Monday, August 30, 2010

BruCON Training: A crashcourse in pentesting VOIP networks (update)

We just updated the outline of the 2 day crashcourse on the main BruCON training website! In the coming days I'll be highlighting the modules to explain what each consist of. Training registration is from this page, and for any questions get in contact with Sn0rky or myself.
This is what it looks like:

Module 1: Introduction to VoIP technology, security threats and solutions
  1. Introduce the protocols
  2. Mitigation technologies
  3. How confidentiality / integrity / availability applies to VoIP
    1. fraud
    2. spying on phone calls
    3. modification of phone data
    4. denial of service
Module 2: Attacking signaling protocols
  1. SIP
    1. introduction to the protocol
    2. scanning for SIP
    3. attacking SIP
    4. exercises include:
      1. sniffing SIP
      2. scanning SIP
      3. SIP extension enumeration and online password cracking
      4. Avoiding toll / fraudulent calls
      5. INVITE floods
      6. Fuzzing SIP
      7. Using John the ripper to crack SIP passwords
  2. IAX2
    1. introduction to the protocol
    2. scanning for IAX2
    3. attacks on IAX2
    4. exercises include:
      1. online and offline password cracking
      2. scanning IAX2
  3. SCCP
    1. introduction to the protocol
    2. scanning for Cisco PBX / SCCP
    3. Attacks on SCCP
    4. exercises include:
      1. MiTM attacks using SCCP proxy
      2. Capture FAC code
      3. Callmanager hijack
  4. MGCP
    1. introduction to the protocol
    2. scanning for MGCP
    3. attacks on MGCP
    4. exercises include:
      1. Call fraud
      2. DoS on MGCP
      3. RTP redirection
  5. H.323
    1. introduction to the protocol
      1. H.225
      2. H.245
    2. scanning for H323
    3. attacks on H323
      1. Frames Injection
      2. DoS on H323
Module 3: Attacking the media
  1. Wiretapping
    1. Understanding the basics, ARP poisoning and other MiTM attacks
    2. exercises include using various tools, including Wireshark, for tapping VoIP calls
  2. RTP stream modification
    1. how it works
  3. Convert channels
    1. how it works, concepts and reality
Module 4: Attacking Unified Communications
  1. Trixbox / Elastix vulnerabilities
    1. default passwords are common
    2. TFTP abuse
    3. Spying on phone calls using your phone
    4. Privilege escalation
    5. Exercises include:
      1. spying on phone calls
      2. abusing Trixbox features
      3. exploitation of weak permissions
  2. Asterisk
    1. Dialplan injection
    2. Setting up a backdoor
  3. Hardware information gathering
    1. physical bridging
    2. passive ethernet tap
    3. bypassing lock / restrictions on the phone
    4. exercises include:
      1. hardware for tapping
      2. hardware phone abuse
  4. Cisco Unified Communications vulnerabilities
    1. Extension mobility abuse
    2. Webdialer
    3. CCMuser SQL injection
    4. Billing system
    5. Jailbreaking CUCM
    6. Exercises include:
    7. Jailbreaking CUCM
    8. Webdialer abuse

No comments: