://www.nytimes.com/2006/06/08/technology/08voice.html
http://www.schneier.com/blog/
http://www.cloudmark.com/press/releases/?release=2006-04-25-2
http://www.usdoj.gov/usao/nj/press/files/pdffiles/penacomplaint.pdf
http://www.usdoj.gov/usao/pae/News/Pr/2005/feb/Moore.pdf
Scholz - Attacking VoIP Networks
Conclusions
VoIP can be secure
more secure
than traditional telephony
it depends on us
Questions?
Thank you for your attention!
These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to Creative Commons Attribution-ShareAlike-2.5 version; you can copy, modify, or sell them. “Please” cite your source and use the same licence :)
Quote from the video
Our world is no longer ruled by weapons, energy or money; it is ruled by little ones and zeros, by bits and data, everything is just electronics.
There's a war out there, my friend. A world war. And it doesn't matter in the least who has the most bullets; what matters is who controls the information. What we see, what we hear, how we work, what we think: it is all based on information!