VoIP Wars: 
Attack of the Cisco Phones 
Compliance, Protection & Business Confidence 
Sense of Security Pty Ltd 
Sydney 
Level 8, 66 King Street 
Sydney NSW 2000 Australia 
Melbourne 
Level 10, 401 Docklands Drv 
Docklands VIC 3008 Australia 
T: 1300 922 923 
T: +61 (0) 2 9290 4444 
F: +61 (0) 2 9290 4455 
info@senseofsecurity.com.au 
www.senseofsecurity.com.au 
ABN: 14 098 237 908 
www.senseofsecurity.com.au © Sense of Security 2013 Page ‹#› – 13-Sep-13
Speaker
• Fatih Ozavci
• Senior Security Consultant
• Interests
  • VoIP
  • Mobile Applications
  • Network Infrastructure
• Author of Viproy VoIP Penetration Testing Kit
• Public Speaker
  • Defcon, BlackHat Arsenal, AusCert, Ruxcon
Viproy VoIP Toolkit
• Viproy is a Vulcan-ish word that means "Call"
• Viproy VoIP Penetration and Exploitation Kit
  • Testing modules for Metasploit, MSF license
  • Old techniques, new approach
• SIP library for new module development
  • Custom header support, authentication support
  • Trust analyser, SIP proxy bounce, MITM proxy, Skinny
• Modules
  • Options, Register, Invite, Message
  • Brute-forcers, Enumerator
  • SIP trust analyser, SIP proxy, Fake service
  • Cisco Skinny analysers
  • Cisco UCM/UCDM exploits
Agenda
Hosted VoIP 101
Network Attacks
Attacking CUCDM
Attacking CUCM
Attacking SIP
Attacking Clients
Attacking Skinny
Hosted VoIP services 
Hosted VoIP environment
• Vendors are Cisco and VOSS Solutions
• Web based services
  • IP Phone services (Cisco, VOSS* IP Phone XML Services)
  • Tenant client services management (VOSS* Selfcare)
  • Tenant* services management (VOSS* Domain Manager)
• VoIP services
  • Skinny (SCCP) services for Cisco phones
  • SIP services for other tenant phones
  • RTP services for media streaming
  • PBX/ISDN gateways, network equipment

* Tenant => Customer of hosted VoIP service
* VOSS => VOSS Solutions, hosted VoIP provider & Cisco partner
* VOSS a.k.a. Voice Over Super Slick, created by Jason Ostrom
Discovery for hosted VoIP networks
• Discover VoIP network configuration, design and requirements
• Find Voice VLAN and gain access
  • Gain access using PC port on IP Phone
• Understand the switching security for:
  • Main vendor for VoIP infrastructure
  • Network authentication requirements
  • VLAN ID and requirements
  • IP Phone management services
  • Supportive services in use
Protected and isolated? 
Switching manipulation
• Attack Types
  • PC Ports of the IP phone and handsets
  • CDP sniffing/spoofing for Voice VLAN
  • DTP and VLAN Trunking Protocol attacks
  • ARP spoofing for MITM attacks
  • DHCP spoofing & snooping
• Persistent access
  • Tapberry Pi (a.k.a. berry-tap)
  • Tampered phone
  • Power over Ethernet (PoE)
  • 3G/4G for connectivity
How to make your own Tapberry Pi
RJ45 Connection Pins (figure)
How to make your own Tapberry Pi
Speaker Power (figure)
Patch the Cat5 cable (figure)
Attacking the TFTP server
• Obtaining configuration files for MAC addresses
  • SEPDefault.cnf, SEPXXXXXXXXXXXX.cnf.xml
  • SIPDefault.cnf, SIPXXXXXXXXXXXX.cnf.xml
• Identifying SIP, Skinny, RTP and web settings
• Finding IP phone software and updates
• Configuration files may contain credentials
• Digital signature/encryption usage for files

Tip: TFTPTheft, Metasploit, Viproy TFTP module
Configuration file content
• <deviceProtocol>SCCP</deviceProtocol>
• <sshUserId></sshUserId>
• <sshPassword></sshPassword>

• <webAccess>1</webAccess>
• <settingsAccess>1</settingsAccess>
• <sideToneLevel>0</sideToneLevel>
• <spanToPCPort>1</spanToPCPort>
• <sshAccess>1</sshAccess>

• <phonePassword></phonePassword>
Becoming the TFTP server
• Send fake configurations for
  • HTTP server
  • IP phone management server
  • SIP server and proxy
  • Skinny server
  • RTP server and proxy
• Deploy SSH public keys for SSH on IP Phones
• Update custom settings of IP Phones
• Deploy custom OS update and code execution

Tip: Metasploit TFTP & FakeDNS servers, Viproxy
Cisco Hosted Collaboration Suite
• Cisco UC Domain Manager
  • VOSS IP Phone XML services
  • VOSS Self Care customer portal
  • VOSS Tenant services management
• Cisco UC Manager
  • Cisco Unified Dialed Number Analyzer
  • Cisco Unified Reporting
  • Cisco Unified CM CDR Analysis and Reporting

• Multiple Vulnerabilities in Cisco Unified Communications Domain Manager
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm
VOSS Self Care
Tenant user services
• Password & PIN management
• Voicemail configuration
• Presence
• Corporate Directory access
• Extension mobility

Weaknesses
• Cross-site scripting vulnerabilities
Account details stored XSS 
VOSS domain manager
• Tenant administration services
  • User management
  • Location and dial plan management
  • CLI and number translation configuration

Weaknesses
• User enumeration
• Privilege escalation vulnerabilities
• Cross-site scripting vulnerabilities
• SQL injections and SOAP manipulations
Errors, Information Leakage
/emapp/EMAppServlet?device=USER
/bvsm/iptusermgt/disassociateuser.cgi
Insecure File Upload 
/bvsm/iptbulkadmin 
/bvsm/iptbulkloadmgt/bulkloaduploadform.cgi 
Privilege Escalation
/bvsm/iptusermgt/moduser.cgi (stored XSS, change users' role)
/bvsm/iptadminusermgt/adduserform.cgi?user_type=adminuser
/bvsm/iptnumtransmgt/editnumbertranslationform.cgi?id=1
IP Phone management
VOSS IP Phone XML services
• Shared service for all tenants
• Call forwarding (Skinny has, SIP has not)
• Speed dial management
• Voicemail PIN management
http://1.2.3.4/bvsmweb/SRV.cgi?device=ID&cfoption=ACT
Services
• speeddials
• changepinform
• showcallfwd
• callfwdmenu
Actions
• CallForwardAll
• CallForwardBusy
IP Phone management
• Authentication and Authorisation free!
  • MAC address is sufficient
  • Jailbreaking tenant services

• Viproy Modules
  • Call Forwarding
  • Speed Dial
Demonstration of VOSS attacks 
Unified Communications
• Forget TDM and PSTN
  • SIP, Skinny, H.248, RTP, MSAN/MGW
  • Smart customer modems & phones

• Cisco UCM
  • Linux operating system
  • Web based management services
  • VoIP services (Skinny, SIP, RTP)
  • Essential network services (TFTP, DHCP)
  • Call centre, voicemail, value added services
Discovering VoIP servers
• Looking for
  • Signalling servers (e.g. SIP, Skinny, H.323, H.248)
  • Proxy servers (e.g. RTP, SIP, SDP)
  • Contact Centre services
  • Voicemail and email integration
  • Call recordings, call data records, log servers

• Discovering
  • Operating systems, versions and patch level
  • Management services (e.g. SNMP, Telnet, HTTP, SSH)
  • Weak or default credentials
Attacking SIP services
• Essential analysis
  • Registration and invitation analysis
  • User enumeration, brute force for credentials
  • Discovery for SIP trunks, gateways and trusts
  • Caller ID spoofing (w/wo register or trunk)

• Advanced analysis
  • Finding value added services and voicemail
  • SIP trust hacking
  • SIP proxy bounce attack
Cisco specific SIP registration
• Extensions (e.g. 1001)
• MAC address in Contact field
• SIP digest authentication (user + password)
• SIP x.509 authentication
• All authentication elements must be valid!

• Good news, we have SIP enumeration inputs!
Warning: 399 bhcucm "Line not configured"
Warning: 399 bhcucm "Unable to find device/user in database"
Warning: 399 bhcucm "Unable to find a device handler for the request received on port 52852 from 192.168.0.101"
Warning: 399 bhcucm "Device type mismatch"
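Added detection example, not part of the talk or Viproy: the distinct "Warning: 399 bhcucm" reasons above are exactly what a defender can count. The block groups them per source address and alerts when one source collects failures for many different extensions, which separates an enumeration run from a single mis-provisioned phone. The one-line-per-response log format is constructed; the reason strings are the slide's.

```python
"""Turn the 'Warning: 399 bhcucm' reasons a CUCM returns on failed registration
into an enumeration alert. Added example, not from the talk or Viproy.
Log format is constructed: one line per SIP response seen at a capture point,
'<time> <src_ip>:<src_port> <method> <target_user> | <Warning header or ->'."""
import re
from collections import defaultdict

# Constructed sample: one host walks extensions 1001-1006, one phone fails once.
SAMPLE_LOG = """\
2014-08-08T10:00:01 192.168.0.101:52852 REGISTER 1001 | Warning: 399 bhcucm "Line not configured"
2014-08-08T10:00:01 192.168.0.101:52852 REGISTER 1002 | Warning: 399 bhcucm "Unable to find device/user in database"
2014-08-08T10:00:02 192.168.0.101:52852 REGISTER 1003 | Warning: 399 bhcucm "Unable to find device/user in database"
2014-08-08T10:00:02 192.168.0.101:52852 REGISTER 1004 | Warning: 399 bhcucm "Device type mismatch"
2014-08-08T10:00:03 192.168.0.101:52852 REGISTER 1005 | Warning: 399 bhcucm "Unable to find a device handler for the request received on port 52852 from 192.168.0.101"
2014-08-08T10:00:03 192.168.0.101:52852 REGISTER 1006 | Warning: 399 bhcucm "Line not configured"
2014-08-08T10:00:09 192.168.0.55:5060 REGISTER 2001 | Warning: 399 bhcucm "Line not configured"
2014-08-08T10:00:10 192.168.0.55:5060 REGISTER 2001 | -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"(?P<method>[A-Z]+) (?P<target>\S+) \| (?P<rest>.*)$"
)
# Warning header as CUCM emits it: 'Warning: 399 <host> "<reason>"'
WARN_RE = re.compile(r'Warning: 399 \S+ "(?P<reason>[^"]*)"')


def normalise_reason(reason):
    """Collapse the per-request port/IP in the 'device handler' reason so all
    instances count as one category."""
    return re.sub(r"port \d+ from \S+", "port <N> from <IP>", reason)


def summarise_399(log_text):
    """Per source IP: the distinct targets that drew a 399 warning and a count per reason."""
    per_src = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        w = WARN_RE.search(m.group("rest"))
        if not w:
            continue
        entry = per_src.setdefault(m.group("src"), {"targets": set(), "reasons": defaultdict(int)})
        entry["targets"].add(m.group("target"))
        entry["reasons"][normalise_reason(w.group("reason"))] += 1
    return per_src


def enumeration_alerts(log_text, threshold=5):
    """Sources whose number of distinct 399-rejected targets reaches the threshold."""
    alerts = {}
    for src, entry in summarise_399(log_text).items():
        if len(entry["targets"]) >= threshold:
            alerts[src] = {
                "distinct_targets": len(entry["targets"]),
                "reasons": dict(entry["reasons"]),
            }
    return alerts


if __name__ == "__main__":
    for src, info in enumeration_alerts(SAMPLE_LOG).items():
        print(src, info)
```

The threshold is per capture window; a real deployment would key the same counters by source and time bucket.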
Register and Subscribe
Register / Subscribe (FROM, TO, Credentials) (figure)
Invite, CDR and Billing tests
Invite / Ack / Re-Invite / Update (FROM, TO, VIA, Credentials) (figure)
SIP Proxy Bounce attack
Diagram: 192.168.1.145 - Sydney (Production SIP Service), 192.168.1.146 - Melbourne, 192.168.1.202 - Brisbane
SIP Proxy Bounce Attacks
• SIP trust relationship hacking
• Attacking inaccessible servers
• Attacking the SIP software and protocol
  • Software, Version, Type, Realm
Denial of Service attacks
Diagram: IP spoofed UDP SIP request; 192.168.1.145 - Sydney (Production SIP Service), 192.168.1.146 - Melbourne, 192.168.1.202 - Brisbane; Alderaan
SIP based DoS attacks
• UDP vulnerabilities and IP spoofing
• Too many errors, very very verbose mode
• ICMP errors
Hacking SIP trust relationships
Diagram: IP spoofed UDP SIP request, From field has IP and Port; 192.168.1.145 - Sydney (Production SIP Service), 192.168.1.146 - Melbourne, 192.168.1.202 - Brisbane; UDP Trust, Universal Trust, Tatooine
Send INVITE/MESSAGE requests with
• IP spoofing (source is Brisbane),
• from field contains spoofed IP and port,
the caller ID will be your trusted host.
Attacking a client using SIP trust
Diagram: IP spoofed UDP SIP request, From field has bogus characters; 192.168.1.145 - Sydney (Production SIP Service), 192.168.1.146 - Melbourne, 192.168.1.202 - Brisbane; UDP Trust, Universal Trust, Tatooine; It's a TRAP!
Send INVITE/MESSAGE requests with
• IP spoofing (source is Brisbane),
• from field contains special number,
you will have fun or voicemail access.
Toll fraud for CUCM
• Cisco UCM accepts MAC address as identity
  • No authentication (secure deployment?)
  • Rogue SIP gateway with no authentication
• Caller ID spoofing with proxy headers
  • Via field, From field
  • P-Asserted-Identity, P-Called-Party-ID
  • P-Preferred-Identity
  • ISDN Calling Party Number, Remote-Party-ID*
• Billing bypass with proxy headers
  • P-Charging-Vector (Spoofing, Manipulating)
  • Re-Invite, Update (With/Without P-Charging-Vector)

* https://tools.cisco.com/bugsearch/bug/CSCuo51517
Remote-Party-ID header 
Source: Cisco CUCM SIP Line Messaging Guide 
Caller ID spoofing on CUCM
Remote-Party-ID header
Remote-Party-ID: <sip:007@1.2.3.4>;party=called;screen=yes;privacy=off

What for?
• Caller ID spoofing
• Billing bypass
• Accessing voicemail
• 3rd party operators
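Added example covering both the toll fraud slide and this one, not from the talk or Viproy: the policy a SIP proxy or SBC in front of CUCM applies at the trust boundary. Identity and charging headers (P-Asserted-Identity, P-Preferred-Identity, Remote-Party-ID, P-Charging-Vector) are stripped unless the peer is on a trusted list and reached over TCP/TLS, since a UDP source address is what the trust-hacking slides spoof, and a registered endpoint's From user must match the identity it authenticated as. The sample INVITE, trusted peer list and the authenticated_user input are constructed.

```python
"""Trust-boundary policy for the SIP identity and charging headers the talk lists.
Added example of the rule a SIP proxy or SBC would apply in front of CUCM; not from
the talk or Viproy. The sample INVITE, trusted peer list and authenticated_user
(the identity the endpoint proved by digest or X.509) are constructed."""
import re

# Headers that assert caller identity or carry charging data: honoured only from trusted peers.
IDENTITY_HEADERS = {
    "p-asserted-identity", "p-preferred-identity", "remote-party-id", "p-charging-vector",
}
# A UDP source address can be spoofed, so a peer counts as trusted only over a
# connection-oriented transport, where the handshake proves the address.
TRUSTED_TRANSPORTS = {"tcp", "tls"}

SAMPLE_INVITE = (
    "INVITE sip:2001@10.0.0.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.202:5060;branch=z9hG4bK-1\r\n"
    'From: "Helpdesk" <sip:1000@10.0.0.5>;tag=abc\r\n'
    "To: <sip:2001@10.0.0.5>\r\n"
    "Remote-Party-ID: <sip:007@1.2.3.4>;party=called;screen=yes;privacy=off\r\n"
    "P-Asserted-Identity: <sip:1000@10.0.0.5>\r\n"
    "P-Charging-Vector: icid-value=constructed-1\r\n"
    "Call-ID: 1@192.168.1.202\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def from_user(headers):
    """User part of the From URI, or None when absent."""
    for name, value in headers:
        if name.lower() == "from":
            m = re.search(r"sip:([^@>;]+)@", value)
            return m.group(1) if m else None
    return None


def enforce_identity_policy(raw, source_ip, transport, trusted_peers, authenticated_user=None):
    """Return (action, stripped_header_names, outbound_message_or_None);
    action is 'forward' or 'reject'."""
    start, headers, body = parse_sip(raw)
    trusted = source_ip in trusted_peers and transport.lower() in TRUSTED_TRANSPORTS
    kept, stripped = [], []
    for name, value in headers:
        if name.lower() in IDENTITY_HEADERS and not trusted:
            stripped.append(name)
        else:
            kept.append((name, value))
    # A registered endpoint may only originate calls as the user it authenticated as.
    if authenticated_user is not None and from_user(kept) != authenticated_user:
        return "reject", stripped, None
    out = start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n" + body
    return "forward", stripped, out


if __name__ == "__main__":
    # Brisbane's address over UDP: the peer is listed, but the transport is not trusted.
    action, stripped, _ = enforce_identity_policy(
        SAMPLE_INVITE, "192.168.1.202", "udp", {"192.168.1.146", "192.168.1.202"})
    print(action, stripped)
```

The same rule applies to the Re-INVITE and UPDATE requests the toll fraud slide mentions, since P-Charging-Vector is stripped on every request from an untrusted source.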
Caller ID fraud for all operators? 
• Telecom operators trust source Caller ID 
• One insecure operator to rule them all 
Fake Caller ID for messages? 
• Call me back function on voicemail / calls 
• Sending many spoofed messages for DoS 
• Overseas? Roaming? 
• Social engineering (voicemail notification) 
• Value added services 
• Add a data package to my line 
• Subscribe me to a new mobile TV service 
• Reset my password/PIN/2FA 
• Group messages, celebrations 
Demonstration of SIP attacks 
VoIP client security
• Different Client Types
  • Mobile, Desktop, Teleconference, Handsets
• Information Disclosure
  • Unnecessary services and ports (SNMP, FTP)
  • Weak management services (Telnet, SSH, HTTP)
  • Stored credentials and sensitive information
• Unauthorised Access
  • Password or TFTP attacks, enforced upgrades
• Weak VoIP Services
  • Clients may accept direct invite, register or notify
Cisco VoIP clients
• Cisco IP Phones
• Cisco IP Communicator
• Cisco Unified Personal Communicator
• Cisco Webex Client
• Cisco Jabber services
  • Cisco Jabber Voice/Video
  • IM for 3rd party clients
  • Mobile, desktop, Mac
  • Jabber SDK for web
Source: www.arkadin.com
Rogue services and DSITM
• Use ARP/DNS Spoof & VLAN hopping & Manual config
• Collect credentials, hashes, information
• Change client's request to add a feature (e.g. Spoofing)
• Change the SDP features to redirect calls
• Add a proxy header to bypass billing & CDR
• Manipulate request at runtime to find BoF vulnerabilities
• Trigger software upgrades for malwared executables
Death Star in the Middle (figure)
Attacking a client using SIP service
• Caller ID spoofed messages
  • to install a malicious application or an SSL certificate
  • to redirect voicemails or calls
• Fake caller ID for Scam, Vishing or Spying
• Manipulate the content or content-type on messaging
• Trigger a crash/BoF on the remote client
• Inject cross-site scripting to the conversation

• Proxies with TLS+TCP interception and manipulation
  • Viproxy (github.com/fozavci/viproxy)
  • MITMproxy
SMS phishing using SIP messages 
Attacking a client using SIP trust
• SIP server redirects a few fields to client
  • FROM, FROM NAME, Contact
  • Other fields depend on server (e.g. SDP, MIME)
  • Message content
• Clients have buffer overflow in FROM?
  • Send 2000 chars to test it!
  • Crash it or execute your shellcode if available
• Clients trust SIP servers and trust is UDP based
  • Trust hacking module can be used for the trust between server and client too.
• Viproy Penetration Testing Kit SIP Modules
  • Simple fuzz support (FROM=FUZZ 2000)
  • You can modify it for further attacks
Attacking a client using SIP trust
Diagram: IP spoofed UDP SIP request, From field has bogus characters; 192.168.1.145 - Sydney (Production SIP Service), 192.168.1.146 - Melbourne, 192.168.1.202 - Brisbane; UDP Trust, Universal Trust, Tatooine; Crash! Adore iPhone App
Send INVITE/MESSAGE requests with
• IP spoofing (source is Brisbane),
• from field contains exploit,
the client will be your stormtrooper.
Attacking clients using VoIP
Video demo for SIP based client attacks
• Manipulating instant messaging between clients
• Initiate a call using fake Caller ID
• Send a fake message from the Operator
• Send bogus message to crash
• Send too many calls and create a crash
Attacking Skinny services
• Cisco Skinny (SCCP)
  • Binary, not plain text
  • Different versions
  • No authentication
  • MAC address is identity
  • Auto registration

• Basic attacks
  • Register as a phone
  • Disconnect other phones
  • Call forwarding
  • Unauthorised calls
Source: Cisco
Other Skinny research
• Skinny vulnerabilities published
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cucm
  by Felix Lindner
  http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20100303-cucm.html
  by Sipera VIPER Lab
• IxVoice SCCP (Skinny) Test Library
• VIPER UCSniff supports Skinny
• VIPER LAVA has Skinny support(?)

VoIP Security not found. Did you mean Jason Ostrom?
He is not only passionate about VoIP…
Attacking Skinny services 
Attacking Skinny services
Viproy has a Skinny library for easier development and sample attack modules
• Skinny auto registration
• Skinny register
• Skinny call
• Skinny call forwarding
Attacking Skinny services
Everybody can develop a Skinny module now, even Ewoks!
Register (figure)
Unauthorised Call (figure)
Preparing a proper client for Skinny 
• Install Cisco IP Communicator 
• Change the MAC address of Windows 
• Register the software with this MAC 
Demonstration of Skinny attacks 
Summary
Hosted VoIP 101
Network Attacks
Attacking CUCDM
Attacking CUCM
Attacking SIP
Attacking Clients
Attacking Skinny
Solutions
• Install the Cisco security patches
  • From CVE-2014-3277 to CVE-2014-3283, CVE-2014-2197, CVE-2014-3300
  • CSCum75078, CSCun17309, CSCum77041, CSCuo51517, CSCum76930, CSCun49862
• Secure network design
  • IP phone services MUST be DEDICATED, not SHARED
• Secure deployment with PKI
  • Authentication with X.509, software signatures
  • Secure SSL configuration
• Secure protocols
  • Skinny authentication, SIP authentication
  • HTTP instead of TFTP, SSH instead of Telnet
References
• Viproy Homepage and Documentation
  http://www.viproy.com
• Attacking SIP servers using Viproy VoIP Kit
  https://www.youtube.com/watch?v=AbXh_L0-Y5A
• VoIP Pen-Test Environment – VulnVoIP
  http://www.rebootuser.com/?cat=371
• Credits and thanks go to…
  Sense of Security Team, Jason Ostrom, Mark Collier, Paul Henry, Sandro Gauci
Questions?
Thank you
Recognised as Australia's fastest growing information security and risk management consulting firm through the Deloitte Technology Fast 50 & BRW Fast 100 programs.
Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia.
Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.

More Related Content

PPTX
Ports and protocols
siva rama
 
PPT
ipv6 ppt
Shiva Kumar
 
PDF
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
PPTX
A very good introduction to IPv6
Syed Arshad
 
PPTX
VoIP – vulnerabilities and attacks
n|u - The Open Security Community
 
PPTX
Tcp IP Model
Ankur Kumar
 
PPTX
Network address translation
Karppinen Ngoc Anh
 
PPT
Ipv4 ppt
Sonal Chandel
 
Ports and protocols
siva rama
 
ipv6 ppt
Shiva Kumar
 
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
A very good introduction to IPv6
Syed Arshad
 
VoIP – vulnerabilities and attacks
n|u - The Open Security Community
 
Tcp IP Model
Ankur Kumar
 
Network address translation
Karppinen Ngoc Anh
 
Ipv4 ppt
Sonal Chandel
 

What's hot (20)

PPT
Vlan
sanss40
 
PPTX
Network address translation
Mohak Kaushik
 
PDF
rtpengine - Media Relaying and Beyond
Andreas Granig
 
PPTX
Session initiation-protocol
Santhosh Somu
 
PPTX
TCP/IP 3-way Handshake
Alok Tripathi
 
PPTX
What is Ethernet
Simplilearn
 
PPTX
Simple Mail Transfer Protocol
Ujjayanta Bhaumik
 
DOCX
Cisco router configuration tutorial
IT Tech
 
PPTX
What is VoIP and How it works?
broadconnect
 
PPTX
Ipv6 the next generation protocol
PRADEEP Cheekatla
 
PPTX
Subnetting Presentation
Touhidul Fahim
 
PPT
network Addressing
Tauseef khan
 
PPTX
IPv4
Dhiraj Mishra
 
PPTX
Multiprotocol label switching (mpls) - Networkshop44
Jisc
 
PPTX
Wireless network
Devyani Vaidya
 
PPTX
Mobile internet presentation
Raynardo Hassanally
 
PPT
Ip address and subnetting
IGZ Software house
 
PPTX
TCP/IP and UDP protocols
Dawood Faheem Abbasi
 
PPTX
Dhcp
Chinmoy Jena
 
PDF
CCNAv5 - S2: Chapter4 Routing Concepts
Vuz Dở Hơi
 
Vlan
sanss40
 
Network address translation
Mohak Kaushik
 
rtpengine - Media Relaying and Beyond
Andreas Granig
 
Session initiation-protocol
Santhosh Somu
 
TCP/IP 3-way Handshake
Alok Tripathi
 
What is Ethernet
Simplilearn
 
Simple Mail Transfer Protocol
Ujjayanta Bhaumik
 
Cisco router configuration tutorial
IT Tech
 
What is VoIP and How it works?
broadconnect
 
Ipv6 the next generation protocol
PRADEEP Cheekatla
 
Subnetting Presentation
Touhidul Fahim
 
network Addressing
Tauseef khan
 
Multiprotocol label switching (mpls) - Networkshop44
Jisc
 
Wireless network
Devyani Vaidya
 
Mobile internet presentation
Raynardo Hassanally
 
Ip address and subnetting
IGZ Software house
 
TCP/IP and UDP protocols
Dawood Faheem Abbasi
 
CCNAv5 - S2: Chapter4 Routing Concepts
Vuz Dở Hơi
 
Ad

Viewers also liked (6)

PDF
VoIP Wars : Return of the SIP
Fatih Ozavci
 
PDF
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
PDF
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
PDF
Hacking SIP Like a Boss!
Fatih Ozavci
 
PDF
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
PDF
Backtrack syllabus
napoleon182
 
VoIP Wars : Return of the SIP
Fatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
Hacking SIP Like a Boss!
Fatih Ozavci
 
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
Backtrack syllabus
napoleon182
 
Ad

Similar to VoIP Wars: Attack of the Cisco Phones (20)

PDF
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Priyanka Aash
 
PDF
DEFCON 23 - Fatih Ozavci - the art of voip workshop
Felipe Prado
 
PDF
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
pseudor00t overflow
 
PDF
Departed Communications: Learn the ways to smash them!
Fatih Ozavci
 
PPT
Meletis Belsis - Voip security
Meletis Belsis MPhil/MRes/BSc
 
PDF
BlackHat Hacking - Hacking VoIP.
Sumutiu Marius
 
PDF
Identity Services Engine Overview and Update
Cisco Canada
 
PDF
Scanning The Intertubes For Voip
Sandro Gauci
 
PDF
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
Fatih Ozavci
 
PDF
Secure calling for IP telephony - webinar 2016, English
Askozia
 
PPTX
Positive Hack Days. Gritsai. VOIP insecurities workshop
Positive Hack Days
 
PDF
VoIP security
Mile Blenton
 
PPTX
Netas Nova Cyber Security Product Family
Cagdas Tanriover
 
PPTX
Building Up Network Security: An Introduction
Global Knowledge Training
 
PPTX
VoIP Security 101 what you need to know
Eric Klein
 
PPTX
Number one-issue-voip-today-fraud
Flavio Eduardo de Andrade Goncalves
 
PDF
Ccnp iscw lab guide
VNG
 
PPT
ETel2007: The Black Bag Security Review (VoIP Security)
Dan York
 
PDF
Deployment of cisco_iron_portweb_security_appliance
Alfredo Boiero Sanders
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Priyanka Aash
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
Felipe Prado
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
pseudor00t overflow
 
Departed Communications: Learn the ways to smash them!
Fatih Ozavci
 
Meletis Belsis - Voip security
Meletis Belsis MPhil/MRes/BSc
 
BlackHat Hacking - Hacking VoIP.
Sumutiu Marius
 
Identity Services Engine Overview and Update
Cisco Canada
 
Scanning The Intertubes For Voip
Sandro Gauci
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
Fatih Ozavci
 
Secure calling for IP telephony - webinar 2016, English
Askozia
 
Positive Hack Days. Gritsai. VOIP insecurities workshop
Positive Hack Days
 
VoIP security
Mile Blenton
 
Netas Nova Cyber Security Product Family
Cagdas Tanriover
 
Building Up Network Security: An Introduction
Global Knowledge Training
 
VoIP Security 101 what you need to know
Eric Klein
 
Number one-issue-voip-today-fraud
Flavio Eduardo de Andrade Goncalves
 
Ccnp iscw lab guide
VNG
 
ETel2007: The Black Bag Security Review (VoIP Security)
Dan York
 
Deployment of cisco_iron_portweb_security_appliance
Alfredo Boiero Sanders
 

More from Fatih Ozavci (13)

PDF
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Fatih Ozavci
 
PDF
Viproy ile VoIP Güvenlik Denetimi
Fatih Ozavci
 
PDF
Mahremiyetinizi Koruyun
Fatih Ozavci
 
PDF
NGN ve VoIP Ağları Güvenlik Denetimi
Fatih Ozavci
 
PDF
Metasploit Framework ile Exploit Gelistirme
Fatih Ozavci
 
PDF
MBFuzzer : MITM Fuzzing for Mobile Applications
Fatih Ozavci
 
PDF
Hacking Trust Relationships Between SIP Gateways
Fatih Ozavci
 
PDF
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Fatih Ozavci
 
PDF
Bilgi Guvenligi Temel Kavramlar
Fatih Ozavci
 
PDF
Mahremiyet Ekseninde Ozgur Yazilimlar
Fatih Ozavci
 
PDF
Ozgur Yazilimlar ile Saldiri Yontemleri
Fatih Ozavci
 
PDF
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Fatih Ozavci
 
PDF
Metasploit Framework ile Güvenlik Denetimi
Fatih Ozavci
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Fatih Ozavci
 
Viproy ile VoIP Güvenlik Denetimi
Fatih Ozavci
 
Mahremiyetinizi Koruyun
Fatih Ozavci
 
NGN ve VoIP Ağları Güvenlik Denetimi
Fatih Ozavci
 
Metasploit Framework ile Exploit Gelistirme
Fatih Ozavci
 
MBFuzzer : MITM Fuzzing for Mobile Applications
Fatih Ozavci
 
Hacking Trust Relationships Between SIP Gateways
Fatih Ozavci
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Fatih Ozavci
 
Bilgi Guvenligi Temel Kavramlar
Fatih Ozavci
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Fatih Ozavci
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Fatih Ozavci
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Fatih Ozavci
 
Metasploit Framework ile Güvenlik Denetimi
Fatih Ozavci
 

Recently uploaded (20)

PDF
A Day in the Life of Location Data - Turning Where into How.pdf
Precisely
 
PPTX
How to Build a Scalable Micro-Investing Platform in 2025 - A Founder’s Guide ...
Third Rock Techkno
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PDF
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
PDF
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
PPTX
Coupa-Overview _Assumptions presentation
annapureddyn
 
PDF
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
PDF
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
PPT
Coupa-Kickoff-Meeting-Template presentai
annapureddyn
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
Doc9.....................................
SofiaCollazos
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PDF
Advances in Ultra High Voltage (UHV) Transmission and Distribution Systems.pdf
Nabajyoti Banik
 
PDF
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
PDF
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
PDF
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
PDF
Software Development Company | KodekX
KodekX
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
A Day in the Life of Location Data - Turning Where into How.pdf
Precisely
 
How to Build a Scalable Micro-Investing Platform in 2025 - A Founder’s Guide ...
Third Rock Techkno
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
Coupa-Overview _Assumptions presentation
annapureddyn
 
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
Coupa-Kickoff-Meeting-Template presentai
annapureddyn
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Doc9.....................................
SofiaCollazos
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
Advances in Ultra High Voltage (UHV) Transmission and Distribution Systems.pdf
Nabajyoti Banik
 
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
Software Development Company | KodekX
KodekX
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 

VoIP Wars: Attack of the Cisco Phones

1. VoIP Wars: Attack of the Cisco Phones
Compliance, Protection & Business Confidence
Sense of Security Pty Ltd

Sydney
Level 8, 66 King Street
Sydney NSW 2000 Australia
Melbourne
Level 10, 401 Docklands Drv
Docklands VIC 3008 Australia
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
[email protected]
www.senseofsecurity.com.au
ABN: 14 098 237 908
www.senseofsecurity.com.au © Sense of Security 2013 Page ‹#› – 13-Sep-13

2. Speaker
• Fatih Ozavci
• Senior Security Consultant
• Interests
• VoIP
• Mobile Applications
• Network Infrastructure

• Author of Viproy VoIP Penetration Testing Kit
• Public Speaker
• Defcon, BlackHat Arsenal, AusCert, Ruxcon

3. Viproy VoIP Toolkit
• Viproy is a Vulcan-ish word that means "Call"
• Viproy VoIP Penetration and Exploitation Kit
• Testing modules for Metasploit, MSF license
• Old techniques, new approach
• SIP library for new module development
• Custom header support, authentication support
• Trust analyser, SIP proxy bounce, MITM proxy, Skinny
• Modules
• Options, Register, Invite, Message
• Brute-forcers, Enumerator
• SIP trust analyser, SIP proxy, Fake service
• Cisco Skinny analysers
• Cisco UCM/UCDM exploits

4. Agenda
• Hosted VoIP 101
• Network Attacks
• Attacking CUCDM
• Attacking CUCM
• Attacking SIP
• Attacking Clients
• Attacking Skinny

5. Hosted VoIP services

6. Hosted VoIP environment
• Vendors are Cisco and VOSS Solutions
• Web based services
• IP Phone services (Cisco, VOSS* IP Phone XML Services)
• Tenant client services management (VOSS* Selfcare)
• Tenant* services management (VOSS* Domain Manager)
• VoIP services
• Skinny (SCCP) services for Cisco phones
• SIP services for other tenant phones
• RTP services for media streaming
• PBX/ISDN gateways, network equipment

* Tenant => Customer of hosted VoIP service
* VOSS => VOSS Solutions, hosted VoIP provider & Cisco partner
* VOSS a.k.a. Voice Over Super Slick, created by Jason Ostrom

7. Discovery for hosted VoIP networks
• Discover VoIP network configuration, design and requirements
• Find Voice VLAN and gain access
• Gain access using PC port on IP Phone
• Understand the switching security for:
• Main vendor for VoIP infrastructure
• Network authentication requirements
• VLAN ID and requirements
• IP Phone management services
• Supportive services in use

8. Protected and isolated?

9. Switching manipulation
• Attack Types
• PC Ports of the IP phone and handsets
• CDP sniffing/spoofing for Voice VLAN
• DTP and VLAN Trunking Protocol attacks
• ARP spoofing for MITM attacks
• DHCP spoofing & snooping
• Persistent access
• Tapberry Pi (a.k.a. berry-tap)
• Tampered phone
• Power over Ethernet (PoE)
• 3G/4G for connectivity

10. How to make your own Tapberry Pi
RJ45 Connection Pins

11. How to make your own Tapberry Pi
Speaker Power
Patch the Cat5 cable

12. Attacking the TFTP server
• Obtaining configuration files for MAC addresses
• SEPDefault.cnf, SEPXXXXXXXXXXXX.cnf.xml
• SIPDefault.cnf, SIPXXXXXXXXXXXX.cnf.xml
• Identifying SIP, Skinny, RTP and web settings
• Finding IP phone software and updates
• Configuration files may contain credentials
• Digital signature/encryption usage for files

Tip: TFTPTheft, Metasploit, Viproy TFTP module

13. Configuration file content
• <deviceProtocol>SCCP</deviceProtocol>
• <sshUserId></sshUserId>
• <sshPassword></sshPassword>

• <webAccess>1</webAccess>
• <settingsAccess>1</settingsAccess>
• <sideToneLevel>0</sideToneLevel>
• <spanToPCPort>1</spanToPCPort>
• <sshAccess>1</sshAccess>

• <phonePassword></phonePassword>
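
Because TFTP hands these files to anyone who can guess a SEP<MAC> filename, a defender wants to audit what is actually being served. The Python below is an added example (not from the talk or Viproy) that compares a served configuration against an approved baseline for the elements shown above and reports any credential that would travel in the clear; the sample file, the baseline values and the filename-to-MAC rule are assumptions, and the baseline values must be taken from the vendor documentation for the firmware in use.

```python
"""Audit the phone configuration a TFTP server serves against a hardened
baseline. Example code added to this transcript, not the talk's or Viproy's.
Element names come from the slide; the sample file, the baseline values and
the filename convention are constructed/assumed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the elements listed on the slide.
SAMPLE_CNF = """<device>
  <deviceProtocol>SCCP</deviceProtocol>
  <sshUserId></sshUserId>
  <sshPassword></sshPassword>
  <webAccess>1</webAccess>
  <settingsAccess>1</settingsAccess>
  <sideToneLevel>0</sideToneLevel>
  <spanToPCPort>1</spanToPCPort>
  <sshAccess>1</sshAccess>
  <phonePassword></phonePassword>
</device>"""

# Assumed hardened baseline: the values an organisation has approved for the
# security-relevant elements. Take the real values from the vendor docs for
# the firmware in use, since enable/disable encodings differ between elements.
BASELINE = {
    "webAccess": "0",
    "settingsAccess": "0",
    "spanToPCPort": "0",
    "sshAccess": "0",
}
# Fields whose non-empty content is a secret, served unauthenticated by TFTP.
CREDENTIAL_FIELDS = ("sshUserId", "sshPassword", "phonePassword")
CNF_NAME = re.compile(r"^(SEP|SIP)([0-9A-Fa-f]{12})\.cnf\.xml$")

def mac_from_filename(name):
    """Per-device files are named <proto><MAC>.cnf.xml; return the MAC or None."""
    m = CNF_NAME.match(name)
    if not m:
        return None
    digits = m.group(2).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_config(xml_text, baseline=BASELINE):
    """Return findings as (element, detail) tuples, sorted for stable output."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag, approved in baseline.items():
        actual = (root.findtext(tag) or "").strip()
        if actual != approved:
            findings.append((tag, f"served {actual!r}, baseline {approved!r}"))
    for tag in CREDENTIAL_FIELDS:
        if (root.findtext(tag) or "").strip():
            findings.append((tag, "credential present in clear-text TFTP config"))
    return sorted(findings)

if __name__ == "__main__":
    print("device MAC:", mac_from_filename("SEP001122334455.cnf.xml"))
    for tag, detail in audit_config(SAMPLE_CNF):
        print(f"{tag}: {detail}")
```

Run it against every SEP*/SIP*.cnf.xml the TFTP server exposes; a file that drifts from the baseline or carries a credential is exactly what the slide shows an attacker reading.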

14. Becoming the TFTP server
• Send fake configurations for
• HTTP server
• IP phone management server
• SIP server and proxy
• Skinny server
• RTP server and proxy
• Deploy SSH public keys for SSH on IP Phones
• Update custom settings of IP Phones
• Deploy custom OS update and code execution

Tip: Metasploit TFTP & FakeDNS servers, Viproxy

15. Cisco Hosted Collaboration Suite
• Cisco UC Domain Manager
• VOSS IP Phone XML services
• VOSS Self Care customer portal
• VOSS Tenant services management
• Cisco UC Manager
• Cisco Unified Dialed Number Analyzer
• Cisco Unified Reporting
• Cisco Unified CM CDR Analysis and Reporting

• Multiple Vulnerabilities in Cisco Unified Communications Domain Manager
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm

16. VOSS Self Care
Tenant user services
• Password & PIN management
• Voicemail configuration
• Presence
• Corporate Directory access
• Extension mobility

Weaknesses
• Cross-site scripting vulnerabilities

17. Account details stored XSS

18. VOSS domain manager
• Tenant administration services
• User management
• Location and dial plan management
• CLI and number translation configuration

Weaknesses
• User enumeration
• Privilege escalation vulnerabilities
• Cross-site scripting vulnerabilities
• SQL injections and SOAP manipulations

19. Errors, Information Leakage
/emapp/EMAppServlet?device=USER
/bvsm/iptusermgt/disassociateuser.cgi

20. Insecure File Upload
/bvsm/iptbulkadmin
/bvsm/iptbulkloadmgt/bulkloaduploadform.cgi

21. Privilege Escalation
/bvsm/iptusermgt/moduser.cgi (stored XSS, change users’ role)
/bvsm/iptadminusermgt/adduserform.cgi?user_type=adminuser
/bvsm/iptnumtransmgt/editnumbertranslationform.cgi?id=1

22. IP Phone management
VOSS IP Phone XML services
• Shared service for all tenants
• Call forwarding (Skinny has, SIP has not)
• Speed dial management
• Voicemail PIN management
http://1.2.3.4/bvsmweb/SRV.cgi?device=ID&cfoption=ACT
Services
• speeddials
• changepinform
• showcallfwd
• callfwdmenu
Actions
• CallForwardAll
• CallForwardBusy

23. IP Phone management
• Authentication and Authorisation free!
• MAC address is sufficient
• Jailbreaking tenant services

• Viproy Modules
• Call Forwarding
• Speed Dial

24. Demonstration of VOSS attacks

25. Unified Communications
• Forget TDM and PSTN
• SIP, Skinny, H.248, RTP, MSAN/MGW
• Smart customer modems & phones

• Cisco UCM
• Linux operating system
• Web based management services
• VoIP services (Skinny, SIP, RTP)
• Essential network services (TFTP, DHCP)
• Call centre, voicemail, value added services

26. Discovering VoIP servers
• Looking for
• Signalling servers (e.g. SIP, Skinny, H.323, H.248)
• Proxy servers (e.g. RTP, SIP, SDP)
• Contact Centre services
• Voicemail and email integration
• Call recordings, call data records, log servers

• Discovering
• Operating systems, versions and patch level
• Management services (e.g. SNMP, Telnet, HTTP, SSH)
• Weak or default credentials

27. Attacking SIP services
• Essential analysis
• Registration and invitation analysis
• User enumeration, brute force for credentials
• Discovery for SIP trunks, gateways and trusts
• Caller ID spoofing (w/wo register or trunk)

• Advanced analysis
• Finding value added services and voicemail
• SIP trust hacking
• SIP proxy bounce attack

28. Cisco-specific SIP registration
• Extensions (e.g. 1001)
• MAC address in Contact field
• SIP digest authentication (user + password)
• SIP x.509 authentication
• All authentication elements must be valid!

• Good news, we have SIP enumeration inputs!
Warning: 399 bhcucm "Line not configured"
Warning: 399 bhcucm "Unable to find device/user in database"
Warning: 399 bhcucm "Unable to find a device handler for the request received on port 52852 from 192.168.0.101"
Warning: 399 bhcucm "Device type mismatch"
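
Both the VOSS XML service of slides 22–23 (the device MAC in the URL is the whole identity) and Cisco SIP registration above (the 399 warnings tell the sender which element was wrong) can be probed one identifier at a time, and the defender's signal for that is one source touching many identities. The Python below is an added example (not from the talk or Viproy) that finds such sources in either log; the access-log and SIP-trace formats and all sample lines are constructed, and the threshold is a tuning choice.

```python
"""Flag sources that probe many identities against hosted VoIP services.
Example added to this transcript, not the talk's or Viproy's code. Both log
formats and all sample lines are constructed; hostnames, paths and warning
texts are the ones shown on the slides."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed web access log for the VOSS IP Phone XML service. A real phone
# only ever asks about its own device id; many ids from one client is a probe.
WEB_LOG = """\
10.0.0.7 - - [01/Aug/2014:10:00:01 +1000] "GET /bvsmweb/SRV.cgi?device=001122334455&cfoption=showcallfwd HTTP/1.1" 200 512
10.0.0.7 - - [01/Aug/2014:10:00:02 +1000] "GET /bvsmweb/SRV.cgi?device=001122334456&cfoption=showcallfwd HTTP/1.1" 200 513
10.0.0.7 - - [01/Aug/2014:10:00:02 +1000] "GET /bvsmweb/SRV.cgi?device=001122334457&cfoption=speeddials HTTP/1.1" 200 498
10.0.0.7 - - [01/Aug/2014:10:00:03 +1000] "GET /bvsmweb/SRV.cgi?device=001122334458&cfoption=changepinform HTTP/1.1" 200 470
10.0.0.9 - - [01/Aug/2014:10:05:00 +1000] "GET /bvsmweb/SRV.cgi?device=00AABBCCDDEE&cfoption=speeddials HTTP/1.1" 200 498
"""

# Constructed SIP trace: sender, request URI, and the Warning header CUCM sent
# back. Distinct reasons for distinct extensions is the enumeration signature.
SIP_LOG = """\
192.168.0.101:52852 REGISTER sip:1001@bhcucm Warning: 399 bhcucm "Line not configured"
192.168.0.101:52852 REGISTER sip:1002@bhcucm Warning: 399 bhcucm "Unable to find device/user in database"
192.168.0.101:52852 REGISTER sip:1003@bhcucm Warning: 399 bhcucm "Device type mismatch"
192.168.0.101:52852 REGISTER sip:1004@bhcucm Warning: 399 bhcucm "Line not configured"
192.168.0.55:5060 REGISTER sip:2001@bhcucm Warning: 399 bhcucm "Device type mismatch"
"""

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" \d{3}')
SIP_RE = re.compile(r'^(\S+):\d+ REGISTER sip:([^@\s]+)@\S+ Warning: 399 \S+ "([^"]+)"')

def web_events(text):
    """Yield (client_ip, device_id) for each request to SRV.cgi."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group(2))
        device = parse_qs(url.query).get("device")
        if url.path.endswith("/SRV.cgi") and device:
            yield m.group(1), device[0]

def sip_events(text):
    """Yield (source_ip, probed_extension) for each REGISTER that drew a 399."""
    for line in text.splitlines():
        m = SIP_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def enumeration_sources(events, threshold):
    """Return {source: set(identities)} for sources probing >= threshold identities."""
    seen = defaultdict(set)
    for source, identity in events:
        seen[source].add(identity)
    return {s: ids for s, ids in seen.items() if len(ids) >= threshold}

if __name__ == "__main__":
    print(enumeration_sources(web_events(WEB_LOG), 3))
    print(enumeration_sources(sip_events(SIP_LOG), 3))
```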

29. Register and Subscribe
Register / Subscribe (FROM, TO, Credentials)

30. Invite, CDR and Billing tests
Invite / Ack / Re-Invite / Update (FROM, TO, VIA, Credentials)

31. SIP Proxy Bounce attack
[Diagram: 192.168.1.145 Sydney Production SIP Service; 192.168.1.146 Melbourne; 192.168.1.202 Brisbane]
SIP Proxy Bounce Attacks
• SIP trust relationship hacking
• Attacking inaccessible servers
• Attacking the SIP software and protocol
• Software, Version, Type, Realm

32. Denial of Service attacks
[Diagram: 192.168.1.145 Sydney Production SIP Service; 192.168.1.146 Melbourne; 192.168.1.202 Brisbane; IP spoofed UDP SIP request; Alderaan]
SIP based DoS attacks
• UDP vulnerabilities and IP spoofing
• Too many errors, very very verbose mode
• ICMP errors

33. Hacking SIP trust relationships
[Diagram: 192.168.1.145 Sydney Production SIP Service; 192.168.1.146 Melbourne; 192.168.1.202 Brisbane; IP spoofed UDP SIP request, From field has IP and Port; UDP Trust, Universal Trust; Tatooine]
Send INVITE/MESSAGE requests with
• IP spoofing (source is Brisbane),
• From field contains spoofed IP and Port, the caller ID will be your trusted host.

34. Attacking a client using SIP trust
[Diagram: 192.168.1.145 Sydney Production SIP Service; 192.168.1.146 Melbourne; 192.168.1.202 Brisbane; IP spoofed UDP SIP request, From field has bogus characters; UDP Trust, Universal Trust; Tatooine; It’s a TRAP!]
Send INVITE/MESSAGE requests with
• IP spoofing (source is Brisbane),
• From field contains special number, you will have fun or voicemail access.

35. Toll fraud for CUCM
• Cisco UCM accepts MAC address as identity
• No authentication (secure deployment?)
• Rogue SIP gateway with no authentication
• Caller ID spoofing with proxy headers
• Via field, From field
• P-Asserted-Identity, P-Called-Party-ID
• P-Preferred-Identity
• ISDN Calling Party Number, Remote-Party-ID*
• Billing bypass with proxy headers
• P-Charging-Vector (Spoofing, Manipulating)
• Re-Invite, Update (With/Without P-Charging-Vector)

* https://tools.cisco.com/bugsearch/bug/CSCuo51517

36. Remote-Party-ID header
Source: Cisco CUCM SIP Line Messaging Guide

37. Caller ID spoofing on CUCM
Remote-Party-ID header
Remote-Party-ID: <sip:[email protected]>;party=called;screen=yes;privacy=off

What for?
• Caller ID spoofing
• Billing bypass
• Accessing voicemail
• 3rd party operators
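
The headers named on slides 35 and 37 are asserted identity: the call server believes whatever they say, so the defender's control is a trunk-ingress policy that honours them only from peers inside the trust domain and binds everyone else to the identity they authenticated with. The Python below is an added example (not CUCM's or Viproy's code); the trusted peer list, the authenticated user and the INVITE are constructed.

```python
"""Ingress policy for SIP requests reaching a CUCM-style call server: the
identity and charging headers listed on the slide are honoured only from
trusted trunk peers and stripped from everyone else, and the From user must
match the identity the sender authenticated as. Example added to this
transcript; the peer list, the authenticated user and the INVITE are constructed."""
import re

IDENTITY_HEADERS = {"remote-party-id", "p-asserted-identity",
                    "p-preferred-identity", "p-called-party-id"}
CHARGING_HEADERS = {"p-charging-vector"}
# Constructed: the Melbourne and Brisbane nodes from the diagrams as trunk peers.
TRUSTED_PEERS = {"192.168.1.146", "192.168.1.202"}
USER_RE = re.compile(r"sip:([^@>;\s]+)@")

# Constructed INVITE from an endpoint that registered as 1001 but asserts 9000.
SAMPLE_INVITE = (
    "INVITE sip:2001@192.168.1.145 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.101:5060;branch=z9hG4bK776\r\n"
    "From: \"Reception\" <sip:1001@192.168.1.145>;tag=1928\r\n"
    "To: <sip:2001@192.168.1.145>\r\n"
    "Remote-Party-ID: \"CEO\" <sip:9000@192.168.1.145>;party=calling;screen=yes;privacy=off\r\n"
    "P-Asserted-Identity: <sip:9000@192.168.1.145>\r\n"
    "P-Charging-Vector: icid-value=constructed-icid\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n")

def parse_message(msg):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def from_user(headers):
    """User part of the From URI, or None."""
    for name, value in headers:
        if name.lower() == "from":
            m = USER_RE.search(value)
            return m.group(1) if m else None
    return None

def apply_ingress_policy(msg, source_ip, authenticated_user):
    """Return (decision, message, notes); message is None on reject."""
    start, headers, body = parse_message(msg)
    trusted = source_ip in TRUSTED_PEERS
    kept, notes = [], []
    for name, value in headers:
        if not trusted and name.lower() in IDENTITY_HEADERS | CHARGING_HEADERS:
            notes.append(f"stripped {name} from untrusted peer {source_ip}")
            continue
        kept.append((name, value))
    user = from_user(kept)
    if not trusted and user != authenticated_user:
        notes.append(f"From user {user!r} does not match authenticated {authenticated_user!r}")
        return "reject", None, notes
    out = "\r\n".join([start] + [f"{n}: {v}" for n, v in kept]) + "\r\n\r\n" + body
    return "accept", out, notes

if __name__ == "__main__":
    decision, msg, notes = apply_ingress_policy(SAMPLE_INVITE, "192.168.0.101", "1001")
    print(decision, notes)
```

A trusted peer keeps its asserted identity because the trust domain vouches for it; everyone else is reduced to the From user they proved in digest authentication, which removes the spoofing and P-Charging-Vector billing tricks the slide lists.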

38. Caller ID fraud for all operators?
• Telecom operators trust source Caller ID
• One insecure operator to rule them all

39. Fake Caller ID for messages?
• Call me back function on voicemail / calls
• Sending many spoofed messages for DoS
• Overseas? Roaming?
• Social engineering (voicemail notification)
• Value added services
• Add a data package to my line
• Subscribe me to a new mobile TV service
• Reset my password/PIN/2FA
• Group messages, celebrations

40. Demonstration of SIP attacks

41. VoIP client security
• Different Client Types
• Mobile, Desktop, Teleconference, Handsets
• Information Disclosure
• Unnecessary services and ports (SNMP, FTP)
• Weak management services (Telnet, SSH, HTTP)
• Stored credentials and sensitive information
• Unauthorised Access
• Password or TFTP attacks, enforced upgrades
• Weak VoIP Services
• Clients may accept direct invite, register or notify

42. Cisco VoIP clients
• Cisco IP Phones
• Cisco IP Communicator
• Cisco Unified Personal Communicator
• Cisco Webex Client
• Cisco Jabber services
• Cisco Jabber Voice/Video
• IM for 3rd party clients
• Mobile, desktop, Mac
• Jabber SDK for web
Source: www.arkadin.com

43. Rogue services and DSITM
Death Star in the Middle
• Use ARP/DNS Spoof & VLAN hopping & Manual config
• Collect credentials, hashes, information
• Change client's request to add a feature (e.g. Spoofing)
• Change the SDP features to redirect calls
• Add a proxy header to bypass billing & CDR
• Manipulate request at runtime to find BoF vulnerabilities
• Trigger software upgrades for malwared executables

44. Attacking a client using SIP service
• Caller ID spoofed messages
• to install a malicious application or an SSL certificate
• to redirect voicemails or calls
• Fake caller ID for Scam, Vishing or Spying
• Manipulate the content or content-type on messaging
• Trigger a crash/BoF on the remote client
• Inject cross-site scripting to the conversation

• Proxies with TLS+TCP interception and manipulation
• Viproxy (github.com/fozavci/viproxy)
• MITMproxy

45. SMS phishing using SIP messages

46. Attacking a client using SIP trust
• SIP server redirects a few fields to client
• FROM, FROM NAME, Contact
• Other fields depend on server (e.g. SDP, MIME)
• Message content
• Clients have buffer overflow in FROM?
• Send 2000 chars to test it

• Crash it or execute your shellcode if available
• Clients trust SIP servers and trust is UDP based
• Trust hacking module can be used for the trust between server and client too.
• Viproy Penetration Testing Kit SIP Modules
• Simple fuzz support (FROM=FUZZ 2000)
• You can modify it for further attacks

47. Attacking a client using SIP trust
[Diagram: 192.168.1.145 Sydney Production SIP Service; 192.168.1.146 Melbourne; 192.168.1.202 Brisbane; IP spoofed UDP SIP request, From field has bogus characters; UDP Trust, Universal Trust; Tatooine; Crash! Adore iPhone App]
Send INVITE/MESSAGE requests with
• IP spoofing (source is Brisbane),
• From field contains exploit, the client will be your stormtrooper.

48. Attacking clients using VoIP
Video demo for SIP based client attacks
• Manipulating instant messaging between clients
• Initiate a call using fake Caller ID
• Send a fake message from the Operator
• Send bogus message to crash
• Send too many calls and create a crash

49. Attacking Skinny services
• Cisco Skinny (SCCP)
• Binary, not plain text
• Different versions
• No authentication
• MAC address is identity
• Auto registration

• Basic attacks
• Register as a phone
• Disconnect other phones
• Call forwarding
• Unauthorised calls
Source: Cisco

50. Other Skinny research
• Skinny vulnerabilities published
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cucm by Felix Lindner
http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20100303-cucm.html by Sipera VIPER Lab
• IxVoice SCCP (Skinny) Test Library
• VIPER UCSniff supports Skinny
• VIPER LAVA has Skinny support (?)

VoIP Security not found. Did you mean Jason Ostrom? He is not only passionate about VoIP…

51. Attacking Skinny services

52. Attacking Skinny services
Viproy has a Skinny library for easier development and sample attack modules
• Skinny auto registration
• Skinny register
• Skinny call
• Skinny call forwarding

53. Attacking Skinny services
Everybody can develop a Skinny module now, even Ewoks!
Register
Unauthorised Call

54. Preparing a proper client for Skinny
• Install Cisco IP Communicator
• Change the MAC address of Windows
• Register the software with this MAC

55. Demonstration of Skinny attacks

56. Summary
• Hosted VoIP 101
• Network Attacks
• Attacking CUCDM
• Attacking CUCM
• Attacking SIP
• Attacking Clients
• Attacking Skinny

57. Solutions
• Install the Cisco security patches
• From CVE-2014-3277 to CVE-2014-3283, CVE-2014-2197, CVE-2014-3300
• CSCum75078, CSCun17309, CSCum77041, CSCuo51517, CSCum76930, CSCun49862
• Secure network design
• IP phone services MUST be DEDICATED, not SHARED
• Secure deployment with PKI
• Authentication with X.509, software signatures
• Secure SSL configuration
• Secure protocols
• Skinny authentication, SIP authentication
• HTTP instead of TFTP, SSH instead of Telnet

58. References
• Viproy Homepage and Documentation
http://www.viproy.com

• Attacking SIP servers using Viproy VoIP Kit
https://www.youtube.com/watch?v=AbXh_L0-Y5A

• VoIP Pen-Test Environment – VulnVoIP
http://www.rebootuser.com/?cat=371

• Credits and thanks go to…
Sense of Security Team, Jason Ostrom, Mark Collier, Paul Henry, Sandro Gauci

59. Questions?

60. Thank you
Recognised as Australia’s fastest growing information security and risk management consulting firm through the Deloitte Technology Fast 50 & BRW Fast 100 programs
Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia.
Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
[email protected]
www.senseofsecurity.com.au