[VOIPSEC] Blocking PING, and get REGISTER message
J. Oquendo
sil at infiltrated.net
Sat Dec 6 08:03:46 CST 2008
On Sat, 06 Dec 2008, Gilbert Lee wrote:
> Thank you for your response.
> Let me introduce some documents to you.
>
> http://gilgil.springnote.com/pages/2250034
>
> I wish it would be helpful.
> Thank you.
>
> Regards
> Gilbert Lee
>
Again, you're missing crucial points I made with my
previous rambling so let me re-point them out using
your very own presentation.
On page eight of your own slide, you have a remote
phone connecting somewhere - where or what is not
really clear, so let's say a remote office because
it's what it looks like to me.
SIPPhone --> Remote office --> SIPProxy
Where does it go after a SIP Proxy? What is it
doing? What are you using for a SIP proxy? You
should clarify this a little more. For example, here
is how my SIP proxies work:
1) SIP Device
2) Internet
3) My Session Border Controller
4) My SIP Proxy Server (OpenSER)
5) VLANs
6) PBX or end UA
This is how I have my calls set up and why any
and all of your attacks would fail:
1 --> 2 --> 3 --> 4 --> 5 --> 3 --> 2 --> 6
If you placed a call through me using one of my
trunks, the first thing you're going to hit before
my SIP proxy is going to be my SBC so I can figure
out what's the cheapest rate for you and send you
to a particular provider. For me this could be
Level3, Global Crossing, Verizon and a few others.
For your scenario, I'll choose Verizon.
1 --> 2 --> 3
From my SBC, I'll then take your IP information
and convert it to RFC1918 space using OpenSER.
1 --> 2 --> 3 --> 4
My OpenSER device and SBC device are configured
to check via static IP, this never changes on my
end, so for you, you'd better be at that address
or you will be performing blind TCP spoofing, and
you're never going to truly know the end result,
the most you can do is keep your fingers crossed
and hope it works.
OpenSER then on my end sends you to a correct
VLAN to keep your packets secure from other
packets going out the wire to your PBX or end
UA.
1 --> 2 --> 3 --> 4 --> 5 --> 3 --> 2 --> 6
Again, your attack relies heavily on assumptions
of a configuration based solely on passwords
which I kick back to you now. Forget SIP for a
moment, I'm giving you a password, hell I'll
give you the nonce if you want it in fact I'll
make you a generator to gain the correct hash
every time, how do you proceed to get anything
returned to you if you're not the static address
it's not destined for?
So we get into network design now. Because I
keep data and voice separate using port-security
on my switches, that data is never exposed on
any end I configured, how do you propose to
attack me and sniff the wire? At *best* you
might annoy my hackery/butchery VoIP based IPS
I wrote, but that will block your entire IP space
on three failures, so then what? Jump on another
netblock and try again?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
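
The two controls described in the message above (digest credentials accepted only from the peer's static address, and a block on the whole source range after three failures), sketched as an added example that is not the poster's code or configuration. The peer table, realm, nonce, addresses and the /24 block size are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3   # from the post: block "on three failures"
BLOCK_PREFIX = 24  # assumption: "entire IP space" modelled as the source /24
REALM = "sip.example.test"  # constructed
# Constructed provisioning table: each trunk user is pinned to one static IP.
PEERS = {"trunk1001": {"password": "constructed-secret", "static_ip": "198.51.100.20"}}

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, nonce, method, uri):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class Gate:
    def __init__(self):
        self.failures = defaultdict(int)  # failed attempts per netblock
        self.blocked = set()

    def check(self, src_ip, user, nonce, method, uri, response):
        net = ipaddress.ip_network(f"{src_ip}/{BLOCK_PREFIX}", strict=False)
        if net in self.blocked:
            return "DROP"  # whole netblock already blocked
        peer = PEERS.get(user)
        if peer and src_ip == peer["static_ip"]:
            expected = digest_response(user, peer["password"], nonce, method, uri)
            if hmac.compare_digest(expected, response):
                return "ACCEPT"
        # Wrong address or wrong hash: either way it counts as a failure.
        self.failures[net] += 1
        if self.failures[net] >= MAX_FAILURES:
            self.blocked.add(net)
            return "BLOCK"
        return "REJECT"

def replay():
    """Run constructed REGISTER attempts that all carry the correct hash."""
    gate, nonce, uri = Gate(), "constructed-nonce", "sip:sip.example.test"
    good = digest_response("trunk1001", "constructed-secret", nonce, "REGISTER", uri)
    sources = ["198.51.100.20", "203.0.113.5", "203.0.113.5",
               "203.0.113.5", "203.0.113.77", "198.51.100.20"]
    return [gate.check(ip, "trunk1001", nonce, "REGISTER", uri, good) for ip in sources]

if __name__ == "__main__":
    print(replay())
```

Every attempt in `replay()` carries a valid digest response, so the verdicts differ only by source address.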