TOOLS FOR OFFENSIVE RTC SECURITY Introducing SIPVicious PRO and the demo server Sandro Gauci, 2021-04-30

INTRODUCTION

WHO AM I? Developed SIPVicious OSS Leading Enable Security: Offensive RTC security Security research / penetration testing Consultancy and training We develop SIPVicious PRO

CONTRIBUTE TO OPEN SOURCE RTC SECURITY? Yes we do! Security research and advisories Open-source tools, especially SIPVicious OSS (being updated) Our blog - Communication Breakdown at OpenSIPIt’01 https://rtcsec.com https://opensipit.org/

PREVIOUSLY AT A DIFFERENT TAD SUMMIT Why I think defensive security on its own is not enough The value of an offensive approach towards RTC security Why I think that RTC security lacks this approach: lack of training opportunities lack of robust testing tools

AGENDA: WHAT THIS ONE IS ABOUT A brief look at the RTC offensive security landscape SIPVicious OSS SIPVicious PRO The demo server as your playground Demos and walk-throughs Future plans

OFFENSIVE RTC SECURITY TOOLS LANDSCAPE

THE AWESOME RTC HACKING LIST https://github.com/EnableSecurity/awesome-rtc- hacking

A LITTLE ABOUT SIPVICIOUS OSS open-source, published back in 2007 python-based 3 main tools: svmap which is a scanner for SIP svwar which enumerates extensions on SIP devices svcrack that tries to guess passwords for SIP extensions

SIPVICIOUS OSS DEMO!

FAST FORWARD TO THE FUTURE (2021) the future is here

Credit: https://unsplash.com/@agk42

SIPVICIOUS PRO: AN INTRODUCTION shares the same name as SVOSS complete new code covers the entire RTC space not just SIP aims to be the most powerful offensive RTC security toolset

SIPVICIOUS PRO DEMO!

SIPVICIOUS PRO: FEATURE-SET Various new attacks supported e.g.: SIP ood RTP ood Digest leak RTP Bleed RTP inject Fuzzing Support for SIP over different transport protocols TCP, UDP, TLS and WebSockets

SIPVICIOUS PRO: FEATURE-SET Integration within QA , including CI/CD pipelines SIP messages may be easily modi ed using a exible Support for RTP attacks Insane speed, especially useful for ood attacks with rate limiting capabilities Compliance to RFCs automation systems templating system

TRAINING OPPORTUNITIES WITH THE DEMO SERVER

WHY? needed a place to show SIPVicious PRO reliable/deterministic response to attacks

WHAT IS IT?

diagram

VULNERABLE TO … EVERYTHING THAT CAN BE TESTED WITH SIPVICIOUS PRO (and more) SIP Digest Leak SIP extension enumeration SIP password cracking RTP Bleed RTP Inject RTP Flood TURN proxy abuse

TALK TO ME ABOUT PROTOCOLS SIP on TCP/TLS/UDP/WebSocket RTP/SRTP SDES and DTLS TURN server WebRTC interface

DEMO SERVER .. DEMO TIME! https://demo.sipvicious.pro/call/

FUTURE PLANS SIPVicious PRO covering RTC in general, e.g. adding coverage of: XMPP STUN/TURN Custom signalling protocols Keep supporting SIPVicious OSS Demo server should be open-sourced (put some pressure on us)

THANKS! Alfred Farrugia for developing most of SIPVicious PRO and the very cool web interface for calling over WebRTC Pinaki for helping keep SIPVicious OSS alive and kicking The TAD audience and Alan for inviting me to talk about security stuff :)

SOME WAYS TO GET IN TOUCH Subscribe to our blog at Enable Security: https://www.rtcsec.com [email protected] https://enablesecurity.com/#contact-us