Page 1: Hacking Exposed: VoIP

www.securelogix.com

Mark D. Collier, Chief Technology Officer
mark.collier@securelogix.com

Page 2: Hacking Exposed: VoIP

We took on this project because there were no practical books on enterprise VoIP security that gave examples of how hackers attack VoIP deployments and explained to administrators how to defend against these attacks.

We spent more than a year of research writing new VoIP security tools, using them to test the latest VoIP products, and scouring VoIP state-of-the-art security.

This tutorial is based on material from the book.

The book was published December 1, 2006 (http://www.hackingvoip.com, 536 pages).

Page 3: Outline

Gathering Information:
- Footprinting
- Scanning
- Enumeration

Attacking the Network:
- Network Infrastructure Denial of Service
- Network Eavesdropping
- Network and Application Interception

Page 4: Outline

Attacking Vendor Platforms:
- Avaya
- Cisco

Attacking the Application:
- Fuzzing
- Disruption of Service
- Signaling and Media Manipulation

Page 5: Outline

Social Attacks:
- Voice SPAM/SPIT
- Voice Phishing

Page 6: Introduction

VoIP systems are vulnerable:
- Platforms, networks, and applications are vulnerable
- VoIP-specific attacks are becoming more common
- Security isn't always a consideration during deployment

The threat is increasing:
- VoIP deployment is growing
- Deployments are critical to business operations
- Greater integration with the data network
- More attack tools being published
- The hacking community is taking notice

Page 7: Layers of Security (Introduction)

(diagram slide)

Page 8: Campus VoIP (Introduction)

(diagram) Components shown: Internet connection to the Internet; Public Voice Network reached over TDM trunks; IP PBX; Voice VLAN with IP phones; TDM phones; Data VLAN with PCs.

Page 9: Public VoIP (Introduction)

(diagram) Components shown: Internet connection to the Internet; Public Voice Network reached over a VoIP connection; IP PBX; Voice VLAN with IP phones; TDM phones; Data VLAN with PCs.

Page 10: Gathering Information

This is the process a hacker goes through to gather information about your organization and prepare their attack.

Consists of:
- Footprinting
- Scanning
- Enumeration

Page 11: Footprinting (Gathering Information / Footprinting)

Steps taken by a hacker to learn about your enterprise before they start the actual attack.

Consists of:
- Public website research
- Google hacking
- Using WHOIS and DNS

Page 12: Public Website Research - Introduction (Gathering Information / Footprinting)

An enterprise website often contains a lot of information that is useful to a hacker:
- Organizational structure and corporate locations
- Help and technical support
- Job listings
- Phone numbers and extensions

Page 13: Public Website Research - Organization Structure (Gathering Information / Footprinting)

(screenshot slide)

Page 14: Public Website Research - Corporate Locations (Gathering Information / Footprinting)

(screenshot slide)

Page 15: Public Website Research - Helpdesk (Gathering Information / Footprinting)

(screenshot slide)

Page 16: Public Website Research - Helpdesk, continued (Gathering Information / Footprinting)

(screenshot slide)

Page 17: Public Website Research - Job Listings (Gathering Information / Footprinting)

Job listings can contain a ton of information about the enterprise VoIP system.

Here is a portion of an actual job listing:

  Required Technical Skills:
  Minimum 3-5 years experience in the management and implementation of Avaya telephone systems/voicemails:
  * Advanced programming knowledge of the Avaya Communication Servers and voicemails.

Page 18: Public Website Research - Phone Numbers (Gathering Information / Footprinting)

Google can be used to find all phone numbers on an enterprise web site. Type:

  "111..999-1000..9999 site:www.mcgraw-hill.com"

Page 19: Public Website Research - Voice Mail (Gathering Information / Footprinting)

By calling into some of these numbers, you can listen to the voice mail system and determine the vendor.

Check out our voice mail hacking database at www.hackingvoip.com

Page 20: Public Website Research - Countermeasures (Gathering Information / Footprinting)

It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it.

- Try to limit the amount of detail in job postings
- Remove technical detail from help desk web pages

Page 21: Google Hacking - Introduction (Gathering Information / Footprinting)

Google is incredibly good at finding details on the web:
- Vendor press releases and case studies
- Resumes of VoIP personnel
- Mailing lists and user group postings
- Web-based VoIP logins

Page 22: Google Hacking (Gathering Information / Footprinting)

Vendors and enterprises may post press releases and case studies. Type: "site:avaya.com case study" or "site:avaya.com company"

Users place resumes on the Internet when searching for jobs. Search Monster for resumes of company employees.

Mailing lists and user group postings:
- www.inuaa.org
- www.innua.org
- forums.cisco.com
- forums.digium.com

Page 23: Google Hacking - Web-Based VoIP Logins (Gathering Information / Footprinting)

Some VoIP phones are accidentally exposed to the Internet.

Use Google to search for:
- inurl:"ccmuser/logon.asp"
- inurl:"ccmuser/logon.asp" site:example.com
- inurl:"NetworkConfiguration" cisco

Page 24: Google Hacking - Web-Based VoIP Logins (Gathering Information / Footprinting)

(screenshot slide)

Page 25: Google Hacking - Countermeasures (Gathering Information / Footprinting)

- Determine what your exposure is
- Be sure to remove any VoIP phones which are visible to the Internet
- Disable the web servers on your IP phones
- There are services that can help you monitor your exposure: www.cyveilance.com, www.baytsp.com

Page 26: Google Hacking - Countermeasures (Gathering Information / Footprinting)

(screenshot slide)

Page 27: WHOIS and DNS - Introduction (Gathering Information / Footprinting)

- Enterprises depend on DNS to route website visitors and external email
- WHOIS searches can reveal IP addresses used by an enterprise

Page 28: WHOIS and DNS - Countermeasures (Gathering Information / Footprinting)

- Use generic names where possible
- Disable anonymous zone transfers on your DNS servers

Page 29: Scanning - Introduction (Gathering Information / Scanning)

Steps taken by a hacker to identify IP addresses and hosts running VoIP.

Consists of:
- Host/device discovery
- Port scanning and service discovery
- Host/device identification

Page 30: Host/Device Discovery (Gathering Information / Scanning)

Consists of various techniques used to find hosts:
- Ping sweeps
- ARP pings
- TCP ping scans
- SNMP sweeps

Page 31: Host/Device Discovery - Using nmap (Gathering Information / Scanning)

  nmap -O -P0 192.168.1.1-254

  Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 01:03 CST
  Interesting ports on 192.168.1.21:
  (The 1671 ports scanned but not shown below are in state: filtered)
  PORT   STATE SERVICE
  23/tcp open  telnet
  MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
  Device type: VoIP phone
  Running: Cisco embedded
  OS details: Cisco IP phone (POS3-04-3-00, PC030301)
  Interesting ports on 192.168.1.23:
  (The 1671 ports scanned but not shown below are in state: closed)
  PORT   STATE SERVICE
  80/tcp open  http
  MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
  Device type: VoIP phone|VoIP adapter
  Running: Cisco embedded
  OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter
  Interesting ports on 192.168.1.24:
  (The 1671 ports scanned but not shown below are in state: closed)
  PORT   STATE SERVICE
  80/tcp open  http
  MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
  Device type: VoIP adapter
  Running: Sipura embedded
  OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway

Page 32: Host/Device Discovery - Ports (Gathering Information / Scanning)

- SIP-enabled devices will usually respond on UDP/TCP ports 5060 and 5061
- SCCP-enabled phones (Cisco) respond on UDP/TCP 2000-2001
- Sometimes you might see UDP or TCP port 17185 (VxWorks remote debugging!)
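As an added example (not code from the book or the slides), the following Python script turns nmap output of the kind shown on page 31 into a device inventory and flags the ports called out above, so a scan of your own voice VLAN becomes a list of things to close. The sample scan text is constructed for this example and modelled on the slide; the third host (192.168.1.50) and its open SIP and VxWorks debugging ports are invented to exercise the checks.

```python
"""Inventory VoIP devices from `nmap -O` normal output and flag risky open ports.

Added example for the Hacking Exposed: VoIP tutorial; not part of the book.
"""
import re
from dataclasses import dataclass, field

# Ports named on the slides, mapped to the VoIP service they imply.
VOIP_PORTS = {
    5060: "SIP", 5061: "SIP over TLS",
    2000: "SCCP (Cisco)", 2001: "SCCP (Cisco)",
    17185: "VxWorks WDB remote debugging",
}
# Services that should not be reachable on a phone or adapter.
RISKY_SERVICES = {"telnet": "clear-text admin access",
                  "http": "phone web server (disable it)"}

# Constructed sample, modelled on the slide; the last host is invented.
SAMPLE_SCAN = """\
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 01:03 CST
Interesting ports on 192.168.1.21:
(The 1671 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP phone (POS3-04-3-00, PC030301)
Interesting ports on 192.168.1.24:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Device type: VoIP adapter
Running: Sipura embedded
OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway
Interesting ports on 192.168.1.50:
(The 1670 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
5060/tcp  open  sip
17185/tcp open  wdbrpc
Device type: VoIP phone
"""


@dataclass
class Host:
    ip: str
    ports: dict = field(default_factory=dict)   # port number -> service name
    mac: str = ""
    vendor: str = ""
    device_type: str = ""
    os_details: str = ""


def parse_nmap(text):
    """Return a list of Host records parsed from nmap normal output."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Interesting ports on (\S+):", line)
        if m:
            cur = Host(ip=m.group(1))
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"(\d+)/(tcp|udp)\s+open\s+(\S+)", line)
        if m:
            cur.ports[int(m.group(1))] = m.group(3)
            continue
        m = re.match(r"MAC Address: (\S+) \((.*)\)", line)
        if m:
            cur.mac, cur.vendor = m.group(1), m.group(2)
        elif line.startswith("Device type: "):
            cur.device_type = line[len("Device type: "):]
        elif line.startswith("OS details: "):
            cur.os_details = line[len("OS details: "):]
    return hosts


def findings(hosts):
    """Return (ip, message) pairs an administrator should act on."""
    out = []
    for h in hosts:
        is_voip = "VoIP" in h.device_type
        for port, svc in sorted(h.ports.items()):
            if port in VOIP_PORTS:
                sev = "CRITICAL" if port == 17185 else "INFO"
                out.append((h.ip, f"{sev}: {port} open: {VOIP_PORTS[port]}"))
            if is_voip and svc in RISKY_SERVICES:
                out.append((h.ip, f"WARN: {svc} on {h.device_type}: {RISKY_SERVICES[svc]}"))
    return out


if __name__ == "__main__":
    for ip, msg in findings(parse_nmap(SAMPLE_SCAN)):
        print(ip, msg)
```

Feed it the saved output of a scan you ran yourself (`nmap -O ... > scan.txt`); the VxWorks debugging port is rated critical because the slide singles it out as a debugger left listening on production phones.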

Page 33: Host/Device Discovery - Ping Sweeps (Gathering Information / Scanning)

(screenshot slide)

Page 34: Host/Device Discovery - ARP Pings (Gathering Information / Scanning)

(screenshot slide)

Page 35: Host/Device Discovery - TCP Ping Scans (Gathering Information / Scanning)

Several tools available:
- nmap
- hping

Page 36: Host/Device Discovery - SNMP Sweeps (Gathering Information / Scanning)

(screenshot slide)

Page 37: Host/Device Discovery - Countermeasures (Gathering Information / Scanning)

- Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps
- VLANs can help isolate ARP pings
- Ping sweeps can be blocked at the perimeter firewall
- Use the secure version of SNMP (SNMPv3)
- Change SNMP public community strings

Page 38: Port Scanning/Service Discovery (Gathering Information / Scanning)

- Consists of various techniques used to find open ports and services on hosts
- These ports can be targeted later
- nmap is the most commonly used tool for TCP SYN and UDP scans

Page 39: Port Scanning/Service Discovery - Countermeasures (Gathering Information / Scanning)

- Using non-Internet-routable IP addresses will prevent external scans
- Firewalls and IPSs can detect and possibly block scans
- VLANs can be used to partition the network to prevent scans from being effective

Page 40: Host/Device Identification (Gathering Information / Scanning)

- After hosts are found and ports identified, the type of device can be determined
- Classifies host/device by operating system
- Network stack fingerprinting is a common technique for identifying hosts/devices
- nmap is commonly used for this purpose

Page 41: Host/Device Identification - Countermeasures (Gathering Information / Scanning)

- Firewalls and IPSs can detect and possibly block scans
- Disable unnecessary ports and services on hosts

Page 42: Enumeration - Introduction (Gathering Information / Enumeration)

- Involves testing open ports and services on hosts/devices to gather more information
- Includes running tools to determine if open services have known vulnerabilities
- Also involves scanning for VoIP-unique information such as phone numbers
- Includes gathering information from TFTP servers and SNMP

Page 43: Vulnerability Testing - Tools (Gathering Information / Enumeration)

(screenshot slide)

Page 44: Vulnerability Testing - Tools (Gathering Information / Enumeration)

(screenshot slide)

Page 45: Vulnerability Testing - Countermeasures (Gathering Information / Enumeration)

- The best solution is to upgrade your applications and make sure you continually apply patches
- Some firewalls and IPSs can detect and mitigate vulnerability scans

Page 46: SIP Enumeration - Introduction (Gathering Information / Enumeration)

(diagram slide)

Page 47: SIP Enumeration - Directory Scanning (Gathering Information / Enumeration)

  [root@attacker]# nc 192.168.1.104 5060
  OPTIONS sip:[email protected] SIP/2.0
  Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb
  To: alice <sip:[email protected]>
  Content-Length: 0

  SIP/2.0 404 Not Found
  Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb;received=192.168.1.103
  To: alice <sip:[email protected]>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0503
  Server: Sip EXpress router (0.9.6 (i386/linux))
  Content-Length: 0
  Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29801 req_src_ip=192.168.1.120 req_src_port=32773 in_uri=sip:[email protected] out_uri=sip:[email protected] via_cnt==1"
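The 404 above tells the prober three things: the proxy's product and version (Server header), internal details such as the process id and the source of the request (Warning header), and that the user does not exist, which is what makes directory scanning work. As an added example (not code from the book), here is a small SIP response parser that audits a captured response from your own proxy for exactly those disclosures. The sample response is constructed for this example and modelled on the slide.

```python
"""Audit a SIP response for information disclosure that aids enumeration.

Added example for the Hacking Exposed: VoIP tutorial; not part of the book.
"""
import re

# Constructed sample modelled on the slide's SIP EXpress Router reply.
SAMPLE_404 = (
    "SIP/2.0 404 Not Found\r\n"
    "Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb;received=192.168.1.103\r\n"
    "To: alice <sip:alice@192.168.1.104>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0503\r\n"
    "Server: Sip EXpress router (0.9.6 (i386/linux))\r\n"
    "Content-Length: 0\r\n"
    "Warning: 392 192.168.1.104:5060 \"Noisy feedback tells: pid=29801 "
    "req_src_ip=192.168.1.120 req_src_port=32773 in_uri=sip:alice@192.168.1.104 "
    "out_uri=sip:alice@192.168.1.104 via_cnt==1\"\r\n"
    "\r\n"
)


def parse_sip(raw):
    """Split a SIP message into (start_line, headers, body).

    Header names are folded to lower case; repeated headers keep every value.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def status_code(start_line):
    """Numeric status of a response start line, or None for a request."""
    m = re.match(r"SIP/2\.0 (\d{3})", start_line)
    return int(m.group(1)) if m else None


def disclosure_findings(raw):
    """Return human-readable findings for one response."""
    start, hdrs, _ = parse_sip(raw)
    out = []
    # Product/version banners let an attacker look up known bugs.
    for banner in hdrs.get("server", []) + hdrs.get("user-agent", []):
        out.append(f"version banner: {banner}")
    # SER's "Noisy feedback" Warning leaks process and request details.
    for warning in hdrs.get("warning", []):
        for key in ("pid", "req_src_ip", "req_src_port"):
            m = re.search(rf"{key}=(\S+)", warning)
            if m:
                out.append(f"internal detail in Warning: {key}={m.group(1)}")
    # A 404 for an unknown user confirms which extensions exist.
    if status_code(start) == 404:
        out.append("404 distinguishes unknown users (enables directory scanning)")
    return out


if __name__ == "__main__":
    for finding in disclosure_findings(SAMPLE_404):
        print(finding)
```

The fixes the findings point at are configuration, not code: suppress or genericize the Server banner, turn off debug-style Warning headers, and answer OPTIONS for unknown and known users alike so the response does not act as an oracle.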

Page 48: SIP Enumeration - Directory Scanning (Gathering Information / Enumeration)

(screenshot slide)

Page 49: SIP Enumeration - Automated Directory Scanning (Gathering Information / Enumeration)

(screenshot slide)

Page 50: TFTP Enumeration - Introduction (Gathering Information / Enumeration)

- Almost all phones we tested use TFTP to download their configuration files
- The TFTP server is rarely well protected
- If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password
- The files are downloaded in the clear and can be easily sniffed
- Configuration files have usernames, passwords, IP addresses, etc. in them

Page 51: TFTP Enumeration - Using TFTPBRUTE (Gathering Information / Enumeration)

  [root@attacker]# perl tftpbrute.pl 192.168.1.103 brutefile.txt 100
  tftpbrute.pl, , V 0.1
  TFTP file word database: brutefile.txt
  TFTP server 192.168.1.103
  Max processes 100
  Processes are: 1
  <snip>
  Processes are: 12
  *** Found TFTP server remote filename : sip.cfg
  *** Found TFTP server remote filename : 46xxsettings.txt
  Processes are: 13
  Processes are: 14
  *** Found TFTP server remote filename : sip_4602D02A.txt
  *** Found TFTP server remote filename : XMLDefault.cnf.xml
  *** Found TFTP server remote filename : SipDefault.cnf

Page 52: TFTP Enumeration - Countermeasures (Gathering Information / Enumeration)

- It is difficult not to use TFTP, since it is so commonly used by VoIP vendors
- Some vendors offer more secure alternatives
- Firewalls can be used to restrict access to TFTP servers to valid devices
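Restricting the TFTP server to valid devices can be done on the firewall, as the slide says, or in front of the server itself. As an added example (not code from the book), the following decodes a TFTP read request (RFC 1350: opcode 1, filename, NUL, mode, NUL) and applies the policy a provisioning server should enforce: only known phones may ask, shared default files are allowed, and a per-device file may only be fetched by the device whose MAC it names. The phone inventory, addresses and file names are constructed for the example; the shared file names echo those found on page 51.

```python
"""Decode TFTP RRQ packets and enforce a provisioning-server access policy.

Added example for the Hacking Exposed: VoIP tutorial; not part of the book.
"""
import struct

# Constructed inventory: source IP -> phone MAC (hex, no separators).
PHONES = {
    "192.168.1.21": "000f34118045",
    "192.168.1.23": "00156286ba3e",
}
# Files every phone may read (names as seen in the TFTPBRUTE output).
SHARED_FILES = {"SipDefault.cnf", "XMLDefault.cnf.xml", "46xxsettings.txt", "sip.cfg"}


def encode_rrq(filename, mode="octet"):
    """Build an RFC 1350 read request; used here to construct sample packets."""
    return struct.pack("!H", 1) + filename.encode() + b"\0" + mode.encode() + b"\0"


def decode_rrq(packet):
    """Return (filename, mode) for a read request, or raise ValueError."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != 1:
        raise ValueError("not a read request")
    parts = packet[2:].split(b"\0")
    if len(parts) < 3 or not parts[0]:
        raise ValueError("malformed RRQ")
    filename = parts[0].decode("ascii", "replace")
    mode = parts[1].decode("ascii", "replace").lower()
    return filename, mode


def policy(src_ip, packet):
    """Decide (allowed, reason) for one request from src_ip."""
    try:
        filename, _mode = decode_rrq(packet)
    except ValueError as err:
        return False, str(err)
    if src_ip not in PHONES:
        return False, f"{src_ip} is not a known phone"
    if "/" in filename or ".." in filename:
        return False, "path traversal attempt"
    if filename in SHARED_FILES:
        return True, "shared default file"
    if PHONES[src_ip].upper() in filename.upper():
        return True, "device-specific file"
    return False, f"{filename} does not belong to {src_ip}"


if __name__ == "__main__":
    for ip, name in [("192.168.1.21", "SipDefault.cnf"),
                     ("192.168.1.21", "SEP000F34118045.cnf.xml"),
                     ("192.168.1.23", "SEP000F34118045.cnf.xml"),
                     ("192.168.1.99", "sip.cfg")]:
        print(ip, name, policy(ip, encode_rrq(name)))
```

The per-MAC rule is what stops one compromised phone from pulling every other phone's configuration file (and the credentials inside it) even after it has passed the firewall's source-address check.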

Page 53: SNMP Enumeration - Introduction (Gathering Information / Enumeration)

- SNMP is enabled by default on most IP PBXs and IP phones
- Simple SNMP sweeps will garner lots of useful information
- If you know the device type, you can use snmpwalk with the appropriate OID
- You can find the OID using the Solarwinds MIB
- Default "passwords", called community strings, are common

Page 54: SNMP Enumeration - Solarwinds (Gathering Information / Enumeration)

(screenshot slide)

Page 55: SNMP Enumeration - snmpwalk (Gathering Information / Enumeration)

  [root@domain2 ~]# snmpwalk -c public -v 1 192.168.1.53 1.3.6.1.4.1.6889
  SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "Obsolete"
  SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4620D01B"
  SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "AvayaCallserver"
  SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 192.168.1.103
  SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
  SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "051612501065"
  SNMPv2-SMI::enterprises.6889.2.69.1.1.7.0 = STRING: "700316698"
  SNMPv2-SMI::enterprises.6889.2.69.1.1.8.0 = STRING: "051611403489"
  SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00:04:0D:50:40:B0"
  SNMPv2-SMI::enterprises.6889.2.69.1.1.10.0 = STRING: "100"
  SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 192.168.1.53
  SNMPv2-SMI::enterprises.6889.2.69.1.1.12.0 = INTEGER: 0
  SNMPv2-SMI::enterprises.6889.2.69.1.1.13.0 = INTEGER: 0
  SNMPv2-SMI::enterprises.6889.2.69.1.1.14.0 = INTEGER: 0
  SNMPv2-SMI::enterprises.6889.2.69.1.1.15.0 = STRING: "192.168.1.1"
  SNMPv2-SMI::enterprises.6889.2.69.1.1.16.0 = IpAddress: 192.168.1.1
  SNMPv2-SMI::enterprises.6889.2.69.1.1.17.0 = IpAddress: 255.255.255.0
  ...
  SNMPv2-SMI::enterprises.6889.2.69.1.4.8.0 = INTEGER: 20
  SNMPv2-SMI::enterprises.6889.2.69.1.4.9.0 = STRING: "503"

Page 56: SNMP Enumeration - Countermeasures (Gathering Information / Enumeration)

- Disable SNMP on any devices where it is not needed
- Change default public and private community strings
- Try to use SNMPv3, which supports authentication
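Verifying that the default community strings are really gone is a one-packet check per device. As an added example (not code from the book), the script below hand-encodes an SNMPv1 GetRequest for sysDescr.0 in BER (RFC 1157) so it needs no SNMP library, and `accepts_community` sends it with a short timeout: an SNMPv1 agent silently drops a request carrying a wrong community string, so any GetResponse means the string is still accepted. The host list and port are assumptions to be replaced with your own inventory; the functions that run offline (encoder and response check) are what the usage exercises.

```python
"""Check your own devices for an accepted SNMPv1 community string.

Added example for the Hacking Exposed: VoIP tutorial; not part of the book.
"""
import random
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def ber_len(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER; a leading zero byte keeps the top bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmpv1_get(community, oid=SYS_DESCR, request_id=None):
    """Encode a complete SNMPv1 GetRequest message for one OID."""
    rid = random.randrange(1, 0x7FFFFFFF) if request_id is None else request_id
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))      # OID + NULL value
    pdu = tlv(0xA0, ber_int(rid) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, i):
    """Return (tag, value_start, value_end) for the TLV at offset i."""
    tag, ln = buf[i], buf[i + 1]
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[i + 2:i + 2 + n], "big")
        i += n
    return tag, i + 2, i + 2 + ln


def is_get_response(packet):
    """True when the message's PDU is a GetResponse (context tag 0xA2)."""
    try:
        tag, i, _ = read_tlv(packet, 0)
        if tag != 0x30:
            return False
        _, _, i = read_tlv(packet, i)       # version
        _, _, i = read_tlv(packet, i)       # community
        tag, _, _ = read_tlv(packet, i)     # PDU
        return tag == 0xA2
    except IndexError:
        return False


def accepts_community(host, community, port=161, timeout=1.0):
    """Send one GetRequest; report whether the agent answered it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(snmpv1_get(community), (host, port))
        data, _ = sock.recvfrom(4096)
        return is_get_response(data)
    except socket.timeout:
        return False
    finally:
        sock.close()


if __name__ == "__main__":
    # Assumed inventory: replace with your own phones and call servers.
    for host in ["192.168.1.53", "192.168.1.103"]:
        for community in ["public", "private"]:
            print(host, community, accepts_community(host, community))
```

Any `True` in the output is a device that still answers to a default string and belongs at the top of the change list; once SNMPv3 with authentication is in place the same probe should report `False` everywhere.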

Page 57: Attacking the Network

- The VoIP network and supporting infrastructure are vulnerable to attacks
- Most attacks will originate inside the network, once access is gained

Attacks include:
- Network infrastructure DoS
- Network eavesdropping
- Network and application interception

Page 58: Gaining Access (Attacking the Network / Gaining Access)

Several attack vectors include:
- Installing a simple wired hub
- Wi-Fi sniffing
- Compromising a network node
- Compromising a VoIP phone
- Compromising a switch
- Compromising a proxy, gateway, or PC/softphone
- ARP poisoning
- Circumventing VLANs

Page 59: Gaining Access (Attacking the Network / Gaining Access)

Some techniques for circumventing VLANs:
- If MAC filtering is not used, you can disconnect a VoIP phone and connect a PC
- Even if MAC filtering is used, you can easily spoof the MAC
- Be especially cautious of VoIP phones in public areas (such as lobby phones)

Page 60: Gaining Access (Attacking the Network / Gaining Access)

Some other VLAN attacks:
- MAC flooding attack
- 802.1q and ISL tagging attack
- Double-encapsulated 802.1q/nested VLAN attack
- Private VLAN attack
- Spanning-tree protocol attack
- VLAN trunking protocol attack

Page 61: Network Infrastructure DoS (Attacking the Network / Network DoS)

- The VoIP network and supporting infrastructure are vulnerable to attacks
- VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter

Attacks include:
- Flooding attacks
- Network availability attacks
- Supporting infrastructure attacks

Page 62: Flooding Attacks - Introduction (Attacking the Network / Network DoS)

Flooding attacks generate so many packets at a target that it is overwhelmed and can't process legitimate requests.

Page 63: Flooding Attacks - Call Quality (Attacking the Network / Network DoS)

VoIP is much more sensitive to network issues than traditional data applications like web and email:
- Network latency: amount of time it takes for a packet to travel from the speaker to the listener
- Jitter: occurs when the speaker sends packets at constant rates but they arrive at the listener at variable rates
- Packet loss: occurs under heavy load and oversubscription
- Mean Opinion Score (MOS): subjective quality of a conversation measured from 1 (unintelligible) to 5 (very clear)
- R-value: mathematical measurement from 1 (unintelligible) to 100 (very clear)
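The five figures above can be computed from an RTP capture, which is how a flood's effect on calls is measured rather than guessed. As an added example (not code from the book), the following implements them: jitter with the RFC 3550 interarrival estimator, packet loss from sequence-number gaps, the R-value with the simplified E-model of Cole and Rosenbluth (delay impairment Id from one-way delay; the codec and loss impairment Ie-eff is passed in, since it is codec-specific), and MOS with the ITU-T G.107 R-to-MOS mapping. The packet stream is constructed: 20 ms G.711 frames (160 samples at 8 kHz) with one late arrival and one lost packet.

```python
"""Call-quality figures (jitter, loss, R-value, MOS) from RTP timing.

Added example for the Hacking Exposed: VoIP tutorial; not part of the book.
"""

CLOCK_HZ = 8000   # RTP clock rate for G.711

# Constructed sample: (rtp_timestamp, arrival_time_ms). The third packet
# arrives 10 ms late, which a flood-induced queue would cause.
SAMPLE_PACKETS = [(0, 0.0), (160, 20.0), (320, 50.0), (480, 60.0), (640, 80.0)]
SAMPLE_SEQS = [1, 2, 3, 5]      # sequence number 4 never arrived


def rfc3550_jitter(packets):
    """RFC 3550 interarrival jitter, in ms, over (timestamp, arrival_ms) pairs."""
    j, prev = 0.0, None
    for ts, arrival in packets:
        if prev is not None:
            pts, parr = prev
            # D(i-1,i): change in transit time between consecutive packets
            d = (arrival - parr) - (ts - pts) * 1000.0 / CLOCK_HZ
            j += (abs(d) - j) / 16.0
        prev = (ts, arrival)
    return j


def packet_loss(seqs):
    """Fraction of packets missing, judged from observed sequence numbers."""
    seqs = sorted(set(seqs))
    expected = seqs[-1] - seqs[0] + 1
    return (expected - len(seqs)) / expected


def r_value(one_way_delay_ms, ie_eff=0.0):
    """Simplified E-model (Cole and Rosenbluth): R = 93.2 - Id - Ie_eff,
    with Id = 0.024 d + 0.11 (d - 177.3) for d above 177.3 ms."""
    d = one_way_delay_ms
    i_d = 0.024 * d + (0.11 * (d - 177.3) if d > 177.3 else 0.0)
    return 93.2 - i_d - ie_eff


def mos_from_r(r):
    """ITU-T G.107 mapping from R to MOS (1.0 to 4.5)."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1 + 0.035 * r + r * (r - 60) * (100 - r) * 7e-6


def call_quality(packets, seqs, one_way_delay_ms, ie_eff=0.0):
    """Summarize one RTP stream as the figures the slide defines."""
    r = r_value(one_way_delay_ms, ie_eff)
    return {"jitter_ms": rfc3550_jitter(packets), "loss": packet_loss(seqs),
            "R": r, "MOS": mos_from_r(r)}


if __name__ == "__main__":
    print(call_quality(SAMPLE_PACKETS, SAMPLE_SEQS, one_way_delay_ms=40))
```

Trending these values per call is the cheapest detector for the floods described on the next slides: latency, jitter and loss climb before users complain, and a drop in MOS on one VLAN while others stay flat points at the segment being attacked.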

Page 64: Flooding Attacks - Call Quality (Attacking the Network / Network DoS)

Tools for measuring call quality:
- Software applications (Wireshark, AdventNet, WildPackets, etc.)
- Hardware appliances (Agilent, Empirix, Qovia, etc.)
- Integrated routers and switches (e.g. Cisco QoS Policy Manager)

Page 65: Flooding Attacks - Types of Floods (Attacking the Network / Network DoS)

Some types of floods are:
- UDP floods
- TCP SYN floods
- ICMP and Smurf floods
- Worm and virus oversubscription side effect
- QoS manipulation
- Application flooding

Page 66: Flooding Attacks - Countermeasures (Attacking the Network / Network DoS)

- Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling)
- Use rate limiting in network switches
- Use anti-DoS/DDoS products
- Some vendors have DoS support in their products (in newer versions of software)

Page 67: Network Availability Attacks (Attacking the Network / Network DoS)

This type of attack involves an attacker trying to crash the underlying operating system:
- Fuzzing involves sending malformed packets, which exploit a weakness in software
- Packet fragmentation
- Buffer overflows

Page 68: Network Availability Attacks - Countermeasures (Attacking the Network / Network DoS)

- A network IPS is an inline device that detects and blocks attacks
- Some firewalls also offer this capability
- Host-based IPS software also provides this capability

Page 69: Supporting Infrastructure Attacks (Attacking the Network / Network DoS)

- VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.
- DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones
- DNS cache poisoning involves tricking a DNS server into using a fake DNS response

Page 70: Supporting Infrastructure Attacks - Countermeasures (Attacking the Network / Network DoS)

- Configure DHCP servers not to lease addresses to unknown MAC addresses
- DNS servers should be configured to analyze information from non-authoritative servers and drop any response not related to an outstanding query

Page 71: Network Eavesdropping - Introduction (Attacking the Network / Eavesdropping)

VoIP signaling, media, and configuration files are vulnerable to eavesdropping.

Attacks include:
- TFTP configuration file sniffing
- Number harvesting and call pattern tracking
- Conversation eavesdropping

Page 72: TFTP/Numbers/Call Patterns (Attacking the Network / Eavesdropping)

- TFTP files are transmitted in the clear and can be sniffed
- One easy way is to connect a hub to a VoIP phone, reboot it, and capture the file
- By sniffing signaling, it is possible to build a directory of numbers and track calling patterns
- voipong automates the process of logging all calls

Page 73: Conversation Recording - Wireshark (Attacking the Network / Eavesdropping)

(screenshot slide)

Page 74: Conversation Recording - Wireshark (Attacking the Network / Eavesdropping)

(screenshot slide)

Page 75: Conversation Recording - Cain and Abel (Attacking the Network / Eavesdropping)

(screenshot slide)

Page 76: Conversation Recording - Other Tools (Attacking the Network / Eavesdropping)

Other tools include:
- vomit
- voipong
- voipcrack (not public)
- DTMF decoder

Page 77: Network Eavesdropping - Countermeasures (Attacking the Network / Eavesdropping)

- Place the TFTP server on the same VLAN as the VoIP phones and use a firewall to ensure that only VoIP phones communicate with it
- Use encryption:
  - Many vendors offer encryption for signaling
  - Use Transport Layer Security (TLS) for signaling
  - Many vendors offer encryption for media
  - Use Secure Real-time Transport Protocol (SRTP)
  - Use ZRTP
  - Use proprietary encryption if you have to

Page 78: Network/Application Interception - Introduction (Attacking the Network / Net/App Interception)

The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:
- Eavesdropping on the conversation
- Causing a DoS condition
- Altering the conversation by omitting, replaying, or inserting media
- Redirecting calls

Attacks include:
- Network-level interception
- Application-level interception

Page 79: Network Interception - ARP Poisoning (Attacking the Network / Net/App Interception)

- The most common network-level MITM attack is ARP poisoning
- Involves tricking a host into thinking the MAC address of the attacker is the intended address

There are a number of tools available to support ARP poisoning:
- Cain and Abel
- ettercap
- dsniff
- hunt

Page 80: Network Interception - ARP Poisoning (Attacking the Network / Net/App Interception)

(screenshot slide)

Page 81: Network Interception - ARP Poisoning (Attacking the Network / Net/App Interception)

(screenshot slide)

Page 82: Network Interception - ARP Poisoning (Attacking the Network / Net/App Interception)

(screenshot slide)

Page 83: Network Interception - Countermeasures (Attacking the Network / Net/App Interception)

Some countermeasures for ARP poisoning are:
- Static OS mappings
- Switch port security
- Proper use of VLANs
- Signaling encryption/authentication
- ARP poisoning detection tools, such as arpwatch
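What arpwatch does is simple enough to show in full. As an added example (not code from the book or the arpwatch project), the detector below keeps the last MAC seen for each IP, raises a "flip-flop" alert when it changes and a "multi-ip" alert when one MAC starts answering for several addresses, which is what a host poisoning both ends of a call looks like. It also honours a static mapping for the gateway, mirroring the first countermeasure above. The ARP reply records and addresses are constructed for the example.

```python
"""arpwatch-style ARP poisoning detector over a stream of observed ARP replies.

Added example for the Hacking Exposed: VoIP tutorial; not part of the book.
"""
from collections import defaultdict

# Constructed sample: (time_s, sender_ip, sender_mac) from sniffed ARP replies.
SAMPLE_ARP = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),     # default gateway
    (0.5, "192.168.1.21", "00:0F:34:11:80:45"),    # IP phone
    (1.0, "192.168.1.120", "00:aa:bb:cc:dd:ee"),   # a PC on the voice VLAN
    (5.0, "192.168.1.1", "00:aa:bb:cc:dd:ee"),     # PC now claims the gateway
    (5.1, "192.168.1.21", "00:aa:bb:cc:dd:ee"),    # ... and the phone
]

# Static mapping a defender pins for the gateway (constructed value).
STATIC_MAPPINGS = {"192.168.1.1": "00:11:22:33:44:01"}


class ArpWatcher:
    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.seen = dict(self.static)       # ip -> last MAC observed
        self.claims = defaultdict(set)      # mac -> set of IPs it answered for
        self.alerts = []

    def observe(self, t, ip, mac):
        """Record one ARP reply; return the alerts it produced (possibly none)."""
        mac = mac.lower()
        new = []
        self.claims[mac].add(ip)
        old = self.seen.get(ip)
        if ip in self.static and mac != self.static[ip]:
            new.append((t, "static-violation", ip, old, mac))
        elif old is not None and old != mac:
            new.append((t, "flip-flop", ip, old, mac))
        if len(self.claims[mac]) > 1:
            new.append((t, "multi-ip", mac, sorted(self.claims[mac])))
        if ip not in self.static:           # pinned entries never learn
            self.seen[ip] = mac
        self.alerts.extend(new)
        return new


def run(records, static=None):
    """Replay a list of ARP records and return every alert raised."""
    watcher = ArpWatcher(static)
    for t, ip, mac in records:
        watcher.observe(t, ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_ARP, STATIC_MAPPINGS):
        print(alert)
```

On a real network the records come from a sniffer on a mirror port or from the switch's MAC table logs; a flip-flop on the gateway or the IP PBX address during business hours is the signal to pull the offending switch port, and the static mapping means the watcher's own table cannot itself be poisoned.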

Page 84: Application Interception - Introduction (Attacking the Network / Net/App Interception)

It is also possible to perform a MITM attack at the application layer.

Some possible ways to perform this attack include:
- Registration hijacking
- Redirection attacks
- VoIP phone reconfiguration
- Inserting a bridge via physical network access

Page 85: Application Interception (Attacking the Network / Net/App Interception)

(diagram) User - Proxy - Proxy - User, with the attacker placing themselves between the proxies or between a proxy and a user agent (UA).

Page 86: Application Interception - Countermeasures (Attacking the Network / Net/App Interception)

Some countermeasures to application-level interception are:
- Use VLANs for separation
- Use TCP/IP
- Use signaling encryption/authentication (such as TLS)
- Enable authentication for requests
- Deploy SIP firewalls to protect SIP proxies from attacks
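Registration hijacking, the first of the application-level attacks listed on page 84, works by sending a REGISTER for a victim's address-of-record that points the Contact at another host, after which the proxy routes the victim's calls there. Enabling authentication for requests is the fix; the monitor below is an added example (not code from the book) of what a SIP firewall or proxy log watcher can check alongside it: a REGISTER without credentials, a Contact host that differs from the address the request came from, and a binding that moves to a new host. The REGISTER messages, addresses and the `register()` builder are constructed for the example.

```python
"""Detect registration hijacking from observed SIP REGISTER requests.

Added example for the Hacking Exposed: VoIP tutorial; not part of the book.
"""
import re


def header(msg, name):
    """First value of a header, matched case-insensitively (minimal helper)."""
    for line in msg.replace("\r\n", "\n").split("\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def uri_host(value):
    """Host part of the first sip: URI in a header value, or None."""
    m = re.search(r"sip:(?:[^@>\s]+@)?([\w.\-]+)", value or "")
    return m.group(1) if m else None


class RegistrationMonitor:
    def __init__(self, require_auth=True):
        self.require_auth = require_auth
        self.bindings = {}      # address-of-record -> contact host
        self.alerts = []

    def observe(self, src_ip, msg):
        """Inspect one message from src_ip; return alerts it raised."""
        if not msg.startswith("REGISTER "):
            return []
        m = re.search(r"sip:[^>;\s]+", header(msg, "To") or "")
        aor = m.group(0) if m else None
        chost = uri_host(header(msg, "Contact"))
        new = []
        if self.require_auth and header(msg, "Authorization") is None:
            new.append(("unauthenticated-register", aor, src_ip))
        if chost and chost != src_ip:
            new.append(("contact-src-mismatch", aor, chost, src_ip))
        old = self.bindings.get(aor)
        if old and chost and old != chost:
            new.append(("binding-moved", aor, old, chost))
        if chost:
            self.bindings[aor] = chost
        self.alerts.extend(new)
        return new


def register(aor, contact_host, auth=True):
    """Construct a minimal REGISTER request (sample data for this example)."""
    user = aor.split("@")[0]
    lines = [
        "REGISTER sip:192.168.1.104 SIP/2.0",
        f"To: <sip:{aor}>",
        f"From: <sip:{aor}>;tag=1",
        f"Contact: <sip:{user}@{contact_host}>",
    ]
    if auth:
        lines.append('Authorization: Digest username="%s", realm="example", '
                     'response="PLACEHOLDER"' % user)
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    mon = RegistrationMonitor()
    print(mon.observe("192.168.1.21", register("alice@192.168.1.104", "192.168.1.21")))
    print(mon.observe("192.168.1.120", register("alice@192.168.1.104", "192.168.1.120", auth=False)))
```

The three alerts are deliberately separate: a binding that moves with valid credentials is normal roaming, a binding that moves without them is the hijack itself, and a Contact that points somewhere other than the sender is the pattern an attacker uses when the phone being impersonated is still switched on.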

Page 87: Attacking the Platform

This section describes unique attacks against specific VoIP vendor platforms, including:
- Avaya
- Cisco

Page 88: Avaya Communication Manager (Attacking the Platform / Avaya)

- The Avaya Communication Manager is Avaya's enterprise-class offering
- Offers strong security, but some default configuration should be changed
- Avaya uses Linux and VxWorks as the underlying operating system on many components, which is arguably more secure than Windows

Page 89: Avaya Communication Manager (Attacking the Platform / Avaya)

(screenshot slide)

Pages 90-95: Open Ports (Attacking the Platform / Avaya)

(six screenshot slides)

Page 96 to 97 (Attacking The Platform, Avaya)

Open Ports: Countermeasures

[Shown as screenshots on slides 96 and 97; images not reproduced in this transcript.]

Page 98 (Attacking The Platform, Avaya)

SNMP and TFTP

Avaya uses TFTP (for phone firmware and configuration files) and SNMP
In Communication Manager 3.0, SNMP is enabled by default on the IP PBX and IP phones
Some components ship with the default "public" and "private" community strings

Page 99 (Attacking The Platform, Avaya)

SNMP and TFTP: Countermeasures

Use the same countermeasures as before (change the community strings, restrict who can reach the SNMP and TFTP services)
Avaya provides a secure copy feature as an alternative to TFTP
Communication Manager 4.0 disables SNMP by default
Version 2.6 of the IP phone software does not ship with default community strings

Page 100 (Attacking The Platform, Avaya)

Flooding Attacks

We used udpflood and tcpsynflood to perform DoS attacks against various components
Unfortunately, these attacks were very disruptive

Page 101 (Attacking The Platform, Avaya)

Flooding Attacks: Countermeasures

Use the same countermeasures as before
Avaya C-LAN cards provide some level of DoS mitigation
Newer IP phone software provides better DoS mitigation
See http://support.avaya.com/security for current advisories

Page 102 (Attacking The Platform, Avaya)

Miscellaneous Security Issues

Avaya signaling and media are vulnerable to eavesdropping unless encryption is enabled
Avaya uses some default passwords on key IP PBX components
Password recommendations for IP phones are weak
By default, Avaya IP phones can be reconfigured locally when booted

Page 103 (Attacking The Platform, Avaya)

Miscellaneous Security Issues: Countermeasures

Avaya supports proprietary encryption for signaling and media; SRTP will be supported in Communication Manager 4.0
Default passwords should be changed to strong values
Local access to the IP phone configuration can be controlled with a password

Page 104 (Attacking The Platform, Cisco)

Cisco Unified Call Manager

The Cisco Unified Call Manager is Cisco's enterprise-class offering
Offers strong security, but requires some configuration
Version 4.1 is based on Windows; version 5.0 is based on Linux
A must-read document is the Solution Reference Network Design (SRND) for voice communications (http://tinyurl.com/gd5r4)
Includes great deployment scenarios and security use cases (lobby phone, desktop phone, Call Manager encryption how-to, etc.)

Page 105 (Attacking The Platform, Cisco)

Cisco: Introduction

[Screenshot slide; image not reproduced in this transcript.]

Page 106 (Attacking The Platform, Cisco)

Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) is Cisco's proprietary Layer 2 neighbor-discovery protocol
Every CDP-speaking device periodically announces its device ID, platform, IOS version, IP addresses, port ID and capabilities on the segment, unauthenticated, so anyone on the segment can map the network and pick targets
Disable it (no cdp run globally, or no cdp enable per interface) where it is not needed. The caveat: Cisco IP phones rely on CDP to learn the voice VLAN and to negotiate power, so keep it on phone-facing ports and disable it on uplinks to untrusted segments and on user ports that carry no phone
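To make concrete what the slide calls "juicy information", here is a CDP announcement decoder, added as an example for this page (it is not a tool from the book). The frame it decodes is constructed in the script, not captured; the device name, port, address, IOS version and platform string are made up. The TLV types and the address encoding are the standard CDPv2 ones.

```python
"""Parse Cisco Discovery Protocol announcements to see what a CDP-speaking
device gives away to everyone on its segment.  Added example; the frame
below is constructed, not a real capture."""
import ipaddress
import struct

# LLC/SNAP header that precedes every CDP payload (OUI 00-00-0C, PID 0x2000)
CDP_SNAP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00"

TLV_NAMES = {1: "device_id", 2: "addresses", 3: "port_id", 4: "capabilities",
             5: "software_version", 6: "platform", 9: "vtp_domain",
             10: "native_vlan"}
CAPABILITY_BITS = {0x01: "router", 0x02: "transparent-bridge",
                   0x04: "source-route-bridge", 0x08: "switch", 0x10: "host",
                   0x20: "igmp", 0x40: "repeater"}


def ones_complement(data):
    """RFC 1071 checksum over an even-length buffer."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(device_id, port_id, ips, caps, version, platform, vtp, vlan):
    """Build a CDPv2 payload (constructed sample data for the parser)."""
    addrs = struct.pack("!I", len(ips))
    for ip in ips:  # protocol type 1 (NLPID), protocol length 1, NLPID 0xCC = IPv4
        addrs += b"\x01\x01\xcc" + struct.pack("!H", 4) + ipaddress.IPv4Address(ip).packed
    body = (tlv(1, device_id.encode()) + tlv(2, addrs) + tlv(3, port_id.encode())
            + tlv(4, struct.pack("!I", caps)) + tlv(5, version.encode())
            + tlv(6, platform.encode()) + tlv(9, vtp.encode())
            + tlv(10, struct.pack("!H", vlan)))
    header = struct.pack("!BBH", 2, 180, 0)   # version 2, TTL 180 s, checksum placeholder
    if len(header + body) % 2:
        raise ValueError("choose TLV values giving an even payload length")
    checksum = ones_complement(header + body)
    return CDP_SNAP + struct.pack("!BBH", 2, 180, checksum) + body


def parse_cdp(frame):
    """Decode the CDP payload that follows the SNAP header into a dict."""
    if not frame.startswith(CDP_SNAP):
        raise ValueError("not a CDP frame")
    payload = frame[len(CDP_SNAP):]
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl}
    # Cisco's checksum quirk for odd-length payloads is not modelled here,
    # so only even-length payloads are verified.
    info["checksum_ok"] = ones_complement(payload) == 0 if len(payload) % 2 == 0 else None
    pos = 4
    while pos + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > len(payload):
            raise ValueError("malformed TLV at offset %d" % pos)
        value = payload[pos + 4:pos + tlv_len]
        pos += tlv_len
        name = TLV_NAMES.get(tlv_type, "tlv_%d" % tlv_type)
        if tlv_type == 2:
            count, = struct.unpack("!I", value[:4])
            addrs, off = [], 4
            for _ in range(count):
                ptype, plen = value[off], value[off + 1]
                proto = value[off + 2:off + 2 + plen]
                alen, = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])
                addr = value[off + 4 + plen:off + 4 + plen + alen]
                off += 4 + plen + alen
                if ptype == 1 and proto == b"\xcc" and alen == 4:
                    addrs.append(str(ipaddress.IPv4Address(addr)))
            info[name] = addrs
        elif tlv_type == 4:
            bits, = struct.unpack("!I", value)
            info[name] = [n for b, n in CAPABILITY_BITS.items() if bits & b]
        elif tlv_type == 10:
            info[name], = struct.unpack("!H", value)
        else:
            info[name] = value.decode("ascii", "replace")
    return info


# Constructed announcement resembling what an access switch sends every 60 s
SAMPLE_FRAME = build_cdp("SW-CORE-01", "FastEthernet0/24", ["10.1.1.1"], 0x28,
                         "12.2(44)SE", "cisco WS-C3750-24P", "VOICE", 100)

if __name__ == "__main__":
    for key, val in parse_cdp(SAMPLE_FRAME).items():
        print("%-17s %s" % (key, val))
```

Everything the parser prints (management address, exact IOS version, VTP domain, native VLAN, port the listener is plugged into) reaches any host on the segment without asking for it, which is what makes CDP the first thing to read in a VoIP assessment and the first thing to turn off on ports that do not need it.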

Page 107 (Attacking The Platform, Cisco)

Port Scanning

Cisco Unified Call Manager requires a large number of open ports

Page 108 (Attacking The Platform, Cisco)

Port Scanning: Countermeasures

Cisco IOS has a great feature called AutoSecure (the auto secure command) that:
disables a slew of services (finger, the HTTP server, ICMP redirects and unreachables, source routing, etc.)
enables some protective settings (password encryption, TCP synwait-time, logging, etc.)
and locks down the router (enables SSH for management, blocks private address blocks from traversing, enables NetFlow, etc.)

Page 109 (Attacking The Platform, Cisco)

Flooding: Countermeasures

Another great feature from Cisco is AutoQoS, a newer IOS feature (the auto qos command)
Enables Quality of Service for VoIP traffic across every Cisco router and switch, so that a flood of data traffic does not starve signaling and media
Scavenger-class QoS is also a relatively new Cisco strategy: rate-shape all bursty non-VoIP traffic into a low-priority class

Page 110 (Attacking The Platform, Cisco)

DoS and OS Exploitation: Countermeasures

Patch management is key: use the Cisco Voice Technology Group Subscription Tool (http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi) to be notified of new releases and advisories

Page 111 (Attacking The Platform, Cisco)

Eavesdropping and Interception: Countermeasures

Enable port security on Cisco switches to limit the MAC addresses per port (helps mitigate ARP spoofing and MAC flooding)
Enable Dynamic ARP Inspection (DAI) to thwart ARP spoofing; it validates ARP packets on untrusted ports against the DHCP snooping binding table
Dynamically restrict Ethernet port access with 802.1X port authentication
Enable DHCP snooping to prevent DHCP spoofing (rogue DHCP servers on untrusted ports)
Configure IP Source Guard on switches so a port can only send traffic from the IP/MAC pair it was bound to
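The three switch features above share one data structure, the DHCP snooping binding table, which is why they are usually enabled together and why hosts with static addresses break when they are. The model below, added for this page and not Cisco code, runs constructed events (a phone lease, a rogue DHCP server, an ARP spoof, a forged source address, a statically addressed printer) through the checks; port names, MACs and addresses are made up.

```python
"""What DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source Guard check
on an access switch, modelled in Python and run over constructed events.
Added example: not Cisco code; ports, MACs and addresses are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the real DHCP server
        self.bindings = set()               # the DHCP snooping binding table
        self.log = []

    def _bound(self, port, vlan, mac, ip):
        return Binding(mac, ip, vlan, port) in self.bindings

    def _drop(self, feature, why):
        self.log.append("%s: drop (%s)" % (feature, why))
        return "drop: " + feature

    def dhcp_server_msg(self, in_port, vlan, client_mac, client_port, leased_ip):
        """DHCP OFFER/ACK arriving on in_port.  Only trusted ports may carry
        server messages; an ACK from a trusted port creates the client's binding."""
        if in_port not in self.trusted:
            return self._drop("dhcp-snooping", "server message on untrusted %s" % in_port)
        self.bindings.add(Binding(client_mac, leased_ip, vlan, client_port))
        return "forward"

    def add_static_binding(self, port, vlan, mac, ip):
        """Hosts with static addresses never get a lease, so they need an entry
        here or DAI and IP Source Guard will drop them."""
        self.bindings.add(Binding(mac, ip, vlan, port))

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must be bound to that port."""
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return "forward"
        return self._drop("dai", "%s claims %s on %s" % (sender_mac, sender_ip, port))

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: the same table applied to every IP packet's source."""
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip):
            return "forward"
        return self._drop("ip-source-guard", "%s/%s on %s" % (src_mac, src_ip, port))


def run_scenario():
    """Constructed sequence: a phone gets a lease, then an attacker on Fa0/5 tries
    rogue DHCP, ARP spoofing and IP spoofing; a static host shows the caveat."""
    sw = AccessSwitch(trusted_ports=["Gi0/1"])
    phone_mac, phone_ip = "00:04:0d:aa:bb:cc", "10.1.100.23"
    evil_mac = "00:11:22:33:44:55"
    out = {}
    sw.dhcp_server_msg("Gi0/1", 100, phone_mac, "Fa0/3", phone_ip)       # real DHCP ACK
    out["rogue_dhcp"] = sw.dhcp_server_msg("Fa0/5", 100, phone_mac, "Fa0/3", phone_ip)
    out["spoofed_arp"] = sw.arp("Fa0/5", 100, evil_mac, "10.1.100.1")    # "I am the gateway"
    out["legit_arp"] = sw.arp("Fa0/3", 100, phone_mac, phone_ip)
    out["spoofed_ip"] = sw.ip_packet("Fa0/5", 100, evil_mac, phone_ip)   # forged source
    out["static_before"] = sw.ip_packet("Fa0/7", 100, "00:50:56:01:02:03", "10.1.100.200")
    sw.add_static_binding("Fa0/7", 100, "00:50:56:01:02:03", "10.1.100.200")
    out["static_after"] = sw.ip_packet("Fa0/7", 100, "00:50:56:01:02:03", "10.1.100.200")
    return out


if __name__ == "__main__":
    for event, verdict in run_scenario().items():
        print("%-14s %s" % (event, verdict))
```

The order matters in the real deployment as much as in the model: DHCP snooping has to be on, with the uplink marked trusted, before DAI or IP Source Guard is enabled, or every host is dropped for lack of a binding; statically addressed devices need static bindings added by hand.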

Page 112 (Attacking The Platform, Cisco)

Eavesdropping and Interception: Countermeasures (continued)

Configure VTP transparent mode so that a rogue VTP server cannot rewrite the switch's VLAN database
Change the default native VLAN (VLAN 1) on trunks to thwart double-tagging VLAN hopping, and do not place users or phones in the native VLAN
Disable Dynamic Trunking Protocol (DTP) with switchport nonegotiate on access ports to thwart VLAN hopping by trunk negotiation

Page 113 (Attacking The Platform, Cisco)

Eavesdropping and Interception: Countermeasures (continued)

Activate authentication and encryption of the signaling and media streams:
Skinny (SCCP) over TLS for signaling
SRTP for media
Requires creating and distributing certificates to the phones (the phone certificates and a signed certificate trust list)

Page 114 (Attacking The Application)

Attacking The Application

VoIP systems are vulnerable to application attacks against the various VoIP protocols
Attacks include:
Fuzzing attacks
Flood-based DoS
Signaling and media manipulation

Page 115 (Attacking The Application, Fuzzing)

Fuzzing: Introduction

Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it or trigger a parsing bug (over-long headers, missing or duplicated headers, wrong Content-Length, bad SDP)
Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks
There are many publicly available tools for fuzzing:
Protos suite
Asteroid
Fuzzy Packet
NastySIP
Scapy
SipBomber
SFTF
SIP Proxy
SIPp
SIPsak

Page 116 (Attacking The Application, Fuzzing)

Fuzzing: Example

A well-formed INVITE as sent by a user agent:

INVITE sip:[email protected]:6060;user=phone SIP/2.0
Via: SIP/2.0/UDP 192.168.22.36:6060
From: UserAgent<sip:[email protected]:6060;user=phone>
To: 6713<sip:[email protected]:6060;user=phone>
Call-ID: [email protected]
CSeq: 1 INVITE
Subject: VovidaINVITE
Contact: <sip:[email protected]:6060;user=phone>
Content-Type: application/sdp
Content-Length: 168

Page 117 (Attacking The Application, Fuzzing)

Fuzzing: Example

The same INVITE with the Via header value replaced by thousands of "a" characters; a parser that copies the header into a fixed-size buffer, or never bounds header length, will crash or misbehave:

INVITE sip:[email protected]:6060;user=phone SIP/2.0
Via: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa…
From: UserAgent<sip:[email protected]:6060;user=phone>
To: 6713<sip:[email protected]:6060;user=phone>
Call-ID: [email protected]
CSeq: 1 INVITE
Subject: VovidaINVITE
Contact: <sip:[email protected]:6060;user=phone>
Content-Type: application/sdp
Content-Length: 168


Page 119 (Attacking The Application, Fuzzing)

Fuzzing: Commercial Tools

There are some commercial tools available:
Beyond Security BeStorm
Codenomicon
MuSecurity Mu-4000 Security Analyzer
Security Innovation Hydra
Sipera Systems LAVA tools

Page 120 (Attacking The Application, Fuzzing)

Fuzzing: Countermeasures

Make sure your vendor has tested their systems against fuzzing attacks (ask which fuzzing suites they run before a release)
Consider running your own tests, in a lab, before deployment and after each upgrade
A VoIP-aware IPS can monitor for and block fuzzing attacks, since malformed requests are easy to distinguish from legitimate traffic
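The slide's oversized-Via INVITE is one of a family of mutations, and the defence the countermeasures slide asks for ("run your own tests", a parser that refuses malformed requests) is easy to state in code. The script below is an example added for this page, not the book's tools: it rebuilds the INVITE from slides 116 and 117 with made-up extensions, tags and branch parameter, derives eight malformed variants from it, and runs each through a lenient parser of the kind fuzzing breaks and a strict parser of the kind a hardened UA or SIP firewall should have.

```python
"""Mutate the INVITE from the slides into the malformed requests a fuzzer
sends, and run each one through a lenient and a strict parser.  Added
example: the parsers and the cases are this page's illustration, not the
book's tools; extensions, addresses, tags and the branch value are made up."""
import re

MAX_MESSAGE = 8192          # bytes; larger UDP SIP requests are not legitimate here
MAX_HEADER_VALUE = 1024     # bytes; the slide's 'aaaa...' Via is far beyond this
REQUEST_LINE_RE = re.compile(r"^([A-Z]{1,16}) (sips?:[^ \t]{1,512}) SIP/2\.0$")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.\-]{0,63}):[ \t]*(.*)$")
CSEQ_RE = re.compile(r"^(\d{1,10}) ([A-Z]{1,16})$")
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq")

SDP_BODY = ("v=0\r\no=6710 1 1 IN IP4 192.168.22.36\r\ns=-\r\n"
            "c=IN IP4 192.168.22.36\r\nt=0 0\r\nm=audio 8000 RTP/AVP 0\r\n")


def build_invite(body=SDP_BODY):
    """Well-formed INVITE modelled on the slide (constructed values)."""
    headers = [
        "INVITE sip:6713@192.168.22.36:6060;user=phone SIP/2.0",
        "Via: SIP/2.0/UDP 192.168.22.36:6060;branch=z9hG4bK776asdhds",
        "From: UserAgent<sip:6710@192.168.22.36:6060;user=phone>;tag=1928301774",
        "To: 6713<sip:6713@192.168.22.36:6060;user=phone>",
        "Call-ID: a84b4c76e66710@192.168.22.36",
        "CSeq: 1 INVITE",
        "Subject: VovidaINVITE",
        "Contact: <sip:6710@192.168.22.36:6060;user=phone>",
        "Content-Type: application/sdp",
        "Content-Length: %d" % len(body),
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


class SipParseError(ValueError):
    pass


def naive_parse(raw):
    """The lenient parser fuzzing finds bugs in: no limits, no validation."""
    head, _, body = raw.decode("latin-1").partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"request": lines[0], "headers": headers, "body": body}


def strict_parse(raw):
    """Accept only requests inside a tight grammar; reject everything else.
    (Header folding, the obsolete line continuation, is not supported.)"""
    if len(raw) > MAX_MESSAGE:
        raise SipParseError("message too large")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise SipParseError("non-ASCII bytes in message")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise SipParseError("no end of headers")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise SipParseError("bad request line")
    method, uri = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        hm = HEADER_RE.match(line)
        if not hm:
            raise SipParseError("malformed header line")
        name, value = hm.group(1), hm.group(2)
        if len(value) > MAX_HEADER_VALUE:
            raise SipParseError("%s header too long (%d bytes)" % (name, len(value)))
        headers.setdefault(name, []).append(value)   # Via, Route etc. may repeat
    for name in REQUIRED:
        if name not in headers:
            raise SipParseError("missing %s header" % name)
    cm = CSEQ_RE.match(headers["CSeq"][0])
    if not cm or cm.group(2) != method or int(cm.group(1)) >= 2 ** 31:
        raise SipParseError("bad CSeq")
    clen = headers.get("Content-Length", ["0"])[0]
    if not clen.isdigit() or int(clen) != len(body):
        raise SipParseError("Content-Length does not match body")
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def fuzz_cases(base):
    """Constructed mutations of a well-formed request, one per defect class."""
    text = base.decode("ascii")
    via = re.search(r"^Via: ([^\r\n]*)", text, re.M).group(1)
    yield "oversize_via", text.replace(via, "a" * 4096).encode("ascii")
    yield "content_length_overstated", re.sub(r"Content-Length: \d+", "Content-Length: 65535", text).encode("ascii")
    yield "content_length_negative", re.sub(r"Content-Length: \d+", "Content-Length: -1", text).encode("ascii")
    yield "missing_cseq", re.sub(r"CSeq: .*\r\n", "", text).encode("ascii")
    yield "cseq_method_mismatch", text.replace("CSeq: 1 INVITE", "CSeq: 1 BYE").encode("ascii")
    yield "bad_request_line", text.replace("INVITE sip:", "INVITE ", 1).encode("ascii")
    yield "header_without_colon", text.replace("Subject: ", "Subject ", 1).encode("ascii")
    yield "non_ascii_bytes", base.replace(b"VovidaINVITE", b"\xff\xfe\xfd")


def run_campaign(parser, base=None):
    """Return {case: 'accepted' | 'rejected: reason'} for each mutation."""
    results = {}
    for name, msg in fuzz_cases(base or build_invite()):
        try:
            parser(msg)
            results[name] = "accepted"
        except SipParseError as err:
            results[name] = "rejected: %s" % err
    return results
```

The lenient parser accepts all eight mutations, which is the point: whatever it does next with a 4096-byte Via or a Content-Length of 65535 is where the crash lives. Sending the same eight cases at a lab system, then watching it for crashes and restarts, is the minimum "run your own tests" that the countermeasures slide asks for.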

Page 121 (Attacking The Application, Flood-Based DoS)

Flood-Based DoS: Introduction

Describes an attack where a flood of packets overwhelms a target, such as a SIP proxy or phone

Page 122 (Attacking The Application, Flood-Based DoS)

Flood-Based DoS

Several tools are available to generate floods at the application layer:
rtpflood – generates a flood of RTP packets
inviteflood – generates a flood of SIP INVITE packets
SiVuS – a GUI tool that enables a variety of flood-based attacks
Virtually every device we tested was susceptible to these attacks

Page 123 (Attacking The Application, Flood-Based DoS)

SiVuS

[Screenshot slide; image not reproduced in this transcript.]

Page 124 (Attacking The Application, Flood-Based DoS)

Flood-Based DoS: Countermeasures

There are several countermeasures you can use for flood-based DoS:
Use VLANs to separate networks
Use TCP and TLS for SIP connections (a UDP INVITE flood can be sent from forged source addresses; TCP and TLS force the attacker to complete a handshake per connection)
Use rate limiting in switches
Enable authentication for requests
Use SIP firewalls/IPSs to monitor and block attacks
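What a SIP-aware firewall or IPS actually does against an inviteflood-style burst is per-source rate limiting plus a cap on unanswered dialogs. The model below is an example added for this page, not code from the book or from any product; the thresholds (5 INVITEs per second, burst of 10, 20 pending dialogs, 60 s block) are assumed values, and the traffic it runs over is constructed in the script.

```python
"""Per-source rate limiting and pending-dialog caps for SIP INVITEs, the kind
of logic a SIP-aware firewall or IPS applies in front of a proxy, run over a
constructed inviteflood-style burst.  Added example; not code from the book
or from any product, and the thresholds are assumed values."""
from collections import defaultdict


class InviteRateLimiter:
    def __init__(self, rate_per_s=5.0, burst=10, max_pending=20, block_s=60.0):
        self.rate, self.burst = rate_per_s, burst
        self.max_pending, self.block_s = max_pending, block_s
        self.tokens = {}                   # src -> (tokens, last_update)
        self.pending = defaultdict(set)    # src -> Call-IDs without a final response
        self.blocked_until = {}            # src -> timestamp

    def _take_token(self, src, now):
        """Token bucket: refill at rate_per_s, hold at most burst tokens."""
        tokens, last = self.tokens.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.tokens[src] = (tokens - 1.0 if ok else tokens, now)
        return ok

    def on_invite(self, src, call_id, now):
        if self.blocked_until.get(src, 0.0) > now:
            return "drop: source blocked"
        if call_id in self.pending[src]:
            return "forward"               # retransmission, not a new dialog
        if len(self.pending[src]) >= self.max_pending:
            # many unanswered INVITEs from one source is the flood signature
            self.blocked_until[src] = now + self.block_s
            return "drop: pending limit, blocking source"
        if not self._take_token(src, now):
            return "drop: rate limit"
        self.pending[src].add(call_id)
        return "forward"

    def on_final_response(self, src, call_id):
        """The proxy saw a 2xx-6xx for this INVITE: the dialog is no longer pending."""
        self.pending[src].discard(call_id)


def run_scenario():
    """Constructed traffic: one legitimate phone, one attacker at 100 INVITEs/s."""
    fw = InviteRateLimiter()
    legit, attacker = "10.1.1.50", "10.1.1.99"
    out = {"legit_forwarded": 0, "attack_forwarded": 0, "attack_dropped": 0}
    # attacker: 500 INVITEs with unique Call-IDs over 5 seconds, none answered
    for i in range(500):
        verdict = fw.on_invite(attacker, "flood-%d@10.1.1.99" % i, now=i * 0.01)
        out["attack_forwarded" if verdict == "forward" else "attack_dropped"] += 1
    out["attacker_blocked"] = fw.blocked_until.get(attacker, 0.0) > 5.0
    # legitimate phone: three calls ten seconds apart, each answered
    for i in range(3):
        call_id = "call-%d@10.1.1.50" % i
        if fw.on_invite(legit, call_id, now=100.0 + i * 10) == "forward":
            out["legit_forwarded"] += 1
        fw.on_final_response(legit, call_id)
    return out


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print("%-17s %s" % (key, val))
```

The pending-dialog cap is what separates a flood from a busy PBX trunk: a legitimate source that sends many INVITEs also receives final responses for them, so its pending set stays small, while a flood tool never completes a dialog. Real products key on source IP plus From/Contact and also rate-limit 401 challenges, since authentication itself costs the proxy CPU.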

Page 125 (Attacking The Application, Sig/Media Manipulation)

Signaling/Media Manipulation: Introduction

In SIP and RTP, a number of attacks are possible that exploit the protocol itself rather than an implementation bug:
Registration removal/addition
Registration hijacking
Redirection attacks
Session teardown
SIP phone reboot
RTP insertion/mixing

Page 126 (Attacking The Application, Sig/Media Manipulation)

Registration Removal/Addition

[Diagram: the attacker sends REGISTER requests to the registrar that erase (Expires: 0) or add bogus registrations for the user, causing the user's calls to be dropped or sent to the wrong address.]

Page 127 (Attacking The Application, Sig/Media Manipulation)

Registration Hijacking

[Diagram: the attacker replaces the user's registration with one pointing at the attacker's own address, so the user's inbound session and media are delivered to the attacker (hijacked session, hijacked media).]

Page 128 (Attacking The Application, Sig/Media Manipulation)

Registration Hijacking

[Screenshot slide; image not reproduced in this transcript.]

Page 129 (Attacking The Application, Sig/Media Manipulation)

Redirection Attacks

[Diagram: the attacker answers an INVITE for the user with a "301 Moved Permanently" or "302 Moved Temporarily" response whose Contact points at the attacker, so inbound calls are redirected.]

Page 130 (Attacking The Application, Sig/Media Manipulation)

Session Teardown

[Diagram: the attacker sends spoofed BYE messages to the user agents, tearing down the call in progress.]

Page 131 (Attacking The Application, Sig/Media Manipulation)

IP Phone Reboot

[Diagram: the attacker sends check-sync messages (SIP NOTIFY with Event: check-sync) to the user agent, causing the phone to reboot or resync its configuration.]

Page 132 (Attacking The Application, Sig/Media Manipulation)

Audio Insertion/Mixing

[Diagram: the attacker sees the RTP packets and inserts or mixes in new audio, for example by sending RTP with the same SSRC and higher sequence numbers and timestamps so the receiver plays the attacker's packets instead of the real ones.]

Page 133 (Attacking The Application, Sig/Media Manipulation)

Signaling/Media Manipulation: Countermeasures

Some countermeasures for signaling and media manipulation include:
Use digest authentication where possible (on REGISTER above all; an unauthenticated registrar accepts any Contact for any user)
Use TCP and TLS where possible (spoofed BYEs and NOTIFYs are trivial over UDP; TLS lets the UA reject signaling that did not come from its proxy)
Use SIP-aware firewalls/IPSs to monitor for and block attacks
Use audio encryption (SRTP) to prevent RTP injection/mixing (the receiver discards packets that fail the SRTP authentication check)
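The registration hijacking and removal attacks from slides 126 and 127, and the digest-authentication countermeasure above, come down to one question: does the registrar check who is binding a Contact to an address of record? The model below is an example added for this page, not the book's code and not any product's implementation; it plays the REGISTER exchange in Python with made-up users, passwords, contacts and realm, first against an open registrar and then against one that requires RFC 2617 digest authentication with one-time nonces. It also shows two checks that a registrar with digest authentication can still get wrong: accepting a replayed Authorization header, and letting a valid account register a Contact for someone else's extension.

```python
"""Why an unauthenticated SIP registrar can be hijacked, and what digest
authentication on REGISTER changes.  Added example modelling the message
exchange in Python; not the book's code and not any product's implementation.
Users, passwords, contacts and the realm are made up."""
import hashlib
import hmac
import os


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest (MD5, no qop), as used by SIP: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex("%s:%s:%s" % (user, realm, password))
    ha2 = md5hex("%s:%s" % (method, uri))
    return md5hex("%s:%s:%s" % (ha1, nonce, ha2))


class Registrar:
    """Minimal registrar: maps an address of record (AOR) to one Contact."""

    def __init__(self, realm, passwords, require_auth):
        self.realm = realm
        self.passwords = passwords      # AOR -> password
        self.require_auth = require_auth
        self.bindings = {}              # AOR -> contact URI
        self.nonces = set()             # issued, not yet used (one-time)

    def register(self, aor, contact, expires, auth=None):
        if self.require_auth:
            if auth is None:            # no credentials: 401 with a fresh nonce
                nonce = os.urandom(8).hex()
                self.nonces.add(nonce)
                return {"status": 401, "realm": self.realm, "nonce": nonce}
            if not self._verify(aor, auth):
                return {"status": 403}
        if expires == 0:
            self.bindings.pop(aor, None)    # Expires: 0 removes the binding
        else:
            self.bindings[aor] = contact
        return {"status": 200, "contact": self.bindings.get(aor)}

    def _verify(self, aor, auth):
        # The authenticated user must own the AOR being registered, otherwise any
        # valid account could register a Contact for someone else's extension.
        if auth["username"] != aor or aor not in self.passwords:
            return False
        # Each nonce is accepted once: a captured Authorization header cannot be
        # replayed with a different Contact (the digest does not cover Contact).
        if auth["nonce"] not in self.nonces:
            return False
        self.nonces.discard(auth["nonce"])
        expected = digest_response(aor, self.realm, self.passwords[aor],
                                   "REGISTER", auth["uri"], auth["nonce"])
        return hmac.compare_digest(expected, auth["response"])

    def route(self, aor):
        return self.bindings.get(aor)


def ua_register(reg, user, password, contact, expires=3600):
    """User-agent side: send REGISTER, answer a 401 challenge if one comes back."""
    uri = "sip:%s" % reg.realm
    resp = reg.register(user, contact, expires)
    auth = None
    if resp["status"] == 401:
        auth = {"username": user, "uri": uri, "nonce": resp["nonce"],
                "response": digest_response(user, resp["realm"], password,
                                            "REGISTER", uri, resp["nonce"])}
        resp = reg.register(user, contact, expires, auth)
    return resp, auth


def run_scenario():
    phone, attacker = "sip:6713@10.1.1.50", "sip:6713@10.1.1.99"
    passwords = {"6713": "s3cret-6713", "6710": "s3cret-6710"}
    out = {}

    open_reg = Registrar("voice.example", passwords, require_auth=False)
    ua_register(open_reg, "6713", None, phone)
    ua_register(open_reg, "6713", None, attacker)            # hijack: no password needed
    out["open_hijacked"] = open_reg.route("6713") == attacker
    ua_register(open_reg, "6713", None, attacker, expires=0)  # registration removal
    out["open_removed"] = open_reg.route("6713") is None

    hard = Registrar("voice.example", passwords, require_auth=True)
    resp, legit_auth = ua_register(hard, "6713", passwords["6713"], phone)
    out["legit_ok"] = resp["status"] == 200
    resp, _ = ua_register(hard, "6713", "guess", attacker)    # wrong password
    out["guess_rejected"] = resp["status"] == 403
    resp = hard.register("6713", attacker, 3600, dict(legit_auth))  # replayed header
    out["replay_rejected"] = resp["status"] == 403
    resp = hard.register("6713", attacker, 3600)              # 401 with a nonce
    cross = {"username": "6710", "uri": "sip:voice.example", "nonce": resp["nonce"],
             "response": digest_response("6710", "voice.example", passwords["6710"],
                                         "REGISTER", "sip:voice.example", resp["nonce"])}
    resp = hard.register("6713", attacker, 3600, cross)       # valid user, wrong AOR
    out["cross_user_rejected"] = resp["status"] == 403
    out["hardened_hijacked"] = hard.route("6713") != phone
    return out
```

Two things the model deliberately keeps visible: the MD5 digest does not cover the Contact header, so nonce reuse would let a captured header re-point the registration, and the digest is only as strong as the phone password, which is why the slide pairs it with TLS. Real registrars also expire nonces and bind them to the requesting transport address rather than keeping an unbounded set.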

Page 134 (Social Attacks)

Social Attacks

There are a couple of evolving social threats that will affect enterprises:
Voice SPAM, or SPAM over Internet Telephony (SPIT)
Voice phishing

Page 135 (Social Attacks, Voice SPAM)

Voice SPAM: Introduction

Voice SPAM refers to bulk, automatically generated, unsolicited phone calls
Similar to telemarketing, but occurring at the frequency of email SPAM
Not an issue yet, but will become prevalent when:
The network makes it very inexpensive or free to generate calls
Attackers have access to VoIP networks that allow generation of a large number of calls
It is easy to set up a voice SPAM operation using Asterisk, tools like "spitter", and free VoIP access

Page 136 (Social Attacks, Voice SPAM)

Voice SPAM

Voice SPAM has the potential to be very disruptive because:
Voice calls tend to interrupt a user more than email
Calls arrive in real time, and the content cannot be analyzed before the call is answered to determine that it is voice SPAM
Even calls saved to voice mail must be converted from audio to text before they can be filtered, which is an imperfect process
There isn't any capability in the protocols that looks like it will address voice SPAM

Page 137 (Social Attacks, Voice SPAM)

Voice SPAM: Countermeasures

Some potential countermeasures for voice SPAM are:
Authenticated identity mechanisms (such as SIP Identity, RFC 4474), which may help to identify callers
Legal measures
Enterprise voice SPAM filters:
Black lists/white lists
Approval systems
Audio content filtering
Turing tests (challenge the caller to press or say something a dialer cannot)

Page 138 (Social Attacks, Phishing)

VoIP Phishing: Introduction

Similar to email phishing, but with a phone number delivered through email or voice
When the victim dials the number, a recording requests entry of personal information
The hacker comes back later and retrieves the touch tones (DTMF digits) or other information

Page 139 (Social Attacks, Phishing)

VoIP Phishing: Example

The lure, left as a voice mail or sent by email:
"Hi, this is Bob from Bank of America calling. Sorry I missed you. If you could give us a call back at 1-866-555-1324 we have an urgent issue to discuss with you about your bank account."

The recording that answers the number:
"Hello. This is Bank of America. So we may best serve you, please enter your account number followed by your PIN."

Page 140 (Social Attacks, Phishing)

VoIP Phishing: Example

[Screenshot slide; image not reproduced in this transcript.]

Page 141 (Social Attacks, Phishing)

VoIP Phishing: Countermeasures

Traditional email spam/phishing countermeasures come into play here
Educating users is key: a bank does not ask for a PIN over the phone, and the number to call back is the one printed on the card, not the one in the message

Page 142

Questions?
