Cutting Edge VoIP Security Issues Color presentation

About This Presentation

Title:

Cutting Edge VoIP Security Issues Color

Description:

Hacking Exposed: VoIP Mark D. Collier Chief Technology Officer SecureLogix Corporation mark.collier_at_securelogix.com Outline Overview Gathering Information ... –

Number of Views:279

Avg rating:3.0/5.0

Slides: 86

Provided by: markco1

Category:

more less

Transcript and Presenter's Notes

Title: Cutting Edge VoIP Security Issues Color

1
Hacking Exposed VoIP
Mark D. CollierChief Technology
OfficerSecureLogix Corporationmark.collier_at_secur
elogix.com
2
Outline
Outline

Overview
Gathering Information
Footprinting
Scanning
Enumeration
Attacking the Network
Network Infrastructure Denial of Service
Network Eavesdropping
Network and Application Interception

3
Outline
Outline

Attacking the Application
Fuzzing
Disruption of Service
Signaling and Media Manipulation
Social Attacks
Voice SPAM/SPIT
Voice Phishing

4
Introduction
Introduction

VoIP systems are vulnerable
Platforms, networks, and applications are
vulnerable
VoIP-specific attacks are becoming more common
Security isnt always a consideration during
deployment
The threat is increasing
VoIP deployment is growing
Deployments are critical to business operations
Greater integration with the data network
More attack tools being published
The hacking community is taking notice

5
Gathering Information
Gathering Information

This is the process a hacker goes through to
gather information about your organization and
prepare their attack
Consists of
Footprinting
Scanning
Enumeration

6
Footprinting
Gathering InformationFootprinting

Steps taken by a hacker to learn about your
enterprise before they start the actual attack
Consists of
Public website research
Google hacking

7
Public Website ResearchIntroduction
Gathering InformationFootprinting

An enterprise website often contains a lot of
information that is useful to a hacker
Organizational structure and corporate locations
Help and technical support
Job listings
Phone numbers and extensions

8
Public Website ResearchJob Listings
Gathering InformationFootprinting

Job listings can contain a ton of information
about the enterprise VoIP system.
Here is a portion of an actual job listing
Required Technical SkillsMinimum 3-5 years
experience in the management and implementation
of Avaya telephone systems/voicemails
Advanced programming knowledge of the Avaya
Communication Servers and voicemails.

9
Public Website ResearchPhone Numbers
Gathering InformationFootprinting

Google can be used to find all phone numbers on
an enterprise web site
Type 111..999-1000..9999 sitewww.mcgraw-hill.co
m

10
Public Website ResearchVoice Mail
Gathering InformationFootprinting

By calling into some of these numbers, you can
listen to the voice mail system and determine the
vendor
Check out our voice mail hacking database at
www.hackingvoip.com

11
Public Website Research Countermeasures
Gathering InformationFootprinting

It is difficult to control what is on your
enterprise website, but it is a good idea to be
aware of what is on it
Try to limit amount of detail in job postings
Remove technical detail from help desk web pages

12
Google HackingIntroduction
Gathering InformationFootprinting

Google is incredibly good at finding details on
the web
Vendor press releases and case studies
Resumes of VoIP personnel
Mailing lists and user group postings
Web-based VoIP logins

13
Google Hacking
Gathering InformationFootprinting

Vendors and enterprises may post press releases
and case studies
Type siteavaya.com case study or
siteavaya.com company
Users place resumes on the Internet when
searching for jobs
Search Monster for resumes for company employees
Mailing lists and user group postings
www.inuaa.org
www.innua.org
forums.cisco.com
forums.digium.com

14
Google HackingWeb-Based VoIP Logins
Gathering InformationFootprinting

Use Google to search for
Type inrulccmuser/logon.asp
Type inurlccmuser/logon.asp siteexample.com
Type inurlNetworkConfiguration cisco

15
Google HackingCountermeasures
Gathering InformationFootprinting

Determine what your exposure is
Be sure to remove any VoIP phones which are
visible to the Internet
Disable the web servers on your IP phones
There are services that can helpyou monitor your
exposure
www.cyveilance.com
ww.baytsp.com

16
ScanningIntroduction
Gathering InformationScanning

Steps taken by a hacker to identify IP addresses
and hosts running VoIP
Consists
Gaining access
Host/device discovery and identification
Port scanning and service discovery

17
ScanningGaining Access
Attacking The NetworkGaining Access

Several attack vectors include
Installing a simple wired hub
Wi-Fi sniffing
Compromising a network node
Compromising a VoIP phone
Compromising a switch
Compromising a proxy, gateway, or PC/softphone
ARP poisoning
Circumventing VLANs

18
Host/DeviceDiscovery and Identification
Gathering InformationScanning

Consists of various techniques used to find
hosts
Ping sweeps
ARP pings
TCP ping scans
SNMP sweeps
After hosts are found, the type of device can be
determined
Classifies host/device by operating system
Network stack fingerprinting is a common
technique for identifying hosts/devices

19
Host/Device DiscoveryUsing nmap
Gathering InformationScanning

nmap -O -P0 192.168.1.1-254
Starting Nmap 4.01 ( http//www.insecure.org/nmap/
) at 2006-02-20 0103 CST
Interesting ports on 192.168.1.21
(The 1671 ports scanned but not shown below are
in state filtered)
PORT STATE SERVICE
23/tcp open telnet
MAC Address 000F34118045 (Cisco Systems)
Device type VoIP phone
Running Cisco embedded
OS details Cisco IP phone (POS3-04-3-00,
PC030301)
Interesting ports on 192.168.1.23
(The 1671 ports scanned but not shown below are
in state closed)
PORT STATE SERVICE
80/tcp open http
MAC Address 00156286BA3E (Cisco Systems)
Device type VoIP phoneVoIP adapter
Running Cisco embedded
OS details Cisco VoIP Phone 7905/7912 or ATA 186
Analog Telephone Adapter

20
Host/Device DiscoveryPing Sweeps/ARP Pings
Gathering InformationScanning
21
Host/Device DiscoverySNMP Sweeps
Gathering InformationScanning
22
Host/Device DiscoveryCountermeasures
Gathering InformationScanning

Use firewalls and Intrusion Prevention Systems
(IPSs) to block ping and TCP sweeps
VLANs can help isolate ARP pings
Ping sweeps can be blocked at the perimeter
firewall

23
Port Scanning/Service Discovery
Gathering InformationScanning

Consists of various techniques used to find open
ports and services on hosts
These ports can be targeted later
nmap is the most commonly used tool for TCP SYN
and UDP scans

24
Port Scanning/Service DiscoveryCountermeasures
Gathering InformationScanning

Using non-Internet routable IP addresses will
prevent external scans
Firewalls and IPSs can detect and possibly block
scans
VLANs can be used to partition the network to
prevent scans from being effective

25
EnumerationIntroduction
Gathering InformationEnumeration

Involves testing open ports and services on
hosts/devices to gather more information
Includes running tools to determine if open
services have known vulnerabilities
Also involves scanning for VoIP-unique
information such as phone numbers
Includes gathering information from TFTP servers
and SNMP

26
Vulnerability TestingTools
Gathering InformationEnumeration
27
Vulnerability TestingTools
Gathering InformationEnumeration
28
Vulnerability TestingTools
Gathering InformationEnumeration
29
Vulnerability TestingCountermeasures
Gathering InformationEnumeration

The best solution is to upgrade your applications
and make sure you continually apply patches
Some firewalls and IPSs can detect and mitigate
vulnerability scans

30
SIP EnumerationDirectory Scanning
Gathering InformationEnumeration

root_at_attacker nc 192.168.1.104 5060
OPTIONS siptest_at_192.168.1.104 SIP/2.0
Via SIP/2.0/TCP 192.168.1.120branch4ivBcVj5ZnPY
gb
To alice ltsiptest_at_192.168.1.104gt
Content-Length 0
SIP/2.0 404 Not Found
Via SIP/2.0/TCP
192.168.1.120branch4ivBcVj5ZnPYgbreceived192.1
68.1.103
To alice siptest_at_192.168.1.104gttagb27e1a1d3376
1e85846fc98f5f3a7e58.0503
Server Sip EXpress router (0.9.6 (i386/linux))
Content-Length 0
Warning 392 192.168.1.1045060 "Noisy feedback
tells pid29801
req_src_ip192.168.1.120 req_src_port32773
in_urisiptest_at_192.168.1.104
out_urisiptest_at_192.168.1.104 via_cnt1"

31
SIP EnumerationDirectory Scanning
Gathering InformationEnumeration
32
TFTP EnumerationIntroduction
Gathering InformationEnumeration

Almost all phones we tested use TFTP to download
their configuration files
The TFTP server is rarely well protected
If you know or can guess the name of a
configuration or firmware file, you can download
it without even specifying a password
The files are downloaded in the clear and can be
easily sniffed
Configuration files have usernames, passwords, IP
addresses, etc. in them

33
TFTP EnumerationUsing TFTPBRUTE
Gathering InformationEnumeration

root_at_attacker perl tftpbrute.pl 192.168.1.103
brutefile.txt 100tftpbrute.pl, , V 0.1
TFTP file word database brutefile.txt
TFTP server 192.168.1.103
Max processes 100
Processes are 1
ltsnipgt
Processes are 12
Found TFTP server remote filename sip.cfg
Found TFTP server remote filename
46xxsettings.txt
Processes are 13
Processes are 14
Found TFTP server remote filename
sip_4602D02A.txt
Found TFTP server remote filename
XMLDefault.cnf.xml
Found TFTP server remote filename
SipDefault.cnf

34
TFTP EnumerationCountermeasures
Gathering InformationEnumeration

It is difficult not to use TFTP, since it is so
commonly used by VoIP vendors
Some vendors offer more secure alternatives
Firewalls can be used to restrict access to TFTP
servers to valid devices

35
SNMP EnumerationIntroduction
Gathering InformationEnumeration

SNMP is enabled by default on most IP PBXs and IP
phones
Simple SNMP sweeps will garner lots of useful
information
If you know the device type, you can use snmpwalk
with the appropriate OID
You can find the OID using Solarwinds MIB
Default passwords, called community strings,
are common

36
SNMP EnumerationSolarwinds
Gathering InformationEnumeration
37
SNMP Enumerationsnmpwalk
Gathering InformationEnumeration

root_at_domain2 snmpwalk -c public -v 1
192.168.1.53 1.3.6.1.4.1.6889
SNMPv2-SMIenterprises.6889.2.69.1.1.1.0
STRING "Obsolete"
SNMPv2-SMIenterprises.6889.2.69.1.1.2.0
STRING "4620D01B"
SNMPv2-SMIenterprises.6889.2.69.1.1.3.0
STRING "AvayaCallserver"
SNMPv2-SMIenterprises.6889.2.69.1.1.4.0
IpAddress 192.168.1.103
SNMPv2-SMIenterprises.6889.2.69.1.1.5.0
INTEGER 1719
SNMPv2-SMIenterprises.6889.2.69.1.1.6.0
STRING "051612501065"
SNMPv2-SMIenterprises.6889.2.69.1.1.7.0
STRING "700316698"
SNMPv2-SMIenterprises.6889.2.69.1.1.8.0
STRING "051611403489"
SNMPv2-SMIenterprises.6889.2.69.1.1.9.0
STRING "00040D5040B0"
SNMPv2-SMIenterprises.6889.2.69.1.1.10.0
STRING "100"
SNMPv2-SMIenterprises.6889.2.69.1.1.11.0
IpAddress 192.168.1.53
SNMPv2-SMIenterprises.6889.2.69.1.1.12.0
INTEGER 0
SNMPv2-SMIenterprises.6889.2.69.1.1.13.0
INTEGER 0
SNMPv2-SMIenterprises.6889.2.69.1.1.14.0
INTEGER 0
SNMPv2-SMIenterprises.6889.2.69.1.1.15.0
STRING "192.168.1.1"
SNMPv2-SMIenterprises.6889.2.69.1.1.16.0
IpAddress 192.168.1.1
SNMPv2-SMIenterprises.6889.2.69.1.1.17.0
IpAddress 255.255.255.0

38
SNMP EnumerationCountermeasures
Gathering InformationEnumeration

Disable SNMP on any devices where it is not
needed
Change default public and private community
strings
Try to use SNMPv3, which supports authentication

39
Attacking The Network
Attacking The Network

The VoIP network and supporting infrastructure
are vulnerable to attacks
Most attacks will originate inside the network,
once access is gained
Attacks include
Network infrastructure DoS
Network eavesdropping
Network and application interception

40
Attacking The NetworkGaining Access
Attacking The NetworkGaining Access

Some techniques for circumventing VLANs
Without MAC filtering, disconnect a phone and
connect a PC
Even if MAC filtering is used, you can easily
spoof the MAC
Be especially cautious of VoIP phones in public
areas
Some other VLAN attacks
MAC flooding attack
802.1q and ISL tagging attack
Double-encapsulated 802.1q/Nested VLAN attack
Private VLAN attack
Spanning-tree protocol attack/VLAN trunking
protocol attack

41
Network Infrastructure DoS
Attacking The NetworkNetwork DoS

The VoIP network and supporting infrastructure
are vulnerable to attacks
VoIP media/audio is particularly susceptible to
any DoS attack which introduces latency and
jitter
Attacks include
Flooding attacks
Network availability attacks
Supporting infrastructure attacks

42
Flooding AttacksIntroduction
Attacking The NetworkNetwork DoS

Flooding attacks generate so many packets at a
target, that it is overwhelmed and cant process
legitimate requests

43
Flooding AttacksTypes of Floods
Attacking The NetworkNetwork DoS

Some types of floods are
UDP floods
TCP SYN floods
ICMP and Smurf floods
Worm and virus oversubscription side effect
QoS manipulation
Application flooding

44
Flooding AttacksCountermeasures
Attacking The NetworkNetwork DoS

Layer 2 and 3 QoS mechanisms are commonly used to
give priority to VoIP media (and signaling)
Use rate limiting in network switches
Use anti-DoS/DDoS products
Some vendors have DoS support in their products
(in newer versions of software)

45
Network Availability Attacks
Attacking The NetworkNetwork DoS

This type of attack involves an attacker trying
to crash the underlying operating system
Fuzzing involves sending malformed packets, which
exploit a weakness in software
Packet fragmentation
Buffer overflows

46
Network Availability Attacks Countermeasures
Attacking The NetworkNetwork DoS

A network IPS is an inline device that detects
and blocks attacks
Some firewalls also offer this capability
Host based IPS software also provides this
capability

47
Supporting Infrastructure Attacks
Attacking The NetworkNetwork DoS

VoIP systems rely heavily on supporting services
such as DHCP, DNS, TFTP, etc.
DHCP exhaustion is an example, where a hacker
uses up all the IP addresses, denying service to
VoIP phones
DNS cache poisoning involves tricking a DNS
server into using a fake DNS response

48
Supporting Infrastructure AttacksCountermeasures
Attacking The NetworkNetwork DoS

Configure DHCP servers not to lease addresses to
unknown MAC addresses
DNS servers should be configured to analyze info
from non-authoritative servers and dropping any
response not related to queries

49
Network EavesdroppingIntroduction
Attacking The NetworkEavesdropping

VoIP configuration files, signaling, and media
are vulnerable to eavesdropping
Attacks include
TFTP configuration file sniffing (already
discussed)
Number harvesting and call pattern tracking
Conversation eavesdropping

50
Numbers/Call Patterns
Attacking The NetworkEavesdropping

By sniffing signaling, it is possible to build a
directory of numbers and track calling patterns
voipong automates the process of logging all
calls
Wireshark is very good at sniffing VoIP signaling

51
Conversation RecordingWireshark
Attacking The NetworkEavesdropping
52
Conversation RecordingWireshark
Attacking The NetworkEavesdropping
53
Conversation RecordingCain And Abel
Attacking The NetworkEavesdropping
54
Conversation RecordingOther Tools
Attacking The NetworkEavesdropping

Other tools include
vomit
Voipong
voipcrack (not public)
DTMF decoder

55
Network EavesdroppingCountermeasures
Attacking The NetworkEavesdropping

Use encryption
Many vendors offer encryption for signaling
Use the Transport Layer Security (TLS) for
signaling
Many vendors offer encryption for media
Use Secure Real-time Transport Protocol (SRTP)
Use ZRTP
Use proprietary encryption if you have to

56
Network/Application InterceptionIntroduction
Attacking The NetworkNet/App Interception

The VoIP network is vulnerable to
Man-In-The-Middle (MITM) attacks, allowing
Eavesdropping on the conversation
Causing a DoS condition
Altering the conversation by omitting, replaying,
or inserting media
Redirecting calls
Attacks include
Network-level interception
Application-level interception

57
Network InterceptionARP Poisoning
Attacking The NetworkNet/App Interception

The most common network-level MITM attack is ARP
poisoning
Involves tricking a host into thinking the MAC
address of the attacker is the intended address
There are a number of tools available to support
ARP poisoning
Cain and Abel
ettercap
Dsniff
hunt

58
Network InterceptionARP Poisoning
Attacking The NetworkNet/App Interception
59
Network InterceptionARP Poisoning
Attacking The NetworkNet/App Interception
60
Network InterceptionCountermeasures
Attacking The NetworkNet/App Interception

Some countermeasures for ARP poisoning are
Static OS mappings
Switch port security
Proper use of VLANs
Signaling encryption/authentication
ARP poisoning detection tools, such as arpwatch

61
Attacking The Application
Attacking The Application

VoIP systems are vulnerable to application
attacks against the various VoIP protocols
Attacks include
Fuzzing attacks
Flood-based DoS
Signaling and media manipulation

62
FuzzingIntroduction
Attacking The ApplicationFuzzing

Fuzzing describes attacks where malformed packets
are sent to a VoIP system in an attempt to crash
it
Research has shown that VoIP systems, especially
those employing SIP, are vulnerable to fuzzing
attacks

63
FuzzingExample
Attacking The ApplicationFuzzing
INVITE sip6713_at_192.168.26.1806060userphone
SIP/2.0 Via SIP/2.0/UDP 192.168.22.366060 From
UserAgentltsip6710_at_192.168.22.366060userphonegt
To 6713ltsip6713_at_192.168.26.1806060userphonegt
Call-ID 96561418925909_at_192.168.22.36 Cseq 1
INVITE Subject VovidaINVITE Contact
ltsip6710_at_192.168.22.366060userphonegt Content-T
ype application/sdp Content-Length 168
64
FuzzingExample
Attacking The ApplicationFuzzing
INVITE sip6713_at_192.168.26.1806060userphone
SIP/2.0 Via aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaa aaaaaaaaaaaaa From
UserAgentltsip6710_at_192.168.22.366060userphonegt
To 6713ltsip6713_at_192.168.26.1806060userphonegt
Call-ID 96561418925909_at_192.168.22.36 Cseq 1
INVITE Subject VovidaINVITE Contact
ltsip6710_at_192.168.22.366060userphonegt Content-T
ype application/sdp Content-Length 168
65
FuzzingPublic Domain Tools
Attacking The ApplicationFuzzing

There are many public domain tools available for
fuzzing
Protos suite
Asteroid
Fuzzy Packet
NastySIP
Scapy

SipBomber
SFTF
SIP Proxy
SIPp
SIPsak

66
FuzzingCommercial Tools
Attacking The ApplicationFuzzing

There are some commercial tools available
Beyond Security BeStorm
Codenomicon
MuSecurity Mu-4000 Security Analyzer
Security Innovation Hydra
Sipera Systems LAVA tools

67
FuzzingCountermeasures
Attacking The ApplicationFuzzing

Make sure your vendor has tested their systems
for fuzzing attacks
Consider running your own tests
An VoIP-aware IPS can monitor for and block
fuzzing attacks

68
Flood-Based DoS
Attacking The ApplicationFlood-Based DoS

Several tools are available to generate floods at
the application layer
rtpflood generates a flood of RTP packets
inviteflood generates a flood of SIP INVITE
packets
SiVuS a tool which a GUI that enables a variety
of flood-based attacks
Virtually every device we tested was susceptible
to these attacks

69
Flood-Based DoSCountermeasures
Attacking The ApplicationFlood-Based DoS

There are several countermeasures you can use for
flood-based DoS
Use VLANs to separate networks
Use TCP and TLS for SIP connections
Use rate limiting in switches
Enable authentication for requests
Use SIP firewalls/IPSs to monitor and block
attacks

70
Signaling/Media ManipulationIntroduction
Attacking The Application Sig/Media Manipulation

In SIP and RTP, there are a number of attacks
possible, which exploit the protocol
Registration manipulation
Redirection attacks
Session teardown
SIP phone reboot
RTP insertion/mixing

71
Registration Manipulation
Attacking The Application Sig/Media Manipulation
72
Redirection Attacks
Attacking The Application Sig/Media Manipulation
73
Session Teardown
Attacking The Application Sig/Media Manipulation

74
IP Phone Reboot
Attacking The Application Sig/Media Manipulation

75
Audio Insertion/Mixing
Attacking The Application Sig/Media Manipulation

Attacker SeesPackets AndInserts/Mixes InNew
Audio
76
Signaling/Media ManipulationCountermeasures
Attacking The Application Sig/Media Manipulation

Some countermeasures for signaling and media
manipulation include
Use digest authentication where possible
Use TCP and TLS where possible
Use SIP-aware firewalls/IPSs to monitor for and
block attacks
Use audio encryption to prevent RTP
injection/mixing

77
Social Attacks
Social Attacks

There are a couple of evolving social threats
that will affect enterprises
Voice SPAM or SPAM over Internet Telephony (SPIT)
Voice phishing

78
Voice SPAMIntroduction
Social AttacksVoice SPAM

Voice SPAM refers to bulk, automatically
generated, unsolicited phone calls
Similar to telemarketing, but occurring at the
frequency of email SPAM
Not an issue yet, but will become prevalent when
The network makes it very inexpensive or free to
generate calls
Attackers have access to VoIP networks that allow
generation of a large number of calls
It is easy to set up a voice SPAM operation,
using Asterisk, tools like spitter, and free
VoIP access

79
Voice SPAM
Social AttacksVoice SPAM

Voice SPAM has the potential to be very
disruptive because
Voice calls tend to interrupt a user more than
email
Calls arrive in realtime and the content cant be
analyzed to determine it is voice SPAM
Even calls saved to voice mail must be converted
from audio to text, which is an imperfect process
There isnt any capability in the protocols that
looks like it will address Voice SPAM

80
Voice SPAMCountermeasures
Social AttacksVoice SPAM

Some potential countermeasures for voice SPAM
are
Authenticated identity movements, which may help
to identify callers
Legal measures
Enterprise voice SPAM filters
Black lists/white lists
Approval systems
Audio content filtering
Turing tests

81
VoIP PhishingIntroduction
Social AttacksPhishing

Similar to email phishing, but with a phone
number delivered though email or voice
When the victim dials the number, the recording
requests entry of personal information
The hacker comes back later and retrieves the
touch tones or other information

82
VoIP PhishingExample
Social AttacksPhishing

Hi, this is Bob from Bank of America calling.
Sorry I missed you. If you could give us a call
back at 1-866-555-1324 we have an urgent issue to
discuss with you about your bank account.
Hello. This is Bank of America. So we may best
serve you, please enter your account number
followed by your PIN.

83
VoIP PhishingExample
Social AttacksPhishing
84
VoIP PhishingCountermeasures
Social AttacksPhishing

Traditional email spam/phishing countermeasures
come in to play here.
Educating users is a key

85
Final Thoughts
Social AttacksPhishing

VoIP systems can be secured, but are often
installed in a non-secure way
A VoIP security assessment/audit is a great way
to identify issues and countermeasures
Dont forget about legacy systems. Issues still
exist and VoIP can make some worse

Write a Comment

User Comments (0)

About PowerShow.com