Apr 29, 2013

Security Audit of NGN and VoIP Systems (Turkish)

I have presented a seminar about NGN and VoIP Security Analysis at Cypsec 2013 event. This slide set includes NGN and VoIP Attacking Techniques in Basic, Using Viproy VoIP Kit for Attacks and Its Features. 

Apr 24, 2013

SSL over IO Usage for Converting HTTPS Connect Requests on MITM Analysis

Mobile applications use SSL Connect requests to connect remote server for HTTPS Communications. Mobile Applications should be analyzed dynamically during Penetration Tests and MITM attacks are very useful in this stage. HTTPS communications should be converted via MITM Proxies such as Burp Proxy and Fiddler2. These tools useful to convert HTTPS Connect requests and intercept them. Manual request mangling and fuzzing depend on this HTTPS Connect conversion. These tools are closed source and they don't explain this feature.   

MBFuzzer is a subproject of Yakindan Egitim, I'm mentor of this MBFuzzer and Mehmet Kilic is the developer of it. MBFuzzer is an MITM Mobile Application Fuzzing tool, HTTPS Connect conversion is one of the main requirements. We presented a way to convert HTTPS Connect requests via IO (Input/Output).  It has a little CA Error bug but it works for conversion, it will be fixed later.

When MBFuzzer Proxy detects a HTTPS Connect Request (CONNECT domain:port HTTP/1.1), it connects target (domain:port) and send "HTTP/1.1 200 Connection Established" message to client socket. After this message, Client tries to initiate a HTTPS session and MBFuzzer accepts this connection as a server via sending connection to ssl_io function (ssl_connection=ssl_io(connection)).

This Code is Responsible to Convert HTTPS Requests

#creating ssl io object
def ssl_io(io)
   sslContext = OpenSSL::SSL::SSLContext.new
   sslContext.cert = OpenSSL::X509::Certificate.new(File.open('./certs/server.crt'))
   sslContext.key = OpenSSL::PKey::RSA.new(File.open('./certs/server.key'))
   sslContext.ca_file = './certs/cacert.pem'
   sslContext.verify_mode = OpenSSL::SSL::VERIFY_NONE
sslio = OpenSSL::SSL::SSLSocket.new(io, sslContext)
sslio.sync_close = true
rescue Exception => sslException
puts "SSL Exception : #{sslException}"
return sslio

Standard implementations of ruby SSL servers use OpenSSL::SSL::SSLServer class, unfortunately this class is not useful in this situation. It's designed to serve SSL via TCP Socket and it doesn't work without it. We used OpenSSL::SSL::SSLSocket class that designed to initiate SSL client requests. We disabled "sync" that try to make an SSL handshake and started to accept this IO as an SSL socket. After this modifications; MBFuzzer accepts HTTPS Connect requests, handles SSL IO as a server, manipulate content, sends it to remote server and redirect response to client via SSL session.

We have a few bugs of course, a tls error caused by CA issues and IO.sysread problems. You can inspect our project, use this HTTPS Proxy Library in your project or send us fixes. It's license is GPL, you can use or contribute it. We are working on bugs, on-the-fly certification generation and request mangling features. I'll keep this blog updated about MBFuzzer and Yakindan Egitim projects.

Apr 13, 2013

Viproy - VoIP Penetration and Exploitation Testing Kit

Viproy Voip Pen-Test Kit is developed to improve quality of SIP Penetration Tests. It provides authentication feature that helps to create simple tests. It includes 7 different modules with authentication support: options tester, brute forcer, enumerator, invite tester, trust analyzer, proxy and registration tester. All attacks could perform before and after authentication to fuzz SIP services and value added services.

Project Page : http://www.github.com/fozavci/viproy-voipkit
Download : https://github.com/fozavci/viproy-voipkit/archive/master.zip

Attacking SIP/VoIP Servers Using VIPROY VoIP Pen-Test Kit for Fun & Profit - Video

This is a training video for penetration testing of SIP servers.

Chapters of Training Video
1-Footprinting of SIP Services
2-Enumerating SIP Services
3-Registering SIP Service with/without Credentials
4-Brute Force Attack for SIP Service
5-Call Initiation with/without Spoof & Credentials
6-Hacking Trust Relationships
7-Intercepting SIP Client with SIP Proxy

Apr 8, 2013

Exploit Development Using Metasploit Framework (Presentation)

Me and my friend, Canberk Bolat, have presented a seminar about Exploit Development and Metasploit Framework at Free Software and Linux Days 2013 event. This slide set includes basic Exploit Development Techniques, Metasploit Framework Mixins and Its Features. Also we have demonstrated exploit development techniques with sample codes and exploit modules.

Apr 2, 2013

Hacking Trust Relationships of SIP Gateways (Video Demo)

I prepared an on-the-fly video demo for SIP Trust hacking. This video contains a demonstration about my technical paper, hacking trust relationships of SIP gateways. This paper and my "SIP Pen-Testing Kit for Metasploit" available at http://gamasec.net/fozavci/index-en.html. The tool, SIP Trust Analyzer will be available after Athcon 2013. Another Shiny demo will be presented at Athcon 2013, this video means only "it's just working".