Jan 30, 2017

Troopers'17 - VoIP Wars: The Live Training

Troopers security conference in Heidelberg, Germany is one of my favourites. I have provided a VoIP training during Troopers'15, I also enjoyed some talks and social activities during the event. This year, Troopers will celebrate the 10 year anniversary, and my training will also take a place in during Troopers'17, thanks to Enno Rey and Niki Vonderwell.

VoIP Wars: The Live Training will be a hands-on phreaking experience for the participants. The training will have less talk, but more hands-on exercises using the especially designed Viproyable virtual machine. The participants will use Viproy and some open source tools to discover the vulnerabilities of Viproyable, solve the CTF challenges and demonstrate their knowledge during the training. This will be first announcement of Viproyable VM, but the project (after some fixes) may be a public project after Troopers as well. 

The training will take a place on March 20, 2017 (at 9:00 am), the Troopers web page can be used to register. The summary information and detailed topics are also below in case of you need more information about what will be on this training.

Hands-on Exercises of Viproyable:

  • VoIP service discovery
  • Enumeration using various responses
  • Gathering unauthorised access to the extensions
  • Hijacking voicemails
  • Performing call spoofing attacks
  • Discovering SIP trust relationships
  • Harvesting information via IP phone configuration files
  • Gaining unauthorised access to Asterisk Management
  • Remote code execution through SIP services
  • Remote code execution through FreePBX modules
  • Decoding RTP sessions and Decrypting SRTP sessions for eavesdropping
  • Exploiting Cisco CUCDM services

Training Abstract:


VoIP attacks have evolved, and they are targeting Unified Communications (UC), commercial services, hosted environment and call centres using major vendor and protocol vulnerabilities. This workshop is designed to experience these cutting edge VoIP attacks, and improve the VoIP skills of the incident response teams, penetration testers and network engineers. Modern attack vectors and broad threats against the VoIP ecosystem will be discussed and analysed for major vendor and protocol vulnerabilities with references to their targets. The major products to be targeting in the workshop are Cisco CUCM, Microsoft Lync/Skype and Asterisk. 

In this hands-on workshop, the participants will learn about Unified Communications security fundamentals and testing with practical attacks to improve their skills. Attack scenarios will be discussed for various types of UC implementations to cover business services such as call centres, service operator networks and cloud services. In addition, they will be provided with the workshop and exercises notes as well as a USB stick that includes virtual machines and software to be used during workshop. The workshop exercises will be conducted using the open source tools and Viproy VoIP penetration testing kit developed by the trainer.

Training Details:


IP Telephony Server Security 
IP telephony servers are responsible to provide UC services such as SIP, Skinny, RTP and XMPP for clients and connected third-party systems. Also they may have various essential services such as DHCP, DNS, TFTP, FTP, HTTP, management services and IP phone services. The services running on the IP telephony servers are susceptible to mainstream vulnerabilities, vulnerabilities detected on open source libraries and insecure configuration. Those vulnerabilities can be exploited to permanently compromise the UC infrastructure through IP telephony servers. The participants will discover well-known vulnerabilities, published vulnerabilities of the VoIP servers and insecure configuration to exploit IP telephony servers in the lab. They will be supplied with customised exploits, code samples and scenario plot to complete the exploitation tasks.
  • Design analysis of the sample networks
  • Network and service discovery
  • Missing patches and code execution 
  • Management services analysis

UC Services Security Analysis
Signalling services like SIP and Skinny are used to initiate, operate and manage VoIP calls. This section is prepared to explain and demonstrate weaknesses of the selected signalling services. Information disclosure, authentication issues and authorisation bypass issues are the major vulnerabilities on the signalling services. The participants will experience exploiting protocol and service level vulnerabilities to gain unauthorised access to the UC environment and services. 
UC services are also vulnerable to some specific attacks such as caller identity spoofing, SIP trust relationships hacking, SIP proxy bounce attack or DDoS attacks. These attacks can be used to bypass security restrictions of the SIP networks using protocol vulnerabilities or service configuration. Dial plans used, SIP trunks, clients connected and network infrastructures are the major targets for advanced attacks. The live exercises will cover sample scenarios for the advanced attacks to gain unauthorised access to the UC services such as voicemail services, SIP trunks and Instant Messaging (IM) services.
  • SIP discovery, enumeration and password attacks 
  • Advanced attacks targeting SIP networks
  • Skinny signalling protocol attacks 

Media Transport Security
UC infrastructures uses media transport protocols such as (S)RTP for the voice calls, file, desktop and presentation sharing. The media transmitted may have confidential or sensitive information which can be an object of PCI, COBIT or compliance requirements (e.g. credit card information on the calls to IVR services or costumer privacy). Due to the insecure encryption implementation and design issues, the sensitive information in the media transmitted can be exposed.  The media transport security requirements and implementation issues will be explained with live exercises in this section.
  • Analysing media transport for voice calls
  • Capturing and decoding voice calls
  • Decrypting SRTP encrypted calls

Security Analysis of Major Unified Communications Suites
Major UC product suites such as Cisco CUCM/CUCDM or Microsoft Skype for Business are commonly used for the enterprise services. These suites provide an isolated ecosystem with customised clients (e.g. Cisco Jabber, Cisco Unified Communicator, Cisco IP phones, Microsoft Lync, Microsoft Skype for Business, Polycom IP phones) and service components. UC analysis for a product suite should be customised to identify suite specific vulnerabilities. This section is designed to highlight the vulnerabilities identified on the major product suites and the exploitation vectors. Hosted VoIP environment, enterprise communication and mobile services will be on the target for the live exercises which will be conducted by the participants.
  • Security analysis of UC environments
  • Attacking XML based IP phones services
  • Attacking support services for IP phones 
  • MITM testing of UC via Viproxy



Mar 22, 2016

Hardware Hacking Chronicles: IoT Hacking for Offence and Defence

Enterprise companies are using consumer and IoT devices to complete (or expand) their services such as broadband, IPTV, media streaming, satellite, voice and 3G/4G services. Although the devices are owned by the service providers, subscribers have limited (or full) access to them with service agreements. In addition to that, some of consumer devices also have roles on corporate communications, environment security or employee services. Consumer devices are located at subscriber premises; therefore, the traditional security testing approach only covers backend services security, not the devices.

Consumer and IoT devices are susceptible to hardware hacking based attacks such as firmware dumping, re-flashing with a custom firmware, and getting low level access using the physical management interfaces such as SPI, JTAG and UART. Low level access obtained can be used to modify device behaviours or their initial states. This helps attackers to debug consumer devices and operator services, to find new vulnerabilities, and to obtain the device configuration which may contain credentials for the service infrastructure. 

Embedded device and hardware hacking is a rising skill set for penetration testers. It is required to understand targeted attacks which may include hardware implants, modified hardware attacking their own infrastructure or compromised devices that target the human factor. Some of advanced testing examples to be discussed are preparing a custom hardware for persistent access during a red teaming exercise, preparing a compromised consumer device for human factor pen-testing, attacking TR-069 services of a provider using smart home modems or altering the security controls of a device to abuse the service. 

The presentation focuses on how the existing security testing techniques should be evolved with hardware and IoT hacking, and how service providers can make their infrastructure secure for cutting-edge attacks. Essential hardware hacking information, identifying and using physical management interfaces, hardware hacking toolset, well-known hardware attacks and hardware testing procedure will be presented in a road map for consumer devices security testing. Also a security testing approach will be explained to develop new security testing services and to improve existing ones such as red teaming, human factor pen-testing and infrastructure pen-testing.

AusCERT 2016 - Thursday, 26th May 2016 - 11:40

Offensive Security Testing of Mobile Applications

Mobile applications and services are playing a key role in enterprise communications as well as financial and subscriber services. Larger organisations supervise mobile devices of employees for corporate communication and office collaboration. Financial companies offer mobile services to improve customer satisfaction and to shape their new habits. Service providers also supply mobile devices with some applications to offer their subscriber services such as entertainment or communication. However, due to insufficient security enforced on mobile applications, they are also under attack by malware, state-sponsored actors or just causal attackers who are after unauthorised financial benefits or cyber intelligence. Android, Windows and iOS mobile platforms offer security features to improve mobile security, they require full integration of mobile applications though.

This tutorial will be focused on the mobile applications security testing with practical exercises to highlight mobile security vulnerabilities of applications and design. Device security testing requirements including supervised devices, stolen device cases and MDM requirements will be discussed with demonstrations. New security testing techniques for Android, Windows and iOS applications will also be parts of the exercises such as assessing secure storage requirements, analysing multi-platform security integration, reverse engineering of mobile applications, testing cloud services and debugging supervised devices. The exercises are based on sample vulnerable applications as well as real life mobile applications available on the application stores. Improving mobile security testing skills may help software developers, consultants, administrators and architects to improve existing services as well as penetration testers to improve existing security testing services such as mobile applications and MDM security testing.

Tutorial registration (AusCERT Conference 2016)

TUTORIAL HEADLINES 

SECURITY TESTING REQUIREMENTS FOR MOBILITY 

Mobile applications and devices need a well-designed test platform for security assessments. Various test devices including tablets, mobile phones, virtual machines, embedded devices and watches are required to run target mobile applications. Jailbreaking and customisation of devices is another task to create a flexible test platform. In addition, essential test tools, official SDKs and vulnerable applications should be parts the test lab. In this section, participants will learn fundamentals of mobile security and how can they build a test lab.

DEVICE INTEGRATION SECURITY

Supervised devices, financial applications and subscriber services may need a secure platform integration to manage users’ actions. Secure storage, secure compile, encryption used and platform security objects such as sandboxing, internal services used (e.g. intent, broadcast, content provider, keychain/keystore), fingerprint modules, two-factor authentication and device policies are essential testing targets. Moreover, application specific services, information disclosure issues and functions used should be analysed in security perspective. During exercises, sample applications will be tested for common mobile security vulnerabilities, lack of platform integration, application specific security issues and insecure design.

REVERSE ENGINEERING

Reverse engineering for mobile applications is required to identify fundamental security issues such as information disclosure through source code, security bypass using runtime manipulation, insecure security and access management. In addition, it can be used for attacking target applications as malware, bypassing sandboxed information and bypassing security policies such as jailbreak detection and device enforcements. Reverse engineering section will teach fundamentals for mobile security such ARM shellcoding, explaining VMs (e.g. Xamarin/Mono, Dalvik and ART), disassembling mobile applications and debugging using GDB, LLDB and ADB. The exercises in this section will include unpacking and dissembling applications, Drozer exercises, runtime manipulation exercises using Cyript and GDB.

TRANSPORT SECURITY

Mobile applications need backend services on cloud or corporate networks to complete their features. However, most of mobile applications have security issues to implement transport security for backend services. Encryption issues such as lack of TLS enforcements, insecure crypto options and missing TLS pinning features are well-known security vulnerabilities for mobile implementations. Exercises in this section are based on using various proxies to intercept mobile traffic, attacking TLS implementations and bypassing TLS pinning.


BYOD and MDM SECURITY

Device security testing requirements including supervised devices, stolen device cases and MDM requirements will be discussed in this section. Various security problems of MDM solutions, well-known design issues, lack of cloud security and bypassing enforcements will be demonstrated.

Nov 26, 2015

VoIP Wars: Destroying Jar Jar Lync Materials

VoIP Wars: Destroying Jar Jar Lync has been presented at Blackhat Europe 2015, GSEC Hack In The Box Singapore 2015 and Ruxcon 2015. The presentation contains newly published security vulnerabilities for the Microsoft Skype for Business platform, a test methodology and a customised testing tool named Viproxy. The unfiltered edition of the presentation, Viproxy 2.0, exploits, security advisory and demonstration video are available below.
VoIP Wars: Destroying Jar Jar Lync (HITB Singapore presentation video)



VoIP Wars: Destroying Jar Jar Lync (Presentation) 

SOS-15-005 – Microsoft Skype for Business 2016 unauthorised script execution security advisory (including P0C exploits)
SOS-15-005 – Microsoft Skype for Business 2016 unauthorised script execution demonstration

Viproxy 2.0
Detailed information about Viproy VoIP Pen-Test Kit and VoIP Wars research series.

Oct 26, 2015

VoIP Wars – Destroying Jar Jar Lync (Filtered version)


Enterprise companies are increasingly using Microsoft Lync 2010/2013 (a.k.a Skype for Business 2015) services as call centre, internal communication, cloud communication and video conference platform. These services are based on the VoIP and instant messaging protocols, and support multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones and teleconference devices. Also the official clients are available for mobile devices (e.g. Windows phone, Android and iOS), desktops (Mac, Linux and Windows) and web applications developed with .NET framework. Although the Microsoft Lync platform has been developed along with the new technologies, it still suffers from old VoIP, teleconference and platform issues.
Modern VoIP attacks can be used to attack Microsoft Lync environments to obtain unauthorised access to the infrastructure. Open MS Lync frontend and edge servers, insecure federation security design, lack of encryption, insufficient defence for VoIP attacks and insecure compatibility options may allow attackers to hijack enterprise communications. The enterprise users and employees are also the next generation targets for these attackers. They can attack client soft phones and handsets using the broken communication, invalid protocol options and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud and intelligence collection.
Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented with newly published vulnerabilities and Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment.
•    A brief introduction to Microsoft Lync ecosystem
•    Security requirements, design vulnerabilities and priorities
•    Modern threats against commercial Microsoft Lync services
•    Demonstration of new attack vectors against target test platform

Aug 18, 2015

Viproy VoIP penetration testing kit 2.99.1 is released.

Viproy VoIP penetration testing kit 2.99.1 is released. This version requires ruby 2.1.5/2.1.6 and current Github version of the Metasploit Framework.

Download: https://github.com/fozavci/viproy-voipkit

Pre-installed version: https://github.com/fozavci/metasploit-framework-with-viproy

New features:

  • SIP message and MSRP supports with SIP INVITE
  • MSRP message tester, MSRP and SDP PoC fuzzers
  • PoC client exploits for Boghe VoIP client 
  • and bug fixes for the current version of the Metasploit Framework.

New modules and libraries released:

  • MSRP library for MSRP messaging
  • Boghe VoIP Client INVITE PoC Exploit 
  • Boghe VoIP Client MSRP PoC Exploit 
  • SIP Message with INVITE Support 
  • Sample SIP SDP Fuzzer 
  • MSRP Message Tester with SIP INVITE Support 
  • Sample MSRP Message Fuzzer with SIP INVITE Support 
  • Sample MSRP Message Header Fuzzer with SIP INVITE Support 

Aug 13, 2015

The Art of VoIP Hacking - DEF CON 23 Workshop Materials

The Art of VoIP Hacking workshop has beed provided during the DEF CON 23 USA last week. We have discussed about the VoIP vulnerabilities, design issues and current treats targeting the VoIP environments. In addition, we have also demonstrated the major attack vectors for the VoIP services including the advanced SIP attacks, exploitation of the VoIP server vulnerabilities, Cisco Skinny attacks, attacking Cisco hosted VoIP services (CUCM/CUCDM), decryption of the SRTP traffic and exploitation of the VoIP client vulnerabilities. Over than 35 attendees have used the Viproy VoIP Penetration Testing Kit to attack to the test environment which has samples for each attack exercises. The following materials are provided for the DEF CON 23 workshop, but also for the VoIP community to improve unified communications security. 

Jul 21, 2015

Defcon 23 Workshop: The Art of VoIP Hacking

VoIP attacks have evolved, and they are targeting Unified Communications (UC), commercial services, hosted environment and call centres using major vendor and protocol vulnerabilities. This workshop is designed to demonstrate these cutting edge VoIP attacks, and improve the VoIP skills of the incident response teams, penetration testers and network engineers. Signalling protocols are the centre of UC environments, but also susceptible to IP spoofing, trust issues, call spoofing, authentication bypass and invalid signalling flows. They can be hacked with legacy techniques, but a set of new attacks will be demonstrated in this workshop. This workshop includes basic attack types for UC infrastructure, advanced attacks to the SIP and Skinny protocol weaknesses, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy use to analyse signalling services using novel techniques. Also the well-known attacks to the network infrastructure will be combined with the current VoIP vulnerabilities to test the target workshop network. Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by Fatih). It has a dozen modules to test trust hacking issues, information collected from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts, Cisco CUCDM exploitation and debugging services using as MITM. Furthermore, Viproy provides these attack modules in the Metasploit Framework environment with full integration. The workshop contains live demonstration of practical VoIP attacks and usage of the Viproy modules.
In this hands-on workshop, attendees will learn about basic attack types for UC infrastructure, advanced attacks to the SIP protocol weaknesses, Cisco Skinny protocol hacking, hacking Cisco CUCDM and CUCM servers, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy VoIP pen-test kit to analyse VoIP services using novel techniques. New CDP, CUCDM and Cisco Skinny modules and techniques of Viproy will be demonstrated in the workshop as well.
Details and registration
Who should attend
Penetration testers, VoIP engineers, security engineers, internal auditors and all hackers who have a wireless card and a VM player.
Workshop Requirements
Participants should have an up to date Kali Linux virtual machine with Metasploit Framework. (The disk image will be provided by the tutors)
Christos Archimandritis has nearly 5 years’ of experience in information security consulting, having performed various security assessments for clients in the banking, telecom and government sector. Prior to joining Sense of Security, he was a senior security consultant with a major consulting company in Europe. While working there, he performed network and web application penetration tests, mobile application penetration tests and wireless assessments for various clients in Europe and the Middle East. Before that, he worked in the European branch of a major company in the automotive sector, developing solutions for the company’s SAP and Business Objects environments as well as administering the company’s data warehouse.
Fatih Ozavci is a Security Researcher, Principal Security Consultant with Sense of Security, and the author of the Viproy VoIP Penetration Testing Kit. Fatih has discovered several previously unknown security vulnerabilities and design flaws in IMS, Unified Communications, Embedded Devices, MDM, Mobility and SAP integrated environments for his customers. He has completed several unique penetration testing services during his career of more than 15 years. His current research is based on securing IMS/UC services, IPTV systems, attacking mobile VoIP clients, VoIP service level vulnerabilities, SaaS, mobility security testing, hardware hacking and MDM analysis. Fatih has presented his VoIP and mobile research at BlackHat USA’14, DefCon 22 and 21, Troopers’15, Cluecon 2013 and Ruxcon 2013. He has also provided VoIP and Mobility Security Testing workshop at AustCert’14, Kiwicon'15 and Troopers'15 events.

Feb 10, 2015

Training: Tactical VoIP Hacking with Viproy | Troopers 15

SIP and Skinny servers provide signalling services and they are the centre of Unified Communication networks and VoIP services. Signalling protocols are susceptible to IP spoofing, proxy trust issues, call spoofing, authentication bypass and bogus signalling flows. It can be hacked with legacy techniques, but a few new attack types will be demonstrated in this training. This training includes basic attack types for UC infrastructure, advanced attacks to the SIP and Skinny protocol weaknesses, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy to analyse SIP services using novel techniques.

Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by the trainer). It has a dozen modules to test trust hacking issues, information collected from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts and debugging services using as MITM. Furthermore, Viproy provides these attack modules in a Metasploit Framework environment and full integration. The training contains live demonstration of practical VoIP attacks and usage of new Viproy modules.

Registration : Troopers 15  

Training Agenda

  1. Network Infrastructure 
  2. VoIP Server Security
  3. Signalling Security
    1. Signalling Essentials
    2. Testing of SIP and Skinny Services
  4. Media Transport Security
    1. Media Transport Essentials
    2. Testing of RTP, SRTP and Proxy Services
  5. Cloud VoIP Solutions Security
  6. VoIP Client Security
  7. Capture the Flag



Nov 4, 2014

Progress of the Viproy pull requests for the Metasploit Framework

I saw a few challenges to submit Viproy modules to the Metasploit Framework;

Firstly, I'm not a developer, but a pen-tester and a researcher. this means, I prepared this code during an engagement or in a testing environment. 400+ features/skills are implemented in the SIP/Skinny libraries and modules, some skills/features require special systems which I have no access now. Because of this, I cannot provide a lab environment to test all the features/options, maybe during the Kiwicon 2015 training. That's why the source code is pretty dirty, but works in many cases, especially in VoIP pen-test engagement.

Moreover, I'm the only one who improves these modules during actual VoIP penetration tests, limited feedback and no code support. This prevents me to detect/fix errors of the software, only the Metasploit Framework team submitted code modifications on them. Thanks for all the commits and suggestions.

Finally, I have some timing issues before January 2015. "rspec" modifications and full review of the features are really hard tasks, and require a working test lab with all components. I'm not sure I can provide this time to major changes, but I will try.

I believe that Viproy should have a community support, that's why it is developed with the Metasploit Framework, not as a standalone software. These commits and comments show that it still has too much errors to fix and too much features to demonstrate. Also they show that community support is very useful, the Viproy's source code is improved by a team, not the author anymore. Basically this process does work.

Thanks for all support.

Now, we have two ways to decide;

  • It may be slow, but I can support/update these pull requests with you to make Viproy a part of the Metasploit Framework, as soon as I can.
  • or, preparing a good plan and waiting for 2015 Q1 for the major Viproy source improvements for the full Metasploit Framework integration.
Please think about it as a team, and suggest a way to do that. Remember, the code is licensed as the Metasploit License, you're free to fix/improve all features. I'm comfortable for the both options, the problem is only my schedule before Jan 2015.

Original post link at Github : https://github.com/rapid7/metasploit-framework/pull/4066#issuecomment-61608013

/cc @todb-r7 @jhart-r7 @jvazquez-r7 @hmoore-r7