guys are going to give a fantastic talk and it's going to be really entertaining. Yeah. Thanks for your faith. Yeah. I got a meeting to go to. So, you know, whatever. All right. Let's give him a round of applause. Wow. Is this a Thursday at DEF CON? This place is packed. Thank you, everybody, for coming. Thanks. Yeah. Welcome to Sorry Wrong Number: Mysteries of the Phone System, Past and Present. My name is Patrick McNeil, or unregistered436 on Twitter. I work for Radware as a security solutions architect and I've got about 15 years of telecom experience, about half of which has been in security. So, I'm Owen. I'm @LinuxBlog on Twitter and I pretty much started out doing development work. Then I moved on to, like, breaking stuff more. So, I moved into security, did a bit of AppSec, DevOps and most recently pentesting. So, we've been working on a lot of things and we've fully embraced the film noir aspect of this conference. So, we have a pretty black and white deck here. Hopefully we can read it. That's why we're wearing these silver shirts. All right. So, first a brief word from our lawyer. Obviously, everything that we say up here is our opinion only; it doesn't represent that of our employers, and all trademarks, service marks, etc. belong to their holders. We tried to use Creative Commons where we could, but sometimes you run afoul, and it's all fair use at this point. Should be in the slide notes. Most of the slides we attributed. So, some of what we're going to show you today could be used for nefarious purposes or evil. So, some audio. Those who travel wind up in the gut of the prison of the grave. Something bad could happen. Use a life of crime. So, I want to thank the DEF CON organizers for letting us speak. It's a great, great time out here today. Why are we doing this? I mean, I like messing around with stuff that's unfamiliar, stuff that's new. So, it's a good opportunity to learn, learn a lot, especially from this guy. And I don't know why you're doing it.
Well, I mean, obviously, we wouldn't be up here if we weren't having a good time. And I sought to learn as much about stuff from him as he was from me, because I don't really have an AppSec background. He didn't really have as much of a telecom background. So, you know, it's a good way to get something together. So, you know, plus a lot of people have forgotten the roots of phreaking and hacking. You know, the original hackers were essentially the phreaks. Long before there was the internet and the bulletin board systems and all that, they were the first ones that said, here's something electronic that I can mess with. They were the ones who really developed, if you will, the hacker ethos. So, we wanted to highlight that some of the things that hackers used to do, or I'm sorry, that phreakers used to do, are still somewhat relevant. The mindset, the approach to things, even potentially some of the attacks. You know, you can look at some of the phreaking attacks in a slightly different way and now they're relevant for voice over IP. And voice over IP, as many people know, you know, it wasn't really designed initially to be secure. It was designed to work, designed to generate a source of revenue. And, you know, potentially reduce the number of lines you needed into offices and things like that. So, we're not going to talk about everything. We're going to talk about maybe what's likely to happen. And we wanted to kind of educate a little bit about ways to defend networks rather than just the pen testing and attacking goal. So, kind of known a bit about phreaking backgrounds, good. So, we had to have a pie chart. I always love putting pie charts in presentations. Not reflective at all as to what's in the presentation. Really, the percentages are all off. But we'll go over history information, you could do some exploitation stuff and there's a little bit of a tool. So, we just move on. All right.
So, before users were actually allowed to dial, before the little rotary phone, operators were in control of the dialing process. So, if you wanted to call somebody else, you had to pick up the phone and talk to the operator and you'd tell them an exchange; the exchanges were normally the street name or the intersection where the phone switch was located. And then each of those exchanges had anywhere from three to five digits that were used for the subscriber. So, we have a video clip for you. This example is from a movie called Sorry, Wrong Number, from 1948, which is the inspiration for our talk. So, you can play the video. Operator, your call, please. Operator, I've been ringing Murray Hill 3-5097 for the last half hour and the line is always busy. Would you ring it for me, please? Murray Hill 3-5097. And in this movie, she's supposed to be an invalid. My husband got it. He should have been home hours ago. I can't think what's keeping him or why that ridiculous wire should be sitting. Yeah, she's smoking in there. It's almost 6 o'clock. Thank you. I love how you can have conversations with the operators to explain your situation. Hello, Mr. Stevenson, please. I want to speak to Mr. Henry Stevenson. Hello, who is this? What number am I calling? Excuse me, what's going on here? I'm using this wire. So, it's a little hard to hear, but they were actually talking about a murder plot. And that sort of thing, well... I like today's movies. You know, you see people grabbing stuff and putting it on the other side. That's the depiction of hacking. I don't know if... I can believe this. It was something that could actually happen across a wire, basically. So, user dialing. User dialing and getting away from the operator actually came from a relatively unlikely source. Almon Strowger was an undertaker. And he was under the impression that somebody was stealing his business.
And he figured out that one of the operators in town was actually married to the other undertaker in town. So, when somebody would call and say, I want to talk to the undertaker, it was his impression that they were putting that caller through to... The operator was putting them through to her husband instead. So, he came up with this thing called the Strowger switch, which is essentially a cylinder. And it would use alternating current pulses to rotate the cylinder. And there would be one per digit dialed. So, the phone that he came up with essentially had three buttons on it. And there was one button for the hundreds place, one for the tens and one for the ones. And you had to repeatedly press that button with no indication of how many times you pressed it. So, you'd better be counting when you did it. And it would turn the cylinder and there would be a little armature that would click in. They ended up being called step-by-step and were eventually acquired by the Bell System. So, as implemented by the Bell System, however, they got away from those little buttons that you had to press. That's when we first started seeing the actual rotary dial. And when you would turn the rotary and it would go click, click, click, click all the way back, well, that's what was actually sending the alternating current pulses and turning the switch. The problem was that was only good within one exchange. And those switches were tied up for the duration, the entire duration of the call. So, eventually, they got around to dialing from exchange to exchange, adding more digits onto the front of the number. But in order to dial from exchange to exchange, you no longer could reference the name of the exchange. So, they had to come up with a way for them to do that. And basically, they said, well, we'll abbreviate all the exchange names and then convert those letters into digits. And that's how we came up, or how they came up, with the letters that were assigned to every number around the phone dial.
Now, of course, nothing really changes without a motivating event. And the motivating event for AT&T was really a combination of workforce growth, the need for efficiencies, the cost of running the network, all those switches that were tied up. So, they ended up having to work on an electronic switch. And the switches that they came up with were the panel and crossbar, which introduced common control. And when you dialed, it would actually build up the number that you dialed in something called a sender before it would send it on for processing. That was good enough for local dialing, but now we had to get to long distance. And for long distance dialing, they developed something called the 4A crossbar switch. That was something that used, it was very similar to an old computer punch card that was made out of metal. And there were punches in that that represented the routes from city to city. And there were alternate paths. So you would follow the punches to figure out how to get from one city to the other. And now, of course, we had to introduce the area code so you knew, or that the system knew, when you dialed which exchange you were trying to get to. Unfortunately, there was a big design flaw that they didn't think about. And a lot of us are familiar with 2600. The reason 2600 is called that is because of the 2600 megahertz tone, supervisory tone. Essentially, the flaw was they were using in-band signaling. So the signal was actually being carried over the same audio path, or the path that the subscriber was using. What that meant was if you dialed a toll-free number, a long distance number, you could then send the 2600 hertz supervisory tone. And the long distance switch would think that you'd actually hung up the call. From there, you could then send either single or multi-frequency tones, depending on what that long distance switch supported, and dial another number. So that's how people were able to make free long distance phone calls. Let's see.
So I thought it was one more slide back because you didn't do that one, did you? Yeah, I just did that. I wasn't paying attention. It's not our first time, I swear. So when we're looking to the future, you've seen a lot of VoIP. Yeah, I can see you. So when you're looking to the future with VoIP, what could happen? We've got a lot of technology driving innovation. We've got watches, phones, having SIP support added in the latest Android. Why do they do that? And what about WebRTC? With WebRTC, we're going to see more people vishing for one-time passwords or credentials. We don't know. We haven't got crystal balls here. We're not going to show you any leaked new exploits. We'll cover attack vectors that are still relevant today based on the phone system and still effectively need to be defended against. And we'll show you a vector we thought of after CarolinaCon, sitting at a table just goofing off, mostly created with AGI scripts. We'll get a bit more into that a bit later, hold on. So many of you, if you're familiar with VoIP at all, will have heard of Asterisk, and it was created in '99. So it's been around a long time. It was created by Mark Spencer and it's now made by, or maintained by, Digium. There's a confusing number of releases. You've got long-term support and latest stable, GPL, and a bunch of books. You know you've made it as a product when you have a For Dummies book published about you. So AMI and AGI, the Asterisk Management Interface and the Asterisk Gateway Interface: AGI can be thought of like the CGI for phone systems. You can write scripts and they will do stuff for you. And it's really cool; you can do some really cool stuff. So from this, you know, you create, you've got this cool system. Now you have all these variants. Some of these are real popular. Just making it easier. Asterisk@Home, FreePBX and Trixbox are really big. The one that runs on the Raspberry Pi is pretty cool. But the problem is, you know, they don't necessarily take security into mind.
It takes them a while to catch up to the latest branch from Asterisk. So what happens is you keep on building stuff and you can't keep up with it. You end up with a big pile of trash and some of them aren't even maintained. I think 2013 was the latest update for one of them. Eventually that trash may fall over, and if anyone's watched Idiocracy, you know, trash could fall into a lawyer's apartment. So we're going to go through some attack and defense. Yeah, so we're going to do attack and defense for several categories of threats. And we used Al Capone on all the slides for the attacker, the famous gangster, and J. Edgar Hoover, the original director of the FBI, is our defender. So you can see the little icon at the top right and know which one we're talking about. It used to be red versus blue but we decided to do that. It didn't work for film noir. Black hat versus white, I guess. So we're not going to cover every voice threat, right? There's a lot that we could cover. We're going to cover the most likely stuff. Not probable. Yeah. Possible but not probable. Alright, so information leakage. When a system that is designed to be used only by authorized parties gives you stuff you can work with so you can abuse it. So, you know, the phreaks were the original phone enthusiasts and they liked to explore the phone system. They took advantage of information leakage all over the place because it was not designed to be secure, confidential. You know, the very first thing that they could do is socially engineer operators. The operators were mostly female, so some of them, believe it or not, would actually use girlfriends and get their girlfriends to call the operator and say they were another operator and could you put me through to this number? Yes, hackers, or phreakers in this case, actually had girlfriends.
So the other thing they could do is they could pretend to be one of the male workers, one of the test line operators, and say, yeah, I'm trying to test this particular number, put me through here, and of course the operator was more than willing to oblige. Phone techs were also very proud to work for the company. So they could, you know, hey geez, how does this particular thing work? And in most cases they were willing to share. I mean, anybody who's proud of their job, you might be willing to talk about it. Especially if you're not told any of this is confidential. And then of course there was really obvious stuff. You're picking up the phone and you're dialing, you're hearing all kinds of clicks and you dial a long distance number and you hear the tones, you start to wonder, well, what are those things, if you're our type of mentality? And they started recording them on tapes and slicing up the tapes and eventually figured out, well, we could build something called a blue box and actually replicate those tones by pressing a button. And of course I would say the biggest gift to the phreakers was actually a 1960 technical journal, the Bell Technical Journal. They published these on a regular basis and it actually published the single frequency and multi-frequency tones that were required to send from one long distance switch to the other. So they basically said, oh yeah, by the way, if you want to control our long distance switches, here are the exact frequencies you need to send. Perfect if you're trying to put together a blue box, right? So, and then of course, exhaustive dialing of numbers. They quickly figured out that those metal dials were abusive on your fingers, so they'd use pencils and just dial all kinds of numbers that were outside of the normal phone range and discovered that, hey, there are special codes that you can use for routing in certain directions, avoiding charges, accessing certain features.
And then of course there was something called a loop-around, which was really supposed to be for testing by the field technicians, and phreakers figured out that if you could stand to listen to the annoying tone that was on the loop-around, you could connect two people together and just chat, just have an exchange of information. If you could get over the, you said an annoying tone on that, right? Yeah, it was a supervisory tone that would play. Yes. Yes, TProphet said, yeah, they accepted collect calls. So, the world was largely oblivious to the phreaking community and they really found out in this 1971 Esquire article called Secrets of the Little Blue Box, and some of the people that were made famous or infamous in that included Joe Engressia, Mark Bernay and John Draper, aka Captain Crunch. They were certainly not the first phreakers, as we've kind of seen, because phreaking was around for a long time, but they certainly became the more popular ones. On a bit of a side note, AT&T was at the time the monopoly owner of the phone system and they had a policy in the terms of service that said you couldn't hook anything to the phone system that was not sold by them. So, phreakers decided, well, that's no fun and we want to share some jokes. So, basically the first answering machine was made. It didn't actually record anything, but it would play jokes. Joke lines became really popular. So, that's pretty much the bulk of the history that I'm going to try to dump on you today. So, I would definitely recommend Exploding the Phone by Phil Lapsley. It's a great read. It's entertaining and he's done a lot of really good research. So, the phone companies eventually stopped blue boxing by moving to something called common channel interoffice signaling. What they did, essentially, was they put in another line from office to office using a modem so they could digitally signal the calls. So, you no longer had the signaling over the call path.
As phreakers figured out what was going on there, it's like, well, wait a minute, if the phone company can use modems to send information digitally from point to point, maybe we can with these new personal computers that we're discovering. And very quickly they figured out that they could now connect over things like a bulletin board service instead of having to do it over the phone. So, this is where we started to see a little bit of segmentation between the PC hackers and the phreakers. And of course, the protocol that they used to communicate over these modem lines eventually was IP. And that started the downhill roll. It turned into, you know, let's make an IP card that you can jam into the back of your old switch. And eventually, well, let's make it all IP so it performs better and we'll just have a gateway that goes on to the TDM network. And of course, the subsequent step from that is, hey, now we have virtualization. Let's just make a virtual thing that we can run on a laptop and, you know, use a soft client instead of an actual phone. So, nowadays, information leakage, I mean, you can do a lot of stuff that you would normally do with any sort of scan or pen test. You know, your basic port scanning; send a SIP message and see what comes back for your stack fingerprinting; extension enumeration, where you're just sending like a REGISTER message or an INVITE message to every possible phone number that you think might be in that range and just see what comes back. And of course, if you're actually looking at the SIP signaling, SIP in and of itself leaks information like crazy. The user agent might tell you what type of software is being run by the PBX or the endpoint you're talking to. The methods that are supported by that endpoint may tell you a little bit more about what it is. Yes, it's very similar, if you take a look at it, to the way HTTP works; you've got your Allow methods, and the interesting parts are really in yellow. Yeah, it's text-based.
So, what does that mean? We can man-in-the-middle that, because we can easily write a little script that says, if I see this, do this to it instead. And SIP, unfortunately, is still using the crypto that time forgot, MD5. So, you know, you can cram anything over TLS and SRTP and hopefully make it more secure, but oh my god, certs are hard. So, nobody wants to issue client certificates. And basically, yes, you can get some integrity and maybe a little bit of confidentiality out of having that flow, but there are still TLS attacks. So, you know, I'll get into later what I recommend here, but obviously having TLS doesn't guarantee security. It's worth noting too, the MD5 doesn't change. It's the same for every phone call that session makes. And I asked, why didn't you just change it to a more secure algorithm? It can't be that hard to... RFCs, man, go argue with the IETF. Alright, so when actually gathering information on a phone system, you know, start with the basic stuff. Don't think of this as a phone system; do your Google searches, scan, you know, do DNS queries, scan job boards, figure out what somebody is running through a side channel, basically. And you can actually make phone calls and listen to the voicemail prompts for people that aren't there and you can usually figure out about what phone system they might be running just because they're standard prompts with the voice they use. Yeah, exactly, which you'll hear later. And of course, if you're internet connected, SIP OPTIONS is generally used by many scanners to try to detect the presence of a PBX, but a lot of vendors have either patched against that or they put in rules that say, don't allow OPTIONS from anybody except this specific endpoint. So use something like an INVITE or even a CANCEL message, something that will evade that.
And then of course you can look for X-headers, which are unique to particular vendors; you know, do your extension enumeration by sending lots of REGISTER messages, basically just see everything you can get to come back. When you're doing your port scans, remember that, at least most people use Nmap, so they don't always change the default options. Yeah, you gotta mess with the default options or add in new options, so definitely scan UDP because SIP is generally sent over UDP, but also include the ports for AMI and AGI interfaces that are not part of the default port range. You will miss them if you don't add in those ports. Scan slow so you don't get picked up by something that's looking at rate-based detection. When you're using a tool, and I think this goes without saying, but understand what the tool is doing rather than just accepting it and running it. A good example is SIPVicious, that's used by about 99% of the people scanning for SIP services; it has a default user agent string that just about everybody has patched against now. So you'll see "friendly-scanner" come in, not, and you know that's SIPVicious. Didn't SIPVicious make a bunch of people's phones ring in Korea too? Exactly. So scan with a different tool name, a user agent name, scan with a different method like an INVITE or CANCEL. The Metasploit scanner is pretty good because it randomizes everything, but it doesn't do, at least the modules that I've seen so far haven't done, credential cracking. And also not many of the VoIP scanners around today are being actively maintained, with two exceptions. One is Viproy, and actually if you go to the VoIP hacking seminar or whatever, the session being held by Fatih, he actually maintains that, and bluebox-ng is also maintained. But the others still work, so yeah, for the most part. So the next exercise, Patrick looked at the Rapid7 GMAP data and came up with some interesting analysis. Yeah, I noticed that they basically just collected SIP over UDP.
They had just an initial OPTIONS response, so if I was doing it, I might have used a different method just to maybe get some more information back, but it is what it is. It's a big dataset, and what was interesting was the numbers that came back weren't as big as I thought they were going to be, because there's an awful lot of SIP stuff out there that is connected to the internet. So maybe people put in ACLs to block their scanner or something, but we got 52 to 53,000 that came back as just generic Asterisk, and nearly 11,000 that said Asterisk PBX, and the interesting one for us, which you'll see why later, was this Asterisk PBX, and what was it? The phone core. That's actually Trixbox, which is Asterisk installed on a piece of hardware. It's a virtual machine. Yeah, it's sold as sort of a quick startup. Yeah, like an all-in-one point-click-configure type. And of course, as I expected, we saw a lot of small to medium business systems, lots of old MTA software releases, and the stuff that totally blew me away was the couple instances of like a Nortel DMS-100. This is like a big, big switch. Who would put that on the internet? There were a lot of user agents that just said camera, and they all seem to be based in China, which was kind of weird. And then lots of MTAs that are being deployed in Germany, there's been a really active push for that, and lots of Huawei in Iran. You know, I'm guessing because not many American companies are going to be selling in Iran. What's the Fritz OS? Yeah, Fritz OS was the MTA deployed in Germany. All right, so what can you do to defend yourself against this information leakage? Number one, security by obscurity. Change your default user agent. There's no reason that you need to have it. It's not really used by anything. So call it Asterisk when you're on a VIAS system or something else, right? So it's not used. You could try that. It may work. Block known bad user agents.
We have a bunch of known bad user agents that are in an iptables list on our GitHub. I did some SIP honeypot research for a while, so I had about three years of data that I just parsed through and, you know, here's a list of them for you. Especially if you're on Asterisk, use this: alwaysauthreject. Essentially the error code that's returned is usually different if an extension exists versus if you've got a bad password. This setting basically returns the same error message for everything so you can't quite tell. So the question was, are you setting that for every SIP peer? Yes. There's no reason... Yeah, there's no reason to have it otherwise. So you're going to use fail2ban to block IPs that are repeatedly trying to hammer you? What happened to your video? Yeah. Thanks a lot, Master Chen. Try plugging it back in while you're at the laptop doing that. Before I even get to the good stuff too. Oh my god. I saw something happen. What might that do again? Shift-F5 resumes at your current slide. All right. That was weird. Who's messing with it? Okay, and then lastly, use a security appliance that will block SIP scans. So exploitation; we don't really need the definition for this one here. Using something to the greatest possible advantage, for selfish uses. So how did the phreaks use it? Yeah, so exploitation usually has this connotation of being malicious, but for the most part, the phreaks were similar to the medical profession: do no harm. It was all about just exploration and it was fairly innocent for the most part. Knowledge search. So nowadays it's pretty much anything you can imagine: you've got fraud, DDoS, botnets, profit, whatever you want to do. I mean, bad guys are going to use it for however they want. So we take a look at the Trixbox example that we were talking about earlier. There's 1200 on there. And what's this? Quality software. Last updated, and what's that? June 18th, 2013. It's got five stars on SourceForge. So we know it's good.
This is a little bit out of the phreaking theme, but it's kind of an example of what happens when you keep building technologies upon technologies and not necessarily taking security into consideration. These are the vulnerabilities for Asterisk as of a few months ago. You can see there's one for every category: denial of service, code execution, overflows. You name it. I like the one, bypass something. That's cool. There's more you can look into; it depends what version you're running. So this one's actually written by a guy called AttackTerrorist. If he's here, we want to buy you a few beers. I want to give you a hug. But yeah, he made an unauthenticated cross-site scripting. It's against the help module. It's a basic cross-site scripting. I did a pop-up, but that's a real cool one. It doesn't work in the newest Chrome or Firefox. I didn't test IE because who runs that. So he also found, in the same CVE, a local file inclusion, where you could pretty much include any file you wanted to. You can't read all files on the system, but some people know that if you include like /proc/self/fd, which is your file descriptors, you can write files. And you can do PHP input filters, which would also allow you to kind of read PHP code. But once you get an LFI on an Asterisk system, or on one of these all-in-ones, you can pretty much go around reading configuration files. users.conf, you can read those if the permissions aren't set up properly, which they generally aren't. You can read the extensions, what's on there. The amportal.conf is great because it has your MySQL password in it, and you can also read the Asterisk log to see what's going in, going out, what's happening on the network. And was that authenticated or unauthenticated? This is authenticated. So you have to be an admin. So you could generally do this functionality anyway if you were an admin, but it's still a vulnerability, right? So there's also a remote code execution. Great.
What this example does is it echoes some PHP code into a shell. And then we call that shell and execute pentestmonkey's Python shell. So pretty cool. And we have a video for that one. So this is the shell execution. This is also authenticated. I have to press spacebar one more time. Yeah, one more time. There you go. And here's the video. So I'm going to, I'm on the server right there. I removed the shell to show no funny business going on. And this is authenticated again and it's loading, echoing in the shell with bash. It's not rocket science, but it works. So we go back to the server and ls again and hey, that's the shell. So the video gets a little funky. I think I messed it up. There's the listener. The listener on my localhost, and there's the call to the shell. Sort of anticlimactic because it doesn't really do anything, but bam, right there. Yep. So whoami? I'm asterisk. So yeah, you can kind of do whatever you want there. So that was cool. And then this next one gets a little tricky. So this is using the same LFI we saw earlier, but we do remote code execution by reading the Asterisk logs, using a SIP message, because I thought, well, if I can read the Asterisk log, maybe I can inject some things. So we play this one. So again, this is authenticated, but you wouldn't necessarily need to be authenticated where you would execute it: the local file inclusion, but not to submit the script to it. So there's your local file. We're reading the passwords file. I do /proc/cpuinfo for fun. It's cool to see what CPU is running, just to make sure it's working and all that. And then this is the Asterisk logs, refresh that. So there you go. The next step, what we do is, this is sipsak and I just send a test message that's not even a valid user, by the way. That's just a random user. It's dope. And you'll see that the test message shows up way at the bottom somewhere. So then I just go ahead and echo the phpinfo in there. So we're basically injecting stuff right into the log file.
Which you can do with Apache too if there's an LFI on Apache. And then there's your phpinfo. So you can execute PHP code as you wish. So that's cool. But those are both authenticated. So I thought what I'd do is I'd take the unauthenticated cross-site scripting and then use the remote code execution, which is authenticated. You can kind of do a phish. So this is the one that gets kind of, really, it makes me confused too. So you use the cross-site scripting and you use this, and hide it on mouseover, a hidden frame, and replace the window location with this base64-decoded stuff. And then you do your shell echo in there. We've got a video to kind of show this. This one took a little bit of time to get right. But it works. So this is the window that says authentication required and I think I need to press it. That's the phish showing that it doesn't work for an unauthenticated user. So you're going to want to send that payload to somebody you know who has access to the system. I can't do it because I don't have credentials on the server. Just removing the shell again, to show you. So this is the logged-in user and this is the phish, reload it. And I do it twice just to make sure it works. What is going on here? Most people probably would, as they're moving their mouse around. And you could probably change this so it wasn't that cheesy, but you put it in a hidden frame. Yeah, you put it in a hidden frame and put it on a popular site or something and then it would do the same thing. So there's your own. So that's from unauthenticated. That's why it's dangerous to say, oh, I don't care about an unauthenticated cross-site scripting. What could you possibly do with that? Well, you could do something pretty malicious. So how do you defend against this? It's actually really easy for the cross-site scripting, the LFI and remote code execution. It's all the same. You make an array of what you want and you filter based upon that. You want us to sanitize input? Yeah, it's simple.
Like don't just say, what language do you want? Oh, I'm going to try and read that file now. Just English, French, Spanish, whatever you want, but don't take anything else. So never trust any input from the end user. And it's not the end user's fault. It's because you can't trust bad people. So it's more defense. We've got to pick it up. Wow. So avoid all-in-one distributions, update, custom build. It's not hard to do a custom build if you build, and you don't build what you don't know, and configure it properly like some of the other slides: do your firewall and fail2ban. So is your fraud and abuse necessary? Yeah, so fraud and abuse: my definition was fraud is when you have no intention to pay for using the services that you're using; it potentially causes loss or damage to the owner and enables criminals to make a profit. And yeah, I guess you could say abuse is manipulation of the telephone network to do something maybe fun or unintended. So skip these? Yeah, I'm going to skip these for now. I had some little Q&As here you can get from the slides; we want to get to the good stuff. All right, so making money is a top motivation for phone fraud. International revenue sharing fraud is the top fraud scheme, where you compromise a phone system and make lots of calls to a foreign destination. And the owner of the switch at that foreign destination splits the profits with you because of international telecom revenue agreements. Phone companies are forced to pay the peer who delivered the call. And you talked about that last year. Yeah, I talked about that last year at Skytalks. All online. Caller ID spoofing or back spoofing, which is a social engineering vector where you can make a phone number that you don't own pop up on the caller ID display, and that has implications for the name that also shows up. We're going to show a demo of that.
Telephony denial of service, where you basically just target somebody either for purposes of extortion or just maliciousness and keep cramming calls at them so they can't get a call through. The last one was phishing. Yeah, so fraud and abuse demo: basically, when a number comes into your phone, the person sending that call doesn't actually send along the caller ID display, the CNAM display. That is actually in a database that the phone companies use, and your phone company does a dip to the CNAM database and then says, hey, this is what you need to display on your phone. Well, can it be useful? Yeah, so most companies that offer SIP trunking do not allow you to set the number that you're sending as part of the call. You have to tell them in advance, you know, this is my phone number, or they'll assign you the phone number and that's all you can send. It is useful to be able to send a different number, especially in something like a call center, but usually agreements will be made so that they know what numbers will be coming through. However, some smaller providers, look in the terms of service, experiment with it. You can set the caller ID information on a SIP trunk. And by the way, it is illegal to cause loss or damage as part of spoofing. Or with an intent to cause harm. Intent to harm. So, and while you might not intend to cause harm if you spoof a law enforcement number, I generally wouldn't recommend it. So this is how you set caller ID in Asterisk in extensions.conf. It's real easy, online. And this is another way this is used in the project we'll show you, in a .call file for an automated call. But it is worth noting you have to find a provider that will send this on correctly. So these are just two ways we've used it in these demos. So who's calling me? So hey, look who's calling me. I'm sitting on my couch watching Jurassic Park, as you do. Bosses, right? He's the reason why we're here. That's enough of that. So that's real fun and stuff.
So I got this idea; we were sitting around at the table and we were saying, what if you spoofed voicemail? What would happen? Would you answer your phone? I mean, I was originally thinking, if you just had your caller ID set to voicemail, would people call it back and enter their PIN numbers if you randomly called them? But yeah, so we were thinking about it. And here's some scenarios we came up with. Yeah, so you can get a call from your voicemail system and it says, we've been acquired. Punch in your PIN number now for security reasons to listen to this message. And here's another one. The tech support fast track. Yeah, tech support fast track: entering your date of birth. Things that you'd want to collect for maybe getting through a password challenge. So I created it. It's not really an IVR. It's not interactive voice response. It's punching the numbers. Yeah, I guess so. So what you do is you configure it, configure a SIP trunk, configure some variables in PHP and you set up a recording of those scenarios we were just talking about. Create a target list, a text list of phone numbers, or you can do a single number just for fun, and do a dry run of the recording to make sure everything works. You can test against your local phone number and then you run the campaign. And the key here is you dial into the system from your phone. And you designate the targets from your phone. So I thought it was cooler than making a web app to do it, but the web app would have been way easier. So it's a little more old school phreaker feel rather than just doing it from a script. And they make a web app for it. So this is, I got to press space twice. Yeah. So this is kind of what happens when you dial in. Menu off to turn on press to turn to main menu. What you can't hear is you press all times and it beeps afterwards. Yeah. So basically note that when the call comes in to this mobile phone it's showing up as the voicemail number that's already stored in the phone.
So we go to the video. This one starts off really loud. You might want to turn it down. You hear one important recording that we selected. So you can, he enters a PIN number and there's the, it's console based at this point. I just finished making it so you could dial in and it would tell you. And there's the PIN number he entered. So it's cool. It works. So why do we care? I was thinking when I wrote this, oh, you can get people's voicemail passwords and you get their PINs and read their voicemails and delete them and stuff. But apparently there's more risk to it than just that. Yeah. So you get that PIN number and some voicemail systems will let you forward calls, let you originate calls, make a voicemail broadcast to the entire company. What would you do if you had that power? You could also adapt it to get one-time passwords or conference information. Right. So I have a bunch of fraud and abuse defense stuff that you can see in the slides because I know we're running out of time here. But one of the things that I really wanted to point out as part of this was, if you're trying to block international numbers, those revenue sharing numbers, you cannot just block 011 for your international dialing codes, at least within the North American numbering plan. There's a lot of Caribbean destinations that are also considered high cost, and if you look at them it's just a regular 10 digit. It looks like a regular U.S. number. There's some more stuff. Yup. Set PINs on long distance trunks, etc. And... Oh, you got to that already? Yeah. Thanks. That's our GitHub. Thanks a lot everybody. We'll be around.
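The closing defense point of the talk, that a "block 011" rule misses the high-cost NANP destinations that look like ordinary 10-digit numbers, as an added worked example. This is not code from the speakers or their GitHub project; it is a standalone outbound dial-plan policy check written for this page. The area code list is an assumption (NANP territories outside the US and Canada, the Caribbean ones the speaker refers to); which of them your carrier actually bills as high cost must be confirmed against your own rate deck. Function names (`classify_dialed_number`, `should_block`, `naive_international_block`) are invented for the example.

```python
"""Outbound dial-plan policy check for revenue-sharing fraud defense.

Added example, not the talk's code. Demonstrates why '011' alone is not an
international block within the North American Numbering Plan (NANP).
"""
import re

# ASSUMPTION: NANP area codes belonging to territories outside the US/Canada
# (mostly Caribbean). Many carriers rate these as high-cost international even
# though they are dialed like a US number. Verify against your carrier's rate deck.
HIGH_COST_NANP_AREA_CODES = frozenset({
    "242", "246", "264", "268", "284", "345", "441", "473", "649", "664",
    "721", "758", "767", "784", "809", "829", "849", "868", "869", "876",
})

INTERNATIONAL_PREFIX = "011"  # NANP international access code


def naive_international_block(dialed: str) -> bool:
    """The rule the talk warns about: only treat '011...' as international."""
    return re.sub(r"\D", "", dialed).startswith(INTERNATIONAL_PREFIX)


def classify_dialed_number(dialed: str) -> str:
    """Classify a dialed string.

    Returns 'international', 'high_cost_nanp', 'domestic' or 'other'.
    Accepts E.164-style '+...' input as well as raw keypad digits with
    spaces, dashes or dots.
    """
    raw = dialed.strip()
    plus = raw.startswith("+")
    digits = re.sub(r"\D", "", raw)

    if plus:
        if not digits.startswith("1"):
            return "international"        # +CC where CC != 1 (outside NANP)
        nanp = digits[1:]
    elif digits.startswith(INTERNATIONAL_PREFIX):
        return "international"            # explicit 011 international dialing
    elif len(digits) == 11 and digits.startswith("1"):
        nanp = digits[1:]                 # 1 + NPA + NXX + XXXX
    elif len(digits) == 10:
        nanp = digits                     # NPA + NXX + XXXX
    else:
        return "other"                    # 7-digit local, N11, extensions, junk

    # NANP area codes and exchanges never start with 0 or 1.
    if len(nanp) != 10 or nanp[0] in "01" or nanp[3] in "01":
        return "other"
    if nanp[:3] in HIGH_COST_NANP_AREA_CODES:
        return "high_cost_nanp"           # looks domestic, billed as international
    return "domestic"


def should_block(dialed: str, allow_international: bool = False) -> bool:
    """Policy decision for a trunk that should not originate international calls.

    High-cost NANP destinations are treated exactly like 011 calls, which is the
    gap in a naive rule.
    """
    cls = classify_dialed_number(dialed)
    if cls in ("international", "high_cost_nanp"):
        return not allow_international
    return False  # 'domestic' and 'other' are decided by other dial-plan rules


if __name__ == "__main__":
    # Constructed sample numbers (555-01xx exchanges are reserved for fiction).
    for n in ["011 44 20 7946 0000", "1 876 555 0100", "876 555 0100",
              "+1 809 555 0100", "212 555 0100", "555 0100"]:
        print(f"{n:>20}  naive_blocks={naive_international_block(n)!s:5}  "
              f"class={classify_dialed_number(n):15}  block={should_block(n)}")
```

The printed table shows the point directly: the Jamaican and Dominican Republic samples pass the naive 011 check untouched but are blocked by the classifier. In a real deployment the same classification belongs in the dialplan (or a pre-dial AGI hook) together with PINs on long-distance trunks, as the speaker's slides recommend.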