VoIP Wars: Return of the SIP
VoIP Wars : Return of the SIP
Fatih Özavcı
Security Consultant @ Sense of Security (Australia)
www.senseofsecurity.com.au
@fozavci
# whois
●
Security Consultant @ Sense of Security (Australia)
●
10+ Years Experience in Penetration Testing
●
800+ Penetration Tests, 40+ Focused on NGN/VoIP
–
SIP/NGN/VoIP Systems Penetration Testing
–
Mobile Application Penetration Testing
–
IPTV Penetration Testing
–
Regular Stuff (Network Inf., Web, SOAP, Exploitation...)
●
Author of Viproy VoIP Penetration Testing Kit
●
Author of Hacking Trust Relationships Between SIP Gateways
●
Blackhat Arsenal USA 2013 – Viproy VoIP Pen-Test Kit
●
So, that's me
2
Viproy in Action
http://www.youtube.com/watch?v=1vDTujNVKGM
# traceroute
●
VoIP Networks are Insecure, but Why?
●
Basic Attacks
Discovery, Footprinting, Brute Force
– Initiating a Call, Spoofing, CDR and Billing Bypass
SIP Proxy Bounce Attack
–
●
●
Fake Services and MITM
Fuzzing Servers and Clients, Collecting Credentials
(Distributed) Denial of Service
–
●
Attacking SIP Soft Switches and SIP Clients, SIP Amplification Attack
Hacking Trust Relationships of SIP Gateways
–
●
●
Attacking SIP Clients via SIP Trust Relationships
●
Fuzzing in Advance
●
Out of Scope
–
–
–
RTP Services and Network Tests, Management
Additional Services
XML/JSON Based Soap Services
4
# info
●
●
●
SIP – Session Initiation Protocol
–
Only Signalling, not for Call Transporting
–
Extended with Session Discovery Protocol
NGN – Next Generation Network
–
Forget TDM and PSTN
–
SIP, H.248 / Megaco, RTP, MSAN/MGW
–
Smart Customer Modems & Phones
–
Easy Management
–
Security is NOT a Concern?!
Next Generation! Because We Said So!
5
# SIP Services : Internal IP Telephony
Support Servers
Factory/Campus
SIP over VPN
SIP Clients
INTERNET
Commercial
Gateways
SIP Server
Analog/Digital PBX
6
# SIP Services : Commercial Services
Customers
VAS, CDR, DB Servers
MSAN/MGW
PSTN/ISDN Distributed
MPLS
SDP Servers
Soft Switch
INTERNET
(SIP Server)
Mobile
RTP, Proxy
Servers
3rd Party
Gateways
7
# Administrators Think... Root Doesn't!
●
Their VoIP Network Isolated
–
●
Abusing VoIP Requires Knowledge
–
●
●
Open Physical Access, Weak VPN or MPLS
With Viproy, That's No Longer The Case!
Most Attacks are Network Based or Toll Fraud
–
DOS, DDOS, Attacking Mobile Clients, Spying
–
Phishing, Surveliance, Abusing VAS Services
VoIP Devices are Well-Configured
–
Weak Passwords, Old Software, Vulnerable Protocols
8
# Viproy What?
●
Viproy is a Vulcan-ish Word that means "Call"
●
Viproy VoIP Penetration and Exploitation Kit
●
–
Testing Modules for Metasploit, MSF License
–
Old Techniques, New Approach
–
SIP Library for New Module Development
–
Custom Header Support, Authentication Support
–
New Stuff for Testing: Trust Analyzer, Bounce Scan, Proxy etc
Modules
–
Options, Register, Invite, Message
–
Brute Forcers, Enumerator
–
SIP Trust Analyzer, Service Scanner
–
SIP Proxy, Fake Service, DDOS Tester
9
# Basic Attacks
●
We are looking for...
–
–
–
–
–
–
–
–
–
●
Finding and Identifying SIP Services and Purposes
Discovering Available Methods and Features
Discovering SIP Software and Vulnerabilities
Identifying Valid Target Numbers, Users, Realm
Unauthenticated Registration (Trunk, VAS, Gateway)
Brute Forcing Valid Accounts and Passwords
Invite Without Registration
Direct Invite from Special Trunk (IP Based)
Invite Spoofing (After or Before Registration, Via Trunk)
Viproy Pen-Testing Kit Could Automate Discovery
10
# Basic Attacks
Discovery
OPTIONS / REGISTER / INVITE / SUBSCRIBE
100 Trying
200 OK
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
Clients
Gateways
Collecting Information from Response Headers
➔
User-Agent
➔ Server
➔ Realm
➔ Call-ID
➔ Record-Route
➔
Warning
➔ P-Asserted-Identity
➔ P-Called-Party-ID
➔ P-Preferred-Identity
➔ P-Charging-Vector
➔
Soft Switch
(SIP Server)
11
# Basic Attacks
Register
REGISTER / SUBSCRIBE (From, To, Credentials)
200 OK
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
RESPONSE Depends on Informations in REQUEST
➔ Type of Request (REGISTER, SUBSCRIBE)
➔ FROM, TO, Credentials with Realm
➔ Via
Actions/Tests Depends on RESPONSE
➔ Brute Force (FROM, TO, Credentials)
➔ Detecting/Enumerating Special TOs, FROMs or Trunks
➔ Detecting/Enumerating Accounts With Weak or Null Passwords
➔ ….
Clients
Gateways
Soft Switch
(SIP Server)
12
# Basic Attacks
●
this isn't the call you're looking for
●
We are attacking for...
–
Free Calling, Call Spoofing
–
Free VAS Services, Free International Calling
–
Breaking Call Barriers
–
Spoofing with...
–
Via Field, From Field
● P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity
● ISDN Calling Party Number, Remote-Party-ID
Bypass with...
●
●
●
●
P-Charging-Vector (Spoofing, Manipulating)
Re-Invite, Update (Without/With P-Charging-Vector)
Viproy Pen-Testing Kit Supports Custom Headers
13
# Basic Attacks
Invite, CDR and Billing Tests
INVITE/ACK/RE-INVITE/UPDATE (From, To, Credentials, VIA ...)
100 Trying
183 Session Progress
180 Ringing
200 OK
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
RESPONSE Depends on Informations in INVITE REQUEST
➔ FROM, TO, Credentials with Realm, FROM <>, TO <>
➔ Via, Record-Route
➔ Direct INVITE from Specific IP:PORT (IP Based Trunks)
Actions/Tests Depends on RESPONSE
➔ Brute Force (FROM&TO) for VAS and Gateways
➔ Testing Call Limits, Unauthenticated Calls, CDR Management
➔ INVITE Spoofing for Restriction Bypass, Spying, Invoice
➔ ….
Clients
Gateways
Soft Switch
(SIP Server)
14
# SIP Proxy Bounce Attack
●
●
SIP Proxies Redirect Requests to Other SIP Servers
–
We Can Access Them via SIP Proxy then We Can Scan
–
We Can Scan Inaccessible Servers
–
URI Field is Useful for This Scan
Viproy Pen-Testing Kit Has a UDP Port Scan Module
15
# SIP Proxy Bounce Attack
192.168.1.145 – Izmir
Production SIP Service
The Wall
White Walker
How Can We Use It?
192.168.1.146
Ankara
192.168.1.201
Adana
●
SIP Trust Relationship Attacks
●
Attacking Inaccessible Servers
●
Attacking SIP Software
–
Software Version, Type
16
# Fake Services and MITM
●
We Need a Fake Service
Adding a Feature to Regular SIP Client
– Collecting Credentials
– Redirecting Calls
– Manipulating CDR or Billing Features
– Fuzzing Servers and Clients for Vulnerabilities
Fake Service Should be Semi-Automated
–
●
–
–
Communication Sequence Should be Defined
Sending Bogus Request/Result to Client/Server
●
Viproy Pen-Testing Kit Has a SIP Proxy and Fake Service
●
Fuzzing Support of Fake Service is in Development Stage
17
# Fake Services and MITM
Usage of Proxy & Fake Server Features
Soft Switch
(SIP Server)
●
●
●
●
●
●
Clients
Use ARP Spoof & VLAN Hopping & Manual Config
Collect Credentials, Hashes, Information
Change Client's Request to Add a Feature (Spoofing etc)
Change the SDP Features to Redirect Calls
Add a Proxy Header to Bypass Billing & CDR
Manipulate Request at Runtime to find BOF Vulnerabilities
18
# DOS – It's Not Service, It's Money
●
Locking All Customer Phones and Services for Blackmail
●
Denial of Service Vulnerabilities of SIP Services
Many Responses for Bogus Requests → DDOS
– Concurrent Registered User/Call Limits
– Voice Message Box, CDR, VAS based DOS Attacks
– Bye And Cancel Tests for Call Drop
– Locking All Accounts if Account Locking is Active for Multiple Fails
Multiple Invite (After or Before Registration, Via Trunk)
–
●
–
–
–
●
Calling All Numbers at Same Time
Overloading SIP Server's Call Limits
Calling Expensive Gateways,Targets or VAS From Customers
Viproy Pen-Testing Kit Has a few DOS Features
19
# DDOS – All Your SIP Gateways Belong to Us !
●
SIP Amplification Attack
+ SIP Servers Send Errors Many Times (10+)
+ We Can Send IP Spoofed Packets
+ SIP Servers Send Responses to Victim
=> 1 packet for 10+ Packets, ICMP Errors (Bonus)
●
Viproy Pen-Testing Kit Has a PoC DDOS Module
●
Can we use SIP Server's Trust ? -wait for it20
# DDOS – All Your SIP Gateways Belong to Us!
192.168.1.201 – Izmir
Production SIP Service
The Wall
IP Spoofed Call Request
192.168.1.202 – Ankara
Production SIP Service
White Walker
The Wall
192.168.1.203 – Adana
Production SIP Service
Citadel
21
# Hacking SIP Trust Relationships
●
●
●
NGN SIP Services Trust Each Other
–
Authentication and TCP are Slow, They Need Speed
–
IP and Port Based Trust are Most Effective Way
What We Need
–
Target Number to Call (Cell Phone if Service is Public)
–
Tech Magazine, Web Site Information, News
Baby Steps
–
Finding Trusted SIP Networks (Mostly B Class)
–
Sending IP Spoofed Requests from Each IP:Port
–
Each Call Should Contain IP:Port in "From" Section
–
If We Have a Call, We Have The Trusted SIP Gateway IP and Port
–
Brace Yourselves The Call is Coming
22
# Hacking SIP Trust Relationships
Slow Motion
192.168.1.201 – Izmir
Production SIP Service
The Wall
t
es om
u
eq n Fr
R
l
l ta i
a
d C rt Da
e
f
oo :Po
p
S
IP
IP ins
nta
o
C
Ankara
White Walker
Istanbul
International Trusted Operator
23
# Hacking SIP Trust Relationships
Brace Yourselves, The Call is Coming
192.168.1.201 – Izmir
Production SIP Service
The Wall
White Walker
st
e
qu rom
e
ll R in F
a
d C own
e
f
Fr
oo y Kn
p
om
d
S
IP ebo
Ci
m
tad
o
S
el
Come Again?
Ankara
Istanbul
●
●
International Trusted Operator
●
Billing ?
CDR ?
Log ?
24
# Hacking SIP Trust Relationships – Business Impact
●
●
●
Denial of Service
–
Short Message Service and Billing
–
Calling All Numbers at Same Time
–
Overloading SIP Server's Call Limits
–
Overloading VAS Service or International Limits
–
Overloading CDR Records with Spoofed Calls
Attacking a Server Software
–
Crashing/Exploiting Inaccesible Features
–
Call Redirection (working on it, not yet :/)
Attacking a Client?
–
Next Slide!
25
# Attacking a Client via SIP Trust Relationships
●
●
●
SIP Server Redirects a few Fields to Client
–
FROM, FROM NAME, Contact
–
Other Fields Depend on Server (SDP, MIME etc)
Clients Have Buffer Overflow in FROM?
–
Send 2000 Chars to Test it !
–
Crash it or Execute your Command if Available
Clients Trust SIP Servers and Trust is UDP Based
–
●
This module can be used for Trust Between Client and Server
Viproy Pen-Testing Kit SIP Trust Module
–
Simple Fuzz Support (FROM=FUZZ 2000)
–
You Can Modify it for Further Attacks
26
# Attacking a Client via SIP Trust Relationships
Brace Yourselves 550 Chars are Coming
192.168.1.201 – Izmir
Production SIP Service
The Wall
White Walker
Ankara
Istanbul
t
es
u
eq
R
The Wall
m
l
l
o
a
r
d C s in F
e
f
Bo
oo har
p
C
S
g
IP 550
Re us In
qu vit
es e
t
CRASSSSH!
●
●
International Trusted Operator
Command?
Why Not!
AdorePhone Iphone App
27
# Fuzz Me Maybe
●
Fuzzing as a SIP Client | SIP Server | Proxy | MITM
●
SIP Server Software
●
SIP Clients
Hardware Devices, IP Phones, Video Conference Systems
– Desktop Application or Web Based Software
– Mobile Software
Special SIP Devices/Software
–
●
–
–
–
–
–
SIP Firewalls, ACL Devices, Proxies
Connected SIP Trunks, 3rd Party Gateways
MSAN/MGW
Logging Software (Indirect)
Special Products: Cisco, Alcatel, Avaya, Huawei, ZTE...
28
# Old School Fuzzing
●
Request Fuzzing
SDP Features
– MIME Type Fuzzing
Response Fuzzing
–
●
Authentication, Bogus Messages, Redirection
Static vs Stateful
–
●
●
How about Smart Fuzzing
–
–
–
–
–
–
Missing State Features (ACK,PHRACK,RE-INVITE,UPDATE)
Fuzzing After Authentication (Double Account, Self-Call)
Response Fuzzing (Before or After Authentication)
Missing SIP Features (IP Spoofing for SIP Trunks, Proxy Headers)
Numeric Fuzzing for Services is NOT Memory Corruption
Dial Plan Fuzzing, VAS Fuzzing
29
# How Viproy Pen-Testing Kit Helps Fuzzing Tests
●
Skeleton for Feature Fuzzing, NOT Only SIP Protocol
●
Multiple SIP Service Initiation
Call Fuzzing in Many States, Response Fuzzing
Integration With Other Metasploit Features
–
●
Fuzzers, Encoding Support, Auxiliaries, Immortality etc.
Custom Header Support
–
●
Future Compliance, Vendor Specific Extensions, VAS
Raw Data Send Support (Useful with External Static Tools)
–
●
●
Authentication Support
Authentication Fuzzing, Custom Fuzzing with Authentication
Less Code, Custom Fuzzing, State Checks
–
●
●
Some Features (Fuzz Library, SDP) are Coming Soon
30
# Fuzzing SIP Services
Request Based
OPTIONS/REGISTER/SUBSCRIBE/INVITE/ACK/RE-INVITE/UPDATE....
100 Trying
183 Session Progress
180 Ringing
200 OK
Fuzzing Targets, REQUEST Fields
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
Request Type, Protocol, Description
➔ Via, Branch, Call-ID, From, To, Cseq, Contact, Record-Route
➔ Proxy Headers, P-*-* (P-Asserted-Identity, P-Charging-Vector...)
➔ Authentication in Various Requests (User, Pass, Realm, Nonce)
➔ Content-Type, Content-Lenth
➔ SDP Information Fields
➔ ISUP Fields
Clients
Gateways
➔
Soft Switch
(SIP Server)
31
# Fuzzing SIP Services
Response Based
OPTIONS
MALICOUS RESPONSE
Clients
INVITE Myself / INVITE I'm Proxy
INVITE/ACK
Gateways
MALICOUS RESPONSE
Potential RESPONSE Types for Fuzzing
100 Trying
183 Session Progress
180 Ringing
200 OK
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
Soft Switch
(SIP Server)
32
SIP Bounce Attack, Hacking SIP Trust, Attacking Mobile Apps
http://www.youtube.com/watch?v=bSg3tAkh5gA
References
●
Viproy VoIP Penetration and Exploitation Kit
Author
: http://viproy.com/fozavci
Homepage : http://viproy.com/voipkit
Github
●
: http://www.github.com/fozavci/viproy-voipkit
Attacking SIP Servers Using Viproy VoIP Kit (50 mins)
https://www.youtube.com/watch?v=AbXh_L0-Y5A
●
Hacking Trust Relationships Between SIP Gateways (PDF)
http://viproy.com/files/siptrust.pdf
●
VoIP Pen-Test Environment – VulnVoIP
http://www.rebootuser.com/?cat=371
34
Special Thanks to...
Special Ones
●
Konca Ozavci
●
Kadir Altan
●
Anil Pazvant
Suggestions & Guidelines & Support
●
Paul Henry
●
Mark Collier
●
Jason Olstrom
●
Jesus Perez Rubio
35
Q?
Thanks
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising