UC Security with Microsoft Office Communication Server R1/R2 FRHACK Sept 8, 2009 Abhijeet Hatekar Vulnerability Research Engineer.


1 UC Security with Microsoft Office Communication Server R1/R2 FRHACK Sept 8, 2009 Abhijeet Hatekar Vulnerability Research Engineer

2 Agenda
© 2008 Sipera Systems, Inc. All Rights Reserved.
- Introduction
- Overview of VoIP/UC Security
- Microsoft OCS Overview
- OAT Demo - Online Dictionary Attack
- OAT Demo - IM Flood / Call Walk / Call DoS
- OAT Reporting
- Future Research Areas
- Conclusion
FRHACK. Sipera Confidential - Do not reproduce or distribute without express written consent

3 Introduction
- About VIPER Lab
  - VIPER ~ Voice over IP Exploit Research
  - Security research lab dedicated to finding
    - New UC / VoIP attack vectors
    - Structural vulnerabilities in insecure protocol / deployment / configuration
  - Penetration testing team specialized in VoIP / UC Security
  - Passionate about VoIP / UC Security
  - Replicated a production, enterprise network in VIPER Lab
  - Security assessment professionals supported by research and exploit developers

4 Introduction
- Who am I?
  - Vulnerability Research Engineer in VIPER Lab
- Tools I have authored
  - Xtest (http://xtest.sf.net)
  - VideoJak (http://videojak.sf.net)

5 Agenda
- Introduction
- Overview of Unified Communication and Security
  - What is Unified Communication?
  - VoIP Vulnerabilities
  - VoIP Attacks
- Microsoft OCS Overview
- OAT Demo - Online Dictionary Attack
- OAT Demo - IM Flood / Call Walk / Call DoS
- OAT Reporting
- Future Research Areas
- Conclusion

6 What is UC?
- Integration of real-time communication services with non-real-time communication services.
- Suite of products for communication across multiple devices and media types.

7 VoIP Vulnerabilities And Attacks
Signaling Vulnerabilities
- Most hard-phones have limited or underpowered hardware.
- Protocol stacks are poorly implemented.
- Protocols lack authentication and encryption.
- Different responses for valid/invalid usernames
Signaling Attacks
- Flooding, Fuzzing, DoS
- Signaling message injection
- Call Teardown, Registration Hijack, Media Hijack
- Caller-ID spoofing
- Username Enumeration

8 VoIP Vulnerabilities And Attacks
Media Vulnerabilities
- Media channels are unauthenticated.
- Media protocols are unencrypted.
- Poor implementation of media protocols
Media Manipulation Attacks
- Media QoS Degradation, DoS
- Media Injection, Modification, Deletion
- Eavesdropping Media

9 Agenda
- Introduction
- Overview of Unified Communication and Security
- Microsoft OCS Overview
  - Introduction to OCS
  - OAT Overview
    - Why OAT
    - OAT features
- OAT Demo - Online Dictionary Attack
- OAT Demo - IM Flood / Call Walk / Call DoS
- OAT Reporting
- Future Research Areas
- Conclusion

10 Microsoft OCS Overview
- A software-based UC solution from Microsoft
- Streamlined Communications
- Operational Flexibility and Control
- Extensible Communications Platform

11 OAT Overview
- MS Office Communication Server Assessment Tool (OAT)
- Result of reverse engineering of the OCS client
- Started RE work in Feb 2008 and developed a PoC tool to register with OCS using normal Win32 SDK APIs in May 2008
- Used the UC SDK to build OAT and its supported features

12 OAT Features
Features in OAT v1.0
- Online Dictionary Attack
- Presence Stealing
- Contact List Stealing
- IM Flood
- Call Walk
- Spam Call
- User-friendly interface
- TCP transport
- NTLM authentication protocol support
- Basic reports
What's New in OAT v2.0?
- Call DoS attack feature
- Targeted IM and Call Walk
- Auto detection of authentication protocol between NTLM & Kerberos
- TLS transport support
- More organized settings and attack tab pages
- Verbose reports in various formats including PDF, Word, RTF and Text

13 OAT Internal Assessment Mode
[Figure: Typical Deployment]
Supported Attacks
- Online Dictionary Attacks
- Domain User Enumeration
- Presence Stealing
- Contact List Stealing
- Domain IM Flood
- Domain Call Walk
- Call DoS

14 OAT External Assessment Mode
[Figure: Typical Deployment]
Supported Attacks
- Online Dictionary Attacks
- Domain User Enumeration
- Presence Stealing
- Contact List Stealing
- Contact List IM Flood
- Contact List Call Walk
- Call DoS

15 Agenda
- Introduction
- Overview of Unified Communication and Security
- Microsoft OCS Overview
- OAT Demo - Online Dictionary Attack
  - Overview
  - Demo
- OAT Demo - IM Flood / Call Walk / Call DoS
- OAT Reporting
- Future Research Areas
- Conclusion

16 OAT Online Dictionary Attack
- OAT tests the password strength of OCS enabled users.
- Imitates a real outside attack.
- A successful attack opens a door for launching attacks with dire implications.

17 Agenda
- Introduction
- Overview of Unified Communication and Security
- Microsoft OCS Overview
- OAT Demo - Online Dictionary Attack
- OAT Demo - IM Flood / Call Walk / Call DoS
  - Overview
  - Demo
- OAT Reporting
- Future Research Areas
- Conclusion

18 OAT IM Flood
- The OAT IM Flood feature can flood targeted user(s) with custom IM messages.
- Can be used to send SPAM IM.
- Can be used for phishing attacks if proper measures are not enabled.

19 OAT Call Walk
- The OAT Call Walk feature enumerates all OCS enabled users.
- Steals their presence information.
- Makes prank calls and plays a custom SPAM audio clip.

20 OAT Attacks from External Network
- The OAT Call Walk feature steals the contact list from the external network.
- Steals their presence information.
- Makes prank calls and plays a custom SPAM audio clip.

21 OAT Call DoS
- The OAT Call DoS feature can flood a targeted user with custom high-priority calls.
- Results in DoS on the Communicator client; the client needs to be forcefully restarted.
- Works on hard phones and forces the user to re-register with the OCS server.
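A defender-side sketch of how the online dictionary attack and the IM/call floods described in the slides above show up in signaling logs. This is an added example, not part of the presentation or of OAT; the log format, event names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

WINDOW_S = 60          # sliding window in seconds (assumed)
MAX_AUTH_FAILS = 5     # rejected sign-ins per (source, user) per window (assumed)
MAX_REQUESTS = 10      # INVITE or MESSAGE requests per target per window (assumed)

def parse(line):
    # Hypothetical format: "<ISO timestamp> <source IP> <event> <SIP URI>".
    # AUTH_FAIL means credentials were supplied and rejected; the initial
    # unauthenticated 401 challenge is assumed to be filtered out upstream.
    ts, src, event, uri = line.split()
    return datetime.fromisoformat(ts), src, event, uri.lower()

def detect(lines):
    """Return sorted (alert, key) pairs; each alert is reported once."""
    windows = defaultdict(deque)   # (alert, key) -> timestamps still in window
    alerts = set()
    for ts, src, event, uri in sorted(parse(l) for l in lines):
        if event == "AUTH_FAIL":
            alert, key, limit = "dictionary", (src, uri), MAX_AUTH_FAILS
        elif event in ("INVITE", "MESSAGE"):
            # Keyed on the target only, so a flood from many sources still counts.
            alert, key, limit = event.lower() + "_flood", (uri,), MAX_REQUESTS
        else:
            continue
        q = windows[(alert, key)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_S:
            q.popleft()            # drop events that fell out of the window
        if len(q) >= limit:
            alerts.add((alert, key))
    return sorted(alerts)

def sample_log():
    # Constructed sample: 6 rejected sign-ins, 12 INVITEs to one user, normal traffic.
    t = "2009-09-08T10:00:{:02d}"
    log = [t.format(i) + " 192.0.2.10 AUTH_FAIL sip:alice@example.test" for i in range(6)]
    log += [t.format(20 + i) + " 192.0.2.11 INVITE sip:bob@example.test" for i in range(12)]
    log += [t.format(40) + " 192.0.2.12 AUTH_OK sip:carol@example.test",
            t.format(41) + " 192.0.2.12 MESSAGE sip:bob@example.test"]
    return log

if __name__ == "__main__":
    for alert, key in detect(sample_log()):
        print(alert, *key)
```

The same counters can drive account lockout or per-source throttling at the edge once the thresholds have been tuned against normal sign-in and call volume.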

22 Agenda
- Introduction
- Overview of Unified Communication and Security
- Microsoft OCS Overview
- OAT Demo - Online Dictionary Attack
- OAT Demo - IM Flood / Call Walk / Call DoS
- OAT Reporting
  - Verbose Reports
  - Report formats include PDF, Word, RTF and Text
- Future Research Areas
- Conclusion

23 OAT Reports
- Generates a detailed report of the configuration, the selected attack and the result.
- Can save the report in PDF, DOC, RTF and Text file formats.
- Reports can be used in the final penetration testing report.

24 Agenda
- Introduction
- Overview of Unified Communication and Security
- Microsoft OCS Overview
- OAT Demo - Online Dictionary Attack
- OAT Demo - IM Flood / Call Walk / Call DoS
- OAT Reporting
- Future Research Areas
  - Group Chat Server
  - OCS Video Calls and Web Conference
- Conclusion

25 Future Research Areas
- Office Communication Server R2 Audio/Video Conferencing Server
- Office Communication Server R2 Group Chat Server

26 Conclusion
- The objective of OAT is to help identify vulnerabilities in the configuration and deployment of Microsoft OCS.
- OAT is not a hacking tool to expose vulnerabilities that can't be protected against.
- All of the security issues uncovered by the tool can be mitigated by following Microsoft recommended Security Best Practices.
Resources
- Microsoft OCS Best Practices Analyzer Tool

27 Contact Information
- Abhijeet Hatekar, Vulnerability Research Engineer: abhijeet@viperlab.net; abhi,hatekar@gmail.com
- For more information about Sipera VIPER Lab, visit us online at http://www.viperlab.net
- For more information about Sipera Systems, visit us online at http://www.sipera.com

