d1 - the grugq - ravage unleashed
Post on 10-Apr-2018
235 Views
Preview:
TRANSCRIPT
-
8/8/2019 D1 - The Grugq - Ravage Unleashed
1/50
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
Ravage Unleashed:Tactical VoIP Assault Tool
the grugq c2007
April 9, 2007
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 1/48
http://goforward/http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
2/50
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
Outline
1 Overview
2 IP Telephony
3 Telephony Security
4 Tactical VoIP Toolkit
5 Conclusion
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 2/48
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
3/50
-
8/8/2019 D1 - The Grugq - Ravage Unleashed
4/50
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
1 Overview
2 IP TelephonyA Bit of SIP
3 Telephony Security
HistoryComponents of Telephone SecuritySIP Assault Tactics
4 Tactical VoIP ToolkitVoIPy: Heart of the TacVTKRavage: Registrar Assault Tool
Assault Scenarios
Siping: Subversive Signaling
5 Conclusion
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 4/48
O i
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
5/50
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
A Bit of SIP
Outline
1 Overview
2IP TelephonyA Bit of SIP
3 Telephony Security
4 Tactical VoIP Toolkit
5 Conclusion
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 5/48
O i
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
6/50
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
A Bit of SIP
Public Switched Telephone Network (PSTN)
Over a century old
Acoustic based control system
Signaling is In Band
First (known) attacks in the 1950s
Secured (mostly) circa 2000
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 6/48
Overview
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
7/50
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
A Bit of SIP
VoIP Functionality
What it is Multimedia content exchange over IP network(s)
That means Voice/Video calls over the internet
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 7/48
Overview
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
8/50
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
A Bit of SIP
VoIP Functionality
What it is Multimedia content exchange over IP network(s)
That means Voice/Video calls over the internet
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 7/48
Overview
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
9/50
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
A Bit of SIP
VoIP Benefits
Significant cost savings
Added functionalityportabilitycontent tie-in
Expanded multimedia capabilities
videowhiteboards
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 8/48
Overview
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
10/50
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
A Bit of SIP
VoIP Costs
No such thing as a free lunch
Quality of serviceUnreliableSound quality issuescomfort noise
Security problems abound
All telephony assets are exposedincluding those on the PSTN
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 9/48
Overview
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
11/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
A Bit of SIP
VoIP Costs
No such thing as a free lunch
Quality of serviceUnreliableSound quality issuescomfort noise
Security problems abound
All telephony assets are exposedincluding those on the PSTN
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 9/48
Overview
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
12/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
A Bit of SIP
VoIP: Under the hood
Several protocols providing different functionality
Core IP Telephony requirements:
Signaling Call control
LookupNegotiationTear down
Media Call contentCompeting protocols for signaling
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 10/48
Overview
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
13/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
A Bit of SIP
Major Signaling Protocols
H.323
ASN.1 (binary) PER encoded protocol suite
Proprietary vendor stacks not interoperableCommon in Enterprise environments
Session Initiation Protocol SIP
Bastard son of HTTP & email
Plain text protocol over UDPCommon on the internet due to interoperabilityand ease of development
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 11/48
Overview
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
14/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
A Bit of SIP
Outline
1 Overview
2 IP TelephonyA Bit of SIP
3Telephony SecurityHistory
Components of Telephone SecuritySIP Assault Tactics
4 Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault Tool
Assault Scenarios
Siping: Subversive Signaling
5 Conclusion
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 12/48
OverviewIP T l h
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
15/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
A Bit of SIP
The SIP Protocol
Client-Server model
Based on HTTP
Defined in RFC 3261
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 13/48
OverviewIP T l h
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
16/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
A Bit of SIP
Architecture Components
Telephone User Agent (UA)
Hardware
SoftwareProxy Authorizes access to services
Interface to a local VoIP Network
Registrar URI lookup to IP network address
maps bob@biloxi.com tobob@pc13.biloxi.com
Gateways Convert call sessions from one network to another
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 14/48
OverviewIP Telephony
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
17/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
A Bit of SIP
SIP Message
Command Line METHOD URI VERSIONINVITE bob@biloxi.com SIP/2.0
Headers Name : Value[, Value]
Body Mime content
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 15/48
OverviewIP Telephony
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
18/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
A Bit of SIP
Example INVITE
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP localhost;branch=z9hG4bKaca45b4c3;rport=
To: Bob From: siping
Call-ID: eb92357c0ca7c60a
Max-Forwards: 70
Contact: siping
CSeq: 1 INVITE
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 16/48
OverviewIP Telephony History
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
19/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
HistoryComponents of Telephone SecuritySIP Assault Tactics
Outline
1 Overview
2 IP Telephony
3 Telephony SecurityHistoryComponents of Telephone SecuritySIP Assault Tactics
4 Tactical VoIP Toolkit
5 Conclusion
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 17/48
OverviewIP Telephony History
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
20/50
IP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
HistoryComponents of Telephone SecuritySIP Assault Tactics
Outline
1 Overview
2 IP TelephonyA Bit of SIP
3 Telephony SecurityHistoryComponents of Telephone SecuritySIP Assault Tactics
4 Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolAssault Scenarios
Siping: Subversive Signaling
5 Conclusion
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 18/48
OverviewIP Telephony History
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
21/50
p yTelephony Security
Tactical VoIP ToolkitConclusion
yComponents of Telephone SecuritySIP Assault Tactics
PSTN Phreaking
Generate correct acoustic tone issue control commands
Hardware based phreakingBlue Box 2600Hz to access trunk line
Captain CrunchSteve Jobs & Steve Wozniak
Red Box imitate coins in a pay phone
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 19/48
OverviewIP Telephony History
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
22/50
Telephony SecurityTactical VoIP Toolkit
Conclusion
Components of Telephone SecuritySIP Assault Tactics
Death of Phreaking
Aggressive prosecution of caught phreakers
Non technical fraud detectionCommand & Control system was moved to digital
Out of Band
Cant access it Cant control it
Process started in the 90s, mostly completed by 2000
Few hold outs across the world
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 20/48
OverviewIP Telephony History
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
23/50
Telephony SecurityTactical VoIP Toolkit
Conclusion
Components of Telephone SecuritySIP Assault Tactics
Outline
1 Overview
2 IP TelephonyA Bit of SIP
3 Telephony SecurityHistoryComponents of Telephone SecuritySIP Assault Tactics
4 Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolAssault Scenarios
Siping: Subversive Signaling
5 Conclusion
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 21/48
OverviewIP Telephony
T l h S iHistoryC f T l h S i
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
24/50
Telephony SecurityTactical VoIP Toolkit
Conclusion
Components of Telephone SecuritySIP Assault Tactics
Summary
Telephony . . .
Service Access to services, e.g. PSTN, Voice Mail, etc.
Session Phone call in progress
Identity Phone number
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 22/48
OverviewIP Telephony
T l h S itHistoryC t f T l h S it
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
25/50
Telephony SecurityTactical VoIP Toolkit
Conclusion
Components of Telephone SecuritySIP Assault Tactics
Target: Telephony Services
Access to services
Toll Fraud free telephony services
Long Distance (very important historically)PSTN access (land lines & mobile phones)
Revenue Generation toll fraud can be lucrative
Resell stolen access/minutesPremium rate numbers
900 numbers
SMSToll mismatch:
Luxembourg example
Termination cost 2 euro
Origination charge 9 cents
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 23/48
OverviewIP Telephony
Telephony SecurityHistoryComponents of Telephone Security
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
26/50
Telephony SecurityTactical VoIP Toolkit
Conclusion
Components of Telephone SecuritySIP Assault Tactics
Target: Telephone Session
Phone call in progress
Monitor
Eavesdrop on call session content
Modify Inject new contentSuppress existing content
Deny
Tear down a sessionDegrade session quality
Hijack
Combination modification/denialMalicious redirection
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 24/48
OverviewIP Telephony
Telephony SecurityHistoryComponents of Telephone Security
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
27/50
Telephony SecurityTactical VoIP Toolkit
Conclusion
Components of Telephone SecuritySIP Assault Tactics
Target: Telephony Identity
Phone number
Impersonate
Spoof out going call identification
Hijack
Capture incoming calls
Deny
Null route/re-route calls
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 25/48
OverviewIP Telephony
Telephony SecurityHistoryComponents of Telephone Security
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
28/50
Telephony SecurityTactical VoIP Toolkit
Conclusion
Components of Telephone SecuritySIP Assault Tactics
Outline
1 Overview
2 IP TelephonyA Bit of SIP
3 Telephony SecurityHistoryComponents of Telephone SecuritySIP Assault Tactics
4 Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolAssault Scenarios
Siping: Subversive Signaling
5 Conclusion
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 26/48
OverviewIP Telephony
Telephony SecurityHistoryComponents of Telephone Security
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
29/50
Telephony SecurityTactical VoIP Toolkit
Conclusion
Components of Telephone SecuritySIP Assault Tactics
Target: Service
Service Gain access to PSTN/VoIP network
Toll FraudResell access to generate revenue
Architecture Targets
Proxies
Gateways
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 27/48
OverviewIP Telephony
Telephony SecurityHistoryComponents of Telephone Security
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
30/50
p y yTactical VoIP Toolkit
Conclusion
p p ySIP Assault Tactics
Session
Signaling manipulation of an existing sessions is limited toredirecting session members
Session Redirect in session content via malicious signalsMan in the MiddleInject spurious messages
Architecture Targets
ProxiesUser Agents
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 28/48
OverviewIP Telephony
Telephony SecurityHistoryComponents of Telephone Security
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
31/50
p y yTactical VoIP Toolkit
Conclusion
p p ySIP Assault Tactics
Identity
Falsify outbound identity
Modify SIP From header
Subvert URI lookups
Remove association = Denial of ServiceModify association = Hijack
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 29/48
OverviewIP Telephony
Telephony SecurityVoIPy: Heart of the TacVTKRavage: Registrar Assault Tool
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
32/50
Tactical VoIP ToolkitConclusion
Siping: Subversive Signaling
Outline
1 Overview
2 IP Telephony
3 Telephony Security
4 Tactical VoIP ToolkitVoIPy: Heart of the TacVTK
Ravage: Registrar Assault ToolAssault ScenariosSiping: Subversive Signaling
5 Conclusion
the grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 30/48
OverviewIP TelephonyTelephony Security
T i l V IP T lki
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSi i S b i Si li
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
33/50
Tactical VoIP ToolkitConclusion
Siping: Subversive Signaling
Overview
The TacVTK provides:
Core Tools Specific assessment tasks
Framework Easy extention for custom audit requirementsAddresses lack of definitive VoIP auditting tools
First development in 2004
Under sporadic development ever since
Developed in pythonAvailable at: http://www.tacticalvoip.com/tools.html
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 31/48
OverviewIP TelephonyTelephony Security
T ti l V IP T lkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSi i S b i Si li
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
34/50
Tactical VoIP ToolkitConclusion
Siping: Subversive Signaling
Outline
1 Overview
2 IP TelephonyA Bit of SIP
3 Telephony SecurityHistoryComponents of Telephone SecuritySIP Assault Tactics
4 Tactical VoIP ToolkitVoIPy: Heart of the TacVTKRavage: Registrar Assault Tool
Assault Scenarios
Siping: Subversive Signaling
5 Conclusion
the grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 32/48
OverviewIP TelephonyTelephony Security
Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping S b ersi e Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
35/50
Tactical VoIP ToolkitConclusion
Siping: Subversive Signaling
VoIPy: heart of the TacVTK
Python module implementing core VoIP protocolsCurrently supports only SIP
Enables rapid development of custom attack tools
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 33/48
OverviewIP TelephonyTelephony Security
Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
36/50
Tactical VoIP ToolkitConclusion
Siping: Subversive Signaling
Example VoIPy code
Send an INVITE
from voipy import sip
to_uri = Bob
from_uri = Alice
msg = sip.request.Invite(to=to_uri, from=from_uri, contact=from_
sock.sendto(str(msg), (biloxi.com, 5060))
the grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 34/48
OverviewIP TelephonyTelephony Security
Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
37/50
Tactical VoIP ToolkitConclusion
Siping: Subversive Signaling
Outline
1 Overview
2 IP TelephonyA Bit of SIP
3 Telephony Security
HistoryComponents of Telephone SecuritySIP Assault Tactics
4 Tactical VoIP ToolkitVoIPy: Heart of the TacVTKRavage: Registrar Assault Tool
Assault Scenarios
Siping: Subversive Signaling
5 Conclusion
the grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 35/48
OverviewIP TelephonyTelephony Security
Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
38/50
Tactical VoIP ToolkitConclusion
Siping: Subversive Signaling
Ravage: Registrar Assault Tool
Core tool for auditting SIP registarsSIP registrars are critical components for secure SIP networks
Ravage provides several attack modes
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 36/48
OverviewIP TelephonyTelephony Security
Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
39/50
act ca o oo tConclusion
S p g Sub e s e S g a g
Ravage: Attack Modes
Enum enumerate usernames on a Registrar
OPTIONS
INVITE
REGISTER
Bruteforce guess user/pass combos for a Registrar
REGISTER
INVITE
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 37/48
OverviewIP TelephonyTelephony Security
Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
40/50
Conclusionp g g g
Ravage: Subversion Attack Modes
Inject insert a binding into a registrarRemove delete a binding from a registrar
Hijack take over a binding in a registrar
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 38/48
OverviewIP TelephonyTelephony Security
Tactical VoIP Toolkit
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
41/50
Conclusion
Ravage textttENUM
Enumerate usernames within a SIP environmentTechniques:
INVITE
If response is not 404 Not Found user existsOPTIONS
Identical to INVITELess noisy, since OPTIONS doesnt initiate a call
sessionREGISTER
If response is 401 Unauthorised user exists
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 39/48
OverviewIP TelephonyTelephony Security
Tactical VoIP ToolkitC
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
42/50
Conclusion
Ravage textttBRUTE
Try username/password combinations to gain accessTechniques:
REGISTERTarget a RegistrarAttempt to insert/remove a binding
INVITE
Target an authorising proxyAttempt to initiate a call session
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 40/48
OverviewIP TelephonyTelephony Security
Tactical VoIP ToolkitC l i
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
43/50
Conclusion
Ravage Modification
Alter the bindings of within a SIP RegistrarTechniques:
Remove
REGISTER with an Expires set to 0
Insert
REGISTER with a new Contact URI
Hijack
REGISTER with an Expires set to 0REGISTER with a new Contact URI
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 41/48
OverviewIP TelephonyTelephony Security
Tactical VoIP ToolkitC l i
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
44/50
Conclusion
Toll Fraud for Dummies
Enumerate accounts in a SIP environment
$ ravage enum ...
Gain access to an account$ ravage brute ...
Create a trunk using the account
asterisk
Sell access to the illicit trunkProfit!
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 42/48
OverviewIP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
45/50
Conclusion
Phishing Accelerator
Directed attack against a financial institution
Potential telephony infrastructure targets:
Call center loginsTelecos providing VoIP services
Redirect incoming phone calls to VoIP harvester
Victim calls phone banking hotline
Hallo. Welcome your bank. Please be entering pin number.Thanking you.
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 43/48
OverviewIP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
46/50
Conclusion
Outline
1 Overview
2 IP TelephonyA Bit of SIP
3 Telephony Security
HistoryComponents of Telephone SecuritySIP Assault Tactics
4 Tactical VoIP ToolkitVoIPy: Heart of the TacVTKRavage: Registrar Assault Tool
Assault Scenarios
Siping: Subversive Signaling
5 Conclusion
the grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 44/48
OverviewIP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
47/50
Conclusion
siping
Craft custom SIP messages on the command line
Provides limited UA logic
Useful for poking servers
Capable of creating arbitrary SIP message content
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 45/48
OverviewIP TelephonyTelephony Security
Tactical VoIP ToolkitConclusion
VoIPy: Heart of the TacVTKRavage: Registrar Assault ToolSiping: Subversive Signaling
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
48/50
Conclusion
siping example
Example INVITE
grugq@zer0gee:~/siping$ siping.py -v -mI sip:bob@biloxi.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
INVITE sip:bob@biloxi.com SIP/2.0Via: SIP/2.0/UDP localhost;branch=z9hG4bKac2ba31c6;rport=
To:
From: siping
Call-ID: d42e27136a5dd71c
Max-Forwards: 70
Contact: siping
CSeq: 1 INVITE
the grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 46/48
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
49/50
Outline
1 Overview
2 IP Telephony
3 Telephony Security
4 Tactical VoIP Toolkit
5 Conclusion
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 47/48
OverviewIP Telephony
Telephony SecurityTactical VoIP Toolkit
Conclusion
http://find/http://goback/ -
8/8/2019 D1 - The Grugq - Ravage Unleashed
50/50
VoIP Security more Critical
VoIP continues to gain traction
VoIP security is still primitive
TacVTK provides new capabilities to auditors
ravage: SIP registrar security analysissiping: SIP signaling injection toolVoIPy: flexible VoIP development framework
VoIP makes phone calls as secure as email
he grugq c2007 Ravage Unleashed: Tactical VoIP Assault Tool 48/48
http://find/http://goback/
top related