D1 - The Grugq - Ravage Unleashed


  • 8/8/2019 D1 - The Grugq - Ravage Unleashed


    Ravage Unleashed: Tactical VoIP Assault Tool

    the grugq © 2007

    April 9, 2007


    Outline

    1 Overview

    2 IP Telephony

    3 Telephony Security

    4 Tactical VoIP Toolkit

    5 Conclusion


    1 Overview

    2 IP Telephony
        A Bit of SIP

    3 Telephony Security
        History
        Components of Telephone Security
        SIP Assault Tactics

    4 Tactical VoIP Toolkit
        VoIPy: Heart of the TacVTK
        Ravage: Registrar Assault Tool
        Assault Scenarios
        Siping: Subversive Signaling

    5 Conclusion


    Public Switched Telephone Network (PSTN)

    Over a century old

    Acoustic based control system

    Signaling is In Band

    First (known) attacks in the 1950s

    Secured (mostly) circa 2000


    VoIP Functionality

    What it is: Multimedia content exchange over IP network(s)

    That means: Voice/Video calls over the internet


    VoIP Benefits

    Significant cost savings

    Added functionality
        portability
        content tie-in

    Expanded multimedia capabilities
        video
        whiteboards


    VoIP Costs

    No such thing as a free lunch

    Quality of service
        Unreliable
        Sound quality issues
        comfort noise

    Security problems abound
        All telephony assets are exposed
        including those on the PSTN


    VoIP: Under the hood

    Several protocols providing different functionality

    Core IP Telephony requirements:

        Signaling: Call control
            Lookup
            Negotiation
            Tear down

        Media: Call content

    Competing protocols for signaling


    Major Signaling Protocols

    H.323
        ASN.1 (binary) PER encoded protocol suite
        Proprietary vendor stacks not interoperable
        Common in Enterprise environments

    Session Initiation Protocol (SIP)
        Bastard son of HTTP & email
        Plain text protocol over UDP
        Common on the internet due to interoperability and ease of development


    The SIP Protocol

    Client-Server model

    Based on HTTP

    Defined in RFC 3261


    Architecture Components

    Telephone: User Agent (UA)
        Hardware
        Software

    Proxy: Authorizes access to services
        Interface to a local VoIP Network

    Registrar: URI lookup to IP network address
        maps [email protected] [email protected]

    Gateways: Convert call sessions from one network to another


    SIP Message

    Command Line: METHOD URI VERSION
        INVITE [email protected] SIP/2.0

    Headers: Name : Value[, Value]

    Body: Mime content


    Example INVITE

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP localhost;branch=z9hG4bKaca45b4c3;rport=
    To: Bob
    From: siping
    Call-ID: eb92357c0ca7c60a
    Max-Forwards: 70
    Contact: siping
    CSeq: 1 INVITE
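
The three-part layout described above (command line, headers, body), as an added example that is not from the original slides or the TacVTK code: a strict Python parser that a receiving element or monitoring tool could use, with checks for the required single-instance headers and the CSeq method. The sample message and its example.com / 192.0.2.x addresses are constructed.

```python
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "l": "content-length", "c": "content-type"}
REQUIRED = ("via", "to", "from", "call-id", "cseq", "max-forwards")
SINGLE = ("to", "from", "call-id", "cseq", "max-forwards")
LIST_HEADERS = {"via", "contact", "route", "record-route"}


class SipParseError(ValueError):
    """Input does not have the request-line / headers / body shape."""


def split_values(value):
    """Split 'Value[, Value]' on commas outside quoted strings and <...>."""
    out, cur, quoted, angle, esc = [], [], False, 0, False
    for ch in value:
        if esc:
            esc = False
        elif quoted and ch == "\\":
            esc = True
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch == "<":
            angle += 1
        elif not quoted and ch == ">" and angle:
            angle -= 1
        elif ch == "," and not quoted and not angle:
            out.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    out.append("".join(cur).strip())
    return [v for v in out if v]


def parse_request(raw):
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SipParseError("headers are not terminated by an empty line")
    lines = head.decode("utf-8", "replace").split("\r\n")
    parts = lines[0].split(" ")                       # METHOD URI VERSION
    if len(parts) != 3 or not all(parts) or parts[2] != "SIP/2.0":
        raise SipParseError("bad request line: %r" % lines[0])
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:          # folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SipParseError("bad header line: %r" % line)
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, []).append(value.strip())
    for name in LIST_HEADERS & headers.keys():
        headers[name] = [v for item in headers[name] for v in split_values(item)]
    return {"method": parts[0], "uri": parts[1], "headers": headers, "body": body}


def validate(msg):
    """Return the reasons a receiver should refuse this request (empty = fine)."""
    h = msg["headers"]
    problems = ["missing " + n for n in REQUIRED if n not in h]
    problems += ["duplicate " + n for n in SINGLE if len(h.get(n, [])) > 1]
    cseq = h.get("cseq", [""])[0].split()
    if "cseq" in h and (len(cseq) != 2 or not cseq[0].isdigit()
                        or cseq[1] != msg["method"]):
        problems.append("CSeq does not match the request method")
    declared = h.get("content-length", ["0"])[0]
    if not declared.isdigit() or int(declared) > len(msg["body"]):
        problems.append("body shorter than Content-Length")
    return problems


# Constructed sample (addresses are documentation values, not from the slides).
SAMPLE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP host1.example.com;branch=z9hG4bK776asdhds,\r\n"
          b" SIP/2.0/UDP host2.example.com;branch=z9hG4bKnashds8\r\n"
          b"To: Bob <sip:bob@example.com>\r\n"
          b"f: Alice <sip:alice@example.com>;tag=1928301774\r\n"
          b"Call-ID: a84b4c76e66710\r\n"
          b"Max-Forwards: 70\r\n"
          b'm: "Bob, Sales" <sip:bob@192.0.2.4>, <sip:bob@192.0.2.5>\r\n'
          b"CSeq: 1 INVITE\r\n"
          b"l: 0\r\n\r\n")
```

A second From header, as in the duplicate check, is worth rejecting outright because different elements on the path may each pick a different one as the caller identity.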


    PSTN Phreaking

    Generate correct acoustic tone to issue control commands

    Hardware based phreaking
        Blue Box: 2600Hz to access trunk line
            Captain Crunch
            Steve Jobs & Steve Wozniak
        Red Box: imitate coins in a pay phone


    Death of Phreaking

    Aggressive prosecution of caught phreakers

    Non technical fraud detection

    Command & Control system was moved to digital
        Out of Band
        Can't access it, can't control it

    Process started in the 90s, mostly completed by 2000

    Few holdouts across the world


    Summary

    Telephony . . .

    Service: Access to services, e.g. PSTN, Voice Mail, etc.

    Session: Phone call in progress

    Identity: Phone number


    Target: Telephony Services

    Access to services

    Toll Fraud: free telephony services
        Long Distance (very important historically)
        PSTN access (land lines & mobile phones)

    Revenue Generation: toll fraud can be lucrative
        Resell stolen access/minutes
        Premium rate numbers
            900 numbers
            SMS
        Toll mismatch:
            Luxembourg example
                Termination cost 2 euro
                Origination charge 9 cents


    Target: Telephone Session

    Phone call in progress

    Monitor
        Eavesdrop on call session content

    Modify
        Inject new content
        Suppress existing content

    Deny
        Tear down a session
        Degrade session quality

    Hijack
        Combination modification/denial
        Malicious redirection


    Target: Telephony Identity

    Phone number

    Impersonate
        Spoof outgoing call identification

    Hijack
        Capture incoming calls

    Deny
        Null route/re-route calls


    Target: Service

    Service: Gain access to PSTN/VoIP network
        Toll Fraud
        Resell access to generate revenue

    Architecture Targets
        Proxies
        Gateways


    Session

    Signaling: manipulation of an existing session is limited to redirecting session members

    Session: Redirect in session content via malicious signals
        Man in the Middle
        Inject spurious messages

    Architecture Targets
        Proxies
        User Agents


    Identity

    Falsify outbound identity
        Modify SIP From header

    Subvert URI lookups
        Remove association = Denial of Service
        Modify association = Hijack


    Overview

    The TacVTK provides:

    Core Tools: Specific assessment tasks

    Framework: Easy extension for custom audit requirements

    Addresses lack of definitive VoIP auditing tools

    First development in 2004

    Under sporadic development ever since

    Developed in Python

    Available at: http://www.tacticalvoip.com/tools.html


    VoIPy: heart of the TacVTK

    Python module implementing core VoIP protocols

    Currently supports only SIP

    Enables rapid development of custom attack tools


    Example VoIPy code

    Send an INVITE

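    import socket
    from voipy import sip

    to_uri = "Bob"
    from_uri = "Alice"

    # `from` is a reserved word in Python, so that keyword is passed through a dict
    msg = sip.request.Invite(to=to_uri, contact=from_uri, **{"from": from_uri})

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # SIP over UDP
    sock.sendto(str(msg).encode(), ("biloxi.com", 5060))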


    Ravage: Registrar Assault Tool

    Core tool for auditing SIP registrars

    SIP registrars are critical components for secure SIP networks

    Ravage provides several attack modes


    Ravage: Attack Modes

    Enum: enumerate usernames on a Registrar
        OPTIONS
        INVITE
        REGISTER

    Bruteforce: guess user/pass combos for a Registrar
        REGISTER
        INVITE


    Ravage: Subversion Attack Modes

    Inject: insert a binding into a registrar

    Remove: delete a binding from a registrar

    Hijack: take over a binding in a registrar


    Ravage ENUM

    Enumerate usernames within a SIP environment

    Techniques:

        INVITE
            If response is not 404 Not Found, user exists

        OPTIONS
            Identical to INVITE
            Less noisy, since OPTIONS doesn't initiate a call session

        REGISTER
            If response is 401 Unauthorised, user exists


    Ravage BRUTE

    Try username/password combinations to gain access

    Techniques:

        REGISTER
            Target a Registrar
            Attempt to insert/remove a binding

        INVITE
            Target an authorising proxy
            Attempt to initiate a call session
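
Seen from the registrar's side, the ENUM and BRUTE techniques leave a recognisable pattern in response codes. The following added example (not part of the original slides or of ravage) flags both in Python; the log line format, the thresholds and the addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
ENUM_USERS = 5     # distinct unknown users probed by one source within WINDOW
BRUTE_FAILS = 5    # rejected credentialed requests per (source, user) within WINDOW
METHODS = ("OPTIONS", "INVITE", "REGISTER")   # the methods named on the slides


def parse(line):
    """Hypothetical log format: '<iso-time> <src> <method> <user> auth=<0|1> <code>'."""
    ts, src, method, user, auth, code = line.split()
    return datetime.fromisoformat(ts), src, method, user, auth == "auth=1", int(code)


def detect(lines):
    misses = defaultdict(deque)   # src -> (ts, user) for requests answered 404
    fails = defaultdict(deque)    # (src, user) -> times credentials were rejected
    flagged, alerts = set(), []
    for line in lines:
        ts, src, method, user, auth, code = parse(line)
        if method not in METHODS:
            continue
        if code == 404:
            # A username sweep shows up as one source collecting 404s for many users.
            q = misses[src]
            q.append((ts, user))
            while ts - q[0][0] > WINDOW:
                q.popleft()
            users = {u for _, u in q}
            if len(users) >= ENUM_USERS and ("enum", src) not in flagged:
                flagged.add(("enum", src))
                alerts.append(("enum", src, len(users)))
        elif auth and code in (401, 403, 407):
            # A 401 to a request WITHOUT credentials is the normal digest challenge;
            # only requests that carried credentials and were still refused count.
            q = fails[(src, user)]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= BRUTE_FAILS and ("brute", src, user) not in flagged:
                flagged.add(("brute", src, user))
                alerts.append(("brute", src, user, len(q)))
        elif auth and code == 200 and ("brute", src, user) in flagged:
            alerts.append(("brute-success", src, user))   # treat the account as compromised
    return alerts


# Constructed log: one legitimate registration, then a sweep and a guessing run.
LOG = [
    "2007-04-09T10:00:00 192.0.2.10 REGISTER alice auth=0 401",
    "2007-04-09T10:00:00 192.0.2.10 REGISTER alice auth=1 200",
] + [
    "2007-04-09T10:00:0%d 203.0.113.9 OPTIONS %s auth=0 %d" % (i, user, code)
    for i, (user, code) in enumerate([("admin", 404), ("test", 404), ("100", 200),
                                      ("101", 404), ("102", 404), ("103", 404)])
] + [
    "2007-04-09T10:00:2%d 203.0.113.9 REGISTER 100 auth=1 401" % i for i in range(5)
] + ["2007-04-09T10:00:25 203.0.113.9 REGISTER 100 auth=1 200"]

if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The enumeration signal disappears if the registrar answers known and unknown users identically, which is also the mitigation for the technique itself.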


    Ravage Modification

    Alter the bindings within a SIP Registrar

    Techniques:

        Remove
            REGISTER with an Expires set to 0

        Insert
            REGISTER with a new Contact URI

        Hijack
            REGISTER with an Expires set to 0
            REGISTER with a new Contact URI
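
The Remove / Insert / Hijack sequences above can be audited from the registrar's own record of accepted REGISTER requests. This added Python example (not from the slides or from ravage) replays such records and flags binding changes made by a source that did not create the binding; the record layout, the 30-second gap and all addresses are constructed assumptions, and the source-IP comparison is a heuristic that roaming or NAT changes can also trigger.

```python
from dataclasses import dataclass

HIJACK_GAP = 30   # seconds between a foreign removal and the replacement binding


@dataclass
class Register:          # one accepted REGISTER, as a registrar could log it
    ts: int              # seconds since start of capture
    src: str             # source IP of the request
    aor: str             # address-of-record (To URI)
    contact: str         # Contact URI, or "*" for all bindings
    expires: int         # 0 removes the binding


def audit(events):
    bindings = {}        # aor -> {contact: (creating source, expiry time)}
    removed = {}         # aor -> (ts, src) of the last removal by a foreign source
    findings = []
    for e in events:
        table = bindings.setdefault(e.aor, {})
        for c in [c for c, (_, exp) in table.items() if exp <= e.ts]:
            del table[c]                               # drop expired bindings
        if e.expires == 0:                             # Remove
            for c in [c for c in table if e.contact in ("*", c)]:
                owner, _ = table.pop(c)
                if owner != e.src:
                    findings.append(("remove", e.aor, c, e.src))
                    removed[e.aor] = (e.ts, e.src)
            continue
        owner = e.src
        if e.contact in table:                         # refresh keeps the original owner
            owner = table[e.contact][0]
        else:                                          # Insert, or second half of Hijack
            owners = {src for src, _ in table.values()}
            last = removed.get(e.aor)
            if last and last[1] == e.src and e.ts - last[0] <= HIJACK_GAP:
                findings.append(("hijack", e.aor, e.contact, e.src))
            elif owners and e.src not in owners:
                findings.append(("inject", e.aor, e.contact, e.src))
        table[e.contact] = (owner, e.ts + e.expires)
    return findings


# Constructed records: two normal users, then changes from an unrelated source.
ALICE, BOB = "sip:alice@example.com", "sip:bob@example.com"
EVENTS = [
    Register(0, "192.0.2.10", ALICE, "sip:alice@192.0.2.10", 3600),
    Register(10, "192.0.2.20", BOB, "sip:bob@192.0.2.20", 3600),
    Register(1800, "192.0.2.10", ALICE, "sip:alice@192.0.2.10", 3600),   # refresh
    Register(2000, "203.0.113.9", ALICE, "sip:alice@192.0.2.10", 0),
    Register(2001, "203.0.113.9", ALICE, "sip:alice@203.0.113.9", 3600),
    Register(2100, "203.0.113.9", BOB, "sip:bob@203.0.113.9", 3600),
    Register(2200, "192.0.2.20", BOB, "sip:bob@192.0.2.20", 0),          # own phone
]

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```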


    Toll Fraud for Dummies

    Enumerate accounts in a SIP environment
        $ ravage enum ...

    Gain access to an account
        $ ravage brute ...

    Create a trunk using the account
        asterisk

    Sell access to the illicit trunk

    Profit!


    Phishing Accelerator

    Directed attack against a financial institution

    Potential telephony infrastructure targets:
        Call center logins
        Telcos providing VoIP services

    Redirect incoming phone calls to VoIP harvester

    Victim calls phone banking hotline

    Hallo. Welcome your bank. Please be entering pin number. Thanking you.


    siping

    Craft custom SIP messages on the command line

    Provides limited UA logic

    Useful for poking servers

    Capable of creating arbitrary SIP message content


    siping example

    Example INVITE

    grugq@zer0gee:~/siping$ siping.py -v -mI sip:[email protected]
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP localhost;branch=z9hG4bKac2ba31c6;rport=
    To:
    From: siping
    Call-ID: d42e27136a5dd71c
    Max-Forwards: 70
    Contact: siping
    CSeq: 1 INVITE


    VoIP Security more Critical

    VoIP continues to gain traction

    VoIP security is still primitive

    TacVTK provides new capabilities to auditors
        ravage: SIP registrar security analysis
        siping: SIP signaling injection tool
        VoIPy: flexible VoIP development framework

    VoIP makes phone calls as secure as email
