Tags trainings

BruCON Training: Module 4, Attacking Unified Communications

Published on Sep 7, 2010

The final module in the upcoming pentesting VoIP crashcourse is the most exciting one. In this section we look at VoIP systems as a whole. Unified communications is one of those words that have been hyped up to include everything, from chat to video phone calls and SMS. What we will look at in this section is how to go about breaking into the following during a penetration test:

- Web application security flaws in Asterisk-based PBX servers
- Attacking various services open in PBX servers, such as TFTP
- How once you’re on a PBX network, you can sometimes simply use your phone to spy on other phone calls
- How to make use of hardware taps
- Hardware phone features that can be abused
- Abuse of various exposed features in Cisco call manager accessible on the HTTP server

This module will help familiarize the attendees with the target servers and system.…

BruCON Training: Module 3, Attacking the media

Published on Sep 2, 2010

This is part of the BruCON VoIP security crash course training intro. For more information about the course and to secure a place, check out the BruCON website. We trust our phones with our sensitive data more than most other forms of communications. We may not trust sending our credit card number by email to the hotel. In the end we give it to them on the phone anyway, and it may not matter if the phone is a mobile phone or a VoIP phone.…

BruCON Training: Module 2, Attacking signaling protocols

Published on Sep 1, 2010

This is part of the BruCON VoIP security crash course training intro. For more information about the course and to secure a place, check out the BruCON website. Most VoIP systems perform signaling using a protocol separate from the media transfer protocol. Signaling protocols allow VoIP systems to register, authenticate, and initiate phone calls, and tend to carry a lot of intelligence with them. In this part of the training, Joffrey and myself will talk you through the following different signaling protocols and attacks that apply to these protocols:…

BruCON Training: Module 1, An Introduction to …

Published on Aug 31, 2010

An Introduction to VoIP technology, security threats and solutions, module 1. This module allows us to set the stage for the rest of the training. We will introduce the players - Asterisk, Cisco unified communications and other products. We will introduce the protocols briefly - SIP, SCCP (Skinny), IAX2, H.323 and MGCP. We will also look at how VLANs and other solutions are used to provide security (and where they fail).…

BruCON Training: A crashcourse in pentesting VOIP networks (update)

Published on Aug 30, 2010

We just updated the outline of the 2 day crashcourse on the main BruCON training website! In the coming days I’ll be highlighting the modules to explain what each consists of. Training registration is from this page, and for any questions get in contact with Sn0rky or myself. This is what it looks like:

Module 1: Introduction to VoIP technology, security threats and solutions

- Introduce the protocols
- Mitigation technologies
- How confidentiality / integrity / availability applies to VoIP
  - fraud
  - spying on phone calls
  - modification of phone data
  - denial of service

Module 2: Attacking signaling protocols…

A crashcourse in pentesting VOIP networks at BruCON 2010

Published on Jun 8, 2010

Joffrey CZARNY and myself (Sandro) will be hosting a crashcourse at BruCON 2010. This will be a two day workshop on the 22 & 23 September 2010. In a nutshell, we will be helping the attendees quickly get up to speed with VoIP networks and performing security assessments in that idea. More information about the training can be found at the official page. If you would like to register for the training go straight to the BruCON training registration page.…

VoIP security workshop at BruCON 2009

Published on Sep 17, 2009

I’m back in my little island after SEC-T (which had excellent content btw!) but already need to leave again. This time to Brussels for BruCON, and together with Joffrey Czarny, I’ll be hosting a workshop solely dedicated to VoIP security auditing. Joffrey will be focusing on Cisco and other vendors and I’m really looking forward to that! I, on the other hand, will be talking more about freely available software such as Asterisk, Trixbox and X-lite.…

Scanning the Intertubes for VoIP at CONFidence

Published on May 10, 2009

As I’m writing, plans are being made for my trip to Krakow, Poland for AppSecEU09 (OWASP) and CONFidence. Will be presenting at CONFidence on VoIP security and how it translates to the Internet. It will consist of a sample of the threats that exist out there and are or may be exploited by would-be criminals. What this means is that I’ll be describing a healthy dose of SIP and IAX2 abuse together with various live and recorded demos.…
