Sandro Gauci (Founder, EnableSecurity) & Joffrey Czarny (Devoteam Security)

Presentation Title: HITB Labs: VoIP Security: Attacking CUCM
Presentation Abstract

We’re going to cover different signaling protocols and how one can scan for them. The outline of this 2-hour lab session is as follows:

Attacking Signalling Protocols

SIP Protocol
1. Scanning
a. How and why it works
b. Using svmap, nmap and smap
c. Fingerprinting SIP

2. Attacks
a. Credential grabbing
b. Enumerating extensions, the protections against it, and bypassing those protections
c. SIP UPDATE or re-INVITE

3. Cracking digest authentication (online and offline attacks)

4. Various attacks related to SIP
a. Finding SIP open relays (toll fraud and accessing internal systems)

5. DoS
a. Malformed messages (e.g. SIP messages that crash a PBX)
b. Flooding is effective: various types of flooding

SCCP
1. Protocol
2. Scanning
3. Attacks
a. Capturing FAC codes
b. MiTM (SCCP proxy)
c. CallManager hijacking/spoofing and crashing the phone

Attacking Cisco CallManager

1. CCMuser SQL injection
2. Webdialer
3. Jailbreaking CUCM

Attacks on Client “Hard Phones”

1. Extension mobility abuse
a. Grabbing credentials
b. Taking control of the phone
c. DoS

2. URI feature abuse
a. Remote control
b. Displaying fake messages remotely
c. Remote wiretapping

About Sandro Gauci

Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 10 years’ experience in the security industry and focuses on analysing security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked with various vendors, such as Microsoft and Sun, to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and of VOIPPACK for CANVAS.

About Joffrey Czarny

Joffrey Czarny works for the Devoteam Security Business Unit (FR). A pentester since 2001, Joffrey has released advisories on Cisco VoIP products and has spoken at various security-focused conferences (Wireless Conference at Infosec Paris and Wireless Workshop at Hack.lu 2005, VoIP at Hack.lu 2007/2008 and ITunderground 2008/2009). On his site, www.insomnihack.net, he maintains the Elsenot project (http://insomnihack.net/elsenot/) and posts video tutorials and tools on several security topics.