Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and...

Description: VoIP SIP based is becoming widely used by corporations. It envolves money and it is insecure, so let's enjoy some attacks :-).Lecturer: Pedro Paganela

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

Grenoble INPEnsimag

2011-05-19

Some Network Threats: VoIP SIP Based

http://www.ensimag.fr/

2 SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011

Summary

● REALLY Simple SIP-VoIP Architecture

● Bruteforce REGISTAR Authentification

● Eavesdropping Attacks● Crack SIP MD5 Authentication● Capture Call Sessions

● DoS VoIP device SIP Based● SIP Invite Flooding● SIP Fuzzing

3

REALLY Simple SIP-VoIP Architecture

Proxy and Registar50.50.50.50

Register [email protected] at 49.49.49.49

Alice

SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011

49.49.49.49

mailto:[email protected]

4

Simple SIP-VoIP Architecture


Denied, required authentication Nonce:12das7298asa5sd

Alice


49.49.49.49

5


Proxy and RegistarRegister [email protected] is at 49.49.49.49

*F(nonce, Password)

Alice

*Function F is based in the MD5 hash

49.49.49.49 50.50.50.50



6



Accepted Alice


49.49.49.49

7 SecurIMAG - title - author - date


Proxy and RegistarInvite [email protected]

At 51.51.51.51*

Alice

*It is not exactly like that, but it has the same idea

49.49.49.49 50.50.50.50

Internet

Proxy and Registar

Invite [email protected]

Bob

52.52.52.52 51.51.51.51


8


Proxy and Registar

Accept Alice

49.49.49.49 50.50.50.50

Internet

Proxy and Registar

Accept

Bob

52.52.52.52 51.51.51.51

Accept


9


Alice

49.49.49.49

Bob

52.52.52.52

Internet

RTP Traffic = Media


10

Summary






11

Bruteforce REGISTAR Authentification



Eve

70.70.70.70



12



Denied, required authentication Nonce:asdee128vw9

Eve

70.70.70.70


13



F(nonce, Password)

50.50.50.50

Eve

70.70.70.70



14



403 – forbidden

Eve

70.70.70.70


15


● Bruteforce: Repeat the process until it finds the correct password

● The process is way slow● Need of good wordlists

● After discovering the password, game over.

● Tools:● Svcrack from the audit VoIP tools set called SipVicious


16

Summary






17

Crack SIP MD5 Authentication



Alice

Eve70.70.70.70

Eavesdropping

Let's see, username=Alice



18



Denied, required authentication Nonce:12das7298asa5sd

Alice

Eve70.70.70.70

nonce=12das7298asa5sd


19



*F(nonce, Password)

Alice

49.49.49.49 50.50.50.50

Eve70.70.70.70

Yep, F(nonce, password)Time to crack!



20


● The Bruteforce is made locally● Way faster● Easy passwords are fast to be cracked

● Wordlists● Small passwords

● After discovering the password, game over.

● Tools:● Sipdump: capture the relation of nonces and hashes● Sipcrack: implements a bruteforce guessing passwords

Backtrack


21

Capture Call Sessions

Alice

49.49.49.49

Bob

52.52.52.52

Internet

RTP Traffic = Media

Eve70.70.70.70

eavesdropping


22

Capture Call Sessions

● RTP packets are not encrypted● Conversations pass in clear!

● It is just necessary to have a decoder

● Tools● Wireshark VoIP plugin● Vomit


23

Summary






24

SIP Invite Flooding


Eve

70.70.70.70

Alice

49.49.49.49

● Normally Alice will accept the invite without any test● Flood the device with Invites

● Ringing forever :-)


25

SIP Invite Flooding


Eve

70.70.70.70

● Attacking the Proxy and Registar● Two possible cases



26

SIP Invite Flooding

Invite [email protected] From: don't care

Eve

70.70.70.70

● Accept to forward the Invite without authentication.● Again, ringing forever...


Internet Alice

49.49.49.49


27

SIP Invite Flooding

Invite [email protected] From: a valid user (e.g. Bob)

Eve

70.70.70.70



28

SIP Invite Flooding

407: Authentication RequiredNonce: qsdkqsj123fn

Eve

70.70.70.70


Wait sometime forthe answer...

● Flood the proxy of Invites● Will answer which one with an authentication required● Similar to a TCP syn DoS

● A DoS is not very effective● A DDoS however is very effective...


29

SIP Invite Flooding

● DoS:● Attack easy to be made :-)● Also easy to be detected in an internal network :-(● Inviteflood from the Backtrack VoIP pentest tools

● DDoS:● Normally Botnet based● Hard to be stopped● Powerful

*photos from google images


30

SIP Fuzzing

● A simple definition of Fuzzing● Flood a device with invalid/malformed/unexpected packets

● This attack exploits the lack of ability of the firmware/sofware to treat bad inputs

● Many firmwares (to do not say all) have design flaws

● Devices can have weird behaviors over fuzzing attacks● Including DoS

● Tool: SIP-Protos (again, at Backtrack)


31

SIP Fuzzing

DEMO


32

Thank you for the Attention!

Questions?

● Also news are coming http://conference.auscert.org.au/conf2011/speaker_Chris_Gatford_&_Peter_Wesley.html

● Workshop of Hacklabs showing some new threats against Cisco VoIP phones


Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and...

Documents

Transcript of Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and...