Cutting Edge VoIP Security Issues Color - PowerPoint PPT Presentation

Hacking Exposed: VoIP. Mark D. Collier, Chief Technology Officer, mark.collier@securelogix.com, www.securelogix.com

Slides: 145
Transcript and Presenter's Notes

1
Hacking Exposed VoIP
Mark D. Collier, Chief Technology Officer
mark.collier@securelogix.com
www.securelogix.com
2
Hacking Exposed VoIP
  • We took on this project because there were no
    practical books on enterprise VoIP security that
    gave examples of how hackers attack VoIP
    deployments and explained to administrators how
    to defend against these attacks.
  • We spent more than a year of research writing new
    VoIP security tools, using them to test the
    latest VoIP products, and scouring VoIP
    state-of-the-art security.
  • This tutorial is based on material from the book.
  • The book was published December 1, 2006
    (http://www.hackingvoip.com, 536 pages)

3
Outline
Outline
  • Overview
  • Gathering Information
  • Footprinting
  • Scanning
  • Enumeration
  • Attacking the Network
  • Network Infrastructure Denial of Service
  • Network Eavesdropping
  • Network and Application Interception

4
Outline
Outline
  • Attacking Vendor Platforms
  • Avaya
  • Cisco
  • Attacking the Application
  • Fuzzing
  • Disruption of Service
  • Signaling and Media Manipulation

5
Outline
Outline
  • Social Attacks
  • Voice SPAM/SPIT
  • Voice Phishing

6
Introduction
Introduction
  • VoIP systems are vulnerable
  • Platforms, networks, and applications are
    vulnerable
  • VoIP-specific attacks are becoming more common
  • Security isn't always a consideration during
    deployment
  • The threat is increasing
  • VoIP deployment is growing
  • Deployments are critical to business operations
  • Greater integration with the data network
  • More attack tools being published
  • The hacking community is taking notice

7
Introduction: Layers of Security
Introduction
8
Introduction: Campus VoIP
(Diagram: TDM phones and TDM trunks connect to the
public voice network; the IP PBX and IP phones sit on
the voice VLAN; PCs sit on the data VLAN; an Internet
connection links the campus to the Internet.)
9
Introduction: Public VoIP
(Diagram: as in the campus case, but the public voice
network is reached over a VoIP connection instead of
TDM trunks; the IP PBX and IP phones sit on the voice
VLAN, PCs on the data VLAN, with an Internet
connection to the Internet.)
10
Gathering Information
Gathering Information
  • This is the process a hacker goes through to
    gather information about your organization and
    prepare their attack
  • Consists of
  • Footprinting
  • Scanning
  • Enumeration

11
Footprinting
Gathering Information: Footprinting
  • Steps taken by a hacker to learn about your
    enterprise before they start the actual attack
  • Consists of
  • Public website research
  • Google hacking
  • Using WHOIS and DNS

12
Public Website Research: Introduction
Gathering Information: Footprinting
  • An enterprise website often contains a lot of
    information that is useful to a hacker
  • Organizational structure and corporate locations
  • Help and technical support
  • Job listings
  • Phone numbers and extensions

13
Public Website Research: Organization Structure
Gathering Information: Footprinting
14
Public Website Research: Corporate Locations
Gathering Information: Footprinting
15
Public Website Research: Helpdesk
Gathering Information: Footprinting
16
Public Website Research: Helpdesk
Gathering Information: Footprinting
17
Public Website Research: Job Listings
Gathering Information: Footprinting
  • Job listings can contain a ton of information
    about the enterprise VoIP system.
  • Here is a portion of an actual job listing:
  • Required Technical Skills: Minimum 3-5 years
    experience in the management and implementation
    of Avaya telephone systems/voicemails
  • Advanced programming knowledge of the Avaya
    Communication Servers and voicemails.

18
Public Website Research: Phone Numbers
Gathering Information: Footprinting
  • Google can be used to find all phone numbers on
    an enterprise web site
  • Type: 111..999-1000..9999 site:www.mcgraw-hill.com

19
Public Website Research: Voice Mail
Gathering Information: Footprinting
  • By calling into some of these numbers, you can
    listen to the voice mail system and determine the
    vendor
  • Check out our voice mail hacking database at
  • www.hackingvoip.com

20
Public Website Research: Countermeasures
Gathering Information: Footprinting
  • It is difficult to control what is on your
    enterprise website, but it is a good idea to be
    aware of what is on it
  • Try to limit amount of detail in job postings
  • Remove technical detail from help desk web pages

21
Google Hacking: Introduction
Gathering Information: Footprinting
  • Google is incredibly good at finding details on
    the web
  • Vendor press releases and case studies
  • Resumes of VoIP personnel
  • Mailing lists and user group postings
  • Web-based VoIP logins

22
Google Hacking
Gathering Information: Footprinting
  • Vendors and enterprises may post press releases
    and case studies
  • Type: site:avaya.com case study or
    site:avaya.com company
  • Users place resumes on the Internet when
    searching for jobs
  • Search Monster for resumes for company employees
  • Mailing lists and user group postings
  • www.inuaa.org
  • www.innua.org
  • forums.cisco.com
  • forums.digium.com

23
Google Hacking: Web-Based VoIP Logins
Gathering Information: Footprinting
  • Some VoIP phones are accidentally exposed to the
    Internet
  • Use Google to search for them
  • Type: inurl:ccmuser/logon.asp
  • Type: inurl:ccmuser/logon.asp site:example.com
  • Type: inurl:NetworkConfiguration cisco

24
Google Hacking: Web-Based VoIP Logins
Gathering Information: Footprinting
25
Google Hacking: Countermeasures
Gathering Information: Footprinting
  • Determine what your exposure is
  • Be sure to remove any VoIP phones which are
    visible to the Internet
  • Disable the web servers on your IP phones
  • There are services that can help you monitor your
    exposure
  • www.cyveilance.com
  • www.baytsp.com

26
Google Hacking: Countermeasures
Attacking The Platform: Cisco
27
WHOIS and DNS: Introduction
Gathering Information: Footprinting
  • Enterprises depend on DNS to route website
    visitors and external email
  • WHOIS searches can reveal IP addresses used by an
    enterprise

28
WHOIS and DNS: Countermeasures
Gathering Information: Footprinting
  • Use generic names where possible
  • Disable anonymous zone transfers on your DNS
    servers

29
Scanning: Introduction
Gathering Information: Scanning
  • Steps taken by a hacker to identify IP addresses
    and hosts running VoIP
  • Consists of
  • Host/device discovery
  • Port scanning and service discovery
  • Host/device identification

30
Host/Device Discovery
Gathering Information: Scanning
  • Consists of various techniques used to find
    hosts
  • Ping sweeps
  • ARP pings
  • TCP ping scans
  • SNMP sweeps

31
Host/Device Discovery: Using nmap
Gathering Information: Scanning
    nmap -O -P0 192.168.1.1-254

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 01:03 CST
    Interesting ports on 192.168.1.21:
    (The 1671 ports scanned but not shown below are in state: filtered)
    PORT   STATE SERVICE
    23/tcp open  telnet
    MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
    Device type: VoIP phone
    Running: Cisco embedded
    OS details: Cisco IP phone (POS3-04-3-00, PC030301)

    Interesting ports on 192.168.1.23:
    (The 1671 ports scanned but not shown below are in state: closed)
    PORT   STATE SERVICE
    80/tcp open  http
    MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
    Device type: VoIP phone|VoIP adapter
    Running: Cisco embedded
    OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter

32
Host/Device Discovery: Ports
Gathering Information: Scanning
  • SIP-enabled devices will usually respond on
    UDP/TCP ports 5060 and 5061
  • SCCP-enabled phones (Cisco) respond on UDP/TCP
    2000-2001
  • Sometimes you might see UDP or TCP port 17185
    (VxWorks remote debugging!)

33
Host/Device Discovery: Ping Sweeps
Gathering Information: Scanning
34
Host/Device Discovery: ARP Pings
Gathering Information: Scanning
35
Host/Device Discovery: TCP Ping Scans
Gathering Information: Scanning
  • Several tools available
  • nmap
  • hping

36
Host/Device Discovery: SNMP Sweeps
Gathering Information: Scanning
37
Host/Device Discovery: Countermeasures
Gathering Information: Scanning
  • Use firewalls and Intrusion Prevention Systems
    (IPSs) to block ping and TCP sweeps
  • VLANs can help isolate ARP pings
  • Ping sweeps can be blocked at the perimeter
    firewall
  • Use secure (SNMPv3) version of SNMP
  • Change SNMP public strings

38
Port Scanning/Service Discovery
Gathering Information: Scanning
  • Consists of various techniques used to find open
    ports and services on hosts
  • These ports can be targeted later
  • nmap is the most commonly used tool for TCP SYN
    and UDP scans

39
Port Scanning/Service Discovery: Countermeasures
Gathering Information: Scanning
  • Using non-Internet routable IP addresses will
    prevent external scans
  • Firewalls and IPSs can detect and possibly block
    scans
  • VLANs can be used to partition the network to
    prevent scans from being effective

40
Host/Device Identification
Gathering Information: Scanning
  • After hosts are found and ports identified, the
    type of device can be determined
  • Classifies host/device by operating system
  • Network stack fingerprinting is a common
    technique for identifying hosts/devices
  • nmap is commonly used for this purpose

41
Host/Device Identification: Countermeasures
Gathering Information: Scanning
  • Firewalls and IPSs can detect and possibly block
    scans
  • Disable unnecessary ports and services on hosts

42
Enumeration: Introduction
Gathering Information: Enumeration
  • Involves testing open ports and services on
    hosts/devices to gather more information
  • Includes running tools to determine if open
    services have known vulnerabilities
  • Also involves scanning for VoIP-unique
    information such as phone numbers
  • Includes gathering information from TFTP servers
    and SNMP

43
Vulnerability Testing: Tools
Gathering Information: Enumeration
44
Vulnerability Testing: Tools
Gathering Information: Enumeration
45
Vulnerability Testing: Countermeasures
Gathering Information: Enumeration
  • The best solution is to upgrade your applications
    and make sure you continually apply patches
  • Some firewalls and IPSs can detect and mitigate
    vulnerability scans

46
SIP Enumeration: Introduction
Gathering Information: Enumeration
47
SIP Enumeration: Directory Scanning
Gathering Information: Enumeration
    root@attacker# nc 192.168.1.104 5060
    OPTIONS sip:test@192.168.1.104 SIP/2.0
    Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb
    To: alice <sip:test@192.168.1.104>
    Content-Length: 0

    SIP/2.0 404 Not Found
    Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb;received=192.168.1.103
    To: alice <sip:test@192.168.1.104>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0503
    Server: Sip EXpress router (0.9.6 (i386/linux))
    Content-Length: 0
    Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29801
    req_src_ip=192.168.1.120 req_src_port=32773 in_uri=sip:test@192.168.1.104
    out_uri=sip:test@192.168.1.104 via_cnt==1"

48
SIP Enumeration: Directory Scanning
Gathering Information: Enumeration
49
SIP Enumeration: Automated Directory Scanning
Gathering Information: Enumeration
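The exchange above is what a directory scan looks like from the proxy's side: one source probing many different users and collecting 404 Not Found for each. The following added example (not code from the tutorial, the book or its tools) parses SIP request/response pairs and flags a source that probes many distinct To: users and mostly receives 404s. The records are constructed to mirror the OPTIONS probe shown above; in practice they would come from proxy logs or a capture.

```python
"""Detect SIP extension (directory) scanning from request/response records.
Added example, not from the tutorial; the sample records are constructed."""
import re
from collections import defaultdict

SIP_URI = re.compile(r"sip:(?P<user>[^@;>\s]+)@(?P<host>[^;>\s]+)")


def parse_sip(raw):
    """Parse the start line and headers of one SIP request or response."""
    lines = raw.strip().split("\n")
    start = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers}
    if start.startswith("SIP/2.0"):
        # Response, e.g. "SIP/2.0 404 Not Found"
        msg["kind"] = "response"
        msg["status"] = int(start.split()[1])
    else:
        # Request, e.g. "OPTIONS sip:test@192.168.1.104 SIP/2.0"
        method, uri, _ = start.split(maxsplit=2)
        msg["kind"] = "request"
        msg["method"] = method
        msg["uri"] = uri
    m = SIP_URI.search(headers.get("to", ""))
    msg["to_user"] = m.group("user") if m else None
    return msg


def detect_directory_scan(records, threshold=5):
    """records: (src_ip, raw_request, raw_response) tuples.
    A source is reported when it probes at least `threshold` distinct To: users
    and receives 404 Not Found at least `threshold` times (threshold is an
    assumption; tune it to the proxy's normal traffic)."""
    probes = defaultdict(set)
    not_found = defaultdict(int)
    for src, req_raw, resp_raw in records:
        req, resp = parse_sip(req_raw), parse_sip(resp_raw)
        if req["method"] not in ("OPTIONS", "REGISTER", "INVITE"):
            continue
        probes[src].add(req["to_user"])
        if resp["status"] == 404:
            not_found[src] += 1
    alerts = []
    for src, users in probes.items():
        if len(users) >= threshold and not_found[src] >= threshold:
            alerts.append((src, len(users), not_found[src]))
    return sorted(alerts)


def make_probe(src, user, status):
    """Build one constructed OPTIONS probe and the proxy's reply."""
    req = ("OPTIONS sip:%s@192.168.1.104 SIP/2.0\n"
           "Via: SIP/2.0/TCP %s;branch=z9hG4bKdemo\n"
           "To: <sip:%s@192.168.1.104>\nContent-Length: 0\n") % (user, src, user)
    reason = "Not Found" if status == 404 else "OK"
    resp = ("SIP/2.0 %d %s\nTo: <sip:%s@192.168.1.104>;tag=demo\n"
            "Content-Length: 0\n") % (status, reason, user)
    return (src, req, resp)


# Constructed sample: 192.168.1.120 walks extensions 1000-1009 (all 404),
# while 192.168.1.50 sends a single OPTIONS to a real user.
SAMPLE = [make_probe("192.168.1.120", str(1000 + i), 404) for i in range(10)]
SAMPLE.append(make_probe("192.168.1.50", "alice", 200))

if __name__ == "__main__":
    for src, n_users, n_404 in detect_directory_scan(SAMPLE):
        print(f"possible directory scan from {src}: "
              f"{n_users} users probed, {n_404} x 404")
```

Counting distinct To: users rather than raw request volume is what separates a scan from a busy but legitimate endpoint; a phone re-registering every few minutes hits one user, a scanner hits hundreds.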
50
TFTP Enumeration: Introduction
Gathering Information: Enumeration
  • Almost all phones we tested use TFTP to download
    their configuration files
  • The TFTP server is rarely well protected
  • If you know or can guess the name of a
    configuration or firmware file, you can download
    it without even specifying a password
  • The files are downloaded in the clear and can be
    easily sniffed
  • Configuration files have usernames, passwords, IP
    addresses, etc. in them

51
TFTP Enumeration: Using TFTPBRUTE
Gathering Information: Enumeration
    root@attacker# perl tftpbrute.pl 192.168.1.103 brutefile.txt 100
    tftpbrute.pl, , V 0.1
    TFTP file word database: brutefile.txt
    TFTP server 192.168.1.103
    Max processes 100
    Processes are: 1
    <snip>
    Processes are: 12
    Found TFTP server remote filename: sip.cfg
    Found TFTP server remote filename: 46xxsettings.txt
    Processes are: 13
    Processes are: 14
    Found TFTP server remote filename: sip_4602D02A.txt
    Found TFTP server remote filename: XMLDefault.cnf.xml
    Found TFTP server remote filename: SipDefault.cnf

52
TFTP Enumeration: Countermeasures
Gathering Information: Enumeration
  • It is difficult not to use TFTP, since it is so
    commonly used by VoIP vendors
  • Some vendors offer more secure alternatives
  • Firewalls can be used to restrict access to TFTP
    servers to valid devices

53
SNMP Enumeration: Introduction
Gathering Information: Enumeration
  • SNMP is enabled by default on most IP PBXs and IP
    phones
  • Simple SNMP sweeps will garner lots of useful
    information
  • If you know the device type, you can use snmpwalk
    with the appropriate OID
  • You can find the OID using Solarwinds MIB
  • Default passwords, called community strings,
    are common

54
SNMP Enumeration: Solarwinds
Gathering Information: Enumeration
55
SNMP Enumeration: snmpwalk
Gathering Information: Enumeration
    root@domain2# snmpwalk -c public -v 1 192.168.1.53 1.3.6.1.4.1.6889
    SNMPv2-SMI::enterprises.6889.2.69.1.1.1.0 = STRING: "Obsolete"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.2.0 = STRING: "4620D01B"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.3.0 = STRING: "AvayaCallserver"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.4.0 = IpAddress: 192.168.1.103
    SNMPv2-SMI::enterprises.6889.2.69.1.1.5.0 = INTEGER: 1719
    SNMPv2-SMI::enterprises.6889.2.69.1.1.6.0 = STRING: "051612501065"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.7.0 = STRING: "700316698"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.8.0 = STRING: "051611403489"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.9.0 = STRING: "00040D5040B0"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.10.0 = STRING: "100"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.11.0 = IpAddress: 192.168.1.53
    SNMPv2-SMI::enterprises.6889.2.69.1.1.12.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.6889.2.69.1.1.13.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.6889.2.69.1.1.14.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.6889.2.69.1.1.15.0 = STRING: "192.168.1.1"
    SNMPv2-SMI::enterprises.6889.2.69.1.1.16.0 = IpAddress: 192.168.1.1
    SNMPv2-SMI::enterprises.6889.2.69.1.1.17.0 = IpAddress: 255.255.255.0

56
SNMP Enumeration: Countermeasures
Gathering Information: Enumeration
  • Disable SNMP on any devices where it is not
    needed
  • Change default public and private community
    strings
  • Try to use SNMPv3, which supports authentication
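The three countermeasures above can be checked mechanically in a device configuration dump. The following added example (not from the tutorial or any vendor tool) audits Cisco IOS-style `snmp-server` lines for default or short community strings and for v1/v2c communities with no SNMPv3 `priv` group; the weak and hardened configurations are constructed, and the length threshold is an assumption.

```python
"""Audit SNMP settings in a config dump for the weaknesses listed above.
Added example, not from the tutorial; the config text is constructed."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 12  # assumption: shorter strings are trivially guessable
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)\s*(RO|RW)?", re.I)
V3_PRIV_GROUP_RE = re.compile(r"^\s*snmp-server\s+group\s+\S+\s+v3\s+priv", re.I)


def audit_snmp(config_text):
    """Return a list of (line_number, finding). Line 0 is a summary finding."""
    findings = []
    community_lines = 0
    v3_priv = False
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if m:
            community_lines += 1
            community = m.group(1)
            access = (m.group(2) or "RO").upper()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community '{community}' ({access})"))
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append((lineno, f"short community string ({len(community)} chars)"))
        if V3_PRIV_GROUP_RE.match(line):
            v3_priv = True
    if community_lines and not v3_priv:
        findings.append((0, f"{community_lines} SNMPv1/v2c community string(s) "
                            "configured and no SNMPv3 priv group"))
    return findings


# Constructed: the defaults the slides warn about, plus one reasonable string.
WEAK_CONFIG = """\
hostname voice-gw-1
snmp-server community public RO
snmp-server community private RW
snmp-server community Voice-NMS-9f3kQ2 RO 10
snmp-server location Lobby
"""

# Constructed: SNMPv3 with authentication and privacy, no community strings.
HARDENED_CONFIG = """\
hostname voice-gw-1
snmp-server group VOICEMON v3 priv
snmp-server user nms VOICEMON v3 auth sha <auth-pass> priv aes 128 <priv-pass>
snmp-server location Lobby
"""

if __name__ == "__main__":
    for lineno, finding in audit_snmp(WEAK_CONFIG):
        print(f"line {lineno}: {finding}")
    print("hardened findings:", audit_snmp(HARDENED_CONFIG))
```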

57
Attacking The Network
Attacking The Network
  • The VoIP network and supporting infrastructure
    are vulnerable to attacks
  • Most attacks will originate inside the network,
    once access is gained
  • Attacks include
  • Network infrastructure DoS
  • Network eavesdropping
  • Network and application interception

58
Attacking The Network: Gaining Access
Attacking The Network: Gaining Access
  • Several attack vectors include
  • Installing a simple wired hub
  • Wi-Fi sniffing
  • Compromising a network node
  • Compromising a VoIP phone
  • Compromising a switch
  • Compromising a proxy, gateway, or PC/softphone
  • ARP poisoning
  • Circumventing VLANs

59
Attacking The Network: Gaining Access
Attacking The Network: Gaining Access
  • Some techniques for circumventing VLANs
  • If MAC filtering is not used, you can disconnect
    a VoIP phone and connect a PC
  • Even if MAC filtering is used, you can easily
    spoof the MAC
  • Be especially cautious of VoIP phones in public
    areas (such as lobby phones)

60
Attacking The Network: Gaining Access
Attacking The Network: Gaining Access
  • Some other VLAN attacks
  • MAC flooding attack
  • 802.1q and ISL tagging attack
  • Double-encapsulated 802.1q/Nested VLAN attack
  • Private VLAN attack
  • Spanning-tree protocol attack
  • VLAN trunking protocol attack

61
Network Infrastructure DoS
Attacking The Network: Network DoS
  • The VoIP network and supporting infrastructure
    are vulnerable to attacks
  • VoIP media/audio is particularly susceptible to
    any DoS attack which introduces latency and
    jitter
  • Attacks include
  • Flooding attacks
  • Network availability attacks
  • Supporting infrastructure attacks

62
Flooding Attacks: Introduction
Attacking The Network: Network DoS
  • Flooding attacks generate so many packets at a
    target that it is overwhelmed and can't process
    legitimate requests

63
Flooding Attacks: Call Quality
Attacking The Network: Network DoS
  • VoIP is much more sensitive to network issues
    than traditional data applications like web and
    email
  • Network latency: the amount of time it takes for a
    packet to travel from the speaker to the listener
  • Jitter: occurs when the speaker sends packets at a
    constant rate but they arrive at the listener at
    variable rates
  • Packet loss: occurs under heavy load and
    oversubscription
  • Mean Opinion Score (MOS): subjective quality of a
    conversation measured from 1 (unintelligible) to
    5 (very clear)
  • R-value: mathematical measurement from 1
    (unintelligible) to 100 (very clear)
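The metrics defined above can be computed directly from packet timing, which is how a monitoring tool tells a flood-induced degradation from a healthy call. The following added example (not from the tutorial) implements the RFC 3550 interarrival jitter estimator, a packet-loss ratio from RTP sequence numbers, and the ITU-T G.107 E-model mapping from an R-value to a MOS. The send/arrival timestamps and sequence numbers are constructed, and the latency figure assumes synchronized clocks at both ends.

```python
"""Call-quality metrics from RTP timing data. Added example, not from the
tutorial; all inputs below are constructed. Times are in milliseconds."""


def rfc3550_jitter(send_ts, arrival_ts):
    """Running interarrival jitter J as defined in RFC 3550 section 6.4.1:
    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1});  J += (|D| - J) / 16."""
    j = 0.0
    for i in range(1, len(send_ts)):
        d = (arrival_ts[i] - arrival_ts[i - 1]) - (send_ts[i] - send_ts[i - 1])
        j += (abs(d) - j) / 16.0
    return j


def packet_loss(seq_numbers):
    """Fraction of packets lost, from the gaps in the RTP sequence numbers seen
    (ignores 16-bit wraparound, which a real monitor must handle)."""
    expected = seq_numbers[-1] - seq_numbers[0] + 1
    return 1.0 - len(set(seq_numbers)) / expected


def one_way_latency(send_ts, arrival_ts):
    """Mean one-way latency; assumes sender and receiver clocks are synchronized."""
    return sum(a - s for s, a in zip(send_ts, arrival_ts)) / len(send_ts)


def r_to_mos(r):
    """ITU-T G.107 E-model conversion of transmission rating R to MOS:
    MOS = 1 + 0.035 R + 7e-6 R (R - 60)(100 - R), clamped to [1, 4.5]."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1 + 0.035 * r + 7e-6 * r * (r - 60) * (100 - r)


# Constructed stream: 20 ms packetization, nominal 50 ms delay, with
# +/-5 ms delay variation on some packets and one lost packet (seq 103).
SEND_TS = [0, 20, 40, 60, 80]
ARRIVAL_TS = [50, 70, 95, 110, 135]
SEQ = [100, 101, 102, 104, 105]

if __name__ == "__main__":
    print("jitter   %.3f ms" % rfc3550_jitter(SEND_TS, ARRIVAL_TS))
    print("latency  %.1f ms" % one_way_latency(SEND_TS, ARRIVAL_TS))
    print("loss     %.1f %%" % (100 * packet_loss(SEQ)))
    for r in (93.2, 80, 70, 50):
        print("R=%5.1f  MOS=%.2f" % (r, r_to_mos(r)))
```

The 1/16 gain in the jitter estimator is what makes it a smoothed value rather than the last delay difference; a flood that adds bursty queueing delay shows up as a steadily climbing J even when individual packets still arrive.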

64
Flooding Attacks: Call Quality
Attacking The Network: Network DoS
  • Software applications (Wireshark, AdventNet,
    WildPackets, etc.)
  • Hardware appliances (Agilent, Empirix, Qovia,
    etc.)
  • Integrated routers and switches (e.g. Cisco QoS
    Policy Manager)

65
Flooding Attacks: Types of Floods
Attacking The Network: Network DoS
  • Some types of floods are
  • UDP floods
  • TCP SYN floods
  • ICMP and Smurf floods
  • Worm and virus oversubscription side effect
  • QoS manipulation
  • Application flooding

66
Flooding Attacks: Countermeasures
Attacking The Network: Network DoS
  • Layer 2 and 3 QoS mechanisms are commonly used to
    give priority to VoIP media (and signaling)
  • Use rate limiting in network switches
  • Use anti-DoS/DDoS products
  • Some vendors have DoS support in their products
    (in newer versions of software)

67
Network Availability Attacks
Attacking The Network: Network DoS
  • This type of attack involves an attacker trying
    to crash the underlying operating system
  • Fuzzing involves sending malformed packets, which
    exploit a weakness in software
  • Packet fragmentation
  • Buffer overflows

68
Network Availability Attacks: Countermeasures
Attacking The Network: Network DoS
  • A network IPS is an inline device that detects
    and blocks attacks
  • Some firewalls also offer this capability
  • Host based IPS software also provides this
    capability

69
Supporting Infrastructure Attacks
Attacking The Network: Network DoS
  • VoIP systems rely heavily on supporting services
    such as DHCP, DNS, TFTP, etc.
  • DHCP exhaustion is an example, where a hacker
    uses up all the IP addresses, denying service to
    VoIP phones
  • DNS cache poisoning involves tricking a DNS
    server into using a fake DNS response

70
Supporting Infrastructure Attacks: Countermeasures
Attacking The Network: Network DoS
  • Configure DHCP servers not to lease addresses to
    unknown MAC addresses
  • DNS servers should be configured to check
    information from non-authoritative servers and
    drop any response not related to an outstanding
    query

71
Network Eavesdropping: Introduction
Attacking The Network: Eavesdropping
  • VoIP signaling, media, and configuration files
    are vulnerable to eavesdropping
  • Attacks include
  • TFTP configuration file sniffing
  • Number harvesting and call pattern tracking
  • Conversation eavesdropping

72
TFTP/Numbers/Call Patterns
Attacking The Network: Eavesdropping
  • TFTP files are transmitted in the clear and can
    be sniffed
  • One easy way is to connect a hub to a VoIP phone,
    reboot it, and capture the file
  • By sniffing signaling, it is possible to build a
    directory of numbers and track calling patterns
  • voipong automates the process of logging all calls

73
Conversation Recording: Wireshark
Attacking The Network: Eavesdropping
74
Conversation Recording: Wireshark
Attacking The Network: Eavesdropping
75
Conversation Recording: Cain And Abel
Attacking The Network: Eavesdropping
76
Conversation Recording: Other Tools
Attacking The Network: Eavesdropping
  • Other tools include
  • vomit
  • Voipong
  • voipcrack (not public)
  • DTMF decoder

77
Network Eavesdropping: Countermeasures
Attacking The Network: Eavesdropping
  • Place the TFTP server on the same VLAN as the
    VoIP phones and use a firewall to ensure that
    only VoIP phones communicate with it
  • Use encryption
  • Many vendors offer encryption for signaling
  • Use the Transport Layer Security (TLS) for
    signaling
  • Many vendors offer encryption for media
  • Use Secure Real-time Transport Protocol (SRTP)
  • Use ZRTP
  • Use proprietary encryption if you have to

78
Network/Application Interception: Introduction
Attacking The Network: Net/App Interception
  • The VoIP network is vulnerable to
    Man-In-The-Middle (MITM) attacks, allowing
  • Eavesdropping on the conversation
  • Causing a DoS condition
  • Altering the conversation by omitting, replaying,
    or inserting media
  • Redirecting calls
  • Attacks include
  • Network-level interception
  • Application-level interception

79
Network Interception: ARP Poisoning
Attacking The Network: Net/App Interception
  • The most common network-level MITM attack is ARP
    poisoning
  • Involves tricking a host into thinking the MAC
    address of the attacker is the intended address
  • There are a number of tools available to support
    ARP poisoning
  • Cain and Abel
  • ettercap
  • Dsniff
  • hunt

80
Network Interception: ARP Poisoning
Attacking The Network: Net/App Interception
81
Network Interception: ARP Poisoning
Attacking The Network: Net/App Interception
82
Network Interception: ARP Poisoning
Attacking The Network: Net/App Interception
83
Network Interception: Countermeasures
Attacking The Network: Net/App Interception
  • Some countermeasures for ARP poisoning are
  • Static OS mappings
  • Switch port security
  • Proper use of VLANs
  • Signaling encryption/authentication
  • ARP poisoning detection tools, such as arpwatch
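The last countermeasure, an arpwatch-style detector, works by remembering which MAC answered for each IP and alerting when that binding changes or when one MAC starts answering for many IPs. The following added example (not from the tutorial and not arpwatch's own code) implements that logic over a constructed sequence of ARP replies in which the gateway and two phones suddenly start answering from a new MAC. The `max_ips_per_mac` threshold is an assumption; routers and hosts with several addresses legitimately exceed one.

```python
"""arpwatch-style ARP poisoning detection. Added example, not from the
tutorial; the ARP reply records are constructed."""
from collections import defaultdict


class ArpWatch:
    def __init__(self, max_ips_per_mac=2):
        self.bindings = {}                 # ip -> MAC last seen answering for it
        self.ips_by_mac = defaultdict(set)  # MAC -> set of IPs it has claimed
        self.max_ips_per_mac = max_ips_per_mac  # assumption, tune per network
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Feed one ARP reply (sender IP/MAC). Returns the alerts it raised."""
        new = []
        mac = mac.lower()
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            # "flip flop": a known IP now answers from a different MAC
            new.append((ts, "changed", ip, old, mac))
        self.bindings[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > self.max_ips_per_mac:
            # one MAC claiming many IPs is the signature of a poisoner
            new.append((ts, "many-ips", mac, len(self.ips_by_mac[mac])))
        self.alerts.extend(new)
        return new

    def run(self, records):
        for ts, ip, mac in records:
            self.observe(ts, ip, mac)
        return self.alerts


# Constructed: (timestamp, sender IP, sender MAC) from ARP replies on the
# voice VLAN. At t=60 a new MAC starts answering for the gateway and phones.
SAMPLE_ARP = [
    (0,  "192.168.1.1",  "00:11:22:33:44:01"),   # gateway
    (1,  "192.168.1.21", "00:11:22:33:44:21"),   # IP phone
    (2,  "192.168.1.23", "00:11:22:33:44:23"),   # IP phone
    (30, "192.168.1.1",  "00:11:22:33:44:01"),
    (31, "192.168.1.21", "00:11:22:33:44:21"),
    (60, "192.168.1.1",  "DE:AD:BE:EF:00:01"),   # gateway binding changes
    (60, "192.168.1.21", "DE:AD:BE:EF:00:01"),   # same MAC claims a phone
    (61, "192.168.1.23", "DE:AD:BE:EF:00:01"),   # and another one
]

if __name__ == "__main__":
    for alert in ArpWatch().run(SAMPLE_ARP):
        print(alert)
```

The "changed" alert alone has benign causes (a replaced NIC, DHCP reassignment), so pairing it with the "many-ips" condition, or with a static allowlist for critical IPs such as the default gateway, keeps the false-positive rate workable.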

84
Application Interception: Introduction
Attacking The Network: Net/App Interception
  • It is also possible to perform a MITM attack at
    the application layer
  • Some possible ways to perform this attack
    include
  • Registration hijacking
  • Redirection attacks
  • VoIP phone reconfiguration
  • Inserting a bridge via physical network access

85
Application Interception
Attacking The Network: Net/App Interception
86
Application Interception: Countermeasures
Attacking The Network: Net/App Interception
  • Some countermeasures to application-level
    interception are
  • Use VLANs for separation
  • Use TCP/IP
  • Use signaling encryption/authentication (such as
    TLS)
  • Enable authentication for requests
  • Deploy SIP firewalls to protect SIP proxies from
    attacks

87
Attacking The Platform
Attacking The Platform
  • This section describes unique attacks against
    specific VoIP vendor platforms, including
  • Avaya
  • Cisco

88
Avaya Communication Manager
Attacking The Platform: Avaya
  • The Avaya Communication Manager is Avaya's
    enterprise-class offering
  • Offers strong security, but some default
    configuration should be changed
  • Avaya uses Linux and VxWorks as the underlying
    operating system on many components, which is
    arguably more secure than Windows

89
Avaya Communication Manager
Attacking The Platform: Avaya
90
Open Ports
Attacking The Platform: Avaya
91
Open Ports
Attacking The Platform: Avaya
92
Open Ports
Attacking The Platform: Avaya
93
Open Ports
Attacking The Platform: Avaya
94
Open Ports
Attacking The Platform: Avaya
95
Open Ports
Attacking The Platform: Avaya
96
Open Ports: Countermeasures
Attacking The Platform: Avaya
97
Open Ports: Countermeasures
Attacking The Platform: Avaya
98
SNMP and TFTP
Attacking The Platform: Avaya
  • Avaya uses TFTP and SNMP
  • In 3.0, SNMP is enabled by default on the IP PBX
    and IP phones
  • Some components ship with default public and
    private community strings

99
SNMP and TFTP: Countermeasures
Attacking The Platform: Avaya
  • Use the same countermeasures as before
  • Avaya provides a secure copy feature as an
    alternative to TFTP
  • Communication Manager 4.0 disables SNMP by
    default
  • Version 2.6 for IP phones does not ship with
    default community strings

100
Flooding Attacks
Attacking The Platform: Avaya
  • We used udpflood and tcpsynflood to perform DoS
    attacks against various components
  • Unfortunately, these attacks were very disruptive

101
Flooding Attacks: Countermeasures
Attacking The Platform: Avaya
  • Use the same countermeasures as before
  • Avaya C-LAN cards provide some level of DoS
    mitigation
  • Newer IP phone software provides better DoS
    mitigation
  • http://support.avaya.com/security

102
Miscellaneous Security Issues
Attacking The Platform: Avaya
  • Avaya signaling and media are vulnerable to
    eavesdropping
  • Avaya uses some default passwords on key IP PBX
    components
  • Password recommendations for IP phones are weak
  • By default, Avaya IP phones can be reconfigured
    when booted

103
Miscellaneous Security Issues: Countermeasures
Attacking The Platform: Avaya
  • Avaya supports proprietary encryption for
    signaling and media. SRTP will be supported in
    Communication Manager 4.0
  • Default passwords should be changed to strong
    values
  • Local access to the IP phone can be controlled
    with a password

104
Cisco Unified Call Manager
Attacking The Platform: Avaya
  • The Cisco Unified Call Manager is Cisco's
    enterprise-class offering
  • Offers strong security, but requires some
    configuration
  • Version 4.1 is based on Windows. Version 5.0 is
    based on Linux
  • A must-read document is the Solution Reference
    Network Design (SRND) for voice communications
    (http://tinyurl.com/gd5r4).
  • Includes great deployment scenarios and security
    use cases (lobby phone, desktop phone, call
    manager encryption how-to, etc.)

105
Cisco: Introduction
Attacking The Platform: Cisco
106
Cisco Discovery Protocol
Attacking The Platform: Cisco
  • Cisco Discovery Protocol is Cisco's proprietary
    layer 2 network management protocol.
  • It contains juicy information that is broadcast on
    the entire segment. Disable it!

107
Port Scanning
Attacking The Platform: Cisco
  • Cisco Unified Call Manager requires a large
    number of open ports

108
Port Scanning: Countermeasures
Attacking The Platform: Cisco
  • Cisco IOS has a great feature called autosecure
    that
  • disables a slew of services (finger, http, ICMP,
    source routing, etc.)
  • enables some services (password encryption, TCP
    synwait-time, logging, etc.).
  • And locks down the router and switch (enables
    only ssh, blocks private address blocks from
    traversing, enables netflow, etc.)

109
Flooding: Countermeasures
Attacking The Platform: Cisco
  • Network Flooding Countermeasures
  • Another great feature from Cisco is AutoQoS, a
    new IOS feature (auto qos command).
  • Enables Quality of Service for VoIP traffic
    across every Cisco router and switch
  • Scavenger-class QoS is also a relatively new Cisco
    strategy: rate-shape all bursty non-VoIP traffic

110
DoS and OS Exploitation: Countermeasures
Attacking The Platform: Cisco
  • Patch management is key: use the Cisco Voice
    Technology Group Subscription Tool
    (http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi)

111
Eavesdropping and Interception: Countermeasures
Attacking The Platform: Cisco
  • Eavesdropping and Interception Countermeasures
  • Enable port security on Cisco Switches to help
    mitigate ARP Spoofing
  • Enable Dynamic ARP inspection to thwart ARP
    Spoofing
  • Dynamically restrict Ethernet port access with
    802.1x port authentication
  • Enable DHCP Snooping to prevent DHCP Spoofing
  • Configure IP source guard on Switches

112
Eavesdropping and Interception: Countermeasures
Attacking The Platform: Cisco
  • Eavesdropping and Interception Countermeasures
  • Configure VTP Transparent Mode
  • Change the default Native VLAN Value to thwart
    VLAN hopping
  • Disable Dynamic Trunk Protocol (DTP) to thwart
    VLAN Hopping

113
Eavesdropping and Interception: Countermeasures
Attacking The Platform: Cisco
  • Eavesdropping and Interception Countermeasures
  • Activate authentication and encryption of the
    signaling and media streams
  • Skinny over TLS
  • SRTP
  • Requires creating and distributing certificates
    on phones

114
Attacking The Application
Attacking The Application
  • VoIP systems are vulnerable to application
    attacks against the various VoIP protocols
  • Attacks include
  • Fuzzing attacks
  • Flood-based DoS
  • Signaling and media manipulation

115
Fuzzing: Introduction
Attacking The Application: Fuzzing
  • Fuzzing describes attacks where malformed packets
    are sent to a VoIP system in an attempt to crash
    it
  • Research has shown that VoIP systems, especially
    those employing SIP, are vulnerable to fuzzing
    attacks
  • There are many public domain tools available for
    fuzzing
  • Protos suite
  • Asteroid
  • Fuzzy Packet
  • NastySIP
  • Scapy
  • SipBomber
  • SFTF
  • SIP Proxy
  • SIPp
  • SIPsak

116
Fuzzing: Example
Attacking The Application: Fuzzing
    INVITE sip:6713@192.168.26.180:6060;user=phone SIP/2.0
    Via: SIP/2.0/UDP 192.168.22.36:6060
    From: UserAgent<sip:6710@192.168.22.36:6060;user=phone>
    To: 6713<sip:6713@192.168.26.180:6060;user=phone>
    Call-ID: 96561418925909@192.168.22.36
    Cseq: 1 INVITE
    Subject: VovidaINVITE
    Contact: <sip:6710@192.168.22.36:6060;user=phone>
    Content-Type: application/sdp
    Content-Length: 168
117
Fuzzing: Example
Attacking The Application: Fuzzing
    INVITE sip:6713@192.168.26.180:6060;user=phone SIP/2.0
    Via: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaa aaaaaaaaaaaaa
    From: UserAgent<sip:6710@192.168.22.36:6060;user=phone>
    To: 6713<sip:6713@192.168.26.180:6060;user=phone>
    Call-ID: 96561418925909@192.168.22.36
    Cseq: 1 INVITE
    Subject: VovidaINVITE
    Contact: <sip:6710@192.168.22.36:6060;user=phone>
    Content-Type: application/sdp
    Content-Length: 168
118
Fuzzing: Public Domain Tools
Attacking The Application: Fuzzing
  • There are many public domain tools available for
    fuzzing
  • Protos suite
  • Asteroid
  • Fuzzy Packet
  • NastySIP
  • Scapy
  • SipBomber
  • SFTF
  • SIP Proxy
  • SIPp
  • SIPsak

119
Fuzzing: Commercial Tools
Attacking The Application: Fuzzing
  • There are some commercial tools available
  • Beyond Security BeStorm
  • Codenomicon
  • MuSecurity Mu-4000 Security Analyzer
  • Security Innovation Hydra
  • Sipera Systems LAVA tools

120
Fuzzing: Countermeasures
Attacking The Application: Fuzzing
  • Make sure your vendor has tested their systems
    for fuzzing attacks
  • Consider running your own tests
  • A VoIP-aware IPS can monitor for and block
    fuzzing attacks

121
Flood-Based DoS: Introduction
Attacking The Application: Flood-Based DoS
  • Describes an attack where a flood of packets
    overwhelms a target, such as a SIP proxy or phone

122
Flood-Based DoS
Attacking The Application: Flood-Based DoS
  • Several tools are available to generate floods at
    the application layer
  • rtpflood generates a flood of RTP packets
  • inviteflood generates a flood of SIP INVITE
    packets
  • SiVuS, a GUI tool that enables a variety of
    flood-based attacks
  • Virtually every device we tested was susceptible
    to these attacks

123
Flood-Based DoSSiVuS
Attacking The ApplicationFlood-Based DoS
124
Flood-Based DoS: Countermeasures
Attacking The Application: Flood-Based DoS
  • There are several countermeasures you can use for
    flood-based DoS:
    • Use VLANs to separate networks
    • Use TCP and TLS for SIP connections
    • Use rate limiting in switches
    • Enable authentication for requests
    • Use SIP firewalls/IPSs to monitor and block
      attacks

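The rate-limiting countermeasure applied at the SIP layer, as an added example that is not from the book or any of the tools it names: a per-source sliding-window limiter is replayed over a constructed request log in which one host sends an inviteflood-style burst while two phones place ordinary calls. The limit of 20 INVITEs per second and all addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log (timestamp in ms, source IP, SIP method): two phones
# placing normal calls plus an inviteflood-style burst from 10.0.0.9.
SAMPLE_LOG = [(0, "192.168.22.36", "INVITE"), (500, "192.168.22.40", "INVITE")]
SAMPLE_LOG += [(1000 + 10 * i, "10.0.0.9", "INVITE") for i in range(200)]
SAMPLE_LOG += [(3000, "192.168.22.36", "BYE")]

class InviteRateLimiter:
    """Sliding window: at most `limit` INVITEs per source within `window_ms`."""

    def __init__(self, limit=20, window_ms=1000):
        self.limit, self.window_ms = limit, window_ms
        self.recent = defaultdict(deque)     # source -> timestamps of recent INVITEs
        self.blocked = set()                 # sources that exceeded the budget

    def allow(self, ts, src, method):
        """Return True if the request may pass, False if it should be dropped."""
        if method != "INVITE":
            return True                      # only call setups count against the budget
        window = self.recent[src]
        while window and ts - window[0] > self.window_ms:
            window.popleft()                 # forget INVITEs older than the window
        window.append(ts)                    # dropped requests still consume budget
        if len(window) > self.limit:
            self.blocked.add(src)
            return False
        return True

def replay(log, limiter=None):
    """Feed a log through the limiter; return (dropped count, blocked sources)."""
    limiter = limiter or InviteRateLimiter()
    dropped = sum(not limiter.allow(ts, src, m) for ts, src, m in log)
    return dropped, sorted(limiter.blocked)
```

Authenticating requests (the next bullet) pairs naturally with this: unauthenticated INVITEs can be rate limited far more aggressively than those from registered, authenticated users.
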
125
Signaling/Media Manipulation: Introduction
Attacking The Application: Sig/Media Manipulation
  • A number of attacks against SIP and RTP exploit
    the protocols themselves:
    • Registration removal/addition
    • Registration hijacking
    • Redirection attacks
    • Session teardown
    • SIP phone reboot
    • RTP insertion/mixing

126
Registration Removal/Addition
Attacking The Application: Sig/Media Manipulation
Attacker Erases Or Adds Bogus Registrations, Causing
Calls to be Dropped Or Sent to the Wrong Address
127
Registration Hijacking
Attacking The Application: Sig/Media Manipulation
128
Registration Hijacking
Attacking The Application: Sig/Media Manipulation
129
Redirection Attacks
Attacking The Application: Sig/Media Manipulation
130
Session Teardown
Attacking The Application: Sig/Media Manipulation

131
IP Phone Reboot
Attacking The Application: Sig/Media Manipulation

132
Audio Insertion/Mixing
Attacking The Application: Sig/Media Manipulation

Attacker Sees Packets And Inserts/Mixes In New
Audio
133
Signaling/Media Manipulation: Countermeasures
Attacking The Application: Sig/Media Manipulation
  • Some countermeasures for signaling and media
    manipulation include:
    • Use digest authentication where possible
    • Use TCP and TLS where possible
    • Use SIP-aware firewalls/IPSs to monitor for and
      block attacks
    • Use audio encryption to prevent RTP
      injection/mixing

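How digest authentication blocks the registration removal/addition and hijacking attacks listed above, as an added example written for this page (not code from the book or from any SIP stack): a minimal registrar issues a nonce, recomputes the RFC 3261 MD5 digest for a REGISTER, and only rebinds an address-of-record when the response matches and the nonce has not been used before. The realm, the credentials and the contact addresses are constructed; the Authorization header is represented as a dict rather than parsed from wire text.

```python
import hashlib
import hmac
import secrets

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 3261 digest without qop: MD5(MD5(user:realm:pw):nonce:MD5(method:uri))."""
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s" % (ha1, nonce, ha2))

class Registrar:
    """Minimal registrar that only (re)binds a contact after a valid digest."""
    def __init__(self, realm, credentials):
        self.realm, self.credentials = realm, credentials   # user -> password
        self.nonces = set()                                 # outstanding challenges
        self.bindings = {}                                  # AoR -> contact

    def challenge(self):
        nonce = secrets.token_hex(16)        # value the 401 WWW-Authenticate would carry
        self.nonces.add(nonce)
        return nonce

    def register(self, aor, contact, auth):
        """auth mirrors the Authorization header fields; returns a SIP status."""
        nonce = auth.get("nonce")
        if nonce not in self.nonces:
            return 401                       # unknown or already-used nonce: re-challenge
        password = self.credentials.get(auth.get("username"), "")
        expected = digest_response(auth.get("username", ""), self.realm, password,
                                   "REGISTER", auth.get("uri", ""), nonce)
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return 403                       # wrong password: bogus registration rejected
        self.nonces.discard(nonce)           # one-shot nonce, so a captured header cannot be replayed
        self.bindings[aor] = contact
        return 200

def demo():
    reg = Registrar("example.com", {"6710": "constructed-secret"})   # constructed creds
    aor, uri = "sip:6710@example.com", "sip:example.com"
    nonce = reg.challenge()
    good = {"username": "6710", "nonce": nonce, "uri": uri,
            "response": digest_response("6710", reg.realm, "constructed-secret",
                                        "REGISTER", uri, nonce)}
    ok = reg.register(aor, "sip:6710@192.168.22.36:6060", good)
    forged = dict(good, nonce=reg.challenge(), response="0" * 32)   # no password known
    bad = reg.register(aor, "sip:6710@10.0.0.9:5060", forged)
    return ok, bad, reg.bindings[aor]
```
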
134
Social Attacks
Social Attacks
  • There are a couple of evolving social threats
    that will affect enterprises:
    • Voice SPAM or SPAM over Internet Telephony (SPIT)
    • Voice phishing

135
Voice SPAM: Introduction
Social Attacks: Voice SPAM
  • Voice SPAM refers to bulk, automatically
    generated, unsolicited phone calls
  • Similar to telemarketing, but occurring at the
    frequency of email SPAM
  • Not an issue yet, but will become prevalent when:
    • The network makes it very inexpensive or free to
      generate calls
    • Attackers have access to VoIP networks that allow
      generation of a large number of calls
  • It is easy to set up a voice SPAM operation,
    using Asterisk, tools like spitter, and free
    VoIP access

136
Voice SPAM
Social Attacks: Voice SPAM
  • Voice SPAM has the potential to be very
    disruptive because:
    • Voice calls tend to interrupt a user more than
      email
    • Calls arrive in real time and the content can't be
      analyzed to determine whether it is voice SPAM
    • Even calls saved to voice mail must be converted
      from audio to text, which is an imperfect process
    • There isn't any capability in the protocols that
      looks like it will address voice SPAM

137
Voice SPAM: Countermeasures
Social Attacks: Voice SPAM
  • Some potential countermeasures for voice SPAM
    are:
    • Authenticated identity initiatives, which may help
      to identify callers
    • Legal measures
    • Enterprise voice SPAM filters
    • Black lists/white lists
    • Approval systems
    • Audio content filtering
    • Turing tests

138
VoIP Phishing: Introduction
Social Attacks: Phishing
  • Similar to email phishing, but with a phone
    number delivered through email or voice
  • When the victim dials the number, the recording
    requests entry of personal information
  • The hacker comes back later and retrieves the
    touch tones or other information

139
VoIP Phishing: Example
Social Attacks: Phishing
  • Hi, this is Bob from Bank of America calling.
    Sorry I missed you. If you could give us a call
    back at 1-866-555-1324 we have an urgent issue to
    discuss with you about your bank account.
  • Hello. This is Bank of America. So we may best
    serve you, please enter your account number
    followed by your PIN.

140
VoIP Phishing: Example
Social Attacks: Phishing
141
VoIP Phishing: Countermeasures
Social Attacks: Phishing
  • Traditional email spam/phishing countermeasures
    come into play here
  • Educating users is key

142
  • Questions?

143
Notes
144
Notes