Most research and publications talk about layer 2 issues when it comes to VoIP. Here we talk about VoIP security flaws that can be exploited without physical access to the target network, i.e. attacks that can be, and are being, launched over the Internet.
Scanning The Intertubes For Voip
1. ENABLESECURITY
Scanning the Intertubes for VOIP
Telephony exposed on the ‘net
Confidence 2009
2. whoami
• EnableSecurity
• 9 years old
• SIPVicious and VOIPPACK (for CANVAS)
• Surfjack, Extended HTML Form attack
3. next few minutes
• Brief intro to how VoIP is being abused
• Scanning for VoIP systems
• How to fingerprint VoIP systems
• Possibilities for abuse
4. VoIP Scanning
• SIP
• IAX2
• H.323
• SCCP
5. A primer on SIP
• Text based just like HTTP
• UDP port 5060
• INVITE gets things to buzz and ring
• REGISTER sends phone calls your way
• OPTIONS gives you supported options
6. A primer on IAX2
• Binary protocol running on port 4569
• POKE is like ping
• PONG is like er.. pong
• REGREQ is like REGISTER
• REGREJ stands for registration rejected
7. VoIP and Cybercrime
• Scans for SIP are on the rise
• News of fraud
• What is happening in the background?
• What tools are they using?
30. Introducing REGISTER
• Binds an extension to an IP and port
• Normally requires authentication
• If no password is set it binds without auth
31. More interesting facts
• The REGISTER scan
• Dangerous
• Useful for cheap honeypots :-)
32. Enumeration of extensions
• Response to a REGISTER for a non-existent extension
• A different response indicates that the extension exists
• If the extension has no password it sends a 200 OK
• Otherwise asks for authentication
33. Enumeration of extensions (diagram)
[Diagram: REGISTER requests for extensions 100, 101 and 102 sent to the server (*)]
34. Enumeration of extensions (diagram)
[Diagram: the server's replies to the three REGISTERs: 404 Not found, 200 OK, 401 Auth required]
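An added example (not part of the talk's slides or of SIPVicious) showing the defender's side of the REGISTER enumeration on slides 32 to 34: a small parser for text SIP messages, run over a constructed trace, pairs each REGISTER with its reply by Call-ID and flags a sender that walks through extensions, recording which ones answered 401 (extension exists, wants auth) and which bound with 200 OK and no challenge (no password set). The hostnames, IPs and Call-IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample trace (not from the talk): (sender IP, raw SIP message).
# 203.0.113.9 walks extensions 100-103, 192.0.2.5 is one ordinary phone, the PBX is 10.0.0.1.
def _reg(ext, cid):
    return f"REGISTER sip:pbx.example.net SIP/2.0\r\nTo: <sip:{ext}@pbx.example.net>\r\nCall-ID: {cid}\r\n\r\n"

def _reply(code, reason, ext, cid):
    return f"SIP/2.0 {code} {reason}\r\nTo: <sip:{ext}@pbx.example.net>\r\nCall-ID: {cid}\r\n\r\n"

TRACE = [
    ("203.0.113.9", _reg("100", "c1")), ("10.0.0.1", _reply(404, "Not Found", "100", "c1")),
    ("203.0.113.9", _reg("101", "c2")), ("10.0.0.1", _reply(401, "Unauthorized", "101", "c2")),
    ("203.0.113.9", _reg("102", "c3")), ("10.0.0.1", _reply(200, "OK", "102", "c3")),
    ("203.0.113.9", _reg("103", "c4")), ("10.0.0.1", _reply(404, "Not Found", "103", "c4")),
    ("192.0.2.5", _reg("200", "p1")), ("10.0.0.1", _reply(401, "Unauthorized", "200", "p1")),
]

def parse_sip(raw):
    # SIP is text like HTTP: a start line, then "Name: value" headers up to a blank line.
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdr = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    m = re.search(r"sip:([^@>;]+)@", hdr.get("to", ""))
    first = lines[0].split(" ", 2)
    msg = {"call_id": hdr.get("call-id"), "ext": m.group(1) if m else None}
    if first[0].startswith("SIP/"):        # status line, e.g. "SIP/2.0 404 Not Found"
        msg["status"] = int(first[1])
    else:                                  # request line, e.g. "REGISTER sip:... SIP/2.0"
        msg["method"] = first[0]
    return msg

def detect_enumeration(trace, min_extensions=3):
    # Pair each REGISTER with its reply via Call-ID, then flag senders that probed many
    # distinct extensions. 401 = extension exists but wants auth; 200 with no challenge
    # = the extension bound without any password (slide 30).
    pending, probes = {}, defaultdict(dict)
    for src, raw in trace:
        msg = parse_sip(raw)
        if msg.get("method") == "REGISTER":
            pending[msg["call_id"]] = (src, msg["ext"])
        elif "status" in msg and msg["call_id"] in pending:
            src_ip, ext = pending.pop(msg["call_id"])
            probes[src_ip][ext] = msg["status"]
    report = {}
    for src_ip, res in probes.items():
        if len(res) >= min_extensions:
            report[src_ip] = {"probed": sorted(res),
                              "exists": sorted(e for e, s in res.items() if s == 401),
                              "open": sorted(e for e, s in res.items() if s == 200)}
    return report
```

The same pairing logic works on a proxy's SIP message log or a pcap export once each message is reduced to (sender, raw text); the single legitimate phone falls below the threshold and is not reported.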
50. But ...
• There are no SIP phones on the ‘net!
• There are ;-)
• The ‘net is full of Fritzbox
• Internal endpoints behind NAT
51. More at..
• EnableSecurity.com/research
• Sipvicious.org
• VOIPSA.org
52. Shoutouts!
• Sjur at usken.no
• dudes from .mt =)