Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and...
Transcript of Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and...
![Page 1: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/1.jpg)
Description: VoIP SIP based is becoming widely used by corporations. It envolves money and it is insecure, so let's enjoy some attacks :-).Lecturer: Pedro Paganela
WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.
Grenoble INPEnsimag
2011-05-19
Some Network Threats: VoIP SIP Based
![Page 2: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/2.jpg)
2 SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
Summary
● REALLY Simple SIP-VoIP Architecture
● Bruteforce REGISTAR Authentification
● Eavesdropping Attacks● Crack SIP MD5 Authentication● Capture Call Sessions
● DoS VoIP device SIP Based● SIP Invite Flooding● SIP Fuzzing
![Page 3: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/3.jpg)
3
REALLY Simple SIP-VoIP Architecture
Proxy and Registar50.50.50.50
Register [email protected] at 49.49.49.49
Alice
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
49.49.49.49
![Page 4: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/4.jpg)
4
Simple SIP-VoIP Architecture
Proxy and Registar50.50.50.50
Denied, required authentication Nonce:12das7298asa5sd
Alice
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
49.49.49.49
![Page 5: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/5.jpg)
5
Simple SIP-VoIP Architecture
Proxy and RegistarRegister [email protected] is at 49.49.49.49
*F(nonce, Password)
Alice
*Function F is based in the MD5 hash
49.49.49.49 50.50.50.50
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 6: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/6.jpg)
6
Simple SIP-VoIP Architecture
Proxy and Registar50.50.50.50
Accepted Alice
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
49.49.49.49
![Page 7: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/7.jpg)
7 SecurIMAG - title - author - date
Simple SIP-VoIP Architecture
Proxy and RegistarInvite [email protected]
At 51.51.51.51*
Alice
*It is not exactly like that, but it has the same idea
49.49.49.49 50.50.50.50
Internet
Proxy and Registar
Invite [email protected]
Bob
52.52.52.52 51.51.51.51
Invite [email protected]
![Page 8: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/8.jpg)
8
Simple SIP-VoIP Architecture
Proxy and Registar
Accept Alice
49.49.49.49 50.50.50.50
Internet
Proxy and Registar
Accept
Bob
52.52.52.52 51.51.51.51
Accept
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 9: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/9.jpg)
9
Simple SIP-VoIP Architecture
Alice
49.49.49.49
Bob
52.52.52.52
Internet
RTP Traffic = Media
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 10: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/10.jpg)
10
Summary
● REALLY Simple SIP-VoIP Architecture
● Bruteforce REGISTAR Authentification
● Eavesdropping Attacks● Crack SIP MD5 Authentication● Capture Call Sessions
● DoS VoIP device SIP Based● SIP Invite Flooding● SIP Fuzzing
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 11: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/11.jpg)
11
Bruteforce REGISTAR Authentification
Proxy and Registar50.50.50.50
Register [email protected] at 70.70.70.70
Eve
70.70.70.70
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 12: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/12.jpg)
12
Bruteforce REGISTAR Authentification
Proxy and Registar50.50.50.50
Denied, required authentication Nonce:asdee128vw9
Eve
70.70.70.70
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 13: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/13.jpg)
13
Bruteforce REGISTAR Authentification
Proxy and RegistarRegister [email protected] is at 70.70.70.70
F(nonce, Password)
50.50.50.50
Eve
70.70.70.70
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 14: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/14.jpg)
14
Bruteforce REGISTAR Authentification
Proxy and Registar50.50.50.50
403 – forbidden
Eve
70.70.70.70
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 15: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/15.jpg)
15
Bruteforce REGISTAR Authentification
● Bruteforce: Repeat the process until it finds the correct password
● The process is way slow● Need of good wordlists
● After discovering the password, game over.
● Tools:● Svcrack from the audit VoIP tools set called SipVicious
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 16: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/16.jpg)
16
Summary
● REALLY Simple SIP-VoIP Architecture
● Bruteforce REGISTAR Authentification
● Eavesdropping Attacks● Crack SIP MD5 Authentication● Capture Call Sessions
● DoS VoIP device SIP Based● SIP Invite Flooding● SIP Fuzzing
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 17: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/17.jpg)
17
Crack SIP MD5 Authentication
Proxy and Registar50.50.50.50
Register [email protected] at 49.49.49.49
Alice
Eve70.70.70.70
Eavesdropping
Let's see, username=Alice
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 18: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/18.jpg)
18
Crack SIP MD5 Authentication
Proxy and Registar50.50.50.50
Denied, required authentication Nonce:12das7298asa5sd
Alice
Eve70.70.70.70
nonce=12das7298asa5sd
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 19: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/19.jpg)
19
Crack SIP MD5 Authentication
Proxy and RegistarRegister [email protected] is at 49.49.49.49
*F(nonce, Password)
Alice
49.49.49.49 50.50.50.50
Eve70.70.70.70
Yep, F(nonce, password)Time to crack!
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 20: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/20.jpg)
20
Crack SIP MD5 Authentication
● The Bruteforce is made locally● Way faster● Easy passwords are fast to be cracked
● Wordlists● Small passwords
● After discovering the password, game over.
● Tools:● Sipdump: capture the relation of nonces and hashes● Sipcrack: implements a bruteforce guessing passwords
Backtrack
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 21: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/21.jpg)
21
Capture Call Sessions
Alice
49.49.49.49
Bob
52.52.52.52
Internet
RTP Traffic = Media
Eve70.70.70.70
eavesdropping
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 22: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/22.jpg)
22
Capture Call Sessions
● RTP packets are not encrypted● Conversations pass in clear!
● It is just necessary to have a decoder
● Tools● Wireshark VoIP plugin● Vomit
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 23: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/23.jpg)
23
Summary
● REALLY Simple SIP-VoIP Architecture
● Bruteforce REGISTAR Authentification
● Eavesdropping Attacks● Crack SIP MD5 Authentication● Capture Call Sessions
● DoS VoIP device SIP Based● SIP Invite Flooding● SIP Fuzzing
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 24: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/24.jpg)
24
SIP Invite Flooding
Invite [email protected]
Eve
70.70.70.70
Alice
49.49.49.49
● Normally Alice will accept the invite without any test● Flood the device with Invites
● Ringing forever :-)
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 25: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/25.jpg)
25
SIP Invite Flooding
Invite [email protected]
Eve
70.70.70.70
● Attacking the Proxy and Registar● Two possible cases
Proxy and Registar50.50.50.50
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 26: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/26.jpg)
26
SIP Invite Flooding
Invite [email protected] From: don't care
Eve
70.70.70.70
● Accept to forward the Invite without authentication.● Again, ringing forever...
Proxy and Registar50.50.50.50
Internet Alice
49.49.49.49
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 27: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/27.jpg)
27
SIP Invite Flooding
Invite [email protected] From: a valid user (e.g. Bob)
Eve
70.70.70.70
Proxy and Registar50.50.50.50
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 28: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/28.jpg)
28
SIP Invite Flooding
407: Authentication RequiredNonce: qsdkqsj123fn
Eve
70.70.70.70
Proxy and Registar50.50.50.50
Wait sometime forthe answer...
● Flood the proxy of Invites● Will answer which one with an authentication required● Similar to a TCP syn DoS
● A DoS is not very effective● A DDoS however is very effective...
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 29: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/29.jpg)
29
SIP Invite Flooding
● DoS:● Attack easy to be made :-)● Also easy to be detected in an internal network :-(● Inviteflood from the Backtrack VoIP pentest tools
● DDoS:● Normally Botnet based● Hard to be stopped● Powerful
*photos from google images
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 30: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/30.jpg)
30
SIP Fuzzing
● A simple definition of Fuzzing● Flood a device with invalid/malformed/unexpected packets
● This attack exploits the lack of ability of the firmware/sofware to treat bad inputs
● Many firmwares (to do not say all) have design flaws
● Devices can have weird behaviors over fuzzing attacks● Including DoS
● Tool: SIP-Protos (again, at Backtrack)
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 31: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/31.jpg)
31
SIP Fuzzing
DEMO
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011
![Page 32: Some Network Threats: VoIP SIP Based - ENSIMAG · 3 REALLY Simple SIP-VoIP Architecture Proxy and Registar 50.50.50.50 Register Alice@50.50.50.50 is at 49.49.49.49 Alice SecurIMAG](https://reader030.fdocuments.net/reader030/viewer/2022040506/5e405fc71dbf99689a573cab/html5/thumbnails/32.jpg)
32
Thank you for the Attention!
Questions?
● Also news are coming http://conference.auscert.org.au/conf2011/speaker_Chris_Gatford_&_Peter_Wesley.html
● Workshop of Hacklabs showing some new threats against Cisco VoIP phones
SecurIMAG – Some Network threats - VoIP SIP Based - Pedro Paganela - 19-05-2011