Title: Cutting Edge VoIP Security Issues Color
1Hacking Exposed VoIP
Mark D. CollierChief Technology
Officermark.collier_at_securelogix.com
www.securelogix.com
2Hacking Exposed VoIP
- We took on this project because there were no
practical books on enterprise VoIP security that
gave examples of how hackers attack VoIP
deployments and explained to administrators how
to defend against these attacks. - We spent more than a year of research writing new
VoIP security tools, using them to test the
latest VoIP products, and scouring VoIP
state-of-the-art security. - This tutorial is based on material fromthe book.
- The book was published December 1,
2006http//www.hackingvoip.com536 pages
3Outline
Outline
- Overview
- Gathering Information
- Footprinting
- Scanning
- Enumeration
- Attacking the Network
- Network Infrastructure Denial of Service
- Network Eavesdropping
- Network and Application Interception
4Outline
Outline
- Attacking Vendor Platforms
- Avaya
- Cisco
- Attacking the Application
- Fuzzing
- Disruption of Service
- Signaling and Media Manipulation
5Outline
Outline
- Social Attacks
- Voice SPAM/SPIT
- Voice Phishing
6Introduction
Introduction
- VoIP systems are vulnerable
- Platforms, networks, and applications are
vulnerable - VoIP-specific attacks are becoming more common
- Security isnt always a consideration during
deployment - The threat is increasing
- VoIP deployment is growing
- Deployments are critical to business operations
- Greater integration with the data network
- More attack tools being published
- The hacking community is taking notice
7IntroductionLayers of Security
Introduction
8Introduction
IntroductionCampus VoIP
TDM Phones
TDMTrunks
PublicVoiceNetwork
IPPBX
IP Phones
Voice VLAN
Data VLAN
InternetConnection
Internet
PCs
9Introduction
IntroductionPublic VoIP
TDM Phones
VoIPConnection
PublicVoiceNetwork
IPPBX
IP Phones
Voice VLAN
Data VLAN
InternetConnection
Internet
PCs
10Gathering Information
Gathering Information
- This is the process a hacker goes through to
gather information about your organization and
prepare their attack - Consists of
- Footprinting
- Scanning
- Enumeration
11Footprinting
Gathering InformationFootprinting
- Steps taken by a hacker to learn about your
enterprise before they start the actual attack - Consists of
- Public website research
- Google hacking
- Using WHOIS and DNS
12Public Website ResearchIntroduction
Gathering InformationFootprinting
- An enterprise website often contains a lot of
information that is useful to a hacker - Organizational structure and corporate locations
- Help and technical support
- Job listings
- Phone numbers and extensions
13Public Website ResearchOrganization Structure
Gathering InformationFootprinting
14Public Website ResearchCorporate Locations
Gathering InformationFootprinting
15Public Website ResearchHelpdesk
Gathering InformationFootprinting
16Public Website ResearchHelpdesk
Gathering InformationFootprinting
17Public Website ResearchJob Listings
Gathering InformationFootprinting
- Job listings can contain a ton of information
about the enterprise VoIP system. - Here is a portion of an actual job listing
- Required Technical SkillsMinimum 3-5 years
experience in the management and implementation
of Avaya telephone systems/voicemails - Advanced programming knowledge of the Avaya
Communication Servers and voicemails.
18Public Website ResearchPhone Numbers
Gathering InformationFootprinting
- Google can be used to find all phone numbers on
an enterprise web site - Type 111..999-1000..9999 sitewww.mcgraw-hill.co
m
19Public Website ResearchVoice Mail
Gathering InformationFootprinting
- By calling into some of these numbers, you can
listen to the voice mail system and determine the
vendor - Check out our voice mail hacking database at
- www.hackingvoip.com
20Public Website Research Countermeasures
Gathering InformationFootprinting
- It is difficult to control what is on your
enterprise website, but it is a good idea to be
aware of what is on it - Try to limit amount of detail in job postings
- Remove technical detail from help desk web pages
21Google HackingIntroduction
Gathering InformationFootprinting
- Google is incredibly good at finding details on
the web - Vendor press releases and case studies
- Resumes of VoIP personnel
- Mailing lists and user group postings
- Web-based VoIP logins
22Google Hacking
Gathering InformationFootprinting
- Vendors and enterprises may post press releases
and case studies - Type siteavaya.com case study or
siteavaya.com company - Users place resumes on the Internet when
searching for jobs - Search Monster for resumes for company employees
- Mailing lists and user group postings
- www.inuaa.org
- www.innua.org
- forums.cisco.com
- forums.digium.com
23Google HackingWeb-Based VoIP Logins
Gathering InformationFootprinting
- Some VoIP phones are accidentally exposed to the
Internet - Use Google to search for
- Type inrulccmuser/logon.asp
- Type inurlccmuser/logon.asp siteexample.com
- Type inurlNetworkConfiguration cisco
24Google HackingWeb-Based VoIP Logins
Gathering InformationFootprinting
25Google HackingCountermeasures
Gathering InformationFootprinting
- Determine what your exposure is
- Be sure to remove any VoIP phones which are
visible to the Internet - Disable the web servers on your IP phones
- There are services that can help you monitor your
exposure - www.cyveilance.com
- ww.baytsp.com
26Google HackingCountermeasures
Attacking The PlatformCisco
27WHOIS and DNSIntroduction
Gathering InformationFootprinting
- Enterprises depend on DNS to route website
visitors and external email - WHOIS searches can reveal IP addresses used by an
enterprise
28WHOIS and DNSCountermeasures
Gathering InformationFootprinting
- Use generic names where possible
- Disable anonymous zone transfers on your DNS
servers
29ScanningIntroduction
Gathering InformationScanning
- Steps taken by a hacker to identify IP addresses
and hosts running VoIP - Consists
- Host/device discovery
- Port scanning and service discovery
- Host/device identification
30Host/Device Discovery
Gathering InformationScanning
- Consists of various techniques used to find
hosts - Ping sweeps
- ARP pings
- TCP ping scans
- SNMP sweeps
31Host/Device DiscoveryUsing nmap
Gathering InformationScanning
- nmap -O -P0 192.168.1.1-254
- Starting Nmap 4.01 ( http//www.insecure.org/nmap/
) at 2006-02-20 0103 CST - Interesting ports on 192.168.1.21
- (The 1671 ports scanned but not shown below are
in state filtered) - PORT STATE SERVICE
- 23/tcp open telnet
- MAC Address 000F34118045 (Cisco Systems)
- Device type VoIP phone
- Running Cisco embedded
- OS details Cisco IP phone (POS3-04-3-00,
PC030301) - Interesting ports on 192.168.1.23
- (The 1671 ports scanned but not shown below are
in state closed) - PORT STATE SERVICE
- 80/tcp open http
- MAC Address 00156286BA3E (Cisco Systems)
- Device type VoIP phoneVoIP adapter
- Running Cisco embedded
- OS details Cisco VoIP Phone 7905/7912 or ATA 186
Analog Telephone Adapter
32Host/Device DiscoveryPorts
Gathering InformationScanning
- SIP enabled devices will usually respond on
UDP/TCP ports 5060 and 5061 - SCCP enabled phones (Cisco) responds on UDP/TCP
2000-2001 - Sometimes you might see UDP or TCP port 17185
(VXWORKS remote debugging!)
33Host/Device DiscoveryPing Sweeps
Gathering InformationScanning
34Host/Device DiscoveryARP Pings
Gathering InformationScanning
35Host/Device DiscoveryTCP Ping Scans
Gathering InformationScanning
- Several tools available
- nmap
- hping
36Host/Device DiscoverySNMP Sweeps
Gathering InformationScanning
37Host/Device DiscoveryCountermeasures
Gathering InformationScanning
- Use firewalls and Intrusion Prevention Systems
(IPSs) to block ping and TCP sweeps - VLANs can help isolate ARP pings
- Ping sweeps can be blocked at the perimeter
firewall - Use secure (SNMPv3) version of SNMP
- Change SNMP public strings
38Port Scanning/Service Discovery
Gathering InformationScanning
- Consists of various techniques used to find open
ports and services on hosts - These ports can be targeted later
- nmap is the most commonly used tool for TCP SYN
and UDP scans
39Port Scanning/Service DiscoveryCountermeasures
Gathering InformationScanning
- Using non-Internet routable IP addresses will
prevent external scans - Firewalls and IPSs can detect and possibly block
scans - VLANs can be used to partition the network to
prevent scans from being effective
40Host/Device Identification
Gathering InformationScanning
- After hosts are found and ports identified, the
type of device can be determined - Classifies host/device by operating system
- Network stack fingerprinting is a common
technique for identifying hosts/devices - nmap is commonly used for this purpose
41Host/Device IdentificationCountermeasures
Gathering InformationScanning
- Firewalls and IPSs can detect and possibly block
scans - Disable unnecessary ports and services on hosts
42EnumerationIntroduction
Gathering InformationEnumeration
- Involves testing open ports and services on
hosts/devices to gather more information - Includes running tools to determine if open
services have known vulnerabilities - Also involves scanning for VoIP-unique
information such as phone numbers - Includes gathering information from TFTP servers
and SNMP
43Vulnerability TestingTools
Gathering InformationEnumeration
44Vulnerability TestingTools
Gathering InformationEnumeration
45Vulnerability TestingCountermeasures
Gathering InformationEnumeration
- The best solution is to upgrade your applications
and make sure you continually apply patches - Some firewalls and IPSs can detect and mitigate
vulnerability scans
46SIP EnumerationIntroduction
Gathering InformationEnumeration
47SIP EnumerationDirectory Scanning
Gathering InformationEnumeration
- root_at_attacker nc 192.168.1.104 5060
- OPTIONS siptest_at_192.168.1.104 SIP/2.0
- Via SIP/2.0/TCP 192.168.1.120branch4ivBcVj5ZnPY
gb - To alice ltsiptest_at_192.168.1.104gt
- Content-Length 0
- SIP/2.0 404 Not Found
- Via SIP/2.0/TCP
- 192.168.1.120branch4ivBcVj5ZnPYgbreceived192.1
68.1.103 - To alice siptest_at_192.168.1.104gttagb27e1a1d3376
1e85846fc98f5f3a7e58.0503 - Server Sip EXpress router (0.9.6 (i386/linux))
- Content-Length 0
- Warning 392 192.168.1.1045060 "Noisy feedback
tells pid29801 - req_src_ip192.168.1.120 req_src_port32773
in_urisiptest_at_192.168.1.104 - out_urisiptest_at_192.168.1.104 via_cnt1"
48SIP EnumerationDirectory Scanning
Gathering InformationEnumeration
49SIP EnumerationAutomated Directory Scanning
Gathering InformationEnumeration
50TFTP EnumerationIntroduction
Gathering InformationEnumeration
- Almost all phones we tested use TFTP to download
their configuration files - The TFTP server is rarely well protected
- If you know or can guess the name of a
configuration or firmware file, you can download
it without even specifying a password - The files are downloaded in the clear and can be
easily sniffed - Configuration files have usernames, passwords, IP
addresses, etc. in them
51TFTP EnumerationUsing TFTPBRUTE
Gathering InformationEnumeration
- root_at_attacker perl tftpbrute.pl 192.168.1.103
brutefile.txt 100tftpbrute.pl, , V 0.1 - TFTP file word database brutefile.txt
- TFTP server 192.168.1.103
- Max processes 100
- Processes are 1
- ltsnipgt
- Processes are 12
- Found TFTP server remote filename sip.cfg
- Found TFTP server remote filename
46xxsettings.txt - Processes are 13
- Processes are 14
- Found TFTP server remote filename
sip_4602D02A.txt - Found TFTP server remote filename
XMLDefault.cnf.xml - Found TFTP server remote filename
SipDefault.cnf
52TFTP EnumerationCountermeasures
Gathering InformationEnumeration
- It is difficult not to use TFTP, since it is so
commonly used by VoIP vendors - Some vendors offer more secure alternatives
- Firewalls can be used to restrict access to TFTP
servers to valid devices
53SNMP EnumerationIntroduction
Gathering InformationEnumeration
- SNMP is enabled by default on most IP PBXs and IP
phones - Simple SNMP sweeps will garner lots of useful
information - If you know the device type, you can use snmpwalk
with the appropriate OID - You can find the OID using Solarwinds MIB
- Default passwords, called community strings,
are common
54SNMP EnumerationSolarwinds
Gathering InformationEnumeration
55SNMP Enumerationsnmpwalk
Gathering InformationEnumeration
- root_at_domain2 snmpwalk -c public -v 1
192.168.1.53 1.3.6.1.4.1.6889 - SNMPv2-SMIenterprises.6889.2.69.1.1.1.0
STRING "Obsolete" - SNMPv2-SMIenterprises.6889.2.69.1.1.2.0
STRING "4620D01B" - SNMPv2-SMIenterprises.6889.2.69.1.1.3.0
STRING "AvayaCallserver" - SNMPv2-SMIenterprises.6889.2.69.1.1.4.0
IpAddress 192.168.1.103 - SNMPv2-SMIenterprises.6889.2.69.1.1.5.0
INTEGER 1719 - SNMPv2-SMIenterprises.6889.2.69.1.1.6.0
STRING "051612501065" - SNMPv2-SMIenterprises.6889.2.69.1.1.7.0
STRING "700316698" - SNMPv2-SMIenterprises.6889.2.69.1.1.8.0
STRING "051611403489" - SNMPv2-SMIenterprises.6889.2.69.1.1.9.0
STRING "00040D5040B0" - SNMPv2-SMIenterprises.6889.2.69.1.1.10.0
STRING "100" - SNMPv2-SMIenterprises.6889.2.69.1.1.11.0
IpAddress 192.168.1.53 - SNMPv2-SMIenterprises.6889.2.69.1.1.12.0
INTEGER 0 - SNMPv2-SMIenterprises.6889.2.69.1.1.13.0
INTEGER 0 - SNMPv2-SMIenterprises.6889.2.69.1.1.14.0
INTEGER 0 - SNMPv2-SMIenterprises.6889.2.69.1.1.15.0
STRING "192.168.1.1" - SNMPv2-SMIenterprises.6889.2.69.1.1.16.0
IpAddress 192.168.1.1 - SNMPv2-SMIenterprises.6889.2.69.1.1.17.0
IpAddress 255.255.255.0
56SNMP EnumerationCountermeasures
Gathering InformationEnumeration
- Disable SNMP on any devices where it is not
needed - Change default public and private community
strings - Try to use SNMPv3, which supports authentication
57Attacking The Network
Attacking The Network
- The VoIP network and supporting infrastructure
are vulnerable to attacks - Most attacks will originate inside the network,
once access is gained - Attacks include
- Network infrastructure DoS
- Network eavesdropping
- Network and application interception
58Attacking The NetworkGaining Access
Attacking The NetworkGaining Access
- Several attack vectors include
- Installing a simple wired hub
- Wi-Fi sniffing
- Compromising a network node
- Compromising a VoIP phone
- Compromising a switch
- Compromising a proxy, gateway, or PC/softphone
- ARP poisoning
- Circumventing VLANs
59Attacking The NetworkGaining Access
Attacking The NetworkGaining Access
- Some techniques for circumventing VLANs
- If MAC filtering is not used, you can disconnect
a VoIP phone and connect a PC - Even if MAC filtering is used, you can easily
spoof the MAC - Be especially cautious of VoIP phones in public
areas (such as lobby phones)
60Attacking The NetworkGaining Access
Attacking The NetworkGaining Access
- Some other VLAN attacks
- MAC flooding attack
- 802.1q and ISL tagging attack
- Double-encapsulated 802.1q/Nested VLAN attack
- Private VLAN attack
- Spanning-tree protocol attack
- VLAN trunking protocol attack
61Network Infrastructure DoS
Attacking The NetworkNetwork DoS
- The VoIP network and supporting infrastructure
are vulnerable to attacks - VoIP media/audio is particularly susceptible to
any DoS attack which introduces latency and
jitter - Attacks include
- Flooding attacks
- Network availability attacks
- Supporting infrastructure attacks
62Flooding AttacksIntroduction
Attacking The NetworkNetwork DoS
- Flooding attacks generate so many packets at a
target, that it is overwhelmed and cant process
legitimate requests
63Flooding AttacksCall Quality
Attacking The NetworkNetwork DoS
- VoIP is much more sensitive to network issues
than traditional data applications like web and
email - Network Latency amount of time it takes for a
packet to travel from the speaker to the listener - Jitter occurs when the speaker sends packets at
constant rates but they arrive at the listener at
variable rates - Packet Loss occurs under heavy load and
oversubscription - Mean Opinion Score subjective quality of a
conversation measured from 1 (unintelligible) to
5 (very clear) - R-value mathematical measurement from 1
(unintelligible) to 100 (very clear)
64Flooding AttacksCall Quality
Attacking The NetworkNetwork DoS
- Software applications (wireshark, adventnet,
Wildpackets, etc.) - Hardware Appliances (Aglient, Empirix, Qovia,,
etc.) - Integrated router and switches (e.g. Cisco QoS
Policy Manager)
65Flooding AttacksTypes of Floods
Attacking The NetworkNetwork DoS
- Some types of floods are
- UDP floods
- TCP SYN floods
- ICMP and Smurf floods
- Worm and virus oversubscription side effect
- QoS manipulation
- Application flooding
66Flooding AttacksCountermeasures
Attacking The NetworkNetwork DoS
- Layer 2 and 3 QoS mechanisms are commonly used to
give priority to VoIP media (and signaling) - Use rate limiting in network switches
- Use anti-DoS/DDoS products
- Some vendors have DoS support in their products
(in newer versions of software)
67Network Availability Attacks
Attacking The NetworkNetwork DoS
- This type of attack involves an attacker trying
to crash the underlying operating system - Fuzzing involves sending malformed packets, which
exploit a weakness in software - Packet fragmentation
- Buffer overflows
68Network Availability Attacks Countermeasures
Attacking The NetworkNetwork DoS
- A network IPS is an inline device that detects
and blocks attacks - Some firewalls also offer this capability
- Host based IPS software also provides this
capability
69Supporting Infrastructure Attacks
Attacking The NetworkNetwork DoS
- VoIP systems rely heavily on supporting services
such as DHCP, DNS, TFTP, etc. - DHCP exhaustion is an example, where a hacker
uses up all the IP addresses, denying service to
VoIP phones - DNS cache poisoning involves tricking a DNS
server into using a fake DNS response
70Supporting Infrastructure AttacksCountermeasures
Attacking The NetworkNetwork DoS
- Configure DHCP servers not to lease addresses to
unknown MAC addresses - DNS servers should be configured to analyze info
from non-authoritative servers and dropping any
response not related to queries
71Network EavesdroppingIntroduction
Attacking The NetworkEavesdropping
- VoIP signaling, media, and configuration files
are vulnerable to eavesdropping - Attacks include
- TFTP configuration file sniffing
- Number harvesting and call pattern tracking
- Conversation eavesdropping
72TFTP/Numbers/Call Patterns
Attacking The NetworkEavesdropping
- TFTP files are transmitted in the clear and can
be sniffed - One easy way is to connect a hub to a VoIP phone,
reboot it, and capture the file - By sniffing signaling, it is possible to build a
directory of numbers and track calling patterns - voipong automates the process of logging all calls
73Conversation RecordingWireshark
Attacking The NetworkEavesdropping
74Conversation RecordingWireshark
Attacking The NetworkEavesdropping
75Conversation RecordingCain And Abel
Attacking The NetworkEavesdropping
76Conversation RecordingOther Tools
Attacking The NetworkEavesdropping
- Other tools include
- vomit
- Voipong
- voipcrack (not public)
- DTMF decoder
77Network EavesdroppingCountermeasures
Attacking The NetworkEavesdropping
- Place the TFTP server on the same VLAN as the
VoIP phones and use a firewall to ensure that
only VoIP phones communicate with it - Use encryption
- Many vendors offer encryption for signaling
- Use the Transport Layer Security (TLS) for
signaling - Many vendors offer encryption for media
- Use Secure Real-time Transport Protocol (SRTP)
- Use ZRTP
- Use proprietary encryption if you have to
78Network/Application InterceptionIntroduction
Attacking The NetworkNet/App Interception
- The VoIP network is vulnerable to
Man-In-The-Middle (MITM) attacks, allowing - Eavesdropping on the conversation
- Causing a DoS condition
- Altering the conversation by omitting, replaying,
or inserting media - Redirecting calls
- Attacks include
- Network-level interception
- Application-level interception
79Network InterceptionARP Poisoning
Attacking The NetworkNet/App Interception
- The most common network-level MITM attack is ARP
poisoning - Involves tricking a host into thinking the MAC
address of the attacker is the intended address - There are a number of tools available to support
ARP poisoning - Cain and Abel
- ettercap
- Dsniff
- hunt
80Network InterceptionARP Poisoning
Attacking The NetworkNet/App Interception
81Network InterceptionARP Poisoning
Attacking The NetworkNet/App Interception
82Network InterceptionARP Poisoning
Attacking The NetworkNet/App Interception
83Network InterceptionCountermeasures
Attacking The NetworkNet/App Interception
- Some countermeasures for ARP poisoning are
- Static OS mappings
- Switch port security
- Proper use of VLANs
- Signaling encryption/authentication
- ARP poisoning detection tools, such as arpwatch
84Application InterceptionIntroduction
Attacking The NetworkNet/App Interception
- It is also possible to perform a MITM attack at
the application layer - Some possible ways to perform this attack
include - Registration hijacking
- Redirection attacks
- VoIP phone reconfiguration
- Inserting a bridge via physical network access
85Application Interception
Attacking The NetworkNet/App Interception
86Application InterceptionCountermeasures
Attacking The NetworkNet/App Interception
- Some countermeasures to application-level
interception are - Use VLANs for separation
- Use TCP/IP
- Use signaling encryption/authentication (such as
TLS) - Enable authentication for requests
- Deploy SIP firewalls to protect SIP proxies from
attacks
87Attacking The Platform
Attacking The Platform
- This section describes unique attacks against
specific VoIP vendor platforms, including - Avaya
- Cisco
88Avaya Communication Manager
Attacking The PlatformAvaya
- The Avaya Communication Manager is Avayas
enterprise-class offering - Offers strong security, but some default
configuration should be changed - Avaya uses Linux and VxWorks as the underlying
operating system on many components, which is
arguably more secure than Windows
89Avaya Communication Manager
Attacking The PlatformAvaya
90Open Ports
Attacking The PlatformAvaya
91Open Ports
Attacking The PlatformAvaya
92Open Ports
Attacking The PlatformAvaya
93Open Ports
Attacking The PlatformAvaya
94Open Ports
Attacking The PlatformAvaya
95Open Ports
Attacking The PlatformAvaya
96Open PortsCountermeasures
Attacking The PlatformAvaya
97Open PortsCountermeasures
Attacking The PlatformAvaya
98SNMP and TFTP
Attacking The PlatformAvaya
- Avaya uses TFTP and SNMP
- In 3.0, SNMP is enabled by default on the IP PBX
and IP phones - Some components ship with default public and
private community strings -
99SNMP and TFTPCountermeasures
Attacking The PlatformAvaya
- Use the same countermeasures as before
- Avaya provides a secure copy feature as an
alternative to TFTP - Communication Manager 4.0 disables SNMP by
default - Version 2.6 for IP phones does not ship with
default community strings -
100Flooding Attacks
Attacking The PlatformAvaya
- We used udpflood and tcpsynflood to perform DoS
attacks against various components - Unfortunately, these attacks were very disruptive
-
101Flooding AttacksCountermeasures
Attacking The PlatformAvaya
- Use the same countermeasures as before
- Avaya C-LAN cards provide some level of DoS
mitigation - Newer IP phone software provides better DoS
mitigation - http//support.avaya.com/security
-
102Miscellaneous Security Issues
Attacking The PlatformAvaya
- Avaya signaling and media are vulnerable to
eavesdropping - Avaya uses some default passwords on key IP PBX
components - Password recommendations for IP phones are weak
- By default, Avaya IP phones can be reconfigured
when booted
103Miscellaneous Security IssuesCountermeasures
Attacking The PlatformAvaya
- Avaya supports proprietary encryption for
signaling and media. SRTP will be supported in
Communication Manager 4.0 - Default passwords should be changed to strong
values - Local access to the IP phone can be controlled
with a password -
104Cisco Unified Call Manager
Attacking The PlatformAvaya
- The Cisco Unified Call Manager is Ciscos
enterprise class offering - Offers strong security, but requires some
configuration - Version 4.1 is based on Windows. Version 5.0 is
based on Linux - A Must Read Document is the Solution Reference
Network Design (SRND) for Voice communications.
(http//tinyurl.com/gd5r4). - Includes great deployment scenarios and security
use cases (lobby phone, desktop phone, call
manager encryption how-to, etc.)
105CiscoIntroduction
Attacking The PlatformCisco
106Cisco Discovery Protocol
Attacking The PlatformCisco
- Cisco Discovery Protocol Ciscos proprietary
layer 2 network management protocol. - Contains juicy information that is broadcast on
the entire segment Disable it!
107Port Scanning
Attacking The PlatformCisco
- Cisco Unified Call Manager requires a large
number of open ports
108Port ScanningCountermeasures
Attacking The PlatformCisco
- Cisco IOS has a great feature called autosecure
that - disables a slew of services (finger, http, ICMP,
source routing, etc.) - enables some services (password encryption, TCP
synwait-time, logging, etc.). - And locks down the router and switch (enables
only ssh, blocks private address blocks from
traversing, enables netflow, etc.)
109FloodingCountermeasures
Attacking The PlatformCisco
- Network Flooding Countermeasures
- Another great feature from Cisco is AutoQos, a
new IOS feature (auto qos command). - Enables Quality of Service for VoIP traffic
across every Cisco router and switch - Scavenger class QoS also a relatively new Cisco
strategy rate shape all bursty non-VoIP traffic
110DoS and OS ExploitationCountermeasures
Attacking The PlatformCisco
- Patch Management is key use the Cisco Voice
Technology Group Subscription Tool
(http//www.cisco.com/cgi-bin/Software/Newsbuilder
/Builder/VOICE.cgi)
111Eavesdropping and InterceptionCountermeasures
Attacking The PlatformCisco
- Eavesdropping and Interception Countermeasures
- Enable port security on Cisco Switches to help
mitigate ARP Spoofing - Enable Dynamic ARP inspection to thwart ARP
Spoofing - Dynamically restrict Ethernet port access with
802.1x port authentication - Enable DHCP Snooping to prevent DHCP Spoofing
- Configure IP source guard on Switches
112Eavesdropping and InterceptionCountermeasures
Attacking The PlatformCisco
- Eavesdropping and Interception Countermeasures
- Configure VTP Transparent Mode
- Change the default Native VLAN Value to thwart
VLAN hopping - Disable Dynamic Trunk Protocol (DTP) to thwart
VLAN Hopping
113Eavesdropping and InterceptionCountermeasures
Attacking The PlatformCisco
- Eavesdropping and Interception Countermeasures
- Activate authentication and encryption of the
signaling and media streams - Skinny over TLS
- SRTP
- Requires creating and distributing certificates
on phones
114Attacking The Application
Attacking The Application
- VoIP systems are vulnerable to application
attacks against the various VoIP protocols - Attacks include
- Fuzzing attacks
- Flood-based DoS
- Signaling and media manipulation
115FuzzingIntroduction
Attacking The ApplicationFuzzing
- Fuzzing describes attacks where malformed packets
are sent to a VoIP system in an attempt to crash
it - Research has shown that VoIP systems, especially
those employing SIP, are vulnerable to fuzzing
attacks - There are many public domain tools available for
fuzzing - Protos suite
- Asteroid
- Fuzzy Packet
- NastySIP
- Scapy
- SipBomber
- SFTF
- SIP Proxy
- SIPp
- SIPsak
116FuzzingExample
Attacking The ApplicationFuzzing
INVITE sip6713_at_192.168.26.1806060userphone
SIP/2.0 Via SIP/2.0/UDP 192.168.22.366060 From
UserAgentltsip6710_at_192.168.22.366060userphonegt
To 6713ltsip6713_at_192.168.26.1806060userphonegt
Call-ID 96561418925909_at_192.168.22.36 Cseq 1
INVITE Subject VovidaINVITE Contact
ltsip6710_at_192.168.22.366060userphonegt Content-T
ype application/sdp Content-Length 168
117FuzzingExample
Attacking The ApplicationFuzzing
INVITE sip6713_at_192.168.26.1806060userphone
SIP/2.0 Via aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaa aaaaaaaaaaaaa From
UserAgentltsip6710_at_192.168.22.366060userphonegt
To 6713ltsip6713_at_192.168.26.1806060userphonegt
Call-ID 96561418925909_at_192.168.22.36 Cseq 1
INVITE Subject VovidaINVITE Contact
ltsip6710_at_192.168.22.366060userphonegt Content-T
ype application/sdp Content-Length 168
118FuzzingPublic Domain Tools
Attacking The ApplicationFuzzing
- There are many public domain tools available for
fuzzing - Protos suite
- Asteroid
- Fuzzy Packet
- NastySIP
- Scapy
- SipBomber
- SFTF
- SIP Proxy
- SIPp
- SIPsak
119FuzzingCommercial Tools
Attacking The ApplicationFuzzing
- There are some commercial tools available
- Beyond Security BeStorm
- Codenomicon
- MuSecurity Mu-4000 Security Analyzer
- Security Innovation Hydra
- Sipera Systems LAVA tools
120FuzzingCountermeasures
Attacking The ApplicationFuzzing
- Make sure your vendor has tested their systems
for fuzzing attacks - Consider running your own tests
- An VoIP-aware IPS can monitor for and block
fuzzing attacks
121Flood-Based DoSIntroduction
Attacking The ApplicationFlood-Based DoS
- Describes an attack where a flood of packets
overwhelms a target, such as a SIP proxy or phone
122Flood-Based DoS
Attacking The ApplicationFlood-Based DoS
- Several tools are available to generate floods at
the application layer - rtpflood generates a flood of RTP packets
- inviteflood generates a flood of SIP INVITE
packets - SiVuS a tool which a GUI that enables a variety
of flood-based attacks - Virtually every device we tested was susceptible
to these attacks
123Flood-Based DoSSiVuS
Attacking The ApplicationFlood-Based DoS
124Flood-Based DoSCountermeasures
Attacking The ApplicationFlood-Based DoS
- There are several countermeasures you can use for
flood-based DoS - Use VLANs to separate networks
- Use TCP and TLS for SIP connections
- Use rate limiting in switches
- Enable authentication for requests
- Use SIP firewalls/IPSs to monitor and block
attacks
125Signaling/Media ManipulationIntroduction
Attacking The Application Sig/Media Manipulation
- In SIP and RTP, there are a number of attacks
possible, which exploit the protocol - Registration removal/addition
- Registration hijacking
- Redirection attacks
- Session teardown
- SIP phone reboot
- RTP insertion/mixing
126Registration Removal/Addition
Attacking The Application Sig/Media Manipulation
Attacker ErasesOr Adds BogusRegistrations,
CausingCalls to be Dropped Or Sent to the Wrong
Address
127Registration Hijacking
Attacking The Application Sig/Media Manipulation
128Registration Hijacking
Attacking The Application Sig/Media Manipulation
129Redirection Attacks
Attacking The Application Sig/Media Manipulation
130Session Teardown
Attacking The Application Sig/Media Manipulation
131IP Phone Reboot
Attacking The Application Sig/Media Manipulation
132Audio Insertion/Mixing
Attacking The Application Sig/Media Manipulation
Attacker SeesPackets AndInserts/Mixes InNew
Audio
133Signaling/Media ManipulationCountermeasures
Attacking The Application Sig/Media Manipulation
- Some countermeasures for signaling and media
manipulation include - Use digest authentication where possible
- Use TCP and TLS where possible
- Use SIP-aware firewalls/IPSs to monitor for and
block attacks - Use audio encryption to prevent RTP
injection/mixing
134Social Attacks
Social Attacks
- There are a couple of evolving social threats
that will affect enterprises - Voice SPAM or SPAM over Internet Telephony (SPIT)
- Voice phishing
135Voice SPAMIntroduction
Social AttacksVoice SPAM
- Voice SPAM refers to bulk, automatically
generated, unsolicited phone calls - Similar to telemarketing, but occurring at the
frequency of email SPAM - Not an issue yet, but will become prevalent when
- The network makes it very inexpensive or free to
generate calls - Attackers have access to VoIP networks that allow
generation of a large number of calls - It is easy to set up a voice SPAM operation,
using Asterisk, tools like spitter, and free
VoIP access
136Voice SPAM
Social AttacksVoice SPAM
- Voice SPAM has the potential to be very
disruptive because - Voice calls tend to interrupt a user more than
email - Calls arrive in realtime and the content cant be
analyzed to determine it is voice SPAM - Even calls saved to voice mail must be converted
from audio to text, which is an imperfect process - There isnt any capability in the protocols that
looks like it will address Voice SPAM
137Voice SPAMCountermeasures
Social AttacksVoice SPAM
- Some potential countermeasures for voice SPAM
are - Authenticated identity movements, which may help
to identify callers - Legal measures
- Enterprise voice SPAM filters
- Black lists/white lists
- Approval systems
- Audio content filtering
- Turing tests
138VoIP PhishingIntroduction
Social AttacksPhishing
- Similar to email phishing, but with a phone
number delivered though email or voice - When the victim dials the number, the recording
requests entry of personal information - The hacker comes back later and retrieves the
touch tones or other information
139VoIP PhishingExample
Social AttacksPhishing
- Hi, this is Bob from Bank of America calling.
Sorry I missed you. If you could give us a call
back at 1-866-555-1324 we have an urgent issue to
discuss with you about your bank account. - Hello. This is Bank of America. So we may best
serve you, please enter your account number
followed by your PIN.
140VoIP PhishingExample
Social AttacksPhishing
141VoIP PhishingCountermeasures
Social AttacksPhishing
- Traditional email spam/phishing countermeasures
come in to play here. - Educating users is a key
142 143Notes
144Notes