voip security
play

VoIP Security Title : Something Old (H.323), Something New (IAX), - PowerPoint PPT Presentation

Nov 26, 2023 •182 likes •768 views

VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ), & Something Blue (VoIP Administrators) BlackHat 2007 Presented by: Himanshu Dwivedi (hdwivedi@isecpartners.com) Zane Lackey

  1. VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ), & Something Blue (VoIP Administrators) BlackHat 2007 • Presented by: Himanshu Dwivedi (hdwivedi@isecpartners.com) Zane Lackey (zane@isecpartners.com) iSEC Partners https://www.isecpartners.com

  2. Agenda – Introduction – H.323 Attacks • Authenication Attacks • Authorization Attacks • DOS Attacks – IAX Attacks • Background • Authenication Attacks • DOS Attacks – Conclusion iSEC Partners https://www.isecpartners.com

  3. Why VoIP (H.323/IAX) Security • Privacy – Assumed privacy on telephone calls – Voicemail passwords – indicate the desire to protect our voice communication • Data – Sensitive information over HTTP = Unacceptable – Sensitive information over RTP = Acceptable? • Social Security Numbers • Credit Card Numbers • Medical Health Information • Confidential Data • Regulations – Focuses on stored data in file formats. What about stored data in media format? • Security – Authenication – Basic – Authorization – Can be subverted – Encryption – Absent by default iSEC Partners https://www.isecpartners.com

  4. Definition of Terms – H.323 Endpoint: Soft or hard phone on VoIP network using H.323 for session setup (versus SIP) – H.323 Gatekeeper: Registers/authenticates H.323 endpoints. Stores a database of all registered H.323 clients on the network – H.323 Gateway: A device that is used to route calls from one H.323 gatekeepers to other H.323 gatekeepers – IAX Client: Soft or hard phone on VoIP network using IAX for session setup and media transfer (versus SIP/H.323 & RTP) – IAX Server: A device that is used to route calls from one IAX client to another, such as Asterisk iSEC Partners https://www.isecpartners.com

  5. VoIP Attacks (H.323 & IAX) iSEC Partners https://www.isecpartners.com

  6. H.323 https://www.isecpartners.com iSEC Partners

  7. Session Setup – H.323 • H.323 Example iSEC Partners https://www.isecpartners.com

  8. H.323 Ports iSEC Partners https://www.isecpartners.com

  9. Session Setup – H.323 • Authenication – MD5 Authenication using challenge and timestamp – Vulnerable to an offline brute force attack • Authorization – E.164 Alias (4158675309) • Encryption – None (by default) • Compromised authenication open doors for: – Owning the phone – Impersonating the phone – Joining the VoIP network iSEC Partners https://www.isecpartners.com

  10. Auth Request Timestamp Timestamp H.323 Client NTP Server Gatekeeper MD5 Hash (ASN.1 Encoded: Username + password, timestamp) = MD5 Hash (ASN.1 Encoded: Username + password, timestamp) = MD5 Hash Authenticated! iSEC Partners https://www.isecpartners.com

  11. H.323 Authenication ASN.1 Encoded( H323-ID + Password + Timestamp) MD5 = Hash iSEC Partners https://www.isecpartners.com

  12. H.323 Authenication ASN.1 Encoded( H323-ID + Password + Timestamp) MD5 = Hash Sniffed (Captured) Entities over the network: • Username: USER • Timestamp: 1162895565 = No Match = Match • MD5 Hash: 1c8451595d9ac7b983350d268db7f36e Dictionary Attack: • USER + test + 1162895565 + = D41D8CD98F00B204E9800998ECF8427E • USER + Sonia + 1162895565 + = 00F17E991424CAA2B171C390BBB8BEAA • USER + Raina + 1162895565 + = 1FB59F6D6C96C286EFA597742013FB87 • USER + 1108 + 1162895565 + = 74F3946DBDB748B9C969B2BF90ED4B44 • USER + 1117 + 1162895565 + = E7484514C0464642BE7B4DC2689354C8 • USER + isec + 1162895565 + = ED43F5D53B5F97E5B8BD402AD6ECD421 • USER + PASS + 1162895565 + = 1C8451595D9AC7B983350D268DB7F36E iSEC Partners https://www.isecpartners.com

  13. H.323 Replay Attack • H.225 authentication is vulnerable to a replay attack – A replay attack occurs when an MD5 hash, a password equivalent value, is allowed to be captured and replayed by an attacker • ( H323-ID + Password + Timestamp) MD5 = Hash – In order to prevent a self-DOS, the timestamp is valid between 15min to 30min (user configurable) • An attacker can sniff the MD5 challenge across the network, resubmit it, and become authenticated iSEC Partners https://www.isecpartners.com

  14. H.323 Replay Attack 1. Capture a authenication hash over the network iSEC Partners https://www.isecpartners.com

  15. H.323 Replay Attack 2. Modify the following raw packet iSEC Partners https://www.isecpartners.com

  16. H.323 Replay Attack 3. Using nemesis, send the update replay packet to the gatekeeper nemesis udp -x 1719 -y 1719 -S 172.16.1.103 -D 172.16.1.140 -H 00:05:4E:4A:E0:E1 -M 02:34:4F:3B:A0:D3 –P iSEC.Registration.Replay iSEC Partners https://www.isecpartners.com

  17. Auth Request Timestamp H.323 Client Timestamp NTP Server Gatekeeper MD5 Hash: XYZ Authenticated! Capture and Replay MD5 hash MD5 Hash: XYZ Authenticated! Attacker iSEC Partners https://www.isecpartners.com

  18. H.323 Authorization • E.164 Alias – H.323 endpoints each contain an E.164 alias. The E.164 alias is an international number system compromised of a country code (CC), national destination code (NDC), and a subscriber number (SN). – An E.164 alias can be up to 15 alpha-number values, which can be set dynamically by a gatekeeper device or can be set locally by the endpoint itself iSEC Partners https://www.isecpartners.com

  19. E.164 Alias Enumeration • E.164 Alias Enumeration – H.323 endpoints each contain an E.164 alias. The E.164 alias is an international number system compromised of a country code (CC), national destination code (NDC), and a subscriber number (SN). – An E.164 alias can be up to 15 alpha-number values, which can be set dynamically by a gatekeeper device or can be set locally by the endpoint itself iSEC Partners https://www.isecpartners.com

  20. Group C: E.164 Aliases (Executive Conference Bridge) E.164 Alias: 123abc 415* securityDenial E.164 Alias: 415abc Group B: E.164 Aliases (Call Internal) H.323 H.323 Gatekeeper duplicateAlias Attacker 605* E.164 Alias: 415abc Authorized! DOS Group A: E.164 Aliases (Call Anywhere) 510* 415* 605* H.323 Client: 415abc iSEC Partners https://www.isecpartners.com

  21. E.164 Alias Spoofing/Hopping • E.164 Alias are often used for authorization • E.164 alias can be spoofed quite easily in software iSEC Partners https://www.isecpartners.com

  22. E.164 Alias Spoofing/Hopping 1. Open an H.323 Client, such as Ekiga 2. Select Edit -> Accounts -> [H.323 account] -> Properties 3. Expand More Options and change the E.164 Alias (Gatekeeper ID) iSEC Partners https://www.isecpartners.com

  23. DOS via NTP • H.323 authentication uses the timestamp from a NTP server • An attacker can ensure that no H.323 endpoints can register to the network by updating NTP information incorrectly on all H.323 devices – A malicious NTP server send timestamps to H.323 endpoints that are not the same timestamps used by the gatekeeper – Attacker could send timestamps to the gatekeeper that differ from the ones used by the endpoint – Since most H.323 endpoints and gatekeepers do not require authentication for timestamp updates, they will simply accept the timestamp received from the attacker. – Some endpoints and gatekeepers will only accept timestamp information from certain IP addresses where IP spoof needs to be used iSEC Partners https://www.isecpartners.com

  24. Auth Request Timestamp Timestamp H.323 Client NTP Server MD5 Hash: XYZ Unauthenticated! Authenticated! Gatekeeper NTP Update Timestamp NTP Update Timestamp Attacker iSEC Partners https://www.isecpartners.com

  25. DOS via NTP 1. Start nemesis from the BackTrack CD 2. Download iSEC.NTP.DOS from www.isecpartners.com/voipsecurity.html; the input file we'll use with Nemesis in order to execute the NTP DOS. 3. Using nemesis, send the update replay packet to the gatekeeper nemesis udp -x 123 -y 123 -S 172.16.1.103 -D 172.16.1.140 -H 00:05:4E:4A:E0:E1 -M 02:34:4F:3B:A0:D3 –P iSEC.NTP.DOS 4. Repeat step 3 repeatedly as long as you want the DOS to occur (or create a script to repeat this indefinitely). iSEC Partners https://www.isecpartners.com

  26. DOS via Registration Reject • Registration Reject is used to reject registration or unregiester an existing H.323 endpoint • No authentication to reject H.323 endpoints on the network – If a H.323 endpoint is legitimately authenticated a gatekeeper, an attacker can simply send the endpoint one UDP registration reject packet to unregister it. The legitimate endpoint would then attempt to re- register, but the attacker can simply send another UDP packet and immediately unregister it. iSEC Partners https://www.isecpartners.com

  27. DOS via Registration Reject Auth Request Timestamp Timestamp H.323 Client NTP Server MD5 Hash: XYZ Unauthenticated! Authenticated! Gatekeeper H.323 RegistrationReject Attacker iSEC Partners https://www.isecpartners.com

  28. DOS via Registration Reject 1. Start nemesis from the BackTrack CD 2. Download iSEC.Registration.Reject.DOS from www.isecpartners.com/voipsecurity.html; the input file we'll use with Nemesis in order to execute the DOS. 3. Using nemesis, send the update replay packet to the gatekeeper nemesis udp -x 123 -y 123 -S 172.16.1.103 -D 172.16.1.140 -H 00:05:4E:4A:E0:E1 -M 02:34:4F:3B:A0:D3 –P iSEC.Registration.Reject.DOS 4. Repeat step 3 repeatedly as long as you want the DOS to occur (or create a script to repeat this indefinitely). iSEC Partners https://www.isecpartners.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security Project 4. Next Steps With SCAP 5. Summary

388 views • 23 slides
What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

Welcome to Business Matters Todays topic: What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for Voice over Internet Protocol - Phone service through your Internet connection 2 Components of

510 views • 29 slides
Security in VoIP Systems Eric Rescorla RTFM, Inc. ekr@rtfm.com Eric Rescorla Security in VoIP

Security in VoIP Systems Eric Rescorla RTFM, Inc. ekr@rtfm.com Eric Rescorla Security in VoIP

Security in VoIP Systems Eric Rescorla RTFM, Inc. ekr@rtfm.com Eric Rescorla Security in VoIP Systems 1 Background: the PSTN Cell Cell POTS POTS Subscriber To wer Subscriber Subscriber POTS Qwest Trunk Line Verizon Subscriber

801 views • 57 slides
Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP (voice over IP) is an IP telephony term for a set of facilities used to manage the delivery of voice information over the Internet. A major advantage of

1.26k views • 5 slides
VoIP Security* Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011

VoIP Security* Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011

VoIP Security* Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011 *Thanks to Prof. Angelos Keromytis for materials for these lecture slides. CSE545 - Advanced Network Security - Professor McDaniel Page 1 Example of

941 views • 34 slides
Viproy VoIP Penetration and Exploitation Toolkit Fatih zavc Security Consultant @ Sense of

Viproy VoIP Penetration and Exploitation Toolkit Fatih zavc Security Consultant @ Sense of

Viproy VoIP Penetration and Exploitation Toolkit Fatih zavc Security Consultant @ Sense of Security (Australia) # whois Security Consultant @ Sense of Security (Australia) 10+ Years Experience in Penetration Testing 800+

494 views • 21 slides
Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1 PRI Gateway Dedicated VoIP-ISDN PRI Gateway Plug-n-Play device VoIP access device for an existing PBX PRI trunking for an

404 views • 27 slides
VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite components VoIP switch - SIP softswitch based on VoIP switch Opensips significantly re-developed by 5g 5g Future. Future Dynamic or static routing - a

156 views • 11 slides
A Holistic Approach to Open-Source VoIP Security Preliminary results from the EUX2010Sec

A Holistic Approach to Open-Source VoIP Security Preliminary results from the EUX2010Sec

www.nr.no A Holistic Approach to Open-Source VoIP Security Preliminary results from the EUX2010Sec project Lothar Fritsch, Arne-Kristian Groven, and Lars Strand Cancun, Mexico March 2009 Overview Goal The EUX2010Sec project

490 views • 19 slides
Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE, NCTU Quincy Wu Email: solomon@ipv6.club.tw 1 Outline Introduction Voice over IP RTP & SIP NTP VoIP Platform Conclusion

1.02k views • 64 slides
VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely, 15.-16. January 2009 VoIP? PSTN: 100 year old technology, 99.999% uptime, call anyone anytime can VoIP offer that today? VoIP next

479 views • 15 slides
Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

4/3/2015 Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP increasingly important Skype, Google Talk, and MSN Started with inexpensive use at home with friends and family Messenger Now businesses

631 views • 7 slides
Mobile VoIP Steganography From Framework to Implementation Marcus Nutzinger Rainer Poisel

Mobile VoIP Steganography From Framework to Implementation Marcus Nutzinger Rainer Poisel

Mobile VoIP Steganography From Framework to Implementation Marcus Nutzinger Rainer Poisel Jrgen Wurzer Institute of IT Security Research St. Plten University of Applied Sciences DeepSec 2010 November 25 th 2010 Mobile VoIP Steganography

528 views • 27 slides
SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

LAB 117 & VoIP LAB SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP Platform in Taiwan Taiwan 19th APAN Meeting in Bangkok, January 2005 Ines Sok-Ian Sou and Prof. Quincy Wu Dept. of

293 views • 27 slides
A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic Tejmani Sinam, Irengbam Tilokchan Singh, Sukumar Nandi Pradeep Lamabam, Ngasham Nandarani Devi Department of Computer Science and Engineering,

231 views • 6 slides
CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY OPERATOR DATA MVNO OTTs Services that 100% guarantee reliable and lucrative partnerships lead to absolute success. premier global communications

331 views • 7 slides
W E S T E R N G O V E R N O R S U N I V E R S I T Y Transfer to Success: RN to BSN/MSN RN-BSN P

W E S T E R N G O V E R N O R S U N I V E R S I T Y Transfer to Success: RN to BSN/MSN RN-BSN P

W E S T E R N G O V E R N O R S U N I V E R S I T Y Transfer to Success: RN to BSN/MSN RN-BSN P ROGRAM H IGHLIGHTS 100% online in Competency Based Education (CBE) model Complete courses at your own pace as you prove mastery of the

428 views • 4 slides
Take control & keep control M AV C O U N C I L L O R D E V E L O P M E N T W E E K E N D 2

Take control & keep control M AV C O U N C I L L O R D E V E L O P M E N T W E E K E N D 2

SOCIAL MEDIA: Take control & keep control M AV C O U N C I L L O R D E V E L O P M E N T W E E K E N D 2 0 1 9 S T R AT E G I C , S K I L L E D , I N F O R M E D . R O S S M O N A G H A N , D E A K I N U N I V E R S I T Y SOCIAL

304 views • 27 slides
Sydney - December 2017 French Nuclear Safety Authority mickael.gandolin@asn.fr Presentation 1.

Sydney - December 2017 French Nuclear Safety Authority mickael.gandolin@asn.fr Presentation 1.

IAEA Workshop - Research Reactors Implementation of the post-Fukushima Daiichi accident Enhancement Programme for RRs Sydney - December 2017 French Nuclear Safety Authority mickael.gandolin@asn.fr Presentation 1. Regulatory Programme 2.

457 views • 24 slides
Bachelor of Screen Media Dr Marc C-Scott Medias Future 1 in 3 Australians have Netflix Hours

Bachelor of Screen Media Dr Marc C-Scott Medias Future 1 in 3 Australians have Netflix Hours

Bachelor of Screen Media Dr Marc C-Scott Medias Future 1 in 3 Australians have Netflix Hours spent watching TV continues to declined Video services continue to be grow, SVoD, Social Media, Technology Companies. Mobile video will increase

292 views • 10 slides
Geographical differences

Geographical differences

The agent (mixture) is carcinogenic to humans. Geographical differences Legislative frame work - WA Occupational Safety Health Act 1984 (Updated Sept 2014)

235 views • 22 slides
Entertainment Entertainment Presentation Group Limited Group Limited 9 February 2018

Entertainment Entertainment Presentation Group Limited Group Limited 9 February 2018

SKYCITY SKYCITY 1H18 Results Investor Entertainment Entertainment Presentation Group Limited Group Limited 9 February 2018 Disclaimer All information included in this presentation is provided as at 9 February 2018 This

371 views • 36 slides
ASN Broker Public Company Limited Opportunity Day 26 November 2018 ASN Broker Public Company

ASN Broker Public Company Limited Opportunity Day 26 November 2018 ASN Broker Public Company

ASN Broker Public Company Limited ASN Broker Public Company Limited Opportunity Day 26 November 2018 ASN Broker Public Company Limited Agenda Company Overview I Q3 2018 Financial Performance II Q3 2018 Key Developments III 2 ASN Broker Public

542 views • 16 slides
Quality industry-led research: What the CRC Advisory Committee is looking for Mr Philip Marcus

Quality industry-led research: What the CRC Advisory Committee is looking for Mr Philip Marcus

Quality industry-led research: What the CRC Advisory Committee is looking for Mr Philip Marcus Clark AM Chair, Cooperative Research Centres Advisory Committee Industry Led Research Introduction of CRC Projects Stream Role of Growth Centres in

38 views • 3 slides

More recommend