Chapter 6 Remote Connectivity and VoIP Hacking. Virtual Private Network (VPN) Hacking.

Date post: 03-Jan-2016
Transcript
Page 1

Chapter 6

Remote Connectivity and VoIP Hacking

Page 2

Virtual Private Network (VPN) Hacking

Page 3

Virtual Private Network (VPN)

A VPN connects two computers securely over an insecure network (usually the Internet), using tunneling

[Figure: Internet, physical connection, logical connection]

Page 4

Tunneling

An Ethernet frame is encapsulated in an IP packet, so it can be sent over the Internet
– It can be done with other protocols too

Usually the frame is also encrypted, so that only the intended recipient can read it

The end result is like you used a long cable to connect the two computers

Page 5

Cost Savings

You could use a T-1 line or a POTS phone call with a modem, to make a secure connection between two computers

But a VPN is much cheaper, requiring only an Internet connection at each end

Page 6

VPN Standards

The modern way
– IP Security (IPSec) and the Layer 2 Tunneling Protocol (L2TP)

Older techniques
– Point-to-Point Tunneling Protocol (PPTP): Microsoft proprietary
– Layer 2 Forwarding (L2F): an obsolete Cisco protocol

For more details, see link Ch 611

Page 7

Breaking Microsoft PPTP

Microsoft's secure authentication protocol, MS-CHAP, uses LM Hashes
– Easily cracked with Ophcrack

Session keys and encryption are poorly implemented and vulnerable to attacks

The control channel is open to snooping and denial of service

PPTP clients could act as a backdoor into the network
– See links Ch 612 & 613

Page 8

Fixing PPTP

Microsoft patched PPTP in Win NT Service Pack 4 by using MS-CHAPv2
– And it's really much better (link Ch 614)

Win 2000 and later also offer IPSec and L2TP, which is safer
– "In our opinion, IPSec is too complex to be secure" -- Schneier and Ferguson (link Ch 615)
– But it's the best IP security available now

Page 9

Google Hacking for VPN

Search for filetype:pcf

Stored profile settings for the Cisco VPN client

You get encrypted passwords in this file
– I truncated the hash in this example
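Added example (not from the slides): an audit routine for Cisco VPN Client .pcf profiles, so a defender can find the profiles that carry stored group or user credentials before they end up somewhere a filetype:pcf search can reach. The key names follow the Cisco VPN Client profile format; the profile text itself is constructed, with the hashes truncated as in the slide.

```python
import configparser
import io

# Constructed sample of a Cisco VPN Client profile (.pcf). The key names follow
# the Cisco VPN Client profile format; the values are made up and the hashes
# are truncated, as in the slide.
SAMPLE_PCF = """[main]
Description=Corporate VPN
Host=vpn.example.com
AuthType=1
GroupName=corp-users
enc_GroupPwd=1A2B3C4D5E6F...
SaveUserPassword=1
Username=jdoe
enc_UserPassword=9F8E7D6C5B4A...
"""

# Keys whose presence means credential material is stored in the profile.
CREDENTIAL_KEYS = ("enc_GroupPwd", "GroupPwd", "enc_UserPassword", "UserPassword")

def audit_pcf(text):
    """Parse a .pcf profile and report which credential fields it stores.

    Returns the VPN host, the group name, the credential keys that are present
    and non-empty, whether the client was told to save the user password, and
    an overall exposure flag.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case so enc_GroupPwd matches exactly
    parser.read_file(io.StringIO(text))
    main = parser["main"] if parser.has_section("main") else {}
    stored = [k for k in CREDENTIAL_KEYS if main.get(k, "").strip()]
    return {
        "host": main.get("Host", ""),
        "group": main.get("GroupName", ""),
        "stored_credentials": stored,
        "saves_user_password": main.get("SaveUserPassword", "0").strip() == "1",
        # A profile with any stored credential does not belong on a web server
        # or in a shared repository: that is what filetype:pcf searches find.
        "exposure_risk": bool(stored),
    }

if __name__ == "__main__":
    for key, value in audit_pcf(SAMPLE_PCF).items():
        print(f"{key}: {value}")
```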

Page 10

Cracking VPN Password with Cain

It cracked instantly for me
– Password removed from figure

It took longer for a stronger password
– Link Ch 625

Page 11

Attacking IKE

IPSec VPNs use Internet Key Exchange (IKE) to establish the session

The faster, less secure "Aggressive mode" IKE is vulnerable to an offline brute force attack

Tool: IKECrack (link Ch 626)
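Added example (not from the slides): a small IKEv1/ISAKMP header parser that flags datagrams opening an Aggressive Mode exchange, so a defender can find the gateways and clients still negotiating in the mode this slide describes. The header layout is from RFC 2408; the sample datagrams, SPIs and addresses are constructed.

```python
import struct

# IKEv1 (ISAKMP) fixed header, RFC 2408 section 3.1: 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
AGGRESSIVE = 4

def parse_isakmp(payload):
    """Parse the ISAKMP header of a UDP/500 datagram; None if too short or not IKEv1."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    i_spi, r_spi, _next, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1:  # IKEv2 (major version 2) has no Aggressive Mode
        return None
    return {"initiator_spi": i_spi.hex(), "responder_spi": r_spi.hex(),
            "exchange_type": exch, "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "flags": flags, "message_id": msg_id, "length": length,
            # The responder SPI is still all zeros in the first message of an exchange.
            "is_first_message": r_spi == bytes(8)}

def flag_aggressive_mode(datagrams):
    """Return (src, initiator_spi) for every datagram that opens an Aggressive Mode
    exchange. In that mode the hash derived from the pre-shared key crosses the wire
    before any encryption is in place, which is what makes the offline attack possible."""
    hits = []
    for src, payload in datagrams:
        hdr = parse_isakmp(payload)
        if hdr and hdr["exchange_type"] == AGGRESSIVE and hdr["is_first_message"]:
            hits.append((src, hdr["initiator_spi"]))
    return hits

def build_header(exchange_type, i_spi=b"\x11" * 8, r_spi=bytes(8)):
    """Constructed test helper: IKEv1 header (version 0x10, next payload SA=1) with
    the given exchange type and a length equal to the bare header."""
    return ISAKMP_HDR.pack(i_spi, r_spi, 1, 0x10, exchange_type, 0, 0, ISAKMP_HDR.size)

# Constructed sample traffic: one Main Mode initiation and one Aggressive Mode initiation.
SAMPLE_DATAGRAMS = [("198.51.100.7", build_header(2)),
                    ("203.0.113.9", build_header(AGGRESSIVE, i_spi=b"\xaa" * 8))]

if __name__ == "__main__":
    for src, spi in flag_aggressive_mode(SAMPLE_DATAGRAMS):
        print(f"Aggressive Mode IKE from {src}, initiator SPI {spi}")
```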

Page 12

Voice Over IP (VoIP) Attacks

Page 13

Voice over IP (VoIP)

Voice on an IP Network

Most VoIP solutions rely on multiple protocols, at least one for signaling and one for transport of the encoded voice traffic

The two most common signaling protocols are H.323 and Session Initiation Protocol (SIP)
– Their role is to manage call setup, modification, and closing

Page 14

H.323

H.323 is a suite of protocols
– Defined by the International Telecommunication Union (ITU)
– The deployed base is larger than SIP
– Encoding is ASN.1 – different from text, a bit like C++ data structures (link Ch 618)
– Designed to make integration with the public switched telephone network (PSTN) easier

Page 15

Session Initiation Protocol (SIP)

The Internet Engineering Task Force (IETF) protocol

People are migrating from H.323 to SIP

Used to signal voice traffic, and also other data like instant messaging (IM)

Similar to the HTTP protocol

The encoding is text (UTF-8)

SIP uses port 5060 (TCP/UDP) for communication

Page 16

Real-time Transport Protocol (RTP)

Transports the encoded voice traffic

Control channel for RTP is provided by the Real-time Control Protocol (RTCP)

Consists mainly of quality of service (QoS) information (delay, packet loss, jitter, and so on)
– Timing is more critical for VoIP than other IP traffic

Page 17

Most Common VoIP Attacks

Denial of Service
– Send a lot of SIP INVITE packets, initiating calls
– Flood a phone with unwanted IP traffic

Spoofing the CLID (Caller ID)
– Swatting is a popular and dangerous attack, spoofing caller ID and calling police (link Ch 619)

Injecting data into an established call
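Added example (not from the slides), covering both the SIP slide and the INVITE flood item above: a parser for SIP request text (HTTP-like, UTF-8) and a sliding-window detector that flags a source sending too many INVITEs, run over constructed requests. The addresses, the thresholds and the pbx.example.com domain are made up.

```python
from collections import defaultdict, deque

def parse_sip_request(raw):
    """Parse the request line and headers of a SIP request (UTF-8 text, HTTP-like)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("not a SIP request line")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0].upper(), "uri": parts[1], "headers": headers}

def detect_invite_flood(requests, window=5.0, threshold=3):
    """Return {source: timestamp_first_flagged} for sources that send more than
    `threshold` INVITEs inside any `window`-second span. Every INVITE starts call
    setup on the PBX, so a burst from one source is the flood on the slide."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, raw in requests:
        try:
            req = parse_sip_request(raw)
        except ValueError:
            continue                      # not a request (a response, or junk)
        if req["method"] != "INVITE":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop INVITEs that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def sip_invite(src, callee, call_id):
    """Constructed helper: a minimal INVITE as it would arrive on port 5060."""
    return (f"INVITE sip:{callee}@pbx.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060\r\nFrom: <sip:caller@{src}>;tag=1\r\n"
            f"To: <sip:{callee}@pbx.example.com>\r\nCall-ID: {call_id}\r\n\r\n")

# Constructed traffic: six INVITEs in one second from one host, normal activity from another.
SAMPLE_REQUESTS = [(0.2 * n, "10.0.0.5", sip_invite("10.0.0.5", 2000 + n, f"c{n}")) for n in range(6)]
SAMPLE_REQUESTS += [(1.0, "10.0.0.8", "REGISTER sip:pbx.example.com SIP/2.0\r\nCall-ID: r1\r\n\r\n"),
                    (2.0, "10.0.0.8", sip_invite("10.0.0.8", 2001, "c-legit"))]

if __name__ == "__main__":
    print(detect_invite_flood(SAMPLE_REQUESTS))
```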

Page 18

Most Common VoIP Attacks

Altering the phone's configuration
– Connect to the phone via Telnet or HTTP
– Sometimes no password is needed
– Or upload malicious code with your own DHCP and TFTP servers: when a phone boots, it can load updated firmware with TFTP

Page 19

Most Common VoIP Attacks

Attacking through services linked to VoIP
– Advanced voicemail
– Instant messaging
– Calendar services
– User management

Attacks may use XSS (cross-site scripting), client-side JavaScript alteration, SQL injection, and so on

Page 20

Most Common VoIP Attacks

Accessing a repository of recorded calls

Making free calls through a company's VoIP-to-PSTN gateway

Page 21

Interception Attack

Sniff the IP packets
– With ARP poisoning

The attacker is set up to route traffic, but not to decrement the TTL

Page 22

Captured RTP Traffic

It's compressed with a codec

Common codecs
– G.711 (uses up a lot of bandwidth)
– G.729 (uses less bandwidth)
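Added example (not from the slides): a parser for the RTP fixed header that labels each stream's codec from its static payload type (RFC 3551: 0 and 8 are G.711, 18 is G.729), run over constructed packets. SRTP keeps the same header and only encrypts the payload, so a G.711 label alone does not prove the audio is readable; that has to be confirmed from the signaling.

```python
import struct

# Static RTP audio payload types from RFC 3551 (the ones relevant to this chapter).
STATIC_PAYLOAD_TYPES = {0: "PCMU (G.711 mu-law)", 3: "GSM", 4: "G.723",
                        8: "PCMA (G.711 A-law)", 9: "G.722", 18: "G.729"}

def parse_rtp(packet):
    """Parse an RTP packet (RFC 3550 fixed header, CSRC list, extension, padding)."""
    if len(packet) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", packet)
    if b0 >> 6 != 2:
        raise ValueError(f"unexpected RTP version {b0 >> 6}")
    offset = 12 + 4 * (b0 & 0x0F)             # skip the CSRC list
    if b0 & 0x10:                              # header extension present
        if len(packet) < offset + 4:
            raise ValueError("truncated extension header")
        offset += 4 + 4 * struct.unpack_from("!HH", packet, offset)[1]
    if len(packet) < offset:
        raise ValueError("truncated packet")
    payload = packet[offset:]
    if b0 & 0x20 and payload:                  # padding: last byte is the pad length
        pad = payload[-1]
        payload = payload[:len(payload) - pad] if 0 < pad <= len(payload) else b""
    pt = b1 & 0x7F
    return {"marker": bool(b1 & 0x80), "payload_type": pt,
            "codec": STATIC_PAYLOAD_TYPES.get(pt, "dynamic/unknown"),
            "sequence": seq, "timestamp": ts, "ssrc": ssrc, "payload_len": len(payload)}

def summarize_streams(packets):
    """Group packets by SSRC and report codec and packet count per stream, the first
    thing to check in a capture like the one on the slide."""
    streams = {}
    for pkt in packets:
        hdr = parse_rtp(pkt)
        s = streams.setdefault(hdr["ssrc"], {"payload_type": hdr["payload_type"],
                                              "codec": hdr["codec"], "packets": 0})
        s["packets"] += 1
    return streams

def build_rtp(pt, seq, ts, ssrc, payload):
    """Constructed helper: minimal RTP packet, version 2, no CSRC, extension or padding."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload

# Constructed sample: three G.711 mu-law packets (160 samples = 20 ms) and one G.729 packet.
SAMPLE_PACKETS = [build_rtp(0, 100 + i, 160 * i, 0xDEADBEEF, b"\xff" * 160) for i in range(3)]
SAMPLE_PACKETS.append(build_rtp(18, 7, 0, 0x0BADF00D, b"\x00" * 20))

if __name__ == "__main__":
    for ssrc, info in summarize_streams(SAMPLE_PACKETS).items():
        print(f"SSRC {ssrc:08x}: {info['codec']}, {info['packets']} packets")
```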

Page 23

VOMIT

vomit – voice over misconfigured internet telephones
– Converts G.711 to WAV
– It works because many IP phones don't or can't encrypt traffic
– Link Ch 620

Scapy is an even better tool, plays traffic from eth0 right out the speakers
– Link Ch 621

Page 24

Interception Countermeasures

Turn on the security features available for your phones, such as encryption

They are often left turned off, to get higher quality or just through laziness

Page 25

VoIP Projects

Project 16: VoIP
– Set up a free Windows-based VoIP server
– Install a free software phone
– Sniff RTP streams with Wireshark and replay them

Project 17: Fuzzing X-Lite with VoIPer

Project 18: SIPVicious scanning 3CX and Asterisk PBX servers

Page 26

iClicker Questions

Page 27

Which item is used in the most modern VPNs, but has known security vulnerabilities?

A. PPTP
B. L2F
C. IKE
D. IPSec
E. L2TP

1 of 3

Page 28

Which of these is an old Cisco protocol?

A. PPTP
B. L2F
C. IKE
D. IPSec
E. L2TP

2 of 3

Page 29

Which protocol is used to make the phone ring in modern VoIP systems?

A. H.323
B. SIP
C. RTP
D. G.711
E. G.729

3 of 3
