voip phreaking
play

VoIP Phreaking Introduction to SIP Hacking Hendrik Scholz - PowerPoint PPT Presentation

Dec 10, 2023 •275 likes •532 views

VoIP Phreaking Introduction to SIP Hacking Hendrik Scholz hscholz@raisdorf.net http://www.wormulon.net/ 22C3, 2005-12-27 Berlin, Germany Agenda What is Voice Over IP? Infrastucture Protocols SIP attacks Conclusion VoIP

  1. VoIP Phreaking Introduction to SIP Hacking Hendrik Scholz hscholz@raisdorf.net http://www.wormulon.net/ 22C3, 2005-12-27 Berlin, Germany

  2. Agenda ● What is Voice Over IP? ● Infrastucture ● Protocols ● SIP attacks ● Conclusion VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  3. VoIP is ● generally considered cheap ● TCO ● end user perspective ● in production use today ● undergoing explosive growth ● free calls VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  4. VoIP also ● converges with the PSTN ● replaces PSTN networks ● is growing rapidly ● is immature ● generally used without TLS VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  5. Infrastructure ● VoIP phones – hardware (Cisco, AVM, Snom, ...) – software (X-Lite, kphone, ...) ● Server software – registrar, route/proxy server, presence ● PSTN integration – VoIP->PSTN, PSTN->VoIP gateway ● misc services – billing, webinterfaces, media proxies, STUN VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  6. Infrastructure overview VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  7. Protocols ● Separation of signalling and media ● Signalling – SIP, H.323 – MGCP, Megaco – Skype ● Media w/ RTP – G711u/a, G7xx,GSM, iLBC, Speex, proprietary VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  8. SIP vs. MGCP VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  9. SIP vs. MGCP cont'd VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  10. Media Gateway Control Protocol ● Media Gateways are controlled by a Media Gateway Controller ● MGWC translates SIP/H.323 to MGCP ● RFC 3435, sect 5: „Any entity can send a command to an MGCP endpoint. If unauthorized entities could use the MGCP, they would be able to set-up unauthorized calls, or to interfere with authorized calls. We expect that MGCP messages will always be carried over secure Internet connections, as defined“ ● MGCP is out of scope for this talk ● still it is VERY interesting VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  11. SIP ● SIP = Session Initiation Protocol ● RFC 3261 (superseded 2543) ● looks like http – plain text – status codes (200 OK, 404 Not Found) – key/value pairs ● transport: UDP (most common), TCP, TLS, DTLS VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  12. SIP cont'd ● complex state engine ● always changing due to additions ● hard to do complete implementation – different ways of doing things (Route header) – case insensitiveness, whitespaces VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  13. Open Source SIP software ● open source stacks – libosip, eXosip, reSIProcate, libdissipate ● clients – kphone, linphone, sfl-phone, PhoneGaim ● tools – sipsak, sipp, protos test suite, ngrep, ethereal ● server – SER, Asterisk, sipd, partysip, Vocal VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  14. Attack Vector: Signalling ● buffer overflows in all devices? ● race conditions – CANCEL during call-setup – media faster than signalling SIP RE-INVITE (change codec, redirect media) ● Alert-Info header – change ringtone to a more distinctive one ● internal symbol (bellcore-dr1) ● http URL VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  15. Attack Vector: media/RTP ● injection of media – esp. premature media ● spoof receiver reports to fake bad quality and tear down the call ● various (private) tools exist ● recording of media streams – sniffing – proxying traffic VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  16. Attack Vector: Billing evasion ● make somebody other pay for the call – usually exploit ISP-related bugs/features ● get free calls – SIP based – MGCP based ● highjacking equipment – search for webinterface on hardware phone – initiate 3-party calls from webinterface VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  17. Attack Vector: SIP Spoofing ● SIP packets contain – To/From To: <sip:0124@123.org;user=phone> From: "Hendrik Scholz" <sip:0123@123.org> – Contact Contact: <sip:0123@10.1.1.1:5060> VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  18. Attack Vector: SIP Spoofing cont'd ● To/From tags From: "Hendrik Scholz" <sip:0123@123.org>;tag=000750c6848803683ac37 616-1a257852 ● Call-ID Call-ID: 000750c6-84880034-5071af22- 2898d775@10.1.1.1 ● Cseq CSeq: 102 INVITE ● Record-Route Record-Route: <sip:10.1.1.2;ftag=000750c6848803683ac37616- 1a257852;lr=on> VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  19. Attack Vector: SIP Spoofing cont'd ● hard to guess all values ● luckly hardly any device checks all, Exploit! VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  20. Attack Vector: devices ● SIP NOTIFY message w/ sync-check header – Event: check-sync – perform update/reboot – Cisco 79x0 related ● AVM 7050 'Bier holen' – „everything but the kitchen sink“ – send #96*6* from an ISDN phone – phone displays 'Bier holen' VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  21. Attack Vector: Caller-ID ● messages contain – From – Remote-Party-ID – P-Asserted-Identity ● set and see what happens ● look for ISP proprietary extensions (P-Headers, SetCallerID header on nufone.net) ● use spoofed SIP Caller ID to call somebodies PSTN/cell phone voice mailbox VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  22. Easy Attack Example ● Route: caller -> proxy/billing -> PSTN -> callee ● Max-Forwards set too low on BYE ● packet expires on the way, cheap call VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  23. Resources ● RFCs: http://www.packetizer.com/voip/sip/standar ds.html ● http://iptel.org/ ● Cisco Bugreports, esp. open bugs ● http://voip-info.org/ ● http://onsip.org/ VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

  24. Conclusions ● VoIP is emerging while still under development ● convergence of trusted and untrusted networks ● TLS hardly used ● attack MGCP behind SIP ● attack applications (voice mail) VoIP Phreaking – 22C3, Berlin - hscholz@raisdorf.net

Recommend

What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

Welcome to Business Matters Todays topic: What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for Voice over Internet Protocol - Phone service through your Internet connection 2 Components of

510 views • 29 slides
CIS 6930 - Cellular and Mobile Network Security: Phreaking and Eavesdropping Professor Patrick

CIS 6930 - Cellular and Mobile Network Security: Phreaking and Eavesdropping Professor Patrick

CIS 6930 - Cellular and Mobile Network Security: Phreaking and Eavesdropping Professor Patrick Traynor 11/15/18 Florida Institute for Cybersecurity (FICS) Research Closing Notes Remember, 50% of the course grade comes from this project.

624 views • 33 slides
Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP (voice over IP) is an IP telephony term for a set of facilities used to manage the delivery of voice information over the Internet. A major advantage of

1.26k views • 5 slides
VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite components VoIP switch - SIP softswitch based on VoIP switch Opensips significantly re-developed by 5g 5g Future. Future Dynamic or static routing - a

156 views • 11 slides
Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1 PRI Gateway Dedicated VoIP-ISDN PRI Gateway Plug-n-Play device VoIP access device for an existing PBX PRI trunking for an

404 views • 27 slides
Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE, NCTU Quincy Wu Email: solomon@ipv6.club.tw 1 Outline Introduction Voice over IP RTP &amp; SIP NTP VoIP Platform Conclusion

1.02k views • 64 slides
VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely, 15.-16. January 2009 VoIP? PSTN: 100 year old technology, 99.999% uptime, call anyone anytime can VoIP offer that today? VoIP next

479 views • 15 slides
Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

4/3/2015 Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP increasingly important Skype, Google Talk, and MSN Started with inexpensive use at home with friends and family Messenger Now businesses

631 views • 7 slides
SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

LAB 117 &amp; VoIP LAB SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP Platform in Taiwan Taiwan 19th APAN Meeting in Bangkok, January 2005 Ines Sok-Ian Sou and Prof. Quincy Wu Dept. of

293 views • 27 slides
A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic Tejmani Sinam, Irengbam Tilokchan Singh, Sukumar Nandi Pradeep Lamabam, Ngasham Nandarani Devi Department of Computer Science and Engineering,

231 views • 6 slides
CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY OPERATOR DATA MVNO OTTs Services that 100% guarantee reliable and lucrative partnerships lead to absolute success. premier global communications

331 views • 7 slides
FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services

FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services

GLOBAL TELECOMMUNICATIONS AND MEDIA INDUSTRY GROUP E-NEWS JUNE 8, 2005 FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services Required to Supply Enhanced 911 (E911) capabilities. Must File Letters

357 views • 4 slides
VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ),

VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ),

VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ), &amp; Something Blue (VoIP Administrators) BlackHat 2007 Presented by: Himanshu Dwivedi (hdwivedi@isecpartners.com) Zane Lackey

768 views • 58 slides
Requirements for VoIP Header Compression over Multiple-Hop Paths

Requirements for VoIP Header Compression over Multiple-Hop Paths

Requirements for VoIP Header Compression over Multiple-Hop Paths (draft-ash-e2e-voip-hdr-comp-rqmts-01.txt) Jerry Ash Jim Hand AT&amp;T AT&amp;T gash@att.com jameshand@att.com Bur Goode Raymond Zhang AT&amp;T Infonet Services Corporation

325 views • 20 slides
Overview Overview VoIP Introduction Basic PSTN Concepts and SS7 Old Private

Overview Overview VoIP Introduction Basic PSTN Concepts and SS7 Old Private

Overview Overview VoIP Introduction Basic PSTN Concepts and SS7 Old Private Telephony Solutions Internet Telephony and Services Voice- -over over- -IP (VoIP) IP (VoIP) Voice VoIP-PSTN Interoperability IP PBX

405 views • 7 slides
Voice Over IP (VoIP) Private Label Reseller Program Start selling VoIP services with no minimum

Voice Over IP (VoIP) Private Label Reseller Program Start selling VoIP services with no minimum

Callika Internet Telephony Voice Over IP (VoIP) Private Label Reseller Program Start selling VoIP services with no minimum investment no equipment purchases no hidden fees 1 888 276 8881 info@callika.com http://www.callika.com

597 views • 28 slides
50 YEARS Let Us Fulfill Your Needs Let Us Fulfill Your Needs We Are VoIP Supply VoIP Supply

50 YEARS Let Us Fulfill Your Needs Let Us Fulfill Your Needs We Are VoIP Supply VoIP Supply

50 YEARS Let Us Fulfill Your Needs Let Us Fulfill Your Needs We Are VoIP Supply VoIP Supply Programs Let Us Fulfill Your Needs Fulfillment &amp; Provisioning Let Us Fulfill Your Needs Become an Agent Today Let Us Fulfill Your

814 views • 47 slides
Modern VoIP in Modern Infrastructures Designing and implementing VoIP architectures in the cloud

Modern VoIP in Modern Infrastructures Designing and implementing VoIP architectures in the cloud

Modern VoIP in Modern Infrastructures Designing and implementing VoIP architectures in the cloud and container era Federico Cabiddu - RTC Architect @ Libon Giacomo Vacca - RTC Architect @ Nexmo About us Giacomo Vacca Federico Cabiddu VoIP

708 views • 27 slides
By: Jen DosSantos, Kerry Cassidy &amp; Mike Dunn VoIP is an acronym for Voice over Internet

By: Jen DosSantos, Kerry Cassidy &amp; Mike Dunn VoIP is an acronym for Voice over Internet

By: Jen DosSantos, Kerry Cassidy &amp; Mike Dunn VoIP is an acronym for Voice over Internet Protocol. VoIP describes any kind of connection uses the internet to make phone calls. VoIP calls can be made from a computer to another computer, a

448 views • 13 slides
TFRC for Voice: the VoIP Variant Sally Floyd, Eddie Kohler. November 2005

TFRC for Voice: the VoIP Variant Sally Floyd, Eddie Kohler. November 2005

TFRC for Voice: the VoIP Variant Sally Floyd, Eddie Kohler. November 2005 draft-ietf-dccp-tfrc-voip-02.txt Slides: http://www.icir.org/floyd/talks.html Graphics: http://www.icir.org/floyd/papers/voipimages.pdf VoIP: fairness in Bps. In

218 views • 9 slides
Improving QoS of VoIP Improving QoS of VoIP over Wireless Networks over Wireless Networks

Improving QoS of VoIP Improving QoS of VoIP over Wireless Networks over Wireless Networks

Improving QoS of VoIP Improving QoS of VoIP over Wireless Networks over Wireless Networks (IQ-VW) (IQ-VW) Mona Habib &amp; Nirmala Bulusu Mona Habib &amp; Nirmala Bulusu CS522 12/09/2002 1 Agenda Agenda Voice over IP (VoIP): Why?

266 views • 26 slides
B REAKING THE M YTHS Satellite: Breaking the Myths - VoIP Y

B REAKING THE M YTHS Satellite: Breaking the Myths - VoIP Y

B REAKING THE M YTHS Satellite: Breaking the Myths - VoIP Y ES V O IP WORKS What is the #1 reason people tell you VoIP will not work over

461 views • 12 slides
Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks Adam White, Austin

Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks Adam White, Austin

Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks Adam White, Austin Matthews, Kevin Snow, and Fabian Monrose Presented By Corly Leung Introduction - Google Hangout, Skype, FaceTime - Encrypting VoIP Packets -

480 views • 14 slides
INTRODUCTION TO TELEPHONY &amp; VOIP Advanced Internet Services (COMS 6181 Spring 2015)

INTRODUCTION TO TELEPHONY &amp; VOIP Advanced Internet Services (COMS 6181 Spring 2015)

1 INTRODUCTION TO TELEPHONY &amp; VOIP Advanced Internet Services (COMS 6181 Spring 2015) Henning Schulzrinne Columbia University 2 Overview The Public Switched Telephone System (PSTN) VoIP as black phone replacement

810 views • 37 slides

More recommend