VoIP Wars Return of the SIP

My special expertise on voice over IP servers voice over IP infrastructure, mobile applications also other ones. I’M author of a VIP reversal right penetration testing kit, also i published, is a small paper about citrus relationships. Hacking also, i demonstrated vpro ways to write penetration testing kit. Yesterday implicit arsenal, anyone from blackett arsenal here, okay, we should wrap up this VI part. We press the penetration testing kit and i will discuss a few advantix and deploy have a few models to demonstrate or exploit these attacks, and this is a small demonstration. Vpro has a few models time models right now, but i am working on three models. It’S a metasploit models back. You can download and extract in metastability root directory, so you can use it to discover zip infrastructure voice over IP infrastructure. You can collect information from sip servers. Also, you can get a few important things from sip servers.

Also, you can enumerate target servers here is the V pro in action. It is debug support. Also, it has a verbal support. That means you can easily collect information from debug data. Discovery can be used for collecting information, so we can use all methods – Oh Steve, infrastructure and protocol metals in this collecting part and discovery park. Sobipro has register options, invite subscribe and a few metals to discover features of sip server. It’S basically a sip clients, but a smart one. You can easily develop another model for your custom test or something else. It has a sip library, a-actually metasploit, erased library, let’s register test, we can register and infrastructure or we can register a client or we can register a user using paper to an observer. Also, we can initiate calls with a user or without a user / a sip proxy or not.

Also, we have a few headers in progress, so we can manipulate this request and it’s Hatter’s to bypass or two by fast building to bypass restrictions of CBS or seek firewalls. This is a basic demonstration basic features of the boy. I will talk about these basic features. Now but i will discuss if you advance the texts in this session also, i have another demo at last of this presentation for this advanced attacks. It’S really hard to get picked to speak. It def cons, give him a big round of applause, so this is first time speaking, so we need to do a shot on stage. Ok cheers the purpose price and no not now, maybe later, all right thanks a lot. Thank you guys. I was no reason. I’M fine right now, so, okay, we should pass this part. This action or okay, we have a few people are coming.

We can start actual presentation, you can watch this video, but I just played a it’s already in YouTube. Also, i played this video in medical and security conferences to and show we pros basic features and basic attack abilities. So i will discuss these attacks and how can we use these attacks to bypass security features of a sip servers, and this is my agenda today? Discovery, food printing collecting information, initiating a call initiating a bypass for CDR or building or restrictions, or something else also we have a another attack bonus attack. I will explain it also fake services and MITM yeah. We have another model for a sip proxy for MIT empting. Also, a sip servers should be available 724, so we can attack them using those features or something else also. We have another feature hacking to see trust relationships because they trust each other, so we can act like just one also. We can use these cheap features or citrus hacking features to attack. Another client m, specific mobile client and other desktop client, also fighting fussing in advance. Another subject for us: i will discuss a few fuzzing features.

Otoscope is actually RTP. I will add. Rtp features a letter. Also, additional services are not subject also examined or Jason based. Supporting services is not required for this presentation. Cp station initiation protocol, it’s just a stagnant, a sign link, protocol for engine services or sip based telephony services. Next generation network is a postmodern TDM devices. Actually sorry HP blade like systems, they have three or maybe more so, switches, RTP proxy proxies or something else. So they should connect em, son or immediately devices. I will show an infrastructure for this sample and so steep and a mega code protocol also RTP. They are heart of this ancient infrastructure.

Also cheap should be implemented securely. This NGM platforms, so we will hack this sip protocol and we will hack this engine infrastructure. They used next generation network term, but i believe is not because Steve’s all protocols heap has many security weaknesses and we will discuss in this presentation these weaknesses a sample sip server in your network. If you have a network commercial network, it should replace just like that by the way commercial services are completely different. This is sample and next generation network infrastructure, zip server, also known as sauce twists heart of this infrastructure. Sdp servers also other servers such as vast or DVI or CDR disturbers should be connected with soft shoe. It’S also a mess on devices and mitigate way devices show be implemented for a and point termination for between em son, medica, Tory devices and saw switches. The protocol is mega Co. The other connections, especially a redirecting it calls between sauce switches.

It should be sip SI p. Also, you should know you have you used many soft phone application in your mobile phones. That means a you already have sip services and you are a customer of a sip provider, but the here’s, the thing they think a they are secure, but it’s not a special. Their infrastructure is vulnerable. This infrastructure not closed, but dating it’s closed. Actually, it’s open physical access. Also, you can easily manipulate antimony terminators such as mitigated devices, smart, modems or something else also, they think a beauty enjoys over IP requires specific knowledge. It’S that’s no longer the case weekly pro because we have many features to easily test these sip servers features and security. Also, they focused on toll based attacks, taller out or something else, but we have many attacks, spying, fishing server violence or did those leaders, attacks or attacking actual mobile clients or desktop clients? Also value-added services are another important venerable servers. Also, they think they’re vulnerable devices well configured and securely. They are vulnerable. They use also fares, they use actual legacies of fares, solar is five or Linux slackware a 2.1 or something else. So we can easily bypass and exploit them, but that is not our real subject. We will discuss specific one sip protocol vpro, a vaporizer Vulcans word. That means call.

People has many models to test sip server security, so we can actually initiate if you advance the tax on a mostly all basic attacks for these targets. Observers using the pros models. Also, it has custom header support. It has a my authentication support, but in many ways just proxy authentication, server, authentication for different hashing, algorithms, algorithms and a few ones. Also. I have a few new models, such as trust, analyzer, a short message, service, tester or bounced cam model de dos initial initializer or directly mi-tm proxy tool. You can use this tool to test attacks which we’ll discuss now. Basic attacks are important. There are not new, but we have a non stop fishing tool to analyze. This type of attacks sandra go to left, Sid, Vicious, also ship shark and other tools, not sufficient for penetration testing of sip servers.

We should create another one. I should create another one because I needed so I create vpro to analyze security of sip servers, especially their features discovering sip servers, enumerate observers, collecting remote users, internal numbers on a client’s, brute force, attacks for internal numbers users with a password list, or not also identifying Specific numbers identifying value-added services or so thing else. If you use this test after authentication, you have no choice except paper by the way, brute forcing or invites features. They are required to test a special features of SIP security. Also, we can initiate directing white attacks. We can initiate in my spoofing attacks or we can initiate proxy directive in most attacks, so we can easily bypass CDR records or ETS or maybe Amoy stings. If we pro easily automate this type of attacks.

This is basic discovery. Think and this discovery step is basic. Just like other penetration testing, ta types, we should stand a request and we will wait a full response to analyze, so we can send options register in my subscribe message or all meadows. So we have all in wipro another one. Is we should analyze headers in response? So left side, generic headers and low right side Brooks headers and warnings. We can collect many information from these headers, ms on devices, invoice information, they remove service software or its vulnerable or not registers. Another important test, because many a value-added services has no authentication. Another thing is these: their specific services or specific trunks or specific gateways a has not an occasion to a heat up or to speed up the connection, so we can initiate register attack to detect this notification services. Also, we can register our specific port and ipaddress to initiate row attacks such as robe fuzzing.

We will discuss in fuzzing section, but you should know a sip servers have a minute on occasion skills. So if it has an authentication just like that eh it waits a so a your registration and a it probably it sounded privileged ACL or it accepts your specific IP address and port for other requests without authentication. If this type of authentication is available, you can register your specific port, an IP address to initiate other attacks, such as directing white spoofing or fuzzing things a by the way register attack a could be used for brute force or something else. We have many more attack type also. We can bypass many things using proxy headers or a few specific features, such as a changing from field, changing contact field, aiding specific proxy hatters such as charging vector or a changing identity over proxy address, such as we asserted, identity, calling party ID or p preferred identity. These headers could be used to bypass on billing, or a security issues arose a sip specific virus acting just like another sip proxy.

We can use these attacks. Also, we have another attack, just bringing white or update. We can stand, we invite request or update request during a call to change its charging vector change its billing features, so we can use these features. Also, you can develop specific tool or specific model for wipro invite request issues just like that. We will send an invite and we will get a specific response if we can change many headers, so we can easily bypass rules protected or not specific headers. I already mentioned, and also it’s just basic usage, but we will use invite for specific tests for another test. Just trust, analyzer or something else this is the past attack it’s similar to ftp balanced attack. If remote target a has a proxy support, we can use it to stick an other servers which is trusted or not so we can use it. Basically, these are a screenshot. So this tool exposes a user agent or a server software, a remote servers and add untrust advanced it. It works just like that.

We will send a register or option or invite request to target remote server a also we will change its real or you are I to connect another one. So we can collect this information, it’s important for us because remove servers and fronting servers well protected and disturbers has many a call ACS. So we can use distribute targets if it is a proxy support, a scan, other specific features and other inaccessible servers. Also, we can initiate other attacks, such as, if trust relationships also just now, I should mention another thing. I have a friend for you. I will mention after the VDS re i should mention after the video, but i already shot see you know. So this is my friend: it’s a gift for best question its five-year age, special Turkish record, I’m from Turkey, as you know.

So, if you shot me a good question, you will have this bulb. If will had a if a video at no time to quake you a section, you will find me at a chili bar chill out bar or QA station or a just push muirhead attacked me to ask a question so and we will continue again. Effexor is another subject: we will discuss about fuzzing features or a specific mitm attacks, because our regular sip clients, generic ziplines, has no features to bypass a building or security features. Also, it has no support in my spoofing, so we will add mitm tool. We can change our clients features, for example, adding in might support in my spoofing, support, specific proxy header support to bypass building. Also, we can use this feature to fast sip clients or servers. We can easily change specific data, a bit fuzzy requests, so we will have if you crash from sip clients or servers, fax servers. Fixed services is not yet ready, not ready. Yet, by the way – and my team is ready – I updated reproached github repository, so you can easily download it and you can use it. This MIT on feature is useful for testing or adding specific features. You can use it freely, but I should mention if you use it to collect information, collect word actions from clients such as mitm attacks or something else. You should use a AR PS scan or ARP spoof or a villain, hoping attacks. You should be a man in the middle to collect this information.

Also, those is another important thing, a van we will discuss about sip servers, it’s not server, it’s a business, so money is really important for them, so we can attack their availability, locking all users if they have a cup locking policy. Also, we can initiate many call same time, so we can a overflow of a cold limits of server or we can ring all clients same time, it’s possible, so we can use this a dose think easily a by the way we can use these attacks to bypass A few features, for example, if you, if you act, if you need to act just like with a sip proxy, you should disable it. So you can use these tools to disable or unresponsive this remote, a sip server. By the way we have another attack, sip servers send many responses it’s in RFC, so we can initiate a bogus request, for example unauthenticated in white or something else they will send us many responses, 10 plus 20, plus, maybe more so we can send IP spoofed requests To targets observers, so this removes observer will send responses to another leaders target just like that.

So we can search many servers, many sip servers and we can collect all of them to initiate a DDoS attack. You should remember all sip servers. Alsip services should contain minute observers forget via connection for international connection, for the direction or wake up, so we can use all of them in same network and acting another one. We cannot access, also a trust relationship. Hacking is another subject. We can act just like the proxy, so we we can act and we can initiate call, we can send messages or we can attack mobile clients via these zip trust relationships. Ng on servers should trust each other, because TCP is slow and TLS or other encryptions. Our slope, by the way a day requires many cpu usage, so in general structure and vendors, a prefer UDP based support, allocation and UDP base trust. So we can attack just like sip proxy or something else they may. We need a specific information for a dis attack. We should have an internal number. Basically, we should be a customer of deserves because we should have a soft or hardware client to view caller ID.

We will spread IP spoofed and portsmouth packets, this target server and, if disturber trust a dry piece, there will be a call and we will learn its basic IP address and port it’s in baby steps. We should find transitive networks mostly because we should send request, invite request for each IP and port. That means 60,000, maybe more requests. If this server target server accepts one of them, we will have a call, but we we will have no idea which one is trusted. Here is the thing we have in mind, spoofing section, so i will add IP and port section in brownfield. That means van. We will have a call we should see which IP and port is trusted in flow field and calling number okay, here’s the Shema and demo. There is an attacker as I could have no idea about on cara’s or establish IP addresses and networks. He he should know only be closed Network, maybe c-class network. He should have a soft client from izmir server. This production server. He was surprised he will initiate IP spoofed packets from this field, just like a signing from Istanbul or Ankara, and when we have a call, we will see IP address and port. That means izmir trust, establish IP address and port. Ok, how can we use it stress, but but we can initiate a call if we have a specific IP address and port, we can send specific IP address and port and we can send specific from field and we can initiate a call. So it said I invite spoofing, also its CDR and building bypass by the way. He probably you should ask or a you will ask it’s just one package and we used IP spoofing and we have no responses and a how the coal works.

How will it resumed its not all required? Is we have a packet to send another one, for example, internal number: 10: 11 packages sufficient for main attacks. I will show you by the way in message. Protocol and message method has an aura stream or no state. So you can send this message short message or something else to remove server. Just like came from Istanbul or something else which trusted. That means you can exploit specific voice over IP features. Voicemail box features value-added services, just like a sandal register request for us with short message service annoys me at this mod. We can spoof this message, so we can change billing key features or we can acting a few features. I’M not here redirect me for something else. Okay, just send us a message which one is required or where you will be available: okay, redirect space my internal number: this is small message. We can stand it so we can handle all course is possible by the way we can use it to initiate those attacks. Then lost service attacks, for example ringing all clients by passing a few features initiating many calls to overloading servers or vast servers, vas services, value-added services or CDR fields. By the way we can attack specific mobile clients or desktop clients. Bambi sent this invite request or message request.

We have a few features from from name contact. Fields will be same. We can send this request to remove server and remove the redirect these fields to client, so we can facet or we can crush it with many AAAS. In front field, or from name field or contact field also, we have message support, so we can exploit this vulnerability. / message to also maybe a you know. Sip and stp has many features, so this type of sdp, request or HTTP content should be redirected. Also mine climb support should be available and you can manipulate mime types or its contents of this request to crash mobile application. A disk lines trusts remote IP address and port, so we can initiate IP spoofing easily do. Basically, I crushed an application. Other iphone, iphone, sip client, you can download it from app store, has a vulnerability. It has a no border control in from field, so we can send 550 charts in this field and it will crashed. It will be crushed, so we can exploit it.

Okay, we should summarize and collect it. We can send a packet from Istanbul, we have no idea and we cannot access this Istanbul to Izmir the production server. We have its IP address, yes, but it will redirect this call to another one something else. We have no ideas IP address, but it has an internal number, just your son number or something else. So there is no user interaction. The application will crashed. There is a client attack, so many applications can be vulnerable. This type of attacks asterisk has a limit. This from feel for this from field only 1000 charge, maybe more by the way a sip sex or other commercial products, has not so a no restriction for this flow field. So we can use this flow field from name field, contact field or other mimetypes to crush specific application. Also, we have fuzzing anyway.

The love fuss but passing is a completely different in sip protocol. You have many fathers, but these feathers are old and it’s really important, because vendors use this all tools to evolve their products. So you have no vulnerabilities to find using these tools. You should change your perspective and a vision. We can facet in many ways acting just like sip server, sip, client, mi-tm attack or just like a acting like proxy or something else, but also cool fasting is not sufficient request based and response based, fuzzing difference has a food. A few differences request based passing is popular and we have many tools for request fuzzing, but they have no state feature. They cannot track all call and they cannot fast during a call our newest sip phasing tool published in Def Con 2007. So we have no new tool. Almost six years. We can develop our specific phasing tool, especially for response based fuzzing, so we can use these features in the price specific, zip library we can initiate specific fighting features.

How about smart, fuzzing smart passing should be a real smart. It should have state support, it should has and many metals such as a subscribe, ack frack or invite we might update if we have no support in meta tools. Also, a fuzzing a certain occasions completely different thing, because we have no tool to fuss, remove service after authentication or reit authentication. So we have another thing: yes, fuzzing is cool, especially crashing an application, but in sip servers, visual fuss, specific numbers for value-added services, detecting is features directing free call features or directing a few specific things. So you can easily create your basic buzzer: okay, vpro, how it helps you. It is a basic supply, agree: f! You must have a Down fuzzing support. I will show you and also we have custom header support, so we can easily bypass melting before fuzzing. Also, let’s cut on the 20 lines may more.

We can easily develop our tools. Also, it has row request support, so you can combine it with your genetic father. It’S really a free fasting, sip services request based okay, you already knew this request based fasting and i will bypass it, but you shall know: Heather’s should be fast proxy headers or something else. Okay, here’s the thing response based fasting is not popular. Also, there is not too too fast response features of sip server. Just imagine you have two clients, one for acting just like removed if clients just one for attacking and phasing remove server during this call, you can initiate to clients separately and you can drive separately. All of them, also, you can initiate many using this library, starting one, and starting to after that, you will initiate a call from starting to and target is one also. You can add green light, fising feature during this call. You cannot SDP filing feature during this call. Also, this response is important because when you sent a request to a server server redirects the request to another client, if this client send bogus responses, this remote server should assess and analyzed and execute this response. 200. Okay, such as so we can sound bogus responses. So it’s a specific feature: you can develop your tools using wipro Libre has many features, so we have a few things to develop, such as a dress, fuzzing support, RTP support, TCP, TLS support or a minimal by the way it’s MSF licensed, so you can download it Firmly you can change it. You can develop your tools with this library.

That’S it. I will show another demo. This demo prepared to show zip bounced attack hacking, subtract relationships directing trusted servers initiating effect call after that crashing my clients example. I have a network actually a small network, three sip servers and a four zip clients. We can initiate this steep mountains attack to detect servers and clients, trust it or not. We can use remote sip proxy server. We will have to sip servers now one is ours. Another one is inaccessible for us. Also. We have another ranch, 200 and 210. I will set this ranch to the date, remove sip servers and class during test. As you see, there are many ships services, one of them sip server, other supplies. Cee-Trust hacking is basic and old method, but we can use it easily for Angel platforms, especially in the local network, so we can easily break physical network with smart models. Hacking or physical hacking, breaking locks or something else and we can initiate attack, also observes. It’S also narrable, this type of attacks, sip services tracking, should be prepared with a specific target range, and I i SAT sip server. The remote server sourced remote host its potential network.

Also, i can set a horse ranch because they can use any port to port trust or something else also. We should set interface for IP spoofing and a row request and internal number, 103 and vivian shaped miss attack. If you have a number, we have a IP for something else. We will learn which hostess trust acc 202 and if port 5060 is trusted, it’s a pair is support for restriction elation. So i can set specific lists one and i will initiate a call you. This is trans to toast and I set from field for in maths book. I can write anything i right occupied easy. If you already knew, is the park resistance in Turkey, it’s a to build by the way. If you don’t know a you can search this tag in Twitter. As you see, we have a call also. We can crash mobile application. This mobile applications other a phone in iphone FK in iphone. You can download it from app store.

I downloaded it and i initiate a secure shell station left side and i start a debugger and I crash it hit with a right terminal. I set only asset action call. I state from field to fast features, for example, set from fast 550 also. I will set to field that means our destination, our internal number remote. So i initiated the bugger. You can watch this video from YouTube too. It’S available from vpro work. Its homepage agency is really easy to use because it’s a Metasploit module set left side. As you see, 138 is iphone ipad rest, but i have no idea – and i didn’t set it in my tool. I initiate debugger to debug other a phone application, it’s PID and generate the burger you’ve initiated for this VIP, its containing. When i start the attack, you should watch and you should see less sides, a kernel, email address issue. We have a memory, corruption, vulnerability and it’s a basic dos attack. By the way a it can be exploited.

You feel free to explain. You feel free to develop and exploit for this vulnerability using this tool, so you can download this presentation from my home page also have a price on page. You can download this tool from the price on page. Also, it’s get up source code section by the way you have it a 15 minutes, training video you can use it also these papers. Yet these people help me a present. Also encourage me. I I have my respect for them. Yes, i have only one minute, so i will be a chilly out cafe. I have this one for you. If you will came to ask specific questions or smart question, i will give you okay. Thank you.