null Mumbai July-August 2012 Meet
VoIP – Vulnerabilities and Attacks
Presented by: push
http://nullcon.net/
Agenda
• Introduction to VoIP
  – VoIP Architecture
  – VoIP Components
  – VoIP Protocols
• A PenTester Perspective
  – Attack Vectors
  – Scanning
  – Attacks
  – Tools of Trade
  – Countermeasures and Security
http://null.co.in/
Remember Something?
VoIP
• IP Telephony
• Voice over Internet Protocol
• Subset of IP Telephony
• Transmission of “Voice” over Packet-Switched Network.
• Is it only Voice??? – Data, Audio, Video
VoIP
• Analog voice signals are converted to digital bits (“sampled”) and transmitted in packets.
[Figure: Analog Voice Signals → digital bits → Internet → digital bits → Analog Voice Signals]
VoIP Architecture
[Diagram: Ordinary Phone, ATA, Ethernet, Router, Internet]
VoIP Architecture
[Diagram: IP Phone, Ethernet, IP-PBX, Modem / Router, Internet]
VoIP Architecture
[Diagram: Softphone, Phone, Ethernet, Router, Internet]
VoIP Architecture
VoIP Components
• User Agents (devices)
• Media gateways
• Signaling gateways
• Gatekeepers
• Proxy Servers
• Redirect Servers
• Registrar Servers
• Location Servers
• Network management system
• Billing systems
[Figure legend: GW – Gateway; MG – Media Gateway; GK – Gatekeeper; MGC – Media Gateway Controller; NMS – Network Management System; IVR – Interactive Voice Response]
VoIP Protocols
• Vendor Proprietary
• Signaling Protocols
• Media Protocols
VoIP Protocols
SIP – Session Initiation Protocol
SGCP – Simple Gateway Control Protocol
IPDC – Internet Protocol Device Control
RTP – Real Time Transmission Protocol
SRTP – Secure Real Time Transmission Protocol
RTCP – RTP Control Protocol
SRTCP – Secure RTP Control Protocol
MGCP – Media Gateway Control Protocol
SDP – Session Description Protocol
SAP – Session Announcement Protocol
MIME – Multipurpose Internet Mail Extensions (Set of Standards)
IAX – Inter-Asterisk eXchange
Megaco H.248 – Gateway Control Protocol
RVP over IP – Remote Voice Protocol over IP
RTSP – Real Time Streaming Protocol
SCCP – Skinny Client Control Protocol (Cisco)
UNISTIM – Unified Network Stimulus (Nortel)
VoIP Protocols - SIP
VoIP Protocols – H.323
A PenTester Perspective
VoIP – Attack Vectors
• Vulnerabilities of Both Data and Telephone Network
• CIA Triad
VoIP - Scanning
• Scanning a network for VoIP enabled systems / devices.
• Tools for Scanning and Enumeration:
  – Nmap: port scanner
  – Smap: SIP scanner. Finds SIP enabled servers
  – Svmap: SIP scanner
  – Svwar: SIP extension enumerator
  – Iwar: VoIP enabled modem dialer
  – Metasploit Modules:
    • H.323 version scanner
    • SIP enumerator: SIP Username Enumerator (UDP)
    • SIP enumerator_tcp: SIP Username Enumerator (TCP)
    • Options: SIP scanner (TCP)
    • Options_tcp: SIP scanner (UDP)
VoIP – Scanning Demo
• Nmap scan
VoIP – Common Ports
| Protocol | TCP Port | UDP Port |
|---|---|---|
| SIP | 5060 | 5060 |
| SIP-TLS | 5061 | 5061 |
| IAX2 | - | 4569 |
| http – web based management console | 80 / 8080 | - |
| tftp | - | 69 |
| RTP | - | 5004 |
| RTCP | - | 5005 |
| IAX1 | - | 5036 |
| SCCP | 2000 | |
| SCCPS | 2443 | |
| H.323 | 1720 | |
VoIP – Scanning Demo
• Smap
• svmap
VoIP – Scanning Demo
• Metasploit Scanner
VoIP - Attacks
• Identity Spoofing
• Conversation Eavesdropping / Sniffing
• Password Cracking
• Man-In-The-Middle
• SIP-Bye DoS
• SIP Bombing
• RTP Insertion Attacks
• Web Based Management Console Hacks
• Fuzzing
• Default Passwords
VoIP – Attacks Demo
• Identity – Caller ID Spoofing
  – Tools Used:
    • Metasploit – SIP_INVITE_Spoof
    • VoIP Fuzzer – Protos-Sip
VoIP – Attacks Demo
• Conversation Eavesdropping
  – Tools Used:
    • Cain & Abel
    • Ettercap
    • Arpspoof
    • Wireshark
VoIP – Attacks Demo
• Man-In-The-Middle
  – Tools Used:
    • Wireshark
    • Arpspoof / ettercap
    • RTPInject
    • RTPmixsound
VoIP – Attacks Demo
• Password Cracking
  – Tools Used:
    • SIPDump
    • SIPCrack
    • svcrack
VoIP - Attacks
Some Default Passwords for VoIP Devices and Consoles:

| Device / Console | Username | Password |
|---|---|---|
| Uniden UIP1868P VoIP phone Web Interface | - | admin |
| Hitachi IP5000 VOIP WIFI Phone 1.5.6 | - | 0000 |
| Vonage VoIP Telephone Adapter | user | user |
| Grandstream Phones - Web Administrator Interface | Administrator / admin | admin |
| | user | user |

• Asterisk Manager user accounts are configured in /etc/asterisk/manager.conf
VoIP – Audit & PenTest Tools
• UCSniff
• VoIPHopper
• Vomit
• VoIPong
• IAX Flood
• InviteFlood
• RTPFlood
• IAXFlood
• BYE-TearDown
• Metasploit Modules:
  – Auxiliary Modules
    • SIP enumerator: SIP Username Enumerator
    • SIP enumerator_tcp: SIP Username Enumerator
    • Options: SIP scanner
    • Options_tcp: SIP scanner
    • Asterisk_login: Asterisk Manager Login Utility
  – Exploits
    • Aol_icq_downloadagent: AOL ICQ Arbitrary File Download
    • Aim_triton_cseq: AIM Triton 1.0.4 CSeq Buffer Overflow
    • Sipxezphone_cseq: sipxezphone 0.35a CSeq Field Overflow
    • Sipxphone_cseq: sipxPhone 2.6.0.27 CSeq Buffer Overflow
Countermeasures & Security
• Separate Infrastructure
• Do not integrate Data and VoIP Networks
• VoIP-aware Firewalls
• Secure Protocols like SRTP
• Session Encryption using SIP/TLS, SCCP/TLS
• Harden Network Security – IDS – IPS – NIPS
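
One way an IDS-style check for the SIP username / extension enumeration named on the scanning slides could work, as an added example that is not part of the original deck. The log format, addresses, extensions, thresholds and the function name `find_enumerators` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed log format (not from the slides): "<epoch> <src-ip> <METHOD> <To URI>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+sips?:([^@\s]+)@\S+$")
# Requests that reveal whether an extension exists when sprayed across many users.
PROBE_METHODS = {"REGISTER", "OPTIONS", "INVITE"}

def find_enumerators(lines, window=60, max_users=5):
    """Return {src_ip: users} for sources that probe more than max_users
    distinct extensions inside any window of `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(3) in PROBE_METHODS:
            events[m.group(2)].append((int(m.group(1)), m.group(4)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {user for _, user in evs[start:end + 1]}
            if len(users) > max_users:
                flagged[src] = sorted(users)  # users in the first offending window
                break
    return flagged

# Constructed sample data (documentation address ranges, made-up extensions).
SAMPLE = (
    # A phone re-registering its own extension and placing one call.
    ["1000 192.0.2.10 REGISTER sip:100@pbx.example.test",
     "1030 192.0.2.10 REGISTER sip:100@pbx.example.test",
     "1040 192.0.2.10 INVITE sip:101@pbx.example.test"]
    # A busy but slow caller: eight extensions, ten minutes apart.
    + [f"{1000 + 600 * i} 192.0.2.20 INVITE sip:{200 + i}@pbx.example.test"
       for i in range(8)]
    # An enumerator: ten extensions in ten seconds.
    + [f"{1000 + i} 198.51.100.7 REGISTER sip:{100 + i}@pbx.example.test"
       for i in range(10)]
)

if __name__ == "__main__":
    for src, users in find_enumerators(SAMPLE).items():
        print(f"possible SIP extension enumeration from {src}: {users}")
```

The time window is what separates the slow caller from the enumerator; both touch more than five extensions overall, but only one does so within 60 seconds.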
Thank You
See you all @ nullcon - Delhi
Q & A