Archive for the 'VoIP Security Tools' Category

Weaponizing the Nokia N900 – Part 1

Thursday, July 22nd, 2010 by Shawn Merdinger

In the 80s movie “The Color of Money” there’s a great scene where a player challenges Tom Cruise’s character to a game. He strolls up to Vincent and says, “So what you got in there?”, to which Vincent replies, “Doom.”

This is akin to how I felt a few weeks ago after I finally got ahold of a Nokia N900 smartphone. Calling it a phone is a bit of a stretch, as it is primarily a Debian Linux tablet with impressive hardware specs and a huge number of .deb packages available for installation…oh, and you can make cellular phone calls with it. Many people use this phone, and despite some glitches it is rapidly developing into a formidable platform for security tools and penetration testing.

Broadly speaking, the objective of this series of blog posts is to introduce folks to the tools available and the potential for this phone as a security testing platform. Given that I’m a bit late in obtaining this phone, some smart people out there have already started to address the N900’s capabilities and available tools, and I would be remiss not to mention, and build upon, their insightful work. The key phrase here is “build upon” and get the word out, not to steal or simply re-hash their fine work and efforts!

I’ve one caveat to this series of blog posts. As my N900 is for now a “production phone” for me, in that I need to use it and can’t brick it just yet, the path of this blog series on “Weaponizing the Nokia N900” will progress from known, tested and functioning security tools on this phone (and therefore lower risk of bricking) to more advanced, edgy tools that require more tweaks and modifications, such as replacing the stock kernel. If someone out there finds this series useful, and has interest in furthering research on running security tools on the N900, I’d welcome the donation of an N900 for development and testing, and would credit them for their support. Please ping me offline if you’re interested :)

NeoPwn and the Nokia N900

One project to watch in particular is the upcoming release of NeoPwn, which is based on BackTrack and bills itself as the “First Ever Network Auditing Distribution for a Mobile Phone Platform” and is due for release sometime this month, hopefully before DefCon. I am fortunate to be in the BETA and will write up a blog post for this series on NeoPwn once I get full access to the NeoPwn toolset.

Worthy Resources on Nokia n900 Security Tools

1. Metasploit on the Nokia n900. ‘Nuff said.


2. knownokia.ca blog: SimonLR wrote an excellent post on “Using the N900 for Fun and Profit” that covers several awesome tools, such as Metasploit, Dsniff, SSLstrip, Aircrack-NG, etc. He’s clearly savvy and his future blogging on tools for the N900 will be great to see.

3. Asterisk on the n900


When I added the extra package repositories to my n900, I was more than a bit surprised to see a full version of Asterisk available as a .deb package. Wow. Think about this for a moment. One can run a full Asterisk server on a phone in their pocket. The capability of Asterisk on the n900 could enable attackers to do all sorts of mischief, such as running the SPITTER tool from their pocket as a simple example. From a surveillance aspect, think of “bad people” with n900s in their pockets running Asterisk servers on their phones and connecting to each other point-to-point over encrypted tunnels — now that’s a challenge.

Stay tuned for more posts on “Weaponizing the Nokia N900” :)

New Open Source VoIP software released

Thursday, May 7th, 2009 by Jason Ostrom

Two new versions of existing open source VoIP software were recently released and deserve mention.

Last week, the folks at SIPfoundry released the 4.0 version of their SIP server, sipXecs. I don’t hear a lot of talk about sipXecs, so let me say a few things about it here:

* It’s a great SIP software proxy/registrar package, with an active development and support community.

* It’s free.

* It has a distributed component software design, which optimizes HA configurations for clustering.

* It has a very intuitive web console GUI, and a bootable CD with all software pre-loaded on it.

* Great documentation wiki. For example, I set up a working SIP trunk configuration in under five minutes.

This is not to take away from other high quality open source SIP server software projects like OpenSIPS, but I’ve been using and testing the previous version of sipXecs for a while now, and love this software. I’ve just started testing this exciting new 4.0 release. The most noticeable feature of this release is full SIP trunking and remote worker support (far-end and near-end NAT traversal, and HA media anchoring). What this means is that you have a full solution for running your own SBC and SIP proxy. The sipxbridge component of sipXecs is the SBC software component. With sipXecs and sipxbridge, you can set up a proof of concept service provider network in your home, set up an enterprise lab for interop testing and comparison to commercial SBC vendors, use the software for a security testing demo toolkit, or just use the solution to register your remote phones into your network and place outbound calls. Great job and thanks to SIPfoundry for this work.

A new version of the VoIP Hopper security assessment tool was released earlier this week, with Nortel VLAN Discovery support. VoIP Hopper is a free security assessment tool that supports VLAN Hopping: in essence, it mimics the behavior of an IP phone for the Voice VLAN Discovery protocol or mechanism. Then it rapidly automates a VLAN Hop, tagging the DHCP request and all subsequent voice traffic with the discovered Voice VLAN ID. Since most new VoIP deployments segment voice onto discrete Voice VLANs to satisfy QoS requirements, an attacker must sometimes first gain access into the Voice VLAN as a prerequisite vector, before running other VoIP exploits. VoIP Hopper enables a regular PC to become a member of the IP Phone VLAN. The tool is simple yet powerful, and has been used in many security assessments in the past. The new features of VoIP Hopper:

* Nortel Voice VLAN Discovery and VLAN Hop

* A new CDP Spoof mode for more rapid and automated VLAN Hop in a CDP network

* An integrated DHCP client 

From the VoIP Hopper website, the next features planned for VoIP Hopper are LLDP-MED support and trunk port testing.

Finally, I recently used the SIPVicious tool in a remote VoIP security assessment, and it’s a very useful tool that any VoIP security professional should have. When you look at the business risk of toll fraud / service theft, this tool can be pretty valuable in enumerating vulnerabilities that can be a risk to your business in the form of remote attackers trying to gain unauthorized access to your VoIP network and placing unauthorized calls. As VoIP proliferates, we’ll see more usage of tools like this to conduct reconnaissance of open SIP services, valid users, and the brute forcing of subscriber/user passwords. On the proactive protection side, it’s also good to see folks contributing open source proof of concepts for mitigating this risk. Here is a “Simple Asterisk Based Toll Fraud Prevention Script”. If you use an active response firewall/IDS/IPS solution, you could actually detect attempted toll fraud/service theft attacks based on a signature, and have your VoIP IPS and/or firewall block the source IP address of the would-be attacker. It’s called a “Voice Toll-Fraud Intrusion Prevention System” (VTIPS) ;-) . Good to see open source software progress in this direction.
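As an added illustration of the “VTIPS” idea described above (this is example code written for this archive, not the linked Asterisk script and not SIPVicious), the following Python detector reads Asterisk-style registration-failure log lines, counts failures per source IP inside a sliding window, and emits the firewall rule an active-response setup would apply. The log-line format is modeled on the chan_sip NOTICE messages Asterisk writes for failed REGISTERs and is an assumption; the sample lines, IP addresses, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for Asterisk chan_sip "Registration from ... failed for ..." NOTICE lines.
# Assumption: this mirrors the 1.4/1.6-era log format; adjust for your version.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<src>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample log: one source brute-forcing six extensions in a few
# seconds (scanner behaviour), one legitimate phone with two typos, one
# unrelated verbose line that the parser must ignore.
SAMPLE_LOG = [
    "[2009-05-05 10:00:01] NOTICE[2048] chan_sip.c: Registration from '\"100\" <sip:100@10.0.0.2>' failed for '203.0.113.7:5060' - Wrong password",
    "[2009-05-05 10:00:02] NOTICE[2048] chan_sip.c: Registration from '\"101\" <sip:101@10.0.0.2>' failed for '203.0.113.7:5060' - No matching peer found",
    "[2009-05-05 10:00:03] NOTICE[2048] chan_sip.c: Registration from '\"102\" <sip:102@10.0.0.2>' failed for '203.0.113.7:5060' - Wrong password",
    "[2009-05-05 10:00:03] NOTICE[2048] chan_sip.c: Registration from '\"103\" <sip:103@10.0.0.2>' failed for '203.0.113.7:5060' - Wrong password",
    "[2009-05-05 10:00:04] NOTICE[2048] chan_sip.c: Registration from '\"104\" <sip:104@10.0.0.2>' failed for '203.0.113.7:5060' - Wrong password",
    "[2009-05-05 10:00:05] NOTICE[2048] chan_sip.c: Registration from '\"105\" <sip:105@10.0.0.2>' failed for '203.0.113.7:5060' - Wrong password",
    "[2009-05-05 10:00:30] NOTICE[2048] chan_sip.c: Registration from '\"200\" <sip:200@10.0.0.2>' failed for '192.0.2.10:5060' - Wrong password",
    "[2009-05-05 10:00:31] VERBOSE[2048] chan_sip.c:     -- Registered SIP '200' at 192.0.2.10:5060",
    "[2009-05-05 10:03:10] NOTICE[2048] chan_sip.c: Registration from '\"200\" <sip:200@10.0.0.2>' failed for '192.0.2.10:5060' - Wrong password",
]


def parse_failure(line):
    """Return a dict for a failed-registration line, or None for any other line."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "from": m["from"],
        "src": m["src"],
        "reason": m["reason"],
    }


def extensions_tried(lines):
    """Distinct extensions each source tried; many per source is a scanner signal."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        user = re.search(r'"([^"]*)"', ev["from"])
        seen[ev["src"]].add(user.group(1) if user else ev["from"])
    return dict(seen)


def find_offenders(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: time_of_block} for sources exceeding the failure rate."""
    recent = defaultdict(deque)  # per source: timestamps of recent failures
    blocked = {}
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in blocked:
            blocked[ev["src"]] = ev["ts"]
    return blocked


def iptables_rules(blocked):
    """Render the drop rules an active-response hook would apply (not executed here)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip, when in offenders.items():
        print(f"{when} block {ip}: {len(extensions_tried(SAMPLE_LOG)[ip])} extensions tried")
    print("\n".join(iptables_rules(offenders)))
```

The sliding window is what keeps a single phone with a mistyped password from being cut off; only a source that fails repeatedly inside the window, as a brute-forcer does, reaches the threshold. In a real deployment the rules would be applied with an expiry so a spoofed or shared address is not blocked forever.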

Tricking SIP Endpoints Into Divulging Authentication Credentials

Tuesday, March 31st, 2009 by Dustin D. Trammell

This is a neat trick. By doing a little up-front scanning and/or guesswork, an attacker can send an INVITE directly to a SIP user agent, causing the device to ring. Then, when the user agent issues the BYE message to hang up, the attacker can respond with a 407 Proxy Authentication Required message, causing the endpoint to then respond with its authentication credentials, essentially handing them directly to the attacker.

The page linked above indicates that this attack is currently implemented in the VoIP Pack for CANVAS, so it’s essentially packaged and ready to use for you CANVAS users.  You can see a video of this being used in CANVAS here.  I would expect to see this credential-harvesting attack in other exploitation frameworks or stand-alone tools shortly…
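To show what the exchange described above looks like on the wire, and how a monitoring point could catch it, here is an added Python example (written for this archive; it is not the CANVAS module and not code from the linked page). It parses a constructed sequence of SIP messages and raises three findings a defender cares about: an INVITE reaching a phone from somewhere other than the configured proxy, a 401/407 challenge issued by a non-proxy, and a request carrying Proxy-Authorization or Authorization that is sent to a non-proxy, which is the actual credential disclosure. The addresses, Call-ID and digest values are constructed placeholders.

```python
def sip(start_line, call_id, **headers):
    """Build a minimal SIP message (constructed test data; no body)."""
    lines = [start_line, f"Call-ID: {call_id}", "Content-Length: 0"]
    lines += [f"{k.replace('_', '-')}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_sip(raw):
    """Parse the start line and headers of a SIP message; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    msg = {"method": None, "status": None, "headers": {}}
    if lines[0].startswith("SIP/2.0 "):
        msg["status"] = int(lines[0].split()[1])
    else:
        msg["method"] = lines[0].split()[0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    return msg


def find_credential_leaks(packets, trusted_proxies, phones):
    """Scan (src_ip, dst_ip, raw_sip) tuples; return (rule, call_id, src, dst) findings."""
    findings = []
    for src, dst, raw in packets:
        m = parse_sip(raw)
        h = m["headers"]
        cid = h.get("call-id", "?")
        # Rule 1: a phone should only be INVITEd by its proxy/registrar.
        if m["method"] == "INVITE" and dst in phones and src not in trusted_proxies:
            findings.append(("direct-invite", cid, src, dst))
        # Rule 2: only the proxy/registrar has any business challenging for credentials.
        if m["status"] in (401, 407) and src not in trusted_proxies:
            findings.append(("rogue-challenge", cid, src, dst))
        # Rule 3: a phone answering a challenge towards a non-proxy has just leaked a digest.
        if (m["method"] and src in phones and dst not in trusted_proxies
                and ("proxy-authorization" in h or "authorization" in h)):
            findings.append(("credential-disclosure", cid, src, dst))
    return findings


# Constructed exchange: 203.0.113.5 invites phone 10.0.0.20 directly, the phone
# hangs up with BYE, the caller challenges the BYE, the phone re-sends it with
# credentials. The real proxy (10.0.0.1) is never involved.
ATTACKER, PHONE, PROXY = "203.0.113.5", "10.0.0.20", "10.0.0.1"
CID = "c1@203.0.113.5"
SUSPECT_CALL = [
    (ATTACKER, PHONE, sip("INVITE sip:100@10.0.0.20 SIP/2.0", CID,
                          From="<sip:scan@203.0.113.5>;tag=a1", To="<sip:100@10.0.0.20>", CSeq="1 INVITE")),
    (PHONE, ATTACKER, sip("SIP/2.0 180 Ringing", CID,
                          From="<sip:scan@203.0.113.5>;tag=a1", To="<sip:100@10.0.0.20>;tag=p1", CSeq="1 INVITE")),
    (PHONE, ATTACKER, sip("BYE sip:scan@203.0.113.5 SIP/2.0", CID,
                          From="<sip:100@10.0.0.20>;tag=p1", To="<sip:scan@203.0.113.5>;tag=a1", CSeq="1 BYE")),
    (ATTACKER, PHONE, sip("SIP/2.0 407 Proxy Authentication Required", CID,
                          From="<sip:100@10.0.0.20>;tag=p1", To="<sip:scan@203.0.113.5>;tag=a1", CSeq="1 BYE",
                          Proxy_Authenticate='Digest realm="pbx.example", nonce="n1"')),
    (PHONE, ATTACKER, sip("BYE sip:scan@203.0.113.5 SIP/2.0", CID,
                          From="<sip:100@10.0.0.20>;tag=p1", To="<sip:scan@203.0.113.5>;tag=a1", CSeq="2 BYE",
                          Proxy_Authorization='Digest username="100", realm="pbx.example", nonce="n1", '
                                              'uri="sip:scan@203.0.113.5", response="<digest-placeholder>"')),
]

if __name__ == "__main__":
    for rule, cid, src, dst in find_credential_leaks(SUSPECT_CALL, {PROXY}, {PHONE}):
        print(f"{rule:24} call={cid} {src} -> {dst}")
```

Rule 3 is the one worth alerting on, since a digest response handed to an arbitrary peer can be attacked offline; rules 1 and 2 are the early warning. The cheapest mitigation the example implies is the same one the detector assumes: endpoints configured to accept signaling only from their proxy, so a direct INVITE never rings in the first place.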

Shall We Play a Game?

Friday, March 6th, 2009 by David Endler

HD Moore of Metasploit Project fame has just released a new set of free war dialing tools called WarVOX. What makes these new tools so interesting is that they leverage VoIP service providers to scan and analyze hundreds of phone numbers, finding modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders much, much faster than any modem ever could. Check out the WarVOX screenshots, which show the interface and slick reporting features.

Video demo of “sipautohack” tool

Tuesday, December 30th, 2008 by Dan York

Over in the VOIPSEC mailing list, Shawn Merdinger recently pointed out a video produced by the folks at Enable Security to highlight one of their new tools, “sipautohack”, that they sell as part of one of their packages of tools called “VOIPPack”. From their description page, VOIPPack includes:

  • sipscan – Scans the network for SIP devices and identifies the user-agent and if the device is a PBX
  • sipenumerate – Enumerates extensions on a PBX server
  • sipcrack – Launches password attacks on the PBX server
  • sipautohack – Given a target network, this module will scan for SIP devices, enumerate any extensions on all PBX servers found and try to guess their password

This video, then, is a demonstration of the last of the listed tools:


Demonstrating sipautohack from Sandro Gauci on Vimeo.

We here at VOIPSA have no connection to this tool or vendor and cannot say anything positive or negative about the tool or company… it’s just another entry in the very long list of VoIP security tools out there (see our Tools list). I just think it’s great to see video screencasts out there showing what tools like this can do. (And if you have a screencast related to VoIP security out there you’d like us to mention, feel free to contact me.)


XTest – a tool to test how well 802.1X endpoints secure your VoIP infrastructure

Sunday, November 16th, 2008 by Dan York

Back in August, the folks at Sipera’s VIPER Lab released a free test tool, XTest, that tests how well (or not) 802.1X with EAP-MD5 protects IP phones and the overall VoIP infrastructure. You can get it at http://xtest.sourceforge.net/.

(And yes, I’ve been meaning to write about this since back in August… and was intending to write a more thorough review. Perhaps I will at some point, but for now I thought I’d mention the tool’s availability.)

Mark Collier and SecureLogix release new VoIP security tools

Monday, September 22nd, 2008 by Dan York

In a message to the VOIPSEC mailing list over the weekend, Mark Collier announced the release of a new suite of VoIP security test tools. Mark, as you may recall, is the co-author with (VOIPSA Chair) David Endler of the book “Hacking Exposed: VoIP”, and as part of the book publication he and Dave made available a series of VoIP security tools through their hackingvoip.com website.

Now, Mark’s back with a second version of those VoIP security tools. He describes the new tools in one blog post on his VoIP security blog and announces their availability in a second blog post. Here’s his description of new tools:

We also built several new tools:

– Several new flood-based DoS tools, which generate floods using different SIP requests, including byeflood, optionsflood, regflood, and subflood. The regflood tool is certainly the most potent of the group.

– dirsniff and dirsortmerge – a passive scanner that builds a directory of valid SIP phone addresses. By using the dirsortmerge tool, you can manage results from this tool, as well as output from the dirscan active scanner.

– Call Monitor and sipsniffer – this tool provides a GUI that shows active SIP calls. The tool allows you to select a call and terminate it (via teardown) or insert/mix in audio (via rtpinsertsound or rtpmixsound). The tool allows you to define up to 10 sound files that can be inserted/mixed in on command. The tool also streams the call audio to the XMMS player, so you can listen in and “time” when you affect the call.

The Call Monitor tool is particularly interesting. It makes using the rtpinsertsound/rtpmixsound tools a lot easier and more effective. It makes real audio manipulation possible.

Interestingly, the tools are not being made available through Hackingvoip.com but rather directly from SecureLogix’s web site, where you have to register first to download the tools.

Mark also provides a PowerPoint presentation about the “Call Monitor” tool he mentions here. He’d mentioned this tool to me once before when we met at one of the conferences… basically it provides a “point-and-click” interface to allow you to inject or mix in new audio into existing audio streams. Making it this easy is definitely a scary prospect (and another good argument for why you should be using SRTP to encrypt audio streams).

Anyway, the new tools are now out there if you want to try them out. (Joining the long list of existing VoIP security tools.)


VoIP Hopper 0.9.9 released with improved VLAN hopping

Monday, February 25th, 2008 by Dan York

Blue Box listener Frank Leonhardt clued us in to the fact that VoIP Hopper 0.9.9 was released back on February 19th. VoIP Hopper is a tool that allows you to “hop” between the data and voice VLANs (or any other VLANs), and it was written primarily because the authors were tired of hearing people say that VLANs were a true security mechanism (Hint: they’re NOT!). We’ve written about it before and talked about it on a Blue Box episode and a Telcom Junkies show, and it is indeed an interesting test tool. Per the release notice, version 0.9.9 has these new features:

  • CDP Generator! VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any IP Phone based on CDP would do. In this CDP spoof mode, VoIP Hopper will send two CDP packets in order to decipher the VVID, then it will iterate between sleeping for 60 seconds, and sending another packet. Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.

  • Voice VLAN Interface Delete: VoIP Hopper can delete the created Voice Interface.

  • MAC Address Spoof, then exit: VoIP Hopper can change the MAC Address of an interface offline and exit, without VLAN Hopping.

You can visit the VoIP Hopper site to learn more.
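The CDP spoof mode above, and the VLAN hop that the May 2009 post on VoIP Hopper 2.0 describes (a PC imitating a phone’s voice-VLAN discovery, then sending its DHCP request tagged with the discovered VVID), both leave a recognisable footprint on the access port. As an added example for this archive (not VoIP Hopper code, and not from either post), the Python below parses raw Ethernet frames and flags two things a port-level monitor or NAC policy can act on: CDP traffic, in particular a VoIP VLAN Query, from a MAC address that is not a known phone, and any 802.1Q frame tagged with the voice VLAN from such a MAC. The CDP TLV type numbers follow Wireshark’s CDP dissector and should be treated as an assumption; the TLV payloads, MAC addresses, voice VLAN number and frames are constructed for the example.

```python
import struct

VOICE_VLAN = 200  # constructed policy value: the site's voice VLAN
# CDP TLV types as listed in Wireshark's CDP dissector (assumption, not from the posts).
CDP_TLV_DEVICE_ID = 0x0001
CDP_TLV_VOIP_VLAN_REPLY = 0x000E   # switch -> phone: "your voice VLAN is N"
CDP_TLV_VOIP_VLAN_QUERY = 0x000F   # phone -> switch: "which voice VLAN?"
CDP_MULTICAST = "01:00:0c:cc:cc:cc"
# LLC/SNAP header that precedes CDP: DSAP/SSAP 0xAA, ctrl 0x03, Cisco OUI, PID 0x2000.
CDP_SNAP = bytes.fromhex("aaaa03" "00000c" "2000")


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_cdp_frame(src, tlvs):
    """802.3 frame carrying CDP (constructed; checksum left as zero)."""
    body = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in tlvs)
    cdp = struct.pack("!BBH", 2, 180, 0) + body        # version 2, TTL 180 s, checksum
    llc = CDP_SNAP + cdp
    return mac(CDP_MULTICAST) + mac(src) + struct.pack("!H", len(llc)) + llc


def build_tagged_frame(src, vid, ethertype, payload):
    """Ethernet II frame with an 802.1Q tag (constructed)."""
    return (mac("ff:ff:ff:ff:ff:ff") + mac(src)
            + struct.pack("!HHH", 0x8100, vid & 0x0FFF, ethertype) + payload)


def parse_frame(frame):
    """Extract source MAC, 802.1Q VLAN ID (if tagged) and CDP TLVs (if CDP)."""
    info = {"src": mac_str(frame[6:12]), "vlan": None, "ethertype": None, "cdp": None}
    etype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if etype == 0x8100:                                 # 802.1Q tag present
        tci, etype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF
        off = 18
    info["ethertype"] = etype                           # a length (<=1500) for 802.3/LLC frames
    if etype <= 1500 and frame[off:off + 8] == CDP_SNAP:
        tlvs = {}
        p = off + 8 + 4                                 # skip SNAP and CDP version/TTL/checksum
        while p + 4 <= len(frame):
            t, length = struct.unpack("!HH", frame[p:p + 4])
            if length < 4:
                break
            tlvs[t] = frame[p + 4:p + length]
            p += length
        info["cdp"] = tlvs
    return info


def audit_port(frames, phone_macs, voice_vlan=VOICE_VLAN):
    """Return (rule, src_mac, detail) findings for frames seen on one access port."""
    findings = []
    for f in frames:
        info = parse_frame(f)
        src = info["src"]
        if info["cdp"] is not None and src not in phone_macs:
            kind = "voice-vlan query" if CDP_TLV_VOIP_VLAN_QUERY in info["cdp"] else "advertisement"
            findings.append(("cdp-from-unknown-host", src, kind))
        if info["vlan"] == voice_vlan and src not in phone_macs:
            findings.append(("voice-vlan-tag-from-unknown-host", src, f"ethertype=0x{info['ethertype']:04x}"))
    return findings


# Constructed port capture: a real phone, then a PC imitating the phone's discovery
# and tagging its DHCP traffic with the voice VLAN, plus the PC's normal untagged traffic.
PHONE_MAC, PC_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
PHONE_MACS = {PHONE_MAC}
DHCP_STUB = b"\x45" + b"\x00" * 19 + b"\x00\x44\x00\x43"   # placeholder IP/UDP bytes, not a full packet
SAMPLE_FRAMES = [
    build_cdp_frame(PHONE_MAC, [(CDP_TLV_DEVICE_ID, b"phone-desk-12"), (CDP_TLV_VOIP_VLAN_QUERY, b"\x01")]),
    build_cdp_frame(PC_MAC, [(CDP_TLV_DEVICE_ID, b"laptop-pc"), (CDP_TLV_VOIP_VLAN_QUERY, b"\x01")]),
    build_tagged_frame(PC_MAC, VOICE_VLAN, 0x0800, DHCP_STUB),
    build_tagged_frame(PHONE_MAC, VOICE_VLAN, 0x0800, DHCP_STUB),
    mac("ff:ff:ff:ff:ff:ff") + mac(PC_MAC) + struct.pack("!H", 0x0800) + DHCP_STUB,
]

if __name__ == "__main__":
    for rule, src, detail in audit_port(SAMPLE_FRAMES, PHONE_MACS):
        print(f"{rule:34} {src} ({detail})")
```

A MAC allow-list is deliberately the weakest part of this check: the same release notes mention that VoIP Hopper can spoof the MAC address, which is exactly why the posts above keep saying VLANs are not a security boundary and why 802.1X on the phone port, rather than CDP-based trust, is the real control.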


SIPTap Author forms VoIP Security Company

Thursday, February 21st, 2008 by Craig Bowser

Some of you may remember Peter Cox who put out an eavesdropping tool SIPTap last November.

For those who have a short memory, SIPTap monitors “multiple voice-over-IP call streams, listening in and recording them for remote inspection as .wav files.”

At the time, however, the tool didn’t appear to me to be much of a threat because it only worked on the VLAN it was attached to and only if it saw the traffic. Meaning that if you weren’t attached to a span port, a hub or used another tool such as Ettercap, you wouldn’t be able to do much recording.

BUT the tool served Peter Cox’s purpose. Apparently for some time now, Peter Cox has been preaching VoIP security to anyone who will listen… and if he’s like most IA people I know, anyone who doesn’t want to listen, but needs to. The tool, therefore, appeared to be aimed at educating people outside the IA world about the importance of VoIP security and how easy it is to eavesdrop on calls.

Now Peter Cox has started a new company, UM Labs, where his goal is to develop and deliver products that provide VoIP security in a world where the traditional security foundation of voice and data separation no longer applies.

They are already announcing three products described on the company’s website and here

New VoIP security products are always welcome and UM Labs appears to be looking towards the future to find ways to meet some of the upcoming security challenges of unified networks.

“Hacking and Attacking VoIP Systems” – Slides from my Astricon 2007 presentation about Asterisk and VoIP security

Thursday, January 17th, 2008 by Dan York

Back at the end of September, I gave a presentation down at Astricon 2007 called “Hacking and Attacking VoIP Systems: What you need to know” which talked generically about VoIP security and then got into some specific suggestions for securing Asterisk (which I posted on this blog). A number of folks have asked for the slides… and so here they are:

If you’ve seen other presentations I’ve given, it’s a fairly typical presentation of mine with the addition of Asterisk-specific information toward the end.

Comments are, of course, welcome.

P.S. And yes, there is an audio recording of this presentation which I will, eventually, get up as a Blue Box podcast.
