SlideShare a Scribd company logo

VoIP – vulnerabilities and attacks

Download as PPTX, PDF
n|u - The Open Security Community
n|u - The Open Security Community

null Mumbai July-August 2012 Meet

EducationTechnologyBusiness
1 of 30
VoIP – Vulnerabilities and Attacks Presented by - push
Agenda • Introduction to VoIP – VoIP Architecture – VoIP Components – VoIP Protocols • A PenTester Perspective – Attack Vectors – Scanning – Attacks – Tools of Trade – Countermeasures and Security http://null.co.in/ http://nullcon.net/
Remember Something? http://null.co.in/ http://nullcon.net/
VoIP • IP Telephony • Voice over Internet Protocol • Subset of IP Telephony • Transmission of “Voice” over Packet-Switched Network. • Is it only Voice??? – Data, Audio, Video http://null.co.in/ http://nullcon.net/
VoIP • Voice Analog Signals are converted to digital bits - “Sampled” and transmitted in packets Analog Voice Signals 101010101010 1101101101 Analog Voice 1010101010101101101 101010101010110110 Signals 101 1101 101010101010 1101101101 Internet 1010101010101101101 101010101010110110 101 1101 http://null.co.in/ http://nullcon.net/
VoIP Architecture Ordinary Phone  ATA  Ethernet  Router  Internet http://null.co.in/ http://nullcon.net/
VoIP Architecture IP Phone  Ethernet  IP-PBX  Router  Internet Internet IP Phone IP - PBX Modem / Router http://null.co.in/ http://nullcon.net/
VoIP Architecture Softphone Phone  Ethernet  Router  Internet Internet http://null.co.in/ http://nullcon.net/
VoIP Architecture http://null.co.in/ http://nullcon.net/
VoIP Components • User Agents (devices) • Redirect Servers • Media gateways • Registrar Servers • Signaling gateways • Location Servers • Network management system • Gatekeepers • Billing systems • Proxy Servers GW  Gateway MG  Media Gateway GK  Gatekeeper MGC  Media Gateway Controller NMS  Network Management System IVR  Interactive Voice Response http://null.co.in/ http://nullcon.net/
VoIP Protocols • Vendor Proprietary • Signaling Protocols • Media Protocols http://null.co.in/ http://nullcon.net/
VoIP Protocols SIP Session Initiation Protocol SAP  Session Announcement Protocol SGCP  Simple Gateway Control Protocol MIME  Multipurpose Internet Mail IPDC  Internet Protocol device Control Extensions – Set of Standards RTP  Real Time Transmission Protocol IAX  Inter-Asterisk eXchange SRTP  Secure Real Time Transmission Protocol Megaco H.248  Gateway Control Protocol RTCP  RTP Control Protocol RVP over IP  Remote Voice Protocol over IP SRTCP  Secure RTP Control Protocol RTSP  Real Time Streaming Protocol MGCP  Media Gateway Control Protocol SCCP  Skinny Client Control Protocol (Cisco). SDP  Session Description Protocol UNISTIM  Unified Network Stimulus (Nortel). http://null.co.in/ http://nullcon.net/
VoIP Protocols - SIP http://null.co.in/ http://nullcon.net/
VoIP Protocols – H.323 http://null.co.in/ http://nullcon.net/
A PenTester Perspective http://null.co.in/ http://nullcon.net/
VoIP – Attack Vectors • Vulnerabilities of Both Data and Telephone Network • CIA Triad http://null.co.in/ http://nullcon.net/
VoIP - Scanning • Scanning a network for VoIP enabled systems / devices. • Tools for Scanning and Enumeration : – Nmap  port scanner – Smap  sip scanner. Finds SIP Enabled Servers – Svmap  sip scanner – Svwar  sip extension enumerator – Iwar VoIP Enabled modem Dialer – Metasploit Modules : • H.323 version scanner • SIP enumerator  SIP Username enumerator(UDP) • SIP enumerator_tcp  SIP Username Enumerator(TCP) • Options  SIP scanner(TCP) • Options_tcp  SIP scanner(UDP) http://null.co.in/ http://nullcon.net/
VoIP – Scanning Demo • Nmap scan http://null.co.in/ http://nullcon.net/
VoIP – Common Ports Protocol TCP Port UDP Port SIP 5060 5060 SIP-TLS 5061 5061 IAX2 - 4569 http – web based 80 / 8080 - management console tftp - 69 RTP - 5004 RTCP - 5005 IAX1 - 5036 SCCP 2000 SCCPS 2443 H.323 1720 http://null.co.in/ http://nullcon.net/
VoIP – Scanning Demo • Smap • svmap http://null.co.in/ http://nullcon.net/
VoIP – Scanning Demo • Metasploit Scanner http://null.co.in/ http://nullcon.net/
VoIP - Attacks • Identity Spoofing • Conversation Eavesdropping / Sniffing • Password Cracking • Man-In-The-Middle • SIP-Bye DoS • SIP Bombing • RTP Insertion Attacks • Web Based Management Console Hacks • Fuzzing • Default Passwords http://null.co.in/ http://nullcon.net/
VoIP – Attacks Demo • Identity – Caller ID Spoofing – Tools Used : • Metasploit- SIP_INVITE_Spoof • VoIP Fuzzer – Protos -Sip http://null.co.in/ http://nullcon.net/
VoIP – Attacks Demo • Conversation Eavesdropping – Tools used : • Cain & Abel • Ettercap • Arpspoof • Wireshark http://null.co.in/ http://nullcon.net/
VoIP – Attacks Demo • Man-In-The-Middle – Tools Used : • Wireshark • Arpspoof / ettercap • RTPInject • RTPmixsound http://null.co.in/ http://nullcon.net/
VoIP – Attacks Demo • Password Cracking – Tools Used : • SIPDump • SIPCrack • svcrack http://null.co.in/ http://nullcon.net/
VoIP - Attacks Some Default Passwords for VoIP Devices and Consoles: Device / Console Username Password Uniden UIP1868P VoIP - admin phone Web Interface Hitachi IP5000 VOIP WIFI - 0000 Phone 1.5.6 Vonage VoIP Telephone user user Adapter Grandstream Phones - Web Administrator /admin admin Adimistrator Interface user user •Asterisk Manager User Accounts are configured in /etc/asterisk/manager.conf http://null.co.in/ http://nullcon.net/
VoIP – Audit & PenTest Tools • UCSniff • MetaSploit Modules : – Auxillary Modules • VoIPHopper • SIP enumerator  SIP Username enumerator • SIP enumerator_tcp  SIP USERNAME • Vomit Enumerator • VoIPong • Options  SIP scanner • Options_tcp  SIP scanner • IAX Flood • Asterisk_login  Asterisk Manager Login Utility – Exploits • InviteFlood • Aol_icq_downloadagent  AOL ICQ Arbitary File Downlowd • RTPFlood • Aim_triton_cseq AIM triton 1.0.4 CSeq Buffer Overflow • IAXFlood • Sipxezphone_cseq sipxezphone 0.35a Cseq Filed Overflow • BYE-TearDown • Sipxphone_cseq  sipxPhone 2.6.0.27 Cseq Buffer Overflow http://null.co.in/ http://nullcon.net/
Countermeasures & Security • Separate Infrasrtucture • Do not integrate Data and VoIP Networks • VoIP-aware Firewalls, • Secure Protocols like SRTP, • Session Encryption using SIP/TLS, SCCP/TLS • Harden Network Security – IDS – IPS - NIPS http://null.co.in/ http://nullcon.net/
Thank You See you all @ nullcon - Delhi http://null.co.in/ http://nullcon.net/

Recommended

VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 
Voip security
Voip securityVoip security
Voip securityShethwala Ridhvesh
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
Voice Over IP (VoIP)
Voice Over IP (VoIP)Voice Over IP (VoIP)
Voice Over IP (VoIP)habib_786
 
volte ims network architecture
volte ims network architecturevolte ims network architecture
volte ims network architectureVikas Shokeen
 
Voice over internet protocol (VoIP)
Voice over internet protocol (VoIP) Voice over internet protocol (VoIP)
Voice over internet protocol (VoIP) Namra Afzal
 
LTE Basic
LTE BasicLTE Basic
LTE Basicneerav_adhikari
 
VOIP BASIC
VOIP BASICVOIP BASIC
VOIP BASICdhara patel
 

Recommended

VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 
Voip security
Voip securityVoip security
Voip securityShethwala Ridhvesh
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
Voice Over IP (VoIP)
Voice Over IP (VoIP)Voice Over IP (VoIP)
Voice Over IP (VoIP)habib_786
 
volte ims network architecture
volte ims network architecturevolte ims network architecture
volte ims network architectureVikas Shokeen
 
Voice over internet protocol (VoIP)
Voice over internet protocol (VoIP) Voice over internet protocol (VoIP)
Voice over internet protocol (VoIP) Namra Afzal
 
LTE Basic
LTE BasicLTE Basic
LTE Basicneerav_adhikari
 
VOIP BASIC
VOIP BASICVOIP BASIC
VOIP BASICdhara patel
 
WirelessHART
WirelessHARTWirelessHART
WirelessHARTJean M. Winter
 
Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Fatih Ozavci
 
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...ALTANAI BISHT
 
Voip
VoipVoip
VoipHarry Sunarsa
 
Voip
VoipVoip
VoipYasin Virani
 
Voip introduction
Voip introductionVoip introduction
Voip introductiondaksh bhatt
 
IMS Registration Flow
IMS Registration FlowIMS Registration Flow
IMS Registration FlowKent Loh
 
IT6601 Mobile Computing Unit III
IT6601 Mobile Computing Unit IIIIT6601 Mobile Computing Unit III
IT6601 Mobile Computing Unit IIIpkaviya
 
WiFi Technology & IEEE
WiFi Technology & IEEEWiFi Technology & IEEE
WiFi Technology & IEEEvasanthimuniasamy
 
Introduction into SIP protocol
Introduction into SIP protocolIntroduction into SIP protocol
Introduction into SIP protocolMichal Hrncirik
 
Mobile IP
Mobile IPMobile IP
Mobile IPDanielaSalazar3
 
sigtran
sigtransigtran
sigtrankrsgowri
 
Mobile Phone and SIM card cloning
Mobile Phone and SIM card cloningMobile Phone and SIM card cloning
Mobile Phone and SIM card cloningAnkur Kumar
 
VOIP security
VOIP securityVOIP security
VOIP securityRohit Gurjar
 
SIP Trunking overview
SIP Trunking overviewSIP Trunking overview
SIP Trunking overviewJohn Downing
 
Wireshark
WiresharkWireshark
WiresharkVijay kumar
 
session initiation protocol - SIP
session initiation protocol - SIPsession initiation protocol - SIP
session initiation protocol - SIPMahmoud Abudaqa
 
Voice over IP (VoIP)
Voice over IP (VoIP)Voice over IP (VoIP)
Voice over IP (VoIP)Peter R. Egli
 
Voip
VoipVoip
VoipMuhammad Hamza
 
Asterisk presentation v1.1
Asterisk presentation v1.1Asterisk presentation v1.1
Asterisk presentation v1.1Farhan Fuad
 
VoIP Security
VoIP SecurityVoIP Security
VoIP SecurityDayanand Prabhakar
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP Fatih Ozavci
 

More Related Content

What's hot

Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Fatih Ozavci
 
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...ALTANAI BISHT
 
Voip introduction
Voip introductionVoip introduction
Voip introductiondaksh bhatt
 
IMS Registration Flow
IMS Registration FlowIMS Registration Flow
IMS Registration FlowKent Loh
 
IT6601 Mobile Computing Unit III
IT6601 Mobile Computing Unit IIIIT6601 Mobile Computing Unit III
IT6601 Mobile Computing Unit IIIpkaviya
 
Introduction into SIP protocol
Introduction into SIP protocolIntroduction into SIP protocol
Introduction into SIP protocolMichal Hrncirik
 
Mobile Phone and SIM card cloning
Mobile Phone and SIM card cloningMobile Phone and SIM card cloning
Mobile Phone and SIM card cloningAnkur Kumar
 
SIP Trunking overview
SIP Trunking overviewSIP Trunking overview
SIP Trunking overviewJohn Downing
 
session initiation protocol - SIP
session initiation protocol - SIPsession initiation protocol - SIP
session initiation protocol - SIPMahmoud Abudaqa
 
Voice over IP (VoIP)
Voice over IP (VoIP)Voice over IP (VoIP)
Voice over IP (VoIP)Peter R. Egli
 
Asterisk presentation v1.1
Asterisk presentation v1.1Asterisk presentation v1.1
Asterisk presentation v1.1Farhan Fuad
 

What's hot (20)

WirelessHART
WirelessHARTWirelessHART
WirelessHART
 
Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!
 
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip se...
 
Voip
VoipVoip
Voip
 
Voip
VoipVoip
Voip
 
Voip introduction
Voip introductionVoip introduction
Voip introduction
 
IMS Registration Flow
IMS Registration FlowIMS Registration Flow
IMS Registration Flow
 
IT6601 Mobile Computing Unit III
IT6601 Mobile Computing Unit IIIIT6601 Mobile Computing Unit III
IT6601 Mobile Computing Unit III
 
WiFi Technology & IEEE
WiFi Technology & IEEEWiFi Technology & IEEE
WiFi Technology & IEEE
 
Introduction into SIP protocol
Introduction into SIP protocolIntroduction into SIP protocol
Introduction into SIP protocol
 
Mobile IP
Mobile IPMobile IP
Mobile IP
 
sigtran
sigtransigtran
sigtran
 
Mobile Phone and SIM card cloning
Mobile Phone and SIM card cloningMobile Phone and SIM card cloning
Mobile Phone and SIM card cloning
 
VOIP security
VOIP securityVOIP security
VOIP security
 
SIP Trunking overview
SIP Trunking overviewSIP Trunking overview
SIP Trunking overview
 
Wireshark
WiresharkWireshark
Wireshark
 
session initiation protocol - SIP
session initiation protocol - SIPsession initiation protocol - SIP
session initiation protocol - SIP
 
Voice over IP (VoIP)
Voice over IP (VoIP)Voice over IP (VoIP)
Voice over IP (VoIP)
 
Voip
VoipVoip
Voip
 
Asterisk presentation v1.1
Asterisk presentation v1.1Asterisk presentation v1.1
Asterisk presentation v1.1
 

Viewers also liked

VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP Fatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenFatih Ozavci
 
What is VoIP and How it works?
What is VoIP and How it works?What is VoIP and How it works?
What is VoIP and How it works?broadconnect
 
Voip powerpoint
Voip powerpointVoip powerpoint
Voip powerpointGW1992
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
Security Challenges In VoIP
Security Challenges In VoIPSecurity Challenges In VoIP
Security Challenges In VoIPTomGilis
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)Fatih Ozavci
 
Introduction to SIP(Session Initiation Protocol)
Introduction to SIP(Session Initiation Protocol)Introduction to SIP(Session Initiation Protocol)
Introduction to SIP(Session Initiation Protocol)William Lee
 
Voice over Internet Protocol (VoIP) using Asterisk
Voice over Internet Protocol (VoIP) using AsteriskVoice over Internet Protocol (VoIP) using Asterisk
Voice over Internet Protocol (VoIP) using AsteriskSameer Verma
 
VOIP Presentation
VOIP Presentation VOIP Presentation
VOIP Presentation tofael1
 

Viewers also liked (16)

VoIP Security
VoIP SecurityVoIP Security
VoIP Security
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
 
What is VoIP and How it works?
What is VoIP and How it works?What is VoIP and How it works?
What is VoIP and How it works?
 
Voip powerpoint
Voip powerpointVoip powerpoint
Voip powerpoint
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
 
Security Challenges In VoIP
Security Challenges In VoIPSecurity Challenges In VoIP
Security Challenges In VoIP
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
 
SIP Beyond VoIP
SIP Beyond VoIPSIP Beyond VoIP
SIP Beyond VoIP
 
Introduction to SIP(Session Initiation Protocol)
Introduction to SIP(Session Initiation Protocol)Introduction to SIP(Session Initiation Protocol)
Introduction to SIP(Session Initiation Protocol)
 
voip gateway
voip gateway voip gateway
voip gateway
 
Voice over Internet Protocol (VoIP) using Asterisk
Voice over Internet Protocol (VoIP) using AsteriskVoice over Internet Protocol (VoIP) using Asterisk
Voice over Internet Protocol (VoIP) using Asterisk
 
Introduction to VoIP
Introduction to VoIPIntroduction to VoIP
Introduction to VoIP
 
VoIP Seminar
VoIP SeminarVoIP Seminar
VoIP Seminar
 
VOIP Presentation
VOIP Presentation VOIP Presentation
VOIP Presentation
 

Similar to VoIP – vulnerabilities and attacks

I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceSuhas Desai
 
Understanding VoIP - 1
Understanding VoIP - 1Understanding VoIP - 1
Understanding VoIP - 1Adebayo Ojo
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Lorenzo Miniero
 
voip elements by Karan singh cypher
voip elements by Karan singh cypher voip elements by Karan singh cypher
voip elements by Karan singh cypher Karan Maker
 
Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Lorenzo Miniero
 
Practical Fundamentals of Voice over IP (VoIP) for Engineers and Technicians
Practical Fundamentals of Voice over IP (VoIP) for Engineers and TechniciansPractical Fundamentals of Voice over IP (VoIP) for Engineers and Technicians
Practical Fundamentals of Voice over IP (VoIP) for Engineers and TechniciansLiving Online
 
Introduction to VoIP, RTP and SIP
Introduction to VoIP, RTP and SIP Introduction to VoIP, RTP and SIP
Introduction to VoIP, RTP and SIP ThousandEyes
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.Sumutiu Marius
 
WebRTC meetup barcelona 2017
WebRTC meetup barcelona 2017WebRTC meetup barcelona 2017
WebRTC meetup barcelona 2017Juan De Bravo
 
Media Handling in FreeSWITCH
Media Handling in FreeSWITCHMedia Handling in FreeSWITCH
Media Handling in FreeSWITCHMoises Silva
 
VoIP (Voice over Internet Protocol)
VoIP (Voice over Internet Protocol)VoIP (Voice over Internet Protocol)
VoIP (Voice over Internet Protocol)Abdullah Shah
 
Voip softswitch providers
Voip softswitch providersVoip softswitch providers
Voip softswitch providersVoIP Infotech
 

Similar to VoIP – vulnerabilities and attacks (20)

Meletis Belsis - Voip security
Meletis Belsis - Voip securityMeletis Belsis - Voip security
Meletis Belsis - Voip security
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
 
Introduction to VoIP Security
Introduction to VoIP SecurityIntroduction to VoIP Security
Introduction to VoIP Security
 
VOIP services
VOIP servicesVOIP services
VOIP services
 
Understanding VoIP - 1
Understanding VoIP - 1Understanding VoIP - 1
Understanding VoIP - 1
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019
 
voip elements by Karan singh cypher
voip elements by Karan singh cypher voip elements by Karan singh cypher
voip elements by Karan singh cypher
 
Linux VOIP
Linux VOIP Linux VOIP
Linux VOIP
 
Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019
 
Voip
VoipVoip
Voip
 
Practical Fundamentals of Voice over IP (VoIP) for Engineers and Technicians
Practical Fundamentals of Voice over IP (VoIP) for Engineers and TechniciansPractical Fundamentals of Voice over IP (VoIP) for Engineers and Technicians
Practical Fundamentals of Voice over IP (VoIP) for Engineers and Technicians
 
Introduction to VoIP, RTP and SIP
Introduction to VoIP, RTP and SIP Introduction to VoIP, RTP and SIP
Introduction to VoIP, RTP and SIP
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.
 
WebRTC meetup barcelona 2017
WebRTC meetup barcelona 2017WebRTC meetup barcelona 2017
WebRTC meetup barcelona 2017
 
Media Handling in FreeSWITCH
Media Handling in FreeSWITCHMedia Handling in FreeSWITCH
Media Handling in FreeSWITCH
 
Multipath TCP
Multipath TCPMultipath TCP
Multipath TCP
 
VoIP (Voice over Internet Protocol)
VoIP (Voice over Internet Protocol)VoIP (Voice over Internet Protocol)
VoIP (Voice over Internet Protocol)
 
Softswitch
SoftswitchSoftswitch
Softswitch
 
Softswitch
SoftswitchSoftswitch
Softswitch
 
Voip softswitch providers
Voip softswitch providersVoip softswitch providers
Voip softswitch providers
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8 fourth - quarter .pptxweek 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8 fourth - quarter .pptxJonalynLegaspi2
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptxmary850239
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 

Recently uploaded (20)

prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8 fourth - quarter .pptxweek 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8 fourth - quarter .pptx
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 

VoIP – vulnerabilities and attacks

  • 1. VoIP – Vulnerabilities and Attacks Presented by - push
  • 2. Agenda • Introduction to VoIP – VoIP Architecture – VoIP Components – VoIP Protocols • A PenTester Perspective – Attack Vectors – Scanning – Attacks – Tools of Trade – Countermeasures and Security http://null.co.in/ http://nullcon.net/
  • 4. VoIP • IP Telephony • Voice over Internet Protocol • Subset of IP Telephony • Transmission of “Voice” over Packet-Switched Network. • Is it only Voice??? – Data, Audio, Video http://null.co.in/ http://nullcon.net/
  • 5. VoIP • Voice Analog Signals are converted to digital bits - “Sampled” and transmitted in packets Analog Voice Signals 101010101010 1101101101 Analog Voice 1010101010101101101 101010101010110110 Signals 101 1101 101010101010 1101101101 Internet 1010101010101101101 101010101010110110 101 1101 http://null.co.in/ http://nullcon.net/
  • 6. VoIP Architecture Ordinary Phone  ATA  Ethernet  Router  Internet http://null.co.in/ http://nullcon.net/
  • 7. VoIP Architecture IP Phone  Ethernet  IP-PBX  Router  Internet Internet IP Phone IP - PBX Modem / Router http://null.co.in/ http://nullcon.net/
  • 8. VoIP Architecture Softphone Phone  Ethernet  Router  Internet Internet http://null.co.in/ http://nullcon.net/
  • 10. VoIP Components • User Agents (devices) • Redirect Servers • Media gateways • Registrar Servers • Signaling gateways • Location Servers • Network management system • Gatekeepers • Billing systems • Proxy Servers GW  Gateway MG  Media Gateway GK  Gatekeeper MGC  Media Gateway Controller NMS  Network Management System IVR  Interactive Voice Response http://null.co.in/ http://nullcon.net/
  • 11. VoIP Protocols • Vendor Proprietary • Signaling Protocols • Media Protocols http://null.co.in/ http://nullcon.net/
  • 12. VoIP Protocols SIP Session Initiation Protocol SAP  Session Announcement Protocol SGCP  Simple Gateway Control Protocol MIME  Multipurpose Internet Mail IPDC  Internet Protocol device Control Extensions – Set of Standards RTP  Real Time Transmission Protocol IAX  Inter-Asterisk eXchange SRTP  Secure Real Time Transmission Protocol Megaco H.248  Gateway Control Protocol RTCP  RTP Control Protocol RVP over IP  Remote Voice Protocol over IP SRTCP  Secure RTP Control Protocol RTSP  Real Time Streaming Protocol MGCP  Media Gateway Control Protocol SCCP  Skinny Client Control Protocol (Cisco). SDP  Session Description Protocol UNISTIM  Unified Network Stimulus (Nortel). http://null.co.in/ http://nullcon.net/
  • 13. VoIP Protocols - SIP http://null.co.in/ http://nullcon.net/
  • 14. VoIP Protocols – H.323 http://null.co.in/ http://nullcon.net/
  • 16. VoIP – Attack Vectors • Vulnerabilities of Both Data and Telephone Network • CIA Triad http://null.co.in/ http://nullcon.net/
  • 17. VoIP - Scanning • Scanning a network for VoIP enabled systems / devices. • Tools for Scanning and Enumeration : – Nmap  port scanner – Smap  sip scanner. Finds SIP Enabled Servers – Svmap  sip scanner – Svwar  sip extension enumerator – Iwar VoIP Enabled modem Dialer – Metasploit Modules : • H.323 version scanner • SIP enumerator  SIP Username enumerator(UDP) • SIP enumerator_tcp  SIP Username Enumerator(TCP) • Options  SIP scanner(TCP) • Options_tcp  SIP scanner(UDP) http://null.co.in/ http://nullcon.net/
  • 18. VoIP – Scanning Demo • Nmap scan http://null.co.in/ http://nullcon.net/
  • 19. VoIP – Common Ports Protocol TCP Port UDP Port SIP 5060 5060 SIP-TLS 5061 5061 IAX2 - 4569 http – web based 80 / 8080 - management console tftp - 69 RTP - 5004 RTCP - 5005 IAX1 - 5036 SCCP 2000 SCCPS 2443 H.323 1720 http://null.co.in/ http://nullcon.net/
  • 20. VoIP – Scanning Demo • Smap • svmap http://null.co.in/ http://nullcon.net/
  • 21. VoIP – Scanning Demo • Metasploit Scanner http://null.co.in/ http://nullcon.net/
  • 22. VoIP - Attacks • Identity Spoofing • Conversation Eavesdropping / Sniffing • Password Cracking • Man-In-The-Middle • SIP-Bye DoS • SIP Bombing • RTP Insertion Attacks • Web Based Management Console Hacks • Fuzzing • Default Passwords http://null.co.in/ http://nullcon.net/
  • 23. VoIP – Attacks Demo • Identity – Caller ID Spoofing – Tools Used : • Metasploit- SIP_INVITE_Spoof • VoIP Fuzzer – Protos -Sip http://null.co.in/ http://nullcon.net/
  • 24. VoIP – Attacks Demo • Conversation Eavesdropping – Tools used : • Cain & Abel • Ettercap • Arpspoof • Wireshark http://null.co.in/ http://nullcon.net/
  • 25. VoIP – Attacks Demo • Man-In-The-Middle – Tools Used : • Wireshark • Arpspoof / ettercap • RTPInject • RTPmixsound http://null.co.in/ http://nullcon.net/
  • 26. VoIP – Attacks Demo • Password Cracking – Tools Used : • SIPDump • SIPCrack • svcrack http://null.co.in/ http://nullcon.net/
  • 27. VoIP - Attacks Some Default Passwords for VoIP Devices and Consoles: Device / Console Username Password Uniden UIP1868P VoIP - admin phone Web Interface Hitachi IP5000 VOIP WIFI - 0000 Phone 1.5.6 Vonage VoIP Telephone user user Adapter Grandstream Phones - Web Administrator /admin admin Adimistrator Interface user user •Asterisk Manager User Accounts are configured in /etc/asterisk/manager.conf http://null.co.in/ http://nullcon.net/
  • 28. VoIP – Audit & PenTest Tools • UCSniff • MetaSploit Modules : – Auxillary Modules • VoIPHopper • SIP enumerator  SIP Username enumerator • SIP enumerator_tcp  SIP USERNAME • Vomit Enumerator • VoIPong • Options  SIP scanner • Options_tcp  SIP scanner • IAX Flood • Asterisk_login  Asterisk Manager Login Utility – Exploits • InviteFlood • Aol_icq_downloadagent  AOL ICQ Arbitary File Downlowd • RTPFlood • Aim_triton_cseq AIM triton 1.0.4 CSeq Buffer Overflow • IAXFlood • Sipxezphone_cseq sipxezphone 0.35a Cseq Filed Overflow • BYE-TearDown • Sipxphone_cseq  sipxPhone 2.6.0.27 Cseq Buffer Overflow http://null.co.in/ http://nullcon.net/
  • 29. Countermeasures & Security • Separate Infrasrtucture • Do not integrate Data and VoIP Networks • VoIP-aware Firewalls, • Secure Protocols like SRTP, • Session Encryption using SIP/TLS, SCCP/TLS • Harden Network Security – IDS – IPS - NIPS http://null.co.in/ http://nullcon.net/
  • 30. Thank You See you all @ nullcon - Delhi http://null.co.in/ http://nullcon.net/

Editor's Notes

  1. IP Telephony - 1990
  2.  Run all VoIP traffic through a separate Internet connection, separating voice and data into their own network segments (VLAN). Set up separate servers dedicated just to VoIP traffic and firewall them apart from the rest of your network. VoIP connections between different buildings use a Virtual Private Network (VPN) to authenticate users to prevent spoofing. Avoid use of cheap VoIP systems. Encrypt any VoIP traffic to keep it confidential and prevent eavesdropping by network sniffers. Put VoIP servers in a secure physical location. Make sure all routers and servers hosting your VoIP system have been hardened and all unnecessary services turned off and ports closed. Restrict access to VoIP servers to only system administrators and log and monitor all access. Use intrusion detection systems to monitor malicious attempts to access your VoIP network. Employ a defense-in-depth of strategy with multiple layers of security, including dedicated VoIP-ready firewalls. Test all devices that send, receive or parse VoIP protocols, including handsets, softphones, SIP proxies, H.323 gateways, call managers and firewalls that VoIP messages pass through.