positive-hack-days
Description
Participants will gain an understanding of the fundamentals of IP telephony, together with basic skills in finding vulnerabilities, using common IP-PBXs and subscriber devices as examples. Both typical network vulnerabilities and complex cases discovered during security assessments of real networks are covered.
VOIP insecurities workshop
“I just called to say I pwn you
I just called to say how much I care
I just called to say I own you
And I mean it from the bottom of my heart”
Stevie Wonder
Agenda
VOIP
• PSTN & VOIP
• PSTN vs. VOIP
• VOIP protocols
• VOIP security
Attacking VOIP
• Enumerating VOIP devices
• RTP attacks + demonstration
• SIP attacks + practice
• Further readings
PSTN / Public switched telephone network
VOIP / Voice over Internet Protocol
PSTN vs. VOIP
Network
• PSTN: closed network
• VOIP: public network (Internet)
End-user devices
• PSTN: simple devices
• VOIP: complex devices
Authentication
• PSTN: no mobility (authentication by wire)
• VOIP: mobility
VOIP protocols
Signaling protocols | Media protocols
Call control and media stream use different routes
VOIP protocols: Signaling (short overview)
• SIP: Session Initiation Protocol
• SDP: Session Description Protocol
• H.323
• MGCP: Media Gateway Control Protocol
• SCCP: Skinny Client Control Protocol
• RTCP: Real-time Transport Control Protocol
VOIP protocols: Media and Hybrid (short overview)
Media
• RTP/SRTP
Hybrid (signaling + media)
• IAX/IAX2
VOIP insecurities
Confidentiality
• eavesdropping, recording, …
Availability
• DoS, buffer overflows, …
Authentication
• registration hijacking, Caller ID spoofing, …
Fraud
• toll fraud, data masquerading, …
SPIT (SPAM over IP Telephony)
• voice phishing, unsolicited calling, …
VOIP insecurities: Topics for today
Enumeration of VOIP devices
• search engines
• port scanning
RTP
• eavesdropping/recording calls
• inserting data into media stream
• DoS
SIP
• searching extensions
• Caller name spoofing
• DoS
Enumerating VOIP devices: Google hacking
Google hacking
• GHDB
• User manual -> request Google
inurl: intitle: site:<Customer> !
Examples:
• Asterisk Management Portal: intitle:asterisk.management.portal web-access
• Cisco Phones: inurl:"NetworkConfiguration" cisco
• Cisco CallManager: inurl:"ccmuser/logon.asp"
• D-Link Phones: intitle:"D-Link DPH" "web login setting"
• Grandstream Phones: intitle:"Grandstream Device Configuration" password
• Linksys (Sipura) Phones: intitle:" SPA Configuration"
• Polycom Soundpoint Phones: intitle:"SoundPoint IP Configuration"
Enumerating VOIP devices: Shodan [1/2]
www.shodanhq.com
• search for domain names, IPs, ports
Enumerating VOIP devices: Shodan [2/2]
Banner grabbing
• passwordless Snom phones
Enumerating VOIP devices: nmap
VOIP scanners
• smap
• svmap (sipvicious)
Fyodor’s nmap
• -sU
UDP scanning: common problems
Enumerating VOIP devices: Common ports
VOIP protocols
• 5060-5070, 1718-1720, 2517, …
• RTP ports are allocated dynamically
Management protocols
• TCP 21-23, 80, 443, 8088, …
• UDP 161, 162, 69, …
IANA
• Internet Assigned Numbers Authority
• grep <vendor> www.iana.org/assignments/port-numbers
RTP
Real-time Transport Protocol
• RFC 1889 (1996) -> RFC 3550 (2003)
• Media over IP/UDP
• Packet reordering
• Used with signaling protocols (SIP, H.323, MGCP)
RTCP (Real-time Transport Control Protocol)
• RTCP port = RTP port + 1
RTP Attacks
Call interception
• Attacking layers 2, 3
• Decoding intercepted data
Injection into call
• Finding RTP port
• Injecting media stream
Denial of Service
• RTP flood
RTP Attacks: Call interception
ARP spoofing
• Cain & Abel
• ettercap
• arpspoof (dsniff)
Wireshark
• Telephony -> VOIP calls
Demo
RTP Attacks: Injection: Synchronization in RTP
• sequence number: position in media stream (+=1)
• timestamp: sampling (+=1)
• SSRC: identifies the source; constant (random 32-bit value)
• payload type: codec in use
RTP Attacks: Injection
Unencrypted
• deployment issues (debug)
• QoS issues
• key distribution
UDP: connectionless
Data requirements:
• SSRC
• timestamp, sequence number: monotonically increasing
• timestamp, sequence number: fuzzing
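The same header fields that an injected stream has to imitate (SSRC, sequence number, timestamp) are also what a receiver or a monitoring probe can check to notice that a second sender has joined a call. The following is an added example, not code from the workshop or from any RTP tool it mentions: it parses the fixed RTP header from RFC 3550 and keeps, per call, the SSRC negotiated at call setup plus the last sequence number and timestamp, flagging packets with a foreign SSRC, sequence jumps, backwards sequence numbers or a non-increasing timestamp. The packets, the SSRC value, the 160-sample G.711 packet size and the jump threshold of 50 are constructed assumptions for the demonstration.

```python
"""RTP fixed-header parsing and a per-stream continuity monitor (added example).

Constructed sample packets; nothing here is captured traffic.
"""
import struct
from dataclasses import dataclass

RTP_FIXED_HEADER_LEN = 12  # V/P/X/CC, M/PT, seq (16), timestamp (32), SSRC (32)


@dataclass
class RtpHeader:
    version: int
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int


def parse_rtp_header(packet: bytes) -> RtpHeader:
    """Decode the 12-byte fixed RTP header; raise ValueError if malformed."""
    if len(packet) < RTP_FIXED_HEADER_LEN:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_FIXED_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    return RtpHeader(version, b1 & 0x7F, seq, ts, ssrc)


def build_rtp_packet(seq: int, ts: int, ssrc: int, payload_type: int = 0,
                     payload: bytes = b"\xff" * 160) -> bytes:
    """Constructed test packet: version 2, no padding/extension/CSRC, marker 0."""
    return struct.pack("!BBHII", 2 << 6, payload_type & 0x7F, seq, ts, ssrc) + payload


class RtpStreamMonitor:
    """Track one call leg: the SSRC agreed at setup and the last seq/timestamp seen."""

    MAX_SEQ_JUMP = 50  # assumption: more than 50 lost packets in a row is suspicious

    def __init__(self, expected_ssrc: int):
        self.expected_ssrc = expected_ssrc
        self.last_seq = None
        self.last_ts = None
        self.alerts = []

    def observe(self, packet: bytes) -> list:
        """Return the list of anomalies this packet triggers (empty if none)."""
        h = parse_rtp_header(packet)
        found = []
        if h.ssrc != self.expected_ssrc:
            found.append(f"foreign SSRC 0x{h.ssrc:08x} (expected 0x{self.expected_ssrc:08x})")
        elif self.last_seq is not None:
            # both counters wrap, so compare modulo their width
            seq_delta = (h.sequence - self.last_seq) & 0xFFFF
            ts_delta = (h.timestamp - self.last_ts) & 0xFFFFFFFF
            if seq_delta == 0 or seq_delta > 0x8000:
                found.append(f"sequence backwards/duplicate: {self.last_seq} -> {h.sequence}")
            elif seq_delta > self.MAX_SEQ_JUMP:
                found.append(f"sequence jump of {seq_delta}")
            if ts_delta == 0 or ts_delta > 0x80000000:
                found.append(f"timestamp not increasing: {self.last_ts} -> {h.timestamp}")
        if h.ssrc == self.expected_ssrc:
            # a real receiver follows the stream, so the state advances even on anomalies
            self.last_seq, self.last_ts = h.sequence, h.timestamp
        self.alerts.extend(found)
        return found


def check_stream(expected_ssrc: int, packets: list) -> list:
    """Run the monitor over a packet list and return every alert raised."""
    mon = RtpStreamMonitor(expected_ssrc)
    for p in packets:
        mon.observe(p)
    return mon.alerts


if __name__ == "__main__":
    ssrc = 0x12345678  # constructed SSRC "negotiated" for this call
    legit = [build_rtp_packet(100 + i, 16000 + 160 * i, ssrc) for i in range(3)]
    intruder = [build_rtp_packet(5, 999, 0xDEADBEEF)]  # second sender, own SSRC
    for alert in check_stream(ssrc, legit[:2] + intruder + legit[2:]):
        print(alert)
```

A probe that sees the SDP of the call knows the expected SSRC and RTP port, so the foreign-SSRC rule is cheap and exact; the sequence and timestamp rules catch the case where the second sender copies the SSRC, at the cost of occasional false positives on very lossy links, which is why the jump threshold is a tunable assumption.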
RTP Attacks: Injection
Finding RTP port
• Intercept SDP
• Port scan
Media injection
• Requirements: frequency, codec
Demo
• SDP || nmap
• rtpinsertsound
• not working 100%?
RTP Attacks: Denial of Service
Flood
• Low bandwidth requirements
• Media stream = high load
• Authentication: SIP only
• and again … UDP: connectionless
Demo
• rtpflood
SIP
Session Initiation Protocol
• Application layer (TCP/UDP)
• ASCII header
• SIP header ~= e-mail header
• URI
SIP Components
UA (User Agent), Proxy, Registrar, Redirect
(diagrams: call via Proxy; call via Redirect)
SIP Attacks
Using somebody’s PBX
• Extension enumeration
• Bruteforce extension password
Caller name spoofing
Registration hijacking
Denial of service
• Busy lines
SIP Requests
INVITE: indicates a client is being invited to participate in a call session
BYE: terminates a call; can be sent by either the caller or the callee
OPTIONS: queries the capabilities of servers
REGISTER: registers the address listed in the To header field with a SIP server
ACK: confirms that the client has received a final response to an INVITE request
CANCEL: cancels any pending request
more …
SIP Answers
1xx Informational (100 Trying, 180 Ringing)
2xx Successful (200 OK, 202 Accepted)
3xx Redirection (302 Moved Temporarily)
4xx Request Failure (404 Not Found, 482 Loop Detected)
5xx Server Failure (501 Not Implemented)
6xx Global Failure (603 Decline)
basic SIP call
SIP Attacks: Using somebody’s PBX
PBX
• Extension enumeration
• Bruteforcing passwords
• Making a call
Practice with Sipvicious
• svmap <ip>
• svwar -e <extensions> -m <REQUEST> <ip>
• svcrack -u <extension> -d <dictionary> <ip>
• Setting up a softphone
SIP Attacks: Caller name spoofing
Caller name spoofing
• Softphone
Practicing with X-Lite
• Softphone: caller name spoofing
• Display name: ' 1=1 --
• Domain: IP of the UA
• Register: disable
SIP Attacks: Registration hijacking
Registration hijacking
• INVITE to PBX
• Search user in Registrar
• Registration is in Contact header: IP address
Practicing with X-Lite: Register settings
• rate
SIP Attacks: Denial of Service
Denial of Service
• No auth: -> INVITE, <- 100 Trying, … <- Busy here
• HTTP digest: -> INVITE, generation/storing of nonce
Practice
• inviteflood
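Because SIP is text with e-mail-style headers, the PBX-side trace of the two practice exercises (an svwar sweep of extensions, an inviteflood run) is easy to recognise in a message log: one source addressing many distinct To users in a short window, mostly answered with 4xx, and one source sending INVITEs faster than any phone would. The block below is an added example, not code from the workshop, from SIPVicious or from inviteflood. It shows a minimal SIP parser (start line, headers, response class 1xx..6xx as on the SIP Answers slide) and two detection heuristics over constructed events; the domain pbx.example, the documentation-range IP addresses, the window sizes and the thresholds (5 distinct users per minute, 20 INVITEs per 10 seconds) are all assumptions.

```python
"""Minimal SIP parsing plus enumeration and INVITE-flood detection (added example).

Events are (timestamp_seconds, source_ip, raw_message); every message is constructed.
"""
import re
from collections import defaultdict

STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Request Failure", 5: "Server Failure", 6: "Global Failure"}


def parse_sip(raw: str) -> dict:
    """Split a SIP message into start line, lowercased header names, and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    start = lines[0]
    if start.startswith("SIP/2.0 "):
        code = int(start.split(" ", 2)[1])
        msg.update(kind="response", status=code, status_class=STATUS_CLASSES[code // 100])
    else:
        method, uri, _ = start.split(" ", 2)
        msg.update(kind="request", method=method, uri=uri)
    return msg


def user_part(addr: str) -> str:
    """User from a To/From value such as '"Bob" <sip:201@pbx.example>;tag=x'."""
    m = re.search(r"sip:([^@;>]+)", addr)
    return m.group(1) if m else ""


def detect_enumeration(events, window=60.0, min_distinct=5) -> dict:
    """Sources that address >= min_distinct different To users within `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, raw in events:
        msg = parse_sip(raw)
        if msg["kind"] == "request":
            per_src[src].append((ts, user_part(msg["headers"].get("to", ""))))
    flagged = {}
    for src, seen in per_src.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            users = {u for t, u in seen[i:] if t - t0 <= window}
            if len(users) >= min_distinct:
                flagged[src] = len(users)
                break
    return flagged


def detect_invite_flood(events, window=10.0, max_invites=20) -> dict:
    """Sources sending more than max_invites INVITEs inside any `window`-second span."""
    per_src = defaultdict(list)
    for ts, src, raw in events:
        msg = parse_sip(raw)
        if msg["kind"] == "request" and msg["method"] == "INVITE":
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        j = 0  # sliding window start
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            if i - j + 1 > max_invites:
                flagged[src] = i - j + 1
                break
    return flagged


def sip_request(method: str, to_user: str, from_user: str = "scan") -> str:
    """Constructed request text; pbx.example and the addresses are placeholders."""
    return (f"{method} sip:{to_user}@pbx.example SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 203.0.113.5:5060\r\n"
            f"From: <sip:{from_user}@203.0.113.5>;tag=1\r\n"
            f"To: <sip:{to_user}@pbx.example>\r\n"
            f"Call-ID: {from_user}-{to_user}@203.0.113.5\r\n\r\n")


# constructed: one source sweeping extensions 100..109 in 10 s, plus one normal call
SWEEP_EVENTS = ([(float(i), "203.0.113.5", sip_request("REGISTER", str(100 + i)))
                 for i in range(10)]
                + [(0.5, "198.51.100.7", sip_request("INVITE", "201", "alice"))])
# constructed: 30 INVITEs to the same extension within 3 s from one source
FLOOD_EVENTS = [(i * 0.1, "203.0.113.9", sip_request("INVITE", "100")) for i in range(30)]

if __name__ == "__main__":
    print("enumeration:", detect_enumeration(SWEEP_EVENTS))
    print("invite flood:", detect_invite_flood(FLOOD_EVENTS))
```

Both detectors key on the source address, which is what a PBX or SBC would then rate-limit or block; the nonce-storage cost of digest authentication mentioned on the slide is bounded in the same way, by refusing to issue further challenges to a source that already exceeds the INVITE threshold.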
Further reading
Set up a lab
• http://enablesecurity.com/resources/how-to-set-up-a-voip-lab-on-a-shoe-string/
Read and practice
• Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
Advanced attacks
• “Having fun with RTP” by kapejod
• “SIP home gateways under fire”
• Fuzzing
Q&A