O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
1 de 35

Positive Hack Days. Gritsai. VOIP insecurities workshop



Baixar para ler offline

Участник получит представление об основе IP-телефонии, а также базовые навыки поиска уязвимостей на примере распространенных IP-PBX и абонентских устройств. Рассматриваются как типовые сетевые уязвимости, так и сложные случаи, обнаруживаемые в ходе анализа защищенности реальных сетей.

Positive Hack Days. Gritsai. VOIP insecurities workshop

  1. 1. VOIPinsecuritiesworkshop<br />“I just called to say I pwn you<br />I just called to say how much I care<br />I just called to say I own you<br />And I mean it from the bottom of my heart” <br />Stevie Wonder<br />
  2. 2. Agenda<br />VOIP<br />PSTN & VOIP<br />PSTN vs. VOIP<br />VOIP protocols<br />VOIP security<br />Attacking VOIP<br />Enumerating VOIP devices<br />RTP attacks +demonstration<br />SIPattacks +practice<br />Further readings<br />
  3. 3. PSTN/ Public switched telephone network<br />
  4. 4. VOIP / Voice over Internet Protocol<br />
  5. 5. PSTN vs. VOIP<br />Network<br />PSTN – Closed network<br />VOIP – Public network(Internet)<br />End-user devices<br />PSTN – Simple devices<br />VOIP – Complex devices<br />Authentication<br />PSTN – No mobility (Authentication by wire)<br />VOIP – Mobility<br />
  6. 6. VOIP protocols<br />Signaling protocols<br />Media protocols<br />Call control and media stream use different routes<br />
  7. 7. VOIP protocols: SignalingShort overview<br />SIPSession Initiation Protocol<br />SDPSession Description Protocol<br />H.323H.323<br />MGCPMedia Gateway Control Protocol<br />SCCPSkinny Client Control Protocol<br />RTCPReal-time Transfer Control Protocol<br />
  8. 8. VOIP protocols: Media and HybridShort overview<br />Media<br />RTP/SRTP<br />Hybrid (signaling + media)<br />IAX/IAX2<br />
  9. 9. VOIP insecurities<br />Confidentiality<br />eavesdropping, recording, …<br />Availability<br />DoS, buffer overflows, …<br />Authentication<br />registration hijacking, Caller ID spoofing, …<br />Fraud<br />toll fraud, data masquerading, …<br />SPIT (SPAM over IP Telephony)<br />voice phishing, unsolicited calling, …<br />
  10. 10. VOIP insecuritiesTopics for today<br />Enumeration of VOIP devices<br />search engines<br />port scanning<br />RTP<br />eavesdropping/recording calls<br />inserting data into media stream<br />DoS<br />SIP<br />searching extensions <br />Caller name spoofing<br />DoS<br />
  11. 11. Enumerating VOIP devicesGoogle hacking<br />Google hacking<br />GHDB<br />User manual -> request Google<br />inurl:<br />intitle:<br />site:<Customer> !<br />Examples:<br />Asterisk Management Portal: intitle:asterisk.management.portal web-access<br />Cisco Phones: inurl:"NetworkConfiguration" cisco<br />Cisco CallManager: inurl:"ccmuser/logon.asp"<br />D-Link Phones: intitle:"D-Link DPH" "web login setting"<br />Grandstream Phones: intitle:"Grandstream Device Configuration" password<br />Linksys (Sipura) Phones: intitle:" SPA Configuration"<br />PolycomSoundpoint Phones: intitle:"SoundPoint IP Configuration"<br />
  12. 12. Enumerating VOIP devicesShodan [1/2]<br />www.shodanhq.com<br />search for domain names, ips, ports<br />
  13. 13. Enumerating VOIP devicesShodan [2/2]<br />Banner grabbing<br />passwordlessSnom phones<br />
  14. 14. Enumerating VOIP devicesnmap<br />VOIP scanners<br />smap<br />svmap (sipvicious)<br />Fyodor’s nmap<br />-sU<br />UDP scanning common<br /> problems<br />
  15. 15. Enumerating VOIP devicesCommon ports<br />VOIP protocols<br />5060-5070, 1718-1720, 2517, ….<br />RTP ports are allocated dynamically<br />Management protocols<br />TCP 21-23, 80, 443, 8088, …<br />UDP 161, 162, 69, …<br />IANA<br />Internet Assigned Numbers Authority<br />grep<vendor> www.iana.org/assignments/port-numbers<br />
  16. 16. RTP<br />Real-time Transport Protocol<br />RFC 1889 (1996) ->RFC 3550 (2003)<br />Media over IP/UDP<br />Packer reordering<br />Used with signaling protocols (SIP, H.323, MGCP)<br />RTCP (Real-time Transport Control Protocol)<br />RTCP port =RTP port + 1<br />
  17. 17. RTP Attacks<br />Call interception<br />Attacking layers2, 3<br />Decoding intercepted data<br />Injection into call<br />Finding RTP port<br />Injecting media stream<br />Denial of Service<br />RTP flood<br />
  18. 18. RTP AttacksCall interception<br />ARP spoofing<br />Cain & abel<br />ettercap<br />arpspoof (dsniff)<br />Wireshark<br />Telephony<br />VOIP calls<br /> / Demo<br />
  19. 19. RTP AttacksInjection: Synchronization in RTP<br />sequence number position in media stream +=1<br />timestampsampling +=1<br />SSRCidentifying source const<br />(random 32 bit value)<br />payload type codec in use <br />
  20. 20. RTPAttacksInjection<br />Unencrypted<br />deployment issues (debug)<br />QoSissues<br />key distribution<br />UDP – connectionless<br />Data requirements:<br />SSRC<br />timestamp, sequence number – monotonically increasing<br />timestamp, sequence number - fuzzing<br />
  21. 21. RTP AttacksInjection<br />Finding RTP port<br />InterceptSDP<br />Port scan<br />Media injection<br />Requirements<br />frequency<br />codec<br />Demo<br />SDP || nmap<br />rtpinsertsound<br />not working 100%?<br />
  22. 22. RTP AttacksDenial of Service<br />Flood<br />Low bandwidth requirements<br />Media stream = high load<br />Authentication - SIP<br />and again … UDP - connectionless<br /> / Demo<br />rtpflood<br />
  23. 23. SIP<br />Session Initiation Protocol<br />Application layer (TCP/UDP)<br />ASCII header<br />SIP header ~= e-mail header<br />URI<br />
  24. 24. SIP Components<br />UA (User agent), Proxy, Registrar, Redirect<br /> Call viaProxy Call via Redirect<br />
  25. 25. SIP Attacks<br />Using somebodies PBX<br />Extension enumeration<br />Bruteforce extension password<br />Caller name spoofing<br />Registration hijacking<br />Denial of service<br />Busy lines<br />
  26. 26. SIPRequests<br />INVITEindicates a client is being invited to participate in a call session<br />BYETerminates a call and can be sent by either the caller or the callee<br />OPTIONSQueries the capabilities of servers<br />REGISTERRegisters the address listed in the To header field with a SIP server<br />ACKConfirms that the client has received a final response to an INVITE request<br />CANCELCancels any pending request<br />more …<br />
  27. 27. SIPAnswers<br />1хх Informational (100 Trying, 180 Ringing)<br />2xx Successful (200 OK, 202 Accepted)<br />3xx Redirection (302 Moved Temporarily)<br />4xx Request Failure (404 Not Found, 482 Loop Detected)<br />5xx Server Failure (501 Not Implemented)<br />6xx Global Failure (603 Decline)<br />
  28. 28. basic SIP call<br />
  29. 29. SIP AttacksUsing somebodies PBX <br />PBX<br />Extension enumeration<br />Bruteforcing passwords<br />Making a call<br />Practice withSipvicious<br />svmap <ip><br />svwar –e<extensions> <ip> -m<REQUEST><br />svcrack –u<extension> -d <dictionary> <ip><br />Setting up asoftphone <br />
  30. 30. SIP AttacksCaller name spoofing<br />Caller Name spoofing<br />Softphone<br />Practicing X-Lite<br />Softphone–caller name spoofing<br />Display name‘ 1=1 --<br />Domain ip of UA<br />Register disable<br />
  31. 31. SIP AttacksRegistration hijacking<br />Registration hijacking<br />INVITE to PBX<br />Search user in Registar<br />Registration is in <br />Contact header: ip address<br />Practicing with X-Lite<br />Register settings<br />rate<br />
  32. 32. SIP AttacksDenial of Service<br />Denial of Service<br />No auth<br />-> INVITE<br /><- TRYING… <- Busy here<br />HTTP digest<br />-> INVITE<br />generation/storingnonce <br />Practice<br />inviteflood<br />
  33. 33. Further reading<br />Set up a lab<br />http://enablesecurity.com/resources/how-to-set-up-a-voip-lab-on-a-shoe-string/<br />Read and practice<br />Hacking Exposed VoIP—Voice Over IP Security Secrets & Solutions<br />Advanced attacks<br />“Having fun with RTP” by kapejod<br />“SIP home gateways under fire” by AnhängteDateien<br />Fuzzing<br />
  34. 34. QA<br />
  35. 35. ggritsai@ptsecurity.ru<br />