Hi there, so we are live with the speakers who presented on practical VoIP hacking using Mr.SIP. Welcome. Welcome to DEF CON Safe Mode. Not quite what you would normally have expected, probably, for coming to Vegas, right? But glad that you're able to join us and share some information with us. I understand, though, that you are both first-time speakers at DEF CON. Is that correct?

Yes, that's correct. Thank you. Thank you for the opportunity.

Yeah, that's great. Yeah, so we have a tradition here at DEF CON for first-time speakers, where really it's a historical tradition where we kind of do a shot or a drink with someone on stage to kind of welcome them to DEF CON. So as first-time speakers, I'd like to, you know, hold up a cup and have a drink here with you both and say cheers and say welcome to DEF CON.

Okay, cheers. Cheers. That was strong. Little early where you are. Strong coffee.

Awesome. Awesome. Yeah, so that's great. So let's get into a couple of the questions and everything. First off, right, so you recorded the talk a little bit ago. Since you recorded and kind of presented on Mr.SIP here at DEF CON, are there any major changes or updates you kind of want to share with the audience?

So first of all, inside this DEF CON presentation we actually show most of the new updates, so they were not published before. Recently we presented many other modules and all these demos. They're all new, and we showed them for the first time at DEF CON, since the video was published, like, in a week's time. We are still updating the documentation and the YouTube channel; we have a Twitter page people can follow, and the GitLab page we use to host the website for the pro version. These are the recent updates, we can say, but other than that, the whole DEF CON experience is the new update, so everything we show is new content, all these pro features, the new modules.
They were not published before, and right now we just introduced them.

Awesome. Awesome. Yeah, so I guess also to kick things off here, kind of what drew you to VoIP research and SIP security, and what's the origin of Mr.SIP?

Okay, that's a big question, I think. Melih, I would like to answer that, and if you would like to add something, you're welcome. So Mr.SIP goes back to 2011. And one of our first meetings with Melih also goes back to, like, a 2012 or 2013 interview, because once I had a job application at Melih's company, and he was interviewing me, but there was no SIP at that time; that is just how we came to meet each other. And around that time, Melih was working for a big telecom company, one of the biggest in the world, and they had the SIP team and security team there. They were developing one internal tool. And with that internal tool, they were also hiring somebody like a research supporter. And then in 2012, I think they didn't have an NDA, and one of the guys who was not hired for the project also published some open source modules, but I think the project didn't go too deep. Because it doesn't have any, also that's a comparison I think we can say, it doesn't have any novel or unique exploits or vulnerabilities inside, but Mr.SIP stands out in that it is both scientific and practical. And it is very interdisciplinary, I would say; it has full automatic modules that do all the vulnerability search, but then also the real-world attacks. It is utilizing novel exploits, CVEs that were not even published before Mr.SIP, so it contains a lot. But if we go back again, from 2012 to 2015 Melih worked on a closed source project, a different version of Mr.SIP that was always kept private and closed under the company. And by 2015 Melih left the company, and he was thinking, and by coincidence we met at Black Hat London 2016. Oh, hi, you interviewed me four years ago, and I said, oh, how's it going.
He said, oh, I quit that company, etc. And then this was the story; we said, okay, what is happening with Mr.SIP? Like, he said, I want to program it from scratch, make it bigger, like, make it like Burp Suite. You know, we had the idea that we could make it just like a real application that every penetration tester is using. That was a dream in 2016. Nowadays, after four years, you have about 10 modules. It is becoming a reality. So we work hard on the programming, the software engineering, because it is a big project; it is not a one-time published application, but it's evolving all the time. And we have lots and lots in the roadmap. First, it appeared many times in arsenals, Black Hat Arsenals, and some other technical conferences, practitioners' conferences, and Melih also published several research articles during his PhD. Mr.SIP actually gave him both, I would say, almost like a startup company and a PhD, so there are a lot of, I think, let's say, events that happened through the history of Mr.SIP; it is not a small application. It has several journals behind it, a PhD work, like four years of PhD work. Plus, it is becoming almost like a startup, but the main idea is that we keep it open source and we want the community to use it and see how SIP is important, actually important, and how they can just have a reliable tool.

Awesome. Yeah, there actually is a question in the chat about why the website for Mr.SIP Pro requires signing in to GitLab. Is that maybe one of the ones, or...

I think that's right, that's why. So we didn't want Google to index something that is like demo content, because we have a template now imported into GitLab, and it is getting updated; we are keeping it, but we didn't want to show it. So it is just ongoing; it's very new, and we wanted to include the link, because the DEF CON video will remain online, and maybe next week the website, the Mr.SIP Pro website, will be open, but right now it is still ongoing.
That's why it requires sign-in; even if you sign in, it will say you're not authorized. I think I'm happy if people go and sign up to GitLab; it's free and it allows a lot of things.

Awesome. Awesome. Yeah, so yeah.

Yep, so sorry, I was just saying sorry for those users that were trying to get into the website. I'm sorry that they're struggling because of the story. I interrupted you.

You're good. No, this shows interest, right? It's good, everyone's excited. Yeah, so another question from the chat. So, you know, if you're aware that someone's going to use an attack using Mr.SIP, so imagine you're on a blue team, right, or in the SOC, what would you suggest is the first line of defense to protect yourself or your company?

I think, like, okay, I will say something maybe, but feel free. I take the first sentence and feel free to add after me. I think when they do penetration testing inside the company, like let's say they are using Mr.SIP and they are trying to find vulnerabilities and run all the tests, one of the defenses they could do, as we also mentioned in the presentation, is awareness, the password policy awareness, so usually it is the lowest priority in the companies and security policies, and strong password policies are really not seen as necessary. But when we look at SIP itself, it is vulnerable. So there are some aspects that are unavoidable, like there will be VoIP attacks, and there will be almost no defense if you deploy a sophisticated attack. So there is not much to do, but they could do the standards like monitoring and actively, you know, having some security researchers looking at things, and lots of awareness and a strong policy for passwords. All these things are, I think, good for defense. But I'm not sure, maybe you want to add something.

Yeah. Using VoIP-specific security products like a VoIP application firewall or a VoIP IPS should be beneficial.

Yeah. Cool.
Appreciate that. Yeah, so we'll go to one other question here. Right, so you have a lot of experience, obviously, looking at SIP and VoIP attacks and everything. Would you say that there are any devices or companies out there you'd recommend over another to do a better job of protecting against the style of attacks that are in Mr.SIP?

Okay, I think I will give this question to Melih after adding something on that. So maybe when we recommend or think about the company, it is the client applications and the server applications we can talk about. I would think they are mostly similar. Melih, what do you think about the companies, like SIP servers, or other companies deploying the products? What do you think about them?

I couldn't get the exact question, but could you repeat some of it?

Like, I think what I think is, at the end, our attacks are against the SIP protocol. It is not for products, and I think every product is vulnerable over there. So it is not a product-based thing, also because I think inside the clients or servers they don't have any defense mechanisms deployed in the server. So they have to get an additional defense mechanism. But Melih, what I'm thinking is, you have more experience on that; what do you think, if any SIP servers, some brands or products, are better than other ones, do you recommend any of them?

It's not appropriate to say, to bring up some vendors.

Yeah, don't worry, that's fine. Yeah, so for someone who's kind of, let's say, you know, isn't just familiar with the SIP space or VoIP attacks, right? They're more used to using some of the standard things against Windows or Linux. I guess how would you recommend someone start to learn and kind of experiment, or, you know, what kind of resources would you recommend for someone starting to look at SIP or VoIP style attacks? Other than just saying use Mr.SIP.

Other than what?

Other than just saying use Mr.SIP.

Okay, yeah.
I think one of the things they can definitely do is deploy the environment, right, the lab environment, where they can simulate or emulate the SIP servers and the client. Because nobody has all this SIP deployment at home, but every company has it. So at my university at Oxford we have these SIP servers and clients, and it would be really easy, I think, to hijack the professor's phone and then do these things. But at the end, for a new starter to experiment with it, it is not going to be possible to deploy or have a SIP deployment at home. Nobody does that. But they can definitely emulate something on their computer. And there are many tools for that, so they can start generating SIP messages on their local server, and they can run virtual machines. So you take VirtualBox, a few instances; one of them is the server, it has an IP address, the other ones are a few clients, etc. And then imagine one virtual box is calling another one. And while doing so you have another virtual box which is Kali Linux. And then this one is the attacker machine; it gets access to the network and they can play with it, so they can start watching the network messages and play with it. I think new beginners could do that. And that would be fun.

So, also, reading the SIP RFC is very beneficial. For virtual PBXs, they can use any kind of Asterisk-based PBX, such as Trixbox or FreePBX, etc.

Awesome. There's a question in the chat from RPTK 2015. Can you expand a little bit about wholesale VoIP carrier voice and call shop, the attacks that were mentioned in the talk in the context of registration hijacking?

Yeah. I would like to give some quick summary on that, because it is a real incident, first of all, and Melih was also one of the investigators and, you know, like an expert preparing technical reports on it, a real million-dollar hijacking. So they found out how the hackers did it, and now also at DEF CON we showed how they did it.
So what happens is, the steps are simple, I think. So the hackers should get into the company network; that is, I think, one precondition. And then, using Mr.SIP, they can enumerate the users, break the passwords, get into the, or collect all the users' credentials; that is the step. This is not difficult by using Mr.SIP. Everything is automatic. Once the hackers collect enough information about the users, what they do is that they can start selling; whenever the users are sleeping or not using their accounts, let's say, the hackers can start selling their accounts and just charge all these things to the company, because the company has the infrastructure that's running. And if they allow calls to, let's say, other countries, the hackers, without running any telecom infrastructure, can just charge them and make calls on behalf of all these stolen users. And at the end, maybe three months later, the company will realize, okay, there were all these frauds going on; they will detect it, but it will be too late, because the hackers will already have made, I think, millions easily by selling a few months of utilizing this telecom infrastructure. So what they can do, they can, for example, run a local phone call shop; imagine one of the corner shops that says okay, you can make international calls, and they might actually be using one of the other big companies' infrastructure underground, like maybe stolen credentials, but people still go and pay them and make the call, and it is maybe a long-distance call, a super expensive thing, and they charge small money, because they don't pay anything for the infrastructure. And because everything is free, quickly, as much as they can, they start selling those services, and many other things; they are very creative, right, very creative people. And that's basically it.
So a few months, I think, it will take until a company realizes, okay, why are our bills much higher than usual, or the traffic going on too much. And that will happen, I think; that is the story, like, that is how.

Yeah, even if they understand that, they need to pinpoint the problem, the exact problem, because they still don't know about the fact. This is also a very common hacking story in real life. So I experienced a lot.

Melih, can I ask you a quick question? So do you think, not only the telecom companies, I think the banks can have this, or what other type of companies can have this type of call fraud? Because if a bank has the infrastructure for their own use, and if they allow external calls with the SIP trunks, so they can also be the victim of this type of fraud, right? And other companies, it's not only the telecom companies, so many other companies can suffer.

Any company, any enterprise running VoIP and making outbound calls to the internet can be vulnerable to that kind of attack.

Cool, cool. Yes, we have another question from the chat from thought seeker. Do you recommend using session border controllers in front of critical SIP infrastructure?

I cannot reply to this question.

Yeah. SBCs, the session border controllers, are very common in internet service provider level companies, not for enterprises; maybe they are expensive, as far as I know, but it's very beneficial. I think like a SIP firewall, an application firewall, so it's one of the best security firewall types, I can say.

Cool. Awesome. Yeah, so something else. So just kind of pondering, what do you think is probably the most significant attack someone could do using SIP or VoIP traffic? Like what do you think would be the most impactful or significant thing you could see someone trying to do?

Right. I mean, do you want to answer that? Maybe I have some stories, I think, but we can both, I think, elaborate on this.
What do you think? At the service provider level, there are many fraud-type attacks, but for enterprises, telephony DoS is one of the most powerful attacks. Impactful attack. So there are many different kinds of SIP telephony DoS attacks you can run against voice over IP systems.

Yeah, I think so. In the DoS, denial of service attacks, Mr.SIP is very skilled, because we have so many protocol-level vulnerabilities being published and getting also published. And that is one of the areas where Mr.SIP is very powerful. It has very unique, novel attacks built in as modules. And by doing so, I would say DoS is definitely one of the impactful ones, but at the same time inside Mr.SIP we have advanced scenarios where you want to make an impact without knowing anything, a full automatic scenario where you want to attack an infrastructure. For all these advanced custom scenarios, we have a mechanism to write and prepare your attack. And then Mr.SIP will automatically follow the whole attack, and you will not do anything; but let's say you put a Raspberry Pi into the company network and leave it there. Maybe a month later, nobody is there, but it will begin an attack, deploy the full automatic attack, and any of those; imagine the fraud infrastructure running. You can build a VPN server inside, make a tunnel outside and play a lot with this, and then anytime you want to distract people, you can place a DoS attack and any other stuff.

We couldn't have a chance to make a demonstration of our attack scenario player, but it's a module of Mr.SIP, a new module of Mr.SIP. And we have added some predefined attack scenarios, including DDoS, telephony DDoS type of attacks, and one of them is like, just by sending one SIP INVITE message, we can occupy the server for 64 seconds. And we gave theoretical information about that kind of attack, which was a novel attack, and we have published it in our academic research papers.

Yeah. Yeah, so we're coming near the end.
But yeah, is there anything in particular you really wanted to add that you kind of ran out of time to cover in the talk? Anything you really want to make sure you share with everyone here?

I would recommend everybody and all this community to support us and give us feedback; that is one of the important things. Because Mr.SIP is not a one-time tool; it's evolving. And in the last four years I think we showed good progress. And in the next few years, there will be a lot of new modules and novel attacks coming up, because our roadmap is huge. So we still save some of the parts; I know what Melih has, and we discuss all night. We have huge abilities we will keep integrating into Mr.SIP. And we would like to tell the community that they should definitely follow and tell us how we can cooperate, how they can join; they are most welcome to help Mr.SIP and take an active role. And then so that we can make it better, but the point that we should not miss is definitely follow and communicate, because there is a lot coming.

Awesome. Awesome. Yeah, I guess the last kind of question to wrap things up. So if folks want to learn more, right, or want to contribute like you were saying, what's the best way for them to reach out? What's the best contact, like through the GitHub or Twitter, or what's your preferred means of communication? We can share links as well in the chat.

So definitely GitHub is our first point of contact, where we have the public version, the open source version; the pro version is right now private. We are also gradually open sourcing the pro version modules; they will get into the public domain at some point, but GitHub is definitely useful; we have the links in the slides.
Twitter is definitely a good contact, private mail addresses or personal accounts; they are definitely good contact points. We are very active, and we will likely not miss anything that anybody sends to any of the points of contact in social media. Our private accounts, personal details, personal accounts, most welcome; I think we don't mind. There are no official or, like, crazy strict rules on how to reach us, but just call it easy. Do you want to add something?

I can add one more thing. People are just asking about demos, and we will share new demo videos on our YouTube channel, most probably next week.

Yeah, I think that is very important that we should tell, yeah. Because in the DEF CON video, I think the fonts were small; that was not very readable. It's HD, high definition; if they actually watch in HD quality they will be able to read everything, but we will also publish the videos of all the modules and all these attacks, with bigger fonts, maybe slowly, in a better quality. They will come, and I recommend, I think definitely they should be watching the YouTube channel.

Awesome, awesome, yeah, I definitely think that'd be helpful. Cool. Well, if there are no last-minute thoughts from either of you, I would really just say thank you for joining us for DEF CON, thank you for participating from, you know, remote places, again not in Vegas. And yeah, I look forward to running into you at a future DEF CON, hopefully in Vegas in person. And otherwise, just really want to thank you, and, you know, stay safe out there.

Thank you guys. Yeah, we would like to thank everybody there, yeah. I think the DEF CON team helped a lot through this online experience, Pardus and Nikita and everybody taking a role there. And thank you guys for helping and arranging all these things, even at the last minute, in all these difficult times.

Awesome. Well, thanks, and again everyone stay safe out there. Cheers.

Thank you. Thank you.