Date posted: 08-May-2015
Category: Technology
Uploaded by: crs4-research-center-in-sardinia
Alessio L.R. Pennasilico, [email protected]
Twitter: mayhemspp, Facebook: alessio.pennasilico
Phone/Fax +39 045 8271222
Verona, Milano, Roma
http://www.alba.st/
Cagliari, 13 June 2011
VoIP (in)Security: All your bases belong to us
Alessio L.R. Pennasilico
$ whois mayhem
Board of Directors: CLUSIT, ISSA Italian Chapter, Italian Linux Society, OpenBSD Italian User Group, Metro Olografix, Sikurezza.org, Spippolatori Hacker Club
Hacker’s Profiling Project, CrISTAL, Recursiva.org
Security Evangelist @
IT Security...
A useless obstacle that slows down normal operations and damages the business?

IT Security...
Or prevention of, and response to, events that would damage the business even more?
Evolution
Technology evolves…
… and so do the threats!

Video: I signori della truffa (the film Sneakers)
mayhem: I’m worried
VoIP explosion
“Mobile VoIP Users to Nearly 139 Million by 2014 Says In-Stat”
Telecom news

CALEA laws

Spyware: economic interests

mayhem: everyone wants to know something about me

mayhem: it’s none of your business (KL)
History
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin, 1759
Phones: eavesdropping

Phones
It’s possible to listen to others’ conversations from another phone on a shared line.

Phones
It’s possible to connect a dedicated eavesdropping device to the phone line with crocodile clips.

Phones
It’s possible to eavesdrop from the central PBX or from ISP switches.

Phones
It’s possible to eavesdrop from trunks with advanced technologies.
Deployment
Faster, easier and cheaper to deploy over national IP network infrastructure.

Services
Native advanced services for every user: Fax2Mail, VoiceMail, IVR, text2speech.

Tools
Plenty of OpenSource projects, fully functional and very mature, user, business and carrier oriented: Asterisk, FreeSwitch, OpenSER, OpenSBC.

Standards
Using standard protocols, it’s truly interoperable: SIP, H.323, IAX.

Integration
The PBX or the VoIP client can interact with other applications and use centralized data: billing, E.164, CRM integration.

Question
But what about security?
http://www.alba.st/
All your VoIP belongs to us :)
Traditional Telephony
“I do it for one reason and one reason only. I'm learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Computers, systems, that's my bag. The phone company is nothing but a computer.”
Captain Crunch, “Secrets of the Little Blue Box”, 1971
(slide from Hacker's Profiling Project, http://hpp.recursiva.org)
Eavesdropping: Greek wiretapping scandal
“Unknowns tapped the mobile phones of about 100 Greek politicians and offices, including the U.S. embassy in Athens and the Greek prime minister.”
Bruce Schneier, his blog, 22nd June 2006
First attacks ...
“A brute-force password attack was launched against a SIP-based PBX in what appeared to be an attempt to guess passwords. Queries were coming in about 10 per second. Extension/identities were incrementing during each attempt, and it appeared that a full range of extensions were cycled over and over with the new password. The User-Agent: string was almost certainly falsified.”
John Todd on VoIPSA mailinglist, May 24th 2006
Frauds
“Edwin Andreas Pena, a 23 year old Miami resident, was arrested by the Federal government: he was involved in a scheme to sell discounted Internet phone service by breaking into other Internet phone providers and routing connections through their networks.”
The New York Times, June 7th 2006
Robert Moore
“I'd say 85% of them were misconfigured routers. They had the default passwords on them: you would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them”.
"It's so easy a caveman can do it!"
VoIP Risks
Telephones had always been seen as secure, because they use proprietary hardware, proprietary protocols, and are disconnected from other devices.
VoIP multiplies traditional telephony risks by IP network risks.
ISDN2SIP
Protect us!
End users have no way to protect themselves: they have to adhere to their carrier’s configuration.
Providers and companies implementing a VoIP infrastructure should take care of their customers’ security and privacy.
SPIT
SPAM over Internet Telephony will become an emergency.
The low cost of VoIP calls, the wide availability of human and technical resources, the use of recorded messages and high revenues even on small purchases make SPIT an attractive business.
Vishing
Voice Phishing is a typical fraud against end users, made possible by VoIP characteristics.
The cheapness of this technology permits deploying this attack on a large scale, integrating some “old style” attacks (e.g. wardialing, caller ID spoofing).
This fraud is based on the user’s trust in the “telephone device” and in the caller’s identity.
Risks
Denial of Service (DoS), eavesdropping, identity theft, toll fraud, Vishing, SPIT are real risks.
There are dozens of free, OpenSource, downloadable tools that are specific to test/attack VoIP protocols and devices.
We can use them to secure our infrastructure!
Boot sequence
• Boot
• Retrieve Conf
• Registration
• Signaling
• RTP
Power up the phone ...
VoIP phones execute some actions at bootstrap, many of them vulnerable to different legacy attacks:
• Phones obtain an IP address from a DHCP server
• DHCP furnishes the TFTP server address to the phone
• Phones download the firmware from the TFTP server
• Phones download the configuration from the TFTP server
• Phones authenticate on the VoIP server
...and start a call.
When bootstrap is complete the phone exchanges some information with the server, to describe its status and to inform the VoIP PBX about call status (signaling).
When a call is answered a new flow of UDP packets starts, carrying our voice. This is called RTP and can be established between end points or between each SIP UA and its server.
What can I do? :)
DHCP Spoofing -> TFTP redirect
TFTP Spoofing -> OS substitution
TFTP Queries -> obtain configurations
Password Sniffing
PBX Spoofing -> negotiate auth
RTP Traffic in clear
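The DHCP -> TFTP step of the boot sequence, as an added example that is not part of the original deck: a parser for the options block of a DHCP OFFER that flags an offer pointing the phone at a TFTP server other than the one we provision from, which is what the "DHCP Spoofing -> TFTP redirect" case looks like on the wire (and what DHCP snooping on the switch is meant to stop). The trusted server address and the two sample offers are constructed assumptions.

```python
import ipaddress

TRUSTED_TFTP = {"192.168.99.10"}   # assumption: the provisioning server we expect

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {code: raw_value} from a DHCP options block (RFC 2132 TLV format).
    `payload` starts right after the 4-byte magic cookie; 0 = pad, 255 = end."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

def tftp_servers(opts: dict) -> set:
    """Collect every TFTP server the offer names: option 66 (server name,
    text) and option 150 (list of IPv4 addresses, used by Cisco phones)."""
    servers = set()
    if 66 in opts:
        servers.add(opts[66].decode("ascii", "replace"))
    if 150 in opts:
        raw = opts[150]
        for off in range(0, len(raw) - len(raw) % 4, 4):
            servers.add(str(ipaddress.IPv4Address(raw[off:off + 4])))
    return servers

def rogue_tftp(payload: bytes, trusted=TRUSTED_TFTP) -> set:
    """Untrusted TFTP servers named by the offer; an empty set means it is clean."""
    return tftp_servers(parse_dhcp_options(payload)) - trusted

def option(code: int, value: bytes) -> bytes:
    """Encode one TLV option (used only to build the constructed samples)."""
    return bytes([code, len(value)]) + value

# Constructed sample offers, not real captures.
LEGIT_OFFER = (option(53, b"\x02")                                  # DHCPOFFER
               + option(66, b"192.168.99.10")
               + option(150, ipaddress.IPv4Address("192.168.99.10").packed)
               + b"\xff")
ROGUE_OFFER = (option(53, b"\x02")
               + option(66, b"192.168.99.66")                       # rogue server
               + b"\xff")

if __name__ == "__main__":
    print("legit:", rogue_tftp(LEGIT_OFFER))   # set()
    print("rogue:", rogue_tftp(ROGUE_OFFER))   # {'192.168.99.66'}
```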
VLAN

VLAN Packets
[Figure: 802.1Q tagged frame: macsrc | macdst | TAG | data; untagged frame: macsrc | macdst | data]
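The two frame layouts in the figure, as an added example that is not part of the original deck: a decoder for untagged and 802.1Q-tagged Ethernet frames (the TAG carries priority bits used by QoS and the 12-bit VLAN id), plus a check that a frame sits on the expected voice VLAN, which is how you verify that the VLAN separation recommended here actually holds on a port. VLAN id 100, the MAC addresses and the sample frames are constructed.

```python
import struct

TPID_8021Q = 0x8100
VOICE_VLAN = 100            # assumption: the id of our voice VLAN

def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (None if untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None}
    off = 14
    if etype == TPID_8021Q:                  # 4-byte tag inserted before the EtherType
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13              # 3 priority bits (QoS)
        info["vlan"] = tci & 0x0FFF          # 12-bit VLAN id
        off = 18
    info["ethertype"] = etype
    info["payload"] = frame[off:]
    return info

def on_wrong_vlan(frame: bytes, expected_vlan: int = VOICE_VLAN) -> bool:
    """True when a frame is untagged or carries a VLAN id other than expected."""
    return parse_frame(frame)["vlan"] != expected_vlan

def build_frame(dst: str, src: str, payload: bytes, vlan=None, pcp=0) -> bytes:
    """Build a sample frame (constructed data; 0x0800 = IPv4 EtherType)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    return hdr + struct.pack("!H", 0x0800) + payload

PHONE, PBX = "00:11:22:33:44:55", "66:77:88:99:aa:bb"     # constructed MACs
TAGGED = build_frame(PBX, PHONE, b"rtp...", vlan=VOICE_VLAN, pcp=5)
UNTAGGED = build_frame(PBX, PHONE, b"rtp...")
OTHER = build_frame(PBX, PHONE, b"rtp...", vlan=200)

if __name__ == "__main__":
    for name, f in (("tagged", TAGGED), ("untagged", UNTAGGED), ("other", OTHER)):
        print(name, parse_frame(f)["vlan"], "wrong vlan:", on_wrong_vlan(f))
```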
Configure the phone

Configure the switch

Inter-VLAN routing
You need at least a L3 device.
It can be a firewall with ACLs.
A VoIP-protocol-aware firewall is much more effective.
AAA
Authentication, Authorization, Accounting.
Do you have all 3 A’s?
Encrypting
VPN?
Signaling -> TLS
RTP -> SRTP
PKI? Lawful interception?
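The AAA and encryption advice above, as an added example written for this page and not the author's own configuration: an Asterisk chan_sip fragment with the weak settings the scan/enumerate/crack steps later in the deck rely on, beside the hardened form with TLS signaling and SRTP media. The certificate paths, the voice VLAN subnet and the secret are placeholders.

```ini
; --- weak: what the enumerate/crack steps later in this deck rely on ---
[general]
transport=udp             ; signaling in clear: passwords and call setup sniffable
allowguest=yes            ; unauthenticated INVITEs reach the dialplan
alwaysauthreject=no       ; unknown user and wrong password answer differently: extensions can be enumerated

[111]
type=friend
host=dynamic
secret=1234               ; 4-digit PIN, inside the 1000-9999 range tried later
context=from-internal

; --- hardened: TLS for signaling, SRTP for media, AAA tightened ---
[general]
transport=tls
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/pbx.pem   ; assumption: path of the PBX certificate
tlscafile=/etc/asterisk/keys/ca.crt      ; assumption: your PKI's CA certificate
allowguest=no
alwaysauthreject=yes      ; same rejection for unknown and known users

[111]
type=friend
host=dynamic
secret=CHANGE_ME_long_random_secret      ; placeholder: generate a long random secret
transport=tls
encryption=yes            ; require SRTP for the RTP stream (needs res_srtp loaded)
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=192.168.100.0/255.255.255.0       ; assumption: the voice VLAN subnet
call-limit=2              ; authorization/accounting: cap concurrent calls per extension
```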
Periodic PenTests
Is your infrastructure secure today?
If yes, will it still be secure in 6 months?
Mis-configuration
0039081XXXXXXX
“Press 1 for commercial office, 2 for sales dept, 3 to access the search menu, 9 to talk with an operator”
3 0 0456152498
“Alba S.T., good morning, how can I help you?”
“clever” devices
Many network devices support security features to mitigate known attacks:
✓ gratuitous ARP block
✓ DHCP snooping
✓ flood detection
✓ QoS support
✓ …
Power over Ethernet
Is your switch under a UPS?
How long can your UPS keep powering the phones on battery?
Quality of Service
Security feature?
It can preserve VoIP traffic from being delayed / dropped.
...needed...
Redundancy
Is it a security feature, or just about business continuity?
Don’t know, but you need it :)
Training
Security fails if you do not teach people what to do, how to use the new technology you give them, and the importance of the data they’re managing.
http://www.alba.st/
Tools to test your infrastructures...
Ettercap
The Man in the Middle attack suite. Multiplatform, usable from the console or in a window manager.
Ettercap allows performing all the typical layer 2 tests to understand how vulnerable our switched network is if not correctly protected.
Keywords: arp spoofing, arp poisoning, hijacking, sniffing, decoding, dns spoofing, dos, flood.
http://ettercap.sourceforge.net/
Vomit
Voice Over Misconfigured Internet Telephones can, from a standard tcpdump trace, create a wave file with the audio conversation intercepted on the monitored network.
It supports the MGCP protocol with the G.711 codec and works only on Linux.
./vomit -r elisa.dump | waveplay -S 8000 -B 16 -C 1
Wireshark
Multiplatform sniffer, with a lot of decoders that allow managing the intercepted traffic.
Wireshark can identify and decode both signaling and RTP traffic and shows all the information needed for subsequent analysis.
http://www.wireshark.org/
Oreka
Available for Windows and Linux, it supports Cisco Call Manager, Lucent APX8000, Avaya S8500, Siemens HiPath, VocalData, Sylantro and Asterisk SIP channel protocols.
Eavesdrops on and records the RTP part of phone calls.
Simple, intuitive, accessible through a web interface, based on a MySQL database.
http://oreka.sourceforge.net/
Ohrwurm
“Ear worm” is an RTP fuzzer. It sends a large number of requests, with different combinations of parameters, some correct and some with little or no sense, then interprets the answers to identify anomalies.
Anomalies are often the launchpad to discover a bug or some implementation defect.
http://mazzoo.de/blog/2006/08/25#ohrwurm
SipSak
SIP Swiss Army Knife permits interacting with any SIP device, forging ad-hoc SIP traffic to gather information on its target’s features and behaviour.
http://sipsak.org/
Smap
By merging nmap and SipSak, this project realizes a new specific tool, able to detect all SIP devices in the network and produce a report for each one.
This permits us to obtain a map of VoIP devices, with their features, brand and model.
http://www.wormulon.net/index.php?/archives/1125-smap-released.html
SiVuS
It’s a SIP security scanner: it verifies characteristics of the scan targets and compares them against a database of known misconfigurations or bugs.
This database is growing at a very impressive rate …
http://www.vopsecurity.org/html/tools.html
SIPVicious
SIPVicious is an integrated suite that allows scanning, enumerating and cracking SIP accounts.
svmap - a SIP scanner: lists SIP devices found on an IP range
svwar - identifies active extensions on a PBX
svcrack - an online password cracker for SIP PBXs
svreport - manages sessions and exports reports to various formats
Scan
mayhem$ python svmap.py 192.168.99.0/24
| SIP Device         | User Agent   |
-------------------------------------
| 192.168.99.13:5060 | Asterisk PBX |

Enumerate
mayhem$ python svwar.py -e 100-200 192.168.99.13
| Extension | Authentication |
------------------------------
| 120       | reqauth        |
| 111       | reqauth        |
| 125       | noauth         |

Brute Force
mayhem$ python svcrack.py -n -u 111 -r 1000-9999 192.168.99.13
| Extension | Password |
------------------------
| 111       | 1234     |
mayhem$ python svcrack.py -n -u 120 -r 1000-9999 192.168.99.13
| Extension | Password |
------------------------
| 120       | 1357     |
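A defender-side counterpart to the svwar/svcrack runs above (and to the 2006 brute-force report quoted earlier: ~10 attempts per second, extensions incrementing on every try), added here and not part of the original deck: a detector that flags a source walking through extensions or piling up REGISTER failures inside a short window. It runs over constructed log lines modelled on Asterisk chan_sip "Registration from ... failed" NOTICE messages; the exact format on your PBX and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format, modelled on Asterisk chan_sip NOTICE lines (assumption).
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<who>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<why>.+)$")
EXT = re.compile(r"sip:(?P<ext>\d+)@")

def parse(line):
    """Turn one failed-registration line into a dict, or None if it is noise."""
    m = LINE.match(line)
    if not m:
        return None
    e = EXT.search(m["who"])
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"], "ext": e["ext"] if e else None, "why": m["why"]}

def detect(lines, window=timedelta(seconds=10), max_fail=20, max_exts=5):
    """Return {source_ip: reason} for sources that, inside any `window`, exceed
    max_fail failures (svcrack-style guessing) or touch more than max_exts
    distinct extensions (svwar-style walk). Thresholds are assumptions."""
    events = defaultdict(list)
    for ln in lines:
        ev = parse(ln)
        if ev:
            events[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            exts = {e["ext"] for e in span if e["ext"]}
            if len(span) > max_fail:
                alerts[ip] = "%d failures in %ds" % (len(span), window.seconds)
                break
            if len(exts) > max_exts:
                alerts[ip] = "%d distinct extensions in %ds" % (len(exts), window.seconds)
                break
    return alerts

def sample_lines():
    """Constructed log: one legitimate typo, one scanner walking extensions 100-130."""
    fmt = ("[2011-06-13 10:00:%02d] NOTICE[2042] chan_sip.c: Registration from "
           "'\"%s\" <sip:%s@192.168.99.13>' failed for '%s:5060' - Wrong password")
    lines = [fmt % (5, 120, 120, "192.168.99.20")]
    for i, ext in enumerate(range(100, 131)):            # 31 attempts in 4 seconds
        lines.append(fmt % (10 + i // 10, ext, ext, "10.9.8.7"))
    return lines

if __name__ == "__main__":
    for ip, why in detect(sample_lines()).items():
        print("ALERT", ip, why)      # ALERT 10.9.8.7 6 distinct extensions in 10s
```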
Other tools
Packet Gen & Packet Scan, Shoot, Sipness, Sipshare, Sip scenario, Siptest harness, Sipv6analyzer, Winsip Call Generator, Sipsim, Mediapro, Netdude, SipBomber, RTP Flooder, Invite flooder, RTP injector, Sipscan, reg. hijacker, eraser/adder, Fuzzy Packet, Iax Flooder, Cain & Abel, SipKill, SFTF, VoIPong, SipP
Conclusions
✓ Pay attention to risk analysis and planning!
✓ Divide in multiple VLANs
✓ Implement QoS
✓ Be extremely careful in AAA
✓ Use cryptography! (TLS, SRTP)
✓ Use “clever” devices (can mitigate mitm, garp, spoofing, flooding and other known attacks)
✓ Application level Firewall
✓ Avoid single points of failure
✓ Periodic security tests
Bibliography
http://www.voipsa.org
http://www.voip-info.org
http://misitano.com/pubs/voip-ictsec.pdf
http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58.zip
http://www.nytimes.com/2006/06/08/technology/08voice.html
http://www.schneier.com/blog/
http://www.cloudmark.com/press/releases/?release=2006-04-25-2
http://www.usdoj.gov/usao/nj/press/files/pdffiles/penacomplaint.pdf
http://www.usdoj.gov/usao/pae/News/Pr/2005/feb/Moore.pdf
Scholz - Attacking VoIP Networks
Conclusions
VoIP can be secure

Conclusions
more secure than traditional telephony

Conclusions
it depends on us
Alessio L.R. Pennasilico, [email protected]
Twitter: mayhemspp, Facebook: alessio.pennasilico
Phone/Fax +39 045 8271222
Verona, Milano, Roma
http://www.alba.st/
Cagliari, 13 June 2011
Questions?
Thank you for your attention!
These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify, or sell them. “Please” cite your source and use the same licence :)
Quote from the video
Our world is no longer ruled by weapons, by energy, by money; it is ruled by little ones and zeros, by bits and data; everything is just electronics.
There’s a war out there, my friend. A world war. And it doesn’t matter in the slightest who has the most bullets; what matters is who controls the information. What we see, what we hear, how we work, what we think: it is all based on information!