SIP Tactics && Exploitation By Jacky Altal and Yosseff Cohen ILHACK 2009.
-
Upload
gregory-winfred-hancock -
Category
Documents
-
view
218 -
download
0
Transcript of SIP Tactics && Exploitation By Jacky Altal and Yosseff Cohen ILHACK 2009.
SIP Tactics && Exploitation
By Jacky Altal and Yosseff Cohen
ILHACK 2009
About us – Jacky 4lt4l
Professional Experience:• Two years as a security and data communication expert at local company.• Six years as a software developer and Security Consultant at a local Bio-
Tech company.• Hacking Defined Leading Instructor – Technion CISO/SECPROF
programs.
Specializing in:• Penetration Testing• Vulnerability Research• Forensics Investigations
TOC
\x01 VoIP – The Real World
\x02 VoIP - Know Your Environment
\x03 VoIP - Security Threats
\x04 VoIP - Lab
\x05 VoIP - Q&A
Why do we ask those Questions?
According to Emerging Cyber Threats for 2009 (Georgia Tech Info Sec Center) more then 75 percents of corporate phone lines will be using Voice Over IP (VoIP) in the next two years.
“From the outset, VoIP infrastructure has been vulnerable to the same types of attacks that plague other networked computing architectures. When voice is digitized, encoded, compressed into packets and exchanged over IP networks, it is susceptible to misuse. Cyber criminals will be drawn to the VoIP medium to engage in voice fraud, data theft and other scams—similar to the problems email has experienced. Denial of service, remote code execution and botnets all apply to VoIP networks, and will become more problematic for mobile devices as well. “ Emerging Cyber Threats for 2009 by the Georgia Tech Information Security Center
\x01 VoIP – Reality\x01 VoIP – Reality
“VoIP is about convergence. The idea is that you save money and resources and time,” Next Generation Security
Because VoIP connects telephone calls via the Internet, it shares the Internet’s weaknesses.
many incumbent telecommunication carriers have started offering VoIP
the aspect of security, or lack thereof, is misunderstood by some of the VoIP service providers. Includes local Providers I`m n0t Smiling…
VoIP Tactics && Hacking
\x01 VoIP – Reality\x01 VoIP – Reality
\x01 VoIP – Reality\x01 VoIP – Reality
\x01 VoIP – Home \x01 VoIP – Home
About us – Yossef Cohen (SIPM4ST3R)
Professional Experience:• 10 years of experience in the telecom market working for Amdocs Israel,
last 3 years as Integration Manager for projects as Sprint 4G, AT&T and BMCC china;
• Founder of MaxxVoice.com, developed during the Sabbatical year in 2006.
Specializing in:• Penetration Testing• Vulnerability Research• Forensics Investigations
• VoIP: Voice Over Internet Protocol– Phone calls over the internet– Is used through softphones or IP phones/ATA– Supports QoS– Supports several audio codecs
\x01 VoIP – Know Your Environment \x01 VoIP – Know Your Environment VoIPVoIP
• SIP: Session Initialization Protocol– Used for signaling– Supports audio and video– TCP and UDP– Uses port 5060– ASCII protocol like SMTP and HTTP
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment SIPSIP
• RTP: Real-time Transport Protocol– Used for the voice transport– UDP– Is dynamic, not using standard ports
• RTCP: RTP Control Protocol– Controls and monitors the voice transport
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment RTPRTP
• SIP uses mail format address, in the pattern:– <user | phone number>@<domain | hostname |
IP address>
• Some examples:– [email protected]– [email protected]
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment AddressingAddressing
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment SIP SignalingSIP Signaling
• INVITE from callerINVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.0.204:5060;rport;branch=z9hG4bK42ccbc6905
From: <sip:[email protected]>;tag=33a31c9c
To: <sip:[email protected]>
Call-ID: [email protected]
Contact: <sip:[email protected]:5060>
CSeq: 801 INVITE
Max-Forwards: 70
Allow: INVITE,CANCEL,ACK,BYE,NOTIFY,REFER,OPTIONS,INFO,MESSAGE
Content-Type: application/sdp
User-Agent: Nologo
Content-Length: 429
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment SIP SignalingSIP Signaling
• Ringing<--- SIP read from 192.168.5.15:5060 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK565267b5
From: <sip:[email protected]>;tag=as23f90079
To: <sip:[email protected];user=phone>;tag=419b9912cbfa34b2
Call-ID: [email protected]
CSeq: 102 INVITE
User-Agent: Grandstream HT488 1.0.3.64 FXS
Content-Length: 0
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment SIP SignalingSIP Signaling
• Ok from Called peer (answered)<--- SIP read from 192.168.5.10:5060 --->SIP/2.0 200 OKVia: SIP/2.0/UDP
192.168.5.10:5060;rport;branch=z9hG4bK62b65b4f29;received=192.168.5.10
From: <sip:[email protected]>;tag=1983eb6fTo: <sip:[email protected]>;tag=as36a497bcCall-ID: [email protected]: 802 INVITEUser-Agent: SIPM4ST3RAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE,
NOTIFYSupported: replacesContact: <sip:[email protected]>Content-Type: application/sdpContent-Length: 264
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment SIP SignalingSIP Signaling
• ACK from caller to start the RTP session<--- SIP read from 192.168.5.10:5060 --->
ACK sip:[email protected];user=phone SIP/2.0
Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK384d1e7a
From: <sip:[email protected]>;tag=as23f90079
To: <sip:[email protected];user=phone>;tag=419b9912cbfa34b2
Contact: <sip:[email protected]>
Call-ID: [email protected]
CSeq: 102 ACK
User-Agent: SIPM4ST3R
Max-Forwards: 70
Content-Length: 0
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment SIP SignalingSIP Signaling
• BYE from called peer, hang-up<--- SIP read from 192.168.5.15:5060 --->BYE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 192.168.0.202;branch=z9hG4bKbcb6e24514450a48From: <sip:[email protected];user=phone>;tag=2efac6b2150259f8To: <sip:[email protected]>;tag=as1ca51ab9Call-ID: [email protected]: 33409 BYEUser-Agent: Grandstream HT488 1.0.3.64 FXSMax-Forwards: 70Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBEContent-Length: 0
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment SIP SignalingSIP Signaling
• BYE from caller<--- SIP read from 192.168.5.10:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK099b03fe
From: <sip:[email protected]>;tag=as36a497bc
To: <sip:[email protected]>;tag=1983eb6f
Call-ID: [email protected]
CSeq: 102 BYE
Content-Length: 0
\x02 VoIP – Know Your Environment \x02 VoIP – Know Your Environment SIP SignalingSIP Signaling
\x03 VoIP - Security Threats
Layer
NetworkPhysical attackARP CacheARP FloodMAC Spoofing
InternetIP SpoofingRedirect via IP
IP Frag
TransportTCP/UDP Flood
TCP/UDP Replay
ApplicationTftp InsertionDHCP Insertion
SpoofRTP Tamper
\x01 VoIP – Reality\x01 VoIP – Reality
\x01 VoIP – Reality\x01 VoIP – Reality
\x01 VoIP – Reality\x01 VoIP – Reality
Unblock the Blocker – Kevin Mitnik
Google Dork:intext:"FreePBX Administration" + "Welcome" inurl:Admin
Default Trix Box VOIP Servers
Default passwords, vulnerable servers.
Google Dork:intext:"FreePBX Administration" + "Welcome" inurl:Admin
Default passwords, vulnerable servers.
Google Dork:intext:"FreePBX Administration" + "Welcome" inurl:Admin
Default passwords, vulnerable servers.
Directory Harvesting
VoIP directory harvesting attacks occur when attackers attempt to find valid VoIP addresses by conducting brute force attacks on a network. The attacker can send thousands of VoIP addresses to a particular VoIP domain, those that are not returned, are valid VoIP clients.
לפטופ5060להוסיף פה תמונת מסך של סריקה
Eavesdropping
Voice packets are subject to man-in-the-middle attacks where a hacker spoofs the MAC address of two parties and forces VoIP packets to flow through the hacker's system.
• Reassemble voice packets• Listen in to real-time conversations
Hackers can also gain access to all sorts of sensitive data and information, such as user names, passwords, and VoIP system information.
SQL-Injection & Password Guessing can be launched in distributed nature with different SIP URI
SQL-Injection Tampering via SIP
AuthorizationDigest header can be tampered in order to inject SQL query.
Update subcriber set first_name=‘jacky_altal’Where username=‘asterisk’--,realm-=“192.168.10.100”, algortim=“md5”,Nonce=“41351a34b342b43434d223421d”,Response=“a6466dce7890e087e6e55e67e2ee3”
Invite Of Death Attack
The Invite of Death attack simply demonstrates that VoIP is affected by exactly the same types of vulnerabilities as any other IP application. In this case a simple implementation error leaves the application open to a remote Denial Of Service attack. This vulnerability has already been fixed but there are many others to come.
In other words, if you are relying on a generic firewall to protect your voice system, the chances are that it will not block or even detect these threats.
SIPy – send spoofed call to sip client KillerWritten by Jacky Altal and Yossef Cohen
SipY – SIP software testing,
SipY – SIP Server/Client Vulnerability testing,
Modify Request
Reverse Request
Modify Request
Are You R-E-A-D-Y??? Let`s F-I-G-H-T!!!
LAB
CentOS - Linux Distro http://www.centos.org/Asterisk – Open Source PBX http://www.asterisk.org/xLite – SIP Client Iphone sip client ( home made )
Of course that there are many other codecs and other stuff….
iWar012 – ;) Network Range Mass Scanning
http://www.softwink.com/iwar/
We can find other lines, scan network ranges, by IP`s and phone numbers.
Find FREE X.25 networks
Free SEX Lines,
Encryption what is it good for?
Provisioning Servers
しかたが ない Shikata ga nai….
Question? > /dev/null
The End
[email protected] [email protected] http://4lt4l.blogspot.com