BruCON Training: Module 2, Attacking signaling protocols

Published on Sep 1, 2010

This is part of the BruCON VoIP security crash course training intro. For more information about the course and to secure a place, check out the BruCON website.

Most VoIP systems perform signaling using a protocol separate from the media transfer protocol. Signaling protocols allow VoIP systems to register, authenticate, and initiate phone calls, and they tend to carry a lot of intelligence with them. In this part of the training, Joffrey and I will walk you through the following signaling protocols and the attacks that apply to them:

  • SIP - an open standard
  • IAX2 - used by Asterisk PBX and compatible phones
  • SCCP (Skinny) - used by Cisco systems
  • MGCP - the media gateway control protocol, typically used between gateways and IVR systems
  • H.323 - found in gateways and older systems

The fun part? The exercises! We plan to take a hands-on approach rather than simply describe the protocols and attacks.

These are some of the practicals we have in store:

  1. Sniffing SIP, in order to understand how it all works and also to spy on the metadata or signaling
  2. Scanning SIP, to see how we can easily identify SIP devices very quickly using SIPVicious and other tools
  3. SIP extension enumeration and online password cracking, to better understand how VoIP attackers are in fact making phone calls for free at the expense of their victims
  4. Avoiding toll / fraudulent calls, featuring the main ways in which attackers are abusing SIP PBX servers out there
  5. INVITE floods, which are still an effective attack and can bring down various SIP-enabled devices
  6. Fuzzing SIP, the existing tools and their usage
  7. Using John the Ripper to crack SIP passwords, which also includes capturing the SIP authentication messages and patching John the Ripper to crack the hash
  8. Online and offline password cracking in IAX2, the tools and their usage
  9. Scanning IAX2, which allows us to find Asterisk servers
  10. MiTM attacks using an SCCP proxy, which is a fun way of playing with the phones and can allow us to turn Cisco phones into remote spy bugs
  11. Capturing FAC (Forced Authorization Code) codes, a restriction usually used in Cisco VoIP environments to allow / block international calls
  12. Call fraud with MGCP, since MGCP has little or no security
  13. DoS on MGCP, or how to cause your VoIP gateway to go down
  14. RTP redirection, which can allow all sorts of fun (and sometimes profit)
  15. CallManager hijack (details later ;-))

With all these exercises we expect the attendees to get really busy and to gain useful hands-on experience with the signaling protocols.