SlideShare a Scribd company logo

Hacking SIP Services and Bypassing Billing Like a Boss

Fatih Ozavci
Fatih Ozavci

This is my Athcon 2013 slide set. I also demonstrated that attacking mobile applications via SIP Trust, scanning via SIP proxies and MITM fuzzing in Live Demo.

TechnologyBusiness
1 of 35
Download to read offline
Hacking SIP Services Like a Boss Fatih Özavcı Information Security Researcher & Consultant fatih.ozavci at viproy.com viproy.com/fozavci
2#occupygezi #occupygezi #direngezi
3#occupygezi #occupygezi #direngezi
4#occupygezi #occupygezi #direngezi
5#occupygezi About Me Information Security Consultant @ Viproy / Turkey 10+ Years Experience in Penetration Testing 800+ Penetration Tests, 40+ Focused on NGN/VoIP SIP/NGN/VoIP Systems Penetration Testing Mobile Application Penetration Testing IPTV Penetration Testing Regular Stuff (Network Inf., Web, SOAP, Exploitation...) Author of Viproy VoIP Penetration Testing Kit Author of Hacking SIP Trust Relationships of SIP Gateways Blackhat Arsenal USA 2013 – Viproy VoIP Pen-Test Kit So, that's me
6#occupygezi Agenda VoIP Networks are Insecure, but Why? Viproy What? Discovery Register/Subscribe Tests Invite Tests CDR and Billing Bypass Denial of Service Fuzzing Hacking SIP Trust Relationships Out of Scope RTP Services and Network Tests Management and Additional Services XML/JSON Based Soap Services
7#occupygezi SIP, NGN, VoIP SIP – Session Initiation Protocol Only Signaling not Transporting Call Extended with Session Discovery Protocol NGN – Next Generation Network Forget TDM and PSTN SIP, H.248 / Megaco, RTP, MSAN/MGW Smart Customer Modems & Phones Easy Management Security Free, It's NOT Required?! Next Generation! Because We Said So!
8#occupygezi Administrators Think... Root Doesn't! Their VoIP Network Isolated Open Physical Access for Many Network Operators Insufficient Network Segmentation Insecure VPNs (IPSec, MPLS) Abusing VoIP Requires Knowledge It's Easy With Right Automated Tools, But That's the Case ! Most Attacks are Network Based or Toll Fraud Call Based DOS Attacks, Response Based DDOS Attacks, Compromising Clients for Surveillance, Spying Phishing, Fake Calls for Fun&Profit, Abusing VAS Services VoIP Devices are Well-Configured Many Operators and Vendors Have No Idea About The Security Requirements SIP Accounts without Passwords, Trunks, Management Problems Old Version and Insecure Software (Especially VAS, CDR, DB, Operating System) Insecure Additional Services (TFTP, Telnet, SNMP, FTP, DHCP, Soap Services)
9#occupygezi SIP Services : Internal IP Telephony INTERNET SIP Server Support Servers SIP Clients Factory/Campus SIP over VPN Commercial Gateways Analog/Digital PBX
10#occupygezi SIP Services : Commercial Operators INTERNET Soft Switch (SIP Server) VAS, CDR, DB Servers MSAN/MGW PSTN/ISDN Distrubutor MPLS 3rd Party Gateways SDP Servers Customers RTP, Proxy Servers Mobile
11#occupygezi Why Other SIP Tools are not Efficient ? Sipvicious, Sipsak, Sipp : Basic Tools, Basic Functions They Need Complete Protocol Information to Perform a Test They Prepared for Simple Tasks, not Complete Operation Performing Security Tests After Authentication is Painful Call Spoofing, Bypassing CDR/Invoice, Spying DOS Attacks for Call Limits, VAS Services, Toll Fraud Special Tests Require 3-4 Steps They Don't Have Pen-Test Features Database Support, Integration with Other Tools Knowledge Transfer Quick Action & Development for Specific Cases
12#occupygezi Why Metasploit Framework or New Modules? Metasploit Has Many Penetration Testing Features 1000+ Exploits & Tools, Database Support, Automated Tasks Handy Functions for Development, Sample Modules, Less Code Integration Between Tools and Exploits Why New Metasploit Modules? There is NO SIP Library in REX, Auxiliary Development is Painful There is NO Module for Testing SIP Services after Authentication Presented SIP Auxiliaries are Useful Only Specific Tests 8 Simple Modules and 1 Library, Less Code for SIP Tests Integrated SIP Tests with Metasploit Framework Infrastructure
13#occupygezi Viproy What? Viproy is a Vulcan-ish Word that means "Call" Viproy VoIP Penetration and Exploitation Kit Testing Modules for Metasploit, MSF License Old Techniques, New Approach SIP Library for New Module Development Custom Header Support, Authentication Support New Stuffs for Testing: Trust Analyzer, Proxy etc Modules Options, Register, Invite Brute Forcers, Enumerator SIP Trust Analyzer, Port Scan SIP Proxy, Fake Service
14#occupygezi Discovery Finding and Identifying SIP Services Different Ports, Different Purposes Internal Communication Service or PSTN Gateway Discovering Available Methods Register, Direct Invite, Options Soft Switch, Call Manager, Mobile Client Software, IP Phone Discovering SIP Software Well-Known Software Vulnerabilities Compliant Softwares and Architecture Network Points and 3rd Party Detection
15#occupygezi Discovery Soft Switch (SIP Server) Clients Gateways OPTIONS / REGISTER / INVITE / SUBSCRIBE 100 Trying 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Collecting Information from Response Headers User-Agent Server Realm Call-ID Record-Route Warning P-Asserted-Identity P-Called-Party-ID P-Preferred-Identity P-Charging-Vector
16#occupygezi Register/Subscribe Tests Unauthenticated Registration Special Trunks Special VAS Numbers Gateways Identifying Valid Target Numbers, Users, Realm De-Registration for Valid Users Brute Forcing Valid Accounts and Passwords With Well-Known User List Numeric User Ranges
17#occupygezi Register/Subscribe Tests Soft Switch (SIP Server) Clients Gateways REGISTER / SUBSCRIBE (From, To, Credentials) 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error RESPONSE Depends on Informations in REQUEST Type of Request (REGISTER, SUBSCRIBE) FROM, TO, Credentials with Realm Via Actions/Tests Depends on RESPONSE Brute Force (FROM, TO, Credentials) Detecting/Enumerating Special TOs, FROMs or Trunks Detecting/Enumerating Accounts With Weak or Null Passwords ….
18#occupygezi Invite Tests Invite Without Registration Client Software, IP Phone, Test SIP Server Bypassing “After Register” Restrictions Direct Invite from Special Trunk (IP Based) VAS Services, Trusted Soft Switches, Gateways, MSAN, MGW Invite Spoofing (After or Before Registration, Via Trunk) For Phishing, Spying, Surveillance, Restriction Bypass, VAS Via Field, From Field P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity ISDN Calling Party Number, Remote-Party-ID
19#occupygezi CDR and Billing Bypass Invite Spoofing (After or Before Registration, Via Trunk) Via Field, From Field P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity ISDN Calling Party Number, Remote-Party-ID Bypass Techniques Faking as a Cheap Gateway, Another Customer or Trunk Direct Call to Client, VAS Service or Gateway Call Count Information on Headers P-Charging-Vector (Spoofing, Manipulating) Re-Invite, Update (Without/With P-Charging-Vector)
20#occupygezi Invite, CDR and Billing Tests Soft Switch (SIP Server) Clients Gateways INVITE/ACK/RE-INVITE/UPDATE (From, To, Credentials, VIA ...) 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Actions/Tests Depends on RESPONSE Brute Force (FROM&TO) for VAS and Gateways Testing Call Limits, Unauthenticated Calls, CDR Management INVITE Spoofing for Restriction Bypass, Spying, Invoice …. 100 Trying 183 Session Progress 180 Ringing 200 OK RESPONSE Depends on Informations in INVITE REQUEST FROM, TO, Credentials with Realm, FROM <>, TO <> Via, Record-Route Direct INVITE from Specific IP:PORT (IP Based Trunks)
21#occupygezi Denial of Service Denial of Service Vulnerabilities of SIP Services Many Responses for Bogus Requests DDOS→ Concurrent Registered User/Call Limits Voice Message Box, CDR, VAS based DOS Attacks Bye And Cancel Tests for Call Drop Locking All Accounts if Account Locking is Active for Multiple Fails Multiple Invite (After or Before Registration, Via Trunk) Calling All Numbers at Same Time Overloading Sip Server's Call Limits Calling Expensive Gateways,Targets or VAS From Customers
22#occupygezi Fuzzing SIP Services or Fuzz Me Maybe Fuzzing as a SIP Client | SIP Server | Proxy | MITM SIP Server Softwares SIP Clients Hardware Devices, IP Phones, Video Conference Systems Desktop Application or Web Based Software Mobile Software Special SIP Devices/Softwares SIP Firewalls, ACL Devices, Proxies Connected SIP Trunks, 3rd Party Gateways MSAN/MGW Logging Softwares (Indirect) Special Products: Cisco, Alcatel, Avaya, Huawei, ZTE...
23#occupygezi Fuzzing SIP Services or Fuzz Me Maybe Request Fuzzing Fuzzing Registration and Authentication Parameters Fuzzing Invite Parameters Fuzzing Options Parameters Fuzzing Bye and Cancel Parameters Fuzzing Authentication Functions Response Fuzzing Authentication Options (Nonce, Digest, URI etc) [1|2]0x 200 OK, 100 Trying, 180 Ringing, 183 Session Progress 30x 301 Moved Permanently, 305 Use Proxy, 380 Alternate Services 40x 401 Unauthorized, 403 Forbidden, 402 Payment Required 60x 600 Busy, 603 Decline, 606 Not Acceptable
24#occupygezi Static and Stateful SIP Fuzzers Static Fuzzers Protos https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c07-sip SipFuzzer http://code.google.com/p/sipfuzzer/ Asteroid SIP Fuzzer http://www.infiltrated.net/asteroid/ Stateful Fuzzers Interstate http://testlab.ics.uci.edu/interstate/ Kif http://kif.gforge.inria.fr/ Snooze http://seclab.cs.ucsb.edu/academic/projects/projects/snooze/
25#occupygezi Missing Features in SIP Fuzzers Static Fuzzers State Tracking is Biggest Problem Missing Important SIP Features and Headers Stateful Fuzzers (Old Tools, Last Update 2007) Missing State Features (ACK,PHRACK,RE-INVITE,UPDATE) Fuzzing After Authentication (Double Account, Self-Call) Response Fuzzing (Before or After Authentication) Missing SIP Features IP Spoofing for SIP Trunks Proxy Headers, Custom Headers, Invoice Headers SDP and ISUP Support Numeric Fuzzing for Services is NOT Buffer Overflow Dial Plan Fuzzing, VAS Fuzzing
26#occupygezi How This SIP Library Helps Fuzzing Tests Skeleton for Feature Fuzzing, NOT Only SIP Protocol Multiple SIP Service Initiation Call Fuzzing in Many States, Response Fuzzing Integration With Other Metasploit Features Fuzzers, Encoding Support, Auxiliaries, Immortality etc. Custom Header Support Future Compliance, Vendor Specific Extensions, VAS Raw Data Send Support (Useful with External Static Tools) Authentication Support Authentication Fuzzing , Custom Fuzzing with Authentication Less Code, Custom Fuzzing, State Checks Some Features (Fuzz Library, SDP) are in Development
27#occupygezi Fuzzing SIP Services : Request Based Soft Switch (SIP Server) Clients Gateways OPTIONS/REGISTER/SUBSCRIBE/INVITE/ACK/RE-INVITE/UPDATE.... 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Fuzzing Targets, REQUEST Fields Request Type, Protocol, Description Via, Branch, Call-ID, From, To, Cseq, Contact, Record-Route Proxy Headers, P-*-* (P-Asserted-Identity, P-Charging-Vector...) Authentication in Different Requests (User, Pass, Realm, Nonce) Content-Type, Content-Lenth SDP Information Fields ISUP Fields 100 Trying 183 Session Progress 180 Ringing 200 OK
28#occupygezi Fuzzing SIP Services : Response Based Soft Switch (SIP Server) Clients Gateways OPTIONS INVITE/ACK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error 100 Trying 183 Session Progress 180 Ringing 200 OK INVITE Myself / INVITE I'm Proxy MALICOUS RESPONSE MALICOUS RESPONSE Potential RESPONSE Types for Fuzzing
29#occupygezi Hacking SIP Trust Relationships NGN SIP Services Trust Each Other Authentication and TCP are Slow, They Need Speed IP and Port Based Trust are Most Effective Way What We Need Target Number to Call (Cell Phone if Service is Public) Tech Magazine, Web Site Information, News Baby Steps Finding Trusted SIP Networks (Mostly B Class) Sending IP Spoofed Requests from Each IP:Port Each Call Should Contain IP:Port in From Section Note The Trusted SIP Gateway When We Have a Call Brace Yourselves The Call is Coming
30#occupygezi The Wall # Hacking SIP Trust Relationships Slow Motion 192.168.1.201 – Izmir Production SIP Service Ankara Istanbul Trusted International Operator IP Spoofed Call Request Contains IP:Port Data in From White Walker
31#occupygezi The Wall # Hacking SIP Trust Relationships Brace Yourselves The Call is Coming 192.168.1.201 – Izmir Production SIP Service Ankara Istanbul Trusted International Operator IP Spoofed Call Request Somebody Known in From Billing ? CDR ? Log ? Come Again?From Citadel White Walker
32#occupygezi References and Further Information My Personal Page (viproy.com/fozavci) Hacking Trust Relationships Between SIP Gateways SIP Pen-Testing Kit for Metasploit Framework Pen-Testing Guide for SIP Services in English Pen-Testing Using Metasploit Framework in Turkish (300 Pages) Blog : fozavci.blogspot.com SIP Pen-Testing Kit for Metasploit Framework http://github.com/fozavci/viproy-voipkit Metasploit Project (www.metasploit.com) Metasploit Unleashed www.offensive-security.com/metasploit-unleashed/Main_Page
33#occupygezi DEMO Attacking SIP Servers Using Viproy SIP Pen-Testing Kit http://www.youtube.com/watch?v=AbXh_L0-Y5A
34#occupygezi Q ?
35#occupygezi Thank You

Recommended

The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logicAlberto Rivai
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 

Recommended

The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logicAlberto Rivai
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksJorge Orchilles
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017Michael Furman
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overviewBelsoft
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
8 palo alto security policy concepts
8 palo alto security policy concepts8 palo alto security policy concepts
8 palo alto security policy conceptsMostafa El Lathy
 
10 palo alto nat policy concepts
10 palo alto nat policy concepts10 palo alto nat policy concepts
10 palo alto nat policy conceptsMostafa El Lathy
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksn|u - The Open Security Community
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
2 what is the best firewall (sizing)
2 what is the best firewall (sizing)2 what is the best firewall (sizing)
2 what is the best firewall (sizing)Mostafa El Lathy
 
20 palo alto site to site
20 palo alto site to site20 palo alto site to site
20 palo alto site to siteMostafa El Lathy
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tpseudor00t overflow
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP Fatih Ozavci
 

More Related Content

What's hot

C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksJorge Orchilles
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overviewBelsoft
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
8 palo alto security policy concepts
8 palo alto security policy concepts8 palo alto security policy concepts
8 palo alto security policy conceptsMostafa El Lathy
 
10 palo alto nat policy concepts
10 palo alto nat policy concepts10 palo alto nat policy concepts
10 palo alto nat policy conceptsMostafa El Lathy
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
2 what is the best firewall (sizing)
2 what is the best firewall (sizing)2 what is the best firewall (sizing)
2 what is the best firewall (sizing)Mostafa El Lathy
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 

What's hot (20)

C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control Frameworks
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
Security testing
Security testingSecurity testing
Security testing
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
8 palo alto security policy concepts
8 palo alto security policy concepts8 palo alto security policy concepts
8 palo alto security policy concepts
 
10 palo alto nat policy concepts
10 palo alto nat policy concepts10 palo alto nat policy concepts
10 palo alto nat policy concepts
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacks
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
2 what is the best firewall (sizing)
2 what is the best firewall (sizing)2 what is the best firewall (sizing)
2 what is the best firewall (sizing)
 
20 palo alto site to site
20 palo alto site to site20 palo alto site to site
20 palo alto site to site
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 

Similar to Hacking SIP Services and Bypassing Billing Like a Boss

Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tpseudor00t overflow
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP Fatih Ozavci
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlWarren Bent
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Warren Bent
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCloudIDSummit
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to knowEric Klein
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
 
Are You Vulnerable to IP Telephony Fraud and Cyber Threats?
Are You Vulnerable to IP Telephony Fraud and Cyber Threats?Are You Vulnerable to IP Telephony Fraud and Cyber Threats?
Are You Vulnerable to IP Telephony Fraud and Cyber Threats?Carl Blume
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
SIP in action Itexpo West
SIP in action Itexpo WestSIP in action Itexpo West
SIP in action Itexpo WestGraham Francis
 
Analysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence ProcedureAnalysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence Procedureijsrd.com
 
Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2George Wahome
 
1 Vo Ip Overview
1 Vo Ip Overview1 Vo Ip Overview
1 Vo Ip OverviewMayank Vora
 
1 Vo I P Overview
1 Vo I P Overview1 Vo I P Overview
1 Vo I P OverviewMayank Vora
 
Astricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installationsAstricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installationsOlle E Johansson
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 

Similar to Hacking SIP Services and Bypassing Billing Like a Boss (20)

Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP Gateways
 
Are You Vulnerable to IP Telephony Fraud and Cyber Threats?
Are You Vulnerable to IP Telephony Fraud and Cyber Threats?Are You Vulnerable to IP Telephony Fraud and Cyber Threats?
Are You Vulnerable to IP Telephony Fraud and Cyber Threats?
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
SIP in action Itexpo West
SIP in action Itexpo WestSIP in action Itexpo West
SIP in action Itexpo West
 
Dalton Jim
Dalton JimDalton Jim
Dalton Jim
 
Sip
SipSip
Sip
 
Analysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence ProcedureAnalysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence Procedure
 
Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2
 
1 Vo Ip Overview
1 Vo Ip Overview1 Vo Ip Overview
1 Vo Ip Overview
 
1 Vo I P Overview
1 Vo I P Overview1 Vo I P Overview
1 Vo I P Overview
 
Astricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installationsAstricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installations
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 

More from Fatih Ozavci

Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Fatih Ozavci
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenFatih Ozavci
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)Fatih Ozavci
 
Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiFatih Ozavci
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi KoruyunFatih Ozavci
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeFatih Ozavci
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsFatih Ozavci
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiFatih Ozavci
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Fatih Ozavci
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarFatih Ozavci
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriFatih Ozavci
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiFatih Ozavci
 

More from Fatih Ozavci (16)

Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
 
Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik Denetimi
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi Koruyun
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik Denetimi
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit Gelistirme
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur Yazilimlar
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri Yontemleri
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik Denetimi
 

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Hacking SIP Services and Bypassing Billing Like a Boss

  • 1. Hacking SIP Services Like a Boss Fatih Özavcı Information Security Researcher & Consultant fatih.ozavci at viproy.com viproy.com/fozavci
  • 5. 5#occupygezi About Me Information Security Consultant @ Viproy / Turkey 10+ Years Experience in Penetration Testing 800+ Penetration Tests, 40+ Focused on NGN/VoIP SIP/NGN/VoIP Systems Penetration Testing Mobile Application Penetration Testing IPTV Penetration Testing Regular Stuff (Network Inf., Web, SOAP, Exploitation...) Author of Viproy VoIP Penetration Testing Kit Author of Hacking SIP Trust Relationships of SIP Gateways Blackhat Arsenal USA 2013 – Viproy VoIP Pen-Test Kit So, that's me
  • 6. 6#occupygezi Agenda VoIP Networks are Insecure, but Why? Viproy What? Discovery Register/Subscribe Tests Invite Tests CDR and Billing Bypass Denial of Service Fuzzing Hacking SIP Trust Relationships Out of Scope RTP Services and Network Tests Management and Additional Services XML/JSON Based Soap Services
  • 7. 7#occupygezi SIP, NGN, VoIP SIP – Session Initiation Protocol Only Signaling not Transporting Call Extended with Session Discovery Protocol NGN – Next Generation Network Forget TDM and PSTN SIP, H.248 / Megaco, RTP, MSAN/MGW Smart Customer Modems & Phones Easy Management Security Free, It's NOT Required?! Next Generation! Because We Said So!
  • 8. 8#occupygezi Administrators Think... Root Doesn't! Their VoIP Network Isolated Open Physical Access for Many Network Operators Insufficient Network Segmentation Insecure VPNs (IPSec, MPLS) Abusing VoIP Requires Knowledge It's Easy With Right Automated Tools, But That's the Case ! Most Attacks are Network Based or Toll Fraud Call Based DOS Attacks, Response Based DDOS Attacks, Compromising Clients for Surveillance, Spying Phishing, Fake Calls for Fun&Profit, Abusing VAS Services VoIP Devices are Well-Configured Many Operators and Vendors Have No Idea About The Security Requirements SIP Accounts without Passwords, Trunks, Management Problems Old Version and Insecure Software (Especially VAS, CDR, DB, Operating System) Insecure Additional Services (TFTP, Telnet, SNMP, FTP, DHCP, Soap Services)
  • 9. 9#occupygezi SIP Services : Internal IP Telephony INTERNET SIP Server Support Servers SIP Clients Factory/Campus SIP over VPN Commercial Gateways Analog/Digital PBX
  • 10. 10#occupygezi SIP Services : Commercial Operators INTERNET Soft Switch (SIP Server) VAS, CDR, DB Servers MSAN/MGW PSTN/ISDN Distrubutor MPLS 3rd Party Gateways SDP Servers Customers RTP, Proxy Servers Mobile
  • 11. 11#occupygezi Why Other SIP Tools are not Efficient ? Sipvicious, Sipsak, Sipp : Basic Tools, Basic Functions They Need Complete Protocol Information to Perform a Test They Prepared for Simple Tasks, not Complete Operation Performing Security Tests After Authentication is Painful Call Spoofing, Bypassing CDR/Invoice, Spying DOS Attacks for Call Limits, VAS Services, Toll Fraud Special Tests Require 3-4 Steps They Don't Have Pen-Test Features Database Support, Integration with Other Tools Knowledge Transfer Quick Action & Development for Specific Cases
  • 12. 12#occupygezi Why Metasploit Framework or New Modules? Metasploit Has Many Penetration Testing Features 1000+ Exploits & Tools, Database Support, Automated Tasks Handy Functions for Development, Sample Modules, Less Code Integration Between Tools and Exploits Why New Metasploit Modules? There is NO SIP Library in REX, Auxiliary Development is Painful There is NO Module for Testing SIP Services after Authentication Presented SIP Auxiliaries are Useful Only Specific Tests 8 Simple Modules and 1 Library, Less Code for SIP Tests Integrated SIP Tests with Metasploit Framework Infrastructure
  • 13. 13#occupygezi Viproy What? Viproy is a Vulcan-ish Word that means "Call" Viproy VoIP Penetration and Exploitation Kit Testing Modules for Metasploit, MSF License Old Techniques, New Approach SIP Library for New Module Development Custom Header Support, Authentication Support New Stuffs for Testing: Trust Analyzer, Proxy etc Modules Options, Register, Invite Brute Forcers, Enumerator SIP Trust Analyzer, Port Scan SIP Proxy, Fake Service
  • 14. 14#occupygezi Discovery Finding and Identifying SIP Services Different Ports, Different Purposes Internal Communication Service or PSTN Gateway Discovering Available Methods Register, Direct Invite, Options Soft Switch, Call Manager, Mobile Client Software, IP Phone Discovering SIP Software Well-Known Software Vulnerabilities Compliant Softwares and Architecture Network Points and 3rd Party Detection
  • 15. 15#occupygezi Discovery Soft Switch (SIP Server) Clients Gateways OPTIONS / REGISTER / INVITE / SUBSCRIBE 100 Trying 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Collecting Information from Response Headers User-Agent Server Realm Call-ID Record-Route Warning P-Asserted-Identity P-Called-Party-ID P-Preferred-Identity P-Charging-Vector
  • 16. 16#occupygezi Register/Subscribe Tests Unauthenticated Registration Special Trunks Special VAS Numbers Gateways Identifying Valid Target Numbers, Users, Realm De-Registration for Valid Users Brute Forcing Valid Accounts and Passwords With Well-Known User List Numeric User Ranges
  • 17. 17#occupygezi Register/Subscribe Tests Soft Switch (SIP Server) Clients Gateways REGISTER / SUBSCRIBE (From, To, Credentials) 200 OK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error RESPONSE Depends on Informations in REQUEST Type of Request (REGISTER, SUBSCRIBE) FROM, TO, Credentials with Realm Via Actions/Tests Depends on RESPONSE Brute Force (FROM, TO, Credentials) Detecting/Enumerating Special TOs, FROMs or Trunks Detecting/Enumerating Accounts With Weak or Null Passwords ….
  • 18. 18#occupygezi Invite Tests Invite Without Registration Client Software, IP Phone, Test SIP Server Bypassing “After Register” Restrictions Direct Invite from Special Trunk (IP Based) VAS Services, Trusted Soft Switches, Gateways, MSAN, MGW Invite Spoofing (After or Before Registration, Via Trunk) For Phishing, Spying, Surveillance, Restriction Bypass, VAS Via Field, From Field P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity ISDN Calling Party Number, Remote-Party-ID
  • 19. 19#occupygezi CDR and Billing Bypass Invite Spoofing (After or Before Registration, Via Trunk) Via Field, From Field P-Asserted-Identity, P-Called-Party-ID, P-Preferred-Identity ISDN Calling Party Number, Remote-Party-ID Bypass Techniques Faking as a Cheap Gateway, Another Customer or Trunk Direct Call to Client, VAS Service or Gateway Call Count Information on Headers P-Charging-Vector (Spoofing, Manipulating) Re-Invite, Update (Without/With P-Charging-Vector)
  • 20. 20#occupygezi Invite, CDR and Billing Tests Soft Switch (SIP Server) Clients Gateways INVITE/ACK/RE-INVITE/UPDATE (From, To, Credentials, VIA ...) 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Actions/Tests Depends on RESPONSE Brute Force (FROM&TO) for VAS and Gateways Testing Call Limits, Unauthenticated Calls, CDR Management INVITE Spoofing for Restriction Bypass, Spying, Invoice …. 100 Trying 183 Session Progress 180 Ringing 200 OK RESPONSE Depends on Informations in INVITE REQUEST FROM, TO, Credentials with Realm, FROM <>, TO <> Via, Record-Route Direct INVITE from Specific IP:PORT (IP Based Trunks)
  • 21. 21#occupygezi Denial of Service Denial of Service Vulnerabilities of SIP Services Many Responses for Bogus Requests DDOS→ Concurrent Registered User/Call Limits Voice Message Box, CDR, VAS based DOS Attacks Bye And Cancel Tests for Call Drop Locking All Accounts if Account Locking is Active for Multiple Fails Multiple Invite (After or Before Registration, Via Trunk) Calling All Numbers at Same Time Overloading Sip Server's Call Limits Calling Expensive Gateways,Targets or VAS From Customers
  • 22. 22#occupygezi Fuzzing SIP Services or Fuzz Me Maybe Fuzzing as a SIP Client | SIP Server | Proxy | MITM SIP Server Softwares SIP Clients Hardware Devices, IP Phones, Video Conference Systems Desktop Application or Web Based Software Mobile Software Special SIP Devices/Softwares SIP Firewalls, ACL Devices, Proxies Connected SIP Trunks, 3rd Party Gateways MSAN/MGW Logging Softwares (Indirect) Special Products: Cisco, Alcatel, Avaya, Huawei, ZTE...
  • 23. 23#occupygezi Fuzzing SIP Services or Fuzz Me Maybe Request Fuzzing Fuzzing Registration and Authentication Parameters Fuzzing Invite Parameters Fuzzing Options Parameters Fuzzing Bye and Cancel Parameters Fuzzing Authentication Functions Response Fuzzing Authentication Options (Nonce, Digest, URI etc) [1|2]0x 200 OK, 100 Trying, 180 Ringing, 183 Session Progress 30x 301 Moved Permanently, 305 Use Proxy, 380 Alternate Services 40x 401 Unauthorized, 403 Forbidden, 402 Payment Required 60x 600 Busy, 603 Decline, 606 Not Acceptable
  • 24. 24#occupygezi Static and Stateful SIP Fuzzers Static Fuzzers Protos https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c07-sip SipFuzzer http://code.google.com/p/sipfuzzer/ Asteroid SIP Fuzzer http://www.infiltrated.net/asteroid/ Stateful Fuzzers Interstate http://testlab.ics.uci.edu/interstate/ Kif http://kif.gforge.inria.fr/ Snooze http://seclab.cs.ucsb.edu/academic/projects/projects/snooze/
  • 25. 25#occupygezi Missing Features in SIP Fuzzers Static Fuzzers State Tracking is Biggest Problem Missing Important SIP Features and Headers Stateful Fuzzers (Old Tools, Last Update 2007) Missing State Features (ACK,PHRACK,RE-INVITE,UPDATE) Fuzzing After Authentication (Double Account, Self-Call) Response Fuzzing (Before or After Authentication) Missing SIP Features IP Spoofing for SIP Trunks Proxy Headers, Custom Headers, Invoice Headers SDP and ISUP Support Numeric Fuzzing for Services is NOT Buffer Overflow Dial Plan Fuzzing, VAS Fuzzing
  • 26. 26#occupygezi How This SIP Library Helps Fuzzing Tests Skeleton for Feature Fuzzing, NOT Only SIP Protocol Multiple SIP Service Initiation Call Fuzzing in Many States, Response Fuzzing Integration With Other Metasploit Features Fuzzers, Encoding Support, Auxiliaries, Immortality etc. Custom Header Support Future Compliance, Vendor Specific Extensions, VAS Raw Data Send Support (Useful with External Static Tools) Authentication Support Authentication Fuzzing , Custom Fuzzing with Authentication Less Code, Custom Fuzzing, State Checks Some Features (Fuzz Library, SDP) are in Development
  • 27. 27#occupygezi Fuzzing SIP Services : Request Based Soft Switch (SIP Server) Clients Gateways OPTIONS/REGISTER/SUBSCRIBE/INVITE/ACK/RE-INVITE/UPDATE.... 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error Fuzzing Targets, REQUEST Fields Request Type, Protocol, Description Via, Branch, Call-ID, From, To, Cseq, Contact, Record-Route Proxy Headers, P-*-* (P-Asserted-Identity, P-Charging-Vector...) Authentication in Different Requests (User, Pass, Realm, Nonce) Content-Type, Content-Lenth SDP Information Fields ISUP Fields 100 Trying 183 Session Progress 180 Ringing 200 OK
  • 28. 28#occupygezi Fuzzing SIP Services : Response Based Soft Switch (SIP Server) Clients Gateways OPTIONS INVITE/ACK 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error 100 Trying 183 Session Progress 180 Ringing 200 OK INVITE Myself / INVITE I'm Proxy MALICOUS RESPONSE MALICOUS RESPONSE Potential RESPONSE Types for Fuzzing
  • 29. 29#occupygezi Hacking SIP Trust Relationships NGN SIP Services Trust Each Other Authentication and TCP are Slow, They Need Speed IP and Port Based Trust are Most Effective Way What We Need Target Number to Call (Cell Phone if Service is Public) Tech Magazine, Web Site Information, News Baby Steps Finding Trusted SIP Networks (Mostly B Class) Sending IP Spoofed Requests from Each IP:Port Each Call Should Contain IP:Port in From Section Note The Trusted SIP Gateway When We Have a Call Brace Yourselves The Call is Coming
  • 30. 30#occupygezi The Wall # Hacking SIP Trust Relationships Slow Motion 192.168.1.201 – Izmir Production SIP Service Ankara Istanbul Trusted International Operator IP Spoofed Call Request Contains IP:Port Data in From White Walker
  • 31. 31#occupygezi The Wall # Hacking SIP Trust Relationships Brace Yourselves The Call is Coming 192.168.1.201 – Izmir Production SIP Service Ankara Istanbul Trusted International Operator IP Spoofed Call Request Somebody Known in From Billing ? CDR ? Log ? Come Again?From Citadel White Walker
  • 32. 32#occupygezi References and Further Information My Personal Page (viproy.com/fozavci) Hacking Trust Relationships Between SIP Gateways SIP Pen-Testing Kit for Metasploit Framework Pen-Testing Guide for SIP Services in English Pen-Testing Using Metasploit Framework in Turkish (300 Pages) Blog : fozavci.blogspot.com SIP Pen-Testing Kit for Metasploit Framework http://github.com/fozavci/viproy-voipkit Metasploit Project (www.metasploit.com) Metasploit Unleashed www.offensive-security.com/metasploit-unleashed/Main_Page
  • 33. 33#occupygezi DEMO Attacking SIP Servers Using Viproy SIP Pen-Testing Kit http://www.youtube.com/watch?v=AbXh_L0-Y5A