Presentation is loading. Please wait.

Presentation is loading. Please wait.

VoIPhreaking How to make free phone calls and influence people by the grugq.

Published byPrecious Silvester Modified over 10 years ago

Similar presentations

Presentation on theme: "VoIPhreaking How to make free phone calls and influence people by the grugq."— Presentation transcript:

1 VoIPhreaking How to make free phone calls and influence people by the grugq

2 Agenda ● Introduction ● VoIP Overview ● Infrastructure ● Security ● Conclusion

3 Voice over IP (VoIP) Good News ● Cheap phone calls ● Explosive growth in recent years ● Internet telephony converging with the PSTN Other News ● Immature security best practises ● Free, anonymous, phone calls

4 VoIP Overview

5 Agenda ● Infrastructure ● Protocols ● Signalling protocols ● Media protocols ● PSTN integration protocols

6 Infrastructure ● VoIP Phones – Software – Hardware ● Internet technology – Routers – DNS ● PSTN integration technology – Media Gateway – Signalling Gateway

7 VoIP Protocols

8 Protocols ● Separation of signalling and media ● Several competing standards – SIP vs. H.323 – MGCP vs. Megaco ● Proprietary protocols as well – Skype ● SIP is typically used for new deployments

9 Signalling Protocols

10 H.323 ● Early VoIP protocol set ● Based on ASN.1 – Think “convoluted” – Think “complex” – Think “probably vulnerable implementations” ● OpenH323 library – Complex API – Poor basis for attack tool development

11 SIP ● Session Initiation Protocol – RFC 3261 ● Based on HTTP – Error codes will look familiar ● 200 OK, 404 Not Found, 403 Forbidden, etc. – Plain text protocol ● Usually transported via UDP – Can use TCP and TLS as well

12 SIP, cont. ● Complex state engine for call handling ● Multiple open source SIP stacks – Most are poor for attack tool development

13 SIP Spec ● SIP packet comprised of command line and header fields ● Command line made: – Method and URI or, – Response code and response ● Header fields are ':' name value pairs – Value component can be list of values

14 SIP Packet Example INVITE sip:bob@biloxi.com SIP/2.0 Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds Max-Forwards: 70 To: Bob From: Alice ;tag=1928301774 Call-ID: a84b4c76e66710@pc33.atlanta.com CSeq: 314159 INVITE Contact: Content-Type: application/sdp Content-Length: 142

15 Interesting SIP Methods ● INVITE – Set up a call session ● REGISTER – Update a registrar binding ● BYE – Terminate a call session ● OPTIONS – Query a SIP device for supported operations

16 SIP Call Setup

17 SDP ● Session Description Protocol – RFC 2371 – Obsolete – RFC 3262 ● Plain text protocol ● Defines media stream parameters – Codec – Protocol – IP address and port (range)

18 Media Protocols

19 RTP ● Real Time Protocol – RFC 1889 – Obsolete – RFC 3550 ● Supports multiple codecs for audio, video ● Layered on top of UDP – For speed ● Uses ID numbers for syncronisation – Not robust as security measure

20 RTP Packet 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |V=2|P|X| CC |M| PT | sequence number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | timestamp | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | synchronization source (SSRC) identifier | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | contributing source (CSRC) identifiers | |.... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

21 PSTN Integration Protocols

22 Signalling Protocols ● PSTN uses SS7 for signalling ● SIGTRAN provides SS7 over IP ● SCTP – Stream Control Transmission Protocol – RFC 2960 – Developing signalling protocol ● Linux kernel implementation available

23 Media Protocols ● Megaco – H.323 based ASN.1 control protocol ● MGCP – Media Gateway Control Protocol – RFC 2705 – Obsolete – RFC 3435 ● Many commercial devices support both protocols ● RTP is the media transport protocol

24 VoIP Infrastructure

25 SIP Entities ● User Agent – Softphone – Hardware phone – Program ● Proxy – Provides single entry/exit point for local VoIP network – Often treated as VoIP firewall – Can provide NAT functionality

26 SIP Entities, cont. ● Registrar – Maps SIP URIs to IP addresses ● These are called “bindings” – Allows SIP UAs to roam ● Enabled via frequent bindings updates – Should require authentication to update bindings

27 Gateway Devices ● Gateway devices convert between IP encapsulated data and PSTN data ● Media Gateway – Converts RTP and PSTN voice traffic ● Signalling Gateway – Converts SIGTRAN/SCTP to SS7

28 VoIP Security

29 Nature of vulnerabilities ● Generic software problems – Memory corruption bugs ● Buffer overflows, format strings, int wraps – Race conditions ● Application specific problems – Web App ● SQL injection, LDAP injection – VoIP infrastructure ● Telephony attacks

30 VoIP Concerns ● VoIP end users – Quality of Service (QoS) – Privacy – Authentication ● VoIP service providers – Billing – Quality of Service

31 Internet Telephony Attacks

32 Historic telephony attacks ● Signalling and media over same line – In band ● Original phreaks exploited access to signalling band – Blueboxing ● Eradicated with separation of signalling and media – Out of band

33 Attacks against VoIP users ● Session Hijacking – RTP Hijacking – SIP redirection hijacking ● Re-INVITE ● Spam over Internet Telephony (SPIT) – SIP 'Alert-Info' header – Not entirely sure of the economics of SPIT

34 Against VoIP users, cont. ● Media stream injection – Various private tools exist ● Media stream monitoring – RTP stream sniffing – SIP redirection – SIP 3 rd party injection ● Denial of service

35 Attacking VoIP service providers ● Billing attacks – Mis-charged calls ● Various SIP attacks involving spoofing – Free phone calls ● MGCP attacks ● SIP attacks ● Hijack equipment – Usually very insecure “embedded” devices

36 SIP spoofing ● SIP packets provide two core identifier URIs – From – Contact ● Mismatches between the two can exploit poorly developed software

37 SIP spoofing example

38 MGCP Attacks ● MGCP spec on “security considerations”: Security is not provided as an integral part of MGCP. Instead MGCP assumes the existence of a lower layer providing the actual security.

39 MGCP Attacks -- Techniques ● Hijacking active calls – MDCX – modify connection ● Creating new (free) calls – CRCX – create connection ● Denial of service attacks – DLCX – delete connection

40 MGCP Attacks Example

41 Attacks using VoIP service providers ● Caller-ID spoofing – Impersonate phone numbers ● Voicemail ● Credit card authorisation ● Etc. etc. etc. ● Full ANI spoofing – Anonymous phone calls – Mis-billed phone calls – Scams involving 'pay by phone' services

42 Abusing nufone.net ● Allows caller ID spoofing by default SetCallerID ( ) ● Combined with a misconfigured VoIP calling card – Full ANI spoofing – Empty portions of the ANI are filled in from the Caller ID information

43 Phone Attack Conc. ● Multiple VoIP attack usages – Against VoIP end-users – Against VoIP service providers – Using VoIP service providers ● VoIP attacks enable additional criminal activities

44 Conclusion ● Existing security solutions are immature ● Convergence of (trusted) PSTN and (untrusted) IP networks happening rapidly ● Brave new world of VoIPhreaking is emerging

45 Q & A

Download ppt "VoIPhreaking How to make free phone calls and influence people by the grugq."

Similar presentations

The leader in session border control for trusted, first class interactive communications.

The leader in session border control for trusted, first class interactive communications.
SIP, Presence and Instant Messaging

SIP, Presence and Instant Messaging
SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.
VoIP PRESENTATION BY HÜSEYİN SAVRAN 220702044. OUTLINE PSTN an brief history of telephone.

VoIP PRESENTATION BY HÜSEYİN SAVRAN OUTLINE PSTN an brief history of telephone.
Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation
1 IP Telephony (VoIP) CSI4118 Fall 2005. 2 Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.

1 IP Telephony (VoIP) CSI4118 Fall Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.
Johan Garcia Karlstads Universitet Datavetenskap 1 Datakommunikation II Signaling/Voice over IP / SIP Based on material from Henning Schulzrinne, Columbia.

Johan Garcia Karlstads Universitet Datavetenskap 1 Datakommunikation II Signaling/Voice over IP / SIP Based on material from Henning Schulzrinne, Columbia.
Microsoft ISA Server H.323 Gateway and Gatekeeper Overview of IP Telephony, H.323, and ISA Server H.323 Support.

Microsoft ISA Server H.323 Gateway and Gatekeeper Overview of IP Telephony, H.323, and ISA Server H.323 Support.
Running SIP behind NAT Dr. Christian Stredicke, snom technology AG Tokyo, Japan, Oct 22 th 2002.

Running SIP behind NAT Dr. Christian Stredicke, snom technology AG Tokyo, Japan, Oct 22 th 2002.
July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.

July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.
Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.

Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.
Voice over IP Fundamentals

Voice over IP Fundamentals
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)
Camarillo / Schulzrinne / Kantola November 26th, 2001 SIP over SCTP performance analysis

Camarillo / Schulzrinne / Kantola November 26th, 2001 SIP over SCTP performance analysis
Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)

Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)
Session Initiation Protocol Winelfred G. Pasamba.

Session Initiation Protocol Winelfred G. Pasamba.
Session Initiation Protocol (SIP) By: Zhixin Chen.

Session Initiation Protocol (SIP) By: Zhixin Chen.

Similar presentations

Ads by Google