Tuesday, August 31, 2010

BruCON Training: Module 1, An Introduction to ...

An Introduction to VoIP technology, security threats and solutions, module 1. This module allow us to set the stage for the rest of the training. We will introduce the players - Asterisk, Cisco unified communications and other products. We will introduce the protocols briefly - SIP, SCCP (Skinny), IAX2, H.323 and MGCP. We will also look at how VLANs and other solutions are used to provide security (and where they fail).

We will then focus on security in terms of confidentiality, integrity and availability without going into too much detail (just to wet your appetite ;-)).

When it comes to VoIP, confidentiality ensures that the communications - phone calls and any signaling data - cannot be spied upon. Confidentiality is a major weakness in the case of many VoIP systems. One obvious security issue is when internal attackers spy on phone calls by sniffing the RTP stream. However this is not the only attack vector. We will give examples of tricks that can be pulled off by external attackers that allow them to compromise confidentiality remotely, without (layer 2) access to the network.

Caller ID spoofing, toll fraud and modification of signal or media affects the integrity of the VoIP system. In this section we will look at these and various other security flaws that do not necessarily allow attackers to gain illegal access to confidential information. These security flaws however, may allow attackers to cause organizations to loose large sums of money.

This tends to be the security flaw that really affects organizations directly. When the phone system is down, many organizations suffer. This is especially true for call centers, which base their revenues on phone calls. With VoIP, attackers can abuse flaws at various levels to cause denial of service. In this section we will introduce some attacks that are specific to VoIP and others that affect systems in general.

Monday, August 30, 2010

BruCON Training: A crashcourse in pentesting VOIP networks (update)

We just updated the outline of the 2 day crashcourse on the main BruCON training website! In the coming days I'll be highlighting the modules to explain what each consist of. Training registration is from this page, and for any questions get in contact with Sn0rky or myself.
This is what it looks like:

Module 1: Introduction to VoIP technology, security threats and solutions
  1. Introduce the protocols
  2. Mitigation technologies
  3. How confidentiality / integrity / availability applies to VoIP
    1. fraud
    2. spying on phone calls
    3. modification of phone data
    4. denial of service
Module 2: Attacking signaling protocols
  1. SIP
    1. introduction to the protocol
    2. scanning for SIP
    3. attacking SIP
    4. exercises include:
      1. sniffing SIP
      2. scanning SIP
      3. SIP extension enumeration and online password cracking
      4. Avoiding toll / fraudulent calls
      5. INVITE floods
      6. Fuzzing SIP
      7. Using John the ripper to crack SIP passwords
  2. IAX2
    1. introduction to the protocol
    2. scanning for IAX2
    3. attacks on IAX2
    4. exercises include:
      1. online and offline password cracking
      2. scanning IAX2
  3. SCCP
    1. introduction to the protocol
    2. scanning for Cisco PBX / SCCP
    3. Attacks on SCCP
    4. exercises include:
      1. MiTM attacks using SCCP proxy
      2. Capture FAC code
      3. Callmanager hijack
  4. MGCP
    1. introduction to the protocol
    2. scanning for MGCP
    3. attacks on MGCP
    4. exercises include:
      1. Call fraud
      2. DoS on MGCP
      3. RTP redirection
  5. H.323
    1. introduction to the protocol
      1. H.225
      2. H.245
    2. scanning for H323
    3. attacks on H323
      1. Frames Injection
      2. DoS on H323
Module 3: Attacking the media
  1. Wiretapping
    1. Understanding the basics, ARP poisoning and other MiTM attacks
    2. exercises include using various tools, including Wireshark, for tapping VoIP calls
  2. RTP stream modification
    1. how it works
  3. Convert channels
    1. how it works, concepts and reality
Module 4: Attacking Unified Communications
  1. Trixbox / Elastix vulnerabilities
    1. default passwords are common
    2. TFTP abuse
    3. Spying on phone calls using your phone
    4. Privilege escalation
    5. Exercises include:
      1. spying on phone calls
      2. abusing Trixbox features
      3. exploitation of weak permissions
  2. Asterisk
    1. Dialplan injection
    2. Setting up a backdoor
  3. Hardware information gathering
    1. physical bridging
    2. passive ethernet tap
    3. bypassing lock / restrictions on the phone
    4. exercises include:
      1. hardware for tapping
      2. hardware phone abuse
  4. Cisco Unified Communications vulnerabilities
    1. Extension mobility abuse
    2. Webdialer
    3. CCMuser SQL injection
    4. Billing system
    5. Jailbreaking CUCM
    6. Exercises include:
    7. Jailbreaking CUCM
    8. Webdialer abuse