Download
slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
SIP Tactics && Exploitation PowerPoint Presentation
Download Presentation
SIP Tactics && Exploitation

SIP Tactics && Exploitation

177 Vues Download Presentation
Télécharger la présentation

SIP Tactics && Exploitation

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. SIP Tactics && Exploitation ILHACK 2009 By Jacky Altal and Yosseff Cohen

  2. About us – Jacky 4lt4l • Professional Experience: • Two years as a security and data communication expert at local company. • Six years as a software developer and Security Consultant at a local Bio-Tech company. • Hacking Defined Leading Instructor – Technion CISO/SECPROF programs. • Specializing in: • Penetration Testing • Vulnerability Research • Forensics Investigations

  3. TOC \x01 VoIP – The Real World \x02 VoIP - Know Your Environment \x03 VoIP - Security Threats \x04 VoIP - Lab \x05 VoIP - Q&A

  4. \x01 VoIP – Reality Why do we ask those Questions? According to Emerging Cyber Threats for 2009 (Georgia Tech Info Sec Center) more then 75 percents of corporate phone lines will be using Voice Over IP (VoIP) in the next two years. “From the outset, VoIP infrastructure has been vulnerable to the same types of attacks that plague other networked computing architectures. When voice is digitized, encoded, compressed into packets and exchanged over IP networks, it is susceptible to misuse. Cyber criminals will be drawn to the VoIP medium to engage in voice fraud, data theft and other scams—similar to the problems email has experienced. Denial of service, remote code execution and botnets all apply to VoIP networks, and will become more problematic for mobile devices as well. “Emerging Cyber Threats for 2009 by the Georgia Tech Information Security Center

  5. \x01 VoIP – Reality “VoIP is about convergence. The idea is that you save money and resources and time,” Next Generation Security Because VoIP connects telephone calls via the Internet, it shares the Internet’s weaknesses. many incumbent telecommunication carriers have started offering VoIP the aspect of security, or lack thereof, is misunderstood by some of the VoIP service providers. Includes local Providers I`m n0t Smiling… VoIP Tactics && Hacking

  6. \x01 VoIP – Reality

  7. \x01 VoIP – Home

  8. About us – Yossef Cohen (SIPM4ST3R) • Professional Experience: • 10 years of experience in the telecom market working for Amdocs Israel, last 3 years as Integration Manager for projects as Sprint 4G, AT&T and BMCC china; • Founder of MaxxVoice.com, developed during the Sabbatical year in 2006. • Specializing in: • Penetration Testing • Vulnerability Research • Forensics Investigations

  9. \x01 VoIP – Know Your Environment VoIP • VoIP: Voice Over Internet Protocol • Phone calls over the internet • Is used through softphones or IP phones/ATA • Supports QoS • Supports several audio codecs

  10. \x02 VoIP – Know Your Environment SIP • SIP: Session Initialization Protocol • Used for signaling • Supports audio and video • TCP and UDP • Uses port 5060 • ASCII protocol like SMTP and HTTP

  11. \x02 VoIP – Know Your Environment RTP • RTP: Real-time Transport Protocol • Used for the voice transport • UDP • Is dynamic, not using standard ports • RTCP: RTP Control Protocol • Controls and monitors the voice transport

  12. \x02 VoIP – Know Your Environment Addressing • SIP uses mail format address, in the pattern: • <user | phone number>@<domain | hostname | IP address> • Some examples: • jacky@sip.maxxvoice.com • yossef@sip.maxxvoice.com

  13. \x02 VoIP – Know Your Environment SIP Signaling

  14. \x02 VoIP – Know Your Environment SIP Signaling • INVITE from caller INVITE sip:401@192.168.5.15 SIP/2.0 Via: SIP/2.0/UDP 192.168.0.204:5060;rport;branch=z9hG4bK42ccbc6905 From: <sip:402@192.168.5.10>;tag=33a31c9c To: <sip:401@192.168.5.15> Call-ID: 42fe147836f1f4a446f4572a5386aaca@192.168.0.204 Contact: <sip:402@192.168.15.10:5060> CSeq: 801 INVITE Max-Forwards: 70 Allow: INVITE,CANCEL,ACK,BYE,NOTIFY,REFER,OPTIONS,INFO,MESSAGE Content-Type: application/sdp User-Agent: Nologo Content-Length: 429

  15. \x02 VoIP – Know Your Environment SIP Signaling • Ringing <--- SIP read from 192.168.5.15:5060 ---> SIP/2.0 180 Ringing Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK565267b5 From: <sip:401@192.168.5.15>;tag=as23f90079 To: <sip:402@192.168.5.10;user=phone>;tag=419b9912cbfa34b2 Call-ID: 1bdfcd7c378f2a7e55c3b4591d608db0@cohenet.dyndns.org CSeq: 102 INVITE User-Agent: Grandstream HT488 1.0.3.64 FXS Content-Length: 0

  16. \x02 VoIP – Know Your Environment SIP Signaling • Ok from Called peer (answered) <--- SIP read from 192.168.5.10:5060 ---> SIP/2.0 200 OK Via: SIP/2.0/UDP 192.168.5.10:5060;rport;branch=z9hG4bK62b65b4f29;received=192.168.5.10 From: <sip:402@192.168.5.10>;tag=1983eb6f To: <sip:401@192.168.5.15>;tag=as36a497bc Call-ID: 73bf4cb01443f22e78d0b4664df3d281@192.168.0.204 CSeq: 802 INVITE User-Agent: SIPM4ST3R Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Supported: replaces Contact: <sip:401@192.168.5.15> Content-Type: application/sdp Content-Length: 264

  17. \x02 VoIP – Know Your Environment SIP Signaling • ACK from caller to start the RTP session <--- SIP read from 192.168.5.10:5060 ---> ACK sip:401@192.168.5.15;user=phone SIP/2.0 Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK384d1e7a From: <sip:402@192.168.5.10>;tag=as23f90079 To: <sip:401@192.168.5.15;user=phone>;tag=419b9912cbfa34b2 Contact: <sip:402@192.168.5.10> Call-ID: 1bdfcd7c378f2a7e55c3b4591d608db0@192.168.5.10 CSeq: 102 ACK User-Agent: SIPM4ST3R Max-Forwards: 70 Content-Length: 0

  18. \x02 VoIP – Know Your Environment SIP Signaling • BYE from called peer, hang-up <--- SIP read from 192.168.5.15:5060 ---> BYE sip:402@192.168.5.10 SIP/2.0 Via: SIP/2.0/UDP 192.168.0.202;branch=z9hG4bKbcb6e24514450a48 From: <sip:401@192.168.5.15;user=phone>;tag=2efac6b2150259f8 To: <sip:402@192.168.5.10>;tag=as1ca51ab9 Call-ID: 68b836e61e5356b820593f69008a74de@192.168.5.10 CSeq: 33409 BYE User-Agent: Grandstream HT488 1.0.3.64 FXS Max-Forwards: 70 Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE Content-Length: 0

  19. \x02 VoIP – Know Your Environment SIP Signaling • BYE from caller <--- SIP read from 192.168.5.10:5060 ---> SIP/2.0 200 OK Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK099b03fe From: <sip:401@192.168.5.10>;tag=as36a497bc To: <sip:402@192.168.5.15>;tag=1983eb6f Call-ID: 73bf4cb01443f22e78d0b4664df3d281@192.168.5.15 CSeq: 102 BYE Content-Length: 0

  20. \x03 VoIP - Security Threats

  21. \x01 VoIP – Reality

  22. \x01 VoIP – Reality

  23. \x01 VoIP – Reality

  24. Unblock the Blocker – Kevin Mitnik

  25. Google Dork: intext:"FreePBX Administration" + "Welcome" inurl:Admin Default Trix Box VOIP Servers Default passwords, vulnerable servers.

  26. Google Dork: intext:"FreePBX Administration" + "Welcome" inurl:Admin Default passwords, vulnerable servers.

  27. Google Dork: intext:"FreePBX Administration" + "Welcome" inurl:Admin Default passwords, vulnerable servers.

  28. Directory Harvesting VoIP directory harvesting attacks occur when attackers attempt to find valid VoIP addresses by conducting brute force attacks on a network.  The attacker can send thousands of VoIP addresses to a particular VoIP domain, those that are not returned, are valid VoIP clients. להוסיף פה תמונת מסך של סריקה 5060 לפטופ

  29. Eavesdropping • Voice packets are subject to man-in-the-middle attacks where a hacker spoofs the MAC address of two parties and forces VoIP packets to flow through the hacker's system. • Reassemble voice packets • Listen in to real-time conversations • Hackers can also gain access to all sorts of sensitive data and information, such as user names, passwords, and VoIP system information. • SQL-Injection & Password Guessing can be launched in distributed nature with different SIP URI

  30. SQL-InjectionTampering via SIP AuthorizationDigest header can be tampered in order to inject SQL query. Update subcriber set first_name=‘jacky_altal’ Where username=‘asterisk’--, realm-=“192.168.10.100”, algortim=“md5”, Nonce=“41351a34b342b43434d223421d”, Response=“a6466dce7890e087e6e55e67e2ee3”

  31. Invite Of Death Attack The Invite of Death attack simply demonstrates that VoIP is affected by exactly the same types of vulnerabilities as any other IP application. In this case a simple implementation error leaves the application open to a remote Denial Of Service attack. This vulnerability has already been fixed but there are many others to come. In other words, if you are relying on a generic firewall to protect your voice system, the chances are that it will not block or even detect these threats.

  32. SIPy – send spoofed call to sip client Killer Written by Jacky Altal and Yossef Cohen

  33. SipY – SIP software testing,

  34. SipY – SIP Server/Client Vulnerability testing,

  35. Modify Request Reverse Request Modify Request

  36. Are You R-E-A-D-Y??? Let`s F-I-G-H-T!!!

  37. LAB CentOS - Linux Distro http://www.centos.org/ Asterisk – Open Source PBX http://www.asterisk.org/ xLite – SIP Client Iphone sip client ( home made ) Of course that there are many other codecs and other stuff….

  38. iWar012 – ;) Network Range Mass Scanning We can find other lines, scan network ranges, by IP`s and phone numbers. Find FREE X.25 networks Free SEX Lines, http://www.softwink.com/iwar/

  39. Encryption what is it good for?

  40. Provisioning Servers しかたが ない Shikata ga nai….

  41. Question? > /dev/null

  42. The End jacky@see-security.comyossef@maxxvoice.com http://4lt4l.blogspot.com