Feb 14, 2013

Hacking Trust Relationships Between SIP Gateways

----------------------------------a Good Introduction from Mr. Paul Henry (phenry at sans.org)-----------------
The ability to abuse trust relationships has plagued (and continues to) many aspects of network security. One of the most memorable attacks that clearly illustrated an abuse of trust relationships was back in 1995 - the Kevin Mitnick / Tsutomu Shimomura hack. Through a combination of spoofing his IP address, guessing predictable IP sequence numbers and a SYN flood attack Kevin Mitnick was able to abuse the trust relationship of Tsutomu Shimomura's network. Once he had successfully abused the trust relationship of Tsutomu Shimomura's network he was able to then maintain persistence by simply adding himself to the .rhosts file on Tsutomu Shimomura's computer. While it was 18 years ago the premiss of the attack is still just as relevant today as shown in this blog post - Trust Relationship + Reconnaissance + Predictability = HACKED ! 
----------------------------------------------------Thanks for Introduction---------------------------------------------------

NGN (Next Generation Networks) operators provide SIP services for their customers. Customers can call other operator's customers via SIP services and SIP gateways. SIP gateways use SIP Trunks for trusted call initiation and cdr/invoice management.

SIP trunk defines as an IP address or specific FROM number in many cases. Challenge-Response or certificate based authentication is slow for quick response in this type of large call counts. Because of that, SIP trunks have no password or IP based filter applied for trunk authentication. These SIP trunks use specific FROM numbers or Proxy fields to initiate a call. Besides, most of SIP trunks have Direct INVITE privilege without REGISTER.

Feb 8, 2013

SIP/NGN Services Pen-Testing using SIP Pen-Testing Kit (Training Video)

SIP Pen-Testing Kit for Metasploit is developed to help SIP Pen-Tests. This video prepared for demonstration and training for SIP Pen-Testing Kit.

Pen-Testing Steps in the Video

  • SIP Service Discovery
    • Using OPTIONS Requests
    • Using REGISTER Requests
    • REGISTER Without Credentials
    • REGISTER With Valid Credentials
  • Call Tests
    • Direct INVITE Without Credentials
    • INVITE With Credentials
    • INVITE Spoofing With Credentials
  • DOS Tests
    • INVITE Sending to Valid Users (With/Without Credentials)
    • INVITE Sending to Numeric Range (With/Without Credentials)
  • Enumeration
    • Enumerating Users and Accounts with Numeric Range (SUBSCRIBE, REGISTER, INVITE)
    • Enumerating Users and Accounts with a Users File (SUBSCRIBE, REGISTER, INVITE)
  • Brute Force
    • Password Brute Force to a Target Account
    • Password Brute Force to a Numeric Range
    • Password Brute Force with a Users File
For Code

Feb 7, 2013

GamaSEC SIP Pen-Test Kit for Metasploit Framework

Project Page : http://www.github.com/fozavci/gamasec-sipmodules

SIP library for Metasploit is developed to help SIP Penetration Tests. It provides authentication feature that helps to create simple tests. It includes 5 different modules with authentication support: options tester, brute forcer, enumerator, invite tester and registration tester. All attacks could perform before and after authentication to fuzz SIP services and value added services.

Pen-Tester's Guide for Metasploit Framework (in Turkish)

I prepared a detailed penetration testing guide for Metasploit Framework. This guide includes many basic usage samples, exploitation basics, auxiliary modules usage and more. Also there are chapters for basic exploit development, module development and post-exploitation samples. It's prepared in Turkish, but all codes are readable in English.