Sep 30, 2014

VoIP Wars: Attack of the Cisco Phones (Black Hat USA 2014 Video)

Black Hat USA 2014 videos are published yesterday. The following video is my Black Hat USA 2014 presentation, VoIP Wars: Attack of the Cisco Phones. Also I have added the presentation itself and the live demo remake video as well.

VoIP Wars: Attack of the Cisco Phones (Video)

VoIP Wars: Attack of the Cisco Phones (Presentation)

VoIP Wars: Attack of the Cisco Phones (Live Demo Remake)

Sep 26, 2014

VoIP Wars and the Awesome Audience

Last year, was my first DEF CON presentation “VoIP Wars: Return of the SIP.” I really enjoyed being a part of this amazing security conference. I presented some next generation VoIP attacks such as SIP trust hacking, SIP proxy bounce attacks and attacking mobile applications through the SIP protocol. I also announced my security assessment tool Viproy VoIP penetration testing kit during the security conference.

Aug 16, 2014

VoIP Wars: Attack of the Cisco Phones

I have shared my Cisco based hosted VoIP networks security research at Blackhat USA 2014 and DEF CON 22 last week. This research contains several different attack vectors, published vulnerabilities, unpatched vulnerabilities, Skinny protocol attacks, new SIP protocol attacks, VOSS IP phone XML services attacks and new version of Viproy VoIP penetration testing kit. I'll prepare a few detailed blog entries for them, before this, you can review the slide set and the recap of the live demos of the presentation.

VoIP Wars: Attack of the Cisco Phones (Presentation)

VoIP Wars: Attack of the Cisco Phones (Live Demo Remake)

Mar 21, 2014

AusCERT 2014 Tutorials from Sense of Security

Sense of Security will have 2 tutorials and 3 presentations at AusCERT 2014, details are accessible at the tutorials and the presentations pages of the event. 

Nathaniel Carew, Nadeem Ahmed Salim and I have prepared a penetration testing tutorial for mobile applications, registration link is accessible from here. We're planning to explain test procedures of the mobile pen-test, testing tools and the cutting-edge techniques. We will cover iOS and Android platforms for the tutorial, the demonstrations prepared for these platforms as well. They will be based on sample vulnerable applications and real applications from the application stores. The followings are the headlines of the mobile pen-test tutorial.

Penetration Testing for Mobile Applications and Web Services
  • Mobile Applications 101
    • Preparing a mobile pen-test lab 
  • Auditing platform integration 
    • Compile options, Encryption, Storage, Caching, Logs
  • Reverse engineering
    • Unpacking, Deobfuscating, Permission Management
    • Source code analysis, Protection bypass, Sandbox Issues
    • Runtime manipulation, Debugging
  • Transport and communication features 
    • Certificate pinning, MITM, Fake services

Moreover, Shawn Thompson and I have prepared an another tutorial as well, Next Generation Attacks and Countermeasures for VoIP. Registration link is accessible from here and the major tool of the tutorial, Viproy, is accessible from here. We're planning to demonstrate next generation VoIP attacks starting from the LAN attacks to the SIP, Skinny, Trust and Proxy attacks. The beta versions of the new Viproy modules will be in these demonstrations as well such as Skinny signalling protocol attacks, CDP support, Cisco vendor support for SIP, TCP and SSL support for SIP. We will prepare a test lab for the tutorial which includes different SIP servers, VLAN supported switch, Cisco SIP and Skinny services. The followings are the headlines of the mobile pen-test tutorial.

Next Generation Attacks and Countermeasures for VoIP
  • Network Infrastructure Analysis
    • WAN/LAN/VLAN analysis, Service discovery
  • IP Telephony Server Security
    • Weak configuration, Management issues
  • SIP, Skinny and RTP Analysis
    • Discovery, Authentication, Call tests, VAS
    • Enumeration, Eavesdropping, Call Spoofing
  • VoIP Clients’ Security 
  • Advanced Attacks
    • Trust hacking, Proxy hacking, DoS, Fuzzing
If you have further questions about these tutorials, feel free to contact me at fatih.ozavci at 

Sep 2, 2013

The Notes about my USA Trip: Defcon, Blackhat and Cluecon

I have been USA for 2 weeks. I have presented my VoIP research and Viproy VoIP Penetration Testing Kit at Blackhat Arsenal 2013, Defcon 21 and Cluecon 2013. My presentation is below, VoIP Wars: Return of the SIP and you can get Viproy from I'll share my USA experience in this blog entry, my plans about Viproy and its new modules/features will be explained in an another blog entry. 

Jun 18, 2013

Hacking SIP Like a Boss! (Athcon 2013) Live Demo Remake

I had a presentation at Athcon 2013, Hacking SIP Like a Boss!. I have showed a Live Demo after Basic Usage Videos. This video is remake of Live Demo part. You can check basic usage of Viproy VoIP Penetration Kit from here.

Live Demo Headlines
  1. SIP Proxy Bounce Attack
  2. Hacking SIP Trust Relationships
  3. Attacking Mobile Applications Using SIP Trust

Viproy VoIP Penetration Kit Homepage


Jun 12, 2013

Blackhat Arsenal USA 2013

Viproy VoIP Penetration Testing and Exploitation Kit is accepted for Blackhat Arsenal USA 2013. It will be amazing for me, I will present it at Las Vegas, USA. Blackhat Arsenal USA 2013 line up is announced and many good tools are waiting for us. You can check all tools and author via this Blackhat Arsenal USA page.

Line up contains many cool tools. My favorite tools are armitage, dalvik inspector, drozer, gotbeef, hookme, smartphone pen-test framework, set and vega. They have created an author page for me, I liked it :-)

I'm working on a few modules for Viproy and I'm planning to announce them at Blackhat Arsenal USA 2013. SIP Message support, DDOS via SIP servers and MITM Fuzzing modules are coming.

Athcon 2013 - Presentation, Notes and Photos

Athcon is annual, two-day security conference at Greece. I have presented "Hacking SIP Like a Boss" there and I had so much fun. It was amazing and there were really cool presentations at Athcon. Also I have met a few good friends such as Juriaan Breemer (@skier_t), George Nicolaou (@george_nicolaou), Michele Orru' (@antisnatchor), Ben Williams (@insidetrust) and Max Sobell (@msobell). Great thanks to  Christian Papathanasiou, Kyprianos Vasilopoulos and the Athcon team. They have created an impressive security conference at Greece.

My favorite presentations at Athcon
  • Rooting your internals: custom shellcode, BeEF and Inter-Protocol Exploitation (Michele Orru')
  • Attacking NFC Mobile Wallets: Where Trust Breaks Down (Max Sobell)
  • Automated analysis and Deobfuscation of Android Apps & Malware (Jurriaan Bremer)
  • The Icarus story (George Nicolaou)
  • Hacking Appliances: Ironic exploits in security products (Ben Williams)

Slide Set of Hacking SIP Like a Boss!

Special thanks to Athcon team, because they let me add a few slides in my presentation about Gezi Park Protest in Istanbul (#occupygezi). You can check them in my presentation.

Of course, pics or it didn't happen! :-)  (continue for pics...)

May 7, 2013

UDP Port Scanning Using SIP Proxies

Port Scanning is an important phase of network mapping. All attacks and collected information rely on this phase. It's more important when discovering VoIP networks, because of UDP and IP based trust infrastructure. We can discover network services and SIP services via UDP scan, but we can detect only accessible servers. We need more information to execute SIP Trust based attacks. 

However a simple technique helps us to discover inaccessible SIP servers. SIP Proxies redirect SIP requests to host in SIP URI. When the request contains this header "sip:HOST:PORT", SIP Proxy try to redirect request to the target HOST and its PORT. SIP Proxy returns HOST's response if there is a response, otherwise time out error generated. We can use this configuration to scan inaccessible servers such as trusted servers, 3rd party servers and private gateway services. 

I developed a PoC scanning module to scan 3rd party servers via SIP Proxies. It's useful for UDP based SIP Server discovery. This module reports accessible servers, ports and SIP service software. I prepared a demo, this is a usage of scanning module to discover ports of and Vulnerable SIP Proxy is, we try to scan a port range of target hosts. 

Viproy VoIP Penetration and Exploitation Kit - Github Page

Viproy VoIP Penetration and Exploitation Kit - Homepage

msf auxiliary(vsipportscan-options) > show options 

Module options (auxiliary/scanner/sip/vsipportscan-options):

   Name                    Current Setting                            Required  Description
   ----                        ---------------                                --------  -----------
   CHOST                                       no        The local client address
   CPORT                   5091                                            no        The local client port
   RHOSTS               yes       IP Range for UDP Port Scan
   RPORTS                 5060-5065                                    yes       Port Range for UDP Port Scan
   SIP_SERVER_IP                              yes       Vulnerable SIP Server IP
   SIP_SERVER_PORT  5060                                            yes       Vulnerable SIP Server Port
   THREADS               1                                                  yes       The number of concurrent threads

msf auxiliary(vsipportscan-options) > set RPORTS 5058-5062
RPORTS => 5058-5062

msf auxiliary(vsipportscan-options) > set VERBOSE true
VERBOSE => true

msf auxiliary(vsipportscan-options) > run

[*] Starting SIP Socket on
[*] Sending Packet for
[*] 5058 is Close/Filtered

[*] Sending Packet for
[*] 5059 is Close/Filtered

[*] Sending Packet for
[+] 5060 is Open
    Server : FPBX-2.11.0beta2(11.2.1)

[*] Sending Packet for
[*] 5061 is Close/Filtered

[*] Sending Packet for
[*] 5062 is Close/Filtered

[*] Sending Packet for
[*] 5058 is Close/Filtered

[*] Sending Packet for
[*] 5059 is Close/Filtered

[*] Sending Packet for
[+] 5060 is Open
    User-Agent : 3CXPhoneSystem 11.0.28976.849 (28862)

[*] Sending Packet for
[*] 5061 is Close/Filtered

[*] Sending Packet for
[*] 5062 is Close/Filtered

[*] Stopping SIP Sockets...
[*] Auxiliary module execution completed

Apr 29, 2013

Security Audit of NGN and VoIP Systems (Turkish)

I have presented a seminar about NGN and VoIP Security Analysis at Cypsec 2013 event. This slide set includes NGN and VoIP Attacking Techniques in Basic, Using Viproy VoIP Kit for Attacks and Its Features.