First of all, my apologies about my English level. It's Yoda level and it's a Jedi tradition. Just forgive me. I'm Fatih Ozavci. I'm a penetration tester for 13 years. My special expertise is on voice over IP servers, voice over IP infrastructure, mobile applications, also other ones. I'm author of Viproy Voice over IP Penetration Testing Kit. Also I published a small paper about SIP trust relationships hacking. Also I demonstrated Viproy Voice over IP Penetration Testing Kit yesterday in Black Hat Arsenal. Anyone from Black Hat Arsenal here? Okay, we should wrap up this Viproy part. Viproy is a penetration testing kit and I will discuss a few advanced attacks. And Viproy has a few modules to demonstrate or exploit these attacks. And this is a small Viproy demonstration. Viproy has a few modules right now, but I'm working on three modules. One is a Metasploit module pack. You can download and extract it in the Metasploit root directory. So you can use it to discover SIP infrastructure, voice over IP infrastructure. You can collect information from SIP servers. Also you can get a few important things from SIP servers. Also you can enumerate target servers. This is Viproy in action. It has debug support. Also it has verbose support. That means you can easily collect information from this debug data. Discovery can be used for collecting information. So we can use all methods, all SIP infrastructure and protocol methods, in this collecting part and discovery part. So Viproy has register, options, invite, subscribe and a few methods to discover features of a SIP server. It's basically a SIP client, but a smart one. You can easily develop another module for your custom test or something else. It has a SIP library, actually a Metasploit Rex library. That's the register test. We can register an infrastructure or we can register a client or we can register a user using Viproy to a SIP server. Also we can initiate calls with a user or without a user, over a SIP proxy or not.
Also we have a few headers in the request. So we can manipulate these requests and their headers to bypass billing, to bypass restrictions of SIP ACLs or SIP firewalls. This is a basic demonstration, basic features of Viproy. I will talk about these basic features now. But I will discuss a few advanced attacks in this session. Also I have another demo at the end of this presentation for these advanced attacks. It's really hard to get picked to speak at DEF CON. Let's give him a big round of applause. This is his first time speaking so we need him to do a shot on stage. Okay. That was the price. Do you need another one? No, not now. Maybe later. Alright, thanks a lot. Thank you guys. I was nervous and I'm fine right now. Okay. We should pass this part, this action. Okay, we have a few people coming. We can start the actual presentation. You can watch this video, what I just played. It's already on YouTube. Also I played this video in many security conferences to show Viproy's basic features and basic attack abilities. So I will discuss these attacks and how we can use these attacks to bypass security features of SIP servers. And this is my agenda today. Discovery, footprinting, collecting information, initiating a call, initiating a bypass for CDR or billing or restrictions or something else. Also we have another attack, SIP bounce attack. I will explain it. Also fake services and MITM. Yeah, we have another module, a SIP proxy, for the MITM thing. Also SIP servers should be available 24/7, so we can attack them using those features or something else. Also we have another feature, hacking SIP trust relationships, because they trust each other. So we can act like just one. Also we can use these SIP features or SIP trust hacking features to attack another client, a specific mobile client and other desktop clients. Also fuzzing in advance is another subject for us. I will discuss a few fuzzing features. Out of scope is actually RTP. I will add RTP features later.
Also additional services are not a subject. Also XML or JSON-based supporting services are not required for this presentation. SIP is Session Initiation Protocol. It's just a signalling protocol for NGN services or SIP-based telephony services. Next generation network is post-modern TDM devices. Actually, sorry, HP Blade-like systems. They have three or maybe more soft switches, RTP proxies, SIP proxies or something else. So they should connect MSAN or media gateway devices. I will show an infrastructure for this sample. So SIP and Megaco protocol, also RTP, they are part of this NGN infrastructure. Also SIP should be implemented securely in these NGN platforms. So we will hack this SIP protocol and we will hack this NGN infrastructure. They use the next generation network term, but I believe it's not, because SIP is an old protocol. SIP has many security weaknesses and we will discuss these weaknesses in this presentation. This is a sample SIP server in your network. If you have a network, a commercial network, it should be placed just like that. By the way, commercial services are completely different. This is a sample next generation network infrastructure. SIP servers, also known as soft switches, are part of this infrastructure. SDP servers, also other servers such as VAS or DBI or CDR, these servers should be connected with soft switches. Also MSAN devices and media gateway devices should be implemented for endpoint termination. Between MSAN, media gateway devices and soft switches, the protocol is Megaco. Other connections, especially redirecting calls between soft switches, should be SIP. Also, you should know, you used many soft phone applications in your mobile phones. That means you already have SIP services and you are a customer of a SIP provider. But here is the thing: they think they are secure, but it's not. Especially their infrastructure is vulnerable. This infrastructure is not closed, but they think it's closed. Actually it's open to physical access.
Also, you can easily manipulate endpoint terminators such as media gateway devices, smart modems or something else. Also, they think abusing voice over IP requires specific knowledge. That's no longer the case with Viproy, because we have many features to easily test these SIP servers' features and security. Also, they focus on toll-based attacks, toll fraud or something else. But we have many attacks: spying, phishing, surveillance or DDoS attacks or attacking actual mobile clients or desktop clients. Also, value-added services are other important vulnerable servers. Also, they think their vulnerable devices are well configured and secure. They are vulnerable. They use old software. They use actually legacy software, Solaris 5 or Linux Slackware 2.1 or something else. So we can easily bypass and exploit them. But that is not our real subject. We will discuss a specific one, SIP protocol. Viproy is a Vulcan word. That means call. Viproy has many modules to test SIP servers' security. So we can actually initiate a few advanced attacks and mostly all basic attacks for these target SIP servers using Viproy's modules. Also, it has custom header support. It has authentication support, but in many ways: just proxy authentication, server authentication for different hashing algorithms and a few ones. Also, I have a few new modules such as Trust Analyzer, short message service tester or bounce scan module, DDoS initializer or directly MITM proxy tool. You can use this tool to test attacks which we'll discuss now. Basic attacks are important. They are not new. But we have no sufficient tool to analyze this type of attacks. So Sandro Gauci's SIPVicious, also SIP check and other tools are not sufficient for penetration testing of SIP servers. We should create another one. I should create another one because I need it. So I created Viproy to analyze security of SIP servers.
Especially their features: discovering SIP servers, enumerating SIP servers, collecting remote users, internal numbers or clients, brute force attacks for internal numbers, users with a password list or not. Also identifying specific numbers, identifying value-added services or something else. If you use this test after authentication, you have no choice except Viproy. By the way, brute forcing or invite features, they are required to test special features of SIP security. Also, we can initiate direct invite attacks. We can initiate invite spoofing attacks or we can initiate proxy redirected invite attacks. So we can easily bypass CDR records or ACLs or maybe invite things. Viproy easily automates this type of attacks. This is the basic discovery thing. This discovery step is basic, just like other penetration testing types. We should send a request and we will wait for a response to analyze. So we can send options, register, invite, subscribe, message or all methods. So we have all in Viproy. Another one is we should analyze headers in the response. So left side generic headers and right side proxy headers and warnings. We can collect much information from these headers: MSAN devices, invite information, remote service software, or whether it's vulnerable or not. Register is another important test because many value-added services have no authentication. Another thing is these specific services or specific trunks or specific gateways have no authentication, to speed up the connection. So we can initiate a register attack to detect these no-authentication services. Also, we can register our specific port and IP address to initiate raw attacks such as raw fuzzing. We will discuss in the fuzzing section what you should know. SIP servers have many authentication skills. So if it has an authentication just like that, it waits for your registration and it's in a privileged ACL, or it accepts your specific IP address and port without authentication.
If this type of authentication is available, you can register your specific port and IP address to initiate other attacks such as direct invite, spoofing or fuzzing things. By the way, register attack could be used for brute force or something else. We have many more attack types. Also, we can bypass many things using proxy headers or a few specific features such as changing the From field, changing the Contact field, adding specific proxy headers such as charging vector, or changing identity over proxy headers such as P-Asserted-Identity, calling party ID or P-Preferred-Identity. These headers could be used to bypass billing or security ACLs or SIP-specific firewalls, acting just like another SIP proxy. We can use these attacks. Also, we have another attack: re-invite or update. We can send an invite request or update request during a call to change its charging vector, change its billing features. So we can use these features. Also, you can develop a specific tool or specific module for Viproy. Invite request issues are just like that. We will send an invite and we will get a specific response. We can change many headers. So we can easily bypass rules, protected or not. Specific headers I've already mentioned. Also, it's just basic usage. But we will use invite for specific tests, for another test, just trust analysis or something else. This is SIP bounce attack. It's similar to FTP bounce attack. If the remote target has proxy support, we can use it to scan other servers which are trusted or not. So we can use it basically. These are screenshots. So this tool exposes user agents or servers of far remote servers and untrusted ones. It works just like that. We will send a register or options or invite request to the target remote server. Also, we will change its realm or URI to connect another one. So we can collect this information. It's important for us because remote servers and front-end servers are well protected and this server has many call ACLs.
So we can use these remote targets, if it has proxy support, to scan other specific features and other inaccessible servers. Also, we can initiate other attacks such as SIP trust relationships. Also, just now, I should mention another thing. I have a friend for you. I will mention after the video, but I already shot, you know. So this is my friend. It's a gift for the best question. It's a five-year-aged special Turkish drink. I'm from Turkey, as you know. So if you shoot me a good question, you will have this bottle. If we will have no time to create a Q&A section, you will find me at a chill-out bar or Q&A section, or just push me or attack me to ask a question. So we will continue again. Fake services and other subjects. We should discuss fuzzing features or specific MITM attacks because our regular SIP clients, generic SIP clients, have no features to bypass billing or security features. Also, it has no support for invite spoofing. So we will add MITM tool. We can change our client's features. For example, adding invite support, invite spoofing support, specific proxy headers support to bypass billing. Also, we can use this feature to fuzz SIP clients or servers. We can easily change specific data with fuzzing requests. So we will have a few crashes from SIP clients or servers. Fake services is not yet ready. By the way, MITM is ready. I updated Viproy's GitHub repository so you can easily download it and you can use it. This MITM feature is useful for testing or adding specific features. You can use it freely. But I should mention, if you use it to collect information, collect credentials from clients, such as MITM attacks or something else, you should use ARP scan or ARP spoof or VLAN hopping attacks. You should be a man in the middle to collect this information. Also, DoS is another important thing when we discuss SIP servers. It's not a server. It's a business. So money is really important for them.
So we can attack their availability, locking all users if they have an account-locking policy. Also, we can initiate many calls at the same time so we can overflow call limits of the server. Or we can ring all clients at the same time. It's possible. So we can use those things easily. By the way, we can use these attacks to bypass a few features. For example, if you need to act just like a SIP proxy, you should disable it. So you can use these tools to disable or make unresponsive this remote SIP server. By the way, we have another attack. SIP servers send many responses. It's in the RFC. So we can initiate a bogus request, for example unauthenticated invites or something else. They will send us many responses. Some, 20 plus, maybe more. So we can send IP spoofed requests to target SIP servers. So this remote SIP server will send responses to another DDoS target. Just like that. So we can search many servers, many SIP servers, and we can collect all of them to initiate a DDoS attack. You should remember all SIP servers, all SIP services should contain many SIP servers for gateway connection, for international connection, for redirection or backup. So we can use all of them in the same network, and act as another one we cannot access. Also trust relationship hacking is another subject. We can act just like a SIP proxy. So we can act and we can initiate calls, we can send messages, or we can attack mobile clients via these SIP trust relationships. NGN servers should trust each other because TCP is slow, and TLS or other encryptions are slow, by the way. They require much CPU usage. So NGN infrastructure and vendors prefer UDP-based SIP authentication and UDP-based trust. So we can attack just like a SIP proxy or something else. We need specific information for this attack. We should have an internal number. Basically, we should be a customer of this service because we should have a software or hardware client to view caller ID.
We will spread IP spoofed and port spoofed packets to this target server. And if this server trusts other IPs, there will be a call and we will learn its basic IP address and port. It's in baby steps. We should find trusted SIP networks, mostly B-class. We should send requests, invite requests, for each IP and port. That means 60,000, maybe more, requests. If this server, the target server, accepts one of them, we will have a call. But we will have no idea about which one is trusted. Here is the thing. We have a spoofing section. So I will add an IP and port section in the From field. That means when we have a call, we should see which IP and port is trusted in the From field and calling number. Okay. Here is the demo. There is an attacker. The attacker has no idea about Ankara or Istanbul IP addresses and networks. He should know only the B-class network, maybe the C-class network. He should have a soft client from the Izmir server, this production server. He will spread, he will initiate IP spoofed packets from this field, just like sending from Istanbul or Ankara. And when we have a call, we will see the IP address and port. That means Izmir trusts Istanbul's IP address and port. Okay. How can we use it? But what? We can initiate a call. If we have a specific IP address and port, we can send a specific IP address and port and we can send a specific From field and we can initiate a call. So invite spoofing also, it's CDR and billing bypass. By the way, probably you should ask or you will ask, it's just one packet and we used IP spoofing and we have no responses, so how does the call work? How will it resume? It's not. All required is we have a packet to send to another one. For example, internal number 101. One packet is sufficient for main attacks. I will show you. By the way, in message protocol, a message method has no resume or no state. So you can send this message, short message or something else, to a remote server just like it came from Istanbul or something else, which trusts it.
That means you can exploit specific voice over IP features, voicemail box features, added services, just like sending a register request for us with short message service. Invite me at this moment. We can spoof this message. So we can change billing features or we can act on a few features. I'm not here, redirect me to something else. Okay, just send us a message. Which one is required or where you will be available? Okay, redirect, space, my internal number. That's a small message. We can send it. So we can handle all calls. It's possible. By the way, we can use it to initiate DoS attacks, denial of service attacks. For example, ringing all clients, bypassing a few features, initiating many calls to overload servers or VAS services, value-added services or CDR fields. By the way, we can attack specific mobile clients or desktop clients. When we send this invite request or message request, we have a few features. From, name, contact fields will be the same. We can send this request to the remote server and the remote server redirects these fields to the client. So we can fuzz it or we can crash it with many AAAs in the From field or From name field or Contact field. Also, we have message support. So we can exploit this vulnerability over message too. Also, maybe, you know, SIP and SDP have many features. So this type of SDP request or SDP content should be redirected. Also, MIME type support should be available and you can manipulate MIME types or the contents of this request to crash a mobile application. These clients trust the remote IP address and port. So we can initiate IP spoofing easily. Basically, I crashed an application. I don't have a phone. iPhone SIP clients, you can download them from the App Store. It has a vulnerability. It has no bounds control in the From field. So we can send 550 chars in this field and it will crash. It will be crashed. So we can exploit it. Okay. We should summarize and collect it. We can send a packet from Istanbul.
We have no idea and we cannot access this Istanbul, to Izmir, the production server. We have its IP address, yes. But it will redirect this call to another one, something else. We have no idea about its IP address but it has an internal number, just your send number or something else. So there is no user interaction. The application will crash. This is a client attack. So many applications can be vulnerable to this type of attacks. Asterisk has a limit for this From field. Only 1,000 chars, maybe more. By the way, sipXecs or other commercial products have no restriction for this From field. So we can use this From field, From name field, Contact field or other MIME types to crash a specific application. Also, we have fuzzing. Anybody love fuzzing? But fuzzing is completely different in SIP protocol. You have many fuzzers. But these fuzzers are old. And it's really important because vendors use these old tools to evolve their products. So you have no vulnerabilities to find using these tools. You should change your perspective and vision. We can fuzz it in many ways: acting just like a SIP server, SIP client, MITM attack or just acting like a proxy or something else. But old school fuzzing is not sufficient. Request-based and response-based fuzzing have a few differences. Request-based fuzzing is popular and we have many tools for request fuzzing. But they have no state, they cannot track a whole call and they cannot fuzz during a call. Our newest SIP fuzzing tool was published in DEF CON 2007. So we have had no new tool for almost six years. We can develop our specific fuzzing tool, especially for response-based fuzzing. We can use these features in Viproy's specific SIP library. We can initiate specific fuzzing features. How about smart fuzzing? Smart fuzzing should be really smart. It should have state support. It should have many methods such as subscribe, ACK, PRACK or invite, re-invite, update. We have no support in these tools.
Also fuzzing after authentication is a completely different thing because we have no tool to fuzz remote servers after authentication or with authentication. So we have another thing. Yes, fuzzing is cool, especially crashing an application, but in SIP servers we should fuzz numbers for value-added services, detecting features, free call features or detecting a few specific things. So you can easily create your basic fuzzer. Viproy, how does it help you? It has a basic SIP library. A few modules have dumb fuzzing support. I will show you. Also we have custom header support so we can easily bypass many things before fuzzing. Also, let's go on a few lines more. We can easily develop our tools. Also it has raw request support so you can combine it with your generic fuzzer. Fuzzing SIP services request-based, okay, you already knew this request-based fuzzing and I will bypass it, but you should know headers should be fuzzed, proxy headers or something else. Okay, here's the thing: response-based fuzzing is not popular. Also there is no tool to fuzz response features of a SIP server. Just imagine you have two clients, one for acting just like a remote SIP client, just one for attacking and fuzzing the remote server during this call. You can initiate two clients separately and you can drive all of them separately.
Also you can initiate many using this library, starting one and starting two. After that you will initiate a call from starting two and the target is one. Also you can add re-invite fuzzing feature during this call. You can add SDP fuzzing feature during this call. Also this response is important because when you send a request, the request to another client, if this client sends bogus responses, this remote server should assess and analyze and execute this response, 200 OK, such as we can send bogus responses. So it's a specific feature. You can develop your tools using Viproy. Viproy has many features, so we have a few things to develop such as advanced fuzzing support, RTP support, TCP/TLS support or minimo. By the way, it's MSF licensed, so you can download it freely, you can change it, you can develop your tools with this library. That's it. I will show another demo. This demo is prepared to show SIP bounce attack, hacking SIP trust relationships, detecting trusted servers, initiating a fake call, after that crashing mobile clients. This is a sample. I have a network, actually a small network, three SIP servers and four SIP clients. We can initiate this SIP bounce attack to detect servers and clients, trusted or not. We can use a remote SIP proxy server. We will have two SIP servers now, one is ours, another one is inaccessible for us. Also we have another range, 200 and 210. I will set this range to detect SIP servers and clients during the test. As you see there are many SIP services, one of them a SIP server, the others SIP clients. SIP trust hacking is a basic and old method but we can use it easily for NGN platforms, especially in a local network. So we can easily break physical network systems, hacking physical, hacking, breaking locks or something else, and we can initiate this attack. Also SIP services are also vulnerable to this type of attacks. SIP services trust hacking should be prepared with a specific target range and I set SIP server, the remote server source, remotos is potential. Also I can set a port range because they can use
any ports for trust or something else. Also we should set the interface for IP spoofing and a raw request and internal number 103, and we will initiate this attack. If you have a number, we have an IP or something else, we will learn which host is trusted. As you see, 202 and its port 5060 is trusted. It's a pair, it's a port for restriction on ACL, so I can set specifically this one and I will initiate a call. This is the trusted host and I set the From field for the invisible field. I can write anything. I write occupy gezi. If you already know the Gezi Park resistance in Turkey, it's a tribute. By the way, if you don't know, you can search this attack in Twitter. As you see, we have a call. Also we can crash a mobile application. This mobile application is Adore phone in iPhone. You can download it from the App Store. I initiate a secure shell session on the left side and I start a debugger, and I crash it with the right terminal. I set only set action call. I set the From field to fuzz features, for example set from fuzz 550. Also I will set the To field, that means our destination, our internal number. So I initiate a debugger. You can watch this video from YouTube too. It's available from Viproy's homepage. As you see, it's really easy to use because it's a Metasploit module set. Left side, as you see, 138 is the iPhone's IP but I have no idea and I didn't set it in my tool. I initiate a debugger to debug the Adore phone application. It's the PID, and gdb, a debugger, will be initiated for this PID. It's continuing. When I start the attack, you should watch and you should see on the left side a KERN_INVALID_ADDRESS issue. We have a memory corruption vulnerability and a basic DoS attack. By the way, it can be exploited. Feel free to exploit, feel free to develop an exploit for this vulnerability using this tool. So you can download this presentation from my homepage, also Viproy's homepage. You can download this tool from Viproy's homepage, also its GitHub source code section. By the way, you have a 15 minutes training video. You can use it. Also these papers.
These people helped me to present, also they encouraged me. I have much respect for them. Yes, I have only one minute so I will be chilling out. I have this one for you. If you come to ask a specific question or smart question, I will give it to you. Okay, thank you.
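As an added example (not from the talk and not Viproy code), here is the edge-side screening a SIP proxy or SBC can apply against the three things described above: oversized From/To/Contact fields that crash clients, P-Asserted-Identity / P-Preferred-Identity / P-Charging-Vector headers from peers that were only "trusted" by source IP, and Request-URIs that point at hosts the proxy does not serve (the bounce path). The limits, `LOCAL_HOSTS`, `TRUSTED_PEERS` and the sample INVITE are constructed for this example and would come from real configuration in practice.

```python
import ipaddress
import re

# Constructed policy values for this example (assumed, not from the talk).
MAX_FIELD_LEN = 256          # far below the 550 chars that crashed the iPhone client
LOCAL_HOSTS = {"sip.example.test", "192.0.2.10"}
# IP-only trust is exactly what spoofed INVITEs abuse; keep this list to peers that
# are also authenticated (TLS, IPsec or shared-secret digest), not bare UDP sources.
TRUSTED_PEERS = {ipaddress.ip_network("192.0.2.0/24")}
PRIVILEGED = {"p-asserted-identity", "p-preferred-identity", "p-charging-vector"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
URI_HOST = re.compile(r"sips?:(?:[^@>;\s]*@)?([^;:>\s]+)")

# Constructed sample: an INVITE from an unauthenticated source that carries an
# identity header it should not be allowed to assert.
SAMPLE_INVITE = (
    "INVITE sip:101@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.5:5060;branch=z9hG4bKexample\r\n"
    "From: <sip:caller@198.51.100.5>;tag=1\r\n"
    "To: <sip:101@192.0.2.10>\r\n"
    "P-Asserted-Identity: <sip:+15550000@sip.example.test>\r\n"
    "Call-ID: constructed-1\r\nCSeq: 1 INVITE\r\n\r\n"
)


def parse_request(raw):
    """Return (method, request_uri, [(name, value), ...]) for one SIP request.
    Header names are lower-cased; folded continuation lines are joined."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:        # RFC 3261 header folding
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        if ":" not in line:
            raise ValueError("malformed header: %r" % line)
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return m.group(1), m.group(2), headers


def screen_request(raw, src_ip):
    """Return (verdict, headers_to_forward, findings) for one inbound request."""
    method, request_uri, headers = parse_request(raw)
    src = ipaddress.ip_address(src_ip)
    trusted = any(src in net for net in TRUSTED_PEERS)
    findings, forward = [], []

    # 1. Bound the fields the talk fuzzed before they are relayed to clients.
    for name, value in headers:
        if name in ("from", "to", "contact") and len(value) > MAX_FIELD_LEN:
            findings.append("drop: %s is %d bytes (limit %d)" % (name, len(value), MAX_FIELD_LEN))

    # 2. Identity/charging headers are honoured only from authenticated peers;
    #    from anyone else they are stripped so they cannot steer billing or ACLs.
    for name, value in headers:
        if name in PRIVILEGED and not trusted:
            findings.append("strip: %s from untrusted %s" % (name, src_ip))
            continue
        forward.append((name, value))

    # 3. Never relay to a host we do not serve; this closes the bounce/scan path.
    host = URI_HOST.search(request_uri)
    if host is None or host.group(1).lower() not in LOCAL_HOSTS:
        findings.append("reject: %s request-URI %s not served here" % (method, request_uri))

    verdict = "drop" if any(f.startswith(("drop", "reject")) for f in findings) else "forward"
    return verdict, forward, findings


if __name__ == "__main__":
    for line in screen_request(SAMPLE_INVITE, "198.51.100.5")[2]:
        print(line)
```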