SIP Tactics - PowerPoint PPT Presentation

Slides: 48
Provided by: base167
Learn more at: http://ilhack.org
Transcript and Presenter's Notes

1
SIP Tactics Exploitation
ILHACK 2009
By Jacky Altal and Yossef Cohen
2
About us: Jacky (4lt4l)
  • Professional Experience
  • Two years as a security and data communication
    expert at a local company.
  • Six years as a software developer and Security
    Consultant at a local Bio-Tech company.
  • Hacking Defined leading instructor, Technion
    CISO/SECPROF programs.
  • Specializing in
  • Penetration Testing
  • Vulnerability Research
  • Forensics Investigations

3
TOC
  • VoIP - The Real World
  • VoIP - Know Your Environment
  • VoIP - Security Threats
  • VoIP - Lab
  • VoIP - Q&A
7
VoIP Reality
Why do we ask those questions? According to
Emerging Cyber Threats for 2009 (Georgia Tech
Info Sec Center), more than 75 percent of
corporate phone lines will be using Voice over IP
(VoIP) in the next two years. From the outset,
VoIP infrastructure has been vulnerable to the
same types of attacks that plague other networked
computing architectures. When voice is digitized,
encoded, compressed into packets and exchanged
over IP networks, it is susceptible to misuse.
Cyber criminals will be drawn to the VoIP medium
to engage in voice fraud, data theft and other
scams, similar to the problems email has
experienced. Denial of service, remote code
execution and botnets all apply to VoIP networks,
and will become more problematic for mobile
devices as well.
Emerging Cyber Threats for 2009 by the Georgia Tech
Information Security Center
8
VoIP Reality
VoIP is about convergence. The idea is that you
save money and resources and time. Next
Generation Security
Because VoIP connects telephone calls via the
Internet, it shares the Internet's
weaknesses. Many incumbent telecommunication
carriers have started offering VoIP; the aspect
of security, or lack thereof, is misunderstood by
some of the VoIP service providers. Includes
local providers. I'm n0t Smiling
9
VoIP Reality
10
VoIP Home
12
About us: Yossef Cohen (SIPM4ST3R)
  • Professional Experience
  • 10 years of experience in the telecom market
    working for Amdocs Israel, the last 3 years as
    Integration Manager for projects such as Sprint 4G,
    AT&T and BMCC China
  • Founder of MaxxVoice.com, developed during the
    Sabbatical year in 2006.
  • Specializing in
  • Penetration Testing
  • Vulnerability Research
  • Forensics Investigations

13
VoIP - Know Your Environment - VoIP
  • VoIP: Voice over Internet Protocol
  • Phone calls over the internet
  • Used through softphones or IP phones/ATA
  • Supports QoS
  • Supports several audio codecs

14
VoIP - Know Your Environment - SIP
  • SIP: Session Initiation Protocol
  • Used for signaling
  • Supports audio and video
  • TCP and UDP
  • Uses port 5060
  • ASCII protocol like SMTP and HTTP

15
VoIP - Know Your Environment - RTP
  • RTP: Real-time Transport Protocol
  • Used for the voice transport
  • UDP
  • Is dynamic, not using standard ports
  • RTCP: RTP Control Protocol
  • Controls and monitors the voice transport

16
VoIP - Know Your Environment - Addressing
  • SIP uses a mail-format address, in the pattern
  • <user | phone number>@<domain | hostname | IP address>
  • Some examples
  • jacky@sip.maxxvoice.com
  • yossef@sip.maxxvoice.com

17
VoIP - Know Your Environment - SIP Signaling
18
VoIP - Know Your Environment - SIP Signaling
  • INVITE from caller
  • INVITE sip:401@192.168.5.15 SIP/2.0
  • Via: SIP/2.0/UDP 192.168.0.204:5060;rport;branch=z9hG4bK42ccbc6905
  • From: <sip:402@192.168.5.10>;tag=33a31c9c
  • To: <sip:401@192.168.5.15>
  • Call-ID: 42fe147836f1f4a446f4572a5386aaca@192.168.0.204
  • Contact: <sip:402@192.168.15.10:5060>
  • CSeq: 801 INVITE
  • Max-Forwards: 70
  • Allow: INVITE,CANCEL,ACK,BYE,NOTIFY,REFER,OPTIONS,INFO,MESSAGE
  • Content-Type: application/sdp
  • User-Agent: Nologo
  • Content-Length: 429

19
VoIP - Know Your Environment - SIP Signaling
  • Ringing
  • <--- SIP read from 192.168.5.15:5060 --->
  • SIP/2.0 180 Ringing
  • Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK565267b5
  • From: <sip:401@192.168.5.15>;tag=as23f90079
  • To: <sip:402@192.168.5.10;user=phone>;tag=419b9912cbfa34b2
  • Call-ID: 1bdfcd7c378f2a7e55c3b4591d608db0@cohenet.dyndns.org
  • CSeq: 102 INVITE
  • User-Agent: Grandstream HT488 1.0.3.64 FXS
  • Content-Length: 0

20
VoIP - Know Your Environment - SIP Signaling
  • OK from called peer (answered)
  • <--- SIP read from 192.168.5.10:5060 --->
  • SIP/2.0 200 OK
  • Via: SIP/2.0/UDP 192.168.5.10:5060;rport;branch=z9hG4bK62b65b4f29;received=192.168.5.10
  • From: <sip:402@192.168.5.10>;tag=1983eb6f
  • To: <sip:401@192.168.5.15>;tag=as36a497bc
  • Call-ID: 73bf4cb01443f22e78d0b4664df3d281@192.168.0.204
  • CSeq: 802 INVITE
  • User-Agent: SIPM4ST3R
  • Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
  • Supported: replaces
  • Contact: <sip:401@192.168.5.15>
  • Content-Type: application/sdp
  • Content-Length: 264

21
VoIP - Know Your Environment - SIP Signaling
  • ACK from caller to start the RTP session
  • <--- SIP read from 192.168.5.10:5060 --->
  • ACK sip:401@192.168.5.15;user=phone SIP/2.0
  • Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK384d1e7a
  • From: <sip:402@192.168.5.10>;tag=as23f90079
  • To: <sip:401@192.168.5.15;user=phone>;tag=419b9912cbfa34b2
  • Contact: <sip:402@192.168.5.10>
  • Call-ID: 1bdfcd7c378f2a7e55c3b4591d608db0@192.168.5.10
  • CSeq: 102 ACK
  • User-Agent: SIPM4ST3R
  • Max-Forwards: 70
  • Content-Length: 0

22
VoIP - Know Your Environment - SIP Signaling
  • BYE from called peer, hang-up
  • <--- SIP read from 192.168.5.15:5060 --->
  • BYE sip:402@192.168.5.10 SIP/2.0
  • Via: SIP/2.0/UDP 192.168.0.202;branch=z9hG4bKbcb6e24514450a48
  • From: <sip:401@192.168.5.15;user=phone>;tag=2efac6b2150259f8
  • To: <sip:402@192.168.5.10>;tag=as1ca51ab9
  • Call-ID: 68b836e61e5356b820593f69008a74de@192.168.5.10
  • CSeq: 33409 BYE
  • User-Agent: Grandstream HT488 1.0.3.64 FXS
  • Max-Forwards: 70
  • Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE
  • Content-Length: 0

23
VoIP - Know Your Environment - SIP Signaling
  • BYE from caller
  • <--- SIP read from 192.168.5.10:5060 --->
  • SIP/2.0 200 OK
  • Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK099b03fe
  • From: <sip:401@192.168.5.10>;tag=as36a497bc
  • To: <sip:402@192.168.5.15>;tag=1983eb6f
  • Call-ID: 73bf4cb01443f22e78d0b4664df3d281@192.168.5.15
  • CSeq: 102 BYE
  • Content-Length: 0

24
VoIP - Security Threats
Threats by layer:
  • Network: MAC Spoofing, ARP Flood, ARP Cache, Physical attack
  • Internet: IP Frag, Redirect via IP, IP Spoofing
  • Transport: TCP/UDP Replay, TCP/UDP Flood
  • Application: RTP Tamper Spoof, DHCP Insertion, Tftp Insertion
25
VoIP Reality
26
VoIP Reality
27
VoIP Reality
28
Unblock the Blocker, Kevin Mitnick
30
Google Dork: intext:"FreePBX Administration"
"Welcome" inurl:Admin
Default Trix Box VOIP Servers
Default passwords, vulnerable servers.
33
Directory Harvesting
VoIP directory harvesting attacks occur when
attackers attempt to find valid VoIP addresses by
conducting brute force attacks on a network. The
attacker can send thousands of VoIP addresses to a
particular VoIP domain; those that are not
returned are valid VoIP clients.
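Detection side of the directory harvesting described above, as an added example that is not part of the presentation: a sliding-window count of distinct target users per source address over a proxy log. The log format, the thresholds and the sample lines are assumptions constructed for this example.

```python
from collections import defaultdict

PROBE_METHODS = {"REGISTER", "OPTIONS", "INVITE"}

def find_harvesters(lines, window=60, max_users=20):
    """Map source IP -> peak number of distinct target users seen within any
    `window` seconds, for sources whose peak exceeds `max_users`."""
    per_source = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or parts[2] not in PROBE_METHODS:
            continue  # skip lines that are not in the assumed format
        per_source[parts[1]].append((int(parts[0]), parts[3]))
    flagged = {}
    for src, events in per_source.items():
        events.sort()
        in_window = defaultdict(int)  # target user -> requests inside the window
        oldest = 0
        for ts, user in events:
            in_window[user] += 1
            while events[oldest][0] <= ts - window:  # expire old requests
                expired = events[oldest][1]
                in_window[expired] -= 1
                if in_window[expired] == 0:
                    del in_window[expired]
                oldest += 1
            if len(in_window) > max_users:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged

# Constructed log, assumed format: "<epoch seconds> <source IP> <method> <target user>".
SAMPLE_LOG = (
    # one source walking extensions 100-139, one request per second
    [f"{1000 + i} 203.0.113.9 OPTIONS {100 + i}" for i in range(40)]
    # a phone re-registering its own extension, and an ordinary caller
    + [f"{1000 + 30 * i} 192.168.5.10 REGISTER 402" for i in range(10)]
    + ["1005 192.168.5.15 INVITE 402", "1090 192.168.5.15 INVITE 401"]
)

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```

A source that spreads its requests out stays under a short window, so the window and threshold need tuning per deployment.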
34
  • Eavesdropping
  • Voice packets are subject to man-in-the-middle
    attacks where a hacker spoofs the MAC address of
    two parties and forces VoIP packets to flow
    through the hacker's system.
  • Reassemble voice packets
  • Listen in to real-time conversations
  • Hackers can also gain access to all sorts of
    sensitive data and information, such as user
    names, passwords, and VoIP system information.
  • SQL injection and password guessing can be launched
    in a distributed manner with different SIP URIs

35
SQL Injection: Tampering via SIP
The Authorization Digest header can be tampered with in order to
inject an SQL query.
Update subscriber set first_name='jacky_altal'
Where username='asterisk'--, realm="192.168.10.100",
algorithm="md5", Nonce="41351a34b342b43434d223421d",
Response="a6466dce7890e087e6e55e67e2ee3"
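How a registrar can handle the tampered header above, as an added example that is not code from the presentation: the Digest parameters are parsed, the username is checked against an assumed local policy, and the lookup uses a bound parameter. The table layout, the stored values and the header string are constructed for this example; only the SQL fragment and parameter values come from the slide.

```python
import re
import sqlite3

# Digest parameters: name="quoted value" or name=token
PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')
# Assumed local policy: user names are short and use a restricted alphabet.
USERNAME_OK = re.compile(r"[A-Za-z0-9._+-]{1,64}")

# Constructed header: the SQL fragment from the slide sits in the username field.
TAMPERED = (
    'Digest username="Update subscriber set first_name=\'jacky_altal\' '
    'Where username=\'asterisk\'--", realm="192.168.10.100", algorithm="md5", '
    'nonce="41351a34b342b43434d223421d", response="a6466dce7890e087e6e55e67e2ee3"'
)

def make_db():
    """In-memory stand-in for the registrar's subscriber table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriber (username TEXT PRIMARY KEY, first_name TEXT, ha1 TEXT)")
    db.execute("INSERT INTO subscriber VALUES ('asterisk', 'admin', 'constructed-ha1')")
    return db

def parse_digest(header_value):
    """Split a Digest Authorization header value into its parameters."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM.finditer(rest)}

def lookup_ha1(db, header_value, strict=True):
    """Return the stored HA1 for the named user, or None if unknown or rejected."""
    username = parse_digest(header_value).get("username") or ""
    if strict and not USERNAME_OK.fullmatch(username):
        return None  # rejected before the database is touched
    # Unsafe form the slide targets: "... WHERE username='" + username + "'".
    # Bound parameter instead: the driver passes the value as data, not SQL text.
    row = db.execute("SELECT ha1 FROM subscriber WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(lookup_ha1(db, 'Digest username="asterisk", realm="192.168.10.100"'))
    print(lookup_ha1(db, TAMPERED), lookup_ha1(db, TAMPERED, strict=False))
```

With `strict=False` the policy check is skipped and the bound parameter alone keeps the fragment from being executed.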

36
Invite Of Death Attack
The Invite of Death
attack simply demonstrates that VoIP is affected
by exactly the same types of vulnerabilities as
any other IP application. In this case a simple
implementation error leaves the application open
to a remote Denial Of Service attack. This
vulnerability has already been fixed but there
are many others to come. In other words, if you
are relying on a generic firewall to protect your
voice system, the chances are that it will not
block or even detect these threats.
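A SIP-aware check in front of the PBX can reject structurally malformed requests that a generic firewall passes through. The following is an added example, not code from the presentation: a strict Python parser for the ASCII request format shown on the signaling slides, enforcing the header fields RFC 3261 requires in every request and a matching Content-Length. It does not model the specific Invite of Death bug, which the slides do not describe; the sample message is constructed from the INVITE slide with an empty body, and compact header names and folded header lines are rejected rather than supported.

```python
import re

# Header fields RFC 3261 (section 8.1.1) requires in every request.
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")
START_LINE = re.compile(r"([A-Z]+) (sips?:\S+) SIP/2\.0")

def parse_sip_request(raw: bytes) -> dict:
    """Parse one SIP request; raise ValueError on anything malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing blank line after headers")
    lines = head.decode("utf-8", "strict").split("\r\n")
    start = START_LINE.fullmatch(lines[0])
    if not start:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip() or line[0] in " \t":
            raise ValueError(f"bad header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise ValueError("missing required headers: " + ", ".join(missing))
    # The method in CSeq must repeat the method on the request line.
    seq, _, cseq_method = headers["cseq"][0].partition(" ")
    if not seq.isdigit() or cseq_method != start.group(1):
        raise ValueError("CSeq does not match request method")
    declared = headers.get("content-length", ["0"])[0]
    if not declared.isdigit() or int(declared) != len(body):
        raise ValueError("Content-Length does not match body size")
    return {"method": start.group(1), "uri": start.group(2),
            "headers": headers, "body": body}

# Constructed from the INVITE slide; the SDP body is omitted, so Content-Length is 0.
SAMPLE_INVITE = (
    b"INVITE sip:401@192.168.5.15 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.0.204:5060;rport;branch=z9hG4bK42ccbc6905\r\n"
    b"From: <sip:402@192.168.5.10>;tag=33a31c9c\r\n"
    b"To: <sip:401@192.168.5.15>\r\n"
    b"Call-ID: 42fe147836f1f4a446f4572a5386aaca@192.168.0.204\r\n"
    b"CSeq: 801 INVITE\r\n"
    b"Max-Forwards: 70\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(parse_sip_request(SAMPLE_INVITE)["headers"]["call-id"])
```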
37
SIPy send spoofed call to sip client
Killer Written by Jacky Altal and Yossef Cohen
38
SipY SIP software testing,
39
SipY SIP Server/Client Vulnerability testing,
40
Modify Request
Reverse Request
Modify Request
41
Are You R-E-A-D-Y??? Let's F-I-G-H-T!!!
42
LAB
  • CentOS - Linux Distro: http://www.centos.org/
  • Asterisk - Open Source PBX: http://www.asterisk.org/
  • xLite SIP Client
  • iPhone SIP client (home made)
Of course, there are many other codecs and other stuff.
43
iWar012 ) Network Range Mass Scanning
We can find other lines, scan network ranges, by
IPs and phone numbers. Find FREE X.25
networks Free SEX Lines,
http://www.softwink.com/iwar/
44
Encryption what is it good for?
45
Provisioning Servers
Shikata ga nai.
46
Question? > /dev/null
47
The End
jacky@see-security.com yossef@maxxvoice.com

http://4lt4l.blogspot.com