SEARCH
TOOLBOX
LANGUAGES
Training 2

Training 2

From BruCON 2010

Jump to: navigation, search


Training - A crashcourse in pentesting VOIP networks

Instructors

Sandro Gauci is the owner and Founder of EnableSecurity (www.enablesecurity.com) where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. His passion is vulnerability research and has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.

Joffrey CZARNY , working for Devoteam Security Business Unit (FR). Since 2001, Joffrey is a pentester, he has released advisories on VoIP Cisco products and spoken at various security-focused conferences (Wireless Conference at Infosec Paris and Wireless Workshop at Hack.lu 2005, VoIP at Hack.lu 2007/2008 and ITunderground 2008/2009). On his site, www.insomnihack.net, he maintains the Elsenot project ("http://insomnihack.net/elsenot/") and posts video tutorials and tools on several security aspects.

Description:

As VoIP networks become more and more part of the way organizations communicate, security professionals need to understand their strengths and weaknesses. This knowledge will help them make sound decisions on the security (or lack of) of their VoIP system and network.

Attendees who follow the VoIP security training will gain valuable hands-on experience in testing VoIP equipment and networks. During the training they will make use of existent security tools as well as custom built tools to help them get the job done.

Course outline:

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit vulnerabilities present in the applications and suggest appropriate defense strategies.

Module 1: Introduction to VoIP technology, security threats and solutions

  1. Introduce the protocols
  2. Mitigation technologies
  3. How confidentiality / integrity / availability applies to VoIP
    1. fraud
    2. spying on phone calls
    3. modification of phone data
    4. denial of service

Module 2: Attacking signaling protocols

  1. SIP
    1. introduction to the protocol
    2. scanning for SIP
    3. attacking SIP
    4. exercises include:
      1. sniffing SIP
      2. scanning SIP
      3. SIP extension enumeration and online password cracking
      4. Avoiding toll / fraudulent calls
      5. INVITE floods
      6. Fuzzing SIP
      7. Using John the ripper to crack SIP passwords
  2. IAX2
    1. introduction to the protocol
    2. scanning for IAX2
    3. attacks on IAX2
    4. exercises include:
      1. online and offline password cracking
      2. scanning IAX2
  3. SCCP
    1. introduction to the protocol
    2. scanning for Cisco PBX / SCCP
    3. Attacks on SCCP
    4. exercises include:
      1. MiTM attacks using SCCP proxy
      2. Capture FAC code
      3. Callmanager hijack
  4. MGCP
    1. introduction to the protocol
    2. scanning for MGCP
    3. attacks on MGCP
    4. exercises include:
      1. Call fraud
      2. DoS on MGCP
      3. RTP redirection
  5. H.323
    1. introduction to the protocol
      1. H.225
      2. H.245
    2. scanning for H323
    3. attacks on H323
      1. Frames Injection
      2. DoS on H323

Module 3: Attacking the media

  1. Wiretapping
    1. Understanding the basics, ARP poisoning and other MiTM attacks
    2. exercises include using various tools, including Wireshark, for tapping VoIP calls
  2. RTP stream modification
    1. how it works
  3. Convert channels
    1. how it works, concepts and reality

Module 4: Attacking Unified Communications

  1. Trixbox / Elastix vulnerabilities
    1. default passwords are common
    2. TFTP abuse
    3. Spying on phone calls using your phone
    4. Privilege escalation
    5. Exercises include:
      1. spying on phone calls
      2. abusing Trixbox features
      3. exploitation of weak permissions
  2. Asterisk
    1. Dialplan injection
    2. Setting up a backdoor
  3. Hardware information gathering
    1. physical bridging
    2. passive ethernet tap
    3. bypassing lock / restrictions on the phone
    4. exercises include:
      1. hardware for tapping
      2. hardware phone abuse
  4. Cisco Unified Communications vulnerabilities
    1. Extension mobility abuse
    2. Webdialer
    3. CCMuser SQL injection
    4. Billing system
    5. Jailbreaking CUCM
    6. Exercises include:
    7. Jailbreaking CUCM
    8. Webdialer abuse

Prerequisites

  • Attendees should be comfortable with both windows and linux command prompt
  • Basic knowledge of TCP/IP
  • Basic knowledge of scripting language like python or perl/ruby
  • Enthusiasm for VOIP security

What to bring

  • Notebook with 10 GB free and:
    • capable of booting from CDROM or USB
    • VMWare or Virtualbox installed
    • Admin rights

Location & Date

This course will be given on 22 & 23 September in Belgacom University (BCU), Carlistraat 2, B-1140 Evere. (Google Maps Link)

The course starts at 9h00 and ends at 17h00.

Registration

The price is 895 € early bird (+ VAT) per attendee. After 1st of July this will become 995 €.

Retrieved from "http://2010.brucon.org/index.php/Training_2"