Tuesday, September 7, 2010

BruCON Training: Module 4, Attacking Unified Communications

The final module in the upcoming pentesting VoIP crashcourse is the most exciting one. In this section we look at VoIP systems as a whole. Unified communications is one of those words that have been hyped up to include everything, from chat to video phone calls and SMS. What we will look at in this section is how to go about breaking into the following during a penetration test:
  1. Web application security flaws in Asterisk-based PBX servers
  2. Attacking various services open in PBX servers, such as TFTP
  3. How once you're on a PBX network, you can sometimes simply use your phone to spy on other phone calls
  4. How to make use of hardware taps 
  5. Hardware phone features that can be abused
  6. Abuse of various exposed features in Cisco call manager accessible on the HTTP server

This module will help familiarize the attendees with the target servers and system. Who knows, it may even give a kick-start to find some new 0-days in one of these Unified Communications solutions ;-)

Thursday, September 2, 2010

BruCON Training: Module 3, Attacking the media

This is part of the BruCON VoIP security crash course training intro. For more information about the course and to secure a place, check out the BruCON website.

We trust our phones with our sensitive data more than most other forms of communications. We may not trust sending our credit card number by email to the hotel. In the end we give it to them on the phone anyway, and it may not matter if the phone is a mobile phone or a VoIP phone.

Since VoIP phones look very much like traditional phones, most people are impressed to learn (the hard way) that they can be intercepted just like other devices and computers on the network. This is one of the topics covered in the third module. We will use readily available tools that will allow you to sniff phone calls over the network very easily. Tools include Wireshark, UCSniff and Cain and Abel.

These tools will handle RTP and codecs differently so we will see which ones are best for the job. 



As a penetration tester, you will encounter setups that try to prevent ARP cache poisoning and other attacks that allow for media interception. During this training we will look at each of these solutions and look how they can be often defeated.

When it comes to media, interception is not the only concern. There are tools that perform RTP injection, i.e. modify the RTP stream on the fly, which can make an interesting demonstration. Then there's convert channels, where an insider embeds his/her data inside the RTP stream.

Wednesday, September 1, 2010

BruCON Training: Module 2, Attacking signaling protocols

This is part of the BruCON VoIP security crash course training intro. For more information about the course and to secure a place, check out the BruCON website.

Most VoIP systems perform signaling using a protocol separate than the media transfer protocol. Signaling protocols allow VoIP systems to register, authenticate, and initiate phone calls and tends to carry a lot of intelligence with it. In this part of the training, Joffrey and myself will talk you through the following different signaling protocols and attacks that apply to these protocols:
  • SIP - an open standard
  • IAX2 - used by Asterisk PBX and compatible phones
  • SCCP (Skinny) - used by Cisco systems
  • MGCP - the media gateway control protocol, typically used between gateways and IVR systems
  • H.323 - found in gateways and older systems
The fun part? The exercises! We plan to use a hands-on approach rather than simply describe the protocols and attacks.



These are some of the practicals we have in store:

  1. Sniffing SIP, in order to understand how it all works and also spy on the metadata or signal
  2. Scanning SIP, to see how we can easily identify SIP devices very quickly using SIPVicious and other tools
  3. SIP extension enumeration and online password cracking, to understand better how VoIP attackers are in fact making phone calls for free at the expense of their victims
  4. Avoiding toll / fraudulent calls, featuring the main ways that attackers are abusing SIP PBX servers out there
  5. INVITE floods, which is still an effective attack and bring down various SIP enabled devices
  6. Fuzzing SIP, existent tools and their usage
  7. Using John the ripper to crack SIP passwords, which also includes capturing the SIP authentication messages and patching John the ripper to crack the hash
  8. Online and offline password cracking in IAX2, the tools and their usage
  9. Scanning IAX2 which allows us to find Asterisk servers
  10. MiTM attacks using SCCP proxy, which is a fun way of playing with the phones and can allow us to turn Cisco phones into remote spy bugs
  11. Capture FAC (Forced Authorization Codes) code, which is a restriction usually used in Cisco VoIP environments to allow / block international calls
  12. Call fraud with MGCP, since MGCP has little or no security
  13. DoS on MGCP, or how to cause your VoIP Gateway to go down
  14. RTP redirection, which can allow all sorts of fun (and sometimes profit)
  15. Callmanager hijack (details later ;-))
With all these exercises we expect all the attendees to get really busy and gain useful experience with the signaling protocols.