8/8/2019 Voip Vulnerability IPCOMM_SIP
Session Initiation Protocol (SIP) Vulnerabilities
Mark D. Collier
Chief Technology Officer
SecureLogix Corporation
What Will Be Covered
Introduction to SIP
General SIP security
SIP vulnerabilities and attack tools
Recommendations
Links
SIP Introduction
Session Initiation Protocol (SIP):
Is a general-purpose protocol for managing sessions
Can be used for any type of session
Provides a means for voice signaling
Defined by the IETF (looks like an Internet protocol)
Resembles HTTP
ASCII requests/responses
SIP Introduction
Why is SIP important:
Generally viewed as the protocol of the future
Designed to be simple (it's not) and extensible
Supported by major vendors (sort of)
Used by many service providers
Provides a foundation for application support
Will be used for public VoIP access
SIP Introduction
[Diagram labels: Internet connection, Internet, public voice network, SIP trunk, IP PBX, TDM phones, IP phones, voice VLAN, data VLAN, PCs]
SIP Components
[Diagram labels: user agents, proxy, SDP, codecs, SIP, RTP, RTCP, UDP, TCP, IPv4, IPv6]
SIP Call Flow
[Diagram: two users and two proxies; links labelled SIP/SDP over UDP/TCP and RTP/RTCP over UDP]
SIP Vulnerabilities
Security issues with SIP:
SIP is a complex, free format protocol
SIP itself does not require any security
Security mentioned in SIP RFC, but not required
Security degrades to common feature set
Security is not mandatory even if available
UDP is commonly used for SIP transport
Network Address Translation (NAT) breaks security
Data firewalls do not monitor SIP
SIP Vulnerabilities
SIP-Specific Vulnerabilities:
Eavesdropping
General and directory scanning
Flood-based Denial of Service (DoS)
Fuzzing Denial of Service (DoS)
Registration manipulation and hijacking
Application man-in-the-middle attacks
Session tear down
check-sync reboots
Redirect attacks
RTP attacks
SPIT
Eavesdropping
[Diagram labels: two users, two proxies, attacker]
Eavesdropping Tools
General/Directory Scanning
[Diagram labels: attacker, two proxies; INVITE, OPTIONS, or REGISTER requests]
General Scanning Tools
Nmap has the best VoIP fingerprinting database
nmap -O -P0 192.168.1.1-254
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 01:03 CST
Interesting ports on 192.168.1.21:
(The 1671 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
23/tcp open telnet
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP phone (POS3-04-3-00, PC030301)
Interesting ports on 192.168.1.23:
(The 1671 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
Device type: VoIP phone|VoIP adapter
Running: Cisco embedded
OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter
Interesting ports on 192.168.1.24:
(The 1671 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Device type: VoIP adapter
Running: Sipura embedded
OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway
Directory Scanning Tools
Linux tools:
dirscan - uses requests to find valid UAs
authtool - used to crack digest authentication
Denial of Service
Every Component Processing Signaling or Media Is A Target
[Diagram labels: media gateways, proxies, registrars, users, FW/NAT]
Flood-based Denial of Service
[Diagram labels: flood application on PC; INVITE, REGISTER floods; SIP proxy; SIP phones]
Flood-based Denial of Service Tools
Linux tools:
inviteflood - floods target with INVITE requests
registerflood - floods registrar with REGISTER requests
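Both directory scanning and flooding show up at a proxy or SIP firewall as per-source anomalies: many distinct users addressed in a short time, or a high rate of INVITE/REGISTER requests. The following Python detector is an added example, not part of the original slides; the thresholds, the event tuple layout and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 10.0        # seconds of history kept per source (assumed tuning value)
MAX_REQUESTS = 20    # INVITE/REGISTER per source per window (assumed)
MAX_TARGETS = 8      # distinct users addressed per source per window (assumed)
WATCHED = {"INVITE", "OPTIONS", "REGISTER"}

def detect(events):
    """events: time-ordered (time, source, method, target_user) tuples.
    Returns {source: set of alert names} for sources that crossed a limit."""
    recent = defaultdict(deque)
    alerts = defaultdict(set)
    for ts, src, method, user in events:
        if method not in WATCHED:
            continue
        window = recent[src]
        window.append((ts, method, user))
        while ts - window[0][0] > WINDOW:      # expire entries older than WINDOW
            window.popleft()
        volume = sum(1 for _, m, _ in window if m in ("INVITE", "REGISTER"))
        if volume > MAX_REQUESTS:
            alerts[src].add("flood")
        if len({u for _, _, u in window}) > MAX_TARGETS:
            alerts[src].add("directory-scan")
    return dict(alerts)

def sample_events():
    """Constructed traffic: a normal phone, a directory scanner and a flooder."""
    phone = [(30.0 * i, "192.0.2.10", "REGISTER", "6713") for i in range(4)]
    scan = [(1.0 + 0.2 * i, "198.51.100.7", "OPTIONS", str(6000 + i)) for i in range(30)]
    flood = [(5.0 + 0.01 * i, "203.0.113.9", "INVITE", "6713") for i in range(200)]
    return sorted(phone + scan + flood)
```

A scan paced slower than the window stays under MAX_TARGETS, so the window and limits have to be tuned against normal traffic for the site.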
Fuzzing Denial of Service
INVITE sip:[email protected]:6060;user=phone SIP/2.0
Via: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaa
From: UserAgent
To: 6713
Call-ID: [email protected]
CSeq: 1 INVITE
Subject: VovidaINVITE
Contact:
Content-Type: application/sdp
Content-Length: 0
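A SIP firewall or proxy front end can reject a request like this before it reaches the SIP stack. The following Python check is an added example, not code from the original slides: it validates the request line, header value sizes (including folded lines and compact header names), the header fields RFC 3261 requires, and Content-Length. The size limits and the sample messages are assumptions constructed for illustration.

```python
import re

MAX_HEADER_VALUE = 256    # assumed policy limit, not a value from the SIP RFCs
MAX_MESSAGE_SIZE = 4096   # assumed policy limit for one request
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}  # RFC 3261, 8.1.1
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")

def check_sip_request(raw: bytes) -> list:
    """Return policy violations found before the request reaches the SIP stack."""
    problems = ["message too large"] if len(raw) > MAX_MESSAGE_SIZE else []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        problems.append("bad request line")
    headers, name = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and name:   # folded line continues the last header
            headers[name][-1] += " " + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            problems.append("malformed header line")
            continue
        name = COMPACT.get(key.strip().lower(), key.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    for hdr, values in headers.items():
        if any(len(v) > MAX_HEADER_VALUE for v in values):
            problems.append(f"{hdr} value too long")
    problems += [f"missing {hdr}" for hdr in sorted(REQUIRED - headers.keys())]
    declared = headers.get("content-length", [str(len(body))])[-1]
    if not re.fullmatch(r"[0-9]+", declared) or int(declared) != len(body):
        problems.append("content-length mismatch")
    return problems

def build(via: str) -> bytes:   # constructed sample INVITE; hosts are placeholders
    return ("INVITE sip:6713@pbx.example.com SIP/2.0\r\n"
            f"Via: {via}\r\n"
            "Max-Forwards: 70\r\n"
            "From: <sip:alice@example.com>;tag=1\r\n"
            "To: <sip:6713@pbx.example.com>\r\n"
            "Call-ID: a1b2c3@192.0.2.10\r\n"
            "CSeq: 1 INVITE\r\n"
            "Content-Length: 0\r\n\r\n").encode()

GOOD = build("SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds")
FUZZED = build("a" * 1000)                       # overlong Via, as on the slide
FOLDED = build("a" * 200 + "\r\n " + "a" * 200)  # same value split by line folding
```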
Fuzzing Denial of Service Tools
Linux tools:
protos SIP test suite
Commercial tools:
Codenomicon
Registration Manipulation Tools
Linux tools:
erase_registrations - removes a registration
add_registrations - adds one or more bogus registrations
Registration Hijacking
[Diagram labels: two users, two proxies, attacker; hijacked session, hijacked media]
Registration Hijacking Tools
Linux tools:
reghijacker - hijacks a registration, even when using authentication
authtool - cracks digest authentication
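Registration manipulation and hijacking both leave a trace in the registrar's REGISTER history: bindings for an address-of-record are removed, added or replaced by a source that did not create them. The following Python audit is an added example, not part of the original slides; it treats the source address as the identity of the registering device, which is an assumption (phones behind one NAT share an address), and the record layout and sample data are constructed. In SIP, a REGISTER with "Contact: *" and "Expires: 0" removes all bindings for the address-of-record.

```python
def audit_registrations(events):
    """events: time-ordered (time, source, aor, contact, expires) tuples taken
    from REGISTER requests. Returns a list of (time, aor, finding)."""
    bindings = {}    # aor -> {contact: (expiry_time, registering_source)}
    erased_by = {}   # aor -> source that removed bindings it did not create
    findings = []
    for now, src, aor, contact, expires in events:
        live = {c: b for c, b in bindings.get(aor, {}).items() if b[0] > now}
        # "foreign": the AOR has live bindings and none was created by this source
        foreign = bool(live) and src not in {b[1] for b in live.values()}
        if contact == "*" or expires == 0:           # de-registration request
            if foreign:
                findings.append((now, aor, "removed by another source"))
                erased_by[aor] = src
            if contact == "*":
                live = {}
            else:
                live.pop(contact, None)
        else:                                        # new or refreshed binding
            if foreign:
                findings.append((now, aor, "added by another source"))
            elif erased_by.pop(aor, None) == src:
                findings.append((now, aor, "replaced after removal"))
            live[contact] = (now + expires, src)
        bindings[aor] = live
    return findings

AOR_A, AOR_B = "sip:6713@example.com", "sip:6714@example.com"   # constructed AORs
SAMPLE = [   # constructed REGISTER records: (time, source, aor, contact, expires)
    (0, "192.0.2.10", AOR_A, "sip:6713@192.0.2.10", 3600),
    (10, "192.0.2.11", AOR_B, "sip:6714@192.0.2.11", 3600),
    (100, "198.51.100.7", AOR_B, "sip:6714@198.51.100.7", 3600),   # extra contact
    (1800, "192.0.2.10", AOR_A, "sip:6713@192.0.2.10", 3600),      # normal refresh
    (2000, "198.51.100.7", AOR_A, "*", 0),                         # remove all
    (2001, "198.51.100.7", AOR_A, "sip:6713@198.51.100.7", 3600),  # rebind elsewhere
]
```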
Application Man-in-the-middle
Attacker Places Themselves Between Proxies Or Proxy/UA
[Diagram labels: two users, two proxies, attacker]
Application Man-in-the-middle Tools
Linux tools:
sip_rogue - rogue SIP proxy or B2BUA
Session Tear Down
Attacker Sends BYE Messages To UAs
[Diagram labels: attacker, two proxies, two users]
Session Tear Down Tools
Linux tools:
teardown - used to terminate a SIP call
Check-sync Reboot
Attacker Sends check-sync Messages To UA
[Diagram labels: attacker, two proxies, two users]
Check-sync Reboot Tools
Linux tools:
check_sync - causes a SIP phone to reboot
Redirection
Inbound Calls Are Redirected
Attacker Sends 301/302 Moved Message
[Diagram labels: attacker, two proxies, two users]
Redirection Tools
Linux tools:
redirector - used to redirect calls from a SIP UA
RTP/Audio Injection/Mixing
Attacker Observes RTP and Injects or Mixes in New Audio
[Diagram labels: attacker, two proxies, two users]
RTP/Audio Injection/Mixing
Linux tools:
rtpinjector - monitors an RTP session and injects or mixes in new audio
SPIT
SPIT Tools
Linux tools:
Asterisk - a free, easily installed SIP PBX that makes it easy to generate SPIT
spitter - a tool that creates SPIT files for Asterisk
Links
www.hackingvoip.com - SIP attack tools
ethereal - www.ethereal.com
wireshark - www.wireshark.com
SiVuS - www.vopsecurity.org
Cain and Abel - http://www.oxid.it/cain.html
Fuzzing - http://www.ee.oulu.fi/research/ouspg/protos/index.html
Codenomicon - www.codenomicon.com
Asterisk - www.asterisk.org
Trixbox - www.trixbox.org
Recommendations
Establish policies and procedures
Follow best practices for data security
Secure the platforms, network, & applications
Use standards-based security, such as TLS and SRTP
Use SIP firewalls
Continue to protect legacy networks
Use knowledgeable security consultants to design, test, and secure your network
Key Points to Take Home
SIP is an important VoIP protocol
SIP will be used for public VoIP access
SIP is vulnerable to attacks
There are tools available to implement these attacks
There are steps you can take to improve security
Contact:
Mark D. Collier
[email protected]
www.securelogix.com
(210) 402-9669
QUESTIONS?