+ All Categories
Home > Education > VoIP – vulnerabilities and attacks

VoIP – vulnerabilities and attacks

Date post: 08-May-2015
Category:

Education
Upload: nu-the-open-security-community
View: 9,486 times
Download: 2 times
Download Report this document
Share this document with a friend
Description:
null Mumbai July-August 2012 Meet
30
VoIP – Vulnerabilities and Attacks Presented by - push
Transcript
Page 1: VoIP – vulnerabilities and attacks

VoIP – Vulnerabilities and Attacks

Presented by- push

Page 2: VoIP – vulnerabilities and attacks

http://nullcon.net/

Agenda

• Introduction to VoIP– VoIP Architecture– VoIP Components– VoIP Protocols

• A PenTester Perspective– Attack Vectors– Scanning– Attacks– Tools of Trade– Countermeasures and Security

http://null.co.in/

Page 3: VoIP – vulnerabilities and attacks

http://nullcon.net/

Remember Something?

http://null.co.in/

Page 4: VoIP – vulnerabilities and attacks

http://nullcon.net/

VoIP

• IP Telephony• Voice over Internet Protocol• Subset of IP Telephony• Transmission of “Voice” over Packet-Switched

Network.

• Is it only Voice??? – Data, Audio, Video

http://null.co.in/

Page 5: VoIP – vulnerabilities and attacks

http://nullcon.net/

• Voice Analog Signals are converted to digital bits - “Sampled” and transmitted in packets

http://null.co.in/

VoIP

Analog Voice Signals

1010101010101101101101

1010101010101101101101

Internet

1010101010101101101101

1010101010101101101101

Analog Voice Signals 101010101010110110

11011010101010101101101

101

Page 6: VoIP – vulnerabilities and attacks

http://nullcon.net/

VoIP Architecture

http://null.co.in/

Ordinary Phone ATA Ethernet Router Internet

Page 7: VoIP – vulnerabilities and attacks

http://nullcon.net/http://null.co.in/

VoIP Architecture

IP Phone Ethernet IP-PBX Router Internet

Internet

IP Phone IP - PBX Modem / Router

Page 8: VoIP – vulnerabilities and attacks

http://nullcon.net/http://null.co.in/

VoIP Architecture

Softphone Phone Ethernet Router Internet

Internet

Page 9: VoIP – vulnerabilities and attacks

http://nullcon.net/http://null.co.in/

VoIP Architecture

Page 10: VoIP – vulnerabilities and attacks

http://nullcon.net/

VoIP Components

• User Agents (devices)• Media gateways• Signaling gateways• Gatekeepers• Proxy Servers

http://null.co.in/

GW Gateway MG Media Gateway GK GatekeeperMGC Media Gateway Controller NMS Network Management System IVR Interactive Voice Response

• Redirect Servers• Registrar Servers• Location Servers• Network management system• Billing systems

Page 11: VoIP – vulnerabilities and attacks

http://nullcon.net/

VoIP Protocols• Vendor Proprietary• Signaling Protocols• Media Protocols

http://null.co.in/

Page 12: VoIP – vulnerabilities and attacks

http://nullcon.net/http://null.co.in/

VoIP ProtocolsSIP Session Initiation Protocol

SGCP Simple Gateway Control Protocol

IPDC Internet Protocol device Control

RTP Real Time Transmission Protocol

SRTP Secure Real Time Transmission Protocol

RTCP RTP Control Protocol

SRTCP Secure RTP Control Protocol

MGCP Media Gateway Control Protocol

SDP Session Description Protocol

SAP Session Announcement Protocol

MIME Multipurpose Internet Mail

Extensions – Set of Standards

IAX Inter-Asterisk eXchange

Megaco H.248 Gateway Control Protocol

RVP over IP Remote Voice Protocol over IP

RTSP Real Time Streaming Protocol

SCCP Skinny Client Control Protocol (Cisco).

UNISTIM Unified Network Stimulus (Nortel).

Page 13: VoIP – vulnerabilities and attacks

http://nullcon.net/

VoIP Protocols - SIP

http://null.co.in/

Page 14: VoIP – vulnerabilities and attacks

http://nullcon.net/http://null.co.in/

VoIP Protocols – H.323

Page 15: VoIP – vulnerabilities and attacks

http://nullcon.net/

A PenTester Perspective

http://null.co.in/

Page 16: VoIP – vulnerabilities and attacks

http://nullcon.net/

VoIP – Attack Vectors

• Vulnerabilities of Both Data and Telephone Network

• CIA Triad

http://null.co.in/

Page 17: VoIP – vulnerabilities and attacks

http://nullcon.net/

VoIP - Scanning

• Scanning a network for VoIP enabled systems / devices.• Tools for Scanning and Enumeration :

– Nmap port scanner– Smap sip scanner. Finds SIP Enabled Servers– Svmap sip scanner– Svwar sip extension enumerator– Iwar VoIP Enabled modem Dialer– Metasploit Modules :

• H.323 version scanner• SIP enumerator SIP Username enumerator(UDP)• SIP enumerator_tcp SIP Username Enumerator(TCP)• Options SIP scanner(TCP)• Options_tcp SIP scanner(UDP)

http://null.co.in/

Page 18: VoIP – vulnerabilities and attacks

http://nullcon.net/

• Nmap scan

http://null.co.in/

VoIP – Scanning Demo

Page 19: VoIP – vulnerabilities and attacks

http://nullcon.net/

VoIP – Common Ports

http://null.co.in/

Protocol TCP Port UDP PortSIP 5060 5060SIP-TLS 5061 5061IAX2 - 4569http – web based management console

80 / 8080 -

tftp - 69RTP - 5004RTCP - 5005IAX1 - 5036SCCP 2000 SCCPS 2443 H.323 1720

Page 20: VoIP – vulnerabilities and attacks

http://nullcon.net/http://null.co.in/

VoIP – Scanning Demo• Smap• svmap

Page 21: VoIP – vulnerabilities and attacks

http://nullcon.net/http://null.co.in/

VoIP – Scanning Demo• Metasploit Scanner

Page 22: VoIP – vulnerabilities and attacks

http://nullcon.net/

VoIP - Attacks

• Identity Spoofing• Conversation Eavesdropping / Sniffing• Password Cracking• Man-In-The-Middle• SIP-Bye DoS• SIP Bombing• RTP Insertion Attacks• Web Based Management Console Hacks• Fuzzing• Default Passwords

http://null.co.in/

Page 23: VoIP – vulnerabilities and attacks

http://nullcon.net/

• Identity – Caller ID Spoofing– Tools Used :

• Metasploit- SIP_INVITE_Spoof• VoIP Fuzzer – Protos -Sip

http://null.co.in/

VoIP – Attacks Demo

Page 24: VoIP – vulnerabilities and attacks

http://nullcon.net/

• Conversation Eavesdropping– Tools used :

• Cain & Abel• Ettercap• Arpspoof• Wireshark

http://null.co.in/

VoIP – Attacks Demo

Page 25: VoIP – vulnerabilities and attacks

http://nullcon.net/

• Man-In-The-Middle– Tools Used :

• Wireshark• Arpspoof / ettercap• RTPInject• RTPmixsound

http://null.co.in/

VoIP – Attacks Demo

Page 26: VoIP – vulnerabilities and attacks

http://nullcon.net/

• Password Cracking– Tools Used :

• SIPDump• SIPCrack• svcrack

http://null.co.in/

VoIP – Attacks Demo

Page 27: VoIP – vulnerabilities and attacks

http://nullcon.net/

Some Default Passwords for VoIP Devices and Consoles:

•Asterisk Manager User Accounts are configured in /etc/asterisk/manager.conf

http://null.co.in/

VoIP - AttacksDevice / Console Username Password

Uniden UIP1868P VoIP phone Web Interface

- admin

Hitachi IP5000 VOIP WIFI Phone 1.5.6

- 0000

Vonage VoIP Telephone Adapter

user user

Grandstream Phones - Web Adimistrator Interface

Administrator /admin admin

user user

Page 28: VoIP – vulnerabilities and attacks

http://nullcon.net/

• UCSniff• VoIPHopper• Vomit• VoIPong• IAX Flood• InviteFlood• RTPFlood• IAXFlood• BYE-TearDown

http://null.co.in/

VoIP – Audit & PenTest Tools• MetaSploit Modules :

– Auxillary Modules • SIP enumerator SIP Username enumerator• SIP enumerator_tcp SIP USERNAME Enumerator• Options SIP scanner• Options_tcp SIP scanner• Asterisk_login Asterisk Manager Login Utility

– Exploits• Aol_icq_downloadagent AOL ICQ Arbitary File

Downlowd• Aim_triton_cseq AIM triton 1.0.4 CSeq Buffer

Overflow• Sipxezphone_cseq sipxezphone 0.35a Cseq Filed

Overflow• Sipxphone_cseq sipxPhone 2.6.0.27 Cseq Buffer

Overflow

Page 29: VoIP – vulnerabilities and attacks

http://nullcon.net/

Countermeasures & Security

• Separate Infrasrtucture• Do not integrate Data and VoIP Networks• VoIP-aware Firewalls,• Secure Protocols like SRTP, • Session Encryption using SIP/TLS, SCCP/TLS• Harden Network Security – IDS – IPS - NIPS

http://null.co.in/

Page 30: VoIP – vulnerabilities and attacks

http://nullcon.net/http://null.co.in/

Thank YouSee you all @ nullcon - Delhi

Q & A

http://nullcon.net/
http://nullcon.net/

Recommended
Blended attacks exploits, Vulnerabilities and Buffer-Overlow Techinques.pdf

Blended attacks exploits, Vulnerabilities and Buffer-Overlow Techinques.pdf

Documents

Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow ...

Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow ...

Documents

Attacks on Crown Jewels: SAP Vulnerabilities and Exploits

Attacks on Crown Jewels: SAP Vulnerabilities and Exploits

Documents

VoIP Security - Attacks and Solutionsoro.open.ac.uk/35292/1/JISS08_Voip_Attacks_n_Solutions_Revised.pdf · VoIP Security - Attacks and Solutions ... Voice over IP (VoIP) technology

VoIP Security - Attacks and Solutionsoro.open.ac.uk/35292/1/JISS08_Voip_Attacks_n_Solutions_Revised.pdf · VoIP Security - Attacks and Solutions ... Voice over IP (VoIP) technology

Documents

Vulnerabilities, Threats, Attacks, and Controls 11 coml A ...€¦ · Vulnerabilities, Threats, Attacks, and Controls . coml . A computer-based system has three separate but valuable

Vulnerabilities, Threats, Attacks, and Controls 11 coml A ...€¦ · Vulnerabilities, Threats, Attacks, and Controls . coml . A computer-based system has three separate but valuable

Documents

Ch04 Network Vulnerabilities and Attacks

Ch04 Network Vulnerabilities and Attacks

Education

802.11 Denial-of-Service Attacks Real Vulnerabilities …...802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department

802.11 Denial-of-Service Attacks Real Vulnerabilities …...802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department

Documents

Threats, Attacks, and Vulnerabilities · Threats, Attacks, and Vulnerabilities ... Salami Attack from Office Space. ... A computer virus is a type of malware that, when

Threats, Attacks, and Vulnerabilities · Threats, Attacks, and Vulnerabilities ... Salami Attack from Office Space. ... A computer virus is a type of malware that, when

Documents

Blended Attacks Exploits, Vulnerabilities and Buffer ... BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES √ Types of Vulnerability BUFFER

Blended Attacks Exploits, Vulnerabilities and Buffer ... BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES √ Types of Vulnerability BUFFER

Documents

Threats, Vulnerabilities, and Attacks

Threats, Vulnerabilities, and Attacks

Documents

Security-Web Vulnerabilities-Browser Attacks

Security-Web Vulnerabilities-Browser Attacks

Technology

Blended Attacks Exploits, Vulnerabilities and Buffer - Symantec

Blended Attacks Exploits, Vulnerabilities and Buffer - Symantec

Documents

Securing VoIP and PSTN from Integrated Signaling Network Vulnerabilities

Securing VoIP and PSTN from Integrated Signaling Network Vulnerabilities

Documents

Server-side web security (part 1 - attacks)...We illustrate common PHP vulnerabilities: String comparison attacks File inclusion attacks Deserialization attacks SQL injection attacks.

Server-side web security (part 1 - attacks)...We illustrate common PHP vulnerabilities: String comparison attacks File inclusion attacks Deserialization attacks SQL injection attacks.

Documents

Research Article Messaging Attacks on Android: Vulnerabilities …downloads.hindawi.com/journals/misy/2015/746930.pdf · Messaging Attacks on Android: Vulnerabilities and Intrusion

Research Article Messaging Attacks on Android: Vulnerabilities …downloads.hindawi.com/journals/misy/2015/746930.pdf · Messaging Attacks on Android: Vulnerabilities and Intrusion

Documents

Predicting Attacks on Vulnerabilities using Random Forest Sarell …trap.ncirl.ie/4177/1/sarelllopes.pdf · 2020-04-03 · Predicting Attacks on Vulnerabilities using Random Forest

Predicting Attacks on Vulnerabilities using Random Forest Sarell …trap.ncirl.ie/4177/1/sarelllopes.pdf · 2020-04-03 · Predicting Attacks on Vulnerabilities using Random Forest

Documents

Top 10 most interesting SAP vulnerabilities and attacks ... · PDF fileTop 10 most interesting SAP vulnerabilities and attacks Alexander Polyakov. ... Verb tampering 7 ... Слайд

Top 10 most interesting SAP vulnerabilities and attacks ... · PDF fileTop 10 most interesting SAP vulnerabilities and attacks Alexander Polyakov. ... Verb tampering 7 ... Слайд

Documents

Protect your IPPBX against VOIP attacks

Protect your IPPBX against VOIP attacks

Technology