 Hey, what's up? I'm Jason. It's great to be here. I'm super passionate about voice over IP security. This is Arjen I'm gonna tell you I'm gonna start for the quick little story and it's the reason why I like Las Vegas so much We were we were here last month Viper spoke at Sands Pintest Summit on voice over IP pentesting and only in Las Vegas Do I get taken up on the stage of Cirque du Soleil's Humanity and Little did I know that they were going to try and take off my pants The girls that's not a bad thing when girls want to take off your pants, but Lucky for me. I wasn't wearing any underwear. So I kind of escaped that part lucky for the audience as well So I was telling the Sands guy this story and it was kind of funny because they they nicknamed me commando and it was It was a Paul Asadorian with paul.com security. I hope he's in their room, but anyways Paul So he called me commando. So I think that's gonna be my new handle now commando and Yeah, so Paul wherever you are. I want you to know that I'm going commando for this talk in your in your honor So well, let's get started here We got a we got a lot of stuff to talk about I'm gonna go really fast at the beginning on The overview of UC and then we got three really cool demos to do We're gonna talk about like an intro to like some of this video stuff that we're talking about And if you guys stick around to the end the last 10 minutes We're gonna have some awesome like really cool pen testing stuff lessons learn and tricks that we learned here a few weeks ago so Viper voice stands for voice over IP exploit research and really all we are is we're highly specialized pen test firm Dedicated towards UC and voice over IP We do structural research on generic Implementation of VoIP and finding vulnerabilities and void protocols, but it's basically penetration testing and then our research around this We built a real production enterprise network It's basically Cisco of I and Microsoft and what we do is we go in and we do the pen test with a customer We learn more about the configuration We recreate in our lab and then we're even more effective in our pen tests and our research feeds into that So obviously this is Arjun here. I'm Jason. We're Viper team members This is our lab actually in Dallas and we've like I said, we have a Cisco network IPS We can do all types of VoIP exploits through the network IPS We have like Cisco of I and Microsoft phones and Video phones and so forth So you see definitions At first it was the first marketing buzzers was a converged convergence, which was voice and data over the same pipe I added that my my definition of unified communication is just adding video into that and we also have Presence as well So this is just a simple slide just like why do we do what we're doing here We were publishing these free assessment tools for education and awareness because we believe that the only way to show people that VoIP attacks are for real is to actually demonstrate it to them and the way you do that as you use security tools We enable security professionals to test the network to show the customer the risk of VoIP and We also enable like VoIP owners like people deploying VoIP You know to test the network themselves so they can see the risks because they're really the ones that have to make the Risk risk decision if their risk tolerance level will accept that risk So let's let's look at some some real-world business examples, and we're talking about IP video here So private IP video calling between users like the CEO calling the CFO Telepresence or video conferencing IP video surveillance, which we're going to take a close look at Then there's these video streaming applications, and we're really it's really interesting to study these and You know we welcome you guys to come to us if you've seen stuff because all the stuff is new in the market And we're we're just now seeing this come out Okay, so here's here's a a business case. We're just taking a look take a quick look at you know What is driving this these video rollouts? So you know saving money going green not having to save on travel costs Wacovia as a result of their tells telepresence solution cost cuts and And then IP video surveillance We're kind of taking a look at these video analytics applications that you can do programmable User-driven analysis automated on DSPs and co-processors that are on the video surveillance cameras Okay on the IP video streaming applications We have America's team The Dallas Cowboys brand-new stadium awesome and We've got a lot of stuff in the press about the Dallas Cowboys. They have an all IP video network It's this new Cisco Stadium vision technology Cisco's partnered up with the Dallas Cowboys and supposedly every single TV IP TV ever the video boards and everything is all has an IP address So what does that mean for us a lot of fun? Now the Cisco Stadium vision is like targeted revenue streams where they can like customize the whole View of all the IP phone all the IP phones and all the IP TVs They can customize that for whatever the event is if it's like it if it's like a Cowboys game or if it's like a concert and so forth The two 60-yard lawn HGTV video boards are the largest in the world For 40 million dollars. They're manufactured by Mitsubishi Yankee Stadium is also doing this as well Toronto Blue Jays Okay, let's take a look at some some example you see attacks Now we're looking at is the video replay attack where we can play we can replay Thank you, Coupe, which appreciate that. What's your what's your blog website again? Hey? Hey Coupe comm check it out. Good guy Video replay we can do a video replay against an IP video surveillance system by placing a safe video stream and creating the blind camera and Then while the bad guys are seeking and doing the bad stuff we can also we've actually seen some people do this We can Record the CEO in the middle of like a conversation We had one guy use UC sniff to do this and he showed a CCO that that he had recorded the live Conversation, but you can actually replay that so imagine if like in the middle of an important conference call There's like a previous conference call from two weeks ago and the CEO is like saying the same thing little strange Okay, IP video hijack. We're calling this video interception video denial of service So we're intercepting the video and then we're replaying. We're playing whatever we want whether it be replaying a previous like AVI Or taking a random I AVI clip and playing it against the target video session And then we have the video eavesdropping example that we just talked about Okay, I want to do like a overview of UC sniff now UC sniff is our next-generation VoIP sniffer and I want to walk through like what's what the progression of UC sniff and what's happened with UC sniff First of all, there's no other security software that can decode g7 22 audio code Automatically if people who try and use wire shark and edder cap When they're doing their voice sniffing in a pen test you you're limited because you can't actually reconstruct g7 22 This is the first security code that does g7 g7 22, which is the new codec That's a showing up in all the new avaya and Cisco networks Also, you see sif the very first we released this right after Torcon Combined to man-on-the-mill art poisoning Automatic vlan hop and auto constructs forward and reverse into a single way file for both g7 11 and g7 22 all of this done automatically Another thing is we have a target mode that we introduced and we've done this in a pen test We can actually intercept unity Cisco unity voicemail passwords. We can steal voicemail passwords And we do that by intercepting the skinny keypad button messages So the design of UC sniff is a little different because we we basically combine the signaling and the media together We don't actually start eavesdropping on the RTB media until we've detected that a call has started via the signaling So we use this sccp or a sip to detect that that started Then we close down the RTB dissector after we know that the call is ended the result of this design is We can tell who is calling not just random IP IP streams We can actually if you see the screenshot here, we can we can reconstruct like who's Tied into the corporate directory like the CEO is calling the is calling someone else and In security testing the reason why we did this is time is money with pen testing And I don't want to spend like a lot of time like trying to search you away files and so forth trying to find what I'm looking for So another new feature of UC sniff the very first feature with 1.0 was we actually Mimic the entire behavior of the phone and this is the phone on the left to download the corporate directory and we loaded into memory of the Tool, so we're actually targeting corporate VoIP users based on their name or their directory entry and in the corporate directory Now UCSIF 2.0 when we released this February is the first ever IP video sniffer So there's no other tool out there doing that right now We we decode the H.264 video codec, which Arjun is going to go into in detail So we didn't stop there. We're going to keep on going on this April 2009 we released another version that could eavesdrop on Microsoft OCS I am conversations Because we they use the sip subscribe message We have support now for a via sip as well. We we stress tested that in our lab We've actually enhanced the art poisoning with unicast our requests We're going to talk about that in a second and now we have support for g7 11 a law codec So the gratuitous art thing is really really really cool stuff We actually were researching and we found that like these nice 79 85 video IP phones That we couldn't actually art poison them unless we sat there with UCSIF for 10 minutes So we designed like unicast our request which actually speeds it up now We can do art poisoning like immediately We just hit a button and they're art poison We found the same thing with a via IP phones. They actually don't advertise a feature But you cannot art poison a via phones at all unless you use unicast our request But also we ran into a problem because the unified IP phones have a garb disabled feature Which we're going to talk about here at the end and that really kind of stymied us in a lot of things So UCSIF 3.0, I'm going to get into this a second We have a GUI now. We have a windows port. We have windows VLAN support thanks to Arjen We're working on a real-time video monitor where you can actually like eavesdrop live and see like both ends of the reverse and forward video We actually built Cisco UCM 7071 support that was not even like Didn't work at all in the old versions of UCSIF so we're going to release this in a second All the new deployments are 7071 and then we have garb disablement bypass I'm going to run out of time here garb disabled is the feature that I was telling you about and Okay, so so garb disabled is Basically preventing us from art poison the connection from the phone to the network We can still do the network to the phone But when this feature and this is the default now in new deployments So you're basically unless the phones are on the same VLAN We're going to get to a second how we defeated that but basically no successful art poisoning means no man in the middle condition and We can only get the downstream connection coming from a remote VLAN into the phone But we can't get any of the we can't reconstruct the entire media especially for the phone going to the network in a deep in a default config so Basically basically we devised like a new feature and What we did is we're going to beat the race condition on the phone Because we can actually predict when when garb is disabled what happens is the phone will send an art request As soon as the two RTP peers right so as soon as the phone, let's say the both phones are on the same VLAN They're going to send an art request right before the RTP media starts So we can actually we actually program UCSF to look for a message called start media transmission Which is basically the server telling the phone who the remote RTP peer is right So when that happens, then we know we can actually construct our own Spoofed unicast our reply packet and we can actually flood both phones And so that's how we're winning. We're winning the race condition. We actually are poison the phones that way So this is this is the entire process here And it's the new feature. It's dash dash garb disablement bypass and that's going to be released with UCSF 3.0 So with but with this though if both phones are on the same VLAN We can definitely reconstruct the media because we can we can use this feature to beat them, but The phones there when they they only send our request when they boot up and talk to the server So like when they're talking to remote peers, we can't we can't defeat that right now But that's another story. We actually can but we're going to get into that later So like I just said we can't we can only get unidirectional if it's remote peers in another VLAN Okay Hello guys I'm going to talk about the UCSF development and show you a demonstration of IP video use dropping using UCSNF So UCSNF GUI we developed it using the juice libraries So juice is a C++ class library for developing cross-platform applications So it's really good for creating highly highly specialized user interfaces and for handling graphics and sound So it's really easy to create a GUI application using the juicer because like the juice libraries come with Application called juicer and it also has links at some sample demo applications So why we selected juice libraries for developing the GUI? We needed a cross-platform C or C++ application so that UCSNF GUI looks the same way in Mac Linux and Windows so We are working we are currently working on porting UCSNF to Mac So UCSNF Windows port so we ported the UCSNF Linux code to Windows using the MinGW So MinGW stands for minimalist GNU for Windows So basically it ports all the GNU GCC and the GNU binutils for development of native Windows applications So creating a voice VLAN interface on Windows So actually creating a voice VLAN interface on Linux is pretty easy and straightforward But on Windows we have to like follow the toughest procedures by developing to network drivers So we have to develop NDIS protocol driver and an intermediate driver Using the Windows driver development kit. So we will be releasing these two drivers as a separate package along with UCSNF So what is NDIS? So NDIS is a Windows network driver interface specification so Yeah, so we use the NDIS protocol driver for squaring and setting the dot 1q tag on the Ethernet interface So we can also use the NDIS protocol driver for Sending and receiving raw Ethernet packets on Windows. It can be used like libnet But but it's like more programming than using libnet So installing NDIS Prod. So we used an open source tool for installing NDIS Prod So it's called Prod install you can see a screenshot of NDIS Prod getting installed So starting the NDIS Prod service. So you just need to execute net start NDIS Prod So the NDIS Prod is installed as a service. So just started from the Windows command prompt So we will be like all the steps will be automated before we officially release UCSNF So the IM driver. So What does the IM driver do actually so it creates the actual virtual interface for both the wired and the wireless connection So this virtual interface will be tagged with the voice wheel and ID and the interface will be a part of the voice wheel and So installing IM driver. So we added the support for Installing and uninstalling the IM driver on the open source and this Prod tool So here's the interesting thing Decoding video support on UCSNF. So UCSNF decodes the H.264 content from the RTP payload format So this this decoder is compliant with the RFC 3984 which is the specification for the RTP payload format for H.264 video codec So then UCSNF creates a raw H.264 file format Using the decoder H.264 contents So but this video file is only playable using VLC and M player and it does not have any audio It's only a video only file So if you have if you have configured UCSNF with the ffmpeg library support UCSNF Adds an ABI container to the video files that it creates and it also marks us Audio and video together using the ffmpeg libraries So this ABI file can be played using any famous like or well known Media players including Windows media player Here's a screenshot of the new UCSNF GUI just an overview Here's a very cool animation So here's a cool animation that shows how UCSNF works. It's pretty simple and very basic So all you need to do is like unplug the phone from the Ethernet wall Plug in UCSNF UCSNF uses CDP is a Cisco discovery protocol for creating a for finding the VLAN ID and for Creating a VLAN interface Then it uses DHCP to get an IP address in the voice VLAN Then it orbs scans and art poisons the voice VLAN So at this point UCSNF is a middleman like it receives all the traffic from network and forwards it to the right destination clandestinely So for any active call that comes through UCSNF stores the media To a media file and then it forwards it to the right destination This is how pretty much UCSNF works So now I'm going to show you a demonstration of IP video use drop in using UCSNF the targets of the two Cisco 70 and 85 phones Let me start UCSNF This is UCSNF So I'm selecting the interface to VLAN hop on to sniff the wipes wipe traffic I would start the end-to-sport service I thought to do that We're gonna need a volunteer here in a second. I'm selecting the man in the middle mode So there is an option to VLAN hop So there are like three three ways to VLAN hop by spoofing CDP or by sniffing CDP or by specifying the VLAN ID So spoofing CDP is the fastest way to learn the VLAN ID and to VLAN hop So I want to download the corporate directory So in a Cisco network Makers of the phone is an authentication token for downloading the corporate directory So you can get the markers of the phone from the from a small label on the back of the phone Or from the network configuration settings if the screen is unlocked So I have memorized the MAC address So there are two man in the middle modes number one is the learning mode and second is the target mode So in learning mode UCSNF or poison all the hosts in the network and then it use drops on every phone call But in target mode we can target like specific users and then use drop only on phone calls to one from that user We recommend using the target mode Because the network impact is really low for during penetration testing or security assessment So Jason is going to talk more on this after the demo So I'm enabling unicast Rpreq was poisoning I'm starting UCSNF So it has discovered the white VLAN which is 200 and it's waiting for an IP address There you just downloaded the TFTP configuration file for the marketer specified. It's also downloaded the corporate directory So here's the directory list. It's the same as you can browse through the phone Here's the host list It's the active calls tab. There are no current active calls It's the media files tab So which shows the current media files in the current working directory. So UCSNF as a built-in audio player We're also working on building and we're also working on a video player as a plug-in Here's the target's list. So we need a volunteer to make a video call with Jason So there you go UCSNF has created like three three media files. So number one is the bi-directional audio stream Let me play that It's not playing it's playing, but it's not Let me play the video files Here's the forward direction video file from the calling phone to the call party There you go Hello, you know, we're gonna put it up on YouTube later on tonight Here's the reverse direction video file. I think your audio driver is messed up. It's not working Give us one second we're just getting back set up here so we can we can jump on to the next one so what we have here is we're gonna be talking about video jack next and Video jack is our like IP video interception and replay tool It's like hijacking IP video and it's basically like a cousin tool of UCSNF. It has man in the middle feature supports and What we're using is one of our we're gonna be targeting unidirectional video streams Looks like it has a problem. So you're gonna have to Okay Okay, so video jack was released of February 2009 with along with the UCSF video to support It's a free assessment tool hosted on Sourceforge and you can go download it right now But we're about to release this new version of video jack here right after Defcon But it is this first security assessment tool to support h2s h264 even before UCSF We were using video jack all the time. We first started targeting the two seven and ninety five Cisco unified Video phones and now we just moved into the realm of video surveillance security. So we're gonna be talking about this 1080p high-definition video surveillance camera Cisco 4300 series camera. Did you reboot the surveillance camera? Let's go ahead and do that. Let's give it a second Okay So the new features of video jack is it can it can replay an avi avi file and a continuous loop It can do a targeted video DOS against a random avi file that we select which is essentially the same attack But we can we can actually actually also take a raw h264 file and replay it against the phones So we're working on getting that going against the surveillance camera Can you talk about this while while I work on this? So I'm just going to talk about some trivial challenges we face while developing video jack So number one is finding a valid h264 RDP stream It is very easy to find a h264 RDP stream if we can intercept the signaling on the session being negotiated but what happens is like Initially the session and the signaling gets negotiated like at the very beginning and it does not happen very frequently after once the session is Established so particularly in the case of IP video surveillance camera. So we cannot So particularly in case of IP video surveillance camera like The media the media could be streamed to the destination like for days without having any Signaling taking place. So we thought like how to how to find a valid media RDP stream without any signaling So we came up with a module that intelligently detects Media stream just by fine just by looking at the IP and the UDP parameters and the RTP version And the RTP payload type and the SSRC and and also the monotonically increasing sequence number and timestamp values So we do this like for a periodic interval of 15 to 20 packets and And if the RTP and if the RTP packet matches this matches any of them one of the RTP stream We try to map it to a valid RTP stream So here is a screenshot of Here's a screenshot of a sample capture of a session getting established between an IP video camera I'm monitoring endpoint. So here you can see RTSP and STP which which exchanges the session and the codec parameters And here is also the H.264 RTP media codec So H.264 payload format and fragmentation There are like four types of H.264 RTP payload formats number one is the single Network abstraction layer unit number two is the fragmentation unit number three is the single-time aggregate packets and multi-time aggregate packets So what a H.264 client does is if the H.264 payload size exceeds the MTU The payload will be fragmented at the H.264 level. So these H.264 formats are called FUA or FUB But some H.264 clients like the Cisco video phones They do not handle this FUA or FUB packets. They just drop it So for a video jack attack to work successfully against this 70 and 85 phones So we automatically convert the FU type payload to a single NALU type payload so and then we also fragmented at the IP level so that the so that It works perfectly. So this feature of video jack make sure like video jack works against like every H.264 video client so Video jack also uses the FFMPEG libraries to convert the ABI and the raw H.264 file format to RTP media stream So the converted RTP media stream is Will be initialized with the original RTP streams SSRC payload type Increased sequence and timestamp values and spoof source IP and UDP port of the valid source center so So just an overview of a video jack. It's a hundred out four. I just pinged it You should be able to connect to it So we're reconnecting to the surveillance camera and this is actually a Cisco web ActiveX control web application and it basically streams over RTP. So this is not like HTTP that we're doing here We're actually streaming over RTP negotiated via RTSP Looks like we're going to come up here It's okay So let's just talk a quick overview of video jack. We're selecting right now a one-way audio stream that we're targeting We start the attack and as soon as we start we're blackholing the valid RTP packets from the valid IP Then we select the AVI or the H.264 file and then we're using libnet to reconstruct the H.264 RTP packet we use like the SSRC the timestamp values and other values of the drop packet So we're like we're basically is a very intelligent attack We're taking everything of the valid drop packet and we're recreating it But we're putting our own custom H.264 payload in there The video interception like I said can be a replay or a random movie clip And then we target the video device and send it at the destination RTP port So here's a little animation to kind of show this First off, you know on the network we have the streams the valid H.264 stream The video jack attacker has to have physical access to the port now This could be in a physically remote location and there's a misconfiguration where the VLANs a member of the same VLAN Where the where the video network is so once he basically does the art poisoning attack He creates the man in the middle condition now the packets are going through the attacker But the attackers just silently fording this on he's not doing anything at this point Then when he hits the button to start the attack with whichever file he chooses Then what happens is is he's actually dropping that packet. He's constructing his own packet and Thus the attack works that way Okay, here's our target right up here. It's kind of hard to see right here But it's it's a beautiful little new 4300 series IP surveillance camera It's a 1080p high definition. We bought it from a Cisco video surveillance reseller It uses RTP for port negotiation It does support security features like it supports encryption SRTP by default. It's not enabled And it supports 802.1x as well. So like I said, we're using the web application to stream stream it over Okay, so here's for our demo here now to get it get us in the mood for this I have to play this for a second Okay, so they basically took the Faber J egg And it was it was the type of attack that we're gonna demonstrate here Here's our Faber J egg the little water bottle over here Okay, let's give this demo try Works all right Let's let's start video jack So first thing we're going to do is we're going to capture the safe video stream So we use UC sniff to capture the safe video stream We're running wire shark So we're also going to run wire shark and we're going to capture the into a p-cap the traffic with wire shark We have to sample the traffic for about 20 seconds So we're gonna we're gonna need another volunteer So we're on this other laptop in the attacker laptop. We're capturing this So this is like a real surveillance camera here. It's watching the Faber J egg right over there Okay, so you see stuff has finished its work, let's hope that we we captured a good video stream Blot up Okay, Arjun saved off. We're video jack teammates here. We saved off blot up p-cap So right now I'm gonna create I'm gonna use a tool called video snarf Which is a new tool that we're introducing that basically takes as input an offline p-cap and it basically detects all the video and audio streams and Outputs them into separate files So if you're like a network administrator or and you have a monitor span session and you want to actually see all The video and audio going you can use video snarf and we're gonna release this in a little bit, too Also, you can use like eder cap and wire shark if you don't want to use UCSF You can use video snarf eder cap and wire shark Okay, so we've detected a couple streams here Now we're using ffmpeg to convert the h.264 raw file into an avi file So can I get like a volunteer? Let's try and get a girl this time any any girls Anyone anyone oh We do have a girl. She's coming up. All right Round of applause Okay, you're gonna be like the person stealing the egg say we're Don't do anything until we tell you exactly what to do. So go go right over here So ffmpeg is doing its work And we're ready to start the video jack attack Okay, so why don't you like put your hand like here and just like show that put it in the water See now you can see your hand You can see that like a video surveillance camera would like capture that so move your hand out Okay, now move out a little bit. There you go. Okay, so video jack is detected stream We select other We're gonna do a looping attack and we're gonna select replay dot avi now watch the screen here I don't know if you guys notice anything maybe for a split second there There's a problem with the avi file, but now go ahead and reach it and take the water bottle Nothing let's stop the attack Water bottles water bottles gone Let's try it one more time. So put the water bottle back Okay replay dot avi This is a water bottle was almost pushed in the same direction now remove the water bottle And keep it out now watch stop the attack Water bottle gone Okay, there's video jack Thank you actually you can have the water bottle as a present Okay Here's the last demo I'm going to show a video jack attack by playing a movie clip on an active video conversation against the Cisco 785 video phones I'm going to use video jack This time I'm going to be land hop. I'm enabling unicast our breakfast poisoning. So yeah, it's ready to go Let me make a video call Meaning Yeah, so I press F to find an active video stream So I find one from the extension eight thousand to the extension eight thousand one I select the video stream now. I can do a very precision attack by attacking either one of the two phones I'm going to attack the phone of the extension eight thousand It's the phone on the left So it's a seventy nine eighty five model. I'm just going to do a one-time attack. I'm playing the movie clip Italian job There you are I'm stopping it. So I'm going to target the next extension. It's eight thousand one the same procedure there you go So I could have played like a pre-recorded video conversation a pre-recorded h2 64 video file or any dirty movie or active video conversation Thanks, man So imagine the impact of this at like a I mean basically you have to monetize this attack And I don't believe attackers attack for for no good reason other than graffiti But you could do this at like an entertainment venue like very high-profile event Okay, so let's let's jump on to the end here at the exciting void pen testing lessons learn Okay, so I've been using UCSIF this way doing on-site pen testing for a while And it's something I've been meaning to tell a lot of people. I never run UCSIF in learning mode I always run it in target mode and one of the problems you're running to is like when you're doing the pen test You want to target like a remote art remote IP phone, but you really don't know the IP address of the phone So what you can do is is you can take a hub in an environment where you're doing your pen testing and you can share the hub with the attacker's laptop and you can pick up and find any user in the corporate directory and You basically call that user and then you use wire shark on attach to the hub and you find the IP address of the remote phone Right, it's not something you really think of but it's very effective Because normally when you're plugged into the ethernet switch port You really there's really not a way you can find the remote IP phone unless you kind of finagle yourself like this way So I find the IP address and I create this file targets dot text on the phone Within UCSIF working directory and then I specify UCSIF in targeted user mode And what it does is we select from a menu. We select the user UCSIF takes care of the front end for you And now it's extremely low risk of service impact because all we're doing is targeting the traffic between that phone And the rest of the network so if something crashes It's only if it's not going to impact rest of all the IP phones on the network So it's a very silent effective attack and this is the way I recommend it So it's kind of like a little tips and tricks that we learn running UCSIF Okay, now this is really really cool. This is like I'm saving the best for the last how much time do we have? Okay, so we were engaged and there was a viper security consultant that was in Europe just a couple weeks ago And basically they had it was a UCM 7.1 brand new employment. They had gratuitous ARP disabled Now I've actually talked to Cisco p-cert about this. I've already like communicated this. This is not something that's That can't be protected against so it's something that can be remediated by just turning on security features But we couldn't intercept skinny keypad messages and they had the garp disabled feature on so the garp disabled looks exactly like this perfect Garp disabled was no and I talked about this before what this means This means I can't get the any messages from the phone to the network So I can't get the media from the phone in the network and I can't get anything anything that the user dials like and it's really nice To be able to steal voicemail passwords So what did we know? We had to figure out a way to defeat this We knew that garp enabled is a setting that's managed server side We also knew that the Cisco unified phone downloads the configuration file via TFTP Which tells the IP phone how to configure itself? So basically this Configuration file was everything that the phone used that it parses and it learns how to configure itself So and it's only boot and it's only downloaded when the phone boots up Could there be a way for us to force this IP phone to downloads configuration file? This is what we figured out We figured out a method to do this with UC step We call it the TFTP man the middle modification attack. What we do is is we immediately start we target the phone We create targets that text we launch UC step with the new feature that we created for UC step, which we're about to release First off what we do is we drop keep alive back messages Now this is a heartbeat mechanism between the phone to the server But we can't intercept what's from the phone and network But we can intercept the return traffic back to the phone So we start blocking the keep alive back message right from the server to the phone no matter where the server is Now all of a sudden what the phone will do is it'll think that it's lost registration So it'll try and re-register to the server when it does this It actually does a TFTP get for its configuration file Well, guess what when it does a TFTP get the return traffic we can add an RT We can add a TFTP dissector Okay, so we capture the UDP stream on the way back and all we do is look for and intercept that Gratuitous ARP setting so we take it from whatever its setting is one and we change that to zero to garp enable so then UC SIF does its work and Finish Cisco the phone downloads finished parsing the file and now it has the new configuration Garp enabled. Yes So this all happens in less than 30 seconds If users watching the phone they might be able to catch it But they might not think anything of it and all you have to do is is wait until the users go home for the day And you target each phone pick it off one by one and you when they plot arrive for work the next morning They have gratuitous ARP enabled on all the phones in the environment We can add new features onto this when we come up with new ideas So we basically poem the phone we can change anything on the phone. We want to I'm gonna show and like I said You can totally remediate this following Cisco security best practices now I'm gonna show one little quick video of this actual attack. Oh It just started actually There we go Okay, so I'm going to the phone right now and I just I'm finding its IP address 200 dot six and then I'm going to its device configuration and Gratuitous ARP is no We're just verifying that on the phone and then we go to UC SIF when we launched with the new feature We select the targeted phone UC SIF ARP scans its VLAN hopped Now it's listening for traffic. It's looks listening for that drop for that keep alive a message most important part of the Con So it takes a second here See dropping the keep alive act all of a sudden the phone loses registration on the left Now the phone is actually like going out via TFTP and getting the new configuration file We're going to intercept the return traffic from the server the third file coming from the server to the IP phone and a couple seconds here, it's going to Watch the phone. It's going to turn and we just on the right just modified the setting now We go into the phone. It's re-registered and New configuration Gratuitous ARP enabled. I guess that's really it Great time being here. Thanks for everything and we'll be in the Q&A room. It's room 104. We'll be there for about 20 minutes