Internet of Terrible: Can you hear me meow?

Internet of Terrible

Can you hear me meow?

©2016 RSEC.US -=- Brandon McCrillis

• Name: Brandon McCrillis

• Company: Rendition InfoSec

• Email: [email protected]

• URL: RSEC.US

• Twitter: @13M4C

• Model: DA243A-ABA 6415cl NA910 • TotalPhysicalMemory: 804765696

Get-WmiObject -Class Win32_ComputerSystem

mailto:[email protected]




Objectives:

Discuss case studies of conducting network

enumeration using VoIP infrastructure and other

embedded devices


Objectives:

Highlight attack methodologies that can be

used for credential harvesting, enumeration,

denial of service, and persistence


Objectives:

Practical Defensive techniques and real-world attacker mitigations via monitoring and secure

configuration


Objectives:

Therapeutically work through some *minor* cat issues


Times have changed…


The Internet of Terrible

1983: CYBER

CSI++


IoT: All the things!

©2016 RSEC.US -=- Brandon McCrillis©2016 RSEC.US

Spy-on-you Barbie!

Embedded Devices…Doing things with stuff


Embedded Devices

In-flight Entertainment

Much Services, Many Lulz

Y’know, living off the land…


Real-world Assessments…

Voice over IP…Teh VoIP


What is VoIP?


What is Asterisk?

Where it’s at..Two turn-tables and a Polycom phone


What’s in the box…


Reduce, Reuse, Recycle


Can you hear me meow?


Factory Reset Devices pls!


Meh?


I have wut u need…


Default SoundPoint 501 Creds

• Default TFTP || FTP:username: PlcmSpIppassword: PlcmSpIp

• DEFAULT HTTP:username: Polycompassword: 456

Default User Pass: 123Default Admin Pass: 456


Ye Old Web GUI


Sure, I’ll bite…


Base64 Decode

Polycom : 456


AsteriskNOW

Attacking VoIP…Calling your mother


• Information Gathering / Enumeration• Monitoring and Eavesdropping • Attacking Authentication• VLAN Hopping• Denial of Service / Flooding• Spoofing Caller ID

Common Attack Vectors

VoIP WeaponizedI shouldn’t be able to do this!


Oh so sexy….


CHECK-SYNC

Many vendors allow for a remote reboot of phones to facilitate SIP configuration

updates.

When an attacker 0wn yer VoIP


CHECK-SYNC



CHECK-SYNC

Using this for pure evil, an attacker can force consumption of a tampered

configuration to the phone… unauthenticated.



CHECK-SYNC

Check-sync DoS



• Python-based SIP Packet Forging Tool by Pietro Bertera (bertera.it)

https://github.com/pbertera/SIPPing

Also, wrote a blog post regarding SIP packet filtering using iptables

SIPPing …FTW!




Crafted check-sync packet


SPECIAL EXTENSIONS

Configuration of a “special extension” with auto-answer can force the phone to

answer a call (without ringing) and immediately force the speakerphone mic

to listen. …a real time audio feed… without user interaction or knowledge.



SPECIAL EXTENSIONS



VLAN Hopping

Often times VoIP VLANs are not monitored (read: trusted) -- “Plug and

Play” hopping…



VLAN Hopping



More phun with VoIP

auxillary/voipauxillary/scanner/sip

SIPvicious / SIPdump / SIPCrack

Kali/Metasploit


Future Development

• SIP Tunneling

• Exploit and Exfiltration Framework

• Enumeration of trusted devices within the information system

• Flashing Custom Firmware


The Last Meow…

QUESTIONS?

Brandon McCrillis

[email protected]

@13M4C




Internet of Terrible: Can you hear me meow?

Technology

Transcript of Internet of Terrible: Can you hear me meow?