attacking voip

77
Attacking VoIP the attacks & the attackers Tuesday, 13 April 2010

Upload: kbour23

Post on 19-Jul-2015

399 views

Category:

Documents


4 download

TRANSCRIPT

Page 1: Attacking voip

Attacking VoIPthe attacks & the attackers

Tuesday, 13 April 2010

Page 2: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Obligatory whois

• Sandro Gauci (from .mt)

• Security researcher and Pentester

• SIPVicious / VOIPPACK for CANVAS

• VOIPSCANNER.com

• Not just about VoIP

• EnableSecurity

Tuesday, 13 April 2010

Page 3: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Agenda

• Get the basics out of the way

• How does SIP scanning work?

• any advances in the area?

• What happens when you scan the ‘net

• Who is scanning the ‘net?

• ... why?

Tuesday, 13 April 2010

Page 4: Attacking voip

ENABLESECURITY Hackito Ergo Sum

A primer on SIP

• Text based just like HTTP

• Mostly UDP port 5060

• Endpoints

• “Servers”

• registrars

• proxies

Tuesday, 13 April 2010

Page 5: Attacking voip

ENABLESECURITY Hackito Ergo Sum

A primer on SIP

• Methods

• INVITE gets things to buzz and ring

• REGISTER sends phone calls your way

• OPTIONS gives you supported options

Tuesday, 13 April 2010

Page 6: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8To: Bob <[email protected]>From: Alice <[email protected]>;tag=1928301774Call-ID: a84b4c76e66710CSeq: 314159 INVITEMax-Forwards: 70Date: Thu, 21 Feb 2002 13:02:03 GMTContact: <sip:[email protected]>Content-Type: application/sdpContent-Length: 147

v=0o=UserA 2890844526 2890844526 IN IP4 here.coms=Session SDPc=IN IP4 pc33.atlanta.comt=0 0m=audio 49172 RTP/AVP 0a=rtpmap:0 PCMU/8000

method request URIsip address

caller address

dest address

Hea

der

Body media IP address

media rtp port

codecs

Tuesday, 13 April 2010

Page 7: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Scanning SIP

• Basic concept: elicit a response

• UDP has advantages for scanning

• send and forget

• no need to multiple sockets

Tuesday, 13 April 2010

Page 8: Attacking voip

ENABLESECURITY Hackito Ergo Sum

SIP: OPTIONS scan

scannerSIP

Registrar

OPTIONS

200 OK

Tuesday, 13 April 2010

Page 9: Attacking voip

ENABLESECURITY Hackito Ergo Sum

SIP: OPTIONS scan

OPTIONS sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 0.0.0.0:1498;branch=BCEA2F83-1CEF-FC6A-2989-54C18CE6425E;rportMax-Forwards: 70To: <sip:[email protected]>From: <sip:[email protected]>;tag=723535DC-E71F-E3D4-D572-2B41E58782E8Call-ID: 4203F1B5-3E1F-E6D6-32FF-B8C2DFAA190FCSeq: 1 OPTIONSContact: <sip:@0.0.0.0:1498;>Accept: application/sdpContent-Length: 0

Tuesday, 13 April 2010

Page 10: Attacking voip

ENABLESECURITY Hackito Ergo SumTuesday, 13 April 2010

Page 11: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Scanning lots!

scanner

Tuesday, 13 April 2010

Page 12: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Scanning lots!

scanner

Tuesday, 13 April 2010

Page 13: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Scanning VoIP protocols

• SIP (various tools: mine are SIPVicious,VOIPPACK,voipscanner.com)

• IAX2 (VOIPPACK, iaxscan, enumIAX)

• Works in progress

• SCCP

• H.323

• MGCP

Tuesday, 13 April 2010

Page 14: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Real life SIP scanning

• Different ranges

• Random scan

• Alternative ports

• Methods other than OPTIONS

• SRV records

Tuesday, 13 April 2010

Page 15: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Introducing svmap

• Trying out different ranges

• 1.1.1.1-1.1.1.20

• 1.1.1.1/24

• 1.1.1-3.*

Tuesday, 13 April 2010

Page 16: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Introducing svmap

• Random scans

• svmap.py --randomscan

• svmap.py --randomize 1.1.1.*

Tuesday, 13 April 2010

Page 17: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Choose your target

• Can scan by IP address class

• Scan by provider

• Scanning whole countries is interesting

• Location based trends

Tuesday, 13 April 2010

Page 18: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Live demo showing svmap random scanning in action

Tuesday, 13 April 2010

Page 19: Attacking voip

ENABLESECURITY Hackito Ergo Sum

backup demo ;-)

Tuesday, 13 April 2010

Page 20: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Fingerprinting

• Sometimes the User-agent is not set

• Or modified (opensource SIP software)

• Solution: fingerprinting

Tuesday, 13 April 2010

Page 21: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Fingerprinting request vs response

• In a request, various things are generated “randomly”

• From tag

• Call-ID value

• Branch value

• In a response, only the “To” tag is generated “randomly”

Tuesday, 13 April 2010

Page 22: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Headers of interest

SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: Asterisk PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0

Tuesday, 13 April 2010

Page 23: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Modified User-agent

SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: MyVeryOwn PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0

Tuesday, 13 April 2010

Page 24: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Give away

SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: MyVeryOwn PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0

Tuesday, 13 April 2010

Page 25: Attacking voip

ENABLESECURITY Hackito Ergo Sum

SIP/2.0 404 Not found Via: SIP/2.0/UDP 1.1.1.1:5061;branch=z9hG4bK-59472;received=1.1.1.1;rport=5061 From: "test" <sip:[email protected]:5060>;tag=d5a5bd3213c46cdd060c To: "test" <sip:[email protected]:5060>;tag=as05610bff Call-ID: 37012f88-24ac-44aa-ac45-2e6a05421e7d CSeq: 1 REGISTER User-Agent: MyVeryOwn PBX Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Content-Length: 0

Give away

Tuesday, 13 April 2010

Page 26: Attacking voip

ENABLESECURITY Hackito Ergo Sum

How is that generated?

snprintf(tagbuf, len, "as%08lx", ast_random());

Tuesday, 13 April 2010

Page 27: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Fingerprinting To Tag

Asterisk as[0-9a-f]{8}

Sipura / Linksys SPA [a-fA-F0-9]{16}i0

Cisco VoIP Gateway[a-fA-F0-9]{6,8}-[a-fA-

F0-9]{2,4}

AVM FRITZ!Box [a-fA-F0-9]{16,29}

Tuesday, 13 April 2010

Page 28: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Order of headers

SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: xxx voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0

Tuesday, 13 April 2010

Page 29: Attacking voip

ENABLESECURITY Hackito Ergo Sum

SIP/2.0 404 Not FoundVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f8a13c4d8bf89f5To: "hello" <sip:[email protected]:5060>;tag=as263e3393Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: xxx asteriskAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replacesAccept: application/sdpContent-Length: 0

Order of headers

Tuesday, 13 April 2010

Page 30: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Order of headers

SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipgate voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0

SIP/2.0 404 Not FoundVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-59202;received=3.2.1.9;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f8a13c4d8bf89f5To: "hello" <sip:[email protected]:5060>;tag=as263e3393Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipbox asteriskAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replacesAccept: application/sdpContent-Length: 0

Tuesday, 13 April 2010

Page 31: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Order of headers

SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipgate voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0

SIP/2.0 401 UnauthorizedVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-57276;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f2813c40c17866cTo: "hello" <sip:[email protected]:5060>;tag=cfbe3ffc7182a98821d890d5d753dab6.dd37Cseq: 1 REGISTERCall-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663WWW-Authenticate: Digest realm="sipgate.at", nonce=" "Content-Length: 0

Tuesday, 13 April 2010

Page 32: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Case for header names

SIP/2.0 200 OKVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-24832;rport;received=3.2.1.9From: "hello" <sip:[email protected]:5060>;tag=d90a4f2313c4cc438e14To: "hello" <sip:[email protected]:5060>;tag=as00ea0c68Call-ID: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663CSeq: 1 OPTIONSUser-Agent: sipgate voicemailAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYContact: <sip:1.2.3.35>Accept: application/sdpContent-Length: 0

SIP/2.0 401 UnauthorizedVia: SIP/2.0/UDP 3.2.1.9:5061;branch=z9hG4bK-57276;rport=5061From: "hello" <sip:[email protected]:5060>;tag=d90a4f2813c40c17866cTo: "hello" <sip:[email protected]:5060>;tag=cfbe3ffc7182a98821d890d5d753dab6.dd37Cseq: 1 REGISTERCall-id: 6a53b3b9-3c0b-47d3-9e7f-b024ffe74663WWW-Authenticate: Digest realm="sipgate.at", nonce=" "Content-Length: 0

Tuesday, 13 April 2010

Page 33: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Fingerprinting SIP

• Just one packet needed

• To tag

• Headers

• Rewriting in progress

Tuesday, 13 April 2010

Page 34: Attacking voip

ENABLESECURITY Hackito Ergo Sum

What else?

• Find out which extensions are on the PBX

• Break their password

• Try to relay a phone call (INVITE scan)

• Or just go ahead and own the PBX

Tuesday, 13 April 2010

Page 35: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Demo showing how enumeration of extensions works

Tuesday, 13 April 2010

Page 36: Attacking voip

ENABLESECURITY Hackito Ergo SumTuesday, 13 April 2010

Page 37: Attacking voip

ENABLESECURITY Hackito Ergo Sum

svwar.py (SIPVicious) and sipenumerate (VOIPPACK)automate this fully

Tuesday, 13 April 2010

Page 38: Attacking voip

ENABLESECURITY Hackito Ergo SumTuesday, 13 April 2010

Page 39: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Demo showing SIP Digest Leak in action

Tuesday, 13 April 2010

Page 40: Attacking voip

ENABLESECURITY Hackito Ergo SumTuesday, 13 April 2010

Page 41: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Demo showing Elastix 1.5.2 with exploitable VTiger

Tuesday, 13 April 2010

Page 42: Attacking voip

ENABLESECURITY Hackito Ergo SumTuesday, 13 April 2010

Page 43: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE scans

• INVITE gets thing to ring

• Many times it requires a valid sip uri

• The problem is ...

Tuesday, 13 April 2010

Page 44: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Some phones will ring on any number

Tuesday, 13 April 2010

Page 45: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Some misconfigured SIP gateways / servers will try to terminate the call

Tuesday, 13 April 2010

Page 46: Attacking voip

ENABLESECURITY Hackito Ergo Sumhttp://www.ipcom.at/fileadmin/public/2008-10-22_Analysis_of_a_VoIP_Attack.pdf

Tuesday, 13 April 2010

Page 47: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Introducing voiphun

• Short for “voip honeypot” :-)

• A very simple fake SIP registration server

• And fake proxy too (i.e. takes calls)

• Which can be used as a honeypot

• Still limited in functionality

Tuesday, 13 April 2010

Page 48: Attacking voip

ENABLESECURITY Hackito Ergo Sum

What’s in voiphun’s hat?

Tuesday, 13 April 2010

Page 49: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 93.190.143.10:5060;branch=z9hG4bK1e5f004e;rportMax-Forwards: 70From: "MeucciSolutions" <sip:[email protected]>;tag=as2e634a50To: <sip:[email protected]>Contact: <sip:[email protected]>Call-ID: [email protected]: 102 INVITEUser-Agent: MeucciSolutionsDate: Sun, 10 May 2009 15:39:15 GMTAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replaces, timerContent-Type: application/sdpContent-Length: 289

v=0o=root 2093936706 2093936706 IN IP4 93.190.143.10s=Asterisk PBX 1.6.0.5c=IN IP4 93.190.143.10t=0 0m=audio 13280 RTP/AVP 8 0 101a=rtpmap:8 PCMA/8000a=rtpmap:0 PCMU/8000a=rtpmap:101 telephone-event/8000a=fmtp:101 0-16a=silenceSupp:off - - - -a=ptime:20a=sendrecv

Tuesday, 13 April 2010

Page 50: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 93.190.143.10:5060;branch=z9hG4bK553a8ca4;rportMax-Forwards: 70From: "MeucciSolutions" <sip:[email protected]>;tag=as059768a7To: <sip:[email protected]>Contact: <sip:[email protected]>Call-ID: [email protected]: 102 INVITEUser-Agent: MeucciSolutionsDate: Sun, 10 May 2009 16:08:05 GMTAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replaces, timerContent-Type: application/sdpContent-Length: 289

v=0o=root 2093113969 2093113969 IN IP4 93.190.143.10s=Asterisk PBX 1.6.0.5c=IN IP4 93.190.143.10t=0 0m=audio 16362 RTP/AVP 8 0 101a=rtpmap:8 PCMA/8000a=rtpmap:0 PCMU/8000a=rtpmap:101 telephone-event/8000a=fmtp:101 0-16a=silenceSupp:off - - - -a=ptime:20a=sendrecv

Tuesday, 13 April 2010

Page 51: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 93.190.143.10:5060;branch=z9hG4bK63f6e79c;rportMax-Forwards: 70From: "MeucciSolutions" <sip:[email protected]>;tag=as5b7d22e8To: <sip:[email protected]>Contact: <sip:[email protected]>Call-ID: [email protected]: 102 INVITEUser-Agent: MeucciSolutionsDate: Sun, 10 May 2009 18:42:34 GMTAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replaces, timerContent-Type: application/sdpContent-Length: 289

v=0o=root 1890643109 1890643109 IN IP4 93.190.143.10s=Asterisk PBX 1.6.0.5c=IN IP4 93.190.143.10t=0 0m=audio 18572 RTP/AVP 8 0 101a=rtpmap:8 PCMA/8000a=rtpmap:0 PCMU/8000a=rtpmap:101 telephone-event/8000a=fmtp:101 0-16a=silenceSupp:off - - - -a=ptime:20a=sendrecv

Tuesday, 13 April 2010

Page 52: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Who are Meucci Solutions anyway?

Tuesday, 13 April 2010

Page 53: Attacking voip

ENABLESECURITY Hackito Ergo SumTuesday, 13 April 2010

Page 54: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Basic free calling

• Someone actually configured a softphone to use my honeypot

• Not a scanner ..

Tuesday, 13 April 2010

Page 55: Attacking voip

ENABLESECURITY Hackito Ergo Sum

REGISTER sip:xx.xx.xx.xx; SIP/2.0Via: SIP/2.0/UDP 188.27.208.189:62399;branch=z9hG4bK-d8754z-d97d7324ef9fe3b9-1---d8754z-Max-Forwards: 70Contact: <sip:[email protected]:62399;rinstance=27d34fb7751fabd2;>To: "UNKNOWN"<sip:>From: "UNKNOWN"<sip:>;tag=3832fc23Call-ID: OWE4NjIyODhhMjgxOGQ5OGRiNWFlYmEyMmNiYmJjZjQ.CSeq: 1 REGISTERExpires: 3600Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBEUser-Agent: Zoiper rev.5324Allow-Events: presenceContent-Length: 0

Tuesday, 13 April 2010

Page 56: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE sip:[email protected];transport=UDP SIP/2.0Via: SIP/2.0/UDP 188.27.208.189:62399;branch=z9hG4bK-d8754z-ffab3c4b5a504640-1---d8754z-Max-Forwards: 70Contact: <sip:[email protected]:62399;transport=UDP>To: <sip:[email protected];transport=UDP>From: "UNKNOWN"<sip:[email protected];transport=UDP>;tag=9a46293cCall-ID: OGVmNmI1NmU3MTVmYTBmMTliMWZjMzdlYjI2N2U3ZTk.CSeq: 1 INVITEAllow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBEContent-Type: application/sdpUser-Agent: Zoiper rev.5324Content-Length: 332

v=0o=Zoiper_user 0 0 IN IP4 188.27.208.189s=Zoiper_sessionc=IN IP4 188.27.208.189t=0 0m=audio 65287 RTP/AVP 3 0 8 110 98 101a=rtpmap:3 GSM/8000a=rtpmap:0 PCMU/8000a=rtpmap:8 PCMA/8000a=rtpmap:110 speex/8000a=rtpmap:98 iLBC/8000a=fmtp:98 mode=30a=rtpmap:101 telephone-event/8000a=fmtp:101 0-15a=sendrecv

Tuesday, 13 April 2010

Page 57: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE sip:[email protected];transport=UDP SIP/2.0Via: SIP/2.0/UDP 188.27.208.189:62399;branch=z9hG4bK-d8754z-025d9d26e0a72a55-1---d8754z-Max-Forwards: 70Contact: <sip:[email protected]:62399;transport=UDP>To: <sip:[email protected];transport=UDP>From: "UNKNOWN"<sip:[email protected];transport=UDP>;tag=92432566Call-ID: MTcxMzViODI1NmU5ZDRhYTA1ODRkNDUzZGVhODRhZWE.CSeq: 1 INVITEAllow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBEContent-Type: application/sdpUser-Agent: Zoiper rev.5324Content-Length: 332

v=0o=Zoiper_user 0 0 IN IP4 188.27.208.189s=Zoiper_sessionc=IN IP4 188.27.208.189t=0 0m=audio 65287 RTP/AVP 3 0 8 110 98 101a=rtpmap:3 GSM/8000a=rtpmap:0 PCMU/8000a=rtpmap:8 PCMA/8000a=rtpmap:110 speex/8000a=rtpmap:98 iLBC/8000a=fmtp:98 mode=30a=rtpmap:101 telephone-event/8000a=fmtp:101 0-15a=sendrecv

Tuesday, 13 April 2010

Page 58: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE sip:[email protected];transport=UDP SIP/2.0Via: SIP/2.0/UDP 188.27.208.189:62399;branch=z9hG4bK-d8754z-9452e55e784f770a-1---d8754z-Max-Forwards: 70Contact: <sip:[email protected]:62399;transport=UDP>To: <sip:[email protected];transport=UDP>From: "UNKNOWN"<sip:[email protected];transport=UDP>;tag=770afa6dCall-ID: MzM1ZWRhNjhiZGQyMzI1ZGQzNjEzYmI2OGEyMzZlYTM.CSeq: 1 INVITEAllow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBEContent-Type: application/sdpUser-Agent: Zoiper rev.5324Content-Length: 332

v=0o=Zoiper_user 0 0 IN IP4 188.27.208.189s=Zoiper_sessionc=IN IP4 188.27.208.189t=0 0m=audio 65287 RTP/AVP 3 0 8 110 98 101a=rtpmap:3 GSM/8000a=rtpmap:0 PCMU/8000a=rtpmap:8 PCMA/8000a=rtpmap:110 speex/8000a=rtpmap:98 iLBC/8000a=fmtp:98 mode=30a=rtpmap:101 telephone-event/8000a=fmtp:101 0-15a=sendrecv

Tuesday, 13 April 2010

Page 59: Attacking voip

ENABLESECURITY Hackito Ergo Sum

I <3 Patterns

• INVITE scans bruteforces phone numbers

• Why not extract those numbers?

• Group them by source IP / country

Tuesday, 13 April 2010

Page 60: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE scan 1

00000447799584555000044137245653900011442086702315000144012987090300044162262038800114478766175480014420758281870044118978031601144207633973301447850294946044207837545014420724253769004417676776669011442082163104904479736420159442074998161

Came from Romania Data Systems network

Tuesday, 13 April 2010

Page 61: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE scan 2

#44207650105000#442076501050011#442076501050011441616606065044207650105044207650105090044207650105090114420765010509442076501050

Also from China Telecom (Guangdong) network

fax number

Tuesday, 13 April 2010

Page 62: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE scan 3

00000447799584555000044137245653900004420762973470001144208670231500014401298709030001441844208220000441622620388000442073878081001144207638111100114478766175480014420758281870014477757421740044118978031601144207633973301244153561084001447024074657-- clipped --

Came from China Telecom (Shanxi) network

Tuesday, 13 April 2010

Page 63: Attacking voip

ENABLESECURITY Hackito Ergo Sum

INVITE scan 4

3368136831937322719718336813683193732271971833681368319373227197183368136831933681368319

Came from ProXad network

Tuesday, 13 April 2010

Page 64: Attacking voip

ENABLESECURITY Hackito Ergo Sum

The RIPE experiment

• 2010-01-27 they started announcing 1.1.1.0/24

• Only 10 MBit port

• It was maxed out immediately

Tuesday, 13 April 2010

Page 65: Attacking voip

ENABLESECURITY Hackito Ergo Sum

The RIPE experiment

graph from RIPE bloghttp://labs.ripe.net/content/pollution-18

Tuesday, 13 April 2010

Page 66: Attacking voip

ENABLESECURITY Hackito Ergo Sum

The RIPE experiment

graph from RIPE bloghttp://labs.ripe.net/content/pollution-18

Tuesday, 13 April 2010

Page 67: Attacking voip

ENABLESECURITY Hackito Ergo Sum

The RIPE experiment

graph from RIPE bloghttp://labs.ripe.net/content/pollution-18

Tuesday, 13 April 2010

Page 68: Attacking voip

ENABLESECURITY Hackito Ergo Sum

The RIPE experiment

graph from RIPE bloghttp://labs.ripe.net/content/pollution-18

Tuesday, 13 April 2010

Page 69: Attacking voip

ENABLESECURITY Hackito Ergo Sum

The RIPE experiment

“We found that almost 60% of the UDP packets are sent towards the IP address 1.1.1.1 on port 15206 which makes up the largest amount of packets seen by our RRC. Most of these packets

start their data section with 0x80, continue with seemingly random data and are padded to 172 bytes with an (again seemingly random) 2 byte value. Some sources (http://www.proxyblind.org/

trojan.shtml) list the port as being used by a trojan called "KiLo", however information about it seem sparse.”

quoting the RIPE bloghttp://labs.ripe.net/content/pollution-18

the part that i found interesting:

Tuesday, 13 April 2010

Page 70: Attacking voip

ENABLESECURITY Hackito Ergo Sum

back in voiphun landINVITE sip:[email protected] SIP/2.0Via: SIP/2.0/UDP 83.142.202.195:3058;branch=ca4b60ae7ba821fREPLACEDjrgrg;rportFrom: <sip:[email protected]>;tag=Za4b60aeREPLACEDTo: <sip:[email protected]>Contact: <sip:[email protected]>Call-ID: [email protected]: 102 INVITEUser-Agent: Asterisk PBXMax-Forwards: 70Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYSupported: replacesContent-Type: application/sdpContent-Length: 503

v=0o=sip 2147483647 1 IN IP4 1.1.1.1s=sipc=IN IP4 1.1.1.1t=0 0m=audio 15206 RTP/AVP 10 4 3 0 8 112 5 7 18 111 101a=rtpmap:10 L16/8000a=rtpmap:4 G723/8000a=fmtp:4 annexa=noa=rtpmap:3 GSM/8000a=rtpmap:0 PCMU/8000a=rtpmap:8 PCMA/8000a=rtpmap:112 AAL2-G726-32/8000a=rtpmap:5 DVI4/8000a=rtpmap:7 LPC/8000a=rtpmap:18 G729/8000a=fmtp:18 annexb=noa=rtpmap:111 G726-32/8000a=rtpmap:101 telephone-event/8000a=fmtp:101 0-16a=silenceSupp:off - - - -a=ptime:20a=sendrecv

RTP Stream goes to IP 1.1.1.1

on port 15206

Tuesday, 13 April 2010

Page 71: Attacking voip

ENABLESECURITY Hackito Ergo Sum

RTP & SDP

• RTP (almost) always starts with an 0x80

• If an INVITE is accepted the RTP stream is sent to the IP in the SDP

• Yet another reflected DDoS opportunity?

Tuesday, 13 April 2010

Page 72: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Profit?

• Phone fraud has been going on for a while

• Phone call termination cost money

• Premium numbers even more

Tuesday, 13 April 2010

Page 73: Attacking voip

ENABLESECURITY Hackito Ergo Sum

One scheme

• Find SIP PBXs that have weak passwords

• Route phone calls through them

• Provide line termination to VoIP providers

Tuesday, 13 April 2010

Page 74: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Others

• May involve premium numbers

• Denial of Service can be a huge problem

• Millions of dollars in losses have been mentioned before (in toll fraud)

Tuesday, 13 April 2010

Page 75: Attacking voip

ENABLESECURITY Hackito Ergo Sum

Thanks

• The Hackito Ergo Sum team

• Sn0rky, Sjur & others who helped

• SIPVicious contributors and users

Tuesday, 13 April 2010

Page 76: Attacking voip

ENABLESECURITY Hackito Ergo Sum

More at..

• EnableSecurity.com/research

• Sipvicious.org

• VOIPSA.org

Tuesday, 13 April 2010

Page 77: Attacking voip

ENABLESECURITY Hackito Ergo Sum

alternatively contact me

[email protected]

Q.A

Tuesday, 13 April 2010