Feb 10, 2015

Training: Tactical VoIP Hacking with Viproy | Troopers 15

SIP and Skinny servers provide signalling services and they are the centre of Unified Communication networks and VoIP services. Signalling protocols are susceptible to IP spoofing, proxy trust issues, call spoofing, authentication bypass and bogus signalling flows. It can be hacked with legacy techniques, but a few new attack types will be demonstrated in this training. This training includes basic attack types for UC infrastructure, advanced attacks to the SIP and Skinny protocol weaknesses, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy to analyse SIP services using novel techniques.

Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by the trainer). It has a dozen modules to test trust hacking issues, information collected from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts and debugging services using as MITM. Furthermore, Viproy provides these attack modules in a Metasploit Framework environment and full integration. The training contains live demonstration of practical VoIP attacks and usage of new Viproy modules.

Registration : Troopers 15  

Training Agenda

  1. Network Infrastructure 
  2. VoIP Server Security
  3. Signalling Security
    1. Signalling Essentials
    2. Testing of SIP and Skinny Services
  4. Media Transport Security
    1. Media Transport Essentials
    2. Testing of RTP, SRTP and Proxy Services
  5. Cloud VoIP Solutions Security
  6. VoIP Client Security
  7. Capture the Flag

Nov 4, 2014

Progress of the Viproy pull requests for the Metasploit Framework

I saw a few challenges to submit Viproy modules to the Metasploit Framework;

Firstly, I'm not a developer, but a pen-tester and a researcher. this means, I prepared this code during an engagement or in a testing environment. 400+ features/skills are implemented in the SIP/Skinny libraries and modules, some skills/features require special systems which I have no access now. Because of this, I cannot provide a lab environment to test all the features/options, maybe during the Kiwicon 2015 training. That's why the source code is pretty dirty, but works in many cases, especially in VoIP pen-test engagement.

Moreover, I'm the only one who improves these modules during actual VoIP penetration tests, limited feedback and no code support. This prevents me to detect/fix errors of the software, only the Metasploit Framework team submitted code modifications on them. Thanks for all the commits and suggestions.

Finally, I have some timing issues before January 2015. "rspec" modifications and full review of the features are really hard tasks, and require a working test lab with all components. I'm not sure I can provide this time to major changes, but I will try.

I believe that Viproy should have a community support, that's why it is developed with the Metasploit Framework, not as a standalone software. These commits and comments show that it still has too much errors to fix and too much features to demonstrate. Also they show that community support is very useful, the Viproy's source code is improved by a team, not the author anymore. Basically this process does work.

Thanks for all support.

Now, we have two ways to decide;

  • It may be slow, but I can support/update these pull requests with you to make Viproy a part of the Metasploit Framework, as soon as I can.
  • or, preparing a good plan and waiting for 2015 Q1 for the major Viproy source improvements for the full Metasploit Framework integration.
Please think about it as a team, and suggest a way to do that. Remember, the code is licensed as the Metasploit License, you're free to fix/improve all features. I'm comfortable for the both options, the problem is only my schedule before Jan 2015.

Original post link at Github : https://github.com/rapid7/metasploit-framework/pull/4066#issuecomment-61608013

/cc @todb-r7 @jhart-r7 @jvazquez-r7 @hmoore-r7

Oct 27, 2014

Training: Practical VoIP Hacking with Viproy (Kiwicon'14)

We have prepared a VoIP hacking training for the Kiwicon security conference at New Zealand. The training focus is the testing of the VoIP signalling protocols using Viproy. We'll explain the VoIP essentials and the protocol basics for SIP and Skinny. Also it will be demonstrated that how we can attack to the VoIP servers using web management interfaces, essential services and signalling services. Viproy VoIP penetration testing kit will be in use for the basic and advanced attacks such as SIP trust hacking, SIP proxy bounce attack, Skinny service manipulation, CUCDM exploitation and attacking VoIP clients. If you're interested in about VoIP and attending to Kiwicon, come and join us in this training.


You can sign up this training using the form at the Kiwicon homepage.

Oct 23, 2014

Viproy VoIP Testing Modules Pull Requests for Metasploit Framework

I have made some cosmetic and required changes on the source of Viproy. Some modules, names and functions are changed for the Metasploit Framework compatibility. I need your testing and development support for those modules. I have submitted the Viproy SIP, Skinny, CDP testing modules, CUCDM exploits and libraries to the Metasploit Framework repository as pull requests. Please feel free to obtain the pull requests, try the code and send comments about the code or usage.

Viproy VoIP Pen-Test Kit pull requests in the Metasploit Framework Repository:

Viproy VoIP Pen-Test Kit - SIP Testing Modules

Viproy VoIP Pen-Test Kit - Cisco CDP Testing Module

Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits

Viproy VoIP Pen-Test Kit - Cisco Skinny Testing Modules


Usage and packet capture samples for SIP modules are available at the following link.

Usage and packet capture samples for SIP modules are available at the following link.

Usage and packet capture samples for the auxiliary Viproy modules are available at the following link.

Potential testing targets could be VulnVoIP, AsteriskNow or SipXecs distributions.

Sep 30, 2014

VoIP Wars: Attack of the Cisco Phones (Black Hat USA 2014 Video)

Black Hat USA 2014 videos are published yesterday. The following video is my Black Hat USA 2014 presentation, VoIP Wars: Attack of the Cisco Phones. Also I have added the presentation itself and the live demo remake video as well.

VoIP Wars: Attack of the Cisco Phones (Video)

VoIP Wars: Attack of the Cisco Phones (Presentation)

VoIP Wars: Attack of the Cisco Phones (Live Demo Remake)

Sep 26, 2014

VoIP Wars and the Awesome Audience

Last year, was my first DEF CON presentation “VoIP Wars: Return of the SIP.” I really enjoyed being a part of this amazing security conference. I presented some next generation VoIP attacks such as SIP trust hacking, SIP proxy bounce attacks and attacking mobile applications through the SIP protocol. I also announced my security assessment tool Viproy VoIP penetration testing kit during the security conference.

Aug 16, 2014

VoIP Wars: Attack of the Cisco Phones

I have shared my Cisco based hosted VoIP networks security research at Blackhat USA 2014 and DEF CON 22 last week. This research contains several different attack vectors, published vulnerabilities, unpatched vulnerabilities, Skinny protocol attacks, new SIP protocol attacks, VOSS IP phone XML services attacks and new version of Viproy VoIP penetration testing kit. I'll prepare a few detailed blog entries for them, before this, you can review the slide set and the recap of the live demos of the presentation.

VoIP Wars: Attack of the Cisco Phones (Presentation)

VoIP Wars: Attack of the Cisco Phones (Live Demo Remake)

Mar 21, 2014

AusCERT 2014 Tutorials from Sense of Security

Sense of Security will have 2 tutorials and 3 presentations at AusCERT 2014, details are accessible at the tutorials and the presentations pages of the event. 

Nathaniel Carew, Nadeem Ahmed Salim and I have prepared a penetration testing tutorial for mobile applications, registration link is accessible from here. We're planning to explain test procedures of the mobile pen-test, testing tools and the cutting-edge techniques. We will cover iOS and Android platforms for the tutorial, the demonstrations prepared for these platforms as well. They will be based on sample vulnerable applications and real applications from the application stores. The followings are the headlines of the mobile pen-test tutorial.

Penetration Testing for Mobile Applications and Web Services
  • Mobile Applications 101
    • Preparing a mobile pen-test lab 
  • Auditing platform integration 
    • Compile options, Encryption, Storage, Caching, Logs
  • Reverse engineering
    • Unpacking, Deobfuscating, Permission Management
    • Source code analysis, Protection bypass, Sandbox Issues
    • Runtime manipulation, Debugging
  • Transport and communication features 
    • Certificate pinning, MITM, Fake services

Moreover, Shawn Thompson and I have prepared an another tutorial as well, Next Generation Attacks and Countermeasures for VoIP. Registration link is accessible from here and the major tool of the tutorial, Viproy, is accessible from here. We're planning to demonstrate next generation VoIP attacks starting from the LAN attacks to the SIP, Skinny, Trust and Proxy attacks. The beta versions of the new Viproy modules will be in these demonstrations as well such as Skinny signalling protocol attacks, CDP support, Cisco vendor support for SIP, TCP and SSL support for SIP. We will prepare a test lab for the tutorial which includes different SIP servers, VLAN supported switch, Cisco SIP and Skinny services. The followings are the headlines of the mobile pen-test tutorial.

Next Generation Attacks and Countermeasures for VoIP
  • Network Infrastructure Analysis
    • WAN/LAN/VLAN analysis, Service discovery
  • IP Telephony Server Security
    • Weak configuration, Management issues
  • SIP, Skinny and RTP Analysis
    • Discovery, Authentication, Call tests, VAS
    • Enumeration, Eavesdropping, Call Spoofing
  • VoIP Clients’ Security 
  • Advanced Attacks
    • Trust hacking, Proxy hacking, DoS, Fuzzing
If you have further questions about these tutorials, feel free to contact me at fatih.ozavci at viproy.com. 

Sep 2, 2013

The Notes about my USA Trip: Defcon, Blackhat and Cluecon

I have been USA for 2 weeks. I have presented my VoIP research and Viproy VoIP Penetration Testing Kit at Blackhat Arsenal 2013, Defcon 21 and Cluecon 2013. My presentation is below, VoIP Wars: Return of the SIP and you can get Viproy from www.viproy.com. I'll share my USA experience in this blog entry, my plans about Viproy and its new modules/features will be explained in an another blog entry. 

Jun 18, 2013

Hacking SIP Like a Boss! (Athcon 2013) Live Demo Remake

I had a presentation at Athcon 2013, Hacking SIP Like a Boss!. I have showed a Live Demo after Basic Usage Videos. This video is remake of Live Demo part. You can check basic usage of Viproy VoIP Penetration Kit from here.

Live Demo Headlines
  1. SIP Proxy Bounce Attack
  2. Hacking SIP Trust Relationships
  3. Attacking Mobile Applications Using SIP Trust

Viproy VoIP Penetration Kit Homepage