SlideShare a Scribd company logo

VoIP Wars: The Phreakers Awaken

Fatih Ozavci
Fatih Ozavci

This document discusses vulnerabilities in voice over IP (VoIP) and unified communications systems. It begins by introducing the speaker and their background in VoIP security. It then outlines various attack vectors such as exploiting vulnerabilities in signaling protocols, message content, and unified messaging features to inject malicious content or execute code. The document emphasizes that securing UC involves more than just securing VoIP, and recommends approaches like secure infrastructure design, authentication, and client protection to help secure these systems.

Technology
1 of 42
Download to read offline
VOIP WARS: THE PHREAKERS AWAKEN Fatih Ozavci – @fozavci Managing Consultant – Context Information Security
2 Fatih Ozavci, Managing Consultant VoIP & phreaking Mobile applications and devices Network infrastructure CPE, hardware and IoT hacking Author of Viproy and VoIP Wars Public speaker and trainer  Blackhat, Defcon, HITB, AusCert, Troopers
3 Fundamentals Design Vulnerabilities Practical UC Attacks UC and IMS fundamentals Security issues and vulnerabilities Practical attacks Securing communication services
4 Audio Call TDM Alice Bob
5 Alice Signalling Media RTP Proxy SIP Server Bob
6 Alice Signalling Media RTP Proxy SIP Server Bob
7 Alice Signalling Media RTP Proxy SIP Server Bob
8 1- REGISTER 1- 200 OK 2- INVITE SDP/XML 2- 100 Trying 3- INVITE SDP/XML 3- 200 OK SDP/XML 4- ACK RTP RTP 4- 200 OK SDP/XML SIP Server Phone A Phone BRTP Proxy RTP Proxy RTP SIP Headers • Caller ID • Billing SIP Content • SDP • Enc. Keys RTP Content • Audio/Video • File sharing • RDP
9
10
11 VoIP Server Windows Server Office Server Active Directory Virtual Machines 1 2 ABC 3 DEF 4 5 JKL 6 MNOGHI 7 8 TUV 9 WXYZPQRS * 0 OPER # ? + - CISCO IP PHONE 7970 SERIES
12 SIP & Media Server Database Server Tenant Services Management Applications Client Applications PBX Shared Services 1 2 ABC 3 DEF 4 5 JKL 6 MNOGHI 7 8 TUV 9 WXYZPQRS * 0 OPER # ? + - CISCO IP PHONE 7970 SERIES
13 Edge Server sky.com Edge Server kenobi.com DNS Server DNS / SRV DNS / SRV SIP / RTP Kenobi Corp Phone X x@kenobi.com VoIP Server Windows Server Office Server Active Directory Virtual Machines Phone A a@sky.com Skywalker Corp Phone B b@sky.com Phone C c@sky.com
14 Call Session Control Function (P-CSCF, S-CSCF, I-CSCF) VoLTE/LTE Infrastructure Mobile Subscribers UC/VoIP Subscribers Session Border Controller (SBC) Session Border Controller (SBC) ACCESS NETWORK ACCESS NETWORKCORE NETWORK Application Server (AS) Home Subscriber Server (HSS) Media Resource Function MRFC / MRFP
15 Inter-vendor security issues INSUFFICIENT client management Missing client monitoring Missing software updates NO SIP/SDP or message filtering Centralised attack deployment Internal trust relationships Meeting and conferencing options Flexible collaboration options
16 Content transferred to clients SIP/SDP content (e.g. format, codecs) Rich messaging (e.g. rtf, html, audio) Unified messaging Injecting files, XSS, phishing, RCE File transfers, embedded content Communication subsystem Call or SIP headers Rarely secured protocols (e.g. MSRP)
17 Engage through a first contact point UC messaging, conference invitation, courtesy phones Combine old and new techniques Use UC for malicious activities (e.g. MS-RTASPF)
18 Red Teaming Exercises Courtesy phones, conference rooms, media gateways Human Factor Testing Vishing, smishing, instant messaging, UC exploits Infrastructure Analysis Toll fraud, caller ID spoofing, TDoS/DDoS Application Security Assessments Management portals, self-care portals WebRTC, VoIP/UC apps, IVR software
19 Service requirements Cloud, subscriber services, IMS Billing, recordings, CDR, encryption Trusted servers and gateways SIP proxies, federations, SBCs SIP headers used (e.g. ID, billing) Tele/Video conference settings Analyse the encryption design SIP/(M)TLS, SRTP (SDES, ZRTP, MIKEY)
20 SIP header analysis  Caller ID spoofing, billing bypass Communication types allowed  File transfer, RDP, MSRP, teleconference Message content-types allowed  XSS, corrupted RTF, HTML5, images Conference and collaboration Fuzzing clients and servers  SIP headers, SDP content, file types  Combine with known attacks
21 Attacks with NO user interaction Calls with caller ID spoofing Fake IVR, social engineering Messages with caller ID spoofing Smishing (e.g. fake software update) Injected XSS, file-type exploits Bogus content-types or messages Meetings, multi-callee events Attacking infrastructure Raspberry PI with PoE, Eavesdropping
22 Unified Communication Solutions  Cisco Hosted Collaboration Suite  Microsoft Skype for Business (a.k.a Lync)  Free software (e.g. Kamalio, OpenIMS)  Other vendors (Avaya, Alcatel, Huawei) Attacking through  Signalling services  Messaging, voicemail and conference system  Cloud management and billing  Authorisation scheme  Client services (self-care, IP phone services)
23 Vulnerable CPE Credential extraction Attacking through embedded devices Insecurely located distributors Hardware hacking, eavesdropping SIP header and manipulation for Toll Fraud Attacking legacy systems (e.g. Nortel?) Voicemail hijacking
24 Analysing encryption design Implementation (e.g. SRTP, SIP/TLS) Inter-vendor SRTP key exchange Privacy and PCI compliance Network segregation IVR recordings (e.g. RTP events) Eavesdropping Call recordings security
25 Inter-vendor services design Network and service segregation *CSCF locations, SBC services used VoLTE design, application services SIP headers are very sensitive Internal trust relationships Filtered/Ignored SIP headers Caller ID spoofing, Billing bypass Encryption design (SIP, SRTP, MSRP)
26 Viproy VoIP Penetration Testing Kit (v4) VoIP modules for Metasploit Framework SIP, Skinny and MSRP services SIP authentication, fuzzing, business logic tests Cisco CUCDM exploits, trust analyser... Viproxy MITM Security Analyser (v3) A standalone Metasploit Framework module Supports TCP/TLS interception with custom TLS certs Provides a command console to analyse custom protocols
27 Cloud communications SIP header tests, caller ID spoofing, Billing bypass, hijacking IP phones Signalling services Attacking tools for SIP and Skinny Advanced SIP attacks  Proxy bounce, SIP trust hacking  Custom headers, custom message-types UC tests w/ Viproxy + Real Client
28 SIGNALLING / MESSAGING • SDP / XML • SIP Headers • XMPP • MSRP CONTENT • Message types (HTML, RTF, Docs) • File types (Docs, Codecs) • Caller ID Spoofing • DoS / TDoS / Robocalls, Smishing FORWARDED REQUESTS • Call Settings • Message Content NO USER INTERACTION • Call request parsing • Message content parsing • 3rd party libraries reachable
29
31 Unified Messaging Message types (e.g. rtf, html, images) Message content (e.g. JavaScript) File transfers and sharing features Code or script execution (e.g. SFB) Encoding (e.g. Base64, Charset) Various protocols MSRP, XMPP, SIP/MESSAGE Combining other attacks
32 MANIPULATE SIP CONTENT INJECT MALICIOUS SUBJECTS SEND PHISHING MESSAGES Skype for Business Attacker’s Client Viproxy Interactive Console HACME 1 HACME 2 HACME 3 Attacker’s Client TLS / Proxy Certificate Compression Console Enabling Features Content Injection Security Bypass
34 UC content forwarded to UC clients (NO interaction) SIP INVITE headers Message content SIP/SDP content Office 365 Federations *MS15-123 Skype for Business Attacker’s Client Viproxy Skype for Business Server Changed Request Forwarded Request Call Request
35 URL filter bypass via JavaScript <script>var u1="ht"; u2="tp"; u3="://";o="w"; k="."; i=""; u4=i.concat(o,o,o,k); window.location=u1+u2+u3+u4+"viproy.com"</script> Script execution via SIP messages <script>window.location="viproy.com"</script> Script execution via SIP headers Ms-IM-Format: text/html; charset=UTF-8; ms- body=PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cudmlwc m95LmNvbSI8L3NjcmlwdD4=
36 Attacking through a PBX or proxy Sending a meeting request Using a CUSTOM SIP header Waiting for the shells Viproy Skype for Business Server SIP PBX Server Forwarded Meeting Request Meeting Request (Attack in SIP headers) PRIVATE NETWORK Forwarded Requests
38 Secure design Enforce security via SBCs Messaging, SIP headers, meetings… Enforce authentication Secure inter-vendor configuration Protect the legacy systems Protect the clients
39 Securing Unified Communications (UC) is NOT just securing VoIP. Brace yourselves, VoIP/UC are attacks are coming. #TaylorYourCommunicationSecurity !
40 Viproy VoIP Penetration Testing Kit http://www.viproy.com Context Information Security http://www.contextis.com
QUESTIONS?
THANKS!

Recommended

Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!
Fatih Ozavci
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
Fatih Ozavci
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
Luthfi Widyanto
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacks
n|u - The Open Security Community
 
Metaploit
MetaploitMetaploit
Metaploit
Ajinkya Pathak
 
Bettercap
BettercapBettercap
Bettercap
Shritesh Bhattarai
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest link
PositiveTechnologies
 

Recommended

Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!
Fatih Ozavci
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
Fatih Ozavci
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
Luthfi Widyanto
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacks
n|u - The Open Security Community
 
Metaploit
MetaploitMetaploit
Metaploit
Ajinkya Pathak
 
Bettercap
BettercapBettercap
Bettercap
Shritesh Bhattarai
 
SS7: 2G/3G's weakest link
SS7: 2G/3G's weakest linkSS7: 2G/3G's weakest link
SS7: 2G/3G's weakest link
PositiveTechnologies
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
itmind4u
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
Rashad Aliyev
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
Ramnath Shenoy
 
Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)
Chris Hammond-Thrasher
 
Firewall
FirewallFirewall
Firewall
Mudasser Afzal
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
PositiveTechnologies
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
BGA Cyber Security
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
TayabaZahid
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
devilback
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
Fatih Ozavci
 
NMAP
NMAPNMAP
NMAP
PrateekAryan1
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
Shyama Bhuvanendran
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )
Kashyap Mandaliya
 
Kablosuz Ağlarda Güvenlik
Kablosuz Ağlarda GüvenlikKablosuz Ağlarda Güvenlik
Kablosuz Ağlarda Güvenlik
BGA Cyber Security
 
NMap
NMapNMap
NMap
Pritesh Raka
 
Yeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
Yeni Nesil DDOS Saldırıları ve Korunma YöntemleriYeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
Yeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
BGA Cyber Security
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
M.Syarifudin, ST, OSCP, OSWP
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle Attack
Deepak Upadhyay
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
Aman Srivastava
 
Indigo Product And Technology Overivew 2005
Indigo Product And Technology Overivew 2005 Indigo Product And Technology Overivew 2005
Indigo Product And Technology Overivew 2005
ir. Carmelo Zaccone
 
Take a sip of sip
Take a sip of sipTake a sip of sip
Take a sip of sip
LuxoftTraining
 

More Related Content

What's hot

Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
devilback
 

What's hot (20)

Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
 
Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)
 
Firewall
FirewallFirewall
Firewall
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
 
NMAP
NMAPNMAP
NMAP
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )
 
Kablosuz Ağlarda Güvenlik
Kablosuz Ağlarda GüvenlikKablosuz Ağlarda Güvenlik
Kablosuz Ağlarda Güvenlik
 
NMap
NMapNMap
NMap
 
Yeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
Yeni Nesil DDOS Saldırıları ve Korunma YöntemleriYeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
Yeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle Attack
 
Mobile security
Mobile securityMobile security
Mobile security
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 

Similar to VoIP Wars: The Phreakers Awaken

Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In Voip
Waqas Daar
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
Fatih Ozavci
 
Privacy Enhanced RTP Conferencing with WebRTC - PERC
Privacy Enhanced RTP Conferencing with WebRTC - PERCPrivacy Enhanced RTP Conferencing with WebRTC - PERC
Privacy Enhanced RTP Conferencing with WebRTC - PERC
Arnaud BUDKIEWICZ
 
Understanding VoIP - 1
Understanding VoIP - 1Understanding VoIP - 1
Understanding VoIP - 1
Adebayo Ojo
 
Sinnreich Henry Johnston Alan Pt 1
Sinnreich Henry Johnston Alan Pt 1Sinnreich Henry Johnston Alan Pt 1
Sinnreich Henry Johnston Alan Pt 1
Carl Ford
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
Suhas Desai
 

Similar to VoIP Wars: The Phreakers Awaken (20)

Indigo Product And Technology Overivew 2005
Indigo Product And Technology Overivew 2005 Indigo Product And Technology Overivew 2005
Indigo Product And Technology Overivew 2005
 
Take a sip of sip
Take a sip of sipTake a sip of sip
Take a sip of sip
 
Tlc 004 - take a sip of sip
Tlc 004 - take a sip of sipTlc 004 - take a sip of sip
Tlc 004 - take a sip of sip
 
Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In Voip
 
SBC: Do I really need it?
SBC: Do I really need it?SBC: Do I really need it?
SBC: Do I really need it?
 
OST Market - Hybrid Case Histories
OST Market - Hybrid Case HistoriesOST Market - Hybrid Case Histories
OST Market - Hybrid Case Histories
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
 
Oki Printers, Audiocodes
Oki Printers, AudiocodesOki Printers, Audiocodes
Oki Printers, Audiocodes
 
Yeastar My pbx soho_datasheet_en
Yeastar My pbx soho_datasheet_enYeastar My pbx soho_datasheet_en
Yeastar My pbx soho_datasheet_en
 
Expocomm VoIP Presentation
Expocomm VoIP PresentationExpocomm VoIP Presentation
Expocomm VoIP Presentation
 
Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
 
Privacy Enhanced RTP Conferencing with WebRTC - PERC
Privacy Enhanced RTP Conferencing with WebRTC - PERCPrivacy Enhanced RTP Conferencing with WebRTC - PERC
Privacy Enhanced RTP Conferencing with WebRTC - PERC
 
Understanding VoIP - 1
Understanding VoIP - 1Understanding VoIP - 1
Understanding VoIP - 1
 
Sinnreich Henry Johnston Alan Pt 1
Sinnreich Henry Johnston Alan Pt 1Sinnreich Henry Johnston Alan Pt 1
Sinnreich Henry Johnston Alan Pt 1
 
Current trends and innovations in voice over IP
Current trends and innovations in voice over IPCurrent trends and innovations in voice over IP
Current trends and innovations in voice over IP
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
 
SIP servers on embedded systems: Powering SoHo communications
SIP servers on embedded systems: Powering SoHo communicationsSIP servers on embedded systems: Powering SoHo communications
SIP servers on embedded systems: Powering SoHo communications
 
Audiocodes, Plantronics Cisco
Audiocodes, Plantronics CiscoAudiocodes, Plantronics Cisco
Audiocodes, Plantronics Cisco
 
SIP info
SIP infoSIP info
SIP info
 

More from Fatih Ozavci

Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Fatih Ozavci
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik Denetimi
Fatih Ozavci
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit Gelistirme
Fatih Ozavci
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
Fatih Ozavci
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP Gateways
Fatih Ozavci
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Fatih Ozavci
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar
Fatih Ozavci
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur Yazilimlar
Fatih Ozavci
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri Yontemleri
Fatih Ozavci
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Fatih Ozavci
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik Denetimi
Fatih Ozavci
 

More from Fatih Ozavci (14)

Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
 
Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik Denetimi
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi Koruyun
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik Denetimi
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit Gelistirme
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP Gateways
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur Yazilimlar
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri Yontemleri
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik Denetimi
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

VoIP Wars: The Phreakers Awaken

  • 1. VOIP WARS: THE PHREAKERS AWAKEN Fatih Ozavci – @fozavci Managing Consultant – Context Information Security
  • 2. 2 Fatih Ozavci, Managing Consultant VoIP & phreaking Mobile applications and devices Network infrastructure CPE, hardware and IoT hacking Author of Viproy and VoIP Wars Public speaker and trainer  Blackhat, Defcon, HITB, AusCert, Troopers
  • 3. 3 Fundamentals Design Vulnerabilities Practical UC Attacks UC and IMS fundamentals Security issues and vulnerabilities Practical attacks Securing communication services
  • 8. 8 1- REGISTER 1- 200 OK 2- INVITE SDP/XML 2- 100 Trying 3- INVITE SDP/XML 3- 200 OK SDP/XML 4- ACK RTP RTP 4- 200 OK SDP/XML SIP Server Phone A Phone BRTP Proxy RTP Proxy RTP SIP Headers • Caller ID • Billing SIP Content • SDP • Enc. Keys RTP Content • Audio/Video • File sharing • RDP
  • 9. 9
  • 10. 10
  • 12. 12 SIP & Media Server Database Server Tenant Services Management Applications Client Applications PBX Shared Services 1 2 ABC 3 DEF 4 5 JKL 6 MNOGHI 7 8 TUV 9 WXYZPQRS * 0 OPER # ? + - CISCO IP PHONE 7970 SERIES
  • 13. 13 Edge Server sky.com Edge Server kenobi.com DNS Server DNS / SRV DNS / SRV SIP / RTP Kenobi Corp Phone X x@kenobi.com VoIP Server Windows Server Office Server Active Directory Virtual Machines Phone A a@sky.com Skywalker Corp Phone B b@sky.com Phone C c@sky.com
  • 14. 14 Call Session Control Function (P-CSCF, S-CSCF, I-CSCF) VoLTE/LTE Infrastructure Mobile Subscribers UC/VoIP Subscribers Session Border Controller (SBC) Session Border Controller (SBC) ACCESS NETWORK ACCESS NETWORKCORE NETWORK Application Server (AS) Home Subscriber Server (HSS) Media Resource Function MRFC / MRFP
  • 15. 15 Inter-vendor security issues INSUFFICIENT client management Missing client monitoring Missing software updates NO SIP/SDP or message filtering Centralised attack deployment Internal trust relationships Meeting and conferencing options Flexible collaboration options
  • 16. 16 Content transferred to clients SIP/SDP content (e.g. format, codecs) Rich messaging (e.g. rtf, html, audio) Unified messaging Injecting files, XSS, phishing, RCE File transfers, embedded content Communication subsystem Call or SIP headers Rarely secured protocols (e.g. MSRP)
  • 17. 17 Engage through a first contact point UC messaging, conference invitation, courtesy phones Combine old and new techniques Use UC for malicious activities (e.g. MS-RTASPF)
  • 18. 18 Red Teaming Exercises Courtesy phones, conference rooms, media gateways Human Factor Testing Vishing, smishing, instant messaging, UC exploits Infrastructure Analysis Toll fraud, caller ID spoofing, TDoS/DDoS Application Security Assessments Management portals, self-care portals WebRTC, VoIP/UC apps, IVR software
  • 19. 19 Service requirements Cloud, subscriber services, IMS Billing, recordings, CDR, encryption Trusted servers and gateways SIP proxies, federations, SBCs SIP headers used (e.g. ID, billing) Tele/Video conference settings Analyse the encryption design SIP/(M)TLS, SRTP (SDES, ZRTP, MIKEY)
  • 20. 20 SIP header analysis  Caller ID spoofing, billing bypass Communication types allowed  File transfer, RDP, MSRP, teleconference Message content-types allowed  XSS, corrupted RTF, HTML5, images Conference and collaboration Fuzzing clients and servers  SIP headers, SDP content, file types  Combine with known attacks
  • 21. 21 Attacks with NO user interaction Calls with caller ID spoofing Fake IVR, social engineering Messages with caller ID spoofing Smishing (e.g. fake software update) Injected XSS, file-type exploits Bogus content-types or messages Meetings, multi-callee events Attacking infrastructure Raspberry PI with PoE, Eavesdropping
  • 22. 22 Unified Communication Solutions  Cisco Hosted Collaboration Suite  Microsoft Skype for Business (a.k.a Lync)  Free software (e.g. Kamalio, OpenIMS)  Other vendors (Avaya, Alcatel, Huawei) Attacking through  Signalling services  Messaging, voicemail and conference system  Cloud management and billing  Authorisation scheme  Client services (self-care, IP phone services)
  • 23. 23 Vulnerable CPE Credential extraction Attacking through embedded devices Insecurely located distributors Hardware hacking, eavesdropping SIP header and manipulation for Toll Fraud Attacking legacy systems (e.g. Nortel?) Voicemail hijacking
  • 24. 24 Analysing encryption design Implementation (e.g. SRTP, SIP/TLS) Inter-vendor SRTP key exchange Privacy and PCI compliance Network segregation IVR recordings (e.g. RTP events) Eavesdropping Call recordings security
  • 25. 25 Inter-vendor services design Network and service segregation *CSCF locations, SBC services used VoLTE design, application services SIP headers are very sensitive Internal trust relationships Filtered/Ignored SIP headers Caller ID spoofing, Billing bypass Encryption design (SIP, SRTP, MSRP)
  • 26. 26 Viproy VoIP Penetration Testing Kit (v4) VoIP modules for Metasploit Framework SIP, Skinny and MSRP services SIP authentication, fuzzing, business logic tests Cisco CUCDM exploits, trust analyser... Viproxy MITM Security Analyser (v3) A standalone Metasploit Framework module Supports TCP/TLS interception with custom TLS certs Provides a command console to analyse custom protocols
  • 27. 27 Cloud communications SIP header tests, caller ID spoofing, Billing bypass, hijacking IP phones Signalling services Attacking tools for SIP and Skinny Advanced SIP attacks  Proxy bounce, SIP trust hacking  Custom headers, custom message-types UC tests w/ Viproxy + Real Client
  • 28. 28 SIGNALLING / MESSAGING • SDP / XML • SIP Headers • XMPP • MSRP CONTENT • Message types (HTML, RTF, Docs) • File types (Docs, Codecs) • Caller ID Spoofing • DoS / TDoS / Robocalls, Smishing FORWARDED REQUESTS • Call Settings • Message Content NO USER INTERACTION • Call request parsing • Message content parsing • 3rd party libraries reachable
  • 29. 29
  • 30.
  • 31. 31 Unified Messaging Message types (e.g. rtf, html, images) Message content (e.g. JavaScript) File transfers and sharing features Code or script execution (e.g. SFB) Encoding (e.g. Base64, Charset) Various protocols MSRP, XMPP, SIP/MESSAGE Combining other attacks
  • 32. 32 MANIPULATE SIP CONTENT INJECT MALICIOUS SUBJECTS SEND PHISHING MESSAGES Skype for Business Attacker’s Client Viproxy Interactive Console HACME 1 HACME 2 HACME 3 Attacker’s Client TLS / Proxy Certificate Compression Console Enabling Features Content Injection Security Bypass
  • 33.
  • 34. 34 UC content forwarded to UC clients (NO interaction) SIP INVITE headers Message content SIP/SDP content Office 365 Federations *MS15-123 Skype for Business Attacker’s Client Viproxy Skype for Business Server Changed Request Forwarded Request Call Request
  • 35. 35 URL filter bypass via JavaScript <script>var u1="ht"; u2="tp"; u3="://";o="w"; k="."; i=""; u4=i.concat(o,o,o,k); window.location=u1+u2+u3+u4+"viproy.com"</script> Script execution via SIP messages <script>window.location="viproy.com"</script> Script execution via SIP headers Ms-IM-Format: text/html; charset=UTF-8; ms- body=PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cudmlwc m95LmNvbSI8L3NjcmlwdD4=
  • 36. 36 Attacking through a PBX or proxy Sending a meeting request Using a CUSTOM SIP header Waiting for the shells Viproy Skype for Business Server SIP PBX Server Forwarded Meeting Request Meeting Request (Attack in SIP headers) PRIVATE NETWORK Forwarded Requests
  • 37.
  • 38. 38 Secure design Enforce security via SBCs Messaging, SIP headers, meetings… Enforce authentication Secure inter-vendor configuration Protect the legacy systems Protect the clients
  • 39. 39 Securing Unified Communications (UC) is NOT just securing VoIP. Brace yourselves, VoIP/UC are attacks are coming. #TaylorYourCommunicationSecurity !
  • 40. 40 Viproy VoIP Penetration Testing Kit http://www.viproy.com Context Information Security http://www.contextis.com