Well, we are putting the finishing touches on our book, Hacking Exposed: VoIP. I am reviewing some of the final page proofs, in the middle of the last one. Here is a shot of the cover. We are in the home stretch now.
This is a little repetitive, I posted it on VoIPSA, but just for completeness...
David Endler and I posted several new tools on our “Hacking Exposed” website, www.hackingvoip.com. We also provided updates and better README files for some of the existing tools. Here is a quick summary of the new tools:
rtpinsertsound/rtpmixsound - these tools take the contents of a .wav or tcpdump format file and insert or mix in the sound. These tools require access (but not MITM) to the RTP stream, so they can properly craft sequence numbers, timestamps, etc. rtpinsertsound, with the right timing, can be used to add words or phrases to a conversation. rtpmixsound can be used to merge in background audio, like noise, sounds from a “gentleman's club”, curse words, etc., etc. These tools have been tested in a variety of vendor environments and work in pretty much any environment where encryption isn't used.
redirectpoison - this tool works in a SIP signaling environment, to monitor for an INVITE request and respond with a SIP redirect response, causing the issuing system to direct a new INVITE to another location. This tool requires access to the SIP signaling, but does not have to operate MITM. We tested this tool with the Asterisk and SER SIP proxies, along with a variety of SIP phones.
spitter - this tool works in conjunction with Asterisk, to set up a voice SPAM/SPIT generation platform. Once Asterisk is set up, spitter is used to schedule any number of calls, using your choice of audio files.
The tools come with README files, so they should be pretty easy to use. Please let us know what you think. We are particularly interested in results for the rtpxxxsound tools. A number of us “security experts” have been warning of these attacks, but this is the first set of tools I have seen that actually accomplish them.
In SIP, a proxy or UA can respond to an INVITE request with a redirection response. This response tells the UA to look for the callee at another location. Redirection responses can be temporary or permanent.
I have warned in the past about an attack that monitors for the INVITE and responds with a redirection response, preventing the call from reaching the intended recipient and most likely sending it to another location, which may be a rogue. We have developed a new SIP attack tool that performs this attack. The tool monitors for a SIP INVITE and when it sees it, it responds with a "Moved Permanently" response. The response includes a new contact, which is specified on the command line. The UA uses this new contact and the call goes to that location, rather than the intended location. This is an easy way to deny service to some users and trick the caller into talking to a rogue.
We will be putting the code (and readme file) for this tool on our hacking exposed website (www.hackingvoip.com) this week.
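The redirect-poisoning pattern described above (and in the redirectpoison summary earlier) can be watched for on the wire. The following monitor is an added example written for this post, not code from the book or from hackingvoip.com; it correlates INVITEs with 3xx answers on the same Call-ID and flags a redirect that was not sent by the proxy the INVITE went to, or whose Contact names a host outside an assumed trusted set (the IPs, domain and messages below are constructed samples).

```python
import re

# Assumed: hosts that a legitimate 3xx Contact may point at (our own SIP domain/proxy).
TRUSTED_HOSTS = {"example.com", "192.0.2.10"}

def sip_msg(start, **hdrs):
    """Constructed-message builder for the samples: CRLF headers, no body."""
    return start + "\r\n" + "".join(f"{k.replace('_', '-')}: {v}\r\n" for k, v in hdrs.items()) + "\r\n"

def parse_sip(text):
    """Minimal SIP parser: (start line, headers keyed by lower-case name)."""
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def contact_host(contact):
    """Host part of a Contact URI, e.g. '<sip:bob@203.0.113.7;transport=udp>' -> '203.0.113.7'."""
    m = re.search(r"sips?:(?:[^@>]+@)?([^;>:\s]+)", contact)
    return m.group(1) if m else None

class RedirectMonitor:
    """Correlates INVITEs with 3xx answers on the same Call-ID. A redirect that does
    not come from the proxy the INVITE was sent to, or whose Contact names a host we
    do not trust, is the redirect-poisoning pattern described above."""
    def __init__(self):
        self.invites = {}  # Call-ID -> IP the INVITE was sent to

    def observe(self, src_ip, dst_ip, text):
        """Feed one SIP message with its IP endpoints; returns an alert string or None."""
        start, h = parse_sip(text)
        call_id = h.get("call-id")
        if start.startswith("INVITE "):
            self.invites[call_id] = dst_ip
            return None
        m = re.match(r"SIP/2\.0 (3\d\d) ", start)
        if not m or "INVITE" not in h.get("cseq", ""):
            return None  # not a redirect, or not answering an INVITE
        reasons = []
        expected = self.invites.get(call_id)
        if src_ip != expected:
            reasons.append(f"sent by {src_ip}, but the INVITE went to {expected}")
        host = contact_host(h.get("contact", ""))
        if host not in TRUSTED_HOSTS:
            reasons.append(f"Contact points at untrusted host {host}")
        return f"{m.group(1)} redirect on Call-ID {call_id}: " + "; ".join(reasons) if reasons else None
```

Source-address checks only help where the monitor sees real addresses; a spoofed response from the proxy's IP would still trip the Contact check, which is why both are combined.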
Well, this has nothing to do with VoIP security, but I wanted to post a picture of my new toy. I bought a BMW M6 (the first one in San Antonio). I have found out that there just isn't enough open road for this car. Also, the gas gauge moves almost as fast as the tach...
I will also be speaking at the next Voicecon, held in March/2007 in Orlando. Here is a blurb on the presentation:
Wednesday, March 7, 1:00 - 2:15 p.m.
Voice-Oriented Attacks
You've heard all the clever new acronyms and slang like SPIT (spam over IP telephony) and VOIP phishing, and these attacks are becoming more of a concern. At the same time, however, attacks traditionally aimed at the data network are being tailored toward voice infrastructure, for example denial of service attacks that tie up telephone trunks and block the call center. This session will familiarize you with voice-oriented attacks that you may not have encountered yet, but do need to think about preventing.
KEY QUESTIONS:
* What are the most serious voice-oriented attacks being seen "in the wild"? Which have only appeared as hackers' "proof of concept," but could soon go live?
* What avenues are used to attack voice-specific infrastructure, and how do you protect these?
* What types of equipment and technologies must you implement to stop voice-oriented attacks?
* What specific kinds of damage can these attacks cause?
Considering the splash that you made with your book and presentation at Black Hat, we'd like to structure this session as follows: You would open the session by delivering a 30-minute PPT presentation; then you'd lead a roundtable discussion with 2 other panelists for the remainder of the session, talking with them and taking audience questions. We were planning to invite David Endler of Tipping Point to be one of these 2 panelists.
For our upcoming "Hacking Exposed: VoIP" book, we developed several SIP and RTP attack tools. One of the most interesting is a pair of tools called rtpmixsound/rtpinsertsound. These tools insert or mix pre-recorded audio into a conversation. I have long heard security experts warn of this sort of attack, but I have never seen an actual tool that allows it. That may partially be because it is pretty tricky to do. Anyway, we developed a tool and will be posting it on our Hacking Exposed website - www.hackingvoip.com.
These tools require the ability to monitor the conversation to be affected. They do not have to be man-in-the-middle, although we have also added this capability to another tool that does work MITM. The basic trick is to monitor the RTP and generate bogus packets with the "correct" sequence numbers and timestamps, which tricks the target into using the bogus packets, rather than the legitimate ones. "Correct" usually means adding 1 or 2 to the sequence number, meaning the bogus packet is used rather than the real one, which arrives later. This varies depending on the phone, but works on all the phones we tested.
Both tools accept a .wav file or a tcpdump format file containing the audio. The rtpinsertsound tool REPLACES the real audio with that from the file. The rtpmixsound tool is more evil: it actually mixes in the audio from the file, making it sound like background noise. This allows some truly evil attacks, like mixing in the sound of a strip club, card game, cursing, moaning woman, etc. - you get the idea. The bogus audio is only mixed for one side, so the victim has no idea what is going on. You can also run multiple copies of the tool to affect multiple RTP streams.
This is a truly evil tool. Since it affects RTP, it can be used in virtually any VoIP environment (as opposed to a SIP attack tool, which wouldn't work in a proprietary signaling environment).
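The sequence-number trick above (also summarized in the rtpinsertsound/rtpmixsound entry earlier) leaves a visible trace: once a crafted packet has jumped ahead, every legitimate packet that arrives afterwards carries a sequence number at or behind the highest one already seen. The monitor below is an added example written for this post, not code from the book or from hackingvoip.com; it parses RTP headers from a constructed capture and raises an alert when a stream shows a run of such late/duplicate packets (the SSRC, sequence numbers and threshold are assumptions).

```python
import struct
from collections import defaultdict

def build_rtp(seq, ts, ssrc, payload=b"\xff" * 160):
    """Constructed sample packet: RTP v2, payload type 0 (PCMU), 12-byte header."""
    return struct.pack("!BBHII", 0x80, 0x00, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def parse_rtp(pkt):
    """Return (seq, timestamp, ssrc), or None if this is not an RTP v2 packet."""
    if len(pkt) < 12 or (pkt[0] >> 6) != 2:
        return None
    return struct.unpack("!BBHII", pkt[:12])[2:]

def seq_ahead(seq, highest):
    """True if seq is a forward step from highest, allowing for the 16-bit wrap."""
    return 0 < ((seq - highest) & 0xFFFF) < 0x8000

class RtpInjectionMonitor:
    """Per-SSRC watcher: a crafted packet jumps the sequence number ahead, so each real
    packet arriving afterwards sits at or behind the highest seen. One or two of those
    is ordinary reordering; a sustained run on a stream is not (hence the threshold)."""
    def __init__(self, threshold=3):
        self.highest, self.behind = {}, defaultdict(int)
        self.threshold, self.alerted = threshold, set()

    def feed(self, pkt):
        parsed = parse_rtp(pkt)
        if parsed is None:
            return None
        seq, _ts, ssrc = parsed
        if ssrc not in self.highest or seq_ahead(seq, self.highest[ssrc]):
            self.highest[ssrc] = seq
            return None
        self.behind[ssrc] += 1
        if self.behind[ssrc] >= self.threshold and ssrc not in self.alerted:
            self.alerted.add(ssrc)
            return f"possible RTP injection on SSRC 0x{ssrc:08x}: {self.behind[ssrc]} late/duplicate seq"

def scan(packets, threshold=3):
    """Run a captured packet list through the monitor; return the alerts raised."""
    mon = RtpInjectionMonitor(threshold)
    return [a for a in map(mon.feed, packets) if a]

def sample_capture(injected):
    """Constructed capture: ten PCMU frames of one stream; with injected=True an attacker
    races every legitimate frame from the sixth onward with a packet two seq ahead."""
    ssrc, pkts = 0xDEADBEEF, []
    for i in range(10):
        if injected and i >= 5:
            pkts.append(build_rtp(1002 + i, 16320 + 160 * i, ssrc))  # bogus packet, arrives first
        pkts.append(build_rtp(1000 + i, 16000 + 160 * i, ssrc))
    return pkts
```

On a real network the threshold should be tuned against the normal reordering rate of the path being watched, and encrypted media (SRTP with authentication) removes the problem rather than just detecting it.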