Slide 1

Slide 1 text

TOOLS FOR OFFENSIVE RTC SECURITY Introducing SIPVicious PRO and the demo server Sandro Gauci, 2021-04-30

Slide 2

Slide 2 text

INTRODUCTION

Slide 3

Slide 3 text

WHO AM I? Developed SIPVicious OSS Leading Enable Security: Offensive RTC security Security research / penetration testing Consultancy and training We develop SIPVicious PRO

Slide 4

Slide 4 text

CONTRIBUTE TO OPEN SOURCE RTC SECURITY? Yes we do! Security research and advisories Open-source tools, especially SIPVicious OSS (being updated) Our blog - Communication Breakdown at OpenSIPIt’01 https://rtcsec.com https://opensipit.org/

Slide 5

Slide 5 text

PREVIOUSLY AT A DIFFERENT TAD SUMMIT Why I think defensive security on its own is not enough The value of an offensive approach towards RTC security Why I think that RTC security lacks this approach: lack of training opportunities lack of robust testing tools

Slide 6

Slide 6 text

AGENDA: WHAT THIS ONE IS ABOUT A brief look at the RTC offensive security landscape SIPVicious OSS SIPVicious PRO The demo server as your playground Demos and walk-throughs Future plans

Slide 7

Slide 7 text

OFFENSIVE RTC SECURITY TOOLS LANDSCAPE

Slide 8

Slide 8 text

THE AWESOME RTC HACKING LIST https://github.com/EnableSecurity/awesome-rtc-hacking

Slide 9

Slide 9 text

A LITTLE ABOUT SIPVICIOUS OSS open-source, published back in 2007 python-based 3 main tools: svmap which is a scanner for SIP svwar which enumerates extensions on SIP devices svcrack that tries to guess passwords for SIP extensions

Slide 10

Slide 10 text

SIPVICIOUS OSS DEMO!

Slide 11

Slide 11 text

FAST FORWARD TO THE FUTURE (2021) the future is here

Slide 12

Slide 12 text

Credit: https://unsplash.com/@agk42

Slide 13

Slide 13 text

SIPVICIOUS PRO: AN INTRODUCTION shares the same name as SVOSS complete new code covers the entire RTC space not just SIP aims to be the most powerful offensive RTC security toolset

Slide 14

Slide 14 text

SIPVICIOUS PRO DEMO!

Slide 15

Slide 15 text

SIPVICIOUS PRO: FEATURE-SET Various new attacks supported e.g.: SIP flood RTP flood Digest leak RTP Bleed RTP inject Fuzzing Support for SIP over different transport protocols TCP, UDP, TLS and WebSockets

Slide 16

Slide 16 text

SIPVICIOUS PRO: FEATURE-SET Integration within QA automation systems, including CI/CD pipelines SIP messages may be easily modified using a flexible templating system Support for RTP attacks Insane speed, especially useful for flood attacks with rate limiting capabilities Compliance to RFCs

Slide 17

Slide 17 text

TRAINING OPPORTUNITIES WITH THE DEMO SERVER

Slide 18

Slide 18 text

WHY? needed a place to show SIPVicious PRO reliable/deterministic response to attacks

Slide 19

Slide 19 text

WHAT IS IT?

Slide 20

Slide 20 text

diagram

Slide 21

Slide 21 text

VULNERABLE TO … EVERYTHING THAT CAN BE TESTED WITH SIPVICIOUS PRO (and more) SIP Digest Leak SIP extension enumeration SIP password cracking RTP Bleed RTP Inject RTP Flood TURN proxy abuse

Slide 22

Slide 22 text

TALK TO ME ABOUT PROTOCOLS SIP on TCP/TLS/UDP/WebSocket RTP/SRTP SDES and DTLS TURN server WebRTC interface

Slide 23

Slide 23 text

DEMO SERVER .. DEMO TIME! https://demo.sipvicious.pro/call/

Slide 24

Slide 24 text

FUTURE PLANS SIPVicious PRO covering RTC in general, e.g. adding coverage of: XMPP STUN/TURN Custom signalling protocols Keep supporting SIPVicious OSS Demo server should be open-sourced (put some pressure on us)

Slide 25

Slide 25 text

THANKS! Alfred Farrugia for developing most of SIPVicious PRO and the very cool web interface for calling over WebRTC Pinaki for helping keep SIPVicious OSS alive and kicking The TAD audience and Alan for inviting me to talk about security stuff :)

Slide 26

Slide 26 text

SOME WAYS TO GET IN TOUCH Subscribe to our blog at Enable Security: https://www.rtcsec.com [email protected] https://enablesecurity.com/#contact-us