UC Security with Microsoft Office Communication Server R1/R2
FRHACK, Sept 8, 2009
Abhijeet Hatekar, Vulnerability Research Engineer

Agenda
• Introduction
• Overview of VoIP/UC Security
• Microsoft OCS Overview
• OAT Demo - Online Dictionary Attack
• OAT Demo - IM Flood / Call Walk / Call DoS
• OAT Reporting
• Future Research Areas
• Conclusion

Sipera Confidential - Do not reproduce or distribute without express written consent FRHACK 2

Introduction
• About VIPER Lab
  • VIPER ~ Voice over IP Exploit Research
  • Security research lab dedicated to finding
    • New UC / VoIP attack vectors
    • Structural vulnerabilities in insecure protocol / deployment / configuration
  • Penetration testing team specialized in VoIP / UC Security
  • Passionate about VoIP / UC Security
  • Replicated a production, enterprise network in VIPER Lab
  • Security assessment professionals supported by research and exploit developers

Introduction
• Who am I? Vulnerability Research Engineer in VIPER Lab
• Tools I have authored
  • Xtest (http://xtest.sf.net)
  • VideoJak (http://videojak.sf.net)

Agenda
• Introduction
• Overview of Unified Communication and Security
  • What is Unified Communication?
  • VoIP Vulnerabilities
  • VoIP Attacks
• Microsoft OCS Overview
• OAT Demo - Online Dictionary Attack
• OAT Demo - IM Flood / Call Walk / Call DoS
• OAT Reporting
• Future Research Areas
• Conclusion

What is UC?
• Integration of real-time communication services with non-real-time communication services.
• Suite of products for communication across multiple devices and media types.

VoIP Vulnerabilities And Attacks
• Signaling Vulnerabilities
  • Most hard-phones have limited or underpowered hardware.
  • Protocol stacks are poorly implemented.
  • Protocols lack authentication and encryption.
  • Different responses for valid/invalid usernames
• Signaling Attacks
  • Flooding, Fuzzing, DoS
  • Signaling message injection
  • Call Teardown, Registration Hijack, Media Hijack
  • Caller-ID spoofing
  • Username Enumeration

VoIP Vulnerabilities And Attacks
• Media Vulnerabilities
  • Media channels are unauthenticated.
  • Media protocols are un-encrypted.
  • Poor implementation of Media protocols
• Media Manipulation Attacks
  • Media QoS Degradation, DoS
  • Media Injection, Modification, Deletion
  • Eavesdropping Media

Agenda
• Introduction
• Overview of Unified Communication and Security
• Microsoft OCS Overview
  • Introduction to OCS
  • OAT Overview
  • Why OAT
  • OAT features
• OAT Demo - Online Dictionary Attack
• OAT Demo - IM Flood / Call Walk / Call DoS
• OAT Reporting
• Future Research Areas
• Conclusion

Microsoft OCS Overview
• A software-based UC solution from Microsoft
• Streamlined Communications
• Operational Flexibility and Control
• Extensible Communications Platform

OAT Overview
• MS Office Communication Server Assessment Tool (OAT)
• Result of reverse engineering of OCS client
• Started RE work in Feb 2008 and developed PoC tool to register with OCS using normal Win32 SDK APIs in May 2008
• Used UC SDK to build OAT and supported features

OAT Features
• What's New in OAT v2.0?
  • Call DoS attack feature
  • Targeted IM and Call Walk
  • Auto detection of authentication protocol between NTLM & Kerberos
  • TLS transport support
  • More organized settings and attack tab pages
  • Verbose reports in various formats including PDF, Word, RTF and Text
• Features in OAT v1.0
  • Online Dictionary Attack
  • Presence Stealing
  • Contact List Stealing
  • IM Flood
  • Call Walk
  • Spam Call
  • User friendly interface
  • TCP transport
  • NTLM authentication protocol support
  • Basic reports

OAT Internal Assessment Mode
• Supported Attacks
  • Online Dictionary Attacks
  • Domain User Enumeration
  • Presence Stealing
  • Contact List Stealing
  • Domain IM Flood
  • Domain Call Walk
  • Call DoS
• Typical Deployment

OAT External Assessment Mode
• Supported Attacks
  • Online Dictionary Attacks
  • Domain User Enumeration
  • Presence Stealing
  • Contact List Stealing
  • Contact List IM Flood
  • Contact List Call Walk
  • Call DoS
• Typical Deployment

Agenda
• Introduction
• Overview of Unified Communication and Security
• Microsoft OCS Overview
• OAT Demo - Online Dictionary Attack
  • Overview
  • Demo
• OAT Demo - IM Flood / Call Walk / Call DoS
• OAT Reporting
• Future Research Areas
• Conclusion

OAT Online Dictionary Attack
• OAT tests the password strength of OCS-enabled users.
• Imitates a real outside attack.
• Successful attack opens a door for launching attacks with dire implications.

Agenda
• Introduction
• Overview of Unified Communication and Security
• Microsoft OCS Overview
• OAT Demo - Online Dictionary Attack
• OAT Demo - IM Flood / Call Walk / Call DoS
  • Overview
  • Demo
• OAT Reporting
• Future Research Areas
• Conclusion

OAT IM Flood
• OAT IM Flood feature can flood targeted user(s) with custom IM messages.
• Can be used to send SPAM IM.
• Can be used for phishing attacks if proper measures are not enabled.

OAT Call Walk
• OAT Call Walk feature enumerates all OCS-enabled users
• Steals their presence information
• Makes prank calls and plays a custom SPAM audio clip

OAT Attacks from External Network
• OAT Call Walk feature steals the contact list from the external network
• Steals their presence information
• Makes prank calls and plays a custom SPAM audio clip

OAT Call DoS
• OAT Call DoS feature can flood a targeted user with custom high-priority calls.
• Results in DoS on the Communicator client; the user needs to forcefully restart the Communicator client.
• Works on hard phones and forces the user to re-register with the OCS server.

Agenda
• Introduction
• Overview of Unified Communication and Security
• Microsoft OCS Overview
• OAT Demo - Online Dictionary Attack
• OAT Demo - IM Flood / Call Walk / Call DoS
• OAT Reporting
  • Verbose Reports
  • Report formats include PDF, Word, RTF and Text
• Future Research Areas
• Conclusion

OAT Reports
• Generates a detailed report of configuration, selected attack and result.
• Can save the report in PDF, DOC, RTF and Text file formats.
• Reports can be used in the final penetration testing report.

Agenda
• Introduction
• Overview of Unified Communication and Security
• Microsoft OCS Overview
• OAT Demo - Online Dictionary Attack
• OAT Demo - IM Flood / Call Walk / Call DoS
• OAT Reporting
• Future Research Areas
  • Group Chat Server
  • OCS Video Calls and Web Conference
• Conclusion

Future Research Areas
• Office Communication Server R2 Audio/Video Conferencing Server
• Office Communication Server R2 Group Chat Server

Conclusion
• The objective of OAT is to help identify vulnerabilities in the configuration and deployment of Microsoft OCS.
• OAT is not a hacking tool to expose vulnerabilities that can’t be protected against.
• All of the security issues uncovered by the tool can be mitigated by following Microsoft recommended Security Best Practices.

Resources
• Microsoft OCS Best Practices Analyzer Tool

Contact Information
• Abhijeet Hatekar
• Vulnerability Research Engineer
• abhijeet@viperlab.net; abhi,hatekar@gmail.com
• For more information about Sipera VIPER Lab, visit us online at http://www.viperlab.net
• For more information about Sipera Systems, visit us online at http://www.sipera.com