FATIH OZAVCI: Test. Okay. Okay? Hi guys, welcome. First of all, my apologies about my English level. (inaudible) It's a Jedi tradition. Just forgive me.

I'm Fatih Ozavci. I've been a penetration tester for 13 years. My special expertise is voice over IP servers, voice over IP infrastructure, mobile applications, and also other things.

I'm the author of the Viproy Voice Over IP Penetration Testing Kit. Also, I published a small paper about SIP trust relationship tracking. Also I demonstrated the Viproy Voice Over IP Penetration Testing Kit yesterday at Black Hat Arsenal. Anyone from Black Hat Arsenal here? Okay.

We shall ramp up with this Viproy part. Viproy is a penetration testing kit, and I will discuss a few advanced attacks, and Viproy has a few modules to demonstrate and exploit these attacks. And this is a small Viproy demonstration. (Music)

Viproy has a few modules right now, but I'm working on three more modules. It's a Metasploit modules pack. You can download it and extract it into Metasploit. So you can use it to discover SIP infrastructure, voice over IP infrastructure; you can collect information from SIP servers; also you can get a few important things from SIP servers. Also you can enumerate target servers. Here is Viproy in action.

It has debug support. Also, it has verbose support. That means you can easily collect information from debug data.
Discovery can be used for collecting information, so we can use all methods, all SIP infrastructure and protocol methods, in this collecting part and discovery part. So Viproy has REGISTER, OPTIONS and SUBSCRIBE and a few methods to discover features in SIP servers. This is basically a SIP client, but a smart one. You can easily develop another module for your custom tasks or something else. It has a SIP library, actually a Metasploit Rex library.

That's the register task. We can register an infrastructure, or we can register a client, or we can register a user using Viproy to a SIP server. Also, we can initiate calls with a user or without a user, or with a SIP proxy or not. Also, we have a few headers in a SIP request, so we can monitor these requests and these headers to bypass billing, to bypass restrictions of SIP-based CS or SIP-based (inaudible). This is a basic demonstration, the basics of Viproy. I will talk about these basic features now, but I will discuss a few advanced attacks in this presentation. Also, I have another demo at the end of this presentation for these advanced attacks.

It's really hard to get him to speak at DEF CON; give him a big round of applause. (Applause) So this is his first time speaking, so we need to do a shot on stage. (Applause)

FATIH OZAVCI: Okay. Cheers.

Cheers.

FATIH OZAVCI: Okay. That was a surprise.
Do you need another one?

FATIH OZAVCI: No, not now. Maybe later. (Laughter)

All right. Thanks a lot.

FATIH OZAVCI: Thank you, guys. (Applause) For some reason I'm fine right now. So okay. We should pass this part, this action, okay. We have a few people coming. We can start the actual presentation.

You can watch this video that I just played. It's already on YouTube. Also, I played this video at the (inaudible) conference to show Viproy's basic features and basic attack abilities. So I will discuss these attacks, and how we can use these attacks to bypass the security features of SIP servers.

And this is my agenda today. Discovery, footprinting, collecting information, initiating a call, initiating a bypass for CDR or billing or restrictions or something else. Also, we have another attack, a SIP (inaudible) attack. I will explain it. Also, fake services and MITM. We have another module for SIP proxies, for MITM hunting. Also, SIP servers should be available 24/7. So we can attack them using those features or something else. Also, we have another feature, hacking SIP trust relationships, because they trust each other, so we can act just like one. Also, we can use these SIP features or SIP trust hacking features to attack another client, a specific mobile client or desktop client. Also, fuzzing in advance, another subject for us.
I will discuss a few fuzzing features. Out of scope is actually RTP. I will add RTP features later. Also, additional services are not the subject. Also, XML or JSON based supporting services are not required for this presentation.

SIP is the Session Initiation Protocol; it's just a signaling protocol for NGN services or SIP-based telephone services. Next Generation Network is post-modern TDM devices. Actually, sorry. HP blade-like systems. They have three or maybe more softswitches, RTP proxies, SIP proxies, or something else, so they should connect MSAN or other devices. I will show an infrastructure for this sample. And so the SIP and MEGACO protocols, also RTP, are part of this NGN infrastructure. Also SIP should be implemented securely in NGN platforms. So we will hack this SIP protocol and we will hack this NGN infrastructure. They use Next Generation Network terms, but I believe it's not, because SIP is an old protocol, SIP has many significant weaknesses and we will discuss these weaknesses in this presentation.

This is a sample SIP server in your network. If you have a network, a commercial network, it should be placed just like that. By the way, commercial services are completely different. This is a sample of the Next Generation Networking infrastructure. The SIP server, also known as a softswitch, is part of this infrastructure.
SIP servers, also other servers, such as VAS or DBI or CDR, these servers should be connected with the softswitch. Also, MSAN devices, or media gateway devices, should be implemented for endpoint termination. For the connection between MSAN or media gateway devices and softswitches, the protocol is MEGACO. Other connections, especially redirecting calls between softswitches, should be SIP.

Also, you should know you use many softphone applications on your mobile phones. That means you already have SIP services and you are a customer of a SIP provider. But here is the thing. They think they are secure, but they are not. Especially their infrastructure is vulnerable. This infrastructure is not closed, but they think it's closed. Actually, it's open physical access. Also, you can easily manipulate endpoint terminators, such as media gateway devices, smart modems or something else. Also, they think that using VoIP requires specific knowledge. That's no longer the case with Viproy because we have many features to easily test SIP servers' features and security.

Also, they focused on toll based attacks, toll fraud or something else, but we have many attacks. Spying, phishing, surveillance or DDoS attacks or attacking actual mobile clients or desktop clients. Also, one of the servers or another are important vulnerable servers.
Also, they think their vulnerable devices are well and securely configured. They are vulnerable. They also use fairs. They use actual legacy fairs, Solaris 5 or Linux Slackware 2.1 or something else. So we can easily bypass and exploit them. But that is not our real subject.

We will discuss a specific one, the SIP protocol. Viproy is a Vulcan word that means "call." Viproy has many modules to test SIP server security. So we can actually initiate a few advanced attacks and mostly all basic attacks against these target SIP servers, using Viproy's modules. Also, it has custom header support. It has authentication support, but in many ways: proxy authentication, server authentication, for many different hashing algorithms, if you want. Also, I have a few new modules, such as a trust analyzer, a short message service tester, a bomb scan module DDoS initializer, or directly a MITM proxy tool. You can use this tool to test the attacks which we will discuss now.

Basic attacks are important. They are not new, but we have no sufficient tool to analyze these types of attacks. So I'm going to go to the left with this. So there is SIPVicious and other tools, but they are not sufficient for penetration testing of SIP servers. We should create another one. I should create another one, because I need it.
So I created Viproy to analyze the security of SIP servers, especially their features: discovering SIP servers, enumerating SIP servers, collecting remote users' internal numbers of clients, brute-force attacks for internal numbers, users, with a SIP password list or not. And, also, identifying specific numbers, identifying other services or something else. If you use these tests after authentication, you have no choice except Viproy. By the way, brute-forcing or INVITE features, they are required to test special features of SIP security. Also we can initiate direct INVITE attacks. We can initiate INVITE spoofing attacks or we can initiate (inaudible) INVITE attacks. So we can easily bypass CDR records or ACLs, or maybe other things. Viproy easily automates these types of attacks.

This is basic discovery. This discovery step is basic, just like in other penetration testing types. We should send a request and we will wait for a response to analyze. So we can send OPTIONS, REGISTER, INVITE, SUBSCRIBE messages or other methods. So we have all of them in Viproy. And another one is visible in the headers in the response, so the left side, generic headers, and the right side, proxy headers and warnings. We can collect much information from these headers: MSAN devices, invoicing information, remote server software or whether it's vulnerable or not.

REGISTER is another important test, because many of the other services have no authentication.
Another thing is these specific services or specific trunks or specific gateways have no authentication, to heat up or to speed up the connection. So we can initiate a REGISTER attack to detect these no-authentication services. Also, we can register our specific port and IP address to initiate raw attacks, such as raw fuzzing. We will discuss it in the fuzzing section. But you should know SIP servers have many authentication styles. So if it has an authentication, just like that, it takes your registration and it sends a privileged ACL, or it accepts your specific IP address and port for other requests. If this type of authentication is available, you can register your specific port and IP address to initiate other attacks, such as direct INVITE, spoofing or fuzzing things. By the way, the REGISTER attack could be used for brute force or something else. We have many more attack types.

Also, we can bypass many things using proxy headers, or a few specific features such as changing the "From" field, changing the "Contact" field, adding specific proxy headers such as the charging vector, or changing identity over proxy headers, such as (inaudible) identity, calling ID or P-Preferred-Identity. These headers could be used to bypass billing or security or other SIP-specific rules, acting just like another SIP proxy. We can use these attacks. Also, we have another attack just like INVITE or UPDATE.
We can send an INVITE request or UPDATE request during a call, to change its charging vector, change its billing features. So we can use these features. Also, you can develop a specific tool or a specific module for Viproy. You might request issues just like that. We will send an INVITE and we will get a specific response. We can change many headers, so we can easily bypass rules, protected or not. Specific headers I already mentioned. Also, it's just basic usage. But we will use INVITE for specific tests, for another test, just the trust analyzer or something else.

This is the SIP bounce attack. It's similar to the bounce attack. If the remote target has proxy support, we can use it to scan other servers, which are trusted or not. So we could use it basically. These are the screenshots, so this tool exposes user agents or servers and remote servers and untrusted ones. It works just like that. We will send a REGISTER or OPTIONS or INVITE request to the target remote server. Also, we will change its RION or URI to collect another one so we can collect this information. It's important for us, because remote servers and frontend servers are well protected, and these servers have many connections. So we could use these remote targets if there is proxy support. Scan other specific features and other inaccessible servers; also we can initiate other attacks, such as SIP trust relationships. Also, just now I should mention another thing.
I have a friend for you. I will mention it after -- sorry. I should have mentioned it after the video, but I already shot, you know, so this is my friend. It's a gift for the best question. It's a five-year-old special Turkish liquor. I'm from Turkey, as you know. So if you shoot me a good question, you will have this bottle. If we have no time during the Q&A section, you will find me at the Chill Out Bar, or the Q&A section, or just push me or attack me to ask a question. So, we will continue again.

Fake services and other subjects. We should discuss fuzzing features, or specific MITM attacks. Because our regular SIP clients, general SIP clients, have more features to bypass billing or security features. Also, they have no support for spoofing. So we will add MITM tools. We can change our client's features. For example, adding INVITE support, INVITE spoofing support, specific INVITE header support to bypass billing. Also, we can use this feature to fuzz SIP clients or servers. We can easily change specific data with fuzzing requests, so we will have a few crashes from SIP clients or SIP servers.

Fake services is not yet ready, not really yet. By the way, MITM is ready. I updated Viproy's GitHub repository, so you can easily download it and you can use it. This MITM feature is useful for testing or adding specific features. You can use it freely.
But I should mention if you use it to collect information, to collect credentials from clients, such as MITM attacks, or something else, you should use ARP scan or ARP spoofing or VLAN hopping attacks. You should be the man in the middle to collect this information.

Also, DDoS is another important thing that we will discuss about SIP servers. It's not a server, it's a business, so money is really important for them. So we can attack their availability, locking all users if they have an account lockout policy. Also, we can initiate many calls at the same time, so we can overflow the call limits of the server. Or we can ring all clients at the same time. It's possible. So we can use those things easily. By the way, we can use these attacks to bypass a few features. For example, if you use... if you act... if you need to act just like a SIP proxy, you should disable it. So you can use these tools to disable or make unresponsive this remote SIP server.

By the way, we have another attack. SIP servers send many responses. It's an RFC. So we can initiate a bogus request, for example, an unauthenticated INVITE, or something else. They will send us many responses, 10 plus, 20 plus, maybe more. So we can send IP-spoofed requests to target SIP servers. So this remote SIP server will send responses to another DDoS target, just like that. So we can search many servers, many SIP servers, and we can collect all of them to initiate a DDoS attack.
You should remember all SIP servers, all SIP services, should contain many SIP servers for gateway connection, for international connection, for redirection or for backup. So we can use all of them in the same network. And acting as another one, we cannot access. Also, trust relationship hacking is another subject. We can act just like a SIP proxy. So we can act and we can initiate a call. We can send messages or we can attack mobile clients via these SIP trust relationships. In general, servers should trust each other, because TCP is slow and TLS or other encryptions are slow. By the way, they require much CPU usage. So in general infrastructure vendors prefer UDP-based SIP identification and UDP-based trust. So we can attack just like a SIP proxy or something else.

We need specific information for this attack. We should have an internal number. Basically, we should be a customer of this server. Because we should have a software or a hardware client to view the caller ID. We will spread IP-spoofed packets to this target server, and if this server trusts other IPs, there will be a call and we will learn its basic IP and port. It's in baby steps. We should find trusted SIP networks, mostly B class. We should send requests, INVITE requests, for each IP and port. That means 60,000, maybe more requests. If this server, the target server, accepts one of them, we will have a call. But we will have no idea about which one is trusted.
Here is the thing. We have an INVITE spoofing section, so I will add the IP and port section in the "From" field. That means when we have a call, we shall see which IP and port is trusted in the "From" field and calling number. Okay.

Here is the demo. There is an attacker. The attacker has no idea about the Ankara or Istanbul IP addresses or networks. He should know only the B class network, maybe the C class network. He should have a soft client from the Izmir server, this production server. He will supply... he will initiate IP-spoofed packets from this field, just like sending from Istanbul or Ankara. And when we have a call, we will see the IP address and port. That means Izmir trusts the Istanbul IP address and port. Okay. How can we use it? Trusted, but what? We can't initiate a call. If we have a specific IP address and port, we can send a specific IP address and port and we can send a specific From field and we can initiate the call. So INVITE spoofing, also, it's CDR and billing bypass.

By the way, probably you should ask or you will ask: it's just one packet and we used IP spoofing and we have no responses, so how does the call work? How will it resume? It's not. All required is we have a packet to send another one. For example, internal number, 101. One packet is sufficient for many attacks. I will show you. By the way, the MESSAGE protocol... the MESSAGE method has no resume or no state.
So you can send this message, a short message, or something else, to the remote server, just like it came from Istanbul or something else, which it trusts. That means you can exploit specific voice over IP features, voice mailbox features, value-added services, just like sending a registration request for us with short message service: invoice me at this amount. We can spoof this message. So we can change billing features. Or we can activate features. I'm not here, redirect me to something else. Okay, just send us a message. Which one is required? Or why you will be available. Okay, "redirect", space, my internal number. It's a small message. We can send it. So we can handle all calls. It's possible.

By the way, we can use it to initiate DDoS attacks. For example, ringing all clients by specific features, initiating many calls to overload servers or VAS services, value-added services, or CDR fields. By the way, we can attack specific mobile clients or desktop clients. When we send this INVITE request or MESSAGE request, we have a few features. From, From name, Contact fields will be saved. We can send this request to the remote server and the remote server will redirect these fields to the client. So we can fuzz it or we can crash it, with many AAAs in the From field or From name field or Contact field. Also, we have MESSAGE support, so we can exploit this vulnerability over a message, too.
Also, maybe, you know, SIP and SDP have many features. So this type of SDP request or SDP content should be redirected. Also, MIME type support should be available. And you can manipulate MIME types or the content of these requests to crash the mobile application. This client trusts the remote IP address and port, so we can initiate IP spoofing easily. Basically, I crashed an application. On a phone, an iPhone SIP client, you can download it from the App Store. It has a vulnerability. It has no border control in the From field, so we can send 550 chars in this field and it will crash. It will be crashed. So we can exploit it.

Okay. We should summarize and collect it. We can send a packet from Istanbul, which we have no idea about and cannot access, to Izmir, the production server. It has a SIP address, yes. But it will redirect this call to another one, something else; we have no idea of this IP address. But it has an internal number, just your SAN number or something else. So there is no user interaction; the application will crash. There is a client attack. So many applications can be vulnerable to this type of attack. Asterisk has a limit for this From field, only 1000 chars, maybe more. By the way, SIP SBCs or other commercial products have no restriction for this From field. So we can use this From field, From name field, Contact field or other MIME types to crash specific applications.

Also, we have fuzzing.
Everybody loves fuzzing. But fuzzing is completely different with the SIP protocol. You have many fuzzers, but these fuzzers are old. And it's really important, because vendors use these old tools to evolve their products. So you have no novelties to find using these tools. You should change your perspective on it, a vision. We can fuzz it in many ways, acting just like a SIP server, a SIP client, a MITM attack or just like... acting like a proxy or something else. But old school fuzzing is not sufficient. Request-based and response-based fuzzing, the difference. It has a few differences.

Request-based fuzzing is popular and we have many tools for request fuzzing. But they have no state features, they cannot track the whole call, and they cannot fuzz during a call. Our newest SIP fuzzing tool was published at DEF CON 2007. So we have had no new tool for almost six years. We can develop our specific fuzzing tool, especially for response-based fuzzing. So we can use these features in Viproy's specific library. We can initiate specific fuzzing features.

How about smart fuzzing? Smart fuzzing should be really smart. It should have state support. It should have many methods, such as SUBSCRIBE, ACK, PRACK, or INVITE, re-INVITE, UPDATE. We have no support in the meta tools. Also, fuzzing reauthentication is a completely different thing because we have no tools to fuzz remote servers after authentication or reauthentication. So we have another thing.
Yes, fuzzing is cool, especially crashing an application. But in SIP servers we should fuzz specific numbers for value-added services, directing its features, directing free call features or directing a few specific things. So you can easily create your basic fuzzer.

Okay. Viproy. How it helps you. It has a basic SIP library. A few modules have fuzzing support. I will show you. Also, we have custom header support, so we can easily bypass many things before fuzzing. Also, last line, we can develop more. We can easily develop our tools. Also, it has raw request support, so you can combine it with your generic fuzzer. It's really free.

Fuzzing SIP services, request-based. Okay. You already know this request-based fuzzing and I will bypass it. But you should know headers should be fuzzed. Proxy headers or something else. Okay.

Here's the thing. Response-based fuzzing is not popular. Also, there is no tool to fuzz the response features of a SIP server. Just imagine you have two clients, one for acting just like a remote SIP client, and one for attacking and fuzzing the remote server during this call. You can initiate two clients separately and you can drive them separately. Also you can initiate many using this library. Starting one, starting two, after that you will initiate a call from the second one and the target is the first one. Also, you can add a re-INVITE fuzzing feature during this call.
You can add STP fuzzing feature during this call. 286 00:38:05,650 --> 00:38:12,650 Also, this response is important, because when you send a request to a server, server 287 00:38:13,289 --> 00:38:20,289 redirects the request to another client. If this client sends bogus responses, this remote 288 00:38:21,950 --> 00:38:28,950 server should assess and analyze and execute this response. 200, okay, such as. So we can 289 00:38:30,440 --> 00:38:35,950 send bogus responses. So it's a specific feature. You can develop 290 00:38:35,950 --> 00:38:42,950 your tools using Viproy. Viproy has many features. So we have a few things to do a lot, such 291 00:38:44,460 --> 00:38:51,460 as advanced fuzzing support, RTP support, TCPILS support, or many more. By the way, 292 00:38:51,740 --> 00:38:57,339 it's MSF licensed so you can download it freely. You can change it. You can develop your tools 293 00:38:57,339 --> 00:39:04,339 with this library. That's it. I will show another demo. This demo prepares 294 00:39:07,680 --> 00:39:14,680 to show SIP balance attack, hacking SIP transrelationships, directing process servers, initiating a fake 295 00:39:18,440 --> 00:39:25,440 call. After that, crashing MMIT white lines. This is a sample. I have a network. Actually, 296 00:39:32,369 --> 00:39:39,369 a small network. Three SIP servers and four SIP clients. We can initiate this SIP balance 297 00:39:42,170 --> 00:39:49,170 attack to detect servers and clients, trusted or not. We can use remote SIP proxy server. 298 00:39:58,319 --> 00:40:05,319 We will have two SIP servers now. One is ours, another one is inaccessible for us. 299 00:40:20,069 --> 00:40:27,069 Also, we have another range, 200 and 210. I will set this range to the date. Remote 300 00:40:32,319 --> 00:40:39,319 SIP servers (inaudible) during the test. As you see, there are many SIP services, one 301 00:40:50,150 --> 00:40:57,150 of them SIP server, other SIP clients. 
SIP trusts hacking is basic and old method, 302 00:41:11,210 --> 00:41:18,150 but we can use it easily for NGN platforms, especially for local network. So we can easily 303 00:41:18,150 --> 00:41:25,150 break physical network with smart models, hacking, or physical hacking, breaking locks 304 00:41:25,470 --> 00:41:30,180 or something else, and we can initiate this attack. Also, public SIP service is also vulnerable 305 00:41:30,180 --> 00:41:37,180 for this type of attacks. SIP services it should be paired with a specific 306 00:41:40,210 --> 00:41:47,210 target range and ISAT SIP server, the remote server, source remover is the potential network. 307 00:41:52,609 --> 00:41:59,609 Also, I can set up port range because they can use any port for trust or anything else. 308 00:42:04,119 --> 00:42:11,119 Also, we should set interface for IP spoofing and other requests. 309 00:42:13,279 --> 00:42:20,109 And internal number 103. And you initiate this attack. 310 00:42:20,109 --> 00:42:27,109 If you have a number, you have an IP or something else, you will learn which is trusted. Agency, 311 00:42:29,410 --> 00:42:36,410 202 and this port, 5016, is trusted for support of ACL. So I can set specifically this one. 312 00:42:48,130 --> 00:42:55,130 And I will initiate the call. This is transit host and I set from field 313 00:43:14,940 --> 00:43:21,819 for in my spoofing. I can write anything. I write occupy EZ. If you already knew, it's 314 00:43:21,819 --> 00:43:28,819 from Turkey. It's a tribute. By the way, if you don't know, you can search this tag iterator. 315 00:43:34,269 --> 00:43:41,269 Agency, you have a call. Also, we can crash mobile application. This mobile application 316 00:43:45,920 --> 00:43:52,200 is a phone, an iPhone. You can download it from app store. I downloaded it and I initiate 317 00:43:52,200 --> 00:43:59,200 execute style application, left side, and I start a debugger. And I crashed it with 318 00:43:59,859 --> 00:44:06,859 the right terminal. 
I set only set action to call. I set from field to fuzz features, 319 00:44:08,160 --> 00:44:15,160 for example, set from fuzz 515. Also, I will set to field. That means our 320 00:44:16,690 --> 00:44:23,690 destination, our internal number remote. So I initiate the debugger. You can watch 321 00:44:45,920 --> 00:44:52,920 this video from me on YouTube, too. It's available from Viproy's home page. 322 00:44:54,420 --> 00:45:01,420 HFC is real easy to use because it's a metasploit set. Left side HFC, 138 is iPhone, iPad rest, 323 00:45:11,460 --> 00:45:16,920 but I have no idea, I didn't set it in my tool. 324 00:45:16,920 --> 00:45:23,920 Initiate the debugger to debug other phone applications. SPID. And the debugger is initiated 325 00:45:29,170 --> 00:45:36,170 for this IP. This continues. When I start attack, you should 326 00:45:41,470 --> 00:45:48,470 watch and you should see left side's internal email address issue. 327 00:45:50,140 --> 00:45:57,140 We have a memory corruption in the email routine and this is a basic DDOS attack. By the way, 328 00:46:01,119 --> 00:46:08,119 it can be exploited. You feel free to develop and exploit for this, using this tool. 329 00:46:10,819 --> 00:46:17,819 So you can download this presentation from my home page, also Viproy's home page. You 330 00:46:20,480 --> 00:46:27,210 can download this tool from Viproy's home page. Also, itsget GitHub source code section. 331 00:46:27,210 --> 00:46:34,210 By the way, you have 15 minutes for any video, you can use it, and also these papers. 332 00:46:36,940 --> 00:46:43,940 These people helped me to present also. They encouraged me. I have many respect for them. 333 00:46:47,119 --> 00:46:54,119 Yes, I have only one minute, so I will be at Chili Out Cafe. I have this one for you 334 00:46:56,410 --> 00:47:02,200 if you will come to ask a specific question or a smart question, I will give you. 335 00:47:02,200 --> 00:47:02,450 Okay. 
(Applause) 336 00:47:02,259 --> 00:47:02,509 Thank you. Okay. Everybody, a couple announcements. 337 00:47:02,450 --> 00:47:02,769 If you are leaving, head out that direction, to your right, my left. We are not clearing 338 00:47:02,769 --> 00:47:03,109 the room. So that means if you'd like to stay for Mudge's talk, then you can stay where 339 00:47:03,109 --> 00:47:03,450 you are. But it's going to be crowd in here. So to help everybody that is outside waiting 340 00:47:03,450 --> 00:47:04,160 in line, if you can move towards the middle, and bunch together as much as possible, that's 341 00:47:04,160 --> 00:47:07,670 going to help everybody out and get as many people in here to see the talk as possible. 342 00:47:07,670 --> 00:47:08,069 Okay?