VoIP Wars: The Live Training will be a hands-on phreaking experience for the participants. The training will have less talk, but more hands-on exercises using the especially designed Viproyable virtual machine. The participants will use Viproy and some open source tools to discover the vulnerabilities of Viproyable, solve the CTF challenges and demonstrate their knowledge during the training. This will be first announcement of Viproyable VM, but the project (after some fixes) may be a public project after Troopers as well.
The training will take a place on March 20, 2017 (at 9:00 am), the Troopers web page can be used to register. The summary information and detailed topics are also below in case of you need more information about what will be on this training.
Hands-on Exercises of Viproyable:
- VoIP service discovery
- Enumeration using various responses
- Gathering unauthorised access to the extensions
- Hijacking voicemails
- Performing call spoofing attacks
- Discovering SIP trust relationships
- Harvesting information via IP phone configuration files
- Gaining unauthorised access to Asterisk Management
- Remote code execution through SIP services
- Remote code execution through FreePBX modules
- Decoding RTP sessions and Decrypting SRTP sessions for eavesdropping
- Exploiting Cisco CUCDM services
Training Abstract:
VoIP attacks have evolved, and they are targeting Unified Communications (UC), commercial services, hosted environment and call centres using major vendor and protocol vulnerabilities. This workshop is designed to experience these cutting edge VoIP attacks, and improve the VoIP skills of the incident response teams, penetration testers and network engineers. Modern attack vectors and broad threats against the VoIP ecosystem will be discussed and analysed for major vendor and protocol vulnerabilities with references to their targets. The major products to be targeting in the workshop are Cisco CUCM, Microsoft Lync/Skype and Asterisk.
In this hands-on workshop, the participants will learn about Unified Communications security fundamentals and testing with practical attacks to improve their skills. Attack scenarios will be discussed for various types of UC implementations to cover business services such as call centres, service operator networks and cloud services. In addition, they will be provided with the workshop and exercises notes as well as a USB stick that includes virtual machines and software to be used during workshop. The workshop exercises will be conducted using the open source tools and Viproy VoIP penetration testing kit developed by the trainer.
Training Details:
IP Telephony Server Security
IP telephony servers are responsible to provide UC services such as SIP, Skinny, RTP and XMPP for clients and connected third-party systems. Also they may have various essential services such as DHCP, DNS, TFTP, FTP, HTTP, management services and IP phone services. The services running on the IP telephony servers are susceptible to mainstream vulnerabilities, vulnerabilities detected on open source libraries and insecure configuration. Those vulnerabilities can be exploited to permanently compromise the UC infrastructure through IP telephony servers. The participants will discover well-known vulnerabilities, published vulnerabilities of the VoIP servers and insecure configuration to exploit IP telephony servers in the lab. They will be supplied with customised exploits, code samples and scenario plot to complete the exploitation tasks.
- Design analysis of the sample networks
- Network and service discovery
- Missing patches and code execution
- Management services analysis
UC Services Security Analysis
Signalling services like SIP and Skinny are used to initiate, operate and manage VoIP calls. This section is prepared to explain and demonstrate weaknesses of the selected signalling services. Information disclosure, authentication issues and authorisation bypass issues are the major vulnerabilities on the signalling services. The participants will experience exploiting protocol and service level vulnerabilities to gain unauthorised access to the UC environment and services.
UC services are also vulnerable to some specific attacks such as caller identity spoofing, SIP trust relationships hacking, SIP proxy bounce attack or DDoS attacks. These attacks can be used to bypass security restrictions of the SIP networks using protocol vulnerabilities or service configuration. Dial plans used, SIP trunks, clients connected and network infrastructures are the major targets for advanced attacks. The live exercises will cover sample scenarios for the advanced attacks to gain unauthorised access to the UC services such as voicemail services, SIP trunks and Instant Messaging (IM) services.
- SIP discovery, enumeration and password attacks
- Advanced attacks targeting SIP networks
- Skinny signalling protocol attacks
Media Transport Security
UC infrastructures uses media transport protocols such as (S)RTP for the voice calls, file, desktop and presentation sharing. The media transmitted may have confidential or sensitive information which can be an object of PCI, COBIT or compliance requirements (e.g. credit card information on the calls to IVR services or costumer privacy). Due to the insecure encryption implementation and design issues, the sensitive information in the media transmitted can be exposed. The media transport security requirements and implementation issues will be explained with live exercises in this section.
- Analysing media transport for voice calls
- Capturing and decoding voice calls
- Decrypting SRTP encrypted calls
Security Analysis of Major Unified Communications Suites
Major UC product suites such as Cisco CUCM/CUCDM or Microsoft Skype for Business are commonly used for the enterprise services. These suites provide an isolated ecosystem with customised clients (e.g. Cisco Jabber, Cisco Unified Communicator, Cisco IP phones, Microsoft Lync, Microsoft Skype for Business, Polycom IP phones) and service components. UC analysis for a product suite should be customised to identify suite specific vulnerabilities. This section is designed to highlight the vulnerabilities identified on the major product suites and the exploitation vectors. Hosted VoIP environment, enterprise communication and mobile services will be on the target for the live exercises which will be conducted by the participants.
- Security analysis of UC environments
- Attacking XML based IP phones services
- Attacking support services for IP phones
- MITM testing of UC via Viproxy