Date post: 08-May-2015
Category: Education
Upload: nu-the-open-security-community
VoIP – Vulnerabilities and Attacks
Presented by: push
http://nullcon.net/
Agenda
• Introduction to VoIP
  – VoIP Architecture
  – VoIP Components
  – VoIP Protocols
• A PenTester Perspective
  – Attack Vectors
  – Scanning
  – Attacks
  – Tools of Trade
  – Countermeasures and Security
http://null.co.in/
Remember Something?
VoIP
• IP Telephony
• Voice over Internet Protocol
• Subset of IP Telephony
• Transmission of “Voice” over Packet-Switched Network.
• Is it only Voice??? – Data, Audio, Video
VoIP
• Analog voice signals are converted to digital bits (“sampled”) and transmitted in packets
[Figure: Analog Voice Signals, digital bits, Internet, digital bits, Analog Voice Signals]
VoIP Architecture
[Diagram: Ordinary Phone, ATA, Ethernet, Router, Internet]
[Diagram: IP Phone, Ethernet, IP-PBX, Modem / Router, Internet]
[Diagram: Softphone Phone, Ethernet, Router, Internet]
VoIP Components
• User Agents (devices)
• Media gateways
• Signaling gateways
• Gatekeepers
• Proxy Servers
• Redirect Servers
• Registrar Servers
• Location Servers
• Network management system
• Billing systems
Legend: GW = Gateway; MG = Media Gateway; GK = Gatekeeper; MGC = Media Gateway Controller; NMS = Network Management System; IVR = Interactive Voice Response
VoIP Protocols
• Vendor Proprietary
• Signaling Protocols
• Media Protocols
VoIP Protocols
SIP Session Initiation Protocol
SGCP Simple Gateway Control Protocol
IPDC Internet Protocol Device Control
RTP Real Time Transmission Protocol
SRTP Secure Real Time Transmission Protocol
RTCP RTP Control Protocol
SRTCP Secure RTP Control Protocol
MGCP Media Gateway Control Protocol
SDP Session Description Protocol
SAP Session Announcement Protocol
MIME Multipurpose Internet Mail Extensions – Set of Standards
IAX Inter-Asterisk eXchange
Megaco H.248 Gateway Control Protocol
RVP over IP Remote Voice Protocol over IP
RTSP Real Time Streaming Protocol
SCCP Skinny Client Control Protocol (Cisco).
UNISTIM Unified Network Stimulus (Nortel).
VoIP Protocols - SIP
VoIP Protocols – H.323
A PenTester Perspective
VoIP – Attack Vectors
• Vulnerabilities of Both Data and Telephone Network
• CIA Triad
VoIP - Scanning
• Scanning a network for VoIP enabled systems / devices.
• Tools for Scanning and Enumeration:
  – Nmap: port scanner
  – Smap: SIP scanner. Finds SIP enabled servers
  – Svmap: SIP scanner
  – Svwar: SIP extension enumerator
  – Iwar: VoIP enabled modem dialer
  – Metasploit Modules:
    • H.323 version scanner
    • SIP enumerator: SIP Username Enumerator (UDP)
    • SIP enumerator_tcp: SIP Username Enumerator (TCP)
    • Options: SIP scanner (TCP)
    • Options_tcp: SIP scanner (UDP)
VoIP – Scanning Demo
• Nmap scan
VoIP – Common Ports
Protocol | TCP Port | UDP Port
SIP | 5060 | 5060
SIP-TLS | 5061 | 5061
IAX2 | - | 4569
http – web based management console | 80 / 8080 | -
tftp | - | 69
RTP | - | 5004
RTCP | - | 5005
IAX1 | - | 5036
SCCP | 2000 |
SCCPS | 2443 |
H.323 | 1720 |
VoIP – Scanning Demo
• Smap
• svmap
VoIP – Scanning Demo
• Metasploit Scanner
VoIP - Attacks
• Identity Spoofing
• Conversation Eavesdropping / Sniffing
• Password Cracking
• Man-In-The-Middle
• SIP-Bye DoS
• SIP Bombing
• RTP Insertion Attacks
• Web Based Management Console Hacks
• Fuzzing
• Default Passwords
VoIP – Attacks Demo
• Identity – Caller ID Spoofing
  – Tools Used:
    • Metasploit – SIP_INVITE_Spoof
    • VoIP Fuzzer – Protos-SIP
VoIP – Attacks Demo
• Conversation Eavesdropping
  – Tools Used:
    • Cain & Abel
    • Ettercap
    • Arpspoof
    • Wireshark
VoIP – Attacks Demo
• Man-In-The-Middle
  – Tools Used:
    • Wireshark
    • Arpspoof / ettercap
    • RTPInject
    • RTPmixsound
VoIP – Attacks Demo
• Password Cracking
  – Tools Used:
    • SIPDump
    • SIPCrack
    • svcrack
VoIP - Attacks
Some Default Passwords for VoIP Devices and Consoles:
Device / Console | Username | Password
Uniden UIP1868P VoIP phone Web Interface | - | admin
Hitachi IP5000 VOIP WIFI Phone 1.5.6 | - | 0000
Vonage VoIP Telephone Adapter | user | user
Grandstream Phones - Web Administrator Interface | Administrator / admin | admin
 | user | user
• Asterisk Manager User Accounts are configured in /etc/asterisk/manager.conf
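A defensive check for the default-password problem listed above, as an added example that is not part of the original presentation: it audits a manager.conf for weak secrets, a missing permit ACL and an all-interfaces listener. The sample file, the weak-secret list and the minimum length are constructed assumptions; the parsing is simplified and does not handle `#include` lines.

```python
import configparser

# Constructed sample in manager.conf syntax; not taken from a real system.
SAMPLE_MANAGER_CONF = """
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[admin]
secret = admin
read = all
write = all

[monitor]
secret = t9#Lq2v!Zr8wXc4p
deny = 0.0.0.0/0.0.0.0
permit = 10.20.0.5/255.255.255.255
read = system,call
"""

# Assumed deny-list built from the defaults in the table above plus a few
# common guesses; extend it with your own vendors' defaults.
WEAK_SECRETS = {"admin", "user", "0000", "password", "1234", "asterisk"}
MIN_SECRET_LEN = 12  # assumed local policy, not an Asterisk requirement


def audit_manager_conf(text):
    """Return (section, finding) tuples for risky AMI settings."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   comment_prefixes=(";",),
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    findings = []
    general = cp["general"] if cp.has_section("general") else {}
    enabled = general.get("enabled", "no").strip().lower() in ("yes", "true", "1", "on")
    # A missing bindaddr is treated as "all interfaces" (conservative assumption).
    if enabled and general.get("bindaddr", "0.0.0.0").strip() == "0.0.0.0":
        findings.append(("general", "AMI enabled on all interfaces"))
    for name in cp.sections():
        if name == "general":
            continue
        secret = cp[name].get("secret", "").strip()
        if (secret.lower() in WEAK_SECRETS or secret.lower() == name.lower()
                or len(secret) < MIN_SECRET_LEN):
            findings.append((name, "weak or default secret"))
        if "permit" not in cp[name]:
            findings.append((name, "no permit ACL restricting source addresses"))
    return findings
```
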
VoIP – Audit & PenTest Tools
• UCSniff
• VoIPHopper
• Vomit
• VoIPong
• IAX Flood
• InviteFlood
• RTPFlood
• IAXFlood
• BYE-TearDown
• Metasploit Modules:
  – Auxiliary Modules
    • SIP enumerator: SIP Username Enumerator
    • SIP enumerator_tcp: SIP Username Enumerator
    • Options: SIP scanner
    • Options_tcp: SIP scanner
    • Asterisk_login: Asterisk Manager Login Utility
  – Exploits
    • Aol_icq_downloadagent: AOL ICQ Arbitrary File Download
    • Aim_triton_cseq: AIM triton 1.0.4 CSeq Buffer Overflow
    • Sipxezphone_cseq: sipxezphone 0.35a CSeq Field Overflow
    • Sipxphone_cseq: sipxPhone 2.6.0.27 CSeq Buffer Overflow
Countermeasures & Security
• Separate Infrastructure
• Do not integrate Data and VoIP Networks
• VoIP-aware Firewalls
• Secure Protocols like SRTP
• Session Encryption using SIP/TLS, SCCP/TLS
• Harden Network Security – IDS – IPS – NIPS
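One way to verify the SRTP and SIP/TLS countermeasures on captured signaling, as an added example that is not part of the original presentation: it reads the SDP body of a SIP message and reports whether each media stream is negotiated as cleartext RTP or SRTP, and whether an SDES key would travel over unencrypted signaling. The SDP samples are constructed and `audit_sdp` is a hypothetical helper name.

```python
# Constructed SDP bodies (RFC 4566 syntax); addresses are documentation ranges
# and the a=crypto key is a placeholder, not real keying material.
SDP_PLAIN = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
]) + "\r\n"
SDP_SDES = "\r\n".join([
    "v=0", "o=- 2 2 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49172 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY",
]) + "\r\n"

# RTP profiles that carry SRTP (RFC 3711, RFC 5124, RFC 5764).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def audit_sdp(sdp, signaling_tls):
    """Return (media, verdict) for every m= stream in an SDP body."""
    streams, session_keying, current = [], set(), None
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            current = {"media": media, "port": int(port.split("/")[0]),
                       "proto": proto, "keying": set()}
            streams.append(current)
        elif line.startswith(("a=crypto:", "a=fingerprint:")):
            kind = "sdes" if line.startswith("a=crypto:") else "dtls"
            # Keying attributes before the first m= line apply to all streams.
            target = current["keying"] if current is not None else session_keying
            target.add(kind)
    verdicts = []
    for s in streams:
        keying = s["keying"] | session_keying
        if s["port"] == 0:
            verdict = "stream disabled"
        elif s["proto"] not in SRTP_PROFILES:
            verdict = "cleartext RTP"
        elif not keying:
            verdict = "SRTP profile without keying"
        elif "sdes" in keying and not signaling_tls:
            # SDES sends the SRTP master key inside the SDP itself.
            verdict = "SRTP key exposed in cleartext signaling"
        else:
            verdict = "protected"
        verdicts.append((s["media"], verdict))
    return verdicts
```

The second verdict is why the slide pairs SRTP with SIP/TLS: with SDES keying, media encryption is only as private as the signaling channel that carried the key.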
Thank You
See you all @ nullcon - Delhi
Q & A