2. Agenda
• Introduction to VoIP
– VoIP Architecture
– VoIP Components
– VoIP Protocols
• A PenTester Perspective
– Attack Vectors
– Scanning
– Attacks
– Tools of Trade
– Countermeasures and Security
http://null.co.in/ http://nullcon.net/
4. VoIP
• IP Telephony
• Voice over Internet Protocol
• Subset of IP Telephony
• Transmission of “Voice” over Packet-Switched Network.
• Is it only Voice??? – Data, Audio, Video
5. VoIP
• Voice Analog Signals are converted to digital bits - “Sampled” and transmitted in packets
[Diagram: Analog Voice Signals, converted to bits, sent over the Internet, converted back to Analog Voice Signals]
6. VoIP Architecture
[Diagram: Ordinary Phone, ATA, Ethernet, Router, Internet]
7. VoIP Architecture
[Diagram: IP Phone, Ethernet, IP-PBX, Modem / Router, Internet]
8. VoIP Architecture
[Diagram: Softphone, Ethernet, Router, Internet]
10. VoIP Components
• User Agents (devices)
• Media gateways
• Signaling gateways
• Gatekeepers
• Proxy Servers
• Redirect Servers
• Registrar Servers
• Location Servers
• Network management system
• Billing systems
Abbreviations used in the diagram:
– GW: Gateway
– MG: Media Gateway
– GK: Gatekeeper
– MGC: Media Gateway Controller
– NMS: Network Management System
– IVR: Interactive Voice Response
11. VoIP Protocols
• Vendor Proprietary
• Signaling Protocols
• Media Protocols
12. VoIP Protocols
• SIP: Session Initiation Protocol
• SGCP: Simple Gateway Control Protocol
• IPDC: Internet Protocol device Control
• RTP: Real Time Transmission Protocol
• SRTP: Secure Real Time Transmission Protocol
• RTCP: RTP Control Protocol
• SRTCP: Secure RTP Control Protocol
• MGCP: Media Gateway Control Protocol
• SDP: Session Description Protocol
• SAP: Session Announcement Protocol
• MIME: Multipurpose Internet Mail Extensions – Set of Standards
• IAX: Inter-Asterisk eXchange
• Megaco H.248: Gateway Control Protocol
• RVP over IP: Remote Voice Protocol over IP
• RTSP: Real Time Streaming Protocol
• SCCP: Skinny Client Control Protocol (Cisco)
• UNISTIM: Unified Network Stimulus (Nortel)
26. VoIP – Attacks Demo
• Password Cracking
– Tools Used :
• SIPDump
• SIPCrack
• svcrack
27. VoIP - Attacks
Some Default Passwords for VoIP Devices and Consoles:
Device / Console | Username | Password
Uniden UIP1868P VoIP phone Web Interface | - | admin
Hitachi IP5000 VOIP WIFI Phone 1.5.6 | - | 0000
Vonage VoIP Telephone Adapter | user | user
Grandstream Phones - Web Administrator Interface | Administrator /admin | admin
 | user | user
• Asterisk Manager User Accounts are configured in /etc/asterisk/manager.conf
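A defender-side check for the two points on this slide, as an added example that is not part of the original deck: it audits manager.conf text for secrets that match the defaults in the table above and for accounts with no source-address ACL. The sample file, the function names and the choice of checks are assumptions; `enabled`, `bindaddr`, `secret`, `deny` and `permit` are manager.conf options.

```python
# Weak values taken from the default-password table on this slide.
WEAK_SECRETS = {"admin", "0000", "user"}

# Constructed sample in manager.conf syntax (not from a real system).
SAMPLE_CONF = """\
[general]
enabled = yes
bindaddr = 0.0.0.0   ; listens on every interface

[admin]
secret = admin

[monitor]
secret = t9!Lq3#vXw2pRz8k
deny = 0.0.0.0/0.0.0.0
permit = 10.20.0.5/255.255.255.255
"""

def parse_conf(text):
    """Parse Asterisk-style INI text into {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and "]" in line:     # [name] or [name](template)
            current = sections.setdefault(line[1:line.index("]")], {})
        elif current is not None and "=" in line:    # 'key = v' or 'key => v'
            key, value = line.split("=", 1)
            current.setdefault(key.strip().lower(), []).append(value.lstrip(">").strip())
    return sections

def audit_manager_conf(text):
    """Return a sorted list of (section, finding) tuples."""
    findings = []
    for name, opts in parse_conf(text).items():
        if name == "general":
            enabled = opts.get("enabled", ["no"])[-1].lower() in ("yes", "true", "1", "on")
            if enabled and opts.get("bindaddr", [""])[-1] in ("0.0.0.0", "::"):
                findings.append((name, "AMI bound to all interfaces"))
            continue
        secret = opts.get("secret", [""])[-1]
        if not secret or secret.lower() in WEAK_SECRETS or secret.lower() == name.lower():
            findings.append((name, "missing, default or username-equal secret"))
        if "permit" not in opts:
            findings.append((name, "no permit ACL restricting source addresses"))
    return sorted(findings)
```

To audit a live system, pass the contents of /etc/asterisk/manager.conf to `audit_manager_conf` and review each returned finding.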
29. Countermeasures & Security
• Separate Infrastructure
• Do not integrate Data and VoIP Networks
• VoIP-aware Firewalls
• Secure Protocols like SRTP
• Session Encryption using SIP/TLS, SCCP/TLS
• Harden Network Security – IDS – IPS - NIPS
30. Thank You
See you all @ nullcon - Delhi
Editor's Notes
IP Telephony - 1990
• Run all VoIP traffic through a separate Internet connection, separating voice and data into their own network segments (VLAN).
• Set up separate servers dedicated just to VoIP traffic and firewall them apart from the rest of your network.
• VoIP connections between different buildings should use a Virtual Private Network (VPN) to authenticate users and prevent spoofing.
• Avoid use of cheap VoIP systems.
• Encrypt any VoIP traffic to keep it confidential and prevent eavesdropping by network sniffers.
• Put VoIP servers in a secure physical location.
• Make sure all routers and servers hosting your VoIP system have been hardened, with all unnecessary services turned off and ports closed.
• Restrict access to VoIP servers to system administrators only, and log and monitor all access.
• Use intrusion detection systems to monitor malicious attempts to access your VoIP network.
• Employ a defense-in-depth strategy with multiple layers of security, including dedicated VoIP-ready firewalls.
• Test all devices that send, receive or parse VoIP protocols, including handsets, softphones, SIP proxies, H.323 gateways, call managers and firewalls that VoIP messages pass through.