Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIP Tactics && Exploitation By Jacky Altal and Yosseff Cohen ILHACK 2009.

Published byGregory Winfred Hancock Modified over 8 years ago

Similar presentations

Presentation on theme: "SIP Tactics && Exploitation By Jacky Altal and Yosseff Cohen ILHACK 2009."— Presentation transcript:

1 SIP Tactics && Exploitation By Jacky Altal and Yosseff Cohen ILHACK 2009

2 About us – Jacky 4lt4l Professional Experience: Two years as a security and data communication expert at local company. Six years as a software developer and Security Consultant at a local Bio- Tech company. Hacking Defined Leading Instructor – Technion CISO/SECPROF programs. Specializing in: Penetration Testing Vulnerability Research Forensics Investigations

3 TOC \x01 VoIP – The Real World \x02 VoIP - Know Your Environment \x03 VoIP - Security Threats \x04 VoIP - Lab \x05 VoIP - Q&A

4

5

6

7 Why do we ask those Questions? According to Emerging Cyber Threats for 2009 (Georgia Tech Info Sec Center) more then 75 percents of corporate phone lines will be using Voice Over IP (VoIP) in the next two years. “From the outset, VoIP infrastructure has been vulnerable to the same types of attacks that plague other networked computing architectures. When voice is digitized, encoded, compressed into packets and exchanged over IP networks, it is susceptible to misuse. Cyber criminals will be drawn to the VoIP medium to engage in voice fraud, data theft and other scams—similar to the problems email has experienced. Denial of service, remote code execution and botnets all apply to VoIP networks, and will become more problematic for mobile devices as well. “ Emerging Cyber Threats for 2009 by the Georgia Tech Information Security Center \x01 VoIP – Reality

8 “VoIP is about convergence. The idea is that you save money and resources and time,” Next Generation Security Because VoIP connects telephone calls via the Internet, it shares the Internet’s weaknesses. many incumbent telecommunication carriers have started offering VoIP the aspect of security, or lack thereof, is misunderstood by some of the VoIP service providers. Includes local Providers I`m n0t Smiling… VoIP Tactics && Hacking \x01 VoIP – Reality

9

10 \x01 VoIP – Home

11

12 About us – Yossef Cohen (SIPM4ST3R) Professional Experience: 10 years of experience in the telecom market working for Amdocs Israel, last 3 years as Integration Manager for projects as Sprint 4G, AT&T and BMCC china; Founder of MaxxVoice.com, developed during the Sabbatical year in 2006. Specializing in: Penetration Testing Vulnerability Research Forensics Investigations

13 VoIP: Voice Over Internet Protocol – Phone calls over the internet – Is used through softphones or IP phones/ATA – Supports QoS – Supports several audio codecs \x01 VoIP – Know Your Environment VoIP VoIP

14 SIP: Session Initialization Protocol – Used for signaling – Supports audio and video – TCP and UDP – Uses port 5060 – ASCII protocol like SMTP and HTTP \x02 VoIP – Know Your Environment SIP SIP

15 RTP: Real-time Transport Protocol – Used for the voice transport – UDP – Is dynamic, not using standard ports RTCP: RTP Control Protocol – Controls and monitors the voice transport \x02 VoIP – Know Your Environment RTP RTP

16 SIP uses mail format address, in the pattern: – @ Some examples: – jacky@sip.maxxvoice.com – yossef@sip.maxxvoice.com \x02 VoIP – Know Your Environment Addressing Addressing

17 \x02 VoIP – Know Your Environment SIP Signaling SIP Signaling

18 INVITE from caller INVITE sip:401@192.168.5.15 SIP/2.0 Via: SIP/2.0/UDP 192.168.0.204:5060;rport;branch=z9hG4bK42ccbc6905 From: ;tag=33a31c9c To: Call-ID: 42fe147836f1f4a446f4572a5386aaca@192.168.0.204 Contact: CSeq: 801 INVITE Max-Forwards: 70 Allow: INVITE,CANCEL,ACK,BYE,NOTIFY,REFER,OPTIONS,INFO,MESSAGE Content-Type: application/sdp User-Agent: Nologo Content-Length: 429 \x02 VoIP – Know Your Environment SIP Signaling SIP Signaling

19 Ringing SIP/2.0 180 Ringing Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK565267b5 From: ;tag=as23f90079 To: ;tag=419b9912cbfa34b2 Call-ID: 1bdfcd7c378f2a7e55c3b4591d608db0@cohenet.dyndns.org CSeq: 102 INVITE User-Agent: Grandstream HT488 1.0.3.64 FXS Content-Length: 0 \x02 VoIP – Know Your Environment SIP Signaling SIP Signaling

20 Ok from Called peer (answered) SIP/2.0 200 OK Via: SIP/2.0/UDP 192.168.5.10:5060;rport;branch=z9hG4bK62b65b4f29;received=1 92.168.5.10 From: ;tag=1983eb6f To: ;tag=as36a497bc Call-ID: 73bf4cb01443f22e78d0b4664df3d281@192.168.0.204 CSeq: 802 INVITE User-Agent: SIPM4ST3R Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Supported: replaces Contact: Content-Type: application/sdp Content-Length: 264 \x02 VoIP – Know Your Environment SIP Signaling SIP Signaling

21 ACK from caller to start the RTP session ACK sip:401@192.168.5.15;user=phone SIP/2.0 Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK384d1e7a From: ;tag=as23f90079 To: ;tag=419b9912cbfa34b2 Contact: Call-ID: 1bdfcd7c378f2a7e55c3b4591d608db0@192.168.5.10 CSeq: 102 ACK User-Agent: SIPM4ST3R Max-Forwards: 70 Content-Length: 0 \x02 VoIP – Know Your Environment SIP Signaling SIP Signaling

22 BYE from called peer, hang-up BYE sip:402@192.168.5.10 SIP/2.0 Via: SIP/2.0/UDP 192.168.0.202;branch=z9hG4bKbcb6e24514450a48 From: ;tag=2efac6b2150259f8 To: ;tag=as1ca51ab9 Call-ID: 68b836e61e5356b820593f69008a74de@192.168.5.10 CSeq: 33409 BYE User-Agent: Grandstream HT488 1.0.3.64 FXS Max-Forwards: 70 Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE Content-Length: 0 \x02 VoIP – Know Your Environment SIP Signaling SIP Signaling

23 BYE from caller SIP/2.0 200 OK Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK099b03fe From: ;tag=as36a497bc To: ;tag=1983eb6f Call-ID: 73bf4cb01443f22e78d0b4664df3d281@192.168.5.15 CSeq: 102 BYE Content-Length: 0 \x02 VoIP – Know Your Environment SIP Signaling SIP Signaling

24 \x03 VoIP - Security Threats Layer MAC Spoofing ARP FloodARP CachePhysical attackNetwork IP FragRedirect via IP IP SpoofingInternet TCP/UDP Replay TCP/UDP Flood Transport RTP TamperSpoofDHCP Insertion Tftp InsertionApplication

25 \x01 VoIP – Reality

26

27

28 Unblock the Blocker – Kevin Mitnik

29

30 Google Dork: intext:"FreePBX Administration" + "Welcome" inurl:Admin Default Trix Box VOIP Servers Default passwords, vulnerable servers.

31 Google Dork: intext:"FreePBX Administration" + "Welcome" inurl:Admin Default passwords, vulnerable servers.

32 Google Dork: intext:"FreePBX Administration" + "Welcome" inurl:Admin Default passwords, vulnerable servers.

33 Directory Harvesting VoIP directory harvesting attacks occur when attackers attempt to find valid VoIP addresses by conducting brute force attacks on a network. The attacker can send thousands of VoIP addresses to a particular VoIP domain, those that are not returned, are valid VoIP clients. להוסיף פה תמונת מסך של סריקה 5060 לפטופ

34 Eavesdropping Voice packets are subject to man-in-the-middle attacks where a hacker spoofs the MAC address of two parties and forces VoIP packets to flow through the hacker's system. Reassemble voice packets Listen in to real-time conversations Hackers can also gain access to all sorts of sensitive data and information, such as user names, passwords, and VoIP system information. SQL-Injection & Password Guessing can be launched in distributed nature with different SIP URI

35 SQL-Injection Tampering via SIP AuthorizationDigest header can be tampered in order to inject SQL query. Update subcriber set first_name=‘jacky_altal’ Where username=‘asterisk’--, realm-=“192.168.10.100”, algortim=“md5”, Nonce=“41351a34b342b43434d223421d”, Response=“a6466dce7890e087e6e55e67e2ee3”

36 Invite Of Death Attack The Invite of Death attack simply demonstrates that VoIP is affected by exactly the same types of vulnerabilities as any other IP application. In this case a simple implementation error leaves the application open to a remote Denial Of Service attack. This vulnerability has already been fixed but there are many others to come. In other words, if you are relying on a generic firewall to protect your voice system, the chances are that it will not block or even detect these threats.

37 SIPy – send spoofed call to sip client Killer Written by Jacky Altal and Yossef Cohen

38 SipY – SIP software testing,

39 SipY – SIP Server/Client Vulnerability testing,

40 SIP Relay Attack ProxyAttackerVictimOut Dial Modify Request Reverse Request Modify Request

41 Are You R-E-A-D-Y??? Let`s F-I-G-H-T!!!

42 LAB CentOS - Linux Distro http://www.centos.org/http://www.centos.org/ Asterisk – Open Source PBX http://www.asterisk.org/http://www.asterisk.org/ xLite – SIP Client Iphone sip client ( home made ) Of course that there are many other codecs and other stuff….

43 iWar012 – ;) Network Range Mass Scanning http://www.softwink.com/iwar/ We can find other lines, scan network ranges, by IP`s and phone numbers. Find FREE X.25 networks Free SEX Lines,

44 Encryption what is it good for?

45 Provisioning Servers しかたが ない Shikata ga nai….

46 Question? > /dev/null

47 The End jacky@see-security.comjacky@see-security.com yossef@maxxvoice.comyossef@maxxvoice.com http://4lt4l.blogspot.com

Download ppt "SIP Tactics && Exploitation By Jacky Altal and Yosseff Cohen ILHACK 2009."

Similar presentations

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation
July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.

July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.
Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.

Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)
NAT Traversal Panasonic Communications Co.,Ltd Office Network Company Network SE Team 2008 Feb 25 th.

NAT Traversal Panasonic Communications Co.,Ltd Office Network Company Network SE Team 2008 Feb 25 th.
1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.

1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.
Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)

Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)
Securing Unified Communications Mor Hezi VP Unified Communications AudioCodes.

Securing Unified Communications Mor Hezi VP Unified Communications AudioCodes.
Session Initiation Protocol Winelfred G. Pasamba.

Session Initiation Protocol Winelfred G. Pasamba.
September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.
Application Layer 2-1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Application Layer – Lecture.

Application Layer 2-1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Application Layer – Lecture.
Session Initiation Protocol (SIP) By: Zhixin Chen.

Session Initiation Protocol (SIP) By: Zhixin Chen.
SIP/RTP/RTCP Implementation by George Fu, UCCS CS 525 Semester Project Fall 2006.

SIP/RTP/RTCP Implementation by George Fu, UCCS CS 525 Semester Project Fall 2006.
VoIP Using SIP/RTP by George Fu, UCCS CS 522 Semester Project Fall 2004.

VoIP Using SIP/RTP by George Fu, UCCS CS 522 Semester Project Fall 2004.
SIP Security Matt Hsu.

SIP Security Matt Hsu.
VoIP Voice Transmission Over Data Network. What is VoIP?  A method for Taking analog audio signals Turning audio signals into digital data Digital data.

VoIP Voice Transmission Over Data Network. What is VoIP?  A method for Taking analog audio signals Turning audio signals into digital data Digital data.
12/05/2000CS590F, Purdue University1 Sip Implementation Protocol Presented By: Sanjay Agrawal Sambhrama Mundkur.

12/05/2000CS590F, Purdue University1 Sip Implementation Protocol Presented By: Sanjay Agrawal Sambhrama Mundkur.
CS158B Project By Shing Chau Jerry Ko Ying Li

CS158B Project By Shing Chau Jerry Ko Ying Li
CSc 461/561 CSc 461/561 Multimedia Systems Part C: 2. SIP.

CSc 461/561 CSc 461/561 Multimedia Systems Part C: 2. SIP.

Similar presentations

Ads by Google