HAXPO: Attacking Encrypted VOIP Protocols

This talk will be LIVE STREAMED on YouTube: http://youtube.com/hitbsecconf


 

More and more classic voice, video, messaging and phone communication is moving onto IP-based networks, hence the acronym VOIP (Voice Over IP). To enable voice and video transmission over IP networks, one of the most prevalent VOIP protocols is SIP – Session Initiation Protocol. SIP is a control protocol that facilitates the negotiation of various voice protocol transmission attributes, including the authentication of the calling parties. Interception of unencrypted SIP traffic allows an attacker to brute-force the passwords, because the session dialog executes in clear text. Metasploit framework comes with two tools, sipdump and sipcrack, which parse the pcap traffic of a captured SIP session and perform password recovery. Recently, however, this task has become more difficult as more and more providers deploy encrypted SIP communication, mostly by deploying some kind of SSL/TLS encrypted communication channel.

This presentation will discuss two aspects of attacking encrypted SIP transmission: interception and decryption of the SIP session, and streamlined password recovery via a newly developed tool. The interception and decryption are done using the existing mitm_relay.py intercepting proxy chained with a BURP proxy. The password recovery is streamlined by a newly developed utility which parses the output of mitm_relay.py and runs a brute-force attack on the digest authentication using the extracted SIP session attributes. This new tool is required because the existing sipdump cannot parse the output of mitm_relay.py, and hence sipcrack cannot crack the passwords. By combining interception and decryption on one side with automated parsing of the decrypted output and password recovery on the other, I provide a streamlined process for compromising the SIP session. It is worth noting that SIP digest authentication uses the same algorithm as HTTP digest authentication; therefore, the same attack model can be used against both SIP and HTTP(S) sessions that use digest authentication. This presentation focuses on SIP session analysis only.
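The point that SIP and HTTP share one digest algorithm can be shown from the server's side. The following is an added example, not the speaker's tool or code from the talk: a server-side verifier that recomputes the RFC 2617 MD5 digest response and accepts both an HTTP and a SIP credential. The HTTP header is the RFC 2617 section 3.5 example; the SIP user, realm, nonce and URI are constructed values, and all function names are hypothetical.

```python
import hashlib
import hmac
import re

_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

# Authorization header from the RFC 2617 section 3.5 example (password "Circle Of Life").
RFC2617_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

def parse_digest(header_value):
    """Split a Digest credential into a dict of its parameters."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k.lower(): (q or t) for k, q, t in _PAIR.findall(params)}

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def expected_response(fields, method, password):
    """RFC 2617 response for algorithm=MD5; the same formula serves HTTP and SIP."""
    if fields.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha1 = _md5(f"{fields['username']}:{fields['realm']}:{password}")  # only secret input
    ha2 = _md5(f"{method}:{fields['uri']}")
    if "qop" not in fields:  # RFC 2069-compatible form without qop
        return _md5(f"{ha1}:{fields['nonce']}:{ha2}")
    if fields["qop"] != "auth":
        raise ValueError("only qop=auth is handled here")
    return _md5(f"{ha1}:{fields['nonce']}:{fields['nc']}:{fields['cnonce']}:auth:{ha2}")

def verify(header_value, method, password):
    """Server-side check: recompute the response and compare in constant time."""
    fields = parse_digest(header_value)
    return hmac.compare_digest(expected_response(fields, method, password),
                               fields["response"].lower())

def constructed_sip_header(password):
    """Constructed SIP REGISTER credential (every value is invented for this example)."""
    f = {"username": "alice", "realm": "pbx.example.test",
         "nonce": "constructed-nonce", "uri": "sip:pbx.example.test"}
    f["response"] = expected_response(f, "REGISTER", password)
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in f.items())
```

Every input to the response except the password travels in the dialog itself, so the confidentiality of the transport and the strength of the password are what protect the credential.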

HAXPO TRACK

Location: Track 4 / HAXPO
Date: May 10, 2019
Time: 11:30 am - 12:00 pm
Ivica Stipovic