Jan 30, 2017

Troopers'17 - VoIP Wars: The Live Training

Troopers security conference in Heidelberg, Germany is one of my favourites. I have provided a VoIP training during Troopers'15, I also enjoyed some talks and social activities during the event. This year, Troopers will celebrate the 10 year anniversary, and my training will also take a place in during Troopers'17, thanks to Enno Rey and Niki Vonderwell.

VoIP Wars: The Live Training will be a hands-on phreaking experience for the participants. The training will have less talk, but more hands-on exercises using the especially designed Viproyable virtual machine. The participants will use Viproy and some open source tools to discover the vulnerabilities of Viproyable, solve the CTF challenges and demonstrate their knowledge during the training. This will be first announcement of Viproyable VM, but the project (after some fixes) may be a public project after Troopers as well. 

The training will take a place on March 20, 2017 (at 9:00 am), the Troopers web page can be used to register. The summary information and detailed topics are also below in case of you need more information about what will be on this training.

Hands-on Exercises of Viproyable:

  • VoIP service discovery
  • Enumeration using various responses
  • Gathering unauthorised access to the extensions
  • Hijacking voicemails
  • Performing call spoofing attacks
  • Discovering SIP trust relationships
  • Harvesting information via IP phone configuration files
  • Gaining unauthorised access to Asterisk Management
  • Remote code execution through SIP services
  • Remote code execution through FreePBX modules
  • Decoding RTP sessions and Decrypting SRTP sessions for eavesdropping
  • Exploiting Cisco CUCDM services

Training Abstract:

VoIP attacks have evolved, and they are targeting Unified Communications (UC), commercial services, hosted environment and call centres using major vendor and protocol vulnerabilities. This workshop is designed to experience these cutting edge VoIP attacks, and improve the VoIP skills of the incident response teams, penetration testers and network engineers. Modern attack vectors and broad threats against the VoIP ecosystem will be discussed and analysed for major vendor and protocol vulnerabilities with references to their targets. The major products to be targeting in the workshop are Cisco CUCM, Microsoft Lync/Skype and Asterisk. 

In this hands-on workshop, the participants will learn about Unified Communications security fundamentals and testing with practical attacks to improve their skills. Attack scenarios will be discussed for various types of UC implementations to cover business services such as call centres, service operator networks and cloud services. In addition, they will be provided with the workshop and exercises notes as well as a USB stick that includes virtual machines and software to be used during workshop. The workshop exercises will be conducted using the open source tools and Viproy VoIP penetration testing kit developed by the trainer.

Training Details:

IP Telephony Server Security 
IP telephony servers are responsible to provide UC services such as SIP, Skinny, RTP and XMPP for clients and connected third-party systems. Also they may have various essential services such as DHCP, DNS, TFTP, FTP, HTTP, management services and IP phone services. The services running on the IP telephony servers are susceptible to mainstream vulnerabilities, vulnerabilities detected on open source libraries and insecure configuration. Those vulnerabilities can be exploited to permanently compromise the UC infrastructure through IP telephony servers. The participants will discover well-known vulnerabilities, published vulnerabilities of the VoIP servers and insecure configuration to exploit IP telephony servers in the lab. They will be supplied with customised exploits, code samples and scenario plot to complete the exploitation tasks.
  • Design analysis of the sample networks
  • Network and service discovery
  • Missing patches and code execution 
  • Management services analysis

UC Services Security Analysis
Signalling services like SIP and Skinny are used to initiate, operate and manage VoIP calls. This section is prepared to explain and demonstrate weaknesses of the selected signalling services. Information disclosure, authentication issues and authorisation bypass issues are the major vulnerabilities on the signalling services. The participants will experience exploiting protocol and service level vulnerabilities to gain unauthorised access to the UC environment and services. 
UC services are also vulnerable to some specific attacks such as caller identity spoofing, SIP trust relationships hacking, SIP proxy bounce attack or DDoS attacks. These attacks can be used to bypass security restrictions of the SIP networks using protocol vulnerabilities or service configuration. Dial plans used, SIP trunks, clients connected and network infrastructures are the major targets for advanced attacks. The live exercises will cover sample scenarios for the advanced attacks to gain unauthorised access to the UC services such as voicemail services, SIP trunks and Instant Messaging (IM) services.
  • SIP discovery, enumeration and password attacks 
  • Advanced attacks targeting SIP networks
  • Skinny signalling protocol attacks 

Media Transport Security
UC infrastructures uses media transport protocols such as (S)RTP for the voice calls, file, desktop and presentation sharing. The media transmitted may have confidential or sensitive information which can be an object of PCI, COBIT or compliance requirements (e.g. credit card information on the calls to IVR services or costumer privacy). Due to the insecure encryption implementation and design issues, the sensitive information in the media transmitted can be exposed.  The media transport security requirements and implementation issues will be explained with live exercises in this section.
  • Analysing media transport for voice calls
  • Capturing and decoding voice calls
  • Decrypting SRTP encrypted calls

Security Analysis of Major Unified Communications Suites
Major UC product suites such as Cisco CUCM/CUCDM or Microsoft Skype for Business are commonly used for the enterprise services. These suites provide an isolated ecosystem with customised clients (e.g. Cisco Jabber, Cisco Unified Communicator, Cisco IP phones, Microsoft Lync, Microsoft Skype for Business, Polycom IP phones) and service components. UC analysis for a product suite should be customised to identify suite specific vulnerabilities. This section is designed to highlight the vulnerabilities identified on the major product suites and the exploitation vectors. Hosted VoIP environment, enterprise communication and mobile services will be on the target for the live exercises which will be conducted by the participants.
  • Security analysis of UC environments
  • Attacking XML based IP phones services
  • Attacking support services for IP phones 
  • MITM testing of UC via Viproxy


  1. Hi Fatih,
    Here, You have perfectly explained about VoIP service discovery and VoIP attacks. It's True! One needs to be ready and tighten its security for the VoIP Attacks. So, if we are using VoIP technology, we should be aware about the different aspects, pros and cons of it. Informative article :)
    Check VoIP Solution Provider for more details about VoIP.

  2. Inspiring writings and I greatly admired what you have to say , I hope you continue to provide new ideas for us all and greetings success always for you..Keep update more information..
    Security Services in Chennai

  3. This blog is having the general information. Got a creative work and this is very different one.We have to develop our creativity mind.This blog helps for this. Thank you for this blog. This is very interesting and useful.

    Salesforce Training in Chennai

  4. I think your blog has many related info about the How to Overthrow a Government and you are doing a great job.

    How to Overthrow a Government

  5. Thank you...Nice Explanation nice blog about penetration testing Penetration testing services offered by Suma Soft encompass IT Risk assessment, IT Risk analysis, Intrusion Detection, Anti-virus and Malware protection, SPAM and web filters and Firewalls. Suma Soft ensures that the data that matters the most is best-protected. Get a free penetration testing trial here>> Read More: http://bit.ly/2u6wSut

  6. Such a nice blog and I appreciate your all efforts about your thoughts. It’s really good work. well done, keep it up.


  7. Thanks for posting this info. I just want to let you know that I just check out your site and I find it very interesting and informative. I can't wait to read lots of your posts. email

  8. Thanks for sharing informative blog. Few Things You Should Know visit here :
    Cloud Dial
    Cloud telephony for Food and Beverages

  9. Great Article… I love to read your articles because your writing style is too good, its is very very helpful for all of us. Do check | Get trained by an expert who will enrich you with the latest updates.
    Salesforce Training in Chennai
    German Classes in Chennai
    Salesforce crm Training in Chennai
    Salesforce administrator training in chennai
    German Courses in Chennai
    best german classes in chennai