Showing posts with label ngn. Show all posts

Aug 13, 2015

The Art of VoIP Hacking - DEF CON 23 Workshop Materials

The Art of VoIP Hacking workshop was presented at DEF CON 23 USA last week. We discussed VoIP vulnerabilities, design issues and current threats targeting VoIP environments. In addition, we demonstrated the major attack vectors for VoIP services, including advanced SIP attacks, exploitation of VoIP server vulnerabilities, Cisco Skinny attacks, attacks against Cisco hosted VoIP services (CUCM/CUCDM), decryption of SRTP traffic and exploitation of VoIP client vulnerabilities. More than 35 attendees used the Viproy VoIP Penetration Testing Kit to attack the test environment, which had a sample target for each attack exercise. The following materials are provided for the DEF CON 23 workshop, and also for the VoIP community, to improve unified communications security.

May 7, 2013

UDP Port Scanning Using SIP Proxies

Port scanning is an important phase of network mapping; all later attacks and collected information rely on it. It is even more important when discovering VoIP networks, because their trust infrastructure is UDP and IP based. We can discover network services and SIP services with a UDP scan, but only on servers we can reach directly. We need more information to execute SIP trust based attacks.

However, a simple technique helps us discover inaccessible SIP servers. SIP proxies forward SIP requests to the host named in the SIP URI. When the request is addressed to "sip:HOST:PORT", the SIP proxy tries to forward the request to HOST on PORT. The proxy returns HOST's response if there is one; otherwise a timeout error is generated. We can use this behaviour to scan servers we cannot reach directly, such as trusted servers, third-party servers and private gateway services.

I developed a PoC scanning module to scan third-party servers via SIP proxies. It is useful for UDP based SIP server discovery. The module reports accessible servers, ports and SIP service software. I prepared a demo; this is a usage of the scanning module to discover ports on 192.168.1.146 and 192.168.1.203. The vulnerable SIP proxy is 192.168.1.145, and we scan a port range on the target hosts.

Viproy VoIP Penetration and Exploitation Kit - Github Page
http://github.com/fozavci/viproy-voipkit

Viproy VoIP Penetration and Exploitation Kit - Homepage
http://www.viproy.com/voipkit



msf auxiliary(vsipportscan-options) > show options 

Module options (auxiliary/scanner/sip/vsipportscan-options):

   Name             Current Setting              Required  Description
   ----             ---------------              --------  -----------
   CHOST            192.168.1.100                no        The local client address
   CPORT            5091                         no        The local client port
   RHOSTS           192.168.1.146 192.168.1.203  yes       IP Range for UDP Port Scan
   RPORTS           5060-5065                    yes       Port Range for UDP Port Scan
   SIP_SERVER_IP    192.168.1.145                yes       Vulnerable SIP Server IP
   SIP_SERVER_PORT  5060                         yes       Vulnerable SIP Server Port
   THREADS          1                            yes       The number of concurrent threads

msf auxiliary(vsipportscan-options) > set RPORTS 5058-5062
RPORTS => 5058-5062

msf auxiliary(vsipportscan-options) > set VERBOSE true
VERBOSE => true

msf auxiliary(vsipportscan-options) > run

[*] Starting SIP Socket on 192.168.1.100:5091
[*] Sending Packet for 192.168.1.146:5058
[*] 192.168.1.146 5058 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5059
[*] 192.168.1.146 5059 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5060
[+] 192.168.1.146 5060 is Open
    Server : FPBX-2.11.0beta2(11.2.1)

[*] Sending Packet for 192.168.1.146:5061
[*] 192.168.1.146 5061 is Close/Filtered

[*] Sending Packet for 192.168.1.146:5062
[*] 192.168.1.146 5062 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5058
[*] 192.168.1.203 5058 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5059
[*] 192.168.1.203 5059 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5060
[+] 192.168.1.203 5060 is Open
    User-Agent : 3CXPhoneSystem 11.0.28976.849 (28862)

[*] Sending Packet for 192.168.1.203:5061
[*] 192.168.1.203 5061 is Close/Filtered

[*] Sending Packet for 192.168.1.203:5062
[*] 192.168.1.203 5062 is Close/Filtered

[*] Stopping SIP Sockets...
[*] Auxiliary module execution completed
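As an added example (this is not code from the post or from Viproy), the following Python shows the two halves of what the scan output above reflects: how a reply relayed through the proxy becomes an "Open" verdict carrying the Server or User-Agent string, and, from the proxy operator's side, how to flag requests whose Request-URI names a host the proxy does not serve, which is the log signature of this relaying. The SIP messages, addresses and served-host list are constructed; treating only 408 and 503 as proxy-generated "nothing answered" failures is my assumption.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample messages (RFC 5737 documentation addresses, not captured traffic).
PROXY_RESPONSE_OPEN = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5091;branch=z9hG4bK-example1\r\n"
    "From: <sip:scan@192.0.2.10>;tag=a1\r\n"
    "To: <sip:options@198.51.100.20:5060>;tag=b2\r\n"
    "Call-ID: example1@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Server: EXAMPLE-PBX/1.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
PROXY_RESPONSE_TIMEOUT = (
    "SIP/2.0 408 Request Timeout\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5091;branch=z9hG4bK-example2\r\n"
    "From: <sip:scan@192.0.2.10>;tag=a1\r\n"
    "To: <sip:options@198.51.100.20:5061>\r\n"
    "Call-ID: example2@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# A request as a proxy would log it: the Request-URI names a third host, not the proxy itself.
RELAYED_REQUEST = (
    "OPTIONS sip:198.51.100.20:5062 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5091;branch=z9hG4bK-example3\r\n"
    "From: <sip:scan@192.0.2.10>;tag=a1\r\n"
    "To: <sip:options@198.51.100.20:5062>\r\n"
    "Call-ID: example3@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
LOCAL_REQUEST = (
    "OPTIONS sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5091;branch=z9hG4bK-example4\r\n"
    "From: <sip:alice@pbx.example.net>;tag=c3\r\n"
    "To: <sip:pbx.example.net>\r\n"
    "Call-ID: example4@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Assumption: these codes are the ones a proxy generates itself when the next hop never answers.
PROXY_GENERATED_FAILURES = {408, 503}


def parse_sip(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a SIP message into its start line and a lower-cased header map (body ignored)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_proxy_response(raw: str) -> Tuple[str, Optional[str]]:
    """Mirror the scanner's verdict: any reply relayed from the target means its port is open."""
    start, headers = parse_sip(raw)
    m = re.match(r"SIP/2\.0 (\d{3}) ", start)
    if not m or int(m.group(1)) in PROXY_GENERATED_FAILURES:
        return "closed/filtered", None
    # Server (servers) or User-Agent (user agents) reveals the software, as in the scan output.
    return "open", headers.get("server") or headers.get("user-agent")


def request_uri_host(raw: str) -> Optional[str]:
    """Return the host part of a request's Request-URI (user@, port and parameters stripped)."""
    start, _ = parse_sip(raw)
    m = re.match(r"[A-Z]+ sips?:(?:[^@\s]+@)?([^;\s]+) SIP/2\.0", start)
    if not m:
        return None
    hostport = m.group(1)
    if hostport.startswith("["):  # bracketed IPv6 literal
        return hostport[1:hostport.index("]")]
    return hostport.split(":", 1)[0]


def is_relay_attempt(raw: str, served_hosts: Set[str]) -> bool:
    """Flag a request whose Request-URI targets a host this proxy does not serve."""
    host = request_uri_host(raw)
    return host is not None and host not in served_hosts


if __name__ == "__main__":
    served = {"pbx.example.net", "192.0.2.5"}  # constructed list of hosts the proxy is for
    for label, msg in (("open", PROXY_RESPONSE_OPEN), ("timeout", PROXY_RESPONSE_TIMEOUT)):
        print(label, "->", classify_proxy_response(msg))
    for label, msg in (("relayed", RELAYED_REQUEST), ("local", LOCAL_REQUEST)):
        print(label, "-> relay attempt:", is_relay_attempt(msg, served))
```

On the proxy side the fix is configuration rather than detection: a proxy should only forward to the domains and next hops it is responsible for, so a Request-URI host outside that set is both something to alert on and something the proxy should reject outright.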


Apr 13, 2013

Viproy - VoIP Penetration and Exploitation Testing Kit

Viproy VoIP Pen-Test Kit is developed to improve the quality of SIP penetration tests. It provides an authentication feature that helps to create simple tests. It includes 7 different modules with authentication support: options tester, brute forcer, enumerator, invite tester, trust analyzer, proxy and registration tester. All attacks can be performed before and after authentication to fuzz SIP services and value added services.


Project Page : http://www.github.com/fozavci/viproy-voipkit
Download : https://github.com/fozavci/viproy-voipkit/archive/master.zip


Attacking SIP/VoIP Servers Using VIPROY VoIP Pen-Test Kit for Fun & Profit - Video

This is a training video for penetration testing of SIP servers.

Chapters of Training Video
1-Footprinting of SIP Services
2-Enumerating SIP Services
3-Registering SIP Service with/without Credentials
4-Brute Force Attack for SIP Service
5-Call Initiation with/without Spoof & Credentials
6-Hacking Trust Relationships
7-Intercepting SIP Client with SIP Proxy



Apr 2, 2013

Hacking Trust Relationships of SIP Gateways (Video Demo)

I prepared an on-the-fly video demo for SIP trust hacking. This video contains a demonstration of my technical paper, hacking trust relationships of SIP gateways. This paper and my "SIP Pen-Testing Kit for Metasploit" are available at http://gamasec.net/fozavci/index-en.html. The tool, SIP Trust Analyzer, will be available after Athcon 2013. Another shiny demo will be presented at Athcon 2013; this video only means "it's just working".



Feb 14, 2013

Hacking Trust Relationships Between SIP Gateways

---------- A Good Introduction from Mr. Paul Henry (phenry at sans.org) ----------
The ability to abuse trust relationships has plagued (and continues to) many aspects of network security. One of the most memorable attacks that clearly illustrated an abuse of trust relationships was back in 1995 - the Kevin Mitnick / Tsutomu Shimomura hack. Through a combination of spoofing his IP address, guessing predictable IP sequence numbers and a SYN flood attack, Kevin Mitnick was able to abuse the trust relationship of Tsutomu Shimomura's network. Once he had successfully abused the trust relationship of Tsutomu Shimomura's network he was able to then maintain persistence by simply adding himself to the .rhosts file on Tsutomu Shimomura's computer. While it was 18 years ago, the premise of the attack is still just as relevant today, as shown in this blog post - Trust Relationship + Reconnaissance + Predictability = HACKED !
---------- Thanks for the Introduction ----------

NGN (Next Generation Networks) operators provide SIP services for their customers. Customers can call other operators' customers via SIP services and SIP gateways. SIP gateways use SIP trunks for trusted call initiation and CDR/invoice management.

In many cases a SIP trunk is defined as an IP address or a specific FROM number. Challenge-response or certificate based authentication is too slow to give a quick response at this call volume. Because of that, SIP trunks have no password, or only an IP based filter, applied for trunk authentication. These SIP trunks use specific FROM numbers or Proxy fields to initiate a call. Besides, most SIP trunks have Direct INVITE privilege without REGISTER.
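As an added example (not from the post), here is an audit of trunk definitions for the trust weaknesses described above: peers that accept INVITE without authentication, have no secret, and have no source-address filter. The configuration syntax is Asterisk chan_sip's sip.conf, which is my choice for illustration since the post does not name a particular gateway; the fragment, peer names, addresses and the placeholder secret are constructed.

```python
from typing import Dict, List

# Constructed sip.conf fragment (assumption: Asterisk chan_sip syntax; not taken from the post).
SAMPLE_SIP_CONF = """\
[general]
context=default

[trunk-weak]            ; trusted on source address only, no filter, no auth on INVITE
type=peer
host=203.0.113.7
context=from-trunk
insecure=port,invite

[trunk-ipfiltered]      ; same Direct INVITE privilege, but pinned to one source address
type=peer
host=203.0.113.8
context=from-trunk
insecure=invite
deny=0.0.0.0/0.0.0.0
permit=203.0.113.8/255.255.255.255

[trunk-authenticated]   ; challenge-response plus source filter
type=peer
host=203.0.113.9
context=from-trunk
secret=EXAMPLE-PLACEHOLDER-SECRET
deny=0.0.0.0/0.0.0.0
permit=203.0.113.9/255.255.255.255
"""


def parse_sip_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal sip.conf parser that keeps repeated keys (deny/permit/allow may repeat)."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]  # also copes with template syntax [name](!)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def audit_trunks(sections: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Return review points per peer/friend section; sections with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, opts in sections.items():
        if not ({"peer", "friend"} & set(opts.get("type", []))):
            continue  # [general] and type=user entries are not trunks
        insecure = {v.strip() for val in opts.get("insecure", []) for v in val.split(",")}
        issues: List[str] = []
        if "invite" in insecure:
            issues.append("insecure=invite: incoming INVITE accepted without authentication (Direct INVITE)")
        if "secret" not in opts and "md5secret" not in opts:
            issues.append("no secret: trunk is trusted on its source address alone")
        if "permit" not in opts and "deny" not in opts:
            issues.append("no permit/deny: no source-IP filter applied")
        if "port" in insecure:
            issues.append("insecure=port: source port not checked, so the address match is wider")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for trunk, issues in audit_trunks(parse_sip_conf(SAMPLE_SIP_CONF)).items():
        print(trunk)
        for issue in issues:
            print("  -", issue)
```

A trunk with no secret is sometimes unavoidable when the carrier only supports address-based trust; in that case the permit/deny pair is the minimum control, and the audit treats its absence, not the missing secret alone, as the finding that needs immediate action.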

Feb 8, 2013

SIP/NGN Services Pen-Testing using SIP Pen-Testing Kit (Training Video)

SIP Pen-Testing Kit for Metasploit is developed to help with SIP pen-tests. This video was prepared as a demonstration and training for the SIP Pen-Testing Kit.

Pen-Testing Steps in the Video

  • SIP Service Discovery
    • Using OPTIONS Requests
    • Using REGISTER Requests
    • REGISTER Without Credentials
    • REGISTER With Valid Credentials
  • Call Tests
    • Direct INVITE Without Credentials
    • INVITE With Credentials
    • INVITE Spoofing With Credentials
  • DOS Tests
    • INVITE Sending to Valid Users (With/Without Credentials)
    • INVITE Sending to Numeric Range (With/Without Credentials)
  • Enumeration
    • Enumerating Users and Accounts with Numeric Range (SUBSCRIBE, REGISTER, INVITE)
    • Enumerating Users and Accounts with a Users File (SUBSCRIBE, REGISTER, INVITE)
  • Brute Force
    • Password Brute Force to a Target Account
    • Password Brute Force to a Numeric Range
    • Password Brute Force with a Users File
For Code
http://www.github.com/fozavci/gamasec-sipmodules




Feb 7, 2013

GamaSEC SIP Pen-Test Kit for Metasploit Framework


Project Page : http://www.github.com/fozavci/gamasec-sipmodules

SIP library for Metasploit is developed to help with SIP penetration tests. It provides an authentication feature that helps to create simple tests. It includes 5 different modules with authentication support: options tester, brute forcer, enumerator, invite tester and registration tester. All attacks can be performed before and after authentication to fuzz SIP services and value added services.