Thursday, December 10, 2009
Monday, October 5, 2009
Thursday, September 17, 2009
Joffrey will be focusing on Cisco and other vendors and I'm really looking forward to that! I, on the other hand, will be talking more about freely available software such as Asterisk, Trixbox and X-lite. Here's a small preview of what's to come:
- How to use siplib.py and iax2lib.py (used in VOIPPACK) to build security tools
- We'll build scanners and extension enumeration tools in both SIP and IAX2
- Showing that INVITE flood is just 3 lines of code which can bring down popular VoIP software (and we get to build those 3 lines of code!)
- Showing denial of service issues (patched) in Asterisk
- Reproducing the SIP digest leakage in less than 50 lines of code
- Demonstration of web related issues that affect PBX servers
- Showing how IPS systems can actually be harmful in the world of UDP
Monday, September 7, 2009
The presentation is called "Searching for phones on the Internet" and subtitled "Adventures with SIPVicious".
Will be posting more details on the presentation later on, but let's describe the new features in svmap.py:
- -d, --debug, which prints SIP messages received; very handy when you need to watch what's happening in the background
- -I scan1, --inputtext=scan1, allows you to specify a text file containing ranges of IP addresses just like you would on the command line; however, instead of putting a space between each range, you should put each range on a separate line
- --first=100, allows you to specify the number of SIP messages to send until svmap quits; this is useful when you have large ranges of IP addresses and you only want to scan the first few thousand addresses; works well with --randomize
- stats : allows you to extract some basic statistics from the session files (saved svmap output)
- search : which simply searches through svmap's sessions
hostname:sipviciousdir user$ svn update
Please send me any feedback to [email protected] and let me know if you found these new options useful.
Thursday, August 13, 2009
Lastly if you're around, send me an email.
Monday, July 27, 2009
- The difference between a traditional phone call and a VoIP phone call is discussed (signals and circuits versus packets)
- With VoIP various devices may be used: software (softphones) installed on a pc, VoIP gateways and IP Phones
- Discussion of caller ID spoofing and how it makes it harder for LE to tell whether the call is from a VoIP provider or a real number (anonymous calls)
- Vishing, the act of phishing by involving VoIP
- Actively tracing VoIP calls is almost impossible
- 911 emergency calls or VoIP E911 is mentioned
- There are 4 ways to identify VoIP usage: the Caller ID (which may be spoofed), Phone records (where tracing is similar to tracing the source of email), VoIP hardware (e.g. phones connected to ethernet) and VoIP software
- CALEA was updated in 2005 to cover VoIP providers so as to allow LE tapping, recording and tracing of phone calls
- Due to the international nature of the Internet, if the provider is not US-based, then it does not have to comply with these laws or LE requests
Friday, July 17, 2009
Using this tool consists of the following steps:
- Register an account and buy credit (or use the time limited promo SIPV to get some for free)
- Enter the IP address of your PBX server and scan away
- Receive a report by email that shows the findings
How does it work really?
VoIPScanner.com is making use of the next generation of SIPVicious (2.0) in the background and right now it does the following automatically:
- Checks if an IP PBX is listening on the given address
- Does extension enumeration, just like svwar in SIPVicious
- For each extension found it starts a password cracking attack
- Generates a PDF report such as this one
Sunday, May 10, 2009
What this means is that I'll be describing a healthy dose of SIP and IAX2 abuse together with various live and recorded demos. As usual my Twitter account will be getting some updates as long as I'm conscious and my laptop battery still has some juice left ;-)
Wednesday, April 15, 2009
My Twitter account will probably be getting a few updates ;-)
As a sidenote.. VOIPPACK now gets IAX2 support, with 3 additional tools. Most notable is IAX2autohack which is very similar to sipautohack but for the Asterisk protocol. The video demo can be found over here.
Tuesday, April 7, 2009
What is VOIPSCANNER.com?
VOIPSCANNER.COM makes scanning your public facing IP PBX for security holes easier than ever. No need for desktop applications or any software installation, just enter the IP address of your IP PBX and you will receive a report of what attackers out there might find about your IP PBX.
beta.voipscanner.com demo from Sandro Gauci on Vimeo.
Wednesday, April 1, 2009
SIP Digest Leak from Sandro Gauci on Vimeo.
Also started a new project called voipscanner.com which is currently in private beta. If you have an internet facing IP PBX that you'd like to scan, give me a ping ;-) You might just about qualify for the private beta. Public beta will be available later this week or earlier next week.
Tuesday, March 24, 2009
Have you been wondering about what sort of security vulnerabilities apply to the VoIP network that's coming up in your next assignment but have no equipment to test on yet?
Download the PDF version
Truth is that most of the time there is no need for a lot of expensive hardware to set up a basic lab for testing VoIP security.
Hope this helps!
Tuesday, March 17, 2009
I'm currently planning on a major update of SIPVicious - email me with your suggestions and VoIP needs please ;-) Cleaner and extensible code guaranteed.
VOIPPACK gets to target IP Phones this month, with 2 major new modules that highlight what can be done to both hardphones and softphones: Ghostcall and "SIP Digest Leak".
Ghostcall might remind some people of the movie "The Omega Man" where all phones ring at the same time. Of course, the phones in the movie are most probably not VoIP phones but could very well be.
Then there's "SIP Digest Leak" that highlights a vulnerability that affects many IP Phones. This tool allows penetration testers and other security dudes to force IP Phones to reveal the digest credentials and possibly recover the password used to access a PBX or a VoIP provider.
More information about these tools was posted on the EnableSecurity blog. Actual demonstration videos are on the Vimeo account. And here's a clip from "The Omega Man" showing a 70's version of Ghostcall:
Wednesday, February 18, 2009
IAX2Scan and AsteriskNOW_Exec - security testing for Asterisk from Sandro Gauci on Vimeo.
Wednesday, January 21, 2009
The West Australian is running a feature article on various (undisclosed) cases where PBX systems, some traditional while others are IP-based (and exposed on the Internet), were abused to make phone calls to foreign countries.
While looking for more information, an article from 2005 showed up which describes what happened to a couple of organizations (hospitals and businesses). The telco companies tend to ask the victim organizations to pay up the phone bill for calls that the phone phreaks made.
But now things are moving more towards the Internet, where attackers can be anywhere in the world and the cost of a packet is much less than that of a phonecall!
Tuesday, January 6, 2009
This video is a demo of sipautohack in action (looks and sounds better than the previous):
Demonstrating sipautohack from Sandro Gauci on Vimeo.
Some traffic is borne from custom tools, probably designed from stage one to conduct fraud. Other traffic is generated by publicly available tools such as SIPVicious. My suggestion is to scan your network with SIPVicious and remove any SIP devices that should not be exposed to the internet. If the VoIP system needs to be exposed, at least make sure that the user extension passwords are not predictable (use svcrack to test this).
Here are some blogs and articles that mentioned SIPVicious scans:
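To spot this kind of traffic on your own PBX, here is an added example (not from the original post and not part of SIPVicious) that reads registration-failure log lines and separates sources that walk through many extensions from sources that hammer one extension with passwords. The log format is modelled on Asterisk chan_sip notices and is an assumption, as are the thresholds and the names `classify_sources` and `build_sample_log`; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Pattern for registration-failure notices in the style of Asterisk's chan_sip
# log (assumed format, IPv4 only; adapt it to what your PBX actually writes).
FAILURE = re.compile(
    r"Registration from '[^']*<sip:(?P<ext>[^@>]+)@[^>]*>' failed for "
    r"'(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def build_sample_log():
    """Constructed log lines (documentation addresses), not real traffic."""
    tmpl = ("[2009-01-06 10:00:{s:02d}] NOTICE[2578] chan_sip.c: Registration from "
            "'\"{e}\" <sip:{e}@192.0.2.10>' failed for '{src}' - {why}")
    rows = [(e, "198.51.100.7", "No matching peer found") for e in range(100, 108)]
    rows += [(101, "203.0.113.9", "Wrong password")] * 6
    rows += [(105, "192.0.2.55", "Wrong password")]  # one mistyped password
    return "\n".join(tmpl.format(s=i, e=e, src=src, why=why)
                     for i, (e, src, why) in enumerate(rows))

def classify_sources(log_text, enum_threshold=5, guess_threshold=5):
    """Map source IP -> labels for enumeration or password-guessing patterns."""
    unknown = defaultdict(set)                      # src -> nonexistent extensions tried
    wrong = defaultdict(lambda: defaultdict(int))   # src -> ext -> bad passwords
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue  # not a registration failure, ignore
        src, ext, reason = m["src"], m["ext"], m["reason"].strip()
        if reason == "No matching peer found":
            unknown[src].add(ext)
        elif reason == "Wrong password":
            wrong[src][ext] += 1
    findings = {}
    for src in sorted(set(unknown) | set(wrong)):
        labels = []
        if len(unknown[src]) >= enum_threshold:
            labels.append("extension-enumeration")
        hit = sorted(e for e, n in wrong[src].items() if n >= guess_threshold)
        if hit:
            labels.append("password-guessing:" + ",".join(hit))
        if labels:
            findings[src] = labels
    return findings

if __name__ == "__main__":
    for src, labels in classify_sources(build_sample_log()).items():
        print(src, labels)
```

A single failed login, such as the one from 192.0.2.55 in the sample, stays below both thresholds and is not reported.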
drop me an email.