VoIP – vulnerabilities and attacks
Download as PPTX, PDF11 likes16,987 views
The document discusses vulnerabilities and attacks against Voice over IP (VoIP) systems. It begins with an introduction to VoIP architecture, components, and protocols. It then covers vulnerabilities and common attack vectors against VoIP, such as identity spoofing, eavesdropping, password cracking, and denial of service attacks. The document demonstrates some example attacks and outlines tools that can be used for scanning, attacking, and testing the security of VoIP systems. It concludes with recommendations for countermeasures like firewalls, encryption, and network hardening to better secure VoIP infrastructures.
Ad
More Related Content
What's hot (20)
Viewers also liked (20)
Ad
Similar to VoIP – vulnerabilities and attacks (20)
Ad
More from n|u - The Open Security Community (20)
Recently uploaded (20)
VoIP – vulnerabilities and attacks
- 1. VoIP – Vulnerabilities and Attacks Presented by - push
- 2. Agenda • Introduction to VoIP – VoIP Architecture – VoIP Components – VoIP Protocols • A PenTester Perspective – Attack Vectors – Scanning – Attacks – Tools of Trade – Countermeasures and Security http://null.co.in/ http://nullcon.net/
- 3. Remember Something? http://null.co.in/ http://nullcon.net/
- 4. VoIP • IP Telephony • Voice over Internet Protocol • Subset of IP Telephony • Transmission of “Voice” over Packet-Switched Network. • Is it only Voice??? – Data, Audio, Video http://null.co.in/ http://nullcon.net/
- 5. VoIP • Voice Analog Signals are converted to digital bits - “Sampled” and transmitted in packets Analog Voice Signals 101010101010 1101101101 Analog Voice 1010101010101101101 101010101010110110 Signals 101 1101 101010101010 1101101101 Internet 1010101010101101101 101010101010110110 101 1101 http://null.co.in/ http://nullcon.net/
- 6. VoIP Architecture Ordinary Phone ATA Ethernet Router Internet http://null.co.in/ http://nullcon.net/
- 7. VoIP Architecture IP Phone Ethernet IP-PBX Router Internet Internet IP Phone IP - PBX Modem / Router http://null.co.in/ http://nullcon.net/
- 8. VoIP Architecture Softphone Phone Ethernet Router Internet Internet http://null.co.in/ http://nullcon.net/
- 9. VoIP Architecture http://null.co.in/ http://nullcon.net/
- 10. VoIP Components • User Agents (devices) • Redirect Servers • Media gateways • Registrar Servers • Signaling gateways • Location Servers • Network management system • Gatekeepers • Billing systems • Proxy Servers GW Gateway MG Media Gateway GK Gatekeeper MGC Media Gateway Controller NMS Network Management System IVR Interactive Voice Response http://null.co.in/ http://nullcon.net/
- 11. VoIP Protocols • Vendor Proprietary • Signaling Protocols • Media Protocols http://null.co.in/ http://nullcon.net/
- 12. VoIP Protocols SIP Session Initiation Protocol SAP Session Announcement Protocol SGCP Simple Gateway Control Protocol MIME Multipurpose Internet Mail IPDC Internet Protocol device Control Extensions – Set of Standards RTP Real Time Transmission Protocol IAX Inter-Asterisk eXchange SRTP Secure Real Time Transmission Protocol Megaco H.248 Gateway Control Protocol RTCP RTP Control Protocol RVP over IP Remote Voice Protocol over IP SRTCP Secure RTP Control Protocol RTSP Real Time Streaming Protocol MGCP Media Gateway Control Protocol SCCP Skinny Client Control Protocol (Cisco). SDP Session Description Protocol UNISTIM Unified Network Stimulus (Nortel). http://null.co.in/ http://nullcon.net/
- 13. VoIP Protocols - SIP http://null.co.in/ http://nullcon.net/
- 14. VoIP Protocols – H.323 http://null.co.in/ http://nullcon.net/
- 15. A PenTester Perspective http://null.co.in/ http://nullcon.net/
- 16. VoIP – Attack Vectors • Vulnerabilities of Both Data and Telephone Network • CIA Triad http://null.co.in/ http://nullcon.net/
- 17. VoIP - Scanning • Scanning a network for VoIP enabled systems / devices. • Tools for Scanning and Enumeration : – Nmap port scanner – Smap sip scanner. Finds SIP Enabled Servers – Svmap sip scanner – Svwar sip extension enumerator – Iwar VoIP Enabled modem Dialer – Metasploit Modules : • H.323 version scanner • SIP enumerator SIP Username enumerator(UDP) • SIP enumerator_tcp SIP Username Enumerator(TCP) • Options SIP scanner(TCP) • Options_tcp SIP scanner(UDP) http://null.co.in/ http://nullcon.net/
- 18. VoIP – Scanning Demo • Nmap scan http://null.co.in/ http://nullcon.net/
- 19. VoIP – Common Ports Protocol TCP Port UDP Port SIP 5060 5060 SIP-TLS 5061 5061 IAX2 - 4569 http – web based 80 / 8080 - management console tftp - 69 RTP - 5004 RTCP - 5005 IAX1 - 5036 SCCP 2000 SCCPS 2443 H.323 1720 http://null.co.in/ http://nullcon.net/
- 20. VoIP – Scanning Demo • Smap • svmap http://null.co.in/ http://nullcon.net/
- 21. VoIP – Scanning Demo • Metasploit Scanner http://null.co.in/ http://nullcon.net/
- 22. VoIP - Attacks • Identity Spoofing • Conversation Eavesdropping / Sniffing • Password Cracking • Man-In-The-Middle • SIP-Bye DoS • SIP Bombing • RTP Insertion Attacks • Web Based Management Console Hacks • Fuzzing • Default Passwords http://null.co.in/ http://nullcon.net/
- 23. VoIP – Attacks Demo • Identity – Caller ID Spoofing – Tools Used : • Metasploit- SIP_INVITE_Spoof • VoIP Fuzzer – Protos -Sip http://null.co.in/ http://nullcon.net/
- 24. VoIP – Attacks Demo • Conversation Eavesdropping – Tools used : • Cain & Abel • Ettercap • Arpspoof • Wireshark http://null.co.in/ http://nullcon.net/
- 25. VoIP – Attacks Demo • Man-In-The-Middle – Tools Used : • Wireshark • Arpspoof / ettercap • RTPInject • RTPmixsound http://null.co.in/ http://nullcon.net/
- 26. VoIP – Attacks Demo • Password Cracking – Tools Used : • SIPDump • SIPCrack • svcrack http://null.co.in/ http://nullcon.net/
- 27. VoIP - Attacks Some Default Passwords for VoIP Devices and Consoles: Device / Console Username Password Uniden UIP1868P VoIP - admin phone Web Interface Hitachi IP5000 VOIP WIFI - 0000 Phone 1.5.6 Vonage VoIP Telephone user user Adapter Grandstream Phones - Web Administrator /admin admin Adimistrator Interface user user •Asterisk Manager User Accounts are configured in /etc/asterisk/manager.conf http://null.co.in/ http://nullcon.net/
- 28. VoIP – Audit & PenTest Tools • UCSniff • MetaSploit Modules : – Auxillary Modules • VoIPHopper • SIP enumerator SIP Username enumerator • SIP enumerator_tcp SIP USERNAME • Vomit Enumerator • VoIPong • Options SIP scanner • Options_tcp SIP scanner • IAX Flood • Asterisk_login Asterisk Manager Login Utility – Exploits • InviteFlood • Aol_icq_downloadagent AOL ICQ Arbitary File Downlowd • RTPFlood • Aim_triton_cseq AIM triton 1.0.4 CSeq Buffer Overflow • IAXFlood • Sipxezphone_cseq sipxezphone 0.35a Cseq Filed Overflow • BYE-TearDown • Sipxphone_cseq sipxPhone 2.6.0.27 Cseq Buffer Overflow http://null.co.in/ http://nullcon.net/
- 29. Countermeasures & Security • Separate Infrasrtucture • Do not integrate Data and VoIP Networks • VoIP-aware Firewalls, • Secure Protocols like SRTP, • Session Encryption using SIP/TLS, SCCP/TLS • Harden Network Security – IDS – IPS - NIPS http://null.co.in/ http://nullcon.net/
- 30. Thank You See you all @ nullcon - Delhi http://null.co.in/ http://nullcon.net/
Editor's Notes
- #5: IP Telephony - 1990
- #30: Run all VoIP traffic through a separate Internet connection, separating voice and data into their own network segments (VLAN). Set up separate servers dedicated just to VoIP traffic and firewall them apart from the rest of your network. VoIP connections between different buildings use a Virtual Private Network (VPN) to authenticate users to prevent spoofing. Avoid use of cheap VoIP systems. Encrypt any VoIP traffic to keep it confidential and prevent eavesdropping by network sniffers. Put VoIP servers in a secure physical location. Make sure all routers and servers hosting your VoIP system have been hardened and all unnecessary services turned off and ports closed. Restrict access to VoIP servers to only system administrators and log and monitor all access. Use intrusion detection systems to monitor malicious attempts to access your VoIP network. Employ a defense-in-depth of strategy with multiple layers of security, including dedicated VoIP-ready firewalls. Test all devices that send, receive or parse VoIP protocols, including handsets, softphones, SIP proxies, H.323 gateways, call managers and firewalls that VoIP messages pass through.