SlideShare a Scribd company logo

VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)

Fatih Ozavci
Fatih Ozavci

Enterprise companies are increasingly using Microsoft Lync 2010/2013 (a.k.a Skype for Business 2015) services as call centre, internal communication, cloud communication and video conference platform. These services are based on the VoIP and instant messaging protocols, and support multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones and teleconference devices. Also the official clients are available for mobile devices (e.g. Windows phone, Android and iOS), desktops (Mac, Linux and Windows) and web applications developed with .NET framework. Although the Microsoft Lync platform has been developed along with the new technologies, it still suffers from old VoIP, teleconference and platform issues. Modern VoIP attacks can be used to attack Microsoft Lync environments to obtain unauthorised access to the infrastructure. Open MS Lync frontend and edge servers, insecure federation security design, lack of encryption, insufficient defence for VoIP attacks and insecure compatibility options may allow attackers to hijack enterprise communications. The enterprise users and employees are also the next generation targets for these attackers. They can attack client soft phones and handsets using the broken communication, invalid protocol options and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud and intelligence collection. Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented with newly published vulnerabilities and Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment. • A brief introduction to Microsoft Lync ecosystem • Security requirements, design vulnerabilities and priorities • Modern threats against commercial Microsoft Lync services • Demonstration of new attack vectors against target test platform

Technology
1 of 48
Download to read offline
Compliance, Protection & Business Confidence  Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne Level 15, 401 Docklands Drv Docklands VIC 3008 Australia T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au ABN: 14 098 237 908 1 VoIP Wars: Destroying Jar Jar Lync 13 November 2015 Fatih Ozavci
Speaker Fatih Ozavci, Principal Security Consultant • VoIP & phreaking • Mobile applications and devices • Network infrastructure • CPE, hardware and IoT hacking • Author of Viproy, Viproxy and VoIP Wars research series • Public speaker and trainer Blackhat USA, Defcon, HITB, AusCert, Troopers, Ruxcon 2
3 Previously on VoIP Wars
4 Current research status • This is only the first stage of the research • Analysing the security requirements of various designs • Developing a tool to • assess communication and voice policies in use • drive official client to attack other clients and servers • debug communication for further attacks • Watch this space • Viproy with Skype for Business authentication support • Potential vulnerabilities to be released
5 Agenda 1. Modern threats targeting UC on Skype for Business 2. Security requirements for various implementations 3. Security testing using Viproxy 4. Demonstration of vulnerabilities identified
6 Security requirements for UC Corporate Communication Commercial Services VLAN Hopping CDP/DTP Attacks Device Tampering MITM Skinny Encryption Authentication DHCP Snooping SIP Physical Security Trust Relationships DDoS Call Spoofing File/Screen Sharing Messaging Toll Fraud Mobile/Desktop Clients Voicemail Botnets Proxy Hosted & Distributed Networks Call Centre Hosted VoIP SSO Federation WebRTC Management Sandbox Encryption Isolation Mobile/Desktop Clients Competitors
7 Modern threats targeting UC
8 Skype for Business M icrosoftLive Com m unications 2005 M icrosoftOffice Com m unicator 2007 M icrosoftLync 2000 -2013 M icrosoftSkype for Business2015
9 UC on Skype for Business • Active Directory, DNS (SRV, NAPTR/Enum) and SSO • Extensions to the traditional protocols • SIP/SIPE, XMPP, OWA/Exchange • PSTN mapping to users • Device support for IP phones and teleconference systems • Mobile services • Not only for corporate communication • Call centres, hosted Lync/Skype services • Office 365 online services, federated services
10 VoIP basics 1- REGISTER 1- 200 OK 2- INVITE 3- INVITE 2- 100 Trying 3- 200 OK 4- ACK RTP Proxy SRTP (AES) Client A Client B SRTP (AES) 4- 200 OK RTP Proxy SRTP (AES) Skype for Business 2015
11 Corporate communication Windows 2012 R2 Domain Controller Windows 2012 R2 Exchange & OWA Skype for Business 2015 Mobile Devices Laptops Phones & Teleconference Systems Services: • Voice and video calls • Instant messaging • Presentation and collaboration • File and desktop sharing • Public and private meetings PSTN Gateway SIP Trunk SIP/TLS ?
12 Federated communication Services: • Federation connections (DNS, Enum, SIP proxies) • Skype for Business external authentication • Connecting the users without individual setup • Public meetings, calls and instant messaging DNS Server Skype for Business 2015 ABC Enterprise Federation communication SIP/TLS ? Mobile ABC Laptop ABC Skype for Business 2015 Edge Server ABC Enterprise Skype for Business 2015 XYZ Enterprise DNS & Enum Services Mobile XYZ
13 Supported client features https://technet.microsoft.com/en-au/library/dn933896.aspx
14 Supported client features https://technet.microsoft.com/en-au/library/dn933896.aspx Give control? Give control?
15 Security of Skype for Business • SIP over TLS is enforced for clients by default • SRTP using AES is enforced for clients by default • SIP replay attack protections are used on servers • Responses have a signature of the critical SIP headers • Content itself and custom headers are not in scope • Clients validate the server response signatures • SIP trunks (PSTN gateway) security • TLS enabled and IP restricted • No authentication support
16 Research and vulnerabilities related • Defcon 20 – The end of the PSTN as you know it • Jason Ostrom, William Borskey, Karl Feinauer • Federation fundamentals, Enumerator, Lyncspoof • Remote command execution through vulnerabilities on the font and graphics libraries (MS15-080, MS15-044) • Targeting Microsoft Lync users with malwared Microsoft Office files • Denial of service and XSS vulnerabilities (MS14-055)
17 Security testing • 3 ways to conduct security testing • Compliance and configuration analysis • MITM analysis (Viproxy 2.0) • Using a custom security tester (Viproy 4.0 is coming soon) • Areas to focus on • Identifying design, authentication and authorisation issues • Unlocking client restrictions to bypass policies • Identifying client and server vulnerabilities • Testing business logic issues, dial plans and user rights
18 Discovering Skype for Business • Autodiscovery features • Autodiscovery web services • Subdomains and DNS records (SRV, NAPTR) • Web services • Authentication, Webtickets and TLS web services • Meeting invitations and components • Skype for Business web application • Active Directory integration • Information gathering via server errors
19 Corporate communication policy • Design of the communication infrastructure • Phone numbers, SIP URIs, domains, federations, gateways • Client type, version and feature enforcements • Meeting codes, security, user rights to create meetings • Open components such as Skype for Business web app • Feature restrictions on clients • File, content and desktop sharing restrictions • User rights (admin vs user) • Encryption design for signalling and media
20 Corporate communication policy The default/custom policies should be assigned to users and groups
21 Corporate communication policy • Meeting rights to be assigned by users • Policies assigned are in use
22 SRTP AES implementation • SRTP using AES is enforced for clients (No ZRTP) • SIP/TLS is enforced for clients • SIP/TLS is optional for SIP trunks and PSTN gateways • Compatibility challenges vs Default configuration • SIP/TCP gateways may leak the SRTP encryption keys a=ice-ufrag:x30M a=ice-pwd:oW7iYHXiAOr19UH05baO7bMJ a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:Gu +c81XctWoAHro7cJ9uN6WqW7QPJndjXfZsofl8|2^31|1:1
23 MITM analysis using Viproxy • Challenges • SIP/TLS is enabled by default • Microsoft Lync clients validate the TLS cert • Compression is enabled, not easy to read • Viproxy 2.0 • A standalone Metasploit module • Supports TCP/TLS interception with TLS certs • Disables compression • Modifies the actions of an official client • Provides a command console for real-time attacks
• Debugging the protocol and collecting samples • Basic find & replace with fuzzing support • Unlocking restricted client features • Bypassing communication policies in use • Injecting malicious content 24 Viproxy test setup Windows 10 Skype for Business Clients Viproxy 2.0 MS Lync for Mac 2011 Client to be used for attacks Windows 2012 R2 Skype for Business 2015 Server
25 Analysing the corporate policy • Instant Messaging (IM) restrictions • File type filters for the file transfers • URL filters for the messaging • Set-CsClientPolicy (DisableEmoticons, DisableHtmlIm, DisableRTFIm) • Call forwarding rights • Meeting rights • Federated attendees • Public attendees • Clients’ default meeting settings • Insecure client versions allowed
26 Attack surfaces on IM and calls • Various content types (HTML, JavaScript, PPTs) • File, desktop and presentation sharing • Limited filtering options (IIMFilter) • File Filter (e.g. exe, xls, ppt, psh) • URL Filter (e.g. WWW, HTTP, call, SIP) • Set-CsClientPolicy (DisableHtmlIm, DisableRTFIm) • Clients process the content before invitation • Presence and update messages • Call and IM invitation requests • Mass compromise via meetings and multiple endpoints
27 How Skype for Business sees VoIP • Custom SIP extensions • XML based INVITE and SUBSCRIBE content • HTML/Javascript based messaging (IM) • Instant and unusual disconnects • C# and C++ combination for apps • File and desktop sharing through RTP sessions
28 Parsing errors and exceptions
29 Microsoft security advisories CVE-2015-6061 (MS15-123) Impact: • Unauthorised script execution • Security bypass https://technet.microsoft.com/en-us/library/security/ms15-123.aspx https://support.microsoft.com/en-us/kb/3105872
30 Bypassing URL filter in IM IM URL filter for Microsoft Skype for Business 2015 (Microsoft Lync 2013) server can be bypassed with content obfuscation <script>var u1=“ht”; u2=“tp”; u3=“://”;o=“w”; k=“.”; i=““; u4=i.concat(o,o,o,k); window.location=u1+u2+u3+u4+”senseofsecurity.com”</script>
31 URL filter bypass Reverse browser visiting Windows 10 Skype for Business Client Malicious MESSAGE
32 URL filter bypass
33 Sending INVITEs w/ HTML/XSS Microsoft Skype for Business 2015 (Microsoft Lync 2013) client executes HTML and JavaScript content in the SIP INVITE request headers without user interaction • No user interaction required Ms-IM-Format: text/html; charset=UTF-8; ms- body=PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cuc2Vuc 2VvZnNlY3VyaXR5LmNvbS5hdSI8L3NjcmlwdD4K Base64 decode: <script>window.location=“http://www.senseofsecurity.com.au"</script>
34 Fake Skype update via INVITE
35 Fake Skype update via INVITE
36 Multi endpoint communication • Meeting requests • Private meetings, Open meetings, Web sessions • Multi callee invitations and messages • Attacks do not need actions from the attendees/callees • Injecting endpoints to the requests • XML conference definitions in the INVITE requests • INVITE headers • Endpoint headers • 3rd party SIP trunk, PSTN gateway or federation
37 Sending messages w/ HTML/XSS Microsoft Skype for Business 2015 (Microsoft Lync 2013) client executes HTML and JavaScript content in the SIP MESSAGE requests without user interaction • No user interaction required Content-type: text/html <script>window.location="http:// www.senseofsecurity.com.au"</script>
38 Mass compromise of clients Windows 10 Skype for Business Clients Viproy 4.0 Windows 2012 R2 Skype for Business 2015 Server BEEF Framework Waiting for the XSS hooks Reverse browser hooks CentOS Linux Freeswitch SIP Trunk PSTN Gateway
39 Mass compromise of clients
40 Mass compromise of clients
41 Second stage of the research Analysis of • mobile clients and SFB web app • SFB meeting security and public access • federation security and trust analysis • Further analysis of the crashes and parsing errors identified for exploitation • Social engineering templates for Viproxy and Viproy • Viproy 4.0 with Skype for Business authentication, fuzzing and discovery support
42 Securing Unified Communications Secure design is always the foundation • Physical security of endpoints (e.g. IP phones, teleconference rooms) should be improved • Networks should be segmented based on their trust level • Authentication and encryption should be enabled • Protocol vulnerabilities can be fixed with secure design • Disable unnecessary IM, call and meeting features • Software updates should be reviewed and installed
43 Black Hat Sound Bytes • Microsoft Skype for Business 2015 is the next-generation Unified Communications system, though it still has legacy vulnerabilities and design issues. • There are new security testing tools to test it with new vulnerabilities and techniques which are Viproxy and Viproy. • Secure design is the foundation for securing Unified Communications, and it reduces the attack surfaces.
44 Previously on VoIP Wars VoIP Wars I: Return of the SIP (Defcon, Cluecon, Ruxcon, Athcon) •Modern VoIP attacks via SIP services explained •SIP trust hacking, SIP proxy bounce attack and attacking mobile VoIP clients demonstrated •https://youtu.be/d6cGlTB6qKw VoIP Wars II : Attack of the Cisco phones (Defcon, Blackhat USA) •30+ Cisco HCS vulnerabilities including 0days •Viproy 2.0 with CUCDM exploits, CDP and Skinny support •Hosted VoIP security risks and existing threats discussed •https://youtu.be/hqL25srtoEY The Art of VoIP Hacking Workshop (Defcon, Troopers, AusCERT, Kiwicon) •Live exploitation exercises for several VoIP vulnerabilities •3 0day exploits for Vi-vo and Boghe VoIP clients •New Viproy 3.7 modules and improved features •https://www.linkedin.com/pulse/art-voip-hacking-workshop-materials-fatih-ozavci
45 References Viproy VoIP Penetration and Exploitation Kit Author : http://viproy.com/fozavci Homepage : http://viproy.com Github : http://www.github.com/fozavci/viproy-voipkit VoIP Wars : Attack of the Cisco Phones https://youtu.be/hqL25srtoEY VoIP Wars : Return of the SIP https://youtu.be/d6cGlTB6qKw
46 https://www.senseofsecurity.com.au/aboutus/careers
47 Questions
48 Thank you Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text or images can be reproduced without written permission. T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au

Recommended

Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)Fatih Ozavci
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenFatih Ozavci
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksn|u - The Open Security Community
 
Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Fatih Ozavci
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 

Recommended

Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)VoIP Wars: Destroying Jar Jar Lync (Filtered version)
VoIP Wars: Destroying Jar Jar Lync (Filtered version)Fatih Ozavci
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenFatih Ozavci
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksn|u - The Open Security Community
 
Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Departed Communications: Learn the ways to smash them!
Departed Communications: Learn the ways to smash them!Fatih Ozavci
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesFatih Ozavci
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP Fatih Ozavci
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.Sumutiu Marius
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problemsseanhn
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsFatih Ozavci
 
Introduction to VoIP Security
Introduction to VoIP SecurityIntroduction to VoIP Security
Introduction to VoIP Securityn|u - The Open Security Community
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowDan York
 
Voip security
Voip securityVoip security
Voip securityShethwala Ridhvesh
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateWave Italia SpA
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tpseudor00t overflow
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopFelipe Prado
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communicationssbwahid
 
Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)SI3D systems
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxingNick Straughan
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLSOlle E Johansson
 
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Encryption
 
Ict encryption agt_fabio_pietrosanti
Ict encryption agt_fabio_pietrosantiIct encryption agt_fabio_pietrosanti
Ict encryption agt_fabio_pietrosantiPrivateWave Italia SpA
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting StartedAlan Percy
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceSuhas Desai
 
O365Engage17 - Skype for Business Cloud PBX in the Real World
O365Engage17 - Skype for Business Cloud PBX in the Real WorldO365Engage17 - Skype for Business Cloud PBX in the Real World
O365Engage17 - Skype for Business Cloud PBX in the Real WorldNCCOMMS
 
Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...
Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...
Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...Nordic Infrastructure Conference
 

More Related Content

What's hot

The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP Fatih Ozavci
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.Sumutiu Marius
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problemsseanhn
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsFatih Ozavci
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowDan York
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateWave Italia SpA
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tpseudor00t overflow
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopFelipe Prado
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communicationssbwahid
 
Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)SI3D systems
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLSOlle E Johansson
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting StartedAlan Percy
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceSuhas Desai
 

What's hot (20)

The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
 
BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.BlackHat Hacking - Hacking VoIP.
BlackHat Hacking - Hacking VoIP.
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problems
 
MBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile ApplicationsMBFuzzer : MITM Fuzzing for Mobile Applications
MBFuzzer : MITM Fuzzing for Mobile Applications
 
Introduction to VoIP Security
Introduction to VoIP SecurityIntroduction to VoIP Security
Introduction to VoIP Security
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To Know
 
Voip security
Voip securityVoip security
Voip security
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical Overview
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshop
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communications
 
Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)Product Overview: April 2015 (Si3D)
Product Overview: April 2015 (Si3D)
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxing
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS
 
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice Encryption
 
Ict encryption agt_fabio_pietrosanti
Ict encryption agt_fabio_pietrosantiIct encryption agt_fabio_pietrosanti
Ict encryption agt_fabio_pietrosanti
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting Started
 
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open SourceI N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source
 

Similar to VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)

O365Engage17 - Skype for Business Cloud PBX in the Real World
O365Engage17 - Skype for Business Cloud PBX in the Real WorldO365Engage17 - Skype for Business Cloud PBX in the Real World
O365Engage17 - Skype for Business Cloud PBX in the Real WorldNCCOMMS
 
Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...
Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...
Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...Nordic Infrastructure Conference
 
Offre revendeurs UC
Offre revendeurs UCOffre revendeurs UC
Offre revendeurs UCRachid ZINE
 
Expocomm VoIP Presentation
Expocomm VoIP PresentationExpocomm VoIP Presentation
Expocomm VoIP Presentationdiego gosmar
 
Introduction to FreeSWITCH
Introduction to FreeSWITCHIntroduction to FreeSWITCH
Introduction to FreeSWITCHChien Cheng Wu
 
Microsoft Unified Communications Summit
Microsoft Unified Communications SummitMicrosoft Unified Communications Summit
Microsoft Unified Communications SummitConcurrency, Inc.
 
Deploying lync evaluating costs and complexities
Deploying lync evaluating costs and complexitiesDeploying lync evaluating costs and complexities
Deploying lync evaluating costs and complexitiesFabrizio Volpe
 
LyncConference2013 - Dimensionnement et gestion des Réseaux
LyncConference2013 - Dimensionnement et gestion des RéseauxLyncConference2013 - Dimensionnement et gestion des Réseaux
LyncConference2013 - Dimensionnement et gestion des RéseauxMicrosoft Technet France
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL ProcessRocket Software
 
F5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityF5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityTzoori Tamam
 
Presentacion inConcert Allegro 2015
Presentacion inConcert Allegro 2015Presentacion inConcert Allegro 2015
Presentacion inConcert Allegro 2015Sebastian Davidsohn
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficShain Singh
 
O365con14 - lync to the future
O365con14 - lync to the futureO365con14 - lync to the future
O365con14 - lync to the futureNCCOMMS
 
Justin Morris - Understanding how lync server 2013 leverages the complete mic...
Justin Morris - Understanding how lync server 2013 leverages the complete mic...Justin Morris - Understanding how lync server 2013 leverages the complete mic...
Justin Morris - Understanding how lync server 2013 leverages the complete mic...Nordic Infrastructure Conference
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 

Similar to VoIP Wars: Destroying Jar Jar Lync (Unfiltered version) (20)

O365Engage17 - Skype for Business Cloud PBX in the Real World
O365Engage17 - Skype for Business Cloud PBX in the Real WorldO365Engage17 - Skype for Business Cloud PBX in the Real World
O365Engage17 - Skype for Business Cloud PBX in the Real World
 
Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...
Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...
Justin Morris - Enhancing your lync 2013 rollout to make it a killer success ...
 
Offre revendeurs UC
Offre revendeurs UCOffre revendeurs UC
Offre revendeurs UC
 
Expocomm VoIP Presentation
Expocomm VoIP PresentationExpocomm VoIP Presentation
Expocomm VoIP Presentation
 
Cloud PBX with Office 365 Webinar Slides
Cloud PBX with Office 365 Webinar SlidesCloud PBX with Office 365 Webinar Slides
Cloud PBX with Office 365 Webinar Slides
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
Introduction to FreeSWITCH
Introduction to FreeSWITCHIntroduction to FreeSWITCH
Introduction to FreeSWITCH
 
Microsoft Unified Communications Summit
Microsoft Unified Communications SummitMicrosoft Unified Communications Summit
Microsoft Unified Communications Summit
 
Deploying lync evaluating costs and complexities
Deploying lync evaluating costs and complexitiesDeploying lync evaluating costs and complexities
Deploying lync evaluating costs and complexities
 
LyncConference2013 - Dimensionnement et gestion des Réseaux
LyncConference2013 - Dimensionnement et gestion des RéseauxLyncConference2013 - Dimensionnement et gestion des Réseaux
LyncConference2013 - Dimensionnement et gestion des Réseaux
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
 
F5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityF5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric Security
 
Presentacion inConcert Allegro 2015
Presentacion inConcert Allegro 2015Presentacion inConcert Allegro 2015
Presentacion inConcert Allegro 2015
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
 
Delivering UC Flexibility
Delivering UC FlexibilityDelivering UC Flexibility
Delivering UC Flexibility
 
O365con14 - lync to the future
O365con14 - lync to the futureO365con14 - lync to the future
O365con14 - lync to the future
 
Justin Morris - Understanding how lync server 2013 leverages the complete mic...
Justin Morris - Understanding how lync server 2013 leverages the complete mic...Justin Morris - Understanding how lync server 2013 leverages the complete mic...
Justin Morris - Understanding how lync server 2013 leverages the complete mic...
 
ProSBC a Deep Dive
ProSBC a Deep DiveProSBC a Deep Dive
ProSBC a Deep Dive
 
[Carius] Skype Online, Teams, and PSTN
[Carius] Skype Online, Teams, and PSTN[Carius] Skype Online, Teams, and PSTN
[Carius] Skype Online, Teams, and PSTN
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 

More from Fatih Ozavci

Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiFatih Ozavci
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi KoruyunFatih Ozavci
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeFatih Ozavci
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiFatih Ozavci
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Fatih Ozavci
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarFatih Ozavci
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriFatih Ozavci
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiFatih Ozavci
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiFatih Ozavci
 

More from Fatih Ozavci (10)

Viproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik DenetimiViproy ile VoIP Güvenlik Denetimi
Viproy ile VoIP Güvenlik Denetimi
 
Mahremiyetinizi Koruyun
Mahremiyetinizi KoruyunMahremiyetinizi Koruyun
Mahremiyetinizi Koruyun
 
NGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik DenetimiNGN ve VoIP Ağları Güvenlik Denetimi
NGN ve VoIP Ağları Güvenlik Denetimi
 
Metasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit GelistirmeMetasploit Framework ile Exploit Gelistirme
Metasploit Framework ile Exploit Gelistirme
 
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim RehberiMetasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
Metasploit Framework - Giris Seviyesi Guvenlik Denetim Rehberi
 
Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar Bilgi Guvenligi Temel Kavramlar
Bilgi Guvenligi Temel Kavramlar
 
Mahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur YazilimlarMahremiyet Ekseninde Ozgur Yazilimlar
Mahremiyet Ekseninde Ozgur Yazilimlar
 
Ozgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri YontemleriOzgur Yazilimlar ile Saldiri Yontemleri
Ozgur Yazilimlar ile Saldiri Yontemleri
 
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik DenetimiOzgur Yazilimlar ile VoIP Guvenlik Denetimi
Ozgur Yazilimlar ile VoIP Guvenlik Denetimi
 
Metasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik DenetimiMetasploit Framework ile Güvenlik Denetimi
Metasploit Framework ile Güvenlik Denetimi
 

Recently uploaded

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)

  • 1. Compliance, Protection & Business Confidence  Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne Level 15, 401 Docklands Drv Docklands VIC 3008 Australia T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au ABN: 14 098 237 908 1 VoIP Wars: Destroying Jar Jar Lync 13 November 2015 Fatih Ozavci
  • 2. Speaker Fatih Ozavci, Principal Security Consultant • VoIP & phreaking • Mobile applications and devices • Network infrastructure • CPE, hardware and IoT hacking • Author of Viproy, Viproxy and VoIP Wars research series • Public speaker and trainer Blackhat USA, Defcon, HITB, AusCert, Troopers, Ruxcon 2
  • 4. 4 Current research status • This is only the first stage of the research • Analysing the security requirements of various designs • Developing a tool to • assess communication and voice policies in use • drive official client to attack other clients and servers • debug communication for further attacks • Watch this space • Viproy with Skype for Business authentication support • Potential vulnerabilities to be released
  • 5. 5 Agenda 1. Modern threats targeting UC on Skype for Business 2. Security requirements for various implementations 3. Security testing using Viproxy 4. Demonstration of vulnerabilities identified
  • 6. 6 Security requirements for UC Corporate Communication Commercial Services VLAN Hopping CDP/DTP Attacks Device Tampering MITM Skinny Encryption Authentication DHCP Snooping SIP Physical Security Trust Relationships DDoS Call Spoofing File/Screen Sharing Messaging Toll Fraud Mobile/Desktop Clients Voicemail Botnets Proxy Hosted & Distributed Networks Call Centre Hosted VoIP SSO Federation WebRTC Management Sandbox Encryption Isolation Mobile/Desktop Clients Competitors
  • 9. 9 UC on Skype for Business • Active Directory, DNS (SRV, NAPTR/Enum) and SSO • Extensions to the traditional protocols • SIP/SIPE, XMPP, OWA/Exchange • PSTN mapping to users • Device support for IP phones and teleconference systems • Mobile services • Not only for corporate communication • Call centres, hosted Lync/Skype services • Office 365 online services, federated services
  • 10. 10 VoIP basics 1- REGISTER 1- 200 OK 2- INVITE 3- INVITE 2- 100 Trying 3- 200 OK 4- ACK RTP Proxy SRTP (AES) Client A Client B SRTP (AES) 4- 200 OK RTP Proxy SRTP (AES) Skype for Business 2015
  • 11. 11 Corporate communication Windows 2012 R2 Domain Controller Windows 2012 R2 Exchange & OWA Skype for Business 2015 Mobile Devices Laptops Phones & Teleconference Systems Services: • Voice and video calls • Instant messaging • Presentation and collaboration • File and desktop sharing • Public and private meetings PSTN Gateway SIP Trunk SIP/TLS ?
  • 12. 12 Federated communication Services: • Federation connections (DNS, Enum, SIP proxies) • Skype for Business external authentication • Connecting the users without individual setup • Public meetings, calls and instant messaging DNS Server Skype for Business 2015 ABC Enterprise Federation communication SIP/TLS ? Mobile ABC Laptop ABC Skype for Business 2015 Edge Server ABC Enterprise Skype for Business 2015 XYZ Enterprise DNS & Enum Services Mobile XYZ
  • 15. 15 Security of Skype for Business • SIP over TLS is enforced for clients by default • SRTP using AES is enforced for clients by default • SIP replay attack protections are used on servers • Responses have a signature of the critical SIP headers • Content itself and custom headers are not in scope • Clients validate the server response signatures • SIP trunks (PSTN gateway) security • TLS enabled and IP restricted • No authentication support
  • 16. 16 Research and vulnerabilities related • Defcon 20 – The end of the PSTN as you know it • Jason Ostrom, William Borskey, Karl Feinauer • Federation fundamentals, Enumerator, Lyncspoof • Remote command execution through vulnerabilities on the font and graphics libraries (MS15-080, MS15-044) • Targeting Microsoft Lync users with malwared Microsoft Office files • Denial of service and XSS vulnerabilities (MS14-055)
  • 17. 17 Security testing • 3 ways to conduct security testing • Compliance and configuration analysis • MITM analysis (Viproxy 2.0) • Using a custom security tester (Viproy 4.0 is coming soon) • Areas to focus on • Identifying design, authentication and authorisation issues • Unlocking client restrictions to bypass policies • Identifying client and server vulnerabilities • Testing business logic issues, dial plans and user rights
  • 18. 18 Discovering Skype for Business • Autodiscovery features • Autodiscovery web services • Subdomains and DNS records (SRV, NAPTR) • Web services • Authentication, Webtickets and TLS web services • Meeting invitations and components • Skype for Business web application • Active Directory integration • Information gathering via server errors
  • 19. 19 Corporate communication policy • Design of the communication infrastructure • Phone numbers, SIP URIs, domains, federations, gateways • Client type, version and feature enforcements • Meeting codes, security, user rights to create meetings • Open components such as Skype for Business web app • Feature restrictions on clients • File, content and desktop sharing restrictions • User rights (admin vs user) • Encryption design for signalling and media
  • 20. 20 Corporate communication policy The default/custom policies should be assigned to users and groups
  • 21. 21 Corporate communication policy • Meeting rights to be assigned by users • Policies assigned are in use
  • 22. 22 SRTP AES implementation • SRTP using AES is enforced for clients (No ZRTP) • SIP/TLS is enforced for clients • SIP/TLS is optional for SIP trunks and PSTN gateways • Compatibility challenges vs Default configuration • SIP/TCP gateways may leak the SRTP encryption keys a=ice-ufrag:x30M a=ice-pwd:oW7iYHXiAOr19UH05baO7bMJ a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:Gu +c81XctWoAHro7cJ9uN6WqW7QPJndjXfZsofl8|2^31|1:1
  • 23. 23 MITM analysis using Viproxy • Challenges • SIP/TLS is enabled by default • Microsoft Lync clients validate the TLS cert • Compression is enabled, not easy to read • Viproxy 2.0 • A standalone Metasploit module • Supports TCP/TLS interception with TLS certs • Disables compression • Modifies the actions of an official client • Provides a command console for real-time attacks
  • 24. • Debugging the protocol and collecting samples • Basic find & replace with fuzzing support • Unlocking restricted client features • Bypassing communication policies in use • Injecting malicious content 24 Viproxy test setup Windows 10 Skype for Business Clients Viproxy 2.0 MS Lync for Mac 2011 Client to be used for attacks Windows 2012 R2 Skype for Business 2015 Server
  • 25. 25 Analysing the corporate policy • Instant Messaging (IM) restrictions • File type filters for the file transfers • URL filters for the messaging • Set-CsClientPolicy (DisableEmoticons, DisableHtmlIm, DisableRTFIm) • Call forwarding rights • Meeting rights • Federated attendees • Public attendees • Clients’ default meeting settings • Insecure client versions allowed
  • 26. 26 Attack surfaces on IM and calls • Various content types (HTML, JavaScript, PPTs) • File, desktop and presentation sharing • Limited filtering options (IIMFilter) • File Filter (e.g. exe, xls, ppt, psh) • URL Filter (e.g. WWW, HTTP, call, SIP) • Set-CsClientPolicy (DisableHtmlIm, DisableRTFIm) • Clients process the content before invitation • Presence and update messages • Call and IM invitation requests • Mass compromise via meetings and multiple endpoints
  • 27. 27 How Skype for Business sees VoIP • Custom SIP extensions • XML based INVITE and SUBSCRIBE content • HTML/Javascript based messaging (IM) • Instant and unusual disconnects • C# and C++ combination for apps • File and desktop sharing through RTP sessions
  • 28. 28 Parsing errors and exceptions
  • 29. 29 Microsoft security advisories CVE-2015-6061 (MS15-123) Impact: • Unauthorised script execution • Security bypass https://technet.microsoft.com/en-us/library/security/ms15-123.aspx https://support.microsoft.com/en-us/kb/3105872
  • 30. 30 Bypassing URL filter in IM IM URL filter for Microsoft Skype for Business 2015 (Microsoft Lync 2013) server can be bypassed with content obfuscation <script>var u1=“ht”; u2=“tp”; u3=“://”;o=“w”; k=“.”; i=““; u4=i.concat(o,o,o,k); window.location=u1+u2+u3+u4+”senseofsecurity.com”</script>
  • 31. 31 URL filter bypass Reverse browser visiting Windows 10 Skype for Business Client Malicious MESSAGE
  • 33. 33 Sending INVITEs w/ HTML/XSS Microsoft Skype for Business 2015 (Microsoft Lync 2013) client executes HTML and JavaScript content in the SIP INVITE request headers without user interaction • No user interaction required Ms-IM-Format: text/html; charset=UTF-8; ms- body=PHNjcmlwdD53aW5kb3cubG9jYXRpb249Imh0dHA6Ly93d3cuc2Vuc 2VvZnNlY3VyaXR5LmNvbS5hdSI8L3NjcmlwdD4K Base64 decode: <script>window.location=“http://www.senseofsecurity.com.au"</script>
  • 34. 34 Fake Skype update via INVITE
  • 35. 35 Fake Skype update via INVITE
  • 36. 36 Multi endpoint communication • Meeting requests • Private meetings, Open meetings, Web sessions • Multi callee invitations and messages • Attacks do not need actions from the attendees/callees • Injecting endpoints to the requests • XML conference definitions in the INVITE requests • INVITE headers • Endpoint headers • 3rd party SIP trunk, PSTN gateway or federation
  • 37. 37 Sending messages w/ HTML/XSS Microsoft Skype for Business 2015 (Microsoft Lync 2013) client executes HTML and JavaScript content in the SIP MESSAGE requests without user interaction • No user interaction required Content-type: text/html <script>window.location="http:// www.senseofsecurity.com.au"</script>
  • 38. 38 Mass compromise of clients Windows 10 Skype for Business Clients Viproy 4.0 Windows 2012 R2 Skype for Business 2015 Server BEEF Framework Waiting for the XSS hooks Reverse browser hooks CentOS Linux Freeswitch SIP Trunk PSTN Gateway
  • 41. 41 Second stage of the research Analysis of • mobile clients and SFB web app • SFB meeting security and public access • federation security and trust analysis • Further analysis of the crashes and parsing errors identified for exploitation • Social engineering templates for Viproxy and Viproy • Viproy 4.0 with Skype for Business authentication, fuzzing and discovery support
  • 42. 42 Securing Unified Communications Secure design is always the foundation • Physical security of endpoints (e.g. IP phones, teleconference rooms) should be improved • Networks should be segmented based on their trust level • Authentication and encryption should be enabled • Protocol vulnerabilities can be fixed with secure design • Disable unnecessary IM, call and meeting features • Software updates should be reviewed and installed
  • 43. 43 Black Hat Sound Bytes • Microsoft Skype for Business 2015 is the next-generation Unified Communications system, though it still has legacy vulnerabilities and design issues. • There are new security testing tools to test it with new vulnerabilities and techniques which are Viproxy and Viproy. • Secure design is the foundation for securing Unified Communications, and it reduces the attack surfaces.
  • 44. 44 Previously on VoIP Wars VoIP Wars I: Return of the SIP (Defcon, Cluecon, Ruxcon, Athcon) •Modern VoIP attacks via SIP services explained •SIP trust hacking, SIP proxy bounce attack and attacking mobile VoIP clients demonstrated •https://youtu.be/d6cGlTB6qKw VoIP Wars II : Attack of the Cisco phones (Defcon, Blackhat USA) •30+ Cisco HCS vulnerabilities including 0days •Viproy 2.0 with CUCDM exploits, CDP and Skinny support •Hosted VoIP security risks and existing threats discussed •https://youtu.be/hqL25srtoEY The Art of VoIP Hacking Workshop (Defcon, Troopers, AusCERT, Kiwicon) •Live exploitation exercises for several VoIP vulnerabilities •3 0day exploits for Vi-vo and Boghe VoIP clients •New Viproy 3.7 modules and improved features •https://www.linkedin.com/pulse/art-voip-hacking-workshop-materials-fatih-ozavci
  • 45. 45 References Viproy VoIP Penetration and Exploitation Kit Author : http://viproy.com/fozavci Homepage : http://viproy.com Github : http://www.github.com/fozavci/viproy-voipkit VoIP Wars : Attack of the Cisco Phones https://youtu.be/hqL25srtoEY VoIP Wars : Return of the SIP https://youtu.be/d6cGlTB6qKw
  • 48. 48 Thank you Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text or images can be reproduced without written permission. T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au