Post on 18-May-2015
http://null.co.in/ http://nullcon.net/
Remember these Titans???
Spying was a manual labor!
Spying has become digital
Meet
Abhijeet Hatekar
A Geek who works for
Who happens to be a hardcore
Linux Guy
Delves into…
Loves to develop
New Security /
Hacking Tools
Also, a good cook!
I was at
Where I developed tools like…
oat.sf.net
Presented papers at…
And active contributor for
a magazine
Can be followed at my blog
and reached at my website: www.chackraview.net
What
brings
me here?
Let’s go
a step
ahead
Unified Communication
VoIP is a piece of technical excellence
VoIP Benefits
• Cost efficient
• Flexibility
• Feature rich
• Simple and scalable infrastructure
Competition: a Goose
race
To provide rich features and slick boxes within a slim timeline, vendors often overlook security issues.
VoIP Attack Vectors
Eavesdropping
Denial of Service (DoS)
Call Hijack
Call Teardown
Call Fraud
Media Manipulations
Codec Manipulation
What’s at stake???
Money
Data
Reputation and faith
&...
YOU
Let’s focus on
something
more
interesting!
Prologue
Major Global Video Phone
Solutions Providers
Why Grandstream???
Cheap
Reliable
Feature Rich
Features of
Grandstream Video Phone
nmap scan
The Awareness Hurdle
Non-aware
95%
The Hack Begins….
Login Authentication
Survey Facts
78% people do not change the default password.
Out of remaining 22%, 42.98% just increment a number.
e.g. Password1, admin2, etc.
Source: Symantec Inc.
75% of social networking username and password samples
collected online were identical to those used for email
accounts.
69.30% people write down their password to remember.
Source: www.securityweek.com
63% people do not change their password often.
Source: www.cnet.com
The Password
leaks some
facts ☺
The Wireshark Trace
The Research
After burning the midnight oil over a couple of smokes
Packet captures
Grey cells
I found out different interesting configuration variables.
The Research:
Mapping Configuration Variables
P2 = password
P97 = iLBC Frame size
P927 = Video packet size
P39 = local RTP port
P928 = ??? <interesting>
The Research
These variables correspond
to some features directly
affecting the Grandstream
phone.
Among all the variables, P928
caught my attention because
as soon as I set that variable.
The Research: 2nd nmap Scan
The Research
P928 starts RTSP server on phone
Can stream video from the video phone camera
User is not aware of this and moreover
User cannot control it from phone menu
Cracking SRTP Authentication
• Phone tries to authenticate RTSP client
• HTTP digest authentication mode
• QoP is only auth and not auth-int (little safe)
• Vulnerable to MiTM and password brute force attacks
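
Added example (not from the original slides and not Chupa Rustam code): the RFC 2617 digest calculation, showing that a qop=auth response does not cover the message body while auth-int does, which is why a man in the middle can alter a body undetected under auth. The credentials, RTSP URI, nonce values and bodies are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(user, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body=b""):
    """Compute the RFC 2617 'response' value for qop=auth or qop=auth-int."""
    ha1 = md5_hex(f"{user}:{realm}:{password}".encode())
    if qop == "auth":
        # Only method and URI are hashed: the body is not protected.
        ha2 = md5_hex(f"{method}:{uri}".encode())
    elif qop == "auth-int":
        # The hash of the entity body is folded into the response.
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}".encode())
    else:
        raise ValueError(f"unsupported qop: {qop}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


# Constructed sample request (not taken from a real device).
SAMPLE = dict(user="admin", realm="example-realm", password="constructed-pass",
              method="SET_PARAMETER", uri="rtsp://192.0.2.10/",
              nonce="a1b2c3d4e5f6", nc="00000001", cnonce="0a4f113b")


def tamper_detected(qop: str, sent_body: bytes, received_body: bytes) -> bool:
    """True if a verifier recomputing over the received body rejects it."""
    sent = digest_response(**SAMPLE, qop=qop, body=sent_body)
    expected = digest_response(**SAMPLE, qop=qop, body=received_body)
    return not hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    original, altered = b"volume: 5\r\n", b"volume: 9\r\n"
    for qop in ("auth", "auth-int"):
        print(qop, "detects altered body:",
              tamper_detected(qop, original, altered))
```

Neither mode encrypts the exchange, so transport protection and a strong password are still needed in both cases.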
So far I have not seen this
room getting into
the sleeping zone…
I believe then it’s not that
boring ☺
Crack web password
Enable RTSP Server
Crack RTSP authentication
Profit / fun
Synopsis
Presenting
Chupa Rustam Fundamentals
Written in “C”
Uses libvlc
For Linux Platform
Chupa Rustam Features
Generic Grandstream web cracking support
Remote administration of surveillance feature
RTSP password cracker
SSL support
Getting back to
“something more
interesting”…
Titans are back…
with ninja skills!
Worldwide Usage of
Grandstream Video Phones
Grandstream GXV 3xx Series Clients
Lessons Learned for Vendors
• Use strong authentication mechanisms
• Document all features and secure them
• Provide features only if necessary
Lessons Learned for End Users
Change default passwords
to something better than
alphanumeric
There is no fix for the human
stupidity
DON’T bring video phones to your bedroom ☺
http://tools.chackraview.net/chuparustam
How can I get Chupa-Rustam?
Got questions???
Hit ‘em!
Thank You
&
Stay safe!
ahatekar@microsoft.com