Participants will gain an understanding of the fundamentals of IP telephony, as well as basic skills in finding vulnerabilities, using common IP-PBXs and subscriber devices as examples. The workshop covers both typical network vulnerabilities and complex cases discovered during security assessments of real networks.
Positive Hack Days. Gritsai. VOIP insecurities workshop
1. VOIP insecurities workshop. “I just called to say I pwn you / I just called to say how much I care / I just called to say I own you / And I mean it from the bottom of my heart” Stevie Wonder
2. Agenda. VOIP: PSTN & VOIP, PSTN vs. VOIP, VOIP protocols, VOIP security. Attacking VOIP: enumerating VOIP devices, RTP attacks + demonstration, SIP attacks + practice. Further readings.
5. PSTN vs. VOIP. Network: PSTN – closed network; VOIP – public network (Internet). End-user devices: PSTN – simple devices; VOIP – complex devices. Authentication: PSTN – no mobility (authentication by wire); VOIP – mobility.
6. VOIP protocols: signaling protocols; media protocols. Call control and media stream use different routes.
7. VOIP protocols: Signaling. Short overview: SIP – Session Initiation Protocol; SDP – Session Description Protocol; H.323 – H.323; MGCP – Media Gateway Control Protocol; SCCP – Skinny Client Control Protocol; RTCP – Real-time Transport Control Protocol.
8. VOIP protocols: Media and Hybrid. Short overview: Media – RTP/SRTP; Hybrid (signaling + media) – IAX/IAX2.
9. VOIP insecurities. Confidentiality: eavesdropping, recording, … Availability: DoS, buffer overflows, … Authentication: registration hijacking, Caller ID spoofing, … Fraud: toll fraud, data masquerading, … SPIT (SPAM over IP Telephony): voice phishing, unsolicited calling, …
10. VOIP insecurities: Topics for today. Enumeration of VOIP devices: search engines, port scanning. RTP: eavesdropping/recording calls, inserting data into media stream, DoS. SIP: searching extensions, Caller name spoofing, DoS.
14. Enumerating VOIP devices: nmap. VOIP scanners: smap, svmap (sipvicious). Fyodor’s nmap: -sU, UDP scanning common problems.
15. Enumerating VOIP devices: Common ports. VOIP protocols: 5060-5070, 1718-1720, 2517, … RTP ports are allocated dynamically. Management protocols: TCP 21-23, 80, 443, 8088, …; UDP 161, 162, 69, … IANA (Internet Assigned Numbers Authority): grep <vendor> www.iana.org/assignments/port-numbers
16. RTP: Real-time Transport Protocol. RFC 1889 (1996) -> RFC 3550 (2003). Media over IP/UDP. Packet reordering. Used with signaling protocols (SIP, H.323, MGCP). RTCP (Real-time Transport Control Protocol): RTCP port = RTP port + 1.
17. RTP Attacks. Call interception: attacking layers 2, 3; decoding intercepted data. Injection into call: finding RTP port; injecting media stream. Denial of Service: RTP flood.
18. RTP Attacks: Call interception. ARP spoofing: Cain & Abel, ettercap, arpspoof (dsniff). Wireshark: Telephony > VOIP calls. / Demo
19. RTP Attacks: Injection: Synchronization in RTP. sequence number – position in media stream, += 1; timestamp – sampling, += 1; SSRC – identifying source, const (random 32 bit value); payload type – codec in use.
20. RTP Attacks: Injection. Unencrypted: deployment issues (debug), QoS issues, key distribution. UDP – connectionless. Data requirements: SSRC; timestamp, sequence number – monotonically increasing; timestamp, sequence number – fuzzing.
21. RTP Attacks: Injection. Finding RTP port: intercept SDP, port scan. Media injection: requirements – frequency, codec. Demo: SDP || nmap, rtpinsertsound. Not working 100%?
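A defender-side view of the synchronization fields from slides 19 and 20, as an added example that is not part of the original workshop: a passive check that parses the fixed RTP header and flags packets on one flow whose SSRC, payload type or sequence number does not continue the established stream. The `max_seq_gap` threshold, the helper names and the sample packets (160-byte payloads, timestamp step of 160) are assumptions constructed for illustration.

```python
import struct
from collections import namedtuple

RtpHeader = namedtuple("RtpHeader", "payload_type seq timestamp ssrc")

def parse_rtp(packet: bytes) -> RtpHeader:
    """Parse the 12-byte fixed RTP header (RFC 3550, section 5.1)."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return RtpHeader(b1 & 0x7F, seq, ts, ssrc)

def find_anomalies(packets, max_seq_gap=50):
    """Flag packets on one UDP flow that break the stream's synchronization state."""
    alerts, last = [], None
    for index, raw in enumerate(packets):
        hdr = parse_rtp(raw)
        # The first packet sets the baseline; flagged packets never update it.
        if last is not None:
            if hdr.ssrc != last.ssrc:
                alerts.append((index, "ssrc-changed"))
                continue
            if hdr.payload_type != last.payload_type:
                alerts.append((index, "payload-type-changed"))
                continue
            gap = (hdr.seq - last.seq) & 0xFFFF  # sequence number wraps at 16 bits
            if gap == 0 or gap > max_seq_gap:    # duplicate, replay or far jump
                alerts.append((index, "sequence-jump"))
                continue
        last = hdr
    return alerts

def build(seq, ts, ssrc, pt=0):
    """Constructed test packet: V=2 header plus 160 bytes of dummy payload."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + bytes(160)

def demo():
    """Constructed capture: four packets of one call plus two that do not fit."""
    legit = 0x1234ABCD
    flow = [build(100 + n, 8000 + 160 * n, legit) for n in range(4)]
    flow.insert(2, build(40000, 999, 0x0BADF00D))  # different SSRC
    flow.append(build(5000, 8640, legit))          # right SSRC, sequence far off
    return find_anomalies(flow)

if __name__ == "__main__":
    print(demo())
```

A legitimate mid-call SSRC or codec change (for example after a re-INVITE) also trips these checks, so alerts are best correlated with the signaling seen for the same call.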
22. RTP Attacks: Denial of Service. Flood: low bandwidth requirements; media stream = high load. Authentication – SIP. And again … UDP – connectionless. / Demo: rtpflood
24. SIP. Components: UA (User agent), Proxy, Registrar, Redirect. Call via Proxy. Call via Redirect.
25. SIP Attacks. Using somebody's PBX: extension enumeration, bruteforce extension password. Caller name spoofing. Registration hijacking. Denial of service: busy lines.
26. SIP Requests. INVITE – indicates a client is being invited to participate in a call session; BYE – terminates a call and can be sent by either the caller or the callee; OPTIONS – queries the capabilities of servers; REGISTER – registers the address listed in the To header field with a SIP server; ACK – confirms that the client has received a final response to an INVITE request; CANCEL – cancels any pending request; more …
27. SIP Answers. 1xx Informational (100 Trying, 180 Ringing); 2xx Successful (200 OK, 202 Accepted); 3xx Redirection (302 Moved Temporarily); 4xx Request Failure (404 Not Found, 482 Loop Detected); 5xx Server Failure (501 Not Implemented); 6xx Global Failure (603 Decline).
29. SIP Attacks: Using somebody's PBX. PBX: extension enumeration, bruteforcing passwords, making a call. Practice with Sipvicious: svmap <ip>; svwar -e<extensions> <ip> -m<REQUEST>; svcrack -u<extension> -d <dictionary> <ip>. Setting up a softphone.
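What the extension enumeration and password bruteforcing named on slide 29 look like from the PBX side, as an added detection example that is not part of the original workshop: it counts, per source address, how many distinct extensions were touched and how many consecutive 401/403 answers one extension produced. The four-column log format, the thresholds and the sample lines are assumptions constructed for illustration, not any PBX's native log.

```python
from collections import defaultdict

# Constructed sample; assumed format: <source-ip> <METHOD> <extension> <final-status>
SAMPLE_LOG = """\
10.0.0.5 REGISTER 100 404
10.0.0.5 REGISTER 101 401
10.0.0.5 REGISTER 102 404
10.0.0.5 REGISTER 103 404
10.0.0.5 REGISTER 104 401
10.0.0.7 REGISTER 201 401
10.0.0.7 REGISTER 201 200
10.0.0.9 REGISTER 101 401
10.0.0.9 REGISTER 101 401
10.0.0.9 REGISTER 101 401
10.0.0.9 REGISTER 101 401
"""

def parse(log):
    """Yield (source, method, extension, status) and skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[0], parts[1], parts[2], int(parts[3])

def detect(log, max_extensions=4, max_failures=3):
    """Return findings for sources that sweep extensions or keep failing auth."""
    probed = defaultdict(set)    # source -> extensions it addressed
    failures = defaultdict(int)  # (source, extension) -> consecutive 401/403
    for src, method, ext, status in parse(log):
        if method in ("REGISTER", "OPTIONS", "INVITE"):
            probed[src].add(ext)
        if status in (401, 403):
            failures[(src, ext)] += 1
        elif 200 <= status < 300:
            # A normal digest login is one 401 challenge followed by 200.
            failures[(src, ext)] = 0
    findings = []
    for src, exts in sorted(probed.items()):
        if len(exts) > max_extensions:
            findings.append((src, "extension-enumeration", len(exts)))
    for (src, ext), count in sorted(failures.items()):
        if count > max_failures:
            findings.append((src, "password-guessing", ext))
    return findings

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```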
30. SIP Attacks: Caller name spoofing. Caller name spoofing: softphone. Practicing: X-Lite softphone – caller name spoofing. Display name: ‘ 1=1 --; Domain: ip of UA; Register: disable.
31. SIP Attacks: Registration hijacking. Registration hijacking: INVITE to PBX; search user in Registrar; registration is in Contact header: ip address. Practicing with X-Lite: Register settings, rate.
32. SIP Attacks: Denial of Service. No auth: -> INVITE, <- TRYING…, <- Busy here. HTTP digest: -> INVITE, generation/storing nonce. Practice: inviteflood.
33. Further reading. Set up a lab: http://enablesecurity.com/resources/how-to-set-up-a-voip-lab-on-a-shoe-string/ Read and practice: Hacking Exposed VoIP—Voice Over IP Security Secrets & Solutions. Advanced attacks: “Having fun with RTP” by kapejod; “SIP home gateways under fire” by AnhängteDateien. Fuzzing.