This post may seem a little ironic, considering that I just posted info on some new SIP-based tools we built, but I wanted to rant a little about all the SIP attack tools that are out there. My team conducts VoIP security assessments for enterprises, and they have a huge collection of wicked SIP-based attack tools. If we are lucky enough to find some box listening on port 5060, it's pretty much toast, considering all the DoS, fuzzing, hijacking, and so on tools that we and the community have access to.
That said, the proliferation of SIP-based attack tools has raised awareness of issues and made a lot of implementations more secure, at least to well known attacks like protocol fuzzing suites.
The reality is that most enterprises have very little, if any, SIP. Of course there are some little-known SIP interfaces, like that between CME and CUE, some internal SIP trunking, and in some very rare cases, SIP to the service provider, but very little handset SIP. The vast majority of the protocols you run into include H.323 (including proprietary mutations), SCCP, Unistim, MGCP, etc. What the community needs are more tools that can be used to test for vulnerabilities in the protocols that are actually being used by enterprises. I am sure some of these exist, but I am not aware of many that are public. This is too bad, because I don't think customers understand how fragile some of these systems are. For example, we have a tool that performs a "call flood" attack on one of these protocols and forces a reboot of a key VoIP system component. I suspect other folks, including the bad guys, have similar tools. I hope the VoIP security community can spend more time on these sorts of tools, to show enterprises where the vulnerabilities are, and in general, improve the security of these systems.
Of course there are many vectors of attack into a VoIP system, but the signaling (and media to some degree) are always lucrative, because they have to be exposed to the network.
The folks at iSecPartners recently (at Blackhat actually) released information and a tool that injects audio into a VoIP (RTP) session. As they correctly point out, some earlier tools like ours are command-line and can be a chore to use. They have built a slick GUI that appears to just key off of RTP (which makes it independent of the signaling) and inject audio. I don't think they have the ability to mix audio.
Here are links to the software and a presentation:
I am hoping to build a version of the Call Monitor that I described in the previous post that doesn't require SIP. It will either work with common signaling protocols like SCCP, H.323 mutations, and Unistim, or, if possible, just key off of RTP.
We (Mark O'Brien and I) recently upgraded the SIP tool set we released along with the Hacking Exposed Book, on a contract with the US government. A summary of the new features is:
o Additional support for TCP and authentication where appropriate.
o A new passive directory scanner.
o A new tool to query registrations.
o Several new DoS tools, using different requests.
o A stateful fuzzing tool, based on SIPp.
o Multiple enhancements to the sip_rogue application-level MITM platform.
o A new Call Monitor tool.
The Call Monitor tool is probably the most interesting - it graphically displays all active SIP calls. It allows the user to run other attack tools, including the teardown, RTPinsertsound and RTPmixsound tools. This is nice, because these tools require a lot of command line parameters, so the Call Monitor makes the tools a lot easier to run. In addition, the Call Monitor allows the user to define up to 10 pre-defined audio files, which can be inserted or mixed into a call on command. The Call Monitor also streams the audio for a selected call to an audio player, so the user can listen to a conversation and properly "time" the insertion of a word, phrase, or sound. This makes attacks like replacing "buy"/"sell" or "1000"/"1,000,000" in a trading scenario possible. Here is a screen shot of the Call Monitor:
I am not sure we will be able to release these tools, but I am working on that.
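Since the audio insertion and mixing tools described above work purely at the RTP layer, the defender-side counterpart is a monitor that watches each RTP stream (keyed by SSRC) for packets that do not fit the legitimate sender's sequence and timestamp progression. The following is an added example written for this post, not code from our tool set or from iSecPartners; the packet layout follows the RFC 3550 fixed header, the 160-sample timestamp step assumes G.711 at 20 ms, and all packets are constructed inline.

```python
"""Heuristic detector for foreign packets injected into an RTP stream (added example)."""
import struct

RTP_HEADER = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, seq, timestamp, SSRC (RFC 3550)


def parse_rtp_header(pkt: bytes) -> dict:
    """Decode the 12-byte fixed RTP header into its fields."""
    if len(pkt) < RTP_HEADER.size:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack(pkt[:RTP_HEADER.size])
    return {"version": b0 >> 6, "marker": b1 >> 7, "pt": b1 & 0x7F,
            "seq": seq, "ts": ts, "ssrc": ssrc}


def build_rtp(seq: int, ts: int, ssrc: int, pt: int = 0, payload: bytes = b"\xff" * 160) -> bytes:
    """Construct a sample RTP packet (version 2, no padding/extension/CSRC)."""
    return RTP_HEADER.pack(0x80, pt, seq, ts, ssrc) + payload


class RtpStreamMonitor:
    """Per-SSRC tracker that flags sequence/timestamp behaviour typical of a
    second sender racing ahead of, or colliding with, the real endpoint."""

    def __init__(self, ts_step: int = 160, seq_jump: int = 50):
        self.ts_step = ts_step      # expected timestamp increment per packet
        self.seq_jump = seq_jump    # forward gap beyond normal loss tolerance
        self.last = {}              # ssrc -> (seq, ts) of the previous packet

    def observe(self, pkt: bytes) -> list:
        h = parse_rtp_header(pkt)
        alerts = ["bad-version"] if h["version"] != 2 else []
        prev = self.last.get(h["ssrc"])
        if prev is not None:
            pseq, pts = prev
            dseq = (h["seq"] - pseq) % 65536           # 16-bit wraparound
            if dseq == 0:
                alerts.append("duplicate-seq")         # two senders, same seq
            elif dseq > 32768:
                alerts.append("seq-regression")        # real sender now "behind"
            elif dseq > self.seq_jump:
                alerts.append("seq-jump")              # someone leapt ahead
            elif (h["ts"] - pts) % (1 << 32) != dseq * self.ts_step:
                alerts.append("ts-mismatch")           # clock does not match seq
        self.last[h["ssrc"]] = (h["seq"], h["ts"])
        return alerts


def demo_injected_stream() -> dict:
    """Constructed stream: five legitimate packets, one foreign packet, then the
    legitimate sender's next packet. Returns label -> alerts."""
    ssrc, mon, out = 0x1234ABCD, RtpStreamMonitor(), {}
    for seq in range(1, 6):
        out[f"legit-{seq}"] = mon.observe(build_rtp(seq, seq * 160, ssrc))
    out["injected"] = mon.observe(build_rtp(1000, 1000 * 160 + 7, ssrc))
    out["legit-6"] = mon.observe(build_rtp(6, 6 * 160, ssrc))
    return out
```

In a deployment the monitor would be fed from a capture on the voice VLAN; the thresholds are starting points and should be tuned against the codec and jitter actually seen on the network.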
I updated the link to the SIPVicious tool set in my "Tools" typelist. Also, here is a link to the author's blog. I haven't had a chance to play with the tools, it's on my list like a zillion other things, but they look pretty cool and useful.
Here is an interesting presentation by Dustin Trammell on RTP steganography. Dustin presented this material at the most recent Blackhat/Defcon. Dustin includes links to tools that allow you to tunnel data through an RTP session:
Dustin Trammell posted on the VoIPSA blog that McAfee predicts that VoIP attacks will rise 50% in 2008. When we conduct assessments for enterprises, we always find vulnerabilities, but rarely if ever find evidence of attacks. Interestingly, we ALWAYS find ongoing attacks/misuse of the legacy systems. I have no idea how many VoIP attacks will occur in 2007, but whatever the number is, McAfee, a major security technology vendor, believes these attacks will go up 50%. We will see.
Sipera's Viper lab has a web page with general information, vulnerabilities, attacks, and a blog. They have had this for a while, but seem to be updating it a bit more lately. Here is a link (it is also in my links list for VoIP security blogs):