Hey, how's everyone doing? Pretty good. So this is not a talk on KSLR; this is phone system testing. The Hacker Tracker app was wrong. So if you're expecting that, I'm sorry. We're going to talk about phone systems. Before we get started, mandatory disclaimer, everybody's seen these. These are my opinions and everything. If you're going to do some of this stuff, make sure you have your get-out-of-jail-free card or permission from the owners.

So yeah, what we're going to talk about is the history and evolution of phone systems. Nothing too big or in depth. Not going to talk about SS7 or carrier-side stuff. It's mostly going to be about VoIP and modern phone systems, testing them externally from, like, the dialing interface. We're going to go over how to test those and the issue types; I'm going to map those to the OWASP Top Ten as best as we can, because we know OWASP is the web and we're talking about phone systems. That should be interesting. There's a little bit of overlap between externally and internally testing these because of the nature of it, but we'll cover that as best we can, and then we'll finish off with some fun tricks that you can do, or that I discovered you could do.

It's me, Owen; Snide is my handle. I've been here since the year 2000. I don't have a big list of acronyms behind my name or title, but I'm fairly involved with the local OWASP and 2600. Yeah, I like to do presentations and talk to people. It's fun because it gets me out of my introvert personality, what do you call it? Gets me out of my comfort zone. It still makes me pretty nervous getting in front of people. I've given a couple of other talks on various topics since about 2005. Since 2015 me and Patrick have been talking about and doing phone system stuff, and it's just a lot to learn and do. That's that. For real fun, actually, riding mountain bikes. The longest I've ever run with one topic, though, is testing phone systems. So I was born in the 80s, raised in the 90s.
Don't know how many of you have seen this before. We had all these antiquated technologies. I'm not sure if I miss the 90s, because they weren't that great for me, because this is how you actually had to play video games, if anybody remembers that. It's very depressing. You had to sit next to somebody; there was no real internet. And if you had an APT, that's how you had to block them: you could just take the phone off the hook. You can't do that these days.

How many people here remember their childhood phone number? I can't see out the back, but a decent number. So you know, people don't keep their numbers like they used to. Times have changed. But the older crowd generally may remember that. I remember my first phone number, which is really weird because I can't remember other things. This is a really good one if you're into social engineering and stuff: find it out, post it on social media, and get that secret answer to the secret question.

So who uses phones? Who doesn't? Raise your hands. Why not? Nobody, a few. Okay, no, everybody uses phones, right? There's nobody who doesn't, in some form. I'm particularly interested in all of those, but banking and finance could be your daily banking, your retirement, your investments. Those are pretty scary ones. Then all of these other ones are pretty good too, right? Everybody uses them.

So for history on them, really, I'm not going to cover a whole bunch of history. Sorry, Wrong Number: me and Patrick did that two years ago, did a pretty in-depth, I thought it was in-depth, but an overview of the past, how we got to where we are today. And Exploding the Phone, this book by Phil Lapsley, is supposed to be the best book on the phone, kind of the phreak history. I have not read it; it's on my bucket list. But we're not going to talk about that stuff; we're talking more about the digital side. So the last slide of the history, maybe not the last slide, but let's see if you can hear this. Nope, no sound, but we know what the modem sounds like.
We'll get back to this a bit further on in the slides, but at the beginning, this picture, you see those. You can't see it right there. That's kind of important for phone systems. So let's see. I'm going to need sound for some of these future demos, but next slide. This is a history of communication: '96, NetMeeting, all of these. We've kind of been bundling stuff on; everybody's been building technologies to help people communicate. And, what, ten years ago now, the iPhone was released, which was a real game changer. But all of these are closed source, with the exception of Asterisk, because everybody wants to make some money off of communications, because you are the product. And in more recent history we have all of these: Hangouts and unified communications, screen sharing, Kik, Snapchat. All of these kind of relate to phone systems because you are communicating. That's the thing. Even Uber and Lyft require a phone number to be activated or to use their service. That's pretty much all the history that I'm going to cover, and we'll get on to more phone systems stuff.

PBX is your private branch exchange. This is the heart of phone systems, because you no longer have to have someone physically plugging stuff in. Everybody runs them, not everybody, but a lot of places run them to reduce costs. You get the benefits of all these apps and cheap calling. So that's why people run a PBX, and in your basic deployment it's going to be a PBX with maybe a soft phone, a SIP phone, or just an ATA, which is your analog telephone adapter. And the clients in the telephony world are called your user agents. This is a more common deployment, and you just have more stuff, basically. You have a ton more user agents, and your unified communications is kind of all tying into each other. And you can see you've got two locations, location A and location B; you can pass calls through them and your provider.
You've got voicemail, all of these things, and then your large deployment looks like that, right? You have redundancy, failovers, and a whole bunch of other things, which really looks like this. Nobody knows what it looks like. But you have call monitoring, transcribing, all of those. Voice biometrics is interesting, and people use it for two-factor authentication, and they really use telephone numbers for a whole bunch of things.

So your common protocols, as far as VoIP goes: Session Initiation Protocol. The example for that is on the right. It's very similar to HTTP. You've got a text protocol where you send a request and get a response. It's very similar. And it's to initiate a session, a media session, which would be the RTP stream, which is the real-time protocol. And then you have H.323, which is just another kind of competitor to SIP. And IAX was supposed to be another competitor to SIP, which was created by the creator of Asterisk. That one was supposed to address some problems with SIP, but it never really took off as much. And XMPP is another one, Extensible Messaging and Presence Protocol. It's a mouthful. They all kind of facilitate phone calls. And then once you've facilitated or orchestrated that call, you have the media, which is transported through a codec. There are a bunch of these; people geek out over these all the time. But the ones you really have to be concerned about are PCM, A-law, u-law, and then GSM. u-law is for North America, A-law is for other countries.

Let's see. DTMF is your dual-tone multi-frequency. So, you know, when you pick up the phone and you dial in and you hear the beeps, and then you dial extensions, you hear the beeps. It's basically two tones at the same time, or two frequencies. And people are pretty familiar with these. These can be easily generated. And that's what happens when you press a button on your phone.
So when somebody says "we want to test our phone systems," the first thing is you've got to figure out what you're testing, because a phone system could be anything. Right? There's a ton of stuff to test. And the first step is to find out what you want to test. So you have hardware, software, all the user agents, PBXs, soft phones, the apps, protocols, codecs, and each of those is going to require their own specialized skill set to get down into the nitty-gritty. And it's a diverse set of skills, needless to say. Once you've figured out what you're testing, you've got your black box, white box, you know, determine the scope. Are you trying to be stealthy? Are you trying to avoid detection, or are you trying to test your detection capabilities? What is off limits? You don't want to go treading on people's feet when you're testing this because it's not the system you thought you were testing, because you dialed into something and it turns out you don't own that product.

So you can do your information gathering, and that consists of WHOIS, right? You can grab phone numbers from the web; the company you're testing's website generally lists a bunch of phone numbers. Or you can use corporate directories and look for patterns in the phone numbers, because you can find them there. Do port scans. It's noisy on the web if you're looking for, like, SIP traffic. It's very noisy. So you should kind of throttle that down a bit. And when I say use the web, I mean just Google, and use free carrier lookup tools to see. When talking about looking for patterns, you'll see a company will register a block of phone numbers, but they may not publish all of them because there's something in there they don't want you to see. WHOIS has information. I was trying to contact Google and I was Googling for Google's phone number, which is really difficult. But they list it in WHOIS; if you ever need to call the Googleplex, just WHOIS and you can find that phone number.
Externally testing through ports, you can sit there with a regular telephone, like any telephone, cell phone, or your landline, and press buttons. That's what we're talking about here: testing when someone says "I want to test my phone system" and you're, okay. Or you could maybe use a modem with AT commands, someone's script, or you can script that out a little bit. You can use a soft phone. Any of the major ones are going to do that. Test functionality. Getting more advanced, you can use the automatable or scriptable ones. These are really interesting, but there's a big learning curve to those. I mean, you have to really get into it. Or you can use just a PBX like Asterisk. That's what I chose to do for the engagement that we got to do. I used an Orange Pi, if anybody is familiar with those, very similar to a Raspberry Pi, or you could use a VM, but I used it because it has really decent specs. It can handle Asterisk really well. It's fairly portable if you need to show it to somebody. You just take it with you. People like to look at shiny things, right? Turns out. It doesn't take much to run a demo. So software used: ambient and Asterisk, a bunch of scripting utilities. We'll get more into this a bit later.

So this comes to the fun part, the time-consuming part of going through the issues you'll find with the OWASP Top 10. Let's take a look. This is the list. You'll probably be familiar with the OWASP Top 10 for 2017, which just came out, right? I'll give you a minute to look over there in case you haven't seen it yet, because everybody is still using the version from five years ago. The first one is injection. We all know the injection points for a web app. But for a phone system you have very similar ones: web, voice, DTMF. And there's XML injection in there, which I guess falls into web injection. And the result is cross-site scripting, SQL injection, you get buffer overflows or log contamination. There was one with Cisco phones where they were injecting XML, or a CD for it.
Where you inject some XML and you could monitor phone calls or even initiate phone calls from these, I guess, SIP phones, which is kind of scary. So that's injection. We know that. We've seen it before.

Broken authentication and session management is very rampant in phone systems. I mean, it's mostly authentication, but a lot of session management too. You can do call teardown attacks where you're breaking up and just telling it to hang up, kind of like a Wi-Fi deauth attack. Then there's the lack of SSL. SSL and TLS have been in Asterisk since version 1.6, which was released in 2008. If SIP is open and controls aren't in place, you can do your brute forcing of that. That's very common. If anybody runs a PBX, you'll see someone trying to hammer your server all day long. All day long, it never stops. If it does stop and you ban them, they'll come from somewhere else.

Let's move on to A3, cross-site scripting. Who would have thought that phones would have cross-site scripting, right? It's a telephone. Believe it or not, they have it. This screenshot is from a previous presentation I've done, but it's still the same: we see a pop-up box. It's somewhat covered by injection. I mean, it's an outcome of injection, as you get a cross-site script. This could be very interesting with some payloads or some custom payloads, or if you're using a company's portal and you find cross-site scripting on there, you could maybe use that cross-site scripting to map out some phone stuff. This demo is from an XSS that was on a system, and what happened is there was an unauthenticated XSS, but the same software had an authenticated LFI. So take a look at the demo: basically you're using the XSS to facilitate that LFI from an administrator, if you were targeting them. So let's take a look. Is it playing yet? Let me press play. All right, so this is the unauthenticated one, and that's the payload, and I'm sorry for the jerkiness. It's just the way the video recorded.
So that is the payload that is sent, and that's to prove that it's unauthenticated. So we delete the file on the server. There's a shell, and this is the authenticated user. All right, so that's the actual payload that you would send to them, and when they move their mouse over the page, what's it doing? It just says, I mean, you'd have to change it if it was a real attack, but then when you look on the server there's a shell. So there's the shell; it's been owned. I mean, it's not rocket science, it's cross-site scripting, but it just happens to be a phone system, so that's why I wanted to show that.

Broken access control, A4. This is new for 2017, or they moved it around, but the example is "not my account." You see that. You have access to, or you access, something and it has a string and you change it. Victoria's Secret was very famous for this: when you placed an order, you could change the order number and you could see what somebody else had ordered, with the full account information. So I mean that can be translated for phone systems into a bad configuration, and this happens when sometimes you dial into a system and then you dial an extension, and maybe you can dial an external extension which happens to be a phone number that's externally routed. Maybe you can commit toll fraud with that. So it's related to the next one, which is security misconfiguration, which is very common, pretty common. SIP allowguest, since you're allowing anybody who wants to connect with a SIP client to connect, and it's difficult to control the context therein. The four-digit password for SIP clients, which may happen to be the same as the extension, is pretty common. You want to change that. Don't have your username the same as the authentication username. There are two separate ones in there for a reason. Conferencing misconfigurations: maybe you allow somebody to dial into the conference and then dial out. Default passwords, weak passwords.
I consider those misconfigurations, and then misconfigured dial plans and AGIs are probably the most common misconfiguration. AGI is like the CGI of Asterisk. So there is that.

Sensitive data exposure. Depends who you talk to, but voicemail, conferencing: pretty sensitive information may get talked about on those. Corporate directories, if you're dialing in, maybe there's some information in there that shouldn't be. We've seen it before. Others, probably the most famous, exploited that. And then the information not used as well: the username and password combination and enumeration. This is all I could come up with for mapping this to the OWASP Top 10. Once you're on the system there's a ton of information: usernames, passwords, voicemail passwords, credit card numbers, account numbers, verification. All of this is there once you're on a system, but if you're just talking about externally testing, maybe there's some sensitive information, maybe not. You have to dig in and find it.

Missing function level access control. These kind of overlap together when you're talking about phone systems. But a company or place I used to work had a system, a vendor had this system that they would dial into, and the only access control they had around this was the caller ID. They trusted the caller ID, and if you did your reconnaissance and knew who the vendors were, you could pretty much just dial into this system and you'd have full access with no password, because they trusted the caller ID. But everybody knows you can spoof your caller ID. So that was kind of a big fail. But it was very difficult to get them to say, "we really need to change this." So let's see what else we've got for missing function level access control. And like I was saying, these do overlap. A5, misconfiguration, is very related to missing function level access control, because if it's configured properly, you wouldn't have these issues.
Misconfiguration: if you're putting people back into a different context once they have authenticated, maybe they now have access to something they didn't have access to before. And reasonable use boils down to don't let people sit and camp on your phone lines all day long going through menus. And maybe if they're five levels deep, you find a combination and it gets you back to the first level. That's an issue. So have session timeouts for trunking, because you don't want to let too many people connect and exhaust your trunks, which you have to pay for.

Cross-site request forgery is very common for vendor apps and products, because not everybody patches those. The web-based configuration pages are very common and often vulnerable. And really, from a phone sense, this one doesn't really apply, right? There's no CSRF for dialing into phone systems. But if you did your enumeration properly, you would know which products a vendor was using and you'd be able to maybe target that more specifically. And we get into a situation kind of similar to CSRF, because all CSRF is, is exploiting a user's trust in a service.

And this is A9, the next one. I did a pivot chart in Excel which you probably can't really see. Actually, it comes out better on that screen than it does on mine. And it looks like really the best way into a phone system is through code execution or overflow, go figure, if you want a good level of access. I put as many phone-related ones as I could in there, and that's what it came up with. But I'm sure somebody with more Excel-fu and more risk experience could probably come up with something really fancy for that. It's just a little thing I've been working on. But when you're talking about components with known vulnerabilities, you're not talking about just the PBX. You have everything in the stack, right? Your soft phones, all the user agents, and everything in between. So it's really hard to patch everything. Everybody knows you can't patch everything.
But we wish you could. So one of the examples for a known vulnerability is this little box, a Cisco ATA 182. They still sell these for, I mean, what is it, 40, 60 bucks. And that's what translates your analog phone to be able to use SIP. And in 2002 they had a bug on it. But that's what it looks like if you find one on the web. That's what it looks like when you log in. And if you try to connect with SSL, you can't connect. And that's Cisco's end-of-life announcement from 2010. But these are still used. And the bug actually was you could bypass the authentication completely by sending a few headers in the HTTP request, which is great because, you know, everybody updates this box that's on their network, right? Nope. So I'm pretty sure that CSRF would work on that portal too if you really wanted to. So you really can't patch everything.

And then this is the last one for the OWASP Top 10: underprotected APIs, which is new. The AGI is your gateway interface that sits internal to the PBX there. It really isn't an externally facing API, but it may be underprotected, or there may not be controls in place for that. And then the ARI is the Asterisk RESTful Interface. That is often sitting on the web. And I'm sure other vendors all have their own APIs. WebRTC is coming up more and more. You see a lot of these with WebSockets misconfigured. There's a huge, huge attack surface for WebSockets, because not everybody, it's not had as much testing. And then user agents have their own APIs, like the soft phone, or the SIP phone in the picture actually runs JavaScript natively on the phone and it does JSON and JS. I'm sure the APIs, they do a pretty good job of securing this. They have pretty good security teams. I'm sure it's good.

This is what I would say the mapping for phone systems would look like. Just reordered it a little bit. Misconfiguration probably being the top one. And then going down those, you can all read those.
There's really no evidence or research into this. This is what I think, and I'd love to debate with people who would like to debate that and kind of do a good list for it, because the VoIP Security Alliance is kind of dead at this point. I think they've been dead. I know their website went down. Do what? I'm not wrong. Thank you. I mean, I was looking at it and I thought, man, it's been how many years since they've done anything? They were doing a good job before. Let's move on.

Using Asterisk to test: I made a Vagrant machine and it's in the GitHub repo. You can do it. You just have to configure a few things, the extensions.conf and the sip.conf. And once you do, you get a console, and then you can configure things like your AGIs. And it's very similar to, you know, a router or Metasploit. You can see the great syntax there, `core show help`, `core show help`, and that will show you how to use it, trust me. Now, it's not very easy to use, and the best thing you can do to learn is at the bottom, the command reference, if you want to get into it. You use any of the soft phones to connect once you have it configured.

So this is more of the fun stuff. So for my job, they said they wanted to test the phone systems. So, okay, I actually got put on as a secondary to it, because one of the other testers snapped that up from the queue, and they said, okay, what do you want to test? We'll give you the phone number, you can just dial in. And you can test it, right? Okay. Well, it sounds a lot like QA to me. It doesn't really sound like testing. But the other tester, he was using a modem and AT commands and going through, and he actually, because he heard the intro, the music, too many times now. If he hears it again, he wins this. But I didn't like that. I didn't want to sit there dialing the same thing all day and just hopefully coming across something. So I had this idea, from some previous things we've done, to kind of do a man in the middle.
And I didn't have any idea if it would work. And it's nothing new from an attack perspective, but it sure beats sitting there and dialing numbers all day. What happened was we came up with two vectors for it. We call the first one the fat finger squat, and the second one is the spoof target vish. The first one, anybody who's familiar with Crank Yankers or pranksters would kind of know this one. And then the spoof target vish, or the fat finger squat: what we have there is this guy. He looks like a pirate with one hand, and it's only a hook. So when he dials who he thought he was dialing, he actually dials the Grim Reaper in this case, who just goes ahead and patches that to the person he thought he was calling. Based off of, say, Crank Yankers, right, you heard that, like the lady said, it wasn't a Honda dealership. So in this case it's a little bit more malicious. Instead of pranking her, they just patch her through and then listen to everything.

So let's test the audio for this. What I did was I forwarded my home phone number to our corporate line. Let's see. For the demo, I did not use our corporate line, because any company would be vulnerable to this, because really there's nothing you can do. Let's see if we have any audio. No audio. I've got my volume up to max. Let's plug it in. We can do that. We can unplug it and use the mic. We have to do something, because there's really no sound. I don't have any sound. This is great. It won't let me do anything. What a demo fail. It wasn't even a hard demo. Let's see now if we have sound. It's all right. We've got some time. There's not much left to come. What's going on with this? Let's plug it in. It doesn't sound hot there. It just goes crazy. Now the signal is gone. Don't you love it when things go so smoothly? Have I tried turning the top on again? That's the HDMI. That's the best. The best sound ever. I just plugged in HDMI. I just unplugged the HDMI because I lost everything from it.
It's coming back up now. Let's take a look. Sorry, guys. They told me to do it for the quarter inch. This is weird. Is it logged in? Nope. It's frozen now. What? It's great. Let's get this thing going. Somebody put a magnet under here. Classic demo-time tradition. She's frozen. It's busted now. It was set to the quarter inch. We're giving it a patient and good minute. It was stuck on the other one when I tried to do it. We'll change the audio out. When it boots, we'll give it a shot. Hooray. It's your first time speaking. It has to happen. One and a half, I guess. Let's jump into some preferences and get the speaker up here. Then we can choose the output device. You can do internal speakers and use the mic. Let's give that a shot. Sorry about that. I have to switch the monitors again. Let's use the mic. How are we doing on time now? I lost it.

This is the demo for it. I had to call the New York Public Library, because I didn't know who else to call that wouldn't get me in trouble. Let's see. We will skip the recorded demo. You can trust me that it works. I have a recording of it. I'll put that in the GitHub too. The spoof target vish is pretty much the same thing, but it was an add-on for it. Basically what you have now is the attacker has taken it into their own hands and is calling the guy with one hand. Maybe he has a context. Maybe he saw him complaining on Twitter about how his service wasn't working. The attacker then goes, "hey, I'm going to call this guy and calm him down. Then I'll patch him into the real place." If the demo had worked, what you'd be left with is a recording, which would contain, what would that contain? Maybe DTMF tones, or maybe voice authentication. That would be relevant to something you might have an interest in. Yeah, if you've got DTMF tones in there, you can potentially decode those. It's pretty difficult to decode them, to be honest.
Because of codecs. It can be done, and it could possibly be done better with a hardware decoder or maybe an ATA, or if somebody with more skills comes in. And when it's intercepted the call fully disconnects it from the other side. But that would be a problem, right, if you're entering account numbers, you can see that. What happens a lot of times is when you type a number, it will repeat it back to you if you're using an IVR system: when they say "please enter your account number," it says, "you entered 1, 2, 3, 4, 5, is this correct?" That's kind of a problem. So let's see if this one works. 1, 2, 0, right? So yeah, if you can't decode the DTMF, sometimes it just plays it back to you. Which is, I mean, maybe a problem for you, maybe it's not.

But for me it's a project we've been working on; it's all on GitHub. We're messing around with voicemail stuff and spoofing caller IDs, and hey, if you got a phone call from your voicemail, would you answer it? Would you enter your PIN? So that's kind of what this was spawned out of, and I put an RTFM on there because, if anybody's seen the Red Team Field Manual, there is nothing in there about voice, so I've started compiling tools and things you can use to test phone systems in there, and I've done as much as I can; there are more changes to come to it. I've got some ideas and things to do. Which other demo? This one? Yeah, there's not a whole lot to it. I can try. "Our normal hours of operation are Monday through Saturday from 9 to 6. You can email your reference question or tap the reference button. For the hours and locations of the Schwarzman Building, please press 1." So that was what happened when you call my home phone number now: I just forward it through to NYPL and record it. Not much for a demo, but it's something. And coming from "here's a phone number, can you test it," that was kind of a cool thing to do.

Some additional things you can look at if you're interested in VoIP.
It was published in about 2005, but it's a really good book. It has a ton of information. I think it's about 800 pages. And Fatih, he does the VoIP Wars talks; he's in a bunch of stuff here at DEF CON and all around the world. He's done a lot of really good stuff. Anything from him is pretty much awesome. And Jason Ostrom did VoIP Hopper; if you want to hack a phone system you can hop VLANs. That was really good. And then just for reference, there's the VoIP one at the bottom there. That's about all I have. I'd really like to see more people get interested in phone systems, because you know you have 2600 and the phreaks. And there's Telephreak too. But it doesn't seem like a whole bunch of people are testing their phone systems. I submitted this talk and you guys accepted it. Yeah, I mean, things have been evolving at a rapid rate, but have we been testing? I don't know. So hopefully it was useful, gave you guys some insight, some things you could do, and got you interested. And if you have any ideas or things you want to suggest, then you can catch me afterwards. I'll be down there; catch me on other websites. That's it, thank you very much.
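The speaker's point that an exposed SIP port gets hammered all day, and that banning one address just moves the attempts to another, suggests two detections a PBX operator wants: many failures from one address, and one extension being tried from many addresses. The following is an added example (not code from the talk or from the speaker's GitHub repo): a small detector over log lines written in the style of Asterisk's res_security_log `key="value"` events. All sample lines and addresses are constructed; the field names follow Asterisk's security event format as I know it, but your own log output is the reference.

```python
"""Flag SIP brute forcing in Asterisk-style security log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# res_security_log writes events as comma-separated key="value" pairs
_KV = re.compile(r'(\w+)="([^"]*)"')

# Asterisk security event types that mean an authentication attempt failed
FAIL_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed", "FailedACL"}

# Constructed sample log: one host hammers extension 1001, then the same
# extension is tried from several other addresses after the first one stops.
SAMPLE_LOG = """\
[2017-07-28 10:15:01] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-07-28T10:15:01.000-0700",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2017-07-28 10:15:03] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-07-28T10:15:03.000-0700",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2017-07-28 10:15:05] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-07-28T10:15:05.000-0700",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2017-07-28 10:15:07] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-07-28T10:15:07.000-0700",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2017-07-28 10:15:09] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-07-28T10:15:09.000-0700",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2017-07-28 10:16:00] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2017-07-28T10:16:00.000-0700",Severity="Informational",Service="SIP",AccountID="1002",RemoteAddress="IPV4/UDP/10.0.0.20/5060"
[2017-07-28 10:20:00] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-07-28T10:20:00.000-0700",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2017-07-28 10:21:00] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2017-07-28T10:21:00.000-0700",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/198.51.100.8/5060"
[2017-07-28 10:22:00] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-07-28T10:22:00.000-0700",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/192.0.2.9/5060"
"""


def parse_event(line):
    """Return the event's fields as a dict, or None for a non-security line."""
    if 'SecurityEvent="' not in line:
        return None
    fields = dict(_KV.findall(line))
    # EventTV carries fractional seconds and a UTC offset; the first 19
    # characters are the plain timestamp, which is enough for windowing.
    fields["time"] = datetime.strptime(fields["EventTV"][:19], "%Y-%m-%dT%H:%M:%S")
    # RemoteAddress looks like IPV4/UDP/203.0.113.5/5060; keep the host only
    fields["remote_ip"] = fields["RemoteAddress"].split("/")[2]
    return fields


def detect_bruteforce(lines, per_ip_threshold=5, per_account_ips=3,
                      window=timedelta(minutes=10)):
    """Return alerts as (kind, subject, count) tuples, in the order raised.

    kind "ip": one address produced per_ip_threshold failures inside window
               (the fail2ban-style case).
    kind "account": one AccountID was attacked from per_account_ips distinct
               addresses inside window (the attacker moved to another host).
    """
    failures = [e for e in map(parse_event, lines) if e and e["SecurityEvent"] in FAIL_EVENTS]
    failures.sort(key=lambda e: e["time"])

    by_ip = defaultdict(list)        # ip -> timestamps of failures in window
    by_account = defaultdict(list)   # account -> (timestamp, ip) in window
    flagged_ips, flagged_accounts = set(), set()
    alerts = []

    for ev in failures:
        now, ip, account = ev["time"], ev["remote_ip"], ev["AccountID"]

        # sliding window per source address
        hits = by_ip[ip]
        hits.append(now)
        while hits and now - hits[0] > window:
            hits.pop(0)
        if len(hits) >= per_ip_threshold and ip not in flagged_ips:
            flagged_ips.add(ip)
            alerts.append(("ip", ip, len(hits)))

        # sliding window per targeted account, counting distinct sources
        tries = by_account[account]
        tries.append((now, ip))
        while tries and now - tries[0][0] > window:
            tries.pop(0)
        sources = {src for _, src in tries}
        if len(sources) >= per_account_ips and account not in flagged_accounts:
            flagged_accounts.add(account)
            alerts.append(("account", account, len(sources)))

    return alerts


if __name__ == "__main__":
    for kind, subject, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {subject} ({count})")
```

The per-address alert is what a ban list acts on; the per-account alert is the one that still fires after the ban, and is the signal to disable or re-key the extension rather than chase addresses.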