Description: SIP-based VoIP is becoming widely used by corporations. It involves money and it is insecure, so let's enjoy some attacks :-).
Lecturer: Pedro Paganela
WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.
Grenoble INP Ensimag
2011-05-19
Some Network Threats: VoIP SIP Based
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
Summary
● REALLY Simple SIP-VoIP Architecture
● Bruteforce REGISTRAR Authentication
● Eavesdropping Attacks
  ● Crack SIP MD5 Authentication
  ● Capture Call Sessions
● DoS VoIP device SIP Based
  ● SIP Invite Flooding
  ● SIP Fuzzing
REALLY Simple SIP-VoIP Architecture
● Alice (49.49.49.49) -> Proxy and Registrar (50.50.50.50): Register [email protected] at 49.49.49.49
● Proxy and Registrar (50.50.50.50) -> Alice (49.49.49.49): Denied, required authentication. Nonce: 12das7298asa5sd
● Alice (49.49.49.49) -> Proxy and Registrar (50.50.50.50): Register [email protected] is at 49.49.49.49, with F(nonce, Password)*
*Function F is based on the MD5 hash
● Proxy and Registrar (50.50.50.50) -> Alice (49.49.49.49): Accepted
● Alice (49.49.49.49) -> Proxy and Registrar (50.50.50.50): Invite [email protected] at 51.51.51.51*
● Proxy and Registrar (50.50.50.50) -> Internet -> Proxy and Registrar (51.51.51.51): Invite [email protected]
● Proxy and Registrar (51.51.51.51) -> Bob (52.52.52.52): Invite [email protected]
*It is not exactly like that, but it has the same idea
● Bob (52.52.52.52) -> Proxy and Registrar (51.51.51.51) -> Internet -> Proxy and Registrar (50.50.50.50) -> Alice (49.49.49.49): Accept
● Alice (49.49.49.49) <-> Internet <-> Bob (52.52.52.52): RTP Traffic = Media
Bruteforce REGISTRAR Authentication
● Eve (70.70.70.70) -> Proxy and Registrar (50.50.50.50): Register [email protected] at 70.70.70.70
● Proxy and Registrar (50.50.50.50) -> Eve (70.70.70.70): Denied, required authentication. Nonce: asdee128vw9
● Eve (70.70.70.70) -> Proxy and Registrar (50.50.50.50): Register [email protected] is at 70.70.70.70, with F(nonce, Password)
● Proxy and Registrar (50.50.50.50) -> Eve (70.70.70.70): 403 – forbidden
● Bruteforce: Repeat the process until it finds the correct password
● The process is way slow
  ● Needs good wordlists
● After discovering the password, game over.
● Tools:
  ● Svcrack, from the VoIP audit tool set called SipVicious
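The exchange above seen from the registrar's side, as an added example that is not part of the original slides: a sliding-window check that flags a source whose answers to the challenge keep being rejected. The event tuples are constructed sample data, and the 401 code for the initial challenge, the 60-second window and the threshold of 5 are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of registrar events, not real logs:
# (time in seconds, source IP, request carried credentials?, response code)
SAMPLE_EVENTS = (
    [(0, "49.49.49.49", False, 401),   # Alice: the first REGISTER is always challenged
     (1, "49.49.49.49", True, 200),    # Alice: answer accepted
     (5, "49.49.49.49", False, 401),
     (6, "49.49.49.49", True, 403)]    # Alice: one mistyped password
    # Eve: ten challenge/guess pairs, one pair every 2 seconds
    + [(10 + 2 * i + d, "70.70.70.70", cred, code)
       for i in range(10)
       for d, cred, code in ((0, False, 401), (1, True, 403))]
)


def find_bruteforce(events, window=60, threshold=5):
    """Return {source: time of alert} for every source that collects
    `threshold` rejected credential answers (403) within `window` seconds."""
    recent = defaultdict(deque)  # source -> times of its recent rejected answers
    alerts = {}
    for ts, src, has_credentials, code in sorted(events):
        # The initial challenge is part of every normal registration, so
        # counting it would flag every phone. Only answers that carried
        # credentials and were still refused are counted.
        if not (has_credentials and code == 403):
            continue
        times = recent[src]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()  # forget rejections that fell out of the window
        if len(times) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_EVENTS))
```

Alice's single typo stays below the threshold, while Eve's fifth rejected answer raises the alert.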
Crack SIP MD5 Authentication
● Alice (49.49.49.49) -> Proxy and Registrar (50.50.50.50): Register [email protected] at 49.49.49.49
  ● Eve (70.70.70.70), eavesdropping: Let's see, username=Alice
● Proxy and Registrar (50.50.50.50) -> Alice (49.49.49.49): Denied, required authentication. Nonce: 12das7298asa5sd
  ● Eve (70.70.70.70): nonce=12das7298asa5sd
● Alice (49.49.49.49) -> Proxy and Registrar (50.50.50.50): Register [email protected] is at 49.49.49.49, with F(nonce, Password)
  ● Eve (70.70.70.70): Yep, F(nonce, password). Time to crack!
● The bruteforce is made locally
  ● Way faster
  ● Easy passwords are fast to crack
    ● Wordlists
    ● Small passwords
● After discovering the password, game over.
● Tools (in Backtrack):
  ● Sipdump: captures the relation of nonces and hashes
  ● Sipcrack: implements a bruteforce guessing passwords
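What F(nonce, Password) looks like when written out, as an added example that is not part of the original slides. It assumes the standard RFC 2617 digest computation and shows the registrar-side check; the realm, URI and password are constructed, and only the nonce comes from the slides.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def ha1(username, realm, password):
    # The only secret input. A registrar can store HA1 instead of the password.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 'response' value, the slide's F(nonce, Password)."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")  # older form without qop


def verify(stored_ha1, method, fields):
    """Registrar side: recompute from the received header fields and compare."""
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields.get("qop"), fields.get("nc"), fields.get("cnonce"))
    return hmac.compare_digest(expected.encode(), fields["response"].encode())


def demo():
    # Constructed values: realm, URI and password are made up for this example.
    realm, uri, nonce = "sip.example.invalid", "sip:sip.example.invalid", "12das7298asa5sd"
    stored = ha1("alice", realm, "constructed-Passw0rd")
    fields = {"username": "alice", "realm": realm, "uri": uri, "nonce": nonce}
    fields["response"] = digest_response(stored, "REGISTER", uri, nonce)
    # Every entry of `fields` crosses the network in clear text, so the
    # password is the only unknown left to someone who captured the exchange.
    wrong = dict(fields, response=digest_response(
        ha1("alice", realm, "wrong-guess"), "REGISTER", uri, nonce))
    return verify(stored, "REGISTER", fields), verify(stored, "REGISTER", wrong)


if __name__ == "__main__":
    print(demo())
```

Because the nonce and every other input except the password are visible on the wire, the strength of this authentication rests entirely on how hard the provisioned password is to guess.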
Capture Call Sessions
● Alice (49.49.49.49) <-> Internet <-> Bob (52.52.52.52): RTP Traffic = Media
  ● Eve (70.70.70.70): eavesdropping
● RTP packets are not encrypted
  ● Conversations pass in clear!
● It is just necessary to have a decoder
● Tools
  ● Wireshark VoIP plugin
  ● Vomit
SIP Invite Flooding
● Eve (70.70.70.70) -> Alice (49.49.49.49): Invite [email protected]
● Normally Alice will accept the invite without any test
  ● Flood the device with Invites
● Ringing forever :-)
● Attacking the Proxy and Registrar (50.50.50.50)
  ● Two possible cases
● Eve (70.70.70.70) -> Proxy and Registrar (50.50.50.50): Invite [email protected], From: don't care
  ● The proxy agrees to forward the Invite without authentication: Proxy and Registrar (50.50.50.50) -> Internet -> Alice (49.49.49.49)
  ● Again, ringing forever...
● Eve (70.70.70.70) -> Proxy and Registrar (50.50.50.50): Invite [email protected], From: a valid user (e.g. Bob)
  ● Proxy and Registrar (50.50.50.50) -> Eve (70.70.70.70): 407: Authentication Required, Nonce: qsdkqsj123fn
  ● Wait some time for the answer...
  ● Flood the proxy with Invites
  ● It will answer each one with an authentication required
  ● Similar to a TCP SYN DoS
● A DoS is not very effective
  ● A DDoS however is very effective...
● DoS:
  ● Attack easy to be made :-)
  ● Also easy to be detected in an internal network :-(
  ● Inviteflood from the Backtrack VoIP pentest tools
● DDoS:
  ● Normally Botnet based
  ● Hard to be stopped
  ● Powerful
*photos from google images
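One way to keep the 407 challenge from costing the proxy any per-request memory while it waits for the answer, in the spirit of SYN cookies (added example, not from the slides). The key, the 30-second lifetime, the Call-ID value and the choice to bind the nonce to source IP and Call-ID are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: random per-proxy key, rotated regularly
MAX_AGE = 30                      # assumption: seconds a challenge stays answerable


def mac_for(ts, source_ip, call_id):
    msg = f"{ts}|{source_ip}|{call_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_nonce(source_ip, call_id, now=None):
    """Nonce for a 407 challenge. Nothing is stored: the nonce carries its
    own issue time, authenticated with the proxy's key."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{mac_for(ts, source_ip, call_id)}"


def check_nonce(nonce, source_ip, call_id, now=None):
    """Validate a nonce that comes back together with credentials."""
    now = int(time.time() if now is None else now)
    ts, sep, mac = nonce.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False                      # malformed
    expected = mac_for(ts, source_ip, call_id)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                      # forged, or issued to someone else
    return 0 <= now - int(ts) <= MAX_AGE  # expired challenges are refused


def demo():
    call_id = "call-1@constructed"  # constructed Call-ID
    n = make_nonce("70.70.70.70", call_id, now=1000)
    return (check_nonce(n, "70.70.70.70", call_id, now=1010),   # answered in time
            check_nonce(n, "70.70.70.70", call_id, now=1031),   # answered too late
            check_nonce(n, "49.49.49.49", call_id, now=1010))   # other source


if __name__ == "__main__":
    print(demo())
```

A flood of unauthenticated Invites then costs one HMAC each and leaves no pending state behind; only a request that returns a valid, fresh nonce goes on to the credential check.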
SIP Fuzzing
● A simple definition of Fuzzing
  ● Flood a device with invalid/malformed/unexpected packets
● This attack exploits the lack of ability of the firmware/software to treat bad inputs
● Many firmwares (not to say all) have design flaws
● Devices can have weird behaviors under fuzzing attacks
  ● Including DoS
● Tool: SIP-Protos (again, at Backtrack)
SIP Fuzzing
DEMO
Thank you for the Attention!
Questions?
● More news is coming: http://conference.auscert.org.au/conf2011/speaker_Chris_Gatford_&_Peter_Wesley.html
● Workshop by Hacklabs showing some new threats against Cisco VoIP phones