VoIP Security analysis practices

Author: OrphousV Tianyang Forum

This time I will show the implementation process of several common attack forms.

SIP
Session Initiation Protocol (ietf rfc 3261) is a widely used VoIP Protocol. SIP is responsible for creating and disabling multimedia sessions, and VoIP involves multimedia sessions. In a phone conversation, the SIP message exchange method 1 is shown.


Figure 1
First, the User Agent (User Agent), that is, the User device, is registered on the SIP Registrar. SIP Registrar maintains a database that records user information in different domains. Registration is an important step in VoIP communication. When Bob wants to contact Alice, he will send an INVITE request to a proxy server. The proxy server is responsible for locating users and routing SIP messages. When a contemporary server receives an INVITE request, it attempts to locate the caller and respond to the caller, such as DNS query and routing various SIP messages.
SiVuS
SiVuS is a vulnerability scanning tool for SIP-based VoIP networks. Figure 2 illustrates the applicability of SiVuS using a simple network.

Download(108.09 KB)
The day before yesterday
Figure 2

SiVuS has the following sub-functions:
1. SIP Message generator.
2. SIP component discovery.
3. SIP vulnerability enabled.



The following instances all use the SiVuS function.

Registration Hijacking)
Figure 3 shows a valid registration request


The "Contact" in the registration request indicates the number, IP address, and timeout settings of the user's VoIP Phone device. When a proxy server receives an INVITE request, it will retrieve the user information to know how to contact the user. In the preceding request, the target user's phone number is 201-853-0102, And the IP address is 192. 168. 10. 5. Open Port 5061 and set the timeout value to 60 s. After receiving this request, the proxy server directs the INVITE request to 192. 168. 10. 5.

Please compare this legal request with a malicious registration request (4.


Figure 4

The difference between a malicious registration request and a valid request is that the IP address of the target user is maliciously modified, in this way, after receiving the request, the server sends the INVITE request to the tampered IP address, which may be the IP address of the attacker's VoIP Phone device.
Construct malicious registration requests. We can use SiVuS's SIP Message generator. (5)


Figure 5

This hijacking can be implemented in the following ways:
1. Make it impossible for a legal user to register. To achieve this goal, we have the following options:
O DoS attacks on user devices.
O cancel user registration.
O continuously sends malicious registration requests to the server at a short interval, so that malicious requests are given priority in processing, while valid registration requests are discarded.
2. Send a maliciously modified registration request.
Figure 6 shows the entire identity hijacking attack process.


Figure 6

Identity hijacking is possible for the following reasons:
1. SIP messages are sent in plain text, which allows attackers to collect, modify, and resend messages.
2. The execution program of the SIP message does not support the verification of the message content, so that attackers can modify and resend the message without being detected.

Even if the SIP proxy server needs to verify the user registration information, this attack can still be successful, because the SIP message is sent in plaintext, so it can be easily captured, modified, and resending. In addition, the SIP registration tool can easily implement identity hijacking attacks. Interested readers can try it on their own.
Eavesdropping)
VoIP eavesdropping is different from traditional data eavesdropping in some aspects, but it is similar in concept. VoIP listening must intercept signals and associated call media streams. Among them, the signal message uses a separate network protocol and port. Generally, a media stream is transmitted using RTP (Real Time Protocol) over UDP.
Figure 7 shows the basic steps for capturing VoIP media streams with Wireshark.


Figure 7
The main steps for VoIP listening are:
• Capture and decode sound packets. After capturing data packets with Wireshark, select the Analyze-> RTP-> Show all streams option.
• Analyze sessions. Select a stream for analysis and reorganization.
• Export. Save the captured audio in. au format.
In an IP-based network, even if an Ethernet switch limits broadcast traffic, this attack can still be successful. We can use ARP spoofing for MITM (Man In The Middle, Man In The Middle) attack. For the attack concept, see figure 8.


Figure 8
To achieve this attack, you can easily implement it with Cain. It can implement MITM attacks and capture VoIP data. (9)


Figure 9

DoS Attacks
Because VoIP is based on IP addresses, It is also vulnerable to flood attacks and resource depletion. Some traditional DoS attacks (such as tcp syn, ping attacks, and DDoS attacks) can still put the VoIP server to death, even a single request for continuous registration may achieve the goal. Sipbomber is a VoIP Denial-of-Service attack tool. There are not many cases of denial of service (DoS) attacks, but they should still be paid enough attention.

Summary
Due to the low price of the VoIP service, more and more people are using the VoIP service. VoIP brings convenience and potential threats to people. With the development of the information society, people's lives depend more and more on the network. At the same time, hackers are getting closer and closer to life. Hackers will not stop at traditional attack methods. They will penetrate new types of attacks into their daily lives. Using the VoIP attack technology, black hats can listen to phones, which may steal trade secrets. White hats will constantly improve the VoIP technology to better benefit people. After all, black and white are only separated by one wall. As for which camp should be in black hats, gray hats, and white hats, white hats will be the only way out for hackers in today's Legal Society. It must be understood that hackers were born to study technology rather than disrupt order.