
VoIP Security Analysis


Adopting new technologies such as VoIP, whether in a small, medium or large company, is not only about the benefit of lower costs; it also increases risk exposure, which can show up as large bills for (national or international) calls made by people outside the company.

The following report presents the results of the analysis of the captured traffic. Unfortunately we could not perform an analysis of the server itself, because it was never compromised (we only changed the default password), but we learned something important: by applying IT security practices we can reduce the probability of the risk materializing by up to 50%.

Hiramcoop

March 30, 2016



Transcript

  1. About

    Developed by / Reviewed by: Hiram A. Camarillo (Seekurity, @hiramcoop), Leon A. Ramos (Tienda IP, @fulvous), Mohamed A. Baset (Seekurity, @SymbianSyMoh)

    Seekurity is an information security consulting firm specialized in penetration testing (web, mobile and desktop), vulnerability assessments, security research, malware analysis and more! We deliver a detailed, comprehensive and customizable report at the end of each security engagement. Visit us! www.seekurity.com

    TiendaIP.mx is an online store focused on VoIP and infrastructure technology for Latam companies. We offer a wide range of brands and solutions tailored to your requirements, with 10 years of experience and success stories in implementing IT projects at your service. Visit us! tiendaip.mx

    This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/
  2. Dear reader

    One of the most common ways to communicate immediately with others, when text or written messages are not enough, is a phone call: simply pick up the phone and dial the number you want to call. The Internet has given way to an endless range of technologies that offer huge advantages over conventional tools, VoIP among them. This technology offers advantages such as lower call costs compared with conventional telephony. To make a call you only need a working Internet connection through which the VoIP server can be reached. This means the server has to be connected to the Internet all the time, waiting for a request to make or receive calls. This is how it works! Which made us wonder: how safe is it to use VoIP? Can we live in peace, or should we worry about receiving a huge bill for calls we never made?

    We decided to conduct a little experiment to see how exposed we are, so we installed a VoIP server with Internet access and left it alone, without protection, in the Internet jungle for a few days to see what would happen. Simple, nothing striking; we never threw fireworks so that anyone would know it was there, and this is what we found... Does anyone still believe they will never be hacked?
  3. Summary

    1st attack received: 1 hour 39 min after connecting the server to the Internet
    Scans received searching for VoIP services
    Brute force attacks from 8 different IPs from 3 countries
    Each IP conducted attacks daily, but in short periods of time
    160 IPs registered from more than 10 different countries, across all stages of the attacks

    The use of technologies such as VoIP has many advantages, which makes this technology popular. First and most important is the cost of calls compared with conventional telephony; then free calls (not completely free) within the company's internal network, calls across different devices, call forwarding, centralized administration and other features. But every technology has its own security risks, such as surveillance, compromised devices, unauthorized calls, call monitoring, call forwarding, interception of calls, remote activation of device microphones to listen to everything around the equipment, uploading malicious firmware, denial of service attacks, among other potential attacks. Many of these activities are made possible by weak passwords or default settings/configurations.

    According to the report "VoIP Services Market (Corporate Consumers and Individual Consumers) - Global Industry Analysis, Size, Share, Growth, Trends and Forecast, 2014 - 2020" [10], the VoIP services market will generate revenue worth US$136.76 billion. Subscribers will increase from 169.6 million to 348.5 million by 2020, which will represent an increase of 9.7% in revenues (2014-2020). With the increased use of VoIP services, the number of threats, hacking techniques and tools aimed at these services increases considerably.

    In general we can identify three main layers forming part of a VoIP service: the PBX first, the network second and finally the VoIP devices. We must be concerned about all 3 layers, because each can be vulnerable to attacks that lead to the risks mentioned above.

    This analysis focuses on the captured network activity, because the server was never compromised, but the recommendations cover the network, infrastructure and services. So, what did we find? Which will be the target: PBX, network or device?
  4. Just a little brief technical introduction: VoIP basics

    The process of making a call, picking up the phone and dialing the called number, is apparently the same as in conventional telephony, but the internal process differs.

    "Once the called party answers, voice must be transmitted by converting the voice into digitized form, then segmenting the voice signal into a stream of packets. The first step in this process is converting analog voice signals to digital, using an analog-digital converter. Since digitized voice requires a large number of bits, a compression algorithm can be used to reduce the volume of data to be transmitted. Next, the voice samples are inserted into data packets to be carried on the Internet. The protocol for the voice packets is typically the Real-time Transport Protocol; RTP packets have special header fields that hold data needed to correctly reassemble the packets into a voice signal on the other end. But voice packets will be carried as payload by UDP protocols that are also used for ordinary data transmission. In other words, the RTP packets are carried as data by the UDP datagrams, which can then be processed by ordinary network nodes throughout the Internet. At the other end, the process is reversed: the packets are disassembled and put into the proper order, digitized voice data extracted from the packets and uncompressed, then the digitized voice is processed by a digital-to-analog converter to render it into analog signals for the called party's handset speaker." (Special Publication 800-58, Security Considerations for Voice Over IP Systems)

    Fig. 1. VoIP responses: ladder diagram between Alice, Asterisk and Bob showing the INVITE, OK and ACK messages, the conversation, and the BYE and final OK, each relayed through Asterisk.

    1. Alice sends an INVITE request to Bob.
    2. Asterisk resolves the IP address for Bob.
    3. Bob responds with an OK to establish the communication.
    4. Alice sends an ACK and the communication between Alice and Bob is established.
    5. After the call is finished, Alice sends a BYE request.
  5. Just a little brief technical introduction: definitions

    We recommend reading the following topics to understand how the protocol, sessions and VoIP technology work, and the type, functionality and purpose of each tool.

    VoIP (Voice over IP). From Wikipedia, the free encyclopedia: Voice over IP (VoIP) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. Other terms commonly associated with VoIP are IP telephony, Internet telephony, broadband telephony, and broadband phone service.

    Asterisk (PBX). From Wikipedia, the free encyclopedia: Asterisk is a software implementation of a telephone private branch exchange (PBX); it allows attached telephones to make calls to one another, and to connect to other telephone services, such as the public switched telephone network (PSTN) and Voice over Internet Protocol (VoIP) services. Its name comes from the asterisk symbol. Asterisk is released with a dual license model, using the GNU General Public License (GPL) as a free software license and a proprietary software license to permit licensees to distribute proprietary, unpublished system components.

    SIPVicious. Reference: GitHub. The SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems.

    SipCLI. Reference: SipCLI is a command line SIP (Session Initiation Protocol) user agent that runs under Windows (XP, Vista, 7/8, 2003/2008/2012 Server) and enables making SIP (RFC 3261) based calls. You can use SipCLI to test phone numbers (penetration test of a SIP network). You can set the source IP interface, SIP port, SIP proxy/port, SIP username and password.

    Session Initiation Protocol. Reference: The Session Initiation Protocol (SIP) is a communications protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are in Internet telephony for voice and video calls, as well as instant messaging, over Internet Protocol (IP) networks.

    Digest access authentication. From Wikipedia, the free encyclopedia: Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of encryption, making it non-secure unless used in conjunction with SSL. Technically, digest authentication is an application of MD5 cryptographic hashing with usage of nonce values to prevent replay attacks. It uses the HTTP protocol.
  6. Traffic analysis with Wireshark

    The first thing we need to know is: did someone break into our system? If so, how bad is it? We opened our "pcap" file with Wireshark and, in frame no. 10047, identified a request using the SIP protocol.

    1) Frame number 10047 contains a request with the OPTIONS method. A SIP OPTIONS request is usually used just to see what response comes back, here using 100 as the extension (before the @). This request is part of the reconnaissance stage: attackers are trying to identify whether there is equipment and ports running VoIP services. (Fig. 2)
    2) Inside the request we can identify what type of tool or device is making the request: "User-Agent: friendly-scanner". This User-Agent tells us that the tool used for scanning is SIPVicious. (Fig. 2: our server replied to the request. Here we are!)

    1) This time it isn't an OPTIONS request. This request uses the INVITE method, which is used to initiate a session dialog (a phone call). (Fig. 3)
    2) INVITE sip:01253XXXXXXX: this number may be a real phone number; after searching the country codes database we found that the Republic of Djibouti has this dial code. From the From field we can identify that extension 100 was used to place the call.
    3) We also notice that the User-Agent changed in this request: User-Agent: sipcli/v1.8
    4) Following the UDP stream shows 1 INVITE request followed by 11 responses of SIP/2.0 401 Unauthorized.
    5) By analyzing the data with Wireshark it is possible to see the call flow or even to play the call. (Fig. 3)
  7. Traffic analysis with Wireshark: understanding responses and Digest Access Authentication

    6) The Wireshark results show the attempt to establish a call and its rejection by the server, generating a 401 error. The response means: user authentication required. This tells us that the attackers were performing a brute force attack, trying to guess a user/password pair in order to establish the call. (Fig. 4)
    7) Other responses: 403 Forbidden, when the server blocks the client. The server understood the request but is refusing to fulfill it; authorization will not help and the request SHOULD NOT be repeated. (Fig. 5)
    8) The traffic contains parameters such as user/response (the "response" parameter carries the password). It is not possible to read the password directly, because it is sent neither in plaintext nor encrypted: it is transformed into an MD5 hash, and not the simple MD5 we know.
    9) The authentication process uses the Digest Access Authentication method, which generates the value "response". (Fig. 6)
    10) Now that we know how the MD5 is generated, let's use SIPdump to see the passwords.
    11) The next line executes SIPdump over "eth0.pcap" and saves the results in the "logs.dump" file:

        sipdump -p eth0.pcap logs.dump
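    The stages described in slides 6 and 7 (OPTIONS probe with a scanner User-Agent, INVITE attempts carrying a digest credential, 401 Unauthorized replies) can be picked out of a capture automatically. The following is an added example, not code from the deck: a minimal SIP message parser and a triage routine run over a constructed sample "capture" (documentation-range addresses, a placeholder dialed number, a dummy digest response). A real deployment would feed it the decoded SIP payloads of the pcap; the brute-force threshold is my own heuristic.

```python
"""Triage of captured SIP traffic: scans (OPTIONS), call attempts (INVITE) and 401 replies."""
import re
from collections import Counter

SERVER = "192.0.2.5"                              # stands in for the Asterisk PBX (constructed)
SCANNER, BRUTE = "203.0.113.10", "198.51.100.7"   # constructed attacker addresses
DUMMY_RESPONSE = "0" * 32                         # placeholder for a captured digest response


def sip_request(method, uri, user_agent, from_user="100", call_id="c1", authorization=None):
    """Build a minimal SIP request; helper for the constructed sample, not a real client."""
    headers = [f"{method} {uri} SIP/2.0",
               "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-x",
               f"From: <sip:{from_user}@{SERVER}>;tag=t1", f"To: <{uri}>",
               f"Call-ID: {call_id}", f"User-Agent: {user_agent}"]
    if authorization:
        headers.append(f"Authorization: {authorization}")
    return "\r\n".join(headers) + "\r\n\r\n"


def sip_response(status, reason, call_id="c1"):
    """Build a minimal SIP response as the PBX would send it (constructed)."""
    return (f"SIP/2.0 {status} {reason}\r\nVia: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-x\r\n"
            f"Call-ID: {call_id}\r\nServer: Asterisk PBX\r\n\r\n")


# Constructed digest credential for user 1000 dialing a placeholder number.
DIGEST = ('Digest username="1000", realm="asterisk", nonce="0123abcd", '
          f'uri="sip:0000000000@{SERVER}", response="{DUMMY_RESPONSE}", algorithm=MD5')

SAMPLE_CAPTURE = [   # (src, dst, raw message), in capture order
    (SCANNER, SERVER, sip_request("OPTIONS", f"sip:100@{SERVER}", "friendly-scanner", call_id="s1")),
    (SERVER, SCANNER, sip_response(200, "OK", call_id="s1")),
]
for n in range(3):   # three INVITE attempts from extension 100, each answered with 401
    SAMPLE_CAPTURE.append((BRUTE, SERVER, sip_request(
        "INVITE", f"sip:0000000000@{SERVER}", "sipcli/v1.8", call_id=f"i{n}",
        authorization=DIGEST if n else None)))
    SAMPLE_CAPTURE.append((SERVER, BRUTE, sip_response(401, "Unauthorized", call_id=f"i{n}")))

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
DIGEST_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_sip(raw):
    """Parse one SIP message: start line, headers (lower-cased names) and digest parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    first, *rest = head.split("\r\n")
    msg = {"headers": {}, "body": body}
    if (m := REQUEST_LINE.match(first)):
        msg.update(type="request", method=m.group(1), uri=m.group(2))
    elif (m := STATUS_LINE.match(first)):
        msg.update(type="response", status=int(m.group(1)), reason=m.group(2))
    else:
        raise ValueError(f"not a SIP start line: {first!r}")
    for line in rest:
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    auth = msg["headers"].get("authorization", "")
    if auth.startswith("Digest "):
        msg["digest"] = {k: q or u for k, q, u in DIGEST_PARAM.findall(auth[len("Digest "):])}
    return msg


def user_part(uri):
    """Extension or number before the @ in a SIP URI (sip:100@host -> 100)."""
    return uri.split(":", 1)[-1].split("@", 1)[0]


def triage(capture, server_ip):
    """Count, per peer, the reconnaissance probes, call attempts and 401 rejections."""
    s = {"options_scans": Counter(), "invite_attempts": Counter(), "unauthorized_by_peer": Counter(),
         "user_agents": Counter(), "dialed_numbers": Counter(), "from_extensions": Counter(),
         "digest_users": set()}
    for src, dst, raw in capture:
        msg = parse_sip(raw)
        if src == server_ip:                       # our PBX answering: note who was told 401
            if msg["type"] == "response" and msg["status"] == 401:
                s["unauthorized_by_peer"][dst] += 1
            continue
        s["user_agents"][msg["headers"].get("user-agent", "<none>")] += 1
        if msg["type"] != "request":
            continue
        if msg["method"] == "OPTIONS":             # reconnaissance probe (SIPVicious sends these)
            s["options_scans"][src] += 1
        elif msg["method"] == "INVITE":            # call attempt: who dialed what, as which user
            s["invite_attempts"][src] += 1
            s["dialed_numbers"][user_part(msg["uri"])] += 1
            if (frm := re.search(r"sip:([^@>;]+)", msg["headers"].get("from", ""))):
                s["from_extensions"][frm.group(1)] += 1
            if "digest" in msg:
                s["digest_users"].add(msg["digest"].get("username"))
    return s


def brute_force_sources(summary, threshold=3):
    """Peers that collected at least `threshold` 401 replies (my heuristic, not the deck's)."""
    return sorted(ip for ip, n in summary["unauthorized_by_peer"].items() if n >= threshold)
```

    Running `triage(SAMPLE_CAPTURE, SERVER)` reports one OPTIONS probe from the scanner, three INVITEs from the second address all rejected with 401, the two User-Agents seen, and the username "1000" taken from the Authorization header, which is the same picture the deck reads off Wireshark by hand.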
  8. Traffic analysis with SIPcrack: using SIPdump and SIPcrack

    12) The SIPdump analysis shows whether the traffic contains login attempts. The result produced 14,402 attempts. The "logs.dump" file contains columns: source IP, destination IP, user, type of request, request body, data type of the password field, password, among others. This file contains sufficient information to regenerate the MD5 with the greatest possible accuracy. (Fig. 7a, Fig. 7b)
    13) Now it is SIPcrack's turn. This time we use a password dictionary together with "logs.dump". SIPcrack transforms each word of our dictionary into a "response" and compares it with the captured "response" to see whether an equal record exists:

        sipcrack -w home/pass.txt logs.dump

    14) We get the first result. The user is "1000" and the password is "1234". But SIPcrack has a BIG disadvantage: it requires user interaction per execution, asking for the number of the record to crack. (Fig. 8)
  9. Traffic analysis with SIPcrack: using SIPdump and SIPcrack

    15) "logs.dump" contains 14,402 records, and SIPcrack can only analyze one record per execution, as we have already seen. To analyze them all, we automated it with a script that feeds each record number to SIPcrack's interactive prompt:

        #!/bin/bash
        # Run SIPcrack once per record, answering its "select record" prompt with the record number.
        # Records are numbered 1 to 14402, so the loop is inclusive of the last one.
        i=1
        while [ "$i" -le 14402 ]; do
          echo "$i" | sipcrack -w home/pass.txt logs.dump
          i=$((i + 1))
        done

    16) Passwords obtained by SIPcrack appear in plain text, with the word PLAIN in the column before the password column. Passwords that were not recovered still appear as "MD5". (Fig. 9 - 7,276 passwords obtained)
    17) The next step is to identify the countries of the attack source IPs. The following map shows the countries with the most IPs that generated attacks.
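    Slides 7 to 9 rely on how the digest "response" is built and on why a dictionary check against it works for weak passwords. The following added example (not the deck's code and not SIPcrack's) spells that out in Python: it computes the RFC 2617 MD5 digest as SIP uses it, verifies a credential the way the PBX does, and runs the per-record dictionary check SIPcrack performs. The "captured record" stands in for one logs.dump line and is constructed here, as are the wordlist, realm and nonce; the weak password "1234" for user "1000" mirrors the deck's first result.

```python
"""SIP digest 'response' (RFC 2617 MD5, no qop, as used by RFC 3261) and a wordlist check over a record."""
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def sip_digest_response(username, realm, password, method, uri, nonce):
    """response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def make_captured_record(password, src="198.51.100.7", dst="192.0.2.5", username="1000",
                         realm="asterisk", method="INVITE", uri="sip:0000000000@192.0.2.5",
                         nonce="5e3f8a1b"):
    """Constructed stand-in for one logs.dump line: everything sipdump writes except the cleartext.
    The client is assumed to have used `password`; only the resulting response is in the record."""
    return {"src": src, "dst": dst, "username": username, "realm": realm, "method": method,
            "uri": uri, "nonce": nonce,
            "response": sip_digest_response(username, realm, password, method, uri, nonce)}


def verify_credential(record, password):
    """What the PBX does: recompute the response for its stored password and compare (constant time)."""
    expected = sip_digest_response(record["username"], record["realm"], password,
                                   record["method"], record["uri"], record["nonce"])
    return hmac.compare_digest(expected, record["response"])


def wordlist_check(record, wordlist):
    """What SIPcrack does per record: try each candidate until the recomputed response matches."""
    for candidate in wordlist:
        if verify_credential(record, candidate):
            return candidate
    return None


WORDLIST = ["password", "123456", "1234", "admin", "1000"]   # constructed stand-in for home/pass.txt
```

    The point the deck makes in step 8 falls out of the code: the captured response is not md5("1234") but a hash over user, realm, password, method, URI and nonce, so it cannot be looked up directly; yet because every one of those inputs except the password is in the capture, a weak password is recovered by trying candidates, while a long random one is not. The nonce only prevents replaying the response, not guessing the password behind it.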
  10. Calling a frequently called number in the attack traces

    When analyzing the traces we noticed a frequently called number, so we decided to call that number directly from a landline connected to the PSTN (Public Switched Telephone Network).

    18) The call progressed as follows:
      a) Ringing tone generated by the local carrier. Normally expected, same as dialing a local number.
      b) Call answered.
      c) 1 or 2 seconds pause.
      d) Ringing tone (a little different from the first one) generated by the callee.
      e) Fast busy tone generated by the callee.
    19) This behaviour makes us think that the callee is running a softswitch system waiting for calls. When an incoming call is detected it is matched to a recent attack. This way the attacker can gather the following information:
      a) Validation of attack effectiveness: be sure that the remote system was effectively compromised.
      b) Caller ID and trunk information: if calls are placed correctly, the attacker receives the caller ID. This can give him geographical information (IP + Caller ID).
  11. Now... what about our security? Here we have some recommendations

    Servers
      a) Implement Fail2Ban.
      b) Implement a Session Border Controller.
      c) Change default ports.
      d) Install security patches and make sure they are applied.
      e) Use strong passwords for server administration.

    Devices
      a) Harden all the configurations.
      b) Operate phones only on segmented networks whenever possible, for example via a VLAN.
      c) Install new firmware for devices on a regular basis, but beware in case upgrades revert the devices to insecure "default" settings.
      d) Encryption (individual endpoints).

    Users
      a) Use strong passwords and store them in a trusted password manager.

    Network
      a) Block traffic by country.
      b) Block by User-Agent.
      c) Use TLS to protect the signaling.
      d) Use SRTP instead of RTP.
      e) Use virtual private network (VPN) tunnels to connect a remote phone to the corporate office phone system.
      f) Restrict access to all device APIs, "even if they're only used internally".

    But what could happen if we are worried about performance, QoS, privacy, bandwidth or problems with our infrastructure?...
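    Two of the recommendations above, Fail2Ban on the server and blocking by User-Agent on the network, come down to one decision rule: ban a source after N authentication failures inside a time window, and ban known scanner agents on sight. The following is an added example of that rule, not the deck's configuration and not Fail2Ban's own code; the parameter names maxretry, findtime and bantime are borrowed from Fail2Ban's jail options, and the event stream, thresholds and addresses are constructed. The 14,402 attempts in the deck would have been cut off at the third.

```python
"""Fail2Ban-style ban decisions for SIP authentication failures and scanner User-Agents."""
from collections import defaultdict, deque


class SipFailureMonitor:
    """Sliding-window failure counter per source IP plus a User-Agent deny list."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600, denied_agents=("friendly-scanner",)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.denied_agents = {a.lower() for a in denied_agents}
        self.failures = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
        self.bans = {}                       # ip -> timestamp at which the ban expires

    def is_banned(self, ip, now):
        """True while a ban is active; expired bans are dropped on the way."""
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]
            return False
        return True

    def observe(self, now, ip, user_agent=None, status=None):
        """Feed one event (time, source, User-Agent, SIP status our PBX returned).
        Returns the ban reason if this event triggers a ban, otherwise None."""
        if self.is_banned(ip, now):
            return None
        if user_agent and user_agent.lower() in self.denied_agents:
            return self._ban(ip, now, f"denied user-agent {user_agent!r}")
        if status in (401, 403):
            window = self.failures[ip]
            window.append(now)
            while window and now - window[0] > self.findtime:   # forget failures older than findtime
                window.popleft()
            if len(window) >= self.maxretry:
                return self._ban(ip, now, f"{len(window)} auth failures within {self.findtime}s")
        return None

    def _ban(self, ip, now, reason):
        self.bans[ip] = now + self.bantime
        self.failures.pop(ip, None)
        return reason


def run(events, monitor):
    """Replay events through the monitor; returns the (time, ip, reason) ban actions taken."""
    actions = []
    for ts, ip, ua, status in events:
        reason = monitor.observe(ts, ip, ua, status)
        if reason:
            actions.append((ts, ip, reason))
    return actions


SAMPLE_EVENTS = [   # constructed: (seconds, source IP, User-Agent, status our PBX returned or None)
    (0, "198.51.100.7", "sipcli/v1.8", 401),
    (10, "198.51.100.7", "sipcli/v1.8", 401),
    (20, "198.51.100.7", "sipcli/v1.8", 401),        # third failure inside findtime -> ban
    (30, "198.51.100.7", "sipcli/v1.8", 401),        # already banned, ignored
    (50, "203.0.113.10", "friendly-scanner", None),  # SIPVicious OPTIONS probe -> ban on User-Agent
    (100, "192.0.2.77", "Zoiper", 401),              # a legitimate user mistyping, spread out in time
    (900, "192.0.2.77", "Zoiper", 401),
    (1700, "192.0.2.77", "Zoiper", 401),
]

if __name__ == "__main__":
    for action in run(SAMPLE_EVENTS, SipFailureMonitor()):
        print(action)
```

    The window is what keeps the rule from punishing a real user who mistypes a password three times over half an hour, while the daily short bursts the summary describes hit maxretry within seconds. In production the action would be a firewall rule with the same bantime rather than an in-memory set.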
  12. Security recommendations vs benefits

    Matrix relating each recommendation to the properties it affects (the cell markings are not preserved in this transcript).

    Properties (columns): Performance, Quality of Service, Latency, Delay, Availability, Confidentiality, Privacy, Packet loss, Bandwidth congestion.

    Recommendations (rows): Encryption (individual endpoints); Encryption (communication infrastructure); Separate voice and data traffic; Strong authentication; ACL; Change default protocols; Session Border Controllers; IPsec or Secure Shell (SSH) for all remote management; Fail2Ban; Hardening all the configurations; Operate phones only on segmented networks; Use SRTP instead of RTP.

    Please, before considering this evaluation, be aware of your own assets.
  13. Appendix

    1. http://kb.smartvox.co.uk/asterisk/secure-asterisk-pbx-part-1/
    2. http://tools.kali.org/sniffingspoofing/sipvicious
    3. https://en.wikipedia.org/wiki/Digest_access_authentication
    4. https://en.wikipedia.org/wiki/Voice_over_IP
    5. http://hotfixed.net/analisis-voip-en-asterisk-con-wireshark/
    6. http://telefonia.blog.tartanga.net/2014/04/25/voz-sobre-ip-fundamentos-de-la-senalizacion-mediante-el-protocolo-sip
    7. http://www.backtrack-linux.org/wiki/index.php/Pentesting_VOIP#SIP_Requests_.2F_Methods
    8. https://paul.reviews/pwnphone-default-passwords-allow-covert-surveillance/
    9. http://www.businesswire.com/news/home/20150115005322/en/Global-VoIP-Services-Market-Worth-US136.76-Billion
    10. http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
    11. http://www.databreachtoday.com/voip-phones-eavesdropping-alert-a-8869?rf=2016-02-16-edbt&mkt_tok=3RkMMJWWfF9wsRonuKrMcu%2FhmjTEU5z17OovWaWwlMI%2F0ER3fOvrPUfGjI4ATsVnN6%2BTFAwTG5toziV8R7DALc16wtwQWRLl