Unified Communications (UC) is widely used by larger organisations for video conferences, office collaboration, cloud services and mobile communications. These services also have key roles in the IP Multimedia Subsystem (IMS) implementations of next generation mobile networks. As a result of these, customers require unified collaboration; and the telecommunications industry offers managed communications services and infrastructure using UC and IMS technologies. These offerings also come with design issues, well-known security vulnerabilities and legacy services. Security testing of communication networks, however, is underestimated, and mostly under-scoped. Due to the lack of time and resources, the results of the security tests are only providing a security illusion. On the other hand, the advanced VoIP and UC attacks can be much faster and efficient with a proper methodology used. Therefore, this talk aims to improve the testing skills of the assurance teams for better penetration testing results. The theme of the talk is on transferring the VoIP and UC knowledge from a phreak to penetration testers. This will be performed through practical attack demonstrations, testing tips and automated actions.

1. 107/04/2017
Departed Communications:
Learn The Ways to Smash Them!
Fatih Ozavci (@fozavci)
Managing Consultant – Context Information Security

2. 207/04/2017
Speaker
• Fatih Ozavci, Managing Consultant
– VoIP & phreaking
– Mobile applications and devices
– Network infrastructure
– CPE, hardware and IoT hacking
• Author of Viproy and VoIP Wars
• Public speaker and trainer
– Blackhat, Defcon, HITB, AusCert, Troopers

3. 307/04/2017
Agenda
• VoIP, UC, IMS and more
• Security breaches
• Various implementations and issues
• Testing techniques
• Demonstrations

4. 407/04/2017
Traditional Phone Systems
Audio Call
TDM
Alice
Bob

5. 507/04/2017
Unified Communications
Alice
Signalling
Media
RTP Proxy
SIP Server
Bob

6. 607/04/2017
Unified Collaboration
Alice
Signalling
Media
RTP Proxy
SIP Server
Bob

7. 707/04/2017
Unified Attack Surfaces
Alice
Signalling
Media
RTP Proxy
SIP Server
Bob

8. 807/04/2017
Security Concerns
• Toll Fraud
• Tenant
Isolation
• Confidentiality
• Availability
• Privacy (eg PII)
• Regulations
• Call quality
• Infrastructure
• Endpoint
Security
• Lawful / Illegal
Interception
• Reputation
Damage

9. 907/04/2017
Modern Challenges and Incidents

10. 1007/04/2017
Summary of Security Breaches
• Legacy systems (15 years old)
• Insecure CPE deployment
• Lack of authentication
• Broken authorisation
• Too much trust
• No security patch whatsoever
It’s NOt
a Faulty Router

11. 1107/04/2017
VoIP in Real Life
Corporate/Federated
Communications
Service Providers
Cloud Services
Mobile Operators

12. 1207/04/2017
Warming Up
• VoIP Wars research series
– Return of the SIP (Advanced SIP attacks)
– Attack of the Cisco Phones (Cisco specific attacks)
– Destroying Jar Jar Lync (SFB specific attacks)
– The Phreakers Awaken (UC and IMS specific attacks)
• Tools
– Viproy for sending signalling and cloud attacks
– Viproxy for intercepting UC client/server traffic
• Viproy.com for videos and training videos

13. 1307/04/2017
Practical Design Analysis
• Service requirements
– Cloud, subscriber services, IMS
– Billing, recordings, CDR, encryption
• Trusted servers and gateways
– SIP proxies, federations, SBCs
• SIP headers used (e.g. ID, billing)
• Tele/Video conference settings
• Analyse the encryption design
– SIP/(M)TLS, SRTP (SDES, ZRTP, MIKEY)

14. 1407/04/2017
Corporate Communications
VoIP
Server
Windows
Server
Office
Server
Active
Directory
Virtual
Machines
1 2
ABC
3
DEF
4 5
JKL
6
MNOGHI
7 8
TUV
9
WXYZPQRS
*
0
OPER
#
?
+
-
CISCO IP PHONE
7970 SERIES

15. 1507/04/2017
Analysing Corporate Communications
• Find a way to get in
– Courtesy phones, meeting rooms, lobby
– Replace or compromise it (e.g. raspberry pi)
• Analyse the network access
– CDP discovery, VLAN hopping, ARP spoofing
• Compromise faster
– Harvest conf and creds on TFTP/HTTP
– Compromise conf files to deploy SSH keys
• Exploit service/server management
– Legacy software, missing patches, default creds

16. 1607/04/2017
Federated Communications
Edge Server
sky.com
Edge Server
kenobi.com
DNS
Server
DNS / SRV DNS / SRV
SIP / RTP
Kenobi Corp
Phone X
x@kenobi.com
VoIP
Server
Windows
Server
Office
Server
Active
Directory
Virtual
Machines
Phone A
a@sky.com
Skywalker Corp
Phone B
b@sky.com
Phone C
c@sky.com

17. 1707/04/2017
Attacking Through Signalling
• Discover the protocols
– SIP, Cisco Skinny/SCCP, Alcatel UA
• Discover the signalling gateways
– Lack of authentication, insecure management
• Perform essential signalling attacks
– Enumeration, brute force, call forwarding
• Inject custom headers to calls
– Caller ID spoofing, billing or dial plan bypass
• Attack with a real client
– Voicemail access, toll fraud, spread the attack to clients
• Combining other attacks

18. 1807/04/2017
Attacking Through Messaging
• Unified Messaging
– Message types (e.g. rtf, html, images)
– Message content (e.g. JavaScript)
– File transfers and sharing features
– Code or script execution (e.g. SFB)
– Encoding (e.g. Base64, Charset)
• Various protocols
– MSRP, XMPP, SIP/MESSAGE
• Combining other attacks

19. 1907/04/2017
Mass Compromise
Attacking through a gateway
• Send a malicious meeting request
• Combine the attacks discussed
• Wait for the shells
Viproy Skype for Business
Server
SIP PBX Server
Signalling Gateway
Forwarded Meeting
Request
Meeting Request
(Attack in SIP content/headers)
PRIVATE NETWORK
Forwarded
Requests

20. 2007/04/2017
Attack Using Original Clients
MANIPULATE SIP CONTENT
INJECT MALICIOUS SUBJECTS
SEND PHISHING MESSAGES
Attacker’s Client Viproxy
Interactive Console
HACME 1
HACME 2
HACME 3
Reason: adding features
Attacker’s Client
 TLS / Proxy
 Certificate
 Compression
Console
 Enabling Features
 Content Injection
 Security Bypass

21. 2107/04/2017

22. 2207/04/2017
Cloud Communications
SIP & Media
Server
Database
Server
Tenant Services
Management
Applications
Client
Applications
PBX
Shared Services
1 2
ABC
3
DEF
4 5
JKL
6
MNOGHI
7 8
TUV
9
WXYZPQRS
*
0
OPER
#
?
+
-
CISCO IP PHONE
7970 SERIES

23. 2307/04/2017
Targeting Tenants or Providers
• Persistent access
– Raspberry PI with PoE, eavesdropping
• Shared services to jailbreak
– Billing, PBX, recordings, client applications
• Unauthorised service access
– Toll fraud, call forwarding, speed dial harvesting
– Privilege escalation on shared management
– SIP header manipulations for good
• Practical attacks w/ caller ID spoofing
– Voicemail harvesting, robocalls

24. 2407/04/2017
Targeting Clients
• Attacks with NO user interaction
• Calls with caller ID spoofing
– Fake IVR, social engineering
• Messages with caller ID spoofing
– Smishing (e.g. fake software update)
– Injected XSS, file-type exploits
– Bogus content-types or messages
– Meetings, multi-callee events

25. 2507/04/2017
Attacking Through UC/IMS
SIGNALLING / MESSAGING
• SDP / XML
• SIP Headers
• XMPP
• MSRP
CONTENT
• Message types (HTML, RTF, Docs)
• File types (Docs, Codecs)
• Caller ID Spoofing
• DoS / TDoS / Robocalls, Smishing
FORWARDED REQUESTS
• Call Settings
• Message Content
NO USER INTERACTION
• Call request parsing
• Message content parsing
• 3rd party libraries
reachable

26. 2607/04/2017
UC/VoIP Subscriber Services
Service Provider
ACS SIP
TR-069 / DOCSIS
RADIUSVOIP (SIP + RTP)
PSTN
PSTN
Service Provider
Media/Call
Gateway
VOIP (SIP + RTP)
Management

27. 2707/04/2017
Subscriber Services Testing
• Vulnerable CPE
– Credential extraction
– Attacking through embedded devices
• Insecurely located gateways
– Hardware hacking, eavesdropping
– Tampering gateways for persistent access
• SIP header manipulations
– Toll Fraud
– Attacking legacy systems (e.g. Nortel?)
– Voicemail hijacking

28. 2807/04/2017
Call Centre Security Testing
• Analysing encryption design
– Implementation (e.g. SRTP, SIP/TLS)
– Inter-vendor SRTP key exchange
• Privacy and PCI compliance
– Network segregation
– IVR recordings (e.g. RTP events)
– Eavesdropping
– Call recordings security

29. 2907/04/2017
Mobile Networks (IMS / VoLTE)
Call Session Control
Function
(P-CSCF, S-CSCF, I-CSCF) VoLTE/LTE Infrastructure
Mobile Subscribers
UC/VoIP Subscribers Session Border
Controller (SBC)
Session Border
Controller (SBC)
ACCESS NETWORK ACCESS NETWORKCORE NETWORK
Application
Server (AS)
Home Subscriber
Server (HSS)
Media Resource
Function
MRFC / MRFP

30. 3007/04/2017
Mobile Networks Testing
• Inter-vendor services design
• Accessing through mobile phones
– Tampered phone/SIM/IMSI
– IPSec interception for mobile phone – ENode-B traffic
• Network and service segregation
– *CSCF locations, SBC services used
– VoLTE design, application services
• SIP headers are very sensitive
– Internal trust relationships
– Filtered/Ignored SIP headers
– Caller ID spoofing, Billing bypass
• Encryption design (SIP, SRTP, MSRP)

31. 3107/04/2017
Security Testing Using Vipro(x)y
• Cloud communications
– SIP header tests, caller ID spoofing,
– Billing bypass, hijacking IP phones
• Signalling services
– Attacking tools for SIP and Skinny
– Advanced SIP attacks
• Proxy bounce, SIP trust hacking
• Custom headers, custom message-types
• UC tests w/ Viproxy + Real Client

32. 3207/04/2017
Sample SIP INVITE/SDP Exploit

33. 3307/04/2017

34. 3407/04/2017
Viproyable PBX
Vulnerable VoIP server with exercises (hands-on during workshops)
• VoIP service discovery
• Enumeration using various responses
• Gathering unauthorised access to the extensions
• Hijacking voicemails
• Performing call spoofing attacks
• Discovering SIP trust relationships
• Harvesting information via IP phone configuration files
• Gaining unauthorised access to Asterisk Management
• Remote code execution through SIP services
• Remote code execution through FreePBX modules
• Decoding RTP sessions and Decrypting SRTP sessions for eavesdropping
• Exploiting Cisco CUCDM services

35. 3507/04/2017
QumpIn Communications Analyser
• QumpIn: Communications Officer in Klingon
• Replaces Viproy and Viproxy
– Lack of programming, lack of community support
– Metasploit Framework, unstable communications
• What’s On
– Under development, pure Python 3.x code
– Module structure like Empire and Metasploit Framework
• Phases
1. Core functionalities of Viproy and Viproxy
2. Advanced protocol and authentication support, fuzzers and exploits

36. 3607/04/2017
Upcoming Features of QumpIn
Signalling
Media
IMS & VoLTE
Cloud UC
Assessment
IVR & CC
Voicemail
Practical
Exploits
Research
Tools

37. 3707/04/2017

38. 3807/04/2017
References
• Viproy VoIP Penetration Testing Kit
• QumpIn Communications Analyser
http://www.viproy.com
• Context Information Security
http://www.contextis.com

39. 3907/04/2017
Any Questions
Context Information Security
https://www.contextis.com

40. 4007/04/2017
Thanks
Context Information Security
https://www.contextis.com