Alessio Pennasilico VoIP security

Alessio L.R. [email protected]

twitter: mayhemsppFaceBook: alessio.pennasilico

Phone/Fax +39 045 8271222Verona, Milano, Romahttp://www.alba.st/

!

Cagliari, 13 Giugno 2011

VoIP (in)SecurityAll your bases belong to us

http://www.aisgroup.it/


















































mailto:[email protected]


http://www.alba.st

http://www.alba.st

Alessio L.R. Pennasilico 2

$ whois mayhem

Board of Directors:CLUSIT, ISSA Italian Chapter, Italian Linux Society, OpenBSD

Italian User Group, Metro Olografix, Sikurezza.org, Spippolatori Hacker Club

Hacker’s Profiling Project, CrISTAL, Recursiva.org

Security Evangelist @

http://www.alba.st/

http://www.alba.st/

Alessio L.R. Pennasilico

IT Security...

Un inutile impedimento

che rallenta le comuni operazioni

e danneggia il business?

3


IT Security...

O prevenzione e risposta ad eventi che danneggerebbero il business in modo peggiore?

4


Evoluzione

5

La tecnologia si evolve…

… e con essa anche le minacce!


Video: I signori della truffa

6


http

://w

ww

.alb

a.st

/

How do I feel today?

http://www.aisgroup.it



mayhem

I’m worried

8


VoIP explosion

“Mobile VoIP Users to Nearly 139 Million by 2014

Says In-Stat”


Telecom

news

10


CALEA

laws

11


Spyware

economic interests

12


mayhem

everyone wants to know

something about me

13


mayhem

it’s none of your business (KL)

14


History

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

Benjamin Franklin, 1759

15

http

://w

ww

.alb

a.st

/

Phones




Phones

eavesdropping

17


Phones

It’s possible

to listen to others’ conversations

from another shared line phone.

18


Phones

It’s possible to connect

a specific eavesdropping device

to the phone line

with a crocodile clips

19


Phones

It’s possible to eavesdrop

from the central PBX

or from ISP switches.

20


Phones

It’s possible to eavesdrop

from trunks

with advanced technologies.

21

http

://w

ww

.alb

a.st

/

You want VoIP!




Deployment

Faster, easier and cheaper to deploy

over national IP network infrastructure

23


Services

Native advanced services

for every user

Fax2Mail, VoiceMail, IVR, text2speech

24


Tools

Plenty of OpenSource Projects

full functionals and very mature

user, business and carrier oriented

Asterisk, FreeSwitch, OpenSER, OpenSBC

25


Standards

Using standard protocols

it’s truly interoperable

SIP, H.323, IAX

26


Integration

The PBX or the VoIP client

can interact with other applications

and use centralized data

billing, E.164,CRM integration

27


Question

but what about security?

28

http

://w

ww

.alb

a.st

/

All your VoIP belongs to us :)




Traditional Telephony“I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer.”

Captain Crunch, “Secrets of the Little Blue Box“, 1971

(slide from Hacker's Profile Project, http://hpp.recursiva.org)

http://hpp.recursiva.org

http://hpp.recursiva.org


Eavesdropping

“Unknowns tapped the mobile phones of about 100 Greek politicians and offices, including the U.S. embassy in Athens and the Greek prime minister.”

Bruce Schneier, his blog, 22nd June 2006

Greek wiretapping scandal


First attacks ...

“A brute-force password attack was launched against a SIP-based PBX in what appeared to be an attempt to guess passwords. Queries were coming in about 10 per second. Extension/identities were incrementing during each attempt, and it appeared that a full range of extensions were cycled over and over with the new password. The User-Agent: string was almost certainly falsified.”

John Todd on VoIPSA mailinglist, May 24th 2006


Frauds

“Edwin Andreas Pena, a 23 year old Miami resident, was arrested by the Federal government: he was involved in a scheme to sell discounted Internet phone service by breaking into other Internet phone providers and routing connections through their networks.”

The New York Times, June 7th 2006


Robert Moore

34


Robert Moore

“I'd say 85% of them were misconfigured routers. They had the default passwords on them: you would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them”.

34


Robert Moore

“I'd say 85% of them were misconfigured routers. They had the default passwords on them: you would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them”.

34

"It's so easy a caveman can do it!"


VoIP Risks

Telephones had always been seen as secure, because they use proprietary hardware,

proprietary protocols, and are disconnected from the other devices.

35


VoIP Risks

Telephones had always been seen as secure, because they use proprietary hardware,

proprietary protocols, and are disconnected from the other devices.

VoIP multiply traditional telephony risks for IP network risks.

35


ISDN2SIP

36


Protect us!

End user has no way to protect himself: he has to adhere to its carrier configuration.

Providers and companies implementing a VoIP infrastructure should take care of their customers’

security and privacy.


SPIT

SPAM over Internet Telephony will become an emergency.

Low cost of VoIP calls, widespreading of human and tech resources, use of recorded messages, high revenues even on

low purchases make SPIT an attractive business.


Vishing

Voice Phishing is a typical fraud against end users, available thanks to VoIP characteristics.

Cheapness of this technology permit to deploy this attack on a large scale, integrating some “old style”

attacks (e.g. wardialing, caller id spoofing).

This fraud is based on user’s trust in “telephone device” and trust in caller identity.


Risks

Denial of Service (DoS), eavesdropping, identity theft, toll fraud, Vishing, SPIT are real risks.

There are dozens of free, OpenSource, downloadable tools that are specific to test/attack VoIP protocols and

devices.


Risks

Denial of Service (DoS), eavesdropping, identity theft, toll fraud, Vishing, SPIT are real risks.

There are dozens of free, OpenSource, downloadable tools that are specific to test/attack VoIP protocols and

devices.

We can use them to secure our infrastructure!

http

://w

ww

.alb

a.st

/

How does a phone call works?




Boot sequence

42

• Boot• Retrieve Conf• Registration• Signaling• RTP


Power up the phone ...



VoIP phones execute some actions at bootstrap, many of these vulnerable to different legacy

attacks:




attacks:• Phones obtain IP address from a DHCP server





• DHCP furnishes the TFTP server address to the phone






• Phones download the firmware from the TFTP server







• Phones download configuration from the TFTP server







• Phones download configuration from the TFTP server

• Phones authenticate on the VoIP server


...and start a call.

When bootstrap is complete the phone exchanges some information with the server, to describe its status and inform the VoIP PBX about calls status

(signaling).

When a call is answered a new traffic flow of UDP packets starts, carrying our voice. This is called RTP

and can be established between end points or between each SIP-UA and its server.


What can I do? :)

DHCP Spoofing -> TFTP redirect

TFTP Spoofing -> OS substitution

TFTP Queries -> obtain configurations

Password Sniffing

PBX Spoofing -> negotiate auth

RTP Traffic in clear

45

http

://w

ww

.alb

a.st

/

Hardening tips & triks




VLAN

47


VLAN Packets

48

macsrc

macdst

TAG

Dati

macsrc

macdst Dati


Configure the phone

49


Configure the switch

50


Inter-VLAN routing

You need at least a L3 device

Can be a Firewall with ACL

A VoIP protocols aware firewall is much more effective

51


AAA

Authentication

Authorization

Accounting

Do you have all 3 A ?

52


Encrypting

VPN?

Signaling -> TLS

RTP -> SRTP

PKI? Lawful interception?

53


Periodic PenTests

Is your infrastructure secure today?

If yes, will still be secure in 6 months?

54

http

://w

ww

.alb

a.st

/

Other advices...




mis-configuration

0039081XXXXXXX

“Press 1 for commercial office,

2 for sales dept, 3 to access the search menu,

9 to talk with an operator”

3 0 0456152498

“Alba S.T. buon giorno, come posso esserle utile?”

56


“clever” devices

Many network devices supports security feature to mitigate known attacks:

✓ gratuitous ARP block

✓ DHCP snooping

✓ flood detection

✓ QoS support

✓ …

57


Power over Ethernet

Is you switch under an UPS?

How long is your UPS able to stand

on-battery powering phones?

58


Quality of Service

Security feature?

Can preserve the VoIP traffic from being delayed / dropped

...needed...

59


Redudancy

Is it a security feature, or just about business continuity?

Don’t know, but you need it :)

60


Training

Security is unsuccessfully if you do not teach people what to do, how to use the new

technology you give them, the importance of data they’re managing.

61

http

://w

ww

.alb

a.st

/

Tools to test your infrastructures...




Ettercap

The Man in the Middle attack suite. Multiplatform, usable from console or in a window manager.

Ettercap allows to perform all typical layer 2 tests to understand how vulnerable our switched network is

if not correctly protected.

Keywords: arp spoofing, arp poisoning, hijacking, sniffing, decoding, dns spoofing, dos, flood.

http://ettercap.sourceforge.net/




Ettercap (2)


Vomit

Voice Over Misconfigured Internet Telephones, from a standard tcpdump log trace, can create a wave file

with the audio conversation intercepted on the monitored network.

It supports MGCP protocol with G.711 codec and works only on Linux.

./vomit -r elisa.dump | waveplay -S 8000 -B 16 -C 1


Wireshark

Multiplatform Sniffer, with a lot of decoders that allows to manage the intercepted traffic.

Wireshark can identify and decode both signaling and RTP traffic and shows all information needed for

a successive analysis.

http://www.wireshark.org/




Wireshark (2)


Oreka

Available for Windows and Linux, supports Cisco Call Manager, Lucent APX8000, Avaya, S8500, Siemens

HiPath, VocalData, Sylantro and Asterisk SIP channel protocols.

Eavesdrops and records RTP part of phone calls.

Simple, intuitive, accessible through a web interface, based on a MySQL database.

http://oreka.sourceforge.net/




Ohrwurm

“Ear worm” is an RTP fuzzer. It sends a large amount of requests, with different combinations of

parameters, some correct and some with few or no sense, to interprete the answers and identify

anomalies..

Anomalies are often the launchpad to discover a bug or some implementation defect.

http://mazzoo.de/blog/2006/08/25#ohrwurm

http://mazzoo.de/blog/2006/08/25%23ohrwurm

http://mazzoo.de/blog/2006/08/25%23ohrwurm


SipSak

SIP Swiss Army Knife permits to interact with any SIP device, forging ad-hoc SIP traffic to gather

information on its target features and behaviour.

http://sipsak.org/


Smap

By merging nmap and SipSak, this project realizes a new specific tool, a program able to detect all SIP devices in the network and produce a report for

each one.

This will permit us to obtain a map of VoIP devices, with their features, brand and model.

http://www.wormulon.net/index.php?/archives/1125-smap-released.html




SiVus

It’s a SIP security scanner: it verifies characteristics of scan targets and compares them against a database

of known misconfigurations or bugs.

This database is increasing in a very impressive way …

http://www.vopsecurity.org/html/tools.html




SipVicious

SIPVicious is an integrated suite that allows to scan, enumerate, and crack SIP accounts.

svmap - this is a sip scanner. Lists SIP devices found on an IP range

svwar - identifies active extensions on a PBX

svcrack - an online password cracker for SIP PBX

svreport - manages sessions and exports reports to various formats

73


Scan

mayhem$ python svmap.py 192.168.99.0/24

| SIP Device | User Agent |-------------------------------------| 192.168.99.13:5060 | Asterisk PBX |

74


Enumerate

mayhem$ python svwar.py -e 100-200 192.168.99.13

| Extension | Authentication |------------------------------| 120 | reqauth || 111 | reqauth || 125 | noauth |

75


Brute Force

mayhem$ python svcrack.py -n -u 111 -r 1000-9999 192.168.99.13

| Extension | Password |------------------------| 111 | 1234 |

mayhem$ python svcrack.py -n -u 120 -r 1000-9999 192.168.99.13

| Extension | Password |------------------------| 120 | 1357 |

76


Other tools

Packet Gen & Packet ScanShootSipnessSipshare

Sip scenarioSiptest harnessSipv6analyzer

Winsip Call GeneratorSipsim

MediaproNetdude

SipBomber

RTP FlooderInvite flooderRTP injector

Sipscanreg. hijacker eraser/adder

Fuzzy PacketIax FlooderCain & Abel

SipKillSFTF

VoIPongSipP

http

://w

ww

.alb

a.st

/

Conclusions




Conclusions✓ Pay attention to risk analysis and planning!

✓ Divide in multiple VLAN

✓ Implement QoS

✓ Be extremely careful in AAA

✓ Use cryptography! (TLS, SRTP)

✓ Use “clever” devices

(can mitigate mitm, garp, spoofing, flooding and other known attacks)

✓ Application level Firewall

✓ Avoid single point of failure

✓ Periodic security test

79


Bibliography

http://www.voipsa.org

http://www.voip-info.org

http://misitano.com/pubs/voip-ictsec.pdf

http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58.zip

http://www.nytimes.com/2006/06/08/technology/08voice.html

http://www.schneier.com/blog/

http://www.cloudmark.com/press/releases/?release=2006-04-25-2

http://www.usdoj.gov/usao/nj/press/files/pdffiles/penacomplaint.pdf

http://www.usdoj.gov/usao/pae/News/Pr/2005/feb/Moore.pdf

Scholz - Attacking VoIP Networks




VoIP explosion

“Mobile VoIP Users to Nearly 139 Million by 2014

Says In-Stat”


Conclusioni

VoIP can be secure

82


Conclusioni

more secure

than traditional telephony

83


Conclusioni

it depends on us

84




!


T h e s e s l i d e s a r e written by Alessio L.R. P e n n a s i l i c o a k a mayhem. They are subjected to Creative Commons Attribution-S h a r e A l i k e - 2 . 5 version; you can copy, modify, or sell them. “Please” ci te your source and use the same licence :)

























































http://www.alba.st

http://www.alba.st




!


Domande? T h e s e s l i d e s a r e written by Alessio L.R. P e n n a s i l i c o a k a mayhem. They are subjected to Creative Commons Attribution-S h a r e A l i k e - 2 . 5 version; you can copy, modify, or sell them. “Please” ci te your source and use the same licence :)

























































http://www.alba.st

http://www.alba.st




!


T h e s e s l i d e s a r e written by Alessio L.R. P e n n a s i l i c o a k a mayhem. They are subjected to Creative Commons Attribution-S h a r e A l i k e - 2 . 5 version; you can copy, modify, or sell them. “Please” ci te your source and use the same licence :)Grazie dell’attenzione!

























































http://www.alba.st

http://www.alba.st


Quote del Video

Il nostro mondo non è più dominato dalle armi, dall'energia, dai soldi; è dominato da piccoli uno e zero,

da bit e da dati, tutto è solo elettronica.

C'è una guerra là fuori, amico mio. Una guerra mondiale. E non ha la minima importanza chi ha più pallottole, ha

importanza chi controlla le informazioni. Ciò che si vede, si sente, come lavoriamo, cosa pensiamo, si basa

tutto sull'informazione!

86

Date post:	08-May-2015
Category:	Technology
Upload:	crs4-research-center-in-sardinia
View:	2,448 times
Download:	2 times

Alessio Pennasilico VoIP security

Technology