SlideShare una empresa de Scribd logo

How to Hack a Telecom and Stay Alive

Descargar como PPTX, PDF
Positive Hack Days
Positive Hack Days
TecnologíaEmpresariales
1 de 71
How to Hack a Telecom and Stay Alive Sergey Gordeychik Сер CTO. Positive Technologies
Ic Beo Sergey Gordeychik, Positive Technologies, CTO A “script writer” and a “director” of the Positive Hack Days forum Science editor of the SecurityLab.Ru portal Author of the Web Application Security course, and a book titled A Wireless Network Security and a namesake course A participant of WASC, RISSPA http://sgordey.blogspot.com
What Is It All About? What is so peculiar about telecoms? Attacks against subscribers/Attacks by subscribers Perimeter… Just a perimeter Partners and contractors Technology networks
What‟s So Peculiar?
Specific Features of Telecommunication Companies Large, large networks Unification of various services (broadband access, Wi-Fi, hosting, mobile communication) Great number of applications and systems on the perimeter Exotics inside and outside Lots of perimeters Most networks belong to third parties Forensics nightmare
How many perimeters do telecoms have? Internet Subscribers Partners Office Technology network
…and a bit more… Mobile communications Broadband Technological access network Wired broadband access Wireless broadband access VOIP Hosting Internet TV Hosting ...
…and a bit more… Vladivostok Moscow Roma Phnom Penh
Attack AGAINST Subscribers
Why Subscribers? Subscribers‟ $ = telecoms‟ $ DOS = - $$ - reputation - $$ PWN (100 000 PC) = Botnet Personal data!
Broadband Access Huge non-segmented networks Great number of end devices: • Various SOHO devices • Installed and unattended • Standard bugs configurations A manual on insecurity of network appliances  SNMP/Telnet/HTTP/UPnP control protocols in the Internet  Insecure/empty passwords  Web attacks on Client‟s side (Pinning, CSRF) Huge number of users • 1 out of1000, for 10 000 000 = 10 000 • Trivial passwords
Broadband Access. Attack Collecting information • Network scanning • Access layer error (BRAS) • Collecting information from internal forums and other resources • Self-service platform errors Invalid login or password vs Invalid username Preparing scenarios • Capturing devices • Guessing passwords $profit$
Well…yes, it happens
Pick a Task…
Examples of Risks Gaining access to a self-service portal • Cashout  guessing password or stealing the router cfg files (vpn/pppoe)  transferring money from a broadband access to a cell phone (integration!)  Cashing out via PRS • It drives me NUTS!!!  Guessing password or stealing the router cfg files (vpn/ppoe)  Purchasing the available  Balance =0 Performing a mass hacking of a router/PC Performing a mass changing of configurations
Attacks against Clients of Mobile Networks Faking Caller ID •self-service portal/USSD •voice mailbox •cash-out via PRS •direct money withdrawal Internet SS7 Taget GSM SIP-GW Tech FAKE ID Systems unauthorized access
Attacks against Clients of Mobile Networks Malware for mobile devices; Intercepting GSM – Not a magic – just a ROCKET SCIENCE! • attacking A5/1 • MITM, switch to A5/0 • downgrading UMTS -> GSM Traffic, SMS, one-time passwords... • Self-service portals/USSD • Cash-out via PRS • Voice mailbox
Hosting Local network for collocated/dedicated servers • Attacks of a network/data link layer, attacks against network infrastructure • ARP Spoofing, IP Spoofing… old school • Intrasegment IPv6 attacks Attack against infrastructure (DNS…) Shared hosting (once having intruded into one of the sites…)
Pentester Tips & Tricks || ||
Pentester Tips & Tricks We are only searching for vulnerabilities We use only our own resources for demonstration We avoid information protected by the law A fickle client… C: Prove it! Enter the portal! P: No, thank you. Here is a password – enter it yourself…
Attacks BY Subscribers
Why Subscribers? AGAIN? Subscribers are WITHIN one of the perimeters Many attacks are easier if performed on subscriber‟s side The number of subscribers of modern telecoms is quite large
General Problems Network access control weakness Intrasegment attacks Protection of the end equipment Web applications for subscribers
Network Access Control Errors A direct way does not always mean the most interesting one :) C:>tracert -d www.ru Tracing route to www.ru [194.87.0.50] over a maximum of 30 hops: 1 * * * Request timed out. 3 10 ms 13 ms 5 ms 192.168.5.4 4 7 ms 6 ms 5 ms 192.168.4.6
Per Aspera Ad…level 15 #sh run Using 10994 out of 155640 bytes ! version 12.3 ... ! username test1 password 7 <removed> username antipov password 7 <removed> username gordey password 7 <removed> username anisimov password 7 <removed> username petkov password 7 <removed> username mitnik password 7 <removed> username jeremiah password 7 <removed>
Network Access Control Errors GPRS/EDGE/3G, which traditionally stick to NAT Other clients are “invisible” This is not always true… GPRS: payment kiosks, ATMs, and etc., which can have: • A missing firewall; • Missing updates; • misconfigurations.
A Joke SNMP „private‟ on a GGSN
A Joke Captive portal “Your balance is low” •Linux •Apache •MySQL •PHP
Intrasegment Attacks Subscribers of broadcast access and hosting
Web Portals and Services for Subscribers A good few of resources • forums, dating sites, video convertors, online games, statistics, online shopping, photo hosting, file hosting, online radio… A good few of loopholes • Old versions of applications and CMS, SQLi, LFI and so on… Single-Sign-On or the same passwords… Are often placed into the DMZ together with “ordinary” servers
Web Portals and Servers for Subscribers Games server* Proxima CMS, path traversal + SQLi + configuration error= root About 20 more sites on the host • Online broadcasting • Branded desktop applications •…
Pentester Tips & Tricks Resources on the subscriber networks are often SUBSCRIBER‟s resources Getting approvals for every step of your work Many systems operate on a wing and a prayer They collapse all the time, but if you are online anyway… Avoiding (!) information protected by the law A fickle client…
Perimeter… Just a Perimeter
Perimeter? Large, large networks! •Use clouds Great number of “third-party” resources Get ready for rarities Corporate web applications The Lord of The Net
Great Number of Third-Party Resources Quite a large number of perimeter hosts belong to partners/subscribers Quite often these hosts are “mixed” with those of the client Yet, they should not be disregarded • Imagine that you are already a level 15/root/admin on the host and you just entered the segment
Great Number of Third-Party Resources SQLi on the mobile content portal (Oracle, sys) private at the VoIP gateway Maintained by partners No hacking  Are actually located at a flat DMZ together with client‟s servers Enabling the billing Front-End
Rarities So many different things can be found on the perimeter • Technology “hardware” • VoIP • Old-school firewalls • Web cameras •Unusual control systems: ELOM, conditioners (!), UPS (!), etc. Keep in mind the momentous attacks (X-mas scan, UNIX RPC, Finger, and etc.) Don‟t underrate the rarities
Rarities nc –P 20 xxx.xxx.xxx.xxx 8080 Wireless Access Point • Insecure password for web • Enabling Telnet • Compiling tcpdump/nc and others for the platform • Using them for traffic/tunnel interception Web camera • LFI via a web interface • Obtaining configuration files • Gaining an access password for the control system • Gaining access to the control system
Journey to Gattaca
Watching the Video
Cobweb Lots of Web. For real. Enterprise web applications are often accessible • Terminal services (Citrix) • Email systems • Helpdesk systems • Ill-equipped for operating on the “wild web”
Support system We found and applied Path Traversal ManageEngine ServiceDesk Plus Gained the “encrypted” password for integration with AD The password fitted for VPN The password fitted for AD (Enterprise Admin) The password fitted for Cisco ACS So we finally got lucky!
VPN Lots of VPN, good and not so good Passwords, IPSec Aggressive Mode…
The Lords of the Net Administrator, the Lord of the Net A large network means many administrators Feudalism • Rules are for wimps • Enterprise IT infrastructure VS “my infrastructure” • Remote access systems • Amusing web servers and trail apps
“All animals are equal but…”
The Lords of the Rings TCP:1337 (SSL) – a web server of the system administration department Radio broadcasting (ShoutCast Server with a default password) Location: an administrator workstation With all the consequences…
Pentester Tips & Tricks Try not to miss a thing on the perimeter Keep in mind third-party hosts Get approvals for every step of your work Don‟t disregard network rarities. Sometimes a web camera can pave the way to the network core! Pay special attention to Web Remember admins
Partners and Contractors
Contractors? Requirements for system access (VPN) Standard accounts (in order to remember) No update management Employees
Contractors… Contractor in the technology network • Wireless interface on a laptop • Everyone, a shared folder • The folder contains an installer of a control system for xDSL modems/end routers • With an in-built SA password in DBMS • Who also has the same system? Applications for agents, sale and activation of communication services package • Fat-client application • Build-in access password for DBMS • … as SYSDBA
There Are Different Contractors... OMG?! HAVE I PWND THAT?
Pentester Tips & Tricks Contractors are never to be hacked Get approvals for every step of your work Many scenarios can be efficiently demonstrated by a “white box” method Suppose, I were a contractor But you are not a contractor …A fickle client…
Technology Networks
Something special? Changes are highly dynamic in the network • New gadgets keep emerging • Contractors keep working • Configuration keeps changing Implemented components and protocols are standard • Threats typical for IP • Configuration errors • Platform vulnerabilities Some errors can cause failures and facilitate frauds
Technology Networks Are Networks First of All! Equipment vulnerabilities Test systems, contractors‟ systems FORGOTTEN(!) systems Network management systems
Forgotten Systems Non-configured switch Uptime: 2 years!
Network Management Systems Such treasure •Network topology •Device configuration •Passwords and keys for VPN/Wi-Fi/SNMP/RADIUS/VPN… “They are behind the firewall” + Web password - OS, DBMS, Web updates + Standard passwords for DBMS + File(!) shares
That‟s Tough! WPA-PSK for AP is found Where are the points located?!!
Backup Is Quite a Useful Thing! Especially on the Net!
VoIP Is a Honey Pie Call management Identity theft (fraud) Access to the enterprise network VoIP Attack against… Fraud or fraudulent infrastructure mispresentation gateways protocols i[P]Phone Wiretapping And more…
VoIP 1. VoIP Wi-Fi access (No WPA, so “slow”) 2. The nearest CISCO Call Manager a) SQLi, CVE-2008-0026 https://www.example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+SELECT+'','','',user,'',password+from+app licationuser;-- b) Collecting hash runsql select user,password from applicationuser c) Restoring passwords from the hash Компьютер нарушителя 3. Level 15 for the whole network 1 WEP ТОП ТОП 2 КЛВС Вне офиса Компании «А» PSTN IP PBX Компания «А» 3 SQL injection CVE-2008-0026
Mobile Networks – It‟s So Banal Only the perimeter is secure Some weird hardware? • 3G SoftSwitch – Solaris 10 с CVE-2007-0882 (telnet -f) •…
Self-Service Platform WEB/USSD/WAP Interface with payment systems A possibility of money withdrawal No authentication (Caller ID) Weak authentication (PIN-код?) Vulnerable applications (Web, SQL Injection, XSS)
VAS platforms Someone’s application on the operator’s network Malicious content, WAP-provisioning Rich access via mobile stations (WAP/HTTP): • Web application vulnerabilities • Platform vulnerabilities Platforms for service development
Instead of a Conclusion
Forensic Nightmare Large networks make it extremely difficult to investigate incidents Lots of vectors, tons of hardware, a great deal of administrators A couple of hops on the internal network, and no one will make head or tail of it
Who is there?
Trying To Make Head or Tail…
Some Are Concerned…
Others Are Happy
Thank you for your attention! Sergey Gordeychik gordey@ptsecurity.com http://sgordey.blogspot.com http://ptresearch.blogspot.com http://phdays.com

Recomendados

How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay aliveqqlan
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
 
Defcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosDefcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosPriyanka Aash
 
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"Quobis
 
Security and identity management on WebRTC
Security and identity management on WebRTCSecurity and identity management on WebRTC
Security and identity management on WebRTCQuobis
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsPriyanka Aash
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
 
wifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slideswifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slidesguest1c1a9a
 

Recomendados

How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay aliveqqlan
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
 
Defcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosDefcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosPriyanka Aash
 
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"Quobis
 
Security and identity management on WebRTC
Security and identity management on WebRTCSecurity and identity management on WebRTC
Security and identity management on WebRTCQuobis
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsPriyanka Aash
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
 
wifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slideswifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slidesguest1c1a9a
 
Phree As In Phone Call
Phree As In Phone CallPhree As In Phone Call
Phree As In Phone Calljohnm_nz
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to knowEric Klein
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introductionswang2010
 
Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmės
Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmėsRainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmės
Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmėsTEO LT, AB
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Positive Hack Days
 
Protect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksProtect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksRohan Fernandes
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshootingSkillspire LLC
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
Voip security
Voip securityVoip security
Voip securityShethwala Ridhvesh
 
Spying The Wire
Spying The WireSpying The Wire
Spying The WireDon Anto
 
XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)Pasquale Tursi
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
 
Defcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveillDefcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveillPriyanka Aash
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsVi Tính Hoàng Nam
 
Ce hv6 module 63 botnets
Ce hv6 module 63 botnetsCe hv6 module 63 botnets
Ce hv6 module 63 botnetsVi Tính Hoàng Nam
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101April Mardock CISSP
 
Firewall Security Definition
Firewall Security DefinitionFirewall Security Definition
Firewall Security DefinitionPatten John
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveDefconRussia
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikPositive Hack Days
 

Más contenido relacionado

La actualidad más candente

Phree As In Phone Call
Phree As In Phone CallPhree As In Phone Call
Phree As In Phone Calljohnm_nz
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to knowEric Klein
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introductionswang2010
 
Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmės
Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmėsRainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmės
Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmėsTEO LT, AB
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Positive Hack Days
 
Protect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksProtect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksRohan Fernandes
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshootingSkillspire LLC
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
Spying The Wire
Spying The WireSpying The Wire
Spying The WireDon Anto
 
XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)Pasquale Tursi
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
 
Defcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveillDefcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveillPriyanka Aash
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsVi Tính Hoàng Nam
 
Firewall Security Definition
Firewall Security DefinitionFirewall Security Definition
Firewall Security DefinitionPatten John
 

La actualidad más candente (20)

Phree As In Phone Call
Phree As In Phone CallPhree As In Phone Call
Phree As In Phone Call
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introduction
 
Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmės
Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmėsRainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmės
Rainer Baeder. Sudėtingos tikslinės ir ilgai išliekančios grėsmės
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
 
Protect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksProtect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacks
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshooting
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
 
Voip security
Voip securityVoip security
Voip security
 
Spying The Wire
Spying The WireSpying The Wire
Spying The Wire
 
XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP Gateways
 
Defcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveillDefcon 22-robert-rowley-detecting-defending-against-surveill
Defcon 22-robert-rowley-detecting-defending-against-surveill
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
 
Ce hv6 module 63 botnets
Ce hv6 module 63 botnetsCe hv6 module 63 botnets
Ce hv6 module 63 botnets
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101
 
Firewall Security Definition
Firewall Security DefinitionFirewall Security Definition
Firewall Security Definition
 

Similar a How to Hack a Telecom and Stay Alive

Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveDefconRussia
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikPositive Hack Days
 
WebRTC Security
WebRTC SecurityWebRTC Security
WebRTC SecurityAlex Hunte
 
Co se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel MinaříkCo se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel MinaříkSecurity Session
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Computer Network Case Study - bajju.pptx
Computer Network Case Study - bajju.pptxComputer Network Case Study - bajju.pptx
Computer Network Case Study - bajju.pptxShivamBajaj36
 
From the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's PrimerFrom the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's PrimerRick G. Garibay
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEric Vanderburg
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...Eric Vanderburg
 
Threats to Mobile Computing
Threats to Mobile ComputingThreats to Mobile Computing
Threats to Mobile Computingmadhurbyheart
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityCambridge Intelligence
 
What is (not) Network Security
What is (not) Network SecurityWhat is (not) Network Security
What is (not) Network SecurityJohn ILIADIS
 
WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?VOIP2DAY
 
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed BedewiBalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed BedewiShah Sheikh
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxamalouwarda1
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Rishabh Dangwal
 
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...Rick G. Garibay
 

Similar a How to Hack a Telecom and Stay Alive (20)

Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay alive
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
WebRTC Security
WebRTC SecurityWebRTC Security
WebRTC Security
 
Co se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel MinaříkCo se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel Minařík
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Computer Network Case Study - bajju.pptx
Computer Network Case Study - bajju.pptxComputer Network Case Study - bajju.pptx
Computer Network Case Study - bajju.pptx
 
From the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's PrimerFrom the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's Primer
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
 
Day4
Day4Day4
Day4
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Threats to Mobile Computing
Threats to Mobile ComputingThreats to Mobile Computing
Threats to Mobile Computing
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber Security
 
What is (not) Network Security
What is (not) Network SecurityWhat is (not) Network Security
What is (not) Network Security
 
WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?
 
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed BedewiBalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptx
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
 

Más de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Más de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Último

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Último (20)

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

How to Hack a Telecom and Stay Alive

  • 1. How to Hack a Telecom and Stay Alive Sergey Gordeychik Сер CTO. Positive Technologies
  • 2. Ic Beo Sergey Gordeychik, Positive Technologies, CTO A “script writer” and a “director” of the Positive Hack Days forum Science editor of the SecurityLab.Ru portal Author of the Web Application Security course, and a book titled A Wireless Network Security and a namesake course A participant of WASC, RISSPA http://sgordey.blogspot.com
  • 3. What Is It All About? What is so peculiar about telecoms? Attacks against subscribers/Attacks by subscribers Perimeter… Just a perimeter Partners and contractors Technology networks
  • 5. Specific Features of Telecommunication Companies Large, large networks Unification of various services (broadband access, Wi-Fi, hosting, mobile communication) Great number of applications and systems on the perimeter Exotics inside and outside Lots of perimeters Most networks belong to third parties Forensics nightmare
  • 6. How many perimeters do telecoms have? Internet Subscribers Partners Office Technology network
  • 7. …and a bit more… Mobile communications Broadband Technological access network Wired broadband access Wireless broadband access VOIP Hosting Internet TV Hosting ...
  • 8. …and a bit more… Vladivostok Moscow Roma Phnom Penh
  • 9. Attack AGAINST Subscribers
  • 10. Why Subscribers? Subscribers‟ $ = telecoms‟ $ DOS = - $$ - reputation - $$ PWN (100 000 PC) = Botnet Personal data!
  • 11. Broadband Access Huge non-segmented networks Great number of end devices: • Various SOHO devices • Installed and unattended • Standard bugs configurations A manual on insecurity of network appliances  SNMP/Telnet/HTTP/UPnP control protocols in the Internet  Insecure/empty passwords  Web attacks on Client‟s side (Pinning, CSRF) Huge number of users • 1 out of1000, for 10 000 000 = 10 000 • Trivial passwords
  • 12. Broadband Access. Attack Collecting information • Network scanning • Access layer error (BRAS) • Collecting information from internal forums and other resources • Self-service platform errors Invalid login or password vs Invalid username Preparing scenarios • Capturing devices • Guessing passwords $profit$
  • 15. Examples of Risks Gaining access to a self-service portal • Cashout  guessing password or stealing the router cfg files (vpn/pppoe)  transferring money from a broadband access to a cell phone (integration!)  Cashing out via PRS • It drives me NUTS!!!  Guessing password or stealing the router cfg files (vpn/ppoe)  Purchasing the available  Balance =0 Performing a mass hacking of a router/PC Performing a mass changing of configurations
  • 16. Attacks against Clients of Mobile Networks Faking Caller ID •self-service portal/USSD •voice mailbox •cash-out via PRS •direct money withdrawal Internet SS7 Taget GSM SIP-GW Tech FAKE ID Systems unauthorized access
  • 17. Attacks against Clients of Mobile Networks Malware for mobile devices; Intercepting GSM – Not a magic – just a ROCKET SCIENCE! • attacking A5/1 • MITM, switch to A5/0 • downgrading UMTS -> GSM Traffic, SMS, one-time passwords... • Self-service portals/USSD • Cash-out via PRS • Voice mailbox
  • 18. Hosting Local network for collocated/dedicated servers • Attacks of a network/data link layer, attacks against network infrastructure • ARP Spoofing, IP Spoofing… old school • Intrasegment IPv6 attacks Attack against infrastructure (DNS…) Shared hosting (once having intruded into one of the sites…)
  • 19. Pentester Tips & Tricks || ||
  • 20. Pentester Tips & Tricks We are only searching for vulnerabilities We use only our own resources for demonstration We avoid information protected by the law A fickle client… C: Prove it! Enter the portal! P: No, thank you. Here is a password – enter it yourself…
  • 22. Why Subscribers? AGAIN? Subscribers are WITHIN one of the perimeters Many attacks are easier if performed on subscriber‟s side The number of subscribers of modern telecoms is quite large
  • 23. General Problems Network access control weakness Intrasegment attacks Protection of the end equipment Web applications for subscribers
  • 24. Network Access Control Errors A direct way does not always mean the most interesting one :) C:>tracert -d www.ru Tracing route to www.ru [194.87.0.50] over a maximum of 30 hops: 1 * * * Request timed out. 3 10 ms 13 ms 5 ms 192.168.5.4 4 7 ms 6 ms 5 ms 192.168.4.6
  • 25. Per Aspera Ad…level 15 #sh run Using 10994 out of 155640 bytes ! version 12.3 ... ! username test1 password 7 <removed> username antipov password 7 <removed> username gordey password 7 <removed> username anisimov password 7 <removed> username petkov password 7 <removed> username mitnik password 7 <removed> username jeremiah password 7 <removed>
  • 26. Network Access Control Errors GPRS/EDGE/3G, which traditionally stick to NAT Other clients are “invisible” This is not always true… GPRS: payment kiosks, ATMs, and etc., which can have: • A missing firewall; • Missing updates; • misconfigurations.
  • 27. A Joke SNMP „private‟ on a GGSN
  • 28. A Joke Captive portal “Your balance is low” •Linux •Apache •MySQL •PHP
  • 29. Intrasegment Attacks Subscribers of broadcast access and hosting
  • 30. Web Portals and Services for Subscribers A good few of resources • forums, dating sites, video convertors, online games, statistics, online shopping, photo hosting, file hosting, online radio… A good few of loopholes • Old versions of applications and CMS, SQLi, LFI and so on… Single-Sign-On or the same passwords… Are often placed into the DMZ together with “ordinary” servers
  • 31. Web Portals and Servers for Subscribers Games server* Proxima CMS, path traversal + SQLi + configuration error= root About 20 more sites on the host • Online broadcasting • Branded desktop applications •…
  • 32. Pentester Tips & Tricks Resources on the subscriber networks are often SUBSCRIBER‟s resources Getting approvals for every step of your work Many systems operate on a wing and a prayer They collapse all the time, but if you are online anyway… Avoiding (!) information protected by the law A fickle client…
  • 34. Perimeter? Large, large networks! •Use clouds Great number of “third-party” resources Get ready for rarities Corporate web applications The Lord of The Net
  • 35. Great Number of Third-Party Resources Quite a large number of perimeter hosts belong to partners/subscribers Quite often these hosts are “mixed” with those of the client Yet, they should not be disregarded • Imagine that you are already a level 15/root/admin on the host and you just entered the segment
  • 36. Great Number of Third-Party Resources SQLi on the mobile content portal (Oracle, sys) private at the VoIP gateway Maintained by partners No hacking  Are actually located at a flat DMZ together with client‟s servers Enabling the billing Front-End
  • 37. Rarities So many different things can be found on the perimeter • Technology “hardware” • VoIP • Old-school firewalls • Web cameras •Unusual control systems: ELOM, conditioners (!), UPS (!), etc. Keep in mind the momentous attacks (X-mas scan, UNIX RPC, Finger, and etc.) Don‟t underrate the rarities
  • 38. Rarities nc –P 20 xxx.xxx.xxx.xxx 8080 Wireless Access Point • Insecure password for web • Enabling Telnet • Compiling tcpdump/nc and others for the platform • Using them for traffic/tunnel interception Web camera • LFI via a web interface • Obtaining configuration files • Gaining an access password for the control system • Gaining access to the control system
  • 41. Cobweb Lots of Web. For real. Enterprise web applications are often accessible • Terminal services (Citrix) • Email systems • Helpdesk systems • Ill-equipped for operating on the “wild web”
  • 42. Support system We found and applied Path Traversal ManageEngine ServiceDesk Plus Gained the “encrypted” password for integration with AD The password fitted for VPN The password fitted for AD (Enterprise Admin) The password fitted for Cisco ACS So we finally got lucky!
  • 43. VPN Lots of VPN, good and not so good Passwords, IPSec Aggressive Mode…
  • 44. The Lords of the Net Administrator, the Lord of the Net A large network means many administrators Feudalism • Rules are for wimps • Enterprise IT infrastructure VS “my infrastructure” • Remote access systems • Amusing web servers and trail apps
  • 45. “All animals are equal but…”
  • 46. The Lords of the Rings TCP:1337 (SSL) – a web server of the system administration department Radio broadcasting (ShoutCast Server with a default password) Location: an administrator workstation With all the consequences…
  • 47. Pentester Tips & Tricks Try not to miss a thing on the perimeter Keep in mind third-party hosts Get approvals for every step of your work Don‟t disregard network rarities. Sometimes a web camera can pave the way to the network core! Pay special attention to Web Remember admins
  • 49. Contractors? Requirements for system access (VPN) Standard accounts (in order to remember) No update management Employees
  • 50. Contractors… Contractor in the technology network • Wireless interface on a laptop • Everyone, a shared folder • The folder contains an installer of a control system for xDSL modems/end routers • With an in-built SA password in DBMS • Who also has the same system? Applications for agents, sale and activation of communication services package • Fat-client application • Build-in access password for DBMS • … as SYSDBA
  • 51. There Are Different Contractors... OMG?! HAVE I PWND THAT?
  • 52. Pentester Tips & Tricks Contractors are never to be hacked Get approvals for every step of your work Many scenarios can be efficiently demonstrated by a “white box” method Suppose, I were a contractor But you are not a contractor …A fickle client…
  • 54. Something special? Changes are highly dynamic in the network • New gadgets keep emerging • Contractors keep working • Configuration keeps changing Implemented components and protocols are standard • Threats typical for IP • Configuration errors • Platform vulnerabilities Some errors can cause failures and facilitate frauds
  • 55. Technology Networks Are Networks First of All! Equipment vulnerabilities Test systems, contractors‟ systems FORGOTTEN(!) systems Network management systems
  • 56. Forgotten Systems Non-configured switch Uptime: 2 years!
  • 57. Network Management Systems Such treasure •Network topology •Device configuration •Passwords and keys for VPN/Wi-Fi/SNMP/RADIUS/VPN… “They are behind the firewall” + Web password - OS, DBMS, Web updates + Standard passwords for DBMS + File(!) shares
  • 58. That‟s Tough! WPA-PSK for AP is found Where are the points located?!!
  • 59. Backup Is Quite a Useful Thing! Especially on the Net!
  • 60. VoIP Is a Honey Pie Call management Identity theft (fraud) Access to the enterprise network VoIP Attack against… Fraud or fraudulent infrastructure mispresentation gateways protocols i[P]Phone Wiretapping And more…
  • 61. VoIP 1. VoIP Wi-Fi access (No WPA, so “slow”) 2. The nearest CISCO Call Manager a) SQLi, CVE-2008-0026 https://www.example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+SELECT+'','','',user,'',password+from+app licationuser;-- b) Collecting hash runsql select user,password from applicationuser c) Restoring passwords from the hash Компьютер нарушителя 3. Level 15 for the whole network 1 WEP ТОП ТОП 2 КЛВС Вне офиса Компании «А» PSTN IP PBX Компания «А» 3 SQL injection CVE-2008-0026
  • 62. Mobile Networks – It‟s So Banal Only the perimeter is secure Some weird hardware? • 3G SoftSwitch – Solaris 10 с CVE-2007-0882 (telnet -f) •…
  • 63. Self-Service Platform WEB/USSD/WAP Interface with payment systems A possibility of money withdrawal No authentication (Caller ID) Weak authentication (PIN-код?) Vulnerable applications (Web, SQL Injection, XSS)
  • 64. VAS platforms Someone’s application on the operator’s network Malicious content, WAP-provisioning Rich access via mobile stations (WAP/HTTP): • Web application vulnerabilities • Platform vulnerabilities Platforms for service development
  • 65. Instead of a Conclusion
  • 66. Forensic Nightmare Large networks make it extremely difficult to investigate incidents Lots of vectors, tons of hardware, a great deal of administrators A couple of hops on the internal network, and no one will make head or tail of it
  • 68. Trying To Make Head or Tail…
  • 71. Thank you for your attention! Sergey Gordeychik gordey@ptsecurity.com http://sgordey.blogspot.com http://ptresearch.blogspot.com http://phdays.com