VoIP Wars: Return of the SIP
Formal Metadata
Number of Parts: 112
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/38924 (DOI)
DEF CON 21, 80 / 112
Transcript: English (auto-generated)
00:00
First of all, my apologies about my English level. It's Yoda level, and it's a Jedi tradition. Just forgive me. I have been a penetration tester for 13 years. My special expertise is in voice over IP servers, voice over IP infrastructure, mobile applications,
00:26
and also other ones. I'm the author of a voice over IP testing kit. Also I published a small paper about relationship hacking. Also I demonstrated the voice over IP testing kit yesterday at Black Hat,
00:58
and I will discuss a few advanced attacks. Viproy has a few modules to demonstrate or exploit these attacks.
01:11
And this is a small Viproy demonstration. Viproy has a few modules, ten modules right now.
01:25
But I'm working on three modules. It's a Metasploit modules pack. You can download it and extract it in the Metasploit root directory. So you can use it to discover SIP infrastructure, voice
01:41
over IP infrastructure. You can collect information from SIP servers. Also you can get a few important things from SIP servers. Also you can enumerate target servers. Here is Viproy in action. It has debug support. Also it has verbose support. That means
02:07
you can easily collect information from this debug data. Discovery can be used for collecting information. So we can use all methods, all SIP infrastructure and protocol
02:25
methods, in this collecting part and discovery part. So Viproy has REGISTER, OPTIONS, INVITE, SUBSCRIBE, and a few methods to discover features of the SIP server. It's basically a
02:43
SIP client, but a smart one. You can easily develop another module for your custom test or something else. It has a SIP library, actually a Metasploit Rex library. That's
03:02
the register test. We can register to an infrastructure, or we can register a client, or we can register a user to a SIP server using Viproy. Also we can initiate calls with a user or without a user, through a SIP proxy or not. Also we have a few headers in the request, so we can manipulate
03:27
this request and its headers to bypass billing, to bypass restrictions of SIP ACLs or SIP firewalls. This is a basic demonstration of the basic features of Viproy. I
03:53
will talk about these basic features now, but I will discuss a few advanced attacks in this session. Also I have another demo at the end of this presentation for these advanced
04:07
attacks. So this is his first time speaking, so we need him to do a shot on stage.
04:34
Okay. Cheers. What a surprise. Do you need another one? No, not now. Maybe later.
04:51
All right. Thanks a lot. Thank you guys. I was nervous and I'm fine right now. Okay.
05:05
We should pass this part, this action. Okay, we have a few people coming. We can start the actual presentation. You can watch this video that I just played. It's
05:27
already on YouTube. Also I played this video at many security conferences to show Viproy's basic features and basic attack abilities. So I will discuss these attacks
05:40
and how we can use these attacks to bypass security features of SIP servers. And this is my agenda today: discovery, footprinting, collecting information, initiating a call, initiating a bypass for CDR or billing or restrictions or something else. Also we
06:02
have another attack, the SIP bounce attack. I will explain it. Also fake services and MITM. Yeah, we have another module, a SIP proxy for the MITM thing. Also SIP servers should be available 24/7, so we can attack them using those features or something else.
06:27
Also we have another feature, hacking SIP trust relationships, because they trust each other, so we can act just like one. Also we can use these SIP features or SIP trust hacking features to attack another client, a specific mobile client or other desktop client. Also
06:48
advanced fuzzing, another subject for us. I will discuss a few fuzzing features. Out of scope is actually RTP. I will add RTP features later. Also additional services
07:04
are not a subject. Also XML- or JSON-based supporting services are not required for this presentation. SIP is the Session Initiation Protocol. It's just a signaling protocol for NGN services or SIP-based telephony services. Next generation network is the post-modern TDM devices.
07:30
Actually, sorry, HP blade-like systems. They have three or maybe more soft switches, RTP proxy, SIP proxy or something else. So they should connect to MSAN or MDP devices.
07:45
I will show an infrastructure for this sample. So SIP and the Megaco protocol, also RTP, are the heart of this NGN infrastructure. Also SIP should be implemented securely in these
08:03
NGN platforms. So we will hack this SIP protocol and we will hack this NGN infrastructure. They use the next generation network term, but I believe it's not, because SIP is an old protocol. SIP has many security weaknesses, and we will discuss these weaknesses in this presentation.
08:26
This is a sample SIP server in your network. If you have a network, a commercial network, it should be placed just like that. By the way, commercial services are completely different. This is a sample next generation network infrastructure. SIP servers, also known
08:44
as soft switches, are the heart of this infrastructure. SDP servers, also other servers such as VAS or DBI or CDR. These servers should be connected with the soft switches. Also MSAN
09:05
devices and media gateway devices should be implemented for end point termination. Between MSAN, media gateway devices and soft switches, the protocol is Megaco.
09:22
Other connections, especially redirecting calls between soft switches, should be SIP. Also, you should know, you have used many soft phone applications on your mobile phones.
09:42
That means you already have SIP services and you are a customer of a SIP provider. But
10:02
SIP is vulnerable. This infrastructure is not closed, but they think it's closed. Actually, it has open physical access. Also, you can easily manipulate end point terminators such as smart modems or something else. Also, they think abusing SIP requires specific
10:25
knowledge. That's no longer the case, because we have many features to easily test these SIP servers' features and security. Also, they focused on toll-based attacks, toll
10:42
fraud or something else, but we have many attacks: spying, phishing, surveillance, DDoS attacks, or attacking actual mobile clients or desktop clients. Also, value added services are other important vulnerable servers.
11:01
Also they think they are invulnerable devices, well configured and secure. They are vulnerable. They use old software. They actually use legacy software, Solaris 5 or Linux Slackware 2.1 or something else. So we can easily bypass and exploit them. But that is not
11:27
our real subject. We will discuss one specific SIP protocol. Viproy is a Volcanic word. That means call. Viproy has many modules to test SIP servers'
11:42
security. So we can actually initiate a few advanced attacks and mostly all basic attacks on these target SIP servers using Viproy's modules. Also, it has custom header support. It has authentication support, but in many ways: just proxy authentication,
12:05
server authentication for different hashing algorithms and a few other ones. Also, I have a few new modules such as trust analyzer, short message service tester, bounce scan module, DDoS initializer, or directly a MITM proxy tool. You can use this
12:28
tool to test the attacks which we will discuss now. Basic attacks are important. They are not new. But we had no sufficient tool to analyze
12:43
this type of attack. So we should create another one. I should create another one because I need it. So I created Viproy to analyze the security of SIP servers, especially
13:06
their features: discovering SIP servers, enumerating SIP servers, collecting remote users, internal numbers or clients, brute force attacks for internal numbers, users
13:21
with a password list or not. Also, identifying specific numbers, identifying value added services or something else. If you use this test after authentication, you have no choice except Viproy. By the way, brute forcing or invite features are
13:45
required to test special features of SIP security. Also, we can initiate direct invite attacks. We can initiate invite spoofing attacks, or we can initiate proxy direct invite attacks. So we can easily bypass CDR records or ACLs or maybe invoice things.
14:12
Viproy easily automates this type of attack. This is the basic discovery thing. This discovery step is basic, just like other penetration testing types. We should send a request and
14:28
wait for a response to analyze. So we can send OPTIONS, REGISTER, INVITE, SUBSCRIBE, MESSAGE, or all methods. So we have all of them in Viproy. Another one is we should analyze the headers in
14:45
the response. So on the left side are generic headers and on the right side proxy headers and warnings. Otherwise we can collect much information from these headers: MSAN devices, invoice information, remote server software, or whether it's vulnerable or not. Register is another important
15:08
test because many services have no authentication. Another thing is these specific services or
15:20
specific trunks or specific gateways have no authentication, to speed up the connection. So we can initiate a register attack to detect these no-authentication services. Also we can register our specific port and IP address to initiate raw attacks such as raw fuzzing.
15:44
We will discuss it in the fuzzing section. But you should know, some servers have many authentication skills. So if it has an authentication just like that, it waits for your registration
16:02
and it's an underprivileged ACL, or it accepts your specific IP address and port for other types of authentication. By the way, the register attack could be used for brute force or something
16:28
else. We have many more attack types. Also we can bypass many things using proxy headers or a few specific features such as changing the From field, changing the Contact field,
16:46
adding specific proxy headers such as the charging vector, or changing identity over proxy headers such as the identity, calling ID or preferred identity. These headers could be used to
17:01
bypass billing or security ACLs, other SIP-specific firewalls, acting just like another SIP proxy. We can use these attacks. Also we have another attack, just invite or update. We can send an INVITE request or UPDATE request during a call to change its charging vector,
17:27
or change its billing features. So we can use these features. Also you can develop a specific tool or specific module for Viproy. Invite request issues are just like that: we
17:44
will send an INVITE and we will get a specific response. We can change many headers. So we can easily bypass rules, protected or not. Specific headers I already mentioned.
18:03
Also it's just basic usage. But we will use INVITE for specific tests, for another test, just the trust analyzer or something else. This is similar to the FTP bounce attack. If
18:20
the remote target has proxy support, we can use it to scan other servers, which are trusted or not. So we can use it basically. These are the screenshots. So this tool exposes user agent or server software, remote servers and untrusted ones. It works just
18:48
like that. We will send a REGISTER or OPTIONS or INVITE request to the target remote server. Also we will change its realm or URI to connect to another one. So we can collect this
19:05
information. It's important for us because remote servers and frontend servers are well protected and this server has many call ACLs. So we can use these remote targets if they have
19:23
proxy support, to scan other specific features and other inaccessible servers. Also we can initiate other attacks such as trust relationship attacks. Also just now I should mention another thing. I have a friend for you. I will mention it after the -- sorry. I should
19:47
mention it after the video, but I already shot, you know. So this is my friend. It's a gift for the best question. It's a five-year-old special Turkish record. I'm from Turkey, as you know. So if you shoot me a good question, you will have this ball. If we have no time
20:14
for a Q&A section, you will find me at the chill bar, the chill-out bar, or the Q&A section,
20:20
or just push me or attack me to ask a question. So we will continue again. Fake services is another subject. We should discuss fuzzing features or specific MITM attacks, because our regular SIP clients, generic SIP clients, have no features to bypass
20:46
billing or security features. Also they have no support for invite spoofing. So we will add a MITM tool. We can change our clients' features. For example, adding invite support,
21:01
invite spoofing support, specific proxy header support to bypass billing. Also we can use this feature to fuzz SIP clients or servers. We can easily change specific data with fuzzing requests. So we will have a few crashes from SIP clients or servers.
21:23
Fake servers -- fake services are not yet ready. Not ready yet. By the way, MITM is ready. I updated the GitHub repository, so you can easily download it and you can use it. This MITM feature is useful for testing or adding specific features. You
21:47
can use it freely. But I should mention, if you use it to collect information, collect credentials from clients, such as MITM attacks or something else, you should use ARP scan
22:01
or ARP spoof or VLAN hopping attacks. You should be a man in the middle to collect this information. Also, this is another important thing when we discuss SIP servers. It's not a server. It's a business. So money is really
22:21
important for them. So we can attack their availability: locking all users if they have an account locking policy. Also, we can initiate many calls at the same time. So we can overflow the call limits of the server. Or we can ring all clients at the same time. It's possible.
22:46
So we can use this -- those things easily. By the way, we can use these attacks to bypass a few features. For example, if you need to act just like a SIP proxy, you should disable it. So you can use these tools to
23:09
disable or make unresponsive this remote SIP server. By the way, we have another attack. SIP servers send many responses. It's in the RFC. So we can initiate a bogus request. For example,
23:29
an unauthenticated INVITE or something else. They will send us many responses. Ten plus, ten plus, maybe more. So we can send IP-spoofed requests to target SIP servers. So this
23:47
remote SIP server will send responses to another DDoS target. Just like that. So we can search for many servers, many SIP servers, and we can collect all of them to initiate
24:05
a DDoS attack. You should remember all SIP servers -- all SIP services should contain many SIP servers for gateway connection, for international connection, for redirection or backup. So we can use all of them in the same network. And I think another one
24:26
we cannot access. Also, trust relationship hacking is another subject. We can act just like a SIP proxy. So we -- we can act and we can initiate a
24:41
call, we can send messages, or we can attack mobile clients via these SIP trust relationships. NGN servers should trust each other because TCP is slow and TLS or other encryptions are slow. By the way, they require much CPU usage. So NGN infrastructure and vendors
25:06
prefer UDP-based SIP authentication and UDP-based trust. So we can attack just like a SIP proxy or something else. We need specific information for this attack. We
25:24
should have an internal number. Basically we should be a customer of this service, because we should have a software or a hardware client to view the caller ID. We will spread IP-spoofed and port-spoofed packets to this target server, and if this server trusts
25:49
other IPs, there will be a call and we will learn its basic IP address and port. It's in baby steps. We should find trusted SIP networks, mostly B-class. We should
26:06
send a request, an INVITE request, for each IP and port. That means 60,000, maybe more, requests. If this server, the target server, accepts one of them, we will have a call. But we will
26:25
have no idea about which one is trusted. Here is the thing. We have an invite spoofing section, so I will add an IP and port section in the From field. That means when we have a call,
26:42
we should see which IP and port is trusted in the From field and calling number. Okay. Here is the demo. There is an attacker. The attacker has no idea about Ankara's or Istanbul's IP addresses and networks. He should know only the B-class network, maybe
27:05
the C-class network. He should have a soft client from the Izmir server, this production server. He will initiate IP-spoofed packets from this field, just like sending from Istanbul
27:27
or Ankara. And when we have a call, we will see the IP address and port. That means Izmir trusts Istanbul's IP address and port. Okay. How can we use it?
27:44
It's trusted, but we can initiate a call. If we have a specific IP address and port, we can send the specific IP address and port and we can send a specific From field, and we
28:01
can initiate a call. So invite spoofing also, it's a CDR and billing bypass. By the way, probably you should ask or you will ask: it's just one packet and we used IP spoofing and we have no responses, so how does the call work, how will it resume?
28:26
It's not. All that is required is we have a packet to send to another one. For example, internal number 101. One packet is sufficient for the main attacks. I will show you. By the way,
28:44
in the message protocol, a MESSAGE method has no resume or no state. So you can send this message, short message or something else, to the remote server, just like it came from Istanbul or something else, which it trusts. That means you can exploit specific voice over IP features,
29:08
voice mail box features, value added services, just like sending a register request for us with the short message service. Invoice me this month. We can spoof this message.
29:23
So we can change billing features or we can activate a few features. I'm not here. Redirect me to something else. Okay. Just send us a message: which one is required or where you will be available. Okay. Redirect, space, my internal number. That's a small message.
29:46
We can send it. So we can handle all calls. It's possible. By the way, we can use it to initiate DoS attacks. For example, ringing all clients, bypassing a few features, initiating many calls to overload servers or VAS services.
30:10
By the way, we can attack specific mobile clients or desktop clients. When we send this INVITE request or MESSAGE request, we have a few features. The From, From name, Contact
30:30
fields will be the same. We can send this request to the remote server and the remote server redirects these fields to the client. So we can fuzz it or we can crash it with many A's in the From
30:48
field or From name field or Contact field. Also we have MESSAGE support. So we can exploit this vulnerability over MESSAGE too. Also, maybe, you know, SIP and SDP have many features.
31:07
So this type of SDP request or SDP content should be redirected. Also MIME type support should be available. And you can manipulate the MIME types or the contents of this request
31:23
to crash the mobile application. These clients trust the remote IP address and port. So we can initiate IP spoofing easily. Basically, I crashed an application, another iPhone SIP client;
31:44
you can download it from the App Store. It has a vulnerability. It has no boundary control on the From field. So we can send 550 chars in this field and it will crash. It will
32:01
be crashed. So we can exploit it. Okay. We should summarize and collect it. We can send a packet from Istanbul. We have no idea and we cannot access this Istanbul to Izmir, the production server. We have its IP address, yes. But it will redirect this call to another
32:26
one, something else. We have no idea of its IP address. But it has an internal number, just like your cell number or something else. So there is no user interaction. The application will crash. This is a client attack. So many applications can be vulnerable to this
32:47
type of attack. Asterisk has a limit for this From field. Only 1,000 chars, maybe more. By the way, sipX or other commercial products have no restriction for it. So
33:04
we can use this From field, From name field, Contact field or other MIME types to crash a specific application. Also, we have fuzzing. Anybody love fuzzing? But fuzzing is completely
33:24
different in the SIP protocol. You have many fuzzers. But these fuzzers are old. And it's really important, because vendors use these old tools to evolve their products.
33:41
So you have no vulnerabilities to find using these tools. You should change your perspective and vision. We can fuzz it in many ways: acting just like a SIP server, a SIP client, a MITM attack, or just acting like a proxy or something else. But old-school fuzzing is not sufficient.
34:07
Request-based and response-based fuzzing have a few differences. Request-based fuzzing is popular and we have many tools for request fuzzing. But they have
34:23
no state feature. They cannot track a whole call and they cannot fuzz during a call. Our newest SIP fuzzing tool was published at DEF CON 2007. So we have had no new tool for almost
34:44
six years. We can develop our specific fuzzing tool, especially for response-based fuzzing. So we can use these features in the specific SIP library. We can initiate specific fuzzing
35:02
features. How about smart fuzzing? Smart fuzzing should be really smart. It should have state support. It should have many methods such as SUBSCRIBE, ACK, PRACK or INVITE,
35:21
re-INVITE, UPDATE. We have no support in the metatools. Also fuzzing is a completely different thing, because we have no tool to fuzz remote servers after authentication or with authentication. So we have another thing. Yes, fuzzing is cool, especially crashing an application.
35:46
But in SIP servers we should fuzz specific numbers for value added services: detecting its features, detecting free call features or detecting a few specific things. So you
36:04
can easily create your basic fuzzer. Okay. How does it help you? It is a basic SIP library. A few modules have dumb fuzzing support. I will show you. Also, we have custom header
36:26
support. So we can easily bypass many things before fuzzing. Also, less code. Only 20 lines, maybe more. We can easily develop our tools. Also, it has raw request support
36:42
so you can combine it with your generic fuzzer. It's really free. Fuzzing SIP services request based. Okay. You already knew this request based fuzzing and I will bypass it. But you should know headers should be fuzz, proxy headers or something else. Okay. Here's the
37:13
fast response features of the SIP server. Just imagine you have two clients, one for acting
37:22
just like a remote SIP client, and one for attacking and fuzzing the remote server during this call. You can initiate two clients separately and you can drive all of them separately. Also, you can initiate many using this library.
37:46
Starting one and starting two. After that, you will initiate a call from the second one and the target is the first one. Also, you can add a re-INVITE fuzzing feature during this call.
38:02
You can add an STP fuzzing feature during this call. Also, this response is important because when you send a request to a server, the server redirects the request to another client. If this client sends bogus responses, this remote server should assess and analyze
38:24
and execute this response, such as 200 OK. So we can send bogus responses. So it's a specific feature. You can develop your tools using Viproy. Viproy has many features.
38:40
So we have a few things to develop, such as advanced fuzzing support, RTP support, TCP support or many more. By the way, it's MSF licensed, so you can download it freely, you can change it. You can develop your tools with this library. That's it. I will show
39:02
another demo. This demo was prepared to show the SIP bounce attack, hacking SIP trust relationships, detecting trusted servers, initiating a fake call. After that, crashing a mobile client.
39:27
This is a sample. I have a network, actually a small network, three SIP servers and four SIP clients. We can initiate this SIP bounce attack to detect servers and clients, trusted
39:47
or not. We can use a remote SIP proxy server. We will have two SIP servers.
40:11
SIP servers now. One is ours, another one is inaccessible for us. Also, we have another
40:23
range, 200 and 210. I will set this range to detect remote SIP servers and clients during the test. As you see, there are many SIP services. One of them is a SIP server, the others
40:52
SIP clients. SIP trust hacking is a basic and old method, but we can use it easily for
41:14
engine platforms, especially in a local network. So we can easily break into a physical network with
41:20
smart modem hacking or physical hacking, breaking locks or something else, and we can initiate this attack. Also, SIP services are vulnerable to this type of attack. SIP services trust hacking should be prepared with a specific target range. And I set the SIP
41:44
server, the remote server, source remotos is potential network. Also, I can set a port range because they can use any ports for trust or something else. Also, we should
42:06
set the interface for IP spoofing and a raw request and the internal number 103, and we will initiate this attack. If you have a number, you have an IP or something else, we will learn
42:26
which host is trusted. As you see, 202 and its port 5060 is trusted. It's a pair. It's a port for restriction and ACL. So I can set specifically this one and I will initiate
42:50
a call. This is the trusted host and I set the from field for my spoof. I can write
43:18
anything. I write occupy Gezi. If you already know, Gezi Park Resistance in Turkey,
43:25
it's a tribute. By the way, if you don't know, you can search this tag on Twitter. As you see, we have a call. Also, we can crash a mobile application. This mobile application
43:44
is other phone on iPhone. You can download it from the App Store. I downloaded it and I initiated a secure shell session, left side, and I start a debugger and I crash it with the right
44:00
terminal. I set only a set action to call. I set the from field to fuzz features. For example, set from fuzz 550. Also, I will set the to field, that means our destination, our internal number removed. So, I initiated the debugger. You can watch this video on YouTube too.
44:48
It's available from Viproy WebKit's homepage. As you see, it's really easy to use because it's a Metasploit module set. Left side, as you see, 138 is the iPhone's IP address,
45:11
but I have no idea and I didn't set it in my tool. I initiated a debugger to debug the
45:20
other phone application. It's the PID. Engineering debugger will be initiated for this PID. It's continuing. When I start the attack, you should watch and you should see on the left side
45:45
a kernel email address issue. We have a memory corruption vulnerability and it's a
46:03
you feel free to develop an exploit for this vulnerability using this tool. So, you can download this presentation from my homepage, also Viproy's homepage. You can download
46:21
this tool from Viproy's homepage, also its GitHub source code section. By the way, you have a 15 minute training video. You can use it. Also, these papers. These people helped me to present. Also, they encouraged me. I have much respect for
46:46
them. Yes, I have only one minute. So, I will be chilling out at the cafe. I have this one for you. If you come to ask a specific question or a smart question, I will give it to you.
47:03
Okay. Thank you.