Mar 21, 2014

AusCERT 2014 Tutorials from Sense of Security

Sense of Security will have 2 tutorials and 3 presentations at AusCERT 2014, details are accessible at the tutorials and the presentations pages of the event. 

Nathaniel Carew, Nadeem Ahmed Salim and I have prepared a penetration testing tutorial for mobile applications, registration link is accessible from here. We're planning to explain test procedures of the mobile pen-test, testing tools and the cutting-edge techniques. We will cover iOS and Android platforms for the tutorial, the demonstrations prepared for these platforms as well. They will be based on sample vulnerable applications and real applications from the application stores. The followings are the headlines of the mobile pen-test tutorial.

Penetration Testing for Mobile Applications and Web Services
  • Mobile Applications 101
    • Preparing a mobile pen-test lab 
  • Auditing platform integration 
    • Compile options, Encryption, Storage, Caching, Logs
  • Reverse engineering
    • Unpacking, Deobfuscating, Permission Management
    • Source code analysis, Protection bypass, Sandbox Issues
    • Runtime manipulation, Debugging
  • Transport and communication features 
    • Certificate pinning, MITM, Fake services

Moreover, Shawn Thompson and I have prepared an another tutorial as well, Next Generation Attacks and Countermeasures for VoIP. Registration link is accessible from here and the major tool of the tutorial, Viproy, is accessible from here. We're planning to demonstrate next generation VoIP attacks starting from the LAN attacks to the SIP, Skinny, Trust and Proxy attacks. The beta versions of the new Viproy modules will be in these demonstrations as well such as Skinny signalling protocol attacks, CDP support, Cisco vendor support for SIP, TCP and SSL support for SIP. We will prepare a test lab for the tutorial which includes different SIP servers, VLAN supported switch, Cisco SIP and Skinny services. The followings are the headlines of the mobile pen-test tutorial.

Next Generation Attacks and Countermeasures for VoIP
  • Network Infrastructure Analysis
    • WAN/LAN/VLAN analysis, Service discovery
  • IP Telephony Server Security
    • Weak configuration, Management issues
  • SIP, Skinny and RTP Analysis
    • Discovery, Authentication, Call tests, VAS
    • Enumeration, Eavesdropping, Call Spoofing
  • VoIP Clients’ Security 
  • Advanced Attacks
    • Trust hacking, Proxy hacking, DoS, Fuzzing
If you have further questions about these tutorials, feel free to contact me at fatih.ozavci at viproy.com. 

Sep 2, 2013

The Notes about my USA Trip: Defcon, Blackhat and Cluecon

I have been USA for 2 weeks. I have presented my VoIP research and Viproy VoIP Penetration Testing Kit at Blackhat Arsenal 2013, Defcon 21 and Cluecon 2013. My presentation is below, VoIP Wars: Return of the SIP and you can get Viproy from www.viproy.com. I'll share my USA experience in this blog entry, my plans about Viproy and its new modules/features will be explained in an another blog entry. 

Jun 18, 2013

Hacking SIP Like a Boss! (Athcon 2013) Live Demo Remake

I had a presentation at Athcon 2013, Hacking SIP Like a Boss!. I have showed a Live Demo after Basic Usage Videos. This video is remake of Live Demo part. You can check basic usage of Viproy VoIP Penetration Kit from here.

Live Demo Headlines
  1. SIP Proxy Bounce Attack
  2. Hacking SIP Trust Relationships
  3. Attacking Mobile Applications Using SIP Trust



Viproy VoIP Penetration Kit Homepage
http://viproy.com/voipkit

Blog
http://fozavci.blogspot.com

Jun 12, 2013

Blackhat Arsenal USA 2013

Viproy VoIP Penetration Testing and Exploitation Kit is accepted for Blackhat Arsenal USA 2013. It will be amazing for me, I will present it at Las Vegas, USA. Blackhat Arsenal USA 2013 line up is announced and many good tools are waiting for us. You can check all tools and author via this Blackhat Arsenal USA page.

Line up contains many cool tools. My favorite tools are armitage, dalvik inspector, drozer, gotbeef, hookme, smartphone pen-test framework, set and vega. They have created an author page for me, I liked it :-)

I'm working on a few modules for Viproy and I'm planning to announce them at Blackhat Arsenal USA 2013. SIP Message support, DDOS via SIP servers and MITM Fuzzing modules are coming.

Athcon 2013 - Presentation, Notes and Photos

Athcon is annual, two-day security conference at Greece. I have presented "Hacking SIP Like a Boss" there and I had so much fun. It was amazing and there were really cool presentations at Athcon. Also I have met a few good friends such as Juriaan Breemer (@skier_t), George Nicolaou (@george_nicolaou), Michele Orru' (@antisnatchor), Ben Williams (@insidetrust) and Max Sobell (@msobell). Great thanks to  Christian Papathanasiou, Kyprianos Vasilopoulos and the Athcon team. They have created an impressive security conference at Greece.

My favorite presentations at Athcon
  • Rooting your internals: custom shellcode, BeEF and Inter-Protocol Exploitation (Michele Orru')
  • Attacking NFC Mobile Wallets: Where Trust Breaks Down (Max Sobell)
  • Automated analysis and Deobfuscation of Android Apps & Malware (Jurriaan Bremer)
  • The Icarus story (George Nicolaou)
  • Hacking Appliances: Ironic exploits in security products (Ben Williams)

Slide Set of Hacking SIP Like a Boss!


Special thanks to Athcon team, because they let me add a few slides in my presentation about Gezi Park Protest in Istanbul (#occupygezi). You can check them in my presentation.




Of course, pics or it didn't happen! :-)  (continue for pics...)

May 7, 2013

UDP Port Scanning Using SIP Proxies

Port Scanning is an important phase of network mapping. All attacks and collected information rely on this phase. It's more important when discovering VoIP networks, because of UDP and IP based trust infrastructure. We can discover network services and SIP services via UDP scan, but we can detect only accessible servers. We need more information to execute SIP Trust based attacks. 

However a simple technique helps us to discover inaccessible SIP servers. SIP Proxies redirect SIP requests to host in SIP URI. When the request contains this header "sip:HOST:PORT", SIP Proxy try to redirect request to the target HOST and its PORT. SIP Proxy returns HOST's response if there is a response, otherwise time out error generated. We can use this configuration to scan inaccessible servers such as trusted servers, 3rd party servers and private gateway services. 

I developed a PoC scanning module to scan 3rd party servers via SIP Proxies. It's useful for UDP based SIP Server discovery. This module reports accessible servers, ports and SIP service software. I prepared a demo, this is a usage of scanning module to discover ports of 192.168.1.146 and 192.168.1.203. Vulnerable SIP Proxy is 192.168.1.145, we try to scan a port range of target hosts. 

Viproy VoIP Penetration and Exploitation Kit - Github Page
http://github.com/fozavci/viproy-voipkit

Viproy VoIP Penetration and Exploitation Kit - Homepage
http://www.viproy.com/voipkit



msf auxiliary(vsipportscan-options) > show options 

Module options (auxiliary/scanner/sip/vsipportscan-options):

   Name                    Current Setting                            Required  Description
   ----                        ---------------                                --------  -----------
   CHOST                   192.168.1.100                              no        The local client address
   CPORT                   5091                                            no        The local client port
   RHOSTS                 192.168.1.146 192.168.1.203        yes       IP Range for UDP Port Scan
   RPORTS                 5060-5065                                    yes       Port Range for UDP Port Scan
   SIP_SERVER_IP       192.168.1.145                              yes       Vulnerable SIP Server IP
   SIP_SERVER_PORT  5060                                            yes       Vulnerable SIP Server Port
   THREADS               1                                                  yes       The number of concurrent threads

msf auxiliary(vsipportscan-options) > set RPORTS 5058-5062
RPORTS => 5058-5062

msf auxiliary(vsipportscan-options) > set VERBOSE true
VERBOSE => true

msf auxiliary(vsipportscan-options) > run

[*] Starting SIP Socket on 192.168.1.100:5091
[*] Sending Packet for 192.168.1.146:5058
[*] 192.168.1.146 5058 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5059
[*] 192.168.1.146 5059 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5060
[+] 192.168.1.146 5060 is Open
    Server : FPBX-2.11.0beta2(11.2.1)

[*] Sending Packet for 192.168.1.146:5061
[*] 192.168.1.146 5061 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5062
[*] 192.168.1.146 5062 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5058
[*] 192.168.1.203 5058 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5059
[*] 192.168.1.203 5059 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5060
[+] 192.168.1.203 5060 is Open
    User-Agent : 3CXPhoneSystem 11.0.28976.849 (28862)

[*] Sending Packet for 192.168.1.203:5061
[*] 192.168.1.203 5061 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5062
[*] 192.168.1.203 5062 is Close/Filtered

[*] Stopping SIP Sockets...
[*] Auxiliary module execution completed


Apr 29, 2013

Security Audit of NGN and VoIP Systems (Turkish)

I have presented a seminar about NGN and VoIP Security Analysis at Cypsec 2013 event. This slide set includes NGN and VoIP Attacking Techniques in Basic, Using Viproy VoIP Kit for Attacks and Its Features. 


Apr 24, 2013

SSL over IO Usage for Converting HTTPS Connect Requests on MITM Analysis

Mobile applications use SSL Connect requests to connect remote server for HTTPS Communications. Mobile Applications should be analyzed dynamically during Penetration Tests and MITM attacks are very useful in this stage. HTTPS communications should be converted via MITM Proxies such as Burp Proxy and Fiddler2. These tools useful to convert HTTPS Connect requests and intercept them. Manual request mangling and fuzzing depend on this HTTPS Connect conversion. These tools are closed source and they don't explain this feature.   

MBFuzzer is a subproject of Yakindan Egitim, I'm mentor of this MBFuzzer and Mehmet Kilic is the developer of it. MBFuzzer is an MITM Mobile Application Fuzzing tool, HTTPS Connect conversion is one of the main requirements. We presented a way to convert HTTPS Connect requests via IO (Input/Output).  It has a little CA Error bug but it works for conversion, it will be fixed later.

When MBFuzzer Proxy detects a HTTPS Connect Request (CONNECT domain:port HTTP/1.1), it connects target (domain:port) and send "HTTP/1.1 200 Connection Established" message to client socket. After this message, Client tries to initiate a HTTPS session and MBFuzzer accepts this connection as a server via sending connection to ssl_io function (ssl_connection=ssl_io(connection)).

This Code is Responsible to Convert HTTPS Requests


#creating ssl io object
def ssl_io(io)
begin
   sslContext = OpenSSL::SSL::SSLContext.new
   sslContext.cert = OpenSSL::X509::Certificate.new(File.open('./certs/server.crt'))
   sslContext.key = OpenSSL::PKey::RSA.new(File.open('./certs/server.key'))
   sslContext.ca_file = './certs/cacert.pem'
   sslContext.verify_mode = OpenSSL::SSL::VERIFY_NONE
sslio = OpenSSL::SSL::SSLSocket.new(io, sslContext)
sslio.sync_close = true
sslio.accept
rescue Exception => sslException
puts "SSL Exception : #{sslException}"
end
return sslio
end


Standard implementations of ruby SSL servers use OpenSSL::SSL::SSLServer class, unfortunately this class is not useful in this situation. It's designed to serve SSL via TCP Socket and it doesn't work without it. We used OpenSSL::SSL::SSLSocket class that designed to initiate SSL client requests. We disabled "sync" that try to make an SSL handshake and started to accept this IO as an SSL socket. After this modifications; MBFuzzer accepts HTTPS Connect requests, handles SSL IO as a server, manipulate content, sends it to remote server and redirect response to client via SSL session.

We have a few bugs of course, a tls error caused by CA issues and IO.sysread problems. You can inspect our project, use this HTTPS Proxy Library in your project or send us fixes. It's license is GPL, you can use or contribute it. We are working on bugs, on-the-fly certification generation and request mangling features. I'll keep this blog updated about MBFuzzer and Yakindan Egitim projects.




Apr 13, 2013

Viproy - VoIP Penetration and Exploitation Testing Kit

Viproy Voip Pen-Test Kit is developed to improve quality of SIP Penetration Tests. It provides authentication feature that helps to create simple tests. It includes 7 different modules with authentication support: options tester, brute forcer, enumerator, invite tester, trust analyzer, proxy and registration tester. All attacks could perform before and after authentication to fuzz SIP services and value added services.


Project Page : http://www.github.com/fozavci/viproy-voipkit
Download : https://github.com/fozavci/viproy-voipkit/archive/master.zip


Attacking SIP/VoIP Servers Using VIPROY VoIP Pen-Test Kit for Fun & Profit - Video

This is a training video for penetration testing of SIP servers.

Chapters of Training Video
1-Footprinting of SIP Services
2-Enumerating SIP Services
3-Registering SIP Service with/without Credentials
4-Brute Force Attack for SIP Service
5-Call Initiation with/without Spoof & Credentials
6-Hacking Trust Relationships
7-Intercepting SIP Client with SIP Proxy



Apr 8, 2013

Exploit Development Using Metasploit Framework (Presentation)

Me and my friend, Canberk Bolat, have presented a seminar about Exploit Development and Metasploit Framework at Free Software and Linux Days 2013 event. This slide set includes basic Exploit Development Techniques, Metasploit Framework Mixins and Its Features. Also we have demonstrated exploit development techniques with sample codes and exploit modules.