Unified Communications (UC) is widely used by larger organisations for video conferencing, office collaboration, cloud services and mobile communications. These services also play key roles in the IP Multimedia Subsystem (IMS) implementations of next-generation mobile networks. As a result, customers require unified collaboration, and the telecommunications industry offers managed communications services and infrastructure built on UC and IMS technologies. These offerings also come with design issues, well-known security vulnerabilities and legacy services.
Security testing of communication networks, however, is underestimated and mostly under-scoped. Because of a lack of time and resources, the results of such security tests provide only an illusion of security. On the other hand, advanced VoIP and UC attacks can be carried out much faster and more efficiently with a proper methodology. This talk therefore aims to improve the testing skills of assurance teams for better penetration testing results. The theme of the talk is transferring VoIP and UC knowledge from a phreak to penetration testers, through practical attack demonstrations, testing tips and automated actions.
Slide 2 (07/04/2017)
Speaker
• Fatih Ozavci, Managing Consultant
– VoIP & phreaking
– Mobile applications and devices
– Network infrastructure
– CPE, hardware and IoT hacking
• Author of Viproy and VoIP Wars
• Public speaker and trainer
– Blackhat, Defcon, HITB, AusCert, Troopers
Slide 3
Agenda
• VoIP, UC, IMS and more
• Security breaches
• Various implementations and issues
• Testing techniques
• Demonstrations
Slide 10
Summary of Security Breaches
• Legacy systems (15 years old)
• Insecure CPE deployment
• Lack of authentication
• Broken authorisation
• Too much trust
• No security patch whatsoever
It’s Not a Faulty Router
Slide 11
VoIP in Real Life
• Corporate/Federated Communications
• Service Providers
• Cloud Services
• Mobile Operators
Slide 12
Warming Up
• VoIP Wars research series
– Return of the SIP (Advanced SIP attacks)
– Attack of the Cisco Phones (Cisco specific attacks)
– Destroying Jar Jar Lync (SFB specific attacks)
– The Phreakers Awaken (UC and IMS specific attacks)
• Tools
– Viproy for sending signalling and cloud attacks
– Viproxy for intercepting UC client/server traffic
• Viproy.com for talk videos and training
Slide 15
Analysing Corporate Communications
• Find a way to get in
– Courtesy phones, meeting rooms, lobby
– Replace or compromise it (e.g. Raspberry Pi)
• Analyse the network access
– CDP discovery, VLAN hopping, ARP spoofing
• Compromise faster
– Harvest conf and creds on TFTP/HTTP
– Compromise conf files to deploy SSH keys
• Exploit service/server management
– Legacy software, missing patches, default creds
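The "harvest conf and creds on TFTP/HTTP" and "compromise conf files" steps above have a defensive mirror image: audit what the provisioning server actually hands out, and detect when a served file no longer matches what was signed off. The following is an added example written for this page, not code from the talk or from Viproy; the element names (sshAccess, sshUserId, sshPassword, loadInformation, authenticationURL), the file name and the sample contents are constructed assumptions modelled on common IP-phone config formats rather than any vendor's schema.

```python
"""Added example (not from the talk): audit IP-phone provisioning files served
over TFTP/HTTP and detect tampering against a signed-off manifest.
Element names, file names and sample values are constructed assumptions."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Elements whose non-empty text is a secret that should never be served in clear (assumed names).
SECRET_TAGS = {"sshpassword", "adminpassword", "authpassword", "password"}


def audit_config(xml_text: str) -> list:
    """Return findings for one provisioning file (an empty list means nothing was flagged)."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.lower()
        text = (el.text or "").strip()
        if tag == "sshaccess" and text.lower() in ("1", "true", "enabled"):
            findings.append("ssh-enabled")            # remote shell reachable on the handset
        if tag == "sshuserid" and text:
            findings.append(f"ssh-account:{text}")    # shared admin account baked into the file
        if tag in SECRET_TAGS and text:
            findings.append(f"plaintext-secret:{el.tag}")
        if re.match(r"http://", text, re.I):
            findings.append(f"cleartext-url:{el.tag}")  # firmware/auth fetched without TLS
    return findings


def verify_manifest(served: dict, manifest: dict) -> list:
    """Compare the files actually served with a manifest of expected SHA-256 digests.

    A config altered to push SSH keys or a new firmware URL shows up as
    'modified-file'; files nobody signed off on show up as 'unexpected-file'."""
    issues = []
    for name, content in served.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        if name not in manifest:
            issues.append(f"unexpected-file:{name}")
        elif manifest[name] != digest:
            issues.append(f"modified-file:{name}")
    issues.extend(f"missing-file:{name}" for name in manifest if name not in served)
    return issues


# Constructed sample: what the provisioning server should serve ...
GOOD_CONFIG = """<device>
  <sshAccess>0</sshAccess>
  <loadInformation>https://ucm.example.internal/firmware.loads</loadInformation>
  <authenticationURL>https://ucm.example.internal/auth</authenticationURL>
</device>"""

# ... and a weak, tampered variant of the same file (constructed).
BAD_CONFIG = """<device>
  <sshAccess>1</sshAccess>
  <sshUserId>admin</sshUserId>
  <sshPassword>Sup3rSecret</sshPassword>
  <loadInformation>http://10.0.0.5/firmware.loads</loadInformation>
  <authenticationURL>https://ucm.example.internal/auth</authenticationURL>
</device>"""

CONFIG_NAME = "SEP001122AABBCC.cnf.xml"   # constructed file name
MANIFEST = {CONFIG_NAME: hashlib.sha256(GOOD_CONFIG.encode()).hexdigest()}

if __name__ == "__main__":
    print(audit_config(BAD_CONFIG))
    print(verify_manifest({CONFIG_NAME: BAD_CONFIG, "dialplan.xml": "<dialplan/>"}, MANIFEST))
```

Run it periodically against a copy of the TFTP/HTTP document root: the audit catches configs that were weak from the start, and the manifest comparison catches the ones that were edited after deployment.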
Slide 16
Federated Communications
[Diagram: two federated companies. Skywalker Corp (sky.com) has Phone A (a@sky.com), Phone B (b@sky.com) and Phone C (c@sky.com) behind an Edge Server for sky.com. Kenobi Corp (kenobi.com) has Phone X (x@kenobi.com), a VoIP Server, Windows Server, Office Server, Active Directory and Virtual Machines behind an Edge Server for kenobi.com. Both edge servers resolve each other through DNS / SRV lookups against a DNS Server and exchange SIP / RTP directly.]
Slide 17
Attacking Through Signalling
• Discover the protocols
– SIP, Cisco Skinny/SCCP, Alcatel UA
• Discover the signalling gateways
– Lack of authentication, insecure management
• Perform essential signalling attacks
– Enumeration, brute force, call forwarding
• Inject custom headers to calls
– Caller ID spoofing, billing or dial plan bypass
• Attack with a real client
– Voicemail access, toll fraud, spread the attack to clients
• Combining other attacks
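Each of the signalling abuses above has a corresponding check a SIP gateway or SBC can enforce on inbound requests: credentials required on session-creating requests from outside the trust domain, the From identity matching the authenticated account (caller ID spoofing), and trust-domain-only headers such as P-Asserted-Identity or P-Charging-Vector (RFC 3325 / RFC 3455) rejected from untrusted sources (identity spoofing and billing bypass through injected headers). The following is an added example written for this page, not code from the talk or from Viproy; the parser, rule names, peer addresses and sample messages are constructed for the example, and the addresses reuse the a@sky.com / x@kenobi.com names from the federation diagram.

```python
"""Added example (not from the talk): inbound SIP request checks for a gateway.
Parser, rule names, peer list and sample messages are constructed for this page."""
import re
from dataclasses import dataclass


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: dict   # lower-cased header name -> list of values, in wire order
    body: str


def parse_sip(raw: str) -> SipRequest:
    """Minimal SIP request parser: request line, headers, blank line, body."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, uri, _version = request_line.split(" ", 2)
    headers: dict = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return SipRequest(method, uri, headers, body)


def sip_user(address: str) -> str:
    """User part of the SIP/SIPS URI in a From/To/P-Asserted-Identity value."""
    m = re.search(r"sips?:([^@>;]+)@", address)
    return m.group(1).lower() if m else ""


def auth_username(req: SipRequest):
    """Username from (Proxy-)Authorization, or None if the request carries no credentials."""
    for name in ("proxy-authorization", "authorization"):
        for value in req.headers.get(name, []):
            m = re.search(r'username="([^"]*)"', value)
            if m:
                return m.group(1).lower()
    return None


# Identity and charging headers are only meaningful inside the trust domain
# (RFC 3325 / RFC 3455); from anyone else they are spoofing or billing-bypass attempts.
TRUSTED_ONLY_HEADERS = ("p-asserted-identity", "p-charging-vector", "p-charging-function-addresses")


def check_request(req: SipRequest, source_ip: str, trusted_peers: set) -> list:
    """Return the names of the rules that fired. source_ip comes from the socket, never from Via."""
    findings = []
    trusted = source_ip in trusted_peers
    from_values = req.headers.get("from", [])
    if len(from_values) != 1:
        findings.append("missing-or-duplicate-from")
    from_user = sip_user(from_values[0]) if from_values else ""
    user = auth_username(req)
    # Session-creating or message-carrying requests from outside the trust domain need credentials.
    if req.method in ("INVITE", "MESSAGE", "REFER") and not trusted and user is None:
        findings.append("unauthenticated-request-from-untrusted-source")
    # Caller ID must match the authenticated account.
    if user is not None and from_user and from_user != user:
        findings.append(f"caller-id-mismatch:{from_user}!={user}")
    if not trusted:
        for name in TRUSTED_ONLY_HEADERS:
            if name in req.headers:
                findings.append(f"trusted-only-header-from-untrusted-source:{name}")
    return findings


TRUSTED_PEERS = {"192.0.2.10"}   # constructed: the federation edge server

# Constructed sample: an authenticated call from a@sky.com to x@kenobi.com.
LEGIT_INVITE = """INVITE sip:x@kenobi.com SIP/2.0
Via: SIP/2.0/TLS 10.0.0.12:5061;branch=z9hG4bK-1
From: "Alice" <sip:a@sky.com>;tag=1
To: <sip:x@kenobi.com>
Call-ID: c1@sky.com
CSeq: 1 INVITE
Proxy-Authorization: Digest username="a", realm="sky.com", nonce="n1", response="r1"
Content-Length: 0
"""

# Constructed sample: account "a" presenting itself as "c" and injecting trust-domain headers.
SPOOFED_INVITE = """INVITE sip:x@kenobi.com SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-2
From: "Chief" <sip:c@sky.com>;tag=2
To: <sip:x@kenobi.com>
Call-ID: c2@sky.com
CSeq: 1 INVITE
Proxy-Authorization: Digest username="a", realm="sky.com", nonce="n2", response="r2"
P-Asserted-Identity: <sip:c@sky.com>
P-Charging-Vector: icid-value="free-call"
Content-Length: 0
"""

if __name__ == "__main__":
    print(check_request(parse_sip(LEGIT_INVITE), "10.0.0.12", TRUSTED_PEERS))
    print(check_request(parse_sip(SPOOFED_INVITE), "198.51.100.7", TRUSTED_PEERS))
```

The source address is taken from the transport layer rather than the Via header, because Via is attacker-controlled; a request that fires any rule should be rejected and logged with the rule name, which is what makes the enumeration and spoofing stages of a test visible to the operations team.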
Slide 18
Attacking Through Messaging
• Unified Messaging
– Message types (e.g. rtf, html, images)
– Message content (e.g. JavaScript)
– File transfers and sharing features
– Code or script execution (e.g. SFB)
– Encoding (e.g. Base64, Charset)
• Various protocols
– MSRP, XMPP, SIP/MESSAGE
• Combining other attacks
Slide 19
Mass Compromise
Attacking through a gateway
• Send a malicious meeting request
• Combine the attacks discussed
• Wait for the shells
[Diagram: Viproy sends a Meeting Request with the attack in the SIP content/headers to a SIP PBX Server; a Signalling Gateway forwards the meeting request into the PRIVATE NETWORK, where the forwarded requests reach the Skype for Business Server and its clients.]
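Both the messaging slide (message types, JavaScript in message content, file transfers, Base64 and charset tricks) and the forwarded meeting request above come down to the same gateway weakness: content is relayed into the private network without being inspected. The following is an added example written for this page, not code from the talk or from Viproy, showing the checks a messaging or federation gateway can run on a message body, a file transfer or a meeting invitation before relaying it; the allow-lists, rule names and sample messages are constructed assumptions.

```python
"""Added example (not from the talk): content checks a messaging gateway can apply
to instant messages, file transfers and meeting requests before relaying them.
Allow-lists, rule names and sample messages are constructed for this page."""
import base64
import binascii
import re

ALLOWED_TYPES = {"text/plain", "text/html", "message/cpim"}      # assumed policy
ALLOWED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}           # assumed policy
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".hta", ".scr", ".ps1", ".bat", ".lnk")
# Markup that turns a message body into code execution in a rich client.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|\son(load|error|click|mouseover|focus)\s*=|javascript\s*:|<\s*(iframe|object|embed)\b",
    re.I,
)


def parse_content_type(value: str):
    """Split 'type/subtype; k=v; ...' into the media type and a lower-cased parameter dict."""
    mtype, *params = [p.strip() for p in value.split(";")]
    kv = {}
    for p in params:
        k, _, v = p.partition("=")
        kv[k.strip().lower()] = v.strip().strip('"').lower()
    return mtype.lower(), kv


def try_base64(body: str):
    """Decode the body if it is well-formed base64 yielding printable text, else None."""
    compact = re.sub(r"\s+", "", body)
    if len(compact) < 8 or len(compact) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", compact):
        return None
    try:
        decoded = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded) else None


def inspect_message(content_type, body, transfer_encoding=None, disposition=None) -> list:
    """Return the names of the rules that fired for one message part."""
    findings = []
    mtype, params = parse_content_type(content_type)
    if mtype not in ALLOWED_TYPES:
        findings.append(f"disallowed-content-type:{mtype}")
    charset = params.get("charset", "utf-8")
    if charset not in ALLOWED_CHARSETS:
        findings.append(f"unexpected-charset:{charset}")   # encoding tricks against the client parser
    if disposition:
        m = re.search(r'filename="?([^";]+)', disposition, re.I)
        if m and m.group(1).lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{m.group(1)}")
    # Scan the body as sent and, if it decodes as base64, the decoded form as well.
    texts = [body]
    decoded = try_base64(body)
    if decoded is not None:
        findings.append("base64-encoded-body")
        texts.append(decoded)
    elif (transfer_encoding or "").lower() == "base64":
        findings.append("undecodable-base64-body")
    for text in texts:
        m = ACTIVE_CONTENT.search(text)
        if m:
            findings.append(f"active-content:{m.group(0).strip()}")
            break
    return findings


def constructed_samples() -> dict:
    """Constructed messages: (content_type, body, transfer_encoding, disposition)."""
    payload = '<img src=x onerror="alert(1)">'
    return {
        "plain": ("text/plain; charset=utf-8", "Hi Bob, can you join the 3pm call?", None, None),
        "html_script": ("text/html; charset=utf-8", "<p>Agenda</p><script>alert(1)</script>", None, None),
        "encoded": ("text/plain; charset=utf-16", base64.b64encode(payload.encode()).decode(), "base64", None),
        "dropper": ("application/octet-stream", "", None, 'attachment; filename="invoice.pdf.exe"'),
    }


def run_samples() -> dict:
    return {name: inspect_message(*args) for name, args in constructed_samples().items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The same function applies to a meeting request body relayed through a signalling gateway: the invitation text is just another message part with a content type, an optional encoding and possibly an attachment, so it goes through the same allow-list and active-content scan before it is forwarded inside.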
Slide 34
Viproyable PBX
Vulnerable VoIP server with exercises (hands-on during workshops)
• VoIP service discovery
• Enumeration using various responses
• Gaining unauthorised access to the extensions
• Hijacking voicemails
• Performing call spoofing attacks
• Discovering SIP trust relationships
• Harvesting information via IP phone configuration files
• Gaining unauthorised access to Asterisk Management
• Remote code execution through SIP services
• Remote code execution through FreePBX modules
• Decoding RTP sessions and decrypting SRTP sessions for eavesdropping
• Exploiting Cisco CUCDM services
Slide 35
QumpIn Communications Analyser
• QumpIn: Communications Officer in Klingon
• Replaces Viproy and Viproxy
– Lack of programming, lack of community support
– Metasploit Framework, unstable communications
• What’s On
– Under development, pure Python 3.x code
– Module structure like Empire and Metasploit Framework
• Phases
1. Core functionalities of Viproy and Viproxy
2. Advanced protocol and authentication support, fuzzers and exploits
Slide 36
Upcoming Features of QumpIn
• Signalling
• Media
• IMS & VoLTE
• Cloud UC Assessment
• IVR & CC
• Voicemail
• Practical Exploits
• Research Tools