Oct 23, 2014

Viproy VoIP Testing Modules Pull Requests for Metasploit Framework

I have made some cosmetic and required changes to the Viproy source. Some modules, names and functions have been changed for Metasploit Framework compatibility. I need your testing and development support for those modules. I have submitted the Viproy SIP, Skinny and CDP testing modules, the CUCDM exploits and the libraries to the Metasploit Framework repository as pull requests. Please feel free to check out the pull requests, try the code and send comments about the code or its usage.

Viproy VoIP Pen-Test Kit pull requests in the Metasploit Framework Repository:

Viproy VoIP Pen-Test Kit - SIP Testing Modules
https://github.com/rapid7/metasploit-framework/pull/4060

Viproy VoIP Pen-Test Kit - Cisco CDP Testing Module
https://github.com/rapid7/metasploit-framework/pull/4061

Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits
https://github.com/rapid7/metasploit-framework/pull/4065

Viproy VoIP Pen-Test Kit - Cisco Skinny Testing Modules
https://github.com/rapid7/metasploit-framework/pull/4066

Documentation:

Usage and packet capture samples for SIP modules are available at the following link.
https://github.com/fozavci/viproy-voipkit/blob/master/SIPUSAGE.md

Usage and packet capture samples for Skinny modules are available at the following link.
https://github.com/fozavci/viproy-voipkit/blob/master/SKINNYUSAGE.md

Usage and packet capture samples for the auxiliary Viproy modules are available at the following link.
https://github.com/fozavci/viproy-voipkit/blob/master/OTHERSUSAGE.md

Potential testing targets could be the VulnVoIP, AsteriskNow or SipXecs distributions.

Sep 30, 2014

VoIP Wars: Attack of the Cisco Phones (Black Hat USA 2014 Video)

Black Hat USA 2014 videos were published yesterday. The following video is my Black Hat USA 2014 presentation, VoIP Wars: Attack of the Cisco Phones. I have also added the presentation itself and the live demo remake video.

VoIP Wars: Attack of the Cisco Phones (Video)

VoIP Wars: Attack of the Cisco Phones (Presentation)

VoIP Wars: Attack of the Cisco Phones (Live Demo Remake)

Sep 26, 2014

VoIP Wars and the Awesome Audience

Last year was my first DEF CON presentation, “VoIP Wars: Return of the SIP.” I really enjoyed being a part of this amazing security conference. I presented some next generation VoIP attacks such as SIP trust hacking, SIP proxy bounce attacks and attacking mobile applications through the SIP protocol. I also announced my security assessment tool, the Viproy VoIP penetration testing kit, during the conference.


Aug 16, 2014

VoIP Wars: Attack of the Cisco Phones

I shared my research on the security of Cisco-based hosted VoIP networks at Black Hat USA 2014 and DEF CON 22 last week. This research contains several different attack vectors, published vulnerabilities, unpatched vulnerabilities, Skinny protocol attacks, new SIP protocol attacks, VOSS IP phone XML services attacks and a new version of the Viproy VoIP penetration testing kit. I'll prepare a few detailed blog entries about them; before that, you can review the slide set and the recap of the presentation's live demos.


VoIP Wars: Attack of the Cisco Phones (Presentation)

VoIP Wars: Attack of the Cisco Phones (Live Demo Remake)

Mar 21, 2014

AusCERT 2014 Tutorials from Sense of Security

Sense of Security will have 2 tutorials and 3 presentations at AusCERT 2014; details are accessible on the tutorials and presentations pages of the event.

Nathaniel Carew, Nadeem Ahmed Salim and I have prepared a penetration testing tutorial for mobile applications; the registration link is accessible from here. We're planning to explain the test procedures of a mobile pen-test, the testing tools and cutting-edge techniques. We will cover the iOS and Android platforms in the tutorial, and the demonstrations are prepared for these platforms as well. They will be based on sample vulnerable applications and real applications from the application stores. The following are the headlines of the mobile pen-test tutorial.

Penetration Testing for Mobile Applications and Web Services
  • Mobile Applications 101
    • Preparing a mobile pen-test lab 
  • Auditing platform integration 
    • Compile options, Encryption, Storage, Caching, Logs
  • Reverse engineering
    • Unpacking, Deobfuscating, Permission Management
    • Source code analysis, Protection bypass, Sandbox Issues
    • Runtime manipulation, Debugging
  • Transport and communication features 
    • Certificate pinning, MITM, Fake services

Moreover, Shawn Thompson and I have prepared another tutorial, Next Generation Attacks and Countermeasures for VoIP. The registration link is accessible from here and the major tool of the tutorial, Viproy, is accessible from here. We're planning to demonstrate next generation VoIP attacks, starting from LAN attacks and moving on to SIP, Skinny, trust and proxy attacks. Beta versions of the new Viproy modules will be in these demonstrations as well, such as Skinny signalling protocol attacks, CDP support, Cisco vendor support for SIP, and TCP and SSL support for SIP. We will prepare a test lab for the tutorial which includes different SIP servers, a VLAN-capable switch, and Cisco SIP and Skinny services. The following are the headlines of the VoIP tutorial.

Next Generation Attacks and Countermeasures for VoIP
  • Network Infrastructure Analysis
    • WAN/LAN/VLAN analysis, Service discovery
  • IP Telephony Server Security
    • Weak configuration, Management issues
  • SIP, Skinny and RTP Analysis
    • Discovery, Authentication, Call tests, VAS
    • Enumeration, Eavesdropping, Call Spoofing
  • VoIP Clients’ Security 
  • Advanced Attacks
    • Trust hacking, Proxy hacking, DoS, Fuzzing

If you have further questions about these tutorials, feel free to contact me at fatih.ozavci at viproy.com.

Sep 2, 2013

The Notes about my USA Trip: Defcon, Blackhat and Cluecon

I have been in the USA for 2 weeks. I presented my VoIP research and the Viproy VoIP Penetration Testing Kit at Black Hat Arsenal 2013, DEF CON 21 and ClueCon 2013. My presentation, VoIP Wars: Return of the SIP, is below, and you can get Viproy from www.viproy.com. I'll share my USA experience in this blog entry; my plans for Viproy and its new modules/features will be explained in another blog entry.

Jun 18, 2013

Hacking SIP Like a Boss! (Athcon 2013) Live Demo Remake

I gave a presentation at Athcon 2013, Hacking SIP Like a Boss!. I showed a live demo after the basic usage videos. This video is a remake of the live demo part. You can check the basic usage of the Viproy VoIP Penetration Kit from here.

Live Demo Headlines
  1. SIP Proxy Bounce Attack
  2. Hacking SIP Trust Relationships
  3. Attacking Mobile Applications Using SIP Trust
Viproy VoIP Penetration Kit Homepage
http://viproy.com/voipkit

Blog
http://fozavci.blogspot.com

Jun 12, 2013

Blackhat Arsenal USA 2013

The Viproy VoIP Penetration Testing and Exploitation Kit has been accepted for Black Hat Arsenal USA 2013. It will be amazing for me; I will present it in Las Vegas, USA. The Black Hat Arsenal USA 2013 line-up has been announced and many good tools are waiting for us. You can check all the tools and authors via this Black Hat Arsenal USA page.

The line-up contains many cool tools. My favourite tools are armitage, dalvik inspector, drozer, gotbeef, hookme, smartphone pen-test framework, set and vega. They have created an author page for me; I liked it :-)

I'm working on a few modules for Viproy and I'm planning to announce them at Black Hat Arsenal USA 2013. SIP MESSAGE support, DDoS via SIP servers and MITM fuzzing modules are coming.

Athcon 2013 - Presentation, Notes and Photos

Athcon is an annual, two-day security conference in Greece. I presented "Hacking SIP Like a Boss" there and had so much fun. It was amazing and there were really cool presentations at Athcon. I also met a few good friends such as Jurriaan Bremer (@skier_t), George Nicolaou (@george_nicolaou), Michele Orru' (@antisnatchor), Ben Williams (@insidetrust) and Max Sobell (@msobell). Great thanks to Christian Papathanasiou, Kyprianos Vasilopoulos and the Athcon team. They have created an impressive security conference in Greece.

My favorite presentations at Athcon
  • Rooting your internals: custom shellcode, BeEF and Inter-Protocol Exploitation (Michele Orru')
  • Attacking NFC Mobile Wallets: Where Trust Breaks Down (Max Sobell)
  • Automated analysis and Deobfuscation of Android Apps & Malware (Jurriaan Bremer)
  • The Icarus story (George Nicolaou)
  • Hacking Appliances: Ironic exploits in security products (Ben Williams)

Slide Set of Hacking SIP Like a Boss!

Special thanks to the Athcon team, because they let me add a few slides about the Gezi Park protests in Istanbul (#occupygezi) to my presentation. You can check them in my presentation.

Of course, pics or it didn't happen! :-) (continue for pics...)

May 7, 2013

UDP Port Scanning Using SIP Proxies

Port scanning is an important phase of network mapping; all attacks and collected information rely on this phase. It's even more important when discovering VoIP networks, because of their UDP- and IP-based trust infrastructure. We can discover network services and SIP services via a UDP scan, but we can only detect the servers that are accessible to us. We need more information to execute SIP trust based attacks.

However, a simple technique helps us discover inaccessible SIP servers. SIP proxies forward SIP requests to the host named in the SIP URI. When the request URI is "sip:HOST:PORT", the SIP proxy tries to forward the request to the target HOST and PORT. The SIP proxy returns HOST's response if there is one; otherwise a timeout error is generated. We can use this configuration to scan servers we cannot reach directly, such as trusted servers, 3rd party servers and private gateway services.

I developed a PoC scanning module to scan 3rd party servers via SIP proxies. It's useful for UDP-based SIP server discovery. This module reports accessible servers, ports and SIP service software. I prepared a demo; below is the usage of the scanning module to discover the ports of 192.168.1.146 and 192.168.1.203. The vulnerable SIP proxy is 192.168.1.145, and we scan a port range on the target hosts.
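The relaying behaviour described above is also what a proxy operator needs to restrict and to notice. The following is an added example, not Viproy code or the module shown below: it checks each request's Request-URI host against the hosts the proxy serves and flags a source that fans out to several foreign host:port pairs (the LOCAL_DOMAINS set, threshold and sample traffic are assumed, constructed values).

```python
# Added example, not Viproy code: relay policy and bounce-scan detection for
# a SIP proxy. A proxy that forwards any Request-URI host:port lets a client
# probe third-party hosts through it, so we (1) refuse to relay to hosts we do
# not serve and (2) flag a source fanning out to many foreign host:port pairs.
# All addresses and request lines below are constructed sample data.
import re
from collections import defaultdict

LOCAL_DOMAINS = {"sip.example.net", "192.168.1.145"}  # hosts we serve (assumed)
REQ_LINE = re.compile(
    r"^(?P<method>[A-Z]+) sip:(?:[^@\s]+@)?(?P<host>[^:;?\s]+)"
    r"(?::(?P<port>\d+))? SIP/2\.0$")

def parse_target(request_line):
    """Return (host, port) from a SIP request line; port defaults to 5060."""
    m = REQ_LINE.match(request_line.strip())
    if not m:
        raise ValueError("not a SIP request line: %r" % request_line)
    return m.group("host"), int(m.group("port") or 5060)

def relay_allowed(request_line):
    """Mitigation: relay only when the Request-URI host is one of ours."""
    host, _ = parse_target(request_line)
    return host in LOCAL_DOMAINS

class BounceScanDetector:
    """Detection: count distinct foreign (host, port) targets per source IP."""
    def __init__(self, threshold=3):  # distinct foreign targets before alerting
        self.threshold = threshold
        self.targets = defaultdict(set)

    def observe(self, src_ip, request_line):
        """Record one request; True once src_ip reached the fan-out threshold."""
        host, port = parse_target(request_line)
        if host not in LOCAL_DOMAINS:
            self.targets[src_ip].add((host, port))
        return len(self.targets[src_ip]) >= self.threshold

# Constructed traffic: a legitimate call, then a port sweep through the proxy.
SAMPLE = [
    ("10.0.0.7", "INVITE sip:2001@sip.example.net SIP/2.0"),
    ("10.0.0.9", "OPTIONS sip:192.168.1.146:5058 SIP/2.0"),
    ("10.0.0.9", "OPTIONS sip:192.168.1.146:5059 SIP/2.0"),
    ("10.0.0.9", "OPTIONS sip:192.168.1.146:5060 SIP/2.0"),
]

def run_sample():
    """Return (src, relay_allowed, scanner_flagged) for each sample request."""
    det = BounceScanDetector()
    return [(src, relay_allowed(line), det.observe(src, line)) for src, line in SAMPLE]
```

A 403 for rejected requests, plus an alert on the flagged source, gives the proxy operator both the block and the log entry; the same foreign-target counting works on an existing proxy's request log.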

Viproy VoIP Penetration and Exploitation Kit - Github Page
http://github.com/fozavci/viproy-voipkit

Viproy VoIP Penetration and Exploitation Kit - Homepage
http://www.viproy.com/voipkit



msf auxiliary(vsipportscan-options) > show options 

Module options (auxiliary/scanner/sip/vsipportscan-options):

   Name             Current Setting              Required  Description
   ----             ---------------              --------  -----------
   CHOST            192.168.1.100                no        The local client address
   CPORT            5091                         no        The local client port
   RHOSTS           192.168.1.146 192.168.1.203  yes       IP Range for UDP Port Scan
   RPORTS           5060-5065                    yes       Port Range for UDP Port Scan
   SIP_SERVER_IP    192.168.1.145                yes       Vulnerable SIP Server IP
   SIP_SERVER_PORT  5060                         yes       Vulnerable SIP Server Port
   THREADS          1                            yes       The number of concurrent threads

msf auxiliary(vsipportscan-options) > set RPORTS 5058-5062
RPORTS => 5058-5062

msf auxiliary(vsipportscan-options) > set VERBOSE true
VERBOSE => true

msf auxiliary(vsipportscan-options) > run

[*] Starting SIP Socket on 192.168.1.100:5091
[*] Sending Packet for 192.168.1.146:5058
[*] 192.168.1.146 5058 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5059
[*] 192.168.1.146 5059 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5060
[+] 192.168.1.146 5060 is Open
    Server : FPBX-2.11.0beta2(11.2.1)

[*] Sending Packet for 192.168.1.146:5061
[*] 192.168.1.146 5061 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5062
[*] 192.168.1.146 5062 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5058
[*] 192.168.1.203 5058 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5059
[*] 192.168.1.203 5059 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5060
[+] 192.168.1.203 5060 is Open
    User-Agent : 3CXPhoneSystem 11.0.28976.849 (28862)

[*] Sending Packet for 192.168.1.203:5061
[*] 192.168.1.203 5061 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5062
[*] 192.168.1.203 5062 is Close/Filtered

[*] Stopping SIP Sockets...
[*] Auxiliary module execution completed