voip phreaking
play

VoIP Phreaking Introduction to SIP Hacking Hendrik Scholz - PowerPoint PPT Presentation

Dec 10, 2023 •275 likes •532 views

VoIP Phreaking Introduction to SIP Hacking Hendrik Scholz hscholz@raisdorf.net http://www.wormulon.net/ 22C3, 2005-12-27 Berlin, Germany Agenda What is Voice Over IP? Infrastucture Protocols SIP attacks Conclusion VoIP

  1. VoIP Phreaking Introduction to SIP Hacking Hendrik Scholz hscholz@raisdorf.net http://www.wormulon.net/ 22C3, 2005-12-27 Berlin, Germany

  2. Agenda ● What is Voice Over IP? ● Infrastucture ● Protocols ● SIP attacks ● Conclusion VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  3. VoIP is ● generally considered cheap ● TCO ● end user perspective ● in production use today ● undergoing explosive growth ● free calls VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  4. VoIP also ● converges with the PSTN ● replaces PSTN networks ● is growing rapidly ● is immature ● generally used without TLS VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  5. Infrastructure ● VoIP phones – hardware (Cisco, AVM, Snom, ...) – software (X-Lite, kphone, ...) ● Server software – registrar, route/proxy server, presence ● PSTN integration – VoIP->PSTN, PSTN->VoIP gateway ● misc services – billing, webinterfaces, media proxies, STUN VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  6. Infrastructure overview VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  7. Protocols ● Separation of signalling and media ● Signalling – SIP, H.323 – MGCP, Megaco – Skype ● Media w/ RTP – G711u/a, G7xx,GSM, iLBC, Speex, proprietary VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  8. SIP vs. MGCP VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  9. SIP vs. MGCP cont'd VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  10. Media Gateway Control Protocol ● Media Gateways are controlled by a Media Gateway Controller ● MGWC translates SIP/H.323 to MGCP ● RFC 3435, sect 5: „Any entity can send a command to an MGCP endpoint. If unauthorized entities could use the MGCP, they would be able to set-up unauthorized calls, or to interfere with authorized calls. We expect that MGCP messages will always be carried over secure Internet connections, as defined“ ● MGCP is out of scope for this talk ● still it is VERY interesting VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  11. SIP ● SIP = Session Initiation Protocol ● RFC 3261 (superseded 2543) ● looks like http – plain text – status codes (200 OK, 404 Not Found) – key/value pairs ● transport: UDP (most common), TCP, TLS, DTLS VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  12. SIP cont'd ● complex state engine ● always changing due to additions ● hard to do complete implementation – different ways of doing things (Route header) – case insensitiveness, whitespaces VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  13. Open Source SIP software ● open source stacks – libosip, eXosip, reSIProcate, libdissipate ● clients – kphone, linphone, sfl-phone, PhoneGaim ● tools – sipsak, sipp, protos test suite, ngrep, ethereal ● server – SER, Asterisk, sipd, partysip, Vocal VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  14. Attack Vector: Signalling ● buffer overflows in all devices? ● race conditions – CANCEL during call-setup – media faster than signalling SIP RE-INVITE (change codec, redirect media) ● Alert-Info header – change ringtone to a more distinctive one ● internal symbol (bellcore-dr1) ● http URL VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  15. Attack Vector: media/RTP ● injection of media – esp. premature media ● spoof receiver reports to fake bad quality and tear down the call ● various (private) tools exist ● recording of media streams – sniffing – proxying traffic VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  16. Attack Vector: Billing evasion ● make somebody other pay for the call – usually exploit ISP-related bugs/features ● get free calls – SIP based – MGCP based ● highjacking equipment – search for webinterface on hardware phone – initiate 3-party calls from webinterface VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  17. Attack Vector: SIP Spoofing ● SIP packets contain – To/From To: <sip:0124@123.org;user=phone> From: "Hendrik Scholz" <sip:0123@123.org> – Contact Contact: <sip:0123@10.1.1.1:5060> VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  18. Attack Vector: SIP Spoofing cont'd ● To/From tags From: "Hendrik Scholz" <sip:0123@123.org>;tag=000750c6848803683ac37 616-1a257852 ● Call-ID Call-ID: 000750c6-84880034-5071af22- 2898d775@10.1.1.1 ● Cseq CSeq: 102 INVITE ● Record-Route Record-Route: <sip:10.1.1.2;ftag=000750c6848803683ac37616- 1a257852;lr=on> VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  19. Attack Vector: SIP Spoofing cont'd ● hard to guess all values ● luckly hardly any device checks all, Exploit! VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  20. Attack Vector: devices ● SIP NOTIFY message w/ sync-check header – Event: check-sync – perform update/reboot – Cisco 79x0 related ● AVM 7050 'Bier holen' – „everything but the kitchen sink“ – send #96*6* from an ISDN phone – phone displays 'Bier holen' VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  21. Attack Vector: Caller-ID ● messages contain – From – Remote-Party-ID – P-Asserted-Identity ● set and see what happens ● look for ISP proprietary extensions (P-Headers, SetCallerID header on nufone.net) ● use spoofed SIP Caller ID to call somebodies PSTN/cell phone voice mailbox VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  22. Easy Attack Example ● Route: caller -> proxy/billing -> PSTN -> callee ● Max-Forwards set too low on BYE ● packet expires on the way, cheap call VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  23. Resources ● RFCs: http://www.packetizer.com/voip/sip/standar ds.html ● http://iptel.org/ ● Cisco Bugreports, esp. open bugs ● http://voip-info.org/ ● http://onsip.org/ VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  24. Conclusions ● VoIP is emerging while still under development ● convergence of trusted and untrusted networks ● TLS hardly used ● attack MGCP behind SIP ● attack applications (voice mail) VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

Welcome to Business Matters Todays topic: What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for Voice over Internet Protocol - Phone service through your Internet connection 2 Components of

510 views • 29 slides
CIS 6930 - Cellular and Mobile Network Security: Phreaking and Eavesdropping Professor Patrick

CIS 6930 - Cellular and Mobile Network Security: Phreaking and Eavesdropping Professor Patrick

CIS 6930 - Cellular and Mobile Network Security: Phreaking and Eavesdropping Professor Patrick Traynor 11/15/18 Florida Institute for Cybersecurity (FICS) Research Closing Notes Remember, 50% of the course grade comes from this project.

624 views • 33 slides
Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP (voice over IP) is an IP telephony term for a set of facilities used to manage the delivery of voice information over the Internet. A major advantage of

1.26k views • 5 slides
VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite components VoIP switch - SIP softswitch based on VoIP switch Opensips significantly re-developed by 5g 5g Future. Future Dynamic or static routing - a

156 views • 11 slides
Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1 PRI Gateway Dedicated VoIP-ISDN PRI Gateway Plug-n-Play device VoIP access device for an existing PBX PRI trunking for an

404 views • 27 slides
Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE, NCTU Quincy Wu Email: solomon@ipv6.club.tw 1 Outline Introduction Voice over IP RTP &amp; SIP NTP VoIP Platform Conclusion

1.02k views • 64 slides
VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely, 15.-16. January 2009 VoIP? PSTN: 100 year old technology, 99.999% uptime, call anyone anytime can VoIP offer that today? VoIP next

479 views • 15 slides
Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

4/3/2015 Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP increasingly important Skype, Google Talk, and MSN Started with inexpensive use at home with friends and family Messenger Now businesses

631 views • 7 slides
SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

LAB 117 &amp; VoIP LAB SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP Platform in Taiwan Taiwan 19th APAN Meeting in Bangkok, January 2005 Ines Sok-Ian Sou and Prof. Quincy Wu Dept. of

293 views • 27 slides
A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic Tejmani Sinam, Irengbam Tilokchan Singh, Sukumar Nandi Pradeep Lamabam, Ngasham Nandarani Devi Department of Computer Science and Engineering,

231 views • 6 slides
CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY OPERATOR DATA MVNO OTTs Services that 100% guarantee reliable and lucrative partnerships lead to absolute success. premier global communications

331 views • 7 slides
FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services

FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services

GLOBAL TELECOMMUNICATIONS AND MEDIA INDUSTRY GROUP E-NEWS JUNE 8, 2005 FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services Required to Supply Enhanced 911 (E911) capabilities. Must File Letters

357 views • 4 slides
VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ),

VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ),

VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ), &amp; Something Blue (VoIP Administrators) BlackHat 2007 Presented by: Himanshu Dwivedi (hdwivedi@isecpartners.com) Zane Lackey

768 views • 58 slides
Requirements for VoIP Header Compression over Multiple-Hop Paths

Requirements for VoIP Header Compression over Multiple-Hop Paths

Requirements for VoIP Header Compression over Multiple-Hop Paths (draft-ash-e2e-voip-hdr-comp-rqmts-01.txt) Jerry Ash Jim Hand AT&amp;T AT&amp;T gash@att.com jameshand@att.com Bur Goode Raymond Zhang AT&amp;T Infonet Services Corporation

325 views • 20 slides
Overview Overview VoIP Introduction Basic PSTN Concepts and SS7 Old Private

Overview Overview VoIP Introduction Basic PSTN Concepts and SS7 Old Private

Overview Overview VoIP Introduction Basic PSTN Concepts and SS7 Old Private Telephony Solutions Internet Telephony and Services Voice- -over over- -IP (VoIP) IP (VoIP) Voice VoIP-PSTN Interoperability IP PBX

405 views • 7 slides
Voice Over IP (VoIP) Private Label Reseller Program Start selling VoIP services with no minimum

Voice Over IP (VoIP) Private Label Reseller Program Start selling VoIP services with no minimum

Callika Internet Telephony Voice Over IP (VoIP) Private Label Reseller Program Start selling VoIP services with no minimum investment no equipment purchases no hidden fees 1 888 276 8881 info@callika.com http://www.callika.com

597 views • 28 slides
StanleyWilf Limits of Layered Patterns Permutation Patterns 2012 Anders Claesson, V t

StanleyWilf Limits of Layered Patterns Permutation Patterns 2012 Anders Claesson, V t

StanleyWilf Limits of Layered Patterns Permutation Patterns 2012 Anders Claesson, V t Jel nek, Einar Steingr msson StanleyWilf Limits Definition Av( ) is the set of -avoiding permutations. Av n ( ) is the set of

690 views • 47 slides
Deconfinement Transition As Black Hole Formation By The Condensation Of QCD Strings Jonathan

Deconfinement Transition As Black Hole Formation By The Condensation Of QCD Strings Jonathan

Deconfinement Transition As Black Hole Formation By The Condensation Of QCD Strings Jonathan Maltz 1 Masanori Hanada 2 Leonard Susskind 3 and 1 Kavli IPMU - University of Tokyo 2 Yukawa Institute for Theoretical Physics - University of Kyoto 3

473 views • 24 slides
Network Centric Operations Industry Consortium www.ncoic.org Industry working together with our

Network Centric Operations Industry Consortium www.ncoic.org Industry working together with our

Network Centric Operations Industry Consortium www.ncoic.org Industry working together with our customers Sheryl Sizelove NCOIC Technical Council Chairman Emeritus 16 April 2007 Approved for Public Release NCOIC March 9, 2007 1 Approved by

238 views • 10 slides
XMG: a tool for implementing frames Timm Lichte 1 , Simon Petitjean 2 , Laura Kallmeyer 1 &amp;

XMG: a tool for implementing frames Timm Lichte 1 , Simon Petitjean 2 , Laura Kallmeyer 1 &amp;

XMG: a tool for implementing frames Timm Lichte 1 , Simon Petitjean 2 , Laura Kallmeyer 1 &amp; Younes Samih 1 1 University of Dsseldorf, Germany, and 2 Universit dOrlans, France CTF14, August 26, 2014 SFB 991 1 / 24 Table of contents 1

492 views • 24 slides
CRE Yield Business Plan The Problem All Commercial Real Estate (CRE) is periodically valued

CRE Yield Business Plan The Problem All Commercial Real Estate (CRE) is periodically valued

CRE Yield Business Plan The Problem All Commercial Real Estate (CRE) is periodically valued throughout each year for non- regulatory purposes. It is estimated the U.S. internal labor and external fees expended annually on non-regulatory CRE

435 views • 22 slides
CS 423 Operating System Design Tianyin Xu * Thanks for Prof. Adam Bates for the slides. CS423:

CS 423 Operating System Design Tianyin Xu * Thanks for Prof. Adam Bates for the slides. CS423:

CS 423 Operating System Design Tianyin Xu * Thanks for Prof. Adam Bates for the slides. CS423: Operating Systems Design Learning Objectives Before CS 423: Knowledge of C/C++ Basic knowledge of Linux/POSIX APIs and functions After CS

877 views • 50 slides
CFPB Update on Origination Rules Presented by the CFPB and MBA October 17, 2013 Transcript

CFPB Update on Origination Rules Presented by the CFPB and MBA October 17, 2013 Transcript

CFPB Update on Origination Rules Presented by the CFPB and MBA October 17, 2013 Transcript prepared by BuckleySandler LLP 1 DAVE STEVENS : Good Afternoon everybody, this is Dave Stevens. Im the President and CEO of the Mortgage Bankers

575 views • 33 slides
International Stakeholder Forum Please note that these update slides replace the March 2020

International Stakeholder Forum Please note that these update slides replace the March 2020

International Stakeholder Forum Please note that these update slides replace the March 2020 meeting, which has been cancelled due to coronavirus. Ofcom March 2020 PROMOTING CHOICE SECURING STANDARDS PREVENTING HARM Agenda

534 views • 25 slides

More recommend