SIP Tactics && Exploitation By Jacky Altal and Yosseff Cohen ILHACK 2009.


About us – Jacky 4lt4l

Professional Experience:
• Two years as a security and data communication expert at a local company.
• Six years as a software developer and Security Consultant at a local Bio-Tech company.
• Hacking Defined Leading Instructor – Technion CISO/SECPROF programs.

Specializing in:
• Penetration Testing
• Vulnerability Research
• Forensics Investigations

TOC

• VoIP – The Real World
• VoIP - Know Your Environment
• VoIP - Security Threats
• VoIP - Lab
• VoIP - Q&A

VoIP – Reality

Why do we ask those questions?

According to Emerging Cyber Threats for 2009 (Georgia Tech Info Sec Center), more than 75 percent of corporate phone lines will be using Voice Over IP (VoIP) in the next two years.

“From the outset, VoIP infrastructure has been vulnerable to the same types of attacks that plague other networked computing architectures. When voice is digitized, encoded, compressed into packets and exchanged over IP networks, it is susceptible to misuse. Cyber criminals will be drawn to the VoIP medium to engage in voice fraud, data theft and other scams—similar to the problems email has experienced. Denial of service, remote code execution and botnets all apply to VoIP networks, and will become more problematic for mobile devices as well.” Emerging Cyber Threats for 2009 by the Georgia Tech Information Security Center

VoIP – Reality

“VoIP is about convergence. The idea is that you save money and resources and time,” Next Generation Security

Because VoIP connects telephone calls via the Internet, it shares the Internet’s weaknesses.

Many incumbent telecommunication carriers have started offering VoIP.

The aspect of security, or lack thereof, is misunderstood by some of the VoIP service providers, including local providers. I`m n0t Smiling…

VoIP Tactics && Hacking


About us – Yossef Cohen (SIPM4ST3R)

Professional Experience:
• 10 years of experience in the telecom market working for Amdocs Israel, the last 3 years as Integration Manager for projects such as Sprint 4G, AT&T and BMCC China;
• Founder of MaxxVoice.com, developed during the Sabbatical year in 2006.

Specializing in:
• Penetration Testing
• Vulnerability Research
• Forensics Investigations

VoIP – Know Your Environment: VoIP

• VoIP: Voice Over Internet Protocol
  – Phone calls over the internet
  – Is used through softphones or IP phones/ATA
  – Supports QoS
  – Supports several audio codecs

VoIP – Know Your Environment: SIP

• SIP: Session Initiation Protocol
  – Used for signaling
  – Supports audio and video
  – TCP and UDP
  – Uses port 5060
  – ASCII protocol like SMTP and HTTP

VoIP – Know Your Environment: RTP

• RTP: Real-time Transport Protocol
  – Used for the voice transport
  – UDP
  – Is dynamic, not using standard ports

• RTCP: RTP Control Protocol
  – Controls and monitors the voice transport

VoIP – Know Your Environment: Addressing

• SIP uses mail format address, in the pattern:
  – <user | phone number>@<domain | hostname | IP address>

• Some examples:
  – [email protected]
  – [email protected]

VoIP – Know Your Environment: SIP Signaling

• INVITE from caller

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.0.204:5060;rport;branch=z9hG4bK42ccbc6905
From: <sip:[email protected]>;tag=33a31c9c
To: <sip:[email protected]>
Call-ID: [email protected]
Contact: <sip:[email protected]:5060>
CSeq: 801 INVITE
Max-Forwards: 70
Allow: INVITE,CANCEL,ACK,BYE,NOTIFY,REFER,OPTIONS,INFO,MESSAGE
Content-Type: application/sdp
User-Agent: Nologo
Content-Length: 429

• Ringing

<--- SIP read from 192.168.5.15:5060 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK565267b5
From: <sip:[email protected]>;tag=as23f90079
To: <sip:[email protected];user=phone>;tag=419b9912cbfa34b2
Call-ID: [email protected]
CSeq: 102 INVITE
User-Agent: Grandstream HT488 1.0.3.64 FXS
Content-Length: 0

• OK from called peer (answered)

<--- SIP read from 192.168.5.10:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.5.10:5060;rport;branch=z9hG4bK62b65b4f29;received=192.168.5.10
From: <sip:[email protected]>;tag=1983eb6f
To: <sip:[email protected]>;tag=as36a497bc
Call-ID: [email protected]
CSeq: 802 INVITE
User-Agent: SIPM4ST3R
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Contact: <sip:[email protected]>
Content-Type: application/sdp
Content-Length: 264

• ACK from caller to start the RTP session

<--- SIP read from 192.168.5.10:5060 --->
ACK sip:[email protected];user=phone SIP/2.0
Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK384d1e7a
From: <sip:[email protected]>;tag=as23f90079
To: <sip:[email protected];user=phone>;tag=419b9912cbfa34b2
Contact: <sip:[email protected]>
Call-ID: [email protected]
CSeq: 102 ACK
User-Agent: SIPM4ST3R
Max-Forwards: 70
Content-Length: 0

• BYE from called peer, hang-up

<--- SIP read from 192.168.5.15:5060 --->
BYE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.0.202;branch=z9hG4bKbcb6e24514450a48
From: <sip:[email protected];user=phone>;tag=2efac6b2150259f8
To: <sip:[email protected]>;tag=as1ca51ab9
Call-ID: [email protected]
CSeq: 33409 BYE
User-Agent: Grandstream HT488 1.0.3.64 FXS
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE
Content-Length: 0

• BYE from caller

<--- SIP read from 192.168.5.10:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK099b03fe
From: <sip:[email protected]>;tag=as36a497bc
To: <sip:[email protected]>;tag=1983eb6f
Call-ID: [email protected]
CSeq: 102 BYE
Content-Length: 0

VoIP - Security Threats

Threats by layer:

• Network: Physical attack, ARP Cache, ARP Flood, MAC Spoofing
• Internet: IP Spoofing, Redirect via IP, IP Frag
• Transport: TCP/UDP Flood, TCP/UDP Replay
• Application: TFTP Insertion, DHCP Insertion, Spoof, RTP Tamper


Unblock the Blocker – Kevin Mitnick

Google Dork: intext:"FreePBX Administration" + "Welcome" inurl:Admin

Default Trix Box VOIP Servers

Default passwords, vulnerable servers.


Directory Harvesting

VoIP directory harvesting attacks occur when attackers attempt to find valid VoIP addresses by conducting brute force attacks on a network. The attacker can send thousands of VoIP addresses to a particular VoIP domain; those that are not returned are valid VoIP clients.

Laptop, 5060. (Add a screenshot of a scan here.)
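A detection sketch for the directory-harvesting pattern described above, as an added example that is not part of the original slides: it flags any source that probes many distinct SIP users inside a short sliding window. The log format, the window and threshold values, and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed log format (assumption, not from the slides):
#   <epoch-seconds> <source-ip> <METHOD> sip:<user>@<domain> <status>
LINE_RE = re.compile(
    r"^(\d+) (\S+) (REGISTER|OPTIONS|INVITE) sip:([^@\s]+)@(\S+) (\d{3})$")

def find_harvesters(lines, window=60, max_users=5):
    """Return {source_ip: peak distinct-user count} for every source that
    addressed more than max_users different users within `window` seconds."""
    recent = defaultdict(deque)            # source -> deque of (timestamp, user)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip lines that do not parse
        ts, src, user = int(m.group(1)), m.group(2), m.group(4)
        q = recent[src]
        q.append((ts, user))
        while q and q[0][0] <= ts - window:
            q.popleft()                    # forget events outside the window
        distinct = len({u for _, u in q})
        if distinct > max_users:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

# Constructed sample: one phone re-registering its own extension, and one
# source walking through twenty consecutive extensions in twenty seconds.
SAMPLE_LOG = [
    "1000 10.0.0.5 REGISTER sip:1001@pbx.example.test 200",
    "1030 10.0.0.5 REGISTER sip:1001@pbx.example.test 200",
] + [
    f"{1000 + i} 203.0.113.9 OPTIONS sip:{2000 + i}@pbx.example.test 404"
    for i in range(20)
]

if __name__ == "__main__":
    for src, count in find_harvesters(SAMPLE_LOG).items():
        print(f"possible directory harvesting from {src}: {count} users in 60s")
```
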

Eavesdropping

Voice packets are subject to man-in-the-middle attacks where a hacker spoofs the MAC address of two parties and forces VoIP packets to flow through the hacker's system.

• Reassemble voice packets
• Listen in to real-time conversations

Hackers can also gain access to all sorts of sensitive data and information, such as user names, passwords, and VoIP system information.

SQL injection and password guessing can be launched in a distributed manner using different SIP URIs.

SQL-Injection Tampering via SIP

The Authorization Digest header can be tampered with in order to inject an SQL query.

Update subcriber set first_name=‘jacky_altal’ Where username=‘asterisk’--, realm=“192.168.10.100”, algorithm=“md5”, Nonce=“41351a34b342b43434d223421d”, Response=“a6466dce7890e087e6e55e67e2ee3”
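The server-side mitigation for the tampered Digest header above, as an added example that is not part of the original slides: the username taken from the header is checked against an allowlist and passed to the database only as a bound parameter. The `subscriber` schema, the username policy and both header strings are constructed for illustration.

```python
import re
import sqlite3

# Digest parameters: key="quoted value" or key=token, separated by commas.
PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')
SAFE_USER = re.compile(r"[A-Za-z0-9._+-]{1,64}")   # assumed local username policy

def parse_digest(value):
    """Split 'Digest k="v", ...' into a dict; None if the scheme is not Digest."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k.lower(): quoted or token
            for k, quoted, token in PARAM_RE.findall(rest)}

def lookup_ha1(db, header_value):
    """Return the stored HA1 for the user named in the header, or None."""
    params = parse_digest(header_value)
    if not params:
        return None
    user = params.get("username", "")
    if not SAFE_USER.fullmatch(user):      # quotes, spaces, '--' are rejected
        return None
    # Bound parameter: the header value is never spliced into the SQL text.
    row = db.execute(
        "SELECT ha1 FROM subscriber WHERE username = ?", (user,)).fetchone()
    return row[0] if row else None

def demo_db():
    """In-memory table with one constructed subscriber row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriber "
               "(username TEXT PRIMARY KEY, first_name TEXT, ha1 TEXT)")
    db.execute("INSERT INTO subscriber VALUES ('asterisk', 'pbx', 'constructed-ha1')")
    return db

# Constructed header values; TAMPERED carries SQL metacharacters in username.
GOOD = 'Digest username="asterisk", realm="192.168.10.100", nonce="n1", response="r1"'
TAMPERED = 'Digest username="asterisk\'--", realm="192.168.10.100", nonce="n1", response="r1"'

if __name__ == "__main__":
    db = demo_db()
    print(lookup_ha1(db, GOOD), lookup_ha1(db, TAMPERED))
```
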

Invite Of Death Attack

The Invite of Death attack simply demonstrates that VoIP is affected by exactly the same types of vulnerabilities as any other IP application. In this case a simple implementation error leaves the application open to a remote Denial Of Service attack. This vulnerability has already been fixed but there are many others to come.

In other words, if you are relying on a generic firewall to protect your voice system, the chances are that it will not block or even detect these threats.
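A SIP-aware sanity check of the kind a generic firewall does not perform, as an added example that is not part of the original slides: because SIP is a text protocol, a border element can parse each message and refuse ones that are structurally wrong before the PBX sees them. The checks, the strict Content-Length policy and the sample messages (modelled on the INVITE slide, with placeholder addresses) are constructed for illustration and do not reproduce any specific vulnerability.

```python
REQUIRED = ("via", "from", "to", "call-id", "cseq")

def check_sip(raw: bytes, max_line=1024):
    """Return a list of problems in one SIP message (empty list = passes).
    Strict policy assumed here: Content-Length must be present and exact.
    Compact header names (v, f, t, i, l) are not expanded in this sketch."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no blank line terminating the headers"]
    lines = head.decode("utf-8", "replace").split("\r\n")
    parts = lines[0].split(" ")
    is_response = parts[0] == "SIP/2.0"
    problems, headers = [], {}
    if len(parts) < 3 or not (is_response or parts[2] == "SIP/2.0"):
        problems.append("malformed start line")
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            continue                       # folded continuation of previous header
        name, colon, value = line.partition(":")
        if not colon or len(line) > max_line:
            problems.append(f"bad or oversized header: {line[:30]!r}")
            continue
        headers.setdefault(name.strip().lower(), value.strip())
    required = REQUIRED if is_response else REQUIRED + ("max-forwards",)
    problems += [f"missing {h}" for h in required if h not in headers]
    if not is_response and "cseq" in headers:
        if headers["cseq"].split()[-1:] != [parts[0]]:
            problems.append("CSeq method does not match request method")
    clen = headers.get("content-length", "")
    if not (clen.isascii() and clen.isdigit()):
        problems.append("Content-Length missing or not a number")
    elif int(clen) != len(body):
        problems.append(f"Content-Length {clen} != body length {len(body)}")
    return problems

# Constructed samples: a well-formed INVITE and a structurally broken copy.
GOOD_INVITE = (
    b"INVITE sip:1002@pbx.example.test SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.0.204:5060;rport;branch=z9hG4bK42ccbc6905\r\n"
    b"From: <sip:1001@pbx.example.test>;tag=33a31c9c\r\n"
    b"To: <sip:1002@pbx.example.test>\r\n"
    b"Call-ID: constructed-id@192.168.0.204\r\n"
    b"CSeq: 801 INVITE\r\n"
    b"Max-Forwards: 70\r\n"
    b"Content-Length: 4\r\n\r\nv=0\n"
)
BAD_INVITE = (GOOD_INVITE.replace(b"Content-Length: 4", b"Content-Length: -1")
              .replace(b"CSeq: 801 INVITE\r\n", b""))
```
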

SIPy – send spoofed call to sip client Killer
Written by Jacky Altal and Yossef Cohen

SipY – SIP software testing

SipY – SIP Server/Client Vulnerability testing

Modify Request

Reverse Request

Modify Request


Are You R-E-A-D-Y??? Let`s F-I-G-H-T!!!

LAB

• CentOS – Linux Distro http://www.centos.org/
• Asterisk – Open Source PBX http://www.asterisk.org/
• xLite – SIP Client
• iPhone SIP client (home made)

Of course, there are many other codecs and other stuff…

iWar012 – ;) Network Range Mass Scanning

http://www.softwink.com/iwar/

We can find other lines and scan network ranges by IPs and phone numbers.

Find FREE X.25 networks

Free SEX Lines

Encryption: what is it good for?

Provisioning Servers

しかたが ない Shikata ga nai….


Question? > /dev/null


The End

[email protected] [email protected] http://4lt4l.blogspot.com