sip headers
VOIP WARS: THE PHREAKERS AWAKEN
Fatih Ozavci – @fozavci
Managing Consultant – Context Information Security
Fatih Ozavci, Managing Consultant
VoIP & phreaking
Mobile applications and devices
Network infrastructure
CPE, hardware and IoT hacking
Author of Viproy and VoIP Wars
Public speaker and trainer
Blackhat, Defcon, HITB, AusCert, Troopers
Fundamentals
Design
Vulnerabilities
Practical UC Attacks
UC and IMS fundamentals
Security issues and vulnerabilities
Practical attacks
Securing communication services
Audio Call
TDM
Alice
Bob
Alice
Signalling
Media
RTP Proxy
SIP Server
Bob
1- REGISTER
1- 200 OK
2- INVITE SDP/XML
2- 100 Trying
3- INVITE SDP/XML
3- 200 OK SDP/XML
4- ACK
4- 200 OK SDP/XML
RTP
Phone A
RTP Proxy
SIP Server
RTP Proxy
Phone B
SIP Headers
• Caller ID
• Billing
SIP Content
• SDP
• Enc. Keys
RTP Content
• Audio/Video
• File sharing
• RDP
VoIP Server
Windows Server
Office Server
Active Directory
Virtual Machines
SIP & Media Server
Database Server
Tenant Services
Management Applications
Client Applications
PBX
Shared Services
Edge Server sky.com
Edge Server kenobi.com
DNS Server
DNS / SRV DNS / SRV
SIP / RTP
Kenobi Corp
Phone [email protected]
VoIP Server
Windows Server
Office Server
Active Directory
Virtual Machines
Phone [email protected]
Skywalker Corp
Phone [email protected]
Phone [email protected]
Call Session Control Function
(P-CSCF, S-CSCF, I-CSCF) VoLTE/LTE Infrastructure
Mobile Subscribers
UC/VoIP Subscribers
Session Border Controller (SBC)
Session Border Controller (SBC)
ACCESS NETWORK
CORE NETWORK
ACCESS NETWORK
Application Server (AS)
Home Subscriber Server (HSS)
Media Resource Function
MRFC / MRFP
Inter-vendor security issues
INSUFFICIENT client management
Missing client monitoring
Missing software updates
NO SIP/SDP or message filtering
Centralised attack deployment
Internal trust relationships
Meeting and conferencing options
Flexible collaboration options
Content transferred to clients
SIP/SDP content (e.g. format, codecs)
Rich messaging (e.g. rtf, html, audio)
Unified messaging
Injecting files, XSS, phishing, RCE
File transfers, embedded content
Communication subsystem
Call or SIP headers
Rarely secured protocols (e.g. MSRP)
Engage through a first contact point
UC messaging, conference invitation, courtesy phones
Combine old and new techniques
Use UC for malicious activities (e.g. MS-RTASPF)
Red Teaming Exercises
Courtesy phones, conference rooms, media gateways
Human Factor Testing
Vishing, smishing, instant messaging, UC exploits
Infrastructure Analysis
Toll fraud, caller ID spoofing, TDoS/DDoS
Application Security Assessments
Management portals, self-care portals
WebRTC, VoIP/UC apps, IVR software
Service requirements
Cloud, subscriber services, IMS
Billing, recordings, CDR, encryption
Trusted servers and gateways
SIP proxies, federations, SBCs
SIP headers used (e.g. ID, billing)
Tele/Video conference settings
Analyse the encryption design
SIP/(M)TLS, SRTP (SDES, ZRTP, MIKEY)
SIP header analysis
Caller ID spoofing, billing bypass
Communication types allowed
File transfer, RDP, MSRP, teleconference
Message content-types allowed
XSS, corrupted RTF, HTML5, images
Conference and collaboration
Fuzzing clients and servers
SIP headers, SDP content, file types
Combine with known attacks
Attacks with NO user interaction
Calls with caller ID spoofing
Fake IVR, social engineering
Messages with caller ID spoofing
Smishing (e.g. fake software update)
Injected XSS, file-type exploits
Bogus content-types or messages
Meetings, multi-callee events
Attacking infrastructure
Raspberry Pi with PoE, Eavesdropping
Unified Communication Solutions
Cisco Hosted Collaboration Suite
Microsoft Skype for Business (a.k.a Lync)
Free software (e.g. Kamailio, OpenIMS)
Other vendors (Avaya, Alcatel, Huawei)
Attacking through
Signalling services
Messaging, voicemail and conference system
Cloud management and billing
Authorisation scheme
Client services (self-care, IP phone services)
Vulnerable CPE
Credential extraction
Attacking through embedded devices
Insecurely located distributors
Hardware hacking, eavesdropping
SIP header and manipulation for
Toll Fraud
Attacking legacy systems (e.g. Nortel?)
Voicemail hijacking
Analysing encryption design
Implementation (e.g. SRTP, SIP/TLS)
Inter-vendor SRTP key exchange
Privacy and PCI compliance
Network segregation
IVR recordings (e.g. RTP events)
Eavesdropping
Call recordings security
Inter-vendor services design
Network and service segregation
*CSCF locations, SBC services used
VoLTE design, application services
SIP headers are very sensitive
Internal trust relationships
Filtered/Ignored SIP headers
Caller ID spoofing, Billing bypass
Encryption design (SIP, SRTP, MSRP)
Viproy VoIP Penetration Testing Kit (v4)
VoIP modules for Metasploit Framework
SIP, Skinny and MSRP services
SIP authentication, fuzzing, business logic tests
Cisco CUCDM exploits, trust analyser...
Viproxy MITM Security Analyser (v3)
A standalone Metasploit Framework module
Supports TCP/TLS interception with custom TLS certs
Provides a command console to analyse custom protocols
Cloud communications
SIP header tests, caller ID spoofing,
Billing bypass, hijacking IP phones
Signalling services
Attacking tools for SIP and Skinny
Advanced SIP attacks
Proxy bounce, SIP trust hacking
Custom headers, custom message-types
UC tests w/ Viproxy + Real Client
SIGNALLING / MESSAGING
• SDP / XML
• SIP Headers
• XMPP
• MSRP
CONTENT
• Message types (HTML, RTF, Docs)
• File types (Docs, Codecs)
• Caller ID Spoofing
• DoS / TDoS / Robocalls, Smishing
FORWARDED REQUESTS
• Call Settings
• Message Content
NO USER INTERACTION
• Call request parsing
• Message content parsing
• 3rd party libraries reachable
Unified Messaging
Message types (e.g. rtf, html, images)
Message content (e.g. JavaScript)
File transfers and sharing features
Code or script execution (e.g. SFB)
Encoding (e.g. Base64, Charset)
Various protocols
MSRP, XMPP, SIP/MESSAGE
Combining other attacks
MANIPULATE SIP CONTENT
INJECT MALICIOUS SUBJECTS
SEND PHISHING MESSAGES
Skype for Business
Attacker’s Client
Viproxy
Interactive Console
HACME 1
HACME 2
HACME 3
Attacker’s Client
TLS / Proxy
Certificate
Compression
Console
Enabling Features
Content Injection
Security Bypass
UC content forwarded to UC clients (NO interaction)
SIP INVITE headers
Message content
SIP/SDP content
Office 365
Federations
*MS15-123
Skype for Business
Attacker’s Client
Viproxy
Skype for Business Server
Changed Request
Forwarded Request
Call Request
URL filter bypass via JavaScript
<script>var u1="ht"; u2="tp"; u3="://";o="w"; k="."; i="";
u4=i.concat(o,o,o,k);
window.location=u1+u2+u3+u4+"viproy.com"</script>
Script execution via SIP messages
<script>window.location="viproy.com"</script>
Script execution via SIP headers
Ms-IM-Format: text/html; charset=UTF-8; ms-body=PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cudmlwcm95LmNvbSI8L3NjcmlwdD4=
Attacking through a PBX or proxy
Sending a meeting request
Using a CUSTOM SIP header
Waiting for the shells
Viproy
Skype for Business Server
SIP PBX Server
Forwarded Meeting Request
Meeting Request (Attack in SIP headers)
PRIVATE NETWORK
Forwarded Requests
Secure design
Enforce security via SBCs
Messaging, SIP headers, meetings…
Enforce authentication
Secure inter-vendor configuration
Protect the legacy systems
Protect the clients
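A filter for the "Script execution via SIP headers" and "Script execution via SIP messages" cases shown earlier, of the kind the "Enforce security via SBCs" bullet calls for. This is an added example, not code from the talk or from Viproy; the function names, the pattern list and the sample request (example.invalid addresses, constructed Call-ID) are assumptions.

```python
import base64
import re

# Markup that should not reach a UC client inside message content (strict on purpose).
ACTIVE = re.compile(rb"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript\s*:", re.I)

def parse(sip_message):
    """Split a SIP message into ({header: [values]}, body), unfolding folded headers."""
    head, _, body = sip_message.partition("\r\n\r\n")
    head = re.sub(r"\r\n[ \t]+", " ", head)   # RFC 3261 line folding
    headers = {}
    for line in head.split("\r\n")[1:]:       # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def inspect_message(sip_message):
    """Return findings an SBC-style filter would block or log; [] means clean."""
    headers, body = parse(sip_message)
    findings = []
    for value in headers.get("ms-im-format", []):
        media_type, *params = [p.strip() for p in value.split(";")]
        for param in params:
            key, _, encoded = param.partition("=")
            if key.strip().lower() != "ms-body":
                continue
            try:
                decoded = base64.b64decode(encoded, validate=True)
            except ValueError:                # binascii.Error subclasses ValueError
                findings.append("ms-body is not valid base64")
                continue
            if media_type.lower() == "text/html" and ACTIVE.search(decoded):
                findings.append("active content in Ms-IM-Format ms-body")
    ctype = " ".join(headers.get("content-type", [])).lower()
    if ctype.startswith("text/html") and ACTIVE.search(body.encode()):
        findings.append("active content in message body")
    return findings

def build_request(html, body="", method="INVITE"):
    """Constructed sample request; addresses and Call-ID are placeholders."""
    ms_body = base64.b64encode(html).decode()
    return (f"{method} sip:bob@example.invalid SIP/2.0\r\n"
            "From: <sip:alice@example.invalid>;tag=1\r\n"
            "To: <sip:bob@example.invalid>\r\n"
            "Call-ID: constructed-sample-1\r\n"
            "Ms-IM-Format: text/html; charset=UTF-8;\r\n"
            f" ms-body={ms_body}\r\n"
            "Content-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")
```

The filter decodes ms-body before matching, so it inspects the markup the client would render and not the Base64 text, and it unfolds continuation lines so a folded header cannot hide the parameter.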
Securing Unified Communications (UC) is NOT
just securing VoIP.
Brace yourselves, VoIP/UC attacks are coming.
#TaylorYourCommunicationSecurity !
Viproy VoIP Penetration Testing Kit
http://www.viproy.com
Context Information Security
http://www.contextis.com
QUESTIONS?
THANKS!