Oct 27, 2014

Training: Practical VoIP Hacking with Viproy (Kiwicon'14)

We have prepared a VoIP hacking training for the Kiwicon security conference at New Zealand. The training focus is the testing of the VoIP signalling protocols using Viproy. We'll explain the VoIP essentials and the protocol basics for SIP and Skinny. Also it will be demonstrated that how we can attack to the VoIP servers using web management interfaces, essential services and signalling services. Viproy VoIP penetration testing kit will be in use for the basic and advanced attacks such as SIP trust hacking, SIP proxy bounce attack, Skinny service manipulation, CUCDM exploitation and attacking VoIP clients. If you're interested in about VoIP and attending to Kiwicon, come and join us in this training.

Registration:

You can sign up this training using the form at the Kiwicon homepage.

Summary:

SIP and Skinny servers provide signalling services and they are the centre of Unified Communication networks and VoIP services. Signalling protocols are susceptible to IP spoofing, proxy trust issues, call spoofing, authentication bypass and bogus signalling flows. It can be hacked with legacy techniques, but a few new attack types will be demonstrated in this training. This training includes basic attack types for UC infrastructure, advanced attacks to the SIP and Skinny protocol weaknesses, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy to analyse SIP services using novel techniques. 

Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by the trainer). It has a dozen modules to test trust hacking issues, information collected from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts and debugging services using as MITM. Furthermore, Viproy provides these attack modules in a Metasploit Framework environment and full integration. The training contains live demonstration of practical VoIP attacks and usage of new Viproy modules.

Outline:


1. IP Telephony Server Security

  • Operating System Security
  • Weak and Default Configuration Weaknesses
  • Management Features
  • Log and Call Record Security
  • 3rd party IP phone support, address book and global information services 

     Demonstrations: 
  • Missing patches and code execution 
  • Management and user accounts analysis
  • Attacking IP phone support services

2. Signalling Analysis

  • Basics of Protocols (SIP/Skinny)
  • Authentication and Authorisation Analysis
  • Signalling Features and Call Spoofing
  • Restriction Bypass Attacks
  • Man-In-The-Middle (MITM) Attacks
  • Custom SIP Tests, Feature and Dial Plan Analysis
  • Value Added Services Analysis
  • Encryption Analysis

     Demonstrations:
  • SIP service discovery
  • Authentication tests
  • Enumeration and password attacks 
  • Call, Message and DoS tests
  • Skinny signalling protocol attacks 
  • SIP MITM module of Viproy and usage
  • MITM attacks 
  • VAS testing 
  • Call eavesdropping

3. VoIP Clients’ Security

  • Client Management Procedure Analysis
  • Initialisation, Installation, Update and Upgrade Weaknesses
  • Support Services (TFTP, DHCP, FTP, HTTP)
  • Remote Management and Services Analysis 
  • Embedded Software Vulnerabilities
  • Denial of Service Vulnerabilities 

     Demonstrations:
  • VoIP handset vulnerabilities (Cisco IP Phone)
  • VoIP softphone vulnerabilities
  • Attacking to the support services 

4. Advanced Attacks 

  • Attacking Hosted VoIP Solutions
  • SIP Proxy Bounce Attack
  • Fake Services and MITM Fuzzing
  • (Distributed) Denial of Service
  • Attacking SIP Soft Switches and SIP Clients
  • SIP Amplification Attack
  • Hacking Trust Relationships of SIP Gateways
  • Attacking SIP Clients via SIP Trust Relationships
  • Fuzzing in Advance

     Demonstrations:
  • SIP proxy bounce attack
  • SIP trust hacking
  • Fuzzing samples 
  • DoS and DDoS attacks