
Mar 22, 2016

Offensive Security Testing of Mobile Applications

Mobile applications and services play a key role in enterprise communications as well as financial and subscriber services. Larger organisations supervise employees' mobile devices for corporate communication and office collaboration. Financial companies offer mobile services to improve customer satisfaction and to shape their customers' new habits. Service providers also supply mobile devices with some applications to offer subscriber services such as entertainment or communication. However, due to insufficient security enforced on mobile applications, they are also under attack by malware, state-sponsored actors or just casual attackers who are after unauthorised financial benefits or cyber intelligence. The Android, Windows and iOS mobile platforms offer security features to improve mobile security, but they require full integration of mobile applications.

This tutorial focuses on mobile application security testing, with practical exercises that highlight security vulnerabilities in mobile applications and their design. Device security testing requirements including supervised devices, stolen device cases and MDM requirements will be discussed with demonstrations. New security testing techniques for Android, Windows and iOS applications will also be part of the exercises, such as assessing secure storage requirements, analysing multi-platform security integration, reverse engineering of mobile applications, testing cloud services and debugging supervised devices. The exercises are based on sample vulnerable applications as well as real-life mobile applications available on the application stores. Improving mobile security testing skills may help software developers, consultants, administrators and architects to improve existing services, and penetration testers to improve existing security testing services such as mobile application and MDM security testing.

Tutorial registration (AusCERT Conference 2016)

TUTORIAL HEADLINES 

SECURITY TESTING REQUIREMENTS FOR MOBILITY 

Mobile applications and devices need a well-designed test platform for security assessments. Various test devices including tablets, mobile phones, virtual machines, embedded devices and watches are required to run target mobile applications. Jailbreaking and customisation of devices is another task in creating a flexible test platform. In addition, essential test tools, official SDKs and vulnerable applications should be part of the test lab. In this section, participants will learn the fundamentals of mobile security and how they can build a test lab.

DEVICE INTEGRATION SECURITY

Supervised devices, financial applications and subscriber services may need secure platform integration to manage users’ actions. Secure storage, secure compilation, the encryption used and platform security objects such as sandboxing, the internal services used (e.g. intent, broadcast, content provider, keychain/keystore), fingerprint modules, two-factor authentication and device policies are essential testing targets. Moreover, application-specific services, information disclosure issues and the functions used should be analysed from a security perspective. During the exercises, sample applications will be tested for common mobile security vulnerabilities, lack of platform integration, application-specific security issues and insecure design.

REVERSE ENGINEERING

Reverse engineering of mobile applications is required to identify fundamental security issues such as information disclosure through source code, security bypass using runtime manipulation, and insecure security and access management. In addition, it can be used for attacking target applications as malware, bypassing sandboxed information and bypassing security policies such as jailbreak detection and device enforcements. The reverse engineering section will teach fundamentals for mobile security such as ARM shellcoding, explaining VMs (e.g. Xamarin/Mono, Dalvik and ART), disassembling mobile applications and debugging using GDB, LLDB and ADB. The exercises in this section will include unpacking and disassembling applications, Drozer exercises, and runtime manipulation exercises using Cycript and GDB.

TRANSPORT SECURITY

Mobile applications need backend services on cloud or corporate networks to complete their features. However, most mobile applications have security issues in implementing transport security for backend services. Encryption issues such as lack of TLS enforcement, insecure crypto options and missing TLS pinning features are well-known security vulnerabilities in mobile implementations. Exercises in this section are based on using various proxies to intercept mobile traffic, attacking TLS implementations and bypassing TLS pinning.


BYOD and MDM SECURITY

Device security testing requirements including supervised devices, stolen device cases and MDM requirements will be discussed in this section. Various security problems of MDM solutions, well-known design issues, lack of cloud security and bypassing enforcements will be demonstrated.

Aug 13, 2015

The Art of VoIP Hacking - DEF CON 23 Workshop Materials

The Art of VoIP Hacking workshop was delivered at DEF CON 23 USA last week. We discussed VoIP vulnerabilities, design issues and current threats targeting VoIP environments. In addition, we demonstrated the major attack vectors for VoIP services including advanced SIP attacks, exploitation of VoIP server vulnerabilities, Cisco Skinny attacks, attacking Cisco hosted VoIP services (CUCM/CUCDM), decryption of SRTP traffic and exploitation of VoIP client vulnerabilities. More than 35 attendees used the Viproy VoIP Penetration Testing Kit to attack the test environment, which has samples for each attack exercise. The following materials are provided for the DEF CON 23 workshop, but also for the VoIP community to improve unified communications security.

Jul 21, 2015

Defcon 23 Workshop: The Art of VoIP Hacking

VoIP attacks have evolved, and they are targeting Unified Communications (UC), commercial services, hosted environments and call centres using major vendor and protocol vulnerabilities. This workshop is designed to demonstrate these cutting-edge VoIP attacks, and improve the VoIP skills of incident response teams, penetration testers and network engineers. Signalling protocols are the centre of UC environments, but are also susceptible to IP spoofing, trust issues, call spoofing, authentication bypass and invalid signalling flows. They can be hacked with legacy techniques, but a set of new attacks will be demonstrated in this workshop. This workshop includes basic attack types for UC infrastructure, advanced attacks on SIP and Skinny protocol weaknesses, network infrastructure attacks, value added services analysis, CDR/Log/Billing analysis and the use of Viproy to analyse signalling services using novel techniques. The well-known attacks on network infrastructure will also be combined with current VoIP vulnerabilities to test the target workshop network. Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by Fatih). It has a dozen modules to test trust hacking issues, information collected from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts, Cisco CUCDM exploitation and debugging services as a MITM. Furthermore, Viproy provides these attack modules in the Metasploit Framework environment with full integration. The workshop contains live demonstrations of practical VoIP attacks and usage of the Viproy modules.

In this hands-on workshop, attendees will learn about basic attack types for UC infrastructure, advanced attacks on SIP protocol weaknesses, Cisco Skinny protocol hacking, hacking Cisco CUCDM and CUCM servers, network infrastructure attacks, value added services analysis, CDR/Log/Billing analysis and the Viproy VoIP pen-test kit to analyse VoIP services using novel techniques. New CDP, CUCDM and Cisco Skinny modules and techniques of Viproy will be demonstrated in the workshop as well.

Details and registration

Who should attend

Penetration testers, VoIP engineers, security engineers, internal auditors and all hackers who have a wireless card and a VM player.

Workshop Requirements

Participants should have an up-to-date Kali Linux virtual machine with Metasploit Framework. (The disk image will be provided by the tutors.)

Christos Archimandritis has nearly 5 years of experience in information security consulting, having performed various security assessments for clients in the banking, telecom and government sectors. Prior to joining Sense of Security, he was a senior security consultant with a major consulting company in Europe. While working there, he performed network and web application penetration tests, mobile application penetration tests and wireless assessments for various clients in Europe and the Middle East. Before that, he worked in the European branch of a major company in the automotive sector, developing solutions for the company’s SAP and Business Objects environments as well as administering the company’s data warehouse.

Fatih Ozavci is a Security Researcher, Principal Security Consultant with Sense of Security, and the author of the Viproy VoIP Penetration Testing Kit. Fatih has discovered several previously unknown security vulnerabilities and design flaws in IMS, Unified Communications, Embedded Devices, MDM, Mobility and SAP integrated environments for his customers. He has completed several unique penetration testing services during his career of more than 15 years. His current research is based on securing IMS/UC services, IPTV systems, attacking mobile VoIP clients, VoIP service level vulnerabilities, SaaS, mobility security testing, hardware hacking and MDM analysis. Fatih has presented his VoIP and mobile research at BlackHat USA’14, DefCon 22 and 21, Troopers’15, Cluecon 2013 and Ruxcon 2013. He has also provided VoIP and Mobility Security Testing workshops at AusCERT’14, Kiwicon'15 and Troopers'15 events.

Feb 10, 2015

Training: Tactical VoIP Hacking with Viproy | Troopers 15

SIP and Skinny servers provide signalling services and they are the centre of Unified Communication networks and VoIP services. Signalling protocols are susceptible to IP spoofing, proxy trust issues, call spoofing, authentication bypass and bogus signalling flows. They can be hacked with legacy techniques, but a few new attack types will be demonstrated in this training. This training includes basic attack types for UC infrastructure, advanced attacks on SIP and Skinny protocol weaknesses, network infrastructure attacks, value added services analysis, CDR/Log/Billing analysis and Viproy to analyse SIP services using novel techniques.

Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by the trainer). It has a dozen modules to test trust hacking issues, information collected from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts and debugging services as a MITM. Furthermore, Viproy provides these attack modules in a Metasploit Framework environment with full integration. The training contains live demonstrations of practical VoIP attacks and usage of new Viproy modules.

Registration: Troopers 15

Training Agenda

  1. Network Infrastructure 
  2. VoIP Server Security
  3. Signalling Security
    1. Signalling Essentials
    2. Testing of SIP and Skinny Services
  4. Media Transport Security
    1. Media Transport Essentials
    2. Testing of RTP, SRTP and Proxy Services
  5. Cloud VoIP Solutions Security
  6. VoIP Client Security
  7. Capture the Flag



Oct 27, 2014

Training: Practical VoIP Hacking with Viproy (Kiwicon'14)

We have prepared a VoIP hacking training for the Kiwicon security conference in New Zealand. The training focuses on testing VoIP signalling protocols using Viproy. We'll explain the VoIP essentials and the protocol basics for SIP and Skinny. We will also demonstrate how VoIP servers can be attacked using web management interfaces, essential services and signalling services. The Viproy VoIP penetration testing kit will be used for the basic and advanced attacks such as SIP trust hacking, SIP proxy bounce attack, Skinny service manipulation, CUCDM exploitation and attacking VoIP clients. If you're interested in VoIP and attending Kiwicon, come and join us in this training.

Registration:

You can sign up for this training using the form on the Kiwicon homepage.