Hacking Exposed: VoIP
Mark D. Collier, Chief Technology Officer
mark.collier@securelogix.com
www.securelogix.com
Hacking Exposed: VoIP
We took on this project because there were no practical books on enterprise VoIP security that gave examples of how hackers attack VoIP deployments and explained to administrators how to defend against these attacks. We spent more than a year of research writing new VoIP security tools, using them to test the latest VoIP products, and scouring VoIP state-of-the-art security.
This tutorial is based on material from the book. The book was published December 1, 2006 (536 pages): http://www.hackingvoip.com
Outline
Overview
Gathering Information:
• Footprinting
• Scanning
• Enumeration
Attacking the Network:
• Network Infrastructure Denial of Service
• Network Eavesdropping
• Network and Application Interception
Attacking Vendor Platforms:
• Avaya
• Cisco
Attacking the Application:
• Fuzzing
• Disruption of Service
• Signaling and Media Manipulation
Social Attacks:
• Voice SPAM/SPIT
• Voice Phishing
Introduction
VoIP systems are vulnerable:
• Platforms, networks, and applications are vulnerable
• VoIP-specific attacks are becoming more common
• Security isn’t always a consideration during deployment
The threat is increasing:
• VoIP deployment is growing
• Deployments are critical to business operations
• Greater integration with the data network
• More attack tools being published
• The hacking community is taking notice
Introduction: Layers of Security
Introduction: Campus VoIP (diagram: TDM phones and TDM trunks to the public voice network, IP PBX, IP phones on the voice VLAN, PCs on the data VLAN, Internet connection to the Internet)
Introduction: Public VoIP (diagram: TDM phones, VoIP connection to the public voice network, IP PBX, IP phones on the voice VLAN, PCs on the data VLAN, Internet connection to the Internet)
Gathering Information
This is the process a hacker goes through to gather information about your organization and prepare their attack. It consists of:
• Footprinting
• Scanning
• Enumeration
Gathering Information / Footprinting
Steps taken by a hacker to learn about your enterprise before they start the actual attack. Consists of:
• Public website research
• Google hacking
• Using WHOIS and DNS
Gathering Information / Footprinting / Public Website Research: Introduction
An enterprise website often contains a lot of information that is useful to a hacker:
• Organizational structure and corporate locations
• Help and technical support
• Job listings
• Phone numbers and extensions
Gathering Information / Footprinting / Public Website Research: Organization Structure
Gathering Information / Footprinting / Public Website Research: Corporate Locations
Gathering Information / Footprinting / Public Website Research: Helpdesk
Gathering Information / Footprinting / Public Website Research: Job Listings
Job listings can contain a ton of information about the enterprise VoIP system. Here is a portion of an actual job listing:
Required Technical Skills: Minimum 3-5 years experience in the management and implementation of Avaya telephone systems/voicemails:
* Advanced programming knowledge of the Avaya Communication Servers and voicemails.
Gathering Information / Footprinting / Public Website Research: Phone Numbers
Google can be used to find all phone numbers on an enterprise web site:
• Type: “111..999-1000..9999 site:www.mcgraw-hill.com”
Gathering Information / Footprinting / Public Website Research: Voice Mail
By calling into some of these numbers, you can listen to the voice mail system and determine the vendor.
Check out our voice mail hacking database at:
• www.hackingvoip.com
Gathering Information / Footprinting / Public Website Research: Countermeasures
It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it.
Try to limit the amount of detail in job postings.
Remove technical detail from help desk web pages.
Gathering Information / Footprinting / Google Hacking: Introduction
Google is incredibly good at finding details on the web:
• Vendor press releases and case studies
• Resumes of VoIP personnel
• Mailing lists and user group postings
• Web-based VoIP logins
Gathering Information / Footprinting / Google Hacking
Vendors and enterprises may post press releases and case studies:
• Type: “site:avaya.com case study” or “site:avaya.com company”
Users place resumes on the Internet when searching for jobs:
• Search Monster for resumes for company employees
Mailing lists and user group postings:
• www.inuaa.org
• www.innua.org
• forums.cisco.com
• forums.digium.com
Gathering Information / Footprinting / Google Hacking: Web-Based VoIP Logins
Some VoIP phones are accidentally exposed to the Internet. Use Google to search for:
• Type: inurl:”ccmuser/logon.asp”
• Type: inurl:”ccmuser/logon.asp” site:example.com
• Type: inurl:”NetworkConfiguration” cisco
Gathering Information / Footprinting / Google Hacking: Web-Based VoIP Logins (continued)
Gathering Information / Footprinting / Google Hacking: Countermeasures
Determine what your exposure is.
Be sure to remove any VoIP phones which are visible to the Internet.
Disable the web servers on your IP phones.
There are services that can help you monitor your exposure:
• www.cyveillance.com
• www.baytsp.com
Attacking the Platform / Cisco / Google Hacking: Countermeasures
Gathering Information / Footprinting / WHOIS and DNS: Introduction
Enterprises depend on DNS to route website visitors and external email.
WHOIS searches can reveal IP addresses used by an enterprise.
Gathering Information / Footprinting / WHOIS and DNS: Countermeasures
Use generic names where possible.
Disable anonymous zone transfers on your DNS servers.
Gathering Information / Scanning: Introduction
Steps taken by a hacker to identify IP addresses and hosts running VoIP. Consists of:
• Host/device discovery
• Port scanning and service discovery
• Host/device identification
Gathering Information / Scanning / Host/Device Discovery
Consists of various techniques used to find hosts:
• Ping sweeps
• ARP pings
• TCP ping scans
• SNMP sweeps
Gathering Information / Scanning / Host/Device Discovery: Using nmap
nmap -O -P0 192.168.1.1-254
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 01:03 CST
Interesting ports on 192.168.1.21:
(The 1671 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP phone (POS3-04-3-00, PC030301)
Interesting ports on 192.168.1.23:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
Device type: VoIP phone|VoIP adapter
Running: Cisco embedded
OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter
Interesting ports on 192.168.1.24:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Device type: VoIP adapter
Running: Sipura embedded
OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway
Gathering Information / Scanning / Host/Device Discovery: Ports
SIP-enabled devices will usually respond on UDP/TCP ports 5060 and 5061.
SCCP-enabled phones (Cisco) respond on UDP/TCP 2000-2001.
Sometimes you might see UDP or TCP port 17185 (VxWorks remote debugging!).
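The nmap output and the port list above are what an administrator would use to build an inventory of VoIP endpoints and check which of them expose management services. The following is an added example, not code from the book or the slides: it parses nmap's normal output into per-host records, labels the VoIP ports named on the slides, and reports management services (telnet, HTTP, the VxWorks debug port) left open on phones. The embedded scan text is the slide's output re-split into lines; the port labels and the list of services to flag are this example's own assumptions.

```python
"""Parse nmap normal output into per-host records and flag services that
should not be reachable on VoIP endpoints.

Added example, not code from the book or the slides. SAMPLE_SCAN is the
output shown on the slide, one field per line; VOIP_PORTS and
MANAGEMENT_PORTS are this example's own labels, not nmap's."""
import re
from dataclasses import dataclass, field

# Signaling/debug ports named on the slides; the labels are mine.
VOIP_PORTS = {
    5060: "SIP",
    5061: "SIP/TLS",
    2000: "SCCP",
    2001: "SCCP",
    17185: "VxWorks WDB remote debug",
}
# Services an administrator normally wants disabled on a phone
# (cf. the countermeasure "disable the web servers on your IP phones").
MANAGEMENT_PORTS = {23: "telnet", 80: "http", 17185: "vxworks-debug"}

HOST_RE = re.compile(r"^Interesting ports on (\S+):$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.+)\)$")


@dataclass
class Host:
    ip: str
    open_ports: dict = field(default_factory=dict)  # port -> (proto, service)
    mac: str = ""
    vendor: str = ""
    device_type: str = ""
    os_details: str = ""

    def findings(self):
        """Human-readable issues: management services open on this device."""
        kind = self.device_type or "unknown device"
        return [
            f"{self.ip}: {MANAGEMENT_PORTS[p]} ({p}/{proto}) open on {kind}"
            for p, (proto, _svc) in sorted(self.open_ports.items())
            if p in MANAGEMENT_PORTS
        ]


def classify_port(port):
    """Label a port by the VoIP role the slides give it, or None."""
    return VOIP_PORTS.get(port)


def parse_nmap(text):
    """Walk nmap normal output; one Host per 'Interesting ports on' block."""
    hosts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            cur = Host(ip=m.group(1))
            hosts.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first host
        m = PORT_RE.match(line)
        if m:
            if m.group(3) == "open":
                cur.open_ports[int(m.group(1))] = (m.group(2), m.group(4))
            continue
        m = MAC_RE.match(line)
        if m:
            cur.mac, cur.vendor = m.group(1), m.group(2)
        elif line.startswith("Device type: "):
            cur.device_type = line[len("Device type: "):]
        elif line.startswith("OS details: "):
            cur.os_details = line[len("OS details: "):]
    return hosts


# Scan output from the slide (nmap -O -P0 192.168.1.1-254), one field per line.
SAMPLE_SCAN = """\
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 01:03 CST
Interesting ports on 192.168.1.21:
(The 1671 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP phone (POS3-04-3-00, PC030301)

Interesting ports on 192.168.1.23:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
Device type: VoIP phone|VoIP adapter
Running: Cisco embedded
OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter

Interesting ports on 192.168.1.24:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Device type: VoIP adapter
Running: Sipura embedded
OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway
"""

if __name__ == "__main__":
    for h in parse_nmap(SAMPLE_SCAN):
        print(h.ip, h.vendor, h.device_type, sorted(h.open_ports))
        for f in h.findings():
            print("  !", f)
```

Run against the slide's scan, it reports telnet open on the 7940-class phone at .21 and HTTP open on the two adapters, which is exactly the exposure the later "disable the web servers on your IP phones" countermeasure is about. Feed it a scan that also covered UDP and `classify_port` lets you separate expected signaling ports (5060/5061, 2000/2001) from the VxWorks debug port that should never be reachable.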
Gathering Information / Scanning / Host/Device Discovery: Ping Sweeps
Gathering Information / Scanning / Host/Device Discovery: ARP Pings
Gathering Information / Scanning / Host/Device Discovery: TCP Ping Scans
Several tools available:
• nmap
• hping
Gathering Information / Scanning / Host/Device Discovery: SNMP Sweeps
Gathering Information / Scanning / Host/Device Discovery: Countermeasures
Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps.
VLANs can help isolate ARP pings.
Ping sweeps can be blocked at the perimeter firewall.
Use the secure version of SNMP (SNMPv3).
Change the SNMP community strings from the default (public).
Gathering Information / Scanning / Port Scanning/Service Discovery
Consists of various techniques used to find open ports and services on hosts. These ports can be targeted later.
nmap is the most commonly used tool for TCP SYN and UDP scans.
Gathering Information / Scanning / Port Scanning/Service Discovery: Countermeasures
Using non-Internet-routable IP addresses will prevent external scans.
Firewalls and IPSs can detect and possibly block scans.
VLANs can be used to partition the network to prevent scans from being effective.
Gathering Information / Scanning / Host/Device Identification
After hosts are found and ports identified, the type of device can be determined. This classifies the host/device by operating system.
Network stack fingerprinting is a common technique for identifying hosts/devices; nmap is commonly used for this purpose.
Gathering Information / Scanning / Host/Device Identification: Countermeasures
Firewalls and IPSs can detect and possibly block scans.
Disable unnecessary ports and services on hosts.
Gathering Information / Enumeration: Introduction
Involves testing open ports and services on hosts/devices to gather more information.
Includes running tools to determine if open services have known vulnerabilities.
Also involves scanning for VoIP-unique information such as phone numbers.
Includes gathering information from TFTP servers and SNMP.
Gathering Information / Enumeration / Vulnerability Testing: Tools
Gathering Information / Enumeration / Vulnerability Testing: Countermeasures
The best solution is to upgrade your applications and make sure you continually apply patches.
Some firewalls and IPSs can detect and mitigate vulnerability scans.
Gathering Information / Enumeration / SIP Enumeration: Introduction
Gathering Information / Enumeration / SIP Enumeration: Directory Scanning
[root@attacker]# nc 192.168.1.104 5060
OPTIONS sip:test@192.168.1.104 SIP/2.0
Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb
To: alice <sip:test@192.168.1.104>
Content-Length: 0

SIP/2.0 404 Not Found
Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb;received=192.168.1.103
To: alice <sip:test@192.168.1.104>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0503
Server: Sip EXpress router (0.9.6 (i386/linux))
Content-Length: 0
Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29801 req_src_ip=192.168.1.120 req_src_port=32773 in_uri=sip:test@192.168.1.104 out_uri=sip:test@192.168.1.104 via_cnt==1"
Gathering Information / Enumeration / SIP Enumeration: Directory Scanning (continued)
Gathering Information / Enumeration / SIP Enumeration: Automated Directory Scanning
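The OPTIONS / 404 exchange above shows two things a defender can act on: the proxy answers with a Server header and a verbose Warning header that reveal its software, version, process id and addresses, and a directory scan is simply the same probe repeated across many user names from one source. The following is an added example, not code from the book or the slides: a small SIP message parser built around that exchange, a check for headers that leak implementation details, and a detector that flags a source which probes many distinct Request-URI users within a short window of a proxy's request log. The request and response are the ones on the slide; the log lines, the 60-second window and the five-user threshold are constructed for this example.

```python
"""Parse SIP messages, flag responses that leak implementation details, and
detect directory scanning (one source, many user names, short window).

Added example, not code from the book or the slides. REQUEST and RESPONSE are
the slide's exchange; PROXY_LOG, the window and the threshold are constructed."""
import re
from collections import defaultdict

REQUEST_RE = re.compile(r"^([A-Z]+) (sip:\S+) SIP/2\.0$")
STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
# Response headers that reveal software, version or internal addresses.
LEAKY_HEADERS = ("server", "warning", "user-agent")


def parse_sip(raw):
    """Return a dict with start-line fields, lowercase header names and body.
    Only the first value of a repeated header is kept."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = head.split("\n")
    msg = {"headers": {}, "body": body}
    m = REQUEST_RE.match(lines[0])
    if m:
        msg["method"], msg["uri"] = m.group(1), m.group(2)
    else:
        m = STATUS_RE.match(lines[0])
        if not m:
            raise ValueError("not a SIP start line: " + lines[0])
        msg["status"], msg["reason"] = int(m.group(1)), m.group(2)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            msg["headers"].setdefault(name.strip().lower(), value.strip())
    return msg


def uri_user(uri):
    """'sip:test@192.168.1.104' -> 'test'; None when there is no user part."""
    rest = uri.split(":", 1)[1]
    return rest.split("@", 1)[0] if "@" in rest else None


def leaky_headers(msg):
    """Header names present that hand an attacker fingerprinting material."""
    return [h for h in LEAKY_HEADERS if h in msg["headers"]]


def detect_directory_scan(log, window=60, min_users=5):
    """Flag sources that hit >= min_users distinct Request-URI users within
    `window` seconds. Log lines: '<epoch> <src_ip> <method> <request_uri>'."""
    events = defaultdict(list)  # src -> [(t, user)]
    for line in log.splitlines():
        t, src, _method, uri = line.split()
        events[src].append((int(t), uri_user(uri)))
    flagged = set()
    for src, evs in events.items():
        evs.sort()
        for i, (t, _) in enumerate(evs):
            users = {u for t2, u in evs[i:] if t2 - t <= window}
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged


REQUEST = """\
OPTIONS sip:test@192.168.1.104 SIP/2.0
Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb
To: alice <sip:test@192.168.1.104>
Content-Length: 0
"""
RESPONSE = """\
SIP/2.0 404 Not Found
Via: SIP/2.0/TCP 192.168.1.120;branch=4ivBcVj5ZnPYgb;received=192.168.1.103
To: alice <sip:test@192.168.1.104>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0503
Server: Sip EXpress router (0.9.6 (i386/linux))
Content-Length: 0
Warning: 392 192.168.1.104:5060 "Noisy feedback tells: pid=29801 req_src_ip=192.168.1.120"
"""
# Constructed proxy log: one host walks through user names, one phone behaves normally.
PROXY_LOG = "\n".join(
    [f"{1172000000 + i} 192.168.1.120 OPTIONS sip:{u}@192.168.1.104"
     for i, u in enumerate(["test", "100", "101", "102", "admin", "bob"])]
    + ["1172000003 192.168.1.21 REGISTER sip:192.168.1.104",
       "1172000040 192.168.1.21 INVITE sip:alice@192.168.1.104"]
)

if __name__ == "__main__":
    resp = parse_sip(RESPONSE)
    print(resp["status"], resp["reason"], "leaks:", leaky_headers(resp))
    print("scanning sources:", detect_directory_scan(PROXY_LOG))
```

The window-based count is what makes this usable on a busy proxy: a phone registering and calling a couple of people never reaches five distinct users, while a scanner walking an extension range does within seconds. The `leaky_headers` check is the audit side of the same slide; a proxy that answers every probe with its exact version in Server and a "Noisy feedback" Warning is doing the attacker's enumeration work for them, and that output is something you can turn off in the proxy configuration.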
Gathering Information / Enumeration / TFTP Enumeration: Introduction
Almost all phones we tested use TFTP to download their configuration files.
The TFTP server is rarely well protected: if you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password.
The files are downloaded in the clear and can be easily sniffed.
Configuration files have usernames, passwords, IP addresses, etc. in them.
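Because TFTP has no authentication, the only place a defender can see a guessed configuration-file download is on the wire or in the server's request log. The following is an added example, not code from the book or the slides: it decodes TFTP read/write requests (RFC 1350 with RFC 2347 options) from captured UDP payloads and raises an alert when a host outside the phone inventory requests a file, when anyone tries to write to the server, or when a known phone requests a config file named for a different phone's MAC. The packets, the inventory and the "SEP<MAC>.cnf.xml" file-naming assumption are constructed for this example; the MACs are the ones in the nmap output earlier on the page.

```python
"""Decode TFTP read/write requests (RFC 1350, with RFC 2347 options) from
captured UDP payloads and flag configuration fetches that do not fit the
phone inventory.

Added example, not code from the book or the slides. The packets, KNOWN_PHONES
and the SEP<MAC>.cnf.xml naming assumption are constructed; the MACs come from
the nmap output earlier on the page."""
import re
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
MAC_IN_NAME = re.compile(r"SEP([0-9A-F]{12})", re.I)


def parse_tftp_request(payload):
    """Return {'op', 'filename', 'mode', 'options'} for an RRQ/WRQ packet.
    Raises ValueError for any other opcode or a malformed packet."""
    if len(payload) < 4:
        raise ValueError("short packet")
    (op,) = struct.unpack("!H", payload[:2])
    if op not in (1, 2):
        raise ValueError(f"not a request: opcode {OPCODES.get(op, op)}")
    fields = payload[2:].split(b"\x00")
    # 'name\0mode\0[opt\0val\0...]' splits into [name, mode, ..., b''],
    # so a well-formed request always yields an odd number of fields.
    if len(fields) < 3 or fields[-1] != b"" or len(fields) % 2 != 1:
        raise ValueError("malformed request")
    mode = fields[1].decode("ascii", "replace").lower()
    if mode not in ("netascii", "octet", "mail"):
        raise ValueError("unknown transfer mode " + mode)
    opts = {k.decode("ascii", "replace").lower(): v.decode("ascii", "replace")
            for k, v in zip(fields[2:-1:2], fields[3:-1:2])}
    return {"op": OPCODES[op], "filename": fields[0].decode("ascii", "replace"),
            "mode": mode, "options": opts}


def build_rrq(filename, mode="octet", **options):
    """Encode an RRQ; used here only to construct the sample captures."""
    pkt = struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"
    for k, v in options.items():
        pkt += k.encode() + b"\x00" + str(v).encode() + b"\x00"
    return pkt


def audit(events, known_phones):
    """events: [(src_ip, udp_payload)]; known_phones: {ip: MAC without colons}.
    Returns (src, filename, reason) for each request worth an alert."""
    alerts = []
    for src, payload in events:
        try:
            req = parse_tftp_request(payload)
        except ValueError:
            continue  # DATA/ACK/ERROR or junk: not a file request
        name = req["filename"]
        if req["op"] == "WRQ":
            alerts.append((src, name, "write request to the config server"))
        elif src not in known_phones:
            alerts.append((src, name, "request from a host not in the phone inventory"))
        else:
            m = MAC_IN_NAME.search(name)
            if m and m.group(1).upper() != known_phones[src]:
                alerts.append((src, name, "phone requested another phone's config file"))
    return alerts


# Constructed inventory (MACs from the nmap output above, colons removed).
KNOWN_PHONES = {"192.168.1.21": "000F34118045", "192.168.1.23": "00156286BA3E"}
# Constructed captures: UDP payloads sent to port 69, with their source addresses.
CAPTURE = [
    ("192.168.1.21", build_rrq("SEP000F34118045.cnf.xml")),              # own config
    ("192.168.1.21", build_rrq("XMLDefault.cnf.xml", blksize=512)),       # shared default
    ("192.168.1.23", build_rrq("SEP000F34118045.cnf.xml")),              # another phone's
    ("192.168.1.120", build_rrq("SEP000F34118045.cnf.xml")),             # not a phone
    ("192.168.1.120", struct.pack("!HH", 5, 1) + b"File not found\x00"),  # ERROR, ignored
]

if __name__ == "__main__":
    for alert in audit(CAPTURE, KNOWN_PHONES):
        print(*alert)
```

The inventory lookup is the part that matters: the TFTP server itself cannot tell a phone from a workstation, so the check has to come from outside it, from the device list the scanning step produced. Pairing that with the "another phone's config file" rule catches the exact case the slide describes, a correct guess of someone else's file name, without alerting on the normal boot-time fetch of a phone's own file or of a shared default.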